I am attempting to use Snort as an IDS on my network. Currently I have all traffic on my router uplink port mirrored to a port I have plugged into an unused port on an oVirt node. I have created a network that only has access to that port and assigned that network to my Snort VM. I am able to see broadcast traffic (DHCP requests, DNS discoveries, etc.) when I listen to that port but no direct IP-to-IP traffic. I believe it has something to do with macspoofing but I am not sure I have set that up correctly for this host. Has anyone seen documentation on properly setting up macspoofing or using Snort on a virtual infrastructure like oVirt?

--
Patrick Pierson