Full-time analysts should install Security Onion in a VM on their workstation. Run through the Ubuntu installer, but you do not need to run our Setup wizard since the analyst VM won't be sniffing any live traffic. This gives you a local copy of Wireshark, NetworkMiner, and our customized Sguil client.
To connect from the Analyst VM to your production master server, you will need to run so-allow on the master server and choose the analyst option to allow the traffic through the host-based firewall.
Once you’ve allowed the traffic using so-allow, you can launch the Sguil client and connect to the IP address or hostname of your production master server and/or launch the web browser and connect to Squert or Kibana on your production master server.
This allows you to investigate pcaps without fear of impacting your production server/sensors.