Network monitor (via mirrored port to dedicated e1000)
 

I have my switch setup to send all packets tx and rx from my internet connection port to a mirrored port.

I can monitor that port in windows with wireshark and all looks good.

When I move it to a linux machine to use fprobe; it only sees 'rx' packets. No 'tx'!

I have set to promiscuous mode (ifconfig eth1 promisc)
using tcpdump -ni eth1 shows the same issue, only one way packets.

ifconfig shows the rx packets climbing (incrementing) like crazy with no change in tx packets :(

Any ideas?

Well, of course if does... the mirror port on the switch sends a copy of all traffic (inbound or outbound) on the port being monitored to eth1 on your server. Every packet gets registered as incoming on eth1, and the RX counter gets incremented.

The TX counter on eth1 only counts outbound packets generated by the system, and surely that would make no sense for a NIC connected to a mirror port on a switch?

(You should however put the interface in promiscuous mode, as it needs to process packets with any destination MAC address.)