Honeypots mailing list archives

Sebek client traffic not getting to Honeywall


From: schnibitz () gmail com
Date: 2 Jun 2006 14:33:20 -0000

All,
I have set up a Honeynet using VMware, although I suspect I have done something incorrectly.  The problem is when I 
launch attacks from a test machine, the network portion of those attacks (that snort would see) shows up on the 
honeywall web interface like it is supposed to, but despite a successful compromise of the honeywall, I don't see 
any Honeywall-specific information show in the web interface, just the snort data.  In other words, it doesn't look 
like the honeypot is communicating properly with Honeywall.

I am thinking this is a problem with my configuration, so I wanted to see if someone could clear something up for me.  
The following link:

http://www.honeynet.org.pk/honeywall/roo/page20.htm

suggests that:

"Since Sebek server runs on Honeywall, it will automatically detect Sebek packets on the interface. Type gateway IP 
address for destination IP address of sebek packets and hit Enter."

To me this means that whatever the gateway IP address for the honeywall is, put it in there.

1. Did I get this right?

2. Does it mean that the attack must originate from a network outside the honeynet?  What if the attacker happens to be 
on the same network as the honeypot?  Would Honeywall still show Sebek (client) traffic detailing the attack?

3. During the installation of the client, there is a section that deals with this as well:

"Sebek logs all data it collects to a central server.  Please specify the information Sebek will use to generate 
packets that the server can collect."

So how do I reconcile that with the above questions?  Is it asking for the MAC address of the internal interface of the 
Honeywall, or something else?  I am sorta stuck here, so any suggestions you might have would be great!

Schnibitz

