@charlesfair
Forked from dcode/README.md
Created July 31, 2019 03:49
NetworkManager dispatcher hook to start bro on a VPN interface

BroCtl hook for NetworkManager

I'm going through Offensive Security's "Pentesting With Kali" (PWK) course, and I added this hook to my Kali VM so that Bro would record everything going over the wire. I wanted to do this so I could analyze what my traffic would show up like using various tools.

Of course, you could use this on other systems using NetworkManager. And if you're pentesting, but not going over a VPN, just change the interface name in the script and the instructions. To add this to Kali for the OpenVPN connection, you need to do the following:

```sh
apt-get install bro broctl
sed -i 's/eth0/tap0/' /etc/bro/node.cfg
curl 'https://gist.githubusercontent.com/dcode/214fe616b1c98cd5665c99ad34a78893/raw/8d116140bb567c5990e378ab01973399719bb62a/nm-broctl.sh' | tee /etc/NetworkManager/dispatcher.d/broctl.sh
chmod +x /etc/NetworkManager/dispatcher.d/broctl.sh
```

NOTE: This will only capture traffic over the VPN. If you're using DNS out another interface, it will not be captured.

That's it! The next time you connect to the OpenVPN, bro will automatically start up and begin recording traffic metadata in /var/log/bro/current/. From there, customize your bro policy as usual in /usr/share/bro/site/local.bro.

nm-broctl.sh:

```sh
#!/bin/sh
# Place in /etc/NetworkManager/dispatcher.d/broctl.sh and chmod +x
# NetworkManager calls dispatcher scripts as: <interface> <action>
IF=$1
STATUS=$2

start_broctl() {
    /usr/bin/broctl install
    /usr/bin/broctl deploy
}

stop_broctl() {
    /usr/bin/broctl stop
}

if [ "${IF}" = "tap0" ] && [ "${STATUS}" = "up" ]; then
    start_broctl
elif [ "${IF}" = "tap0" ] && [ "${STATUS}" = "down" ]; then
    stop_broctl
fi
```
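A variant of the hook, added here as an example and not part of the gist, that reads the interface name from /etc/bro/node.cfg (so the sed step above and the hook cannot drift apart) and also handles VPNs that NetworkManager brings up itself, which arrive as its vpn-up/vpn-down actions with the tunnel interface in VPN_IP_IFACE. The NODE_CFG and BROCTL overrides and the broctl-hook syslog tag are this example's own choices.

```sh
#!/bin/sh
# Added example, not the gist's script: same dispatcher hook, but the
# interface comes from the broctl node config instead of being hardcoded
# a second time, and NetworkManager-managed VPNs (vpn-up / vpn-down,
# tunnel interface in $VPN_IP_IFACE) are handled as well.
# Install as /etc/NetworkManager/dispatcher.d/broctl.sh and chmod +x.

NODE_CFG="${NODE_CFG:-/etc/bro/node.cfg}"   # override path for testing
BROCTL="${BROCTL:-/usr/bin/broctl}"

# Print the first "interface=" value in the node config (the line the
# sed step in the instructions rewrote to tap0).
monitored_interface() {
    sed -n 's/^[[:space:]]*interface[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Decide what the hook should do for one dispatcher event.
# Prints "deploy", "stop", or nothing if the event is not for our interface
# or not a link-state change we care about (pre-up, dhcp4-change, ...).
broctl_action() {
    iface="$1"; action="$2"; wanted="$3"
    [ "$iface" = "$wanted" ] || return 0
    case "$action" in
        up|vpn-up)     echo deploy ;;
        down|vpn-down) echo stop ;;
    esac
}

main() {
    # For vpn-* events the tunnel interface is passed in the environment,
    # not as $1 (which is the underlying device).
    case "$2" in
        vpn-up|vpn-down) iface="${VPN_IP_IFACE:-$1}" ;;
        *)               iface="$1" ;;
    esac
    wanted=$(monitored_interface "$NODE_CFG")
    [ -n "$wanted" ] || { logger -t broctl-hook "no interface= in $NODE_CFG"; exit 0; }
    op=$(broctl_action "$iface" "$2" "$wanted")
    [ -n "$op" ] || exit 0
    # Leave a syslog trail so you can confirm the hook actually fired.
    logger -t broctl-hook "$2 on $iface: running broctl $op"
    # "deploy" installs the current config and (re)starts the workers.
    "$BROCTL" "$op"
}

# Only act when invoked by NetworkManager with <interface> <action>.
if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```

Check with `journalctl -t broctl-hook` (or /var/log/syslog) after connecting to confirm the deploy was triggered for the expected interface.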