On Sat, 2004-01-17 at 21:08, Sean Donelan wrote:
Assuming lawful purposes, what is the best way to tap a network undetectable
The best way to go undetectable is easy, run the sniffer without an IP address. The best way to tap a network varies with your setup. If your repeated, just plug in and go. If your switched (which most of us are), you need to figure out how to get in the middle of the data stream you want to monitor. The best solution I've found is to use an Ethernet tap. It allows you to piggy back off of an existing connection and monitor all the traffic going to and from that system. Its pretty undetectable, does not use any additional switch ports, and allows you to run full duplex. A number of vendors sell them and a Google will give you sites on how to make them. You can plug a mini-hub in line and use that as a tap point to monitor the stream. Up side is its cheap and easy. Down side is you have to drop to half duplex. Not a problem in most situations but in some the drop in performance can be an issue. Many switch vendors include a copy or mirror port that allows you to replicate all traffic to and from a specific port, to some other port where you can plug in your sniffer. Up side here is ease of configuration. If you want to start monitoring a different port its a simple configuration change within your switch. Down side is you could end up missing packets (I've run into this myself). Seems when some/many switches get busy the first thing they stop doing is copying packets to the mirror port. There are tools out there like Dsniff and Ettercap that allow you to sniff in a switched environment. I recommend you avoid them because they tend to either work or hose your network. You don't want to DoS yourself. ;-)
to the surveillance subject, not missing any relevant data, and not exposing the installer to undue risk?
Sniffing is a passive function so its always possible you are going to miss data. It all depends on the capabilities of the box recording the packets. As for "risk", that's always there as well. For example check the Bugtraq archives and you are going to find exploits that work against tools like Tcpdump and Snort. The attacks go after the way the software processes the packet. So even if you are running without an IP address its possible that someone with malicious intent can DoS the box. HTH, C