We've been using Shomiti taps for several years with good effect. All they do is copy all the data going through a segment (100bT in our case) to two ports, one for inbound, another for outbound. Now Finisar, they sell both copper and fiber taps for a variety of media, including Ethernet from 10Mbps to 10Gbps. They have been rock-solid, never missing a packet, and isolate the sniffer from the rest of the network. Of course, you then need to choose a packet analyzer/IDS to use with the tap.
Doug
On Sat, 17 Jan 2004, Jared Mauch wrote:
I'd have to say this depends on the media involved.
Ethernet switches allow the monitoring of specific ports (or entire vlans) in most cases. This can be done without impact (assuming nobody goofs on the ethernet switch config) to other people and limit the scope of packets inspected.
Various vendors have their own monitoring solutions and port replication features. I seem to recall one customer of my employer saying how much they enjoyed the ability to tcpdump/inspect traffic on their Juniper routers. (with regards to a DoS attack we were working on tracking).
- Jared
On Sat, Jan 17, 2004 at 09:08:22PM -0500, Sean Donelan wrote:
Assuming lawful purposes, what is the best way to tap a network undetectable to the surveillance subject, not missing any relevant data, and not exposing the installer to undue risk?
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.