Assuming lawful purposes, what is the best way to tap a network undetectably
... The best solution I've found is to use an Ethernet tap. It allows you to piggyback off of an existing connection and monitor all the traffic going to and from that system. It's pretty undetectable, does not use any additional switch ports, and allows you to run full duplex. A number of vendors sell them and a Google will give you sites on how to make them. ...
i hadn't thought of making my own -- that sounds like a fun project. for f-root, we've (isc) been installing the netoptics version of this:

http://www.netoptics.com/products/product_family.asp?cid=1&Section=products&sid=439813.237927026&menuitem=1

works great. it's basically a hub, but with the interesting feature of letting you monitor TX and RX separately, and full duplex is preserved. (it takes 2x100Mbit to fully monitor a full duplex 100Mbit link.) it also fails into "connected" mode if power is dropped. so if both power blobs die, you lose monitoring, but not connectivity.

there are also 1000-TX, 1000-SX, DS3, sonet and other versions, plus combos. i'm fairly sure that this is what law enforcement uses for wiretap warrants.

-- Paul Vixie