nanog mailing list archives

Re: What's the best way to wiretap a network?


From: doug () nanog con com
Date: Sat, 17 Jan 2004 23:18:12 -0500 (EST)


We've been using Shomiti taps for several years with good effect.  All
they do is copy all the data going through a segment (100bT in our case)
to two ports, one for inbound, another for outbound.  Now Finisar, they
sell both copper and fiber taps for a variety of media, including Ethernet
from 10Mbps to 10Gbps.  They have been rock-solid, never missing a packet,
and isolate the sniffer from the rest of the network.

Of course, you then need to choose a packet analyzer/IDS to use with the
tap.

Doug
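
An added example, not from Doug's or any vendor's code, showing what the tap's two-port design means for the analyzer: each port delivers one direction of the full-duplex link, so a sniffer that captures from two NICs ends up with two unidirectional pcap files that must be re-interleaved by timestamp before a session can be reassembled (Wireshark's mergecap does the same for real files). The pcap parser and the sample frames below are constructed for the example.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4            # classic libpcap, little-endian, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len

Packet = Tuple[int, int, bytes]    # (ts_sec, ts_usec, frame bytes)

def read_pcap(blob: bytes) -> List[Packet]:
    """Parse one tap direction (a classic pcap file) into a list of packets."""
    magic = GLOBAL_HDR.unpack_from(blob, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    pkts, off = [], GLOBAL_HDR.size
    while off + PKT_HDR.size <= len(blob):
        sec, usec, incl, _orig = PKT_HDR.unpack_from(blob, off)
        off += PKT_HDR.size
        pkts.append((sec, usec, blob[off:off + incl]))
        off += incl
    return pkts

def merge_directions(inbound: List[Packet], outbound: List[Packet]) -> List[Packet]:
    """Interleave the two unidirectional feeds by timestamp.
    sorted() is stable, so packets with equal timestamps keep their feed order."""
    return sorted(inbound + outbound, key=lambda p: (p[0], p[1]))

def write_pcap(pkts: List[Packet]) -> bytes:
    """Serialize packets back into a single bidirectional pcap (linktype 1 = Ethernet)."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in pkts:
        out += PKT_HDR.pack(sec, usec, len(frame), len(frame)) + frame
    return out

# Constructed sample frames: 14-byte Ethernet header, payload tags the direction.
def _frame(tag: bytes) -> bytes:
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    return dst + src + b"\x08\x00" + tag

INBOUND = write_pcap([(100, 0, _frame(b"in-1")), (100, 300, _frame(b"in-2"))])
OUTBOUND = write_pcap([(100, 150, _frame(b"out-1")), (100, 450, _frame(b"out-2"))])

def merged_payload_order() -> List[bytes]:
    """Payloads of the merged capture, in wire order across both directions."""
    merged = merge_directions(read_pcap(INBOUND), read_pcap(OUTBOUND))
    return [frame[14:] for _, _, frame in merged]

if __name__ == "__main__":
    print(merged_payload_order())  # [b'in-1', b'out-1', b'in-2', b'out-2']
```

Clock skew between the two capture interfaces shows up directly as mis-ordering in the merge, which is why a dual-port tap setup needs both NICs timestamped from the same clock.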


On Sat, 17 Jan 2004, Jared Mauch wrote:


      I'd have to say this depends on the media involved.

      Ethernet switches allow the monitoring of specific ports (or entire
VLANs) in most cases.  This can be done without impact (assuming nobody
goofs on the Ethernet switch config) to other people and limits the scope
of packets inspected.

      Various vendors have their own monitoring solutions and port
replication features.  I seem to recall one customer of my employer
saying how much they enjoyed the ability to tcpdump/inspect traffic
on their Juniper routers.  (with regards to a DoS attack we were working
on tracking).

      - Jared

On Sat, Jan 17, 2004 at 09:08:22PM -0500, Sean Donelan wrote:
Assuming lawful purposes, what is the best way to tap a network
undetectable to the surveillance subject, not missing any
relevant data, and not exposing the installer to undue risk?

--
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.


