> > Assuming lawful purposes, what is the best way to tap a network
> > undetectable
> > ...
> The best solution I've found is to use an Ethernet tap. It allows you to
> piggyback off of an existing connection and monitor all the traffic
> going to and from that system. It's pretty undetectable, does not use any
> additional switch ports, and allows you to run full duplex. A number of
> vendors sell them and a Google will give you sites on how to make them.
> ...

i hadn't thought of making my own -- that sounds like a fun project.

for f-root, we've (isc) been installing the netoptics version of this:

http://www.netoptics.com/products/product_family.asp?cid=1&Section=products&sid=439813.237927026&menuitem=1

works great. it's basically a hub, but with the interesting feature of
letting you monitor TX and RX separately, and full duplex is preserved.
(it takes 2x100Mbit to fully monitor a full duplex 100Mbit link.) it also
fails into "connected" mode if power is dropped. so if both power blobs
die, you lose monitoring, but not connectivity.

there are also 1000-TX, 1000-SX, DS3, sonet and other versions, plus combos.

i'm fairly sure that this is what law enforcement uses for wiretap warrants.

--
Paul Vixie