On Cisco's switches you can use the SPAN feature to send a mirror of data received on a given port to another port.
I.e., your firewall port is spanned to another switchport to allow your IDS to sample all incoming data destined for the trusted net.

--BD

-----Original Message-----
From: David Gillett [mailto:[EMAIL PROTECTED]
Sent: Monday, March 10, 2003 11:02 AM
To: [EMAIL PROTECTED]
Subject: RE: sniffing packets on a switch

Do you know what kind of problems?

The most obvious problem with doing this is that, by default, your sniffer machine's port on the switch will only be sent traffic that is either broadcast, or addressed specifically to the sniffer host. Most switches offer a way that the switch administrator can direct that traffic for one or more other ports be copied to the sniffer's port. That's not a sniffer program issue.

There *are* ways to try that may make this happen if you don't have administrative access to the switch, and there might even be some tools around that automate such measures. But on most well-run networks, people without admin access to things like switches are also not authorized to be running sniffers, so let's not go there in a public forum....

David Gillett

> -----Original Message-----
> From: Scott Borre [mailto:[EMAIL PROTECTED]
> Sent: March 7, 2003 15:55
> To: [EMAIL PROTECTED]
> Subject: sniffing packets on a switch
>
>
> I am interested in what people recommend using to
> sniff packets on a switch. I have heard that TCPdump
> has some problems doing this. Thank you ahead of
> time for any assistance.