What's the best way to wiretap a network?
doug at nanog.con.com
Sun Jan 18 04:18:12 UTC 2004
We've been using Shomiti taps for several years with good effect. All
they do is copy all the data going through a segment (100bT in our case)
to two ports, one for inbound, another for outbound. Now Finisar, they
sell both copper and fiber taps for a variety of media, including Ethernet
from 10Mbps to 10Gbps. They have been rock-solid, never missing a packet,
and isolate the sniffer from the rest of the network.
Of course, you then need to choose a packet analyzer/IDS to use with the
tap.
Doug
On Sat, 17 Jan 2004, Jared Mauch wrote:
>
> I'd have to say this depends on the media involved.
>
> Ethernet switches allow the monitoring of specific ports (or entire
> vlans) in most cases. This can be done without impact (assuming nobody
> goofs on the Ethernet switch config) to other people and limit the scope
> of packets inspected.
>
> Various vendors have their own monitoring solutions and port
> replication features. I seem to recall one customer of my employer
> saying how much they enjoyed the ability to tcpdump/inspect traffic
> on their Juniper routers. (with regards to a DoS attack we were working
> on tracking).
>
> - Jared
>
> On Sat, Jan 17, 2004 at 09:08:22PM -0500, Sean Donelan wrote:
> > Assuming lawful purposes, what is the best way to tap a network
> > undetectable to the surveillance subject, not missing any
> > relevant data, and not exposing the installer to undue risk?
>
> --
> Jared Mauch | pgp key available via finger from jared at puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.
>