What's the best way to wiretap a network?
Paul Vixie
vixie at vix.com
Sun Jan 18 17:00:16 UTC 2004
> > Assuming lawful purposes, what is the best way to tap a network
> > undetectable
>
> ...
> The best solution I've found is to use an Ethernet tap. It allows you to
> piggyback off of an existing connection and monitor all the traffic
> going to and from that system. It's pretty undetectable, does not use any
> additional switch ports, and allows you to run full duplex. A number of
> vendors sell them and a Google will give you sites on how to make them.
> ...
i hadn't thought of making my own -- that sounds like a fun project.

for f-root, we've (isc) been installing the netoptics version of this:
http://www.netoptics.com/products/product_family.asp?cid=1&Section=products&sid=439813.237927026&menuitem=1

works great. it's basically a hub, but with the interesting feature of
letting you monitor TX and RX separately, and full duplex is preserved.
(it takes 2x100Mbit to fully monitor a full duplex 100Mbit link.) it
also fails into "connected" mode if power is dropped. so if both power
blobs die, you lose monitoring, but not connectivity.

there are also 1000-TX, 1000-SX, DS3, sonet and other versions, plus combos.

i'm fairly sure that this is what law enforcement uses for wiretap warrants.
--
Paul Vixie
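The tap described in the post hands the monitoring host two separate unidirectional feeds, one for each direction of the link, which is why a saturated full-duplex 100 Mbit link needs 200 Mbit of monitor capacity. The consequence on the analysis side is that the two captures have to be re-interleaved by timestamp before any session reconstruction, and that a single shared monitor port cannot be relied on under load. The following is an added example, not code from the post, ISC or Net Optics; it assumes the tap's two monitor ports are captured with a common clock, and the frames in it are constructed sample data.

```python
"""Re-interleave the two unidirectional feeds a passive Ethernet tap exposes
and check whether both directions fit a single monitor port.

All frames below are constructed sample data, not captured traffic.
"""
from dataclasses import dataclass
from heapq import merge
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Frame:
    ts: float        # capture timestamp in seconds (monitor NIC clock)
    direction: str   # "TX" or "RX": which tap monitor port delivered it
    length: int      # bytes on the wire, Ethernet header and FCS included


def merge_directions(tx: Iterable[Frame], rx: Iterable[Frame]) -> List[Frame]:
    """Interleave two time-ordered one-way captures into one bidirectional stream.

    Each monitor port's capture is already sorted by its own timestamps, so a
    linear k-way merge on the timestamp restores the conversation order
    without loading both captures into memory and re-sorting them.
    """
    return list(merge(tx, rx, key=lambda f: f.ts))


def per_direction_rate_bps(frames: Iterable[Frame], window_s: float) -> Dict[str, float]:
    """Bits per second carried in each direction over a fixed capture window."""
    totals = {"TX": 0, "RX": 0}
    for f in frames:
        totals[f.direction] += f.length
    return {d: (b * 8) / window_s for d, b in totals.items()}


def shared_port_load(rates_bps: Dict[str, float], port_bps: int) -> float:
    """Load a single monitor port would see if both directions were aggregated
    onto it, as a fraction of its capacity.

    Anything above 1.0 means frames would be dropped, which is the case for a
    busy full-duplex link and the reason the tap feeds TX and RX to separate
    monitor ports: each direction may independently run at full link rate.
    """
    return sum(rates_bps.values()) / port_bps


# Constructed sample captures from the two monitor ports (hypothetical values).
SAMPLE_TX = [Frame(0.000, "TX", 1514), Frame(0.002, "TX", 1514), Frame(0.004, "TX", 60)]
SAMPLE_RX = [Frame(0.001, "RX", 1514), Frame(0.003, "RX", 60), Frame(0.005, "RX", 1514)]

if __name__ == "__main__":
    stream = merge_directions(SAMPLE_TX, SAMPLE_RX)
    for f in stream:
        print(f"{f.ts:.3f} {f.direction} {f.length}")
    rates = per_direction_rate_bps(stream, window_s=1.0)
    print("per-direction bps:", rates)
    # A saturated full-duplex 100 Mbit link against one 100 Mbit monitor port.
    saturated = {"TX": 100_000_000.0, "RX": 100_000_000.0}
    print("shared monitor port load:", shared_port_load(saturated, 100_000_000))
```

The merge keys only on the timestamp, so it works for any frame type; in practice the two monitor ports should be captured on the same host so the clocks agree, otherwise the interleaving is only as good as the skew between them.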