[66630] in North American Network Operators' Group


Re: What's the best way to wiretap a network?

daemon@ATHENA.MIT.EDU (doug@nanog.con.com)
Sat Jan 17 23:19:27 2004

Date: Sat, 17 Jan 2004 23:18:12 -0500 (EST)
From: doug@nanog.con.com
To: "nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: <20040118021902.GA251@puck.nether.net>
Errors-To: owner-nanog-outgoing@merit.edu


We've been using Shomiti taps for several years with good effect.  All
they do is copy all the data going through a segment (100bT in our case)
to two ports, one for inbound, another for outbound.  Now Finisar, they
sell both copper and fiber taps for a variety of media, including Ethernet
from 10Mbps to 10Gbps.  They have been rock-solid, never missing a packet,
and isolate the sniffer from the rest of the network.

Of course, you then need to choose a packet analyzer/IDS to use with the
tap.

Doug


On Sat, 17 Jan 2004, Jared Mauch wrote:

>
> 	I'd have to say this depends on the media involved.
>
> 	Ethernet switches allow the monitoring of specific ports (or entire
> vlans) in most cases.  This can be done without impact (assuming nobody
> goofs on the ethernet switch config) to other people and limit the scope
> of packets inspected.
>
> 	Various vendors have their own monitoring solutions and port
> replication features.  I seem to recall one customer of my employer
> saying how much they enjoyed the ability to tcpdump/inspect traffic
> on their Juniper routers.  (with regards to a DoS attack we were working
> on tracking).
>
> 	- Jared
>
> On Sat, Jan 17, 2004 at 09:08:22PM -0500, Sean Donelan wrote:
> > Assuming lawful purposes, what is the best way to tap a network
> > undetectable to the surveillance subject, not missing any
> > relevant data, and not exposing the installer to undue risk?
>
> --
> Jared Mauch  | pgp key available via finger from jared@puck.nether.net
> clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
>
