[66637] in North American Network Operators' Group


Re: What's the best way to wiretap a network?

daemon@ATHENA.MIT.EDU (Paul Vixie)
Sun Jan 18 12:01:56 2004

To: nanog@merit.edu
From: Paul Vixie <vixie@vix.com>
Date: 18 Jan 2004 17:00:16 +0000
In-Reply-To: <1074420168.2209.21.camel@grendel>
Errors-To: owner-nanog-outgoing@merit.edu


> > Assuming lawful purposes, what is the best way to tap a network
> > undetectable
> 
> ...
> The best solution I've found is to use an Ethernet tap. It allows you to
> piggyback off of an existing connection and monitor all the traffic
> going to and from that system. It's pretty undetectable, does not use any
> additional switch ports, and allows you to run full duplex. A number of
> vendors sell them and a Google will give you sites on how to make them.
> ...

i hadn't thought of making my own -- that sounds like a fun project.

for f-root, we've (isc) been installing the netoptics version of this:

http://www.netoptics.com/products/product_family.asp?cid=1&Section=products&sid=439813.237927026&menuitem=1

works great.  it's basically a hub, but with the interesting feature of
letting you monitor TX and RX separately, and full duplex is preserved.
(it takes 2x100Mbit to fully monitor a full duplex 100Mbit link.)  it
also fails into "connected" mode if power is dropped.  so if both power
blobs die, you lose monitoring, but not connectivity.

there are also 1000-TX, 1000-SX, DS3, sonet and other versions, plus combos.

i'm fairly sure that this is what law enforcement uses for wiretap warrants.
-- 
Paul Vixie
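A tap of the kind described above hands the monitoring host two unidirectional streams (TX and RX of the tapped link) on two separate capture interfaces, which is why a full-duplex 100 Mbit link needs 2x100 Mbit of monitor capacity. The captures then have to be stitched back together by timestamp before any analysis tool sees a bidirectional conversation. The following is an added example, not code from the thread or from any tap vendor: it builds two small constructed libpcap files (one per direction), merges them into a single time-ordered stream tagged with direction, and reports bytes seen per direction so you can check that each monitor port is carrying its full share. The frame contents and timestamps are made up for the demonstration; the libpcap on-disk layout (24-byte global header, 16-byte per-record header) is the real classic format.

```python
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def make_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Constructed Ethernet II frame: dst MAC, src MAC, EtherType 0x0800, payload."""
    return dst + src + b"\x08\x00" + payload


def build_pcap(packets: List[Tuple[int, int, bytes]]) -> bytes:
    """Serialize (sec, usec, frame) tuples into a classic little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (timestamp_in_microseconds, frame) for each record in a classic pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24  # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        yield sec * 1_000_000 + usec, frame


def merge_taps(tx_capture: bytes, rx_capture: bytes) -> List[Tuple[int, str, bytes]]:
    """Merge the TX-side and RX-side captures of one tapped link into one
    timestamp-ordered stream, tagging every frame with the direction it came from.
    The sort is stable, so frames with identical timestamps keep TX before RX."""
    merged = [(ts, "TX", f) for ts, f in read_pcap(tx_capture)]
    merged += [(ts, "RX", f) for ts, f in read_pcap(rx_capture)]
    merged.sort(key=lambda entry: entry[0])
    return merged


def direction_bytes(merged: List[Tuple[int, str, bytes]]) -> dict:
    """Bytes observed per direction; on a busy full-duplex link both can
    approach line rate, which is why each monitor port needs full link capacity."""
    totals = {"TX": 0, "RX": 0}
    for _ts, direction, frame in merged:
        totals[direction] += len(frame)
    return totals


# Constructed sample: host A talks to host B across the tapped link.
MAC_A = b"\x00\x11\x22\x33\x44\x55"
MAC_B = b"\x00\xaa\xbb\xcc\xdd\xee"
FRAME_A1 = make_frame(MAC_B, MAC_A, b"A" * 46)   # 60 bytes, A -> B
FRAME_B1 = make_frame(MAC_A, MAC_B, b"B" * 46)   # 60 bytes, B -> A
FRAME_A2 = make_frame(MAC_B, MAC_A, b"C" * 30)   # 44 bytes, A -> B

# Monitor port 1 sees only the TX pair, monitor port 2 only the RX pair.
TX_CAPTURE = build_pcap([(1000, 100, FRAME_A1), (1000, 300, FRAME_A2)])
RX_CAPTURE = build_pcap([(1000, 200, FRAME_B1)])

if __name__ == "__main__":
    for ts, direction, frame in merge_taps(TX_CAPTURE, RX_CAPTURE):
        print(ts, direction, len(frame), "bytes")
    print(direction_bytes(merge_taps(TX_CAPTURE, RX_CAPTURE)))
```

Merging on the capture host this way relies on both monitor interfaces being timestamped by the same clock; if the two streams are captured on different machines, their clocks have to be synchronized or the merged order will be wrong around each direction change.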
