North American Network Operators Group

Re: What's the best way to wiretap a network?

  • From: Paul Vixie
  • Date: Sun Jan 18 12:04:43 2004

> > Assuming lawful purposes, what is the best way to tap a network
> > undetectable
> 
> ...
> The best solution I've found is to use an Ethernet tap. It allows you to
> piggy back off of an existing connection and monitor all the traffic
> going to and from that system. It's pretty undetectable, does not use any
> additional switch ports, and allows you to run full duplex. A number of
> vendors sell them and a Google will give you sites on how to make them.
> ...

i hadn't thought of making my own -- that sounds like a fun project.

for f-root, we've (isc) been installing the netoptics version of this:

http://www.netoptics.com/products/product_family.asp?cid=1&Section=products&sid=439813.237927026&menuitem=1

works great.  it's basically a hub, but with the interesting feature of
letting you monitor TX and RX separately, and full duplex is preserved.
(it takes 2x100Mbit to fully monitor a full duplex 100Mbit link.)  it
also fails into "connected" mode if power is dropped.  so if both power
blobs die, you lose monitoring, but not connectivity.

there are also 1000-TX, 1000-SX, DS3, sonet and other versions, plus combos.

i'm fairly sure that this is what law enforcement uses for wiretap warrants.
-- 
Paul Vixie