Open source network tap

Tags: monitoring, networking

I've recently begun researching network monitoring solutions. I've configured SPAN on our Cisco Catalyst, and it's working OK, but I've been reading up on taps too. Most of the articles I've seen reference cost as the major drawback. Unless there's something I'm missing about this technology, it seems like it could be implemented with a commodity PC and three NICs (in, out, and the monitor port). Does something like this exist, or am I way off?

Best Answer

You can do something simple and passive like the Throwing Star Network Tap or an equivalent made out of jacks and wires. It won't work for gigabit Ethernet but it's a great cheap little gadget (free if you make one yourself out of wire and jacks you've got laying around).

In terms of an active tap, I've been interested in trying out some of the very reasonably priced offerings from DualComm Technology (that USB-powered gigabit Ethernet tap looks sweet!). I haven't used them, personally, so I can't vouch for how well they work but they look very nice.

I frequently bridge NICs on my laptop to sniff traffic as an active tap. It's a perfectly feasible thing to do. You can use the bridging code in Linux to do something similar. We did long-term WAN circuit protocol distribution analysis for a customer like that a few years ago, sniffing and compiling gigs and gigs of tcpdump captures off of a br interface on a Linux host and then processing them. The main drawback, if you're not using a purpose-built tap, is that a failure of your "active tap" computer can result in disconnection of the device being tapped. It would be better, for long-term applications, to use a tap that had latching relays to allow your tap to lose power / fail without interrupting the connection.
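The Linux bridge approach the answer describes, as an added example (not the answer author's own script): two NICs are joined into a transparent bridge and tcpdump captures off the bridge interface. Interface names (eth1/eth2 in-line, br0 for the bridge) and the capture directory are assumptions; with DRY_RUN=1 the functions print the commands instead of executing them, since the real thing needs root.

```shell
#!/bin/sh
# Added example: a Linux "active tap" built from a bridge over two NICs.
# Interface names and paths below are assumptions, not from the original post.
# DRY_RUN=1 echoes each command instead of running it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the bridge with STP off and no forwarding delay so it stays
# transparent to the tapped link: it neither sends BPDUs nor holds ports
# in a listening state while converging.
tap_bridge_up() {
    br="$1"; in_if="$2"; out_if="$3"
    run ip link add "$br" type bridge
    run ip link set dev "$br" type bridge stp_state 0 forward_delay 0
    # No IP address is assigned and IPv6 is disabled: the tap host must
    # never source packets of its own onto the monitored segment.
    run sysctl -q -w "net.ipv6.conf.$br.disable_ipv6=1"
    for nic in "$in_if" "$out_if"; do
        run ip link set dev "$nic" master "$br"
        run ip link set dev "$nic" promisc on
        run ip link set dev "$nic" up
    done
    run ip link set dev "$br" up
}

# Capture on the bridge: full packets, hourly rotated files, and tcpdump
# drops to an unprivileged user once the interface and output file are open.
tap_capture() {
    br="$1"; dir="$2"
    run tcpdump -i "$br" -nn -s 0 -G 3600 -Z nobody -w "$dir/tap-%Y%m%d-%H%M%S.pcap"
}

# Tearing the bridge down (or the host crashing) breaks the in-line link;
# this is the failure mode the answer warns about and why latching-relay
# taps are preferred for long-term deployments.
tap_bridge_down() {
    br="$1"
    run ip link del "$br"
}
```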
