Hardware Network Taps

By inzeos

For the last year or so I have been analyzing network traffic using either a mirrored port or a passive network tap.  The passive network tap is a powerful and very cheap tool; however, it requires that you run a sniffer on two different physical ports.  Each of the ports on the passive tap carries traffic in one direction of the communication stream.  So… to make the sniff really useful you need to merge the two packet captures together.  Doing this once in a while is fine; however, doing this constantly is a real hassle and tedious to say the least.
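The merge step described above, as an added example that is not part of the original post: it interleaves two one-direction classic pcap files by timestamp. It assumes both tap ports were sniffed on the same host, so the two sets of timestamps share one clock; the function names and the sample frames are constructed for illustration.

```python
import heapq
import struct

MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def parse_pcap(data):
    """Return (linktype, snaplen, records); a record is (sec, usec, orig_len, frame)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", data, 0)[0] == MAGIC:
            break
    else:
        raise ValueError("not a classic microsecond-resolution pcap file")
    snaplen, linktype = struct.unpack_from(endian + "II", data, 16)
    records, offset = [], 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:  # sniffer was stopped mid-write; drop the partial record
            break
        records.append((sec, usec, orig_len, frame))
        offset += 16 + incl_len
    return linktype, snaplen, records

def build_pcap(records, linktype=1, snaplen=65535):
    """Serialise records as a little-endian classic pcap file (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for sec, usec, orig_len, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), orig_len) + frame)
    return b"".join(out)

def merge_pcaps(side_a, side_b):
    """Interleave two one-direction captures into one file ordered by timestamp."""
    link_a, snap_a, recs_a = parse_pcap(side_a)
    link_b, snap_b, recs_b = parse_pcap(side_b)
    if link_a != link_b:
        raise ValueError("captures use different link types")
    # Sort each side first: the merge below assumes each input is already ordered.
    merged = heapq.merge(sorted(recs_a, key=lambda r: r[:2]),
                         sorted(recs_b, key=lambda r: r[:2]), key=lambda r: r[:2])
    return build_pcap(merged, link_a, max(snap_a, snap_b))

# Constructed sample: two frames seen on each tap port (payloads are dummies).
PORT_A = build_pcap([(100, 10, 60, b"A1" * 30), (100, 900, 60, b"A2" * 30)])
PORT_B = build_pcap([(100, 500, 60, b"B1" * 30), (101, 0, 60, b"B2" * 30)])
MERGED = merge_pcaps(PORT_A, PORT_B)
```

Wireshark's `mergecap` does the same job from the command line for both pcap and pcapng files.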

If you are curious, here is the pinout to make a passive Ethernet tap:

[Image: Passive Ethernet Tap pinout]

If you are interested in making your own tap, Google for “passive ethernet tap”.  Most parts can be found in a Home Depot or similar home goods store.  If not, you can definitely order them online.  I usually would suggest building a few and leaving them in key parts of your lab or home network topology.  You do not need to leave the sniffer connected for them to function.

Thankfully I recently received a hardware-based network tap, which allows me to sniff using one physical interface and only one capture file.  Life has just gotten so much easier in the old home lab environment.

