On Wed, Mar 3, 2010 at 8:10 AM, Raymond Norton <admin at lctn.org> wrote:
> I need to set up a box at our pop to sniff inbound and outbound traffic.
> I want to set it up as a passive device, or connect to a monitoring port
> on our switch, so if the box fails it does not kill our traffic.

I've noticed that Wireshark will slowly die if you feed it too much traffic. I think it will still populate the capture file, but the interface will be dead if you try to feed it too much.

My favorite sniffer (though costly) is Network Observer from Network Instruments. The Observer package ($2500 as I recall) coupled with the ethernet splitter ($1500 as I recall) is exactly what you're looking for, although that's a huge chunk of change, so obviously you have to need it pretty badly. The nice folks at NI work just up the road from me; I've worked with them for a few years and have had outstanding success with their tools.

Regardless of the tool, make sure the box has gobs of disk and gobs of RAM if you intend to capture for long periods. Also, most capture tools will wrap the logs after a while, so if you're doing a long-running sniff make sure you tweak the log settings.

A quick and dirty approach is just to use 'tcpdump -i eth0 > mybigfatfile', then use a tool like Wireshark to analyze the capture later.

Brian
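As an added example (not part of Brian's message or any vendor tool), here is a small POSIX sh wrapper for the "quick and dirty" tcpdump approach above, set up for the long-running, passive capture Raymond asked about: it writes binary pcap with -w (the format Wireshark opens directly), rotates into a fixed-size ring buffer so the disk cannot fill, and checks free space against the ring size before starting. The interface eth0, the output directory /var/cap, the unprivileged user nobody and the 50 x 1000 MB ring are illustrative assumptions; only the tcpdump flags shown (-i, -nn, -s, -C, -W, -G, -Z, -w) are real.

```shell
#!/bin/sh
# Added example, not from the original thread. Wraps tcpdump for a
# long-running passive capture off a SPAN/mirror port or tap.
# Assumed values (illustrative): IFACE=eth0, OUTDIR=/var/cap, a ring of
# 50 files of 1000 MB each, and privileges dropped to user "nobody".

# Compose the tcpdump command line for a size-based ring buffer.
#   -i IFACE  capture interface (promiscuous mode is the default, which is
#             what you want on a mirror port)
#   -nn       no name resolution, so the sniffer generates no DNS traffic
#   -s 0      full packets; older tcpdump defaults truncate the payload
#   -C MB     start a new file when the current one reaches MB million bytes
#   -W N      keep N files and overwrite from the first one (ring buffer)
#   -Z USER   drop root after the interface is opened; OUTDIR must be
#             writable by USER because the savefile is opened afterwards
#   -w FILE   write raw pcap (Wireshark opens it), not the text summary
capture_cmd() {
    iface=$1; outdir=$2; size_mb=$3; nfiles=$4; user=${5:-nobody}
    printf '%s' "tcpdump -i $iface -nn -s 0 -C $size_mb -W $nfiles -Z $user -w $outdir/capture.pcap"
}

# Time-based variant: a new timestamped file every SECS seconds.
# Caveat: combined with -G, -W limits how many files are written and then
# tcpdump exits; it does not wrap. Use this form when nothing may be lost
# and you have the disk for it.
capture_cmd_timed() {
    iface=$1; outdir=$2; secs=$3
    printf '%s' "tcpdump -i $iface -nn -s 0 -G $secs -w $outdir/capture-%Y%m%d-%H%M%S.pcap"
}

# Worst-case disk the ring buffer will occupy, in MB.
ring_mb() { echo $(( $1 * $2 )); }

# Return 0 if OUTDIR has at least NEED_MB free, else 1 (POSIX df -P, in KB).
disk_ok() {
    outdir=$1; need_mb=$2
    avail_kb=$(df -Pk "$outdir" | awk 'NR==2 {print $4}')
    [ "$avail_kb" -ge $((need_mb * 1024)) ]
}

# Stand-alone use: print the command; only run it when CAPTURE_RUN=1.
IFACE=${IFACE:-eth0}; OUTDIR=${OUTDIR:-/var/cap}; SIZE_MB=1000; NFILES=50
cmd=$(capture_cmd "$IFACE" "$OUTDIR" "$SIZE_MB" "$NFILES")
echo "would run: $cmd"
if [ "${CAPTURE_RUN:-0}" = "1" ]; then
    disk_ok "$OUTDIR" "$(ring_mb "$SIZE_MB" "$NFILES")" \
        || { echo "not enough free disk in $OUTDIR for a $(ring_mb "$SIZE_MB" "$NFILES") MB ring" >&2; exit 1; }
    exec $cmd
fi
```

The ring (-C with -W) is the setting the message calls "wrapping the logs": it caps disk use at about size_mb x nfiles MB, and the oldest file is silently overwritten, so size the ring for the retention you actually need. Analyze a finished file later with Wireshark or with 'tcpdump -nn -r /var/cap/capture.pcap0'.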