This is the way that Network General (the creator of Sniffer®) has deployed Distributed Sniffer® since the beginning. While the product that you are using may be from another or open-source vendor (e.g. Ethereal®/Wireshark®), this process is time-honored and as such is considered to be "Best Practice."

This design is meant to assure that the NIC that is listening to the monitor port is not sending any packets itself. The Monitor Card should have no protocols bound to it and listens in promiscuous mode. Additionally, the PC should be as passive as possible and not phone home to vendors because of unnecessary software it has loaded.

One process is to take a company's standard laptop and customize it by removing anything that is not needed to support the role of a Protocol Analyzer. Any software that is not part of the laptop's OS requirements should be uninstalled. Once the laptop has been stripped down this way, load the open-source Protocol Analyzer of your choice and test it. Once testing is satisfactorily completed, save an image of the laptop to be used to generate other open-source Laptop Protocol Analyzers.

System Requirements:
Pentium 4 or higher.
1 GB memory or higher.
2 NICs, one of which is 100 Mbps (not Gigabit) to be used as the Monitor Card. (NOTE: This process is not appropriate for Gigabit monitoring.)
Remote control software (e.g. VNC) that supports file transfers from the laptop acting as a Protocol Analyzer to the PC used by the Network Transaction Analyst.

Two NICs:
1st NIC - Monitor Card - No IP bound to the card. This card just listens in promiscuous mode. It is the one that is attached to the Monitor Port in the switch. This should be a 100 Mbps NIC.
2nd NIC - Transport Card - IP is bound (static) so that this card can be used on the Intranet to access the remote control function of the PC. This can be Gigabit if that is all that is available.

Other Configuration Issues:
No management software (SMS, Radia, etc.) enabled. No management of this device other than remote control.
Virus protection (only if it is considered mandatory by company policy). However, this laptop should have no email client or any other software that will want to connect to the Internet (with the possible exception of time services). A firewall rule can always be created to enforce its isolation from the public Internet except on approved sockets.
A time server should be in place to keep the various Protocol Analysis Laptops in sync. This can be an Internet source if company policy permits, or a local Intranet source.
The laptop should not be a member of the company domain. One logs into the PC itself, locally or via remote control.
All mirrors in switches are to be bi-directional.
Consider creating a shared folder to act as a trace file depository. This is not required, but can be helpful, as these files can easily grow too large for many corporate email policy size limits.
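The two-NIC design above (a mute Monitor Card in promiscuous mode, a Transport Card reachable only for remote control, and a firewall rule that isolates the box except on approved sockets) is easy to state and easy to get subtly wrong: a monitor card with an address, ARP or IPv6 still enabled will transmit. The script below is an added example for a Linux build of such an analyzer laptop; it is not from the original document or from any vendor. It assumes the monitor card is eth1 and the transport card is eth0, takes the intranet range and time server as arguments, and checks the card's transmit counter from /proc/net/dev to confirm it stays silent. The two counter snapshots embedded in it are constructed for the offline self-check, not real captures.

```shell
#!/bin/sh
# Added example, not code from the original document. Configures a Linux
# "Monitor Card" as the text describes (no address, no ARP, no IPv6,
# promiscuous), isolates the "Transport Card" with nftables, and verifies
# afterwards that the monitor card is not transmitting. Interface names,
# the intranet range, the NTP server and the sample counters are assumptions.

MON_IF="${MON_IF:-eth1}"            # assumption: the monitor card is eth1
TRANSPORT_IF="${TRANSPORT_IF:-eth0}" # assumption: the transport card is eth0
INTRANET="${INTRANET:-10.0.0.0/8}"   # assumption: remote control comes from here
NTP_SERVER="${NTP_SERVER:-10.1.1.5}" # assumption: the approved time server

# Make the monitor card mute: flush any address, turn off ARP and IPv6 so the
# kernel has no reason to send on it, then bring it up in promiscuous mode.
# Requires root; only run when MONITOR_APPLY=1 is set in the environment.
configure_monitor_nic() {
    ifc="$1"
    ip addr flush dev "$ifc"
    ip link set dev "$ifc" arp off
    sysctl -q -w "net.ipv6.conf.${ifc}.disable_ipv6=1"
    ip link set dev "$ifc" promisc on up
}

# Emit an nftables ruleset for the transport card: only remote control
# (VNC, TCP 5900) from the intranet in, only NTP to the time server out,
# everything else dropped. Captured frames are seen by libpcap before
# netfilter, so the drop policy does not affect what the analyzer records.
transport_firewall_rules() {
    ifc="$1"; intranet="$2"; ntp_server="$3"
    cat <<EOF
table inet analyzer {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        iifname "$ifc" ip saddr $intranet tcp dport 5900 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        oifname "$ifc" ip daddr $ntp_server udp dport 123 accept
    }
}
EOF
}

# Read the transmitted-packet counter for one interface from /proc/net/dev
# text on stdin. After the "iface:" prefix the first 8 columns are receive
# counters and the next 8 are transmit counters, so tx_packets is field 11.
tx_packets_from_procnetdev() {
    want="$1"
    sed 's/:/ /' | awk -v want="$want" '
        $1 == want { print $11; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Succeeds only if the interface's tx_packets counter is unchanged between
# two /proc/net/dev snapshots, i.e. the card sent nothing in between.
monitor_nic_quiet() {
    ifc="$1"; before="$2"; after="$3"
    tx0=$(printf '%s\n' "$before" | tx_packets_from_procnetdev "$ifc") || return 2
    tx1=$(printf '%s\n' "$after"  | tx_packets_from_procnetdev "$ifc") || return 2
    [ "$tx0" = "$tx1" ]
}

# Constructed /proc/net/dev snapshots (not real captures): eth1 receives the
# mirrored traffic but never transmits; eth0 is the transport card and does.
SAMPLE_BEFORE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  eth0:  904431    5210    0    0    0     0          0        31   612077    7689    0    0    0     0       0          0
  eth1: 98123456  231004    0   17    0     0          0       902        0       0    0    0    0     0       0          0'
SAMPLE_AFTER='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  eth0:  911820    5264    0    0    0     0          0        31   615490    7712    0    0    0     0       0          0
  eth1: 99871002  235117    0   17    0     0          0       921        0       0    0    0    0     0       0          0'

if [ "${MONITOR_APPLY:-0}" = "1" ]; then
    # Live run (root): configure, isolate, then watch the card for 10 seconds.
    configure_monitor_nic "$MON_IF"
    transport_firewall_rules "$TRANSPORT_IF" "$INTRANET" "$NTP_SERVER" | nft -f -
    snap0=$(cat /proc/net/dev); sleep 10; snap1=$(cat /proc/net/dev)
    monitor_nic_quiet "$MON_IF" "$snap0" "$snap1" && echo "$MON_IF is quiet" || echo "$MON_IF TRANSMITTED"
else
    # Offline self-check on the constructed snapshots.
    monitor_nic_quiet "$MON_IF" "$SAMPLE_BEFORE" "$SAMPLE_AFTER" && echo "$MON_IF sent nothing"
    monitor_nic_quiet "$TRANSPORT_IF" "$SAMPLE_BEFORE" "$SAMPLE_AFTER" || echo "$TRANSPORT_IF transmitted (expected)"
fi
```

Run it without arguments to exercise the counter check against the embedded samples; run it as root with MONITOR_APPLY=1 to apply the interface and firewall settings and then confirm over a ten-second window that the monitor card's tx_packets counter did not move. A non-zero or growing counter on the monitor card means some protocol is still bound to it and the card is not as passive as the design requires.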