1 | initial version |
TAP is the way to go, but you need to make sure that they are not allowing traffic injection on the monitor ports - "passiveness" doesn't necessarily guarantee that. Some vendors call their TAPs passive because they have no IP, others mean that there is no power supply for the TAP.
So make sure that the TAP doesn't have the traffic injection feature, and building your own (only physically possible for 10/100, as you probably know) is a risk if you are not very careful with the wiring. Also, there are aggregation TAPs that can do RX/TX aggregation, so if you don't want to go with dual NIC setups you could use one of those.
Also, it is very important to realize that anything can be called a TAP - sometimes, cheap devices are called TAPs, but they are not what you'd expect, e.g. the devices from DualComm usually allow in- and outgoing traffic on the monitoring port. If you need help selecting a device that meets your requirements you can always contact me directly if there are any questions, or ask here. Also, you might want to check my blog post here: https://blog.packet-foo.com/2016/12/the-network-capture-playbook-part-5-network-tap-basics/