LinuxQuestions.org

Linux - Security: Placement of network sniffer in network (https://www.linuxquestions.org/questions/linux-security-4/placement-of-network-sniffer-in-network-195949/)

iainr 06-21-2004 08:34 AM

Placement of network sniffer in network
 
I'm thinking of putting a network sniffer on my home network and I'm wondering where to put it and how to get it to listen to all the traffic.

I believe that it should ideally be able to listen to the line going from the external firewall to the rest of the network.

The question is, how do I get it to be able to listen to all the traffic? If I had a more expensive switch, I guess I could set a port to be able to listen to all the traffic, but I haven't. I was thinking of using a little hub, but I can't find hubs that easily these days - everything is switched.

There's probably an obvious option that I'm missing, but what is it?

linuxmarc 06-21-2004 11:48 AM

You're actually on the right path... you'll need to pick up traffic going to your firewall, or out of it. If you use a software-based firewall you can put the packet monitor directly on this machine.

Lately, I've actually come across hubs that act like switches (each port is independent) but are not configurable, so be careful when selecting one.

Otherwise, your switch will need to support port-mirroring so you can copy all traffic to the port where your sniffer is housed.

For wireless networks, your wireless driver must support RF monitoring, which renders the card useless for all other purposes. In this mode, however, you'll pick up all wireless chatter on the network regardless of whether it's on your network or not.

chort 06-21-2004 02:09 PM

Well you can still find hubs if you know where to look. Some retail stores are blowing them out for cheap, and you could always find them on eBay.

Another option would be to create a network tap by doing a custom cable.

Also, which traffic do you need to monitor? If you need to monitor all Internet traffic (including attacks that are blocked), then you want it outside the firewall between the firewall and the router. If you only need to examine the traffic going through the firewall, you could put it behind the firewall between the firewall and the switch (using bridged interfaces on the IDS box). First you need to decide what exactly you need to monitor, then you can work on how to place the sensor.

slacky 06-23-2004 04:28 PM

You can put two NICs in a Linux Box, then use the bridge modules and utilities (bridge.sourceforge.net) to set up a two port Ethernet bridge, which is essentially a two port switch. You then can plug the firewall into one port on the bridge, then plug the other port into your switch, and then a sniffer or Snort can watch all traffic going through the bridge.
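The inline bridge that chort and slacky describe, written out as an added example (not code from the thread). It uses iproute2's `ip link` rather than the bridge-utils `brctl` the post links to (the equivalents are `brctl addbr br0` and `brctl addif br0 eth1`). The NIC names eth1/eth2, the bridge name br0 and the capture path are assumptions; adjust them for your box. By default the script only prints the commands it would run; set DRYRUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: a two-NIC transparent bridge sensor.
# eth1 (firewall side), eth2 (LAN side) and br0 are assumed names.
# DRYRUN=1 (default) prints the commands; DRYRUN=0 executes them (needs root).

DRYRUN=${DRYRUN:-1}
BR=${BR:-br0}
CAP=${CAP:-/var/log/bridge-capture.pcap}

run() {
    # Echo each command so the plan is visible; execute only when DRYRUN=0.
    printf '%s\n' "$*"
    if [ "$DRYRUN" = "0" ]; then "$@"; fi
}

bridge_sensor_setup() {
    in_if=$1; lan_if=$2
    # stp_state 0: the sensor must not inject BPDUs toward the firewall or switch.
    run ip link add name "$BR" type bridge stp_state 0
    # No addresses on the member NICs: the sensor has no L3 presence on this path.
    run ip addr flush dev "$in_if"
    run ip addr flush dev "$lan_if"
    run ip link set "$in_if" master "$BR"
    run ip link set "$lan_if" master "$BR"
    # Promiscuous so frames for any MAC reach the capture socket on the bridge.
    run ip link set "$in_if" up promisc on
    run ip link set "$lan_if" up promisc on
    # Deliberately no IP on br0 either; use a third NIC for management if needed.
    run ip link set "$BR" up
    # Caveat: if br_netfilter is loaded, iptables also filters bridged frames;
    # disable with sysctl net.bridge.bridge-nf-call-iptables=0 if that surprises you.
}

bridge_sniff() {
    # -n: no name lookups, so the sensor itself generates no DNS traffic.
    # Snort could be pointed at the same interface with -i "$BR".
    run tcpdump -ni "$BR" -s 0 -w "$CAP"
}

# Usage: ./bridge-sensor.sh eth1 eth2   (prints the plan; DRYRUN=0 to apply)
if [ "$#" -eq 2 ]; then
    bridge_sensor_setup "$1" "$2"
    bridge_sniff
fi
```

Traffic crossing the bridge is forwarded in software by the kernel, so the sensor is also a single point of failure for the link; if the box dies, the LAN loses its path to the firewall, which is the price of an inline placement versus a hub or mirror port.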

neo77777 06-23-2004 07:04 PM

You might use ettercap, a sniffer designed for switched LANs. But given its intrusive nature, you must RTFM before deploying it: it is very easy to render your LAN inoperable by telling everyone you are the owner of all the MAC addresses in your network space, which is the nature of ettercap. It ARP-poisons the switch(es) on your LAN to the extent that they become transparent bridges and stop switching (the switch will function as a bridge at this point, broadcasting the traffic among all the hosts connected to it; that's how you sniff the traffic not destined to you, since everything is broadcast at this point).
Regards,
Boris.
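The ARP poisoning neo77777 warns about is easy to spot from the sniffer side: the same IP suddenly answers with a different MAC, and one MAC starts claiming many IPs. The following is an added example, not code from the thread, that watches tcpdump's ARP output for exactly that. The sample lines are constructed to show the line shape and are not a real capture; the MAC addresses, the interface name br0 and the "many IPs" threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: flag ARP-poisoning symptoms in
# `tcpdump -ni <iface> -l arp` output. Alerts when an IP's MAC changes
# or when one MAC claims MANY (default 3) different IPs.

MANY=${MANY:-3}

arp_watch() {
    # stdin: tcpdump ARP lines such as
    #   12:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
    # Fields: $1 ts, $2 "ARP,", $3 "Reply", $4 ip, $5 "is-at", $6 "mac,"
    awk -v many="$MANY" '
    /ARP, Reply/ {
        ip = $4; mac = $6; sub(/,$/, "", mac)
        if (ip in owner && owner[ip] != mac)
            printf "ALERT mac-change %s %s -> %s at %s\n", ip, owner[ip], mac, $1
        owner[ip] = mac
        if (!((mac, ip) in seen)) { seen[mac, ip] = 1; claims[mac]++ }
        if (claims[mac] == many)
            printf "ALERT mac-claims-many %s (%d IPs so far) at %s\n", mac, claims[mac], $1
    }'
}

# Constructed sample (not real traffic): a gateway and a host answer normally,
# then de:ad:be:ef:00:01 starts answering for everyone, as a poisoner would.
SAMPLE='12:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:02.000000 ARP, Request who-has 192.168.1.20 tell 192.168.1.1, length 28
12:00:03.000000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20, length 28
12:00:10.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:10.100000 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01, length 28
12:00:10.200000 ARP, Reply 192.168.1.30 is-at de:ad:be:ef:00:01, length 28'

arp_watch_demo() {
    printf '%s\n' "$SAMPLE" | arp_watch
}

# Usage: ./arp-watch.sh --demo        (runs on the constructed sample)
#        ./arp-watch.sh --live br0    (needs root; reads ARP from the wire)
case "${1:-}" in
    --demo) arp_watch_demo ;;
    --live) tcpdump -ni "${2:-br0}" -l arp | arp_watch ;;
esac
```

On the constructed sample this prints two mac-change alerts (for 192.168.1.1 and 192.168.1.20) followed by one mac-claims-many alert once the third IP is claimed. A real LAN with DHCP reassignments will produce occasional legitimate mac-change lines, so treat a burst of them from a single new MAC as the signal, not a lone event.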

