Troubleshooting lower-level networking issues has generally involved configuring a port on a managed network switch as a SPAN/mirror port. That is only possible on managed switches, which tend to be larger, more expensive rackmount units, not something you see in smaller network infrastructures. It also involves getting assistance from the network admin.
NetGear now has a “Plus” version of its network switches. Take the NetGear GS105E as an example. This very small footprint 5-port switch has a durable metal case, supports Gigabit Ethernet on all ports, and is “manageable” using the NetGear ProSafe Plus Utility. The best part: it is only $60 USD and supports port mirroring.
Out of the box, it supports DHCP for its management IP though you can configure a static IP.
I recommend you use the ProSafe Plus Utility once to configure one port to mirror another, then label the top of the switch so you don’t forget. Now don’t worry about needing the utility anymore, just keep this little switch in your “toolkit” and you can easily introduce a sniffer into any network connection you need to troubleshoot.
If you have a laptop running Wireshark, you can connect it directly to the monitoring port on the GS105E. You will get a copy of all traffic that is being monitored. When done, take the switch back out of the picture. This does involve physically connecting and disconnecting network cables. However, it is portable and doesn’t require much other coordination. It is all in your control when you are onsite and need to do some quick troubleshooting.
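Before trusting a capture taken this way, it helps to confirm the mirror is actually delivering the other port's traffic. The following is an added example, not from the original post: it reads a capture saved in classic pcap format (what `tcpdump -w` writes) and reports whether two-way unicast traffic between other hosts is present. The MAC addresses and sample captures are constructed for illustration.

```python
import struct

def frame(dst, src, payload=b"\x00" * 46):
    """Constructed Ethernet II frame (IPv4 ethertype, dummy payload)."""
    return bytes.fromhex(dst.replace(":", "") + src.replace(":", "")) + b"\x08\x00" + payload

def build_pcap(frames):
    """Classic little-endian pcap, linktype 1 (Ethernet), for the sample data."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def mirror_report(pcap, local_mac):
    """Classify captured frames relative to the sniffer's own MAC address."""
    local = bytes.fromhex(local_mac.replace(":", ""))
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        e = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack_from(e + "I", pcap, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts = {"own": 0, "flooded": 0, "foreign": 0}
    pairs, off = set(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(e + "I", pcap, off + 8)[0]
        f = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(f) < 14:
            continue  # truncated record, no full Ethernet header
        dst, src = f[:6], f[6:12]
        if local in (dst, src):
            counts["own"] += 1
        elif dst[0] & 1:  # group bit: broadcast/multicast reaches every port
            counts["flooded"] += 1
        else:
            counts["foreign"] += 1
            pairs.add((src, dst))
    # One-way foreign unicast can be unknown-unicast flooding; a mirror shows both directions.
    counts["mirror_working"] = any((d, s) in pairs for s, d in pairs)
    return counts

# Constructed sample: laptop, a monitored host and its router (made-up MACs).
LAPTOP, HOST, ROUTER = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
MIRRORED = build_pcap([frame("ff:ff:ff:ff:ff:ff", HOST), frame(ROUTER, HOST),
                       frame(HOST, ROUTER), frame(LAPTOP, ROUTER)])
NOT_MIRRORED = build_pcap([frame("ff:ff:ff:ff:ff:ff", HOST), frame(LAPTOP, ROUTER),
                           frame(ROUTER, HOST)])
```

For a real capture, pass the file's bytes and the capture interface's MAC address to `mirror_report`; a capture saved by Wireshark in its default pcapng format has to be exported as pcap first.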
If you want to leave a connection permanently monitored, you could easily set up an intrusion detection system appliance by installing EasyIDS. This box would need two network cards: one connects into the network so you can access and manage the box, and the other goes into the monitoring switch port. Typically the monitored connection would be an Internet connection (the WAN side of your router/firewall).
By having this IDS always connected to your Internet connection, you now have a bunch of tools readily available should you ever need them (tcpdump, snort, netcat, ntop, arpwatch, etc.). Another idea is to place it on the internal LAN connection of your router/firewall. This might offer a lot of visibility when troubleshooting Internet connectivity issues and tracking usage.
Everyone has favorite tools for troubleshooting networks. Most of the time, it comes down to what is handy and accessible at the moment. If you prepare yourself ahead of time by having a pre-configured switch with a monitoring port along with the right software already installed, you’ll be able to react a lot quicker and more efficiently.