A quick overview of the problem
We've been experiencing some issues with our bandwidth usage lately which I fear may be due to misuse (whether intentional or not) of our internet in the office. I want to be able to monitor the network traffic to see if a certain internal IP address is at fault. Our bandwidth should be more than sufficient.
Our setup
We have a 3Com Superstack 3 Switch connected to a Cisco PIX 501 firewall, which then connects into our ISP-provided router.
What I've tried
It seems that neither the switch nor the firewall has a Port Mirroring feature available, so I am not able to keep up a permanent trace. The PIX does offer a temporary trace into its own memory buffer, however I am not too confident using this.
I've also tried installing Wireshark on our (Windows 2000) DNS server, but the packet data here didn't help.
Next steps
Any suggestions from you guys as to how to monitor the traffic would be great. We're not in a position to replace the existing hardware just yet, though. I have looked into the cost of a Network Tap, which I could place between the switch and firewall (or firewall and router) and set up a machine to monitor the packets there. I've never taken this approach before, so wondered if it's really viable.
(your_lan)---[your_switch]--[internet_router]
then change that into
(your_lan)---[your_switch]--[a_hub]--[internet_router]
and plug the monitoring PC (or a secondary link of a monitoring server) on [a_hub]!
Then you can see all traffic to/from the router. Of course it's important that this is a hub, and not a switch or a router ^^ Otherwise you'll have a lot of traffic hidden, as you're not the direct source/destination.
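Once the monitoring PC on the hub has saved a capture, per-host byte totals show which internal address is using the bandwidth. The following is an added Python example, not part of the original post: it reads a classic pcap file and sums wire bytes per LAN address. The LAN range 192.168.1.0/24, the sample addresses and the function names are constructed assumptions, and it assumes the capture was taken where internal addresses are still visible.

```python
import ipaddress
import struct
from collections import defaultdict

def bytes_per_host(pcap: bytes, lan: str) -> dict:
    """Sum wire bytes sent and received by each LAN address in a classic pcap file."""
    net = ipaddress.ip_network(lan)
    magics = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # little-endian (usec, nsec)
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}  # big-endian (usec, nsec)
    end = magics.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len, orig_len = struct.unpack(end + "II", pcap[pos + 8:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated record, or not plain (untagged) IPv4
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if src in net:  # orig_len is the on-wire size, even when the record was cut short
            totals[str(src)]["sent"] += orig_len
        if dst in net:
            totals[str(dst)]["received"] += orig_len
    return dict(totals)

def _record(src: str, dst: str, wire_len: int) -> bytes:
    """Constructed record: Ethernet + IPv4 headers only, as if captured with a short snap length."""
    eth = b"\x02" * 6 + b"\x06" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, wire_len - 14, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return struct.pack("<IIII", 0, 0, len(eth + ip), wire_len) + eth + ip

def sample_capture() -> bytes:
    """Constructed capture: LAN 192.168.1.0/24 talking to documentation-range addresses."""
    flows = [("192.168.1.23", "203.0.113.10", 1514), ("203.0.113.10", "192.168.1.23", 1514),
             ("203.0.113.10", "192.168.1.23", 1514), ("192.168.1.40", "198.51.100.7", 74),
             ("198.51.100.7", "192.168.1.40", 590)]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    return header + b"".join(_record(*f) for f in flows)

if __name__ == "__main__":
    usage = bytes_per_host(sample_capture(), "192.168.1.0/24")
    for ip, n in sorted(usage.items(), key=lambda kv: -sum(kv[1].values())):
        print(f"{ip:15} sent={n['sent']:>8} received={n['received']:>8}")
```

To use it on a real capture, pass the file's bytes and the office's own LAN range in place of the constructed sample.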