Gentoo network passthru packet logger?

[mitm]

Hi all,

I have a client who is interested in logging all of the data that goes into and out of a small (<10 computers) LAN. They also don't want the traffic on the network when it's logged to be indistinguishable from the traffic on the network when it's unlogged. I have physical access to the site and carte blanche to do whatever is necessary to implement this logging.

The network is switched, so we can't just put a packet logger on a box with no IP address set in promiscuous mode. (Right?)

Instead, I was thinking that I would put a box between the gateway and the rest of the network. The box would have two NICs. Anytime one of the NICs received a packet, it would log that packet and write it out to the other NIC. (i.e. it woudln't decrement the TTL, it wouldn't change the source IP/MAC, etc.) It should do this for all protocols -- including arp, icmp, etc. -- so that the traffic for the logged network truly is indistinguishable from the traffic for the unlogged network. (So, essentially, it just copies data from each NIC to the other byte-for-byte, interpreting the data only enough so that it may be logged appropriately.) I have physical access, so I can just grab the logs off the comptuer and delete said logs by hand. The network is switched, so we don't need to worry too much about multiple copies of packets flying around.

Has anyone done something like this? Does anyone know of any tools to do this? I ran across ettercap, which can conduct man in the middle attacks. could this work? I want it to work at the byte level, so are we talking driver-level code here?

Thanks in advance!

[badchien]