The NetDetector was configured with two monitoring interfaces on separate LAN segments in the lab. One interface was plugged into a Cisco 2950 10/100 switch inside the network. The switch was configured to mirror packets from all interfaces to that port. The other interface on the NetDetector was plugged into a Cisco 2924 switch placed outside the firewall, with all packets from the firewall and Internet router mirrored to the NetDetector port. The NetDetector unit was left in place for a week.
I ran several load tests, using custom Perl scripts to generate connections between hosts inside and outside the network on random ports, and also to generate large amounts of HTTP, Telnet, and AIM traffic. Focused testing was done by using network resources normally, then inspecting the captures. Attack testing was conducted in a closed network with a single source and target system, although the NetDetector noted and logged hundreds of attack attempts seen on the external segment of the production network.