
I'm very curious to know if these little black boxes could function as a MITM. I mean, if you're already there mirroring everything that's going across...


Just guessing, but since it "just" gets all of the traffic that is passing in and out of the other server(s)/switchport (probably much like a hub), I don't think it'd be able to interfere with the monitored servers' traffic.

Also, it'd kinda tip off the monitored person(s) if there suddenly was another hop on the route to their server, no?


No. Its entire job is logging. Doing MITMs could very potentially lead to information leaking that shows surveillance is going on. Pretty much any switch a datacenter's going to use has port mirroring, which allows for a passive, invisible tap of a server.


I do wonder if the NSA insists this functionality is there...


This was probably the FBI. And if the data center's switch couldn't mirror the customer port (I can't imagine any data center would use a switch that couldn't - but it is within the realm of possibility), the investigating agency would probably provide a 1U switch along with the 2U server that could handle the mirroring and then they could force the data center to connect the customer through that switch instead.
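The port-mirroring set-up the two comments above describe, written out as an added example (not from the thread): a Cisco IOS-style SPAN session that copies both directions of one customer-facing port to the port where the logging box is plugged in. Interface names and the session number are assumed for illustration.

```cisco
! Added example: mirror a customer's switch port to a passive collector.
! Interface names and session number are assumed, not from the thread.
configure terminal
 ! Customer server is on Gi1/0/24; copy ingress and egress ("both").
 monitor session 1 source interface GigabitEthernet1/0/24 both
 ! Logging box is on Gi1/0/48. Without the "ingress" keyword, a SPAN
 ! destination port only transmits copies; frames the box sends into
 ! Gi1/0/48 are dropped by the switch, so it cannot inject traffic.
 monitor session 1 destination interface GigabitEthernet1/0/48
 ! Keep the destination port out of any VLAN/trunk it does not need.
 interface GigabitEthernet1/0/48
  description passive-tap-collector
  switchport mode access
 end
! Check: "show monitor session 1" should list the source as "Both" and the
! destination with ingress disabled.
```

The default of a SPAN destination port not accepting inbound frames is what makes this a passive tap rather than a MITM position: the collector sees every frame but has no forwarding path back toward the customer port. A box that needs to modify traffic has to be placed inline instead, which is the "1U switch in front of the customer" arrangement described above.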


Just an unfortunate side effect. There are lots of legitimate uses for port mirroring in troubleshooting and monitoring a network, like intrusion detection and performance monitoring.



