You can use a managed switch as a tap into your network, and let it send packets to a NetFlow or sFlow exporter, which can, in turn, send flow records to a NetFlow or sFlow collector such as InterMapper Flows. (You might want to do this if your switches or routers don't support NetFlow or sFlow natively.)
The trick is that the switch must support "port mirroring" or a "SPAN port" (http://en.wikipedia.org/wiki/SPAN_port). The switch sends copies of packets flowing to/from one port or set of ports to a separate "span" or "mirror" port on the switch, and then to the Flow collector.
Dartware decided to evaluate the Cisco/Linksys SLM2005 Small Business Smart Switch based on a mention in Network World. This inexpensive switch (about $100) supports 10, 100, and Gigabit connections on its five ports. It also supports VLANs, 802.1X port authentication, Power over Ethernet, and more. The only downside that I saw with this switch is that it doesn't support SNMP.
The Web GUI allows you to enable port mirroring (Admin > Port Mirroring) so that the single Target port receives copies of all the packets sent to and from the Source port.
As shown in the image below, we connected the SLM2005 between our external router/firewall and the backbone switch. (The screen shot is actually taken from an InterMapper map showing our production network.) We then connected the Target port of the switch to a NetFlow exporter (we used the nProbe software from ntop.org). This was configured to send the flow records into InterMapper Flows.
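To confirm that the mirror port, nProbe, and collector chain described above is actually delivering flow records, the following added example (not Dartware's or ntop's code) decodes a NetFlow v5 datagram the way a collector would and reports what it carries. It assumes the standard v5 wire layout, the conventional exporter port UDP/2055, and uses a constructed two-flow datagram rather than captured traffic.

```python
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (network byte order): 24-byte header, then 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48

def parse_netflow_v5(packet: bytes) -> dict:
    """Decode one NetFlow v5 datagram as an exporter such as nProbe would send it."""
    if len(packet) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(packet) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header claims more records than the datagram carries")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, packet[off:off + RECORD_LEN])
        records.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                        "packets": f[5], "bytes": f[6],
                        "sport": f[9], "dport": f[10], "proto": f[13]})
    # Low 14 bits of the sampling field hold the interval; the top 2 bits are the mode.
    return {"sequence": seq, "sampling": sampling & 0x3FFF, "records": records}

def build_sample_datagram() -> bytes:
    """Constructed sample (not real traffic): one v5 datagram carrying two TCP flows."""
    hdr = struct.pack(HEADER_FMT, 5, 2, 1000, 1700000000, 0, 42, 0, 0, 0)
    def rec(src, dst, pkts, octets, sport, dport, proto):
        return struct.pack(RECORD_FMT, IPv4Address(src).packed, IPv4Address(dst).packed,
                           b"\0" * 4, 1, 2, pkts, octets, 0, 0, sport, dport,
                           0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    return (hdr + rec("192.0.2.10", "198.51.100.20", 12, 9000, 51000, 443, 6)
                + rec("198.51.100.20", "192.0.2.10", 9, 1500, 443, 51000, 6))

def serve(bind="0.0.0.0", port=2055):
    """Tiny sanity-check collector: summarise the first datagram the exporter sends."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    data, peer = sock.recvfrom(65535)
    flow = parse_netflow_v5(data)
    print(f"{peer[0]}: seq={flow['sequence']} records={len(flow['records'])}")
    for r in flow["records"]:
        print(f"  {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} proto={r['proto']} bytes={r['bytes']}")
```

Point nProbe at the host running serve() and you should see one summary line per datagram; silence after the tap is wired up means the mirror port or the exporter path is not delivering.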

Update:
Uli Hertweck from System.de (one of Dartware's resellers in Germany) wrote to me with an excellent response to my earlier posting. His major points:
- In my initial description of the system, I had left out the presence of a NetFlow exporter. The image above shows the actual interconnections.
- Uli also pointed out that any additional equipment introduces a possible point of failure. In this particular application, if the switch-as-network-tap fails, then the entire network stops. The Linksys SLM2005 introduces two kinds of failure possibilities:
  - Point of Attack: its web agent doesn't allow HTTPS, and it's unknown how much penetration testing the web interface has endured.
  - Point of Failure: it has only a single power supply, which is easily knocked loose, especially since the switch cannot be rack-mounted.
- A better choice might be the Linksys SRW208. It's a bit more expensive ($150) and supports essentially the same features as the cheaper SLM2005, but offers these capabilities:
  - It is SNMP managed, so InterMapper can see and monitor traffic on all ports.
  - It can be configured through HTTPS and SSH, and you can turn off the HTTPS agent if desired.
  - However, its external AC power adapter is still prone to disconnection.
- Uli points out that in a serious production environment it is mandatory to use a span port on the backbone switch. This eliminates the tap as a point of failure.
- The best alternative of all (if your equipment supports it) is to use flow-capable routers and switches. They send the flow data directly to your collector, eliminating the need for a network tap, a span/mirror port, and the flow exporter. We have done this with our backbone HP ProCurve switch. It exports sFlow records to our InterMapper Flows collector, as shown in the image above.