Hi-Performance Protocol Identification Engine
 

HiPPIE Passive Configuration

So the decision is to do passive.  It's a great start, and useful for a lot of reasons.  Fortunately, once your kernel is up and working, it's really simple to make a passive HiPPIE system.  First of all, you'll need a span port from a switch or a tap interface; setting those up is an exercise for the reader.  However, if you can plug a network cable that is getting packets into an interface on a HiPPIE system that's not your management interface, HiPPIE can do the rest.  Below is a list of things you'll need to do to start making HiPPIE work on that interface.

  1. Put the interface into promiscuous mode - I've tried to work through making HiPPIE do this on its own, but in my limited attempts, it's failed with a lockup or crash of the system.  However, if you have a boot script that you can put this into, the command is below.  As an example, you could put this into /etc/conf.d/local.start on a Gentoo system.
    # ifconfig [interface] promisc
  2. Enable HiPPIE on the interface for inbound, read-only use - For further details, see the documentation on the proc interface and on enabling a HiPPIE interface.  The simple step is below.
    # echo 1 > /proc/net/hippie/interfaces/[interface]
  3. Check it out! - At this point, depending on how active your span/tap interface is, you should begin seeing packets processed by HiPPIE.  To find out, look at the general HiPPIE statistics in proc, as shown below.  You should have a non-zero number of packets processed and a non-zero number of sessions processed.  If so, HiPPIE is analyzing packets, and you can find further information in the other proc interfaces.
    # cat /proc/net/hippie/stat
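
The three steps above as one boot-script helper that also confirms the promiscuous flag took effect and refuses to run on the management interface. This is an added example, not part of HiPPIE or of the original page; treating the default-route interface as the management interface, the function names, and the overridable `SYSFS`, `HIPPIE` and `ROUTES` variables are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of HiPPIE: run the three steps with sanity checks.
# The three roots are overridable so the checks can be exercised on a test tree.
SYSFS="${SYSFS:-/sys/class/net}"
HIPPIE="${HIPPIE:-/proc/net/hippie}"
ROUTES="${ROUTES:-/proc/net/route}"

# Interfaces carrying a default route (destination and mask both zero).
# Assumption: that is the management interface you do not want to capture on.
mgmt_ifaces() {
    awk 'NR > 1 && $2 == "00000000" && $8 == "00000000" { print $1 }' "$ROUTES" | sort -u
}

# True when IFF_PROMISC (0x100) is set in the interface flags.
is_promisc() {
    flags=$(cat "$SYSFS/$1/flags" 2>/dev/null) || return 2
    [ $(( $flags & 0x100 )) -ne 0 ]
}

enable_passive() {
    iface=$1
    [ -d "$SYSFS/$iface" ] || { echo "no such interface: $iface" >&2; return 1; }
    [ -d "$HIPPIE/interfaces" ] || { echo "HiPPIE proc tree not found" >&2; return 1; }
    if mgmt_ifaces | grep -qxF "$iface"; then
        echo "refusing $iface: it carries the default route" >&2; return 1
    fi
    ifconfig "$iface" promisc || return 1                      # step 1
    is_promisc "$iface" || { echo "$iface did not enter promiscuous mode" >&2; return 1; }
    echo 1 > "$HIPPIE/interfaces/$iface" || return 1           # step 2
    cat "$HIPPIE/stat"                                         # step 3: printed, not parsed
}

# Run only when an interface name is given, e.g. from a boot script.
if [ $# -gt 0 ]; then enable_passive "$1"; fi
```

The statistics are printed as-is because this page does not describe the layout of the stat file; check by eye for the non-zero packet and session counts.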
