Good article on sniffer placement at http://sevenlayers.wordpress.com/
Running a large number of websites, our enterprise uses the Coradiant TrueSight appliance (now BMC End-User Experience Management), which sniffs HTTP specifically (and SSL if you drop the certs on it). From four different SPAN ports (two on each agg switch), both client-side and server-side VLANs can be monitored on each load-balancer pair.
For general packet captures, I run Wireshark on a physical box that sits outside of our VMware clusters and is tied to an access switch. Using RSPAN (remote SPAN), I can get mirrored packets from just about anywhere in the data center over to Wireshark. Most pcap troubleshooting (like earlier today!) is non-HTTP traffic because of the TrueSight appliance, so I watch conversations like web servers to SQL servers on the side where traffic is unencrypted.
By the way, I’m sure I saw Wireshark documentation that talked about giving it the SSL private key to decrypt traffic, though I haven’t personally tried it and suspect it won’t be simple. For now, I'd just be happier with a more stable Wireshark that doesn't crash under the weight of a mere 10,000 packets. It's supposed to handle 50K packets easily.
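The private-key decryption the comment above refers to has one important precondition that Wireshark's own documentation states: it only works when the captured session negotiated an RSA key-exchange cipher suite, because that is the only case where the client sends the premaster secret encrypted to the server's public key. With DHE/ECDHE suites (and all of TLS 1.3) the server key only signs, and decryption needs the session secrets instead, written by the client or server to a key log file (the SSLKEYLOGFILE mechanism) and pointed at by the TLS protocol preferences. The script below is an added example, not code from the comment or from Wireshark: it walks the TLS handshake records of a capture, finds the ServerHello, and reports whether the negotiated suite is decryptable with the server key alone. The cipher suite numbers are the IANA registry values; the key-exchange labels and the `build_server_hello` records (zeroed randoms, no extensions) are constructed here so it runs offline.

```python
"""Decide whether a captured TLS handshake can be decrypted in Wireshark with the
server's RSA private key (RSA key exchange) or needs a key log ((EC)DHE, TLS 1.3).

Added example, not code from the original comment. The ServerHello records are
constructed inline so the script runs without a real capture.
"""
import struct

HANDSHAKE = 0x16        # TLS record content type
SERVER_HELLO = 0x02     # handshake message type
CERTIFICATE = 0x0B

# Cipher suite values from the IANA TLS registry; the key-exchange label is my own
# classification. Only "RSA" key exchange sends the premaster secret encrypted to
# the server key, which is what Wireshark's RSA-keys-list decryption relies on.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x003C: ("TLS_RSA_WITH_AES_128_CBC_SHA256", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
}


def build_server_hello(cipher_suite, extra_messages=b""):
    """Constructed ServerHello (TLS 1.2 wire version) wrapped in one handshake record."""
    body = (b"\x03\x03"                          # server_version
            + b"\x00" * 32                       # random (zeroed; constructed input)
            + b"\x00"                            # session_id length 0
            + struct.pack(">H", cipher_suite)    # the negotiated cipher suite
            + b"\x00")                           # compression_method null
    msg = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    payload = msg + extra_messages
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack(">H", len(payload)) + payload


def build_certificate_stub():
    """Constructed, empty Certificate message, only to exercise multi-message records."""
    body = b"\x00\x00\x00"  # certificate_list length 0
    return bytes([CERTIFICATE]) + len(body).to_bytes(3, "big") + body


def iter_handshake_messages(data):
    """Yield (msg_type, body) for each handshake message across consecutive TLS records.
    Non-handshake records (e.g. ChangeCipherSpec) are skipped; a handshake message
    fragmented across records is not reassembled (not needed for the constructed input)."""
    pos = 0
    while pos + 5 <= len(data):
        ctype = data[pos]
        rec_len = struct.unpack(">H", data[pos + 3:pos + 5])[0]
        rec = data[pos + 5:pos + 5 + rec_len]
        if len(rec) != rec_len:
            raise ValueError("truncated TLS record")
        pos += 5 + rec_len
        if ctype != HANDSHAKE:
            continue
        off = 0
        while off + 4 <= len(rec):
            mtype = rec[off]
            mlen = int.from_bytes(rec[off + 1:off + 4], "big")
            body = rec[off + 4:off + 4 + mlen]
            if len(body) != mlen:
                raise ValueError("truncated handshake message")
            yield mtype, body
            off += 4 + mlen


def negotiated_cipher_suite(data):
    """Return the cipher suite chosen in the first ServerHello found in the byte stream."""
    for mtype, body in iter_handshake_messages(data):
        if mtype != SERVER_HELLO:
            continue
        pos = 2 + 32                       # skip server_version and random
        sid_len = body[pos]
        pos += 1 + sid_len                 # skip session_id
        return struct.unpack(">H", body[pos:pos + 2])[0]
    raise ValueError("no ServerHello found")


def decryptable_with_server_key(data):
    """Return (suite_name, key_exchange, verdict): True if the server's RSA private key
    is enough for Wireshark to decrypt, False if a key log is required, None if unknown."""
    suite = negotiated_cipher_suite(data)
    name, kx = CIPHER_SUITES.get(suite, ("unknown_0x%04x" % suite, "unknown"))
    if kx == "RSA":
        return name, kx, True
    if kx in ("DHE", "ECDHE", "TLS1.3"):
        return name, kx, False
    return name, kx, None


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        print(decryptable_with_server_key(build_server_hello(suite)))
```

On a real capture you would feed the function the reassembled TCP payload of the server-to-client direction; on the constructed records it reports the RSA suite as decryptable and the ECDHE and TLS 1.3 suites as not. A practical consequence for a web-to-SQL or load-balancer troubleshooting setup: if the servers prefer ECDHE (as modern defaults do), dropping the private key on Wireshark or on a sniffing appliance will not show you the plaintext, and you either capture on the unencrypted side, as the comment describes, or arrange for a key log.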