Mike Pennington
  • 30.1k
  • 12
  • 82
  • 153

Two possible choices... a packet capture tap (which is quite viable) or packet capture on the ASA.

If you're not interested in buying a tap and inserting it inline, you shouldn't be afraid of capturing on your Cisco PIX. To capture traffic on the PIX, first define an ACL... assume you're trying to capture traffic from a host inside the firewall at 10.10.10.1.

access-list CAPACL permit ip host 10.10.10.1 any
access-list CAPACL permit ip any host 10.10.10.1

Now start capturing the traffic that matches the ACL using a buffer large enough to find whether this host is legitimately a problem...

capture inside_capture interface INSIDE buffer <some buffer size> access-list CAPACL packet-length 1500 

You can optionally download the capture using tftp...

copy /pcap capture:inside_capture tftp: 

This Cisco doc has a lot of good information about capturing traffic on a PIX / Cisco ASA... DOC 17345 Capturing PIX Traffic

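Once the capture has been copied off the firewall with `copy /pcap`, it can be summarized offline to see which peers 10.10.10.1 is exchanging traffic with. The script below is an added example, not part of the original answer or of Cisco's documentation; it assumes the file is a classic libpcap file with Ethernet framing, and the function names and sample packets are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

HOST = IPv4Address("10.10.10.1")  # the host matched by CAPACL in the answer

def summarize(pcap: bytes, host: IPv4Address = HOST) -> Counter:
    """Return bytes exchanged between `host` and each peer in a classic pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian capture file
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian capture file
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type (assumption of this example)")
    peers, off = Counter(), 24         # 24-byte global header precedes the records
    while off + 16 <= len(pcap):
        incl, orig = struct.unpack(end + "II", pcap[off + 8:off + 16])
        frame_bytes = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame_bytes) < 34 or frame_bytes[12:14] != b"\x08\x00":
            continue                   # truncated or not IPv4 (802.1Q tags not handled)
        src, dst = IPv4Address(frame_bytes[26:30]), IPv4Address(frame_bytes[30:34])
        if src == host:                # count the on-wire length, not the captured
            peers[dst] += orig         # length, since packet-length may truncate
        elif dst == host:
            peers[src] += orig
    return peers

def frame(src: str, dst: str, payload_len: int) -> bytes:
    """Build a constructed Ethernet + IPv4 frame (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len

def sample_pcap() -> bytes:
    """Constructed capture standing in for the file downloaded from the firewall."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, 1)
    for src, dst, n in [("10.10.10.1", "192.0.2.10", 100), ("192.0.2.10", "10.10.10.1", 400),
                        ("10.10.10.1", "198.51.100.7", 20), ("10.10.10.9", "192.0.2.10", 50)]:
        f = frame(src, dst, n)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for peer, nbytes in summarize(sample_pcap()).most_common():
        print(f"{peer}\t{nbytes} bytes")
```

To use it on a real capture, pass the bytes of the downloaded file to `summarize()` instead of `sample_pcap()`.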