IP Filter should be configured to block everything in and out of the SNIFFER NIC interface. In our example this is the em0 interface, IP address 172.16.18.2. You may wish to log any hits on the block rules so that debugging and alerts are easy to accomplish; it's not a bad idea to do the same on the pass rules as well. If you choose to log the rule hits, remember to start ipmon with the proper flags.
Modify /etc/ipf.rules (/etc/opt/ipf/ipf.conf in Solaris) thusly: