Network Black Box

I read security researchers use a black box to rewind attacks.

What would it take to build an Open Source version? A network sniffer with alerts.
I guess you would have to retain packets as well for 'rewind'?
Some sort of transparent bridge behind the firewall?

Is this just security researchers with honeypots or does industry use them as well?

What kind of programs would you use for a homebrew version? Tools like Tripwire?
Speaking to your last point, I would employ net/tcpdump and either net-mgmt/tcpreplay or net/bittwist (I have not personally used the last two).

Put a host in between your two points of interest, bridge two NICs and capture all network traffic on that bridge. Stop capture, replay capture file (I'm sure it's not really going to be that easy though).
Tools like Tripwire?
Tripwire only works on files. It basically keeps a database of hashes of all files and compares them at set times. Any file that has a different hash than the one stored in the database has been modified and Tripwire alerts you to this.
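
Added example, not written by anyone in this thread: the "rewind" step the question asks about, applied to a capture file retained from the bridge as suggested in the tcpdump reply. It cuts the packets around an alert time out of a stored capture and writes them as a new pcap. It assumes classic little-endian pcap with microsecond timestamps; the function names and the sample capture are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # classic pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, version, zone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len


def iter_records(pcap: bytes):
    """Yield (timestamp, raw record bytes) for each packet in a classic pcap."""
    if len(pcap) < GLOBAL_HDR.size:
        raise ValueError("truncated pcap global header")
    if GLOBAL_HDR.unpack_from(pcap)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(pcap, off)
        end = off + RECORD_HDR.size + incl_len
        if end > len(pcap):  # capture was cut off mid-packet: stop cleanly
            break
        yield ts_sec + ts_usec / 1e6, pcap[off:end]
        off = end


def rewind(pcap: bytes, alert_ts: float, before: float, after: float) -> bytes:
    """Return a new pcap with only packets in [alert_ts - before, alert_ts + after]."""
    out = bytearray(pcap[:GLOBAL_HDR.size])  # reuse the original file header
    for ts, record in iter_records(pcap):
        if alert_ts - before <= ts <= alert_ts + after:
            out += record
    return bytes(out)


def build_sample() -> bytes:
    """Constructed capture: five 4-byte dummy frames, one every 10 seconds."""
    buf = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i in range(5):
        payload = bytes([i]) * 4
        buf += RECORD_HDR.pack(1_700_000_000 + 10 * i, 0, len(payload), len(payload))
        buf += payload
    return bytes(buf)


if __name__ == "__main__":
    window = rewind(build_sample(), alert_ts=1_700_000_020, before=10, after=5)
    print([int(ts) for ts, _ in iter_records(window)])
```

The output is itself a valid pcap file, so it can be opened or replayed with the same tools that read the full capture.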