• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

Creating a passive network tap

airdata

airdata

Diamond Member
I found this not too long ago and found it pretty interesting. Have yet to put one together because I don't have any keystones.

I'd been looking for something like this to be able to use wireshark to examine all network traffic on my network, but have unmanaged switches.


http://www.enigmacurry.com/category/diy/




Ethernet%20Tap%20-%20complete.jpg


Ethernet%20Tap%20wiring%20diagram.png
 
Would work for 10 / 100. 1 Gig would monitor trash since all 4 pairs are used. Also there are DSPs used in there since all 4 pairs are able to transmit and receive at the same time. Basically the transmitting NIC is constantly "subtracting" itself from the signal on the wire. So "Wire signal" - "Transmitted signal" = "received signal."
 
Last edited:
true. I was looking for a way to monitor traffic between some netgear switches and a pix 501 that is the default gateway.
 
Use port mirroring on the switches. I would mess with a home grown tap like that, could cause problems. You can purchase a LAN hopper that does something similar, but those are dead technology thanks to port mirroring/span session.
 
A Cisco SLM-2008 is ~US$100 @ CDW and has VLANS and port mirroring and is config''d via web GUI.

We use 'em for cheap taps (we do have some full-speed aggregating single and dual port copper taps, but the SLMs are good for our less critical measurements, and cheap enough to put out to the field when necessary).

IF they only had IGMPv3, they'd be perfect ...
 
And, BTW the home-made tap, as pictured, murders the signal by severely changing the characteristic impedance and load. Skew would be way out-of-spec, and all of the crosstalk specs would also likely be pretty ugly.
 
ScottMac said:
And, BTW the home-made tap, as pictured, murders the signal by severely changing the characteristic impedance and load. Skew would be way out-of-spec, and all of the crosstalk specs would also likely be pretty ugly.
Click to expand...

That's what I was thinking. Fubarred impedance, reflections, just bad all around.
 
Find an old 10/100 hub. Plug the netgear switches in to the hub, plug the PIX 501 into the hub, plug a computer running Wireshark into the hub. Profit++

Since you are only transmitting between the switches and the PIX 501, I don't believe there would be any collisions during peak data transfers.

Another option would be to get a computer with two network cards, bridge them transparently (can be easily accomplished in linux), and then run Wireshark.
 
airdata, one of the wonderful things about Ethernet is its ability to mostly work in situations where it shouldn't. This tap is an example of that. Electrically, it's a very very bad thing. In practice, it works. Mostly.

If you put such a device into your network, don't be surprised when your network works, mostly. Personally, I'm not into working mostly. I like working always.

spidey07, switch mirror ports are not the same as a proper passive tap. You almost never can see bad packets, you almost never can see dropped or modified packets, and mirroring is a feature that often tickles bugs in switches that can screw up your regular traffic. It's a nice feature to have, but I would strongly recommend against using it regularly. Nothing like turning a subtle problem into a catastrophic problem courtesy of a switch bug.
 
Last edited:
cmetz said:
airdata, one of the wonderful things about Ethernet is its ability to mostly work in situations where it shouldn't. This tap is an example of that. Electrically, it's a very very bad thing. In practice, it works. Mostly.

If you put such a device into your network, don't be surprised when your network works, mostly. Personally, I'm not into working mostly. I like working always.

spidey07, switch mirror ports are not the same as a proper passive tap. You almost never can see bad packets, you almost never can see dropped or modified packets, and mirroring is a feature that often tickles bugs in switches that can screw up your regular traffic. It's a nice feature to have, but I would strongly recommend against using it regularly. Nothing like turning a subtle problem into a catastrophic problem courtesy of a switch bug.
Click to expand...

I agree. We have a small pile of NetOptics one and two port output aggregating taps; they're a Very Good Thing to have. I've got a small "pocket tap" that doesn't do the aggregation (has one port for each direction to monitor in addition to the gozinta/gozoutta ports).

We do use the SLM2008's for routine traffic (i.e., "what traffic is passing" not "what's the quality of the traffic passing").
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top