Creating a passive network tap

airdata

Diamond Member
I found this not too long ago and found it pretty interesting. Have yet to put one together because I don't have any keystones.

I'd been looking for something like this to be able to use wireshark to examine all network traffic on my network, but have unmanaged switches.


http://www.enigmacurry.com/category/diy/

[Image: Ethernet Tap - complete]

[Image: Ethernet Tap wiring diagram]
 

imagoon

Diamond Member
Would work for 10/100. 1 Gig would monitor trash since all 4 pairs are used. Also there are DSPs used in there since all 4 pairs are able to transmit and receive at the same time. Basically the transmitting NIC is constantly "subtracting" itself from the signal on the wire. So "Wire signal" - "Transmitted signal" = "Received signal."
 
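The subtraction imagoon describes, worked through as an added illustration (not from the thread): a toy baseband model of one twisted pair, with constructed symbol streams. On a 10/100BASE-T pair only one end drives the wire, so a tap reads the sender directly; on a 1000BASE-T pair both ends drive it at once and each receiver recovers the far end by subtracting its own transmitted symbols, which a tap cannot do because it has no copy of either transmitter's symbols. Channel distortion and the adaptive DSP of real PHYs are left out of the model.

```python
"""Toy model of one twisted pair: why a passive tap decodes 10/100BASE-T
but sees only the superposition on 1000BASE-T.  Added example, not code
from the original post.  Symbol values are constructed; real 1000BASE-T
uses PAM-5 levels, modelled here as the integers -2..2."""

LEVELS = (-2, -1, 0, 1, 2)

# Constructed symbol streams driven onto the same pair by end A and end B.
SYMBOLS_A = [2, -1, 0, 1, -2, 2, 1, -1]
SYMBOLS_B = [2, 0, 1, 1, -2, -1, 0, 2]


def wire_signal(tx_a, tx_b):
    """Voltage on the pair per symbol time: both drivers add together."""
    return [a + b for a, b in zip(tx_a, tx_b)]


def echo_cancel(wire, own_tx):
    """What an end station recovers: wire minus what it transmitted itself.
    This is the "Wire signal" - "Transmitted signal" step from the post."""
    return [w - t for w, t in zip(wire, own_tx)]


def tap_sees(wire):
    """A passive tap slices the raw wire voltage against the symbol alphabet.
    Voltages outside the alphabet (e.g. 2 + 2 = 4) are undecodable -> None;
    in-range voltages decode to symbols that belong to neither sender."""
    return [w if w in LEVELS else None for w in wire]


def half_duplex_pair(tx_a):
    """10/100BASE-T: a pair carries one direction only, so B is silent."""
    return wire_signal(tx_a, [0] * len(tx_a))


def demo():
    wire = wire_signal(SYMBOLS_A, SYMBOLS_B)
    return {
        "a_recovers": echo_cancel(wire, SYMBOLS_A),   # equals SYMBOLS_B
        "b_recovers": echo_cancel(wire, SYMBOLS_B),   # equals SYMBOLS_A
        "tap_gigabit": tap_sees(wire),                # neither stream
        "tap_fast_ethernet": tap_sees(half_duplex_pair(SYMBOLS_A)),
    }


if __name__ == "__main__":
    for name, symbols in demo().items():
        print(f"{name:18s} {symbols}")
```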

airdata

Diamond Member
True. I was looking for a way to monitor traffic between some Netgear switches and a PIX 501 that is the default gateway.
 

spidey07

No Lifer
Use port mirroring on the switches. I would mess with a home-grown tap like that, could cause problems. You can purchase a LAN hopper that does something similar, but those are dead technology thanks to port mirroring/SPAN sessions.
 

ScottMac

Moderator, Networking, Elite member
A Cisco SLM-2008 is ~US$100 @ CDW and has VLANs and port mirroring and is config'd via web GUI.

We use 'em for cheap taps (we do have some full-speed aggregating single and dual port copper taps, but the SLMs are good for our less critical measurements, and cheap enough to put out to the field when necessary).

If they only had IGMPv3, they'd be perfect ...
 

ScottMac

Moderator, Networking, Elite member
And, BTW the home-made tap, as pictured, murders the signal by severely changing the characteristic impedance and load. Skew would be way out-of-spec, and all of the crosstalk specs would also likely be pretty ugly.
 

spidey07

No Lifer
> And, BTW the home-made tap, as pictured, murders the signal by severely changing the characteristic impedance and load. Skew would be way out-of-spec, and all of the crosstalk specs would also likely be pretty ugly.

That's what I was thinking. Fubarred impedance, reflections, just bad all around.
 

hawk82

Member
Find an old 10/100 hub. Plug the Netgear switches into the hub, plug the PIX 501 into the hub, plug a computer running Wireshark into the hub. Profit++

Since you are only transmitting between the switches and the PIX 501, I don't believe there would be any collisions during peak data transfers.

Another option would be to get a computer with two network cards, bridge them transparently (can be easily accomplished in Linux), and then run Wireshark.
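The two-NIC transparent bridge hawk82 suggests, as an added example (not from the thread): a small Python wrapper around the iproute2 and ethtool commands that splice two interfaces into one IP-less bridge for a capture box. Interface names `eth1`/`eth2` and the bridge name `br0` are assumptions; it has to run as root, and `dry_run=True` just returns the command list without executing anything.

```python
"""Build a transparent Linux bridge between two NICs for Wireshark.
Added example, not code from the original post.  Assumes iproute2 and
ethtool are installed and the script runs as root; eth1/eth2/br0 are
placeholder names.  Unlike the passive splice, each NIC terminates its
own link, so this works at 1000BASE-T too (at the cost of being inline)."""
import subprocess


def bridge_commands(nic_a="eth1", nic_b="eth2", bridge="br0"):
    """Commands that make nic_a and nic_b one invisible bridge.
    The bridge gets no IP address, so it originates no traffic; STP is
    off so it emits no BPDUs onto the link being observed."""
    cmds = [
        ["ip", "link", "add", bridge, "type", "bridge"],
        ["ip", "link", "set", bridge, "type", "bridge", "stp_state", "0"],
    ]
    for nic in (nic_a, nic_b):
        cmds += [
            ["ip", "addr", "flush", "dev", nic],         # no IP on tap NICs
            ["ip", "link", "set", nic, "master", bridge],
            ["ip", "link", "set", nic, "promisc", "on"],
            ["ip", "link", "set", nic, "up"],
            # NIC offloads would reassemble/segment frames before capture
            # and hide what was actually on the wire; turn them off.
            ["ethtool", "-K", nic, "gro", "off", "lro", "off", "tso", "off"],
        ]
    cmds.append(["ip", "link", "set", bridge, "up"])
    return cmds


def build_bridge(nic_a="eth1", nic_b="eth2", bridge="br0", dry_run=False):
    """Run (or, with dry_run, only return) the bridge setup commands."""
    cmds = bridge_commands(nic_a, nic_b, bridge)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Print the plan; remove dry_run=True to apply it as root.
    for cmd in build_bridge(dry_run=True):
        print(" ".join(cmd))
```

Afterwards capture with Wireshark or `tcpdump -i br0` (either member NIC also works). Being a software bridge, it can drop frames under load and the link goes down with the capture box, which a passive copper tap would not do.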
 

cmetz

Platinum Member
airdata, one of the wonderful things about Ethernet is its ability to mostly work in situations where it shouldn't. This tap is an example of that. Electrically, it's a very very bad thing. In practice, it works. Mostly.

If you put such a device into your network, don't be surprised when your network works, mostly. Personally, I'm not into working mostly. I like working always.

spidey07, switch mirror ports are not the same as a proper passive tap. You almost never can see bad packets, you almost never can see dropped or modified packets, and mirroring is a feature that often tickles bugs in switches that can screw up your regular traffic. It's a nice feature to have, but I would strongly recommend against using it regularly. Nothing like turning a subtle problem into a catastrophic problem courtesy of a switch bug.
 

ScottMac

Moderator, Networking, Elite member
> airdata, one of the wonderful things about Ethernet is its ability to mostly work in situations where it shouldn't. This tap is an example of that. Electrically, it's a very very bad thing. In practice, it works. Mostly.
>
> If you put such a device into your network, don't be surprised when your network works, mostly. Personally, I'm not into working mostly. I like working always.
>
> spidey07, switch mirror ports are not the same as a proper passive tap. You almost never can see bad packets, you almost never can see dropped or modified packets, and mirroring is a feature that often tickles bugs in switches that can screw up your regular traffic. It's a nice feature to have, but I would strongly recommend against using it regularly. Nothing like turning a subtle problem into a catastrophic problem courtesy of a switch bug.

I agree. We have a small pile of NetOptics one- and two-port output aggregating taps; they're a Very Good Thing to have. I've got a small "pocket tap" that doesn't do the aggregation (it has one port for each direction to monitor in addition to the gozinta/gozoutta ports).

We do use the SLM2008s for routine traffic (i.e., "what traffic is passing," not "what's the quality of the traffic passing").