[ale] Ethernet Tap

Transam bob at verysecurelinux.com
Wed Aug 20 14:36:06 EDT 2003


A hub, as opposed to a switch, also can be used.  There are two
considerations:

  1. Most "hubs" actually are a 10 Mbps hub connected via a switch to a
     100 Mbps hub.  Thus your sniffing system must be at the same 10 or 100
     Mbps as the systems under test.

  2. Some devices claiming to be hubs actually are switches.
  
Usually, you can tell if it is operating as expected if the activity lights
on all ports always flash at the same time.  If it is a switch then for
non-broadcast data, only the sending and receiving ports will indicate
activity.

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002

On Wed, Aug 20, 2003 at 12:34:31PM -0400, Mike Panetta wrote:
> I am assuming the reason you are doing the tap is so that the machine that is doing the sniffing is 100% secure (i.e. it can't be easily hacked if the communication is one way only).  If that's the case, place a hub in between the 2 devices you wish to monitor, and just connect the RX lines of the sniffing device to one of the ports on the hub.  The hub should forward packets from both the devices to the RX pins of the sniffer, so you won't get the one-sided communication problems you are having.  The hub however may not show link, but the card on the sniffing box may.
> 
> Another thing that might work (but definitely will not if the connection between the switch and the device you're monitoring is full duplex) is to use "oring diodes" to connect both the RX and the TX lines of the cable to the RX lines of the sniffing device. Try using something like a 1N914 or some such to do the oring.
> 
> Someone a while back posted a gif of a device that Radio Shack sold that "split" a single ethernet jack into 2.  That same concept may work here, assuming the connection is not full duplex, and you are running at 10BaseT speeds (I am not sure it would work at 100BaseT).  It basically used a bunch of bipolar transistors wired as fast diodes to allow every port on the unit to see the signals coming from every other port (including itself IIRC) in a kind of wired OR type config, basically a dirt cheap hub if you will.  Only problem is it would absolutely not work in a full duplex network because it would cause 100% collision rate (RX tied to TX of every port through the "fast diodes").
> 
> Mike
> 
> -------Original Message-------
> From: Christopher Fowler <cfowler at outpostsentinel.com>
> Sent: 08/19/03 06:04 PM
> To: ale at ale.org
> Subject: [ale] Ethernet Tap
> 
> I got my Ethernet Tap working.  Here is the pinout I used.
> 
> 
> 
> 568A Start                      568A End
> 1 GW Tx+ ------------------------ 1 Gw Tx+
> 2 G  Tx- ------------------------ 2 G  Tx-
> 3 Ow Rx+ ----+------------------- 3 Ow Rx+  
> 6 O  Rx- ------+------------------6 O  Rx-
>              | |    
>              | |     568A Tap
>              | + --- 3 Ow Rx+ 
>              +------ 6 O  Rx-
> 
> 
> I guess the problem may be that it is a one-way tap.  It 
> only sees traffic coming from the switch?  Is there
> a way to wire it so that it can receive traffic 
> from the end point too?
> 
> Thanks,
> Chris
>             
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
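An added check for the two questions in this thread (is the "hub" really a hub, and does the tap see both directions?), written for this reply and not part of the original posts: it parses the Ethernet headers of frames captured on the sniffing port and reports whether unicast traffic between the two monitored endpoints is visible in one direction, in both, or not at all. The MAC addresses and the three sample captures are constructed for the demonstration; on a real box you would feed it frames read from a promiscuous-mode socket.

```python
import struct

def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])

def is_group_address(mac: bytes) -> bool:
    """Broadcast and multicast destinations set the I/G bit (bit 0 of octet 0)."""
    return bool(mac[0] & 0x01)

def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800) -> bytes:
    """Constructed minimal Ethernet II frame with a zeroed 46-byte payload."""
    return dst + src + struct.pack("!H", ethertype) + bytes(46)

def tap_report(frames, sniffer_mac: bytes, switch_mac: bytes, host_mac: bytes) -> dict:
    """Judge hub/tap behaviour from what the sniffing port sees: a switched
    port delivers only group frames and frames addressed to the sniffer."""
    c = {"switch_to_host": 0, "host_to_switch": 0, "other_unicast": 0,
         "to_sniffer": 0, "group": 0}
    for frame in frames:
        dst, src, _ = parse_ethernet(frame)
        if is_group_address(dst):
            c["group"] += 1
        elif dst == sniffer_mac:
            c["to_sniffer"] += 1
        elif src == switch_mac and dst == host_mac:
            c["switch_to_host"] += 1
        elif src == host_mac and dst == switch_mac:
            c["host_to_switch"] += 1
        else:
            c["other_unicast"] += 1
    if c["switch_to_host"] and c["host_to_switch"]:
        c["verdict"] = "both directions visible: hub or two-way tap"
    elif c["switch_to_host"] or c["host_to_switch"]:
        c["verdict"] = "one direction only: one-way tap"
    elif c["other_unicast"]:
        c["verdict"] = "foreign unicast seen, but not between the monitored pair"
    else:
        c["verdict"] = "no foreign unicast: port behaves like a switch"
    return c

# Constructed, locally administered MAC addresses for the demonstration.
SNIFFER, SWITCH, HOST = (bytes.fromhex(h) for h in ("020000000001", "02000000000a", "02000000000b"))
BROADCAST = b"\xff" * 6
ONE_WAY = [build_frame(HOST, SWITCH), build_frame(BROADCAST, SWITCH, 0x0806)]   # Rx pair only
TWO_WAY = ONE_WAY + [build_frame(SWITCH, HOST)]                                  # hub or both pairs
SWITCHED = [build_frame(BROADCAST, HOST, 0x0806), build_frame(SNIFFER, SWITCH)]  # ordinary switch port
```

Running `tap_report` over each of the three captures gives "one direction only", "both directions visible" and "no foreign unicast" respectively, which is the software equivalent of watching whether all the activity lights flash together.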