Hardware Requirements
- A single 4-port Ethernet housing (Diagram 1)
- 4 Category 5e modular snap-in jacks (Diagram 2)
- A small section, about 6 inches, of Category 5e cable
Diagram 1: 4-port Ethernet Housing
The housing shown above is available at almost all electronics stores and is very easy to work with.
Assembly
Diagram 2: Category 5e modular snap-in jack
This diagram is usually included with new Category 5e jacks from any other vendor.
Disassemble the section of Category 5e wire that you have into eight separate wires. These wires should have the same color codes as in Diagram 2.
Next, partially assemble the Ethernet housing with the four jacks. These should snap into position easily. Once mounted, begin wiring the first jack position using the solid orange wire. Use the next diagram as a guide. The wires can be inserted with a small screwdriver or some other small flat tool.
Once you have terminated all eight wires, trim off any excess wire that remains. Snap the housing closed, and you should now have a completed passive Ethernet tap (see Diagram 3).
Diagram 3: Category 5e modular snap-in jack
How To Use
Place the passive Ethernet tap inline between a host machine and the Ethernet switch using the two outside positions labeled "HOST". Verify that the link status indicators on your host Ethernet interface and on the Ethernet switch show that the link is up again. You may now connect the Ethernet port of your sniffer or IDS sensor to the Tap A and/or Tap B connectors of the passive Ethernet tap.
An example of this would be having your ISP connection plugged into the "HOST" port to the left of the "TAP A" and a firewall connection plugged into the "HOST" port to the right of "TAP B".
Note: As this is a passive Ethernet tap, you will not see the full duplex connection on either of the two "TAP" ports. Two ways of monitoring the traffic are as follows:
- Install an isolated hub and plug both tap connections, "TAP A" and "TAP B", into it together with an interface from the sniffer. A hub is used because it broadcasts the traffic across all ports, so the sniffer sees the traffic.
- Plug the sniffer into either of the two tap ports, "TAP A" or "TAP B", and monitor the traffic that is being passed.
Flow of Traffic
Diagram 4: Tap Scheme - Flow of Traffic being monitored
- A - RX/TX would be the ISP connection.
- B - RX/TX would be the Firewall connection.
- A - would be the TAP that monitors the traffic being transmitted by the ISP and passes it to the sniffer device. All traffic seen here would have as its source the devices coming from the ISP.
- B - would be the TAP that monitors the traffic being transmitted by the Firewall and passes it to the sniffer device. All traffic seen here would have as its source the devices behind the firewall.
- NOTE: As this is a passive Ethernet tap, the sniffer device does NOT have the capability of injecting data into the line; it can only receive data, NOT transmit.
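Added example (not part of the original guide): because TAP A and TAP B each carry only one direction, a sniffer that records both ports separately has to interleave the two captures by timestamp to get the full conversation back. The sketch below assumes a sniffer with two capture interfaces, one per tap port, each saving a classic pcap file; the function names, MAC addresses and frames are constructed for illustration.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def write_pcap(records):
    """Serialise [(ts_us, frame), ...] as a classic little-endian pcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts_us, frame in records:
        sec, usec = divmod(ts_us, 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse a classic pcap byte string into [(ts_us, frame), ...]."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in (PCAP_MAGIC, 0xD4C3B2A1):
        raise ValueError("not a classic microsecond-resolution pcap")
    endian = "<" if magic == PCAP_MAGIC else ">"
    records, offset = [], 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # final record truncated, e.g. capture stopped mid-write
        records.append((sec * 1_000_000 + usec, frame))
        offset += 16 + incl_len
    return records

def merge_taps(pcap_a, pcap_b):
    """Interleave two one-way captures by timestamp, tagging each frame with its tap."""
    a = ((ts, "A", f) for ts, f in read_pcap(pcap_a))
    b = ((ts, "B", f) for ts, f in read_pcap(pcap_b))
    return list(heapq.merge(a, b, key=lambda rec: rec[0]))

# Constructed sample data: locally administered MACs and a local-experimental EtherType.
ISP, FW = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
def frame(dst, src, payload):
    return dst + src + b"\x88\xb5" + payload

TAP_A = write_pcap([(1_000_100, frame(FW, ISP, b"in-1")), (1_000_400, frame(FW, ISP, b"in-2"))])
TAP_B = write_pcap([(1_000_250, frame(ISP, FW, b"out-1"))])

if __name__ == "__main__":
    for ts_us, tap, f in merge_taps(TAP_A, TAP_B):
        print(f"{ts_us} us  TAP {tap}  src={f[6:12].hex(':')}  dst={f[0:6].hex(':')}")
```

Both captures must be timestamped from the same clock for the interleaving to reflect the real order on the wire.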