Instructables

Make a Passive Network Tap

Make a Passive Network Tap
This instructable will show you how to make an inexpensive network tap to monitor your network.

Companies like Network Optics make incredible taps, for all sorts of media, but if you have 10/100 home network then for $18 in parts from home depot you can make a tap and send the output to YAF/snort/tcpdump/wireshark and see if any data is leaking that should not be.

I have been doing Flow Analysis lately instead of using other tools. I like YAF . Then again I work on it...

If you want to see step by step instructions on setting up a flow collection infrastructure look at this wiki page.
 
Remove these adsRemove these ads by Signing Up
 

Step 1Parts

Parts
You will need:
3x Leviton Multi Use Cat 5e Jacks (5G108-W)
- I used 2 white and 1 blue, to let me know which one is the tap.
Leviton 3 port wall plate (#41080-3W)
Handy Box
5 inches of cat 5 cable
« Previous StepDownload PDFView All StepsNext Step »
34 comments
Aug 31, 2011. 12:52 AMrrostamnejad says:
hi
Nov 23, 2010. 12:24 AMsamchen says:
I don't get it: Make sure to have the snooping interface set to promiscuous mode and not assigned an ip. How can I do this on a windows machine?

When I plug the cable from a NB with wireshark, the connections were cut off on two machines. Could any explain? Thanks.
7
Sep 8, 2008. 7:18 AMmrmath says:
Alright, stupid question time. I know that the pairs are twisted to deal with magnetic stuff. I used to know exactly why, but that was in a geekier lifetime. Wouldn't you be better off leaving the wires as twisted as possible? Doesn't untwisting deteriorate the signal some? Or is the distance you're covering here so small that it won't make a difference? (That last one, by the way, doesn't seem possible, as the wires are pretty tightly wrapped.
Sep 8, 2008. 7:54 AMtehmiller says:
The distance between the jacks here is too insignificant to cause much signal deterioration. For something like this, it doesn't really matter, at least in my experience. But watch someone come along and completely blow my theory out of the water :P
Sep 9, 2008. 9:49 PMAllanButton says:
I have validated a 10ft run of Cat 5e that was completly untwisted, for 1gb speed.
Apr 4, 2010. 8:09 PMcowen says:
Ok try a normal run average of about 100' untwisted.

There are tolerances but not big ones.
6
Sep 8, 2008. 11:22 PMfrollard says:
In my network wiring classes, we were instructed when punching keep the wires twisted as long as humanly possible - but reality is that the tolerances are built into the hardware these days that a a millimeter or even an inch untwisted wont hurt you in noise/attenuation...much.
2
Sep 8, 2008. 10:00 AMcrapflinger says:
at this distance it shouldn't make a difference at all..you could just strip a small portion of the ethernet sheathing on the ends and just double punch the lines (i.e. two of the same color in each punch) but that could get a little funky
Jan 29, 2010. 4:21 PMc80drew says:
Joe,

 Just came across your instructions here, and I put a tap together exactly how you detailed in this instructable. I connect it inline between my modem and router, and I maintain internet access as normal. As soon as I plug the third ethernet cable into the tap interface (or any combination for that matter), my internet connectivity gets interupted and I can no longer pull an IP from my ISP or send/receive traffic. This happens even if the third/tap cable isn't connected to my system setup for passive monitoring - it is just the act of plugging in the cable that causes the interruption. I liked this option because it only required one interface for the passive monitoring (I have a dell laptop I was planning to use), vice the other directions online with 2 interfaces... any advice??

Thanks,
Drew
Feb 9, 2010. 8:26 PMkiel2155 says:
Just built this instructable as well and same problem.  I can connect the router and 1 of the computers in either the pass-through or tap port and it works great, no problem.  As soon as the second computer gets plugged in, all lights on the Ethernet ports go out and the connection drops.  Could it be due to not enough voltage/power running through the cable?
 
Mar 22, 2009. 10:54 PMinsturctables says:
Dude, that thing's going to be an EMI magnet . . . not to mention all the NEXT potential. Wouldn't it be better to try to maintain the twists to within 1/2" or better of the IDC blades? If it were me, I would put a hairpin bend in each wire at the tap jack and push the entire bend (both sides of the wire) into the IDC. That would allow both conductors of each set (solid and stripe) to be near one another to allow for twisting. Otherwise a great instructable.
Sep 17, 2008. 10:46 PMprimekhan says:
Without twisting the pairs, what's to guard against NEXT (Near end cross talk)? It seems not have been a problem in your case, but if the desire is to monitor *all* traffic, perhaps it would be worth the time to make certain that the hardware wasn't causing any packet loss. Just a thought. I love your idea though!
Sep 17, 2008. 9:45 AMnubie says:
Nice, I am very interested in the software tools that you use, it is much cheaper to buy a commercial connector for a $1 if you don't have network stuff laying around:

http://www.monoprice.com/products/product.asp?c_id=105&cp_id=10513&cs_id=1051304&p_id=1112&seq=1&format=2

The 2 I bought are wired as your custom jack here, I opened mine and moved the pins around for use as normal t-splitters to put 2 100Mb LAN links through a single run of Cat5.

If you purchase these they should be wired identically to your box :)
Sep 12, 2008. 1:31 AMdings says:
BridgeCouldn't you just put a box in between with two network cards, set up an ethernet bridge and listen to the traffic on the bridge?
I realy like the idèa by the way. What would be realy nice was just two outlets and a "short circut switch," so that traffic either could go through something connected to both or directly across.
Sep 9, 2008. 3:26 PMbenjamander says:
How is this better than just plugging the sniffer into your router/network switch? Wouldn't that allow the same thing?
Sep 10, 2008. 4:44 PMbaconfish says:
Routers and switches don't work that way. They keep track of which IP is connected to which jack and only forwards the packet on the appropriate connection. Hubs, on the other hand, don't bother and will send everywhere.
Sep 11, 2008. 12:56 PMHoagie says:
There's a technique called ARP cache poisoning that makes switches send you the data but it's easier to use a hub if you can get one these days.
Sep 11, 2008. 1:53 PMbaconfish says:
True, I just kind of figured that defeated the whole "passive" thing.
Sep 12, 2008. 12:14 AMHoagie says:
Definitely. Some switches detect it as a security breach too.
65
Sep 10, 2008. 4:43 PMjoe (author) says:
Its not better at all, if your router has the ability to do a span port, or if you a sniffer/tap you don't need this. This would be more aimed at the home user who wanted to see , for example if non routeable traffic was making it past your linksys firewall. Thanks for looking. -Joe
Sep 11, 2008. 9:22 PMwethecom says:
this is over my head but...dont laugh to hard for this suggestion... couldn't you use windows xp or something like that and give everyone service threw your machine and use wireshark to monitor the data .....im more than sure i missed a few fine points in this discussion but wouldn't it be the same or at least similar results
Sep 11, 2008. 7:15 PMredshirt3 says:
Be careful with hooking in a hub, a switch is full duplex at the speed on each direction. A hub is not. you can lose critical packets. A hub will allow you to insert packets into the stream. This solution is still better if stealth is required.
4
Sep 11, 2008. 4:38 PMpuffyfluff says:
Neat Idea, I never would have thought of this.
1
Sep 9, 2008. 1:17 PMZak says:
This may work a bit but is is not 'correct'. The snooping PC will have its input connected to one direction of communication, while the other direction is not monitored, but even hampered as it is connected to the output of the 'snooping PC'. TO do this right needs 2 network cards in the snooper, of which one RX pair listens to what goes from A to B, while the other listens to what goes in the other direction (over a different wire pair).
Sep 11, 2008. 1:06 PMHoagie says:
That's true - especially the bit about the TX pair hindering the link. Sometimes, just one direction is all you want. In those cases just connecting one pair in the sniffer socket and using one NIC would be fine. Can't remember which pair is which off the top of my head though.
1
Sep 10, 2008. 6:17 PMMACKattacksnipe says:
your exactly right
1
Sep 10, 2008. 6:17 PMMACKattacksnipe says:
your exactly right Zak
65
Sep 10, 2008. 4:45 PMjoe (author) says:
Hey Zak - You are correct, you can make the tap your are talking about and use two nics. I have had success using this tap with fedora setting the nic to promiscuous and disabling arp and am able to see all traffic. I'll put together another instructable showing the tap you are talking about. Thanks for bringing this up. -Joe
1
Sep 11, 2008. 12:34 PMSpokehedz says:
The much easier solution (and indeed, a much more robust solution) is to find a cheap 10/100 HUB (not a switch) and put it in the middle of whatever you want to monitor. yeah. The ones that are $1 at fleamarkets. Oldest trick in the book.
Sep 9, 2008. 12:00 PMMarche says:
Awesome work dude! Ill post pics when I finish building one inside a altoids tin for mobile tapping :3
65
Sep 10, 2008. 5:26 PMjoe (author) says:
Thanks! I knew I should have jammed it in a altoids tin :) -Joe
Sep 9, 2008. 12:25 PMrancidbry says:
Sorry... stupid question. What exactly can you use this for? I can monitor my network using the network monitor application...
65
Sep 10, 2008. 4:50 PMjoe (author) says:
Hey rancidbry- This would used for looking at all the traffic on your network not just what is being sent to your nic. A way to use it would be say if you had a cheap firewall that did not have logging. Clearly you are dropping packets at the firewall for incoming smb requests, but you do not have a way to see where they are coming from. You could place this between the firewall and cable modem, fire up wireshark and see what was coming in. -Joe
Sep 9, 2008. 12:16 PMbrs928 says:
I don't think it matters what jack you plug into for the incoming, monitoring, and outgoing cables. They're all just wired in parallel, so it makes no difference.

Pro

Get More Out of Instructables

Already have an Account?

close

All Steps Viewing
View all steps of an Instructable on the same page when you're a Pro Member.

Upgrade to Pro today!
68
Followers
65
Author:joe
I like to tinker with just about anything, sometimes it works out in the end. I am a researcher in network security by day and a bike rider by night. Have fun looking at the projects, try tear...
more »