Make a Passive Network Tap

Thanks for the detailed instructions & ideas in this thread.

However, you can just buy a pair of in-line ethernet RJ-45 splitter for $8 currently @ Amazon... https://amazon.com/dp/B07CW7JHYV/

Warning that I have not tested this myself. & beware of other splitters that are not in-line & actually spilt 2x2 pairs to create 2 separate connections.

I know this is an old thread, but these days the solution is to use a cheap managed switch configured for port mirroring. You can even put the traffic carrying ports on a port based VLAN, so that packets from the monitoring computer don't interfere with the monitored circuit. If you have 2 NICs available, you can even monitor the 2 directions separately, so that with high data rates you don't overrun a single NIC. For example, I have a cheap 5 port Gb switch, which is capable of passing more than you could squeeze through a single NIC. The switches support it and so does Wireshark. I also have an 8 port managed switch installed as part of my home network, which can be used for mirroring.

Sorry... stupid question. What exactly can you use this for? I can monitor my network using the network monitor application...

Dude, that thing's going to be an EMI magnet . . . not to mention all the NEXT potential. Wouldn't it be better to try to maintain the twists to within 1/2" or better of the IDC blades? If it were me, I would put a hairpin bend in each wire at the tap jack and push the entire bend (both sides of the wire) into the IDC. That would allow both conductors of each set (solid and stripe) to be near one another to allow for twisting. Otherwise a great instructable.

But this is only working with 10/100 Mbit

read this to understand why

http://www.cubro.net/cubro/index.php/papers-docs/whitepaper/35-passiv-gbit-copper-tap

We are working on a full passiv solution also for Gbit and 80 % is done we have working sample ! We did our own mix signal silicon chip for this you see the gui between the RJ45 sockets marked A and B
Call me for details

cheaper still use 2 cat5 RJ 45 Cables..
cable 1 is host.
cable 2 is tap.
Cut cable2 in half . use a lighter to burn off some of the plastic insulation on the ends
green wire and the green&white wires on both halves.
Remove some of the grey sleeve on cable 1. burn off the insulation on the green&white, green, orange&white and orange wires.
now connect the green&white wire from cable 2 to the green&white wire on cable 1. insulate with electrical tape.
connect the green wire from cable 2 to the green wire on cable 1
insulate with electrical tape.
connect the green wire from other half of cable 2 to the orange wire on cable 1
insulate with electrical tape
connect the green&white wire from other half of cable 2 to the Orange&white wire on cable 1.
insulate with electrical tape.
use marker pen to identify host , tap A and B
cheap and simple.
remove the cable from your PC and Router and replace with cable 1
plug end of cable 2 into another computer with wireshark etc. running . you now have a passive tap.
image grey cable host.
yellow cable tap.

hi

I don't get it: Make sure to have the snooping interface set to promiscuous mode and not assigned an ip. How can I do this on a windows machine?

When I plug the cable from a NB with wireshark, the connections were cut off on two machines. Could any explain? Thanks.

Ok try a normal run average of about 100' untwisted.

There are tolerances but not big ones.

Joe,

 Just came across your instructions here, and I put a tap together exactly how you detailed in this instructable. I connect it inline between my modem and router, and I maintain internet access as normal. As soon as I plug the third ethernet cable into the tap interface (or any combination for that matter), my internet connectivity gets interupted and I can no longer pull an IP from my ISP or send/receive traffic. This happens even if the third/tap cable isn't connected to my system setup for passive monitoring - it is just the act of plugging in the cable that causes the interruption. I liked this option because it only required one interface for the passive monitoring (I have a dell laptop I was planning to use), vice the other directions online with 2 interfaces... any advice??

Thanks,
Drew

Without twisting the pairs, what's to guard against NEXT (Near end cross talk)? It seems not have been a problem in your case, but if the desire is to monitor *all* traffic, perhaps it would be worth the time to make certain that the hardware wasn't causing any packet loss. Just a thought. I love your idea though!

Nice, I am very interested in the software tools that you use, it is much cheaper to buy a commercial connector for a $1 if you don't have network stuff laying around:

http://www.monoprice.com/products/product.asp?c_id=105&cp_id=10513&cs_id=1051304&p_id=1112&seq=1&format=2

The 2 I bought are wired as your custom jack here, I opened mine and moved the pins around for use as normal t-splitters to put 2 100Mb LAN links through a single run of Cat5.

If you purchase these they should be wired identically to your box :)

BridgeCouldn't you just put a box in between with two network cards, set up an ethernet bridge and listen to the traffic on the bridge?
I realy like the idèa by the way. What would be realy nice was just two outlets and a "short circut switch," so that traffic either could go through something connected to both or directly across.

Definitely. Some switches detect it as a security breach too.

this is over my head but...dont laugh to hard for this suggestion... couldn't you use windows xp or something like that and give everyone service threw your machine and use wireshark to monitor the data .....im more than sure i missed a few fine points in this discussion but wouldn't it be the same or at least similar results

Be careful with hooking in a hub, a switch is full duplex at the speed on each direction. A hub is not. you can lose critical packets. A hub will allow you to insert packets into the stream. This solution is still better if stealth is required.