Introduction: Passive Network Tap - Revised.

About: Bytesize articles instead of a trilogy in one post.
Thought I would take a stab at making a network tap. Basically what is it is used for?  Eavesdrop a network connection. You as an administrator need to see what data is coming off a connection. This is especially helpful if either you do not have access to equipment that controls the network or you want something quick and easy to gather network data. There are a lot of legal implications, so consult an expert before using this device. (Do this at your own risk as I will not be responcible for any or all issues.)

You need to have experience in wiring network cables and sockets to complete this instructable. There are already lots of instructables that will do just that. In fact this instructable was based on an earlier one I was not really impressed with. In any case I kept the original wiring in case there was some commercial device that depended on that type of circuit. (figure 2)

When I built my network tap based on the original designs, I used longer wire than was needed in case I want to use another configuration. Which is actually what I wanted to do.  Most cabling follows the T568B convention on both ends. A crossover cable will have a t568b on one end and a t568a on the other end.   The traditional wiring configuration is as follows:
   Color Codes for T568B
Pin     color  pair  name
---     -----  ---- ---------
1       wh/or   2   TxData +
2       or      2   TxData -
3       wh/grn  3   RecvData+
4       blu     1
5       wh/blu  1
6       grn     3   RecvData-
7       wh/brn  4
8       brn     4 
Traditional network passive taps were wired as figure 3. This worked fine with 10m and 100m network speeds. Basically most traditional network cables used only four of the eight lines. If there were ever any used for the other four lines you were already setup. Actually on a lot of 1g networks all eight lines are used now, but no need to re-cable! In making a tap for a 1g network can lead to speed problems. See figure 4.So as I was told, a capacitor was introduced into the circuit to slow down the traffic. Which leads me to say if you are running 1g network and you see a quick disconnection and then slower speeds, your computer might possible be being tapped.

On my network tap I used two extra female ends. One was for getting the received data and the other for the sent data. I also incorporated the two 220pf capacitors right in the ends so that no soldering would be needed. Since the capacitor wires are thinner, I pushed them down first and then pushed down the existing wiring. See figure 5.  The other tap is hidden on the other side. Last picture is an updated wiring diagram. (wo = 1 brown = 8 so follow the color coding for t568b on the first three  jacks, not the numerical sequence. Then for for the last two jacks:

On connectors 4 and 5 a capacitor goes from the wbrown to the brown pin.

Connector 4
wo to the wg pin
o to the green pin
blue to the wbrown pin
wblue to the brown pin

Connector 5
wg to the wg pin
green to the green pin
wbrown to the wb pin
brown to the brown pin

So how do you use it. You need software that will examine and capture the data such as wireshark.

$ sudo apt-get install wireshark

Warning: Putting a network connection in promiscuous mode leaves you system open to hacking!!

For the next step, it is best to use a computer without any vital data and or etc. and only use it sparingly.

We need to set up the network interface card (aka nic) temporarily in promiscuous mode.

$ sudo ifconfig eth0 promisc

See if the nic tool the setting

$ sudo ifconfig eth0

Since you can only look at either incoming or outgoing data one at a time, you use a second nic (most people just get an usb to ethertnet adapater) and will need to start a second version of wireshark to watch the other nic Later you can piece together the two connections when you are off line.

Run wireshark. Happy hunting!

You can find more information at:   Ethereal was the basis for Wireshark. Also this unit makes a great male to femaile gender changer.

Note: The last picture is of a hidden passive network tap. Unless you tool off the plate, you would never know.


A fiber optic splitter can also be dangerous.