Passive Network Tap - Revised.

Introduction: Passive Network Tap - Revised.

About: Bytesize articles instead of a trilogy in one post.
Thought I would take a stab at making a network tap. Basically what is it is used for?  Eavesdrop a network connection. You as an administrator need to see what data is coming off a connection. This is especially helpful if either you do not have access to equipment that controls the network or you want something quick and easy to gather network data. There are a lot of legal implications, so consult an expert before using this device. (Do this at your own risk as I will not be responcible for any or all issues.)

You need to have experience in wiring network cables and sockets to complete this instructable. There are already lots of instructables that will do just that. In fact this instructable was based on an earlier one I was not really impressed with. In any case I kept the original wiring in case there was some commercial device that depended on that type of circuit. (figure 2)

When I built my network tap based on the original designs, I used longer wire than was needed in case I want to use another configuration. Which is actually what I wanted to do.  Most cabling follows the T568B convention on both ends. A crossover cable will have a t568b on one end and a t568a on the other end.   The traditional wiring configuration is as follows:
   Color Codes for T568B
Pin     color  pair  name
---     -----  ---- ---------
1       wh/or   2   TxData +
2       or      2   TxData -
3       wh/grn  3   RecvData+
4       blu     1
5       wh/blu  1
6       grn     3   RecvData-
7       wh/brn  4
8       brn     4 
Traditional network passive taps were wired as figure 3. This worked fine with 10m and 100m network speeds. Basically most traditional network cables used only four of the eight lines. If there were ever any used for the other four lines you were already setup. Actually on a lot of 1g networks all eight lines are used now, but no need to re-cable! In making a tap for a 1g network can lead to speed problems. See figure 4.So as I was told, a capacitor was introduced into the circuit to slow down the traffic. Which leads me to say if you are running 1g network and you see a quick disconnection and then slower speeds, your computer might possible be being tapped.

On my network tap I used two extra female ends. One was for getting the received data and the other for the sent data. I also incorporated the two 220pf capacitors right in the ends so that no soldering would be needed. Since the capacitor wires are thinner, I pushed them down first and then pushed down the existing wiring. See figure 5.  The other tap is hidden on the other side. Last picture is an updated wiring diagram. (wo = 1 brown = 8 so follow the color coding for t568b on the first three  jacks, not the numerical sequence. Then for for the last two jacks:

On connectors 4 and 5 a capacitor goes from the wbrown to the brown pin.

Connector 4
wo to the wg pin
o to the green pin
blue to the wbrown pin
wblue to the brown pin

Connector 5
wg to the wg pin
green to the green pin
wbrown to the wb pin
brown to the brown pin

So how do you use it. You need software that will examine and capture the data such as wireshark.

$ sudo apt-get install wireshark

Warning: Putting a network connection in promiscuous mode leaves you system open to hacking!!

For the next step, it is best to use a computer without any vital data and or etc. and only use it sparingly.

We need to set up the network interface card (aka nic) temporarily in promiscuous mode.

$ sudo ifconfig eth0 promisc

See if the nic tool the setting

$ sudo ifconfig eth0

Since you can only look at either incoming or outgoing data one at a time, you use a second nic (most people just get an usb to ethertnet adapater) and will need to start a second version of wireshark to watch the other nic Later you can piece together the two connections when you are off line.

Run wireshark. Happy hunting!

You can find more information at:   Ethereal was the basis for Wireshark. Also this unit makes a great male to femaile gender changer.

Note: The last picture is of a hidden passive network tap. Unless you tool off the plate, you would never know.


A fiber optic splitter can also be dangerous.

Be the First to Share


    • Tinkercad to Fusion 360 Challenge

      Tinkercad to Fusion 360 Challenge
    • Frozen Treats Speed Challenge

      Frozen Treats Speed Challenge
    • Electronics Contest

      Electronics Contest



    5 years ago

    Would it be sufficient to use 3 keystones and have the middle (Red) keystone as the sole sniffing jack? I want to be able to see outgoing and incoming traffic and I should be able to do that with one jack. I was thinking about keeping the schematic the same and use two capacitors but on one jack. I am no electrical engineer so I am not sure If this is plauseable or not.


    6 years ago on Introduction

    What purpose do the capacitors serve in the device and are they essential to it's function or just to improve reliability?


    Reply 6 years ago on Introduction

    Not an engineer, so I can not tell you exactly, but I am told that it
    helps the signal be cleaner at 1kb. at 100 mb it is not really needed.


    7 years ago on Introduction

    Hey man! Great instructable! I just like to ask for the original electric diagram, because in the original tutorial you have three ports: two for the traffic and one to snooping. I want to know how use one port to snoop instead two. I think diodes to send all flux (TX e RX) from traffic to RX pinouts to snooping machine.



    Reply 7 years ago on Introduction

    The original instructable is on this site. You probably could use one interface, but I do not recommend it.


    7 years ago on Introduction


    Reply 7 years ago on Introduction

    The one you suggest is more expensive, but mine is so easy to make.


    8 years ago

    Nice instrzctable, but just apply a free spellchecker on it, please.