Make a Passive Network Tap

198,510

129

37

About: I like to tinker with just about anything, sometimes it works out in the end. Have fun looking at the projects, try tearing something open and let me know how it goes. cheers, -Joe

This instructable will show you how to make an inexpensive network tap to monitor your network.

Companies like Network Optics make incredible taps, for all sorts of media, but if you have 10/100 home network then for $18 in parts from home depot you can make a tap and send the output to YAF/snort/tcpdump/wireshark and see if any data is leaking that should not be.

I have been doing Flow Analysis lately instead of using other tools. I like YAF . Then again I work on it...

If you want to see step by step instructions on setting up a flow collection infrastructure look at this wiki page.

Step 1: Parts

You will need:
3x Leviton Multi Use Cat 5e Jacks (5G108-W)
- I used 2 white and 1 blue, to let me know which one is the tap.
Leviton 3 port wall plate (#41080-3W)
Handy Box
5 inches of cat 5 cable

Step 2: Tools

You will need a wire stripper and a screw driver.

Step 3: Strip Wire

Cut 5 inches of cat 5 cable, and pull out the 8 strands of wire.

Step 4: Wire the First Jack

Separate the strands of wire and wire up the leviton jack. It comes with a little punchdown tool to make this job easy. I followed the color code on the side of the jack, it does not really matter though, as long as you are consistent the whole way through.

Step 5: Wire the Second Jack

To wire the second jack, you should put both the jacks in the wall plate.
Use the punchdown tool to put the wires in the jack using the color codes or same pattern as you did on the first jack. Make sure to leave enough wire left over to reach the third jack.

Step 6: Third Jack

To wire the third jack, drop the third jack in the panel then wire it up just like the 1st and 2nd.

Trim any excess wire.

Step 7: Close It Up

At this point you can close up the box and you are done.

Test it by hooking up the input in the top jack, snooping interface in the middle, and the destination on the bottom.

You can start up your snooping program and watch the traffic spin by. Make sure to have the snooping interface set to promiscuous mode and not assigned an ip.

2 People Made This Project!

Recommendations

  • Plastics Contest

    Plastics Contest
  • Make it Glow Contest 2018

    Make it Glow Contest 2018
  • Optics Contest

    Optics Contest

37 Discussions

0
None
bryanbrews

10 years ago on Introduction

Sorry... stupid question. What exactly can you use this for? I can monitor my network using the network monitor application...

2 replies
0
None
AhamedB2bryanbrews

Reply 1 year ago

Even this article is too old to consider as 'Active' it seems Google still send some traffic for people looking for passive network monitoring solution.

To answer @bryanbrews question, you can monitor part of network data with network monitor application but when it comes to capture EVERY Bit of traffic and most impotently Stealthily device like this tap instrument is must. Even it act like some other 'bridge' equipment, it NEVER sent any data to trace back this device. It is something like wireless / radio scanner, it 'catch' all traffic without 'transmit' single bits if data ....

0
None
joebryanbrews

Reply 10 years ago on Introduction

Hey rancidbry- This would used for looking at all the traffic on your network not just what is being sent to your nic. A way to use it would be say if you had a cheap firewall that did not have logging. Clearly you are dropping packets at the firewall for incoming smb requests, but you do not have a way to see where they are coming from. You could place this between the firewall and cable modem, fire up wireshark and see what was coming in. -Joe

0
None
insturctables

9 years ago on Step 6

Dude, that thing's going to be an EMI magnet . . . not to mention all the NEXT potential. Wouldn't it be better to try to maintain the twists to within 1/2" or better of the IDC blades? If it were me, I would put a hairpin bend in each wire at the tap jack and push the entire bend (both sides of the wire) into the IDC. That would allow both conductors of each set (solid and stripe) to be near one another to allow for twisting. Otherwise a great instructable.

1 reply
0
None
Computothoughtinsturctables

Reply 2 years ago

With all the computing equipment it will be connecting with it , I t may not be notices, especially if it is used in a wall socket with a power socket nearby.

0
None
vimal1

6 years ago on Introduction

cheaper still use 2 cat5 RJ 45 Cables..
cable 1 is host.
cable 2 is tap.
Cut cable2 in half . use a lighter to burn off some of the plastic insulation on the ends
green wire and the green&white wires on both halves.
Remove some of the grey sleeve on cable 1. burn off the insulation on the green&white, green, orange&white and orange wires.
now connect the green&white wire from cable 2 to the green&white wire on cable 1. insulate with electrical tape.
connect the green wire from cable 2 to the green wire on cable 1
insulate with electrical tape.
connect the green wire from other half of cable 2 to the orange wire on cable 1
insulate with electrical tape
connect the green&white wire from other half of cable 2 to the Orange&white wire on cable 1.
insulate with electrical tape.
use marker pen to identify host , tap A and B
cheap and simple.
remove the cable from your PC and Router and replace with cable 1
plug end of cable 2 into another computer with wireshark etc. running . you now have a passive tap.
image grey cable host.
yellow cable tap.

Picture 004.jpgPicture 001.jpgPicture 002.jpgPicture 003.jpg
0
None
samchen

7 years ago on Step 7

I don't get it: Make sure to have the snooping interface set to promiscuous mode and not assigned an ip. How can I do this on a windows machine?

When I plug the cable from a NB with wireshark, the connections were cut off on two machines. Could any explain? Thanks.

0
None
cowen

8 years ago on Introduction

Ok try a normal run average of about 100' untwisted.

There are tolerances but not big ones.

0
None
c80drew

8 years ago on Introduction

Joe,

 Just came across your instructions here, and I put a tap together exactly how you detailed in this instructable. I connect it inline between my modem and router, and I maintain internet access as normal. As soon as I plug the third ethernet cable into the tap interface (or any combination for that matter), my internet connectivity gets interupted and I can no longer pull an IP from my ISP or send/receive traffic. This happens even if the third/tap cable isn't connected to my system setup for passive monitoring - it is just the act of plugging in the cable that causes the interruption. I liked this option because it only required one interface for the passive monitoring (I have a dell laptop I was planning to use), vice the other directions online with 2 interfaces... any advice??

Thanks,
Drew

1 reply
0
None
kiel2155c80drew

Reply 8 years ago on Introduction

Just built this instructable as well and same problem.  I can connect the router and 1 of the computers in either the pass-through or tap port and it works great, no problem.  As soon as the second computer gets plugged in, all lights on the Ethernet ports go out and the connection drops.  Could it be due to not enough voltage/power running through the cable?
 
0
None
primekhan

10 years ago on Introduction

Without twisting the pairs, what's to guard against NEXT (Near end cross talk)? It seems not have been a problem in your case, but if the desire is to monitor *all* traffic, perhaps it would be worth the time to make certain that the hardware wasn't causing any packet loss. Just a thought. I love your idea though!

0
None
nubie

10 years ago on Introduction

Nice, I am very interested in the software tools that you use, it is much cheaper to buy a commercial connector for a $1 if you don't have network stuff laying around:

http://www.monoprice.com/products/product.asp?c_id=105&cp_id=10513&cs_id=1051304&p_id=1112&seq=1&format=2

The 2 I bought are wired as your custom jack here, I opened mine and moved the pins around for use as normal t-splitters to put 2 100Mb LAN links through a single run of Cat5.

If you purchase these they should be wired identically to your box :)

0
None
dings

10 years ago on Introduction

BridgeCouldn't you just put a box in between with two network cards, set up an ethernet bridge and listen to the traffic on the bridge?
I realy like the idèa by the way. What would be realy nice was just two outlets and a "short circut switch," so that traffic either could go through something connected to both or directly across.

0
None
benjamander

10 years ago on Introduction

How is this better than just plugging the sniffer into your router/network switch? Wouldn't that allow the same thing?

4 replies
0
None
baconfishbenjamander

Reply 10 years ago on Introduction

Routers and switches don't work that way. They keep track of which IP is connected to which jack and only forwards the packet on the appropriate connection. Hubs, on the other hand, don't bother and will send everywhere.

0
None
Hoagiebaconfish

Reply 10 years ago on Introduction

There's a technique called ARP cache poisoning that makes switches send you the data but it's easier to use a hub if you can get one these days.