Have you ever wanted to view the traffic on a link without forcing it to half duplex with a hub or spending an exorbitant amount of money on an aggregating tap? A cheap DIY passive tap may be your answer.
Before we get into the build, let's explore the types of network taps and their pros and cons.
Hubs are cost-effective and very simple network taps. The problem is that they force the port to half duplex. That is handy because you can monitor the link with a single network card, but a problem that only shows up under full-duplex operation may no longer be observable once the link has been forced to half duplex. Additionally, if the link is heavily used, inserting a hub may affect performance on the network. Finally, true hubs are harder and harder to find, since there is little use for them outside traffic monitoring.
Referred to as SPAN (Switched Port Analyzer) in the Cisco world, port mirroring is the ability of many managed switches to duplicate frames from a monitored port to a dedicated monitoring port. If your switches have this capability it is a non-invasive method of monitoring a link (you don't have to unplug anything to insert a tap), though it too has downsides. Mirroring typically runs as a low-priority process, so if the switch is under heavy load some packets may not be mirrored, which is particularly bad for an IDS. Frames that arrive corrupt are dropped at ingress and never mirrored. And if the bidirectional traffic exceeds the capacity of the monitoring port the excess is dropped: mirroring both ingress and egress of a gigabit link can produce up to 2 Gbps, which exceeds a gigabit monitoring port.
An aggregation tap is connected inline between devices and copies all traffic to a monitoring port. This is similar to port mirroring, the difference being that an aggregation tap is a dedicated device: it does not drop frames due to being overloaded, and corrupt frames are passed on to the monitoring port. Like port mirroring, it can still be oversubscribed if the bidirectional traffic exceeds the output rate of the monitoring port. Aggregation taps tend to be expensive, particularly for personal use. (Note: there are many types of aggregation taps with varying features; this is not meant to be a thorough examination.)
As the name implies, a passive tap contains no active circuitry and is connected inline between the monitored devices. It works simply by splitting out the receive and transmit pairs so that the electrical signal reaches both the intended device and one of two monitoring ports. Two monitoring ports are required because transmit and receive are not aggregated as they are with port mirroring or an aggregation tap, so capturing bidirectional traffic with a passive tap takes two network cards. This requirement is both a blessing and a curse. The obvious downside is the extra network card in the monitoring computer; older versions of Wireshark could not capture from multiple cards at once (current versions can select several interfaces in one capture, and Linux can also capture every interface through tcpdump's any pseudo-interface or bond the two tap interfaces into one), so it may be necessary to run one capture per tap port and merge the files afterwards, for example with mergecap from the Wireshark suite. The benefit of a passive tap, other than being cheap, is that full bidirectional traffic is captured, assuming the monitoring device is able to keep up. Because only the receive pins of the tap ports are wired, the monitoring cards physically cannot transmit onto the link, which is exactly what you want from a device attached to a monitored network. EDIT: Passive network taps do not work on gigabit links. 1000BASE-T uses all four pairs for both receive and transmit, so there are no separate directional pairs to split out. If both endpoints are gigabit-capable, lock one side to 100 Mb/s full duplex (or put a Fast Ethernet-only device at one end) so the link negotiates a speed the tap can follow.
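The capture side of that workflow, as an added example that is not part of the original post: each tap port is captured separately (for example by running tcpdump with -w once per interface), and the two one-direction files are then merged by timestamp. mergecap does this for real captures; the Python below is a self-contained illustration that writes and reads the legacy pcap format (both byte orders, microsecond and nanosecond timestamps), merges two constructed one-direction captures into one chronological file, and refuses to mix link types. The MAC addresses, timestamps and payloads are constructed sample data, and nothing here is the author's code.

```python
"""Merge the two one-direction captures from a passive tap into a single pcap.

Each tap port is captured by its own tcpdump or dumpcap instance, so you end
up with one file per direction.  mergecap(1) interleaves such files by
timestamp; this added example does the same in plain Python on the legacy
pcap format so the merge can be checked offline.
"""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # pcap variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1


def write_pcap(packets, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Serialise [(sec, usec, frame_bytes), ...] into a little-endian pcap image."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype))
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))  # caplen, wirelen
        out += frame
    return bytes(out)


def read_pcap(blob):
    """Parse a pcap image of either byte order; returns (linktype, snaplen, packets).

    Timestamps are normalised to (sec, usec) so nanosecond files merge with
    microsecond ones.
    """
    divisors = {PCAP_MAGIC_US: 1, PCAP_MAGIC_NS: 1000}  # fraction -> microseconds
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in divisors:
            break
    else:
        raise ValueError("not a pcap file")
    divisor = divisors[magic]
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    packets, off = [], 24
    while off + 16 <= len(blob):
        sec, frac, caplen, _wirelen = struct.unpack(endian + "IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + caplen]
        if len(frame) != caplen:
            raise ValueError("truncated packet record")  # capture cut off mid-frame
        packets.append((sec, frac // divisor, frame))
        off += 16 + caplen
    return linktype, snaplen, packets


def merge_captures(*blobs):
    """Merge pcap images into one ordered by timestamp.

    sorted() is stable, so packets with equal timestamps keep the order of the
    input files.  A pcap file has a single link type, so mixing them is refused.
    """
    parsed = [read_pcap(b) for b in blobs]
    linktypes = {lt for lt, _, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError(f"link types differ: {sorted(linktypes)}")
    snaplen = max(s for _, s, _ in parsed)
    merged = sorted((pkt for _, _, pkts in parsed for pkt in pkts), key=lambda p: p[:2])
    return write_pcap(merged, linktypes.pop(), snaplen)


def ethernet_frame(dst, src, payload, ethertype=0x0800):
    """Build a minimal Ethernet II frame from colon-separated MACs (constructed data)."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack(">H", ethertype) + payload


# Constructed sample: a host (…:01) exchanges frames with a peer behind the switch (…:02).
HOST_MAC, PEER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
HOST_CAPTURE = write_pcap([        # what the "host" tap port saw (host -> switch)
    (100, 100, ethernet_frame(PEER_MAC, HOST_MAC, b"SYN")),
    (100, 300, ethernet_frame(PEER_MAC, HOST_MAC, b"ACK")),
])
SWITCH_CAPTURE = write_pcap([      # what the "switch" tap port saw (switch -> host)
    (100, 200, ethernet_frame(HOST_MAC, PEER_MAC, b"SYN-ACK")),
])


def merged_timeline(*blobs):
    """Convenience view of a merge: [(sec, usec, payload), ...] in time order."""
    return [(sec, usec, frame[14:]) for sec, usec, frame in read_pcap(merge_captures(*blobs))[2]]


if __name__ == "__main__":
    for entry in merged_timeline(HOST_CAPTURE, SWITCH_CAPTURE):
        print(entry)
```

Legacy pcap has no per-interface field, so once merged the direction is no longer recorded explicitly; with a passive tap that is harmless, because each frame's source MAC tells you which side sent it. If you want the interface preserved, capture and merge in pcapng instead, which is what recent dumpcap and mergecap do by default.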
Although most of the switches I own and work with are capable of mirroring ports I wanted to be able to see all traffic passing over a link and be able to insert a tap at any point rather than only at a switch. Initially I looked for a guide to building a passive tap but found most of them overly complicated or ugly and fragile. Some were even wired so poorly that in practice they would have taken down the link they were connected to.
In the end I decided to come up with my own. The goal of this project is to create a functional, compact tap that is sturdy enough to be tossed in a bag and doesn't look like a mess of wires. Knowing that I would need four RJ45 jacks, I started by looking for small enclosures that could house four keystone jacks. I didn't find many, and those that I did weren't quite what I wanted. While browsing Monoprice I came across a two-port surface mount box with built-in RJ45 jacks and wondered how difficult it would be to attach two of them together to create a cube with four jacks. Since they were only a few dollars each, I decided to purchase a couple to see if they would fit the bill. To my gratification they worked out better than expected. Enough with the background, let's build one!
- 2 x Monoprice Surface Mount Box Cat5e Double
- 2 x Very small nuts and bolts (I used 1/4″ long, 7/64″ diameter bolts)
- 1 x ~12″ length of Cat5 cable
- Scissors or Snips
- Drill with a bit the same diameter as the bolts
- 110 punch-down tool
- Phillips head screwdriver
Remove the screw from the top of each surface mount box and set the tops aside.
Unscrew the circuit board from each box.
Hold the boxes back to back with the openings for the jacks facing in opposite directions. (I chose to make the boxes face away from each other, you can have them facing the same direction if you would like.) On each side, put the tip of a marker through the hole closest to the jack openings, making sure that it marks the back of the other box.
Use the drill to make a hole where you made the marks.
Secure the boxes together using the bolts and nuts.
Drill a hole through one of the blank areas to the left or right. This hole will be used to pass the receive and transmit wire pairs into the adjoining box, you may need to make it slightly larger than the previous holes.
Screw the circuit board back on to one side of the tap. Use one of the covers to give yourself a stable base.
Remove the jacket from the length of Cat5 cable, but don't untwist the pairs. The wires will be punched down as follows (each conductor runs through both passthrough jacks; the green and orange pairs continue on to the tap jacks in the second box):

| Wire | Box 1: Passthrough 1 | Box 1: Passthrough 2 | Box 2: Host Tap | Box 2: Switch Tap |
|---|---|---|---|---|
| 1 | green-white | green-white | | |
| 2 | green | green | | |
| 3 | orange-white | orange-white | green-white | orange-white |
| 4 | blue | blue | | |
| 5 | blue-white | blue-white | | |
| 6 | orange | orange | green | orange |
| 7 | brown-white | brown-white | | |
| 8 | brown | brown | | |
Punch down the wires for the two passthrough ports according to the table above; the wire numbers are marked on the circuit board. Untwist the pairs as little as possible while punching them down, otherwise interference may be introduced. Don't trim or cut off one side of the green and orange pairs; these will be used to wire in the tap ports. I recommend punching down the green and orange pairs last.
Double check that everything is wired properly, then unscrew the circuit board from the box. Feed the excess green and orange wires through the hole drilled earlier.
Screw the circuit board back on as well as the cover.
Turn the box over and screw in the other circuit board.
Punch down the orange and green pairs according to the wiring table above. The orange pair carries the data sent by the switch, and the green pair carries the data sent by the host device. (The labels assume a host on one side and a switch on the other, connected straight through; between two hosts or two switches the tap still captures both directions, but which tap port sees which end depends on the crossover in the cable or on which end auto-MDI-X swapped its pairs.) I recommend that you keep track of which port is connected to which so you can label them when finished.
Double-check that the wires are in the correct places and screw the cover on. Label each side as either passthrough or tap (the ports with all eight wires connected are the passthrough ports; the ports with only two wires connected are the tap ports). Optionally, you can also label the tap ports as switch or host as described in the previous step.
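Before punching anything down it is worth checking the plan on paper, because a tap that connects the monitoring card's transmit pins to the live pairs is exactly the kind of miswiring that takes a link down. The following Python script is an added example, not part of the original build. It encodes the punch-down table above and checks the rules this guide relies on: passthrough ports straight through on all eight pins, tap ports connected only on their receive pins (3 and 6), the striped conductor on pin 3 so polarity matches the passthrough, and each direction of the link tapped exactly once. The port names, the plan dictionary layout and the BAD_PLAN counterexample are assumptions made for illustration.

```python
"""Check a passive-tap punch-down plan before building it (added example).

Pin roles follow the MDI convention of a host NIC: pins 1/2 transmit and
pins 3/6 receive.  A straight-through host<->switch cable therefore carries
host->switch traffic on the pair landing on pins 1/2 (green in T568A) and
switch->host traffic on the pair landing on pins 3/6 (orange in T568A).
Only 10/100BASE-T applies; 1000BASE-T uses all four pairs bidirectionally.
"""

# Conductor on each pin of a T568A jack (the colour order used in the table above).
T568A = {1: "green-white", 2: "green", 3: "orange-white", 4: "blue",
         5: "blue-white", 6: "orange", 7: "brown-white", 8: "brown"}

# Which direction each pair carries on a straight-through host<->switch link.
DIRECTION_OF_PAIR = {"green": "host->switch", "orange": "switch->host"}

MONITOR_RX_PINS = (3, 6)  # the only pins a tap port may connect
MONITOR_TX_PINS = (1, 2)  # wiring these lets the monitor drive the live link


def pair_of(conductor):
    """'orange-white' and 'orange' are the two halves of the 'orange' pair."""
    return conductor.split("-")[0]


def is_striped(conductor):
    """The striped (white) conductor is the + side of its pair."""
    return conductor.endswith("-white")


def check_plan(plan):
    """Return a list of wiring problems; an empty list means the plan is sound.

    plan = {"passthrough": {name: {pin: conductor}}, "taps": {name: {pin: conductor}}}
    """
    problems = []
    tapped = {}  # direction -> name of the tap port that sees it

    for name, pins in plan["passthrough"].items():
        if pins != T568A:
            problems.append(f"{name}: passthrough must be straight through on all 8 pins")

    for name, pins in plan["taps"].items():
        for pin in sorted(set(pins) - set(MONITOR_RX_PINS)):
            if pin in MONITOR_TX_PINS:
                problems.append(f"{name}: pin {pin} is a monitor transmit pin; "
                                "wiring it lets the monitor talk onto the live link")
            else:
                problems.append(f"{name}: pin {pin} carries nothing useful on a tap port")
        missing = [p for p in MONITOR_RX_PINS if p not in pins]
        if missing:
            problems.append(f"{name}: receive pins {missing} are not connected")
            continue
        plus, minus = pins[3], pins[6]
        if pair_of(plus) != pair_of(minus):
            problems.append(f"{name}: pins 3 and 6 must carry the two halves of one pair")
            continue
        if not is_striped(plus) or is_striped(minus):
            problems.append(f"{name}: polarity reversed, the striped conductor belongs on pin 3")
        direction = DIRECTION_OF_PAIR.get(pair_of(plus))
        if direction is None:
            problems.append(f"{name}: the {pair_of(plus)} pair carries no data on 10/100BASE-T")
        elif direction in tapped:
            problems.append(f"{name}: {direction} is already tapped on {tapped[direction]}")
        else:
            tapped[direction] = name

    for direction in DIRECTION_OF_PAIR.values():
        if direction not in tapped:
            problems.append(f"no tap port sees {direction} traffic")
    return problems


def punch_down_table(plan):
    """Rows of (pin, conductor per port) in the same layout as the table above."""
    ports = {**plan["passthrough"], **plan["taps"]}
    rows = [(pin,) + tuple(pins.get(pin, "") for pins in ports.values())
            for pin in range(1, 9)]
    return list(ports), rows


# The plan from the build above.
PAGE_PLAN = {
    "passthrough": {"Passthrough 1": dict(T568A), "Passthrough 2": dict(T568A)},
    "taps": {"Host Tap": {3: "green-white", 6: "green"},
             "Switch Tap": {3: "orange-white", 6: "orange"}},
}

# Constructed counterexample of the kind the guide warns about: the host tap
# also has its transmit pins wired, and the switch tap has its pair reversed.
BAD_PLAN = {
    "passthrough": PAGE_PLAN["passthrough"],
    "taps": {"Host Tap": {1: "green-white", 2: "green", 3: "green-white", 6: "green"},
             "Switch Tap": {3: "orange", 6: "orange-white"}},
}

if __name__ == "__main__":
    for label, plan in (("page plan", PAGE_PLAN), ("bad plan", BAD_PLAN)):
        print(f"{label}: {check_plan(plan) or 'OK'}")
    ports, rows = punch_down_table(PAGE_PLAN)
    print("Pin", *ports, sep=" | ")
    for row in rows:
        print(*row, sep=" | ")
```

Running it prints OK for the table above and three complaints for the counterexample (two transmit pins wired on the host tap, reversed polarity on the switch tap). If you adapt the tap to T568B jacks, swap the green and orange entries in T568A and DIRECTION_OF_PAIR; the checks themselves do not change.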
You should now have a complete passive network tap! Connect it between a couple of devices and try it out with Wireshark or your packet capture tool of choice, capturing on both tap ports. The capture interfaces need no IP address, only to be up and in promiscuous mode, since the host-side tap port sees frames addressed to other machines. If you don't see any packets, check your cabling and the wiring inside the tap.
Disclaimer: I take no responsibility for any effect this tap has on your network. A properly wired and connected tap can't affect the monitored devices, but an improperly wired tap could be devastating. Always test the tap in a non-production environment.