I did a network tap similar to the two shown in the links from Hackaday
and Instructables. The way I did it was with 4 ports, one to the
router, modem, whatever faces the internet. Then behind that I split
the RX and TX into 2 separate ports, then the fourth one went to the
device I wanted to sniff. Now the question I got asked is how do I use
the data...
I had a server with 3 NICs, but could have been 2 but I was lazy and
wanted to reach it from my desk and not stand in the datacenter all
day. One interface was access to corp network normal operations for Mr.
lazy! The other 2 were doing absolutely nothing but tcpdump, I had two
terminals open each running tcpdump to a file that I named something
related to the interface name so I knew which was TX and which was RX.
Then I open the captures in Wireshark or your favorite packet tool.
I also reformatted the server and installed OSSIM, having OSSIM watching
for anything just as you would if it was mirroring a port or inline on a
network.
I was in a hurry so my wires did get untwisted but that did not seem to
be the issue, my issue was the amount of data the server could process
and log. It seems 14,000 packets a second tends to fill up the hard
disk space fast with default settings :-) I never dropped a packet due
to the makeshift tap though.
- Robert
(arch3angel)
On 1/14/2010 3:24 PM, Sam Buhlig wrote:
To be honest, I don't know how you would do it on only 3 of them.
Because if your computer that is doing the sniffing has anything
hooked up at all to the transmit side.....collisions....broadcast from
the sniffing box.....attenuation (hope that is spelled right) issues....
I do it with 2 NICs and bond them together and the way they are
connected to the box that is sniffing; it won't allow them to transmit.
They are only connected to 2 and 6 on both NICs. Which should only
allow to receive.
If someone else has any thoughts....throw them on here because I would
like to know.
As far as throughput issues....have not seen any. I kept the twists as
tight as possible. Keeping the loss to a minimum.
Thanks,
Sam
On Thu, Jan 14, 2010 at 11:01 AM, Robin Wood <[email protected]> wrote:
2010/1/14 Sam Buhlig <[email protected]>:
> Just another possible workaround for you might be building a passive tap.
>
> http://hackaday.com/2008/09/14/passive-networking-tap/
This article builds a device with two ports for tapping each direction
but then this Instructables does a similar thing with just a single
tap port.
http://www.instructables.com/id/Make_a_Passive_Network_Tap/step7/close-it-up/
What would be the advantage of having the two ports over having just a
single port?
There is also discussion about untwisting the cables and debate over
whether such short lengths of untwisted cable would make any
difference to throughput, can anyone comment on this?
Robin
>
> or....
>
> http://cinci2600.com/wp-content/uploads/2009/01/passive-taps.odp
>
> (that is the one I followed)
>
> It is not as clean as being able to span a port, but a good way to do it on
> the cheap.
>
> Hope this helps.
>
> Later,
> Sam
>
> On Thu, Jan 14, 2010 at 8:16 AM, Paul Asadoorian <[email protected]> wrote:
>>
>> From all the research that I did on the WRT54G (and similar hardware
>> like the ASUS) this was not possible. I believe that I read somewhere
>> that it was possible on some of the hardware, but that the drivers did
>> not support it.
>>
>> If you find that it does, let us know!
>>
>> Cheers,
>> paul
>>
>> On 1/13/10 7:39 PM, Cody Dumont wrote:
>> > Can you set up a mirror or SPAN-Port using OpenWRT on the ASUS or
>> > WRT54G?
>> >
>> > thanks all..
>> >
>> > _______________________________________________
>> > Pauldotcom mailing list
>> > [email protected]
>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> > Main Web Site: http://pauldotcom.com
>>
>> --
>> Paul Asadoorian
>> PaulDotCom Enterprises
>> Web: http://pauldotcom.com
>> Phone: 401.829.9552
>
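Added example (not part of the original thread or written by any of its posters): with a two-port tap each capture file holds only one direction of the link, so the RX and TX files have to be interleaved by timestamp before a conversation reads in order, which is what a tool such as Wireshark's mergecap does. The sketch below does that merge for classic little-endian pcap files; the sample packets are constructed placeholder bytes, not real frames, and it assumes both capture NICs sit in the same host so the timestamps share one clock.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_pcap(packets, linktype=1):
    """Build a little-endian classic pcap from (sec, usec, frame) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp_in_usec, raw_record) for each packet in a pcap."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap handled here")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        end = off + 16 + incl
        if end > len(data):
            break  # truncated last record, e.g. capture stopped mid-write
        yield sec * 1_000_000 + usec, data[off:end]
        off = end

def merge_directions(rx, tx):
    """Interleave two single-direction captures into one ordered pcap."""
    if rx[20:24] != tx[20:24]:
        raise ValueError("link types differ, refusing to merge")
    merged = heapq.merge(read_pcap(rx), read_pcap(tx), key=lambda r: r[0])
    return rx[:24] + b"".join(rec for _ts, rec in merged)

# Constructed sample: one file per tap port, payloads are placeholders.
RX = build_pcap([(100, 500, b"SYN-ACK"), (100, 900, b"DATA")])
TX = build_pcap([(100, 100, b"SYN"), (100, 700, b"ACK")])

def merged_order():
    """Return the payloads of the merged capture in timestamp order."""
    return [rec[16:] for _ts, rec in read_pcap(merge_directions(RX, TX))]

if __name__ == "__main__":
    print(merged_order())
```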