I might have a go at making one then, sounds like a bit of fun. I'll get hold of two USB NICs as well so I've got a pair of inputs. I like the idea of using bridging to bring the two back together so you can see the complete flow as well.
Robin

2010/1/15 Robert Miller <[email protected]>:
> I did a network tap similar to the two shown in the links from Hackaday and
> Instructables. The way I did it was with 4 ports, one to the router, modem,
> whatever faces the internet. Then behind that I split the RX and TX into 2
> separate ports, then the fourth one went to the device I wanted to sniff.
> Now the question I got asked is how do I use the data...
>
> I had a server with 3 NICs, but could have been 2 but I was lazy and wanted
> to reach it from my desk and not stand in the datacenter all day. One
> interface was access to corp network normal operations for Mr. lazy! The
> other 2 were doing absolutely nothing but tcpdump, I had two terminals open
> each running tcpdump to a file that I named something related to the
> interface name so I knew which was TX and which was RX. Then I open the
> captures in Wireshark or your favorite packet tool.
>
> I also reformatted the server and installed OSSIM, having OSSIM watching for
> anything just as you would if it was mirroring a port or inline on a network.
>
> I was in a hurry so my wires did get untwisted but that did not seem to be
> the issue, my issue was the amount of data the server could process and
> log. It seems 14,000 packets a second tends to fill up the hard disk space
> fast with default settings :-) I never dropped a packet due to the
> makeshift tap though.
>
> - Robert
> (arch3angel)
>
> On 1/14/2010 3:24 PM, Sam Buhlig wrote:
>
> To be honest, I don't know how you would do it on only 3 of them. Because if
> your computer that is doing the sniffing has anything hooked up at all to
> the transmit side.....collisions....broadcast from the sniffing
> box.....attenuation (hope that is spelled right) issues....
>
> I do it with 2 NICs and bond them together and the way they are connected
> to the box that is sniffing; it won't allow them to transmit. They are only
> connected to 2 and 6 on both NICs. Which should only allow to receive.
>
> If someone else has any thoughts....throw them on here because I would like
> to know.
>
> As far as throughput issues....have not seen any. I kept the twists as tight as
> possible. Keeping the loss to a minimum.
>
> Thanks,
> Sam
>
> On Thu, Jan 14, 2010 at 11:01 AM, Robin Wood <[email protected]> wrote:
>>
>> 2010/1/14 Sam Buhlig <[email protected]>:
>> > Just another possible workaround for you might be building a passive
>> > tap.
>> >
>> > http://hackaday.com/2008/09/14/passive-networking-tap/
>>
>> This article builds a device with two ports for tapping each direction
>> but then this Instructables does a similar thing with just a single
>> tap port.
>>
>> http://www.instructables.com/id/Make_a_Passive_Network_Tap/step7/close-it-up/
>>
>> What would be the advantage of having the two ports over having just a
>> single port?
>>
>> There is also discussion about untwisting the cables and debate over
>> whether such short lengths of untwisted cable would make any
>> difference to throughput, can anyone comment on this?
>>
>> Robin
>>
>> >
>> > or....
>> >
>> > cinci2600.com/wp-content/uploads/2009/01/passive-taps.odp
>> >
>> > (that is the one I followed)
>> >
>> > It is not as clean as being able to span a port, but a good way to do it
>> > on the cheap.
>> >
>> > Hope this helps.
>> >
>> > Later,
>> > Sam
>> >
>> > On Thu, Jan 14, 2010 at 8:16 AM, Paul Asadoorian <[email protected]> wrote:
>> >>
>> >> From all the research that I did on the WRT54G (and similar hardware
>> >> like the ASUS) this was not possible. I believe that I read somewhere
>> >> that it was possible on some of the hardware, but that the drivers did
>> >> not support it.
>> >>
>> >> If you find that it does, let us know!
>> >>
>> >> Cheers,
>> >> paul
>> >>
>> >> On 1/13/10 7:39 PM, Cody Dumont wrote:
>> >> > Can you set up a mirror or SPAN port using OpenWRT on the ASUS or
>> >> > WRT54G?
>> >> >
>> >> > thanks all..
>> >> >
>> >> > _______________________________________________
>> >> > Pauldotcom mailing list
>> >> > [email protected]
>> >> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> >> > Main Web Site: http://pauldotcom.com
>> >>
>> >> --
>> >> Paul Asadoorian
>> >> PaulDotCom Enterprises
>> >> Web: http://pauldotcom.com
>> >> Phone: 401.829.9552
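
Added example (not part of the original thread): one way to recombine the two per-direction tcpdump files Robert describes into a single time-ordered capture, giving the complete flow Robin mentions. It handles only classic little-endian microsecond pcap files; the function names and the sample packets are constructed for illustration.

```python
import heapq
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver major/minor, zone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
MAGIC_USEC = 0xA1B2C3D4

def read_pcap(data):
    """Yield (timestamp in microseconds, raw record) from classic pcap bytes."""
    if GLOBAL_HDR.unpack_from(data)[0] != MAGIC_USEC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = GLOBAL_HDR.size
    while off + REC_HDR.size <= len(data):
        sec, usec, incl, _orig = REC_HDR.unpack_from(data, off)
        end = off + REC_HDR.size + incl
        if end > len(data):   # final record cut short, e.g. tcpdump killed mid-write
            break
        yield sec * 1_000_000 + usec, data[off:end]
        off = end

def merge_pcaps(rx, tx):
    """Merge the RX and TX captures into one pcap ordered by timestamp."""
    if GLOBAL_HDR.unpack_from(rx)[6] != GLOBAL_HDR.unpack_from(tx)[6]:
        raise ValueError("link types differ; the captures cannot share one header")
    out = bytearray(rx[:GLOBAL_HDR.size])   # reuse the RX file header
    for _, rec in heapq.merge(read_pcap(rx), read_pcap(tx), key=lambda r: r[0]):
        out += rec
    return bytes(out)

def make_pcap(packets, linktype=1):
    """Build a constructed capture from (sec, usec, payload) tuples."""
    out = GLOBAL_HDR.pack(MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, payload in packets:
        out += REC_HDR.pack(sec, usec, len(payload), len(payload)) + payload
    return out

# Constructed sample data standing in for the two per-interface tcpdump files.
RX = make_pcap([(100, 10, b"rx-1"), (100, 500, b"rx-2"), (101, 0, b"rx-3")])
TX = make_pcap([(100, 200, b"tx-1"), (100, 900, b"tx-2")])

def payload_order(pcap):
    """Return the packet payloads in file order."""
    return [rec[REC_HDR.size:] for _, rec in read_pcap(pcap)]

if __name__ == "__main__":
    for payload in payload_order(merge_pcaps(RX, TX)):
        print(payload.decode())
```

The interleaving between directions is only as accurate as the timestamps the capture host put on each packet. On real files, Wireshark's mergecap tool does the same job.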
