Passive tap (tap) of fast ethernet - IP "listening in"

TechEkspert 8553 15

TL;DR

A passive Fast Ethernet tap uses two double 8P8C (RJ45) sockets to sniff traffic between two LAN devices without a managed switch or software on the endpoints.
The pairs are first extended 1-1, 2-2, 3-3, 6-6, then the transmit lines are branched to the second socket so each Tap port exposes one direction.
The design targets 100Mb/s Fast Ethernet and maps 1/2 as TX+, TX- and 3/6 as RX+, RX-.
One Tap socket can capture traffic from device to uplink or uplink to device, and two network interfaces let Wireshark monitor both directions simultaneously.
It works only at your own risk, may damage or disturb equipment, and AUTO MDI-MDIX can make the direction available on each Tap socket inconsistent.

Treść została przetłumaczona

Zobacz oryginalną wersję tematu

Report a violation of the law

Reply | New topic

Notify about new articles

📢 Listen (AI):

» | Topic author Helpful post? (+6)

Post #1
17218557 13 May 2018 14:42

Sometimes during deployment, it is necessary to capture network traffic between devices to resolve a problem to remove obstacles. In the case where one of the devices is a computer running software, it is often enough to have Wireshark software installed and check where the problem is. If we want to check the traffic between devices, it is necessary to intercept the transmission from the port of one of the devices.
In professional solutions, we can use the "port mirroring" function on the switch and we can "copy" traffic from the selected port / ports / vlan to another selected port where we connect the computer, eg with Wireshark software. In this way, we can intercept traffic at the interface speed, i.e. 1Gb / s or more (e.g. 10Gb / s), but at higher speeds there are significant requirements for devices that intercept and analyze the tested network traffic.

How can we deal in the "field" when we urgently need to examine the traffic between two devices in the LAN and we do not have a managed switch with the "mirror port" function, and we cannot install traffic analysis software on the devices (e.g. it is a router / printer pair / disk array / switch etc.).
Once a popular way was to use the outdated 10Mb / s hub, nowadays these types of devices are less available and limited bandwidth can be a problem.

We can use the 100Mb / s (fast Ethernet) passive tap method, which will allow intercepting network traffic between devices. It is a solution beyond all standards, which can even damage the equipment (in extreme cases). You can also "separate" yourself from the tap for greater security, e.g. with a fast Ethernet switch for ~ 40 PLN.
Use of the solution is at your own risk, but sometimes such a simple "tap" can be useful when troubleshooting network communication problems.

To prepare the "branch" I used two double 8P8C (RJ45) sockets,
to begin with, we connect the pins of one socket with the socket in the other module:
1 - 1 (TX +)
2 - 2 (TX-)
3 - 3 (RX +)
6 - 6 (RX-)

We get an "extension" that can work in the FastEthernet standard.

Then, in both modules, branch the transmission lines to the second socket. In one socket the transmitting pair (1,2), in the other socket a receiving pair (3,6). The pairs are branched to terminals 3,6 (RX +, RX-).
1 (TX +) - 3 (RX +)
2 (TX-) - 6 (RX-)

3 (RX +) - 3 (RX +)
6 (RX-) - 6 (RX-)

After closing the sockets, it is worth marking them so that the internal wiring diagram is clear to everyone:

Connect the device to the "Device" socket with a straight cable (patch), e.g. in the EIA / TIA T586B standard,
connect the existing cable connected to the interface of the device to the "Uplink" socket.

On Tap sockets we can intercept one-way transmissions "from the device" or "to the device". Connect a straight cable to the "Tap" socket and connect it to the network card in the computer with the Wireshark program installed. ifwe want to intercept the transmission in both directions at the same time, we need two network interfaces on the computer analyzing the traffic.

Due to the common AUTO MDI-MDIX (connection detection with a straight / patch or crossover / crossover cable), the transmission direction available on the Tap terminals is determined experimentally.
In my case, the traffic "from device to Uplink" was available on the "Tap" socket next to the "Uplink" socket, while the "Uplnik to device" traffic was available on the "Tap" socket next to the "Device" socket.

Passive Tap can be used only at your own risk (risk of damage / interference), in home conditions the "tap" may be useful to check the traffic between our home router and the operator's device with an Ethernet interface. You can check what communication is established by the home router and what traffic is coming to the WAN interface from the Internet. Attackers may try to use flaws in the software of cheap routers to build botnets or try, for example, to redirect us to a fake bank website, etc. Checking the router's communication with the Internet can detect anomalies. The device can be useful for education and experimenting with the LAN and for detecting problems with the devices launched (e.g. enc28j60).

What do you think about such a primitive way to analyze network traffic?
About Author
TechEkspert TechEkspert

Editor
Offline

Joined: 19 Sep 2014

Posts: 6917

Help: 16

Posts rating: 5386

Points: 23490
TechEkspert wrote 6917 posts with rating 5386, helped 16 times. Been with us since 2014 year.
ADVERTISEMENT
#2 17218663 13 May 2018 15:40

rb401 rb401

Level 39

» | Helpful post? (0)

Post #2
17218663 13 May 2018 15:40

TechEkspert wrote:
What do you think about such a primitive way to analyze network traffic?

The fact that you showed that it works and this is mainly about (because the hardware itself is trivial) about the overall operation of such a system, i.e. also from the software side, etc., has a great value and it's very nice on your part that you put it here, thanks. And an easy thing to do when needed.
I even think of a more "compact" concept, ie using the corpse of some broken switch or something similar (as long as it has less than 4 sockets), Cutting the paths, eg with a dremel, and connecting the sockets with wires soldered to them. Then one box, not two, would be handy. But it is still a secondary detail depending on what is at hand at the moment.

At the moment I am bothering with such a thing, can a Wireshark like this "bind" packets from two network networks to show them as single transmissions in the sense of eg TCP?
ADVERTISEMENT
#3 17218925 13 May 2018 18:47

TechEkspert TechEkspert

Editor

» | Topic author Helpful post? (0)

Post #3
17218925 13 May 2018 18:47

Can be quite miniaturized, for example, as you write using sockets from damaged equipment,
you can also use only RJ45 plugs. I used the surface-mounted sockets because they had a full box, and it took a moment to press the wires with a patch knife.

As for the order of packets in Wireshark, I suspect that in my application the "time" column was sufficient,
in other cases a packet sequence number may be useful in analyzing a particular link?
ADVERTISEMENT
#4 17219546 14 May 2018 00:12

krru krru

Level 33

» | Helpful post? (0)

Post #4
17219546 14 May 2018 00:12

rb401 wrote:

At the moment I am bothering with such a thing, can a Wireshark like this "bind" packets from two network networks to show them as single transmissions in the sense of eg TCP?

Since you need a computer with two network cards anyway, you just need to install "bridge" software on it to logically connect network cards with each other and record the transmission through one. No weird adapters will be needed.
#5 17219571 14 May 2018 03:10

rb401 rb401

Level 39

» | Helpful post? (+1)

Post #5
17219571 14 May 2018 03:10

krru wrote:
Since you need a computer with two network cards anyway, you just need to install "bridge" software on it to logically connect network cards with each other and record the transmission through one. No weird adapters will be needed.

Also a very nice idea for "wiretapping". But maybe this simple hardware tap can have some advantages in some situations as well. For example, that there is no risk of any interference with packets (some TTL or Ethernet layer addresses etc.) that the bridge and the card crossing can (or possibly must) change. Also, for example, with this hardware solution, only slightly modifying it (by adding a "splitter" on the other side), you can make a double tap-computer monitoring connection with only one cable.

But your proposal also gave me an indirect concept, whether in this hardware solution presented by my colleague TechEkspert, it would not be possible to connect these network cards with this bridge. Then, by tracking the traffic on one of the cards, you could see all the bugged traffic and have synchronized packets so that you could easily see all connections, eg TCP.
It is true that the cards would send "nowhere", but it does not matter. But I don't know if and how such a thing would work out in practice.
#6 17219625 14 May 2018 07:38

Gruby__ Gruby__

Level 16

» | Helpful post? (0)

Post #6
17219625 14 May 2018 07:38

All in all, this can be slightly reduced. Use a LAN tee like this one:

And build a cable
#7 17220072 14 May 2018 13:25

rb401 rb401

Level 39

» | Helpful post? (+1)

Post #7
17220072 14 May 2018 13:25

Gruby__ wrote:

And build a cable

It's not really about that. Because it's not about splitting, but joining parallel to the line. But your suggestion of using such a tee is not bad.
Because by properly preparing two such tees, one can make a tap with a transition to two strands of one cable, and from the other, a splitter for these two strands for two cables for two network cards. And it will be very elegant. Admittedly, not in terms of compliance with standards, etc. But what is not done for science.
And it's important that it works, as shown by the author of this thread.
#8 17220084 14 May 2018 13:31

Gruby__ Gruby__

Level 16

» | Helpful post? (0)

Post #8
17220084 14 May 2018 13:31

But that's what a tee does. Splits the signal into two of the same. So you can connect the source on one side, the receiver on the other and pull the tx and rx out of the third socket using the cable shown in the diagram (for two network card connectors). And then you don't need two tees ;)

EDIT of course I mean a RJ45 tee, not a splitter
#9 17220112 14 May 2018 13:51

rb401 rb401

Level 39

» | Helpful post? (0)

Post #9
17220112 14 May 2018 13:51

Gruby__ wrote:
But that's what a tee does.

Your diagram suggests something else. But you are right here that such a tee can be used as a tap without any modification, and from it a standard 1: 1 cable can go towards the eavesdropping computer. However, from the computer side, a second tee is necessary to switch from one cable to two and it is necessary to modify it to cut off the transmission direction from the eavesdropping network cards (because it will get chaos) and to enter one of the cards with the RX receiver pins on the second twisted pair than the second card has RX connected.
So the second "tee" should have a diagram as you originally drew here. A tap is a tee without modification.
So what you have in the first drawing is ok. And the diagram would apply to the second "tee" (in appearance, because it would not be a tee).
#10 17220548 14 May 2018 18:35

TechEkspert TechEkspert

Editor

» | Topic author Helpful post? (0)

Post #10
17220548 14 May 2018 18:35

I will also mention that to remove some of the problems, it was enough to analyze the packets from one tap sent by the device using a laptop with one network interface and Wireshark.
On a computer with two network interfaces in Wireshark, it was enough to select both cards, start the capture and that's it,
we get packages from both tabs in one "window", packages are probably sorted by arrival time and that was sufficient in this case.

Of course, it is most convenient to use a switch that can be configured to forward packets from selected ports or the entire vlan, with one port we handle the registration of all communication between devices. But you have to have it in place ...
#11 17220581 14 May 2018 18:51

rb401 rb401

Level 39

» | Helpful post? (0)

Post #11
17220581 14 May 2018 18:51

TechEkspert wrote:
On a computer with two network interfaces in Wireshark, it was enough to select both cards, start the capture and that's it,

And some more questions. How did you configure the IP address of these cards (because DHCP would not be able to find out)? I mean, is it possible to listen to packets from a completely different network (with a different address) than the network of these cards.

How long did you have tapu cables to these cards, because it is known that in the parameters of wave lines, such an attachment will severely damage them?
#12 17220594 14 May 2018 18:58

TechEkspert TechEkspert

Editor

» | Topic author Helpful post? (+1)

Post #12
17220594 14 May 2018 18:58

As for IP, they get APIPA without DHCP, but it is accidentally selected, it is better to configure fixed addresses, and set a filter in Wireshark that cuts out these IP addresses just in case.
You can set the IP and mask to be in the listening subnet, but it doesn't really matter because we set the cards to promiscuous mode (mixed mode) and we intercept any traffic.

As for the length, the original cable for the device was about 5m, the cable connecting the splitter with the device is about 3m, while the tap cables are 2x1m. I think that you could "regenerate" the signal with a cheap fast etherent switch for several dozen PLN.
ADVERTISEMENT
#13 17220889 14 May 2018 21:33

IS IS

Level 19

» | Helpful post? (0)

Post #13
17220889 14 May 2018 21:33

I wonder if cheap switches with little memory can be forced to act as a HUB after flooding with false MAC addresses. They used to be attacked like that.
#14 17221099 14 May 2018 23:15

vayo vayo

Level 14

» | Helpful post? (0)

Post #14
17221099 14 May 2018 23:15

krru wrote:
Since you need a computer with two network cards anyway, you just need to install "bridge" software on it to logically connect network cards with each other and record the transmission through one. No weird adapters will be needed.

I am of exactly the same opinion. In such cases, I use an additional USB card. I must admit that I was not even aware of the possibility of linking a card with only RX connected. I like the concept itself as a curiosity, but in practice I will not use it.
#15 17221994 15 May 2018 16:21

TechEkspert TechEkspert

Editor

» | Topic author Helpful post? (0)

Post #15
17221994 15 May 2018 16:21

Port mirroring is sometimes used in production, e.g. for recording calls in a callcenter, regardless of the Voip solutions used. RTP packets and signaling go to the recorder which composes the data into the recordings of consultants' calls.

The data LED is somewhat similar to the described solution. A device that allows one-way communication and galvanic separation. Interestingly, a data diode encased in a suitable proxy allows you to simulate two-way traffic. For example, you can make a system for receiving e-mails, ensuring that no information from the protected system comes back to the sender or the attacker.
#16 17228943 19 May 2018 12:58

Anonymous Anonymous

Anonymous

» |

Post #16
17228943 19 May 2018 12:58

It's a pity it's not that straightforward with Wi-Fi. During the reign of ESP8266 and ESP32, it would be very useful to me.
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

✨ The discussion revolves around methods for capturing network traffic between devices, particularly in scenarios where quick troubleshooting is necessary. Users explore various techniques, including the use of Wireshark for packet analysis and the implementation of hardware taps using modified switches or RJ45 plugs. Suggestions include creating a compact tap from damaged equipment, utilizing bridge software on computers with multiple network cards, and employing LAN tees for signal splitting. The conversation also touches on the importance of packet order in analysis, the configuration of network cards, and the potential for using inexpensive switches as hubs. Additionally, the use of port mirroring in production environments, such as call centers, is mentioned, along with the concept of data diodes for one-way communication.

Home page
/
Forum
/
Articles
/
Passive tap (tap) of fast ethernet - IP "listening in"

FAQ

TL;DR: A sub-€10 DIY passive Fast-Ethernet tap copies 100 Mb/s traffic; "Use of the solution is at your own risk" [Elektroda, TechEkspert, post #17218557] Build it from two RJ45 sockets in 15 min and monitor with Wireshark on one or two NICs. Why it matters: Lets you troubleshoot links when managed switches with port-mirroring aren’t on-site.

Quick Facts

• Supported speed: 10/100 Mb/s only (pairs 1-2 & 3-6) [Elektroda, TechEkspert, post #17218557] • Parts cost: ≈40 PLN (~€9) including optional isolating switch [Elektroda, TechEkspert, post #17218557] • Tested cable run: 5 m uplink + 3 m patch + 2 × 1 m tap leads [Elektroda, TechEkspert, post #17220594] • Required NICs on sniffer PC: 1 for single-direction, 2 for full-duplex capture [Elektroda, TechEkspert, post #17218557] • Wireshark merges both interfaces by timestamp automatically [Elektroda, TechEkspert, post #17220548]

What is a passive Fast-Ethernet tap?

It is a short cable assembly wired in parallel with the TX and RX pairs of a 10/100 Mb/s link. The tap copies electrical signals to a third connector without forwarding packets back, allowing silent monitoring of traffic between two devices [Elektroda, TechEkspert, post #17218557]

When should I use this DIY tap?

Use it in the field when no managed switch offers port-mirroring and you cannot install sniffing software on the endpoints, such as routers, printers or embedded boards [Elektroda, TechEkspert, post #17218557]

How do I build the tap?

Cross-connect pins 1-1, 2-2, 3-3, 6-6 between two RJ45 modules.
Bridge pins 1-2 to 3-6 on the extra jacks to expose TX and RX separately.
Label Device, Uplink and two Tap ports for clarity [Elektroda, TechEkspert, post #17218557]

Which pins carry the monitored signals?

Pins 1 (TX+), 2 (TX−) mirror onto Tap-A; pins 3 (RX+), 6 (RX−) mirror onto Tap-B. Other pairs remain unused, so Gigabit links drop to Fast-Ethernet speeds if they link at all [Elektroda, TechEkspert, post #17218557]

Can the tap damage my equipment?

Yes. The parallel connection violates impedance specs and could over-load PHY drivers or add reflections. The author notes it is "at your own risk" [Elektroda, TechEkspert, post #17218557] Keep total stub length under about 15 m and isolate with a cheap switch if in doubt.

Do I need two network cards in the sniffer PC?

One NIC captures a single direction. To see full-duplex conversations, plug both Tap leads into two NICs and start capture on both; Wireshark merges them by arrival time [Elektroda, TechEkspert, post #17220548]

How should I configure IP on the sniffing NICs?

Assign static addresses or leave APIPA defaults. Because the NICs run in promiscuous mode, packet decoding works regardless of the NICs’ subnets. Filter out the NICs’ own IPs to avoid clutter [Elektroda, TechEkspert, post #17220594]

What cable lengths work reliably?

The example worked with 10 m total stub length without errors [Elektroda, TechEkspert, post #17220594] Longer stubs increase return loss and may force auto-negotiation failures at >15 m, an edge case that drops the link.

Is a software bridge easier?

Bridging two NICs on the sniffer PC also works and avoids impedance issues [Elektroda, krru, post #17219546] Hardware taps, however, guarantee zero packet alteration because they never transmit frames back, useful for forensics [Elektroda, rb401, post #17219571]

Will it work on Gigabit Ethernet or PoE?

No. Gigabit uses all four pairs and expects balanced impedance; the tap only copies two pairs and often forces the link to down-rate or fail. PoE injects 48 V that might arc across the open tap lines—avoid tapping powered pairs [TIA-568.C-2].

Can I force an unmanaged switch to act like a hub instead?

Flooding its CAM table with ≈4 k spoofed MAC addresses can make some budget switches broadcast all frames, replicating hub behaviour [CERT-CC, 2000]. Success varies with model and risk of disruption is high.

Any ready-made alternatives?

Commercial Fast-Ethernet taps start at about €70 and include magnetics to maintain impedance and PoE protection, plus a single monitor port that merges directions internally [DualComm, 2023].