
Snort Forums Archive


Construction and Use of a Passive Ethernet Tap


Posted by talb on September 27, 2005 01:04:27

Would it work on a 1 Gbit connection?
If not, is it possible to construct one?
Thanks in advance.

Posted by Joel_Esler on September 27, 2005 06:08:27

Yes it is possible to make one. No, I don't know how. Yes there are guides, Yes you can buy them.

Joel Esler
SOURCEfire

Posted by Harry_Covair on September 30, 2005 18:37:25

I _just_ put one together today. There is a PDF in the docs section that shows how to do it. I simply used four ports in my punchdown block rather than buying some housing for it.

IIRC, the more you pull the pairs of wires away from each other the more degradation you get. Keep it tight.

Posted by Joel_Esler on October 04, 2005 06:33:43

Thanks for the note!


Joel Esler
SOURCEfire

Posted by gbobeck on October 18, 2005 01:06:29

The passive tap which is detailed in the DOCS section will not support gigabit ethernet. It works fine for 10/100Mbit networks. As I understand it, this is because gigabit ethernet uses 2 pairs for transmit and 2 pairs for receive. The tap only listens on one pair for each. Also, there are more strict electrical guidelines in the specifications for gigabit ethernet cables, and unfortunately, that tap may violate those specifications.

Posted by tilted_mtp on November 03, 2005 16:10:20

Even if gigabit did use all four pairs, it would seem easy enough to modify it to support gigabit. Is this not the case? Has anyone actually tried it? Copper gigabit (gigabit in general) taps are ridiculously expensive.

Posted by gbobeck on November 03, 2005 22:18:33

Actually, I'm working on making a real gigabit passive tap as a side project.

The problem with 1000BASE-T is that the spec is available, but not for free. One must purchase a copy of the spec from IEEE.

The other issue which must be addressed is the current drop created by the tap. Once again, I'm working on that also.

I hope to have a solution soon.

Posted by greymore57 on November 30, 2005 00:29:50

gbobeck, I would be very interested in any solution you develop. I have looked at buying a gigabit tap, but to get enough taps would cost more than the budget I have for the whole project!


Posted by gbobeck on December 06, 2005 14:09:50

I hope to have a solution (or at least a design) by the end of the next semester.

Posted by cw3sting on February 15, 2006 11:42:43

gbobeck;

I'm available to help out if you need it.

For all, I've been building and using the 10/100 taps for years, after finding the docs here and on Sun BigAdmin. Two of the papers on my work are on my site http://www.altsec.info/papers.html

I would appreciate comments, and will certainly help out with anyone trying to use the taps.

Posted by nikns on March 09, 2006 01:49:32

gbobeck; I'm interested too :)
cw3sting, I read your docs too.
I have constructed passive network tap as shown in snort.org/docs,
sweet photos can be seen here: http://openbsd.secure.lv/tap/
I'm running on 3Com NICs and never felt any link slowdown or errors.
Once I had problems with 3Com 3C905C NICs (the small ones, made in 2002): after I connected the sniffing cables the NICs didn't link up. So I replaced them with the same 3C905C, but older ones made in 1999, and they were bigger than those new ones. So those new small NICs screwed me.

There is one more interesting issue I always had with the tap and sniffing NICs.
If I connect the sniffing cables to the tap, but at the other end do not connect them to the sensor NICs (even if the sensor is totally powered off), then the connection between the monitored points gets lost.
I don't know how to explain this.

Posted by cw3sting on March 09, 2006 02:24:48

nikns;

If the tap is plugged into the network path to be sniffed, then the tap ports should have their cables plugged into the sensor. Otherwise, I believe what you're seeing is radio interference on the ethernet wires, much like you would see on a SCSI connection with no terminator or the old days of BNC coax without a terminator.

I should start a FAQ on my site to make a point of having the sensor taps plugged in before connecting the tap inline with the network.

Thanks for the link to the pics.

Posted by riopuerco on April 24, 2006 16:47:11


You cannot build a passive tap for Gigabit Ethernet. If you read the standard, you will see that all four pairs are used to transmit AND receive simultaneously. A DSP is used to subtract out the data you are sending (as well as cancel any crosstalk between pairs) to give you the received data for each pair. That's why gigabit Ethernet devices use so much power and cost more. There's a lot more happening inside the chip. If you don't know what is being sent from one side, you can't subtract the signals from one another. An unintentional built-in security mechanism.

You can get a copy of the standard for free from the IEEE website. http://standards.ieee.org/getieee802/portfolio.html You want the base 802.3 standard, though it's not easy reading as it contains every version of Ethernet ever thought of from the original through gigabit.

Unpowered passive taps are asking for trouble and shouldn't be used on anything but very short links where you are OK with messing up the network. Having a "T" in the wiring causes significant loss to your network signal. Even if there is nothing on the "monitor port" of such a tap, Ethernet signals have high enough frequency components that the signal bounces back from the open at the end of the cable and then distorts the network signal by mixing with it. Look up the word "rf stub" for a more detailed explanation of this phenomenon.

Commercial taps use an analog or digital amplifier and circuitry designed to not load or disturb the impedance of the cable as it passes through the tap (at least the good ones do!). Gigabit taps need to interpose themselves between the two devices you are trying to tap. The tap links its own Ethernet controller to each of the two network devices, decodes and duplicates the data and then re-encodes it back to an Ethernet signal.
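The point made in the post above (each 1000BASE-T end recovers the far signal by subtracting its own transmit symbols, so a third party on the wire sees only the sum) can be illustrated with a small model. This is an added example written for this archive page, not code from the thread or from any vendor's tap. It is deliberately idealized: PAM-5 symbol levels, perfect superposition, no attenuation, crosstalk, scrambling or trellis coding, so the "echo" is a plain addition rather than the filtered copy a real hybrid cancels. The symbol streams A_TX and B_TX are constructed, and the function names are the example's own.

```python
"""Model of why an endpoint can decode a 1000BASE-T pair but a passive tap cannot.

Idealized: both ends drive the same pair at once; the line carries the sum of
the two PAM-5 symbols. Each end subtracts the symbol it knows it sent (what the
hybrid/echo canceller does in hardware). A passive tap knows neither side's
symbol and is left with an ambiguous sum for all but the extreme levels.
"""
from collections import defaultdict
from itertools import product

PAM5 = (-2, -1, 0, 1, 2)  # the five 1000BASE-T symbol levels (idealized)

# Constructed symbol streams for the two ends of one twisted pair.
A_TX = [2, -1, 0, 1, -2, 2, 0, -1]
B_TX = [-2, 1, 1, -1, 0, 2, 0, 2]


def line_voltage(a_tx, b_tx):
    """Superposition of both transmitters on one pair, sample by sample."""
    if len(a_tx) != len(b_tx):
        raise ValueError("both ends drive the pair for the same symbol count")
    return [a + b for a, b in zip(a_tx, b_tx)]


def endpoint_receive(line, own_tx):
    """What an endpoint recovers: the line minus its own known transmit symbols."""
    return [v - t for v, t in zip(line, own_tx)]


def tap_candidates(v):
    """All (a, b) symbol pairs a passive tap must consider for one line sample v."""
    return [(a, b) for a, b in product(PAM5, repeat=2) if a + b == v]


def tap_ambiguity():
    """Map each observable line level to the number of symbol pairs producing it."""
    counts = defaultdict(int)
    for a, b in product(PAM5, repeat=2):
        counts[a + b] += 1
    return dict(counts)


def tap_decode_unambiguous(line):
    """Samples a passive tap can decode with certainty (only the +-4 extremes)."""
    return [v for v in line if len(tap_candidates(v)) == 1]


if __name__ == "__main__":
    line = line_voltage(A_TX, B_TX)
    print("line samples seen by a passive tap:", line)
    print("A recovers B's symbols:", endpoint_receive(line, A_TX))
    print("B recovers A's symbols:", endpoint_receive(line, B_TX))
    print("symbol pairs per line level:", tap_ambiguity())
    print("samples the tap can decode:", tap_decode_unambiguous(line))
```

Running it shows both endpoints recovering the far-end stream exactly, while the tap can pin down only the two samples that happen to hit the extreme level; a line level of 0 is consistent with five different symbol pairs. Contrast this with 10/100BASE-TX, where each direction has its own pair and a tap reading that pair sees one transmitter alone, which is all the snort.org docs' passive tap relies on.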