In my home network, I have a passive tap sitting between my cable modem and my router. Instead of spending a lot of money on a commercial one, I made my own. They’re surprisingly simple to make, and just as simple to use.
Let’s start with the wiring. At a local electronics store I bought 4 RJ-45 jacks (I probably shouldn’t have bought solder-less ones, but I didn’t feel like buying a board to solder them to). Two of the jacks are the in-line host ports, one for each end of the existing cable; the other two are the tap ports. Two tap ports are needed because each one carries a single direction only: traffic flowing one way along the cable appears on the first tap port, and traffic flowing the other way appears on the second.
Set up the wiring as shown in this wiring diagram (credit goes to the Snort team for the diagram):
Personally, I split open a network cable and used the wires inside so that the colour coding would match the diagram; that’s probably the easiest way to wire the jacks.
After wiring the jacks, test that data passed from one host port to the other host port arrives unchanged: the host-to-host path must behave like a plain straight-through cable. Below is a picture of the tap I built. Yes, I know it’s very messy; the box I bought for it didn’t fit the way I wanted.
Next, connect the two tap ports (labeled “tap 1” and “tap 2” in the picture above) to two NICs in the machine of your choice. I’m using FreeBSD to manage the bridge. If you want to monitor outbound and inbound traffic separately, you’re done: start tcpdump on either tap interface and you’ll see all the traffic in that direction.
If you want to see both outbound and inbound traffic on one interface, you’ll need to bridge the two tap interfaces. You can do this in FreeBSD with the following:
shell> ifconfig bridge create
shell> ifconfig bridge0 addm ed0 addm ed1 monitor up
shell> tcpdump -i bridge0
(or run snort/bro-ids/argus/etc on interface bridge0)
In this case my network cards are ed0 and ed1; if you have different interfaces, substitute their names instead. The “monitor” keyword puts the bridge into monitor mode: received frames are handed to bpf(4), so tcpdump and the other tools above see them, and are then discarded, so the bridge never forwards anything between the two tap NICs. You don’t need to assign an address to the bridge interface, and since only the receive wires reach the tap ports, the monitoring machine couldn’t transmit through the tap even if it tried. Two caveats: because the tap NICs have no transmit path, autonegotiation can’t complete on them, so if an interface refuses to come up you may need to force its speed and duplex with ifconfig’s media and mediaopt options; and this pair-splitting trick only works on 10/100 links, since 1000BASE-T sends in both directions on every pair and cannot be split this way. For more advanced bridging, check out the FreeBSD manual on bridging.
Note that you’ll need a third network card in the monitoring machine if you want to manage it remotely, since the two tap NICs can only receive.
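The monitor-mode bridge above merges the two directions in the kernel, but since each tap port yields a one-directional capture, the same thing can be done offline: capture tap 1 and tap 2 to separate files and interleave them by timestamp (mergecap does this for real captures). The Python below is an added example, not code from the original post or from FreeBSD. It writes two small constructed pcap files, one per tap port, merges them by timestamp into one capture, and labels each frame’s direction from its source MAC. The MAC addresses, timestamps and frame contents are made up for the example; the pcap layout (24-byte global header, 16-byte record header) is the standard libpcap format.

```python
"""Merge two one-directional tap captures (one pcap per tap jack) into a single
timeline, the offline equivalent of the monitor-mode bridge in the post.
Added example; the addresses, timestamps and frames below are constructed."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # microsecond timestamps, little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1      # the same magic as seen from a big-endian writer
LINKTYPE_ETHERNET = 1

# Constructed, locally administered MAC addresses for the two ends of the tapped link.
MODEM_MAC = bytes.fromhex("020000000001")
ROUTER_MAC = bytes.fromhex("020000000002")


def ethernet_frame(dst, src, payload):
    """Build a minimal Ethernet II frame with an IPv4 ethertype (payload is opaque here)."""
    return dst + src + b"\x08\x00" + payload


def write_pcap(records):
    """records: iterable of (ts_sec, ts_usec, frame). Returns a little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Parse a pcap file (either byte order) into a list of (ts_sec, ts_usec, frame)."""
    if len(data) < 24:
        raise ValueError("not a pcap file: too short")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a pcap file: bad magic 0x%08x" % magic)
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated frame at offset %d" % off)
        off += incl_len
        records.append((sec, usec, frame))
    return records


def merge_pcaps(*captures):
    """Interleave any number of captures by timestamp into one pcap (what the bridge does live)."""
    records = []
    for cap in captures:
        records.extend(read_pcap(cap))
    records.sort(key=lambda r: (r[0], r[1]))   # stable sort: equal timestamps keep input order
    return write_pcap(records)


def direction(frame):
    """Classify a frame by its source MAC: inbound comes from the modem, outbound from the router."""
    src = frame[6:12]
    if src == MODEM_MAC:
        return "inbound"
    if src == ROUTER_MAC:
        return "outbound"
    return "unknown"


def timeline(capture):
    """Return [(ts_sec, ts_usec, direction)] for every frame in a capture."""
    return [(sec, usec, direction(frame)) for sec, usec, frame in read_pcap(capture)]


# Constructed captures: tap 1 only ever sees modem -> router, tap 2 only router -> modem.
TAP1_INBOUND = write_pcap([
    (1000, 100, ethernet_frame(ROUTER_MAC, MODEM_MAC, b"syn-ack from internet")),
    (1000, 300, ethernet_frame(ROUTER_MAC, MODEM_MAC, b"data from internet")),
])
TAP2_OUTBOUND = write_pcap([
    (1000, 200, ethernet_frame(MODEM_MAC, ROUTER_MAC, b"ack from lan")),
    (1000, 400, ethernet_frame(MODEM_MAC, ROUTER_MAC, b"request from lan")),
])

if __name__ == "__main__":
    for sec, usec, d in timeline(merge_pcaps(TAP1_INBOUND, TAP2_OUTBOUND)):
        print("%d.%06d %s" % (sec, usec, d))
```

Because the merge is a stable sort on (seconds, microseconds), frames with identical timestamps keep the order of the input captures, so the result is deterministic regardless of which tap file is listed first when the timestamps differ. Real captures from two NICs are stamped by the same host clock, which is what makes this interleaving meaningful.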
links for 2008-02-25 at edsmiley.com wrote:
[…] Create a passive network tap for your home network (tags: security networking snort) […]
Link | February 24th, 2008 at 10:24 pm
Aleksey F. wrote:
This is neat, I’m definitely trying it on my FreeBSD machine. I guess I don’t understand the way the wiring works, but what’s the reason for needing 2 taps? Can it be done with one?
Link | February 25th, 2008 at 9:49 pm
john wrote:
Aleksey – the two taps are required if the interface of the host being monitored is in full duplex. Otherwise, just one of the two taps will suffice.
Link | March 27th, 2008 at 10:19 pm
Ivan Petrushev wrote:
Hello,
I had thought that I knew something about networks and wiring, but this is the first time I have seen something like this.
Could you please explain what a ‘passive tap’ is and what it is used for?
Aside from setting up a bridge or a regular gateway or whatever – what are these taps about?
Why would you separate the orange wires from the green wires?
There is an RJ45 connector for each pair, so I suppose you could connect a cable, and thus a network interface, to one of the pairs. The question is – why only one pair?
AFAIK, you need both the orange and the green pair for a proper 100BaseTX network?
Regards, Ivan.
Link | November 20th, 2008 at 11:32 am
Lee wrote:
@Ivan – A passive tap is used to monitor all traffic that is occurring on a connection without interfering with it in any way. They can be used to monitor traffic for security breaches, or attacks.
I separated the green and orange wires because, in order to be completely passive, I needed to remove any possibility of the machine monitoring the traffic transmitting data on the wire. This is also why 2 additional jacks are needed: 1 jack for traffic in one direction, the other jack for traffic in the opposite direction.
Hope that cleared up things a little bit.
Link | November 20th, 2008 at 12:36 pm
Ivan Petrushev wrote:
And how do you minimize the possibility of interfering with the transmitted data?
Connecting each of the pairs to separate NICs, but what prevents that NIC from sending packets whose source is the intrusion detection system connected behind it? Maybe a firewall rule dropping all output packets and putting the NIC into promiscuous mode? Is that your approach?
Regards, Ivan.
Link | November 20th, 2008 at 12:48 pm
Lee wrote:
@Ivan – Interference is completely cut off by only having the Rx wires attached to each of the two jacks. Without the Tx wires, any transmitted data cannot be sent out; data may only be received.
Link | November 20th, 2008 at 12:52 pm
Ivan Petrushev wrote:
Got it!
That is pretty interesting set up
Thanks for sharing!
Link | November 20th, 2008 at 1:30 pm
GB wrote:
If I am correct, the tap goes in-line. The label “host” on the tap is really “Host in” and “Host out”, or maybe another way to say it would be “To Host NIC” and “To Switch”. The second image shows this better, if I’m not mistaken.
Link | March 1st, 2011 at 9:09 pm