Geeks Lunch - Intensive Version - HowTo's



Ethernet Tapping


There are various approaches to "Ethernet tapping"... here's what I've found.

For 10Mbps links:
Nothing is better than finding a cheap hub (not a switch). Plug it in series with the traffic you want to sniff, and plug your laptop (the sniffer) into it as well.

You could also use a second Ethernet card (a PCMCIA card if a laptop is your sniffer) and bridge the two with brctl [see below]. That is less to carry around, but it needs a lot of processor.

100Mbps links are a little harder.

I've looked for 100Mbps hubs, but have yet to find one.  One device I found that claimed to be a 100Mbps hub was actually a switch :(.  If anyone knows of a source of 100Mbps hubs, please let me know.

If the actual traffic is less than 10Mbps, use one of the 10Mbps methods above.


Passive taps.
I built a passive tap with the TX wires going to one port and the RX wires going to another to sniff full-duplex 100Mbps, but the link became erratic. I'd recommend against it. Reference: "Receive-only UTP cables and Network Taps" (http://www.geekslunch.com/other_docs/network_taps.pdf)

Buy an active tap.
Easy, if you call spending $400 easy.

Use brctl and two interfaces (bridge method).
My experience is that it MAY work up to about 50Mbps, but get a good processor. See http://www.geekslunch.com/glivh/linux_bridge.html

Let Cisco do it (if a Cisco switch is available)
Cisco switches can do port monitoring, which Cisco calls SPAN.
! here's the config (IOS treats lines starting with "!" as comments)
config t
! change to the interface you want to be the monitor port
interface fastethernet 0/24
! set the port you want to monitor
port monitor fastethernet 0/1
end
Other "high end" switches should have this capability as well.
(Cisco SPAN reference)

Proxy ARPing
Assume one device "D", one gateway "W", and one sniffer box "S".  "S" is inserted between "D" and "W".  Eth0 of "S" is put in promiscuous mode and proxy ARPs for the IP of gateway "W" (convincing "D" to send its packets to "S").  Turn on packet forwarding and do the same thing on Eth1, the interface facing "W", for the IP of "D".  This gives the physical ease of insertion of the "bridge method" above without its high CPU utilization.  The downside is the difficulty of setting it up for complex networks where many monitored devices are talking to "W".


A "not quite" tapping method

A "not quite" tapping method I have used is to write ACLs in a Cisco router that will log interesting packets to a syslog host. You can then count / review the packets there (just the headers and size, not the actual data), but that may be all you need in some instances.
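Once the ACL log entries land on the syslog host, the counting and reviewing is a small parsing job. The script below is an added example, not part of the original HowTo: it parses the %SEC-6-IPACCESSLOGP (TCP/UDP) and %SEC-6-IPACCESSLOGDP (ICMP) messages that IOS generates for "access-list ... log" entries and tallies packets per list, action, protocol, source and destination. The syslog lines in SAMPLE_SYSLOG are constructed for the example, not captured from a real router, and the addresses are documentation ranges.

```python
"""Tally packets recorded by Cisco IOS ACL 'log' entries on a syslog host.

Added example (not from the original HowTo). IOS logs the first packet
matching an ACL entry immediately ("1 packet") and afterwards sends
periodic summaries ("N packets", every 5 minutes by default), so the
counts must be summed, not counted as lines.
"""
import re
from collections import Counter

# IPACCESSLOGP  (tcp/udp):  list 101 permitted tcp 192.0.2.10(1034) -> 198.51.100.5(80), 3 packets
# IPACCESSLOGDP (icmp):     list 101 denied icmp 192.0.2.77 -> 198.51.100.5 (8/0), 1 packet
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<type>\d+)/(?P<code>\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample syslog lines (not real router output).
SAMPLE_SYSLOG = [
    "Mar  1 10:00:01 rtr1 12: *Mar  1 10:00:01.101: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
    "192.0.2.10(1034) -> 198.51.100.5(80), 1 packet",
    "Mar  1 10:05:01 rtr1 13: *Mar  1 10:05:01.220: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
    "192.0.2.10(1034) -> 198.51.100.5(80), 4 packets",
    "Mar  1 10:05:07 rtr1 14: *Mar  1 10:05:07.003: %SEC-6-IPACCESSLOGDP: list 101 denied icmp "
    "192.0.2.77 -> 198.51.100.5 (8/0), 2 packets",
    "Mar  1 10:06:30 rtr1 15: *Mar  1 10:06:30.444: %SEC-6-IPACCESSLOGP: list 101 denied udp "
    "192.0.2.77(53) -> 198.51.100.5(53), 1 packet",
    # A non-ACL message, to show that unrelated syslog traffic is ignored.
    "Mar  1 10:07:00 rtr1 16: *Mar  1 10:07:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]


def parse_acl_log_line(line):
    """Return a dict for one ACL log message, or None if the line is not one.

    Port, ICMP type/code fields are strings or None; 'count' is an int.
    """
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarize(lines):
    """Sum packet counts keyed by (acl, action, proto, src, dst)."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log_line(line)
        if rec is None:
            continue
        key = (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"])
        totals[key] += rec["count"]
    return totals


def packets_by_source(totals):
    """Collapse a summarize() result to [(src, packets), ...], busiest first."""
    per_src = Counter()
    for (_acl, _action, _proto, src, _dst), n in totals.items():
        per_src[src] += n
    return sorted(per_src.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    totals = summarize(SAMPLE_SYSLOG)
    for (acl, action, proto, src, dst), n in sorted(totals.items()):
        print(f"list {acl} {action:<9} {proto:<4} {src:>15} -> {dst:<15} {n:>5} packets")
    print("by source:", packets_by_source(totals))
```

Feed it the syslog file instead of SAMPLE_SYSLOG (for example, summarize(open("/var/log/cisco.log"))) to get the same per-flow totals for real traffic; note that the router only records what the ACL entries tagged with "log" match, so the tallies are only as complete as the ACL.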

What Now?
How you "sniff the glue that holds the Internet together" is up to you.  I'd consider Ethereal or Snort.





The most recent copy of this document is here.

http://www.geekslunch.com/glivh/ethernet_taps.html
written by: Monta Elkins



email Monta @ [this domain]