In my home network, I have a passive tap sitting between my cable modem and my router. Instead of spending tons of money, I made my own. They’re surprisingly simple to make, and also extremely simple to use.
Let’s start with the wiring. At a local electronics store, I purchased 4 RJ-45 wiring plugs; I probably shouldn’t have bought solder-less ones, but I didn’t feel like buying a board to solder them to. Anyhow, 2 of the ports will be used for entry and exit (the host ports), the other two for taps. We need 2 tap ports because inbound data is passed out through one port and outbound data through the other.
Set up the wiring as shown in this wiring diagram (credit goes to the Snort team for the diagram):
Personally, I split open a network cable and used the wires inside so the color coding would match the diagram; that’s probably the easiest way to wire the ports.
After wiring the ports, you should be able to test that data passed from one host port to the other host port arrives unchanged. Below is a picture of the tap I created. Yes, I know it’s very messy; the box I bought for it didn’t fit the way I wanted.
The next thing to do is connect the two ports (labeled “tap 1” and “tap 2” in the picture above) to 2 NICs in the machine of your choice. I’m using FreeBSD to manage the bridge. If you want to monitor outbound and inbound traffic separately, you’re done: just start tcpdump on each interface and you should be able to see all the traffic in that direction.
If you want to monitor both outbound and inbound traffic on the same interface, you’ll need to bridge the interfaces. You can accomplish this in FreeBSD with the following:
shell> ifconfig ed0 up
shell> ifconfig ed1 up
shell> ifconfig bridge create
shell> ifconfig bridge0 addm ed0 addm ed1 monitor up
shell> tcpdump -i bridge0
(or run snort/bro-ids/argus/etc on interface bridge0)
In this case, my network cards are ed0 and ed1; if you have different network interfaces, substitute them instead. The member interfaces need to be up, but you don’t need to assign an address to the bridge interface: the only wires that are connected are the receive wires, so it couldn’t transmit through the taps if it wanted to. For more advanced bridging, check out the FreeBSD manual on bridging.
I should note, though, that you’ll need a 3rd network card in the monitoring machine if you want to remotely manage it, since the two tap NICs can only receive.
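The following script is an added example, not part of the original post: it wraps the bridge setup above in a small POSIX sh script that brings both tap NICs up, creates the monitor-mode bridge, and then checks the resulting ifconfig listing for the MONITOR flag and both members. The interface names ed0/ed1 are assumptions (substitute your own), and the ifconfig listing at the bottom is constructed sample output for offline checking, not captured from a real machine. Run it with DRY_RUN=1 to see the commands without executing them.

```shell
#!/bin/sh
# Added example (not from the original post): build a FreeBSD if_bridge in
# monitor mode over the two tap NICs so both directions can be captured on
# one interface. Interface names below are assumptions; substitute your own.
# DRY_RUN=1 prints the commands instead of running them.

TAP_IN=${TAP_IN:-ed0}    # NIC wired to "tap 1" (assumed name)
TAP_OUT=${TAP_OUT:-ed1}  # NIC wired to "tap 2" (assumed name)
DRY_RUN=${DRY_RUN:-0}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit (or execute) the commands for a monitor-only bridge over $1 and $2.
# Members must be up or the bridge sees no frames; the bridge never needs an
# IP address because only the receive pairs of the tap are wired.
# The last line printed is the bridge interface name.
setup_monitor_bridge() {
    in_if=$1; out_if=$2
    run ifconfig "$in_if" up
    run ifconfig "$out_if" up
    # "ifconfig bridge create" prints the unit it allocated (bridge0 on a
    # fresh system); in dry-run mode we assume bridge0.
    if [ "$DRY_RUN" = 1 ]; then
        br=bridge0
        printf '%s\n' "ifconfig bridge create"
    else
        br=$(ifconfig bridge create) || return 1
    fi
    run ifconfig "$br" addm "$in_if" addm "$out_if" monitor up
    printf '%s\n' "$br"
}

# Check an "ifconfig <bridge>" listing read from stdin: the interface must
# carry the MONITOR flag (received frames go to bpf only, never forwarded)
# and list both tap NICs as members. Returns 0 if both hold.
verify_monitor_bridge() {
    in_if=$1; out_if=$2
    listing=$(cat)
    case $listing in
        *"<"*MONITOR*">"*) ;;
        *) echo "bridge is not in monitor mode" >&2; return 1 ;;
    esac
    for m in "$in_if" "$out_if"; do
        case $listing in
            *"member: $m "*) ;;
            *) echo "$m is not a bridge member" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample listings (not real output): one correct, one where the
# monitor flag is missing and a member is absent.
SAMPLE_LISTING='bridge0: flags=48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        member: ed1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: ed0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'
SAMPLE_NOMON='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: ed0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Usage: ./tapbridge.sh setup   (creates the bridge, then verifies it)
#        ./tapbridge.sh check   (runs the verifier on the constructed sample)
case ${1:-} in
    setup)
        br=$(setup_monitor_bridge "$TAP_IN" "$TAP_OUT" | tail -n 1) || exit 1
        if [ "$DRY_RUN" != 1 ]; then
            ifconfig "$br" | verify_monitor_bridge "$TAP_IN" "$TAP_OUT" || exit 1
            echo "capture with: tcpdump -i $br"
        fi ;;
    check)
        printf '%s\n' "$SAMPLE_LISTING" | verify_monitor_bridge ed0 ed1 && echo "sample OK" ;;
esac
```

The verifier is deliberately a plain text check on ifconfig output rather than a second set of ifconfig calls, so it can be reviewed (and tested) on a box without the tap hardware; if the MONITOR flag is missing, the bridge would forward frames between the tap NICs instead of just handing them to bpf, which is exactly the behaviour a passive tap must avoid.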

8 Comments
February 24, 2008 at 10:24 pm
[...] Create a passive network tap for your home network (tags: security networking snort) [...]
February 25, 2008 at 9:49 pm
This is neat, I’m definitely trying it on my FreeBSD machine. I guess I don’t understand the way wiring works, but what’s the reason for the need to have 2 taps? Can it be done with one?
September 9, 2008 at 3:34 am
[...] how well does this work? Create a passive tap. If you put it between the router and the outside/cable modem… Hohum.. maybe I’ll have to test it [...]
September 14, 2008 at 4:27 pm
[...] is easy to insert a passive Ethernet tap inline, as shown in the picture above from a different multitap project, simply plug the incoming line into a host port and a patch cable from the other host port to the [...]
September 17, 2008 at 1:48 am
[...] A second example shows even more clearly how easy it is to build: Create a passive network tap for your home network: [...]
September 19, 2008 at 3:31 am
[...] is easy to insert a passive Ethernet tap inline, as shown in the picture above from a different multitap project, simply plug the incoming line into a host port and a patch cable from the other host port to the [...]
November 7, 2008 at 8:29 am
Nice, I will definitely try this out at home. My question is: will this home made tap support enterprise level kind of traffic?
June 7, 2009 at 2:17 pm
I just wanted to say THANKS for putting this up!!! Very helpful and informative – worked great! I was surprised to find that snort.org NO LONGER has the detailed guide for creating your own copper tap that it used to have up – so thanks again for having it here !
-Grateful Internet User