PaulDotCom mailing list archives
WRT54G Mirror Port
From: arch3angel at gmail.com (Robert Miller)
Date: Thu, 14 Jan 2010 19:23:41 -0500
I did a network tap similar to the two shown in the links from Hackaday and Instructables. The way I did it was with 4 ports: one to the router, modem, whatever faces the internet. Then behind that I split the RX and TX into 2 separate ports, then the fourth one went to the device I wanted to sniff.

Now the question I got asked is how do I use the data... I had a server with 3 NICs, but it could have been 2, but I was lazy and wanted to reach it from my desk and not stand in the datacenter all day. One interface was access to the corp network, normal operations for Mr. Lazy! The other 2 were doing absolutely nothing but tcpdump. I had two terminals open, each running tcpdump to a file that I named something related to the interface name so I knew which was TX and which was RX. Then I open the captures in Wireshark or your favorite packet tool. I also reformatted the server and installed OSSIM, having OSSIM watching for anything just as you would if it was mirroring a port or inline on a network.

I was in a hurry so my wires did get untwisted, but that did not seem to be the issue; my issue was the amount of data the server could process and log. It seems 14,000 packets a second tends to fill up the hard disk space fast with default settings :-) I never dropped a packet due to the makeshift tap though.

- Robert (arch3angel)

On 1/14/2010 3:24 PM, Sam Buhlig wrote:
To be honest, I don't know how you would do it on only 3 of them. Because if your computer that is doing the sniffing has anything hooked up at all to the transmit side.....collisions....broadcast from the sniffing box.....attenuation (hope that is spelled right) issues....

I do it with 2 NICs and bond them together, and the way they are connected to the box that is sniffing, it won't allow them to transmit. They are only connected to 2 and 6 on both NICs. Which should only allow to receive.

If someone else has any thoughts....throw them on here because I would like to know.

As far as throughput issues....have not seen any. I kept the twists as tight as possible. Keeping the loss to a minimum.

Thanks,
Sam

On Thu, Jan 14, 2010 at 11:01 AM, Robin Wood <dninja at gmail.com> wrote:

2010/1/14 Sam Buhlig <sbuhlig at gmail.com>:
> Just another possible workaround for you might be building a passive tap.
>
> http://hackaday.com/2008/09/14/passive-networking-tap/

This article builds a device with two ports for tapping each direction, but then this Instructables does a similar thing with just a single tap port.

http://www.instructables.com/id/Make_a_Passive_Network_Tap/step7/close-it-up/

What would be the advantage of having the two ports over having just a single port?

There is also discussion about untwisting the cables and debate over whether such short lengths of untwisted cable would make any difference to throughput; can anyone comment on this?

Robin

>
> or....
>
> cinci2600.com/wp-content/uploads/2009/01/passive-taps.odp <http://cinci2600.com/wp-content/uploads/2009/01/passive-taps.odp>
>
> (that is the one I followed)
>
> It is not as clean as being able to span a port, but a good way to do it on
> the cheap.
>
> Hope this helps.
>
> Later,
> Sam
>
> On Thu, Jan 14, 2010 at 8:16 AM, Paul Asadoorian <paul at pauldotcom.com> wrote:
>>
>> From all the research that I did on the WRT54G (and similar hardware
>> like the ASUS) this was not possible. I believe that I read somewhere
>> that it was possible on some of the hardware, but that the drivers did
>> not support it.
>>
>> If you find that it does, let us know!
>>
>> Cheers,
>> paul
>>
>> On 1/13/10 7:39 PM, Cody Dumont wrote:
>> > Can you setup a mirror or SPAN-Port using a OpenWRT on the ASUS or
>> > WRT54G?
>> >
>> > thanks all..
>> >
>> > Note: This message and any attachments is intended solely for the use of
>> > the individual or entity to which it is addressed and may contain
>> > information that is non-public, proprietary, legally privileged,
>> > confidential, and/or exempt from disclosure. If you are not the intended
>> > recipient, you are hereby notified that any use, dissemination,
>> > distribution, or copying of this communication is strictly prohibited. If
>> > you have received this communication in error, please notify the original
>> > sender immediately by telephone or return email and destroy or delete this
>> > message along with any attachments immediately.
>> >
>> > _______________________________________________
>> > Pauldotcom mailing list
>> > Pauldotcom at mail.pauldotcom.com
>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> > Main Web Site: http://pauldotcom.com
>>
>> --
>> Paul Asadoorian
>> PaulDotCom Enterprises
>> Web: http://pauldotcom.com
>> Phone: 401.829.9552
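The message above describes capturing each tap direction to its own tcpdump file (one for RX, one for TX). As an added example that is not part of the original thread, this sketch interleaves two such captures into a single time-ordered pcap so both sides of a conversation can be read together. It assumes classic microsecond pcap files and that both NICs sit in the same capture host, so their timestamps share a clock; the function names and sample frames are this example's own.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
GLOBAL_HDR = "IHHiIII"   # magic, ver major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"      # ts_sec, ts_usec, incl_len, orig_len


def read_pcap(blob):
    """Return (linktype, snaplen, [(timestamp_us, orig_len, frame), ...])."""
    for endian in "<>":  # the magic number tells us the writer's byte order
        if struct.unpack_from(endian + "I", blob)[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic microsecond pcap file")
    *_, snaplen, linktype = struct.unpack_from(endian + GLOBAL_HDR, blob)
    packets, offset = [], 24
    while offset + 16 <= len(blob):
        sec, usec, incl, orig = struct.unpack_from(endian + RECORD_HDR, blob, offset)
        frame = blob[offset + 16 : offset + 16 + incl]
        if len(frame) < incl:  # capture stopped mid-write, e.g. the disk filled up
            break
        packets.append((sec * 1_000_000 + usec, orig, frame))
        offset += 16 + incl
    return linktype, snaplen, packets


def write_pcap(linktype, snaplen, packets):
    out = [struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts, orig, frame in packets:
        out.append(struct.pack("<" + RECORD_HDR, ts // 1_000_000, ts % 1_000_000, len(frame), orig))
        out.append(frame)
    return b"".join(out)


def merge_directions(rx_blob, tx_blob):
    """Interleave two one-direction captures into one time-ordered pcap."""
    rx_link, rx_snap, rx = read_pcap(rx_blob)
    tx_link, tx_snap, tx = read_pcap(tx_blob)
    if rx_link != tx_link:
        raise ValueError("link types differ; captures are not from the same tap")
    # Assumes each file is already in time order; ties keep the RX packet first.
    merged = heapq.merge(rx, tx, key=lambda p: p[0])
    return write_pcap(rx_link, max(rx_snap, tx_snap), list(merged))


# Constructed sample: placeholder frames, two seen on the RX NIC and one on the TX NIC.
RX = write_pcap(1, 65535, [(1_000_100, 10, b"rx-frame-1"), (1_000_900, 10, b"rx-frame-2")])
TX = write_pcap(1, 65535, [(1_000_500, 10, b"tx-frame-1")])
```

On real capture files, Wireshark's `mergecap` tool performs the same timestamp merge.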