Snort mailing list archives

Home-made ethernet TAP


From: "Ryan B. Lynch" <rlynch () strozllc com>
Date: Mon, 18 Aug 2003 19:42:30 -0400

I built and tested a home-made full-duplex ethernet TAP today. It's a simple configuration using an old phone block and four pieces of cat5e. I snapped a photo, which is available here:

http://www.securetheory.com/pix/sniffer_pics07.jpg

Beware, it's a ~500K picture--my apologies for having no graphical editing facilities.

I chopped a straight-across patch cable in half and punched down the cut pairs, and then re-connected the cable through the block using two pieces of twisted-pair wire as patches, such that the two cable pieces were again wired as the two ends of a single straight-across connection. I tested the wiring at 100 Mbps and didn't see any degradation in performance.

Then, I punched in both pieces of a new cut patch cable. I wired the RX pair of one of the new pieces to the TX pair of the straight-across connection, and wired the RX pair of the other new piece to the RX pair of the straight-across connection. This made for four RJ-45 terminated patches coming off the block, two wired as T568B and two with only the RX pairs attached.

I attached the ethernet port of a laptop to a 10/100 hub through the straight-across connection in the block, and then hooked up both of the RX-only patch pieces to a dual-port machine running two sessions of tcpdump, one on each port. The straight-across connection worked perfectly, with no hiccups and no degradation, while the two RX-only ports sniffed two sides of the connection. As far as I could tell, it was a fully functional TAP.

So here's the question: this took me ~20 minutes and $10 worth of parts to gin up. Why the heck do ethernet TAPs cost $400 and up? I've STFW'd and asked everyone I know who works with Ethernet, but no-one had ever heard of a working homebrew TAP like this. Am I just using the wrong keywords?

Has anyone else experimented with home-made full-duplex TAPs? I'd like to eventually put this into a production configuration, but I'm worried that I've missed some horrible flaw in the design. If anyone can suggest a potential problem or improvement, I would greatly appreciate it.
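A tap wired this way delivers each direction of the link on its own RX-only port, so the two tcpdump captures have to be interleaved by timestamp before the conversation can be read or fed to an IDS as one stream. The sketch below is an added example, not part of the original post: the function names, the direction labels and the sample frames are constructed for illustration, and it assumes little-endian classic pcap files with microsecond timestamps taken on the same host clock (as with the dual-port capture machine described above).

```python
import heapq
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")   # classic pcap file header, little-endian
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
MAGIC_USEC = 0xA1B2C3D4                  # microsecond-resolution pcap magic
LINKTYPE_ETHERNET = 1

def write_pcap(records, snaplen=65535):
    """Serialize (ts_sec, ts_usec, frame) tuples as a classic pcap byte string."""
    out = [GLOBAL_HDR.pack(MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(RECORD_HDR.pack(sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data, label):
    """Yield (ts_sec, ts_usec, label, frame); stop cleanly at a truncated record."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic != MAGIC_USEC:
        raise ValueError("expected little-endian microsecond pcap")
    pos = GLOBAL_HDR.size
    while pos + RECORD_HDR.size <= len(data):
        sec, usec, incl, _orig = RECORD_HDR.unpack_from(data, pos)
        pos += RECORD_HDR.size
        if pos + incl > len(data):       # capture was cut off mid-frame
            break
        yield sec, usec, label, data[pos:pos + incl]
        pos += incl

def merge_tap_captures(pcap_a, pcap_b):
    """Interleave both directions by timestamp; ties keep side A first."""
    return list(heapq.merge(read_pcap(pcap_a, "A->B"), read_pcap(pcap_b, "B->A"),
                            key=lambda r: (r[0], r[1])))

# Constructed sample captures (placeholder payloads, not real Ethernet frames):
# three frames seen on one RX-only port, two on the other.
SIDE_A = write_pcap([(100, 10, b"syn"), (100, 300, b"ack"), (101, 5, b"data1")])
SIDE_B = write_pcap([(100, 150, b"synack"), (101, 900, b"data-ack")])

if __name__ == "__main__":
    merged = merge_tap_captures(SIDE_A, SIDE_B)
    for sec, usec, direction, frame in merged:
        print(f"{sec}.{usec:06d} {direction} {frame!r}")
    combined = write_pcap([(s, u, f) for s, u, _d, f in merged])
    print(len(combined), "bytes in merged pcap")
```

If the two ports were on different machines, clock skew between them would reorder frames in the merged output, so the ordering is only as good as the shared timestamp source.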


