Re: Home-made ethernet TAP

["Scot Scot" <scotw () hotmail com>]

----- Original Message ----- 
From: "Ryan B. Lynch" <rlynch () strozllc com>
To: <snort-users () lists sourceforge net>
Sent: Monday, August 18, 2003 6:42 PM
Subject: [Snort-users] Home-made ethernet TAP


> I built and tested a home-made full-duplex ethernet TAP today.  It's a
> simple configuration using an old phone block and four pieces of cat5e.
>   I snapped a photo, which is available here:
>
> http://www.securetheory.com/pix/sniffer_pics07.jpg
>
> Beware, it's a ~500K picture--my apologies for having no graphical
> editing facilities.
>
> I chopped a straight-across patch cable in half and punched down the cut
> pairs, and then re-connected the cable through the block using two
> pieces of twisted-pair wire as patches, such that the two cable pieces
> were again wired as the two ends of a single straight-across connection.
>   I tested the wiring at 100 Mbps and didn't see any degradation in
> performance.
>
> Then, I punched in both pieces of a new cut patch cable.  I wired the RX
> pair of one of the new pieces to the TX pair of the straight-across
> connection, and wired the RX pair of the other new piece to the RX pair
> of the straight-across connection.  This made for four RJ-45 terminated
> patches coming off the block, two wired as T568B and two with only the
> RX pairs attached.
>
> I attached the ethernet port of a laptop to a 10/100 hub through the
> straight-across connection in the block, and then hooked up both of the
> RX-only patch pieces to a dual-port machine running two sessions of
> tcpdump, one on each port.  The straight-across connection worked
> perfectly, with no hiccups and no degradation, while the two RX-only
> ports sniffed two sides of the connection.  As far as I could tell, it
> was a fully functional TAP.
>
> So here's the question:  this took me ~20 minutes and $10 worth of parts
> to gin up.  Why the heck do ethernet TAPs cost $400 and up?  I've STFW'd
> and asked everyone I know who works with Ethernet, but no-one had ever
> heard of a working homebrew TAP like this.  Am I just using the wrong
> keywords?
>
> Has anyone else experimented with home-made full-duplex TAPs?  I'd like
> to eventually put this into a production configuration, but I'm worried
> that I've missed some horrible flaw in the design.  If anyone can
> suggest a potential problem or improvement, I would greatly appreciate it.
<snip>

Splitting vs. Regeneration

You're splitting your transmit signals and changing the Z (actual electrical
resistance ) of the circuit when you "tap" without shore-power. Difficult to
say if you'll run into signal-garbage issues, perhaps a Saturday afternoon's
research project would turn up some comparable data.
Copper TAP's provide signal regeneration under shore-power (AC/DC power
adapter). Perhaps if your traffic load were under 10-30 Mbps a splitting
device may function sufficientally? I would venture a guess that one may be
more pleased with the results of a regenerative TAP device under heavier
traffic load conditions. Without further research I can only offer my humble
opinion.

Just my 2.0134 cents worth (tax included)
Watch "Enterprise", It's the only Star Trek we have left!
Scot Wiedenfeld


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users