Passive Network Tap

amrogers3

Any recommendations for a passive (inline) network TAP to monitor traffic? It is for personal use and learning. Willing to buy used to save money. I have seen a few of these on eBay but not sure what brand/model to purchase. I am running 1G network, was going to insert the TAP inline after the FW to test internal traffic. So probably just need one with four ports. One for ingress traffic, one port for egress, and two for monitoring.
 
Thanks for the replies,

Appreciate the links, I saw that instructable but the problem is it degrades the speed to 100 since you can't use all 8 wires.

To answer your questions...I am trying to inspect all internal traffic from switch to firewall. The SPAN option might be better based upon my thoughts below....

Taking a step back here, I assume I won't be able to remotely connect to an inline passive appliance since it won't be addressable. I foresee a problem in that monitoring will probably have to be done manually. Since I would prefer to receive alerts real-time, I might be better off using a 1000 Mb switch with a span port instead.

By the way, I would install SNORT on the device. If I remember correctly, I researched SNORT inline a while back and it was a pain in the ass to setup.

What you guys think?
 
If you are looking to just tap the interface, you need something that runs in promiscuous mode. The easiest solution would be to configure a SPAN port on your switch for all traffic and connect an endpoint to that SPAN port running Wireshark.

SNORT isn't what you are looking for - SNORT is an IDS/IPS function and beyond what you are trying to do, even though you can probably get the data you want.
 
Hmm, what about the LAN Turtle? Not sure if that supports gigabit speeds or if you could run the capture software you want on there, though...
 
If you just need to inspect the traffic between your switch and firewall, why don't you monitor the firewall traffic logs?.... Simple task to do on something like pfsense.

Unless you don't have access to the firewall, then it sounds like you are doing something illegal under the guise of 'I'm just playing around on my home network'. In that case, it's against forum rules to provide help.
 
I have had good luck with this... LANprobe www.QlinxTech.com/lanprobe. It has the 4 ports you seek, but one of them is Ethernet over USB.
 
There is absolutely nothing illegal about monitoring your own internal traffic. People hear TAP and think "omg spies! illegal"; come on now.
 
Depending on the amount of traffic, this is gonna generate a shit ton of data, which means file storage. How long are you looking to retain the data? Also, all SSL traffic is encrypted, so you really won't get to see inside those packets without some form of SSL decryption.
 
Is it possible to detect SPAN, TAP, and similar devices without physical inspection? Are there WiFi/WLAN-based devices where Ethernet packets are sent into the monitoring device, which then sends them out via its own WiFi or mobile data? I saw something like that in an episode of Mr. Robot, where the "Alexa-loving" FBI agent attached a physical device to the Ethernet cable of some office and received data from that device. Then again, Mr. Robot included a scene with an IPv4 address that had a number above 255...
 
If you don't already have a managed switch that can do port mirroring, cheap options are either a computer with two (or probably three) NICs, have two set for software bridging and then you can tcpdump or whatever. Otherwise, I'd get one of the TP Link 'easy smart switches' https://www.tp-link.com/us/home-networking/5-port-switch/tl-sg105e/ The 5 port is about $25 and it'll do port mirroring. Security is a farce, and the management capabilities aren't the best, but you can do link aggregation and a few (32) vlans with the web interface (or a java application if you insist), and it's cheap.
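Whichever way the copy of the traffic is produced (a SPAN port on a managed switch, or the bridged two-NIC box above with tcpdump on it), the monitoring side ends up reading pcap records, and the "real-time alerts" the original poster wants are exactly the Snort-style step mentioned earlier in the thread. The following is an added example, not code from any poster or from Snort/tcpdump: a minimal reader for the pcap format that `tcpdump -w` writes, decoding Ethernet/IPv4/TCP and applying one Snort-style rule (alert on a new TCP connection from a LAN host to a cleartext port). All addresses, MACs, ports and the rule itself are constructed for illustration; the sample capture is built in memory so it runs offline.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETH_P_IP = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def _ip(addr: str) -> bytes:
    octets = [int(p) for p in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")  # octets are 0..255, TV scripts notwithstanding
    return bytes(octets)


def _checksum(data: bytes) -> int:
    # RFC 1071 ones-complement sum over 16-bit words; a valid IPv4 header sums to 0
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with no payload; MACs are placeholders."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0, _ip(src), _ip(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]  # fill in header checksum
    return eth + hdr + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Constructed pcap blob (big-endian magic, Ethernet link type), the layout tcpdump -w uses."""
    out = struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("!IIII", 1600000000 + i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl, orig
    return out


def iter_pcap(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (timestamp, frame) from a pcap blob, accepting either byte order."""
    endian = "!" if struct.unpack("!I", data[:4])[0] == PCAP_MAGIC else "<"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def decode_tcp(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet -> IPv4 -> TCP; None for anything else or for a corrupt IP header."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 20 or ip[9] != IPPROTO_TCP:
        return None
    if _checksum(ip[:ihl]) != 0:
        return None  # an overloaded SPAN port or flaky tap cable can hand you mangled frames
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return Packet(".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), sport, dport, tcp[13])


def is_private(addr: str) -> bool:
    o = [int(p) for p in addr.split(".")]
    return o[0] == 10 or (o[0] == 172 and 16 <= o[1] <= 31) or (o[0] == 192 and o[1] == 168)


def run_rules(pcap: bytes) -> List[str]:
    """One Snort-style rule: alert on a new connection (SYN without ACK) from a LAN host to a cleartext port."""
    cleartext = {21: "ftp", 23: "telnet"}
    alerts = []
    for ts, frame in iter_pcap(pcap):
        p = decode_tcp(frame)
        if p is None or not is_private(p.src):
            continue
        if p.flags & TCP_SYN and not p.flags & TCP_ACK and p.dport in cleartext:
            alerts.append(f"{ts} {p.src}:{p.sport} -> {p.dst}:{p.dport} {cleartext[p.dport]} connection")
    return alerts


# Constructed sample traffic standing in for what the SPAN port or bridge would hand tcpdump.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.10", "192.168.1.1", 50000, 443, TCP_SYN),           # HTTPS, no alert
    build_frame("192.168.1.10", "203.0.113.5", 50001, 23, TCP_SYN),            # telnet out to the Internet
    build_frame("203.0.113.5", "192.168.1.10", 23, 50001, TCP_SYN | TCP_ACK),  # reply, not a new connection
    build_frame("192.168.1.10", "192.168.1.20", 50002, 21, TCP_SYN),           # FTP to a LAN host
])

if __name__ == "__main__":
    for line in run_rules(SAMPLE_PCAP):
        print("ALERT", line)
```

With a real capture you would replace `SAMPLE_PCAP` with the bytes of a file written by `tcpdump -i <span-nic> -w out.pcap`; a true passive tap gives you two monitor ports (one per direction), so you would read both captures and merge them by timestamp before applying rules. The checksum drop in `decode_tcp` is deliberate: when a mirror port is oversubscribed the copy can be truncated or mangled, and you do not want alerts built on garbage.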
 
No. It's not possible through standard logical methods even with a properly setup SPAN port. You can infer that something is SPAN ported though due to performance oddities. I have yet to see any device, even high-end switches, that will do port spanning without some impact to performance. A purpose built tapping device though? Yeah, you aren't seeing that.

However, this is why critical links typically have an inline networked TDR and/or it's just built into the transport equipment. That way you can catch tampering/outage the instant it happens, and know exactly where.
 
You can infer about SPAN, but not TAP. TAP is scary... Fiber TAP is especially scary because it has no need for power...
 