Has anyone built a network tap ?

I tried using this plan http://www.instructables.com/id/Make-a-Passive-Network-Tap/ . It basically tells you to wire three ethernet jacks in parallel and does not work at all.

I also tried this way http://www.sun.com/bigadmin/content/submitted/passive_ethernet_tap.jsp but with only the tap A. With this I only see incoming traffic.

So with three ports can I make something that will show incoming and outgoing traffic ? How is a passive hub different ?

It is people on instructables giving bad advice again. The first one won't ever work as you're wiring all 3 sockets in parallel. One of the pairs will have the transmitter from one of the hosts and the monitoring machine connected together which it won't like. Assuming it didn't mind that, it wouldn't be able to see what was going on with that pair anyway since the monitoring host doesn't have a reciever on there.

The second one is how you do it but you need two NICs. One to monitor incoming and one to monitor outgoing.

The other option would be to find a 10/100 hub (can you even buy these things still?) or see if your switch has SPAN support. If it is a basic unmanaged home switch then it won't.

I may be wrong on this, but that sort of three jacks in parallel tap will work only on a half-duplex connection. Since most networks use switches nowadays, the links are usually all full-duplex. So the tap won't work.

An ethernet hub is the usual way to do a "tap", and by its nature is half-duplex.

Edit: you could try forcing all three ends of the connection to use half-duplex, and turn off auto-negotiation -- then the tap might actually work.

Cheers

Ah good point. If you're going to make a half duplex only tap then you should wire it the second way though. Possibly even leaving out some of the pairs so it'll automatically force the link to half duplex.

No, only two pairs are used, whether half or full duplex.

That's why I am trying to make the tap a hub is pretty much impossible to find I tried an old one I had that claimed to be a hub and it turned out to be a switch.



I won't be able to change anything like that.

So aside from finding a hub there is no way to capture incoming and outgoing with only one nic ?

I am assuming if I had a hub I would be able to capture incoming and outgoing with one nic right ?

I just need a bunch of diodes

http://www.zen22142.zen.co.uk/Circuits/Interface/pethhub.htm

My bad. GigE does all 4 but not 10/100.

I'd just install a Linux machine in the middle with its two interfaces bridged.

Alternately, many managed switches have the ability to "mirror" ports.

A 10 or a 100 hub. IIRC a 10/100 hub has (what's effectively) a 2-port switch between the 10 and 100 sides, so that 100-to-100 traffic isn't slowed down to 10 speed by being replicated out of the 10 ports -- i.e. no one port sees all the traffic.

Peter

I've also encountered "hubs" that were actually switches. Took me a good half hour with ethereal to figure that one out.

Matthew

Then I would still need two network interfaces on the computer. I am using a laptop and do not have another usb or pcmcia one.

Heh.. it is precisely for this kind of situation that I have held onto an ancient 8-port 10baseT hub (plus one coax port!), as well as a more modern 8-port 10/100 hub.

Mmm.. I think I could even get my other old 5-port hub back from a buddy of mine, in trade for a disused 5-port switch I have on hand..

Technically, with a passive tap, you have to have two interfaces on the logging computer anyway. You cannot monitor both directions passively with one interface. Well, you could aggregate the traffic with a hub, but if you're going to do that, you might as well make the hub the "tap".

There's more detail over on the Wireshark page.

Thanks Mark if that was an offer If it comes to that I have a 5 port switch labeled as a hub I can trade too. I didn't know any reason to want a hub over a switch until now this is my first time doing this.

So Bitt are you saying even if I find a hub I wouldn't be able to get both directions with one interface anyway ? If that's the case then I can just use what I have kludged.

I am not really sure if I need to get both directions or not I am trying to help an "engineer" in another state get data to resolve a problem someone is having here in Minnesota. I was sent the link to build the thing on Instructables by them so maybe they don't know what they want either A device here is losing a connection seemingly at random with a server in a different state. I am just kind of assuming they would want to capture both ways but maybe it doesn't matter.

I guess I have two interfaces. I was digging more because I swear I had another potential hub (still haven't found it) and I found a USB 10/100 adapter. So maybe I can do something with that.

Look like I could do the "machine in the middle" method since I found the USB ethernet adapter.

No, using a hub will capture everything, as long as all of the computers involved are using the same speed (100mb/sec or 10mb/sec).

Cheers

Just buy two cheap USB Ethernet adapters and just plug it into the second type of tap.

So I did a capture with wireshark. USB adapter connected to my laptop with windows xp. I bridged the two network connection. Hooked my desktop to the built in ethernet and my lan to the USB adapter. I tell wireshark to watch the built in ethernet. Ping google from the desktop and in wireshark I see outgoing from the desktop IP to google and a reply from google to the desktop IP.

That would mean I am getting outgoing and incoming right ?

Yep.

Its not quite transparent though. You can detect it and some thing may not like you doing that but generally it'll be fine.

Heh, all this was sooo much easier in the good old days of 10BASE5, with vampire connectors...