Recently I’ve had a need to actually sit between a host and its network connection to watch its traffic, because I wasn’t able to touch the host itself. I ran into quite a few challenges doing this, and was surprised that a lot of people who used taps didn’t actually understand how to use them.
For the most part there are two types of taps: active and passive. An active tap gives you the ability to alter traffic in real time, which is great for MITM (man in the middle). A passive tap gives you only a copy of the data; you cannot modify anything. Vendors also use a bunch of other names like breakout, aggregating, etc. I will only be discussing passive taps, not active ones.
Things you will need:
- A Physical network tap.
- A Linux computer (I used Debian 6.0.4 i386)
- At LEAST 2 network cards (3 if you want a management network)
For passive taps there are a lot of options. However, what determines how much you will pay is whether you want 10/100 or gigabit.
Gigabit taps require power and range around the $1,000 mark, like this one by Black Box: http://www.blackbox.com/Store/Detail.aspx/10-100-1000-Copper-Tap/TS250A
If you don’t mind dropping the connection down to 10/100, Michael Ossmann (@michaelossmann) created the Throwing Star LAN tap which you can buy for $14.99 from the awesome folks at Hak5: http://hakshop.myshopify.com/products/throwing-star-lan-tap
He has also recently created the PRO version, which at $39.99 adds more professionalism and durability but is essentially the same: http://hakshop.myshopify.com/products/throwing-star-lan-tap-pro
It is important to note that Mike has installed two capacitors on his taps which force the host to negotiate down to 10/100. This isn’t a horrible thing unless you’re trying to monitor high speed traffic that requires that gigabit throughput.
No matter which tap you bought, it has 4 ports. Looking at the graphic below, you'll see that two ports connect the source host to the target host. The other two go into the Linux box and carry the transmit and receive signals, one direction per port.
|Basic Wiring of a Passive Network Tap|
Image from: http://www.altsec.info/pnt-sensor-data.html
Each monitor port on its own is a problem, since it only gives us one side of the conversation. This is where our Linux box comes in. It is going to aggregate the two interfaces (this is the reason for two free NICs) into what’s called a bonded interface.
To set up our Debian Linux box, I used the stock distro and added the following:
sudo apt-get install ifenslave
I then wrote a bash script to do the following for me, but you can just type the commands in one line at a time:
sudo modprobe bonding
sudo ifconfig eth0 promisc up
sudo ifconfig eth1 promisc up
sudo ifconfig bond0 promisc up
sudo ifenslave bond0 eth0 eth1
That’s it! Fire up Wireshark and use bond0 as the interface to listen on.
To test that both the transmit and receive ports of your tap are working, ping something from either the host machine or another machine on the network. You should see both requests and replies in Wireshark (make sure ICMP is allowed, or your results will be misleading).
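Two quick checks that go with the setup and the ping test above, as an added example that is not from the original post: one reads the kernel's bonding status file (normally /proc/net/bonding/bond0) and confirms that two slaves are enslaved with their link up, the other reads saved tcpdump text from bond0 and confirms that both echo requests and echo replies were captured, i.e. that neither tap leg is dead. The sample status file and tcpdump lines, the interface names and the addresses in them are constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Sanity checks for a passive
# tap aggregated into bond0 as described above. Sample inputs are constructed.

# bond_slaves_up FILE
# Parse a bonding status file (e.g. /proc/net/bonding/bond0). Each slave block
# starts with "Slave Interface:" and carries its own "MII Status:" line; the
# bond-level "MII Status:" near the top is deliberately ignored. Succeeds only
# when at least two slaves report "up", i.e. both tap legs are enslaved and live.
bond_slaves_up() {
    file="$1"
    count=$(awk '
        /^Slave Interface:/ { in_slave = 1; next }
        in_slave && /^MII Status:/ { if ($3 == "up") n++; in_slave = 0 }
        END { print n + 0 }
    ' "$file")
    echo "slaves up: $count"
    [ "$count" -ge 2 ]
}

# tap_directions_seen FILE
# Parse text captured with "tcpdump -nn -i bond0 icmp". A healthy tap shows
# both "ICMP echo request" (one leg) and "ICMP echo reply" (the other leg).
# grep -c exits 1 on zero matches, so "|| true" keeps the count usable.
tap_directions_seen() {
    file="$1"
    req=$(grep -c 'ICMP echo request' "$file" || true)
    rep=$(grep -c 'ICMP echo reply' "$file" || true)
    echo "echo requests: $req, echo replies: $rep"
    [ "$req" -gt 0 ] && [ "$rep" -gt 0 ]
}

# --- constructed sample data (stands in for /proc/net/bonding/bond0 and a
# --- saved tcpdump run); addresses and MACs are made up for the demo
demo_dir=$(mktemp -d)

cat > "$demo_dir/bond0_ok" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 100 Mbps
Duplex: full
Permanent HW addr: 00:11:22:33:44:55

Slave Interface: eth1
MII Status: up
Speed: 100 Mbps
Duplex: full
Permanent HW addr: 00:11:22:33:44:66
EOF

# Same bond, but the second leg never came up (cable or NIC problem).
sed 's/^Permanent HW addr: 00:11:22:33:44:66/&/; /44:55/,/44:66/{ s/^MII Status: up$/MII Status: down/ }' \
    "$demo_dir/bond0_ok" | awk 'BEGIN{seen=0} /^Slave Interface: eth1/{seen=1} {print}' > "$demo_dir/bond0_degraded"

cat > "$demo_dir/icmp_two_way.txt" <<'EOF'
12:00:01.000100 IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 4321, seq 1, length 64
12:00:01.000450 IP 192.168.1.1 > 192.168.1.10: ICMP echo reply, id 4321, seq 1, length 64
12:00:02.000120 IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 4321, seq 2, length 64
12:00:02.000470 IP 192.168.1.1 > 192.168.1.10: ICMP echo reply, id 4321, seq 2, length 64
EOF

# Only one leg plugged into the Linux box: requests are seen, replies are not.
grep 'echo request' "$demo_dir/icmp_two_way.txt" > "$demo_dir/icmp_one_way.txt"

# Stand-alone demo. On a live box use:
#   bond_slaves_up /proc/net/bonding/bond0
#   sudo tcpdump -nn -i bond0 -c 20 icmp > /tmp/icmp.txt; tap_directions_seen /tmp/icmp.txt
bond_slaves_up "$demo_dir/bond0_ok" && echo "OK: both tap legs enslaved"
bond_slaves_up "$demo_dir/bond0_degraded" || echo "WARN: fewer than two slaves up, capture is one-sided"
tap_directions_seen "$demo_dir/icmp_two_way.txt" && echo "OK: both directions captured"
tap_directions_seen "$demo_dir/icmp_one_way.txt" || echo "WARN: only one direction captured, check the other tap leg"
```

The degraded bond sample is derived from the healthy one by flipping eth1's MII status to "down", so the two checks exercise both the pass and the fail path; in practice a one-direction capture with a healthy bond usually means the tap's monitor ports were plugged into the wrong NICs or one leg was left unconnected.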