Tuesday, September 9, 2014

How to build a $10 passive network tap

When one's profession involves network security, sometimes it helps to capture network communication to analyze. Often the simplest way to do this is to install packet capture software such as tcpdump or Wireshark on the system in question. This has the advantage of being easy (tcpdump may even already be installed - it is common on Linux systems), and by running on the target system there can be less unrelated traffic to wade through.

The downside, of course, is sometimes I don't have access to the target system ... or do have access but do not wish for the user of the system to know it is being investigated. If it is malware I am investigating, the malware might tamper with software running on the same system. In any of these cases, it is to my benefit to capture the network traffic from somewhere other than the target system.

Not too terribly long ago, network traffic within a local office passed through a device known as a hub, or repeater. The hub does one thing, and does it well: it takes a message coming in on any port, and repeats it out every other port. In essence, it yells out in a crowded room "I have a message for George. Don't listen unless your name is George." It is simple, it requires no intelligence - and it made capturing network traffic easy. Since every message was sent out every port, I could connect to any port and capture every message sent across the network.


More sophisticated environments began to use switches instead of hubs. As technology advanced and became less expensive, switching devices became very common, to the point that it is now relatively uncommon to come across a hub even in a home network. A switch is an intelligent device. It keeps track of who is on what port. Every network device has a unique* number known as a Media Access Control, or MAC, address. The switch makes note of the MAC for any device detected on a given port, and will only send traffic addressed to that MAC via that port. Instead of yelling in a crowded room, the switch walks up to the front door and delivers the message in person.

* Unique in theory. Many devices are able to programmatically change the MAC. If you have two devices with the same MAC, weird things happen on the network.

This is great for network performance (imagine a dozen people simultaneously yelling out in the same crowded room. It would be hard to hear your name. An unswitched network is similar - the simultaneous yelling is known as collissions, and slows the network). It is great for security (I can't eavesdrop on George if I am not on George's port). But it's a pain if I want to monitor George's traffic (I can't eavesdrop on George if I am not on George's port).

Advanced or "managed" switches (so called because they allow the administrator to change, or manage, the configuration of the network, as opposed to a more basic "plug and play" switch) get around this by providing a "monitor port," a port to which I can "mirror" the traffic of any other port. In some cases this is a specific monitor port; in other cases, the switch supports programming commands to mirror traffic to any specified port. Either way, it provides a way to send a copy of George's traffic to someone else.

When a monitor port is unavailable, the next best option is known as a network tap. This is a hardware device that sits between the target computer and a switch, or between the target computer and another computer. The tap allows all traffic between the two endpoints to pass, but it sends a copy out an extra port - perfect for connecting a packet capture device to analyze the traffic passing between the two endpoints.

Managed switches can cost many hundreds to thousands of dollars - beyond the reach of most home network budgets. A decent network tap could easily cost $100 or more. But you can build your own for around $10 worth of readily-available parts. This design will support 10 or 100 megabit speed. For many purposes that is more than adequate - most of us don't have gigabit home networks, and even fewer have gigabit broadband Internet. Just be aware that this design won't work to tap traffic from a gigabit connection.

For my design, I picked up 4 cat 5e network jacks, a 4-port wallplate, and an electrical junction box to put everything in. I had some loose cat5e network cable lying around; if you don't have that, pick up a cable for a few more bucks. I found all the parts for a grand total of $10.11 plus tax at Home Depot. If you prefer online shopping, here is a shopping list at Amazon:



With the parts in hand, take a close look at one of the Ethernet (cat 5e) jacks. Cat 5e refers to the type of wire - typically 4 pairs of colored wires, each twisted a certain number of times per meter to minimize crosstalk interference between the pairs (you may remember from high school science class that a wire carrying electrical current creates a magnetic field, and that a magnetic field can induce a current in another wire). By convention, the wires within a cat 5e cable are colored as follows: a solid green and a striped green for data transmission; a solid orange and a striped orange for data receiving; and a solid and striped blue, and solid and striped brown that are unused for our purposes. I bought two white jacks for the computer and router connections, and two blue jacks for the tap connections, but that was a purely arbitrary decision. Note that there are two common conventions - I described the "T-568A" standard, which is commonly used in household devices. Commercial devices often follow the T-568B standard, which merely swaps the orange and green wires.

I connected the two white jacks directly, as though there were no interruption in the cable: pin 1 goes to pin 1, pin 2 goes to pin 2, and so forth. That ensures the two active devices continue to talk without any interruption. The "tap" comes in by what I did next. I mentioned earlier that the green wires transmit and the orange wires receive ... that is true from the perspective of the computer or host. Both sides can't transmit on the same wire though - one side transmits while the other receives, and vice versa. The computer transmits on the green pair and listens on the orange pair. The router, switch, or other computer transmits on orange and listens on green. Because of this fact, my $10 tap only lets me listen to one half of the conversation at any given time: I can listen to the computer's transmissions, or I can listen to the router's response - but not both (unless I have two network cards on my capturing computer).

On the host side, I wired the host's transmit wires to the tap's receive pins. This way, my packet analyzer can listen to whatever the host computer is transmitting. I do the opposite on the router tap: I wire the receive wires (which in fact are where the router transmits back to the computer) to the receive pin on the tap. Here is a diagram showing the pin-outs and wiring:


Here is a photo of the completed wiring:


Now, what can I do with the finished product? Specific examples are beyond the scope of this post (keep an eye out here for future topics though), but here are some basic ideas. I can insert it between my broadband modem and my router (outside my protected network), to watch what sort of evilness is attempting to attack my network (but being blocked by the firewall built into my router). I can insert it between a suspected-compromised computer and my router (inside my network), to see if the computer is reaching out to botnet command and control servers. I can connect it to a system running Snort and build my own Intrusion Detection System (detect and send me alerts if something malicious shows up). This doesn't let me directly intercept wireless network traffic, but if I place it outside my router and monitor outbound traffic, I can see what every device on my network - including the wireless ones - is sending out to the Internet. In short, I can do things that wouldn't be possible with just a basic switch.

One final word of caution: building a network tap to use on your home network is a great way to learn. Using one on a network for which you are professionally responsible may be acceptable depending on local regulations and your company's policies. Connecting a tap to someone else's network without permission almost certainly runs afoul of wiretapping laws.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen