January 26, 2010

Does your network stink? Make a sniffer!

Sometimes there is just no substitute for looking at raw packet capture data when infiltrating troubleshooting a network. In normal situations, I'm content with loading Wireshark or Network Monitor up on a system that sits in-line with the data I require (e.g. sniffing packets from a DHCP server when you have clients that cannot get an IP address). However, there are many times when you cannot load sniffing software on the device in question, or don't want to. Perhaps you want to monitor inbound traffic to your ISP to a border router, or watch for packets leaving a device you don't manage. In these situations, you need a passive network tap to capture the traffic without touching the two end points to be monitored.

So here is how you can make your own professional-looking passive network monitoring device for your toolkit. You'll need the following:

  1. 4ct Cat5e Jacks (or inserts/modules, they have several names)
  2. 1ct 4-Port Surface Mount Box
  3. ~6" of Cat5e Cabling
  4. Punchdown Tool with 110-Block attachment
Our passive network tap will consist of the following:
  • 2 ports for connecting our devices to be monitored (Labeled A & B here)
  • 1 port for monitoring the first pair (1 & 2)
  • 1 port for monitoring the second pair (3 & 6)
Without some actual circuitry, we won't be able to monitor both upstream and downstream information at the same time. However, if you have two network ports on whatever device you are using to sniff the wire, you could bridge them to monitor both pairs at once.


First, cut off about 6" of Cat5e cabling and strip the insulating wrap off.

Terminate port "A" with all 4 pairs using the TIA-568B standard. You can use TIA-568A if you are weird like that, but you'll have to reverse the labeling later on.

Next, untwist a small section of the orange pair (corresponding to pins 1 & 2). Terminate this pair, WITHOUT cutting it (i.e. use the blunt 110-block tool), to the receiving pins on your first monitoring port. If you are using Cat5e modular jacks that are labeled, this will be the Green & Green/White pins if you are looking at the 568B standard.

Repeat this for the green pair (corresponding to pins 3 & 6), connecting them to the green & green/white pins of the second monitoring port. Be sure to leave some slack in between the jacks. Don't cut the cable yet! We want that signal to continue on to its destination, port "B".

Now simply terminate the "B" jack according the same standard you used for the "A" jack (Should be 568B if you listened to me!). The final product should resemble this (ignore the A & B labels, I swapped those around):

Throw the cover on and label the ports as appropriate:

Now just pick your port, plug in your favorite sniffing application, and start monitoring! If you connect a PC in port A and switch to port B, then the "1,2" port will give you the PC->Switch traffic and "3,6" will give you Switch->PC. You'll have to think ahead to figure out which port to use when.

Dispelling Common Myths

One of the reasons I chose to post this is that there is a wealth if misinformation out there concerning network monitoring. Here are the most common comments I see about DIY network monitoring:

Q: Can't you just connect to the same switch as the device you wish to monitor?
A: No, switches do not forward all traffic to all ports, like hubs did (past tense, they are hard to find now). Switches maintain forwarding tables that keep track of which MAC addresses are connected to which port, and will only forward traffic to you if the traffic is intended to reach your port, or if the traffic has been sent to a broadcast address. Notice I said MAC address (Layer 2), not IP address (Layer 3). With a few exceptions, switches only operate at Layer 1 & 2 of the OSI model. Some switches are capable of port mirroring, essentially making a copy of all port traffic from one port to another. However, if you are looking for problems caused by Ethernet frame errors, these will be discarded by most switches and you will never see them with port mirroring.

Q: So then I can use a hub to monitor network traffic?
A: Yes, you certainly can. This is a common use for hubs nowadays. But keep in mind that most hubs you'll find are much slower than their switching counterparts. In addition, that bandwidth (usually 10mbps) is shared between all ports and you will be placing your monitoring station on the same collision domain as the two devices you are monitoring. This is NOT recommended, particularly for production environments. It introduces errors that you'll have to weed out from whatever errors you might be trying to troubleshoot. It is also not truly passive without a special cable, which leads to the next question...

Q: Why can't I just connect both the transmit and receive pairs (1&2, 3&6) to my monitoring port?
A: I see this suggestion a lot, it's even included as part of the instructions in a horribly inaccurate Instructables article (Which, strangely, is written by a self-proclaimed flow analysis expert). Although it seems logical to do this at first glance, the truth is that connecting a Cat5 pair that is transmitting traffic to your transmit pins will not allow you to monitor the traffic. The transmit pins can ONLY transmit, not receive. What it will allow you to do is transmit on that wire. Not something you want happening if this is a critical line, or one where you wish to be silent during observation. Even setting your card to promiscuous mode does not necessarily preclude it from throwing random information onto the wire, which is even more haphazard when you are actually interrupting a transmission between two hosts who think they are dedicated.

Q: Is this reliable? Can I leave this tap in place permanently?
A: You can. I wouldn't. It's a recipe for all sorts of EMI issues. The twists in a Cat5 cable are there for a reason and we have just removed several. Additionally, the monitoring ports have sliced into your line and we essentially terminated it three times in each direction. This is going to increase attenuation slightly. Add this to the fact that we are not regenerating the signal in any way. Long story short, this little contraption gets the job done, but don't look at me if it breaks.

Hope this helps out someone else! Post your thoughts below. Did I miss anything?

No comments:

Post a Comment