Sniffing Ethernet

Re: Sniffing Ethernet

Smitty,

A great slide deck, and I'm looking forward to information on the inductive tap next year.

A couple of technical questions:

I've made some passive ethernet taps like that in the past, but never used a 100-ohm resistor in the RJ-45 jack. Since it's not directly attached to either pair, I'm making a SWAG that its purpose is to maintain the correct line impedance across the pairs. Can you verify that, or otherwise explain the resistor's use?

Assuming for the moment that the resistor is there to maintain impedance, wouldn't a 47-ohm resistor be closer to the correct impedance (Cat5 impedance is 50 ohms), or have you found it just isn't that critcal?

This is the instruction page I've used to create the taps in the past:
http://www.sun.com/bigadmin/content/...ernet_tap.html

Also, this article, which borrows heavily off the first, gives information on bonding two network interfaces into one while tapping:
http://www.jasons.org/2009/04/26/ins...-ethernet-tap/

Re: Sniffing Ethernet

Note that the 100 ohm is across the orange pair, or the TX pair. I've noticed that my card at least doesn't like listening if it doesn't think anyone is listening to it. Giving it a 100ohm load makes it think its transmitting to SOMETHING so it starts listening.

...or maybe I just screwed something else up and it wasn't until after I tried the 100ohm resistor that it started working... That could be too. I should try one without the load resistor to see whether it works. Could save a quarter from the cost. ;-)

Cat* is 100 ohm, not 50 ohm. You're probably thinking of coax.

But, you're right; Ethernet is incredibly forgiving of crappy cable. I once ran a 10base2 network through SNA baluns over a single pair of phone wiring (not even Cat3, household PHONE wiring.) It started in the garage as coax, converted to twisted pair, went through the walls to the first bed room, back to coax to the computers there, back to twisted pair up to the next bed room, same thing, to the next bedroom, same thing, then down to the kitchen where it converted to coax for the last time and ran around the room to the computers in the living room. And the damn thing worked. (This was circa 1998; the statute of limitations is up on crazy shit like this, right?)

The bonding driver is a fantastic idea, I'll include that in the talk. Thanks! :-)

Though, I will point out that something the author mentioned in that second link is wrong: He talks about the inherrant safety of this type of tap, that its impossible to transmit on the line. With many network interfaces auto-detecting the MDI state these days, this is no longer the case. You do have to be very careful of your NIC transmitting a burst of traffic on the RX line to see if it gets a response on the TX line. I'm not quite sure how to turn this off.

My inductive system won't have this problem. :-D

-Mark

Re: Sniffing Ethernet

Ah ha! I was thinking it wasn't connected to anything, but of course it is connected to the card when the patch cable is plugged in. That makes perfect sense, especially in light of the card wanting to see some signal on that pair.

I'll put a resistor into my taps to prevent that from ever being an issue on any of my machines.

<slaps forehead> D'uh! Yeah, I'll use "coax" as my defense; too much RF work.

Yikes!

Hey, you're entirely welcome, and I'm happy to help you!

A good point. I'd guess that it's taking place down at the hardware level.

Good luck with the talk!