packet sniffing of physical wire

[terxx]

a few days ago a a try out this thing called "passive ethernet tap"

http://hackaday.com/2008/09/14/passive-networking-tap/

http://www.infosecwriters.com/hhworld/hh9/roc/node4.html

i test it on 100baseT and it works fine,

but you have to play around with the wires a bit (wite green/green en wite orang/orang)

so am able to sniff packets of a physical wire without unplugging any cable

(by cutting it open en connect the wires)

but only half duplex (or you need to use 2 ethernet cards).

i was wondering if there is a way of making it full duplex,

by using a modified router or something else (and sending the packets to my laptop wireless).

I thought of a cisco switch with a spam port (a port ware everything you want is sent to for sniffing purpose)

but a cisco swich is rather large and expensive to play around with.

any ideas ??

ps: sorry for my crappy english.

[digip]

Just inset a hub inbetween the segments/networks. All packets get broadcasted to everyone, then just start up your sniffer. Hubs arent used much these days any more because of that one reason. You can probably find one cheap online somewhere. Switches would learn all the mac addresses, and eventually only reply to the one port, instead of sending all the data to everyone. Hubs don't route traffic, they just repeat it, like a wire ;)

http://www.google.com/products?q=ethernet+...0&price2=30

[terxx]

tanx digip for reply

a hub is a fine idea but i think that in a busy network.

people will notice that their traffic is slowing down.

because a hub is half duplex.

also to insert a hub you have to unplug a cable.

what i want is sniff packets from a wire without changing anything to the network.

this can be useful in baselining or troubleshooting.

where you dont want to change anything to the network.

if you insert a hub you changing the network.

ok a little schematic ;)

al traffic that travels from A =>B uses orage B => A uses green

now i thought to use a router with 2 ethernet interfaces en 1 wifi interfaces.

al traffic that is received on the 2 ethernet interfaces ar ar forward to the wireless interface

of course the wifi can also be a ethernet interface

the 1e problem with this is that the ethernet header is changed when it travels through the router

(source MAC and destination MAC)

but if you know that it happens it's not really a problem

the 2e problem is the speed of the link

when the 2 hosts are using all 100mbs in both directions then the wifi has to be 200mbs

i don't have any routers with that many interfaces so i can't test it

maybe there is someone out there that is, and wanto test it out

[digip]

To make the tap, you would need to unplug the existing connection and plug it into the tap anyway.

Either way with any tap, home made or a hub, you are still going to have to unplug something unless it were all wireless, which then you could just do a mitm.

[terxx]

you could do something like this

of course you dont gone do this on you one network

after you done sniffing you juist tape everything back together

of course this is al hypothetically,

i would never do something link this on someone else's network ;) :P

[beakmyn]

Or get a FON and build an interceptor ;)

[Keltha]

By using both a hub and wire splicing it can be done. Get 2 extra Ethernet jacks/plugs and connect the TX lines from the wire to the TX pins of one jack/plug. After that, connect the RX pins from the wire to the TX pins of the other jack/plug. Then connect the two jacks to a hub and plug your sniffer into it. There should be no difference in speed, but there still is that bandwidth problem. This is the only solution that currently comes to mind, so you're just gonna have to deal with it