demonjester - Posted August 9, 2012

I made a LAN tap from this site here: http://www.enigmacurry.com/articles/building-an-ethernet-tap/

Since this article is 6 years old I figured it could be outdated. Whenever I hook up my LAN tap (using the ethernet port and an ethernet USB adapter on my laptop), both eth0 and eth1 will try to get a connection, and I think that is interfering with Wireshark. I would disconnect both of them so I can try to sniff packets, but I think I am doing something wrong. I put both interfaces into promiscuous mode through the terminal and still cannot get any packets. Could it be the LAN tap?

Additional info:
Ubuntu 12.04
wireshark 1.8.0
belkin F4U047 ethernet usb

If it is, I may consider buying the throwing star LAN tap.

digip - Posted August 9, 2012

Did you wire the ports like normal ethernet ports? I mean, you have to sort of bridge them, or you would be getting crossover signal or no signal. LAN taps are generally transparent, and depending on which end you're sitting between, you only see one end of the traffic, or the other. Check out the hak5 ninja star LAN tap kit. Based on the diagram on the site you linked, make sure each end point is in the top ports, and your listening tap on the bottom.

edit: just noticed you said USB ethernet, not sure if that works the same, but it might be where the problem is and not in your actual tap. Draw a diagram of how you are intercepting and from what devices so we can see your setup.

Edited August 9, 2012 by digip

demonjester (Author) - Posted August 9, 2012

I actually rewired the LAN tap before I made this thread. When I ran Wireshark it caught some packets, but to be honest it only captured the packets of the ethernet trying to grab an IP address.

Edit: that LAN tap is made to capture the sending packets and receiving packets, so it captures both ends.

router---------TAP------desktop
.......................| |
.......................| |
.................Laptop

Edited August 9, 2012 by demonjester

digip - Posted August 9, 2012

Physical taps are mainly meant to be transparent interceptors. They generally only capture one end at a time depending which end you are tapping. Unless doing total switch port mirroring or MITM attacks without a TAP at all, you should only see one device's traffic flow in one direction with a LAN tap. So if tapping the router, you should only see replies sent FROM the router to the PC. If tapping the PC, only what it sends to the router. To see the whole conversation and all traffic between the two of them at the same time, you could "double tap" with two NICs and two Wiresharks open, or just do a MITM on the LAN, and be done with the physical tap to begin with, but that's not going to be completely transparent, if that's what you want.

Jason Cooper - Posted August 9, 2012

Here is a useful little shell script that I put together to grab traffic off two interfaces and merge the capture files. It needs tcpdump to do the grabbing and mergecap to merge the two captures afterwards.

Simply start the script, passing it the two interfaces to capture and the output file you want to produce at the end. You will see two header lines from tcpdump; when you have finished capturing packets press CTRL+C and it will close down the two tcpdumps and then merge their output files.

Note: mergecap is part of wireshark so you will need that installed to use the script.

    #!/bin/sh
    #
    # File: sniffLanTap
    #
    # Usage: sniffLanTap <Interface 1> <Interface 2> <Output File>
    #
    # Author: Jason Cooper
    #

    # Optional capture filter taken from the environment (empty = capture everything)
    FILTER="${FILTER:-}"

    TMPFILE1="$(/bin/mktemp)"
    TMPFILE2="$(/bin/mktemp)"

    # Keep the script itself alive when CTRL+C stops the captures
    trap : INT

    # Capture the first interface in the background
    /usr/sbin/tcpdump -w "$TMPFILE1" -s1500 -i "$1" "$FILTER" &
    TCPDUMP_BG=$!

    # Capture the second interface in the foreground until CTRL+C
    /usr/sbin/tcpdump -w "$TMPFILE2" -s1500 -i "$2" "$FILTER"

    # Stop the background capture and wait until it has flushed its file
    kill "$TCPDUMP_BG" 2>/dev/null
    wait "$TCPDUMP_BG"

    # Merge the two captures, then remove the temporary files
    /usr/sbin/mergecap -w "$3" "$TMPFILE1" "$TMPFILE2"
    rm -f "$TMPFILE1" "$TMPFILE2"
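
An added example, not part of the original post or of Wireshark: a minimal Python sketch of what merging the two one-way captures involves, which also reports a direction that captured nothing (a hint that one side of the tap or one NIC is at fault). It assumes classic pcap files as written by `tcpdump -w`, with records already in time order; the direction labels and sample frames are constructed for illustration.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap with microsecond timestamps

def read_pcap(data, label):
    """Yield ((sec, usec), label, frame) for each record in a classic pcap blob."""
    if len(data) < 24:
        raise ValueError(f"{label}: too short for a pcap global header")
    # The magic number reveals the byte order used by the capturing host.
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError(f"{label}: not a classic pcap file")
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:  # capture was cut off mid-record
            break
        yield ((sec, usec), label, frame)
        offset += 16 + incl_len

def merge_directions(router_side, pc_side):
    """Interleave both one-way captures by timestamp and count each direction."""
    # heapq.merge relies on each input already being sorted by capture time.
    merged = list(heapq.merge(read_pcap(router_side, "router->pc"),
                              read_pcap(pc_side, "pc->router")))
    counts = {"router->pc": 0, "pc->router": 0}
    for _ts, label, _frame in merged:
        counts[label] += 1
    silent = [d for d, n in counts.items() if n == 0]  # directions with no frames
    return merged, counts, silent

def build_pcap(records):
    """Constructed sample data: little-endian Ethernet pcap from (sec, usec, frame)."""
    blob = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in records:
        blob += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return blob

ROUTER_SIDE = build_pcap([(100, 200, b"reply-1"), (100, 900, b"reply-2")])
PC_SIDE = build_pcap([(100, 100, b"request-1"), (100, 500, b"request-2")])

if __name__ == "__main__":
    merged, counts, silent = merge_directions(ROUTER_SIDE, PC_SIDE)
    for (sec, usec), label, frame in merged:
        print(f"{sec}.{usec:06d} {label} {len(frame)} bytes")
    print(counts, "silent:", silent)
```

An empty `silent` list means both monitor ports delivered frames; a direction listed there points at the wiring or NIC for that side.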

demonjester (Author) - Posted August 9, 2012

> Physical taps are mainly meant to be transparent interceptors. They generally only capture one end at a time depending which end you are tapping. Unless doing total switch port mirroring or MITM attacks without a TAP at all, you should only see one device's traffic flow in one direction with a LAN tap. So if tapping the router, you should only see replies sent FROM the router to the PC. If tapping the PC, only what it sends to the router. To see the whole conversation and all traffic between the two of them at the same time, you could "double tap" with two NICs and two Wiresharks open, or just do a MITM on the LAN, and be done with the physical tap to begin with, but that's not going to be completely transparent, if that's what you want.

I am using two NICs, and in Wireshark 1.8.0 you can capture from two interfaces without bridging or running two instances of Wireshark. "Apparently" the LAN tap can capture both flows of the traffic. But it is either my LAN tap or my ethernet USB. Since I cannot capture from either interface, idk, it could be my tap.

digip - Posted August 10, 2012

Might be how it's wired, or just made one crossed over on the wrong transmit/receive part. Ethernet is highly susceptible to EMI though, and USB cables generally are horrible as ethernet connectors, and that is why they make ethernet as twisted pair, to cancel noise and interference. Some USB cables come with ferrite beads on the ends just because they are so bad at collecting noise; shelling out the money for a high end cable with the ferrite bead on one end tends to make them more reliable, and with some devices it is the only way they will work. So make sure your connections are clean, connected in the right spots, and that there is no electrical interference, like power lines near the tap, like a laptop battery cable, extension cords, surge protectors, etc. near any of the TAP wires, since they are no longer shielded.

demonjester (Author) - Posted August 10, 2012

> Might be how it's wired, or just made one crossed over on the wrong transmit/receive part. Ethernet is highly susceptible to EMI though, and USB cables generally are horrible as ethernet connectors, and that is why they make ethernet as twisted pair, to cancel noise and interference. Some USB cables come with ferrite beads on the ends just because they are so bad at collecting noise; shelling out the money for a high end cable with the ferrite bead on one end tends to make them more reliable, and with some devices it is the only way they will work. So make sure your connections are clean, connected in the right spots, and that there is no electrical interference, like power lines near the tap, like a laptop battery cable, extension cords, surge protectors, etc. near any of the TAP wires, since they are no longer shielded.

Yep, I rewired it (for the 3rd time) and made sure it had clean connections. I was having trouble at first with it, but I did a quick Google search and got it resolved. Works perfect now :D