Invisibly Sniffing Between Two Network Points

Problem

You want to insert a tap between two particular points on your network.

Solution

Construct a passive tap.

Discussion

A passive tap is slightly more complex than the receive-only Ethernet cable. You require a four-port Ethernet housing, four category 5e modular snap-in jacks, and a bit of category 5e cabling.

  1. Take a small length of your cabling, strip off the outer coating, and separate the eight internal wires. Partially assemble the Ethernet housing by snapping the jacks into place.
  2. Number the ports 1 to 4 from the left and the pins on each 1 to 8 from the left.
  3. Starting with the orange wire from your separated cable, connect it to pin 1 in jack 1, and run it through pin 6 in jack 2 to pin 1 on jack 4.
  4. Run the white wire with the orange stripe from pin 2 in jack 1 through pin 3 in jack 2 to pin 2 in jack 4.
  5. Run the white wire with the green stripe from pin 3 on jack 1 through pin 3 on jack 3 to pin 3 on jack 4.
  6. Run the white wire with the blue stripe from pin 4 on port 1 straight to pin 4 on port 4.
  7. Run the solid blue wire straight from pin 5 on port 1 to pin 5 on port 5.
  8. Run the solid green wire from pin 6 in port 1 through pin 6 in port 3 to pin 6 in port 4.
  9. Run the solid brown wire from pin 7 in port 1 to pin 7 in port 4.
  10. Run the white wire with the brown stripe from pin 8 in port 1 to pin 8 in port 4.

You can see an example in Figure 1-11.

Figure 1-11. Passive tap example

Cut off any excess wire and seal up the Ethernet housing. Port 1 should be connected to the source at one side, and port 4 should be connected to the destination on the other side. Ports 2 and 3 will dump the traffic in each direction, respectively.
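The wiring steps above can be checked before the housing is sealed. The following is an added example, not code from the original recipe: it models steps 3 to 10 as data and confirms that ports 2 and 3 are wired only to receive pins, that each one hears a single direction, and that the line between ports 1 and 4 is straight-through. It assumes step 7 ends on port 4, that the device on port 1 is a host NIC transmitting on pins 1/2 (10/100BASE-T), and the names `WIRING` and `check_tap` are made up for the illustration.

```python
# Added example: model of the wiring in steps 3-10 (not from the original recipe).
# Each entry is (wire colour, [(jack, pin), ...]) in the order the wire is run.
# Assumption: step 7 is modelled as ending on jack 4, the destination jack.
WIRING = [
    ("orange",       [(1, 1), (2, 6), (4, 1)]),
    ("white/orange", [(1, 2), (2, 3), (4, 2)]),
    ("white/green",  [(1, 3), (3, 3), (4, 3)]),
    ("white/blue",   [(1, 4), (4, 4)]),
    ("blue",         [(1, 5), (4, 5)]),
    ("green",        [(1, 6), (3, 6), (4, 6)]),
    ("brown",        [(1, 7), (4, 7)]),
    ("white/brown",  [(1, 8), (4, 8)]),
]
# Assumption: the device on jack 1 is a host NIC (MDI), which in 10/100BASE-T
# transmits on pins 1/2 and receives on pins 3/6.
TX_PINS, RX_PINS = {1, 2}, {3, 6}


def check_tap(wiring, line=(1, 4), taps=(2, 3)):
    """Return (problems, {tap jack: which side's traffic it hears})."""
    problems, heard, straight = [], {j: set() for j in taps}, set()
    for wire, run in wiring:
        (src_jack, src_pin), (dst_jack, dst_pin) = run[0], run[-1]
        if (src_jack, dst_jack) != line or src_pin != dst_pin:
            problems.append(f"{wire}: not straight-through between the line jacks")
        else:
            straight.add(src_pin)
        for jack, pin in run[1:-1]:
            if jack not in heard:
                problems.append(f"{wire}: passes through unexpected jack {jack}")
            elif pin not in RX_PINS:
                # A line wire on a sniffer's transmit pin lets it drive the line.
                problems.append(f"{wire}: tap jack {jack} pin {pin} is not a receive pin")
            else:
                heard[jack].add(src_pin)
    if straight != set(range(1, 9)):
        problems.append("line jacks are not connected on all eight pins")
    directions = {}
    for jack, pins in heard.items():
        if pins == TX_PINS:
            directions[jack] = "sent by jack 1 device"
        elif pins == RX_PINS:
            directions[jack] = "sent by jack 4 device"
        else:
            problems.append(f"tap jack {jack} does not carry one complete pair")
    return problems, directions
```

Calling `check_tap(WIRING)` returns an empty problem list and shows that each tap port carries one direction only, so a sniffer needs two capture interfaces to see the whole conversation.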

See Also

Snort online documentation, "IDS Deployment Guides" (http://www.snort.org/docs/)

Invisibly Sniffing 100 MB Ethernet
