Thank you, you are a great teacher, I appreciate the visualizations. Not many can teach technical IT topics, I always find the older videos to be the best.
Glad I came across your channel, going to build one now but I'll also purchase the LAN tap from you to support the channel, keep up the good work. Subbed.
Thanks for the informative video. The question may be beyond the scope of the video. How can I prevent the attacker's ARP and DHCP requests from being captured? The attacker host is constantly trying to send packets to the Ethernet interface.
Seems to me that you could turn off the TCP/IP stack with a card in promiscuous mode. Been a while since I had to use something like this. Will probably need to turn off any file-sharing type services that might create UDP port announcement messaging.
I'm curious why you would go through the trouble to make a network tap like this when you can use a network switch that does port mirroring? Also, I'd be a little concerned about causing reflections on the Ethernet line and causing packet errors. Port mirroring allows you to monitor the packets on selected ports and use Wireshark to see what is going on -- even works at gigabit speeds. Examples of switches that do port mirroring are the Netgear GS108T and GS108E. I keep one in the trunk just in case I want to see what traffic is going to and from a device. You can also use a hub instead of a switch, although hubs are pretty hard to find nowadays.
StevesProjects Good question. You will find that a lot of my projects aren't exactly a clean solution. Yes, it does create issues with speed and performance on the line. Usually it's not enough to matter in most office environment situations. In truth I carry the very Netgear switch you referred to and use them in classes that I teach. This tutorial is more geared toward those looking for a field expedient solution. I sometimes have to work with guys that have very few resources and encounter problem sets in resource poor conditions. This can range from the kid at the local hackerspace that can't afford a switch to a military sys admin who finds himself in Iraq trying to troubleshoot a network. It's "good enough" engineering at work. Thanks again for the comment and have a great day!
StevesProjects Port mirroring has a few issues that a passive tap overcomes. The most obvious one is that port mirroring copies the TX and RX for a particular port and mirrors it to the TX of a monitor port. If you have over 100 Mbps combined TX+RX (which could be from a utilization as low as 50%) you will miss packets on your monitor port since it will be congested. Obviously if the utilization is below 50% on the target port then port mirroring can be an advantage because all the traffic is combined into one interface! There are some other reasons someone might go with a tap over port mirroring that are discussed on the Wireshark wiki and elsewhere. For the resource rich, JDSU, black box, and others make passive network taps that run about 300 bucks for single line monitoring and they scale up from there. They do gigabit as well! I really like this tutorial though! One thing I would change would be to put a female RJ45 jack (wall jack) on one end of the target cable. That way this becomes an easily insertable pigtail onto the existing cable you want to monitor.
Only wires 3 (RX+) and 6 (RX-) are connected to the monitoring machines; what about the remaining ones? Because with just two wires the monitoring machine will not power up the port and there will be no connection.
No, it will work with just 2 wires. You may have to vary your connection sequence, but it will work. Sometimes Gigabit Ethernet adapters have a difficult time adjusting to the load, but with a little persistence, the interface will come alive.