SANS ISC: InfoSec Handlers Diary Blog

Tap Gigabit Networks on the Cheap

Published: 2016-12-01
Last Updated: 2016-12-01 21:26:27 UTC
by Johannes Ullrich (Version: 1)
8 comment(s)

First a disclaimer: This method works for a home network, maybe a small business network. I do describe how to do this using a specific vendor's equipment. This isn't an endorsement of the vendor. 

Back in the 100BaseT days, it was pretty easy to make your own tap. You could essentially just connect the network cable's transmit line to the receive pins of an "output" plug, and all it took was four network plugs, a punch-down tool and a bit of wire. Sadly, with Gigabit Ethernet, all pairs are used to both transmit and receive. Tapping this type of network is a bit more tricky and requires more sophisticated circuitry.

You can buy some relatively cheap "Taps," but often a simple switch is cheaper, and provides similar capabilities. To monitor just a single network segment, a simple switch like this may be perfectly acceptable, and with port-based VLANs, you can even aggregate multiple segments. 

To get us started, here is a little network diagram to illustrate some of the challenges you may run into.

There are three possible spots to connect a sensor:

  1. Between Firewall and Modem: In this case, you will see all the traffic entering / leaving the network. But you will only see the "NAT'ed" traffic, assuming that the firewall/router also does NAT. It will be difficult to assign traffic to a particular device on your network.
  2. "LAN": This is the network we use to connect our workstations/mobile devices. We can define a port on the "LAN" switch as a mirror port and at least mirror the port connected to the gateway. This should give us a nice spot to connect a sensor.
  3. "WAN": Same as for the "LAN" port, a mirror port on the switch will allow us to watch traffic to/from the servers connected to this switch.

So how do we monitor traffic in both networks, the "LAN" and the "WAN" segment? There are a couple of options here:

Run the "sensor" on your Firewall/Router

If you are using a homemade Linux device or pfSense, then it is pretty easy to install tools like Snort or even Bro on the device as well. Again: We are talking home network here. But even in a home network, I find that this type of setup quickly runs out of steam, in particular if you are using less than state-of-the-art hardware.

Run a dedicated sensor, with multiple network cards

You will need a network card for each segment and one more for a management network. In the diagram this would require at least three (LAN, DMZ + management) or even four (LAN, DMZ, WAN + management). Finding a small / low-cost system with more than two network cards is challenging. But luckily, with some port-based VLAN trickery, our cheap monitor switch can be coerced into aggregating multiple networks.

Aggregating Multiple Network Segments with a Switch

I am using the Netgear GS105Ev2 switch. This is a 5-port switch that offers port-based VLANs and port mirroring, the two features I am going to use here. Other switches that provide these two features should work as well. This switch currently sells for about $45.

First, figure out which port you want to use for what. In my example, I am using:

Port 1 to manage the switch
Ports 2, 3, 4 to connect to the different network segments
Port 5 to connect to the sensor (and remember that the monitoring interface of the sensor has no IP address, but is just listening)

First, let's configure the "mirror" feature. We define ports 2, 3, 4 as "source" and port 5 as the destination.

Next, let's define the VLANs. Setting up port-based VLANs is CRITICAL, since we do not want to "shortcut" the different network segments: without them, the switch would simply bridge the LAN, DMZ and WAN ports together.
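Because the GS105Ev2 is configured through a web GUI, there is nothing to script on the switch itself, but the two settings above can be checked on paper before plugging the segments in. The following is an added example (not code from the diary or from Netgear) that models a port-based VLAN table as "VLAN group -> set of member ports" and validates both the mirror settings and the isolation requirement: no two segment ports, and no segment port and the sensor port, may share a VLAN group. The port roles (1 = management, 2-4 = segments, 5 = sensor) follow the diary; the two sample tables are constructed for the example, and the assumption that the sensor port must also be isolated from every segment is mine.

```python
"""Validate a port-based VLAN plus mirror plan for a switch used as a tap.

Added example for the diary above, not vendor code. Port numbering follows
the diary: 1 = management, 2-4 = network segments, 5 = mirror destination.
"""
from itertools import combinations

MANAGEMENT_PORT = 1
SEGMENT_PORTS = {2, 3, 4}
SENSOR_PORT = 5

# Constructed plan: one VLAN group per port, so nothing is bridged.
GOOD_PLAN = {
    1: {1},   # management port alone in its group
    2: {2},   # segment A (e.g. LAN)
    3: {3},   # segment B (e.g. DMZ)
    4: {4},   # segment C (e.g. WAN side)
    5: {5},   # sensor port, isolated (assumption: sensor never transmits)
}

# Constructed plan: the usual factory default, every port in VLAN group 1.
# Plugging three segments into this turns the "tap" into a plain switch.
DEFAULT_PLAN = {1: {1, 2, 3, 4, 5}}


def shortcuts(plan, segment_ports=SEGMENT_PORTS, sensor_port=SENSOR_PORT):
    """Return sorted (port_a, port_b, vlan) triples for every pair of ports
    that must stay isolated but are members of the same VLAN group."""
    isolated = sorted(set(segment_ports) | {sensor_port})
    found = []
    for a, b in combinations(isolated, 2):
        for vlan, members in sorted(plan.items()):
            if a in members and b in members:
                found.append((a, b, vlan))
    return found


def check_plan(plan, mirror_sources, mirror_destination,
               segment_ports=SEGMENT_PORTS, sensor_port=SENSOR_PORT):
    """Return a list of human-readable problems with the plan.

    An empty list means: every segment port is mirrored to the sensor port,
    the sensor port is not itself a mirror source, and no VLAN group bridges
    two ports that should be isolated.
    """
    problems = []
    for a, b, vlan in shortcuts(plan, segment_ports, sensor_port):
        problems.append(f"ports {a} and {b} are bridged by VLAN group {vlan}")
    missing = sorted(set(segment_ports) - set(mirror_sources))
    if missing:
        problems.append(f"segment ports not mirrored: {missing}")
    if mirror_destination != sensor_port:
        problems.append(
            f"mirror destination is port {mirror_destination}, expected {sensor_port}")
    if mirror_destination in mirror_sources:
        problems.append("mirror destination is also listed as a mirror source")
    return problems


if __name__ == "__main__":
    for name, plan in (("good plan", GOOD_PLAN), ("factory default", DEFAULT_PLAN)):
        issues = check_plan(plan, mirror_sources={2, 3, 4}, mirror_destination=5)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it as-is to compare the two constructed plans; to check your own switch, transcribe the VLAN membership page into the `plan` dictionary and the mirror page into `mirror_sources` / `mirror_destination`. The check says nothing about the management port, which on this class of switch still needs a path to the switch's own management IP.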

So how bad is it? Does it work at all?

It does work pretty well. I still have to measure the exact throughput. The admin interface for the switch does become unresponsive pretty quickly, but well, once it is set up, you don't need to touch it anymore. There are better switches with more buffer memory that you can often get on eBay for not much more money. I am having a hard time finding "real" gigabit taps for less than a few hundred dollars on eBay. But you may get lucky. Many of the taps that you find around this same price are typically actually just switches that are preconfigured with a monitoring port.

Let me know if it works for you, or if you have better ideas to monitor multiple gigabit network segments. If you are just interested in using a switch as a tap, there are a couple of videos on YouTube walking you through the setup.

Johannes B. Ullrich, Ph.D.
