Just recently I decided to add a passive LAN tap to my toolkit, partly because I needed a quick, easy and non-intrusive way to monitor network traffic, and partly to justify buying a new soldering iron.
The kit was manufactured by Great Scott Gadgets to Michael Ossmann’s original design and supplied by RoboSavvy. It’s been a while since I tackled anything involving a PCB and molten metal, but the lack of dry and/or bridged joints must mean I haven’t completely lost the ability to solder just yet.
There are four RJ-45 ports – two for connecting in-line on the Ethernet network to be monitored, and two monitoring ports. As an unpowered tap, it doesn’t have the ability to cope with full duplex Gigabit Ethernet, so only two of the transmit/receive pairs are broken out to monitor ports. This also means that the monitoring ports are unidirectional; to sniff traffic in both directions at the same time you’d need to connect both monitoring ports, for example using a dual-port NIC.
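As an added illustration (not part of the original post or the kit's documentation), the sketch below merges the two one-way captures, one per monitoring port, into a single timestamp-ordered pcap. It assumes both ports were captured on the same host, so the timestamps share a clock; the function names and sample frames are made up for the example.

```python
import heapq
import struct

MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def read_pcap(data):
    """Yield ((sec, usec), frame) for each record in a classic pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic, written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a microsecond-resolution classic pcap")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated last record (capture stopped mid-write)
        offset += 16 + incl_len
        yield (sec, usec), frame


def merge_directions(port_a, port_b):
    """Interleave the two one-way captures by timestamp, tagging each frame's port."""
    a = ((ts, "A", frame) for ts, frame in read_pcap(port_a))
    b = ((ts, "B", frame) for ts, frame in read_pcap(port_b))
    return list(heapq.merge(a, b))  # each input is already in capture order


def to_pcap(merged):
    """Serialise merged records as one little-endian Ethernet pcap for Wireshark."""
    out = [struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for (sec, usec), _port, frame in merged:
        # original length is set to the captured length
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed sample input: placeholder payloads, not real Ethernet frames.
# Port A carries one direction of the link, port B the other.
PORT_A = to_pcap([((100, 10), "A", b"request-1"), ((100, 500), "A", b"request-2")])
PORT_B = to_pcap([((100, 250), "B", b"reply-1"), ((100, 900), "B", b"reply-2")])

if __name__ == "__main__":
    for ts, port, frame in merge_directions(PORT_A, PORT_B):
        print(ts, port, frame)
```
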
The on-board capacitors act as low-pass filters, forcing the network devices at either end of the monitored segment to fall back to 100BASE-T. This allows traffic on a Gigabit (1000BASE-T) link to at least be monitored, albeit over a link downgraded to Fast Ethernet (of course, if you only ever want to sniff 100BASE-T traffic, none of that matters anyway).
As a quick test just to prove things work as expected, I inserted the tap between my Mac and a switch on my home network, then kicked off an aggressive Nmap scan against my wife’s poor unsuspecting Roberts “smart” radio. Running Wireshark on a laptop connected to the upstream monitoring port, we can see the scan activity being directed at the target device; the capture in the screenshot shows an attempt by Nmap to locate signs of unprotected Git repositories at the root of the web admin interface, by using the http-git.nse script as part of the aggressive scan.
Given that it’s highly portable, easy to use and invisible to network scans, I suspect this little gadget will be getting plenty of use in the field in the near future.