Creating a "data tap"
  • One device that's handy when working on network problems is something called a "data tap". This is inserted between two devices and a computer running Wireshark can then be used to monitor and analyze the traffic. A data tap can be made with a managed switch. A proper data tap will not allow packets from the monitoring computer or even the tap itself to appear on the monitored connections as that can cause problems if port security is used.

    Here's how to create one:

    1. Get a five (or more) port managed switch.
    2. Configure one port for the monitoring computer (I use port 1).
    3. Configure another port to be monitored (I use port 2).
    4. Configure port-based VLANs, with the monitoring port (port 1 in my case) on the default VLAN 1.
    5. Configure all the other ports on another VLAN (I used 2).
    6. Configure port mirroring so that the monitoring port mirrors the monitored port.
    7. Turn off Loop Prevention.
    8. While the switches generally support DHCP, I configured mine to use an address in the 169.254.0.0/16 link-local range.

    Once this is done, you have a "data tap". Connect a computer running Wireshark to the monitoring port and pass the monitored connection through the monitored port and any other.

    Steps 4 & 5 are to prevent packets from either the switch or the monitoring computer from appearing on the monitored circuit. However, I have noticed that one or two broadcast/multicast packets from the monitoring computer appear on the monitored circuit when the switch is powered up, if that computer is plugged into the switch at the time. So, power up the switch and connect the monitoring computer to it before inserting the switch into the circuit to be monitored.

    Step 7 stops the packets used to determine if a loop exists.

    I configured the switch to use a link-local (169.254.0.0/16) address, so that it won't conflict with anything on the network. Also, a computer configured for DHCP can be plugged into the monitoring port and, when DHCP fails, will usually default to a link-local address. The monitoring port can now be used for configuring the switch.

    Also, while they do work, I'd advise against TP-Link switches, as some models do not handle VLANs properly, in that broadcast/multicast packets leak between VLANs. I suspect this may be why I see those packets when the switch powers up.


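The post's test of a "proper" tap is that nothing sourced by the switch or the monitoring computer ever shows up on the monitored circuit. The script below is an added example (not code from the post or its author) of how to check that claim: take a capture on the monitored side of the tap, for instance with a second machine and Wireshark or `tcpdump -w`, then scan every Ethernet frame for a source MAC belonging to the tap hardware. It contains a minimal classic-pcap (libpcap) reader so it runs with only the standard library. The two MAC addresses in `TAP_MACS` and the embedded three-frame sample capture are constructed for illustration; in use you would substitute the real addresses from the switch label and the monitoring NIC, and pass a real `.pcap` file on the command line.

```python
"""Leak check for a switch-based data tap (added example, not from the post).

Reads a classic pcap (libpcap format, Ethernet link type) captured on the
*monitored* side of the tap and reports every frame whose source MAC belongs
to the tap itself. A proper tap should produce zero hits. The MAC addresses
and the sample capture below are constructed for illustration.
"""
import struct

LINKTYPE_ETHERNET = 1

# Hypothetical addresses of the tap's own hardware (assumption: taken from the
# switch label and from `ip link` on the monitoring computer).
TAP_MACS = {
    "02:00:00:aa:bb:01",  # managed switch (management interface)
    "02:00:00:aa:bb:02",  # monitoring computer running Wireshark
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_group_address(raw: bytes) -> bool:
    # I/G bit (least significant bit of the first octet) set => broadcast/multicast.
    return bool(raw[0] & 0x01)


def parse_pcap(data: bytes):
    """Yield (timestamp, frame_bytes) for each record of a classic pcap file."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"            # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"            # file written big-endian
    else:
        raise ValueError("not a classic pcap file (pcap-ng is not supported here)")
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def find_leaks(data: bytes, tap_macs=TAP_MACS):
    """Return [(timestamp, src_mac, dst_mac, kind)] for frames sourced by the tap."""
    leaks = []
    for ts, frame in parse_pcap(data):
        if len(frame) < 14:          # shorter than an Ethernet header: ignore
            continue
        dst, src = frame[:6], frame[6:12]
        if mac_str(src) in tap_macs:
            kind = "broadcast/multicast" if is_group_address(dst) else "unicast"
            leaks.append((ts, mac_str(src), mac_str(dst), kind))
    return leaks


# --- constructed sample capture -------------------------------------------

def _frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    d = bytes(int(x, 16) for x in dst.split(":"))
    s = bytes(int(x, 16) for x in src.split(":"))
    return d + s + struct.pack(">H", ethertype) + payload


def build_sample_pcap() -> bytes:
    """Three frames: two legitimate hosts talking, plus one IPv6 multicast frame
    leaked from the monitoring computer (the power-up symptom the post describes)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [
        _frame("02:00:00:11:11:11", "02:00:00:22:22:22", 0x0800, b"\x45" + b"\x00" * 19),
        _frame("02:00:00:22:22:22", "02:00:00:11:11:11", 0x0800, b"\x45" + b"\x00" * 19),
        _frame("33:33:ff:aa:bb:02", "02:00:00:aa:bb:02", 0x86DD, b"\x60" + b"\x00" * 39),
    ]
    out = [header]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    hits = find_leaks(data)
    for ts, src, dst, kind in hits:
        print(f"{ts:.6f}  {src} -> {dst}  ({kind}) sourced by the tap")
    print(f"{len(hits)} tap-sourced frame(s) found")
```

Run it against a capture taken while the switch is powered up with the monitoring computer attached, and again after inserting the tap the way the post recommends; the first run is where the stray broadcast/multicast frames would show up. The same check can be done interactively in Wireshark with a display filter on `eth.src`, but a script is easier to leave running for a longer soak. Save from Wireshark as pcap (not pcap-ng) if you use this reader.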