Netgate Discussion Forum
    Creating a "data tap"

    L2/Switching/VLANs
    • JKnott

      One device that's handy when working on network problems is something called a "data tap". This is inserted between two devices and a computer running Wireshark can then be used to monitor and analyze the traffic. A data tap can be made with a managed switch. A proper data tap will not allow packets from the monitoring computer or even the tap itself to appear on the monitored connections as that can cause problems if port security is used.

      Here's how to create one:

      1. Get a five (or more) port managed switch.
      2. Configure one port for the monitoring computer (I use port 1).
      3. Configure another port to be monitored (I use 2).
      4. Configure port based VLANs, with the monitoring port (port 1 in my case) on the default VLAN 1.
      5. Configure all the other ports on another VLAN (I used 2).
      6. Configure port mirroring so that the monitoring port mirrors the monitored port.
      7. Turn off Loop Prevention.
      8. While the switches generally support DHCP, I configured mine to use an address in the 169.254.0.0/16 link local range.

      Once this is done, you have a "data tap". Connect a computer running Wireshark to the monitoring port and pass the monitored connection through the monitored port and any other.

      Steps 4 & 5 are to prevent packets from either the switch or monitoring computer from appearing on the monitored circuit. However, I have noticed that one or two broadcast/multicast packets from the monitoring computer appear in the monitored circuit, if that computer is plugged into the switch, when the switch is powered up. So, power up the switch and connect the monitoring computer to it, before inserting the switch into the circuit to be monitored.

      Step 7 stops the packets used to determine if a loop exists.

      I configured the switch to use a link local (169.254.0.0/16) address, so that it won't conflict with anything on the network. Also, a computer configured for DHCP can be plugged into the monitoring port and, when DHCP fails, will usually default to a link local address. The monitoring port can now be used for configuring the switch.

      Also, while they do work, I'd advise against TP-Link switches, as some models do not handle VLANs properly, in that broadcast/multicast packets leak between VLANs. I suspect this may be why I see those packets when the switch powers up.

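As an added example (not from JKnott's post and not a Netgate tool), a small Python check for the leak the post warns about in steps 4 and 5: take a capture on the monitored circuit and list every frame whose source MAC belongs to the monitoring computer or to the tap switch itself. The MAC addresses, the minimal pcap writer and the three sample frames are constructed for this example; point `find_tap_leaks` at a real pcap and the real MACs to check your own tap.

```python
import struct
# Hypothetical MACs for this example; substitute the monitoring host's and the
# tap switch's own addresses when scanning a real capture.
TAP_SIDE_MACS = {"monitoring_host": "02:00:00:00:00:01",
                 "tap_switch": "02:00:00:00:00:02"}
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap (not pcapng), microsecond timestamps
DLT_EN10MB = 1           # Ethernet link type

def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))
def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, ethertype, payload=b""):
    """Assemble a raw Ethernet II frame (constructed test data)."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload

def build_pcap(frames):
    """Wrap frames in a minimal little-endian pcap file (constructed test data)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    return header + b"".join(
        struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def iter_frames(pcap):
    """Yield each captured frame from a pcap blob, honouring its byte order."""
    order = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    offset = 24
    while offset + 16 <= len(pcap):
        caplen = struct.unpack(order + "IIII", pcap[offset:offset + 16])[2]
        offset += 16
        yield pcap[offset:offset + caplen]
        offset += caplen

def find_tap_leaks(pcap, tap_macs=TAP_SIDE_MACS):
    """Return (frame_index, role, dst_mac) for each frame sourced by a tap-side MAC;
    an isolated tap yields none, the post's power-up broadcasts would show up here."""
    role_by_mac = {mac.lower(): role for role, mac in tap_macs.items()}
    leaks = []
    for index, frame in enumerate(iter_frames(pcap)):
        src = mac_to_str(frame[6:12]) if len(frame) >= 14 else None
        if src in role_by_mac:
            leaks.append((index, role_by_mac[src], mac_to_str(frame[:6])))
    return leaks

def sample_capture():
    """Constructed capture: leaked ARP from the monitoring host, a real frame, a switch probe."""
    return build_pcap([build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806),
                       build_frame("02:00:00:00:00:aa", "02:00:00:00:00:bb", 0x0800),
                       build_frame("01:80:c2:00:00:00", "02:00:00:00:00:02", 0x0026)])
```

Run it against a capture taken with the tap in the circuit (after the power-up sequence the post recommends); any frame listed means the tap side is still visible on the monitored segment.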