Thursday, February 17, 2011

Throwing Star LAN Tap

Not long after I designed the 5-in-1 Network Admin's Cable several years ago, I built the first Throwing Star LAN Tap. It is a simple cross of CAT5 cable spliced together to permit in-line monitoring of Ethernet connections. As a passive (unpowered) device, it is limited to sniffing 10BASE-T and 100BASE-TX, and each sniffing connector monitors only the network traffic going in one direction. You just insert it in-line on a target Ethernet connection (between a computer and a switch, for example), and then you can use monitoring tools like tcpdump or Wireshark on a computer attached to one or both of the sniffing connectors. The sniffing ports are receive-only, so there is no danger of your monitoring station accidentally transmitting packets onto the wire.

Despite its limitations, the device has come in handy countless times over the years. It is small enough that I can keep it in my backpack all the time. To sniff traffic in both directions, you have to monitor on two ports, but you'd be surprised how often sniffing just one direction at a time is sufficient for monitoring and troubleshooting tasks.
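Because each sniffing port sees only one direction, rebuilding the full conversation means interleaving two capture files by timestamp, which is the kind of merge a tool such as mergecap performs. The sketch below is an added example, not code from this post or from any of the tools it names. It assumes both captures were written on the same monitoring host, so they share one clock; the port labels "A" and "B" and the sample frames are constructed for illustration.

```python
import heapq
import struct

MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def write_pcap(records):
    """Serialise (sec, usec, frame) records as a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data, port):
    """Yield (sec, usec, port, frame) for each record, tagged with its tap port."""
    if len(data) < 24:
        raise ValueError("truncated pcap header")
    for endian in "<>":
        if struct.unpack(endian + "I", data[:4])[0] == MAGIC:
            break
    else:
        raise ValueError("not a classic microsecond pcap")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        if pos + incl > len(data):
            break  # capture was cut off mid-record; keep what is complete
        yield sec, usec, port, data[pos:pos + incl]
        pos += incl

def merge_directions(pcap_a, pcap_b):
    """Interleave two one-direction captures by timestamp."""
    return list(heapq.merge(read_pcap(pcap_a, "A"), read_pcap(pcap_b, "B"),
                            key=lambda r: (r[0], r[1])))

# Constructed sample: 14-byte Ethernet headers only, made-up MAC addresses.
HOST, SWITCH = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
to_switch = SWITCH + HOST + b"\x08\x00"    # seen on sniffing port A
to_host = HOST + SWITCH + b"\x08\x00"      # seen on sniffing port B
CAP_A = write_pcap([(1, 100, to_switch), (1, 300, to_switch)])
CAP_B = write_pcap([(1, 200, to_host), (1, 400, to_host)])

if __name__ == "__main__":
    for sec, usec, port, frame in merge_directions(CAP_A, CAP_B):
        print(f"{sec}.{usec:06d} port {port} dst={frame[:6].hex()} src={frame[6:12].hex()}")
```

The port tag on each record preserves which direction a frame travelled, information that is otherwise lost once the two files are combined into one.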

In 2007, Jason MacPherson wrote to me describing his extension of the Throwing Star LAN Tap design. (Alas, the link he sent is now broken.) He didn't bother with the throwing star form factor, instead opting to build his device in a box. The cool thing he did was to use the complete pinout of the 5-in-1 cable (all eight conductors) such that his tap could be used for monitoring either Ethernet or RS-232 serial connections. Why didn't I think of that?

Ever since then I've thought about building a new throwing star using Jason's approach. Another improvement I've had in mind is to switch from male RJ-45 plugs to female sockets. Although the male version is nifty and tiny, it invariably must be used with two or three couplers. Plus the tabs eventually break off the plugs, which is particularly annoying when they are attached to a very carefully spliced device.

Within the past year I've learned how to design printed circuit boards, so I decided to try building a female throwing star. There was one new problem I had to solve: how to handle 1000BASE-T (Gigabit Ethernet). Because 1000BASE-T signals travel in both directions simultaneously on each individual wire, it is impossible to build a passive tap for the technology. To properly tap 1000BASE-T, you need an active device such as a powered LAN tap or a switch with a monitor port. In a pinch, though, it is nice to be able to pull something out of your bag to get the job done, so I opted to make my throwing star compatible with 1000BASE-T in the only way I could, by breaking 1000BASE-T:

Since 1000BASE-T uses two more pairs of conductors than 10 or 100 Mbit Ethernet, I bypassed each of those extra pairs with a 220 pF capacitor. (Disregard the erroneous 22 pF marking in the photos.) This filters out the high frequency signals of 1000BASE-T, forcing the target devices to revert to 100BASE-TX which can then be monitored. The capacitors don't adversely affect lower frequency RS-232 signals, so all eight conductors function when monitoring serial connections. Sure, it's an ugly hack, but it's an ugly hack that fits in your pocket.

I figure that most folks who are interested in Bluetooth monitoring have occasion to sniff Ethernet from time to time, so I'm getting a bunch of kits produced, and I'll drop one into each reward package sent to backers of Ubertooth One on Kickstarter at the $100 level or higher. I'll also include a bare PCB with the $15 and $30 reward packages. I'm thinking about handing out PCBs as business cards at hacker cons, but I can't decide if it is a really good idea or a really bad idea. What do you think?

Open source design files are here.

Update: Throwing Star LAN Tap Kits are now available.

16 comments:

tmugherini said...

Best business card I have seen in a while. Gets the #awesomesauce tag

tz said...

This is great! (and a reason to keep the second usb LAN device in my fixit kit). Any suggestions on what to use since you would have to do a capture on two devices at the same time - does tcpdump or wireshark work well with it (and how should they be set up)?

Michael Ossmann said...

tz: You can bond two interfaces as suggested in the Wireshark wiki or do what I used to do: capture with two tcpdump processes and combine them later with mergecap.

RigoR MorteM said...

If you put a star for the $100 pledge, I'll support you Kickstart! Please, tell me if you do that, I've only 9 days left to submit!

Michael Ossmann said...

It's in there, Rigor. See Update #7 and its comment.

Paul said...

My name is Paul and I am the admin of a site called HackHut. You obviously have a lot of skill, and I just wanted to let you know about HackHut because it seems like a perfect fit for you. We are a hosting service somewhat like wordpress, blogspot, or Instructables except run by and geared toward the hacker/DIYer. We offer or are working on features that people like you want and can use. I hope you check us out and feel free to contact me there if you have any requests for features or questions about the site.

RigoR MorteM said...

Tnx a lot, Michael, now I'm an official backer of Ubertooth One :-)

Gerald Combs said...

@tz & @Michael: The upcoming development release of Wireshark (1.7.0) will support multiple capture interfaces.

Luy said...

Bummer, I wish I could've contributed to Ubertooth One in time.

And yes those are awesome business cards.

Anonymous said...

The Eagle files don't open.

Anonymous said...

The Eagle files don't open.

Michael Ossmann said...

There are no Eagle files. Eagle isn't open source. I use KiCAD.

Anonymous said...

Handing out PCBs as business cards at hacker cons is a good idea at White Hats but a bad one at Black or Grey Hats.

Anonymous said...

There is a lounge at my school that plays POP music over the PA system. It has been playing the same 40 songs for the past three months and despite people complaining, they will not turn it down or off. The controls are locked in a cabinet under a desk, but an Ethernet cable plugs into a router attached to the shelf next to it. Unplugging it prevents any new songs from playing after the last one.

My question is, is there a discreet dongle that can be attached inline that would redirect the incoming internet radio host to another source, such as a youtube playlist for instance?
The majority of people who use the space prefer Rock N Roll.

Tania Kevin said...

Thanks for sharing this great information with us. It is very useful & helpful. And your way of describing is very good.

Julien B said...

Hello,

I really like your idea.

What about removing the sniffing rj45 ports and replacing them with an ethernet/usb chipset?

Even with an extra usb hub chipset, it could be possible to simply connect one usb cable between the Star and a computer.

The computer will then add two NICs.

I personally would love such.

Cheers