Build a Cheap Gigabit Network Tap

by | May 23, 2022 | #_shelIntel, Blog

Whether doing security research or troubleshooting networks, network sniffers and packet analysis can be invaluable tools. If you’re a network engineer like me, you’ve probably been holding onto your favorite 4 or 8-port 10/100 hub for 25 years now. The reason is that hubs (not switches) make great network taps. By design, all Ethernet transmissions on a hub are sent to all ports. To monitor another device, you can place it on a hub along with your laptop/sniffer and then connect that hub to the rest of your network (if needed). All packets sent to or from this device will also be sent to your sniffer on the hub. Even 25 years later, the hub I bought during college still makes a great network tap. It was only recently that I needed something a little more powerful.

Hubs date back to the early years of Ethernet when twisted-pair cabling started being used for networking (like Cat-3/Cat-5). These networks initially ran at only 10 Mb/s and early hubs were also limited to that throughput. As technology advanced, Ethernet speeds increased to 100 Mb/s and new Ethernet switches were created. Unlike hubs, switches only forward packets to the port needed for the packet to reach its intended destination. This was done because hubs can suffer from “collisions” that occur when more than one device tries to transmit at the same time. Switches eliminate packet collisions and allow networks to remain efficient as the number of networked devices grow. Modern switches also support 10/100 Mbit/s and gigabit (1,000 Mbit/s) throughputs. While this is great for network performance, most inexpensive switches can’t be used as a network tap.

So, what can you do when you need to monitor a highspeed gigabit link and can’t afford an expensive network tap? How about the $39.99 10/100/1000 8-port Netgear GS308E switch with “Enhanced Features”. As you probably guessed, one of those enhanced features, called Port Mirroring, allows this switch to be used as a network tap. And unlike a hub, port mirroring allows you to monitor another port without it also monitoring you.

 

How To:

Follow the instructions below to configure a high-speed (up to gigabit) network tap using the Netgear GS308E switch.

Physical connections:

Port 1 – Device (or Network Segment) Being Monitored

Port 2 – Sniffer (My Laptop)

Port 8 – Uplink to Network (optional)

  1. Log into your Netgear GS308E by going to it’s management IP address with a web browser. The default URL is http://192.168.0.249 if there is no DHCP server available to assign an address. (See owners manual if you are having trouble accessing the switch management.)
  2. Click: System (top row) >> Monitoring (2nd row) >> Monitoring (left button)
  3. Port Mirroring Configuration:
    1. Click the Source Port of the port you want to monitor. In our example, this is Port 1. Multiple ports can be selected if you want to monitor several ports at the same time.
    2. In the Mirroring dropdown, select Enable.
    3. In the Destination Port dropdown, select the port that you will connect your sniffer to. In our example, this is Port 2.
    4. Validate that your settings are correct and click Apply.

A screenshot of a computer Description automatically generated.

That’s all there is to it! Make sure your devices are connected to the proper ports and start your network analysis.