May 26th, 2005 12:57 AM
Split a 100MB ethernet connection for sniffing
Short of using a switch with a mirror port is there a good way to split a 100MB ethernet connection for sniffing so you can just sniff whats on that one line? In this case I dont want to do any kind of arp poisoning. I tried to use an old 10MB hub to split the connection but it did not work that well, best I could manage was half duplex. I'm making a new tutorial about Cain and it would help if I could figure it out. Thanks.
May 26th, 2005 01:58 AM
Re: Split a 100MB ethernet connection for sniffing
I'm not quite sure what you mean by this? Do you mean to monitor it? If this is the case a network tap would be the best idea. A hub works in the same manor except it can generate collisions which cause problems.
Originally posted here by Irongeek
split a 100MB ethernet connection for sniffing
May 26th, 2005 02:00 AM
I just googled them, wat out of my price range. But thanks for pointing them out.
May 26th, 2005 02:15 AM
I have an idea but I have NO idea if it would work... Could you physically cut the cable, and connect two wires to each of the wires in the original cable, then connect one set back to the original cable, then connect the other to your sniffer computer?
That's my best idea, though I doubt it'd work.
<--Best hardware/gaming news out there--|
<--Gamers will love this one
Light a man a fire and you\'ll keep him warm for a day, Light a man ON fire and you\'ll keep him warm the rest of his life.
May 26th, 2005 02:23 AM
Thanks Grunt, but I tried that, best I could do by splicing wires was a half duplex sniff. Could be I wired it wrong, but I canít think of a way you can do that without screwing up the transmit and receive lines.
May 26th, 2005 02:44 AM
I think you would nead a custom routing table, how you go about that is well beyond me. Ho hum.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
May 26th, 2005 04:46 AM
As far as I can gather, you're attempting a setup like this..
Instead of splicing the wires, which would cause massive amounts of cross talk (removing the shielding and twists from a section of CAT5 is never a good idea)... Why do you just combine them? You're PC will transmit on pins 1 & 2 and receive on pins 3 & 6.. You only need to receive data to sniff.. Combine the cables at the end... it'll be a pain in the ass to slide two of them into a single RJ45 connector.. and will require some fancy work on your part.. but it's what I'd try..
Victim PC ----- Switch
Step 1: Strip and prepare the ends of two lengths of Cat5 as you normally would.
Step 2: Using your teeth, or small enough wiring strippers, remove the sheathing on the individual copper lines for pins 3 & 6 (White-Green and Green for example), Only do this to one end of each of the lengths of cable.
Step 3: Twice the bare ends together (3 to 3 and 6 to 6).. twist really tight because you're going to have to fit it into the groove of the RJ45 connector...
Step 4: Wire the end of the one cable (2 spliced ends and then 6 ends from one of the 2 lengths).. I'd apply a little electrical tape around this end for safe measure.
Step 5: Wire the opposite ends of both cables as you normally would.
Step 6: Plug the spliced end into the switch, plug the fully wired opposite end into the victim and the partial wired opposite end into the sniffer..
I believe that would work for ya... however, I'm extremely tired.... so who knows..
Good luck and let me know your results.
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
May 26th, 2005 04:57 AM
I have built this one in the past with great fun and success..
It's just a couple bucks.
I think the best you can do is 1/2 until something re-assembles...AFAIK.
May 26th, 2005 05:02 AM
Thanks HTRegz, I've tried something like that before but I only could get one side of the date (in other words, not full duplex). I would need someway to isolate the send wires from the receive otherwise it looks like the switch just faults on that port because it sees a loop back problem (I could be misinterpreting what I see).
May 26th, 2005 05:09 AM
Thanks ss2chef, it's kind of like what HTRegz was geting at. With the tap and two NICs I could get something like full duplex.