[Snort-users] Passive Tap Help

kenw at ...10492... kenw at ...10492...
Mon Dec 1 08:19:02 EST 2003

On Mon, 1 Dec 2003 10:21:53 -0500, you wrote:

>http://www.snort.org/docs/100Mb_tapping1.pdf is the picture I am
>referencing. I am looking to decipher the exact pin out of the 100Mb copper
>tap. It looks like I would have 4 - RJ45 Ethernet jacks in the tap.


>I guess I am looking for an "Ethernet Tap for Dummies" version that includes
>the wiring pin out for all 4 jacks.
>Best regards,
>Michael D. Peters 

That diagram is interesting.  Essentially, what it does is take both sides
of a Cat 5 cable and feed them into separate RX lines on two ports of a
switch, and then use the switch's spanned port to "see" them both at once.

Pin numbers on it could have helped, but you can look at any Ethernet RJ45
pinout diagram for them.  I recommend it for educational value.  Just
remember to match polarities.

Note that the "copper tap" may appear to constitute a crossover connection
on the full duplex lines, but it doesn't.  TX stays TX, RX stays RX.  The
crossover occurs when one FDX TX line goes the a switch's RX lines.

You could even build a box with no crossovers at all, and use a crossover
cable on one of the switch ports.

So far as I can see, this is a lot of trouble and expense (low-cost
switches with port spannning are rare) to go to when you could do nearly
all of it with a cheap hub.  The tap's claim to fame is that it passes full
duplex while monitoring both ways, by funneling two Ethernet lines into
one; it relies on the spanned port's buffering to avoid dropping packets.
A hub would accomplish the same net result by disabling full-duplex on the
tapped line, but that's usually a minor issue, very unlikely to be noticed
on all but the busiest links.  


K&M Systems Integration
Phone (403)274-7848
Fax   (403)275-4535
kenw at ...10492...

More information about the Snort-users mailing list