
The Perfect Gigabit Copper TAP (by Jasper Bongertz)

Capturing network packets often leads to the famous question of TAP vs. SPAN, and there are some fierce supporters for both techniques. For me, a TAP is always the better option, but unfortunately it is not always possible to put one into action, especially if a line cannot be disconnected to insert it. When it is possible, the next question is aggregation vs. full duplex tapping. Aggregation is easier to capture with just one network card, but may not produce results as exact as full duplex captures. Full duplex captures, however, require two network cards that need to be synced in hardware to avoid out-of-order time stamps.
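To make the out-of-order time stamp problem concrete, here is an added example (not part of the original post) that merges two per-direction captures and flags ACKs stamped before the data they acknowledge. The `Pkt` record, the direction labels and all sample values are constructed; it assumes an established TCP flow and timestamps in microseconds.

```python
import heapq
from collections import namedtuple

# Constructed record type: ts in microseconds, direction is "A>B" or "B>A".
Pkt = namedtuple("Pkt", "ts direction seq length ack")

def merge_by_timestamp(nic_a, nic_b):
    """Merge two time-ordered per-direction captures into one trace."""
    return list(heapq.merge(nic_a, nic_b, key=lambda p: p.ts))

def causality_violations(trace):
    """Return (ack_pkt, data_pkt) pairs where an ACK is stamped earlier than
    the opposite-direction segment it acknowledges (impossible on the wire)."""
    seen_end = {"A>B": set(), "B>A": set()}
    pending = {}          # (data direction, end sequence) -> ACK seen too early
    violations = []
    for p in trace:
        other = "B>A" if p.direction == "A>B" else "A>B"
        if p.length > 0:
            end = p.seq + p.length
            seen_end[p.direction].add(end)
            early = pending.pop((p.direction, end), None)
            if early is not None:
                violations.append((early, p))
        if p.ack is not None and p.ack not in seen_end[other]:
            pending[(other, p.ack)] = p
    return violations

def min_clock_skew(violations):
    """Lower bound (microseconds) on the offset between the two capture clocks."""
    return max((data.ts - ack.ts for ack, data in violations), default=0)

def shift(pkts, offset_us):
    """Apply a clock correction to every packet of one capture."""
    return [p._replace(ts=p.ts + offset_us) for p in pkts]

# Constructed sample: NIC A saw the A>B direction, NIC B saw B>A with a clock
# running 300 microseconds behind NIC A.
NIC_A = [Pkt(1_000_000, "A>B", 1000, 100, None),
         Pkt(1_000_500, "A>B", 1100, 100, None)]
NIC_B = [Pkt(999_900, "B>A", 5000, 0, 1100),
         Pkt(1_000_350, "B>A", 5000, 0, 1200)]

if __name__ == "__main__":
    bad = causality_violations(merge_by_timestamp(NIC_A, NIC_B))
    print(len(bad), "violations, clocks differ by at least",
          min_clock_skew(bad), "us")
```

The skew estimate is only a lower bound: it tells you the minimum correction that removes the impossible orderings, not the true offset between the two cards.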

Garland P1GCCA

Thanks to Tim and Chris B of Garland Technology I got my hands on a brand new Garland P1GCCA TAP, and I immediately fell in love with it. It is small compared to the older TAPs I own, and it has one feature that none of them had: a DIP switch that lets me select the mode of operation without any serial connection or other additional management tools.

Read how I use this super TAP and how I turned it into a USB-powered, totally portable device!

It can work as a full duplex TAP, but it can also aggregate the links twice, with one aggregated link available at each output port. Very cool. But it can also copy the traffic of one port to the other three, in case you want to run multiple capture or IDS devices on the same SPAN output. It’s basically the one TAP for every situation I’m going to carry around in my laptop bag.

The power issue

I was surprised to see that the TAP only had one power connector; all other copper TAPs I own have two for redundancy. I was disappointed for a second, but then I thought about how often it really would have made a difference in the last ten years. The answer: never, and that is because if power fails for a TAP like this it will just fall back to layer 2 connectivity in an instant. Not that it ever happened, but if it did, the link would only go down for a second or two, if at all. So I don’t think having only one power connector is a problem.

The one thing left…

The only thing that I thought could be improved was the power supply. I have a DualComm gigabit switch I carry in my laptop bag, and the big advantage of it is that it can be powered via USB. How often have you had to capture packets with your laptop where you could not find a power socket to plug anything in? It happened to me quite a lot, so the USB powered switch was often really nice because I could power it from the same laptop I did the capture with.

I was talking to the German distributor of Garland Technology TAPs one day, and I mentioned that I would love to see a TAP that could be USB powered as well. To my surprise his answer was that I could do that with the P1GCCA, because it ran on only 6 volts anyway. I hadn’t realized that before, because I was used to my other TAPs requiring 12 volts or more. According to him, USB should be able to provide enough power to run the TAP, especially if connected to a USB 3 port, which has a higher maximum ampere rating.

Time for some soldering

I found a low voltage cable with the right plug to fit the TAP, and got a USB plug that I could solder on to the other end. I used a voltmeter to determine which color was plus and which one was GND. After consulting an online diagram of the USB pin layout I started soldering the USB plug to the cable.

Afterwards I sealed the end of the plug with some black shrink tube.

For the first test I used a USB 3 hub without a computer attached to it to check if it was good enough to power the TAP, and it worked just fine.

The next test was connecting the TAP to my laptop on one of its USB 3 ports.

When I connected the output port to the capture card and started Wireshark, I could capture the aggregated connection without any problems.

Now that’s a perfect TAP for my laptop bag.

Jasper Bongertz is a Senior Technical Consultant who started working freelance in 1992 while he began studying computer science at the Technical University of Aachen. In 2013, he joined Airbus Defence and Space CyberSecurity, focusing on IT security, Incident Response and Network Forensics. During his time with Fast Lane, Jasper created a large training portfolio with a special focus on Wireshark. Jasper is a Sniffer Certified Professional (SCP) and VMware Certified Professional (VCP3/4/5), and has been a VMware Certified Instructor (VCI).

To Contact Jasper Bongertz, jasper@packet-foo.com

Editor's Note - Jasper is one of the Best of the Best in the network analysis and forensic world. He is a long time Wireshark Developer, a real Engineer, a Super Instructor, a super honest person to know and work with! One can always see Jasper at the Annual Sharkfest gathering every June! I have known Jasper a long time and if you need help with a technical problem he is the guy to go to!

Please note - Garland Technology TAPs come with 110/220 power supplies. This conversion is being considered for future releases. Please use caution when using the USB power as it could cause a hardware failure.
