bubbles

DIY – world's smallest passive Ethernet tap

Hello folks,

This is my first English blog entry. Excuse me for my hopefully not so bad English.

During my reverse engineering of the Terratec Noxon 2 Audio (read the past two blog posts) I had to sniff the network traffic between the Noxon and the Internet.

First I just sniffed the wireless traffic with a simple ARP spoofing attack in my switched network.

But I couldn’t be sure whether I sniffed the whole traffic or if I just missed some “intranet” traffic in my net.

After some internet research, I decided to build my own passive Ethernet tap to do a MITM (man in the middle) attack.

Snort and Geekslunch have excellent instructions for this. Geekslunch also hosts a very good paper about receive-only UTP cables. Have a look at this!

Note that you can only receive data from the connection. Injection is impossible with a passive tap!

If you want to modify or inject packets you should use two network interfaces as a bridge.

For my tap I used two screened two-port RJ-45 connectors which I soldered together.

Finally, here are some pictures of my tap. It’s the smallest I found on the internet! It has a size of 4*3*1 centimeters!

Finally, a small tip if you want to sniff in both directions simultaneously. For this you need two NICs. Link them together with the “bonding” kernel module. Here is a little howto and the documentation.
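One way to set up the bond described above with iproute2, as an added example that is not from the original post or the linked howto. The interface names `sniff0`, `eth1` and `eth2`, the helper `tap_bond_plan` and the choice of `balance-rr` mode are assumptions.

```shell
#!/bin/sh
# Added example. Names (sniff0, eth1, eth2) and the function are assumptions.
# Prints the iproute2 commands that merge the two receive-only tap NICs
# into one capture interface. Review the output, then apply it as root:
#   tap_bond_plan sniff0 eth1 eth2 | sh -e
#   tcpdump -ni sniff0 -w capture.pcap
tap_bond_plan() {
    if [ "$#" -ne 3 ] || [ "$2" = "$3" ]; then
        echo "usage: tap_bond_plan BOND NIC_A NIC_B (two different NICs)" >&2
        return 2
    fi
    for name in "$@"; do
        # The plan is meant to be piped to a root shell: allow only plain
        # interface names (Linux limits them to 15 characters).
        case $name in
            ''|*[!A-Za-z0-9_.-]*|????????????????*)
                echo "bad interface name: $name" >&2
                return 2 ;;
        esac
    done
    bond=$1
    # balance-rr keeps both slaves active, so frames from both are delivered
    echo "ip link add $bond type bond mode balance-rr miimon 100"
    for nic in "$2" "$3"; do
        echo "ip link set $nic down"          # must be down to be enslaved
        echo "ip addr flush dev $nic"         # a capture NIC needs no address
        echo "ip link set $nic master $bond"
    done
    echo "ip link set $bond arp off"          # the capture host stays silent
    echo "ip link set $bond promisc on"       # accept frames for any MAC
    echo "ip link set $bond up"
}
```

The bond name is deliberately not `bond0`, because loading the bonding module with its default options already creates an interface of that name.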
