Sniffing Ethernet one-sided read-only


I have an application where I need to monitor and log the Ethernet packets transmitted from one Ethernet device (A) to another (B). I would like to use just one of the Ethernet ports on an NGW100 to sniff and log these packets. All I'm interested in are the packets transmitted by device (A) to device (B).

Is it possible to use just the receive side of the Ethernet port on the NGW connected directly to the cable between device (A) and device (B) to achieve this?

If this can be done, I could make a custom cable, but more likely, I would create a PCB with three RJ connectors. One would connect to the NGW100 Ethernet port the other to device (A) and the 3rd to device (B). The device (A) would be connected to device (B) via the PCB and the signals to sniff would be connected to the NGW100.

Due to cost constraints, I cannot use an Ethernet HUB in this application and the second Ethernet port on the NGW100 is already in use.

Tom


The problem with sniffing on a 10xbase-Tx is the impedance matching problem you'd get if you just connected two pairs to one transceiver. While it might work for 10Base-T, for 100BASE-TX it won't.

If you add a sense amplifier it works reliably, provided you manually configure the port on the ngw to the actual speed (autonegotiation won't work).
If the cabling is 'local' and EMI isn't a problem, a pair of emitter followers with appropriate biasing works. If EMI is bad or you have one handy, a 1:1 Ethernet transformer on the input and output of the sniffer amplifier is recommended.
I used two BFR505 and both halves of a 10/100/1000 transformer pair.

[Apologies for dropping off the face of the world. There's a saying about the minimum number of disasters in a given temporal interval and I really should have known better..]
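
The manual speed setting mentioned in the reply above, combined with a capture of only the A-to-B frames, as an added example that is not part of any post in this thread. It assumes a Linux image on the NGW100 with `ethtool`, `ip` and `tcpdump` installed; the interface name `eth0`, both MAC addresses (constructed) and the output path are placeholders.

```shell
#!/bin/sh
# Added example: receive-only capture setup for a tapped link.
# Assumed names: eth0, the two MAC addresses (constructed), the output path.
IFACE="${IFACE:-eth0}"
SPEED="${SPEED:-100}"                  # must match the A<->B link: 10 or 100
MAC_A="${MAC_A:-02:00:00:00:00:0a}"    # constructed address for device (A)
MAC_B="${MAC_B:-02:00:00:00:00:0b}"    # constructed address for device (B)
OUT="${OUT:-/var/log/tap/a_to_b.pcap}"
DRY_RUN="${DRY_RUN:-1}"                # 1 = only print the commands

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

tap_setup() {
    # Autonegotiation won't work on the tap, so pin the speed by hand.
    # "duplex full" is an assumption; the port only ever receives here.
    run ethtool -s "$IFACE" speed "$SPEED" duplex full autoneg off
    # Accept frames not addressed to this NIC and keep ARP off on the port.
    run ip link set dev "$IFACE" arp off promisc on up
}

tap_capture() {
    # Log only frames sent by A to B: no name lookups (-n), whole frames
    # (-s 0), rotating over 5 files of about 10 MB each (-C 10 -W 5).
    run tcpdump -i "$IFACE" -n -s 0 -C 10 -W 5 -w "$OUT" \
        "ether src $MAC_A and ether dst $MAC_B"
}

tap_setup
tap_capture
```

Run it once as-is to review the printed commands, then with `DRY_RUN=0` as root to apply them.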


I may have found what I need in this article on how to build a passive Ethernet tap. http://www.snort.org/docs/tap/

A link to others' comments on this article.
http://www.snort.org/archive-7-1...

Tom

Last Edited: Sun. Mar 9, 2008 - 12:29 AM

KKP, thanks for the reply. Do you happen to have a schematic you can share for what you built using the two BFR505s and the 10/100/1000 transformer pair?

Tom


Quick redraw:
L1-L2 is the same winding, and L1-L2-L3-L4 is the same transformer. Likewise for L5-L8.

Since L7 and L8 have currents in opposite directions, the magnetic material in L5-L8 does not see a DC magnetic field, and does not saturate.

The 180 ohm resistor should be 90 ohm.

Attachment(s): 


KKP - Thanks for the schematic. In looking for a suitable transformer, I came across the Pulse PE-65263 and the (SMD) PE-65726. Here is a link to the datasheet. http://www.pulseeng.com/products...

Both of these are of type T4 as shown on page 6 of the datasheet. Is this transformer suitable or do you have another recommendation?

Thanks,

Tom


Could you not use the RIP protocol instead? We use it for ISP failover, and it has the ability to report back if you use the right hardware. We are using NETSCREEN firewalls and it works great. In your application you could use NETGEAR firewalls and set up a simple routing scheme to log the flow.

Jim


Quote:
In your application you could use NETGEAR firewalls and set up a simple routing scheme to log the flow.

Thanks for the reply, Jim. I wish I could do as you suggested. However, this is a low-cost embedded application and as such we cannot afford to use this method.

Tom


transformers:
The two transformers listed are 10Mbps types. They may or may not work at 100Mbps if you need that. For 10Mbps they look perfect.
If you choose a 100Mbps transformer with common mode choke, be sure to NOT have the common mode choke pointing towards the amplifier. It should be on the cable side. Otherwise you'll likely get an oscillator.

/Kasper


Thanks, Kasper. I'll post the schematic of the design back here when I'm done.

Tom