Building a passive Ethernet tap
I saw this cool Ethernet tap and thought it would be cool to see how chatty my “smart” TV is. But I didn’t want to pay €39 for it. So I made a clone on mini breadboards.
A passive Ethernet tap is a stupid-simple device. It sits inline between your computer and router, copies the signal onto two extra monitor ports, and physically cannot inject traffic back. No power, no software, no configuration. The monitor ports are receive-only. You can’t accidentally DoS your own network with one of these.
The design
The tap has four RJ45 jacks. J1 and J2 are wired straight through, pin for pin. The computer plugs into J1, the router into J2. The link works exactly like a patch cable because, electrically, it is one.
J3 monitors traffic from the computer toward the router. It taps the computer’s TX pair (pins 1 and 2 on J1) and routes it into the monitor’s RX pair (pins 3 and 6). J4 does the same thing in reverse, tapping the router’s TX pair into its monitor’s RX pair.
The monitor ports can’t transmit. Pins 1 and 2 on J3 and J4 are left floating. A monitoring computer plugged into J3 only gets a signal on its receive pair. It sees the traffic, it can’t touch the line. The tap is invisible to both ends.
Two 220 pF ceramic capacitors bridge the unused pairs on the monitor jacks (C1 on J3 pins 4-5, C2 on J4 pins 7-8). Their only job is to corrupt Gigabit auto-negotiation on the blue and brown pairs, forcing the link to fall back to 100 Mbps. Ethernet at 100 Mbps only uses two of the four pairs, and those are exactly the pairs we’re tapping. If the link negotiated at Gigabit and spread data across all four pairs, we’d be blind.
The build
Four RJ45 breakout boards, two 220 pF ceramic caps, and a mini breadboard. €10 worth of parts.
The original Throwing Star LAN Tap uses a custom PCB. I used RJ45 breakout boards with header pins. Each board breaks out all 8 pins plus a shield pin to labeled pins. Four of them, two capacitors, and a mini breadboard.
The inline path (J1 to J2) is eight wires, straight through, on one half of the breadboard.
The monitor taps branch off the inline path. For J3, I ran jumpers from J1 pins 1 and 2 to J3 pins 3 and 6. For J4, from J2 pins 3 and 6 to J4 pins 3 and 6. The capacitors sit directly on the monitor jacks, bridging the unused pairs.
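The wiring above can be checked on paper before anything is plugged in. This is an added example, not code from the original post: it models the jumpers as a netlist and tests the properties the design relies on (inline path straight through, monitor TX pins 1 and 2 floating, each monitor RX pair seeing the right line pins). The function names are hypothetical, and the capacitors are left out because they are not wires.

```python
from itertools import product

JACKS, PINS = ("J1", "J2", "J3", "J4"), range(1, 9)

def build_tap():
    """Wires (pin-to-pin links) as described in the post; capacitors are not wires."""
    wires = [(("J1", p), ("J2", p)) for p in PINS]             # inline, pin for pin
    wires += [(("J1", 1), ("J3", 3)), (("J1", 2), ("J3", 6))]  # computer TX -> J3 RX
    wires += [(("J2", 3), ("J4", 3)), (("J2", 6), ("J4", 6))]  # router TX -> J4 RX
    return wires

def nets(wires):
    """Union-find: map every jack pin to the set of pins it is connected to."""
    parent = {pin: pin for pin in product(JACKS, PINS)}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    for a, b in wires:
        parent[find(a)] = find(b)
    groups = {}
    for pin in parent:
        groups.setdefault(find(pin), set()).add(pin)
    return {pin: groups[find(pin)] for pin in parent}

def check(wires):
    """Return the list of violated properties (empty means the build matches)."""
    n, problems = nets(wires), []
    for p in PINS:
        if ("J2", p) not in n[("J1", p)]:
            problems.append(f"inline pin {p} is not straight through")
        if sum(1 for jack, _ in n[("J1", p)] if jack == "J1") > 1:
            problems.append(f"line pin {p} is shorted to another line pin")
    for jack, pin in product(("J3", "J4"), (1, 2)):
        if len(n[(jack, pin)]) > 1:
            problems.append(f"{jack} pin {pin} (monitor TX) is wired to the line")
    for jack, taps in (("J3", {1: 3, 2: 6}), ("J4", {3: 3, 6: 6})):
        for line_pin, mon_pin in taps.items():
            if (jack, mon_pin) not in n[("J1", line_pin)]:
                problems.append(f"{jack} pin {mon_pin} does not see line pin {line_pin}")
    return problems

if __name__ == "__main__":
    print(check(build_tap()) or "wiring matches the description")
```

Appending a stray jumper to the list returned by `build_tap()` and re-running `check()` shows which property a miswire would break.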
I was worried the breadboard would introduce enough capacitance to degrade the signal. 100BASE-TX runs at 125 MHz. Breadboard parasitics are usually 2-5 pF between adjacent rows, and the impedance is all wrong. But the inline wires are short, and the signal held up fine. A breadboard is not a PCB, and I wouldn’t run a production network through one, but for a passive tap, it works.
What it captured
The only Ethernet-tappable device I had was the smart TV. My laptop doesn’t have an RJ45 port, and the USB Ethernet adapter I ordered hadn’t arrived yet. So the tap sat between the TV and the router, with my desktop plugged into the monitor ports. 2,769 packets in the first 7.5 minutes at an average of 14 kbps. A smart TV at idle doesn’t move much data. Mostly control traffic and device discovery.
The TV announced itself 877 times in under 5 minutes: SSDP NOTIFY packets to 239.255.255.250, one every few seconds. It also broadcast mDNS over both IPv4 and IPv6 simultaneously, same service, same announcements, two protocols. A “smart” device on a different subnet (192.168.3.7) sent 34 broadcast frames in a burst. The router at 192.168.2.254 answered everything with IGMP queries.
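A per-protocol breakdown like the one above can be produced by labelling each captured frame. This is an added example, not the tooling used in the post: it classifies raw Ethernet frames into SSDP NOTIFY, mDNS over IPv4 and IPv6, IGMP and plain broadcasts. It assumes untagged Ethernet II frames and IPv6 without extension headers; the sample frames, the 192.168.2.50 source address and the payloads are constructed.

```python
import struct
from collections import Counter

SSDP_GROUP, MDNS4_GROUP = bytes([239, 255, 255, 250]), bytes([224, 0, 0, 251])
MDNS6_GROUP = bytes.fromhex("ff02" + "00" * 13 + "fb")        # ff02::fb

def classify(frame: bytes) -> str:
    """Label one untagged Ethernet II frame by the protocol it carries."""
    if len(frame) < 14:
        return "runt"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800 and len(frame) >= 34:               # IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto, dst_ip, l4 = frame[23], frame[30:34], frame[14 + ihl:]
        if proto == 2:
            return "igmp"
        if proto == 17 and len(l4) >= 8:
            dport, payload = struct.unpack("!H", l4[2:4])[0], l4[8:]
            if dport == 1900 and dst_ip == SSDP_GROUP:
                return "ssdp-notify" if payload.startswith(b"NOTIFY ") else "ssdp-other"
            if dport == 5353 and dst_ip == MDNS4_GROUP:
                return "mdns-v4"
    elif ethertype == 0x86DD and len(frame) >= 62:             # IPv6, no ext headers
        dport = struct.unpack("!H", frame[56:58])[0]
        if frame[20] == 17 and dport == 5353 and frame[38:54] == MDNS6_GROUP:
            return "mdns-v6"
    return "broadcast" if frame[:6] == b"\xff" * 6 else "other"

def udp4(dst_ip, dport, payload, dst_mac=b"\x01\x00\x5e\x7f\xff\xfa"):
    """Build a constructed Ethernet/IPv4/UDP frame (checksums left at 0)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 1, 17, 0,
                     bytes([192, 168, 2, 50]), bytes(dst_ip))   # source is made up
    return dst_mac + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip + udp

# Constructed sample frames, not taken from the capture in the post.
SAMPLE = [
    udp4([239, 255, 255, 250], 1900, b"NOTIFY * HTTP/1.1\r\nNTS: ssdp:alive\r\n\r\n"),
    udp4([239, 255, 255, 250], 1900, b"M-SEARCH * HTTP/1.1\r\n\r\n"),
    udp4([224, 0, 0, 251], 5353, bytes(12), dst_mac=b"\x01\x00\x5e\x00\x00\xfb"),
    udp4([192, 168, 2, 255], 9999, b"hello", dst_mac=b"\xff" * 6),
]

def summarize(frames):
    """Count frames per label, as in the per-protocol totals quoted above."""
    return Counter(classify(f) for f in frames)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```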
Zero CRC errors across all 2,769 frames. The link light stayed solid at 100 Mbps. The breadboard didn’t introduce any detectable noise.
Once the USB Ethernet adapter shows up, I can tap my actual laptop traffic, and see something more interesting than a TV shouting its name into the void.
Parts and cost
Most of the stuff I already had hoarded but the Ethernet breakout connectors cost €10 for 7. Kinda expensive per piece at €1.4 but it was on next-day delivery. ¯\_(ツ)_/¯