The LAN Tap | Yet another hacking device for social engineers

What Network Tap  is ?

A network tap is a system that monitors events on a local network in order to aid administrators (or attackers) in analyzing the network.[ The tap itself is typically a dedicated hardware device, which provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. If the network between points A and B consists of a physical cable, a "network tap" may be the best way to accomplish this monitoring. The network tap has (at least) three ports: an A port, a B port, and a monitor port. A tap inserted between A and B passes all traffic (send and receive data streams) through unimpeded in real time, but also copies that same data to its monitor port, enabling a third party to listen. Network taps are commonly used for network intrusion detection systems, VoIP recording, network probes, RMON probes, packet sniffers, and other monitoring and collection devices and software that require access to a network segment. Taps are used in security applications because they are non-obtrusive, are not detectable on the network (having no physical or logical address), can deal with full-duplex and non-shared networks, and will usually pass through or bypass traffic even if the tap stops working or loses power.

Man in the middle passive packet capturing with a Throwing Star LAN Tap from Great Scott Gadgets and a Netool NE1 is a true mobile lan capturing power house. With this setup there is zero packets being sent from the netool to the monitor LAN connection making the stealthy way to gather data about a single ethernet connection.

The LAN Tap Pro is a passive Ethernet tap, requiring no power for operation. There are active methods of tapping Ethernet connections (e.g., a mirror port on a switch), but none can beat passive taps for portability. To the target network, the LAN Tap looks just like a section of cable, but the wires in the cable extend to the monitoring ports in addition to connecting one target port to the other.

The monitoring ports (J3 and J4) are receive-only; they connect to the receive data lines on the monitoring station but do not connect to the station’s transmit lines. This makes it impossible for the monitoring station to accidentally transmit data packets onto the target network.

The LAN Tap is designed to monitor 10BASET and 100BASETX networks. It is not possible for an unpowered tap to perform monitoring of 1000BASET (Gigabit Ethernet) networks, so the Throwing Star LAN Tap intentionally degrades the quality of 1000BASET target networks, forcing them to negotiate a lower speed (typically 100BASETX) that can be passively monitored. This is the purpose of the two capacitors (C1 and C2).

Like all passive LAN Taps, this device degrades signal quality to some extent. Except as described above for Gigabit networks, this rarely causes problems on the target network. In situations where very long cables are in use, the signal degradation could reduce network performance. It is a good practice to use cables that are not any longer than necessary.

1. Use Ethernet cables to connect the LAN Tap (J1 and J2) in line with a target network to be monitored.
2. Use Ethernet cables to connect one or both of the monitoring ports (J3 and J4) to ports on one or two monitoring stations. Each port monitors traffic in one direction only.
3. Use your favorite software (e.g., tcpdump or Wireshark) on the monitoring station(s) to capture network traffic.