Meet the Swiss pocket knife of network traffic inspection

Netsplit is a passive Ethernet tap device, making it easy to sniff packets across Ethernet links. It fits in your pocket and requires no power, making it extremely easy and quick to use.

In this article we will explore exactly how to achieve this through a basic example scenario, as well as explain how the Netsplit works.

A bit of theory before we start

Before we actually jump into this, let's begin by looking at how the Netsplit actually works.

The Netsplit allows connecting two network nodes like a simple cable, but also exposes the transmission lines for each device as separate RJ45 ports. These "tap" ports are "listen-only": their transmission lines are not even wired, so there is no risk of creating any contention on the Ethernet link.

The two ports at the ends of the Netsplit are wired together as a standard CAT5 cable.
The other two ports located in the middle of the Netsplit have their reception lines wired to the transmission lines from the first two ports.

To make this work, the Netsplit forces the devices into "10/100" mode (prohibiting gigabit-speed comms) also known as "Fast Ethernet", which is well suited for passive monitoring. Gigabit sniffing cannot be done passively in this way. For this, go check out the Skunk gigabit tap & switch.

Let's get to it

From what we saw in the explanations above, we can start by connecting the Netsplit in place of the network cable between the two devices. Connect the two devices to the outermost ports on the Netsplit.

This will allow communication between the devices but limit it to 10/100 mode / "Fast Ethernet". The result should look exactly like the picture above.

Knowing how the Netsplit works, we know the two ports at the center can now be used to tap the transmission lines of either device.

This means we can actually connect our "sniffer" host to one of these center "tap" ports to start capturing packets. For this scenario, let us assume we wish to capture packets going from host "A" (left side) to host "B" (right side).

The tap ports are placed nearest to the port which they mirror the TX lines for. To sniff packets sent by host "A", we can use the center tap port closest to it. The picture below demonstrates this example setup.

That's it! The packets should now be flowing to the "sniffer" host connected to the tap port.
Let's start a TCPdump or Wireshark session and capture those packets!

Go check out ringtail.ch and get your Netsplit today!

Don't forget to subscribe to the newsletter to never miss an update!