Meet the Swiss pocket knife of network traffic inspection
Netsplit is a passive Ethernet tap device, making it easy to sniff packets across Ethernet links. It fits in your pocket and requires no power, making it extremely easy and quick to use.
In this article we will explore exactly how to achieve this through a basic example scenario, as well as explain how the Netsplit works.
A bit of theory before we start
Before we jump into this, let's begin by looking at how the Netsplit actually works.
The Netsplit allows connecting two network nodes like a simple cable, but also exposes the transmission lines for each device as separate RJ45 ports. These "tap" ports are "listen-only": their transmission lines are not even wired, so there is no risk of creating any contention on the Ethernet link.
The two ports at the ends of the Netsplit are wired together as a standard CAT5 cable.
The other two ports located in the middle of the Netsplit have their reception lines wired to the transmission lines from the first two ports.
To make this work, the Netsplit forces the devices into "10/100" mode, also known as "Fast Ethernet", which prohibits gigabit-speed comms and is well suited for passive monitoring. Gigabit sniffing cannot be done passively in this way. For this, go check out the Skunk gigabit tap & switch.
Let's get to it
From what we saw in the explanations above, we can start by connecting the Netsplit in place of the network cable between the two devices. Connect the two devices to the outermost ports on the Netsplit.
This will allow communication between the devices but limit it to 10/100 mode / "Fast Ethernet". The result should look exactly like the picture above.
Knowing how the Netsplit works, we know the two ports at the center can now be used to tap the transmission lines of either device.
This means we can actually connect our "sniffer" host to one of these center "tap" ports to start capturing packets. For this scenario, let us assume we wish to capture packets going from host "A" (left side) to host "B" (right side).
The tap ports are placed nearest to the port which they mirror the TX lines for. To sniff packets sent by host "A", we can use the center tap port closest to it. The picture below demonstrates this example setup.
That's it! The packets should now be flowing to the "sniffer" host connected to the tap port.
Let's start a tcpdump or Wireshark session and capture those packets!
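Because each tap port carries only one device's transmission lines, seeing both sides of a conversation takes two captures, one per tap port. The following added example (not part of the original article) goes one step beyond the single-direction scenario above and merges two such captures into one time-ordered list. It assumes a sniffer host with two interfaces, each saved as a classic little-endian pcap file and timestamped from the same clock; the MAC addresses and frames are constructed sample data.

```python
import heapq
import struct

PCAP_HDR = struct.Struct("<IHHiIII")  # classic pcap global header, little-endian
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
MAGIC_USEC = 0xA1B2C3D4               # microsecond-resolution pcap
LINKTYPE_ETHERNET = 1

def read_pcap(data, direction):
    """Yield (timestamp_us, direction, frame) for every complete record."""
    if len(data) < PCAP_HDR.size:
        raise ValueError("not a pcap file")
    magic, *_, linktype = PCAP_HDR.unpack_from(data, 0)
    if magic != MAGIC_USEC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian microsecond Ethernet pcap")
    off = PCAP_HDR.size
    while off + REC_HDR.size <= len(data):
        sec, usec, incl_len, _orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + incl_len > len(data):
            break  # truncated last record (capture cut off mid-write)
        yield sec * 1_000_000 + usec, direction, data[off:off + incl_len]
        off += incl_len

def merge_tap_captures(a_tx, b_tx):
    """Interleave the two one-way captures into one time-ordered list."""
    return list(heapq.merge(read_pcap(a_tx, "A->B"), read_pcap(b_tx, "B->A"),
                            key=lambda rec: rec[0]))

# --- Constructed sample data (not real traffic) ---
MAC_A = bytes.fromhex("02000000000a")  # made-up, locally administered
MAC_B = bytes.fromhex("02000000000b")

def build_pcap(records):
    """Build a pcap byte string from (timestamp_us, frame) pairs."""
    out = PCAP_HDR.pack(MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        out += REC_HDR.pack(ts // 1_000_000, ts % 1_000_000, len(frame), len(frame)) + frame
    return out

def eth(src, dst, payload):
    return dst + src + b"\x08\x00" + payload  # dst MAC, src MAC, EtherType

SAMPLE_A_TX = build_pcap([(1_000_100, eth(MAC_A, MAC_B, b"request-1")),
                          (1_000_900, eth(MAC_A, MAC_B, b"request-2"))])
SAMPLE_B_TX = build_pcap([(1_000_500, eth(MAC_B, MAC_A, b"reply-1"))])

if __name__ == "__main__":
    for ts, direction, frame in merge_tap_captures(SAMPLE_A_TX, SAMPLE_B_TX):
        print(f"{ts / 1e6:.6f} {direction} src={frame[6:12].hex(':')} len={len(frame)}")
```

A frame whose source MAC does not match the expected side of its capture is a quick sign that the sniffer is plugged into the wrong tap port.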
Go check out ringtail.ch and get your Netsplit today!
Don't forget to subscribe to the newsletter to never miss an update!
So it's been over a year since the last news. A lot has happened :)
Fear not however, as I have in fact been hard at work developing new products.
As many of you already know, I also work as a pentester for a Swiss cyber-security consultancy firm.
Over the past year I have encountered increasing opportunities to combine Dooba technology with my pentest job. In fact, some of you may already be familiar with Azban - the USB injection and payload delivery system I announced a few months ago.
I felt however that Azban did not have its place in the Dooba shop. I therefore set up a dedicated shop on the side just for it, which seemed like a good idea at the time.
As I started developing other products I realized it would quickly become an unmanageable mess to maintain multiple dedicated shops for every product that didn't really fit among Dooba's more "traditional" product line.
I recently decided it was time to create a subdivision within Dooba - one that could focus entirely on security-related products and technologies.
This was the birth of Ringtail Security.
This way I can keep developing cool Dooba modules and the SDK, but at the same time I hope that this new brand will allow me to go further in developing innovative, specialized products for pentesters or curious individuals.
Already some other interesting tools are available in the shop, and more will be added soon.
Go check out the selection at ringtail.ch!
It was time this weekend to assemble some more modules to replenish the stock for the shop.
I wanted to share a bit of the process, so you can see what goes into manufacturing your Swiss-made modules!
Setting up for stenciling
Stenciling is the first step of the process. The point here is to deposit some solder paste on the raw PCB panels through a stainless steel stencil.
With the help of a squeegee, the solder paste is pushed through the stencil and accurately applied to the PCB panel.
At this point I want to thank OSH Stencils and Digi-Key Switzerland for their amazing service.
OSH Stencils produce the stencils that I use to manufacture your modules. Their quality is perfect and consistent, and they offer very good support.
Digi-Key Switzerland supply the components with which I build your modules. Their selection of parts seems just endless and always in stock. Plus, their support is outstanding.
I was not paid to say any of this. I honestly enjoy working with these people - they are the best.
After completing this first step, the panels have all their solder pads covered in paste. The texture is similar to toothpaste, but I don't recommend brushing your teeth with it...
Pick & place
Now comes the most time-consuming part: placing every component on the panels.
Every single resistor, capacitor, IC chip, etc... They are simply "dropped" into place, right into the paste. The toothpaste-like consistency and texture will actually maintain the components in place until they are soldered.
For this, I use simple tweezers and some patience. After about two hours, all components are in place.
Well... ALMOST all components :)
Some components are not included at this stage and will be individually soldered later on. These are the through-hole components (large capacitors, 3.5mm stereo jacks) and sensitive components (mini-joysticks, switches, buttons) that risk being damaged by the heat during reflow.
Hot air reflow
Once the components are all sitting comfortably in solder paste, the next step is to expose the panels to enough heat for the paste to reflow.
The temperature must be carefully controlled to follow as accurately as possible the reflow profile of the solder paste's specification.
For this I use an Aoyue hot air station with a wide nozzle and low-speed flow.
After a few minutes the reflow is complete and everything is soldered into place. Unless extreme caution is applied during stenciling, some solder bridges will appear during reflow.
Now comes the time to clean up those solder bridges, as well as touch up any small defects that may have resulted from the reflow soldering step.
For this part I use a WT1010 soldering station from Weller tools and some solder wick.
When heated, the wick magically sucks away any excess solder through capillary action.
Once everything is reflowed, I finally add the remaining components and solder them by hand with the same WT1010 station.
After this, only one last step is still necessary: cleaning the panels.
I dip the panels in some alcohol (IPA, not vodka...) and gently rub them with a medium-soft toothbrush.
And that's it! The panels are now ready to be broken into individual modules for packaging and shipping :)
Dooba is an open-source embedded development ecosystem from Switzerland.
My name is Paul DUNCAN and I founded Dooba in 2016 in Vaud, Switzerland.
I love code, electronics, security and raccoons.
Want the full story? Make yourself comfortable and check this out: Discover Dooba.
At the heart of the Dooba ecosystem is the ioNode, a basic hardware development board featuring a microcontroller, a USB interface, and a lot of inputs/outputs.
To support development of firmware, we also provide a Software Development Kit (SDK), which allows extremely fast and straightforward development of firmware components, both simple and complex.
The SDK includes a dependency management system capable of fetching and configuring libraries from various sources, including the official Dooba Core Team repositories.
We provide libraries (with tutorials) for many things ranging from basic code utilities to complete frameworks such as the VFS, the Graphics Framework or Network sockets.
One of the core advantages of the Dooba SDK is the substrate system - a powerful way to generate the underlying bricks for any application with minimal code.
The Dooba ecosystem is designed to allow the construction of better applications with less code.
Manage files across multiple storage devices using different file systems.
Open up menus and dialogs through a generic user interface framework on any display.
Call and serve APIs through WiFi using the generic HTTP library.
The Dooba ecosystem takes care of the details and lets you focus on implementing your applications.
We offer a collection of tutorials to help you navigate this ecosystem: the Dooba Wiki.