Friday, June 2, 2017

A better LAN tap

I had a project recently where I needed to see the traffic between two hosts and ettercap ARP spoofing was not reliable. I decided to grab my Throwing Star LAN tap that I got at Defcon a couple years ago. Finally, I thought, a reason to use it.

I plugged it in, started the devices I was sniffing, and started up wireshark. Wait a second. Something is off here. Why am I only seeing traffic in one direction? *googles it* Seriously? each port on this Throwing Star can only see a single direction at a time? yeesh

It says so very clearly on the website, and its completely my fault for not reading and understanding its functionality earlier. Bad me.

If you want to see both directions, you need to plug in both sides at the same time. Which wouldn't be that bad except for the fact that you need to pcap twice, and there is no easy and obvious way of stitching the traffic back together. You're left with two files that you have to manually go through to understand what the devices are doing.

On top of this, most laptops released these days don't have an ethernet jack. So now you have to resort to two separate USB-Ethernet adapters and a USB hub. Again, much less than ideal. I'm sure the Throwing Star LAN tap would be fine in a pinch, but as a regular testing device, I would not recommend it.

After some research and personal testing, there is a brand of LAN taps that I do recommend. The ones from SharkTap.

There is the cheaper one:

And the one I decided to get:

I decided to purchase it for a number of reasons:

  • Gigabit capability
  • PoE passthrough
  • Can function as USB-Ethernet adapter
  • Both USB and RJ45 connections for taps
  • Powered over USB
  • See both sides of the traffic
I only have two complaints. The first is that you have to install a driver if you are on a Mac (windows/linux works out of the box). This was not a big deal since it was very quick and easy. My second gripe is that the device itself is twice as long as the Throwing Star (but smaller if you factor in the other pieces you need for this to work)

Despite these two gripes, I definitely feel that the pros outweigh the cons massively.

I have personally tested the gigabit one and can confirm it lives up to its claims. Go forth, and pwn.

