
Secure capture setup for multiple connections

asked 2018-04-25 11:08:18 +0000


What would be the most optimal and secure setup for capturing traffic from multiple connections?

We currently have a setup with multiple connections between different computers. Each connection belongs to some kind of different security level. We would like to capture traffic for all those connections on one machine. The requirements are:

  1. No possibility of compromising the different levels and data flow between them.
  2. No introduction of an additional device which can be attacked or compromised.
  3. Capture and monitoring devices should be invisible on the network.

Port mirroring would be useful for multiple connections; however, in case the switch is compromised, traffic from one level could easily be sent to another one, which is a no-go. Since most of the connections are still 100Base-TX we thought about simple DIY passive taps; for higher bandwidth we would use optical fiber taps.

So the setup would look like this:

Taps capture traffic from the different connections. Since taps need two NICs, two ports will be occupied on the switch. Since the taps are passive, nothing can be sent back, and a potential misconfiguration on the switch would also not lead to data flowing back. Also, the switch and tap would be invisible to the network. The switch aggregates the traffic and mirrors all the different connections into one port. That port is connected to a monitoring PC running Wireshark.

Is there anything to look out for hard- or software wise? Any other ideas for such a setup?


1 Answer


answered 2018-04-25 11:55:21 +0000


TAP is the way to go, but you need to make sure that they are not allowing traffic injection on the monitor ports - "passiveness" doesn't necessarily guarantee that. Some vendors call their TAPs passive because they have no IP, others mean that there is no power supply for the TAP.

So make sure that the TAP doesn't have the traffic injection feature, and building your own (only physically possible for 10/100, as you probably know) is a risk if you are not very careful with the wiring. Also, there are aggregation TAPs that can do RX/TX aggregation, so if you don't want to go with dual NIC setups you could use one of those.

Also, it is very important to realize that anything can be called a TAP - sometimes, cheap devices are called TAPs, but they are not what you'd expect, e.g. the devices from DualComm usually allow in- and outgoing traffic on the monitoring port. If you need help selecting a device that meets your requirements you can always contact me directly if there are any questions, or ask here. Also, you might want to check my blog post here:



I already came across the blog, which is indeed a great resource on that topic :) The TAP would be just some rewired Ethernet cables for 10/100 Mbit/s, or maybe something like this: So no worries about IP address or traffic injection. We are mostly concerned about the part where data flows into the switch and then to the mirroring port. How could we distinguish data from all the connections? The idea was to use different VLAN tags for connections A, B, C ..., but according to your blog some switches strip the tag off while mirroring. I'm always wondering why there are aggregation taps and if there is something inherently different in their setup and internal working mechanism compared to a switch, since they usually come at a much higher price. Is it really just due to more convenience, an all-in-one device, higher supported speeds etc.?

colada ( 2018-04-25 15:36:51 +0000 )

Hm I think I misunderstood the description of the setup - so you want to TAP the links, and then use a normal network switch to aggregate the traffic via multi source SPAN into a single Wireshark PC? Switches are not made for this kind of thing - that's what so called "Packet Brokers" are for. Packet Brokers are sort of "specialty switches" that allow you to distribute and aggregate various TAP sources to whatever capture/inspection device you want to use. They are more expensive unfortunately, often costing a five digit number.

Maybe you might want to look at the ProfiTAP Booster device, which can aggregate various sources to a single output and uses VLAN tags that it inserts into the packets to mark the source port the packet was seen on:

And yes, TAPs (and aggregation TAPs) are very different from switches. They use ...(more)

Jasper ( 2018-04-25 16:08:02 +0000 )
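An added check for the VLAN-tag question raised in the two comments above (example code, not from this thread or any vendor): it groups captured frames by 802.1Q VLAN ID, so a source-marking scheme like the one described can be verified, and reports untagged frames, which on a mirror port would indicate the switch stripped the tag. The sample frames are constructed inline; read_pcap is a minimal classic-pcap reader for running the same check on a real capture file.

```python
import struct
from collections import Counter

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Return (vlan_id, inner_ethertype); vlan_id is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner          # low 12 bits of the TCI are the VID


def summarize(frames):
    """Count frames per VLAN ID; the key None collects frames without a tag."""
    counts = Counter()
    for f in frames:
        counts[parse_frame(f)[0]] += 1
    return counts


def build_frame(vlan_id=None, payload=b"\x45" + b"\x00" * 19):
    """Constructed sample frame: dummy locally administered MACs, optional tag, IPv4."""
    hdr = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)  # PCP=0, DEI=0
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def read_pcap(path):
    """Yield raw frames from a classic (not pcapng) pcap file; assumes Ethernet link type."""
    with open(path, "rb") as fh:
        magic = fh.read(4)
        endian = "<" if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        fh.read(20)                      # remainder of the 24-byte global header
        while len(rec := fh.read(16)) == 16:
            _, _, incl_len, _ = struct.unpack(endian + "IIII", rec)
            yield fh.read(incl_len)


# Constructed capture: two frames from VLAN 10, one from VLAN 20, one that lost its tag.
SAMPLE_FRAMES = [build_frame(10), build_frame(10), build_frame(20), build_frame()]

if __name__ == "__main__":
    for vid, n in summarize(SAMPLE_FRAMES).items():
        print(("untagged (tag stripped?)" if vid is None else f"VLAN {vid}") + f": {n} frames")
```

On a real capture, replace SAMPLE_FRAMES with list(read_pcap("mirror.pcap")); a non-zero untagged count after the switch means the VLAN markers cannot be relied on to separate the sources.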

"so you want to TAP the links, and then use a normal network switch to aggregate the traffic via multi source SPAN into a single Wireshark PC?"

Yes. I certainly see the difference between our setup and a commercial solution. The question is if our setup would fail in general. I found something similar on the bottom of this page: i.e. a switch aggregating traffic from tapping a single connection. So the answer is probably no. Not sure if there is a difference for more connections. Dropping packages would probably be no issue as the traffic will be quite low in our case. The setup also would not mess with production traffic. The switch is not an active part on the production network since it is kind of separated via the TAPs. Timing might be an issue, not sure if there is anything ...(more)

colada ( 2018-04-25 22:27:23 +0000 )

@colada Seems to be modern at the moment, that people want to capture stuff but are not interested in precision and reliability of the captured data. You are not alone... For me the precision and reliability of the captured data is one of my highest goals of capturing. So I totally agree with @Jasper's statements.

But at the end you have to test your solution and see if it works for your requirements.

Christian_R ( 2018-04-26 07:14:39 +0000 )

I haven't found any switch yet that could SPAN LACP frames (I tried some Cisco and some HP a while ago), so I have to say I don't know. It may be possible.

Your setup is not really what switches are designed for, so if you need reliable capture results you may run into problems. For me, few things are worse than wondering if the capture was messed up or if what I see is what truly happened, so I wouldn't go the way you described. I can understand that there is probably a cost issue, and it's hard to build something good on a budget. So if there's no other way you can try to do it that way, but be aware that your PCAPs may not contain exact results.

Jasper ( 2018-04-29 23:12:17 +0000 )


Last updated: Apr 25 '18