Recently, I've had the pleasure of applying the passive ethernet tap
documented at http://www.snort.org/docs/tap/ to a network sniffing
project in a large production multiuser environment.
The nature of this tap splits the traffic across the receive channel
of two ethernet ports. The traffic must be reconstructed before
it can be used for sniffing purposes. Transmission is disabled on the
tap ports, and the traffic traveling over the network is unaffected
by the presence of the tap.
Michael Peters, the author of the document describing the tap,
provided helpful information for using the tap with Solaris. However,
use with Linux and other operating systems was left as an exercise to
Below, I'd like to relate my successful experience using the tap with
Debian Linux and the details required for its proper operation.
My network sniffer of choice for this project was a Compaq desktop
with several 10/100 3com cards. I applied a clean install of Debian
Linux, specifically Woody with the 2.4 kernel.
The network link that I tapped was running full duplex, 100 megabit
ethernet. I also tested the tap with half duplex, 10 megabit ethernet.
This diagram demonstrates the setup of the passive tap and the sniffer host.
In Debian, the Linux kernel interface bonding driver is used to
reconstruct the traffic from the pair of interfaces attached to the
tap. Debian comes with the kernel module required, however there are
some utilities required to activate the bonding interface and bind
interfaces to it.
The "ifenslave" package contains the necessary utilities to configure
the bonding interface. Downloading it and installing it via Debian's
Apt Package Manager is simple, and documented below.
# apt-cache search ifenslave
ifenslave - Attach and detach slave interfaces to a bonding device.
# apt-get install ifenslave
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
0 packages upgraded, 1 newly installed, 0 to remove and 0 not
Need to get 8412B of archives. After unpacking 73.7kB will be used.
Get:1 http://http.us.debian.org stable/main ifenslave 0.07-1 [8412B]
Fetched 8412B in 0s (24.0kB/s)
Selecting previously deselected package ifenslave.
(Reading database ... 15297 files and directories currently
Unpacking ifenslave (from .../ifenslave_0.07-1_i386.deb) ...
Setting up ifenslave (0.07-1) ...
Before configuring the bonding interface, the bonding kernel module
must be loaded.
# modprobe bonding
Now that the ifenslave utility has been installed and the kernel
module loaded, we can configure the bonding interface.
To bring the bonding interface online without an IP address, perform
the following commands. My example uses eth0 and eth1 for the
receiving interfaces attached to the tap.
# ifconfig eth0 promisc up
# ifconfig eth1 promisc up
# ifconfig bond0 promisc up
# ifenslave -e bond0 eth0 eth1
Note that each interface bound to the bond0 interface must be placed
in promiscuous mode beforehand. Placing bond0 into promiscuous mode
does not change the interfaces bound to it.
Now bond0 can be used as a packet source by the chosen network
sniffing tool. In my experience bond0 required an IP address, however
this depends on the network sniffing tool and the sniffing methods
The commands loading the kernel module and configuring the interface
can easily be scripted to automate configuration of the bond0
Since transmission is disabled on the interfaces attached to the tap,
another network interface would be required for remote
administration and other outbound traffic (ie: mail alerts, syslog,
Best of luck applying the network tap to your network sniffing
projects. Comments and suggestions are welcome!
Copyright 2004 by Russell Adams and Adams Information Services.