I wanted to setup a system that could snoop (or sniff) network traffic
but was invisible on the network itself. I orignally tried just snipping
the different wires in a UTP cable, but that doesn't work as it causes
link to drop and you drop off the network.
AUI (10Mb/s)
Since I am running an endpoint over my existing phone cable (CAT 3)
I needed to use a 10Mb/s only hub (the 10/100 would get link at 100 but get
collisions that brought down the usable bandwith to 1Mb/s). The 10baseT hub also
has an AUI port. Since the AUI
is on the hub you need a transceiver and a cross-over UTP cable
to connect to the host's NIC. You then just remove the receive signal
(pin 5 or 12) and the host would be invisble while receiving all data.
I forgot how tough AUI cables were (I made an hubless host to host AUI "cross over" cable
the early 1990s). They have braided shielding, foil, insulation, more foil, and
then the individual wires. I found pin 12's wire (white) and placed
a switch on it. I now could go in and out of stealth mode. If you don't
want the switch it would be best not to cut open the cable and just remove
pin 12 with needle-nose pliers.
UTP for 100baseTX
This works great for 10Mb/s with AUI, but if you want to do this at
100Mb/s almost all hubs and switches are UTP. 100Mb/s does have
MII, but I've never seen a transceiver for that. So I was
going to figure out how to make a stealth cable for 100baseTX.
The orginal thinking was this:
since a capacitor looks like a open circuit to DC and a closed
circuit to AC (the data signal) you could block the data signal while
keeping voltage live and keeping link. In hindsight this
is flawed because how does a 10/100 hub know a port is at 10Mb/s or 100Mb/s
unless it can see the signal? But I started experimenting by putting
small capacitors across and inline with the receive wires and I got it to work.
You need to place a small capacitor in-line on pin 1 to the hub. For most CAT 5
(TIA 568B standard) this
wire is usually white with an orange stripe. What I think this actually does
is to introduce enough electrical noise that the data packets are dropped
by the hub.
I used two 47pF capacitors in series (effectively a single 23pF)
and a switch. When the switch is on it shorts across the capacitors
and removes then from the circuit (out of stealth mode).
When the switch is off the capacitors are in and you are in stealth mode.
Link is up, you can see traffic, but no one can see you. This UTP cable works
on my Sun hme and qfe interfaces, the 3com cards in my PCs all connecting
into 10/10 NetGear hubs. It also works in connecting to a Cisco PIX 520 and
a Cisco 3640 FastEthernet port (1FE-TX).
Since this was determined by experimentation,
I run into trouble when I use it as an uplink
to another NetGear hub. I would get the collison problem that
uses all the bandwith on the hub.
It seems that this setup has a different impedance, but it was
solved but trying different ports in the hub. Different ports have
differnet impedance for some reason. This cable does not work at all with the 10baseT
hub on any port as link just goes up and down. This may be because the signal
rate (the AC componet) is one tenth of 100baseTX (10MHz vs. 100MHz).
For 10baseT UTP it would seem that you would need ten times
the capacitance assuming the impedance is the same, but have not tried
it myself.
Parts
The cost for both these (excluding AUI and UTP cables) is $2.28
plus tax.
Package of Two Slide Switches: Radio Shack catalog number
275-409A: $1.49
Package of Two 47pF Ceramic Capacitors: Radio Shack catalog number
272-121: $0.79
