Building a passive Ethernet tap
24 points by lvmbdv
If you have a switch that has configuration possibilities, it’s pretty likely it supports port mirroring to do this, if you don’t want to build it yourself!
Thanks for the heads-up! My ISP-leased router does not have such a feature but I'll keep it in mind in case I get an external switch.
That's a big if, though... at least I've never come across any consumer-grade managed switches.
I thought managed switches are pretty common. For instance, I have this modest Netgear switch on my desk which cost £25 and has features like VLANs and port mirroring. The switches in consumer broadband routers often have similar tickybox feature lists.
Looking at Inet (my local enthusiast retailer), they do seem to finally offer a few managed options, though I still wouldn't expect it to be the default you get if you go in and ask for "a switch please". It also seems a bit confused in some places... for example, this listing claims to be for managed while the product pictures prominently label it as "Unmanaged Pro Switch" on both the chassis and the box. TP-Link themselves also don't seem to be sure: their US listing consistently refers to it as "Smart" while the Nordic one has the same contradictions as Inet's.
As for routers, I can only speak for the ASUS RT-BE92U that I own (which I'd consider to be a relatively high-end model), where I see options for QoS, jumbo frames, and moving one of the ports between the LAN and acting as a secondary WAN, but nothing about VLANs or port mirroring.
That TP-Link switch appears to have a proprietary configuration utility whose documentation describes VLANs and port mirroring.
Yeah, I assume there's a managed TL-SG105E, I'm just not exactly confident that it's the one you'd get from the store.
But I'm happy that things finally seem to start to be moving in the right direction, compared to the last time I looked into this!
The UniFi ones have it, but I suppose maybe that’s prosumer-level. They’re not enterprise-level priced at least.
When I was learning about networking, I recall being taught that there were Ethernet "hubs" which were configured to broadcast the TX side of each Ethernet port to all the RX sides of the other Ethernet ports.
Isn't this halfway there?
Granted, I've genuinely never encountered such a primitive "hub". I might be too young...
There are still cheap "ethernet splitter" products sold online that work like that, but naturally they are prone to collisions and thus not very reliable. I never bought one but saw their insides in this video: https://youtu.be/QgrVVyIzecM?t=266
Yeah, I think those were mostly a thing back in the days of 10BASE-T. I assume the collision risk became too much of a problem after that...
The main difficulty is that after the advent of 100baseT ethernet, switches had to be able to buffer packets in order to retransmit at different speeds on different ports. Wikipedia describes how dual-speed hubs worked using a two-port switch and a bunch of muxes, a glorious hack.
There’s the secondary issue that hubs are half-duplex but 100baseT could also be full duplex, desirable because (as you implied) getting rid of collisions gives the network more of a performance boost than the 10 -> 100 bit rates suggest. (This brings back memories of how autonegotiation on 100baseT was really janky; one of the great improvements of gigabit is its significantly more robust autoneg.)
I went down a rabbit hole to read further into how hubs actually work. To answer my question: no, this is not halfway to a 10BASE-T hub.
Here's a patent for an ASIC you would find in some hubs: EP0495575A1
This thing handles clock recovery because it's an active repeater, needs to be able to spot collisions and produce the jam signal, and needs to avoid forwarding the bitstream back to the sender. The combination of these and the electrical requirements mean that it has to implement some state machines.
At this point one may wonder: "if this is so complicated, why not just have a switch?" The reason is that switches were even more complex, and this made them more expensive.
What is even more surprising is that it was still considered a cost effective compromise to have hubs in the 100BASE-TX era, although that's the point at which they quickly got obsoleted by cheaper switches.
What's super interesting is that if you think about it, increasing speeds reduce the amount of time to send a frame, which means that collisions for the same volume (bytes/frames) of traffic become less likely. Of course, separating collision domains is a good thing regardless, but the other major problem is that an increased speed makes your cables virtually "longer" in a sense. The collision detection part of CSMA/CD must happen in a short window (before the sender finishes transmitting) for it to be fully effective.
Let's say you have two computers connected to a hub, one indirectly via n other hubs (or at the end of a long cable), and the other connected directly. The local one starts transmitting as the hub begins to receive the frame from the other computer. A jam signal resulting from this collision must reach and be noticed by that distant computer before it finishes transmitting the portion of the frame corresponding to the minimum frame size. Otherwise CSMA/CD stops working (properly).
The speed increase effectively reduces the maximum allowable "time diameter" of one collision domain.
Switches, on the other hand, can reduce the collision domain to the length of one link (half duplex), or eliminate the need for collision detection entirely (full duplex).
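The collision-window argument in the comment above, turned into a small timing model (an added example, not code from the thread; the hub repeater delay and cable propagation speed are assumed illustrative values, not figures from the IEEE 802.3 standard):

```python
# Model of the CSMA/CD constraint: a collision must be seen by the sender
# before it finishes transmitting a minimum-size frame. Faster links shrink
# that window and therefore shrink the allowable "time diameter" of a
# collision domain.

MIN_FRAME_BITS = 64 * 8          # minimum Ethernet frame (64 bytes) in bits
PROPAGATION_M_PER_US = 200.0     # assumed: roughly 2/3 c in twisted pair


def slot_time_us(bitrate_bps):
    """Time to put a minimum-size frame on the wire, in microseconds.
    This is the window within which the jam signal must come back."""
    return MIN_FRAME_BITS / bitrate_bps * 1e6


def one_way_delay_us(cable_m, hub_count, hub_delay_us):
    """Station-to-station delay: cable propagation plus the repeater
    latency of every hub in the path (hub_delay_us is an assumed value)."""
    return cable_m / PROPAGATION_M_PER_US + hub_count * hub_delay_us


def collision_detectable(bitrate_bps, cable_m, hub_count, hub_delay_us):
    """True if the far station's bits and the resulting jam can make the
    round trip before the near station finishes its minimum frame."""
    round_trip = 2 * one_way_delay_us(cable_m, hub_count, hub_delay_us)
    return round_trip < slot_time_us(bitrate_bps)


def max_cable_m(bitrate_bps, hub_count, hub_delay_us):
    """The time diameter converted back to metres: the longest cable path
    that still fits the round trip inside the slot time. Returns 0 when
    the hubs alone already use up the whole budget."""
    budget_us = slot_time_us(bitrate_bps) / 2 - hub_count * hub_delay_us
    return max(0.0, budget_us * PROPAGATION_M_PER_US)


if __name__ == "__main__":
    # Same physical path (200 m of cable through two hubs) at 10 and 100 Mbps.
    for rate in (10e6, 100e6):
        print(f"{rate/1e6:.0f} Mbps: slot {slot_time_us(rate):.2f} us, "
              f"max cable with 2 hubs {max_cable_m(rate, 2, 1.0):.0f} m, "
              f"200 m path ok: {collision_detectable(rate, 200, 2, 1.0)}")
```

The same 200 m path through two hubs stays inside the window at 10 Mbps but not at 100 Mbps, which is the "cables get virtually longer" effect described above.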