1

I'm having a hard time figuring out why I can't capture the packets flowing between two devices, in both directions, using a self-made Ethernet tap, with copper cable, which looks just like this one:

[image: photo of the homemade Ethernet tap]

Both end devices (say, A and B) are connected to a switch. But since the sniffer (a regular laptop) only has one Ethernet port I can't perform the sniffing, like it is presented in most cases (e.g. Wireshark Example using Network Tap), where the traffic from TX and RX is received on a Sniffer with 2 interfaces.

So, in order to "solve" this issue, I just plugged the 2 (tap) connector ports into the ones on the switch and, finally, 1 port from the switch to the sniffer. I thought the packets would just be broadcast, but every time I plug the connectors into the switch the connection between A and B is interrupted (can't ping from A to B and vice versa). I made an illustration of the scenario:

[image: illustration of the scenario]

What kind of problem is the switch experiencing when I perform this connection? Is a commercial tap (those devices with 3 ports: A, B and a sniffing port) really necessary?

Any ideas?

PS: I don't want to use port mirror or a hub. I want a passive tap.

TheCleaner
  • 33,047

1 Answer

7

The problem you are experiencing is that the switch does not act like a hub. It only sends traffic down the link that it needs to go down, if it knows what that is (and it builds this information by watching and seeing which MAC addresses are on which port).

If you want to do this, you either need to connect your sniffer so that the traffic has to go through it, use a port mirror, or put the sniffer with one of the devices you're sniffing traffic for on a passive, non-switching hub. The only thing you can do which won't require additional hardware is port mirroring or cloning (which you should do if you can, because this is completely transparent to the devices under monitoring).

As it happens, the type of "commercial tap" you have described is effectively a hub.

Your tap doesn't work for a few reasons. The net effect it will have is that, assuming the switch sees the ports as being connected at all (which it may not, because it may attempt to detect polarity and discover that only one pair is connected to each port), traffic toward the switch will be doubled, and the switch will become confused as to which port the host you are trying to tap is actually on (and may try to send packets out the port with the host's transmit pair on it, despite the physical absence of its own transmit pair). There may also be some electrical consequences to this arrangement which might render the signals unintelligible to devices on either end.

Additionally, the traffic on the device's receive pair will be completely garbled by the switch. The switch will transmit broadcast packets down the wire twice, oblivious to the conflict this causes, and this is likely why you find connectivity ceases when you connect this.

Falcon Momot
  • 25,584
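The two effects the answer describes, a switch forwarding learned unicast traffic only to the port it was learned on, and the same source MAC showing up on two ports making the forwarding table flap, can be seen in a small learning-switch model. The code below is an added example, not part of the original question or answer; the MAC addresses, port names and the simplification that the homemade tap simply delivers a second copy of A's frames on a third port are constructed assumptions.

```python
"""Toy learning-switch model (constructed example, not from the original post).

Scenario 1: A on p1, B on p2, sniffer on a spare port p3. Once the switch has
learned A and B, their unicast frames never reach p3.

Scenario 2: the homemade tap puts A's transmit pair on a second switch port,
so every frame from A arrives twice (on p1 and p3). The switch keeps moving
its entry for A, and B's replies get sent to whichever port last "won".
"""
from collections import namedtuple

Frame = namedtuple("Frame", "src dst ingress")
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample MAC addresses
A = "02:00:00:00:00:0a"
B = "02:00:00:00:00:0b"


class LearningSwitch:
    """Minimal transparent bridge: learn source MAC per port, flood unknowns."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}   # MAC -> port it was last seen on
        self.flaps = []   # (mac, old_port, new_port) each time a known MAC moves

    def forward(self, frame):
        """Learn frame.src on its ingress port, return sorted egress port list."""
        old = self.table.get(frame.src)
        if old is not None and old != frame.ingress:
            self.flaps.append((frame.src, old, frame.ingress))
        self.table[frame.src] = frame.ingress

        if frame.dst == BROADCAST or frame.dst not in self.table:
            # Unknown or broadcast destination: flood to all ports but ingress
            return sorted(p for p in self.ports if p != frame.ingress)
        return [self.table[frame.dst]]


def run(frames, ports=("p1", "p2", "p3")):
    sw = LearningSwitch(ports)
    return [sw.forward(f) for f in frames], sw


def scenario_spare_port():
    """Sniffer on p3. Returns (per-frame egress lists, frames that reached p3)."""
    frames = [
        Frame(A, BROADCAST, "p1"),  # A's ARP request: B unknown, so flooded
        Frame(B, A, "p2"),          # B replies: A already learned on p1
        Frame(A, B, "p1"),          # ping A -> B: unicast to p2 only
        Frame(B, A, "p2"),          # reply B -> A: unicast to p1 only
    ]
    decisions, _ = run(frames)
    return decisions, sum(1 for d in decisions if "p3" in d)


def scenario_homemade_tap():
    """A's frames arrive on p1 and, via the tap, again on p3.

    Returns (per-frame egress lists, recorded table flaps).
    """
    frames = []
    for _ in range(2):
        frames.append(Frame(A, B, "p1"))  # original copy on A's real port
        frames.append(Frame(A, B, "p3"))  # duplicate copy through the tap
        frames.append(Frame(B, A, "p2"))  # B's reply
    decisions, sw = run(frames)
    return decisions, sw.flaps


if __name__ == "__main__":
    d, seen = scenario_spare_port()
    print("spare port: egress per frame", d, "| frames seen by sniffer:", seen)
    d, flaps = scenario_homemade_tap()
    print("homemade tap: egress per frame", d)
    print("table flaps for A:", flaps)
```

In the first scenario only the initial broadcast reaches the sniffer port; every later unicast frame is delivered to the learned port alone, which is why a sniffer on a spare port sees nothing useful. In the second scenario the entry for A bounces between p1 and p3 on every duplicated frame, and in this simplified model every one of B's replies is forwarded to p3, the port that only carries A's transmit pair, rather than to p1.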