Network Traffic Analysis with Network Taps: Tools and Techniques

By /

Listen to this Post

Featured Image
When troubleshooting network issues, having the right tools to capture and analyze traffic is essential. While Wireshark is the go-to tool for analysis, capturing traffic efficiently requires reliable methods—especially in environments where switch port mirroring isn’t available or practical. Network taps provide a seamless solution by passively copying traffic without disrupting network operations.

Types of Network Taps

1. Hakshop “Throwing Star”

  • URL: Throwing Star LAN Tap
  • Features:
  • Low-cost ($15, requires self-assembly).
  • No power or software needed.
  • Supports up to 100 Mbps.
  • Portable and ideal for field use.

2. ProfiTap “ProfiShark 1G”

  • URL: ProfiShark 1G
  • Features:
  • Gigabit-speed support.
  • USB-powered with Windows drivers for precise timestamps.
  • Provides physical layer diagnostics.

3. Indu-Sol PNMA-II (Permanent Tap)

  • URL: Indu-Sol PNMA-II
  • Features:
  • DIN-rail mountable for industrial use.
  • 24V power supply, industrial-grade Ethernet connectors.
  • Ideal for OT/ICS environments.

You Should Know: Practical Network Tap Usage

Capturing Traffic with Taps

1. Physical Setup:

  • Insert the tap between the target device and the network switch.
  • Connect your monitoring device (laptop running Wireshark) to the tap’s monitor port.

2. Wireshark Configuration:

  • Open Wireshark and select the correct interface.
  • Apply filters (e.g., `tcp.port == 502` for Modbus traffic in OT networks).

3. Advanced Capture Filters:

 Capture only HTTP traffic
tshark -i eth0 -f "tcp port 80" -w http_capture.pcap

Capture traffic between two specific IPs
tshark -i eth0 -f "host 192.168.1.1 and host 192.168.1.2"

4. Analyzing Traffic:

  • Use `tshark` for CLI-based analysis: 
    tshark -r capture.pcap -Y "http.request.method == GET"
  • Extract files from PCAP: 
    binwalk -e capture.pcap

Linux Networking Commands for Troubleshooting

  • Check Network Interfaces: 
    ip a
  • Monitor Real-Time Traffic: 
    tcpdump -i eth0 -nn -v
  • Test Connectivity: 
    ping -c 4 192.168.1.1
  • Route Inspection: 
    route -n

What Undercode Say

Network taps are indispensable for accurate traffic capture, especially in OT/ICS environments where downtime is costly. While software-based solutions like port mirroring exist, hardware taps provide reliability and precision. Always ensure proper placement (near PLCs or critical nodes) and use Wireshark filters to manage large captures efficiently.

Expected Output:

  • A clean PCAP file with only relevant traffic.
  • Minimal packet loss due to tap efficiency.
  • Accurate timestamps for forensic analysis.

For further reading:

References:

Reported By: Rob Hulsebos – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram

Related Posts: