Sign in to follow this  
Followers 0

How to Create and Install a Passive Ethernet Tap

Windows Intrusion Detection System - Companion Add-On Tutorial


Construction and Use of a Passive Ethernet Tap

Written by: Michael Peters - 2003


This tutorial is a simple to understand, step-by-step tutorial for building and deploying an Ethernet tap to an existing network.

Hardware Requirements

  • A single 4-port Ethernet housing such as the Versatap AT44 Surface Jack Housing from Allen Tel Products
  • 4 Category 5e modular snap-in jacks such as the AT55 Category 5e Modular Snap-In Jacks from Allen Tel Products
  • A small section, about 6 inches, of Category 5e cable


Figure 1 represents the AT55 Category 5e jack. The wire termination pin positions and associated wire color codes are also shown.


Figure 1: AT55 Category 5e Jack

This diagram is usually included with new Category 5e jacks from any other vendor.

Disassemble the section of Category 5e wire that you have into eight separate wires. These wires should have the same color codes as in Figure 1.

The next step should be to partially assemble the Ethernet housing with the four jacks. These should snap into position easily. Once mounted, begin wiring the first jack position using the solid orange wire. Use the next diagram as a guide. The wires can be inserted with a small screwdriver or some other small flat tool.

Once you have terminated all eight wires, trim off any excess wire that remains. Snap the housing closed, and you should now have a completed passive Ethernet tap (see Figure 2).


Figure 2: Passive Ethernet Tap

Instructions for Use

Place the passive Ethernet tap inline between a host machine and the Ethernet switch using the two outside positions labeled "HOST". Verify that the link status indicators on your host Ethernet interface and the Ethernet switch are connected again. You may now connect the Ethernet port of your sniffer or IDS sensor into the Tap A and/or Tap B connectors of the passive Ethernet tap.

Keep in mind that when you have a full-duplex Ethernet connection, Tap A will show half-duplex traffic and Tap B will show the remaining traffic. You will need to use two Ethernet interfaces to examine both halves of the full-duplex signal. If you use Sun Trunking software, the traffic can be reassembled. See for information on Sun Trunking software.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components

General problems

For general issues that pertain to this tutorial, left-click the support button at the top of this tutorial, or manually navigate to the correct support forum.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support:
Snort: Open Source Network IDS -