Build an Ethernet and RS-232 tap using the 5-in-1 cable
The Five-in-One Admin’s cable is a very handy cable. It was featured in the premiere edition of Make. The five-in-one cable is an Ethernet cable, a crossover Ethernet cable, a modem cable, a null modem cable, a serial/Ethernet loop-back cable, and a Cisco console cable. That’s a lot of functionality in just one cable. The elegant thing about this cable is that its components are dual use. For example, the cross-over cable doubles as a null-modem cable.
Recently, I’ve been working on projects that require an Ethernet tap and an RS232 tap. A tap is an in-line device which allows one to passively sniff a connection. Taps can be used to debug problems which would otherwise be tricky to debug. Taps also have applications in security monitoring systems like Snort. I could have bought an RS232 tap and an Ethernet tap, but after looking over the circuit diagrams I noticed something. The circuit diagrams for the Passive Ethernet Tap and the Full duplex RS232 sniffer cable are very similar. In fact, the only difference between the two cables is that the handshake signals on the RS232 sniffer cable have been looped back.
So in the spirit of the 5-in-1 cable, I built a system of connectors to allow me to tap both Ethernet and serial communications (not at the same time, of course).
The construction wasn’t too hard. Basically I just built the five-in-one cable described here. Then I built the Passive Ethernet Tap described here. The only thing left to do was to build two of my own custom loopback cables.
Here’s how to make your own:
DB9 to RJ45 adapters
First build the 5-in-1 cable. However, instead of building two DB9 to RJ45 adapters you’ll need to build four. You should probably also buy an RS232 gender changer.
So you’ll need four female adapters, and one male-male gender changer.
Wire the adapters as instructed in step four of the 5-in-1 construction guide.
Passive Ethernet Tap
Next build the Passive Ethernet Tap, following the instructions on this page. You’ll need a four-port enclosure such as this one (or, if you’re picky about colors, this one). You’ll also need four Cat5 modular snap-in jacks. You should end up with something that looks like this:
RS232 Handshake loop-back cables
Now, in order to use the Ethernet tap to tap a serial link, you should build two custom connectors. I found that I could sniff many connections without these connectors. However, some programs will block unless the handshake signals are looped back. If you’ve made it this far, you’ve already learned how to use a cable crimper to make short cables.
Pins 1, 2, 3, and 6 are connected straight through.
Loop pins 4 and 7 on the sniffing side.
Also loop pins 8 and 5 on the sniffing side.
This diagram should help:
Use two short spare wires and an RJ45 connector to connect pins 4 and 7 and to connect pins 8 and 5.
Next clip the end off of a standard Ethernet cable.
You only need pins 1, 2, 3, and 6. Cut the extra wires off of the cable. It’s a tight fit inside the RJ45 connector, so you’ll need the extra room. Insert the wires into pins 1, 2, 3, and 6 of the RJ45 connector.
Crimp the connector. You should end up with something like this:
It also helps to mark the sniffing end with a marker. The “sniffing end” should be inserted into the machine which will sniff the connection.
You’ll need two of these cables. Repeat the above steps and make a second RS232 handshake cable.
Using the Serial tap
Serial and network taps capture full-duplex traffic, but each tap port can only monitor one direction of traffic. One tap port monitors the traffic from point A to B while the other tap port monitors the traffic from B to A. Sometimes tapping just one side of the communication is enough. However, in order to view the full capture you’ll need to capture traffic from both ports and combine the traffic using software. The Network Security Toolkit contains a program called monitor_serial that is capable of merging data captured from two serial taps. In the case of Ethernet traffic, a tool called mergecap works well. Mergecap comes bundled with Wireshark (and Ethereal).
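To show what "combine the traffic using software" involves for the serial case, here is an added example that is not part of the original post and is not how monitor_serial is implemented. It assumes each tap port has already been recorded as a list of (timestamp, bytes) reads; the function names, the `gap` parameter and the sample AT-command exchange are all constructed for illustration.

```python
import heapq

# Constructed sample captures, one per tap port: (seconds since start, bytes read).
# Assumption: both ports were read on the same sniffing host, so the clocks match.
PORT_A = [(0.000, b"AT"), (0.010, b"Z\r"), (1.200, b"ATD555"), (1.215, b"0100\r")]
PORT_B = [(0.120, b"\r\nOK\r\n"), (3.900, b"\r\nCONNECT 9600\r\n")]


def merge_directions(a_to_b, b_to_a, gap=0.05):
    """Interleave two one-way captures into one chronological conversation.

    Each input must be sorted by timestamp, as a live capture is. Reads in the
    same direction that arrive within `gap` seconds of each other are joined,
    so a message split across several reads appears as a single entry.
    Returns a list of (first_timestamp, direction, data) tuples.
    """
    def tag(records, label):
        return ((ts, label, data) for ts, data in records)

    chunks = []  # each entry: [first_ts, direction, buffer, last_ts]
    stream = heapq.merge(tag(a_to_b, "A->B"), tag(b_to_a, "B->A"),
                         key=lambda rec: rec[0])
    for ts, label, data in stream:
        last = chunks[-1] if chunks else None
        if last and last[1] == label and ts - last[3] <= gap:
            last[2] += data      # same direction, close in time: extend the entry
            last[3] = ts
        else:
            chunks.append([ts, label, bytearray(data), ts])
    return [(first, label, bytes(buf)) for first, label, buf, _ in chunks]


def render(conversation):
    """Format the merged conversation as one line per message."""
    return "\n".join(f"{ts:9.3f}  {label}  {data!r}"
                     for ts, label, data in conversation)


if __name__ == "__main__":
    print(render(merge_directions(PORT_A, PORT_B)))
```

The timestamps record when the sniffing machine read the bytes, not when they were on the wire, so the ordering of near-simultaneous traffic in opposite directions is only as accurate as the read latency on each port.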
