Network Visibility TAP Deployment
Overview
Deploy passive network TAP (Test Access Point) for non-intrusive traffic monitoring, packet capture, and security analysis without impacting production traffic.
Hardware Selection
Dualcomm ETAP-2003
| Specification | Value |
|---|---|
| Type | Passive Ethernet TAP (no power required) |
| Speed | 10/100/1000 Mbps |
| Ports | 1x Network A, 1x Network B, 2x Monitor (A→B, B→A) |
| Cable Type | RJ-45 Cat5e/Cat6 |
| Latency | Zero (passive copper connection) |
| Power | None (fully passive) |
| Form Factor | Inline device |
| MSRP | ~$250-300 |
Why Passive TAP
| Benefit | Explanation |
|---|---|
| Zero latency | Copper-to-copper connection, no processing delay |
| No single point of failure | Traffic flows even if TAP is removed (fail-open) |
| Full duplex capture | Separate monitor ports for each direction |
| Protocol agnostic | Works with any Ethernet traffic |
| Tamper evident | Physical device, can't be compromised remotely |
| Air-gapped monitoring | Monitor ports are receive-only (no injection) |
Architecture
Deployment Position
```text
                                         ┌─────────────┐
                                         │  Security   │
                                         │  Appliance  │
                                         │   (Wazuh)   │
                                         └──────┬──────┘
                                                │ Monitor A→B
┌──────────┐      ┌────────────┐      ┌─────────┴─────────┐      ┌──────────┐
│ pfSense  │──────│ ETAP-2003  │──────│     c9300-01      │──────│ Internal │
│ Firewall │      │   (TAP)    │      │    Core Switch    │      │ Networks │
└──────────┘      └────────────┘      └───────────────────┘      └──────────┘
  Network A            TAP                  Network B
```
Monitor Ports:
- A→B: Traffic from pfSense to switch (ingress)
- B→A: Traffic from switch to pfSense (egress)
Recommended Placement
| Position | Monitors | Use Case |
|---|---|---|
| Firewall ↔ Core Switch | All inter-VLAN and WAN traffic | Primary - Security monitoring, IDS |
| Core ↔ ISE | RADIUS, TACACS+, profiling | 802.1X troubleshooting |
| Core ↔ Server VLAN | East-west server traffic | Application security |
| WAN ↔ Firewall | Raw internet traffic | DDoS detection (dangerous - high volume) |
Phases
Phase 1: Hardware Acquisition
- Purchase Dualcomm ETAP-2003
- Verify cables: 2x Cat6 (network), 2x Cat6 (monitor)
- Identify monitoring workstation/server
Phase 2: Monitor Station Setup
- Configure NIC for promiscuous mode
- Install capture tools:

```bash
# Rocky Linux / RHEL (wireshark-cli provides tshark)
sudo dnf install -y tcpdump wireshark-cli
# Confirm the monitor NIC is present; the PROMISC flag is only listed once promiscuous mode is enabled below
ip link show eth1
```

- Configure NIC to accept all frames:

```bash
sudo ip link set eth1 promisc on
# Verify
ip link show eth1 | awk '/PROMISC/{print "OK: Promiscuous enabled"}'
```
Phase 3: TAP Installation (Maintenance Window)
> TAP installation requires a brief network interruption (~30 seconds). Schedule during a maintenance window.

- Power down monitoring workstation NIC
- Disconnect cable between firewall and core switch
- Insert TAP:
  - Network A port → pfSense
  - Network B port → Core switch
- Connect monitor cables:
  - Monitor A→B → Monitoring workstation NIC 1
  - Monitor B→A → Monitoring workstation NIC 2
- Verify traffic flow:

```bash
# Should see packets immediately
sudo tcpdump -i eth1 -c 10 -nn
```
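The Phase 2 and Phase 3 steps above, combined into one bring-up and verification script. This is an added example for this page, not a script from the original document or from Dualcomm. It assumes the two monitor NICs are `eth1` (Monitor A→B) and `eth2` (Monitor B→A), that `ethtool` and GNU `timeout` are installed, and that it runs as root. Its main check is that both monitor ports deliver frames: a passive TAP with one quiet direction almost always means a monitor cable is in the wrong NIC or the wrong monitor port.

```shell
#!/bin/sh
# Monitor-station bring-up and two-direction traffic check for a passive TAP.
# Added example for this page, not part of the original document. Interface
# names (eth1 = Monitor A->B, eth2 = Monitor B->A) are assumptions; pass your own.
set -eu

# Return 0 if the flag named in $2 appears in the <...> flag list of an
# `ip link show` line given in $1 (e.g. PROMISC, UP, LOWER_UP).
has_flag() {
    flags=$(printf '%s\n' "$1" | sed -n 's/.*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,"$2",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Parse the "N packets captured" summary tcpdump prints on stderr; print N (0 if absent).
captured_count() {
    printf '%s\n' "$1" | awk '/packets captured/ && !found { print $1; found = 1 } END { if (!found) print 0 }'
}

# Put a monitor-port NIC into capture mode: up, promiscuous, and with receive
# offloads disabled so recorded frames match what is on the wire (GRO/LRO would
# merge segments and hide real packet boundaries).
enable_monitor_iface() {
    iface=$1
    ip link set "$iface" up
    ip link set "$iface" promisc on
    ethtool -K "$iface" gro off lro off 2>/dev/null || true   # ethtool assumed present; best effort
    if ! has_flag "$(ip link show "$iface")" PROMISC; then
        echo "ERROR: $iface did not enter promiscuous mode" >&2
        return 1
    fi
    echo "$iface: up, promiscuous"
}

# Capture up to 10 frames on $1 within $3 seconds and report the count under label $2.
# Returns 1 when the port delivered nothing in that window.
sample_direction() {
    iface=$1; label=$2; wait_secs=$3
    summary=$(timeout "$wait_secs" tcpdump -i "$iface" -nn -c 10 -w /dev/null 2>&1 || true)
    n=$(captured_count "$summary")
    echo "$label on $iface: $n frames"
    [ "$n" -gt 0 ]
}

main() {
    a_to_b=$1; b_to_a=$2; wait_secs=${3:-15}
    enable_monitor_iface "$a_to_b"
    enable_monitor_iface "$b_to_a"
    failed=0
    sample_direction "$a_to_b" "Monitor A->B (pfSense -> core switch)" "$wait_secs" || failed=1
    sample_direction "$b_to_a" "Monitor B->A (core switch -> pfSense)" "$wait_secs" || failed=1
    if [ "$failed" -ne 0 ]; then
        echo "A monitor port delivered no frames: check that each monitor cable is in the NIC" \
             "named for it and that the pfSense-to-switch link is carrying traffic." >&2
        return 1
    fi
    echo "Both directions deliver frames; monitor station is ready."
}

# With fewer than two arguments the script only defines its functions (so it can be sourced).
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it as `sudo ./tap-check.sh eth1 eth2` right after the monitor cables are connected in Phase 3; the optional third argument is how many seconds to wait for frames on each port before declaring that direction dead.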
Capture Commands
Basic Capture

```bash
# Capture all traffic on monitor port
sudo tcpdump -i eth1 -w /tmp/capture-$(date +%Y%m%d-%H%M%S).pcap
# Capture with size-based rotation (100 MB files, keep 10: capture.pcap0 ... capture.pcap9).
# strftime patterns in -w are only expanded with time-based rotation (-G), so use a fixed name here.
sudo tcpdump -i eth1 -C 100 -W 10 -w /tmp/capture.pcap
```
Filtered Capture

```bash
# Only HTTP/HTTPS
sudo tcpdump -i eth1 -w /tmp/web.pcap 'port 80 or port 443'
# Only RADIUS (ISE authentication)
sudo tcpdump -i eth1 -w /tmp/radius.pcap 'port 1812 or port 1813'
# Only DNS
sudo tcpdump -i eth1 -w /tmp/dns.pcap 'port 53'
# Specific host
sudo tcpdump -i eth1 -w /tmp/host.pcap 'host {ise-01-ip}'
```
Verification
Security Considerations
| Consideration | Mitigation |
|---|---|
| Physical access | TAP is physical device; secure server room |
| Monitor port injection | TAP monitor ports are receive-only by design |
| Captured credentials | Encrypt pcap storage, restrict access |
| Storage exhaustion | Implement rotation and retention policies |
| Legal/compliance | Document authorization for packet capture |
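A long-running capture that puts the Basic Capture rotation together with the "Captured credentials" and "Storage exhaustion" mitigations from the table above: time-based rotation, compression of finished files, a retention count, and capture files readable only by the capture account. This is an added example for this page, not part of the original document; the capture directory, the `tcpdump` service account (created by the RHEL `tcpdump` package, assumed here), and the file naming are assumptions. Encrypting the pcap store itself is left to the filesystem (for example a LUKS volume mounted at the capture directory).

```shell
#!/bin/sh
# Long-running capture on one TAP monitor port with time-based rotation,
# compression, retention, and files readable only by the capture account.
# Added example for this page, not part of the original document. The capture
# directory, the `tcpdump` service account, and the file naming are assumptions.
set -eu

CAPTURE_USER=${CAPTURE_USER:-tcpdump}   # assumed unprivileged account; -Z drops to it once the socket is open

# Create the capture directory so that only the capture account can enter it.
prepare_capture_dir() {
    mkdir -p "$1"
    chmod 0700 "$1"
    chown "$CAPTURE_USER:$CAPTURE_USER" "$1"
}

# Return 0 when neither group nor others have any permission on the directory.
dir_is_private() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Print the number of compressed capture files in a directory.
count_captures() {
    ls -1 "$1"/*.pcap.gz 2>/dev/null | wc -l | tr -d ' '
}

# Delete all but the newest $2 compressed captures in $1, then print how many remain.
prune_captures() {
    dir=$1; keep=$2
    ls -1t "$dir"/*.pcap.gz 2>/dev/null | awk -v keep="$keep" 'NR > keep' | while IFS= read -r f; do
        rm -f -- "$f"
    done
    count_captures "$dir"
}

# Capture on monitor port $1 into directory $2 with name prefix $3, starting a new
# file every $4 seconds. tcpdump gzips each finished file (-z gzip) and drops root
# (-Z) before it creates the savefile, so the directory must belong to the capture
# account. An optional BPF filter may follow as the fifth argument.
capture_port() {
    iface=$1; dir=$2; label=$3; rotate_secs=$4; filter=${5:-}
    prepare_capture_dir "$dir"
    umask 077                       # new capture files are 0600; gzip preserves the mode
    exec tcpdump -i "$iface" -nn -s 0 -Z "$CAPTURE_USER" \
        -G "$rotate_secs" -w "$dir/$label-%Y%m%d-%H%M%S.pcap" -z gzip $filter
}

case "${1:-}" in
    capture) shift; capture_port "$@" ;;
    prune)   shift; prune_captures "$@" ;;
    *) ;;   # no subcommand: only define the functions (lets the file be sourced)
esac
```

Start one instance per monitor port, for example `sudo ./pcap-rotate.sh capture eth1 /var/pcap a2b 3600 'port 1812 or port 1813'` for hourly RADIUS files from the A→B side, and run `./pcap-rotate.sh prune /var/pcap 48` from cron as the capture account to keep the newest 48 files (two days at hourly rotation). Rotation by `-G` rather than `-C` is what makes the `%Y%m%d-%H%M%S` names in the file pattern expand.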