Dangerous Prototypes

Other projects => Open Bench Logic Sniffer => Topic started by: zizmo on August 16, 2011, 04:59:00 pm

Title: Capture Ethernet Packages
Post by: zizmo on August 16, 2011, 04:59:00 pm
Hello, Do you think it could be possible to use the Open Bench Logic Sniffer to capture ethernet packages if the input pins were connected to two external daughter boards with the required ethernet PHYs and MAC and then load the correct IP Core to the FPGA? Which do you think would be the extra requirements to be able to do this?
I'm more interested in industrial protocols like real time ProfiNet communication.
Thanks!
Title: Re: Capture Ethernet Packages
Post by: sqkybeaver on August 16, 2011, 05:38:34 pm
some managed switches have the capability to clone ports, this can be used to transparently capture packets.

the mac can be implemented in fpga (check out opencores) you will need a large amount of ram or a fast connection to a computer to reliably capture packets.

if you want to build something yourself look for an fpga dev board with 2 or 3 Ethernet and some fast sram.
Title: Re: Capture Ethernet Packages
Post by: tayken on August 16, 2011, 05:53:11 pm
You might be able to get 10Mbit packets but my guess is you're better off sniffing the traffic with a hub connected in series and Wireshark (or tcpdump) running on a laptop. You can do a bunch of different analysis stuff with this setup. The microcontroller creates a choke point for transferring even slower traffic, this is my concern about using OLS.
Title: Re: Capture Ethernet Packages
Post by: arhi on August 16, 2011, 08:05:18 pm
Use a HUB + sniffer :D

btw if you can't find a hub anywhere (too weird but they started to be hard to find past few years) use some el cheapo switch and overload it - (on some port start sending huge amount of traffic) and if it is cheap enough it will switch into HUB mode (when you send too much traffic the cpu on the switch is incapable of parsing all traffic and sorting it to its proper port so the cpu dumps the routing table and switches to hub mode sending all packages on all ports)... then just attach to a free connector with a sniffer (sniffit, wireshark or any of the million sniffers out there)
Title: Re: Capture Ethernet Packages
Post by: honken on August 16, 2011, 09:37:47 pm
Or you could try to get hold of a http://greatscottgadgets.com/throwingstar/, they are awesome.

Only bad thing is you need two ethernet ports for sniffing.
Title: Re: Capture Ethernet Packages
Post by: tempmj on August 16, 2011, 10:34:19 pm
For what it's worth, I use a Cisco SLM2008 switch that is 10/100/1000 and managed. It's a small 8 port switch that runs about $120 online. It sounds like a lot, but for what you're getting (10/100/1000 managed switch that supports port security, vlans, mirroring, lag groups, jumbo packets, PoE (to power it, not for it to power other things (unfortunately)), etc) it's a great deal. Not to mention it won't degrade the network connection like a passive tap or hub may. I'm a network engineer, so I ALWAYS keep it in my bag for port sniffing or using it to allow a gig-only device to talk to a 10/100 device temporarily.

I also second WireShark for the analyzing software.  It rocks!
Title: Re: Capture Ethernet Packages
Post by: tempmj on August 16, 2011, 10:46:18 pm
[quote author="honken"]Or you could try to get hold of a http://greatscottgadgets.com/throwingstar/, they are awesome.

Only bad thing is you need two ethernet ports for sniffing.[/quote]


Appears to be very similar in concept to my passive ethernet tap I made years ago.

I basically took 4 Panduit brand modular ethernet jacks and wired between two of them normally, other than the fact that the TX pairs from "Side A" looped through an extra jack and the TX pairs from "Side B" looped through the remaining jack. On the two tap jacks (the extra jacks) that created, it was the TX pair that I hooked it to (so the RX on my laptop would see the traffic). To protect it I encased it in a LOT of hot glue :P

Title: Re: Capture Ethernet Packages
Post by: zizmo on August 17, 2011, 11:17:37 pm
Hello, thank you all very much for your answers and suggestions!
The thing is, I already know how standard sniffing works (HUB+laptop+wireshark) but I'm looking at the possibility of doing the capturing with the fpga and maybe eventually do some internal simple package analysis. My idea is to use an external board with dual PHYs and connect it to the fpga board. The fpga would contain the MAC and some IP core for ethernet. The packages would enter the fpga, be duplicated and saved in memory and then just passed through.
I have never done anything like this and I'm not sure if it even makes sense, but the idea is to have a more portable kind of tap.
Right now I'm just looking at the hardware possibilities and that is why I was asking if this board could be able to handle this and what other hardware I would need attached to it (i.e. more memory, buffers, etc).
Title: Re: Capture Ethernet Packages
Post by: arhi on August 18, 2011, 01:07:19 am
[quote author="zizmo"]Right now I'm just looking at the hardware possibilities and that is why I was asking if this board could be able to handle this and what other hardware I would need attached to it (i.e. more memory, buffers, etc).[/quote]

it is possible but not feasible. You can purchase a laptop for 100$ and HUB for 10$ and there's no way you can make a fpga based device that will get the job done for that amount of money. If you want to sniff 10/100M you could in theory use one of the low side fpga's (for e.g. spartan 3) but even then there's not a lot of room for parsing the packets with any "customizable" rules. You could make a design that will recognize one type of packages and that's about it .. Of course you could go with higher end chips (spartan 6 for e.g.) that could easily fetch and parse gbit ethernet, the only problem is the price. These chips are BGA, you need a multilayer board to handle them (I've never seen spartan 6 on less than an 8-layer board, usually 12 layers or more), they are not cheap, yield of assembling those at home is going to be not very nice and all in all it's not gonna be a cheap project. On the other hand a laptop + hub (or passive intercept, managed switch etc etc) can be packed together for peanuts, you almost always have your laptop with you anyhow if you are doing any diagnostic and conformity of the desktop app (like wireshark) ....
Title: Re: Capture Ethernet Packages
Post by: Sjaak on August 23, 2011, 11:54:37 am
[s:]I saw a similar design in throwing star design here: http://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html

it has some passives added to disable gigabit.[/s:] Nevermind

Microchip has some pic32 chip that has a 100/10 RMII interface on them together with lots of flash and SRAM memory. The ethernet shares some memory with the cpu, so I guess it should be doable to capture the headers of IP frames and store them timely. You still need a switch with port mirror capabilities though.
Title: Re: Capture Ethernet Packages
Post by: orcinus on August 23, 2011, 03:50:14 pm
That tap reminded me of this one:
http://greatscottgadgets.com/throwingstar/

The 1000BASE-T trick with the capacitors is pretty neat :)
Title: Re: Capture Ethernet Packages
Post by: jack.gassett on August 23, 2011, 10:31:17 pm
Hello Zizmo,

I'm coming in late to this conversation but thought I'd chime in.

Before I started designing Open Source hardware I was a Network Engineer and was actually looking at making a networking tool before I worked on the OpenBench Logic Sniffer. Our primary goal was not packet sniffing, we wanted more of a battery powered device that could be used for various useful things. Like load up image files on a sd card, plug it into your network segment and have it serve up tftp to isolated routers. Or a target for logging that you could drop in a network segment to avoid poking holes through firewalls. It's been years since I thought about networking though and I don't remember half the things we wanted to do with it.

We were originally looking at using a Freescale MCF52233 chip which has integrated Ethernet and a nice TCP/IP stack. The project never went anywhere beyond some prototypes. Personally I think it would be possible to do what you want with an FPGA but I'm not sure it would be an easy task to do packet sniffing... General TCP tasks like tftp and such would not be too hard using Microblaze. But packet sniffing would take more work.

If you really want to pursue this I have some things that could help you out. I have an RMII Ethernet Wing design that you are welcome to, it is open source but I have just not had the time to test it out yet. It implements a ksz8041nl PHY that is capable of Fast ethernet speeds. You would probably have to build the boards yourself but it could give you a leg up to test out your ideas.

Arhi is correct in that it would be a difficult task, but the Spartan 6 landscape has changed a bit recently, there used to be only BGA options but since Xilinx released the Spartan 6 LX line there are now LQFP options for Spartan 6. In fact I have two new Papilio boards designed and currently being tested for the Spartan 6 LX chips. :)

Hope this helps,
Jack.
Title: Re: Capture Ethernet Packages
Post by: AutomaticLogic on August 26, 2011, 01:10:06 am
Hi,

I thought I might add for anyone interested:

We've had an interesting solution for many years (since 2006) - a system of  quad-MCU units with four transparent (no MAC or IP address) 10/100 connections consuming 1 watt or less (expandable to at least 128 MCUs and 128 10/100 connections).  These boxes can be controlled by a 'control box' for all kinds of purposes.

For example, one can transparently 'tap' an incoming connection (straight off of a DSL/cable modem/FRAD, etc.).  The boxes pass the traffic with zero overhead/delay (actually, we've seen enhancements in throughput when our hardware is in place due to MTU-'massaging' and proper PCF behaviour injected into the traffic).  Whilst passing the traffic, all packets (or a selection of them) are passed to another backend system to be stored/analysed/manipulated.  Of course, the manipulation can take place 'inline' and the resulting modified packet can be passed on.  An interesting probable feature popped up - scanning/manipulating VOIP data.  There's no problem with getting bogged down - all these MCUs work in parallel and can be expanded into a rather large mesh, as well as spewing the data into (a) multi-core PC(s) with a customised OS that only deals with this application...

If there's any interest, please speak up.

---AutomaticLogic
Title: Re: Capture Ethernet Packages
Post by: arhi on August 26, 2011, 05:41:34 am
It is an interesting project, I would for sure be interested to read more about it :)
