29 June 2006

RS-232 Sneaky Snooper

Have you ever had two devices that communicate through a serial connection (RS232, not USB!), and you want to know what they're saying to one another? For instance, suppose you've got some kind of peripheral that connects to a PC through a COM port, and there's some special user interface (UI) software that you run on the PC that knows how to talk to the device. But now, because you like hacking things, you want to write your own program to talk to the device. The only problem is, there's no manual that defines what the message structure is.

Usually you can work out the baud rate, parity, stop bits, etc. by connecting a good freeware terminal program like TeraTerm to the PC running the UI software, in place of the device, and then trying different settings in the terminal program until you get something that looks right. But more often than not, the UI will choke when it doesn't get the expected responses - and how could it, from a terminal program? Once you've got the right serial settings, you can turn the terminal program around and connect it to the device, and start guessing commands. Sometimes a capture of what the UI was sending will help here, but often you just won't be able to enter the right stuff fast enough.

This is where this project comes in. Wouldn't it be easier to see how the UI and the device talk, if you could just watch both sides? The following circuit will let a 3rd computer, running your terminal program, eavesdrop on the connection and capture the entire interchange to a log file that you can then pick apart at your leisure.

I know this works because I built and used this today, capturing a complex interchange between a GUI and a device that involved several message trades for each button clicked, over a 38400 N81 connection.



How It Works

Basically, the RS-232 transmitters idle at something like -9 to -12 Volts, called the 'mark' level. Whenever one of the devices transmits data, its Tx line toggles between this mark level and the +9 to +12 volt 'space' level, then comes to rest back at the mark level. The trick is to get the Rx line of the eavesdrop computer to go to the space level whenever either (or both) of the other two do.

Here, the Tx line of the eavesdropping computer is used as a supply of negative voltage for what amounts to an old-fashioned resistor-diode logic 'OR' gate. When everything was idle, all my Tx lines were at about -11V. Now, assume that the first computer sends a byte. Every time its Tx line goes positive, the diode associated with that line becomes forward biased and conducts, with the current limited to something near 2mA by the 47K resistor. The other side's diode will be reverse biased, preventing the signal from looping back to the sending device's Rx. The 2mA current through the resistor presents the eavesdrop computer's Rx line with nearly the full space level from the first computer; in my case, around +10.4V, well within spec for a 232 space. Similarly, if the second computer sends, the eavesdrop computer sees that data as well, with the roles of the diodes reversed.

One thing this circuit cannot do, however, is listen in if (or when!) both sides talk at the same time; the signals will mush together and the eavesdrop computer will decode the result as garbage. But as long as the first two take turns sending messages, everything works fine.
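As an added example (not part of the original post, which simply logs from a terminal program), here is a small Python logger for the tap above: because the diode-OR delivers both directions on one Rx line, the only way to tell a command from its reply is the idle gap between bytes, so the code timestamps each byte at 38400 N81 and splits the capture into frames wherever the line sits idle for more than a few byte-times. The `capture()` helper assumes pyserial is installed and that you supply the COM port name; `SAMPLE` is constructed data, not a real capture.

```python
from dataclasses import dataclass

BAUD = 38400
BITS_PER_CHAR = 10                  # N81: 1 start + 8 data + 1 stop bit
CHAR_TIME_S = BITS_PER_CHAR / BAUD  # about 260 us per byte at 38400 N81

@dataclass
class Frame:
    start: float   # timestamp (seconds) of the frame's first byte
    data: bytes

def split_frames(samples, gap_chars=4.0):
    # The diode-OR tap merges both directions onto one Rx line, so the only
    # clue to where a command ends and its reply begins is the idle gap between
    # bytes: more than gap_chars byte-times of silence starts a new frame.
    # Direction is not recoverable from this tap; a frame is 'whoever spoke'.
    threshold = gap_chars * CHAR_TIME_S
    frames, cur, start, last = [], bytearray(), None, None
    for ts, b in samples:
        if cur and ts - last > threshold:
            frames.append(Frame(start, bytes(cur)))
            cur, start = bytearray(), None
        if start is None:
            start = ts
        cur.append(b)
        last = ts
    if cur:
        frames.append(Frame(start, bytes(cur)))
    return frames

def format_log(frames):
    """One line per frame: start time, hex bytes, printable view."""
    return "\n".join(f"{f.start:9.6f}s  " + " ".join(f"{b:02x}" for b in f.data)
                     + f"  {f.data!r}" for f in frames)

# Constructed sample, not a real capture: a 3-byte command at t=0, then a
# 2-byte reply about 2 ms later (bytes within one message ~260 us apart).
SAMPLE = [(0.00000, 0x02), (0.00026, 0x41), (0.00052, 0x03),
          (0.00250, 0x06), (0.00276, 0x0D)]

def capture(port, seconds, baud=BAUD):
    """Live (timestamp, byte) samples via pyserial (assumed installed; 8N1 default)."""
    import time, serial
    samples, end = [], time.monotonic() + seconds
    with serial.Serial(port, baud, timeout=0) as s:
        while time.monotonic() < end:
            chunk = s.read(1)
            if chunk:
                samples.append((time.monotonic(), chunk[0]))
    return samples
```

Raise `gap_chars` if the two devices answer each other within four byte-times; a collision (both sides talking at once) still arrives as garbage, as the post says, and no amount of gap tuning will separate it.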
