Garland Technology ensures complete packet visibility by delivering a full platform of network TAP (test access point), inline bypass and packet broker products.
Garland Technology is committed to educating the benefits of having a strong foundation of network visibility and access. By providing this insight we protect the security of data across your network and beyond.
Garland Technology's resource library offers free use of white papers, eBooks, use cases, infographics, data sheets, video demos and more.
The TAP into Technology blog provides the latest news and insights on network access and visibility, including: network security, network monitoring and appliance connectivity and guest blogs from Industry experts and technology partners
Our extensive technology partnership ecosystem solves critical problems when it comes to network security, monitoring, application analysis, forensics and packet inspection.
Garland Technology is dedicated to high standards in quality and reliability, while delivering the greatest economical solutions for enterprise, service providers, and government agencies worldwide.
For years now we all have read about the difference between data capture off a span/mirror port and a network TAP.
Packet Pioneer, Chris Greer was interested to see the difference between a data stream captured on a network TAP versus a SPAN port. So he set up a test with a few PCs, a TAP, a SPAN port, a couple of hardware network analyzers, and a healthy stream of data.
Packet Pioneer connected two PCs to a basic Cisco Catalyst Switch at 100Mbps. A throughput test using iPerf was configured and run between the two machines. On one of the PCs, he placed a 100Mbps TAP, and placed a hardware analyzer on it to capture. Lastly, he configured a SPAN on the switch to forward all traffic to and from this port to another hardware analyzer.
Below is a basic drawing of the setup.
The throughput test finished with a result of 93.1Mbps sustained for 10 seconds between the two PCs.
|TAP vs SPAN||Packets captured||Delta Time at TCP Setup|
|TAP Capture Results||133,126||243uSec|
|SPAN Capture Results||125,221||221 uSec|
The SPAN data capture showed almost 8,000 packets missing from the trace. This represents almost 8% of the total packets captured by the analyzer on the network TAP. We should also point out that this was on a 100Mbps interface, not a Gigabit interface, and there were no errored frames. The switch bus was not in a near overloaded state.
Also, the difference in the timing between the TCP SYN and SYN ACK in the two traces shows us that the switch is not treating both the SPAN and Destination ports the same. In fact, it was forwarding traffic to the SPAN port faster than the true destination. While the difference is only 21 uSec, it shows that the switch is affected when SPAN is enabled. It is not as seamless as it would appear, and this delay was under no load test. With the switch loaded with traffic, the losses and timing will show greater differential and also dropped packets.
Considering the results of their test, Chris Greer, a network analyst at Packet Pioneer, said, “I am now a full believer in using a real [network] TAP whenever possible, especially when timing and total view of the data is important!”
Looking to add a visibility solution to your next deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do!
Chris focuses on assisting IT professionals in resolving the root cause of network and application performance problems. This is primarily done through use of a protocol analyzer reading and interpreting trace files. Additionally, I teach courses in network analysis and troubleshooting, Wireshark, and several vendor analysis products. Chris supports clients in several regions of the USA, Latin America, and Caribbean.