<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2975524&amp;fmt=gif">
BLOG

Understanding the Basics of Packet Data Acquisition

July 11, 2019

Packets are an essential source of data for network performance management (NPM) tools. They are the foundation of data truth that all network monitoring and security tools rely upon for analytics, forensics, threat detection, and performance monitoring. In order to be able to fully trust the reporting and results of your tools, you have to have full confidence in their data source; the packets.

 

EMA (Enterprise Management Associates) research has found that enterprises have greater success in applying NPM tools to performance monitoring and cloud application migration assessments when they use packets for those use cases. Packets are an essential component to forensic security analysis and real-time incident detection. In essence, without full and complete packets, it’s very hard to gain a full understanding as to what’s happening in the network. 

 

The Basics of Packet Acquisition


Once you’ve determined that packets are the source of data you’re looking to get from a network link to send to tools for analysis, your next question to answer is, ‘How am I going to get those packets?’

Well your answer is simple. Either you use Network TAPs or SPAN (mirror) Ports. 

Network TAPs, or test access points, are the most popular approach and best to mirroring traffic and sending it to NPM tools, with 50% of respondents in a recent EMA survey using TAPs as their packet acquisition method. TAPs are purpose-built, hardware devices that are physically connected to a network port via a fiber or copper cable. TAPs can take the workload of mirroring traffic off of your switch or router, alleviating the burden and ensuring performance isn’t degraded.

Download: TAP vs SPAN [Free whitepaper]


Using SPAN ports as your data acquisition method may seem simple at first, since you are configuring ports on a switch or router to act as a Switched Port Analyzer (SPAN). But that one choice can lead to problems later on. Many switches and routers can produce bad data when mirroring traffic from the SPAN port.  This is in addition to dealing with oversubscription and a reduction in overall performance of the switch when traffic levels increase. These problems all occur because the switch was not originally designed for this use. 

Not convinced yet?

Check out these other reasons why you don’t want to rely on SPAN ports:

  • Duplicate data packets can reduce the efficiency of your NPM tools
  • Missing data is not forwarded to NPM tools, which makes real-time monitoring and analysis difficult
  • They can lead to network blind spots depending on how the SPAN ports were initially set up.
  • User error - they require manual configuration, rather than a plug and play design.
  • Legal regulations - Timestamps are modified, leading to data being challenged in court when used for lawful intercept.


If you’re looking for true visibility and accuracy of your data packets, then Network TAPs are the clear choice to use as the foundation of your network visibility strategy. Starting with TAPs instead of SPAN ports ensures that your NPM tools will work efficiently and effectively.

Looking to add a visibility solution to your next deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do!

New call-to-action

See Everything. Secure Everything.

Contact us now to secure and optimized your network operations
Contact Us

Heartbeats Packets Inside the Bypass TAP

If the inline security tool goes off-line, the TAP will bypass the tool and automatically keep the link flowing. The Bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the inline security tool is on-line, the heartbeat packets will be returned to the TAP, and the link traffic will continue to flow through the inline security tool.

If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP will automatically 'bypass' the inline security tool and keep the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link.

While the TAP is in bypass mode, it continues to send heartbeat packets out to the inline security tool so that once the tool is back on-line, it will begin returning the heartbeat packets back to the TAP indicating that the tool is ready to go back to work. The TAP will then direct the network traffic back through the inline security tool along with the heartbeat packets placing the tool back inline.

Some of you may have noticed a flaw in the logic behind this solution!  You say, “What if the TAP should fail because it is also in-line? Then the link will also fail!” The TAP would now be considered a point of failure. That is a good catch – but in our blog on Bypass vs. Failsafe, I explained that if a TAP were to fail or lose power, it must provide failsafe protection to the link it is attached to. So our network TAP will go into Failsafe mode keeping the link flowing.

Glossary

  1. Single point of failure: a risk to an IT network if one part of the system brings down a larger part of the entire system.

  2. Heartbeat packet: a soft detection technology that monitors the health of inline appliances. Read the heartbeat packet blog here.

  3. Critical link: the connection between two or more network devices or appliances that if the connection fails then the network is disrupted.

NETWORK MANAGEMENT | THE 101 SERIES