Network test access points (TAPs) and port mirroring (SPAN) are the two most common methods of accessing packets for analysis and monitoring. Is there a difference? Yes: there are significant differences that affect the integrity of the traffic being analyzed, as well as the performance of the network traffic. This page discusses those differences with regard to monitoring the network.
"SPANs can add overhead on a network device, and that SPAN port will often drop mirrored packets if the device gets too busy. Therefore, TAPs are a better option." - EMA [Enterprise Management Associates]
Network TAP [Test Access Point]
A purpose-built hardware device that allows you to access and monitor your network traffic. TAPs transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring or security device in real time.
Network TAPs make a 100% full duplex copy of network traffic without altering the data.
Designed to support 10M/100M/1G/10G/40G/100G/400G.
Network TAPs are scalable and can either provide a single copy, multiple copies (regeneration), or consolidate traffic (aggregation) to maximize the production of your monitoring tools.
Court approved. A TAP provides forensically sound evidence: the data captured is 100% accurate, with a time reference.
TAPs do not alter the time relationships of frames. Spacing and response times are especially important with VoIP and Triple Play analysis, including FDX analysis.
Fiber TAPs are 100% passive and require no power.
Network TAPs have no IP address, no MAC address and cannot be hacked.
Port mirroring, also known as SPAN (Switch Port Analyzer), sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed.
Provides access to packets for monitoring.
SPAN sessions do not interfere with the normal operation of the switch.
Low priority: the switch will drop SPAN packets if it is heavily utilized or oversubscribed.
Can duplicate packets if multiple VLANs are used.
Using SPAN/Mirror ports can change the timing of the frame interactions, altering response times.
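The duplicate-packet behaviour listed above can be measured on a capture taken from a SPAN port. The following is an added example, not part of the original page: it parses a classic pcap file, ignores a single 802.1Q tag, and counts identical frames that arrive within a short window. The function names, the window_us default and the sample frames are assumptions constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def strip_vlan(frame: bytes) -> bytes:
    """Drop one 802.1Q tag so tagged and untagged copies compare equal."""
    if len(frame) >= 18 and frame[12:14] == b"\x81\x00":
        return frame[:12] + frame[16:]
    return frame

def count_span_duplicates(pcap: bytes, window_us: int = 1000):
    """Return (frames, duplicates) for the bytes of a classic pcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (PCAP_MAGIC, 0xD4C3B2A1):
        raise ValueError("not a classic microsecond-resolution pcap")
    end = "<" if magic == PCAP_MAGIC else ">"
    offset, frames, dups, last_seen = 24, 0, 0, {}
    while offset + 16 <= len(pcap):
        sec, usec, incl_len, _ = struct.unpack(end + "IIII", pcap[offset:offset + 16])
        data = pcap[offset + 16:offset + 16 + incl_len]
        if len(data) < incl_len:
            break  # truncated final record
        offset += 16 + incl_len
        frames += 1
        ts, key = sec * 1_000_000 + usec, strip_vlan(data)
        # Identical bytes inside the window are counted as a mirror copy.
        if key in last_seen and ts - last_seen[key] <= window_us:
            dups += 1
        last_seen[key] = ts
    return frames, dups

def build_pcap(records):
    """Constructed sample helper: pack (ts_us, frame) pairs as a pcap."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts_us, frame in records:
        out += struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                           len(frame), len(frame)) + frame
    return out

# Constructed frames: one packet seen tagged (VLAN 10) and untagged, plus others.
MACS = bytes.fromhex("020000000002020000000001")
UNTAGGED = MACS + b"\x08\x00" + b"constructed-payload"
TAGGED = MACS + bytes.fromhex("8100000a") + b"\x08\x00" + b"constructed-payload"
OTHER = MACS + b"\x08\x00" + b"a-different-frame"
SAMPLE = build_pcap([(1_000_000, TAGGED), (1_000_040, UNTAGGED),
                     (1_000_500, OTHER), (1_900_000, UNTAGGED)])

if __name__ == "__main__":
    print(count_span_duplicates(SAMPLE))
```

A non-zero duplicate count on a mirrored capture means downstream tools are double-counting traffic, so deduplicate before computing volumes or alert rates.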
What does Cisco say about data capture and SPAN ports?
"The switch treats SPAN data with a lower priority than to-port data...the best strategy is to make decisions based on the traffic levels of the configuration and when in doubt to use the SPAN port only for relatively low-throughput situations." - Cisco
Creating a foundation of visibility is key for network management. Once deployed, network TAPs allow you to access that point in your network at any time. Many organizations have adopted the stance of tapping all critical links for easy access during troubleshooting or inevitable security breaches.
Spanning (mirroring) technology is still viable for some limited situations, but as one migrates from 10Mb to Gigabit to 40 Gigabit networks, and with the demands of seeing all frames for data security and policy compliance, deep packet capture, and Lawful Intercept, one must use purpose-built TAP technology to fulfill the demands of today’s complex analysis and monitoring technologies.