What's the difference between a TAP and SPAN?
Network TAP (test access point) and SPAN (port mirroring) are the two most common methods for network traffic access used for data monitoring and security analysis. Is there a difference? Yes, there are significant differences which affect the integrity of the traffic that is being analyzed, as well as the performance of network tools. This page discusses the differences in both options in regards to monitoring the network.
"SPANs can add overhead on a network device, and that SPAN port will often drop mirrored packets if the device gets too busy. Therefore, TAPs are a better option.” -EMA [Enterprise Management Associates]
Network TAP [Test Access Point]
Network TAPs are a purpose-built hardware device that sits in a network segment, between two appliances (router, switch or firewall), and allows you to access and monitor the network traffic. TAPs transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring or security device in real time.
• Make a 100% full duplex copy of network traffic without altering the data.
• Designed to support 10M/100M/1G/10G/40G/100G/400G.
• Are scalable and can either provide a single copy, multiple copies (regeneration), or consolidate traffic (aggregation) to maximize the production of your monitoring tools.
• Court approved. A TAP provides forensically sound data/evidence that data captured is 100% accurate with time reference.
• Do not alter the time relationships of frames. Spacing and response times are especially important with VoIP and Triple Play analysis including FDX analysis.
• Fiber TAPS are 100% passive and have no power.
• Have no IP address, no MAC address and cannot be hacked.
SPAN [Switch Port Analyzer]
Port Mirroring also known as SPAN (Switch Port Analyzer), are designated ports on a network appliance (switch), that are programmed to send a copy of network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed.
• Provide access to packets for monitoring.
• Designed for low-throughput spot checking.
• SPAN sessions do not interfere with the normal operation of the switch.
• Low priority processing -- the switch will drop SPAN packets if heavily utilized or oversubscribed.
• Can duplicate packets if multiple VLANs are used.
• Using SPAN/Mirror ports can change the timing of the frame interactions, altering response times.
"The switch treats SPAN data with a lower priority than to-port data...the best strategy is to make decisions based on the traffic levels of the configuration and when in doubt to use the SPAN port only for relatively low-throughput situations."
Network Access Best Practices
TAP vs SPAN is the question. Let's explore network TAP and SPAN use cases:
Creating a foundation of visibility is key for network management. Spanning (mirroring) technology is still viable for some limited situations but as one migrates from 10Mb to Gigabit to 40 Gigabit networks, and with the demands of seeing all frames for data security and policy compliance, deep packet capture, and Lawful Intercept, one must use purpose-built TAP technology to fulfill the demands of today’s complex analysis and monitoring technologies.
TAP vs SPAN Resources
TAP vs SPAN
An in-depth look into network visualization access, differences between TAP and SPAN, and what security, monitoring, management, compliance, and capture today’s networks require.
Visibility Fabric Best Practices
This white paper provides a step-by-step guide to planning and implementing a network visibility fabric of TAPs and network packet brokers.
Additional White papers
Putting TAP vs SPAN to the Test
TAP into Technology
Leading the way in Network Technology
Years back, companies within our critical infrastructure sectors realized that if they wanted to improve their strategic planning and scale their..
Why do I need TAPs? That’s a question I hear a lot from people in the field. Either they aren’t familiar with TAPs, or even if they are, with a low..