What's the difference between a TAP and SPAN?
Network test access points (TAPs) and port mirroring (SPAN) are the two most common methods of accessing packets for capture, analysis and monitoring. Is there a difference? Yes, there are significant differences that affect the integrity of the traffic being analyzed, as well as the performance of the network traffic. This page discusses those differences with regard to monitoring the network.
"SPANs can add overhead on a network device, and that SPAN port will often drop mirrored packets if the device gets too busy. Therefore, TAPs are a better option." -EMA [Enterprise Management Associates]
Network TAP [Test Access Point]
A network TAP is a purpose-built hardware device that sits in a network segment between two appliances (router, switch or firewall) and allows you to access and monitor the network traffic. TAPs transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring or security device in real time.
• Make a 100% full duplex copy of network traffic without altering the data.
• Designed to support 10M/100M/1G/10G/40G/100G/400G.
• Are scalable and can either provide a single copy, multiple copies (regeneration), or consolidate traffic (aggregation) to maximize the production of your monitoring tools.
• Court approved. A TAP provides forensically sound data/evidence that data captured is 100% accurate with time reference.
• Do not alter the time relationships of frames. Spacing and response times are especially important with VoIP and Triple Play analysis including FDX analysis.
• Fiber TAPs are 100% passive and require no power.
• Have no IP address and no MAC address, so they are not addressable on the network and cannot be hacked.
SPAN [Switch Port Analyzer]
Port mirroring, also known as SPAN (Switch Port Analyzer), uses designated ports on a network appliance (switch) that are programmed to send a copy of network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed.
• Provide access to packets for monitoring.
• Designed for low-throughput spot checking.
• SPAN sessions do not interfere with the normal operation of the switch.
• Low priority processing -- the switch will drop SPAN packets if heavily utilized or oversubscribed.
• Can duplicate packets if multiple VLANs are used.
• Using SPAN/Mirror ports can change the timing of the frame interactions, altering response times.
"The switch treats SPAN data with a lower priority than to-port data...the best strategy is to make decisions based on the traffic levels of the configuration and when in doubt to use the SPAN port only for relatively low-throughput situations."
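Two of the SPAN limitations listed above, dropped mirror packets on an oversubscribed port and duplicate copies when multiple VLANs are mirrored, can be checked for before a capture is trusted. The Python below is an added example, not part of the original page: the function names and sample frames are constructed, and duplicate matching assumes copies are identical apart from a single 802.1Q tag (copies whose headers were rewritten by routing are not matched).

```python
import hashlib
from collections import deque

def span_load(sources_bps, dest_port_bps):
    """sources_bps: (rx_bps, tx_bps) per mirrored port, both directions mirrored.
    Returns (offered_bps, minimum fraction dropped at sustained rates)."""
    offered = sum(rx + tx for rx, tx in sources_bps)
    excess = max(0, offered - dest_port_bps)
    return offered, (excess / offered if offered else 0.0)

def strip_vlan(frame):
    """Drop one 802.1Q tag so copies mirrored from different VLANs compare equal."""
    if len(frame) >= 16 and frame[12:14] == b"\x81\x00":
        return frame[:12] + frame[16:]
    return frame

def find_duplicates(frames, window_s=0.001):
    """frames: (timestamp_s, raw_bytes) in capture order.
    Returns indexes of frames repeating an earlier frame within window_s."""
    recent, counts, dups = deque(), {}, []
    for i, (ts, raw) in enumerate(frames):
        # Forget frames that are older than the comparison window.
        while recent and ts - recent[0][0] > window_s:
            _, old = recent.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        digest = hashlib.sha256(strip_vlan(raw)).digest()
        if digest in counts:
            dups.append(i)
        recent.append((ts, digest))
        counts[digest] = counts.get(digest, 0) + 1
    return dups

# Constructed sample frames (not real traffic):
# dst MAC, src MAC, optional 802.1Q tag, IPv4 EtherType, payload.
MACS = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
PKT_A = MACS + b"\x08\x00" + b"payload-A"
PKT_A_VLAN10 = MACS + b"\x81\x00\x00\x0a" + b"\x08\x00" + b"payload-A"
PKT_B = MACS + b"\x08\x00" + b"payload-B"
SAMPLE = [(0.0, PKT_A), (0.0002, PKT_A_VLAN10), (0.0005, PKT_B), (0.5, PKT_A)]

if __name__ == "__main__":
    # One busy full-duplex 1G link mirrored to a single 1G SPAN port.
    print(span_load([(600_000_000, 700_000_000)], 1_000_000_000))
    print(find_duplicates(SAMPLE))
```

The last sample frame repeats the first but falls outside the 1 ms window, so it is treated as a retransmission or new packet rather than a mirror duplicate.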
Network Access Best Practices
TAP vs SPAN is the question. Let's explore network TAP and SPAN use cases:
Creating a foundation of visibility is key for network management. Spanning (mirroring) technology is still viable for some limited situations. But as one migrates from 10Mb to Gigabit to 40 Gigabit networks, and with the demands of seeing all frames for data security and policy compliance, deep packet capture, and Lawful Intercept, one must use purpose-built TAP technology to fulfill the demands of today’s complex analysis and monitoring technologies.