Network test access points (TAP) and port mirroring (SPAN) are the two most common access methods of packet capture for the use of analysis in data monitoring. Is there a difference? Yes, there are significant differences which affect the integrity of the traffic that is being analyzed, as well as the performance of the network traffic. This page discusses the differences in regards to monitoring the network. When deploying and managing active, inline appliances SPAN should never be used, as packets are randomly dropped when the SPAN ports become oversubscribed.
Network TAP [Test Access Point]
A hardware tool that allows you to access and monitor your network. TAPs transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring or security device in real time.
Port Mirroring also known as SPAN (Switched Port Analyzer), sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed.
What does Cisco say about data capture and SPAN ports?
"The switch treats SPAN data with a lower priority than to-port data...the best strategy is to make decisions based on the traffic levels of the configuration and when in doubt to use the SPAN port only for relatively low-throughput situations." - Cisco
Network security and management personnel must have full access and using TAP (test access points) technology is the only viable and reliable technology for that job. Still not convinced? This white paper will cover the value TAP access will provide and remove all the misinformation about SPAN or monitor access through switches and false products.