
Accessing Network Traffic: SPAN Ports Vs. TAPs

Ensuring complete visibility of network data is the first critical component of analysis. There are two common ways for a monitoring device to access network traffic: using a switch’s SPAN session (also known as port mirroring) or a network TAP (Test Access Port).

SPAN Session
A SPAN session functions best on lightly used, non-critical networks. In a SPAN session, the switch copies the send and receive data channels, and constructs an integrated data stream from both channels. It then routes the integrated signal through the send channel of the SPAN port to a monitoring device. Because both channels are integrated into a single send channel, the SPAN port can only support a maximum of 50 percent of link utilization. When link utilization reaches above 50 percent, packets are dropped. Networks running business-critical or bandwidth-intense applications, like VoIP, are not appropriate environments for a SPAN port.

A SPAN session also presents the following risks:

  • A switch filters out physical layer errors, which can hamper some types of analysis
  • There is an extra burden on a switch’s CPU to copy all data passing through the ports, potentially affecting timestamping accuracy
  • A SPAN port hides jitter from the monitoring device, and jitter is critical to the types of analysis that require very accurate timestamping, like VoIP

Aggregator TAP
An aggregator TAP makes a good compromise between the SPAN and full-duplex TAP options for non-mission-critical links. The aggregator TAP provides access to data streams passing through a full-duplex network link, copying both sides of the link. Both sides of the link are then aggregated into a single stream. The integrated stream is then sent out over a simplex port to an analysis device with a single-receive capture interface.

Its advantage over a SPAN is that the aggregator TAP buffers the analyzer output, which makes it less likely than a SPAN to drop packets during short spikes of high usage. In addition, the aggregator TAP will forward layer 1 and 2 errors to the analysis device.

An aggregator TAP is best suited for:

  • Working with an analysis device with a standard (single-receive) capture interface, such as a laptop or standard system with an analysis device
  • A light to moderately used network that occasionally has utilization peaks above the capture capacity of the analyzer
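
The following Python model is an added example, not part of the original article or any vendor tool. It shows how much captured traffic is lost when both directions share one monitor port (SPAN with no buffer, aggregator TAP with a buffer) compared with separate channels per direction. The 1000 Mbps link, 512 Mbit TAP buffer, one-second intervals and both traffic traces are constructed assumptions.

```python
"""Simplified drop model for SPAN, aggregator TAP and full-duplex TAP."""

def aggregated_port_drops(tx, rx, link_mbps, buffer_mbit=0, interval_s=1):
    """Mbit dropped when both directions share one monitor port of link_mbps.

    tx, rx      -- average rate per interval in each direction (Mbps)
    buffer_mbit -- output buffer: 0 models the SPAN port, >0 the aggregator TAP
    """
    capacity = link_mbps * interval_s       # Mbit the port can send per interval
    queued = dropped = 0
    for t, r in zip(tx, rx):
        offered = (t + r) * interval_s + queued
        backlog = max(0, offered - capacity)
        queued = min(backlog, buffer_mbit)  # held over to the next interval
        dropped += backlog - queued         # never reaches the analyzer
    return dropped

def full_duplex_tap_drops(tx, rx, link_mbps, interval_s=1):
    """Each direction has its own channel; only a rate above line rate would drop."""
    over = sum(max(0, t - link_mbps) + max(0, r - link_mbps)
               for t, r in zip(tx, rx))
    return over * interval_s

def compare(tx, rx, link_mbps=1000, tap_buffer_mbit=512):
    """Dropped Mbit per access method for the same traffic trace."""
    return {
        "span": aggregated_port_drops(tx, rx, link_mbps, 0),
        "aggregator_tap": aggregated_port_drops(tx, rx, link_mbps,
                                                tap_buffer_mbit),
        "full_duplex_tap": full_duplex_tap_drops(tx, rx, link_mbps),
    }

# Constructed traces (Mbps per one-second interval), not measured data.
SHORT_SPIKE = ([300, 700, 300, 200], [200, 600, 300, 100])  # one burst to 65%
SUSTAINED = ([800] * 4, [700] * 4)                          # steady 75%

if __name__ == "__main__":
    for name, (tx, rx) in (("short spike", SHORT_SPIKE),
                           ("sustained", SUSTAINED)):
        print(name, compare(tx, rx))
```

Any dropped value above zero means the analyzer saw an incomplete record of the link, so gaps in a capture taken this way cannot be read as an absence of traffic.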

Full-Duplex TAP
A full-duplex TAP is a passive mechanism installed between two “devices of interest” on the network. The TAP can be placed, for example, between a server and switch, or a router and firewall. Full-duplex TAPs transmit both the send and receive data streams on separate dedicated channels, ensuring that all full-duplex data (up to 2000 Mbps) arrives at the monitoring device. For that reason, the monitoring device must be equipped with a dual-receive capture card capable of aggregating the two data streams.

Full-duplex TAPs are ideal for ensuring visibility of highly utilized full-duplex links because:

  • A full-duplex TAP never drops packets, regardless of speed or utilization
  • A full-duplex TAP does not filter out physical layer errors from the monitoring device
  • A full-duplex TAP is completely passive; it does not present a risk to the network

[Stephen Brown of Network Instruments]
