Throughout the document, regular reference will be made to the following:
TAP
Within the NAPM “Network Application Performance Monitoring” space the one key requirement for Network Application Monitoring is packet analysis. Packet Analysis can only be achieved after the collection of the packets and this is done through TAP (Test Access Point) or SPAN (Switched Port Analyzer - Port Mirror) feeds.
In the following sections we will cover the difference between the two methods and also explain the pros and cons.
Network Packet Broker (NPB)
A network packet broker (NPB) is a device that provides a collection of monitoring tools with access to traffic from across the network. The word “broker”, or “dealer” is helpful to focus on here. The diagram below shows how an NPB receives data from a number of network links.
SPAN
Most enterprise switches copy the activity of one or more ports through a Switch Port Analyser (SPAN) port, also known as a mirror port. An analysis device can then be attached to the SPAN port to access network traffic.
TAP vs SPAN at a Glance
TAP
RX & TX signal delivered on separate ports.
Captures everything on the wire, including MAC and media errors.
Guarantees complete capture even when the network is 100 percent saturated
Pros
Eliminates the risk of dropped packets*
Monitoring device receives all packets, including physical errors.
Provides full visibility into full-duplex networks.
Cons
Analysis device may need dual-receive capture interface*
Additional cost with purchase of TAP hardware
Cannot monitor intra-switch traffic.
Some inline TAP modules are dumb-devices and will need additional Network Packet Broker to manage the packet collection
Bottom Line
A TAP is ideal when analysis requires seeing all the traffic, including physical-layer errors. A TAP is required if network utilization is moderate to heavy. An Aggregator TAP can be used as an effective compromise between a TAP and SPAN port, delivering some of the advantages of a TAP and none of the disadvantages of a SPAN port.
*Refers to a full-duplex TAP, not an aggregator TAP.
SPAN
Hardware and media errors are dropped.
RX & TX copied into in one TX signal.
If utilizations exceed the SPAN link capacity, packets are dropped.
Pros
Low cost
Remotely configurable from any system connected to the switch.
Captures intra-switch traffic
Cons
Cannot handle heavily utilized full-duplex links without dropping packets.
Filters out physical layer errors, hampering some types of analysis.
Burden placed on a switch’s CPU to copy all data passing through ports.
Can change the timing of frame interaction altering response times.
Switch prioritizes SPAN port data lower than regular port-to-port data.
Could also require an additional Network Packet Broker to manage multiple SPAN packet collection
Bottom Line
A SPAN port performs well on low-utilized networks or when analysis is not affected by dropped packets.
Conclusion
Whether you TAP or SPAN it is important to have a professional look at your volumes and the data type that needs to be consolidated for tool analysis, this goes in hand with security analysis areas and the sensitivity of certain types of data. You might need to split production data from your security data to ensure privacy and compliance with a certain regulatory standard.
Using out of band traffic for analysis with filtering capability will also give you a cost save with the type of tooling you are using to analyse this traffic, for instance if you have a security tool that only needs security traffic it can be filtered and aggregated from the packet broker, saving you throughput time to that tool that could have costed you double just because of pure direct traffic volume if you used a SPAN.
So different strokes for different folks, as I said let someone that knows their stuff look at this before you invest!
Gustav Joubert