Chengdu Shuwei Communication Technology Co., Ltd.
NetTAP® How to Capture Network Traffic? Port Mirror vs Network Tap

Product Details

Place of Origin: China

Brand Name: NetTAP®

Certification: CCC, CE, RoHS

Payment & Shipping Terms

Minimum Order Quantity: 1 SET

Price: Can Discuss

Packaging Details: Outer Carton plus Inner Foam

Delivery Time: 1-3 Working Days

Payment Terms: L/C, D/A, D/P, T/T, Western Union, MoneyGram

Supply Ability: 100 sets per month

Specifications
High Light: port mirror network tap, Capture Network Traffic Port Mirror, Active Packet Replication Network Tap

Differences Of: Port Mirror And Network Tap

Capture Network Traffic: Port Mirroring Or Network Tap

Port Mirror: Active Packet Replication

Network Tap: A Fully Passive Tap Device

NetTAP® Technology: Data Masking, Filtering, Deduplication, Slicing, Etc.
Description
How to Capture Network Traffic? Port Mirror vs Network Tap

To analyze network traffic, the network packets must be sent to NTOP/NPROBE. There are two solutions to this problem:

Port Mirroring (also known as SPAN)

Network Tap (also known as Replication Tap, Aggregation Tap, Active Tap, Copper Tap, Ethernet Tap, etc.)

Before explaining the differences between the two solutions (Port Mirror and Network Tap), it is important to understand how Ethernet works. At 100 Mbit and above, hosts usually speak in full duplex, meaning that one host can send (Tx) and receive (Rx) simultaneously. This means that on a 100 Mbit cable connected to one host, the total amount of network traffic that the host can send and receive (Tx/Rx) is 2 × 100 Mbit = 200 Mbit.

Port mirroring is active packet replication, which means that the network device is physically responsible for copying the packet to the mirrored port.

This means that the device must perform this task by using some resource (such as the CPU), and both traffic directions will be replicated to the same port. As mentioned earlier, on a full duplex link this means that the sum of A -> B and B -> A cannot exceed the network speed before packet loss occurs, because there is physically no space to copy the packets. Port mirroring is a great technique in that it can be performed by many switches (but not all), with the drawback of packet loss if you monitor a link with over 50% load, unless you mirror the ports onto a faster port (e.g. mirror 100 Mbit ports onto a 1 Gbit port). In addition, packet mirroring may require switch resources, which can load the device and cause switching performance to degrade. Note that you can copy 1 port to one port, or 1 VLAN to one port, but you generally cannot copy many ports to 1 (so the packet mirror is missing).
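The oversubscription argument above, as an added example that is not part of the original page: a small Python queue model of a mirror port that receives both directions of a full-duplex link. The function name, the 512 kbit buffer, the 1 ms tick and the sample loads are assumptions chosen for illustration.

```python
# Added example (not vendor code): egress-queue model of a mirror (SPAN) port.
# Buffer size, tick length and the sample loads below are assumed values.

def mirror_loss(samples, mirror_mbps, buffer_kbit=512, tick_ms=1):
    """Copy both directions of a full-duplex link onto one mirror port.

    samples: list of (a_to_b_mbps, b_to_a_mbps) pairs, one pair per second.
    Returns (offered_mbit, dropped_mbit, drop_ratio) for the mirrored copy.
    """
    ticks_per_s = 1000 // tick_ms
    drain = mirror_mbps * 1000 / ticks_per_s  # kbit the mirror port sends per tick
    queue = offered = dropped = 0.0           # kbit
    for a_to_b, b_to_a in samples:
        arrive = (a_to_b + b_to_a) * 1000 / ticks_per_s  # both directions merge
        for _ in range(ticks_per_s):
            offered += arrive
            queue = max(0.0, queue + arrive - drain)
            if queue > buffer_kbit:           # buffer full: the excess is lost
                dropped += queue - buffer_kbit
                queue = buffer_kbit
    ratio = dropped / offered if offered else 0.0
    return offered / 1000, dropped / 1000, ratio


# Constructed per-second loads (Mbit/s per direction) on a 100 Mbit link.
SCENARIOS = {
    "40% each way": [(40, 40)] * 10,
    "80% each way": [(80, 80)] * 10,
    "asymmetric 90/20": [(90, 20)] * 10,
    "mostly 30%, one 95% burst": [(30, 30)] * 9 + [(95, 95)],
}

if __name__ == "__main__":
    for name, samples in SCENARIOS.items():
        for mirror in (100, 1000):
            offered, dropped, ratio = mirror_loss(samples, mirror)
            print(f"{name:28s} mirror={mirror:4d} Mbit  "
                  f"offered={offered:7.0f} Mbit  lost={ratio:6.1%}")
```

The asymmetric and burst scenarios show that what matters is the instantaneous sum of both directions, so a capture can be missing packets even when the average link load looks safe.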

 

A Network TAP (Terminal Access Point) is a fully passive hardware device which can passively capture traffic on a network. It is commonly used to monitor the traffic between two points in the network. If the network between these two points consists of a physical cable, a network TAP may be the best way to capture traffic.

The network TAP has at least three ports: an A port, a B port, and a monitor port. To place a tap between points A and B, the network cable between point A and point B is replaced with a pair of cables, one going to the TAP’s A port, the other one going to the TAP’s B port. The TAP passes all traffic between the two network points, so they are still connected to each other. The TAP also copies the traffic to its monitor port, thus enabling an analysis device to listen.

Network TAPs are commonly used by monitoring and collection devices such as APS. TAPs can also be used in security applications because they are non-obtrusive, are not detectable on the network, can deal with full-duplex and non-shared networks, and will usually pass through traffic even if the tap stops working or loses power.

As Network Tap ports do not receive but only transmit, the switch has no clue who’s sitting behind the ports. The consequence is that it broadcasts the packets to all ports. So if you connect your monitoring device to the switch, that device will receive all packets. Note that this mechanism works only if the monitoring device does not send any packet to the switch; otherwise the switch will assume that the tapped packets are not for that device. To achieve that, you can either use a network cable on which the TX wires are not connected, or use an IP-less (and DHCP-less) network interface that does not transmit packets at all. Finally, note that if you want to use a tap without losing packets, then either don’t merge directions or use a switch where the tapped directions are slower (e.g. 100 Mbit) than the merge port (e.g. 1 Gbit).
