TAP

A TAP (Test Access Point) is a passive splitting mechanism installed between a ‘device of interest’ and the network. TAPs transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring device in real time.

vs

SPAN

Most enterprise switches copy the activity of one or more ports through a Switch Port Analyzer (SPAN) port, also known as a mirror port. An analysis device can then be attached to the SPAN port to access network traffic.

  • RX & TX signal delivered on seperate ports
  • Captures everything on the wire, including MAC and media errors
  • Guarantees complete capture even when the network is 100 percent saturated
  

  • Hardware and media errors are dropped
  • RX & TX copied into in one TX signal
  • If utilizations exceeds the SPAN link compacity, packets are dropped

Pros

  • Eliminates the risk of dropped packets*
  • Monitoring device receives all packets, including physical errors
  • Provides full visibility into full-duplex networks
  

Pros

  • Low cost
  • Remotely configurable from any system connected to the switch
  • Captures intra-switch traffic

Cons

  • Analysis device may need dual-receive capture interface*
  • Additional cost with purchase of TAP hardware
  • Cannot monitor intra-switch traffic
  

Cons

  • Cannot handle heavily utilized full-duplex links without dropping packets
  • Filters out physical layer errors, hampering some types of analysis
  • Burden placed on a switch’s CPU to copy all data passing through ports
  • Can change the timing of frame interaction altering response times
  • Switch prioritizes SPAN port data lower than regular port-to-port data

Bottom Line

When deciding whether to use a TAP or SPAN the two primary factors that will affect your decision are the type of analysis and amount of bandwidth.

A TAP is ideal when analysis requires seeing all the traffic, including physical-layer errors. A TAP is required if network utilization is moderate to heavy. An Aggregator TAP can be used as an effective compromise between a TAP and SPAN port, delivering some of the advantages of a TAP and none of the disadvantages of a SPAN port.

*Refers to a full-duplex TAP, not an aggregator TAP.

  

Bottom Line

When deciding whether to use a TAP or SPAN the two primary factors that will affect your decision are the type of analysis and amount of bandwidth.

A SPAN port performs well on low-utilized networks or when analysis is not affected by dropped packets.