Taps Vs. SPAN: Taps Provide Full Visibility into Network Data

By Grover Koelpin 3 comments

– To efficiently monitor a network you must have complete
visibility into that network. This means being able to reliably capture 100% of the network traffic
under all network conditions. To achieve this, devices
need to be installed into that network to capture that data. These devices are known as TAPs, or switch port analyzers, or SPANS. A TAP is a passive
splitting mechanism placed between two network devices. It provides a monitoring connection. Using TAPs, you can easily
connect monitoring devices such as protocol analyzers, RMON probes, and intrusion detection
and prevention systems to the network. The TAP duplicates all traffic on the link and forwards this to
the monitoring device. Any monitoring device connected to a TAP receives the same traffic
as if it were inline. This includes all errors. TAPs do not introduce
delay or alter the content or structure of the data. They also fail open, so that
the traffic continues to flow between network devices even if you remove a monitoring device or power
to that device is lost. A SPAN port, also known
as a mirroring port, is a function of one or
more ports on a switch in the network. Like a TAP, monitoring
devices can also be attached to the SPAN port. So what are the advantages
of TAPs versus SPANs? A TAP captures everything on the wire including Mac and media errors. A SPAN port will drop those packets. A TAP is unaffected by
bandwidth saturation. A SPAN port cannot handle heavily used full duplex links
without dropping packets. A TAP is simple to install. A SPAN port requires an
engineer to configure the switch or switches. A TAP is not an
addressable network device, it cannot be hacked. SPAN ports leave you vulnerable. A TAP doesn’t require you
to dedicate a switch port to monitoring, it frees
the monitoring port up for switching traffic. For more information on
how you can eliminate the blind spots in your
network with Ixia TAPs, please visit us on the web.


Deepak Reddy

Dec 12, 2016, 12:40 pm Reply

Beautifully explained ..


May 5, 2017, 6:45 pm Reply

they dont explain that taps will not capture the intra switch traffic that a span port will capture (assuming the overall traffic load on the switch is not too heavy). unless the intra switch traffic happens to go to another switch that a tap is monitoring, you may never see intra switch traffic. ok, if the data traveled to another switch, it is no longer considered intra switch, but i hope you get my point. taps alone may not offer visibility for all network traffic.

Digital Foundry

Jun 6, 2019, 11:00 pm Reply

as all that coped traffic is being dumped to an analyzer, can I remotely manage and access that copied traffic from my desk? Or am I physically bound to only being able to access it on the local machine that is running the analyzer software?

Leave a Reply