When we’re looking to monitor network traffic, we have two options to choose from: Taps or Span ports. Let’s take a look at some basic differences between the two.
For starters, a Switch Port Analyzer (SPAN) port, also known as a mirror port is a method of monitoring network traffic. When port mirroring is enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packet can be further analyzed. The amount of traffic you want to monitor depends on where the SPAN is installed in relation to the equipment. In some situations, if utilization exceed the SPAN link capacity, oversubscription occurs which leads to dropped packets. SPAN ports are ideal in situations where dropped packets won’t affect network analysis and if you’re looking for a low- cost alternative.
A TAP (Test Access Point) on the other hand, is more expensive but requires little setup. Essentially, a TAP is a passive device that can be connected and/or disconnected to the network without affecting it. TAPs provide a way to access the data flowing across a network to allow for greater visibility, stronger network security and higher performance. TAPs will capture everything on the wire, including any MAC or media errors and provides complete packet capture even if the network becomes oversaturated.
While both offer various advantages and disadvantages, the ultimate decision depends on the type of analysis you need, the amount of network traffic involved and cost.
Check out our infographic showing TAPs versus SPAN ports.
TAPs or Span: Which one do you use? Comment below!