Network TAP

7 reasons to use Network TAP vs SPAN

Network TAP (Test Access Point) is a hardware device which is used to provide passive access to a data stream over the wired network link. It passes the original traffic between devices connected to “input” ports and at the same time makes a copy of this traffic and sends it to devices connected to “output” ports, enabling a secure access for monitoring and analyzer tools.

Input ports are often called “network ports” (as these ports are usually used to connect different network segments), while output ports are called “monitoring ports”.

TAP consists of (minimum) two input (network) ports, usually marked as “A” and “B” to which you will connect your network devices (switches, servers, routers, etc.) and minimum one monitoring port (today, because of 1G full-duplex traffic it is normal to have two monitoring ports).

Why using a TAP?

Many of you will ask the same question: “Why should I use TAP when I have mirror port (SPAN) enabled by my switch manufacturer?” Yes, in same cases, you can use this ports to connect your analyzer (often in simple network environments). But are you aware of drawbacks using a SPAN port? I will try to name some of them.

7 reasons against SPAN port

1. Causes your switch to overload

As soon as you enable SPAN port and select ingress and egress traffic to be sent to SPAN port you’ve created, switch starts replicating (copying) packets from the ports you selected to SPAN port. This means that, if you selected 2 ports, switch will actually start copying those packets to SPAN port.

Let’s say your business is growing and number of happy users is growing, quite good thing. So the server you are using is getting more and more logins which means more and more traffic. In the end, utilization of the monitored link is constantly higher than 85%. All that time, switch is copying the packets to SPAN port until the point it reaches CPU and memory limit and it gets overloaded. And as SPAN port is lowest priority port on switch, it starts dropping the packets. You lost the visibility and you are even not aware of it, as you will not be notified for sure. If you call a technical support of switch vendor, first answer you will get is “Turn off SPAN ports”. In the mean time, some of those lost packets were actually attackers. Ups!

Recent report by Fujitsu in UK shows that 51% of customers were never return to company who had their personal data lost. Don’t be one of them!

2. Doesn’t forward Layer 1 and Layer 2 errors

Well, bad news if you have a lot of L2 errors on your link. I will just copy a part of Cisco’s whitepaper about SPAN port:

The SPAN port did not pass incoming frames containing a CRC error, an End-of-Frame invalid frame (EOFni), or End-of-Frame Abort (EOFna).

Do not use the SPAN port to debug FC-0, FC-1, and FC-2 problems, since it doesn’t mirror 8b/10b coding, MAC layer primitives or errors (FC-0, FC-1, FC-2), and corrupted frames with cyclic redundancy check (CRC) errors.

So if you are having L2 channel errors or CRC errors, good luck!

Additional catch: Undersized or Over-sized frames are not forwarded!

3. Needs to be configured

OK, probably most of you will say: “This is not so complicated and that’s my job, I love it!”. But, it can be really painful. You need to know which switch you can re-configure, which port, when, who will use it, in what time… Enough? Also, you still need to type in some commands (see photo below) though it is only a 1-2 min, depending of typing speed but you still need to think about if you entered correct port number or if you mistyped anything.  By using a tap all you have to do is to plug it in the network. Job done!


Additional catch:

Entering SPAN configuration commands does not remove previously configured SPAN parameters. You must enter the no monitor session {session_number | all | local | remote} global configuration command to delete configured SPAN parameters.

4. Mixing source and destination information (Rx and Tx)

Another bad thing. When you configure a SPAN port, you will mostly configure 2 sessions: source (ingress) and destination (egress), which means that you want to see the traffic which is coming in and also the traffic which is coming out of the port. But guess what? . Local SPAN does not have separate source and destination sessions. This can be really painful as you will lose a lot of time decoding sources and destinations, figuring out who, what, when, where.

5. Number of SPAN ports is limited per switch – maximum 2 sessions

Can be quite problematic if you need to implement redundant IDS, traffic recorder and VoIP analyzer at the same time. On most devices, number of SPAN sessions (ports) is limited to 2, which is quite reasonable if you remember the part which causes switch to overload. How to connect 4 tools when you have only 2 available ports? This is something where tap also couldn’t help but a device called “Network Packet Broker” or “Network Monitoring Switch” could. But I will cover it in some of my next posts.

Additional catch: “You cannot have two SPAN sessions using the same destination port“, meaning that if you want to share the same traffic on two monitoring devices – you will not be able to do it!

6. “Skews” packet arrival times

SPAN port is not primary port on switch, so in many cases, it can mix-up the times on frames, as it’s switching process is core job. This means that if you are doing VoIP analysis, SPAN is useless as RTP is really dependent on timing.

7. Compliance (Security) issues

If you had a breach and some of the evidence of that is coming from SPAN port, it is very likely that defender will challenge it. As SPAN port is not passive technology, there is no 100% assurance of source liability, which means that you can easily lose on court (especially important for Lawful Intercept and LEA agencies). Moreover, TAPs do not have IP address and can’t be hacked/accessed by third party, which means that data they colleceted/forwarded is 100% liable.

Not even cheaper than TAP!

And please don’t make a comment “SPAN port is 10 times cheaper”. Even if we forget about these facts I’ve just written, let’s calculate: Cisco switch (Nexus) with 48 ports costs about 18-22k, which means that 1 SPAN port costs about ~500$, if I am correct. Fiber TAP price is about the same 500$ and copper TAP is a bit higher priced, about 1.000$. So if you are wiling to gamble with thousand or even millions of dollars because of 200$, feel free!