Network TAP Instrumentation
You can insert passive network taps as another method for collecting packet data. A tap sits inline on a physical link and copies all traffic passing through it to a monitoring device. You can classify taps as follows:
• Basic TAPs - Make a copy of the signal on the wire to a secondary port for monitoring. When you use a passive TAP, you must use two monitoring ports on the NetShark for each single link that you monitor, because the TAP uses a separate port to copy the traffic in each direction.
Figure: Basic TAP Connectivity shows a TAP on a link between Device A and Device B. The TAP copies traffic in the direction from Device A to Device B on one port and the direction from Device B back to Device A on a second port.
Figure: Basic TAP Connectivity
• Regeneration taps - Enable you to send the same traffic for the same monitored link to multiple devices. These taps are useful if you want to send traffic from one link to both a NetShark, AppResponse, or NetExpress and another device (such as an IDS).
• Aggregation taps - Enable you to aggregate both directions of traffic on a monitored link through a single port so that you need only a single port on the NetShark, AppResponse, or NetExpress for a link you want to monitor. If you use this method, you can miss packets if the traffic on the full-duplex link exceeds the available single-duplex line rate of the capture point.
Some aggregation taps can regenerate and send traffic from a monitored link to multiple monitoring devices (sometimes referred to as port aggregation). Some aggregation taps can combine multiple monitored links to one or more monitoring devices, sometimes referred to as link aggregation.
Other aggregation taps can split traffic and spread the incoming packets among different collectors, allowing for load balancing and packet slicing.
If you are using an aggregation tap, check with your tap vendor for specific capabilities and options.
• Advanced/Intelligent taps - Many of the same vendors that offer intelligent SPAN or port-mirror solutions also offer solutions you can use for taps.
Best practices for TAP deployment:
• Ensure that you understand which type of TAP you are using, keeping in mind that basic taps require two monitoring ports per monitored link, one for traffic in each direction.
• You can use taps on existing SPAN and port-monitoring ports. This is useful if no SPAN or monitoring ports remain available on the switch you want to monitor.
• You can chain taps. For example, if you already have a TAP deployed to a monitoring device such as an IDS, you can TAP into the feed to the IDS for monitoring with the NetShark or NetExpress.
• Ensure all packets from a single conversation are sent to the same capture port. NetShark is unable to calculate certain metrics (such as cRTT) if the packets are seen on different capture ports.
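The last practice above can be checked against a packet summary. The following is an added example, not Riverbed code: it assumes you can export per-packet records as (src, sport, dst, dport, proto, capture_port) tuples. The record layout, the port names, and all function names are hypothetical. It flags conversations whose two directions arrived on different capture ports, and shows a direction-independent key that a load-balancing tap or packet broker can hash on to keep a conversation together.

```python
import zlib
from collections import defaultdict

def conversation_key(src, sport, dst, dport, proto):
    """Direction-independent key: A->B and B->A produce the same tuple."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def symmetric_port(src, sport, dst, dport, proto, n_ports):
    """Pick a collector index from the normalized key, so both directions
    of one conversation are always assigned to the same collector."""
    key = conversation_key(src, sport, dst, dport, proto)
    data = "|".join(map(str, key)).encode()
    return zlib.crc32(data) % n_ports

def split_conversations(records):
    """Return {conversation_key: [capture ports]} for every conversation
    that was observed on more than one capture port."""
    seen = defaultdict(set)
    for src, sport, dst, dport, proto, capture_port in records:
        seen[conversation_key(src, sport, dst, dport, proto)].add(capture_port)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed sample records (not real capture data). The TCP conversation
# has its request on mon0 and its reply on mon1; the UDP one stays on mon0.
SAMPLE_RECORDS = [
    ("10.0.0.5", 51514, "10.0.1.20", 443, "tcp", "mon0"),
    ("10.0.1.20", 443, "10.0.0.5", 51514, "tcp", "mon1"),
    ("10.0.0.7", 40222, "10.0.1.30", 53, "udp", "mon0"),
    ("10.0.1.30", 53, "10.0.0.7", 40222, "udp", "mon0"),
]

if __name__ == "__main__":
    for key, ports in split_conversations(SAMPLE_RECORDS).items():
        print("split across capture ports:", key, ports)
    fwd = symmetric_port("10.0.0.5", 51514, "10.0.1.20", 443, "tcp", 4)
    rev = symmetric_port("10.0.1.20", 443, "10.0.0.5", 51514, "tcp", 4)
    print("collector for request / reply:", fwd, rev)
```

Any conversation this reports is one for which direction-dependent metrics such as cRTT cannot be calculated until the tap distribution is corrected.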