TAP vs. SPAN: Choosing the Right Tool for Network Packet Capture
*This article is an English translation of the Engineer Notes article as of Dec 13, 2021.
*Please note that the content may have been updated since then.
When you're conducting network monitoring or packet capture, you might come across instructions in product manuals that say something like "Connect to a TAP or SPAN." Both TAP and SPAN are ways to see what's happening with your network traffic. But what's the difference between them? Knowing this can save you from those "This isn't what I expected..." moments later on.
In this article, we'll break down what TAP and SPAN are all about and help you figure out which one is right for your needs.
Methods for Visualizing Packets
When conducting network monitoring, packet capture, or any packet-based analysis, the first step is to capture the traffic flowing on the network. Simply connecting a packet capture device to a switch port without preparation won't allow you to visualize all the traffic. There are two common methods to capture packets: "installing a TAP inline and connecting it" and "creating a SPAN and connecting via it". Although there are other ways to visualize packets, we'll focus on these two common methods in this article.
Our products, such as SYNESIS, NetEyez, and NetEyez Security, utilize these methods to visualize network traffic.
Here is an image representing the connections in a 1G Ethernet network:
Each connection method has its advantages and disadvantages, so it's important to understand them before choosing a method.
Advantages and Disadvantages of TAP Connections
A TAP is a device that splits the data traveling over a cable so that it can be delivered to a monitoring device connected to the TAP's monitoring port.
Advantages of TAP
- Zero Packet Loss: A TAP can extract all frames on the network without any packet loss. It can capture full-duplex data from both directions (uplink and downlink) separately. Since most modern networks are full-duplex, this means that in a 1GbE network, you could theoretically have 1Gbps throughput in each direction. When connected via a TAP, it's possible to capture this total 2Gbps traffic separately in each direction. Additionally, a TAP can capture L2 error frames (like short packets), which are typically discarded by a switch port during SPAN.
- Independence from Existing Equipment and Network Conditions: A TAP can be installed regardless of existing equipment or network conditions. Simply install the TAP at the desired point, switch the cables, and the setup is complete.
- Minimal Impact on Network Performance: A TAP is a specialized device that, once inserted, adds minimal delay and has minimal impact on both the network and the monitoring side. This allows for accurate analysis of the timing of data as it passes through the network.
Disadvantages of TAP
- Network Disruption During Insertion: Installing a TAP requires making physical changes to the network cables, which causes a network disruption during insertion. If the TAP is inserted on the server side, the impact on connected terminals can be significant.
- Cost of Purchasing a TAP: If you don't already have a TAP, you'll need to bear the cost of purchasing one.
- Multiple Ports Needed on Monitoring Devices: Monitoring full-duplex communication requires two ports per line on the monitoring device—one for uplink and one for downlink. This could lead to higher costs for the monitoring device.
Advantages and Disadvantages of SPAN Connections
SPAN (Switched Port Analyzer), also known as port mirroring, is a feature built into network switches that allows you to monitor traffic on specific ports.
Advantages of SPAN
- No Network Disruption: Unlike TAP, SPAN does not require any physical changes to the network and can be used immediately after configuration.
- No Need for Additional Devices: Many modern switches come with SPAN (or mirror port) capabilities as a standard feature, meaning there’s no need to purchase additional devices. This makes SPAN an easy and cost-effective way to visualize packets.
Disadvantages of SPAN
- Potential for Packet Loss and Latency: Since SPAN is part of the switch's functions, the switch's performance and traffic environment can lead to packet loss or latency on the monitoring side. Unlike TAP, SPAN outputs full-duplex communication through a single port, which can cause packet loss if the combined uplink and downlink traffic exceeds the port speed.
- Unmonitored Frames: Most switches discard L2 error frames before they reach the monitoring side. Since SPAN does not physically split the traffic, any frames discarded by the switch cannot be captured.
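The oversubscription condition described above can be checked against interface counters before relying on a SPAN port. The following Python code is an added example, not part of the original article or of any product it mentions. It assumes per-direction octet counters polled from the mirrored port (for instance IF-MIB `ifHCInOctets` / `ifHCOutOctets`); the names `Sample`, `delta` and `span_report` and the counter values are constructed for illustration.

```python
from dataclasses import dataclass

COUNTER_MOD = 2 ** 64  # ifHCInOctets / ifHCOutOctets are 64-bit counters


@dataclass
class Sample:
    t: float        # poll time in seconds
    rx_octets: int  # bytes received on the mirrored port (one direction)
    tx_octets: int  # bytes sent on the mirrored port (other direction)


def delta(new, old):
    """Counter difference that stays correct across one 64-bit wrap."""
    return (new - old) % COUNTER_MOD


def span_report(samples, span_bps):
    """Per poll interval: rate in each direction and the share a single
    SPAN destination port of speed span_bps cannot carry."""
    rows = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            raise ValueError("samples must be in increasing time order")
        rx = delta(cur.rx_octets, prev.rx_octets) * 8 / dt
        tx = delta(cur.tx_octets, prev.tx_octets) * 8 / dt
        needed = rx + tx  # both directions leave through one mirror port
        excess = max(0.0, needed - span_bps)
        rows.append({"t": cur.t, "rx_bps": rx, "tx_bps": tx,
                     "span_needed_bps": needed,
                     "min_loss_fraction": excess / needed if needed else 0.0})
    return rows


# Constructed counters for one 1GbE port, polled every 10 s; rx wraps once.
SAMPLES = [
    Sample(0, COUNTER_MOD - 200_000_000, 0),
    Sample(10, 300_000_000, 250_000_000),
    Sample(20, 1_300_000_000, 1_000_000_000),
]

if __name__ == "__main__":
    for row in span_report(SAMPLES, span_bps=1_000_000_000):
        print(f"t={row['t']:>4}s rx={row['rx_bps'] / 1e6:.0f}M "
              f"tx={row['tx_bps'] / 1e6:.0f}M "
              f"needed={row['span_needed_bps'] / 1e6:.0f}M "
              f"min loss={row['min_loss_fraction']:.1%}")
```

In the second interval each direction stays below 1 Gbps, so a TAP with one monitor port per direction would carry it, while the combined 1.4 Gbps exceeds a 1 Gbps SPAN destination port. Interval averages hide microbursts, so a 0% result is not proof that the mirror port never drops; treat the figures as a lower bound.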
Which Should You Use: TAP or SPAN?
The decision of whether to use TAP or SPAN depends on the situation. Here are some criteria to help you choose:
- When Packet Integrity Is Critical: If you cannot tolerate packet loss, you should opt for a TAP. Particularly if you need to monitor all data, including L2 error frames, TAP is the only choice.
- Leveraging Existing Network Infrastructure: If you want to avoid changes to the existing network infrastructure, SPAN is convenient. It allows for visualization with minimal physical changes, making it both cost-effective and efficient. Additionally, if it's difficult to disrupt the network to insert a TAP, SPAN becomes the necessary choice.
Ultimately, the choice depends on your network requirements, constraints, budget, and security needs. In certain situations, using both TAP and SPAN together can be beneficial. The key is to choose the optimal method based on your network monitoring goals and requirements to ensure network security and performance.
Recommended TAP Products
Our company offers not only packet capture products but also Garland TAPs. We provide a wide variety of TAPs, so please feel free to consult with us. To fully leverage the lossless capture capabilities of SYNESIS, it's crucial to choose the right traffic visualization method.
Conclusion
While SPAN's performance has been improving, if you want to ensure 100% packet capture without loss, TAP is recommended. If you install TAPs at key network points during new network installations, you can connect monitoring devices to visualize traffic whenever necessary. Even if it's not needed right now, consider installing TAPs at critical points in your network for future needs.