首页 > 技术点滴 > Knowing the difference between SPAN and TAPs are important in order to correctly setup sniffing

Knowing the difference between SPAN and TAPs are important in order to correctly setup sniffing

2013年5月11日 baoz 阅读评论

To know the difference between Mirror Ports, SPAN Ports and TAPs

Port Mirroring generally indicates the ability to copy the traffic from a single port to a mirror port but disallows any type of bidirectional traffic on the port.

Spanning Port usually indicates the ability to copy traffic from all the ports to a single port but also typically disallows bidirectional traffic on the port.

TAP stands for Test Access Port. Network Taps are devices that allows to examine network traffic without causing any data stream interference. They work at OSI level 1, therefore they do not make any forwarding or routing decisions.

Differences between them:
1. SPAN/Mirror Ports consume switch resources, degrading its overall performance.
2. Taps pass full-duplex data at wire speed without affecting the actual traffic. Software architecture of low-end switches introduces delay by copying the spanned/mirrored packets.
3. The device connected to the Tap receives the same traffic as if it were also in-line, including all errors. A SPAN/Mirror port on a switch does not see all the traffic. Corrupt network packets, packets below minimum size, and layer 1 and 2 errors are usually dropped by the switch.
4. In SPAN/Mirror ports, you may lose traffic if the port is running close to capacity. For e.g. a switch is copying traffic from eth0 and eth1 into eth2 (all 100Mbps full duplex links). No packet loss will occur as long as the total traffic on eth0 and eth1 is 50Mbps or less (50Mbps of eth0 + 50Mbps of eth1 = 100Mbps on eth2). If any of eth0 or eth1 goes above 50Mbps, then some packets/frames will be dropped on the SPAN/Mirror port i.e. eth2.

  1. 本文目前尚无任何评论.