Archive

Posts tagged 'Port Mirroring'

Knowing the difference between SPAN and TAPs is important in order to correctly set up sniffing

May 11, 2013 No comments

The difference between Mirror Ports, SPAN Ports and TAPs

Port Mirroring generally indicates the ability to copy the traffic from a single port to a mirror port but disallows any type of bidirectional traffic on the port.

Spanning Port usually indicates the ability to copy traffic from all the ports to a single port but also typically disallows bidirectional traffic on the port.

TAP stands for Test Access Port. Network taps are devices that allow network traffic to be examined without interfering with the data stream. They work at OSI layer 1, so they do not make any forwarding or routing decisions.

Differences between them:
1. SPAN/Mirror Ports consume switch resources, degrading its overall performance.
2. Taps pass full-duplex data at wire speed without affecting the actual traffic. The software architecture of low-end switches introduces delay when copying the spanned/mirrored packets.
3. The device connected to the Tap receives the same traffic as if it were also in-line, including all errors. A SPAN/Mirror port on a switch does not see all the traffic. Corrupt network packets, packets below minimum size, and layer 1 and 2 errors are usually dropped by the switch.
4. On SPAN/Mirror ports, you may lose traffic if the port is running close to capacity. For example, suppose a switch is copying traffic from eth0 and eth1 into eth2 (all 100Mbps full duplex links). No packet loss will occur as long as the total traffic on eth0 and eth1 is 50Mbps or less (50Mbps of eth0 + 50Mbps of eth1 = 100Mbps on eth2). If either eth0 or eth1 goes above 50Mbps, then some packets/frames will be dropped on the SPAN/Mirror port, i.e. eth2.

Professional network data mirroring devices: network tap, optical splitter, traffic replicator

February 13, 2011 No comments

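In ordinary networks, data is copied using the switch's port mirroring feature; in complex network environments, dedicated data mirroring equipment is still needed to capture the data.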


Multi-Tap Network Packet Capturing

January 28, 2011 No comments

Port Mirror vs Network Tap

January 28, 2011 No comments

For intrusion detection: which environments call for port mirroring, and which call for a TAP.

In order to analyze network traffic, it’s necessary to feed ntop/nProbe with network packets. There are two solutions to the problem:

Before explaining the differences between these two solutions, it’s important to understand how Ethernet works. At 100 Mbit and above, hosts usually speak full duplex, meaning that a host can both send and receive simultaneously. This means that on a 100 Mbit cable connected to a host, the total amount of traffic that the host can send/receive is 2 x 100 Mbit = 200 Mbit.
