Network monitoring tasks such as user online behavior analysis, abnormal traffic monitoring, and network application monitoring all require you to collect network traffic. "Capturing" is not quite the right word for this. In practice, you copy the live network traffic and send the copy to the monitoring device. A network splitter, also known as a Network TAP, does exactly this job. Let's take a look at the definition of a Network TAP:
I. A Network Tap is a hardware device which provides a way to access the data flowing across a computer network. (from Wikipedia)
II. A Network Tap, also known as a Test Access Port, is a hardware device that plugs directly into a network cable and sends a piece of network communication to other devices. Network splitters are commonly used in network intrusion detection systems (IPS), network detectors, and profilers. Replicating communication to network devices is now typically done through a switching port analyzer (SPAN port), also known as port mirroring in network switching.
III. Network Taps are used to create permanent access ports for passive monitoring. A tap, or Test Access Port, can be set up between any two network devices, such as switches, routers and firewalls. It can function as an access port for monitoring devices used to collect in-line data, including intrusion detection systems, intrusion prevention systems deployed in passive mode, protocol analyzers and remote monitoring tools. (from NetOptics)
From the above three definitions, we can draw out several characteristics of a Network TAP: it is hardware, it is in-line, and it is transparent.
Here's a look at these features:
1. It is an independent piece of hardware. Because of this, it adds no load to existing network devices, which is a great advantage over port mirroring.
2. It is an in-line device. Simply put, it has to be connected into the network path. This has the disadvantage of introducing a point of failure, and because it sits in-line, the current network has to be interrupted at deployment time, to an extent that depends on where it is deployed.
3. Transparent describes its relationship to the current network. After the splitter is connected, it has no effect on any of the devices on the current network; to them it is completely transparent. The same applies to the traffic the splitter sends to the monitoring device: the monitoring device is also transparent to the network. It is as if you plugged a new appliance into a new electrical outlet. Nothing happens to the other existing appliances, including when you finally remove the appliance, which brings to mind the line of poetry, "Wave your sleeve and not a cloud"...
Many people are familiar with port mirroring. Yes, port mirroring can also achieve the same effect. Here is a comparison between Network Taps/Diverters and Port Mirroring:
1. Because a switch port itself filters out some error packets and undersized packets, port mirroring cannot guarantee that all traffic is obtained. A Network TAP, however, ensures the integrity of the data because the traffic is completely "copied" at the physical layer.
2. In terms of real-time performance, on some low-end switches port mirroring may introduce delays when it copies traffic to the mirroring port, and it also introduces delays when copying traffic from 10/100M ports to Gigabit ports.
3. Port mirroring requires that the bandwidth of the mirroring (destination) port be greater than or equal to the sum of the bandwidths of all mirrored (source) ports. However, this requirement may not be met by all switches.
4. Port mirroring needs to be configured on the switch. Whenever the areas to be monitored change, the switch needs to be reconfigured.
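The first point of the comparison can be made concrete with a short script. This is an added example, not code from the original page: it classifies raw Ethernet frames the way a switch port would (undersized frame, bad frame check sequence, or valid) and counts how many frames reach a TAP versus a mirror port. It assumes the switch drops every frame that is not valid before mirroring; the sample frames and all function names are constructed for illustration.

```python
import struct
import zlib

MIN_FRAME_LEN = 64  # IEEE 802.3 minimum frame size, header through FCS


def with_fcs(frame_without_fcs: bytes) -> bytes:
    """Append the Ethernet FCS (CRC-32, least significant byte first)."""
    return frame_without_fcs + struct.pack("<I", zlib.crc32(frame_without_fcs))


def classify(frame: bytes) -> str:
    """Classify a raw frame (FCS included) as a switch ingress port would."""
    if len(frame) < MIN_FRAME_LEN:
        return "runt"
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        return "fcs_error"
    return "ok"


def visibility(frames):
    """Count frames a TAP copies versus frames that survive to a mirror port."""
    counts = {"tap": 0, "mirror": 0, "runt": 0, "fcs_error": 0}
    for frame in frames:
        verdict = classify(frame)
        counts["tap"] += 1         # physical-layer copy: every frame is forwarded
        if verdict == "ok":
            counts["mirror"] += 1  # assumption: the switch drops anything else
        else:
            counts[verdict] += 1
    return counts


# Constructed sample frames (not captured traffic):
# destination MAC, source MAC, EtherType, then a zero-filled payload.
HEADER = bytes.fromhex("ffffffffffff" "020000000001" "0800")
GOOD = with_fcs(HEADER + bytes(46))   # 14 + 46 + 4 = 64 bytes, valid
RUNT = with_fcs(HEADER + bytes(20))   # 38 bytes, below the minimum
_damaged = bytearray(with_fcs(HEADER + bytes(100)))
_damaged[20] ^= 0x01                  # one bit flipped after the FCS was computed
CORRUPT = bytes(_damaged)
SAMPLE = [GOOD, RUNT, CORRUPT, GOOD]

if __name__ == "__main__":
    print(visibility(SAMPLE))
```

To run this on real traffic, the capture interface behind the TAP has to deliver frames with the FCS intact, since many network cards strip the FCS and discard errored frames themselves.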
Post time: Aug-05-2022