The Problem
To grasp the concepts of TAP and SPAN, it is crucial to first understand the challenge they address. Picture yourself overseeing a network where it becomes necessary to observe the data traveling over a connection. This monitoring could be for various reasons: perhaps you are troubleshooting to pinpoint network communication issues or aiming to optimize the network. You could also be monitoring the network to detect intruders.
Regardless of why you want to capture network traffic, your fundamental goal is to acquire a copy of the network traffic traveling over a network link. The copy of this data stream becomes a valuable tool for analyzing or monitoring the traffic on that link. Importantly, since you are working with a copy, there’s no impact or disruption to the actual flow of network traffic. In essence, you become a silent observer of the network, seamlessly monitoring all activities without causing any interference or disturbance.
Let’s have a look at how a TAP and SPAN achieve this.
TAP vs SPAN
TAP stands for Test Access Point. A TAP is integrated into a network by physically inserting it into the cable run between two network devices, such as switches, routers or firewalls. It has at least three ports: one for the incoming data stream, one for the outgoing data stream and one or more monitor ports.
The example shown here is for Ethernet. These devices are also available for fiber and other network types. The first example has one incoming, one outgoing and one monitor port. The second example has two incoming, two outgoing and two monitor ports. There is also one big difference between the two: the first is active, that is, it requires power to operate, while the second is passive and does not require power.
For active TAPs, in the event of a power outage, most are designed to automatically switch to a pass-through mode. This will mean the network will not be affected; however, monitoring will not be available until the power is restored.
SPAN, or Switched Port Analyzer, in contrast to TAP, requires a network switch that supports it. A SPAN port may also be referred to as a mirror port. SPAN does not appear on the exam objectives but is talked about in the official study guide. In the real world, SPAN will in most cases be used over TAP simply because it is the more convenient option. There are some differences between the two which I will look at in a moment.
To utilize SPAN, you just need to configure a port as a monitoring port on your switch that supports this feature. SPAN ports are often a feature of managed switches, but it is best to check before you purchase the switch. Businesses will often purchase managed switches, so there is a good chance your company has some that already support this feature. For this reason, you can see why SPAN ports are often used in the real world rather than a TAP since there is a good chance you already have the hardware. However, there are reasons why you would want to use a TAP over a SPAN.
Difference between TAP and SPAN
While both TAP and SPAN facilitate the creation of a data stream for analysis and monitoring, they operate in distinct ways. Specifically, a TAP generates an identical replica of your data, inclusive of any errors present. This feature is particularly valuable for troubleshooting scenarios where identifying and analyzing errors in a connection is crucial. If your objective is to diagnose a connection that is generating errors, utilizing a TAP is a good choice, as it ensures you have a comprehensive and unaltered view of the data, errors included.
SPAN, in contrast, does not create an identical copy and, in fact, can drop packets. This happens for two main reasons. The first is packet errors: if there is something wrong with a packet (for example, it is incomplete or corrupt), the packet will be dropped. If you are troubleshooting a network problem (for example, a damaged cable that is causing packets to be dropped), you won’t be able to detect this using SPAN. If you are not using TAP or prefer to use SPAN, you can always look in the switch’s reports to see if packets are being dropped.
The other reason packets can be dropped is network congestion at the switch. Switches have limited processing power and memory, and if they get overloaded, they can drop packets. SPAN allows you to monitor multiple incoming ports; therefore, the combined traffic from these ports may be greater than the monitor port can accept. When this occurs, the switch will drop packets. Keep this in mind when using SPAN, as you may not be getting all the packets. If the switch is not congested and there are no error packets, you should be getting an accurate representation of the traffic on the network.
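The congestion case described above can be shown with a small model of one monitor port fed by several mirrored source ports. This is an added example, not part of the original video or study guide; the 100-frames-per-tick line rate, the 50-frame buffer and the traffic patterns are constructed assumptions, not figures for any particular switch.

```python
# Added illustration (not from the original page): a simple queue model of
# one SPAN monitor port. All numbers are constructed; "100 frames per tick"
# stands for the line rate of the monitor port.

def simulate_span(source_loads, monitor_capacity=100, buffer_frames=50):
    """Return (mirrored, dropped) frame counts for one mirror session.

    source_loads:     one list per mirrored source port, frames seen per tick
    monitor_capacity: frames the monitor port can transmit per tick
    buffer_frames:    frames the switch can queue for the monitor port
    """
    queued = mirrored = dropped = 0
    ticks = max(len(load) for load in source_loads)
    for t in range(ticks):
        # Copies from every mirrored port compete for the same monitor port.
        arriving = sum(load[t] for load in source_loads if t < len(load))
        available = queued + arriving
        sent = min(available, monitor_capacity)
        leftover = available - sent
        queued = min(leftover, buffer_frames)  # whatever fits waits its turn
        dropped += leftover - queued           # the rest never reaches the analyzer
        mirrored += sent
    return mirrored + queued, dropped          # the queue drains once traffic stops


# Constructed traffic patterns (frames per tick, per mirrored source port).
SCENARIOS = {
    "one port at 60% load": [[60] * 10],
    "two ports at 60% load each": [[60] * 10, [60] * 10],
    "three ports bursting, 75% average": [[100, 0, 0, 0] * 2] * 3,
}


def report():
    """Return (name, offered, mirrored, dropped) for each scenario."""
    rows = []
    for name, loads in SCENARIOS.items():
        mirrored, dropped = simulate_span(loads)
        rows.append((name, mirrored + dropped, mirrored, dropped))
    return rows


if __name__ == "__main__":
    for name, offered, mirrored, dropped in report():
        print(f"{name:36} offered={offered:5} mirrored={mirrored:5} "
              f"dropped={dropped:5} ({dropped / offered:.0%} lost)")
```

The third scenario is the one to watch for in practice: the average load is below the monitor port's capacity, yet half the frames are lost because the bursts arrive together and overflow the buffer.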
Example LAN TAP (Passive)
Let’s explore an example of a passive LAN TAP designed for twisted pair networks. These passive LAN TAPs feature a straightforward design, simple enough for a tech enthusiast to build. However, they are also quite affordable to buy, so it may not be cost-effective to invest time in constructing one yourself. This balance of simplicity and cost-efficiency makes them an accessible option for anyone looking to monitor network traffic. However, these basic LAN TAPs are limited to 100 Megabits per second. To get higher speeds, you will need to use a more expensive active TAP.
One such design, the “Throwing Star,” is named for its visual resemblance to a throwing star. However, it’s important to note its limitations. As simple passive devices, they work as a traditional network hub by mirroring the incoming traffic across multiple ports. Consequently, this architecture restricts the network speed to 100 Megabits per second. Modern networks will generally run at a minimum speed of 1 Gigabit per second. If you do decide to purchase one of these, just be aware of the speed limitation.
I will now demonstrate how to use a throwing star. In this example, I have a switch connected to a router. I want to monitor all the traffic going from the switch to the router. To do this, the throwing star will need to be connected between them. The network you want to monitor is plugged in on the left and right sides. The top and bottom ports are for monitoring.
I will first unplug the network cable from the router and plug it into the left side of the throwing star. Next, I will plug a network cable from the router into the right side of the throwing star. The throwing star will now transfer traffic from one side to the other. The next step is to plug in the monitoring port.
In this demonstration, I will use a computer to monitor network traffic. Typically, I would install packet-sniffing software, such as Wireshark, on the computer to analyze the network traffic. Wireshark is a free open-source network protocol analyzer which captures and analyzes network traffic in real time. It provides detailed insights into network activities, supporting a vast array of protocols.
The next step involves connecting the computer to the throwing star. Although I have used a computer running Wireshark in the example, you could also plug a physical network analyzing device into the throwing star.
You can see that the process of setting up a throwing star is pretty simple. If you are installing a network TAP, it is the same process. Just make sure you plug the cables into the correct ports.
SPAN Setup
To set up SPAN, you need to connect the device you want to monitor (a router in this example) to a compatible switch. The next step involves configuring one of the switch’s ports as a dedicated monitor port. It is important to note that the configuration process can vary depending on the switch model. Once the monitor port is set up, you can then connect the device you will use for network traffic monitoring, in this example, a computer running Wireshark. This setup allows you to effectively observe and analyze the network traffic passing through the monitored device.
The process is pretty simple, so you can understand why many network administrators will use this when they need to troubleshoot network problems. As a lot of businesses purchase switches that support this feature, no additional hardware is required.
End Screen
That concludes this video from ITFreeTraining on TAP and SPAN. I hope you have found this video informative, and I hope to see you in other videos from us. Until the next video from us, I would like to thank you for watching.
References
“The Official CompTIA A+ Core Study Guide (Exam 220-1101)” page 140
Credits
Trainer: Austin Mason http://ITFreeTraining.com
Voice Talent: HP Lewis http://hplewis.com
Quality Assurance: Brett Batson http://www.pbb-proofreading.uk