Profitap Blog

How to monitor network traffic (TAP vs. SPAN)

by Profitap | May 19, 2017 | Insights, ProfiShark, Copper, Fiber, Datacenter, Field service

When it comes to monitoring network traffic, there are only two choices if you don’t want to stand directly behind the user as they go about their business. This article will give an overview of a network TAP (Test Access Point) and a SPAN (Switch Port Analyzer).

To TAP or to SPAN large.pngSPAN

SPAN, also called Port mirroring or Roving Analysis Port, monitors network traffic by copying most of the packets going through the switch. This traffic is then sent to another port where the network traffic analyzer is connected. Unfortunately, “most of the packets” does not mean “all of the packets.” Errors, for example, will not be copied by default. Additionally, the particular monitoring settings determined by the individual engineer will also affect the flow of information.

SPAN is most often used on simpler systems to monitor multiple stations at once. The exact amount of network traffic that it is able to monitor depends on precisely where the SPAN is installed in relation to the data center equipment. You might get only what you want to see, and you can easily wind up seeing much more than you need. Spanning an entire VLAN, for instance, can result in multiple copies of the same data. This makes LAN troubleshooting more difficult and can also impact the speed of the switch's CPU or affect Ethernet throughput tests.

Basically, the more you SPAN, the more likely you are to drop packets, however, the fact that SPANs can be managed remotely, unlike network TAPs, means that changing the configuration is less time consuming, but still requires a network engineer.

SPAN ports are not a passive technology, as some have claimed, since they can have other measurable effects on network traffic including:

  •   Changing the timing of the frame interactions
  •   Dropping packets due to oversubscription
  •   Discarding corrupt packets without notification, hindering analysis

SPAN ports are therefore better suited to situations where dropped packets do not affect analysis.


In contrast, a network TAP requires money to be spent upfront on the hardware, but as a bonus it do not require much setup. In fact, because it is a passive tap, this device can connect and disconnect to the network without affecting it.

TAP devices provide a way to view packets of all sizes and types, including short and jumbo frames (as well as physical layer errors) as they flow throughout the network. This makes it a better choice for network security tools and performance monitoring tools since it can provide more accurate data than SPAN ports. In this system, "monitor ports" watch over all of the traffic on the network, which is called "pass-through" traffic, as it is not affected by the TAP.

Because they do not affect the packets, TAPs can be considered a truly passive way to view network traffic. We will cover others in future articles, but essentially there are three different types of TAPs.

  •      Network TAPs (1:1 ratio)
  •      Aggregation TAPs (Many:1)
  •      Regeneration TAPs (1:Many)

TAPs work by copying all traffic to either a single location, usually a passive monitoring tool, or to several locations running various tools. This typically involves a high-density network packet broker (NPB) splitting traffic up between a variety of network monitoring tools, quality of service (QOS) testing tools, and packet sniffer tools such as Wireshark.

Additionally there are different types of network TAPs depending on the type of cable, i.e. passive fiber TAPs and copper TAPs. Both work in essentially the same way, splitting part of the signal off to the network traffic analyzer while the main signal continues on its way uninterrupted. For fiber TAPs, it is the light beam that is split in two, while in the copper system, the electrical signal is copied.

Comparing the Two

To begin with, SPAN ports cannot handle the traffic of a full duplex 1G link.  Even under circumstances that seem to fall below their maximum capacity, they can quickly become overburdened and drop packets. This can also happen because the switch prioritizes regular port-to-port date above SPAN port data. Unlike a TAP device, SPAN ports filter out physical layer errors, making some types of analyses more difficult. And as we have seen, incorrect delta times and altered frames can cause additional problems. TAPs, on the other hand, are capable of running full duplex 1G links without dropping packets.

TAPs can also handle full packet captures and carry out deep packet inspections for protocol, non-compliance, intrusions, etc. Because of this, TAP data are admissible in a court of law as evidence whereas SPAN port data are not.

Security is another area where there are differences between the two technologies. SPAN ports are often configured for unidirectional traffic, but they can also receive traffic in some instances, creating a critical vulnerability. Conversely, TAPs cannot be addressed, have no IP address, and therefore cannot be hacked.

SPAN ports are still a useful tool for network administrators, but when speed and reliable access to all the network data are crucial, TAPs are the obvious choice. When deciding which approach to take, SPAN ports are better suited for lower utilized networks where dropped packets will not affect analysis or in situations where cost is a factor. On heavier traffic networks, however, the capacity, security, and reliability of TAPs will provide crucial full visibility into the traffic on your network without worrying that packets are being dropped or physical layer errors are being filtered out.

New Call-to-action