The use of TAP devices in today’s enterprise networks is inevitable. From network monitoring platforms to packet analysers and from intrusion detection & prevention systems to security forensic applications – network TAPs are now an integral part.
While most data centers have full-scale Test Access Point (TAP) solutions, catering to copper and fiber connections, there are certain cases where a portable solution is required instead of a rack-mounted version. Cases where a quick and easy install is needed to start capturing packets instantly. Troubleshooting a particular segment of network in the field, collecting forensic evidence in an external environment or performing deep packet inspection to aid security applications are amongst such cases.
We felt that need too during our interactions with IT engineers. However, portability does not necessarily mean compromising performance.
Therefore, we set out to design a network TAP which is ultra portable and yet packed with power. We wanted to have the same level of traffic streaming capability in our portable unit as found in most standard rack-mount versions, so it could be installed on most gigabit switch trunks whether inside a data center or in an office LAN.
Our ProfiShark 1G is an all-in-one, pocket-sized, full-featured portable network TAP perfect for any type of troubleshooting, inside the data center or out on the field. This handy tool comes with two Gigabit network ports (A and B) which are able to capture traffic at 1 Gbps from each direction of a network segment.
Capturing the two traffic streams together and transporting them to the host system at actual wire-rate is important. A network link allowing 1 Gbps of data to flow in each direction at the same time means that the two network ports A and B actually capture 2 Gbps of traffic inside the TAP. And in the case the TAP has only 3 ports, with the third being the monitoring port (M) connected to a Gigabit Ethernet NIC, this could be a problem, because the total aggregate of the traffic streams of ports A and B would be 2 Gbps, which cannot be transported completely to an output port of 1 Gbps.
To go around this limitation, most other TAPs would have two monitoring ports, e.g. M1 and M2, both connected to the host computer over two 1 Gbps links. The host computer receiving the packets would also need to have dual Gigabit NICs and perform link aggregation to merge the two links into one aggregate interface to see both directions of the traffic. Find out more about the evolution of portable network TAPs here.
We wanted to make our portable network TAP powerful enough and yet simple. So we kept two provisions in our hardware design.
First, we designed the ProfiShark 1G to work as an aggregation TAP. An aggregation TAP combines or aggregates the two network links, coming via network ports A and B, and produces a single aggregated stream of packets for the host computer to receive. The aggregation happens at the hardware level, inside the TAP device, via a built-in buffer to combine the two traffic streams. Most other TAPs use an internal buffer too; however, the result is either packet drops at increased data bursts or a significant impact on the packet timing which is not suitable at all for real-time protocol analysis.
The best way to overcome this limitation is to transport the aggregated traffic to an output having a higher data rate than the input.
This is where the second provision of our design comes in. We did not use a Gigabit NIC as the monitoring/output port in the ProfiShark 1G. Instead, we utilised the power of a USB 3.0 port. USB 3.0 is the third major revision of the Universal Serial Bus standard, which uses a new transfer mode, SuperSpeed, that can transfer data at up to 5 Gbps. The increased bandwidth in USB 3.0 comes because of USB 3.0 using two unidirectional data paths, one to receive data and the other to transmit. This enables it to transfer data at 5 Gbps. Hence it can easily transport 2 Gbps of aggregated traffic streams (1G each from ports A and B) over a USB 3.0 link.
And because it connects to the host computer over a USB port, the best part of our plug and play tool is that it is not dependent on an external power source. Combine it with a laptop and you have a full troubleshooting kit ready to use at any location without depending on a power source.
ProfiShark 1G captures packets and copies them directly to a host computer’s disk at full line-rate speed of 1 Gbps from each direction. All packets are captured in real-time with nanosecond resolution timestamping on each packet, which allows for accurate analysis of each captured packet.
It has the ability to capture any type of frame, be it VLAN, VXLAN, MPLS, etc., between 10 bytes and 10 Kilobytes. Also, this best-selling network TAP captures low level error frames, e.g. CRC errors, which makes it a perfect tool to perform troubleshooting at the lowest level as well.
On top of that, we designed it to be PoE (Power over Ethernet) compliant, allowing the network links to continue transporting power to the network equipments without any hindrance.