Welcome to the World of TAPs – our comprehensive coverage of articles about network TAPs.
Traditionally, monitoring an IT network only meant to keep an eye on the health and status of the hardware equipment which made up that network. As networks grew more complex, IT administrators felt the need to monitor the data traffic in addition to monitoring the hardware. Combined with information security concerns, traffic monitoring became a must for IT administrators. Today, real-time traffic monitoring is an integral part of most enterprise networks.
In order to monitor a traffic stream you need to be able to access and capture the data packets running over the network. There are two common ways to do this. One way is to copy and channel all traffic to a single output port, also known as SPAN port. However, this method is not recommended due to technical limitations. Another, much more recommended, way to access and capture traffic is by using network TAPs.
What is a Network TAP?
A network TAP, or simply TAP, stands for Test Access Point. It is a hardware device commonly used in computer networks to access the traffic flowing within a network.
The traffic, either data or voice, flowing within a network consists of packets travelling between various points. These packets contain the actual data or voice payload that one computer sends to another and vice versa.
Imagine a segment of network connecting two points A and B over a Gigabit Ethernet trunk. To be able to ‘see’ the traffic flowing over this gigabit trunk and capture the packets in real-time, you need to insert a TAP in between the points A and B.A typical TAP has at least 3 ports: two network ports (A and B), and a third monitoring port (M).
The Gigabit Ethernet trunk connecting the network segment points A and B would now have to pass through the TAP. This means that the trunk’s physical cable would be connected to the TAP. All traffic packets would continue to traverse through the A and B ports unobstructed.
All packets would also be copied on the monitoring port M. Thus, any system connected to the monitoring port M would be able to ‘see’ the packets in real-time.
Usually, the system connected to the monitoring port M is hosting either a network monitoring software, a network analyser, a packet sniffer, or a deep packet inspection tool, e.g. Wireshark.
Capture Network Packets
Most modern TAP manufacturers produce Aggregation TAPs. This allows capturing the traffic streams flowing in both directions, A to B and B to A, simultaneously. For example, if a network link allows 100 Mbps of data to flow in each direction at the same time, it means that the network port really allows 200 Mbps of aggregate throughput.
In case the TAP has only 3 ports, with the third port (M) being a Fast Ethernet NIC (100 Mbps), then this can be a problem for monitoring, because the total aggregate of the traffic streams of ports A and B would be 200 Mbps, which cannot be captured completely on an output port of 100 Mbps throughput.
The solution for this is to either have two monitoring ports, M1 and M2, or the monitoring port M should be of a higher throughput, e.g. Gigabit Ethernet (1 Gbps). In case of two monitoring ports, the host system receiving the packets would need to have link aggregation to merge the two links into one aggregate interface to see both directions of the traffic.
However, most modern TAPs do not face such problems as they have a full-scale solution to cater multiple streams of traffic by having multiple higher-end output (monitoring) ports.
A very important point to consider in TAPs is that they should not become a point of failure themselves in a network. This means that the network ports (A and B) should operate in true passthrough mode without depending on the power source or any other element of the TAP. Whenever there is a failure in power or the circuit board of the TAP, the network ports should connect to each other on a hardware level and bypass the TAP’s internal circuitry.
In the case of Gigabit Ethernet TAPs, this is achieved by having hardware relays built into the network ports which connect to each other in case of any failure in the TAP, allowing traffic to continue to flow between ports A and B.
In the case of Fast Ethernet TAPs, the network ports are galvanically separated from the rest of the TAP, ensuring that the link stays up at all times.
The speed of the hardware relays would determine whether its switching comes across as obtrusive or non-obtrusive. Because packet networks are sensitive to even microsecond delays, any TAP failure event and the subsequent relay switching between ports A and B can be detected as a glitch in the network.
In this case, the network switch would then reinitiate handshake procedure at the Ethernet layer, which can take up to 3 seconds for link restoration. Hence a minor downtime (packet drop, ping loss, link loss, etc.) can be reported in the network. Some of the advanced TAPs available today bypass this problem by having network ports with nanosecond hardware relays in non-blocking design.
In addition to monitoring, network TAPs are also used for security applications, e.g. network intrusion detection/prevention systems (IDS/IPS), security event and incident management (SEIM), packet sniffers, and similar other platforms that require access to a network segment.
TAP devices are used in security applications because they are non-intrusive and are undetectable on the network (having no physical or logical address). More about the Different Types of Network TAPs in this article.
TAP technology has evolved rapidly in the past few years and there is a wide variety of TAPs available on the market today. Some are copper-based and some are for fiber-optic. We will cover all of them in our next episode of the World of TAPs. Stay tuned for more updates.
Continue reading the 2nd part of The World of TAPs here.