Cyberspatial News

7 reasons why you shouldn’t choose SPAN as a real visibility access device

October 19, 2023

Every day I come across network techs who continue to rely on SPAN ports as their network access method. This blows my mind, as it has been shown time and again why you shouldn't rely on SPAN ports. Let me share with you some of the reasons why:

First - Spanning or mirroring changes the timing of the frame interaction (what you see is not what really happened).

Second - Spanning is not the primary function of the device; switching and routing are, so spanning is never the first priority. When replicating a frame becomes a burden, the hardware will temporarily drop the SPAN process, resulting in dropped frames and timing that is way off.

Third - If the bus feeding the SPAN port becomes overloaded, frames are simply dropped, along with any frames that are corrupted in any way.

Fourth – Proper spanning requires that a network engineer configure the switches correctly through command-line configuration, which takes time away from the more important tasks network engineers have. Configuration changes often become a political issue, creating constant contention between the IT team, the security team, and the compliance team.

Fifth – A SPAN port drops all frames that are corrupt, undersized, or oversized, so not all frames are passed on. Any of these events can occur without any notification to the user, so there is no guarantee you will get all the data required for proper analysis. CRC-corrupted frames can stem from many different problems, and they are important to know about.

Sixth - A SPAN port is not a passive visibility technology. Some may say that SPAN port access is a passive data access solution, but passive means "having no effect". Spanning (mirroring) has measurable, non-repeatable and variable effects on the data that is delivered to analysis and storage equipment.

Seventh - SPAN ports are not a scalable technology. With Gigabit, 10 Gigabit and faster links, the maximum bandwidth is twice the base bandwidth, so a full-duplex (FDX) Gigabit link carries up to 2 Gigabits of data and a 10 Gigabit FDX link up to 20 Gigabits of potential data (minus interframe gaps).

No switch or router can replicate/mirror all of this data while also doing its primary job of switching and routing. It is difficult, if not impossible, to pass all frames (good and bad), including FDX traffic at full line rate, in real time at non-blocking, no-loss speeds.
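To put numbers on the seventh point, here is a small SPAN oversubscription calculator. This is an added example, not code from Cyberspatial or Teleseer; it assumes standard Ethernet wire overhead of 20 bytes per frame (7-byte preamble, 1-byte SFD, 12-byte interframe gap) and that the switch mirrors both ingress and egress of a full-duplex port onto one SPAN destination port.

```python
"""SPAN oversubscription calculator (added example, not the post's own code)."""
from dataclasses import dataclass

# Per-frame overhead on the wire that consumes link time but carries no data:
# 7-byte preamble + 1-byte start-of-frame delimiter + 12-byte interframe gap.
WIRE_OVERHEAD_BYTES = 8 + 12


@dataclass(frozen=True)
class MirroredPort:
    name: str
    speed_bps: int          # nominal speed of ONE direction of the link
    full_duplex: bool = True  # FDX: both directions are mirrored


def max_frames_per_second(speed_bps: int, frame_bytes: int) -> float:
    """Line-rate frame rate for one direction at a given frame size."""
    bits_per_slot = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return speed_bps / bits_per_slot


def span_oversubscription(ports, destination_bps: int, frame_bytes: int = 64) -> dict:
    """Worst-case demand placed on a single SPAN destination port.

    demand_bps  : bits/s the switch must replicate if every mirrored link is busy
    ratio       : demand divided by what the SPAN destination can carry (>1 = loss)
    dropped_fps : frames/s that cannot fit at the given frame size (0 if none)
    """
    directions = lambda p: 2 if p.full_duplex else 1
    demand_bps = sum(p.speed_bps * directions(p) for p in ports)
    offered_fps = sum(max_frames_per_second(p.speed_bps, frame_bytes) * directions(p)
                      for p in ports)
    capacity_fps = max_frames_per_second(destination_bps, frame_bytes)
    return {
        "demand_bps": demand_bps,
        "ratio": demand_bps / destination_bps,
        "dropped_fps": max(0.0, offered_fps - capacity_fps),
    }


if __name__ == "__main__":
    # One busy FDX Gigabit link mirrored onto a Gigabit SPAN port: 2:1 oversubscribed.
    gig = span_oversubscription([MirroredPort("gi0/1", 1_000_000_000)], 1_000_000_000)
    print(f"1G FDX -> 1G SPAN: ratio {gig['ratio']:.1f}, "
          f"up to {gig['dropped_fps']:,.0f} 64-byte frames/s dropped")
    # Same shape of problem at 10G: 20 Gbit/s of potential data into a 10G port.
    ten = span_oversubscription([MirroredPort("te1/1", 10_000_000_000)], 10_000_000_000)
    print(f"10G FDX -> 10G SPAN: demand {ten['demand_bps'] / 1e9:.0f} Gbit/s")
```

Frame-size matters because small frames maximise the per-frame overhead; rerun with `frame_bytes=1518` to see the bit-rate ratio unchanged while the frames-per-second figure drops.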

In summary, the fact that a SPAN port is not a passive data visibility access technology, or even entirely non-intrusive, can be a problem, particularly for data security and compliance monitoring or lawful intercept. Since there is no guarantee of absolute fidelity, evidence gathered through this monitoring process is likely to be challenged in a court of law.

We recommend the industry best practice of using network TAPs to capture PCAP data for analysis in Teleseer.

As the saying goes, "PCAP, or it didn't happen."
