Packets are an essential source of data for network performance management (NPM) tools. They are the foundation of data truth that all network monitoring and security tools rely upon for analytics, forensics, threat detection, and performance monitoring. In order to be able to fully trust the reporting and results of your tools, you have to have full confidence in their data source; the packets.
EMA (Enterprise Management Associates) research has found that enterprises have greater success in applying NPM tools to performance monitoring and cloud application migration assessments when they use packets for those use cases. Packets are an essential component to forensic security analysis and real-time incident detection. In essence, without full and complete packets, it’s very hard to gain a full understanding as to what’s happening in the network.
Once you’ve determined that packets are the source of data you’re looking to get from a network link to send to tools for analysis, your next question to answer is, ‘How am I going to get those packets?’
Well your answer is simple. Either you use Network TAPs or SPAN (mirror) Ports.
Network TAPs, or test access points, are the most popular approach and best to mirroring traffic and sending it to NPM tools, with 50% of respondents in a recent EMA survey using TAPs as their packet acquisition method. TAPs are purpose-built, hardware devices that are physically connected to a network port via a fiber or copper cable. TAPs can take the workload of mirroring traffic off of your switch or router, alleviating the burden and ensuring performance isn’t degraded.
Using SPAN ports as your data acquisition method may seem simple at first, since you are configuring ports on a switch or router to act as a Switched Port Analyzer (SPAN). But that one choice can lead to problems later on. Many switches and routers can produce bad data when mirroring traffic from the SPAN port. This is in addition to dealing with oversubscription and a reduction in overall performance of the switch when traffic levels increase. These problems all occur because the switch was not originally designed for this use.
Above, we have a sample network using a SPAN port. Below, the same network capture using a TAP.
Not convinced yet?
Check out these other reasons why you don’t want to rely on SPAN ports:
If you’re looking for true visibility and accuracy of your data packets, then Network TAPs are the clear choice to use as the foundation of your network visibility strategy. Starting with TAPs instead of SPAN ports ensures that your NPM tools will work efficiently and effectively.