Cyberspatial News

Understanding the Basics of Packet Data Acquisition

October 25, 2023

Packets are an essential source of data for network performance management (NPM) tools. They are the foundation of data truth that all network monitoring and security tools rely upon for analytics, forensics, threat detection, and performance monitoring. In order to be able to fully trust the reporting and results of your tools, you have to have full confidence in their data source; the packets.

EMA (Enterprise Management Associates) research has found that enterprises have greater success in applying NPM tools to performance monitoring and cloud application migration assessments when they use packets for those use cases. Packets are an essential component to forensic security analysis and real-time incident detection. In essence, without full and complete packets, it’s very hard to gain a full understanding as to what’s happening in the network.

The Basics of Packet Acquisition

Once you’ve determined that packets are the source of data you’re looking to get from a network link to send to tools for analysis, your next question to answer is, ‘How am I going to get those packets?’

Well your answer is simple. Either you use Network TAPs or SPAN (mirror) Ports.

Network TAPs, or test access points, are the most popular approach and best to mirroring traffic and sending it to NPM tools, with 50% of respondents in a recent EMA survey using TAPs as their packet acquisition method. TAPs are purpose-built, hardware devices that are physically connected to a network port via a fiber or copper cable. TAPs can take the workload of mirroring traffic off of your switch or router, alleviating the burden and ensuring performance isn’t degraded.

Using SPAN ports as your data acquisition method may seem simple at first, since you are configuring ports on a switch or router to act as a Switched Port Analyzer (SPAN). But that one choice can lead to problems later on. Many switches and routers can produce bad data when mirroring traffic from the SPAN port. This is in addition to dealing with oversubscription and a reduction in overall performance of the switch when traffic levels increase. These problems all occur because the switch was not originally designed for this use.

Network Capture using a SPAN.

Above, we have a sample network using a SPAN port. Below, the same network capture using a TAP.

Network Capture using TAP.

Not convinced yet?

Check out these other reasons why you don’t want to rely on SPAN ports:

  • Duplicate data packets can reduce the efficiency of your NPM tools
  • Missing data is not forwarded to NPM tools, which makes real-time monitoring and analysis difficult
  • They can lead to network blind spots depending on how the SPAN ports were initially set up.
  • User error - they require manual configuration, rather than a plug and play design.
  • Legal regulations - Timestamps are modified, leading to data being challenged in court when used for lawful intercept.

If you’re looking for true visibility and accuracy of your data packets, then Network TAPs are the clear choice to use as the foundation of your network visibility strategy. Starting with TAPs instead of SPAN ports ensures that your NPM tools will work efficiently and effectively.

<-- All Blogs