Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Tool Time: Page 9 of 15

Better choices are a mirror port on a switch or a network tap. Mirror or span ports on a switch take traffic off a target port, group of ports or VLAN and mirror it to a monitor-only port, to which you attach a protocol analyzer. Just be aware that you're limited to half the bandwidth on a full-duplex connection, because all the traffic is passing down the transmit wire pairs from the switch. Also, note that switches won't pass frames that have Layer 1 or 2 errors, such as frame CRC errors, so if you're troubleshooting a Layer 1 or 2 problem, you'll have to use a hub or a network tap.

Some switches let you transmit traffic out of the span port so it can be used as a network port. But you shouldn't use that feature, because you're injecting traffic into the traffic flow you're monitoring and could overrun the switch's capacity. Use a separate network port to send/ receive traffic.

Network taps sit in-line with the physical network and transparently pass electrical or optical signals through while shunting traffic off to an external port. Typically, network taps will forward traffic to the monitor port only when the tap is powered; otherwise, it will pass traffic through the wire but not out of the monitor port, so in the event of a power outage, your network won't be affected. Although a network tap has the distinct advantage of mirroring the physical signal to a monitor port so you can see all errors from Layer 1 on up, you can't just plug the monitor link into any old NIC and expect to see all traffic.





Network Tap to a Span Port

click to enlarge


Remember: On full duplex connections, a network tap turns both the A (transmit) and B (receive) wire pairs into transmit pairs. The NIC in your desktop is going to collect only on the receive pair, not the transmit pair, so you'll see only half the traffic.

There are two ways to work around this problem if you're using fiber. If your OS and NIC support interface binding, feed one fiber interface into one fiber NIC, and the second fiber interface to a second fiber NIC. Then, bond the two NICs together to form a virtual interface and use that interface for protocol analysis.