WHAT DO I NEED NETWORKS TAPS FOR?

The term TAP is an abbreviation and stands for Test Access Port. A Network TAP, also called Ethernet TAP , creates a passive access point to a network connection, with which the data signals transmitted via the cable can be read and evaluated for analysis purposes.

Once installed, all data traffic can be made available for various monitoring applications transparently, quickly, easily and without impairing the active network line with the help of a TAP.

A Network TAP works on OSI Layer 1 and does not have a MAC address. It is therefore invisible in the network and cannot be detected by any attacker. This is indispensable in network forensics and security, as otherwise criminals could take the TAP into account.

The use of TAPs has another advantage: You decide where you want to access the data. This flexibility is of great benefit, as you are able to greatly influence and improve the quality of your measurement results.Network TAPs are passive components and do not affect the original data traffic in any way.

Thanks to the additional “fail-open” technology in the Ethernet copper TAPs, the data line is also switched through in the event of a power failure, the Network TAP works like a cable bridge and protects your productive network from failure. This means that you receive accurate data for error-free analysis directly from the line.

By using SPAN ports, however, the result can be falsified, as this technology works in store-and-forward mode and discards FCS/CRC errors at OSI Layer 2 instead of outputting them to the Mirror Port. In contrast, Ethernet taps remove these critical CRC errors without affecting the original data.

Furthermore, a Network TAP with copper or SFP monitoring port works like a diode and does not allow access to the network via the monitoring ports for security reasons. Professional network analysis is therefore only guaranteed by using TAPs.

In addition, when using multiple TAPs, you get a much more accurate measurement result and can identify network and application errors even faster and more precisely. This saves you valuable time troubleshooting network errors.

Instead of the complex configuration of SPAN ports, Network TAPs can be plug’n play installed and put into operation without any prior technical knowledge. Cisco, the world’s leading network equipment supplier, therefore advises against using such SPAN ports for network analysis with good reason.

Due to the way they work, Network TAPs have another decisive advantage: They completely divert the bi-directional data traffic. This means that you receive the send and receive directions of a full duplex line separately and can therefore, for example, analyze a 1G line loss-free even with a maximum load of 2Gbps.

As a result, you need two network interfaces on the analyzer to record the network data.Using this method, the sending and receiving directions can be easily differentiated from one another, which eliminates another source of error.

SPAN ports, on the other hand, have to aggregate this data in the memory before it is passed on to the SPAN port, but this is not one of the primary tasks of a switch and thus has a significant negative impact on the quality of the analysis result. Furthermore, due to the use of mirror ports, the switch processor is used more heavily, which can result in data loss on the SPAN port.

Experts therefore only recommend the use of Network (Ethernet) TAPs for loss-free and reliable recording of network data!

You can find more detailed information on the topic of Network TAP vs SPAN/Mirror Port in our Whitepaper.

Aggregation TAPs have the ability to bundle several data streams or, as the name suggests, to aggregate them. This results in a significant advantage: you can use this technology to evaluate the data from several lines simultaneously using a single network interface on your analyzer.

When a single network connection is aggregated, it is referred to as a Port Aggregation TAP.
If aggregation is exercised on multiple lines, this technique is called Link Aggregation.

The diagram below shows the schematic of a Port Aggregator. As you can see on this picture, the TX & RX line of a network connection is aggregated to Monitoring port A & B respectively, so you are able to capture the data of a full duplex route bundled with only one network port.
Thus, Monitoring port A and B each receive the entire traffic of a route and, using this Aggregation TAP, one could send the network data to an analyzer such as OmniPeek or Wireshark for analysis purposes and simultaneously have the network traffic monitored by a security device such as an IDS.

Furthermore, our Aggregation TAPs can also be operated in TAP mode, also called Break-out mode, and can be conveniently switched between these functions by means of a DIP switch. This is a significant advantage and allows you to use the Aggregation TAP like a conventional TAP for analysis purposes if needed.

In addition, a Port Aggregation TAP can also be used as a Regeneration TAP. In this case the applied signal on Network port A is copied to Network port B, Monitoring port A and Monitoring port B. This is a convenient way to multiply a simple signal to up to 3 ports without complex configuration, which allows you to analyze the applied data with 3 different monitoring tools simultaneously.

Since Network TAPs are usually installed in critical network lines, it must be ensured that TAPs do not affect the line in any way.

By means of fail-safe, the TAP behaves like a cable bridge in the event of a failure or arbitrary deactivation and ensures that the active network connection is not interrupted or at least continues to function without the TAP function and thus does not negatively affect the active line.

In the event of a power failure, the active network connection is not interrupted! Only the devices connected to the monitoring port are no longer supplied with data.

In order to tap data from an optical network connection, it is necessary to decouple or split a part of the available light signal.

The split ratio is the ratio of the amount of light that is still available for the fibre optic network connection in relation to the amount of light that is diverted or split off to the monitoring ports of the (passive) fibre optic Network TAPs.

A split ratio of e.g. 70/30 means that 70% of the light is still available for the network connection and 30% is split off for the monitoring ports.

However, as these TAPs have a copper or SFP-based monitoring output, 100% signal strength is available by means of OEO conversion – i.e. conversion of the optical signal into an electrical signal – in contrast to fibre-based monitoring ports.