Network tap

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Charles Matthews (talk | contribs) at 20:05, 30 December 2006 (sp). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

A network tap is a hardware device which provides a way to access the data flowing across a computer network. Computer networks, including the Internet, are collections of devices, such as computers, routers, and switches, that are connected to each other. The connections can utilize different technologies, such as Ethernet, 802.11, FDDI, and ATM. In many cases, it is desirable for a third party to monitor the network traffic between two points in the network, point A and point B. If the network between points A and B consists of a physical cable, a network tap may be the best way to accomplish this monitoring. The network tap has at least three ports -- an A port, a B port, and a monitor port. To place a tap between points A and B, the network cable between point A and point B is replaced with a pair of cables, one going to the tap's A port, one going to the tap's B port. The tap passes through all traffic between A and B, so A and B still think they are connected to each other, but the tap also copies the traffic between A and B to its monitor port, enabling a third party to listen.

Network taps are commonly used for network intrusion detection systems, network probes, RMON probes, packet sniffers, and other monitoring and collection devices and software that require access to a network segment. Taps are used in security applications because they are non-obtrusive, are not detectable on the network, can deal with full-duplex and non-shared networks, and will usually pass-through traffic even if the tap stops working or loses power.

Terminology

The term network tap is analogous to phone tap or vampire tap. Some vendors have phrases for which TAP is an acronym, for example Datacom Systems uses test access port and Network Critical uses test access point; however, those are most likely bacronyms.

The monitored traffic is sometimes referred to as the pass-through traffic, while the ports that are used for monitoring are the monitor ports.

Vendors will tend to use terms in their marketing such as passive, regeneration, inline power, and others. Common meanings will be discussed later. Unfortunately, vendors do not use such terms consistently. Before buying any products, be sure to understand the available features, and check with vendors or read the product literature closely to figure out how marketing terms correspond to reality.

Advantages and Features

Older network technologies tended to be shared. Connecting a monitoring device to a shared network segment (i.e. a piece of a network) was very easy -- just connect the monitoring device as you would any other host, and enable promiscuous mode. Modern network technologies tend to be switched, meaning that devices are connected using point-to-point links. If a monitoring device is connected to such a network, it will only see its own traffic. The network tap allows the monitoring device to view the contents of a point-to-point link.

Modern network technologies are often full-duplex, meaning that data can travel in both directions at the same time. If a network link allows 100 Mbps of data to flow in each direction at the same time, the network really allows 200 Mbps of aggregate throughput. This can present a problem for monitoring technologies if they have only one monitor port. Network taps for full-duplex technologies therefore usually have two monitor ports, one for each half of the connection. The listener must use channel bonding to merge the two connections into one aggregate interface to see both halves of the traffic. Other monitoring technologies do not deal well with the full-duplex problem.

Once a network tap is in place, the network can be monitored without interfering with the network itself. Other network monitoring solutions require in-band changes to network devices, which means that monitoring can impact the devices being monitored.

Once a tap is in place, a monitoring device can be connected to it as-needed without impacting the monitored network.

Some taps have multiple output ports, or multiple pairs of output ports for full-duplex, to allow more than one device to monitor the network at the tap point. These are often called regeneration taps.

Some taps, particularly fiber taps, can use no power and no electronics at all for the pass-through and monitor portion of the network traffic. This means that the tap should never suffer any kind of electronics failure or power failure that results in a loss of network connectivity. One way this can work, for fiber-based network technologies, is that the tap divides the incoming light using a simple physical apparatus into two outputs, one for the pass-through, one for the monitor. This can be called a passive tap. Other taps use no power or electronics for the pass-through, but do use power and electronics for the monitor port. These can also be referred to as passive.

Some taps operate at the physical layer of the OSI model rather than the data link layer. For example, they work with multi-mode fiber rather than 1000BASE-SX. This means that they can work with most data link network technologies that use that physical media, such as ATM and some forms of Ethernet. Network taps that act as simple optical splitters, sometimes called passive taps (although that term is not used consistently) can have this property.

Some network taps offer both duplication of network traffic for monitoring devices and SNMP services. These are called iTaps and were introduced by Net Optics, Inc., a major manufacturer of network taps. Net Optics calls these network taps "intelligent" because they monitor a handful of basic traffic statistics, such as bandwidth utilization, and make this information available to SNMP management tools. This network tap hybrid can be very helpful to network managers who wish to view baseline performance statistics without diverting existing tools. Alternatively, SNMP alarms generated by Net Optics iTaps can alert network managers to link conditions that merit examination by analyzers or intrusion detection systems.

Some taps get some of their power (i.e. for the pass-through) or all of their power (i.e. for both pass-through and monitor) from the network itself. These can be referred to as having inline power.

Some taps can also reproduce low-level network errors.

Disadvantages and Problems

Network taps require additional hardware, so are not as cheap as technologies that leverage capabilities that are built-in to the network.

Network taps can require channel bonding on monitoring devices to get around the problem with full-duplex discussed above.
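The full-duplex issue raised under Advantages and Features and again here has two practical consequences for the listener: the two monitor ports each deliver one direction of the traffic, so the captures must be merged before any tool can see a whole conversation, and the merged stream can carry up to twice the rate of either half, so a monitoring device whose port is no faster than the tapped link will drop frames. The following is an added illustration, not code from the article or from any tap vendor; the frame layout, timestamps and function names are constructed for the example.

```python
from dataclasses import dataclass
from heapq import merge
from collections import defaultdict


@dataclass(frozen=True)
class Frame:
    ts_us: int        # capture timestamp in microseconds
    direction: str    # which monitor port saw the frame: "A->B" or "B->A"
    length: int       # frame length in bytes


def bond_monitor_ports(port_a_to_b, port_b_to_a):
    """Merge the two half-duplex capture streams from a full-duplex tap
    into one time-ordered stream, as the listener's bonded interface does.
    Each input must already be in timestamp order, as a capture is."""
    return list(merge(port_a_to_b, port_b_to_a, key=lambda f: f.ts_us))


def peak_rate_mbps(frames, window_us=1000):
    """Peak offered load over any fixed window; bits per microsecond
    is numerically equal to Mbit/s, so no further unit conversion."""
    bits_per_window = defaultdict(int)
    for f in frames:
        bits_per_window[f.ts_us // window_us] += f.length * 8
    return max(bits_per_window.values(), default=0) / window_us


def monitor_port_oversubscribed(frames, monitor_port_mbps, window_us=1000):
    """True if the bonded aggregate exceeds what a single monitor NIC can
    accept, i.e. the listener silently drops frames it never inspects."""
    return peak_rate_mbps(frames, window_us) > monitor_port_mbps


# Constructed sample: each direction carries a 1250-byte frame every 100 us,
# i.e. 100 Mbit/s per half of a saturated 100 Mbit/s full-duplex link.
A_TO_B = [Frame(i * 100, "A->B", 1250) for i in range(100)]
B_TO_A = [Frame(i * 100 + 50, "B->A", 1250) for i in range(100)]
BONDED = bond_monitor_ports(A_TO_B, B_TO_A)

if __name__ == "__main__":
    print(f"A->B half alone: {peak_rate_mbps(A_TO_B):.0f} Mbit/s")
    print(f"bonded stream:   {peak_rate_mbps(BONDED):.0f} Mbit/s")
    print("100 Mbit/s monitor NIC drops frames:",
          monitor_port_oversubscribed(BONDED, 100))
    print("1 Gbit/s monitor NIC drops frames:  ",
          monitor_port_oversubscribed(BONDED, 1000))
```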

Putting a network tap into place can disrupt the network being monitored for a short time.

Monitoring large networks using network taps can require a lot of monitoring devices. Other technologies scale better.

Even fully passive network taps introduce new points of failure into the network.

Comparison to Other Monitoring Technologies

Many different types of monitoring are desirable.

The simplest type of monitoring is logging in to an interesting device and running programs or commands that show performance statistics and other data. This is the cheapest way to monitor a network, and is highly appropriate for small networks. However, it does not scale well to large networks. It can also impact the network being monitored; see observer effect.

Another way to monitor devices is to use a remote management protocol such as SNMP to ask devices about their performance. This scales well, but is not necessarily appropriate for all types of monitoring. For example, network intrusion detection systems require a lot of host resources, so it is desirable to run such software on centralized monitoring systems rather than on individual hosts. Also, politically, sometimes one group runs the network and another group runs the computers, so the group that runs the network wants to have monitoring capabilities independent of the group that runs the computers.

Another method to monitor networks is to enable promiscuous mode on the monitoring host and connect it to a shared segment. This works well with older LAN technologies such as 10BASE-T Ethernet networks and FDDI networks. On such networks, any host can automatically see what all other hosts are doing by enabling promiscuous mode. However, modern switched network technologies such as those used on modern Ethernets provide, in effect, point-to-point links between pairs of devices, so it is hard for other devices to see traffic.

Another method to monitor networks is to use port mirroring (called "SPAN", for Switched Port Analyzer, by Cisco, and given other names by some other vendors) on routers and switches. This is a low-cost alternative to network taps, and solves many of the same problems. However, not all routers and switches support port mirroring and, on those that do, using port mirroring can affect the performance of the router or switch. These technologies may also be subject to the problem with full-duplex described elsewhere in this article, and there are often limits for the router or switch on how many pass-through sessions can be monitored, or how many monitor ports can monitor a given session.

See also