Please fill the form below up and receive immediately an automated email with the instructions to download and install the trial Virtual Appliance!

This Virtual Appliance will be valid for 15 days from the day the download link is sent.

About you

Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

How to capture traffic ? (SPAN vs TAP)

This is an extract from Performance Vision’s Users Guide. As this is useful data for most users, we have decided to publish it on our blog.PerformanceVision can rely on two mechanisms to capture network traffic: Port Mirroring (commonly called SPAN) & TAP (Terminal Access Point).

Port mirroring

Port mirroring, also known as SPAN or roving analysis, is a method of monitoring network traffic which forwards a copy of each incoming and / or outgoing packet from one (or several) port(s) (or VLAN) of a switch to another port where the analysis device is connected. Port mirroring can be managed locally or remotely.

To configure the port mirroring, an administrator selects one or several ports from which all packets will be copied (source ports) and another port or ports where the copy of the packets will be sent (destination port).

The administrator can include either all packets in the port mirroring or only the transmitted /received packets. In case both transmitted and received packets are included, a packet going from a 1st monitored port to another monitored port will be copied twice to the destination port. This will have an impact on the measures and performance provided by the analysis device (e.g. retransmission rates, response times, …). APS captures and evaluates the data without any impact on the original traffic.

The port mirroring / SPAN is the most commonly used solution to capture traffic, because it is inexpensive, flexible in terms of how much traffic can be captured at once and remotely configurable.

Please note that a port mirroring may have some drawbacks, such as:

  • It can consume significant CPU resources while active
  • There is a risk of not receiving some packets (like media errors)
  • In the case of traffic congestion at the switch level, the port mirroring is likely to drop some traffic (because the SPAN process does not have priority).
  • In some cases, a better solution for long-term monitoring may be a passive TAP or an Ethernet repeater (”hub”).

Advantages & drawbacks of port mirroring


  • Low cost (this feature is embedded in most switches)

  • Can be configured remotely through IP or Console port

  • The only way to capture intra-switch traffic
  • A good way to capture traffic on several ports at once


  • Not adequate for fully utilized full-duplex links (packets may be dropped)
  • Filters out physical errors
  • Impact on the switch’s CPU
  • Can alter the timing of the frame (with an impact on response time analysis)
  • SPAN has a lesser priority than port to port data transfer

Network TAP

A network tap (Terminal Access Point) is a hardware device which can passively capture traffic on a network. It is commonly used to monitor the network traffic between two points in the network. If the network between these two points consists of a physical cable, a network TAP may be the best way to capture traffic.

The network TAP has at least three ports — a A port, a B port, and a monitor port. To place a tap between points A and B, the network cable between point A and point B is replaced with a pair of cables, one going to the TAP’s A port, one going to the TAP’s B port. The TAP passes all traffic between the two network points, so they are still connected to each other. The TAP also copies the traffic to its monitor port, thus enabling an analysis device to listen.

Network TAPs are commonly used by monitoring and collection devices like APS. TAPs can also be used in security applications because they are non-obtrusive, are not detectable on the network, can deal with full-duplex and non-shared networks, and will usually pass-through traffic even if the tap stops working or loses power.

Advantages & drawbacks of TAPs


  • No risk of dropped packets
  • Monitoring of all packets (including hardware errors -MAC & media)
  • Provides full visibility including congestion situations


  • The device may require two listening interfaces on the analysis device
  • Costly
  • No visibility on intra-switch traffic
  • Not appropriate for the observation of a narrow traffic range.

To learn how to troubleshoot network and application performance degradations in 4 easy steps, you can download our Performance Troubleshooting Guide: 

 Performance Troubleshooting Guide

Topics: Network troubleshooting

Posted by Boris Rogier on 10 juin 2016
Boris Rogier
Find me on:

Most popular

Receive our Blog Articles