Make The Right Choice For Monitoring Data Capture

WWhen monitoring a data network, you need quick and easy data access. A short delay or capturing the wrong data, can cost you thousands of dollars and result in longer troubleshooting time.

Keep in mind that you have choices when collecting monitoring data. Your choice of network monitoring equipment will affect the complexity and effectiveness of your monitoring strategy. The two most common ways of accessing monitoring data are through either a switched port analyzer (SPAN) port or a test access port (Tap).

A tap is a purpose-built device that passively makes a copy of network data but does not alter the data. Once you install it, you are done. No programming is required.

SPAN ports, also called mirror ports, are part of Layer 2 and 3 network switches. They are active devices and will require you to program them to copy the data desired.

Taps are the best choice when it comes to ease of data capture, versatility of location for data capture, and programming costs. Read this white paper to get more information on how to dimension taps within your network.

Taps Vs SPANs

There is a clear difference between taps and SPANs. Taps offer significant advantages over SPAN ports when monitoring the network.

One benefit is that you can "set and forget" taps because they are a one-time intrusion to the network. SPAN ports require you to configure the switch (or switches) every time you want to change the switch data that needs to be copied.

Once installed, taps and a network packet broker eliminate the need for many Change Board Review processes because you do not need to touch the live network. You just filter and analyze the readily available monitoring data to get the troubleshooting, performance, security-related, and compliance data you need.

Taps are also versatile and you can deploy them anywhere across your network. This gives you the ability to tap ingress, egress, remote links, problem links, etc. with almost no restrictions, unlike the SPAN port which is tied specifically to a network switch and the switch’s physical location.

Take a look at this solution brief to see the differences.

SPAN Ports Can Lie

Keep in mind is that network switches (and their SPAN ports) introduce mechanisms on ingress ports to eliminate corrupt packets and also packets that are below a minimum size. While this may sound beneficial, the problem with this approach is that monitoring devices for troubleshooting normally require the capture of all data within the egress segment. Key clues can be contained in this data. Switches and SPAN ports can drop Layer 1 and select Layer 2 data as well, depending on priority level.
By contrast, a tap passes on all of the data on a link. This includescapturing everything needed to properly troubleshoot common physical layer problems, including bad frames that can be caused by a faulty NIC.

Cost Analysis

The chart to the right is an attempt to perform an “apples to apples” comparison with respect to SPAN port and Tap port programming.


  • The cost to administer a Tap is typically $0
  • Proper SPAN port mirroring requires a network engineer to configure the switches (CLI programming + filter validation)
  • Labor rate = $100/hr
  • Programming for each SPAN session get progressively more time intensive to create a correct filter and troubleshoot it

Administration costs for SPAN sessions start Day 1. In this conservative example, the average annual recurring maintenance costs ($6,890) for SPAN sessions could have been redeployed to buy an average of 10 Taps (annually).


Initial Set-up
$0 $530
Session 1 $0 $97
Session 2
$0 $302
Session 3 $0 $540
Session 4 $0 $864
Session 5 $0 $957
SPAN session planning $0 $3600
Averaged Total $0 $6890

Is Partial Coverage Good Enough?

Taps offer the ability to collect data anywhere in the network, not just where the Layer 2 or Layer 3 switches are located.

Tap Vs SPAN Comparsion Table

While SPAN ports create a mirrored copy of network data, there are a host of issues associated with them and you need to factor this into your monitoring strategy. See the adjacent table for a comparison of the two data capture methods.

Provides access to monitoring packets x x
Delivers a complete copy (100%) of data
(includeing bad data vital for diagnosis)
Has full system resource priority during crisis
(i.e., does not drop frames)
Less vulnerable to security attacks x  
Does not create unnecessary, duplicate packets x  
Does not create unnecessary, duplicate packets x  
Recommended for lawful intercept x  
Relieves SPAN port contention x  
Plug & play: no configuration needed x  

Featured Resources

The following resources are available to help you with your research

Want help or have questions?