
Top 5 Alternatives For SPAN or Mirror Ports


Looking for an alternative for SPAN ports?

SPAN (Cisco) or mirror (everyone else) ports are an excellent data source for network security monitoring and traffic analysis. With them you can monitor single or multiple ports or VLANs, and they give you access to packet payloads rather than just the header information that you get with flow data.

What if you don’t want to use SPAN ports but you still need a source of network packets? Maybe you have used up your SPAN ports or maybe you don’t have access to your switch infrastructure. The good news is that there are alternatives, and here are the top 5 that you will find on most networks.

Top 5 Alternatives For SPAN or Mirror Ports

  1. Network TAP
  2. Port aggregator
  3. Network visibility solutions
  4. Virtual switches
  5. Use a spare switch to create more SPAN sessions

Network TAP

A network TAP (Test Access Point) is a hardware device that enables network and security personnel to access packet data passing through a network. TAPs are passive devices.

Not so long ago, when TAPs were expensive, there was a cheaper option, a simple network hub! It is actually quite difficult to purchase a hub these days!

Most TAPs pass all seven layers of OSI network traffic (including layer 1 and layer 2 errors) and do not interfere with the performance of the network or the data stream of the network traffic.

They are a low-cost option if you want to monitor single ports, but more advanced versions are available which allow for many-to-one port mirroring. The following diagram shows a typical use case. A TAP is used to take a copy of traffic going to/from a firewall and it sends a copy to a network monitoring tool.

[Diagram: Garland TAP]

Port Aggregation TAP

A port aggregation TAP is a hardware device which allows you to aggregate the data from multiple source or destination ports. It is not to be confused with the Port Aggregation Protocol, which is Cisco proprietary. The most common use case for port aggregators is where you have multiple source ports that you want to monitor with a single network monitoring tool.


Network Visibility Solutions

Network visibility appliances include dedicated application processors pre-loaded with packet analyzers, network performance, and security/performance applications on a KVM software environment. Network engineers select traffic to stream or capture for diagnostics, and on-board storage is included for traffic analysis software and data files. Vendors such as Apcon develop solutions in this space.

Virtual Switch Monitoring

Most data centers now host one or more hypervisor platforms. VMware ESX and Microsoft Hyper-V are the most popular and both come with options for virtual packet capture.

VMware uses VLAN 4095 for monitoring purposes. You need to create a virtual switch for monitoring purposes and assign VLAN 4095 to it. Once the virtual switch is in place, you can connect your network monitoring tools to it.

Hyper-V monitoring is very similar in that you create a virtual switch for monitoring purposes. Instead of VLAN 4095, you set ports as destinations for monitored traffic. Microsoft has more information in this blog post. We recently published a video which looks at how you can deploy LANGuardian on Microsoft Hyper-V servers. The steps shown can be used to deploy any type of monitoring tool which uses network packets as a data source.
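
The Hyper-V step described above, as an added example that is not from the original post or from Microsoft: it marks the monitored VMs' adapters as mirror sources and the sensor VM's adapter as the destination, then lists every mirroring port on the host so that an unexpected destination stands out. The switch and VM names are assumptions, and the virtual switch is assumed to exist already with all of these VMs attached to it.

```powershell
#Requires -Modules Hyper-V
# Added example. All names below are assumptions, not values from the article.
$SwitchName = 'Monitor-vSwitch'   # virtual switch shared by sources and sensor
$SensorVM   = 'sensor01'          # VM running the monitoring tool
$SourceVMs  = 'web01', 'db01'     # VMs whose traffic should be copied

function Set-MirrorRole {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [ValidateSet('None', 'Source', 'Destination')] [string] $Role
    )
    # Hyper-V only mirrors between ports on the same virtual switch, so
    # refuse to touch adapters that are attached anywhere else.
    $adapters = Get-VMNetworkAdapter -VMName $VMName |
        Where-Object { $_.SwitchName -eq $SwitchName }
    if (-not $adapters) {
        throw "VM '$VMName' has no network adapter on switch '$SwitchName'."
    }
    $adapters | Set-VMNetworkAdapter -PortMirroring $Role
}

function Get-MirrorAudit {
    # Every VM adapter on this host that takes part in port mirroring.
    Get-VM | Get-VMNetworkAdapter |
        Where-Object { $_.PortMirroringMode -ne 'None' } |
        Select-Object VMName, Name, SwitchName, PortMirroringMode
}

# Fail early if the monitoring switch is missing.
Get-VMSwitch -Name $SwitchName -ErrorAction Stop | Out-Null

foreach ($vm in $SourceVMs) { Set-MirrorRole -VMName $vm -Role Source }
Set-MirrorRole -VMName $SensorVM -Role Destination

# A mirror destination receives other VMs' traffic, so report any
# destination port that is not the intended sensor.
$audit = Get-MirrorAudit
$audit | Format-Table -AutoSize
$unexpected = $audit | Where-Object {
    $_.PortMirroringMode -eq 'Destination' -and $_.VMName -ne $SensorVM
}
if ($unexpected) {
    Write-Warning ("Unexpected mirror destination(s): " +
        (($unexpected.VMName | Sort-Object -Unique) -join ', '))
}
```

Run it in an elevated PowerShell session on the Hyper-V host; calling `Set-MirrorRole` with `-Role None` returns an adapter to normal operation.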

Use a Spare Switch To Create More SPAN Sessions

If you have a shortage of SPAN ports, network switches can be used to double the number available. You need to connect the SPAN port from one switch to another spare one. Create a new VLAN on the new switch which is used for network monitoring purposes. There is no need to replicate this VLAN on other switches on your network. Once the VLAN is configured you can create two SPAN sessions which use this VLAN as a data source.

Do you have any other ways for capturing network packets off a network? Suggestions welcome in the comments section below.


Darragh Delaney