When to SPAN vs TAP is a discussion that everyone should have at some point in their career. Early on, I used SPAN (aka port mirroring) quite a bit and still do to this day to varying degrees. For quick one-off situations, SPAN will be the quickest and potentially least disruptive way of seeing traffic on the network, because you don't have to unplug anything to connect a TAP into the network. Early on, I ran into a limit on Cisco switches where, if you had multiple SPAN sessions configured, you would get an error message that you were already at the limit of what the switch could handle.
Recently I ran into a problem where I didn't think I was seeing all of the traffic. After doing some digging, I confirmed that I wasn't. After doing some more extensive research, I found that I wasn't the only one who had run into this situation. I was able to borrow a NetOptics TP-CU3 Tap from my good friend, Laura Chappell (http://www.chappellu.com). This gave me immediate confirmation that I hadn't been seeing all of the traffic.
Initially I had to run each test twice because the tap has two monitoring ports, each of which gives you one side of the conversation. My first approach was to use a second laptop to capture on the second port at the same time and then merge the two capture files to see both sides of the conversation together. The challenge here is that both laptops have to be time-synced so that the timestamps are as close as possible, giving you a realistic picture of what is on the wire.
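The merging step described above, as an added example that is not part of the original post: this does in Python what `mergecap` does on the command line (interleaving two one-directional classic pcap files by timestamp) and additionally applies a clock offset to the second capture, which is the correction you need when the two laptops were not in time sync. It assumes classic microsecond pcap (not pcapng) with Ethernet frames; the two captures, the MAC addresses and the 2 second clock skew are constructed sample data, not captures from the post.

```python
"""Merge two one-directional pcap captures into one time-ordered capture."""
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def build_pcap(records, linktype=LINKTYPE_ETHERNET):
    """Serialise [(timestamp_us, frame_bytes), ...] into a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts_us, frame in records:
        sec, usec = divmod(ts_us, 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Return (linktype, [(timestamp_us, frame_bytes), ...]) from a classic pcap.

    Handles both byte orders; rejects pcapng and truncated records."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    records, pos = [], 24
    while pos + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        frame = data[pos:pos + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % pos)
        pos += incl_len
        records.append((sec * 1_000_000 + usec, frame))
    return linktype, records


def merge_captures(cap_a, cap_b, offset_b_us=0):
    """Merge two captures by timestamp, like mergecap.

    offset_b_us is added to every timestamp in cap_b, so if laptop B's clock
    ran 2 seconds ahead of laptop A's, pass -2_000_000 to line them up."""
    lt_a, rec_a = parse_pcap(cap_a)
    lt_b, rec_b = parse_pcap(cap_b)
    if lt_a != lt_b:
        raise ValueError("link types differ; cannot merge into one classic pcap")
    shifted_b = [(ts + offset_b_us, frame) for ts, frame in rec_b]
    # sorted() is stable, so on equal timestamps capture A's frame stays first
    return build_pcap(sorted(rec_a + shifted_b, key=lambda r: r[0]), lt_a)


# Constructed sample data (hypothetical MACs): capture A saw client->server,
# capture B saw server->client, and laptop B's clock was 2 seconds fast.
CLIENT = bytes.fromhex("020000000001")
SERVER = bytes.fromhex("020000000002")


def eth_frame(src, dst, payload):
    """Minimal Ethernet II frame: dst, src, EtherType 0x0800, payload."""
    return dst + src + b"\x08\x00" + payload


CAP_A = build_pcap([
    (1_000_000_100, eth_frame(CLIENT, SERVER, b"SYN")),
    (1_000_000_300, eth_frame(CLIENT, SERVER, b"ACK")),
])
CAP_B = build_pcap([
    (1_002_000_200, eth_frame(SERVER, CLIENT, b"SYN-ACK")),
    (1_002_000_400, eth_frame(SERVER, CLIENT, b"DATA")),
])


def conversation(cap):
    """Return [(timestamp_us, direction, payload), ...] for a merged capture."""
    _, records = parse_pcap(cap)
    out = []
    for ts, frame in records:
        direction = "c->s" if frame[6:12] == CLIENT else "s->c"
        out.append((ts, direction, frame[14:]))
    return out


if __name__ == "__main__":
    # Without the offset the server's replies appear two seconds after the
    # client's packets; with it the handshake reads in the right order.
    for ts, direction, payload in conversation(
            merge_captures(CAP_A, CAP_B, offset_b_us=-2_000_000)):
        print(f"{ts / 1e6:.6f} {direction} {payload.decode()}")
```

The offset is the part a hub or an aggregation tap lets you skip: with both sides arriving on one interface, one clock stamps every frame and there is nothing to correct.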
I discussed this challenge with Laura and she offered up a solution that was right in front of me. Anyone who has heard one of her many presentations over the years knows to keep several hubs around for when you need to "insert" yourself into the network and see all of the traffic on the wire between a workstation or server and where it connects to the network. In this case, Laura suggested taking each of the monitoring ports and plugging it into a hub, then plugging the laptop running Wireshark into the same hub. That way, I would have both sides of the traffic recombined with far less work.
If you need to go this way, you will need to slow the network traffic down to either 10 or 100 MB, since the fastest hub I have found maxes out at 100MB. In a testing situation this shouldn't be a problem. If you don't have a hub lying around (and I didn't at that time), you can go to this URL (http://wiki.wireshark.org/HubReference) and find a list of hubs that other users have reported to work. If you want to build an ultra-portable network tap solution, I would suggest getting one or two of the Netgear DS104 (DS = Dual Speed) 10/100 hubs. This particular 4-port hub has a metal case that can stand up to quite a bit of use and moving around.
If you have the money, you can look at getting what is called an Aggregation Tap, which automatically combines both sides of the network traffic. The aggregator version of the tap I mentioned above is the TPA-CU3. It costs a bit more, but if you do a lot of this there won't be a better way to spend the money. You save the hassle of the extra wiring and a hub, with the bonus that you can capture at near 1 GB line speed if the application is running in that range (I usually find that the effective line speed runs between 300 and 450 MB with the captures I have done).
You will find plans on various websites showing how to build your own tap. I have done this in the past, more as a learning exercise than for actual production use. I wouldn't have a problem using something like this on a 10 MB connection, and if there were no other choice I would consider using it on a 100 MB connection. I would not use it on a Gigabit connection, because you would have to be much more careful with how you ran the wiring to keep electrical / magnetic interference from corrupting the packet capture. In either case, I would be very concerned about putting a DIY tap on a long cable run, because there is nothing to re-amplify the signal and make sure the traffic makes it all the way to the end of the wire.
As you will see by doing a bit of research, there are several companies out there. Buying a TAP isn't something you should do without doing some research to make sure you are getting the best one for your needs. You may find out that one TAP may not be enough