Hardware tap vs port mirroring – Any limitations


I predominantly work in a Cisco environment and am contemplating buying a network tap device for use with Wireshark.

Can anyone provide the pros and cons from their experience between using network taps OR setting up port mirroring given considerations like ease of use, cost of kit and are there limitations between the 2 approaches respectively?

Best Answer

(having worked with this for a decade now)

Hands down, the biggest functional difference between a tap and a span... a passive tap will never, ever drop a frame, under any circumstances -- it electrically duplicates the frame, errors and all. Active taps (regenerative, or aggregate) can drop frames, e.g. if the bidirectional traffic exceeds the link speed of the monitor port. (A 1G link cannot carry TX+RX 1G (2G) of traffic.)

Switch SPAN ports will drop traffic. The SPAN is the lowest priority to the switch -- it will sacrifice the SPAN traffic in favor of maintaining live traffic. A slightly loaded switch may never show this, but I've had dozens of customer calls from all over the world complaining that we dropped traffic, when it was in fact their switch SPAN that didn't send it to us.

However, SPANs are cheap and plentiful. Almost every managed switch supports setting up a monitor session. And they are usually trivial to set up and/or reconfigure. Taps, on the other hand, are exceedingly expensive and rare. Taps require unplugging network cables, which has a lot of resistance from just about everyone. And they cause a hit when they lose power. (Momentary, not "unplugged == broken link". Even dirt simple ones will maintain link when off.)
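The monitor-port oversubscription described in the answer, as an added example that is not part of the original post: a simplified model of an aggregating tap that merges both directions of a link onto one output port. The function name, the per-second intervals, the buffer model and the sample loads are all assumptions constructed for illustration, not measurements or vendor behaviour.

```python
from typing import NamedTuple, Sequence


class MonitorResult(NamedTuple):
    forwarded: float  # megabits delivered to the capture host
    dropped: float    # megabits the tap had to discard
    queued: float     # megabits still buffered when the trace ends


def simulate_monitor_port(tx: Sequence[float], rx: Sequence[float],
                          port_mbit: float = 1000.0,
                          buffer_mbit: float = 0.0) -> MonitorResult:
    """Model one monitor port carrying TX+RX of a tapped link.

    tx / rx hold the offered load per one-second interval, in megabits.
    Each interval the port drains up to port_mbit; whatever is left over
    is kept only if it fits in buffer_mbit, otherwise it is dropped.
    """
    if len(tx) != len(rx):
        raise ValueError("tx and rx need one sample per interval each")
    queued = forwarded = dropped = 0.0
    for t, r in zip(tx, rx):
        if t < 0 or r < 0:
            raise ValueError("offered load cannot be negative")
        backlog = queued + t + r          # both directions share one port
        sent = min(backlog, port_mbit)
        backlog -= sent
        queued = min(backlog, buffer_mbit)
        dropped += backlog - queued       # overflow never reaches the capture
        forwarded += sent
    return MonitorResult(forwarded, dropped, queued)


# Constructed sample loads (megabits per second, TX then RX) on a 1G link.
LIGHT = ([300, 400, 200], [200, 300, 100])        # never exceeds 1G combined
SATURATED = ([1000] * 3, [1000] * 3)              # both directions at line rate
BURST = ([900, 100, 100], [600, 100, 100])        # one short combined burst

if __name__ == "__main__":
    cases = [("light", LIGHT, 0.0), ("saturated", SATURATED, 0.0),
             ("burst, no buffer", BURST, 0.0), ("burst, 500 Mbit buffer", BURST, 500.0)]
    for name, (tx, rx), buf in cases:
        print(f"{name:24s} {simulate_monitor_port(tx, rx, buffer_mbit=buf)}")
```
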
