Terminology
The term network TAP is analogous to phone tap or vampire tap. Some vendors have phrases for which TAP is an acronym; however, those are most likely backronyms.
The monitored traffic is sometimes referred to as the pass-through traffic, while the ports that are used for monitoring are the monitor ports. There is also an aggregation port, where, on a full-duplex link, the "A" traffic is aggregated with the "B" traffic, resulting in one stream of data/packets for monitoring the full-duplex communication. The packets must be aligned into a single stream using a time-of-arrival algorithm.
Vendors will tend to use terms in their marketing such as breakout, passive, aggregating, regeneration, inline power, and others. Common meanings will be discussed later. Unfortunately, vendors do not use such terms consistently. Before buying any products, be sure to understand the available features, and check with vendors or read the product literature closely to figure out how marketing terms correspond to reality. All of the "Vendor Terms" are common within the industry, have real definitions, and are valuable points of consideration when buying a TAP device.
New Filterable TAP Technology
A new type of TAP, or network access point, is now available. This new type of TAP is called a "filterable" TAP. It is especially valuable in the 10-Gigabit environment because 10-Gigabit test equipment is very expensive. Some TAPs, available from several vendors, make it possible to use less expensive and more widely available 1-Gigabit monitoring and analysis tools with these 10-Gigabit networks. When used in this fashion, some form of load-balancing or port-bonding is recommended to avoid packet loss to the monitoring tools.
A filterable TAP that provides advanced filtering can selectively pass data, based on application, VLAN ID, or other parameters, to the 1-Gigabit port for deep analysis and monitoring, including IDS requirements.
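To make the VLAN filtering and load-balancing described above concrete, the following Python example is an addition to this post, not code from any vendor or TAP product. It keeps only frames from allowed VLAN IDs and spreads them across several 1-Gigabit monitor ports with a direction-independent flow hash, so the "A" and "B" halves of a conversation reach the same tool. The function names, the CRC32 hash, and the fixed port for non-IPv4 frames are assumptions made for illustration.

```python
import socket
import struct
import zlib

ETH_8021Q, ETH_IPV4 = 0x8100, 0x0800

def parse_frame(frame):
    """Return (vlan_id, flow) for an Ethernet frame; flow is None for non-IPv4."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan, off = None, 14
    if ethertype == ETH_8021Q and len(frame) >= 18:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18           # low 12 bits of the TCI are the VLAN ID
    if ethertype != ETH_IPV4 or len(frame) < off + 20:
        return vlan, None
    ihl = (frame[off] & 0x0F) * 4
    (frag,) = struct.unpack_from("!H", frame, off + 6)
    proto = frame[off + 9]
    src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
    sport = dport = 0
    # Fragments (MF flag or non-zero offset) carry no reliable L4 header: hash on addresses.
    if proto in (6, 17) and not frag & 0x3FFF and len(frame) >= off + ihl + 4:
        sport, dport = struct.unpack_from("!HH", frame, off + ihl)
    return vlan, (proto, src + struct.pack("!H", sport), dst + struct.pack("!H", dport))

def monitor_port(frame, allowed_vlans, n_ports):
    """Index of the monitor port for this frame, or None if the filter drops it."""
    parsed = parse_frame(frame)
    if parsed is None or parsed[0] not in allowed_vlans:
        return None
    flow = parsed[1]
    if flow is None:
        return 0                               # assumption: non-IPv4 goes to a fixed port
    proto, a, b = flow
    lo, hi = sorted((a, b))                    # order-independent: A->B and B->A match
    return zlib.crc32(bytes([proto]) + lo + hi) % n_ports

def sample_frame(vlan, src, dst, sport, dport):
    """Constructed test input: 802.1Q-tagged IPv4/TCP frame with zeroed MACs."""
    eth = bytes(12) + struct.pack("!HHH", ETH_8021Q, vlan, ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + struct.pack("!HH", sport, dport) + bytes(16)
```

Because the hash sorts the two endpoints before hashing, an IDS attached to one monitor port sees both directions of every session assigned to it, which stateful inspection needs.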
Filtered access is also the best way to focus on business-critical traffic, or other specific areas of your network. At higher speeds, network traffic analysis cannot be performed using the older "capture and decode everything" philosophy. In this type of environment, focused access is the best way to enable traffic analysis, and often is the only way.
Any filterable TAP you consider must have a simple user interface for easy setup and management. Furthermore, it must be able to collect the Layer 1 and Layer 2 data while still allowing for auto-saving and easy access to data by graphing programs. Such a TAP can be part of a strategy to monitor for essential metrics, such as frame errors and corrupted frames in IPv6.