Posted by punzalan at 2020-03-10

There are three common methods of obtaining data packets for network analysis: hub, SPAN and TAP.

1. Hub. A hub is a very simple ("dumb") device, but it is the earliest method of packet acquisition. A hub is a half-duplex Ethernet device: while it is broadcasting data packets, it cannot transmit data in the opposite direction at the same time.

Advantage: cheap

Disadvantages: 1. Reduces the bandwidth of the link by more than half; 2. Causes collision errors; 3. No Gigabit solution.

2. SPAN. SPAN (Switched Port Analyzer) is the mirror port. Advanced switches can copy the packets of one or more ports to a specified port, and the analyzer receives the data from that mirror port. However, this function affects the performance of the switch, and when the switch is overloaded with data, packets will also be lost.

Advantages: 1. Economical, no additional equipment is needed. 2. It can monitor all the traffic of a VLAN on a switch at the same time. 3. One analyzer can monitor multiple links.

Disadvantages: 1. Mirroring the traffic of multiple ports to one port can overload the buffer and cause packet loss. 2. When a packet passes through the buffer it is retimed, so timing measurements such as jitter, inter-packet interval and delay cannot be determined accurately. 3. OSI layer 1 and layer 2 error packets cannot be monitored. Most mirror ports filter out irregular packets, so they cannot provide detailed and useful data for troubleshooting. 4. Because mirrored traffic increases the CPU load of the switch, the performance of the switch is reduced.

Typical applications of mirroring: 1. On low-bandwidth links with relatively low traffic, multi-port mirroring can be used for flexible analysis and monitoring. 2. Trend monitoring: where accurate monitoring is not needed and occasional statistics are enough. 3. Protocol and application analysis: a mirror port is a convenient and economical source of the relevant data. 4. Whole-VLAN monitoring: multi-port mirroring makes it convenient to monitor all VLANs on a switch.

3. TAP. A TAP (test access point), also called a splitter, is currently a popular method of network data acquisition. Even if the TAP loses power, the network connection is not interrupted. It provides a complete, visible network data flow and accurately monitors both directions of a session at full line speed, without packet loss or delay.

Advantages: 1. Captures 100% of packets, with no packet loss. 2. Irregular packets can be detected, which is convenient for troubleshooting. 3. Precise timestamps, with no delay and no retiming. 4. Once it is installed, the analyzer can be connected and moved easily.

Disadvantages: 1. A TAP has to be paid for separately and is very expensive. It also takes up rack space. 2. Only one link can be viewed at a time.

Typical applications of splitter technology: 1. Commercial links: these links require very short troubleshooting times. With a TAP installed on these links, network engineers can quickly find and eliminate unexpected problems. 2. Core or backbone links: they have high bandwidth utilization, and the link cannot be interrupted when the analyzer is connected or moved. A TAP guarantees 100% data capture without packet loss, which makes accurate analysis of these links possible. 3. VoIP and QoS: QoS testing of VoIP requires accurate measurement of jitter and packet loss rate. A TAP fully supports these tests, whereas a mirror port changes the jitter value and reports a packet loss rate that is not real. 4. Troubleshooting: a TAP ensures that irregular packets and error packets can be detected. A mirror port filters out all of these packets, so it cannot give engineers the important and complete data they need to find faults. 5. IDS applications: an IDS relies on complete data to identify intrusion patterns, and a TAP can provide a reliable and complete data flow to the intrusion detection system. 6. Server groups: a multi-port splitter can connect 8 / 12 links at the same time and can be switched between them remotely, which is convenient for monitoring and analysis at any time.

Conclusion: important links and critical applications usually call for a splitter. A TAP provides a complete and accurate access point for data monitoring. A mirror port is usually used to monitor overall trends or to monitor multiple links at the same time. Because of buffering, the timing and packet loss rate seen on a mirror port cannot be measured accurately, so a mirror port is not suitable for VoIP and other measurements with precise timing requirements.
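The buffering effect described above, as a toy model (an added example, not code from the original post): copies of a constructed 20 ms VoIP flow and two line-rate bursts share one 1 Gbit/s mirror port, and the result is compared with the untouched timing a TAP would pass on. The flow names, buffer sizes and traffic pattern are assumptions chosen for illustration.

```python
# Toy model (added example): a TAP passes frames with line timing intact,
# while a SPAN port queues copies from several ports behind one egress link.
NS = 10**9

def span_mirror(frames, rate_bps, buffer_bytes):
    """frames: (arrival_ns, size_bytes, flow). Returns (delivered, dropped)."""
    delivered, dropped, queue, free_at = [], [], [], 0
    for t, size, flow in sorted(frames):
        queue = [(d, s) for d, s in queue if d > t]   # copies still buffered at t
        if sum(s for _, s in queue) + size > buffer_bytes:
            dropped.append((t, size, flow))            # mirror buffer overflow
            continue
        free_at = max(t, free_at) + size * 8 * NS // rate_bps
        queue.append((free_at, size))
        delivered.append((free_at, size, flow))        # timestamp retimed by queueing
    return delivered, dropped

def max_gap_error(times_ns, nominal_ns):
    """Largest deviation of inter-packet gaps from the nominal interval."""
    gaps = [b - a for a, b in zip(times_ns, times_ns[1:])]
    return max((abs(g - nominal_ns) for g in gaps), default=0)

def constructed_traffic():
    """Constructed sample: one VoIP flow plus a burst on two other mirrored ports."""
    voip = [(i * 20_000_000, 200, "voip") for i in range(5)]     # 20 ms spacing
    burst = [(39_900_000 + i * 12_000, 1500, port)               # back-to-back frames
             for i in range(10) for port in ("portX", "portY")]
    return voip + burst

def compare(buffer_bytes, rate_bps=10**9):
    """VoIP flow as seen by a TAP versus a SPAN port with the given buffer."""
    frames = constructed_traffic()
    tap_times = [t for t, _, f in sorted(frames) if f == "voip"]  # TAP: untouched
    delivered, dropped = span_mirror(frames, rate_bps, buffer_bytes)
    span_times = [t for t, _, f in delivered if f == "voip"]
    return {
        "tap_voip": len(tap_times),
        "span_voip": len(span_times),
        "span_dropped": len(dropped),
        "tap_gap_error_ns": max_gap_error(tap_times, 20_000_000),
        "span_gap_error_ns": max_gap_error(span_times, 20_000_000),
    }

if __name__ == "__main__":
    print("deep buffer   :", compare(65_536))
    print("shallow buffer:", compare(9_000))
```

With the deep buffer nothing is lost but the VoIP gaps shift by 116 µs; with the shallow buffer the mirror drops six copies, one of them a VoIP packet that the monitored link actually delivered.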

