It may seem obvious, but to solve problems at the packet level requires access to the packets that will contain the “answers” you are looking for (you cannot analyze what you cannot see). Two common hardware-based methods of accessing packets are (1) using an external TAP (‘test access point’) or (2) putting your analyzer inline. Let’s explore each method…

An external tap is a device that essentially “copies” the traffic in question and sends that traffic out separate ports to an analyzer. In the case of a copper tap (with “RJ-45” ports), this is done electrically in hardware, whereas on fiber optic links a non-powered optical splitter can be used. In the diagram below, a “full duplex tap” is pictured. There are two ports for the “active link”: one for connection to the “upstream” device and one for connection to the “downstream” device. Two other ports are provided for output to a dual-port analyzer. If this device were tapping a full-duplex 1 Gig link, ostensibly there could be two gigs of traffic being output to the analyzer (one up + one down), so a dual-port analyzer is required – there’s no way an off-the-shelf laptop can handle this kind of traffic. The alternative type of tap would be an “aggregating tap” – where the upstream/downstream traffic is joined together and sent out a single output port. The downside of this approach is the likelihood of exceeding the capacity of the output port (and the capacity of a single-port analyzer) if utilization exceeds 50% (ex: 600 Mbps upstream + 600 Mbps downstream = too much traffic if the output port is 1 gig).

Inline mode is, well, pretty obvious. This requires using an analyzer that is architected with multiple ports that support going inline between two active devices on the network (say, between a VoIP phone and an access layer switch, for example). All traffic to/from an endpoint is routed through the analyzer itself, where an INTERNAL tap copies the traffic into the analyzer’s capture buffer. In the case of the OptiView XG Network Analysis Tablet, this ensures full line-rate capture of 100% of the packets.

Both methods eliminate the risk of dropping packets during analysis (presuming, of course, that your analyzer is capable of full line-rate capture). Physical-layer packet errors are also passed through to the analyzer, which does NOT happen when using SPAN.

A downside to either method is that the link has to be broken to insert the tap or the inline analyzer (unless the tap was installed earlier). “Everybody hold on while I disconnect the server” may not be a viable approach, but if the network is “on fire”…well, desperate times call for desperate measures, as they say.

We’ll explore SPAN (another packet access method) in another tech tip…