Port Mirroring for Network Monitoring Explained

Yoram Ehrlich By: Yoram Ehrlich May 22, 2018
Let’s say that we want to study or measure traffic on the network (for example, to detect system intrusion, forecast traffic, analyze performance and measure throughput). We’ll want to pass our traffic to some analysis device or monitoring station, but in such a way, that we won’t noticeably affect the system. In other words, that the analysis process is carried out seamlessly and non-intrusively.
Blog 13-01 (1)

There are several options available to us, including:

In order to best carry out traffic monitoring via the ports in our networks, we should consider the various options, and weigh their various pros and cons.

Mirrored Ports – A Well-Known Tradition

The traditional traffic capturing solution — and probably also the most common method used across the data information industry — is port mirroring.

Also known as SPAN (Switched Port Analyzer) or roving analysis, this is a method for catching and observing network traffic in a non-intrusive manner. It is a software feature built into a network switch or router that creates a copy of selected packets passing through the device and sends them to a designated mirrored (SPAN) port. Using software, we can easily configure or change what data is to be monitored.

Managed locally or remotely, we set up our mirrored ports to forward a copy of each incoming and/or outgoing packet from the ports of our SPAN switches to other ports where our analysis devices or monitoring stations are connected.

To configure the port mirroring, we select the relevant source ports (from which all packets will be copied) and the relevant destination ports (where the copies of the packets will be sent to).

We can include either all packets in the port mirroring or only the transmitted/received packets.


If both transmitted and received packets are included, a packet going from one monitored port to another monitored port will be copied twice to the destination port (due to the mirroring). This duplication could have an impact on the measurements and performance of the analysis devices (such as the retransmission rates and/or response times). Therefore, relevant built-in filtering and deduplication algorithms will handle the redundant data, cleaning it out and ensuring that no duplication is transferred.  

Mirrored Ports – The Right Stuff

Port mirroring is one of the most popular solutions for traffic monitoring, and offers the following advantages:

  • Relatively inexpensive (most switches have the feature already embedded in them)
  • These ports are generally available from a network routing switch
  • Remotely configurable – Can be configured via the IP or console port
  • The only means of capturing intra-switch traffic
  • An excellent method for catching traffic on several ports at once

Mirrored ports can be used for non-time sensitive monitoring (for example, addresses inventory).

Such monitoring instances handle low bandwidth application layer events like:

  • Application flows
  • Conversation or correction analysis
  • Applications where monitoring in real-time is not a critical factor or prerequisite
  • Applications where monitoring real delta times (like those of voice and video flows) is not a critical factor or prerequisite

These monitoring requirements do not consume a large amount of bandwidth or require packet grooming. Thus, dropped packets do not affect the quality of the reports and statistics. Their success relies on the fact that they stay within the parameters and capability of the mirrored port’s capacity. These specific applications are not dependent on every frame for their successful analysis or reporting.

Network Tap (Terminal Access Point)

In certain cases, an alternative solution for long-term monitoring may be a network tap (terminal access point). This is a hardware device which can passively capture traffic on a network, and is commonly used to monitor the network traffic between two points in the network. If the network between these two points consists of a physical cable, a network tap may be the best way to capture traffic. They are commonly used by monitoring and collection devices like APS. Taps can also be used in security applications because they are non-obtrusive, are not detectable on the network, can deal with full-duplex and non-shared networks. Passive taps will pass-through traffic even if the tap stops working or loses power.

Some of the Network Tap advantages include:

  • No risk of dropped packets
  • Monitoring of all packets
  • Provides full visibility including congestion situations

For more information on Niagara Networks taps, see here.

When to Mirror

Consider using mirrored ports for the following network scenarios:

  • Limited ad hoc monitoring in a network schema with port mirroring capabilities where a network tap does not currently exist.
  • Production emergencies where there is no maintenance window in which to install a tap.
  • Remote locations with modest traffic that cannot justify a full time tap on the link.
  • Access to traffic that either stays within a switch or never reaches a physical link where the traffic can be “tap”ed.
  • Low-cost troubleshooting alternative where links have low utilization.

When configured and managed appropriately, port mirroring is a valid and valuable tool and system asset.

Tap or Mirror?

Whereas port mirrors and taps both have their strengths and weaknesses, selecting the right solution will be based on your network design and requirements - and, of course, your budget.

Consider that port mirroring solutions do not consume a large amount of bandwidth and are relatively inexpensive (most switches have the feature already embedded in them). Tap devices, on the other hand can be inserted in the network at different points, to provide full exposure and visibility - and when they are passive taps on fiber cabling, they can continue working even during power loss.

Need help choosing the right Network Tap? Talk to our network visibility experts today.

How to monitor your network traffic with no impact - get the white paper