Because Beeks Analytics performs its analysis on packets that traverse one or more points on the network, it needs to be provided with a copy of the packets that are crossing these points in the network. This is known as traffic mirroring.
There are three principal ways in which traffic can be mirrored from a network to a monitoring device:
Optical Taps
Port Mirroring
Layer 1 switching
This section provides more background information on each of these.
Latency Impact of Traffic Mirroring
All three methods (optical taps, port mirroring, Layer 1 switches) generally introduce negligible latency. Optical taps and Layer 1 switches are particularly known for near-zero latency impact. Port mirroring can introduce slight additional switch processing delays, but in most scenarios, these delays are minimal compared to higher-layer processing.
Traffic Mirroring using Optical Taps
An optical tap is a simple, passive device inserted into a fiber-optic network link. It splits the light signal, forwarding most of the signal’s optical power in one direction (the main path) and a small portion of it to a separate monitoring port. Because the tap is passive, it introduces minimal latency—largely negligible in most practical scenarios. Essentially, it takes a fraction of the light to send to the monitoring port without actively modifying or buffering the packets.
Key benefits:
Very low latency.
Doesn’t introduce a single point of failure for the link since it’s a passive device.
Doesn’t depend on network switch capacity or configuration.
Traffic Mirroring using Port Mirroring or SPAN
Port mirroring is a feature on most managed switches. On Cisco devices it is known as SPAN (Switched Port Analyzer), with RSPAN/ERSPAN used for remote capturing. It copies the traffic from one or more switch ports (or VLANs) to a designated monitoring port. Tools such as intrusion detection systems or packet capture appliances can be connected to this monitoring port to receive a real-time feed of the mirrored traffic.
Key benefits:
Flexible: You can decide which ports or VLANs to monitor.
No need to physically insert a tap in the cable.
Potential considerations:
The switch CPU handles the mirroring, so it can be resource-intensive on some devices.
In heavily loaded links, mirrored traffic may be dropped if the switch is oversubscribed.
Beeks has seen that Arista and Cisco switches are the most reliable mainstream switches on the market that are capable of mirroring packets. On Cisco switches, it is recommended to mirror packets in SPAN mode, as ERSPAN mode is inefficient and can introduce timing problems.
Traffic Mirroring using a Layer 1 Switch
A Layer 1 switch (sometimes called a “physical layer switch” or a “matrix switch”) is a hardware device that allows traffic replication by physically connecting input ports to multiple output ports at the physical layer. It can replicate signals at wire speed with very low latency impact, typically measured in mere nanoseconds or microseconds.
Key benefits:
Wire-speed replication with extremely low latency.
Centralized control over multiple links and configurations.
Using a Packet Aggregator with Traffic Mirroring
A packet aggregator (often referred to as a “network packet broker”) can take multiple monitoring inputs (whether from taps, mirrored ports, or Layer 1 switches) and combine these streams into one or more aggregated data feeds. By doing this, a single analytics or monitoring device can more easily process traffic from multiple network segments.
Key functions of a packet aggregator:
Traffic Aggregation: Consolidates multiple ingress streams into a single output. This is particularly useful if your monitoring tool has fewer physical interfaces than the number of network links being monitored.
Filtering and Load Balancing: Can filter traffic to reduce bandwidth requirements (e.g., drop broadcast or irrelevant packets) or balance traffic across multiple capture/analyzer ports.
De-duplication: If the same traffic is seen on multiple feeds, a packet aggregator can remove duplicates.
High-Speed Interconnects: Some aggregators can output traffic on 10G, 40G, or even 100G interfaces for consolidation into fewer capture ports.
When packets pass through a packet aggregator, metadata can be appended to each packet. This metadata often appears in the form of a small header inserted before the original packet data.
Common types of metadata include:
Source Port Identification: Indicates which physical input port (or which mirrored session) the packet came from. This is vital in environments monitoring numerous ports.
Timestamp: A highly accurate timestamp, often derived from GPS or PTP (Precision Time Protocol). Nanosecond or microsecond precision is common in modern capture systems. This is critical for latency-sensitive applications (financial trading, for instance).
VLAN or MPLS Tagging: Sometimes monitoring devices add or modify VLAN tags for internal handling or path identification.
Sequence Number: Ensures that if packets get out of order further downstream, the original sequence can be reconstructed.
This metadata allows operators to correlate captured packets across multiple network segments and precisely reconstruct timelines for troubleshooting, compliance, or analysis.
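The following is an added example, not Beeks or vendor code, showing how a capture consumer can use this metadata: it parses a prepended header, rebuilds per-port order from sequence numbers (also reporting missing sequence numbers, which indicate packets lost from the mirrored feed), and removes duplicates seen on more than one feed. The 14-byte header layout, the function names and the sample frames are assumptions made for illustration.

```python
import hashlib
import struct
from collections import namedtuple

# Hypothetical 14-byte metadata header (an assumption for illustration, not a
# vendor format): ingress port (u16), sequence number (u32), timestamp ns (u64).
HEADER = struct.Struct("!HIQ")
Record = namedtuple("Record", "port seq ts_ns packet")

def parse_record(frame: bytes) -> Record:
    """Split an aggregator frame into its metadata header and original packet."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than metadata header")
    port, seq, ts_ns = HEADER.unpack_from(frame)
    return Record(port, seq, ts_ns, frame[HEADER.size:])

def restore_order(records):
    """Rebuild per-port order from sequence numbers; report missing ones."""
    by_port, gaps = {}, {}
    for r in records:
        by_port.setdefault(r.port, []).append(r)
    for port, recs in by_port.items():
        recs.sort(key=lambda r: r.seq)
        seen = {r.seq for r in recs}
        gaps[port] = [s for s in range(recs[0].seq, recs[-1].seq + 1) if s not in seen]
    return by_port, gaps

def deduplicate(records, window_ns=1_000_000):
    """Drop copies of a packet seen on another feed within window_ns; keep the earliest."""
    last_seen, unique = {}, []
    for r in sorted(records, key=lambda r: r.ts_ns):
        digest = hashlib.sha256(r.packet).digest()
        if digest in last_seen and r.ts_ns - last_seen[digest] <= window_ns:
            continue
        last_seen[digest] = r.ts_ns
        unique.append(r)
    return unique

def make_frame(port, seq, ts_ns, packet):  # builds the constructed sample frames
    return HEADER.pack(port, seq, ts_ns) + packet

# Constructed sample feed: port 1 arrives out of order with seq 12 missing;
# port 2 carries a second copy of packet "A" seen 400 ns later.
SAMPLE = [
    make_frame(1, 11, 1_000_000_900, b"B"),
    make_frame(1, 10, 1_000_000_100, b"A"),
    make_frame(2, 50, 1_000_000_500, b"A"),
    make_frame(1, 13, 1_000_002_000, b"C"),
]
```

Hashing the full packet bytes is a simplification: copies captured at different points may differ in VLAN tags or TTL, so a real de-duplication key would exclude those fields.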
An additional benefit of a packet aggregator switch is that these switches can typically combine ingress timestamping with deep buffers. Buffering in a packet aggregator temporarily stores packets in memory, which provides several benefits:
Handling Bursts: Network traffic can be “bursty.” A buffer ensures short surges in traffic do not lead to immediate packet drops if the egress interface or the monitoring tool is temporarily saturated.
Smoothing Traffic Flows: The aggregator can smooth out traffic so the downstream tool receives a more consistent data rate, avoiding overflow in the capture device’s buffers.
Time Gap Preservation: Some aggregators allow for advanced timestamping while buffering so that short congestion periods do not corrupt the accuracy of timestamps.
Controlled Forwarding: If the aggregator is performing advanced processing (e.g., filtering, load balancing), buffering allows the aggregator time to manage those tasks without losing data.
Whether you need a packet aggregator depends on whether you need any of these extra functions, how many ports of traffic you want to feed to Beeks Analytics, and whether there are other monitoring tools that you wish to feed the same traffic to.