In a Nutshell

Network monitoring requires a non-intrusive way to capture traffic. Port Mirroring, commonly implemented as SPAN (Switched Port Analyzer), allows a switch to duplicate traffic from one or more ports to a diagnostic destination. This article explores the mechanics of local SPAN, Remote SPAN (RSPAN), and the performance trade-offs of deep packet inspection.

The Mirroring Mechanic

In a switched environment, traffic is delivered only to the specific port where the destination MAC address resides. To monitor this traffic—for security auditing or troubleshooting—we must instruct the switch fabric to 'mirror' (copy) packets.

[Interactive simulator: Port Mirroring (SPAN) Simulator, "Traffic Replication & Visibility". A switch fabric (ASIC) mirrors Source A and Source B to a Destination port feeding an IDS/sniffer; analyzer bandwidth 1.0 Gbps, traffic load 0.0 Gbps.]

Source and Destination Dynamics

A SPAN session consists of a Source (ports or VLANs being monitored) and a Destination (the port where the sniffer/IDS is connected).

  • Ingress (RX): Monitors traffic entering the source.
  • Egress (TX): Monitors traffic leaving the source.
  • Both: RX and TX together, giving full-duplex visibility.

Header Deconstruction: RSPAN vs. ERSPAN

How the traffic is moved across the network depends on the scale and topology of the monitoring session.

  • RSPAN (L2): Uses a dedicated Remote VLAN. The frame is preserved exactly as it entered the switch, but tagged with the RSPAN VLAN ID. This is limited to the same L2 domain.
  • ERSPAN (L3): High-fidelity encapsulation for routed networks.
    [IP Header] + [GRE Header (Proto 0x88BE)] + [ERSPAN Header] + [Original Frame]

Hardware Perspective: ASIC vs. CPU

Most enterprise-grade switches perform mirroring at the ASIC (Application-Specific Integrated Circuit) level. This is "Non-Blocking," meaning the switch fabric can duplicate the packet with wire-speed performance.

Network TAPs: The Physical Alternative

While SPAN is a logic-based duplication in the switch fabric, a Network TAP (Test Access Point) is a physical hardware device inserted into the cable run.

  • Passive Optical TAPs: Use an optical splitter (prism) to physically divide the light. For example, a 70/30 split sends 70% of the light to the destination and 30% to the monitoring tool. It requires no power and cannot fail logically.
  • Active Copper TAPs: Actively replicate the electrical signal, so they require power. Importantly, TAPs often provide a "Failsafe" bypass: if the TAP loses power, the production link remains closed (connected).

Optimization: Packet Slicing & Masking

Capturing every byte of every packet is expensive in terms of storage and disk I/O. For most monitoring needs (such as flow analysis or header auditing), we use Packet Slicing, which keeps only the first bytes of each packet (the headers) and discards the rest of the payload.

The Network Packet Broker (NPB)

In large enterprises, simply mirroring a port is not enough. We use a Network Packet Broker (NPB) as a middleware layer between the TAPs/SPAN ports and the monitoring tools.

NPB Functions:

  • Aggregation: Combine multiple low-bandwidth SPAN feeds into one high-bandwidth tool port.
  • Deduplication: If a packet is seen on multiple mirrored ports, the NPB removes the duplicates before sending them to the IDS.
  • Filtering: Forward only specific protocols (e.g., HTTP/TLS) to the relevant analyzer.
  • Load Balancing: Distribute traffic across a cluster of Wireshark or Zeek sensors.

Calculating Oversubscription & Direction

A common mistake is mirroring a full-duplex 1 Gbps link to a single 1 Gbps destination: RX and TX are both copied to the same port, so the mirrored load can reach 2 Gbps.

$$\text{Mirror Load} = \sum (\text{Source RX}) + \sum (\text{Source TX})$$

If $\text{Mirror Load} > \text{Destination Interface Bandwidth}$, the switch will drop packets at the destination (egress) port. To avoid this, use Packet Slicing to capture only the first 64-128 bytes (the headers) of each packet.
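The oversubscription check above, worked through as an added example (not code from the original article). It assumes a simple tail-drop model at the SPAN destination port, and it places slicing at the NPB/tool side as described in the NPB section; the interface names and traffic figures are constructed.

```python
from dataclasses import dataclass


@dataclass
class SourcePort:
    name: str
    rx_gbps: float  # traffic entering the source port (ingress)
    tx_gbps: float  # traffic leaving the source port (egress)


def mirror_load_gbps(sources, direction="both"):
    """Mirror Load = sum(Source RX) + sum(Source TX), limited to the
    monitored direction: "rx", "tx" or "both"."""
    rx = sum(s.rx_gbps for s in sources) if direction in ("rx", "both") else 0.0
    tx = sum(s.tx_gbps for s in sources) if direction in ("tx", "both") else 0.0
    return rx + tx


def span_drop_fraction(load_gbps, dest_gbps):
    """Share of mirrored bytes the switch discards at the SPAN destination.
    Assumption: the egress queue tail-drops everything above line rate,
    so only dest/load of the mirrored traffic survives."""
    if load_gbps <= dest_gbps:
        return 0.0
    return 1.0 - dest_gbps / load_gbps


def tool_port_load_gbps(span_feeds_gbps, avg_packet_bytes, snaplen):
    """Bandwidth reaching one tool port after an NPB aggregates several SPAN
    feeds and slices each packet to `snaplen` bytes. Slicing happens after
    the SPAN destination, so it relieves the tool and its storage, not the
    switch's egress port."""
    kept = min(snaplen, avg_packet_bytes) / avg_packet_bytes
    return sum(span_feeds_gbps) * kept


def plan(sources, dest_gbps, direction="both", avg_packet_bytes=1000, snaplen=128):
    """End-to-end budget: SPAN destination on the switch, then NPB tool port."""
    load = mirror_load_gbps(sources, direction)
    drop = span_drop_fraction(load, dest_gbps)
    delivered = load * (1.0 - drop)
    return {
        "mirror_load_gbps": load,
        "oversubscription": load / dest_gbps,
        "drop_fraction": drop,
        "delivered_gbps": delivered,
        "tool_port_gbps": tool_port_load_gbps([delivered], avg_packet_bytes, snaplen),
    }


if __name__ == "__main__":
    # Constructed sample: two busy full-duplex 1 Gbps ports mirrored to one 1 Gbps port.
    ports = [SourcePort("Source A", 0.5, 0.5), SourcePort("Source B", 0.5, 0.5)]
    print(plan(ports, dest_gbps=1.0))            # both directions: 2x oversubscribed
    print(plan(ports, dest_gbps=1.0, direction="rx"))  # RX only: fits
```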

Security & VLAN Leakage

Monitoring ports carry a significant security risk. Because a SPAN destination port receives copies of traffic from other VLANs, anyone with access to it can bypass the logical segmentation those VLANs provide.

Conclusion: Visibility Optimization

Network visibility requires a balance between fidelity and impact. While ERSPAN offers incredible flexibility for virtualized environments, Local SPAN remains the lowest-latency option for real-time forensics. By deconstructing the hardware buffer impact and header overhead, engineers can build visibility fabrics that enhance security without compromising the production link.
