09. 06. 2016 Luca Di Stefano Unified Monitoring

Network Performance Monitoring: Port Mirroring vs. Network TAPs vs. Hardware Timestamp

Monitoring network traffic was initially used only for highlighting the typology of network traffic and the quantity of packages/bites broadcasted. This information are important to analyze anomalies, to optimize flows (balance network traffic) and to size the infrastructure.

Usually, the NetFlow protocol is used to collect network traffic data. NetFlow can be generated from the network device itself – if the device has this functionality – or from an ad-hoc device such as the nBox. The latter is recommended as it prevents a burgeoning workload of the device. Moreover, the nBox does not sample the data neither does it aggregate data every 5 minutes, as it usually happens when using network devices. When using an nBox, port mirror is used to duplicate traffic data and to send it to the probe.

Port Mirroring

For a quantitative analysis of network traffic data port mirroring is enough, since the most important thing is that the packages are sent to the probe by a fair time.

However, new network performance monitoring systems (APM, NPM) brought tighter requirements than port span and port mirror can provide. Switches need time to copy the packages and send them to the probe. The processing time of that ends up in inaccurate data. This is a real problem if you have to evaluate network latencies of modern networks (microseconds). On top of that, some network devices do not send the packages immediately to the probe: the devices queue the packages until a certain number is reached, before sending them all together to the probe. As a consequence, the temporal distance among the packages isn’t considered and the probe’s results are wrapped.

Port Mirroring

In this case it is important to consider that the packet ingress time and the packet mirror egress time are different.

We can propose two solutions for fixing it: network Tap and hardware timestamp.

1: Network TAPs

Network TAPs are devices that mirror the traffic and immediately send it to the probe.

Network TAP

Network TAPs are trustworthy as they guarantee zero package loss during the mirroring (this loss might happen if you port mirror has an incorrect setup), they don’t buffer and they reduce the switches’ workload. You can find different kinds on the market, for ethernet and fiber connection, and they are a cheap alternative.

TAP Fibra TAP Rame

2: Hardware Timestamps

There exist also switches which apply a timestamp on the packages before queuing them up the buffering in the port mirror. The nBox is able to detect and use this (arrival) timestamp. This process eliminates all the time latencies created by the port mirror during the elaboration and the forwarding. These devices are expensive but more flexible as they provide multiple-port mirrors and allow hot configuration.

Port Mirroring with Hardware Timestamp

As a conclusion, port mirrors are great for IDS (intrusion detection System) and for quantitative traffic analysis and network TAPs are great for more precise network performance monitoring.

Luca Di Stefano

Luca Di Stefano

Solution Architect at Würth Phoenix
Hi everyone, I’m Luca, graduated in electrical engineering from the University of Bologna. I am employed by Würth Phoenix since its foundation. I worked mainly as enterprise architect and quality assurance engineer. Previously I was involved in systems measurement and embedded systems programming. I have gained experience on Unix (Solaris, HPUX), Windows, and C, C + +, Java. I personally contribute to the Open Source community as beta tester and developer. During my spare time I love piloting airplanes fly over the beautiful Alps. I practice many sports: tennis, broomball, skiing, alpine skiing, volleyball, soccer, mountain biking, middle distance, none have a sample but the competition excites me! I love hiking, tracking and traveling.

Author

Luca Di Stefano

Hi everyone, I’m Luca, graduated in electrical engineering from the University of Bologna. I am employed by Würth Phoenix since its foundation. I worked mainly as enterprise architect and quality assurance engineer. Previously I was involved in systems measurement and embedded systems programming. I have gained experience on Unix (Solaris, HPUX), Windows, and C, C + +, Java. I personally contribute to the Open Source community as beta tester and developer. During my spare time I love piloting airplanes fly over the beautiful Alps. I practice many sports: tennis, broomball, skiing, alpine skiing, volleyball, soccer, mountain biking, middle distance, none have a sample but the competition excites me! I love hiking, tracking and traveling.

Latest posts by Luca Di Stefano

27. 04. 2017 Uncategorized
Chi si sta mangiando la banda? Scoprilo con ntopng
27. 04. 2017 Uncategorized
Identifizieren Sie Bandbreitenfresser mit ntopng
27. 04. 2017 Unified Monitoring
Find out who is eating your bandwidth with ntopng
22. 09. 2016 NetEye, Real User Experience Monitoring
Warum erhöht sich meine Netzwerk-Latenz an Arbeitstagen?
22. 09. 2016 NetEye, Predictive Analysis, Real User Experience, Unified Monitoring
Why does my local network latency increase during working hours?
See All

Related Content

Tags: , , ,

05. 03. 2024 Unified Monitoring

nBox Mini

Every now and then I like to keep you up to date about news in the ntop environment. This time it's not news about analysis methods or software, but about a new hardware solution. If you're someone looking for a Read More
12. 04. 2022 Unified Monitoring

News from nBox and ntopng

In the last few weeks I installed and configured some nBoxes with the new ntopng version 5.2. Now I'd like to briefly tell you all about it. For all of you who don't know what an nBox is, I'll relay Read More
02. 11. 2021 NetEye, Unified Monitoring

nBox to NetEye Elastic Module

A customer asked me to analyze their network flows, with a solution oriented towards using an nBox that collects NetFlow data from a router located away from the branch office, takes it in for analysis, and then sends it to Read More
26. 11. 2018 NetEye, Unified Monitoring

ntop Training

  Who is using your network and how? What kind of traffic does your company generate? Where does slow network performance come from? ntop has the answers. ntop is a network traffic probe that monitors network usage. This solution provides an intuitive, Read More
27. 04. 2017 Uncategorized

Chi si sta mangiando la banda? Scoprilo con ntopng

Chi riesce a sapere veramente quali sono i protocolli utilizzati nella rete locale? Solitamente con i netflow si può distinguere il traffico attraverso le porte L4 (80=http,443=https,..) ma non è più sufficiente. Alcune applicazioni usano invece porte dinamiche (vedi nfs, Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive