Hongke Share|Development of Portable Packet Capture Solution

Some say the future is here. If we look at the IoT technologies that have been developed over the last decade, we really have nothing to refute them. The technological boom of the 21st century has changed the way we live and communicate with each other.

Take the MAREA project we are studying as an example; one could even say we are witnessing history. It is an ultra-high-speed optical fiber network laid on the seabed from the United States to Spain, with a transmission capacity of 160 Tbit/s.

Unfortunately, these innovations can open up new avenues for hackers to infiltrate networks. The latest ransomware or DDoS attack reveals security gaps that haven't been seen in past years.

To keep up with the ever-changing developments and give users peace of mind, many companies have created monitoring and security tools. Among them, packet capture solutions are the basis of a highly secure IT infrastructure.

Cyber crises can happen when you least expect them, which is why the world of network monitoring must evolve too. We can choose a network analyzer that is quick to deploy, captures your packets quickly, and is robust enough to handle unexpected situations even in the field.

Companies such as Profitap create powerful portable TAPs (such as the ProfiShark series) that are among the best and fastest tools for field packet capture. They are ideal devices to help you drill down into your network, analyze traffic, and identify which packets are causing the problem.

But how do we do it? How can a portable TAP be strong enough to handle 100% traffic and at the same time be easy to deploy in the field?

Let's take a look at how the portable network TAP has evolved.

Portable Full Duplex TAP

Originally, we had copper and fiber TAPs that were designed to be used only in a data center environment. Learn more about all types of network monitoring tools.

It didn't take long for manufacturers to understand the need for field tools, so they created a basic version of the full-duplex TAP and sold it as a portable model. However, they're also just smaller versions of the rack-mount models and still include rack-mount screw holders.

This full-duplex TAP (also known as a Breakout TAP) captures traffic from its two network ports and copies each direction to a separate output (monitoring) port. In addition to the TAP itself, you need a box PC with dual network interface cards (NICs), and the PC hosting the monitoring application must also perform interface bonding or link aggregation so that the two interfaces are seen as a single flow.

The device captures traffic at full line rate without packet loss or timing delays. Performance is therefore not the issue, but it is still difficult for IT engineers to adopt this kind of "portable" TAP in the field, because it still needs additional hardware.

All in all, this first approach to a portable TAP is not really portable: you cannot take a desktop with you into the field, and laptops do not have dual network cards.

Portable Aggregation TAP

Another way TAP manufacturers have tried to solve the portability problem is by introducing Aggregator TAPs, also known as Aggregation TAPs. This type of TAP combines the two incoming traffic streams into one outgoing stream, so a single monitoring port receives the aggregated traffic of both network ports.

Therefore, this solves the need for dual NICs for the PC used for analysis. In fact, it removes the box PC entirely, allowing a laptop to easily connect to the TAP. While this achieves true portability, it does not achieve performance.

We all know that network backbones run at gigabit speeds (1 Gbps) at least, so to troubleshoot any network backbone the TAP must be inserted on a gigabit link. However, when the output (monitor) port is also a gigabit port, it is impossible to fully transmit 2 Gbps of aggregated traffic over a 1 Gbps output.

The result is inconsistent traffic capture. Once utilization of the network link rises above 50% and the buffers saturate, packets are dropped. If both input network ports run at full capacity, as much as 50% of the total traffic can be lost.

The best way to overcome this bottleneck is to route the aggregated traffic to a higher-rate output. It is not feasible for TAP manufacturers to use a 10GE NIC as the output of a portable TAP, and laptops do not have 10GE NICs either, and probably will not for a long time. The point, again, is to pack portability and performance into a single gadget.

Advanced on-site packet capture tool

Later we released a specially developed portable network TAP. Pocket-sized and powerful, this device can handle every type of troubleshooting—an ideal piece of equipment for companies that want to ensure network stability, scalability, and security.

These advanced field troubleshooting tools are different from their predecessors because they have the ability to connect and start capturing packets in minutes with no special requirements.

They are also capable of transferring captured packets directly to the host computer's disk. All packets are captured in real-time at the hardware level, with nanosecond timestamps, as each packet enters the TAP. This timestamp allows real-time protocol analysis of captured traffic with nanosecond resolution.
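To make the timestamp claim concrete, the following added example (not Profitap's code, and not from the original article) models why nanosecond resolution matters on a 1 Gbps link. It uses the standard Ethernet figures: a minimum 64-byte frame plus 8 bytes of preamble/SFD and a 12-byte inter-frame gap occupy 672 bit times, so back-to-back frames arrive 672 ns apart. The burst timestamps are constructed for the demonstration.

```python
"""Effect of timestamp resolution on back-to-back gigabit frames.

Constructed example: a burst of minimum-size frames captured with
nanosecond hardware timestamps, then re-quantized to a coarser clock
(e.g. the microsecond timestamps of a software capture) to show how
many inter-arrival gaps collapse to zero.
"""

GIGABIT_BPS = 1_000_000_000
# Minimum Ethernet frame (64 B incl. FCS) + preamble/SFD (8 B) + IFG (12 B)
MIN_FRAME_ON_WIRE_BYTES = 64 + 8 + 12


def min_frame_spacing_ns(link_bps: int = GIGABIT_BPS,
                         on_wire_bytes: int = MIN_FRAME_ON_WIRE_BYTES) -> int:
    """Smallest possible gap between frame starts on the given link, in ns."""
    return on_wire_bytes * 8 * 1_000_000_000 // link_bps   # 672 ns at 1 Gbps


def back_to_back_burst(start_ns: int, count: int, link_bps: int = GIGABIT_BPS):
    """Constructed arrival times of `count` minimum-size frames sent back to back."""
    spacing = min_frame_spacing_ns(link_bps)
    return [start_ns + i * spacing for i in range(count)]


def inter_arrival_ns(timestamps_ns):
    """Gaps between consecutive arrivals."""
    return [later - earlier for earlier, later in zip(timestamps_ns, timestamps_ns[1:])]


def quantize(timestamps_ns, resolution_ns: int):
    """Truncate each timestamp to a multiple of the clock resolution."""
    return [t - t % resolution_ns for t in timestamps_ns]


def unresolved_gaps(timestamps_ns, resolution_ns: int) -> int:
    """Number of consecutive frames a clock of this resolution cannot tell apart."""
    return sum(1 for gap in inter_arrival_ns(quantize(timestamps_ns, resolution_ns)) if gap == 0)


if __name__ == "__main__":
    burst = back_to_back_burst(start_ns=1_000_000, count=5)
    print("hardware (1 ns) gaps:", inter_arrival_ns(burst))
    print("microsecond gaps:    ", inter_arrival_ns(quantize(burst, 1_000)))
    print("pairs merged at 1 us:", unresolved_gaps(burst, 1_000))
```

With the nanosecond clock every gap in the burst is 672 ns; truncated to microseconds, two of the four gaps read as zero, so the analyzer would see "simultaneous" frames and could no longer measure the true inter-packet timing.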

Our Portable Network TAP is designed to do just that, without using a Gigabit NIC as a monitor port. Instead, it uses USB 3.0, which can transfer data at speeds of up to 5 Gbps. Therefore, it can easily transfer 2 Gbps of aggregated traffic (ports A and B transfer 1G each) over a USB 3.0 link.

This means that the buffer memory does not need to drop any packets, nor does it have to store packets long enough to affect their timing. In addition, it can be connected to a laptop's USB port and has a unique plug-and-play feature without relying on an external power source.
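The bottleneck described for the Aggregation TAP (two 1 Gbps ports funnelled into a 1 Gbps monitor port, with losses once utilization passes 50%) and the USB 3.0 design described here (the same 2 Gbps aggregate over a 5 Gbps link) are two settings of one model. The following added example, which is not the article's or Profitap's code, is a simple fluid-flow simulation: arrivals from ports A and B are added to a finite buffer each time slot, the output drains at its own rate, and whatever overflows the buffer is dropped. The 1 MB buffer size and the time-slot granularity are assumptions for the demonstration.

```python
"""Fluid-flow model of an aggregation TAP feeding a single monitor output.

Constructed example: two network ports, A and B, each running at
`port_rate_bps`, are copied into one output that drains at
`output_rate_bps` through a finite buffer. Traffic that does not fit in
the buffer is dropped, matching the failure mode described in the text.
"""
from dataclasses import dataclass


@dataclass
class TapResult:
    offered_bits: int       # traffic presented by ports A and B together
    delivered_bits: int     # traffic that reached the monitor output
    dropped_bits: int       # traffic lost to buffer overflow
    peak_backlog_bits: int  # largest queue carried from one slot to the next

    @property
    def loss_fraction(self) -> float:
        return self.dropped_bits / self.offered_bits if self.offered_bits else 0.0


def simulate_aggregation_tap(
    util_a: float,
    util_b: float,
    port_rate_bps: int = 1_000_000_000,    # 1 GbE network ports
    output_rate_bps: int = 1_000_000_000,  # 1 GbE monitor port (the bottleneck case)
    buffer_bytes: int = 1_000_000,         # assumed 1 MB on-board buffer
    duration_s: float = 1.0,
    slots: int = 10_000,                   # assumed time-slot granularity
) -> TapResult:
    """Step time in equal slots: add the aggregated arrivals, drain at most
    the output's share for that slot, then truncate the queue to the buffer."""
    slot_s = duration_s / slots
    arrivals = int(round((util_a + util_b) * port_rate_bps * slot_s))
    drain = int(round(output_rate_bps * slot_s))
    buffer_bits = buffer_bytes * 8

    queue = delivered = dropped = peak = 0
    for _ in range(slots):
        queue += arrivals
        sent = min(queue, drain)
        delivered += sent
        queue -= sent
        if queue > buffer_bits:          # buffer full: excess is lost
            dropped += queue - buffer_bits
            queue = buffer_bits
        peak = max(peak, queue)
    return TapResult(arrivals * slots, delivered, dropped, peak)


def max_lossless_utilization(port_rate_bps: int, output_rate_bps: int, ports: int = 2) -> float:
    """Highest per-port utilization the output can sustain indefinitely."""
    return min(1.0, output_rate_bps / (ports * port_rate_bps))


if __name__ == "__main__":
    scenarios = {
        "1G monitor port, both links at 40%": (0.4, 0.4, 1_000_000_000),
        "1G monitor port, both links at 100%": (1.0, 1.0, 1_000_000_000),
        "USB 3.0 (5 Gbps), both links at 100%": (1.0, 1.0, 5_000_000_000),
    }
    for name, (a, b, out) in scenarios.items():
        r = simulate_aggregation_tap(a, b, output_rate_bps=out)
        print(f"{name}: loss {r.loss_fraction:.1%}, peak backlog {r.peak_backlog_bits // 8} bytes")
    print("lossless limit per port, 1G output:", max_lossless_utilization(1_000_000_000, 1_000_000_000))
    print("lossless limit per port, USB 3.0:  ", max_lossless_utilization(1_000_000_000, 5_000_000_000))
```

With both links saturated and a 1 Gbps monitor port the model loses 49.6% of the offered traffic (the buffer absorbs the rest of the 50%), and the buffer sits permanently full, which is also what distorts packet timing; raise the output to 5 Gbps and the backlog never builds. One caveat worth keeping in mind: 5 Gbps is USB 3.0's raw signalling rate, and 8b/10b line coding leaves roughly 4 Gbps of payload bandwidth, still comfortably above the 2 Gbps aggregate.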

Today, portable capture devices have evolved well beyond simple in-line packet capture. They can be used as a long-term capture solution and can be accessed remotely. For example, if you use the ProfiShark 1G with a NAS, its long-term capture feature will help you catch intermittent problems.

Additionally, ProfiShark can be used in conjunction with ProfiSight, our own web-based network traffic analyzer, allowing you to quickly view flow data by extracting metadata from captured packet flows. In other words, this packet capture and analysis setup provides fast, complete access and visualization of important traffic so that you can troubleshoot intermittent network performance issues and ensure the quality of service (QoS) of your network.

Advanced portable TAP tools are already available in many situations and promise to provide good results. They may be ideal when evaluating temporary, intermittent issues, such as unexpected protocol interactions, that cannot be assessed by traditional monitoring tools.

These portable devices are very useful for protecting against cyber attacks such as phishing or other types of security threats. With such tools, network administrators can reconstruct web sessions, emails, and "chat line" conversations in chronological order to investigate security incidents and conduct accurate forensic analysis.

Finally, perhaps the most exciting fact about portable network TAPs is that we are only just getting started. Endless possibilities for live network monitoring await us!


Origin blog.csdn.net/HongkeTraining/article/details/130525450