Inline vs. SPAN / Mirror Packet Capture

As standalone packet capture appliances, IPCopper appliances combine network tapping with storage. When placed inline on a cable they require no additional equipment to capture and record Ethernet/IP traffic. In addition to inline capture, IPCopper appliances also feature a dedicated SPAN mode, for connecting the appliance to the SPAN/mirror port on a switch, router or other piece of networking equipment.

Inline

Inline mode (also known as “pass-through”) presents several advantages. The biggest advantage of inline deployment is the absence of any intervening equipment between the packet capture appliance and Ethernet/IP traffic on the wire. When inline, IPCopper packet capture appliances capture and timestamp packets exactly as they traverse the wire, with none of the potential delays, latency, data loss or packet re-ordering that intermediary equipment could introduce. The inline setup is also quite simple, involving the connection of a pair of cables. As a side benefit, the network could also take advantage of the IPCopper appliance’s large buffer memory during spikes in utilization.

SPAN / Mirror

Since IPCopper packet capture appliances have at least two capture ports, SPAN mode enables one unit to capture traffic from more than one network or network segment (the four-port USC6042, for example, would be able to receive data from up to four separate networks).

In a SPAN configuration, the accuracy and integrity of the captured network data relies heavily on the performance of the equipment mirroring the traffic. This intermediary equipment may potentially re-order or drop packets and it is possible for packets traversing the intermediary equipment not to be mirrored for output on the SPAN port. Having intervening equipment also introduces a delay in the packets reaching the IPCopper packet capture appliance, resulting in inaccurate timestamping.

Lastly, with a SPAN configuration situations may arise in which the router or switch attempts to feed data in excess of 1 Gbps or 10 Gbps through the SPAN/mirror port, since the traffic sent out through the SPAN/mirror port is an aggregate of all the traffic received and sent by the router/switch in both directions. Under peak loads, the switch/router may drop packets intended for the SPAN/mirror port should the traffic volume overwhelm the switch/router’s buffer.

Choosing Which Mode to Use

In situations where the accuracy of the capture and timestamping is of utmost importance, inline mode would be the preferred configuration. In other situations, where connecting multiple networks or network segments to one IPCopper unit is more important, SPAN mode may be preferred, with the understanding that the intermediary router or switch may introduce errors and skew the timestamps.

At other times, inline mode may be preferred for its accuracy, yet network downtime due to malfunction or power loss may be of concern. For that scenario, the USC6042 1-Gbps model, USC10G3, USC10G4 and USC10M2 10-Gbps models all feature bypass (a.k.a. failover passthrough), to ensure continued network operations even in the event the appliance loses power or otherwise malfunctions.

Report: Marketing Cybercrime to Infect America

Report