Network packet capture is the foundation of everything you do to monitor, troubleshoot, and secure your infrastructure. Without it, your security tools are guessing, your performance data is incomplete, and your forensic investigations lack the evidence they need. Getting packet capture right, and doing it at scale, is one of the most important things any network or security team can do.
This guide covers every stage of the process: choosing your access method, deploying the right hardware, configuring your capture tools, and filtering traffic so your analysis tools receive exactly what they need. Whether you're setting up packet capture for the first time or reviewing your current approach, you'll find everything you need here.
Packet capture, sometimes called network packet sniffing or packet recording, is the process of intercepting and recording packets as they travel across a network link. Each captured packet is a complete record of the data in transit: its source and destination addresses, the protocol in use, and the payload itself, together with a timestamp that the capture device applies at the moment it sees the packet.
This raw visibility underpins a wide range of use cases across security, performance, and compliance programs.
Security teams replay captured traffic to investigate incidents after they happen. When an alert fires, packet data tells you exactly what happened, what systems were involved, and what data moved. Without a capture record, you're reconstructing events from incomplete log data and working with probabilities rather than facts.
When an application slows down or fails intermittently, packet capture gives you ground truth. You can see whether the problem is in the network, the application, or an external dependency, and pinpoint the exact packet exchanges where latency or errors appear. This level of detail cuts troubleshooting time dramatically compared to working from metrics alone.
Many regulatory frameworks require organizations to demonstrate that network monitoring controls are in place and functioning. Captured packet data, collected from a complete and reliable access point, provides legally defensible evidence that your monitoring program covers the traffic it's supposed to cover.
A full packet capture records every layer of the packet, from the Layer 2 Ethernet header through to the application payload. Depending on your tools and storage capacity, you can capture:
Before any software can capture a packet, you need physical or logical access to the network link where traffic flows. There are two main methods for this: network TAPs and SPAN ports (Switched Port Analyzer, also called mirror ports). The choice between them has significant implications for the completeness and reliability of what you capture.
A network Test Access Point (TAP) is a dedicated hardware device installed directly into a network link. It splits or copies the traffic on that link and sends an exact duplicate to your monitoring infrastructure, completely independently of the live traffic path.
TAPs are the preferred access method for any environment where complete, reliable capture matters:
A SPAN port is a software feature on a managed network switch that mirrors traffic from one or more ports to a designated monitoring port. SPAN ports are built into most enterprise switches and require no additional hardware, making them attractive for quick or ad-hoc captures.
However, SPAN ports have serious limitations for production packet capture:
For security monitoring, compliance programs, and any situation where a complete, forensically defensible packet record is required, use hardware TAPs. SPAN ports are useful for quick troubleshooting captures in environments where a TAP isn't available, but they can't match the reliability or completeness that TAPs provide.
Deploying a network TAP is straightforward and typically requires a brief planned maintenance window for fiber links. Copper links with bypass capability can often be inserted without a full link-down event.
Start by mapping the network links where you need visibility. The highest-priority capture points are usually:
Each link you want to capture requires a TAP. Cover your highest-risk links first, then expand your deployment.
Your TAP selection depends on the physical link you're tapping:
For a passive fiber TAP:
For a copper Ethernet TAP, the process is identical. Bypass-capable copper TAPs allow insertion without a full link-down event, using failsafe circuitry to maintain the live path during installation.
If you're capturing from multiple links and need to feed traffic to one or more analysis tools, insert a network packet broker between your TAPs and your capture devices. The packet broker aggregates traffic from multiple TAPs, applies filtering and deduplication, and distributes the right traffic to the right tools.
Without a packet broker in a multi-TAP deployment, managing your capture infrastructure becomes increasingly difficult as your network grows. Every new tool requires a new direct connection from each TAP, each tool has to filter the full feed on its own, and any change to your tool estate means recabling.
When a TAP isn't available and you need a quick capture, here's how to configure a SPAN port on a managed switch.
Decide which ports you want to monitor (source) and which port your capture device is connected to (destination). Your capture device plugs into the destination port.
The exact syntax varies by switch vendor, but the general process is consistent:
Enabling both ingress and egress gives you a complete picture of traffic on each source port; monitoring only one direction is a common mistake that produces a capture in which every conversation appears one-sided. Bear in mind that the destination port has to carry both directions of every source port, so a single full-duplex 1G source can offer up to 2 Gbit/s to a 1G destination, and the switch drops whatever mirrored traffic does not fit.
After configuration, check:
With your access method in place, you need software to capture and record the packets. The right tool depends on your capture rate, use case, and storage requirements.
Most capture tools write to PCAP (Packet Capture) format, the industry standard. PCAP files can be opened by Wireshark, tcpdump, and virtually every network analysis platform. The newer PCAPng format extends this with support for multiple interfaces in a single file and richer metadata, including finer timestamp resolution and per-packet comments, and is increasingly common in modern tooling.
Capturing everything is valuable for forensic work, but it generates large data volumes and can overwhelm analysis tools. Filtering focuses your capture on the traffic that matters, reducing storage requirements and making analysis faster.
You have two stages where filtering can be applied:
For high-volume production environments, the most scalable approach is pre-capture filtering through a packet broker. The SmartNA-XL and SmartNA-PortPlus platforms both support advanced filtering at line rate, including Layer 2–4 filtering by IP address, protocol, port, and VLAN tag.
Berkeley Packet Filter (BPF) syntax is the standard for software-level capture filtering:
host 192.168.1.100 captures all traffic to or from a specific IP address
port 443 captures traffic to or from port 443 (HTTPS by convention; the filter matches the port number, not the protocol actually spoken)
tcp, udp, or icmp selects traffic by IP protocol
net 10.0.0.0/8 captures all traffic to or from a defined subnet
host 192.168.1.100 and port 443 narrows capture to a specific host and service
Primitives combine with and, or, and not, so src host 192.168.1.100 and not port 22 is equally valid.
Beyond filtering, packet brokers can apply additional processing before traffic reaches your analysis tools:
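Putting the PCAP layout, the filter primitives above, and the both-directions check from the SPAN section into working code: the following is an added example, not code from the original guide or from the TAP vendor. It builds a handful of Ethernet/IPv4 frames in memory (the addresses 192.168.1.100, 203.0.113.10 and 192.168.1.53, the ports, and the 96-byte snaplen are all chosen for illustration), writes them out in classic PCAP layout, reads them back with a minimal parser, applies a post-capture filter equivalent to host 192.168.1.100 and port 443, counts packets sliced by the snaplen, and flags conversations present in only one direction, which is the symptom of a SPAN session mirroring rx or tx alone. IP and transport checksums are left at zero because nothing here transmits the frames.

```python
# Added example, not from the original guide: a minimal PCAP writer/reader, a
# post-capture filter and a both-directions check. Addresses, ports and the
# 96-byte snaplen are constructed for illustration; checksums are left zero.
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # classic PCAP, microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
BYTE_ORDER = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian us / ns
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian us / ns

def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet II + IPv4 + TCP|UDP frame; zero checksums are fine for a parser demo."""
    if proto == 6:      # TCP: seq/ack 0, data offset 5 words, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    elif proto == 17:   # UDP: length field covers header + payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only tcp (6) and udp (17) are built here")
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex("020000000002" "020000000001" "0800")   # dst MAC, src MAC, IPv4
    return eth + ip + l4

def write_pcap(frames, snaplen=65535, ts=1_700_000_000):
    """Classic PCAP: 24-byte global header, then a 16-byte record header per packet.
    incl_len is capped at snaplen (packet slicing); orig_len keeps the wire length."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        data = frame[:snaplen]
        out += struct.pack("=IIII", ts, i, len(data), len(frame)) + data
    return out

def decode_frame(frame, pkt):
    """Fill L3/L4 fields for Ethernet II / IPv4 / TCP|UDP; anything else stays 'other'."""
    pkt.update(src=None, dst=None, proto="other", sport=None, dport=None)
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return pkt
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    pkt["src"] = ".".join(map(str, frame[26:30]))
    pkt["dst"] = ".".join(map(str, frame[30:34]))
    pkt["proto"] = PROTO_NAMES.get(proto, str(proto))
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    return pkt

def read_pcap(data):
    """Parse an in-memory classic PCAP file; byte order comes from the magic number."""
    order = BYTE_ORDER.get(data[:4])
    if order is None:   # includes PCAPng (0A 0D 0D 0A), which has a different layout
        raise ValueError("not a classic PCAP file")
    if struct.unpack(order + "IHHiIII", data[:24])[6] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (link type 1) captures are decoded here")
    pos, packets = 24, []
    while pos + 16 <= len(data):
        ts_sec, _, incl_len, orig_len = struct.unpack(order + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        pkt = {"ts": ts_sec, "wire_len": orig_len, "truncated": incl_len < orig_len}
        packets.append(decode_frame(frame, pkt))
    return packets

def matches(pkt, host=None, port=None, proto=None):
    """Post-capture equivalent of the BPF primitives above, ANDed: host = src or dst."""
    return ((host is None or host in (pkt["src"], pkt["dst"]))
            and (port is None or port in (pkt["sport"], pkt["dport"]))
            and (proto is None or pkt["proto"] == proto))

def one_way_conversations(packets):
    """Address pairs seen in one direction only: a SPAN session mirroring rx or tx alone."""
    senders = defaultdict(set)
    for p in packets:
        if p["src"] and p["dst"]:
            senders[frozenset((p["src"], p["dst"]))].add(p["src"])
    return sorted(tuple(sorted(pair)) for pair, s in senders.items() if len(s) == 1)

# Constructed sample: an HTTPS exchange seen both ways (the reply is sliced by the
# 96-byte snaplen) and a DNS query whose answer never reached the capture.
CLIENT, SERVER, RESOLVER = "192.168.1.100", "203.0.113.10", "192.168.1.53"
SAMPLE_PCAP = write_pcap([
    build_frame(CLIENT, SERVER, 6, 51234, 443, b"\x16\x03\x01"),
    build_frame(SERVER, CLIENT, 6, 443, 51234, b"\x16\x03\x03" * 40),
    build_frame(CLIENT, RESOLVER, 17, 40000, 53, b"\x00\x01"),
], snaplen=96)

def summarise(data=SAMPLE_PCAP):
    """What a first look at a capture should report before any deeper analysis."""
    pkts = read_pcap(data)
    return {"packets": len(pkts),
            "https_packets": sum(matches(p, host=CLIENT, port=443) for p in pkts),
            "truncated": sum(p["truncated"] for p in pkts),
            "one_way": one_way_conversations(pkts)}

if __name__ == "__main__":
    print(summarise())
```

On the constructed sample, summarise() reports three packets, two of them matching the host-and-port filter, one sliced by the snaplen (its wire_len of 174 bytes survives in the record header even though only 96 bytes were stored), and one conversation seen in a single direction. Run against a real tcpdump -w file the same one_way_conversations() check is a quick way to confirm that a SPAN session was configured for both directions; the parser deliberately rejects PCAPng and non-Ethernet link types rather than misreading them, and for anything beyond a sanity check you would hand the file to tcpdump -r or Wireshark instead.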
A well-designed capture infrastructure is one you can rely on when it matters most. These principles will help you build something robust from the start.
Identify every network segment where a monitoring gap would create risk, and build your TAP deployment around eliminating those gaps. It's far easier to capture broadly and filter down than to discover a blind spot after an incident has already occurred.
Connect TAPs and monitoring tools through a dedicated out-of-band management network. This keeps monitoring traffic off your production infrastructure, eliminates the risk of feedback loops, and keeps your monitoring tools out of reach of an attacker who has a foothold on the production network. The monitor ports of a passive TAP only send traffic towards the tool, so nothing behind them can transmit onto the tapped link; it is the management interfaces of the tools and packet brokers that need isolating.
If you deploy inline security appliances (such as IPS or SSL inspection devices), always protect them with bypass TAPs. When an inline tool fails or requires maintenance, the bypass TAP automatically reroutes traffic to maintain network availability. Without bypass protection, an inline appliance failure takes the link down with it.
Full packet capture generates substantial data volumes at speed. Use filtering, packet slicing, or selective capture to match your capture depth to your actual analysis and retention requirements, and size your storage accordingly before going live.
Confirm periodically that your TAPs are delivering traffic to your monitoring tools, that your SPAN sessions are still active, and that your capture appliances are recording as expected. Track per-feed packet counters and alert when a feed goes silent or carries only one direction, because a dark monitor output looks exactly like a quiet link. Monitoring infrastructure that silently fails is worse than no monitoring at all.
A network TAP accesses traffic on a specific link and provides a copy to your monitoring infrastructure. A packet broker sits downstream of one or more TAPs and manages how that traffic reaches your analysis tools, applying filtering, aggregation, deduplication, and load balancing. TAPs collect traffic; packet brokers distribute it intelligently.
Yes, but you'll see ciphertext rather than plaintext payload unless decryption is applied before analysis. Header metadata remains visible even in encrypted traffic: IP addresses, ports, timing, flow volumes, and connection patterns are all accessible without decryption, as are the unencrypted parts of the TLS handshake such as the offered versions and cipher suites and, unless Encrypted Client Hello is in use, the server name in the ClientHello. This information alone is valuable for security analysis and anomaly detection.
When done correctly with hardware TAPs, packet capture has no measurable impact on network performance. Passive fiber TAPs require no power and add no latency; the one thing to verify before installation is the optical power budget, because the splitter diverts a fixed share of the light to the monitor port and a long or marginal link can end up below the receiver's sensitivity. The risk of performance impact comes from SPAN ports, which consume switch resources and drop mirrored packets when the destination port is oversubscribed.
Retention requirements vary by compliance framework and operational need. Where regulatory or contractual requirements specify a window, 90 days to 12 months is a common range, and forensic teams typically want at least 30 days on hand for incident investigation. Packet slicing and selective capture can significantly extend how far back you can retain data within a given storage budget.
Getting packet capture right depends on having reliable, complete traffic access from hardware-level TAPs before anything else. Without that foundation, your capture tools can only work with what they receive, and SPAN ports simply can't guarantee completeness.
Our network TAPs provide guaranteed 100% packet capture across speeds from 1G to 400G, with passive fiber options for zero-power deployment and copper Ethernet TAPs with automatic bypass protection. Every TAP in our range passes all full-duplex traffic simultaneously on separate channels, including errors, so your capture tools see exactly what's on the link.
For environments with multiple capture points or multiple analysis tools, the SmartNA-XL and SmartNA-PortPlus packet broker platforms aggregate traffic from multiple TAPs, apply line-rate filtering and packet manipulation, and distribute the right traffic to the right tools. Managed through the intuitive Drag-n-Vu interface, you can configure and adjust your entire capture architecture quickly and accurately, without touching a command line.
Whether you're building a new capture infrastructure or resolving gaps in an existing deployment, our team can help you design an architecture that delivers complete network coverage and gives your security and analysis tools everything they need to work effectively.