
Short Packets in the Shortest Month: Protecting Your Traffic Data Integrity

Did you know that in ancient times, February was the last month of the year? In the year 713 BC, Roman King Numa Pompilius moved it to the second month to better align the calendar with the seasons. As well as being the shortest month of the year, February is also the only month that sometimes receives an additional day, and yet it is an important component of our calendar. Despite only occurring every 4 years, this extra day is essential in helping the earth stay aligned with our seasonal orbit around the sun. It’s a great example of how short things can make a big impact. That’s why February is a good time to discuss the importance of short packets in network management. 

Understanding the Significance and Implications of Short Packets in Network Communication

Short packets, or runts, are smaller than the Ethernet standard minimum of 64 bytes. Due to their small size, they are often not delivered to their intended destination, but they can provide important insight into a network’s performance. Short packets can indicate collisions, electrical interference, software problems or faulty network interface controllers (NICs). The resulting packet loss can cause poor communication for real-time applications like VoIP, reduced throughput, security vulnerabilities and degradation of network performance. Continuous visibility into traffic flowing through the network is critical to locate, diagnose and solve potential network issues, and short packets can be a vital tool in doing so.
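To make the 64-byte threshold concrete, the following added example (not part of the original article) scans a classic pcap capture and lists frames shorter than the Ethernet minimum. It assumes an Ethernet link type and that the capture tool stripped the 4-byte frame check sequence, so the default threshold is 60 bytes; the function names and the sample capture are constructed for illustration.

```python
import struct

ETH_MIN_FRAME = 64  # minimum Ethernet frame size on the wire, FCS included
FCS_LEN = 4         # frame check sequence, usually stripped before capture


def find_runts(pcap_bytes, fcs_included=False):
    """Return (total_frames, runts) for a classic pcap of Ethernet traffic.

    runts is a list of (frame_index, wire_length) tuples.
    """
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    # The link type is the last 4 bytes of the 24-byte global header.
    (linktype,) = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != 1:
        raise ValueError("link type is not Ethernet")
    threshold = ETH_MIN_FRAME if fcs_included else ETH_MIN_FRAME - FCS_LEN
    offset, index, runts = 24, 0, []
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_usec, captured length, length on the wire.
        _, _, incl_len, orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        offset += 16 + incl_len
        # Judge by orig_len: incl_len may be truncated by the snap length.
        if orig_len < threshold:
            runts.append((index, orig_len))
        index += 1
    return index, runts


def build_sample_pcap(frame_lengths):
    """Constructed sample data: zero-filled frames of the given lengths."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, length in enumerate(frame_lengths):
        out += struct.pack("<IIII", n, 0, length, length) + bytes(length)
    return out


# Constructed capture: two normal frames, one at the minimum, two runts.
SAMPLE = build_sample_pcap([60, 1514, 42, 59, 64])

if __name__ == "__main__":
    total, runts = find_runts(SAMPLE)
    print(f"{len(runts)} of {total} frames are below the minimum: {runts}")
```

Frames captured on the sending host before the NIC pads them can also appear shorter than 60 bytes without being runts on the wire, so run this against a capture taken from the link itself.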

Exploring Network Monitoring Methods: SPAN Ports vs. Test Access Points (TAPs) and Their Impact on Short Packet Analysis

Monitoring is important in order to understand network flows, improve performance, protect network infrastructure and plan for future growth. There are two methods used by network managers to access, capture and understand traffic flows. 

One method is the use of Switched Port Analyzer (SPAN) ports embedded in switches. SPAN ports duplicate the internal network traffic, sending a mirror copy of live traffic to another device for analysis. The other option for network managers is to connect a Test Access Point (TAP) that also creates a mirror copy of live traffic for tools to analyse. So, what do these two network visibility methods have to do with short packets? The answer lies in the difference between SPAN and TAPs and how they send traffic to analysis tools.

Understanding the Limitations and Considerations of SPAN Ports for Network Traffic Analysis

SPAN ports replicate packets in the switch and direct them to a monitor port where an analysis appliance is connected. However, configuration is complicated and requires a switch engineer to actually deploy the connected tools. Some analytic tools will specify that they can be connected by either a TAP or SPAN, thus implying interchangeability. While this statement is technically accurate, there are some serious considerations when deciding between SPAN ports and TAPs. Here are a few critical differences:

  • A SPAN port is an integral part of the switch. When a SPAN port is configured to mirror switch traffic, the internal switch traffic doubles. This may be acceptable if the switch is underutilised, but can create congestion during busy times. As mentioned above, congestion can cause collisions and create short packets.

  • Short packets are not considered “real” traffic by the switch and are filtered out before reaching the SPAN port. 

  • Delivering live traffic is the top priority of a switch. During busy times, low priority traffic may randomly be dropped. SPAN traffic is the lowest priority traffic in the switch. Therefore, during busy times, the switch may randomly drop SPAN packets in order to process live traffic. When this happens, the mirror traffic that actually reaches the analysis tool does not exactly mirror live traffic.

  • SPAN sessions and speeds are limited by the switch capability. This can limit the number of analytic tools that can be connected to SPAN ports.

When developing network traffic reports, it is important that the data sent to analysis tools is 100% complete and accurate. If packets are randomly dropped during busy periods and short packets are not passed to the tools, final traffic reports will be skewed by incomplete data. Furthermore, short packets are an indicator of network problems. If they are not included in traffic analysis, the underlying issues that cause the short packets may be overlooked. Finally, network availability issues are most likely to present during busy periods, meaning it is the most important time for accurate data to be passed to tools. Yet with SPAN, this is exactly the time when the ports are least likely to present accurate data.  

Harnessing the Power and Advantages of TAPs for Comprehensive Network Visibility

A TAP is an independent piece of equipment that can be deployed at various locations in the network. Most commonly, they are inserted between a switch and a firewall or router. Like a SPAN session, TAPs create a mirror copy of switch traffic and pass it to a monitoring device. Unlike SPAN, however, there is no impact on switch traffic because TAPs are independent of the switch. TAPs can offer virtually unlimited port access and speeds of up to 100Gbps. Here are some TAP characteristics:

  • TAPs provide access to a wide variety of network tools used for monitoring, performance and security. 

  • TAPs offer fail-safe relays. If power to the unit is lost, live traffic will continue to pass through the network.

  • TAPs have no IP or MAC address. Therefore, they are invisible to the network, do not add delay and cannot be hacked.

  • TAPs mirror 100% of the network traffic including short packets or runts, physical layer errors and error packets. This guarantees that monitoring tools will receive all the network traffic. Traffic reports will be 100% accurate because they will be based on 100% of the requested traffic.

  • TAPs comply with data privacy audits such as GDPR in the European Union and HIPAA in the United States along with many other global government regulations.

  • Deployment is simple. TAPs, such as the SmartNA from Network Critical, use a smart Graphical User Interface (GUI) for simple drag and click configuration with safeguards against mistakes that can take down the network.

  • TAPs can easily be deployed in optical and copper networks. There are also options for copper to optical and optical to copper conversion. This allows for maximum utilisation of existing network tools.

  • Many intelligent TAPs provide advanced features such as port mapping, filtering, aggregation and packet manipulation to maximise tool utilisation.

TAPs are an integral part of any network visibility strategy, helping managers understand network traffic, plan for future growth and execute robust security measures. Historically, TAPs were temporarily used to connect a diagnostic tool. After many innovations and advances, TAPs are now being included in the early stages of network design for permanent traffic visibility and analysis. With the industry’s current emphasis on network monitoring for improved performance and strong network security, TAPs have moved from a tactical to strategic device.
