What You Need to Know

Copper Network TAP Overview

Network TAPs (Test Access Points) have become a requisite component in networks of all sizes – from small offices to enterprise data centers. The shortcomings of SPAN ports (Switched Port Analyzer) have become increasingly evident. TAPs provide a better solution for visibility. SPAN ports are often still useful for short-term reactive troubleshooting, but much less so for detailed monitoring and capture at a higher level.

For details on SPAN ports shortcomings please review our previous article:

Is there a benefit to using Network TAPs instead of SPAN ports?

TAP Terminology

  • Non-Aggregation TAP (also called a Break-Out TAP): Hands off separate copies of the Receive (Rx) and Transmit (Tx) data and requires that the user has a monitoring device with two capture NICs (Network Interface Cards), and specialized software which allows the data to be re-combined. This enables the user to view the original duplex (two-way) conversation (Requests and Acknowledgements, etc.) in a single window.
  • Aggregation TAP: Aggregates or merges the Rx and Tx data by using a switch chip (network Switching logic embedded inside an Integrated Circuit) and designed to fit inside the TAP, thus allowing devices with a single capture NIC to receive all of the data in a single stream. Examples of devices benefiting from this include Wireshark – a popular open-source packet sniffer software, and Snort – a widely used IDS (Intrusion Detection System) software. Many commercial monitoring and security capture tools are based on Wireshark and Snort.
  • Regeneration TAP: Allows multiple copies of the tapped data to be replicated, enabling multiple tools to listen to or capture from the same link (Note: Aggregation TAPs inherently have this capability)
  • “Any-to-Any ”: Ports which can be configured to function as Outputs to monitoring tools OR as Inputs to accept data from other sources such as additional TAPs or SPAN ports, thus allowing an Aggregation TAP to merge this with data from the primary tapped link before sending it to tools.
  • Passive: A design in which the TAP is unpowered or can lose power without creating any impact on the tapped link (Note: Fiber TAPs work exclusively in the optical realm and are inherently passive).
  • Power Fault-tolerant: Certain topologies – e.g., copper Ethernet at 1G and 10G speeds – have a level of complexity that has prevented development of a truly passive TAP design for such links. The de facto industry standard is to utilize copper relay bypass systems, which provide a direct pass -through between link endpoints if the TAP loses power.


  1. There is not now nor has there ever been a truly passive copper Gigabit Ethernet TAP – with or without aggregation.
  2. The two Network ports that allow the endpoints to connect to the tap do not have IP addresses or MAC addresses. Once the endpoints negotiate and establish link with the TAP’s Network port, the TAP becomes transparent to the network.

TAP Categories and Datacom TAP models

10/100 TAPs

Datacom offers one specific passive TAP model for 10/100 links only – the 10/100-AT. Magnetic induction allows copies of the data to be borrowed from the two Ethernet wiring pairs. If the TAP loses power there is zero impact on the link. The model 10/100-AT is truly passive and uses a non-aggregation or break-out design.

10/100/1000 TAPs

The 10/100/1000-TAP is unique to the industry. A simple selector switch allows the user to select truly passive mode for 10/100 links, but also supports power fault tolerant mode for 1G links. It provides non-aggregation output only.

The CTP-1000 is the industry’s most secure copper TAP. It is a non -managed device, having no Management port, no user interface that can be hacked, and no internal path that could allow access from the TAP back on the link itself. A rear slider switch allows the user to select Aggregated or Non-Aggregated output. It is auto-sensing and supports use with 10/100/1000 links and tools.

10/100/1000 Aggregation TAPs

Datacom’s SINGLEstream™ series of TAPS are available in two categories:

SINGLEstream Single, Dual, and Quad link TAPs with 1G output

These models utilize a switch chip optimized for the sole purpose of borrowing copies of the data and passing it out the monitor ports as aggregated or non-aggregated data. This SINGLEstream TAP series offers anywhere from two to as many as ten “Any-to-Any ports that may be used as inputs or outputs. Intended for use in links with aggregate total traffic loads not exceeding 1G, they are compact and affordable. Secure SSH is used for remote management. An intuitive CLI is provided for configuration and control. SNMP v2/v3 traps can be enabled to provide alerts if there is an issue with a power supply or a link goes down or back up.

SINGLEstream “G” series high density TAPs

Looking to tap multiple links all in one physical location, with higher bandwidth requirements and higher speed tools? The “G” series can provide tapping for as many as eight links in a single compact chassis (one half of a rack width and 1RU in height.) The data from all of the links can be aggregated into a single stream or split up into groups. All models provide four SFP+ receptacles which function as “Any-to-Any” , providing support for 10/100/1000 and 10G copper or 1G/10G fiber. The SNMP v2/v3 traps are more sophisticated in this series – allowing notifications for fan failure, temperatures inside the unit, power supply and link status alerts. (NOTE: The “G4” model SS-G4C8S4 has eight additional “Any-to-Any” 10/100/1000 copper ports that may be used as inputs or outputs.) The “G” series also offers user authentication via Radius or Tacacs+ and provides output to Syslog if desired.

Network engineers have long been accustomed to using post-capture display filters in products such as Wireshark. Display filters mask traffic of no interest to the viewer, allowing for easier analysis of issues. Display filters are convenient but not useful in real-time troubleshooting.

Capture filters, on the other hand, the G-series allows real-time filtering of the data as it is being captured. This enables certain user selected protocols, VLANs, IP Addresses, MAC addresses etc. to be captured by the monitoring tool and excludes data not of interest to the user. In products like Wireshark and other monitoring tools, this is software based filtering; it is an extremely processor intensive activity that dramatically impacts the potential throughput capacity of the tool. Software-based filtering requires the monitoring tool itself to inspect all data and determine which packets to keep or discard.

The “G” series TAPs offer hardware-based filtering: This feature utilizes the resources of the TAP itself to be used for filtering – allowing packet filtering to occur at full line rate (sometime also referred to as “wire-speed”). In addition to excluding data of no interest – e.g., duplicate traffic copies that being sent to a backup system or a Disaster Recovery Center, hardware-based filtering offloads that burden from the analytics tools and presents to them only the data that is pertinent for their applications. Examples include TCP Ports 80, 8080 and 443 data sent to Web monitoring systems, Port 1521 data to tools used for monitoring Oracle database traffic, etc. This frees up these expensive tools to operate at maximum efficiency, with optimal throughput and more effective use of their drive storage space.

The “G” series TAPS offer Load Balancing: Load balancing is the capability and action of a device to take incoming network traffic and dynamically spread it across multiple output ports. The best known traditional use involves application-specific network hardware known as a load balancer, which typically takes high data rate high volume traffic, and dynamically divides it amongst the NICs of devices such as network servers. This minimizes the risk of bottlenecks and packet drops on the servers. It also creates redundancy through the use of HA (High Availability). The load balancing function built into the Datacom Systems multi-link TAPs is typically intended for dynamically splitting a single aggregated stream of packet copies to multiple capture interfaces. A typical application is to divide the internally aggregated data stream (which may be coming from as many as 8 links) into two or four streams at 10G and send them to multiple interfaces on 10G capture or monitoring tools. One could even take a 10G data stream copy and divide it among multiple 1G capture interfaces.

10G Copper TAPs
The CTP-10G is the newest entry in Datacom’s TAP product line. It is a robust and secure non-managed product and is the next evolution from the CTP-1000. It provides both non-aggregated and aggregated output – making it the only 10G copper TAP currently on the market that offers this. Also unique to the industry is its support of Auto-sensing on the Network Ports and Monitor Ports – allowing use in 1G, 2.5G, 5G, and 10G links, and support of monitoring tools at any of those speeds.

The Datacom Sales Team and Sales Engineers are available at your convenience to provide pricing or analysis of your copper Ethernet TAP needs.

Recent Posts


We'll be Glad to Help You

For the latest information, product updates, and to check the status of your service agreement, please contact our support team