In an ideal network, all infrastructure devices such as routers, firewalls, switches, wireless LAN controllers and so on would be capable of producing detailed metadata (such as NetFlow/IPFIX) about the traffic passing through them. These devices would then be capable of sending that metadata to a collector/analyser such as Scrutinizer for alerting, reporting, incident response, bandwidth optimisation and much more.
But what if your network infrastructure devices are unable to produce and send the necessary metadata? In some cases, only limited fields are available; in others, metadata generation is unavailable altogether. In some very rare scenarios, the volume of metadata the device would be required to generate would create an unacceptably high processor workload, potentially having a negative impact on network performance.
In these cases, a network probe can be used to generate rich network traffic metadata. Network probes are available in either software or hardware appliance form. Network traffic can be fed to them using either a port on the device (SPAN – Switch Port Analyser – port mirror) or a TAP (Test Access Point). A TAP is fully independent of network devices and connects directly to the network on a pass-through basis, with no performance impact.