Methods of Traffic Capture


Historically, to capture traffic, an administrator had to disconnect a suspect device from one of its adjacent devices (usually a switch or hub) and insert a protocol decoder between the two. This method is known as in-line traffic capture. The disadvantages of this approach include the following:

  • The suspect device must be taken offline temporarily to connect the protocol decoder and again to subsequently disconnect the protocol decoder.

  • The act of inserting another device into the data stream can introduce additional problems or mask the original problem.

  • A one-to-one relationship exists between the suspect device and the protocol decoder, so only one device can be decoded at any point in time unless multiple protocol decoders are available. Note that protocol decoders tend to be very expensive.

  • An administrator must be physically present to connect and configure the protocol decoder.

The advantages of in-line traffic capture include the following:

  • All types of frames can be captured including low-level primitives that are normally terminated by the physically adjacent device.

  • OSI Layer 1 issues related to faulty cabling and connectors can be detected.

To mitigate the drawbacks of in-line traffic capture, Cisco Systems developed an alternative, out-of-line approach. The Switch Port Analyzer (SPAN) feature was introduced on the Catalyst family of Ethernet switches in the mid-1990s. The MDS9000 family of switches also supports SPAN. SPAN is also known as port mirroring and port monitoring. SPAN transparently copies frames from one or more ports to a specified port called a SPAN Destination (SD) port. In most cases, the SD port can be any port in the switch. A protocol decoder is attached to the SD port. The disadvantages of this approach include the following:

  • Low-level primitives that are normally terminated by the device physically adjacent to the suspect device cannot be captured.

  • OSI Layer 1 issues related to faulty cabling and connectors cannot be detected.

The advantages of out-of-line traffic capture include the following:

  • The protocol decoder can be connected to the switch in a non-disruptive manner.

  • No new devices are introduced into the original data stream, so no additional problems are created.

  • Multiple SPAN sessions can be configured and activated simultaneously. Thus, the one-to-one relationship between the suspect device and the protocol decoder is removed. This reduces the total number of protocol decoders required to troubleshoot large networks.

  • SPAN traffic can be forwarded between switches via the Remote SPAN (RSPAN) feature. RSPAN further reduces the total number of protocol decoders required to troubleshoot large networks.

  • After the protocol decoder is connected to the switch, an administrator can configure and activate SPAN/RSPAN sessions remotely.
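The following configuration sketch is an added example, not taken from the book. It shows an RSPAN session in Cisco IOS syntax as used on Catalyst switches: frames from the suspect device's port on one switch are copied into a dedicated VLAN and delivered to the port where the protocol decoder is attached on a second switch. The VLAN ID, session number and interface names are constructed placeholders, and exact keywords vary by platform and software release (the MDS9000 family uses a different SPAN command set).

```cisco
! Switch A: the suspect device attaches here.
! Constructed values: VLAN 900, session 1, Gi1/0/5 = suspect device port.
vlan 900
 name RSPAN-CAPTURE
 remote-span
!
! Copy frames in both directions from the suspect port into the RSPAN VLAN.
monitor session 1 source interface GigabitEthernet1/0/5 both
monitor session 1 destination remote vlan 900
!
! Switch B: the protocol decoder attaches here.
! Constructed value: Gi1/0/24 = port connected to the protocol decoder.
vlan 900
 name RSPAN-CAPTURE
 remote-span
!
! Take the mirrored frames out of the RSPAN VLAN and send them to the decoder port.
monitor session 1 source remote vlan 900
monitor session 1 destination interface GigabitEthernet1/0/24
!
! Local SPAN alternative (decoder on the same switch as the suspect device):
!   monitor session 2 source interface GigabitEthernet1/0/5 both
!   monitor session 2 destination interface GigabitEthernet1/0/24
!
! Confirm the session state on either switch.
show monitor session 1
```

The RSPAN VLAN must be carried on the trunk between the two switches. Because the destination port receives a copy of every mirrored frame, access to it and to the session configuration should be limited to the administrators performing the capture.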

Another approach is to use a signal splitter such as a "tap" or "Y-cable," but this approach has its own set of drawbacks that precludes widespread adoption. So, signal splitters are used to meet niche requirements, and the in-line and out-of-line approaches are used to meet mainstream requirements.




Storage Networking Protocol Fundamentals
Storage Networking Protocol Fundamentals (Vol 2)
ISBN: 1587051605
EAN: 2147483647
Year: 2007
Pages: 196
Authors: James Long
