Portable Data Packet Capture Solution

They say the future is right before our eyes. If we look at the IoT technologies developed in the past decade, we can't deny their statement. The technological boom of the 21st century has transformed our lives and the way we communicate with each other.

 

For instance, let's take a look at the MAREA project we are currently researching. We can even say that we are witnessing history. It is an ultra-high-speed fiber-optic network laid underwater from the United States to Spain, with a transmission capacity of 160 Tbit/s.

 

Unfortunately, these innovations open new pathways for hackers to penetrate networks. The latest ransomware or DDoS attacks have exposed security vulnerabilities unseen in the past few years.

To keep up with the rapidly changing developments and provide users with peace of mind, many companies have created monitoring and security tools. Among them, data packet capture solutions form the foundation of highly secure IT infrastructure.

 

Network crises can occur when you least expect them, which is why the world of network monitoring must also evolve. We can choose a network analyzer that allows for rapid deployment and swift capture of your data packets, one that can handle unforeseen circumstances even when used on-site.

 

Companies like Profitap have developed powerful portable TAPs (such as the ProfiShark series), which are among the best and fastest tools for on-site data packet capture. They assist in deep network exploration, traffic analysis, and identification of the problematic packets causing malfunctions, which makes them ideal devices for this kind of work.

 

But how do we achieve this? How can a portable TAP be robust enough to handle 100% of the traffic and yet be easy to deploy on-site?

 

Let's take a closer look at the development of portable network TAPs.

 

Portable Full-Duplex TAP

Initially, we had copper and fiber-optic TAPs designed solely for data center environments.

 

Soon, manufacturers recognized the demand for field tools, leading them to create basic versions of full-duplex TAPs and offer them as portable models. However, they were still smaller versions of rack-mounted models and even included rack-mount screw fittings.

 

This type of full-duplex TAP, also known as a Breakout TAP, captures traffic from two network ports and replicates it to two output or monitoring ports. In addition to the full-duplex TAP itself, you also need a box PC with dual network interface cards (NICs).

 

Furthermore, the PC hosting the monitoring application must perform interface bonding or link aggregation to treat the two interfaces as a single stream of traffic.

 

The device captures traffic at wire speed without any packet loss or timing delays. Therefore, the performance is commendable, but IT engineers still face challenges in adopting this "portable" TAP on-site because they still require additional hardware.

 

In conclusion, the initial approach to portable TAPs was not truly portable since you couldn't carry a desktop PC with you on-site, and laptops typically don't have dual NICs.


Portable Aggregation TAP

TAP manufacturers attempted another approach to address the portability issue by introducing Aggregator TAPs, also known as Aggregation TAPs.

 

These types of TAP devices merge two incoming communication streams into one outgoing communication stream. This means that only one monitoring port can receive aggregated traffic from two network ports.

 

Therefore, this eliminates the need for a PC with dual NICs for analysis. In fact, it completely removes the need for a box PC, allowing laptops to easily connect to the TAP. While this achieves true portability, it doesn't achieve optimal performance.

We all know that network backbones can reach at least gigabit speeds (1 Gbps). Thus, whenever troubleshooting is done on a network backbone, the TAP must have gigabit network ports. However, if the output (or monitoring port) is also a gigabit port, it is impossible to fully transmit the aggregated traffic of 2 Gbps over a 1 Gbps output.

 

This results in inconsistent traffic capture. Once the utilization of the network interfaces goes above 50% and the buffer becomes saturated, packets are dropped by the TAP. If both input network ports are pushing traffic at their maximum capacity, up to 50% of the total traffic can be lost.

 

The best way to overcome this bottleneck is to transmit the aggregated traffic to a higher data rate output. For TAP manufacturers, using 10GE NICs as the output for a portable TAP is impractical. Moreover, laptops don't come with 10GE NICs, and that is unlikely to change for a long time. The focus remains on packaging portability and performance into a small tool.

 

Advanced On-Site Data Packet Capture Tools

Later, we introduced specifically developed portable network TAPs. Compact in size yet powerful, these devices handle various types of troubleshooting—an ideal solution for companies aiming to ensure network stability, scalability, and security.

 

These advanced on-site troubleshooting tools differ from previous products because they bring their own host connectivity and can start capturing packets within minutes, without any special requirements.

 

They also have the capability to directly transfer captured packets to the host computer's disk. As each packet enters the TAP, it is captured at the hardware level in real time, with nanosecond-level timestamps. These timestamps allow real-time protocol analysis with nanosecond resolution on the captured traffic.

 

Our portable network TAPs are designed precisely for this purpose, without using gigabit NICs as monitoring ports. Instead, they utilize USB 3.0, which enables data transfer speeds of up to 5 Gbps. Therefore, it can easily handle the aggregated traffic of 2 Gbps (1 Gbps transmitted on each port, A and B) through the USB 3.0 link.

 

This means that the buffer memory doesn't need to drop any packets, nor does it need to store packets for extended periods that would impact their timing. Additionally, it can connect to a laptop's USB port and features unique plug-and-play functionality without relying on external power.
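To make the aggregation bottleneck described above concrete (two 1 Gbps inputs into a 1 Gbps monitor port versus into a 5 Gbps USB 3.0 link), here is an added example, not code from the original post or from Profitap, that models an aggregation TAP as a single FIFO buffer fed by two constant-rate inputs and drained at the output rate. The fluid model, step size, and buffer size are assumptions chosen for illustration; real devices buffer in packets, not bits.

```python
def simulate_aggregation(rate_a_gbps: float, rate_b_gbps: float, out_gbps: float,
                         buffer_bits: float = 100_000, duration_ms: float = 10,
                         step_us: float = 1):
    """Fluid model of an aggregation TAP: inputs A and B share one output via a FIFO.
    Returns (fraction_of_offered_bits_dropped, peak_buffer_occupancy_bits)."""
    dt_s = step_us * 1e-6
    in_bits = (rate_a_gbps + rate_b_gbps) * 1e9 * dt_s   # bits arriving per step
    out_bits = out_gbps * 1e9 * dt_s                     # bits drained per step
    queue = offered = dropped = peak = 0.0
    for _ in range(int(duration_ms * 1000 / step_us)):
        offered += in_bits
        queue += in_bits
        if queue > buffer_bits:          # buffer saturated: excess is lost
            dropped += queue - buffer_bits
            queue = buffer_bits
        peak = max(peak, queue)
        queue = max(0.0, queue - out_bits)
    return dropped / offered, peak

def loss_table(out_gbps: float, utilizations=(0.25, 0.5, 0.6, 0.8, 1.0)):
    """Loss fraction for symmetric A/B utilization of 1 Gbps links at a given output rate."""
    return {u: simulate_aggregation(u, u, out_gbps)[0] for u in utilizations}

if __name__ == "__main__":
    for out in (1.0, 5.0):       # 1 GbE monitor port vs USB 3.0 link
        print(f"output {out} Gbps:")
        for util, loss in loss_table(out).items():
            print(f"  A=B={util:.0%} utilization -> {loss:.1%} of traffic dropped")
```

The 1 Gbps output loses nothing up to 50% utilization per link, then climbs toward 50% loss as both links saturate, while the 5 Gbps output never fills its buffer.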

 

Today, portable capture devices have developed beyond on-site packet capture alone. They can now be used as long-term capture solutions with remote access. For example, if you combine ProfiShark 1G with a NAS, its long-term capture feature will assist you in capturing intermittent behavior.

 

Furthermore, ProfiShark can be combined with our web-based network traffic analyzer, ProfiSight, enabling you to quickly view flow data by extracting metadata from the captured packet streams. In other words, this packet capture and analysis setup provides fast, comprehensive access and visualization of critical traffic, allowing you to address intermittent network performance issues and ensure quality of service (QoS) for the network.

 

Advanced portable TAP tools are now widely used in many scenarios and hold promise for delivering excellent results. They can be an ideal choice when assessing temporary or intermittent issues, such as unexpected protocol interactions that traditional monitoring tools are unable to evaluate.

 

These portable devices are highly valuable in mitigating network attacks, such as phishing or other types of security threats. With the help of such tools, network administrators can reconstruct web sessions, emails, and chat conversations in chronological order for investigating security incidents and conducting precise forensic analysis.

