Network technology

/ Switches / Tap's / NIC's / Network ANALYSIS SOFTWARE


Frequently Asked Questions


Network TAPS

Passive Network Taps are network taps that will cause absolutely no change in the state of the link if the tap loses power. In the event of power loss, network traffic will flow uninterrupted as long as the network itself has power. Datacom Systems taps designed for Gigabit fiber links, 10/100 only, T-1/E-1 and DS-3 are passive.

Active taps rely on a Fail-over system for power fault tolerance. If an Active tap loses power a set of copper relays will fall into a closed position to provide a passive bypass.  When the passive bypass system is engaged a momentary interruption of link occurs. This can be kept to an absolute minimum by configuring the endpoint devices of the tapped link for PortFast or FastLearn.

There is no truly passive scheme for tapping copper Gigabit. Some manufacturers have enlisted internal batteries to hold the copper relay if the tap loses power.  This is a dangerous gimmick, since the battery life comes into question to support an active production link.  All current copper Gigabit capable taps are Active devices and rely on relay based power fault tolerance systems.

The latency introduced in the link by any fiber or passive 10/100 design is equal only to that caused by actual length of the physical path through the tap. It is equivalent to adding only a few inches of fiber or copper cable to the actual link, typically less than 10ns.

The latency introduced into links by the Datacom Systems copper Gigabit capable SS-1200 and SS-2200 series taps will depend on the nature of the traffic (packet size distribution and inter-packet gap) and will range from as little as 2.0 microseconds up to a maximum of 13.8 microseconds.

Some latency is added when packet copies are aggregated and/or regenerated out the monitor ports to the tools. Latency through Datacom devices will vary depending on the model and the nature of the traffic (packet size distribution and inter-packet gap).  Contact Datacom Systems for specific details.

Intrusion Detection Systems (IDS) may have an option to use a feature known as “Active Response” when malicious traffic is detected. If an attacker uses TCP sessions, they can be reset by RST (Reset) packets that are sent to reset one or both hosts in a session from the IDS. In the case of UDP, a session can be broken by sending various ICMP packets to the host from the IDS box.

In some cases the IDS may need to use the monitoring NIC for  this purpose. Enabling a Bi-directional traffic path in the tap allows the RST packets to renter the network through a tapped  copper link.  In the case of a tapped fiber link the directional characteristics of fiber taps will not allow this.  The “any-to-any” feature of Datacom Systems configurable taps allows the RST packets to be sent out any available extra Monitor  port of the tap and enter the network via a local network switch.

Traffic injection is only done on copper based inline taps or bypass switches.  Fiber taps do not allow traffic injection, based on their directional nature, they simply make a one way copy of traffic used for analysis.

In order to introduce traffic injection into the network, there must be an actual bidirectional physical connection between the tap's monitor ports and the link itself. For this reason neither passive copper taps nor fiber taps can support bi-directional traffic or can be used with traffic injection.

Auto-negotiation and speed sensing allows the port of a network device to automatically detect the speed and duplex setting of the link (10/100/1000 and half or full duplex) and negotiate link with the connected device. 

If two Auto-enabled devices fail to properly establish link they will typically default to a lower speed half duplex setting - serious performance issues on the link result. Also, if an Auto enabled device is connected to a device with fixed settings they will sometimes initially establish link but may fail to re-establish link if a port goes up and down or if endpoints reboot.

All Gigabit capable copper taps negotiate, establish and maintain two separate links between the tap and the endpoint devices of the link.  If one link endpoint device is only 10/100 capable and the other endpoint is 10/100/1000 capable then the taps respective tap assembly ports will each negotiate to the highest available speed – resulting in a speed mismatch and significant performance issues on the link. The required solution is to hard set the ports of both the endpoint devices and the tap assembly to fixed speed and duplex settings.

Network monitoring switches are not in line products, and receive their traffic from external taps or mirror ports. If simple non-aggregating passive fiber taps are used as the source of data to provide inputs to a network monitoring switch then the ports on that device must have Auto-negotiation disabled in order to accept data. But if other ports on that same device are used to accept data from SPAN ports or aggregation taps it is customary for Auto-negotiation to be used.

Datacom Systems SINGLEstream™ and VERSAstream™ products include the flexibility to change speed/duplex and Auto-negotiation settings independently on any and all ports – providing maximum flexibility.

All network hardware, no matter how reliable, must be considered as a device that could  malfunction.  Network architects will assess the mission critical nature of any given link, what redundant or alternate data paths exist, and how service might be impacted if a service window were required to replace a device in that link.

In some cases an in-line device that has multiple links passing through it and may be an appropriate choice. But a more conservative design might dictate that no in-line device should ever tap more than one link – thereby eliminating the possibility that two links might ever be impacted if such a device had to be replaced. The most conservative or lowest risk designs may even require that the tapping be done by a  non-powered Physical Layer device such as a simple fiber tap and the task of aggregating the duplex data streams and making multiple copies for the tools be handled by a  separate device.

There is no right or wrong answer for such question – it will be determined by the individual circumstances and priorities of the organization – but such issues should be considered.

That depends on the model of tap that you use and how it is configured. If you are using a truly passive tap, such as a fiber tap the answer is no. Gigabit capable copper taps that are configurable can be set up by the user to allow bi-directional traffic back onto the link. The monitoring tool will be visible only if the tap has a Bi-directional traffic path intentionally configured to allow this.  The default configuration of these taps has bidirectional traffic disabled by default for security reasons. It can be changed only by an administrator logged in via Superuser mode.

Yes - all products include two (2) redundant power supplies with the initial purchase, and the devices are designed to run solely on one power supply.  Additional power supplies may be purchased seperately.

The optional AC Power Supply model RPS-12-5-AC addresses this need. The 1U rack mountable chassis is equipped with two load sharing hot-swappable power supplies and contains 24 lead power connections to provide dual redundant power for up to 12 Datacom Systems devices.  Models such as the SS-1204BT-BT-S, VS-1208BT-S and 10/100/1000-TAP may be redundantly powered by the RPS-12-5 which is available with both AC and DC inputs.

SINGLEstream Link Aggregation TAPS

Aggregation Taps are network taps that can combine the copies of data from both sides of one or more full duplex links and send the "aggregated" copy of the entire transmission to a connected monitoring device. That receives it on a single capture/monitoring NIC. Datacom Systems  aggregation  taps are all in the product family known as SINGLEstream™.

Traditional full duplex taps provide a dual stream of non-aggregated output – one monitor port for each side of the conversation. This requires use of “dual receive” devices, which have two separate monitor cards and combine the data streams after receiving it. Protocol analyzers, probes, and intrusion detection systems (IDS) of this variety are more expensive and are less common in today’s networks.

Many of the most widely used packet sniffer and IDS tools are based, respectively, on the open source Wireshark and Snort products - neither of which supports receiving on separate NICs and recombining the data. The SINGLEstream™ tap can combine the bi-directional traffic from a full duplex conversation into a single data stream, thus allows such tools devices with half duplex single receive monitor cards to be used in-line on full duplex links.

Yes.  Certain tools monitor “conversation flow” on the network and perform analysis based on directional data – thus requiring that the Rx and Tx information be received separately.  In other instances a specialized tool may be deployed that needs to see only the Inbound (Rx) traffic or Outbound (Tx) traffic but not both.

Avoiding lost packets due to oversubscription during aggregation is another example. Using aggregation taps in links that experience spikes exceeding 50% aggregate utilization of the maximum link capacity will result in packet copies being lost due to oversubscription. For example - a 1 Gig full duplex link that spikes at 60% will have 1.2 Gig of data to be aggregated and handed off on a 1 Gig Monitor port.  In such instances it’s advisable to use a regular full duplex or non-aggregated tap and a monitoring tool that can receive and recombine the two streams of data.

The SINGLEstream™ Aggregation Tap can aggregate up to 1000Mbps of data sustained at line rate. In the Gigabit fiber or 1000 Mbps environment it is possible to exceed 100% utilization if more than 1000Mbps of input is received at one time when the Rx and Tx of the duplex link are aggregated. To prevent exceeding 100% utilization, the aggregate total of Rx and Tx traffic – i.e. the overall utilization on the link itself- should never exceed 50%.

The SINGLEstream™ Aggregation Tap also includes a 1 MB shared buffer memory to account for very brief spikes of utilization over one Gigabit.  If the tapped link is expected to routinely exceed 50% aggregate utilization then a non-aggregated tap is recommended.

Yes. Datacom Systems SS-1200, SS-2200 and SS-4200 series taps can be configured by the user to provide either type of output or on the higher port density models can even provide both simultaneously.

An additional benefit of this design is the capability for the tap to be reconfigured to accommodate growth in utilization. These taps can initially be deployed as aggregation taps but when utilization spikes begin to dictate the addition of a monitor card to the tool and a need for non-aggregated output - they can be reconfigured by the user to provide non-aggregated output.

No. The link will continue to operate normally. If any packets were to be lost due to oversubscription they would be packet copies only – not the original data itself.

The answer is nearly always no – because most network tools can’t capture at 100% of full line rate.

The vast majority of tools rely on the onboard NICs of the appliance (i.e. the server running the capture/monitoring software) to receive the packets and send to disc those that will be retained. The front side bus speed and write-to-disc capability of even the best and most robust servers simply can’t keep up with the data rate of today’s Gigabit networks when utilization levels are high. If the capture device is doing software based filtering as a way to validate which packets to keep and which to discard the actual sustained throughput capability may be as low as 150 to 200 Mbps on a Gigabit capture tool.

If  software filtering is not being used then a server doing full packet capture – e.g. the open source sniffer Wireshark or commercial products based on the Wireshark engine – then the throughput capability of such tools may increase to as much as 300 to 400 Mbps. Only when a specialized “enhanced capture card” is installed can the tool receive line rate data at full utilization without packet loss. These specialized NICs have large amounts of buffer memory and proprietary drivers – they are costly and in use only on a limited number higher end commercial capture/monitoring turn-key “appliances”.

What does this have to do with tap buffer memory?  It’s simple. The tap buffer memory begins accepting packets when the aggregation chip set becomes utilized at 100% of line rate and then streams it out to the tool at line rate once utilization levels have dropped back down to the point where the chip set is not 100% subscribed.  But this release of data form buffer memory is at a continuous 100% rate until the buffer is fully released. As we have seen above – the ultimate bottleneck in any capture/monitoring scenario is the tool itself. 

Datacom Systems recommends using a regular full duplex or non-aggregated tap and a monitoring tool that can receive and recombine the two streams of data in any scenario where the utilization levels on the link will routinely be spiking at above 50% aggregate utilization. The flexible “any-to-any” feature of the SINGLEstream™ Aggregation Tapallows the user to reconfigure and change the monitor ports from aggregated to non-aggregated output.   As utilization levels on the network increase over time the tap can be reconfigured to evolve with the network and additional monitor ports added to the tools to accommodate this growth.

In many network environments it is desirable and often necessary to have an IDSdevice monitoring a on a 24x7 basis. Additional monitor ports allow a protocol analyzeror other network management tools to access the same link on a permanent or as needed basis. This eliminates contention for access to the data. The extra monitor ports also allow redundant devices to be connected to the same link as a failsafe measure to prevent the loss of data in case one of the connected devices has problems or needs to be updated.

No problem. SINGLEstream™ Aggregation Taps come in a variety of media combinations that allow monitoring of fiber links with copper tools, copper links with fiber tools and are also available in several models with SFP based monitor ports that allow media type to be changed.

In theory this is possible but there are a number of shortcomings to using such an approach. Network switches are designed to perform a variety of functions on the network. SPAN and mirror port activities take the lowest priority – sending copies of busy link traffic out a SPAN port can easily oversubscribe the port, resulting in lost packets. Additionally, network switches are managed devices requiring maintenance and an IP presence on the network. The SINGLEstream™ Aggregation Tap is transparent to the network and fault-tolerant, therefore it is more reliable and more secure.

All SINGLEstream™ Aggregation Taps are either inherently passive devices or have robust power fault-tolerance passive bypass systems. The SS-100 copper tap for 10/100 only and all of the fiber tap models feature “Never Breaks the Link” technology, meaning connectivity is never interrupted and the link never changes state, even when  power is lost or being restored to the tap. Because power is required for the monitoring device to receive data from the tap ports, all models of theSINGLEstream™ Aggregation Tap come standard with a dual redundant power supply to ensure maximum uptime for network analysis and monitoring tools.

All Gigabit capable copper models – the SS-1200, SS-2200 and SS-4200 series, utilize a robust copper relay based power fault tolerance system that provides a passive bypass in the event of power loss. With the models it is recommended to set endpoint devices of the tapped link to Portfast or FastLearn thereby ensuring absolute minimum time for the link to re-establish itself when power is lost or restored.

Although ideal for Ethernet links where the total utilization is under 50%, theSINGLEstream™ Aggregation Tap may be used on any full duplex Ethernet link. The most likely locations on the network to deploy a link aggregation tap will be those in which probes or IDS devices need 24x7 visibility. These include the links between switches and critical servers, full duplex connections between routers and firewalls, and links between firewalls and a demilitarized zone (DMZ).

Yes – the output of a link aggregation tap may be connected to a matrix switch in the same manner as a SPAN port and the matrix switch can accept a mix of tap outputs and SPAN ports.

VERSAstream Network Packet Brokers - Data Access Switches

The SINGLEstream™ Dual Link Aggregation Tap is designed to tap two full duplex Ethernet segments where total aggregate utilization of full duplex traffic on both segments does not exceed 1 Gig. The Dual Link Aggregation Tap is ideally deployed monitoring is required for two segments that are “channeled” together, such as Cisco Ether Channel or Nortel Multi Link Trunking.

It is also effective when used in active/passive failover link pair scenarios where two identical network segments are set up for redundancy. If the active link fails – e.g. a firewall connection - the traffic fails over to the passive link.  The Dual Link Aggregation Tap provides uninterrupted visibility to a single monitoring tool that can view traffic on both links.

Finally, asymmetric routing paths (used by routers) and load balancing (used by servers) are implemented to maximize bandwidth and performance. The SINGLEstream™ Dual Link Aggregation Tap can aggregate all the data from asymmetrically routed and load-balanced traffic on two network segments and allow monitoring tools with single receive interfaces to view all the data copied from both links.

First, be sure that you are using a “DB9 M/F Straight-through Serial Cable” to connect to the device. If your PC does not have a serial port, you can use a “USB to DB9 Serial Plug-in” adapter in combination with the serial cable to connect to it.

Second, check to make sure that you are using a compatible terminal emulator. Tested and proven terminal emulators to work with Datacom Systems devices include Putty and Tera Term.

In order for the terminal emulator to successfully communicate with the SINGLEstream™ Aggregation Tap, the following terminal settings must be configured:

Serial Terminal Settings

  • Bits per second: 9600
  • Data bits: 8
  • Parity: None
  • Stop: 1
  • Flow Control: None
  • Font: Terminal or Proxy


The LINKprotect™ feature of Datacom Systems SS‐1200/2200 and 4200  series network taps provides a reliable system for ensuring that the endpoint devices of tapped links will properly engage routing protocols, redundant failover systems etc. in exactly the same manner as they would if the tap were not present. This feature only exists on link that tap copper media, since fiber taps are completely passive and will not drop a link.

The taps use a Gigabit chipset for tapping the data as well as aggregating and regenerating copies to the monitoring tools. When a tap is in active mode the data path of the tapped link is routed through the chipset. 

If power is lost, or one tap port (of a two port tap group) loses link, then a set of copper relays automatically moves into closed position to provide a passive bypass.

The clicking sound is the relays moving from open to closed and back to open positions.  By default all taps ship with Linkprotect on, with internval timers 1 and 2 set to 10 seconds.  To eliminate the clicking sound, you can connect all tap ports to their end devices.  This is the recommended and safest tapping method.  You can also turn off the link protect feature.


Commands to turn on / off LinkProtect are as follows:


SET LINK PROTECT(SE LP) tap enable int1 int2 recovery


                tap             tap number

                enable          ON/OFF

                int1            fail interval 1-3600(secs)

                int2            recover interval 1-3600(secs)

                recovery        AUTO/MANUAL


telnet into the device:  default IP address:

login:  Administrator

password:  admin

enable mode:  su

enable or superuser mode password:  password

Example to turn off LinkProtect on tap group 1 (usually ports 1 and 2 on the far left)

se lp 1 off

Example to turn on LinkProtect on tap group 1 (usually ports 1 and 2 on the far left) with the fail closed timer (int1) set to 10 seconds, and the recovery timer (int2) set to 3600 seconds.  This setup will throw the relays after 10 seconds if one side of the tapped link loses link status.  It will check both ports every 60 minutes and reconnect the tapped ports if link exists on both of them.  If no link is on both ports, the relays will close, and will retry after another 60 minutes.  If link exists, the tap is automatically inserted inline and will remain that way.  If you replace AUTO with MANUAL, the tap will stay out of the link until it is reconnected by cycling the "se lp" command.

se lp 1 on 10 3600 auto

MANUAL recover example

se lp 1 on 10 3600 MANUAL

A Network Packet Broker (NPB) or Network Monitoring Switch is a network device that acts like a network patch panel, but with the ability to aggregate and copy traffic to one or more ports.   NPBs can combine data from multiple ethernet network segments into one or more aggregated streams of data, perform port steering, and regenerate ports, so that multiple copies of data are available for multiple tools. Some models have packet filtering capability.

NPBs are not designed to be inline devices, they receive their network traffic from two (2) different types of source.  Most often, customers deploy taps on their network links which are inline devices that make a copy of network traffic.  That copy is sent from the tap into the NPB.  Some solutions use mirror ports or SPANs to collect traffic from the network.  Mirror ports are connected into Network Monitoring Switch for aggregation or regeneration (copies).  NPBs are not inline devices, but are referred to as out of band devices, since they work with copies of network traffic from a tap or mirror port.

VERSAstream is Datacom Systems brand name for Network Packet Brokers or Network Monitoring Switches.  These two terms are interchangeable.

Many solutions connect a VERSAstreamto an intrusion detection system, protocol analyzer, or network probe.  These devices can receive the aggregated data with just one network interface card (NIC). Network and security personnel are then able to monitor several network links simultaneously with as little as one monitoring tool. In many environments there are multiple areas of interest at the access layer or network edge that have either lower utilization or use lower speed data sources.

TheVERSAstream allows these data sources to be aggregated together and monitored by a single high speed or high capacity tool instead of multiple lower speed legacy tools. This reduces the overall number of tools needed and dramatically reduces the rack space required, while also lowering ongoing support and maintenance costs for monitoring tool software and hardware.

The VERSAstreamis designed to receive traffic from an external tap or SPAN. It aggregates or copies network traffic to one or more ports. 

Ports can be designated as inputs or output only, or both.  Traffic can be steered to any other port.  The connection can be configured so that traffic is either one way, or two way between ports.  Full duplex configuration must be configured in each direction.  One way traffic is usually preferred for most analysis applications, but sometimes two way traffic is necessary.

There is some latency when packet copies are aggregated and/or regenerated by the VERSAstream™; contact your Datacom Systems account representative or authorized partner for more information.

Typically the network edge (between internal routers and switches). The VERSAstream™ is available in a wide variety of media combinations and can accept inputs from 100, 1000 M and 10G devices, so it can be inserted into any copper or fiber ethernet environment, depending on the model. The VERSAstream™ will allow multiple devices to monitor the same links, so anywhere contention is an issue will benefit from this product, typically security environments or mixed environments using network analyzers and intrusion detection systems.

Yes. A variety of speeds and ports are available.  Many of our devices have SFP+ or SFP ports for 10G and 1G capability.

No problem. VERSAstream™ models are available with a mix of copper and SFP ports also with all SFP based ports to allow complete flexibility for mixing media types.

The VERSAstreamcan accept and aggregate up to 1000Mbps of data sustained at line rate.

In a Gigabit Ethernet or slower environment, it is possible to exceed 100% utilization if more than 1000Mbps of input is received at one time. To prevent exceeding 100% utilization, the sum of all the ports should never exceed 1000 Mbps, which can be achieved by connecting fewer devices to the VERSAstream™, pre-filtering the data, or by reducing the traffic load of the attached network segments. The VERSAstream™ also includes buffer memory to account for utilization spikes.

Datacom Systems recommends matching the aggregate total of input data carefully to ensure that the throughput capacity of the tool is not exceeded.  The flexible “any-to-any” feature of the VERSAstream™  allows the user to reconfigure and change the ratio of input ports to aggregated output ports.   As utilization levels on the network increase over time the inputs can be aggregated in smaller groups and additional monitor ports added to the tools to accommodate this growth. If sustained high utilization rates occur as the result of aggregation or bursts in traffic, consider a VERSAstream model with packet filtering or load balancing capability, such as the VS-1212-F or VS-1224-F.

Since our devices are standards compliant, you can connect any device to our products.  The VERSAstream is platform independent and will accept connections from analyzers, IDS, IPS, and probes from any manufacturer with the appropriate port media and interface.

Deploy a VERSAstream(by connecting it to network taps and SPAN ports throughout the network), to collect traffic from various points in the network can be aggregated into a single stream of data, so that a network analyzer or intrusion detection system can see the end-to-end path of packets as they travel through the network.

The VERSAstream uses a hash function as an algorithm to determine the correct egress port to send a packet to. The hash is based off of the following fields:

  • Source MAC address
  • Destination Mac address
  • Source IP
  • Destination IP
  • Source Port
  • Destination Port

If all of the above fields on a set of packets match, they will be sent out the same egress port. Additionally, the load balancer will recognize bidirectional conversations. If the fields for a packet are the same, but the source and destination are switched, it will go out the same egress port. For example:  


Source MAC

Destination MAC

Source IP

Destination IP

Source Port

Destination Port








Will go to the same egress port as

Source MAC

Destination MAC

Source IP

Destination IP

Source Port

Destination Port





Physical Layer Switches

Yes. On specific models you can interconnect up to 8 devices, which will appear via software as a single logical unit. The 4x16SY-BT in-line copper switch supports daisychain stacks of up to eight devices. Other models allow you to interconnect 4 devices, such as the 2x16SP-1000BT or 4x16SY-SX in-line fiber switch.

Each device ships with our software called MANAgents. The software will allow you to control your device from any Windows based machine that has the console loaded. You can download the software and instructions for installing and configuring MANAgents from our website.



Devices that support a serial connection will ship with a 72 inch DB9M-DB9F serial cable. Managed devices ship with a 32 inch RJ45 ethernet cable.

Pin 2 is used to receive data

Pin 3 is used to transmit data

Pin 5 is used for signal ground

The distance of the control cable is limited by the distance the network analyzer or monitoring device can be from the device. There are two connections between the switch and the analyzer - the Control cable, which connects to the COM port for Serial Control purposes, and the Common cable, which provides a data connection to the monitor card for the topology being analyzed. The total cabling distance is determined by calculating the total length of all cables (the primary cables, daisy chain cables and any additional cables between the matrixes switch Network ports and the data access points such as SPAN ports). When all relevant cable lengths are added together the sum must be equal to or less than the maximum allowable distance for the topology in use (e.g. the Common cables, Daisy cables and cables from 4X16SP-1000BT to SPAN port must not exceed 100 meters).

Connections to the female ports on a Datacom Systems devices are made with customer provided patch cables appropriate for the specific network environment.