Set up traffic collection

The traffic sensor is currently in closed beta. Availability is limited, and setup and requirements may change during this phase.
If you’d like access, you can join the interest list.

Traffic sensors observe real network communications to build an accurate asset inventory and application dependency map. Reliable packet visibility enables improved change management, cybersecurity monitoring, and compliance reporting.

To function correctly, each sensor must receive a copy of production traffic using one of the mirroring methods described below.

What is traffic mirroring?

Port mirroring (Switched Port Analyzer or SPAN), remote port mirroring (Remote Switched Port Analyzer or RSPAN), and encapsulated mirroring (Encapsulated Remote Switched Port Analyzer or ERSPAN) are switch/router features that duplicate packets from selected interfaces, VLANs, or routing points and send them to a dedicated destination interface.

The sensor attaches to this destination interface and passively inspects the mirrored traffic.

Traffic mirroring is required; the sensor must observe real packets to:

Identify assets communicating on the network
Build application dependency maps
Detect lateral movement (east–west traffic)
Increase overall visibility without introducing risk to production traffic (sensor is receive‑only)

There are multiple ways to provide the required packet feed (SPAN, RSPAN/ERSPAN, network TAPs, and packet brokers). Choose the option that best matches your network design, operational constraints, and fidelity requirements. The next section compares each option in detail.

Methods for providing packet feeds

There are several methods to provide traffic sensor with a reliable copy of network traffic. Each of these methods has different costs, fidelity, and operational characteristics. The table below compares the four primary methods: SPAN, RSPAN/ERSPAN, network TAPs, and packet brokers.

Method	What it is	When to use	Prerequisites	Pros	Cons
SPAN	Mirrors traffic from selected ports/VLANs to a monitor port on a switch	Simple, low-cost option Fast to pilot Traffic volumes won’t oversubscribe the switch	Free SPAN session(s) Available mirror port Cable to sensor NIC	No hardware purchase Quick to configure and modify	Limited sessions per switch
RSPAN/ERSPAN	Remote mirroring across the network (via VLAN, or via GRE over IP)	Deploying virtual sensor Centralizing capture across sites	Hardware/software support MTU tuning for ERSPAN QoS if needed	No local monitor cabling (ERSPAN) Consolidates multiple capture sources	MTU/QoS complexity ERSPAN overhead
Network TAP	Physical device inserted inline to provide full-fidelity traffic copies	No switch access/permissions SPAN capacity/limitations are a concern	TAP matching link type/speed Physical access and cabling Maintenance window	Full line-rate capture No switch performance impact	Hardware purchase required Less flexible than SPAN Physical installation necessary
Packet brokers	Aggregation device that collects SPAN/TAP feeds and forwards filtered traffic to tool	Broker already exists Need centralized management of feeds	None beyond broker availability	Centralized control Filtering, load-balancing, deduplication	Additional cost/licensing Mis-filters can hide traffic If sampling is enabled, the traffic sensor will receive an incomplete representation of network traffic

Any capture method can produce incomplete visibility if the capture path is oversubscribed (mirror destination, broker/tool port, WAN transport, or sensor NIC). This affects monitoring data, not production forwarding.

Configure mirroring on common switch vendors

The steps for configuring SPAN, RSPAN, or ERSPAN vary significantly across switch platforms. The most common switch vendors are listed below, along with direct links to their documentation.

Manufacturer	Documentation
Cisco	https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html
Aruba/HPE	https://support.hpe.com/hpesc/public/docDisplay?docId=a00057353en_us
Dell Networking/PowerSwitch	https://www.dell.com/support/kbdoc/en-us/000118038/how-to-configure-port-monitoring-mirroring-on-dell-emc-networking-os9-switches
Juniper	https://www.juniper.net/documentation/us/en/software/junos/sampling-forwarding-monitoring/topics/concept/policy-configuring-port-mirroring.html
Huawei	https://support.huawei.com/enterprise/en/doc/EDOC1000057410?section=j00y
Arista	https://arista.my.site.com/AristaCommunity/s/article/introduction-to-port-mirroring
Extreme Networks	https://documentation.extremenetworks.com/exos_32.5/GUID-FE0C3B2D-FC1E-4BDD-974A-D1FA67DDAD84.shtml

Where to place the traffic sensor?

The sensor should observe as much internal asset traffic as practical, including east–west communications (asset-to-asset within/ across VLANs), and north–south communications (to/from external networks).

Ideal capture points include:

Aggregation/Distribution switches
Core switches/routers
Inter-VLAN gateways
Data center cores where traffic converges

Do not mirror traffic after it has been encrypted
Mirroring or TAPs must be placed before SD‑WAN appliances, IPsec tunnels, VPN gateways, and other encryption points.

Sensor placement guidelines

Effective sensor placement ensures broad visibility into network communications while minimizing blind spots and unnecessary duplication.

East-west coverage

While east–west traffic is often overlooked, it contains a large portion of the internal communications that matter for security and dependency mapping.

When planning capture points, ensure mirrors or TAPs also cover:

Inter-VLAN routing points
Lateral movement paths inside campuses, branches, or data centers

Remote sites via ERSPAN

When deploying a physical sensor at a remote site isn't practical, ERSPAN provides an effective way to forward mirrored traffic to a central location.

Because ERSPAN encapsulates packets, a few additional considerations are important:

Account for ERSPAN overhead in MTU calculations
Ensure the WAN links have sufficient capacity, as multiple ERSPAN feeds can be bandwidth heavy
Use separate NICs on the sensor when using multiple ERSPAN sources

Distributed vs centralized networks

In highly distributed networks, you may need multiple sensors or capture points to maintain visibility across independent sites or segments.

Centralized networks on the other hand often allow you to capture the majority of traffic at core or aggregation layers, reducing the number of sensors required.

Reliability and capacity

Reliable capture depends on both the network and the sensor host.

To ensure predictable capture quality:

Avoid oversubscribing SPAN sessions
Confirm the sensor NIC can handle the expected bandwidth
Adjust mirror scope (VLANs/ports/direction) if drops occur
Ensure the NIC is in promiscuous mode so all mirrored traffic is collected.
For virtual deployments, you may also need to enable promiscuous mode on the hypervisor vSwitch/port group.
Confirm NIC receive buffers are sized appropriately for high‑rate traffic
Validate traffic delivery after deployment (packet counters, SPAN/TAP health checks)

FAQs

How can I validate if traffic is flowing for SPAN?

After you’ve configured the SPAN session and connected the mirror port to the sensor NIC, log in to the sensor host and:

Identify the capture interface (for example ens192):
ip link show
Run a short packet capture test (requires root):
tcpdump -i <INTERFACE> -c 20 -nn

If you see packets scrolling by, the SPAN feed is working.
If no packets are captured, the sensor is not receiving mirrored traffic: recheck the source ports/VLANs, direction (ingress/egress/both), and that the correct physical port is cabled to the sensor.

How can I validate if traffic is flowing from a TAP?

Once the TAP is inserted and the monitor ports are connected to the sensor NIC(s):

Confirm at the network layer that the TAP and sensor links are up (link light/switch port status if applicable).
On the sensor host, identify the capture interface:
ip link show
Run a short packet capture test (requires root):
tcpdump -i <INTERFACE> -c 20 -nn

If you see packets scrolling by, the TAP is correctly delivering traffic.
If no packets are captured, verify that:

The TAP type matches link speed/media (1G/10G copper/fiber)
You’re using the correct monitor ports
For bi‑directional links, both directions are actually presented to the sensor (some TAPs output two one‑way feeds that must both be connected/aggregated)

How can I validate if traffic is flowing for RSPAN/ERSPAN?

After configuring RSPAN or ERSPAN on the switches/routers and connecting/attaching the sensor endpoint:

On the sensor host, identify the interface or tunnel that should receive the mirrored traffic:
ip link show
Run a short packet capture test (requires root):
tcpdump -i <INTERFACE> -c 20 -nn
For RSPAN, you should see mirrored packets directly.
For ERSPAN over GRE, you may first see GRE-encapsulated ERSPAN packets.

If tcpdump shows no packets, re‑check:

Verify MTU settings along the path to avoid silent drops due to fragmentation.
The destination endpoint (correct NIC, tunnel, or vSwitch port group).
The RSPAN VLAN/ERSPAN tunnel configuration and ACLs.
That the source session is actually active on the switch.

How can I validate if traffic is flowing through a packet broker to the sensor?

Validation is done in two places: on the broker and on the sensor.

On the packet broker:
- Check the statistics/counters on the tool‑port feeding the sensor (ingress/egress packet/byte counters).
- Confirm that any filters or ACLs applied to that tool‑port are not excluding the VLANs, IP ranges, or protocols you expect to see.
- If you are load‑balancing across multiple sensor NICs, verify the hash/load‑balancing policy and per‑port counters.
On the sensor host:
- Identify the interface(s) connected to the broker:
  ip link show
- Run a short packet capture test (requires root):
  tcpdump -i <INTERFACE> -c 20 -nn

If you see packets, the broker is successfully delivering a feed to that NIC.
If no packets are showing, revisit broker filters, output mapping, and cabling, and verify that the correct tool‑port is assigned to the sensor.