For most security and network monitoring applications there is no need to examine live network traffic. In fact, it is almost counterproductive, because one risks inadvertently blocking or disrupting live traffic. As a result, two common techniques are used to copy or mirror data. Both techniques replicate network traffic without disrupting the natural flow of data and are often referred to as “passive” or “out-of-band”.
The first technique is called an “optical TAP”, where the term “TAP” is always capitalized because it is an acronym for “Test Access Point.” The TAP is a non-powered hardware device that makes a full copy of network data without affecting network traffic. Garland Technology is a well-known manufacturer of TAPs and there is further information on their website. For the sake of completeness, I should mention that copper TAPs are also available, but they are much less common, as optical fiber is the medium of choice for most backbone links in an enterprise, government or service provider network.
The other technique is a SPAN or mirror port on an Ethernet switch. SPAN is an acronym for “Switch Port Analyzer.” This is a configurable option on most advanced Ethernet switches from companies such as Cisco or Arista Networks. A network administrator configures the switch so that traffic from specific Ethernet ports is replicated, or mirrored, out of another port. This creates the desired copy of the traffic, which is forwarded on to security or network monitoring appliances.
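As an added illustration (not configuration from the original article), this is what a local SPAN session looks like on a Cisco IOS switch. The session number and interface names are assumptions chosen for the example; the monitoring appliance is assumed to be cabled to GigabitEthernet1/0/24.

```cisco
! Example only: session number and interface names are assumed.
configure terminal
 ! Start from a clean session so stale sources are not mirrored by accident.
 no monitor session 1
 ! Mirror both directions of the uplink port.
 monitor session 1 source interface GigabitEthernet1/0/1 both
 ! Mirror only frames received on a second port.
 monitor session 1 source interface GigabitEthernet1/0/2 rx
 ! Port cabled to the monitoring appliance. Once it is a SPAN destination
 ! it no longer forwards ordinary switched traffic.
 monitor session 1 destination interface GigabitEthernet1/0/24
end
! Confirm the sources, directions and destination that are active.
show monitor session 1
```

If the combined rate of the mirrored sources exceeds the speed of the destination port, the switch drops the excess mirrored frames, so size the destination port for the traffic the monitoring appliance is expected to see.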