Traditionally, network traffic is captured locally using a mirror port present on a network switch or a network tap in conjunction with an inline traffic capture point positioned along a communication link coupling two or more communicating devices. Network traffic captured in this way is typically monitored locally, thus requiring a port on a monitor for every individual capture point and mirror port in the network. This localization leads to great infrastructure and bandwidth costs and, consequently, many networks are inadequately monitored.
Another drawback to traditional network monitoring systems is that all captured traffic is sent to each monitoring device. With increased specialization, many conventional monitoring devices monitor a specific category or range of categories of network traffic. Thus, when a monitoring device receives all captured traffic, it is inundated with an excess of information, only a portion of which is useful. This results in an inefficient use of both bandwidth and monitoring capacity because, as a first step to monitoring the captured traffic, the monitor must first filter, or otherwise manipulate, the traffic to remove unnecessary information.
A further drawback to traditional network monitoring systems is that conventional taps do not communicate with one another. Thus, each tap must be individually configured. In the event of a desired change in the configuration information, each tap must then be individually reconfigured.