What is SPAN?
SPAN (Switched Port Analyzer), also known as port mirroring, is a feature on managed switches that copies network traffic from one or more ports to another port for analysis or monitoring.
In OT networks, SPAN is used to passively analyse communication from PLCs, HMIs, or SCADA systems with tools such as Wireshark, or to feed data to an IDS or SIEM.
How does SPAN work?
- The administrator configures the switch to duplicate traffic from a source port or VLAN
- This traffic is sent to a destination port to which an analyser or sensor is connected
- The analysing device receives an exact copy of the data stream, but does not send any traffic back itself
SPAN is read-only monitoring, which makes it ideal for safe inspection of OT traffic.
Application of SPAN in industrial networks
- Passively analysing Modbus, ProfiNET, or OPC UA traffic with Wireshark
- Feeding an IDS or SIEM with real-time traffic data
- Monitoring BOOTP/DHCP behaviour when configuring new drives or I/O modules
- Inspecting suspicious network traffic without affecting the network
- Supporting audits, troubleshooting, and network documentation
SPAN is often deployed on core switches or at segment boundaries in the Purdue Model.
SPAN vs. TAP
| Aspect | SPAN (switch-based) | TAP (hardware-based) |
|---|---|---|
| Cost | No additional hardware required | Requires dedicated TAP equipment |
| Configuration | Software-based via switch CLI/web interface | Physical installation |
| Reliability | May drop packets under high load | Always a 100% copy of traffic |
| Impact | Minimal, but depends on the switch | Fully passive |
| Use in OT | Widely used for ad hoc and flexible monitoring | TAP is recommended for critical segments |
Security aspects
- SPAN ports must be physically and logically protected: only trusted devices may be connected
- Make sure the analysing device (e.g. Wireshark) does not send traffic back; use receive-only interfaces
- Combine with VLANs, ACLs, and firewalls to restrict access to the SPAN port
- Log configuration changes to SPAN via Syslog or SIEM
- SPAN is not a security measure in itself; it is a tool within network monitoring
Use SPAN only as part of a managed and segmented network design.
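Two of the points above, keeping the analyser receive-only and logging SPAN configuration changes, can be checked automatically. The following is an added example and not code from the original page: it parses SPAN sessions out of a switch running-config and flags a destination port that accepts ingress traffic (an analyser on such a port could send into the network), and it scans switch syslog lines for SPAN changes made by accounts outside a trusted set. The config and log lines are constructed and written in Cisco IOS-style `monitor session` syntax; the exact wording of the config-change syslog message and the hostnames, users and interface names are assumptions for this example, not values from the page.

```python
"""Audit SPAN sessions and detect SPAN configuration changes (added example).

The running-config excerpt and syslog lines are constructed; the command
syntax is Cisco IOS-style and the syslog message format is an assumption.
"""
import re
from collections import defaultdict

# Constructed running-config excerpt (assumed Cisco IOS-style syntax).
RUNNING_CONFIG = """\
monitor session 1 source interface Gi1/0/1 - 4 both
monitor session 1 destination interface Gi1/0/24
monitor session 2 source vlan 10 rx
monitor session 2 destination interface Gi1/0/23 ingress vlan 10
monitor session 3 destination interface Gi1/0/22
"""

# Constructed syslog lines; the %PARSER-5-CFGLOG_LOGGEDCMD format is assumed.
SYSLOG = """\
<189>Jun 12 08:01:10 sw-ot-core 45: %PARSER-5-CFGLOG_LOGGEDCMD: User:ot-admin  logged command:interface GigabitEthernet1/0/5
<189>Jun 12 08:02:31 sw-ot-core 46: %PARSER-5-CFGLOG_LOGGEDCMD: User:ot-admin  logged command:monitor session 1 destination interface Gi1/0/24
<189>Jun 12 08:02:40 sw-ot-core 47: %PARSER-5-CFGLOG_LOGGEDCMD: User:guest  logged command:monitor session 4 destination interface Gi1/0/20 ingress vlan 20
"""

SESSION_RE = re.compile(r"^monitor session (\d+) (source|destination) (.*)$")
CHANGE_RE = re.compile(r"User:(\S+)\s+logged command:(monitor session .*)$")


def parse_sessions(config_text):
    """Group 'monitor session' lines by session id into source/destination lists."""
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    for line in config_text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sid, kind, rest = m.groups()
            sessions[int(sid)][kind].append(rest)
    return dict(sessions)


def audit_sessions(sessions):
    """Return (session_id, finding) tuples for risky or incomplete SPAN sessions."""
    findings = []
    for sid, s in sorted(sessions.items()):
        if not s["source"]:
            findings.append((sid, "destination without source: stale session, mirror port idle"))
        if not s["destination"]:
            findings.append((sid, "source without destination: session incomplete"))
        for dest in s["destination"]:
            # 'ingress' lets the destination port accept frames from the analyser
            if "ingress" in dest.split():
                findings.append((sid, "destination allows ingress: analyser can send into the network"))
    return findings


def span_changes(syslog_text, trusted_users=frozenset({"ot-admin"})):
    """Extract SPAN configuration changes from syslog; untrusted users or ingress are high."""
    alerts = []
    for line in syslog_text.splitlines():
        m = CHANGE_RE.search(line)
        if not m:
            continue
        user, cmd = m.groups()
        severity = "high" if user not in trusted_users or "ingress" in cmd.split() else "info"
        alerts.append({"user": user, "command": cmd, "severity": severity})
    return alerts


if __name__ == "__main__":
    for sid, finding in audit_sessions(parse_sessions(RUNNING_CONFIG)):
        print(f"session {sid}: {finding}")
    for alert in span_changes(SYSLOG):
        print(f"[{alert['severity']}] {alert['user']}: {alert['command']}")
```

Running the audit against a periodic config backup and the change detector against the switch's syslog feed gives the SIEM two signals: the steady-state list of who can see mirrored traffic, and every moment that list changed and by whom.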
In summary
SPAN is a valuable tool for making network traffic visible without intervening in communication, especially in OT environments where reliability is essential. It supports safe monitoring, troubleshooting, and forensic investigation.
