What is a TAP?
A TAP (Test Access Point) is a hardware device that passively copies network traffic in full for monitoring or analysis. Unlike SPAN, a TAP is physically placed between two network devices and provides a 100% copy of all data flows, including errors and Layer 1 signals.
TAPs are used in OT networks for reliable, permanent network monitoring, especially in critical environments where visibility is essential.
🧠 How does a TAP work?
- A TAP is physically placed between two network devices (e.g. between a PLC and a switch)
- The TAP device typically has four ports:
  - Two network ports (link A ↔ link B)
  - Two monitoring ports (output A and output B)
- The TAP copies all traffic without sending or influencing any data itself
- Monitoring tools such as Wireshark, IDS or SIEM can be connected to the monitor ports
TAPs deliver lossless monitoring, even at high bandwidth or with errors in the traffic.
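Because a TAP delivers each direction on its own monitor port, an analysis host that records output A and output B separately has to interleave the two captures by timestamp before requests and responses line up. The following is an added example, not part of the original page, that does this for two classic pcap captures. It assumes both capture interfaces share one clock and each capture is already in time order; the function names and sample frames are constructed for illustration.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def read_pcap(data, direction):
    """Yield ((sec, usec), direction, frame) for each record in pcap bytes."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("not a classic microsecond pcap capture")
    offset = 24               # skip the 24-byte global header
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        offset += incl_len
        yield (sec, usec), direction, frame


def merge_tap_outputs(pcap_a, pcap_b):
    """Interleave monitor output A and B into one time-ordered list."""
    streams = (read_pcap(pcap_a, "A"), read_pcap(pcap_b, "B"))
    return list(heapq.merge(*streams, key=lambda rec: rec[0]))


def build_pcap(packets):
    """Build pcap bytes from (sec, usec, frame) tuples (sample-data helper)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


# Constructed sample: placeholder payloads, not real Ethernet frames.
PORT_A = build_pcap([(100, 100, b"request-1"), (100, 900, b"request-2")])
PORT_B = build_pcap([(100, 450, b"response-1"), (101, 20, b"response-2")])

if __name__ == "__main__":
    for (sec, usec), direction, frame in merge_tap_outputs(PORT_A, PORT_B):
        print(f"{sec}.{usec:06d} {direction} {frame!r}")
```

If the two capture clocks drift apart, the merged order is no longer trustworthy, so the timestamp source matters as much as the TAP itself.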
🏭 Application of a TAP in industrial networks
- Permanent monitoring of critical communication between SCADA and PLC
- Feeding an IDS or SIEM without affecting the production process
- Auditing or forensic analysis of Modbus TCP, PROFINET or OPC UA
- Comparing redundant communication channels when using PRP or HSR
- Inspection of low-level errors (such as CRC or jitter) during incidents
TAPs are often used in zones 0–2 of the Purdue Model, where reliability is paramount.
🔍 TAP vs. SPAN
| Aspect | TAP (Test Access Point) | SPAN (Switched Port Analyzer) |
|---|---|---|
| Type | Hardware | Switch-based software function |
| Packet loss | None – 100% copy | Possible under high load or due to bugs |
| Duplex traffic | Provided separately (TX/RX) | Combined – sometimes risk of loss |
| Trustworthiness | Fully passive, fail-safe | Dependent on switch capacity |
| Use in OT | For permanent, forensic monitoring | For ad-hoc analysis or flexible configuration |
🔐 Security aspects
- TAPs are read-only: they cannot disrupt network traffic
- Even so, the monitor ports must be physically secured (only trusted devices)
- Combine TAP with encrypted logging to SIEM or Syslog
- Connect the monitoring tool to a separate segment or VLAN
- Only use TAPs with reliable, verified measurement equipment
TAPs offer maximum visibility without any impact on the OT traffic, provided they are properly implemented.
📌 In summary
A TAP is a hardware-based solution for network traffic monitoring, designed for situations where reliability, safety and transparency are crucial. In industrial environments, a TAP is the standard for permanent monitoring in critical zones.
