VSS's product range is a family of devices that collect network traffic, filter it and then pass it on for consumption by network management and diagnosis packages.
There's a fundamental problem with any tool on the market today that watches packets fly down network connections (which means everything from a simple packet capture tool like Wireshark to a big, hefty IDS appliance) - namely that to make use of these products, you have to get the packets to them. Yes, you can set up a mirror port on your switch, but this is about as far as you can go - and most switches can only provide you with one or two mirror ports anyway. There's another problem, too: most packet capture products are software-based, so you stand a whelk's chance in a supernova of being able to do proper traffic analysis on a heavily loaded Gigabit or 10Gbit/s port.
VSS's answer is the Distributed Filter Tap, a family of products of which we were sent the heftiest in the range - the 4x24. On the back panel of the 1U unit is a pair of power inlets, plus an RS-232 console port and a pair of Ethernet connections. On the front are 28 ports, in three separate clumps: four 10Gbit/s XFP ports, 16 10/100/1000 Ethernet outlets (configured as eight pairs) and eight Gigabit SFP ports. To get started, we connected a PC to the RS-232 port in order to look up the unit's IP address; once we'd got the IP settings in unison with our test network, we could fire up the admin GUI in a browser. Note, incidentally, that as well as serial and basic HTTP, the unit also supports Telnet and HTTPS for management connections.
The admin interface is very simple to use, because there's actually very little that needs to be configured. All you'll really do is (a) configure the ports into which data will be arriving; (b) configure the ports out of which data will be delivered; and (c) optionally configure filters that determine how ingress data is transformed into egress data.
Each port is given one of three types. A "span" port is an ingress port that's connected to a mirror port on an infrastructure switch, and so it will receive all data that emerges from that mirror port. A "tap" port is another ingress port, but this time it's configured as an in-line tap in a network segment; for optical ports it uses a passive optical tap, and for UTP ports each pair of ports (remember we mentioned they're paired on the front panel) can act as a tap. Finally, a "monitor" port is an egress port - data is sent out to be consumed by your monitoring applications.
The principle by which the device works is elegantly simple - it collects traffic from a number of network segments, filters it, then passes the filtered results (in multiple different streams if desired) out for collection. And since everything's done in hardware, this all happens at wire speed. The result is, therefore, that you can use it to take in all the traffic it sees on its ingress ports, filter out the packets that the downstream applications don't care about, then pass on a manageable amount of traffic for consumption by your software-based tools.
It's dead easy to get going. First, you'll need to choose your port types and run through the GUI to flag them as tap, span or monitor ports as appropriate (a simple tick-the-boxes exercise, though for in-line tap ports you'll want to ensure you pick sensible auto-negotiation settings), and of course connect the network segments in appropriately. If you're switching a UTP port between "tap" and "span", remember that they're paired - so if you switch port 1 to "tap", port 2 will flip to "tap" as well since each port in a pair has to be the same type as its partner. The unit has a feature named "LinkSafe", which for in-line tap ports ensures that a link failure on one side is propagated to the other - a handy feature that ensures the unit doesn't break your network by getting in the way of things like Spanning Tree Protocol packets.
Once you've got your ports sorted out, you can define your filters (assuming, of course, the option you've chosen supports filtering - it's an additional feature that you enable by entering an option key into the System Software screen of the GUI). There are two screens for defining filters; the "Quick" screen is a short, easy-to-use set of common filter criteria (MAC/IP address and a few common protocols such as HTTP, NTP and SMTP), while the "Detailed" screen has a much more extensive list of parameters including such things as VLAN tags, type of service and whatnot. Entering things in these screens causes the "Condition" text box to be auto-populated with a textual version of what you've selected - and if you wish, you can actually enter your own text into this box (there's a guide to the syntax in the "Advanced" screen, and it's dead easy to get to grips with).
In addition to filtering, our unit also had the Load Balancing option enabled. This lets you take the input data and have it split up (you can choose the split criteria - so you might split by destination address, or by a combination of source and destination address, for example) and sent evenly out of the egress ports. This is clearly useful if you don't think your downstream analysis tools can cope with everything arriving on a single link.
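A small model of why the choice of split criteria matters to a downstream IDS or analyser (an added example, not VSS's code or configuration syntax): it hashes constructed packets onto four hypothetical monitor ports and reports which conversations had their two directions delivered to different tools. CRC32 stands in for whatever hash the hardware uses, and the source-and-destination combination is assumed to be order-independent.

```python
import ipaddress
import zlib
from collections import defaultdict

# Hypothetical names for four monitor (egress) ports.
MONITOR_PORTS = ["mon1", "mon2", "mon3", "mon4"]

def egress_port(src, dst, criteria, ports=MONITOR_PORTS):
    """Pick the monitor port for one packet under the given split criteria."""
    s = ipaddress.ip_address(src).packed
    d = ipaddress.ip_address(dst).packed
    if criteria == "dst":
        key = d
    elif criteria == "src+dst":
        # Assumption: order-independent combination, so A->B and B->A share a key.
        key = b"".join(sorted((s, d)))
    else:
        raise ValueError(f"unknown split criteria: {criteria}")
    # CRC32 is a stand-in for the device's hardware hash, which is not documented here.
    return ports[zlib.crc32(key) % len(ports)]

def ports_per_conversation(packets, criteria):
    """Map each conversation (unordered address pair) to the ports that saw it."""
    seen = defaultdict(set)
    for src, dst in packets:
        seen[frozenset((src, dst))].add(egress_port(src, dst, criteria))
    return dict(seen)

def split_conversations(packets, criteria):
    """Conversations whose two directions were delivered to different tools."""
    per_conv = ports_per_conversation(packets, criteria)
    return [conv for conv, ports in per_conv.items() if len(ports) > 1]

# Constructed sample traffic: eight clients, one server, a request and a reply each.
SERVER = "192.0.2.10"
PACKETS = []
for i in range(1, 9):
    client = f"10.0.0.{i}"
    PACKETS += [(client, SERVER), (SERVER, client)]

if __name__ == "__main__":
    for criteria in ("dst", "src+dst"):
        split = split_conversations(PACKETS, criteria)
        print(f"{criteria}: {len(split)} of 8 conversations split across tools")
```

A tool that reassembles sessions needs both directions on one link, so a destination-only split suits per-host statistics better than stateful inspection.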
The Distributed Filter Tap is one of those products that makes you wonder why nobody's ever done one before. It's a fantastically simple idea, but that's not a bad thing - and VSS has managed to stick to the job in hand and hasn't been tempted to start adding bells and whistles. Admittedly these devices aren't cheap, but if you're the kind of organisation that has a network sufficiently fast and extensive, and an array of monitoring tools sufficiently large, to need this kind of equipment, then the price tag will seem reasonably palatable.
These units will soak up a significant amount of your budget, so a purchase won't be entered into lightly; they do, however, let you make the most of whatever monitoring/IDS/packet analysis products you use, by helping you get as much of the relevant traffic as possible to those downstream systems. Also, be thorough when selecting the unit(s) you choose; the sheer range of products can be rather baffling.