The Network Tapping System is one of the most important network systems. It takes a copy of all the networking events and send it to the served system to be monitored and analyzed. It is a hardware device which provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. If the network between points A and B consists of a physical cable, a "network tap" may be the best way to accomplish this monitoring. The network tap has (at least) three ports: an A port, a B port, and a monitor port. A tap inserted between A and B passes all traffic (send and receive data streams) through unimpeded in real time, but also copies that same data to its monitor port, enabling a third party to listen. Network taps are commonly used for network intrusion detection systems, VoIP recording, network probes, RMON probes, packet sniffers, and other monitoring and collection devices and software that require access to a network segment. Taps are used in security applications because they are non-obtrusive, are not detectable on the network (having no physical or logical address), can deal with full-duplex and non-shared networks, and will usually pass through or bypass traffic even if the tap stops working or loses power.
There are various methods for getting access to the net-work. Many tapping methods can be used, according to the network technology and the monitoring objective. The first method, when a monitoring device is installed in-line. When a monitoring device is installed in-line, the network will stop every time the device updated or rebooted. Similarly, if the device failed, the network will break down as well . Another method to monitor networks is by enabling Promiscuous Mode on the host that used for the monitoring and attaching it to a network switch. This method is work-ing well with old LAN technologies. However, Modern net-work became switched network, that meaning; the devices are communicated using Point-To-Point links. If the moni-toring device is connected to such network, it will only see its own traffic, so it is hard for other devices see the traffics. Some of the traditional methods for gaining access to the network traffic are using a SPAN port, also known as MIRROR port, in the switch. It is a software method to make network tapping. It makes load on the network switch. This is a low cost alternative to network tap. How-ever, not all routers and switches support port mirror and, on those that do, using port mirroring can affect the per-formance of the router or the switch.