The network TAP aggregating traffic for the IDS/IPS and packet capture system becomes oversubscribed. The 10G TAP is receiving 14Gbps of traffic, causing 28% packet loss on the monitoring feed. The IDS misses attack signatures and the packet capture has gaps.
Pattern: PERFORMANCE_DEGRADATION
Severity: CRITICAL
Confidence: 85%
Remediation: Remote Hands
Test Results

Metric                 Expected                  Actual                                                              Result
Pattern Recognition    PERFORMANCE_DEGRADATION   PERFORMANCE_DEGRADATION
Severity Assessment    CRITICAL                  CRITICAL
Incident Correlation   Yes                       6 linked
Cascade Escalation     N/A                       No
Remediation            —                         Remote Hands — Corax contacts on-site support via call, email, or API
Scenario Conditions
Network TAP aggregating 4x10G uplinks to 1x10G monitoring port. Total traffic: 14Gbps through 10G TAP output. 28% packet loss on monitoring feed. IDS missing attack signatures. Full packet capture with 28% gaps. Security blind spot during active incident.
Injected Error Messages (1)
Network TAP oversubscribed — monitoring port dropping 28% of traffic, TAP output at 14Gbps on 10G port, IDS alert volume dropped 40% (missing signatures due to packet loss), packet capture showing 28% gaps in session reconstruction, security monitoring severely degraded, unable to perform complete forensic analysis during active incident investigation
Neural Engine Root Cause Analysis
The network TAP (tap01) is experiencing traffic oversubscription where 14Gbps of traffic is being pushed through a 10Gbps port, causing 28% packet loss. This bandwidth limitation is creating a bottleneck that severely impacts security monitoring capabilities, with IDS alert volume dropping 40% and incomplete packet capture for forensic analysis. The root cause is insufficient port capacity to handle the current traffic volume, likely due to increased network activity or misconfigured traffic distribution.
Remediation Plan
1. Immediately assess whether traffic can be load-balanced across multiple TAP ports, or redirect some monitoring to alternate TAPs.
2. Implement traffic filtering/sampling on the TAP to prioritize critical traffic types (reduce non-essential monitoring temporarily).
3. Upgrade the monitoring port from 10G to 40G, or implement port aggregation if the hardware supports it.
4. Review and optimize IDS signature rules to reduce processing overhead.
5. Establish traffic baselines and implement alerting for future oversubscription scenarios.
6. Consider deploying additional TAP infrastructure for redundancy and capacity.
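The baseline-and-alert check from step 5, written as an added example rather than anything from the Corax product: it takes a constructed sample of per-uplink offered load for a TAP aggregation port, estimates the drop rate implied by oversubscription, and compares the IDS alert rate with its baseline. The TapSample fields, the tap01 figures and the thresholds are assumptions chosen to match the scenario above.

```python
from dataclasses import dataclass, field

@dataclass
class TapSample:
    """One polling interval of a TAP aggregation port (hypothetical schema)."""
    tap: str
    uplink_gbps: list[float] = field(default_factory=list)  # offered load per tapped uplink
    monitor_port_gbps: float = 10.0   # line rate of the single monitoring output
    ids_alerts_per_min: float = 0.0   # IDS alert rate fed by this TAP right now
    ids_baseline_per_min: float = 0.0 # agreed baseline for the same time of day

def oversubscription(sample: TapSample) -> tuple[float, float]:
    """Return (offered/capacity ratio, expected loss fraction).

    A TAP has no buffering to speak of, so anything offered above line
    rate is dropped: loss = 1 - capacity/offered when offered > capacity.
    """
    offered = sum(sample.uplink_gbps)
    if offered <= 0:
        return 0.0, 0.0
    ratio = offered / sample.monitor_port_gbps
    loss = max(0.0, 1.0 - sample.monitor_port_gbps / offered)
    return ratio, loss

def ids_alert_drop(sample: TapSample) -> float:
    """Fractional drop of IDS alert volume against baseline (0.0 if no baseline)."""
    if sample.ids_baseline_per_min <= 0:
        return 0.0
    return max(0.0, 1.0 - sample.ids_alerts_per_min / sample.ids_baseline_per_min)

def evaluate(sample: TapSample, loss_alert: float = 0.01,
             ids_drop_alert: float = 0.25) -> list[str]:
    """Emit alert strings; an empty list means the monitoring feed is healthy."""
    findings = []
    ratio, loss = oversubscription(sample)
    if loss > loss_alert:
        findings.append(f"{sample.tap}: offered {sum(sample.uplink_gbps):.1f}Gbps on "
                        f"{sample.monitor_port_gbps:.0f}G monitor port "
                        f"(ratio {ratio:.2f}), est. loss {loss:.0%}")
    drop = ids_alert_drop(sample)
    if drop > ids_drop_alert:
        findings.append(f"{sample.tap}: IDS alert volume down {drop:.0%} vs baseline; "
                        "signature coverage degraded, treat as security blind spot")
    return findings

# Constructed sample: four tapped 10G uplinks totalling 14Gbps into one 10G port.
TAP01 = TapSample("tap01", [4.5, 3.5, 3.0, 3.0], 10.0, ids_alerts_per_min=120, ids_baseline_per_min=200)

if __name__ == "__main__":
    for line in evaluate(TAP01):
        print(line)
```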