Distributed traffic capture optimizes monitoring

12.06.2009

Engineers are beginning to take a traffic engineering approach to network monitoring: treating distributed traffic capture as a system matched to the network rather than as a set of stand-alone probes. The capabilities required of each capture device are set by the link speeds, the nature of the traffic, and the device's location in the network's core, distribution, access or gateway layers (and, where applicable, in related telecom architectures).

A traffic capture system is best built in two layers: 1) capture and aggregation, fed by inline taps or SPAN ports, and 2) aggregation and distribution to the monitoring equipment. (The two feeds differ in reliability: a SPAN port is a copy produced by the switch and competes for that switch's output bandwidth, so it silently drops under load, whereas an inline tap is passive.) Separating the two layers gives flexibility in where capture points are placed and makes the system scalable: copied traffic is collected at a few, or hundreds of, capture points anywhere in the network, groomed, and then forwarded to centralized analysis and monitoring devices.

Grooming happens in real time and entirely in hardware, typically adding an average delay of two packet times or less. The copied traffic can be selectively aggregated, filtered on Layers 2 through 4 (for example by VLAN, MAC or IP address, protocol or port) according to the kind of analysis device it is destined for, load balanced so that no monitoring device is oversubscribed, and then sent to a central location. The load balancing must keep both directions of a session on the same device; otherwise a stateful tool such as an IDS sees only half of each conversation.
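As an added illustration (not code from the article or from any vendor's product), the following Python models that grooming step in software: it parses constructed Ethernet/802.1Q/IPv4/TCP/UDP frames, applies a small Layer 2-4 filter table, and spreads the matching copies across a tool group with a symmetric flow hash, so that both directions of a session reach the same monitoring device. The filter rules, tool-group sizes, MAC and IP addresses, and sample frames are all assumed test data, and the hash-based distribution is one reasonable choice rather than a description of any particular hardware.

```python
"""Toy model of a traffic-grooming layer (added example, not from the article):
parse Ethernet/802.1Q/IPv4/TCP/UDP headers, apply Layer 2-4 filter rules, and
load-balance matching copies across monitoring-tool ports with a flow-symmetric
hash. Real groomers do this in hardware at line rate; this is for illustration."""
import socket
import struct
import zlib

TCP, UDP = 6, 17


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport,
                vlan=None, payload=b""):
    """Construct a sample Ethernet/IPv4 frame (constructed test input)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:                       # optional 802.1Q tag
        eth += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    eth += struct.pack("!H", 0x0800)           # EtherType IPv4
    if proto == TCP:                           # 20-byte TCP header, ACK set, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x10, 65535, 0, 0)
    else:                                      # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def parse(frame):
    """Decode the Layer 2-4 fields a groomer filters on; None where absent."""
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    off, vlan = 12, None
    ethertype, = struct.unpack_from("!H", frame, off); off += 2
    if ethertype == 0x8100:                    # 802.1Q tag: TCI then real EtherType
        tci, = struct.unpack_from("!H", frame, off); off += 2
        vlan = tci & 0x0FFF
        ethertype, = struct.unpack_from("!H", frame, off); off += 2
    pkt = {"src_mac": src_mac, "dst_mac": dst_mac, "vlan": vlan,
           "ethertype": ethertype, "src_ip": None, "dst_ip": None,
           "proto": None, "sport": None, "dport": None}
    if ethertype != 0x0800:
        return pkt                             # non-IPv4: Layer 2 fields only
    ihl = (frame[off] & 0x0F) * 4
    pkt["proto"] = frame[off + 9]
    pkt["src_ip"] = socket.inet_ntoa(frame[off + 12:off + 16])
    pkt["dst_ip"] = socket.inet_ntoa(frame[off + 16:off + 20])
    off += ihl
    if pkt["proto"] in (TCP, UDP):            # ports sit first in both headers
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, off)
    return pkt


# Assumed filter policy: every listed field must match; first match wins;
# frames matching no rule are dropped so they never load the tools.
RULES = [
    {"vlan": 100, "proto": TCP, "ports": {80, 443}, "group": "web-ids"},
    {"proto": UDP, "ports": {53},                    "group": "dns-monitor"},
]
TOOL_GROUPS = {"web-ids": 3, "dns-monitor": 1}      # assumed tool ports per group


def match(rule, pkt):
    if "vlan" in rule and pkt["vlan"] != rule["vlan"]:
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "ports" in rule and not ({pkt["sport"], pkt["dport"]} & rule["ports"]):
        return False
    return True


def flow_slot(pkt, n_tools):
    """Symmetric 5-tuple hash: A->B and B->A pick the same tool port."""
    a = (socket.inet_aton(pkt["src_ip"]), pkt["sport"] or 0)
    b = (socket.inet_aton(pkt["dst_ip"]), pkt["dport"] or 0)
    lo, hi = sorted([a, b])                    # order endpoints, not direction
    key = lo[0] + hi[0] + struct.pack("!HHB", lo[1], hi[1], pkt["proto"])
    return zlib.crc32(key) % n_tools


def groom(frame):
    """Return (group, tool_index) for a copied frame, or None if filtered out."""
    pkt = parse(frame)
    for rule in RULES:
        if match(rule, pkt):
            group = rule["group"]
            return group, flow_slot(pkt, TOOL_GROUPS[group])
    return None


def distribution(frames):
    """Count copies per (group, tool) to check that no tool port is oversubscribed."""
    counts = {}
    for f in frames:
        slot = groom(f)
        if slot is not None:
            counts[slot] = counts.get(slot, 0) + 1
    return counts


if __name__ == "__main__":
    req = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                      "10.1.1.10", "203.0.113.5", TCP, 51000, 443, vlan=100)
    rsp = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01",
                      "203.0.113.5", "10.1.1.10", TCP, 443, 51000, vlan=100)
    print("request ->", groom(req), "response ->", groom(rsp))
    many = [build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.1.1.10",
                        "203.0.113.5", TCP, 40000 + i, 443, vlan=100) for i in range(300)]
    print("copies per tool port:", distribution(many))
```

The order-independent endpoint sort in flow_slot is what keeps request and response on the same sensor; hashing the raw (src, dst) order instead would split each session across two devices.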

A key element of the system's scalability is a management interface, preferably graphical, from which users can define filter settings and securely manage every capture device from one place, either at one of the capture devices or remotely. Because that interface decides where a copy of every packet on the network is sent, access to it needs the same authentication and change control as the switches being monitored.