A method and apparatus for mirroring traffic from a first network device
to a second network device are disclosed. The method includes the
selecting of one or more ingress frames from an ingress stream using
mirror classification criteria; duplicating the one or more ingress
frames; appending a mirrored flow encapsulation header with a virtual
local area network tag; transmitting the duplicate frames with tags from
the first network device to the second network device; and removing the
mirrored flow encapsulation header at the target network device to
regenerate the ingress frames originally received at the first network
device. The ingress frames may then be forwarded to an egress port of the
second network device and analyzed by a traffic analysis tool, for
example. With the invention, the traffic received at the first network
device may be analyzed remotely.