Why you may need protocol stripping function?
As you know there are 7 OSI model levels. Each one adds some particular volume header to the packet.
In
the easiest case for every network analyzer, packet contains source and
destination MAC-addresses and then IP-addresses. If we mirror
datacenter or even distribution level uplinks we can observe
802.1q-tagged or even MPLS-labeled traffic. Each of these headers is
inserted between data link layer and network layer. I could see in my
practice some situations when network sensors didn't understand these
headers. In the best case they were ignored but in the worst one devices
might start wrong calculation and higher level data interpretation
according to hardcoded packet offset algorithm used for throughput
increasing.
So, it is possible to delete unused headers if you don't need a detection of VLAN/VXLAN id, MPLS label etc.
If you need for the information security incident investigation:
- Layer 2 or 2.5 info,
- entire access network traffic analysis including every subnet/VLAN,
- traffic copy aggregation on the packet broker,
then you may not need a packet stripping function but you must use packets deduplication feature.
But if you mirror uplinks to IP/MPLS core or service level (it depends on the network architecture) with 802.1q tags or MPLS labels you may optimize your network sensors resources usage:
- qualitatively - by packets structure unification;
- quantitatively - by packets unused size minimization with unanalyzed headers elimination.
Some approx headers list for protocol stripping is shown on the picture below.
But only you must decide what data is needed for analysis and what is not.
No comments:
Post a Comment