GigaSMART Packet Slicing

Required License: Base

GigaSMART operations with a Slicing selected truncate packets after either a specified header/layer and offset (a relative offset) or at a specific offset. Slicing operations are typically configured to preserve specific packet header information, allowing effective network analysis without the overhead of storing full packet data.

Packets can have multiple variable-length headers, depending on where they are captured, the different devices that have attached their own headers along the way, and the protocols in use (for example, IPv4 versus IPv6). Because of this, slicing operations with a hard-coded offset will not typically provide consistent results.

To address this, the GigaSMART lets you configure packet slicing using relative offsets – a particular number of bytes after a specific packet header (IPv4, IPv6, UDP, and so on). The GigaSMART parses through Layer 4 (TCP/UDP) to identify the headers in use, slicing based on the variable offset identified for a particular header instead of a hard-coded number of bytes.

Keep in mind the following when configuring GigaSMART operations with a Slicing component:

Feature

Description

Protocol

The following are the protocols that you can select for from the protocol drop-down list:

o IPV4 – Slice starting a specified number of bytes after the IPv4 header.
o IPV6 – Slice starting a specified number of bytes after the IPv6 header.
o UDP – Slice starting a specified number of bytes after the UDP header.
o TCP – Slice starting a specified number of bytes after the TCP header.
o FTP – Identify using TCP port 20 and slice payloads using offset from the TCP header.
o HTTPS – Identify using TCP port 443. Slice encrypted payloads using offset from the TCP header.
o SSH – Identify using TCP port 22. Slice encrypted payloads using offset from the TCP header.

The GigaSMART can provide slicing for GTP tunnels, provided the user payloads are unencrypted. Both GTPv1 and GTPv2 are supported – GTP' (GTP prime) is not supported. Keep in mind that only GTP-u (user plane packets) are sliced. Control plane packets (GTP-c) are left unmodified because of their importance for analysis.

o GTP – Slice starting a specified number of bytes after the outer GTP header.
o GTP-IPV4 – Slice starting a specified number of bytes after the IPv4 header inside the encapsulating GTP packet.
o GTP-UDP – Slice starting a specified number of bytes after the UDP header inside the encapsulating GTP packet.
o GTP-TCP – Slice starting a specified number of bytes after the TCP header inside the encapsulating GTP packet.

Slicing Offsets

You can specify either a relative offset or a static offset for the start of the packet slice:

■   Static offsets begin slicing a specific number of bytes from the start of the packet. Choose a static offset by setting protocol to none and supplying an offset from <64~9000> bytes.
■   Relative offsets begin slicing a specified number of bytes from the end of a particular header – IPv4, IPv6, and so on. Choose a relative offset by selecting any of the values listed for the protocol argument, along with an offset of <4~9000> bytes from the end of the specified layer:

Recalculated CRC

GigaSMART packet slicing automatically calculates and appends a new four-byte Ethernet CRC based on the sliced packet’s length and data and uses it to replace the existing CRC. This way, analysis tools do not report CRC errors for sliced packets.

Note:  The minimum relative offset is 4 bytes to allow the recalculated CRC to be added. The packet is sliced at the relative offset, and then the recalculated 4 bytes CRC is added to the sliced packet.

GigaSMART Trailer

Slicing operations can optionally include the GigaSMART Trailer. If you do elect to include the GigaSMART Trailer, it will include the original packet length before slicing.

Note:  Refer to How to Use GigaSMART Trailers for details on when the GigaSMART Trailer is required for a GigaSMART Operation as well as the information found in it.

In Combination with Masking

Slicing operations can be assigned to GigaSMART groups consisting of multiple engine ports. Refer to Groups of GigaSMART Engine Ports for details.

This example creates a GigaSMART slicing operation named IPv6_Headers. This operation truncates all packet data starting four bytes after the IPv6 header. The sliced packet would include the DLC, IPv6, and TCP headers, which are often enough for analysis needs.

Figure 88 GigaSMART Operations (GSOP) Page with Slicing Selected

To display slicing statistics, select GigaSMART > GigaSMART Operations > Statistics. The statistics for slicing will be in the row labeled Slicing in the GS Operations column.

Refer to Slicing Statistics Definitions for descriptions of these statistics as well as to GigaSMART Operations Statistics Definitions.