Slicing

Packet slicing allows you to truncate packets after a specified header and slice length, preserving the portion of the packet required for monitoring purposes. Slicing operations are typically configured to preserve specific packet header information, allowing effective network analysis without the overhead of storing full packet data.

Packets can have multiple variable-length headers, depending on where they are captured, the different devices that have attached their own headers along the way, and the protocols in use (for example, IPv4 versus IPv6). Because of this, slicing operations with a hard-coded offset will not typically provide consistent results.

To address this, the slicing application lets you configure packet slicing using protocols that allow you to start slicing from a particular number of bytes after a specific packet header (IPv4, IPv6, UDP, and so on). The slicing application parses through Layer 4 (TCP/UDP) to identify the headers in use, slicing based on the variable offset identified for a particular header instead of a hard-coded number of bytes.
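The difference between a hard-coded offset and a header-relative offset can be seen in the following added example, which is not the slicing application's own code. The names `header_end`, `slice_frame` and `build` are hypothetical and the sample frames are constructed. It assumes Ethernet framing, does not walk IPv6 extension headers or GTP, and passes frames that lack the chosen header through unmodified.

```python
import struct

ETH_IPV4, ETH_IPV6, ETH_VLAN, ETH_QINQ = 0x0800, 0x86DD, 0x8100, 0x88A8
TCP, UDP = 6, 17

def header_end(frame: bytes, protocol: str) -> int:
    """Index just past the named header; -1 if the frame does not carry it."""
    if protocol == "NONE":
        return 0                                  # offset counts from frame start
    try:
        pos, etype = 14, struct.unpack_from("!H", frame, 12)[0]
        while etype in (ETH_VLAN, ETH_QINQ):      # each VLAN tag adds 4 bytes
            etype = struct.unpack_from("!H", frame, pos + 2)[0]
            pos += 4
        if etype == ETH_IPV4:
            l3, l4 = "IPV4", frame[pos + 9]
            pos += (frame[pos] & 0x0F) * 4        # IHL includes IPv4 options
        elif etype == ETH_IPV6:
            l3, l4 = "IPV6", frame[pos + 6]       # extension headers not walked
            pos += 40
        else:
            return -1
        if protocol == l3:
            return pos
        if protocol == "TCP" and l4 == TCP:
            return pos + (frame[pos + 12] >> 4) * 4   # data offset includes options
        if protocol == "UDP" and l4 == UDP:
            return pos + 8
    except (struct.error, IndexError):            # truncated or malformed frame
        pass
    return -1

def slice_frame(frame: bytes, protocol: str, offset: int) -> bytes:
    end = header_end(frame, protocol)
    # Assumption: frames without the chosen header are passed through unmodified.
    return frame if end < 0 else frame[: end + offset]

def build(vlan=False, ip_opts=0, tcp_opts=0, payload=b"SECRET-PAYLOAD"):
    """Constructed Ethernet/IPv4/TCP test frame; option lengths are multiples of 4."""
    tag = struct.pack("!HH", ETH_VLAN, 100) if vlan else b""
    eth = bytes(12) + tag + struct.pack("!H", ETH_IPV4)
    ip = bytes([0x40 | (5 + ip_opts // 4)]) + bytes(8) + bytes([TCP]) + bytes(10 + ip_opts)
    tcp = bytes(12) + bytes([(5 + tcp_opts // 4) << 4]) + bytes(7 + tcp_opts)
    return eth + ip + tcp + payload

if __name__ == "__main__":
    for name, f in (("plain", build()), ("tagged+options", build(True, 4, 12))):
        fixed, aware = slice_frame(f, "NONE", 54), slice_frame(f, "TCP", 0)
        print(f"{name}: frame={len(f)} fixed54={len(fixed)} after-TCP={len(aware)}")
```

A fixed 54-byte slice ends exactly at the TCP header on the plain frame but cuts the TCP header short on the VLAN-tagged frame with options, while a fixed offset large enough for the tagged frame keeps payload bytes from the plain one.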

To add a slicing application:

  1. Drag and drop Slicing from APPLICATIONS to the graphical workspace.
  2. Click the Slicing application and select Details. The Application quick view appears.
  3. In the Application quick view, enter the information as follows:

    Component – Description

    Alias – Enter a name for the application.

    Protocol – Select one of the following protocols from the Protocol drop-down list:

    o None – Slice starting a specific number of bytes from the start of the packet.
    o IPV4 – Slice starting a specified number of bytes after the IPv4 header.
    o IPV6 – Slice starting a specified number of bytes after the IPv6 header.
    o UDP – Slice starting a specified number of bytes after the UDP header.
    o TCP – Slice starting a specified number of bytes after the TCP header.
    o FTP – Identify using TCP port 20 and slice payloads using offset from the TCP header.
    o HTTPS – Identify using TCP port 443. Slice encrypted payloads using offset from the TCP header.
    o SSH – Identify using TCP port 22. Slice encrypted payloads using offset from the TCP header.

    The slicing application can provide slicing for GTP tunnels, provided the user payloads are unencrypted. Both GTPv1 and GTPv2 are supported; GTP' (GTP prime) is not supported. Keep in mind that only GTP-u (user plane) packets are sliced. Control plane packets (GTP-c) are left unmodified because of their importance for analysis.

    o GTP – Slice starting a specified number of bytes after the outer GTP header.
    o GTP-IPV4 – Slice starting a specified number of bytes after the IPv4 header inside the encapsulating GTP packet.
    o GTP-UDP – Slice starting a specified number of bytes after the UDP header inside the encapsulating GTP packet.
    o GTP-TCP – Slice starting a specified number of bytes after the TCP header inside the encapsulating GTP packet.

    Offset – Specify the length of the packet that must be sliced.

  4. Click Save.