GigaSMART Packet Slicing

Required License: Base

GigaSMART operations with a Slicing selected truncate packets after either a specified header/layer and offset (a relative offset) or at a specific offset. Slicing operations are typically configured to preserve specific packet header information, allowing effective network analysis without the overhead of storing full packet data.

Packets can have multiple variable-length headers, depending on where they are captured, the different devices that have attached their own headers along the way, and the protocols in use (for example, IPv4 versus IPv6). Because of this, slicing operations with a hard-coded offset will not typically provide consistent results.

To address this, the GigaSMART lets you configure packet slicing using relative offsets – a particular number of bytes after a specific packet header (IPv4, IPv6, UDP, and so on). The GigaSMART parses through Layer 4 (TCP/UDP) to identify the headers in use, slicing based on the variable offset identified for a particular header instead of a hard-coded number of bytes.

Keep in mind the following when configuring GigaSMART operations with a Slicing component:

Feature

Description

Protocol

The following are the protocols that you can select for from the protocol drop-down list:

- IPV4 – Slice starting a specified number of bytes after the IPv4 header.
- IPV6 – Slice starting a specified number of bytes after the IPv6 header.
- UDP – Slice starting a specified number of bytes after the UDP header.
- TCP – Slice starting a specified number of bytes after the TCP header.
- FTP – Identify using TCP port 20 and slice payloads using offset from the TCP header.
- HTTPS – Identify using TCP port 443. Slice encrypted payloads using offset from the TCP header.
- SSH – Identify using TCP port 22. Slice encrypted payloads using offset from the TCP header.

The GigaSMART can provide slicing for GTP tunnels, provided the user payloads are unencrypted. Both GTPv1 and GTPv2 are supported – GTP' (GTP prime) is not supported. Keep in mind that only GTP-u (user plane packets) are sliced. Control plane packets (GTP-c) are left unmodified because of their importance for analysis.

- GTP – Slice starting a specified number of bytes after the outer GTP header.
- GTP-IPV4 – Slice starting a specified number of bytes after the IPv4 header inside the encapsulating GTP packet.
- GTP-UDP – Slice starting a specified number of bytes after the UDP header inside the encapsulating GTP packet.
- GTP-TCP – Slice starting a specified number of bytes after the TCP header inside the encapsulating GTP packet.

Slicing Offsets

You can specify either a relative offset or a static offset for the start of the packet slice:

Static offsets begin slicing a specific number of bytes from the start of the packet. Choose a static offset by setting protocol to none and supplying an offset from <64~9000> bytes.
Relative offsets begin slicing a specified number of bytes from the end of a particular header – IPv4, IPv6, and so on. Choose a relative offset by selecting any of the values listed for the protocol argument, along with an offset of <4~9000> bytes from the end of the specified layer:

Recalculated CRC

GigaSMART packet slicing automatically calculates and appends a new four-byte Ethernet CRC based on the sliced packet’s length and data and uses it to replace the existing CRC. This way, analysis tools do not report CRC errors for sliced packets.

GigaSMART Trailer

Slicing operations can optionally include the GigaSMART Trailer. If you do elect to include the GigaSMART Trailer, it will include the original packet length before slicing.

Note: Refer to Using GigaSMART Trailers for details on when the GigaSMART Trailer is required for a GigaSMART Operation as well as the information found in it.

In Combination with Masking

Slicing operations can be assigned to GigaSMART groups consisting of multiple engine ports. Refer to Groups of GigaSMART Engine Ports for details.

Example – GigaSMART Packet Slicing

This example shown in creates a GigaSMART slicing operation named IPv6_Headers. This operation truncates all packet data starting four bytes after the IPv6 header. The sliced packet would include the DLC, IPv6, and TCP headers, which are often enough for analysis needs.

 

Figure 869: GigaSMART Operations (GSOP) Page with Slicing Selected

Displaying Slicing Statistics

To display slicing statistics, select GigaSMART > GigaSMART Operations > Statistics. The statistics for slicing will be in the row labeled Slicing in the GS Operations column.

Refer to Slicing Statistics Definitions for descriptions of these statistics as well as to GigaSMART Operations Statistics Definitions.