Selective Packet Truncation in Tap Aggregation

Packet truncation in tap aggregation mode allows tapped traffic to be cut down to a smaller size before it is forwarded to a tool. It reduces the amount of traffic received by analysis devices when only the headers need to be analyzed and the payload is irrelevant, or unwanted for practical or legal reasons.

Truncation is applied either at the tap or tool port. This means that all traffic either arriving from a source or sent to a tool is subject to the truncation setting. In practice, it may be desirable to truncate a subset of the traffic rather than every single packet. For example, if a tap port is receiving both encrypted and plaintext traffic, it may be required to capture the full plaintext data but discard the encrypted payload to save resources on the connected tool devices.

Solution

We can apply traffic steering on the tap port to select the traffic we want to truncate. We then set the destination of that traffic to an unused tool port on the switch.

We could cable that interface to a second unused tap port and apply truncation at either the tool port or this new tap port, but this consumes two switchports and requires physical access to the switch.

As an alternative, we can configure the unused interface as a two-way (tap-tool) port and, rather than using a fiber cable to connect the tool side to the tap side, configure a traffic loopback on the port.

Configuration

For this example configuration, we have traffic coming in on Ethernet1, with a capture device running Wireshark connected to Ethernet2. Ethernet48 is unused.

  • First we create a traffic steering policy that matches HTTPS (SSL/TLS on TCP port 443) traffic in both directions and sends it to a specific interface
policy-map type tapagg TAPAGG-STEER
   10 match ip tcp any any eq https set interface Et48
   20 match ip tcp any eq https any set interface Et48
  • We apply the policy to the input interface. Anything that doesn’t match the policy will be placed in the tapagg group named “unclassified”.
interface Ethernet1
   service-policy type tapagg input TAPAGG-STEER
   switchport mode tap
   switchport tap identity 101
   switchport tap default group unclassified
  • The interface for the steered traffic gets the extra configuration for two-way operation and loopback. Truncation is applied on tap ingress, i.e. after the frame is sent out the tool side and looped back in on the tap side. A 100-byte limit keeps the Ethernet, 802.1Q, IPv4 and TCP headers (including TCP options) intact while dropping the TLS record payload. This traffic is placed in the tapagg group “SSL-TRUNCATED”.
interface Ethernet48
   traffic-loopback source system device phy
   switchport mode tap-tool
   switchport tool identity dot1q
   switchport tap truncation 100
   switchport tap default group SSL-TRUNCATED
  • Finally, the tool port connected to our packet capture device is configured to send the “unclassified” and “SSL-TRUNCATED” groups.
interface Ethernet2
   switchport mode tool
   switchport tool identity dot1q
   switchport tool group set SSL-TRUNCATED unclassified

Results

A mix of HTTP and HTTPS traffic is sent from the SPAN source. The original captures show SSL packets of varying sizes.

At the packet capture tool, we see that the HTTPS packets have been truncated while the HTTP packets remain at their original size (plus an additional 4 bytes for the dot1q identity tag).
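A practitioner will want to check the result at the tool rather than trust the configuration, and a size threshold alone is a weak check: a short TLS handshake record is under 100 bytes without ever being truncated. The script below, an added example that is not part of the original post, decodes Ethernet/802.1Q/IPv4/TCP headers and derives "truncated" from the IPv4 total-length field versus the bytes actually captured, then applies the policy described above (HTTPS flows must be at or under the 100-byte limit, everything else must arrive whole). The frames are constructed in the script to stand in for what Ethernet2 would deliver; the tap identity value 101 and the assumption that the tool port's dot1q identity adds one 4-byte tag are taken from the configuration, and the port numbers, addresses and payloads are invented test data.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTPS_PORT = 443
TRUNCATION_LIMIT = 100  # bytes, as in 'switchport tap truncation 100'
DOT1Q_TAG_LEN = 4       # assumption: 'switchport tool identity dot1q' adds one 802.1Q tag


def build_frame(src_port, dst_port, payload, vlan=None):
    """Build an Ethernet/[802.1Q]/IPv4/TCP frame. Constructed test data only."""
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                          5 << 4, 0x18, 65535, 0, 0)          # 20-byte TCP header, PSH+ACK
    ip_total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0,
                         64, IPPROTO_TCP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)      # TCI: PCP/DEI 0, VID = vlan
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + tcp_hdr + payload


def parse_frame(frame):
    """Return dict(vlan, src_port, dst_port, original_len, truncated) or None.

    'truncated' compares the IPv4 total-length field with the bytes present,
    so it detects truncation without knowing the configured limit.
    """
    ethertype, = struct.unpack_from("!H", frame, 12)
    off = 14
    vlan = None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlan, off = tci & 0x0FFF, off + 4
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    ip_total_len, = struct.unpack_from("!H", frame, off + 2)
    if frame[off + 9] != IPPROTO_TCP or len(frame) < off + ihl + 4:
        return None   # not TCP, or cut so short that the ports are gone
    src_port, dst_port = struct.unpack_from("!HH", frame, off + ihl)
    original_len = off + ip_total_len     # L2 header(s) plus the full IP datagram
    return {"vlan": vlan, "src_port": src_port, "dst_port": dst_port,
            "original_len": original_len, "truncated": len(frame) < original_len}


def audit(frames, limit=TRUNCATION_LIMIT):
    """Classify each frame as https/other and check it against the expected policy."""
    results = []
    for frame in frames:
        p = parse_frame(frame)
        if p is None:
            results.append({"kind": "unparsed", "len": len(frame), "ok": False})
            continue
        is_https = HTTPS_PORT in (p["src_port"], p["dst_port"])
        if is_https:
            # steered flows: never longer than the limit plus the tool port's dot1q tag
            ok = len(frame) <= limit + DOT1Q_TAG_LEN
        else:
            # unclassified flows: the whole IP datagram must be present
            ok = not p["truncated"]
        results.append({"kind": "https" if is_https else "other", "vlan": p["vlan"],
                        "len": len(frame), "truncated": p["truncated"], "ok": ok})
    return results


def sample_tool_port_frames():
    """Simulated frames as Ethernet2 would deliver them: tagged with tap identity
    101, with the large HTTPS frame cut to TRUNCATION_LIMIT bytes (constructed)."""
    http_req = build_frame(40000, 80, b"GET / HTTP/1.1\r\nHost: x\r\n" + b"A" * 300, vlan=101)
    https_big = build_frame(40001, 443, b"\x17\x03\x03" + b"\x00" * 600, vlan=101)[:TRUNCATION_LIMIT]
    https_small = build_frame(443, 40001, b"\x16\x03\x03\x00\x05" + b"\x00" * 5, vlan=101)
    return [http_req, https_big, https_small]


if __name__ == "__main__":
    for r in audit(sample_tool_port_frames()):
        print(r)
```

To run the same check against a real capture from Ethernet2, feed `audit()` the raw frames read from the pcap (any pcap reader that yields frame bytes will do) and look for entries with `ok` false: an untruncated HTTPS frame means the steering policy missed it, and a truncated non-HTTPS frame means truncation is being applied more widely than intended.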

Summary

Combining traffic steering with a two-way port and a traffic loopback allows us to selectively truncate traffic, giving header-only analysis for some flows and full-payload analysis for others, as required, on a per-flow basis.
