Selective Packet Truncation in Tap Aggregation
Packet truncation in tap aggregation mode allows tapped traffic to be cut down to a fixed maximum size before it is forwarded to the tool port. It reduces the volume of traffic delivered to analysis devices when only the headers are of interest and the payload is irrelevant or, for practical or legal reasons, must not be captured at all.
Truncation is configured on either a tap port or a tool port, so it applies to all traffic arriving from that source or all traffic sent to that tool. In practice it is often desirable to truncate only a subset of the traffic. For example, if a tap port receives both encrypted and plaintext traffic, the plaintext data may need to be captured in full while the encrypted payload is discarded to save resources on the connected tools. Note that the switch cannot tell encrypted from plaintext by inspection; the selection has to be expressed as a header match (here, TCP port 443), so encrypted traffic on other ports is not caught.
Traffic steering on the tap port lets us select the traffic we want to truncate and set its destination to an otherwise unused tool port on the switch.
That port could be cabled to a second unused tap port, with truncation applied on either end of the cable, but this consumes two switchports and requires physical access to the switch. Instead, the port is configured as a two-way tap-tool port with an internal traffic loopback, so the steered traffic is re-ingested on the same port and truncated there.
In this example configuration, traffic arrives on Ethernet1, a capture device running Wireshark is connected to Ethernet2, and Ethernet48 is unused.
- First we create a traffic steering policy that matches HTTPS (TCP port 443) traffic in both directions and sends it to a specific interface. Sequence 10 matches a destination port of 443, sequence 20 a source port of 443; the lowest matching sequence wins.
   policy-map type tapagg TAPAGG-STEER
      10 match ip tcp any any eq https
         set interface Et48
      20 match ip tcp any eq https any
         set interface Et48
- We apply the policy to the input interface. Anything that doesn't match the policy is placed in the tapagg group named "unclassified".
   interface Ethernet1
      service-policy type tapagg input TAPAGG-STEER
      switchport mode tap
      switchport tap identity 101
      switchport tap default group unclassified
- The interface receiving the steered traffic gets the extra configuration for two-way (tap-tool) mode and an internal loopback. Truncation is applied on its tap side, i.e. after the traffic is sent "out" the tool side and looped back in as tap ingress. This traffic is placed in the tapagg group "SSL-TRUNCATED".
   interface Ethernet48
      traffic-loopback source system device phy
      switchport mode tap-tool
      switchport tool identity dot1q
      switchport tap truncation 100
      switchport tap default group SSL-TRUNCATED
- Finally, the tool port connected to our packet capture device is configured to deliver both the "unclassified" and "SSL-TRUNCATED" groups.
   interface Ethernet2
      switchport mode tool
      switchport tool identity dot1q
      switchport tool group set SSL-TRUNCATED unclassified
A mix of HTTP and HTTPS traffic is sent from the SPAN source. The original captures show HTTPS packets of varying sizes.
At the packet capture tool, the HTTPS packets have been truncated while the HTTP packets retain their original size (plus 4 bytes for the dot1q identity tag added on the tool port).
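To make the expected frame sizes at the tool port checkable without a switch, here is a small software model of the pipeline above. It is an added example and not code from the original page or from Arista: it builds constructed Ethernet/IPv4/TCP frames, applies the same two steering rules as TAPAGG-STEER (TCP/443 in either direction goes to the truncating path, everything else stays "unclassified"), truncates the steered frames to 100 bytes and adds the 4-byte dot1q identity tag. It assumes the truncation length counts the untagged frame and that the tool port adds exactly one tag; the MAC addresses, IP addresses, ports and payloads are made up.

```python
import struct

# Added example, not Arista code: a software model of the selective-truncation
# pipeline (steer HTTPS to a truncating path, pass everything else untouched).
# Assumptions: truncation counts the untagged frame and the tool port inserts
# exactly one 802.1Q tag; real hardware ordering may differ.

ETH_HDR, IPV4_HDR, TCP_HDR, DOT1Q_TAG = 14, 20, 20, 4
HTTPS = 443
TRUNCATION = 100        # switchport tap truncation 100
IDENTITY_VLAN = 101     # switchport tap identity 101 on Ethernet1

# Policy-map rows: (sequence, predicate on (src_port, dst_port), destination)
#   10 match ip tcp any any eq https  -> destination port 443
#   20 match ip tcp any eq https any  -> source port 443
POLICY = [
    (10, lambda sp, dp: dp == HTTPS, "Et48"),
    (20, lambda sp, dp: sp == HTTPS, "Et48"),
]


def build_frame(src_port, dst_port, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample input;
    checksums are left at zero because nothing here validates them)."""
    eth = bytes.fromhex("001c73000002") + bytes.fromhex("001c73000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + TCP_HDR + len(payload),
                     0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def tcp_ports(frame):
    """Return (src_port, dst_port) for an untagged IPv4/TCP frame, else None."""
    if len(frame) < ETH_HDR + IPV4_HDR or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    if frame[ETH_HDR + 9] != 6 or len(frame) < ETH_HDR + ihl + 4:
        return None
    return struct.unpack("!HH", frame[ETH_HDR + ihl:ETH_HDR + ihl + 4])


def steer(frame):
    """Emulate the tapagg policy on Ethernet1: the lowest matching sequence
    wins; anything unmatched stays in the default group 'unclassified'."""
    ports = tcp_ports(frame)
    if ports is not None:
        for _seq, match, dest in sorted(POLICY, key=lambda row: row[0]):
            if match(*ports):
                return dest
    return "unclassified"


def add_identity_tag(frame, vid):
    """Insert an 802.1Q tag after the MAC addresses (switchport tool identity dot1q)."""
    return frame[:12] + struct.pack("!HH", 0x8100, vid) + frame[12:]


def tool_output(frames):
    """Return (group, frame) pairs as the capture device on Ethernet2 sees them."""
    out = []
    for frame in frames:
        if steer(frame) == "Et48":
            # Sent out the tool side of Ethernet48, looped back to its tap side,
            # truncated there and placed in group SSL-TRUNCATED.
            frame, group = frame[:TRUNCATION], "SSL-TRUNCATED"
        else:
            group = "unclassified"
        out.append((group, add_identity_tag(frame, IDENTITY_VLAN)))
    return out


def payload_bytes_exposed(truncation=TRUNCATION):
    """Bytes of TCP payload that survive truncation behind a plain
    Ethernet/IPv4/TCP header stack with no options. Worth checking when the
    payload is dropped for legal reasons rather than just for volume."""
    return max(0, truncation - (ETH_HDR + IPV4_HDR + TCP_HDR))


def sample_traffic():
    """Constructed mix of HTTP and HTTPS frames, like the test described above."""
    return [
        build_frame(52001, 80, b"GET / HTTP/1.1\r\n" + b"A" * 1184),  # 1254-byte HTTP request
        build_frame(443, 52002, b"\x17\x03\x03" + b"B" * 1397),     # 1454-byte frame carrying a TLS record
        build_frame(52002, 443, b"\x17\x03\x03" + b"C" * 17),       # 74-byte HTTPS frame, already under 100
    ]


if __name__ == "__main__":
    for group, frame in tool_output(sample_traffic()):
        print(f"{group:14} {len(frame):5d} bytes")
    print(f"payload bytes surviving truncation: {payload_bytes_exposed()}")
```

Running the model reproduces the observation: the HTTP frame comes out 4 bytes larger than it went in, the large HTTPS frame is cut to 100 bytes plus the tag, and the small HTTPS frame is passed through untouched (truncation never pads). The last function makes the sizing caveat explicit: with a 100-byte limit and no IP or TCP options, the first 46 bytes of each HTTPS payload still reach the tool.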
Combining traffic steering with a two-way port and a traffic loopback allows us to truncate traffic selectively, giving header-only analysis for some flows and full-payload analysis for others on a per-flow basis. Choose the truncation length with the header stack in mind: 100 bytes comfortably covers a 14-byte Ethernet, 20-byte IPv4 and 20-byte TCP header, but whatever follows the headers within that limit, such as the start of a TLS record, still reaches the tool.