Packet Trimming and Protocol Stripping - The ABCs of Network Visibility
2020-05-01
Another concept important to achieving network visibility is packet trimming and protocol stripping, sometimes called “packet grooming.” A strong visibility engine is more than just a window to traffic flow; it also actively isolates key information for further action. Grooming removes unnecessary information and prepares packets for faster processing by security and monitoring tools. I liken packet grooming to the prep work done by the sous chef in a busy kitchen. Everything is geared to making the head chef super-efficient and to serving the meals as quickly as possible.
In the network world, sophisticated security and monitoring tools are the valued resource. IT departments make large investments in tools and count on them to protect the organization from outside threats and secure assets from unauthorized access. It makes sense to help the tools perform at maximum potential and earn a solid return on investment. If you haven’t yet deployed packet grooming techniques, you’re in for a pleasant surprise, as they can significantly offload tools that are struggling to keep up with growing traffic volume. With less congestion, your tools are less likely to become overloaded and drop packets. The kitchen analogy holds up: paying a skilled sous chef costs less than hiring a second executive chef and lets the restaurant serve a larger number of diners without putting quality at risk.
Packet trimming refers to the removal of a portion of an IP packet prior to forwarding it on at line rate to security appliances or monitoring tools. Many of the tools that inspect and analyze network traffic do not actually need the payload of a packet, only information about the packet: where it came from, what headers are attached, where it’s going. This ‘metadata’ can uncover misconfigurations, policy abuses, and security threats. If it’s the metadata that’s really important, sending the complete data stream to each monitoring tool effectively lowers its performance, because the tool uses up valuable processing cycles sorting through traffic to find the data it needs. That’s where packet trimming comes in.
How is it done?
There are network switches that can perform packet trimming, but they generally require you to create a custom rule to limit the length of packets they forward to some set value. Because the cut point is a fixed length rather than something derived from each packet, that can inadvertently cut out critical data. If you want a different length for another type of packet, you would need to create a new rule to isolate the specific type of packet and another rule to trim the packet at a different point. But just because something can be done with a particular technology doesn’t mean that is the most efficient way to do it. Back to the kitchen for a second: imagine you need to thinly slice 10 pounds of potatoes for a casserole. You COULD do it by hand with a chef’s knife, but it’s so much easier to use a slicing tool designed to easily create slices of consistent thickness.
With network packets, if you use a visibility engine with the intelligence to isolate packet metadata from packet payload, you can be sure you are removing only the portion that is unnecessary. Ixia, through its acquisition of Anue in 2012, has been providing network packet brokers with packet trimming for many years and has found trimming can reduce average frame length by up to 75%. Another advantage of Ixia packet brokers is that trimming rules are easily updated from a remote graphical user interface with drag-and-drop functionality. No coding is required.
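To make the difference between a fixed-length rule and header-aware trimming concrete, here is an added example (not Ixia code, and not from the original article) that trims at the end of the parsed headers and compares the result with a fixed 54-byte cut. It assumes Ethernet with optional VLAN tags carrying IPv4 with TCP or UDP; the function names and sample frames are constructed for illustration.

```python
import struct

def headers_end(frame: bytes) -> int:
    """Offset where the L4 payload starts in Ethernet/[VLAN]/IPv4/TCP|UDP.
    Anything unrecognised or truncated returns len(frame): leave it untrimmed."""
    if len(frame) < 14:
        return len(frame)
    (etype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    while etype in (0x8100, 0x88A8) and len(frame) >= off + 4:  # VLAN tags
        (etype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    if etype != 0x0800 or len(frame) < off + 20 or (frame[off] & 0x0F) < 5:
        return len(frame)
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    frag_off = struct.unpack_from("!H", frame, off + 6)[0] & 0x1FFF
    l4, end = off + ihl, len(frame)
    if frag_off:                                   # later fragment: no L4 header
        end = l4
    elif proto == 6 and len(frame) >= l4 + 20:     # TCP: data offset covers options
        doff = (frame[l4 + 12] >> 4) * 4
        end = l4 + doff if doff >= 20 else end
    elif proto == 17 and len(frame) >= l4 + 8:     # UDP: fixed 8-byte header
        end = l4 + 8
    return min(end, len(frame))

def trim_aware(frame: bytes) -> bytes:
    return frame[:headers_end(frame)]

def trim_fixed(frame: bytes, length: int) -> bytes:
    return frame[:length]

# Constructed sample frames (not captured traffic).
def build(vlan: bool, proto: int, l4hdr: bytes, payload: bytes) -> bytes:
    eth = bytes(12) + (b"\x81\x00\x00\x64" if vlan else b"") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4hdr) + len(payload),
                     0, 0, 64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return eth + ip + l4hdr + payload

PAYLOAD = b"SENSITIVE-RECORD " * 8
TCP_HDR = (struct.pack("!HHIIBBHHH", 50000, 443, 1, 1, 0x80, 0x18, 1024, 0, 0)
           + b"\x01\x01\x08\x0a" + bytes(8))       # 20 bytes + 12 bytes of options
UDP_HDR = struct.pack("!HHHH", 50000, 53, 8 + len(PAYLOAD), 0)
TCP_FRAME = build(True, 6, TCP_HDR, PAYLOAD)
UDP_FRAME = build(False, 17, UDP_HDR, PAYLOAD)

if __name__ == "__main__":
    for f in (TCP_FRAME, UDP_FRAME):
        print(len(f), len(trim_fixed(f, 54)), len(trim_aware(f)))
```

On these constructed frames the fixed 54-byte cut removes the last 16 bytes of the TCP header from the VLAN-tagged frame and leaves 12 bytes of payload in the UDP frame, while the header-aware trim stops exactly at the end of the headers in both.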
Benefits of packet trimming
What impact does packet trimming have? Here is a list of benefits noted by Ixia customers who’ve activated this feature in their network packet broker:
- Prevent packet loss: Reducing congestion keeps tools from becoming overwhelmed and dropping packets.
- Increase quality of experience: Some types of traffic, multimedia for instance, are particularly susceptible to congestion and packet delay. By reducing congestion, packet trimming can improve the delivery and quality of video traffic.
- Delay/eliminate CAPEX: Reducing a tool’s workload can eliminate the need to add a second device to keep up with increasing traffic volume.
- Compliance/protect sensitive data: For monitoring devices that receive copies of network traffic, a packet broker can remove the payload to ensure copies of sensitive data are not created.
Closely related to packet trimming is the stripping of protocol labels or headers that were added to help the packet reach its destination but are not needed by security and monitoring tools. In addition to adding overhead to the packet size, the presence of certain protocols can restrict or limit the ability to apply filtering and load balancing to traffic as it is being forwarded. Other protocols may actually prevent a tool from accessing the information it needs. There’s a kitchen analogy here too. The cardboard carton and natural shell make it possible to transport eggs from the hen to the kitchen, but both must be removed, and the egg white filtered out, before the yolk is available to create a hollandaise sauce.
Protocols that can present challenges to security and monitoring tools include:
- Generic Routing Encapsulation (GRE)
- GPRS Tunneling Protocol (GTP), where GPRS stands for General Packet Radio Service
- Multiprotocol Label Switching (MPLS)
- VLAN (Virtual Local Area Network) and the extensible version, VXLAN
How is it done?
As with packet trimming, a visibility engine that can identify and remove specific headers using preset rules is a highly efficient way to expose the traffic data your tools need. Ixia packet brokers are shipped with the ability to automatically detect and remove a dozen different protocol headers.
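The following added example (not Ixia code, and not from the original article) shows what header stripping does to a frame for three of the protocols listed above: it removes VLAN tags and MPLS labels and unwraps VXLAN until a plain Ethernet frame remains. It assumes IPv4 outer headers and the standard VXLAN UDP port 4789; the function name and sample frames are constructed for illustration.

```python
import struct

def strip_headers(frame: bytes) -> bytes:
    """Remove VLAN tags and MPLS labels and unwrap VXLAN, repeating until a
    plain Ethernet frame is left. Unknown or truncated input is returned as-is."""
    while len(frame) >= 14:
        macs = frame[:12]
        (etype,) = struct.unpack_from("!H", frame, 12)
        if etype in (0x8100, 0x88A8) and len(frame) >= 18:   # 802.1Q / 802.1ad
            frame = macs + frame[16:]                        # drop TPID + TCI
            continue
        if etype == 0x8847:                                  # MPLS unicast
            off = 14
            while len(frame) >= off + 4 and not frame[off + 2] & 0x01:
                off += 4                                     # not bottom of stack
            off += 4                                         # skip bottom entry
            if len(frame) <= off:
                return frame
            # MPLS has no next-protocol field: infer it from the IP version nibble.
            inner = {4: 0x0800, 6: 0x86DD}.get(frame[off] >> 4)
            if inner is None:
                return frame
            frame = macs + struct.pack("!H", inner) + frame[off:]
            continue
        if etype == 0x0800 and len(frame) >= 34 and frame[23] == 17:  # IPv4 + UDP
            l4 = 14 + (frame[14] & 0x0F) * 4
            if len(frame) >= l4 + 16 + 14:
                (dport,) = struct.unpack_from("!H", frame, l4 + 2)
                if dport == 4789 and frame[l4 + 8] & 0x08:   # VXLAN, VNI flag set
                    frame = frame[l4 + 16:]                  # inner Ethernet frame
                    continue
        return frame
    return frame

# Constructed sample frames (not captured traffic).
INNER_IP = bytes([0x45]) + bytes(8) + bytes([6]) + bytes(10) + b"tcp-segment"
PLAIN = b"\x02" * 12 + b"\x08\x00" + INNER_IP
MPLS = b"\x00\x01\x00\x40" + b"\x00\x02\x01\x40"      # labels 16 and 32 (bottom)
TAGGED = PLAIN[:12] + b"\x81\x00\x00\x64" + b"\x88\x47" + MPLS + INNER_IP
OUTER_IP = bytes([0x45]) + bytes(8) + bytes([17]) + bytes(10)
UDP = struct.pack("!HHHH", 49152, 4789, 16 + len(TAGGED), 0)
VXLAN_HDR = b"\x08\x00\x00\x00" + (5001).to_bytes(3, "big") + b"\x00"
VXLAN = b"\x04" * 12 + b"\x08\x00" + OUTER_IP + UDP + VXLAN_HDR + TAGGED

if __name__ == "__main__":
    for name, f in (("vlan+mpls", TAGGED), ("vxlan", VXLAN)):
        print(name, len(f), "->", len(strip_headers(f)), strip_headers(f) == PLAIN)
```

Stripping discards the VLAN ID, MPLS labels and VXLAN network identifier, so a tool that must attribute traffic to a particular segment needs that information recorded before the headers are removed.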
Benefits of protocol stripping
In addition to the benefits associated with basic trimming, stripping also helps:
- Use a wider variety of monitoring tools: Packets are frequently wrapped with various protocols (or headers) in order to enable transmission across an Ethernet network or for security purposes. Stripping away the header or headers enables the packet to be analyzed by tools that do not understand these overlay protocols.
- Increase tool efficiency: Using a network packet broker to identify traffic specifically by protocol type enables only the most relevant traffic to be processed through each tool, increasing overall tool efficiency.
- Accelerate traffic analysis and problem resolution: Protocol awareness is required to accurately identify traffic and assign it to the right monitoring and analytic tools.
Visibility solutions that include packet trimming and protocol stripping will enable your security and monitoring tools to process data more efficiently, saving you time and money. Look for high-performance packet processors, like the Ixia Vision portfolio, that perform these functions, along with deduplication and advanced filtering, at line rate speed.