How to trim packets
Packet trimming is the solution any time the size of egress packets, rather than their volume or type, must be controlled. Use packet trimming to set the maximum number of bytes per packet to forward to analysis tools.
These steps require that at least one rule exists in your rules library. You can create a new rule if necessary.
Some benefits of packet trimming with the Matrix include:
Lowering link utilization between tool ports and tools
Removing sensitive payload from further analysis
Extending the effective storage space of a protocol analyzer
To enable packet trimming in a rule:
1. Starting in the dashboard, click Rules.
The rules and filters designer appears, where rules and filters can be created and edited.
2. Ensure the Rules tab is selected.
3. Click a rule from the list.
The rule opens and is ready to edit.
4. Select Packet Trim.
If selected, packets larger than the Trim Length value are truncated to that length. Packets smaller than the Trim Length value are unchanged.
5. In the Trim Length list, click a trim length.
Only the first N bytes of each ingress packet are forwarded to tool ports, where N is the selected trim length. A new 4-byte CRC value is affixed to each trimmed packet. Valid values are: 64, 128, 192, 256, 384, and 512.
6. Click Save.
You successfully enabled packet trimming in a rule. Connecting this rule between network and tool ports causes ingress packets to be trimmed, if necessary, before being forwarded to analysis tools.
Understanding packet trimming
Packet trimming limits the size of egress packets to no larger than a set value. Packets larger than the set value are reduced in size before being sent to analysis tools.
Use packet trimming to improve the performance of analysis tools. Forwarding only the first 64 bytes of each packet (for example) to a protocol analyzer tool can greatly extend how many calendar days of data it retains. Remember that trimming is lossy: the bytes beyond the trim length are removed and are not available to the tool. Therefore, a good practice is to apply packet trimming only to packets that first meet other criteria, such as traffic from specific protocols or subnets. Accomplish this by creating a filter to isolate the traffic that should be trimmed.
Packet trimming can lower the link utilization of tool ports. This becomes important when using speed conversion to connect slower-speed analysis tools to a faster network. Consider this example: a 10 Gb network port utilizing 20% of its bandwidth is transferring approximately 2 Gigabits per second of unfiltered traffic. The 2 Gbps throughput is too fast for a single 1 Gb tool port to egress, so oversubscription occurs and packets are dropped. In such a scenario, try using packet trimming to lower the tool port utilization enough that packets do not drop. Other solutions for lowering tool port link utilization include load balancing and filtering, and any of these solutions can be used together or separately.
Packet trimming can increase security and privacy by removing sensitive payload from analysis. Sensitive payloads might include financial or medical information, trade secrets or intellectual property, and more. With packet trimming, the sensitive data can effectively be reduced or altogether removed before it is forwarded.
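The following added example (not from the original page or the product vendor) shows why a fixed trim length does not by itself guarantee that payload is removed: it parses a constructed Ethernet/IPv4/TCP frame to find where the payload starts and reports how many payload bytes each valid Trim Length would still forward. It assumes the trim length is counted from the first byte of the Ethernet header; the frames, addresses, and function names are constructed for illustration.

```python
import struct

VALID_TRIM_LENGTHS = (64, 128, 192, 256, 384, 512)  # Trim Length values listed on the page

def payload_offset(frame: bytes) -> int:
    """Offset of the first TCP/UDP payload byte in an Ethernet/IPv4 frame."""
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    while ethertype in (0x8100, 0x88A8):           # skip 802.1Q / 802.1ad VLAN tags
        off += 4
        (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype != 0x0800:
        raise ValueError("only IPv4 is handled here")
    if struct.unpack_from("!H", frame, off + 6)[0] & 0x1FFF:
        raise ValueError("non-first IP fragment: no L4 header to skip")
    proto = frame[off + 9]
    off += (frame[off] & 0x0F) * 4                 # IHL counts 32-bit words, options included
    if proto == 6:                                 # TCP data offset also covers TCP options
        return off + (frame[off + 12] >> 4) * 4
    if proto == 17:                                # UDP header is a fixed 8 bytes
        return off + 8
    raise ValueError("only TCP and UDP are handled here")

def exposed_payload(frame: bytes, trim_len: int) -> bytes:
    """Payload bytes still present after the frame is cut to its first trim_len bytes."""
    if trim_len not in VALID_TRIM_LENGTHS:
        raise ValueError(f"unsupported trim length: {trim_len}")
    return frame[payload_offset(frame):trim_len]   # empty when headers fill the whole trim

def exposure_table(frame: bytes) -> dict:
    """Map each valid trim length to the number of payload bytes it lets through."""
    return {n: len(exposed_payload(frame, n)) for n in VALID_TRIM_LENGTHS}

def build_frame(payload: bytes, vlan: bool = False, tcp_options: bytes = b"") -> bytes:
    """Constructed sample frame (checksums left at zero; they are not parsed)."""
    eth = b"\x02" * 12 + (b"\x81\x00\x00\x64" if vlan else b"") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 1,
                      (5 + len(tcp_options) // 4) << 4, 0x18, 65535, 0, 0) + tcp_options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + tcp + payload

SAMPLE_PAYLOAD = b"account=12345678;" * 40          # constructed stand-in for sensitive data
PLAIN = build_frame(SAMPLE_PAYLOAD)                  # 14 + 20 + 20 bytes of headers
TAGGED = build_frame(SAMPLE_PAYLOAD, True, b"\x01\x01\x08\x0a" + bytes(8))  # 18 + 20 + 32
if __name__ == "__main__":
    for name, frame in (("plain", PLAIN), ("vlan+tcp-options", TAGGED)):
        print(name, payload_offset(frame), exposure_table(frame))
```

With 54 bytes of headers, a 64-byte trim still forwards the first 10 payload bytes, while the VLAN-tagged frame with TCP options forwards none at the same setting. Check the header stack of the filtered traffic before relying on a given trim length to remove sensitive payload.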
Avoid packet trimming when tools need full payloads to operate efficiently. Packet payload is the data below any encapsulation and headers. Some of your tools may need full packet payloads to perform stream reconstruction, network forensics, and advanced analysis—especially when tools investigate layers 5-7 of the OSI model.