Port-Mirroring and Duplicated Packets
05 Oct 2021

Introduction

The configuration of a port-mirroring session must follow some specific rules and standards. The main goals of a port-mirroring session are to:

  • Gain insight into the highest number of flows, which are seen as strategic by the IT manager, and
  • Ensure that all collected flows are appropriately analyzed.

It is crucial to ensure that as few flows as possible are duplicated on the capture interfaces.

Detail

The PVX solution can handle any level of traffic duplication (packets received in excess are dropped). This, however, comes at a significant cost in performance. There are two main rules:

  • Basic port-mirroring sessions, also called 1-to-1 port-mirroring sessions. This configuration does not generate duplicated packets. However, increasing the number of 1-to-1 port-mirroring sessions can produce this phenomenon.

Figure: “1-to-1” port-mirroring session

  • Multiple port-mirroring sessions, also called N-to-1 port-mirroring sessions. In this configuration, duplicated packets can occur.

Figure: “N-to-1” port mirroring

CAUTION:

  • Depending on the number of listening points in a multi-switch setup, this phenomenon can occur even when only 1-to-1 port-mirroring sessions are used.
  • A VLAN is a set of ports; mirroring a VLAN is therefore an N-to-1 port-mirroring session.

Some examples of duplicated packets / non-duplicated packets

In a standard port-mirroring configuration (N-to-1), it is highly likely that some of the packets transmitted to the appliance are duplicates. In the following example, mirroring both the IN traffic and the OUT traffic of the switch means that the appliance receives the same traffic twice:

Figure: Example with duplicated packets

By listening only to the IN traffic (or only to the OUT traffic) on the Ethernet ports concerned, each flow between the client and the server is transmitted to the appliance once, which avoids duplicated packets:

Figure: Example without duplicated packets


Note: In an N-to-1 port-mirroring session, the total bandwidth of the mirror's “source” Ethernet ports should not exceed the maximum bandwidth of the mirror's “destination” Ethernet ports.

Removal of Duplicated Packets

The SkyLIGHT PVX system detects and controls duplicated packets on all listening ports and removes them. However, in some cases, duplicated packets can be confused with retransmitted packets.

It is therefore crucial to minimize the duplicated-packet rate (or at least to arrange the mirroring so that each duplicate follows its original as closely as possible). To help reach a low duplicated-packet rate, the appliance reports the duplicated-packet rate through the Pulsar command:

Figure: Information on the duplicated-packet rate in Pulsar. Here, on average, 3.35% of the traffic is duplicated on interface eth3.

Deduplication Algorithm

The sniffer usually receives frames from multiple locations on the network, so it can be cumbersome (if not impossible) to avoid the same frames being mirrored several times towards the probe. Deduplication is the process of selectively ignoring packets that are artificial duplicates created by the network infrastructure. On the other hand, automatic deduplication makes it harder to find out whether duplicates were present in the network in the first place.

The sniffer detects and drops duplicate frames based on a digest of selected parts of their headers and payload. The Maximum duplicate delay, i.e. how long the sniffer remembers these digests, is configurable from the Nodes Management page.

The sniffer takes the following information from the packet's headers into account (if present):

  • From Ethernet, the VLAN, unless Ignore VLAN tags is set in the Nodes Management page
  • From IP, the addresses and the transported protocol
  • From UDP, everything
  • From TCP, the flags, ports, sequence and acknowledgement numbers, the window, etc.

We deliberately ignore MAC addresses, the IP TTL, ToS, options and checksum, TCP options and similar fields, as they may be altered by network equipment along the path (for example, after passing through routers). Along the way, we also decapsulate possible tunnels, such as GRE.

Once the sniffer no longer recognizes the next protocol as a transport protocol, it treats the rest of the packet as the inner payload to be digested.

Note that TCP duplicate acknowledgements may themselves be deduplicated, since their headers are identical and they carry no payload. Tuning the default delay of 100 ms may help report a more accurate number.
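The following is an added illustration of the digest-and-remember scheme described in this section; it is not the Skylight PVX sniffer's code. It assumes packets already parsed into a plain dict of header fields (a constructed model), digests only the stable fields listed above, forgets digests after the 100 ms default delay, and shows both the routed IN/OUT copy being dropped and the duplicate-ACK side effect mentioned in the last paragraph.

```python
import hashlib
from collections import OrderedDict

# Constructed packet model: a dict of already-parsed header fields. This is an
# assumption for illustration, not the sniffer's internal representation.


def packet_digest(pkt, ignore_vlan=False):
    """Digest the stable header parts plus payload, following the article's list:
    VLAN (unless ignored), IP addresses and protocol, all of UDP, TCP flags,
    ports, seq/ack numbers and window, then the payload. MAC addresses, TTL,
    ToS, options and checksums are deliberately never read."""
    parts = [] if ignore_vlan else [("vlan", pkt.get("vlan"))]
    parts += [(f, pkt[f]) for f in ("src", "dst", "proto")]
    if pkt["proto"] == "tcp":
        parts += [(f, pkt[f]) for f in ("sport", "dport", "flags", "seq", "ack", "window")]
    elif pkt["proto"] == "udp":
        parts += [(f, pkt[f]) for f in ("sport", "dport", "length")]
    parts.append(("payload", pkt.get("payload", b"")))
    return hashlib.sha256(repr(parts).encode()).hexdigest()


class Deduplicator:
    """Drop a frame if its digest was seen within max_delay seconds (default 100 ms)."""

    def __init__(self, max_delay=0.100, ignore_vlan=False):
        self.max_delay, self.ignore_vlan = max_delay, ignore_vlan
        self.seen = OrderedDict()  # digest -> timestamp of first sighting, oldest first

    def accept(self, pkt, now):
        # Forget digests older than the maximum duplicate delay.
        while self.seen and now - next(iter(self.seen.values())) > self.max_delay:
            self.seen.popitem(last=False)
        digest = packet_digest(pkt, self.ignore_vlan)
        if digest in self.seen:
            return False  # artificial duplicate: drop
        self.seen[digest] = now
        return True


def demo():
    """Accept/drop decisions for a constructed mirror sequence (timestamps in seconds)."""
    dd = Deduplicator()
    seg = dict(vlan=10, src="10.0.0.1", dst="10.0.0.2", proto="tcp", sport=40000,
               dport=80, flags="PA", seq=1000, ack=1, window=65535, payload=b"GET / HTTP/1.1\r\n")
    copy_in = dict(seg, ttl=64, src_mac="aa:aa:aa:aa:aa:01")    # copy mirrored from the IN port
    copy_out = dict(seg, ttl=63, src_mac="aa:aa:aa:aa:aa:02")   # same segment after routing, OUT port
    retrans = dict(seg, ttl=64)                                 # real retransmission 250 ms later
    ack = dict(src="10.0.0.2", dst="10.0.0.1", proto="tcp", sport=80, dport=40000,
               flags="A", seq=1, ack=1000, window=65535, payload=b"")  # identical dup ACKs, 5 ms apart
    return [dd.accept(copy_in, 0.000), dd.accept(copy_out, 0.002), dd.accept(retrans, 0.250),
            dd.accept(ack, 0.300), dd.accept(ack, 0.305)]  # -> [True, False, True, True, False]
```

The retransmission is kept only because it arrives beyond the delay window, and the second genuine duplicate ACK is dropped because nothing in the digested fields distinguishes it; this is why the delay is worth tuning per site.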

© 2024 Accedian Networks Inc. All rights reserved. Accedian®, Accedian Networks®,  the Accedian logo™, Skylight™, Skylight Interceptor™ and per-packet intel™, are trademarks or registered trademarks of Accedian Networks Inc. To view a list of Accedian trademarks visit: http://accedian.com/legal/trademarks/. 