Login
    Contents x
    Supported Protocols
    • 21 Mar 2022
    • 2 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    • PDF
    Contents

    Supported Protocols

    • Updated on 21 Mar 2022
    • 2 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    • PDF
    Article Summary

    The capture: sensor sniffer can detect all Ethernet packets even if those packets have a VLAN tag in their Ethernet header. SkyLIGHT capture: sensor also accepts both IPv4 and IPv6 protocols.

    Note: Non-Ethernet flows are invisible in the capture: sensor solution.

    Non-IP Protocols

    If the Ethernet protocol is not an IP protocol, it will appear in the Non IP submenu. These data will not appear elsewhere.

    IP Protocols

    IPv4 and IPv6 are both captured and split in four Level 3/4 protocols: TCP, UDP, ICMP and OtherIP.

    Some of these data are duplicated in other specialised categories: Web, VoIP, DNS to display more specific metrics.

    Limitations

    If the rate of incoming packets exceeds the rate at which the sniffer can parse the traffic for too long, then some packets may be dropped by the Linux kernel. These packets won’t get accounted for in the GUI.

    As a real-time protocol analyzer, the sniffer is also limited in what protocols it supports and how deep it inspects packets. Here is a quick overview of the most obvious limitations:

    • Ethernet parser supports Linux cooked capture extension (used when capturing on “any” interfaces) and 802.1q VLAN tags. All other Ethernet extensions are ignored.
    • ARP parser knows only Ethernet and IP addresses.
    • DNS parser supports MDNS, NBNS and LLMNR to the extent where these protocols mimic legacy DNS (with the exception that it can unscramble NetBios encoded names).
    • FTP connection tracking merely looks for EPSV, PASV or PORT commands in the TCP stream without much care for the actual protocol.
    • TCP options are ignored.
    • PostgreSQL parser only supports protocol version 3.0 and MySQL parser only supports protocol version 10. This should cover most of the installed bases, though.
    • TNS parser (for Oracle databases) was roughly reverse-engineered from various sources, especially the Wireshark source code. Thus, it should not be expected to understand all messages in all situations.
    • SIP parser implements no proprietary extensions, however prevalent.
    • As there is no concept of connections for UDP, UDP conversations are ended after a timeout period of two minutes without any packet in any direction. This might not match the underlying protocol.
    • VoIP dialogs are identified by their call-ID only, which implies that if the sniffer listens to various independent SIP proxies or servers, then call-ID collisions cannot be ruled out (this choice was made because it proved useful in practice).

    © 2024 Accedian Networks Inc. All rights reserved. Accedian®, Accedian Networks®,  the Accedian logo™, Skylight™, Skylight Interceptor™ and per-packet intel™, are trademarks or registered trademarks of Accedian Networks Inc. To view a list of Accedian trademarks visit: http://accedian.com/legal/trademarks/. 

    Was this article helpful?
    What's Next
    Get In Touch
    Learn
    About Us
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout