The capture: sensor sniffer can detect all Ethernet packets even if those packets have a VLAN tag in their Ethernet header. SkyLIGHT capture: sensor also accepts both IPv4 and IPv6 protocols.
Note: Non-Ethernet flows are invisible in the capture: sensor solution.
Non-IP Protocols
If the Ethernet protocol is not an IP protocol, it will appear in the Non IP submenu. These data will not appear elsewhere.
IP Protocols
IPv4 and IPv6 are both captured and split into four Layer 3/4 protocol categories: TCP, UDP, ICMP and OtherIP.
Some of this traffic is also counted in specialised categories (Web, VoIP, DNS) that display more specific metrics.
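The top-level split described above (Non IP versus the four IP buckets, with 802.1Q tags transparently stripped as the capture: sensor does) can be shown on raw frames. The following is an added example written for this page, not the sensor's own code: a small classifier that walks the Ethernet header, pops any number of stacked 0x8100 tags (one more than the single tag the page mentions), and maps the IPv4 Protocol or IPv6 Next Header field to TCP, UDP, ICMP or OtherIP. The sample frames are constructed inline; function and constant names are ours.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# EtherType values (IEEE-assigned constants)
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_ARP = 0x0806

# IANA protocol numbers found in the IPv4 Protocol / IPv6 Next Header field
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ICMPV6 = 58


@dataclass
class Classification:
    category: str               # "TCP", "UDP", "ICMP", "OtherIP" or "NonIP"
    ethertype: int              # EtherType left after the 802.1Q tags are stripped
    ip_version: Optional[int]   # 4, 6, or None for NonIP
    vlan_ids: List[int] = field(default_factory=list)  # outermost tag first


def _l4_category(proto: int, version: int) -> str:
    """Map the IP protocol number to one of the four IP buckets."""
    if proto == IPPROTO_TCP:
        return "TCP"
    if proto == IPPROTO_UDP:
        return "UDP"
    if (version == 4 and proto == IPPROTO_ICMP) or (version == 6 and proto == IPPROTO_ICMPV6):
        return "ICMP"
    return "OtherIP"


def classify_frame(frame: bytes) -> Classification:
    """Classify one raw Ethernet frame into the sensor's top-level buckets (hypothetical helper)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12                                   # skip destination + source MAC
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    vlan_ids: List[int] = []
    # Each 802.1Q tag is TPID 0x8100 (already consumed as the EtherType),
    # a 2-byte TCI whose low 12 bits are the VLAN ID, then the next EtherType.
    while ethertype == ETHERTYPE_VLAN:
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan_ids.append(tci & 0x0FFF)
        offset += 4
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
            raise ValueError("truncated or malformed IPv4 header")
        return Classification(_l4_category(frame[offset + 9], 4), ethertype, 4, vlan_ids)
    if ethertype == ETHERTYPE_IPV6:
        if len(frame) < offset + 40 or frame[offset] >> 4 != 6:
            raise ValueError("truncated or malformed IPv6 header")
        # Next Header is taken as-is; extension headers are not walked here,
        # so a packet carrying one lands in OtherIP.
        return Classification(_l4_category(frame[offset + 6], 6), ethertype, 6, vlan_ids)
    # Anything else (ARP, LLDP, an 802.1ad outer tag, ...) is Non IP.
    return Classification("NonIP", ethertype, None, vlan_ids)


# --- constructed sample frames (not captured traffic) -----------------------
def build_frame(vlan_ids: List[int], ethertype: int, payload: bytes) -> bytes:
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def ipv4_header(proto: int) -> bytes:
    # Minimal 20-byte IPv4 header: version/IHL, TOS, total length, id, flags,
    # TTL, protocol, checksum (left zero), source and destination addresses.
    return (bytes([0x45, 0x00]) + struct.pack("!H", 20) + b"\x00\x00\x40\x00"
            + bytes([64, proto]) + b"\x00\x00"
            + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))


def ipv6_header(next_header: int) -> bytes:
    # Minimal 40-byte IPv6 header with documentation-prefix addresses.
    return (bytes([0x60, 0, 0, 0]) + struct.pack("!H", 0) + bytes([next_header, 64])
            + b"\x20\x01\x0d\xb8" + b"\x00" * 12
            + b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01")


SAMPLE_FRAMES = {
    "arp_untagged": build_frame([], ETHERTYPE_ARP, b"\x00" * 28),
    "ipv4_tcp_vlan100": build_frame([100], ETHERTYPE_IPV4, ipv4_header(IPPROTO_TCP)),
    "ipv6_udp_stacked": build_frame([10, 20], ETHERTYPE_IPV6, ipv6_header(IPPROTO_UDP)),
    "ipv4_gre": build_frame([], ETHERTYPE_IPV4, ipv4_header(47)),
    "ipv6_icmp": build_frame([7], ETHERTYPE_IPV6, ipv6_header(IPPROTO_ICMPV6)),
}


def classify_samples() -> dict:
    return {name: classify_frame(f) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, c in classify_samples().items():
        print(f"{name:18} -> {c.category:8} ethertype=0x{c.ethertype:04x} vlans={c.vlan_ids}")
```

The GRE sample shows why an "OtherIP" bucket is needed: the frame is valid IPv4 but carries none of the three parsed transports. The IPv6 sample with extension headers would land there too, which is worth remembering when a tunnelled or fragmented IPv6 flow seems to be missing from the UDP or TCP views.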
Protocol layers
The next level of classification for the flows is into "layers". The layers currently supported in the sensor capture are the following:
- TCP
- UDP
- VoIP
- TLS
- ARP
- VNC
- SOCKS5
- Databases
- SMB
- Netflow
- ICMP
- HTTP
- DNS
- Citrix
- BOOTP
- LDAP
- KERBEROS
- IPSEC
- SSH
- DCE/RPC
- NTLM
- FTP
- RDP
Protocol parsers
Once classified into a layer, the sensor capture also supports parsers for specific protocols that provide additional metrics within the layers:
- BOOTP
- IP
- TCP
- Citrix
- DNS
- HTTP
- HTTP2
- RDP
- SQL
- TLS
- VoIP
- VXLAN
- VNC
- ERSPAN
- SOCKS5
- LDAP
- KERBEROS
- IPSEC
- SSH
- DCE/RPC
- NTLM
- SMTP
- FTP_CTRL
Limitations
If the rate of incoming packets exceeds the rate at which the sniffer can parse the traffic for too long, some packets may be dropped by the Linux kernel. These packets will not be accounted for in the GUI.
As a real-time protocol analyzer, the sniffer is also limited in what protocols it supports and how deep it inspects packets. Here is a quick overview of the most obvious limitations:
- Ethernet parser supports Linux cooked capture extension (used when capturing on “any” interfaces) and 802.1q VLAN tags. All other Ethernet extensions are ignored.
- ARP parser knows only Ethernet and IP addresses.
- DNS parser supports MDNS, NBNS and LLMNR to the extent where these protocols mimic legacy DNS (with the exception that it can unscramble NetBios encoded names).
- FTP connection tracking merely looks for EPSV, PASV or PORT commands in the TCP stream without much care for the actual protocol.
- TCP options are ignored.
- PostgreSQL parser only supports protocol version 3.0 and MySQL parser only supports protocol version 10. This should cover most of the installed base, though.
- TNS parser (for Oracle databases) was roughly reverse-engineered from various sources, especially the Wireshark source code. Thus, it should not be expected to understand all messages in all situations.
- SIP parser implements no proprietary extensions, however prevalent.
- As there is no concept of connections for UDP, UDP conversations are ended after a timeout period of two minutes without any packet in any direction. This might not match the underlying protocol.
- VoIP dialogs are identified by their call-ID only, which implies that if the sniffer listens to various independent SIP proxies or servers, then call-ID collisions cannot be ruled out (this choice was made because it proved useful in practice).
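The UDP timeout rule above is easiest to understand on a concrete packet sequence: the two-minute clock measures the idle gap between consecutive packets of a 4-tuple in either direction, not the total age of the conversation. The following is an added example written for this page, not the sensor's own code, and the class, function and constant names are ours; it keeps a conversation table keyed by the direction-independent endpoint pair, splits a conversation when a packet arrives more than 120 s after the previous one, and expires idle entries. The packet list is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Idle timeout stated in the limitations above: two minutes without a packet
# in either direction ends the conversation. The constant name is ours.
UDP_IDLE_TIMEOUT = 120.0

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


@dataclass
class Conversation:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0


def flow_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> FlowKey:
    """Order the two endpoints so both directions map to the same conversation."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)


class UdpConversationTracker:
    def __init__(self, idle_timeout: float = UDP_IDLE_TIMEOUT) -> None:
        self.idle_timeout = idle_timeout
        self.active: Dict[FlowKey, Conversation] = {}
        self.closed: List[Conversation] = []

    def packet(self, ts: float, src_ip: str, src_port: int,
               dst_ip: str, dst_port: int) -> Conversation:
        """Account one UDP packet (timestamps must arrive in non-decreasing order)."""
        key = flow_key(src_ip, src_port, dst_ip, dst_port)
        conv = self.active.get(key)
        # A gap longer than the idle timeout closes the old conversation even
        # though the 4-tuple is identical; the new packet starts a fresh one.
        if conv is not None and ts - conv.last_seen > self.idle_timeout:
            self.closed.append(self.active.pop(key))
            conv = None
        if conv is None:
            conv = Conversation(key, ts, ts)
            self.active[key] = conv
        conv.last_seen = ts
        conv.packets += 1
        return conv

    def expire(self, now: float) -> None:
        """Close every conversation that has been idle longer than the timeout at time `now`."""
        stale = [k for k, c in self.active.items() if now - c.last_seen > self.idle_timeout]
        for key in stale:
            self.closed.append(self.active.pop(key))


# Constructed packet list: (timestamp in seconds, src_ip, src_port, dst_ip, dst_port).
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", 53000, "10.0.0.53", 53),    # DNS query
    (0.01, "10.0.0.53", 53, "10.0.0.5", 53000),    # DNS reply, reverse direction
    (5.00, "10.0.0.7", 123, "10.0.0.1", 123),      # NTP poll ...
    (30.0, "10.0.0.5", 53000, "10.0.0.53", 53),    # DNS query again after 30 s idle
    (70.0, "10.0.0.7", 123, "10.0.0.1", 123),      # ... repeated every ~60 s, under the timeout
    (130.0, "10.0.0.7", 123, "10.0.0.1", 123),
    (190.0, "10.0.0.7", 123, "10.0.0.1", 123),
    (200.0, "10.0.0.5", 53000, "10.0.0.53", 53),   # 170 s after the last DNS packet: new conversation
]


def run_sample(now: float = 400.0) -> List[Tuple[int, float, float]]:
    """Feed the constructed packets; return (packets, first_seen, last_seen) per closed conversation."""
    tracker = UdpConversationTracker()
    for ts, sip, sport, dip, dport in sorted(SAMPLE_PACKETS):
        tracker.packet(ts, sip, sport, dip, dport)
    tracker.expire(now)
    return [(c.packets, c.first_seen, c.last_seen) for c in tracker.closed]


if __name__ == "__main__":
    for packets, first, last in run_sample():
        print(f"{packets} packets, {first:.2f} -> {last:.2f} ({last - first:.0f} s)")
```

Running it gives three closed conversations: the DNS exchange (3 packets, closed when the query at 200 s arrives), the NTP polling (4 packets spanning 185 s, kept as one conversation because no gap exceeds 120 s) and the lone DNS query at 200 s. That is exactly the behaviour to expect when a protocol with a longer natural silence, such as a slow keepalive, shows up as several short conversations in the UDP views.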
© 2024 Cisco and/or its affiliates. All rights reserved.