Remote Packet Capture <draft-bullard-pcap-00.txt>
Internet Engineering Task Force
San Diego, California
Thursday, September 18, 2014

Problem
• Accessing packets of interest is difficult
• Existing technologies are becoming inadequate
• RMON filter/capture
• Constrained by resources
• Pull technology
• SMON port copy
• Full duplex port replication suffers from congestion issues, which impact packet capture reliability
• Full packet replication limits what you can do with the captured stream
• Distributed monitoring makes the problem even more interesting

Need
• An improved packet capture paradigm
• Designed as a service?
• Simple
• Standardizable
• Assured operation
• Support existing IPPM metrics
• Type-P* metrics
• Path determination
• Facilitate/enable new measurements

PCAP Requirements
• Integrated high performance packet capture
• Reliable/sustained stream capture
• Flexible packet selection strategies
• Support IPPM framework and metrics
• RFC 2330 Framework for IP Performance Metrics
• RFC 2678 IPPM Metrics for Measuring Connectivity
• RFC 2679 A One-Way Delay Metric for IPPM
• RFC 2680 A One-Way Packet Loss Metric for IPPM
• RFC 2681 A Round-trip Delay Metric for IPPM
• Minimize privacy impact

Application: Enhanced SMON Port Copy Facility
• IP + Transport Header Capture + Pkt Len + Timestamp
• Full ICMP Packet Capture + Timestamp
• MPLS Label Capture + Pkt Len + Timestamp

Applications: IPPM Type-P* “Whatever” Metrics
• IP + Transport Header Capture + Pkt Len + Timestamp
• Full ICMP Packet Capture + Timestamp
[Figure labels: End system, End system, Monitor, Switch]

Recommendations
• Integrated packet filter/capture
• Devise a simple strategy that is high performance friendly (OC-192)
• Exploit benefit of SMON PortCopy
• Get packet off the box as soon as possible
• Address SMON PortCopy congestion issues
• Partial packet capture
• Variable packet header capture
• Label capture
• Enable better packet disposition
• Capture packet encapsulation and transport

Approach
• Packet Capture encapsulation header
• Support Distributed Multipoint Monitoring
• Source identification
• Source component identifier
• Interface identifier
• Direction
• Assured packet capture
• Sequence numbering
• IPPM Conformant Timestamp
• Variable length capture payload
• Captured packet transport
• Layer 2 transport
• Layer 3 transport

Draft PCAP Header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Identifier                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ifIndex | Interface Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Status | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Time Stamp (sec)                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Time Stamp (nsec)                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                     Captured Packet Data                      |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

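How a collector could use the Sequence Number word for the "assured packet capture" goal, as an added example that is not part of the slides or the draft: it reads the six 32-bit header words and counts missing records per Source Identifier, including across 32-bit wraparound. Assumptions: network byte order, a sequence number that increments by one per captured packet per source, and words 2 and 3 kept opaque because the page does not give the split inside them; parse_record, LossTracker, make_record and demo are hypothetical names.

```python
import struct

# Six 32-bit words as drawn in the draft header; network byte order is assumed.
HDR = struct.Struct("!6I")
MASK = 0xFFFFFFFF

def parse_record(record: bytes) -> dict:
    """Split one capture record into header fields and captured packet data."""
    if len(record) < HDR.size:
        raise ValueError("record shorter than the 24-byte header")
    source, word2, word3, seq, sec, nsec = HDR.unpack_from(record)
    if nsec >= 1_000_000_000:
        raise ValueError("nanosecond timestamp out of range")
    # word2 (ifIndex / Interface Type) and word3 (Status / Length) stay opaque:
    # the page does not give the split inside those words.
    return {"source": source, "word2": word2, "word3": word3, "seq": seq,
            "ts": (sec, nsec), "data": record[HDR.size:]}

class LossTracker:
    """Per-source sequence check (assumes +1 per captured packet, per source)."""
    def __init__(self):
        self.expected = {}  # Source Identifier -> next sequence number
        self.lost = {}      # Source Identifier -> records missing so far

    def observe(self, rec: dict) -> str:
        src, seq = rec["source"], rec["seq"]
        if src not in self.expected:
            self.expected[src], self.lost[src] = (seq + 1) & MASK, 0
            return "first"
        delta = (seq - self.expected[src]) & MASK  # modular, survives wraparound
        if delta >= 1 << 31:
            return "late-or-duplicate"  # behind the window; counters unchanged
        self.expected[src] = (seq + 1) & MASK
        self.lost[src] += delta
        return "in-order" if delta == 0 else f"gap:{delta}"

def make_record(source, seq, sec, nsec, data=b""):
    """Build a constructed sample record (words 2 and 3 zeroed)."""
    return HDR.pack(source, 0, 0, seq, sec, nsec) + data

def demo():
    tracker = LossTracker()
    # Constructed stream: wraps past 2**32-1, drops seq 1 and 2, then seq 2 arrives late.
    stream = [(0x0A000001, s) for s in (0xFFFFFFFE, 0xFFFFFFFF, 0, 3, 2)] + [(7, 100)]
    events = [tracker.observe(parse_record(make_record(src, s, 1000 + i, 500, b"\x45")))
              for i, (src, s) in enumerate(stream)]
    return events, tracker.lost

if __name__ == "__main__":
    print(demo())
```

A late record is reported but not subtracted from the loss count, since the header alone cannot tell a reordered record from a duplicate.
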
Privacy
• Packet capture perceived as threat to privacy
• Selective/partial packet capture
• Protocol Specific Content separation
• Authorized content capture
• Limited header capture
• Captured content protection
• Unauthorized modification
• Unauthorized disclosure