Network Protocol Analysis Tip: Packet Slicing

Packet slicing can speed analysis. See a demonstration in this video.

Tony Fortunato

August 24, 2017


As a network protocol analyst, "packet slicing" is one of the most important techniques I can share. Packet slicing simply saves a specific number of bytes from your packets rather than the entire packet. By default, most network protocol analyzers will save the entire packet, but there are many scenarios where you might want to save a portion of the packet instead of the entire packet.

Here are some reasons to consider slicing:

  • The data is not useful or unreadable/encrypted

  • To conserve disk space or reduce your trace file size

  • Legal issues around the payload of captured packets

  • Reduce load on your capture device. Some packet capture tools are less likely to drop packets when packets are sliced.

In the video below, I demonstrate how to slice packets from a trace file using Wireshark’s editcap application.

Check your protocol analyzer to determine whether you can slice after you have captured your packets. For example, Wireshark only allows you to configure packet slicing before you start your capture. For post-capture packet slicing, you can use Wireshark’s editcap application.


If you want the MAC, IP and TCP layers and a bit of the application layer, a 128-byte slice will work just fine. Check whether your protocol analyzer requires fixed lengths for packet slicing; otherwise, you can input any number. Having the ability to input specific values provides an analyst with more flexibility and enables better precision.
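To make the 128-byte figure concrete, here is an added example (not code from the article or from Wireshark) that slices a trace post-capture and reports how many application-layer bytes survive in each packet. It assumes a little-endian classic pcap file (not pcapng) with Ethernet/IPv4/TCP frames; the two sample frames are constructed, and all function names are illustrative.

```python
import struct

GLOBAL = struct.Struct("<IHHiIII")  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on wire)

def read_records(pcap: bytes):
    """Yield (ts_sec, ts_usec, orig_len, frame) from a little-endian classic pcap."""
    if GLOBAL.unpack_from(pcap)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = GLOBAL.size
    while off < len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = RECORD.unpack_from(pcap, off)
        off += RECORD.size
        yield ts_sec, ts_usec, orig_len, pcap[off:off + incl_len]
        off += incl_len

def write_pcap(records, snaplen=65535):
    out = [GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]  # linktype 1 = Ethernet
    for ts_sec, ts_usec, orig_len, frame in records:
        out.append(RECORD.pack(ts_sec, ts_usec, len(frame), orig_len) + frame)
    return b"".join(out)

def slice_pcap(pcap: bytes, snaplen: int) -> bytes:
    """Keep the first snaplen bytes of each frame; orig_len still records the wire size."""
    return write_pcap(((s, u, o, f[:snaplen]) for s, u, o, f in read_records(pcap)), snaplen)

def app_bytes_kept(frame: bytes) -> int:
    """Application-layer bytes remaining in an Ethernet/IPv4/TCP frame."""
    # 14-byte Ethernet header plus the IPv4 header length taken from the IHL field
    tcp_off = 14 + (frame[14] & 0x0F) * 4 if len(frame) > 14 else len(frame)
    if len(frame) < tcp_off + 13:
        return 0                                      # slice cut into or before the TCP header
    return max(0, len(frame) - tcp_off - (frame[tcp_off + 12] >> 4) * 4)

def build_frame(payload: bytes, tcp_hdr_len: int = 20) -> bytes:
    """Constructed sample frame: zeroed addresses and checksums, only length fields are real."""
    eth = bytes(12) + b"\x08\x00"                     # EtherType IPv4
    ip = b"\x45" + bytes(8) + b"\x06" + bytes(10)     # IHL = 5 words, protocol = TCP
    tcp = bytes(12) + bytes([(tcp_hdr_len // 4) << 4]) + bytes(tcp_hdr_len - 13)
    return eth + ip + tcp + payload

def demo(snaplen: int = 128):
    frames = [build_frame(b"A" * 500), build_frame(b"B" * 500, tcp_hdr_len=60)]
    original = write_pcap((i, 0, len(f), f) for i, f in enumerate(frames))
    sliced = slice_pcap(original, snaplen)
    report = [(len(f), o, app_bytes_kept(f)) for _, _, o, f in read_records(sliced)]
    return len(original), len(sliced), report

if __name__ == "__main__":
    print(demo())
```

Each tuple in the report is (bytes saved, bytes on the wire, application bytes kept): a packet with maximum-length TCP options keeps far less application data at the same slice size. With Wireshark's tools, the equivalent post-capture operation is editcap's `-s <snaplen>` option.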


About the Author(s)

Tony Fortunato

Sr Network Performance Specialist

Tony Fortunato is a network performance expert who has been designing, implementing and troubleshooting networks since 1989. His company, The Technology Firm, provides clients of all sizes with services ranging from project management, network design, consulting, troubleshooting, designing custom training courses, and assisting with equipment installation. Tony's experience in networking started with financial trading floor networks and ISPs, where he learned to integrate and support equipment from various vendors. Tony has taught and presented at numerous colleges and universities, public forums and private classes. He blogs frequently at NetworkDataPedia and has a popular YouTube channel.
