Packet slicing can speed analysis. See a demonstration in this video.
As a network protocol analyst, I consider "packet slicing" one of the most important techniques I can share. Packet slicing simply saves a specific number of bytes from each packet rather than the entire packet. By default, most network protocol analyzers save the entire packet, but there are many scenarios where you might want to save only a portion of it.
Here are some reasons to consider slicing:
- The payload is not useful, is unreadable, or is encrypted
- To conserve disk space or reduce your trace file size
- Legal issues around the payload of captured packets
- Reduce load on your capture device. Some packet capture tools are less likely to drop packets when packets are sliced.
In the video below, I demonstrate how to slice packets from a trace file using Wireshark’s editcap application.
Check whether your protocol analyzer can slice packets after you have captured them. For example, Wireshark only allows you to configure packet slicing before you start your capture. For post-capture packet slicing, you can use Wireshark’s editcap application.
If you want the MAC, IP, and TCP layers plus a bit of the application layer, a 128-byte slice will work just fine. Check whether your protocol analyzer requires fixed lengths for packet slicing; otherwise, you can input any number. Being able to enter a specific value gives an analyst more flexibility and better precision.
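To make the post-capture slicing step concrete, here is an added Python example (not from the original article and not Wireshark's editcap code) that does for a classic little-endian pcap file what `editcap -s <bytes>` does: every packet record is cut to at most the requested number of bytes, the record's original length is left untouched so the trace still shows how large each frame really was, and the snaplen field in the global header is lowered to match. The sample trace is constructed inline (Ethernet/IPv4/TCP headers with a dummy payload, no valid checksums), so the whole thing runs offline. With an untagged Ethernet frame and no IP or TCP options, the three headers occupy 54 bytes, which is why a 128-byte slice still leaves 74 bytes of application data for inspection. The `slice_pcap`, `build_sample_pcap`, and `packet_lengths` names are this example's own.

```python
"""Post-capture packet slicing for classic pcap files (not pcapng).

Added example, not part of the original article and not editcap's code.
Only the little-endian, microsecond-resolution pcap variant is handled.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
# magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
REC_HDR = struct.Struct("<IIII")
LINKTYPE_ETHERNET = 1


def slice_pcap(data: bytes, snaplen: int) -> bytes:
    """Return a copy of the pcap with each record truncated to `snaplen` bytes."""
    if snaplen <= 0:
        raise ValueError("snaplen must be positive")
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated pcap global header")
    magic, vmaj, vmin, tz, sig, old_snap, link = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is handled here")
    # Lower the advertised snaplen so tools reading the file know it was sliced.
    out = [GLOBAL_HDR.pack(magic, vmaj, vmin, tz, sig, min(old_snap, snaplen), link)]
    off = GLOBAL_HDR.size
    while off < len(data):
        if len(data) - off < REC_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if len(data) - off < incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        pkt = data[off:off + incl_len]
        off += incl_len
        kept = pkt[:snaplen]  # packets already shorter than snaplen are unchanged
        out.append(REC_HDR.pack(ts_sec, ts_usec, len(kept), orig_len))
        out.append(kept)
    return b"".join(out)


def build_sample_pcap(payload_sizes) -> bytes:
    """Constructed trace: Ethernet(14) + IPv4(20) + TCP(20) headers and a dummy payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    records = []
    for i, n in enumerate(payload_sizes):
        payload = bytes([0x41 + (i % 26)]) * n
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + n, i, 0x4000, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        tcp = struct.pack("!HHIIBBHHH", 40000 + i, 443, 1 + i, 0, 5 << 4, 0x18, 65535, 0, 0)
        frame = eth + ip + tcp + payload
        records.append(REC_HDR.pack(1700000000 + i, 0, len(frame), len(frame)) + frame)
    header = GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(records)


def packet_lengths(data: bytes):
    """List of (captured_bytes, original_bytes) per record, for checking a slice."""
    lengths = []
    off = GLOBAL_HDR.size
    while off < len(data):
        _, _, incl_len, orig_len = REC_HDR.unpack_from(data, off)
        lengths.append((incl_len, orig_len))
        off += REC_HDR.size + incl_len
    return lengths


if __name__ == "__main__":
    trace = build_sample_pcap([20, 300, 1400])
    sliced = slice_pcap(trace, 128)
    print("before:", packet_lengths(trace))
    print("after: ", packet_lengths(sliced))
    print("file shrank from %d to %d bytes" % (len(trace), len(sliced)))
```

Wireshark shows a sliced record with its captured length smaller than its frame length, which is exactly what the preserved `orig_len` field conveys; the equivalent command-line step with the real tool is `editcap -s 128 input.pcap output.pcap`.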