Filtering and slicing are powerful tools to employ when performing network analysis. Their use helps to focus analysis on just the data of interest, while reducing the load, including data volume and overall processing, on the system being used to collect and process the data. The bottom line is that techniques like filtering and slicing reduce the amount of time required to troubleshoot complex networks.
Filtering is a way of limiting the overall number of packets captured and stored based upon user-specified criteria. Typical filtering criteria include addresses, protocols and ports, though more detailed packet information including values, patterns and lengths can also be used in filters. The ability to generate complex filters that combine these criteria using Boolean logic enables users to develop very specific filters that identify critical and often transient network events. Using “not” logic allows you to filter out all “good” traffic, so when packets pass the filter you know you have data you want to investigate.
Slicing truncates the packets after a certain length, significantly reducing the data that is collected and analyzed. Slicing is typically used to capture the header information from packets and not the payloads. This is a very useful technique, particularly when your analysis is centered on nodes, protocols, and flows, and not payload information, which is a significant percentage of typical network analysis.
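The "not" filter and header-only slicing described above, as an added example that is not part of the original text: the frames are constructed in-line rather than captured, EXPECTED_PORTS is an assumed allow-list of known-good destination ports, and the slicer cuts at the parsed header boundary rather than a fixed byte count so that IP or TCP options cannot push the transport header past the cut.

```python
import struct
from ipaddress import ip_address

# Constructed sample frames (not real captures): Ethernet II + IPv4 + TCP + payload, checksums left zero.
def build_frame(src_ip, dst_ip, sport, dport, payload):
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip + tcp + payload

def parse(frame):
    """Return the fields a filter keys on (addresses, protocol, ports) and the header length."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # only IPv4 handled here
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = 14 + ihl
    sport = dport = None
    l4len = 0
    if proto in (6, 17):  # TCP or UDP
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        l4len = (frame[l4 + 12] >> 4) * 4 if proto == 6 else 8
    return {"src": str(ip_address(frame[26:30])), "dst": str(ip_address(frame[30:34])),
            "proto": proto, "sport": sport, "dport": dport, "hdr_len": l4 + l4len}

EXPECTED_PORTS = {80, 443, 53}  # assumed allow-list of "good" destination ports

def anomaly_filter(fields):
    """'not' filter: pass a packet only when it is NOT expected traffic."""
    expected = fields["proto"] in (6, 17) and fields["dport"] in EXPECTED_PORTS
    return not expected

def slice_to_headers(frame, fields):
    """Slice at the parsed header boundary rather than a fixed snaplen, so IP/TCP
    options never push the transport header past the cut."""
    return frame[:fields["hdr_len"]]

def process(frames):
    """Apply the filter, then slice; returns (fields, sliced_bytes) for packets that pass."""
    kept = []
    for frame in frames:
        fields = parse(frame)
        if fields and anomaly_filter(fields):
            kept.append((fields, slice_to_headers(frame, fields)))
    return kept

SAMPLE_FRAMES = [build_frame("10.0.0.5", "10.0.0.9", 50000, 443, b"GET / HTTP/1.1\r\n"),
                 build_frame("10.0.0.5", "10.0.0.9", 50001, 4444, b"\x00" * 40)]
```

Only the second frame (destination port 4444, not on the allow-list) passes, and its 94 bytes are reduced to the 54 bytes of Ethernet, IPv4 and TCP headers.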
Four key benefits of filtering and slicing include:
1. Extra time for value added projects
Improving an engineer’s ability to isolate traffic by filtering and slicing can reduce the time spent responding to problems and increase the time available to proactively prevent other issues. Businesses benefit in that they accelerate the resolution of critical issues, thereby shortening the impact on productivity or revenue.
2. Quickly identify anomalous traffic
By applying filters that only allow unexpected traffic through the analyzer, enterprises can quickly monitor their network for malicious behavior. This makes it easier to spot conditions that need immediate attention and to set up alarms so engineers can be notified of anomalous conditions even when they’re away from their network dashboard.
3. Resourceful analysis
The overall amount of data to analyze and store is significantly reduced through the use of filtering and slicing, freeing up more processing power for capture and analysis and more disk space for storing the data that’s truly important to the current analysis task.
4. Increased flexibility and performance
By not capturing the whole packet on a segment, you’re limiting the collection and analysis to only what is necessary; certain conditions can be immediately ruled out, which dramatically improves network analysis performance.
Filtering and slicing are not without their drawbacks. Both techniques are “final” – once employed, the discarded data is lost forever. This is typically not a problem if you’re confident you know what you’re looking for, but for situations where the problem isn’t clear, or no problem is even expected, it may be better to collect all packet data for a complete post-capture forensic analysis. Also, the use of filtering and slicing does require advanced knowledge for effective results. Both can lead to frustration if not carefully employed.