Why you may need protocol stripping function?
As you know there are 7 OSI model levels. Each one adds some particular volume header to the packet.
name='more'> In the easiest case for every network analyzer, packet contains source and destination MAC-addresses and then IP-addresses. If we mirror datacenter or even distribution level uplinks we can observe 802.1q-tagged or even MPLS-labeled traffic. Each of these headers is inserted between data link layer and network layer. I could see in my practice some situations when network sensors didn't understand these headers. In the best case they were ignored but in the worst one devices might start wrong calculation and higher level data interpretation according to hardcoded packet offset algorithm used for throughput increasing.
So, it is possible to delete unused headers if you don't need a detection of VLAN/VXLAN id, MPLS label etc.
If you need for the information security incident investigation:
- Layer 2 or 2.5 info,
- entire access network traffic analysis including every subnet/VLAN,
- traffic copy aggregation on the packet broker,
then you may not need a packet stripping function but you must use packets deduplication feature.
But if you mirror uplinks to IP/MPLS core or service level (it depends on the network architecture) with 802.1q tags or MPLS labels you may optimize your network sensors resources usage:
- qualitatively - by packets structure unification;
- quantitatively - by packets unused size minimization with unanalyzed headers elimination.
Some approx headers list for protocol stripping is shown on the picture below.
