Using cPacket’s cVu to identify and troubleshoot unusual packet types

If you have struggled with network tools that fail to decode packets coming from a SPAN port, you're not alone. Your switch says it's forwarding packets, but your network tools can't make any sense of the traffic. There must be a practical way to resolve this issue.

Introducing cPacket’s cVu monitoring device:

In 2017, cPacket introduced its cVu monitoring device, which allows users to gain deeper insight into the nature of the traffic.

Let’s see how we can use cPacket’s cVu traffic monitoring device to gain insight into the nature of the traffic. Starting at the cVu’s overview page you’ll notice that the packets per second and bits per second are incrementing on each port that has network traffic – so there is definitely traffic.

For an in-depth analysis of traffic type, go to the reports page and click on a specific port. Under protocol breakdown, you might see IPv4 or IPv6 traffic. However, if traffic is counted under not_IPv4_IPv6, this indicates traffic that is encapsulated at L2 and not categorized as IPv4 or IPv6.

To obtain first-hand access to these packets, we can use cVu's L2-L7 Smart Filter snapshot feature to selectively retrieve specific packets. Start by navigating to the filters page on cVu and selecting the port in question. Configure a new filter and, under the drop-down, select string match to capture all Ethernet packets, including those that don't fit into an IPv4 or IPv6 format. When the filter is activated, you should see the packets and bits per second in the lower right-hand corner increasing. This confirms that the filter matches the traffic we are interested in investigating. Lastly, click the SNAP button to obtain a 10-second capture, which is stored on the captures page and can be downloaded and viewed in Wireshark.

 

By following the above steps, you should now be able to determine the type of header that the packets are encapsulated in. You can then enable packet stripping on cVu to remove these headers before forwarding to output ports without any implications to performance. By doing so, downstream tools can view the packets in their native format.
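As a cross-check on what Wireshark shows for the downloaded capture, a short script can tally the L2 header chain of every frame so the encapsulation that needs stripping stands out. This is an added example, not cPacket code: it assumes the capture is a classic pcap file with Ethernet link type, and `header_chain`, `breakdown`, `sample_pcap` and the partial EtherType table are hypothetical names and choices made here.

```python
import struct
from collections import Counter

# Partial EtherType table (assumption: extend it for your network); others print as hex.
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x8100: "802.1Q",
              0x88A8: "802.1ad", 0x8847: "MPLS", 0x8848: "MPLS-mcast", 0x8926: "VN-Tag"}
VLAN_TPIDS = (0x8100, 0x88A8)  # 4-byte tags that are followed by another EtherType

def header_chain(frame):
    """Return the L2 header chain of one Ethernet frame, e.g. '802.1Q/IPv4'."""
    chain, off = [], 12                      # skip destination and source MAC
    while off + 2 <= len(frame):
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype < 0x0600:                   # 802.3 length field, not an EtherType
            chain.append("802.3-LLC")
            break
        chain.append(ETHERTYPES.get(etype, f"0x{etype:04x}"))
        if etype not in VLAN_TPIDS:
            break
        off += 4                             # skip TPID + TCI to the inner EtherType
    return "/".join(chain) or "truncated"

def breakdown(pcap):
    """Count header chains in a classic pcap (Ethernet link type) given as bytes."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    counts, off = Counter(), 24              # 24-byte global header
    while off + 16 <= len(pcap):             # 16-byte per-record header
        incl_len = struct.unpack_from(end + "I", pcap, off + 8)[0]
        counts[header_chain(pcap[off + 16: off + 16 + incl_len])] += 1
        off += 16 + incl_len
    return counts

def sample_pcap():
    """Constructed capture: one frame each of IPv4, 802.1Q/IPv6, VN-Tag, MPLS."""
    macs = bytes(12)
    frames = [macs + b"\x08\x00" + bytes(20),
              macs + b"\x81\x00\x00\x64\x86\xdd" + bytes(40),
              macs + b"\x89\x26" + bytes(24),
              macs + b"\x88\x47" + bytes(24)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for chain, n in breakdown(sample_pcap()).most_common():
        print(f"{n:6d}  {chain}")
```

To run it on a real capture, pass the file's bytes to `breakdown`; any chain that does not start with IPv4 or IPv6 corresponds to traffic a tool expecting plain IP frames may fail to decode.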

As you can see, cPacket's cVu monitoring device makes this easy by providing the tools you need to process the data and gain deeper insight into the true nature of the traffic.