PacketStack Advanced Packet Processing

Feature-Rich and Line-Rate Packet Processing

Advanced packet processing is one of the most important features of a Network Packet Broker (NPB). Many security tools cannot work efficiently without the help of a NPB to perform some levels of advanced packet processing like packet deduplication, protocol header stripping, packet trimming or a combination of many, performing as a cascaded operation. It’s one of the Key Performance Indicators (KPI) to consider when evaluating and selecting a packet broker

Solution

There are two general types of NPB implementations for advanced packet processing: Hardware FPGA-based or software CPU based.

Keysight network packet brokers are purpose-built to perform intensive processing at line rate and are optimized with a fieldprogrammable gate array (FPGA). FPGA hardware accelerates the packet processing of the NPB and offers significant architectural benefits including accelerated advanced packet processing with zero packet-loss at line-rate, independent of packet size. A combination of advanced functions can cascade to operate with no performance degradation.

In contrast, NPBs that rely on onboard software-based CPU processing commonly drop packets as traffic volumes increase and more often than not, cannot use all features simultaneously because of limited CPU power. This significantly slows down application detection and reporting and requires ongoing investment in additional modules. Keysight NPBs operate on a single module with highdensity, modular chassis and customizable bays, and do not have these limitations.

These advanced functions perform either on standalone, or in an Ixia Fabric Controller (IFC) cluster which makes the feature universally available even within a distributed monitoring infrastructure.

PacketStack software is designed specifically for Keysight NPBs that utilize FPGA accelerated hardware processing and allows them to perform at their highest level.  PacketStack adds value to your Keysight NPBs, enabling intelligent network visibility and unlocking more capabilities with advanced features.  

Key Features

• Packet de-duplication – Packet duplicates occur in networks when a packet traverses multiple taps or SPAN ports that generate multiple copies of the same packet. De-duplicating packets reduces the amount of redundant data sent to security and monitoring tools, directly improving tool efficiencies and preserving their integrity. Flexible configuration parameters let you ignore specific headers and control whether the deduplication window is packet- or time-based.

• Protocol header stripping – Monitoring tools, legacy or even modern ones, cannot analyze traffic encapsulated inside of an unsupported protocol. This feature enables tools to monitor all required data by removing VLAN or QinQ, FabricPath, ETag, VNTag, GTP, MPLS, VxLAN, GENEVE, ESP, L2GRE, or ERSPA headers from the packet stream. Generic Header Stripping can also remove new or proprietary protocol headers such as: L3GRE, JMirror, PBB-TE, LISP, VSL, OTV, PPPoE etc.

• L2GRE tunnel termination – Many virtual taps, including Keysight’s Phantom vTap, will originate VM traffic in L2GRE encapsulation. PacketStack can terminate the L2GRE tunnel so plain Ethernet traffic can be directed to tools for processing; hence removing the burden of tunnel termination from the attached tools.

• Extended burst protection – Deep buffering allows monitoring tools to see every packet, even under microburst conditions where aggregate bandwidth temporarily exceeds port capacity. This condition commonly occurs when traffic from a high-speed network adapts to feed a lower-speed tool. PacketStack’s extended burst protection allows data flow from higher- speed, bursty traffic to lower speed tools. 

• Packet trimming – Many monitoring tools, especially legacy ones, only need to analyze packet headers. In other monitoring applications, regulatory compliance requires tools to remove sensitive data from captured network traffic. The Packet Trimming function can remove payload data from the monitored network traffic, which boosts tool performance and keeps sensitive user data secure. 

• Data masking – Network operators commonly need to remove personally identifiable information (PII), such as credit card or social security numbers, before sending the data to analysis tools. Data Masking removes this data from the packet in real-time and replaces it with a fixed-field value before forwarding to security and monitoring tools. 

• Timestamping – Network operators require high-accuracy timestamps on packets to correlate events with other device logs in low-latency financial data centers and to correlate traffic events across a WAN. PacketStack Timestamping inserts a high-accuracy timestamp into every packet at ingress. Timestamp sources include local, NTP, and PTP.