Network Monitor Discards MPLS Encapsulated Packets

Article ID: 160148

Products

Data Loss Prevention Network Monitor

Issue/Introduction

As designed, the Network Detection Server will discard packets encapsulated by MPLS (MultiProtocol Label Switching).

PacketCapture discards these packets at the driver level, so it will appear that the Network Detection Server is not seeing traffic.

See http://en.wikipedia.org/wiki/Multiprotocol_Label_Switching for a detailed description of MPLS.

Resolution

There are a couple of ways to find out if the traffic being sent to the monitor is encapsulated in MPLS format:

1. The quickest way is to get a Wireshark capture and check the Protocol Hierarchy. Go to Statistics menu -> Protocol Hierarchy.

If a large percentage of the packets have a MultiProtocol Label Switching Header, then these packets are being discarded by PacketCapture and not seen by the monitor. In the example capture, 99.86% of packets are MPLS encapsulated. This means 99.86% of the packets during this capture were discarded by PacketCapture.

2. Another way to check for MPLS is to filter the Wireshark capture for eth.type == 0x8847. Again, the packets encapsulated by MPLS are being discarded. This may be a good way to check Network Monitors that are only partially seeing traffic, to see if some of the packets are being encapsulated.
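
The same check can be scripted when a capture has to be assessed without the Wireshark GUI. The following is an added example, not part of the original article or the product: it reads a classic pcap file (not pcapng, an assumption; save the capture in pcap format first), applies the equivalent of eth.type == 0x8847 to each frame's outer EtherType, and reports the share of MPLS frames. The function names and the sample capture are constructed for illustration.

```python
import struct

MPLS_UNICAST = 0x8847  # EtherType used in the article's Wireshark filter

def mpls_share(pcap_bytes):
    """Return (mpls_frames, total_frames, percent) for classic-pcap bytes."""
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"  # little-endian file (microsecond or nanosecond stamps)
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"  # big-endian file
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    (linktype,) = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != 1:
        raise ValueError("capture link type is not Ethernet")
    offset, total, mpls = 24, 0, 0
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_frac, captured length, original length.
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])[2]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record, do not count it
        offset += 16 + incl_len
        total += 1
        # Outer EtherType sits at bytes 12-13 and is big-endian on the wire.
        if len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == MPLS_UNICAST:
            mpls += 1
    return mpls, total, (100.0 * mpls / total if total else 0.0)

def build_sample_pcap():
    """Constructed sample capture: three MPLS frames and one plain IPv4 frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ethertype in (0x8847, 0x8847, 0x0800, 0x8847):
        frame = (b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
                 + struct.pack("!H", ethertype) + b"\x00" * 46)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    mpls, total, pct = mpls_share(data)
    print(f"{mpls} of {total} frames ({pct:.2f}%) carry EtherType 0x8847")
```

A high percentage on a capture taken at the monitor's capture interface indicates that most of the traffic is being discarded before the Network Detection Server sees it.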

