
Study Guide: Packet Analysis and VPC Traffic Mirroring

Analyzing packets to identify issues in packet shaping (for example, VPC Traffic Mirroring)

Packet Analysis and VPC Traffic Mirroring

This study guide focuses on capturing and analyzing data at the packet level to resolve obscure network issues, optimize performance (packet shaping), and ensure security compliance within AWS environments.

Learning Objectives

  • Define the core components of VPC Traffic Mirroring (Source, Filter, Target, Session).
  • Explain how to use granular filtering to isolate specific traffic of interest.
  • Contrast VPC Traffic Mirroring with VPC Flow Logs for troubleshooting purposes.
  • Identify tools used for Deep Packet Inspection (DPI) such as Wireshark and tcpdump.
  • Analyze packet-level data to implement quality-of-service (QoS) and traffic shaping strategies.

Key Terms & Glossary

  • ENI (Elastic Network Interface): A logical networking component in a VPC that represents a virtual network card.
  • Traffic Mirror Source: The network interface (ENI) from which traffic is copied.
  • Traffic Mirror Target: The destination for mirrored traffic: an ENI, a Network Load Balancer with a UDP listener on port 4789, or a Gateway Load Balancer endpoint.
  • Promiscuous Mode: A configuration for a network interface that makes it accept all frames it sees, not only those addressed to its own MAC. It is what a SPAN or TAP capture needs; Traffic Mirroring does not need it, because mirrored packets are VXLAN datagrams addressed to the target itself.
  • PCAP (Packet Capture): A standard file format and API for capturing network traffic.
  • Packet Shaping: The practice of regulating network data transfer to ensure performance for higher-priority applications.

The "Big Idea"

While VPC Flow Logs provide the "Who, What, When" (metadata) of a connection, VPC Traffic Mirroring provides the "How" (content). To identify issues like packet corruption, subtle shaping errors, or malicious payloads, you must move beyond logs into full packet analysis. It is the difference between reading a phone bill (Flow Logs) and wiretapping the actual conversation (Traffic Mirroring).

Formula / Concept Box

Create the three objects in this order; the session references the other two.

| Configuration step | Description | Key requirement |
|---|---|---|
| 1. Create Target | Define where the copied packets go: an ENI, a Network Load Balancer with a UDP listener on 4789, or a Gateway Load Balancer endpoint. | The target must accept VXLAN on UDP port 4789, and the target's security group must allow inbound UDP 4789 from the mirror source. |
| 2. Create Filter | Define inbound and outbound rules that decide which packets are copied. | Each rule has a rule number, an accept or reject action, a protocol, source and destination CIDRs, and optional source and destination port ranges (the 5-tuple). Rules in each direction are evaluated in rule-number order and the first match applies; traffic matching no rule is not mirrored. |
| 3. Create Session | Bind a source ENI to a target through a filter. | Assign a session number; lower numbers are evaluated first when one ENI belongs to several sessions. Optionally set a VNI and a packet length that truncates each mirrored packet. |
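The filter semantics in step 2 (rule-number ordering, first match wins, no match means not mirrored, reject before accept) are easy to get wrong. The following is an added example written for this guide, not AWS code: a small evaluator that applies those semantics to a packet's 5-tuple. The `FilterRule`, `Packet`, `VOIP_RULES` and `DENY_FIRST_RULES` names, and the addresses used, are assumptions made for the example; the rule sets model the VoIP filter discussed later on this page and an "exclude one host, mirror the rest" pattern.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

# IANA protocol numbers, as used in the filter-rule protocol field
TCP, UDP = 6, 17
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class FilterRule:
    """One traffic-mirror filter rule (hypothetical model of the AWS fields)."""
    number: int                                   # rule number; lowest is evaluated first
    direction: str                                # "ingress" or "egress" relative to the source ENI
    action: str                                   # "accept" (copy) or "reject" (do not copy)
    src_cidr: str
    dst_cidr: str
    protocol: Optional[int] = None                # None = any protocol
    src_ports: Optional[Tuple[int, int]] = None   # inclusive range, None = any port
    dst_ports: Optional[Tuple[int, int]] = None


@dataclass(frozen=True)
class Packet:
    """The 5-tuple of a packet seen at the source ENI plus its direction."""
    direction: str
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int


def _port_ok(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def rule_matches(rule: FilterRule, pkt: Packet) -> bool:
    """Every populated field of the rule must match; unset fields match anything."""
    return (rule.direction == pkt.direction
            and (rule.protocol is None or rule.protocol == pkt.protocol)
            and ip_address(pkt.src_ip) in ip_network(rule.src_cidr)
            and ip_address(pkt.dst_ip) in ip_network(rule.dst_cidr)
            and _port_ok(pkt.src_port, rule.src_ports)
            and _port_ok(pkt.dst_port, rule.dst_ports))


def is_mirrored(rules: Iterable[FilterRule], pkt: Packet) -> bool:
    """Evaluate rules in ascending rule-number order; the first match decides.

    A packet that matches no rule at all is NOT mirrored, which is the usual
    surprise when a filter is created with reject rules only.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action == "accept"
    return False


# Constructed rule set for the VoIP example: copy only SIP signalling on UDP 5060.
VOIP_RULES = [
    FilterRule(100, "ingress", "accept", ANY, ANY, protocol=UDP, dst_ports=(5060, 5060)),
    FilterRule(100, "egress", "accept", ANY, ANY, protocol=UDP, src_ports=(5060, 5060)),
]

# Constructed rule set: exclude one noisy host first, then mirror everything else inbound.
DENY_FIRST_RULES = [
    FilterRule(10, "ingress", "reject", "10.0.0.5/32", ANY),
    FilterRule(100, "ingress", "accept", ANY, ANY),
]


if __name__ == "__main__":
    sip_in = Packet("ingress", "203.0.113.7", "10.0.1.10", UDP, 5060, 5060)
    https_in = Packet("ingress", "203.0.113.7", "10.0.1.10", TCP, 40000, 443)
    print("SIP inbound mirrored:", is_mirrored(VOIP_RULES, sip_in))
    print("HTTPS inbound mirrored:", is_mirrored(VOIP_RULES, https_in))
```

Note that the reject rule in `DENY_FIRST_RULES` only works because its rule number is lower than the accept rule's; swap the numbers and the broad accept matches first and the exclusion never fires.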

[!IMPORTANT] Mirrored packets arrive at the target as VXLAN datagrams on UDP port 4789, with the original frame carried intact inside. Wireshark and tcpdump both decode VXLAN on that port by default and display the inner packet nested beneath the outer Ethernet, IP, UDP and VXLAN headers; a tool that does not understand VXLAN must strip those outer headers before it can see the original payload. When filtering, keep in mind that the outer addresses are the mirror source and target, not the endpoints you are troubleshooting.
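To make the encapsulation concrete, here is an added example written for this guide (not AWS or Wireshark code) that builds one constructed mirrored frame and then decapsulates it the way a VXLAN-aware tool would: it checks the outer UDP destination port, reads the VNI, and returns the untouched inner frame. The MAC and IP addresses, the VNI value 1234, and the HTTP payload are all constructed for the example; the byte layout (14-byte Ethernet, 20-byte IPv4, 8-byte UDP, 8-byte VXLAN) is the standard one.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

VXLAN_PORT = 4789
ETH_LEN, IPV4_LEN, UDP_LEN, VXLAN_LEN, FCS_LEN = 14, 20, 8, 8, 4
HEADER_OVERHEAD = ETH_LEN + IPV4_LEN + UDP_LEN + VXLAN_LEN   # 50 bytes visible in a capture
WIRE_OVERHEAD = HEADER_OVERHEAD + FCS_LEN                     # 54 bytes once the Ethernet FCS is counted


@dataclass(frozen=True)
class Decapsulated:
    vni: int
    outer_src: str       # address of the mirror source ENI
    outer_dst: str       # address of the mirror target
    inner_frame: bytes   # the original Ethernet frame, byte for byte


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _parse_ipv4(buf: bytes, off: int) -> Tuple[int, int, str, str]:
    """Return (header_len, protocol, src, dst) for the IPv4 header starting at off."""
    ihl = (buf[off] & 0x0F) * 4
    return ihl, buf[off + 9], _ip_str(buf[off + 12:off + 16]), _ip_str(buf[off + 16:off + 20])


def decapsulate(frame: bytes) -> Decapsulated:
    """Strip the outer Ethernet/IPv4/UDP/VXLAN headers and return the mirrored frame plus its VNI."""
    if len(frame) < HEADER_OVERHEAD:
        raise ValueError("frame too short to carry VXLAN")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl, proto, src, dst = _parse_ipv4(frame, ETH_LEN)
    if proto != 17:
        raise ValueError("outer packet is not UDP")
    udp_off = ETH_LEN + ihl
    _, dst_port, udp_len = struct.unpack("!HHH", frame[udp_off:udp_off + 6])
    if dst_port != VXLAN_PORT:
        raise ValueError(f"UDP destination port {dst_port} is not VXLAN")
    vx_off = udp_off + UDP_LEN
    if not frame[vx_off] & 0x08:                  # VXLAN "I" flag: VNI field is valid
        raise ValueError("VXLAN VNI flag not set")
    vni = int.from_bytes(frame[vx_off + 4:vx_off + 7], "big")
    inner = frame[vx_off + VXLAN_LEN:udp_off + udp_len]   # UDP length covers header + payload
    return Decapsulated(vni, src, dst, inner)


def inner_five_tuple(inner: bytes) -> Tuple[str, str, int, int, int]:
    """(src, dst, protocol, sport, dport) of the mirrored packet; TCP and UDP both begin with the ports."""
    ihl, proto, src, dst = _parse_ipv4(inner, ETH_LEN)
    sport, dport = struct.unpack("!HH", inner[ETH_LEN + ihl:ETH_LEN + ihl + 4])
    return src, dst, proto, sport, dport


# --- constructed sample: one mirrored HTTPS request, not a real capture ---
def _eth(dst: bytes, src: bytes) -> bytes:
    return dst + src + struct.pack("!H", 0x0800)


def _ipv4(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_LEN + payload_len, 0, 0, 64, proto, 0, src, dst)


def build_sample() -> Tuple[bytes, bytes]:
    """Return (frame as delivered to the mirror target, original inner frame)."""
    payload = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1000, 1, 5 << 4, 0x18, 65535, 0, 0)
    inner = (_eth(b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x01")
             + _ipv4(bytes([10, 0, 1, 10]), bytes([10, 0, 2, 20]), 6, len(tcp) + len(payload))
             + tcp + payload)
    vxlan = bytes([0x08, 0, 0, 0]) + (1234).to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, UDP_LEN + len(vxlan) + len(inner), 0)
    outer = (_eth(b"\x02\x00\x00\x00\x00\xbb", b"\x02\x00\x00\x00\x00\xaa")
             + _ipv4(bytes([10, 0, 1, 10]), bytes([10, 0, 9, 9]), 17, len(udp) + len(vxlan) + len(inner))
             + udp + vxlan + inner)
    return outer, inner


if __name__ == "__main__":
    outer, inner = build_sample()
    d = decapsulate(outer)
    print(f"VNI {d.vni}: {d.outer_src} -> {d.outer_dst}, overhead {len(outer) - len(inner)} bytes")
    print("inner 5-tuple:", inner_five_tuple(d.inner_frame))
```

The difference between the 50 header bytes a capture shows and the 54 bytes quoted in the MTU guidance is the Ethernet frame check sequence, which the NIC strips before the packet reaches your capture tool. Note also that `decapsulate` refuses a frame that is not UDP/4789 rather than guessing, which is the right behaviour for anything that ingests untrusted mirrored traffic.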

Hierarchical Outline

  1. Packet Capture Mechanisms
    • VPC Traffic Mirroring: Native AWS service that copies the frames entering and leaving an ENI and delivers them, VXLAN-encapsulated, to a target.
    • Transit Gateway Network Manager: Not a packet capture tool; it reports global network health metrics such as latency and packet loss, which tell you where to point a mirror session rather than what is in the packets.
  2. Traffic Analysis Workflow
    • Capture: Mirroring traffic to a dedicated EC2 instance.
    • Ingestion: Receiving the VXLAN datagrams on UDP 4789 at the target (security group permitting). Promiscuous mode is not required, because each mirrored packet is addressed to the target ENI itself.
    • Inspection: Using Wireshark or tcpdump to view headers and payloads.
  3. Troubleshooting & Optimization
    • Identifying Issues: Detecting dropped, delayed, or modified packets.
    • Corrective Action: Implementing QoS to prioritize delay-sensitive traffic (e.g., Voice over IP).
    • Security: Detecting malware, unauthorized access, and data breaches.

Visual Anchors

Traffic Mirroring Architecture: [diagram not included in this page]

Packet Encapsulation Concept: [diagram not included in this page]

Definition-Example Pairs

  • Traffic Mirror Filter: A set of rules that determine which traffic is sent to the target.
    • Example: Creating a filter that only captures UDP traffic on port 5060 to troubleshoot a VoIP connectivity issue while ignoring heavy background HTTPS traffic.
  • Packet Shaping Issues: Inefficiencies or errors in how traffic is prioritized.
    • Example: Identifying that critical database replication traffic is being throttled by a misconfigured rate limit, causing high application latency.
  • Deep Packet Inspection (DPI): Analyzing the data part (and headers) of a packet as it passes an inspection point.
    • Example: Using Wireshark to find a specific error code inside an application-layer header that isn't visible in standard VPC Flow Logs.

Worked Examples

Scenario: Troubleshooting Application Latency

Problem: A web application is experiencing intermittent 504 Gateway Timeouts. Reachability Analyzer shows the path is open, but performance remains poor.

  1. Setup: Launch a dedicated capture instance (for example a C5) running tcpdump or Wireshark, register its ENI as the Traffic Mirror Target, and allow inbound UDP 4789 from the web server's ENI in the capture instance's security group.
  2. Filter: Create a filter with an inbound rule accepting TCP destination port 443 and an outbound rule accepting TCP source port 443, with 0.0.0.0/0 in both CIDR fields, so that only HTTPS traffic is copied and the capture stays small.
  3. Session: Create a Mirror Session that binds the web server's ENI (the source) to the target through that filter.
  4. Analysis: Open the capture in Wireshark; it decodes the VXLAN wrapper automatically. Filter by tcp.analysis.retransmission and tcp.analysis.duplicate_ack.
  5. Discovery: You notice a high volume of TCP retransmissions and duplicate ACKs concentrated on connections to one downstream microservice.
  6. Resolution: Align the MTU on the microservice's network interface with the rest of the path. A mismatch (for example 9001 on one side and 1500 on the other without working Path MTU Discovery) causes the largest segments to be dropped or fragmented and retransmitted; removing that loss restores a steady flow, which is the "shaping" outcome the exam objective refers to.
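Step 4 relies on Wireshark's retransmission and duplicate-ACK heuristics. The following added example, written for this guide and not taken from Wireshark or AWS, reimplements a simplified version of those two checks over decoded TCP segments and then attributes the counts to the sending host, which is what turns a capture into "the problem is the microservice" in step 5. The `Segment` model, the addresses 10.0.1.10 (web server) and 10.0.2.20 (microservice), and the segment sequence are all constructed for the example; real input would come from a decoded capture.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment as read from a decoded capture (hypothetical field set)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload_len: int


def analyze(segments: Iterable[Segment]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Count retransmissions and duplicate ACKs per sending host.

    Retransmission (simplified tcp.analysis.retransmission): a data-carrying
    segment whose sequence number is below the highest seq+len already seen on
    that flow. Duplicate ACK (simplified tcp.analysis.duplicate_ack): a
    data-less segment that repeats the previous ACK number on that flow.
    """
    next_seq: Dict[tuple, int] = {}          # flow -> highest seq + payload_len seen
    last_ack: Dict[tuple, int] = {}          # flow -> ACK number of the previous pure ACK
    retrans: Dict[str, int] = defaultdict(int)
    dupack: Dict[str, int] = defaultdict(int)
    for s in sorted(segments, key=lambda x: x.ts):
        flow = (s.src, s.sport, s.dst, s.dport)
        if s.payload_len > 0:
            expected: Optional[int] = next_seq.get(flow)
            if expected is not None and s.seq < expected:
                retrans[s.src] += 1
            next_seq[flow] = max(expected or 0, s.seq + s.payload_len)
        else:
            if last_ack.get(flow) == s.ack:
                dupack[s.src] += 1
            last_ack[flow] = s.ack
    return dict(retrans), dict(dupack)


def worst_sender(counts: Dict[str, int]) -> Optional[str]:
    """Host with the most flagged segments, or None if nothing was flagged."""
    return max(counts, key=counts.get) if counts else None


WEB, SVC = "10.0.1.10", "10.0.2.20"

# Constructed capture: the microservice sends three full segments, the web server
# keeps acknowledging 2400 (the second segment never arrived), and the
# microservice retransmits it twice before the connection recovers.
SAMPLE_SEGMENTS = [
    Segment(0.000, SVC, 443, WEB, 51000, seq=1000, ack=1, payload_len=1400),
    Segment(0.001, SVC, 443, WEB, 51000, seq=2400, ack=1, payload_len=1400),
    Segment(0.002, SVC, 443, WEB, 51000, seq=3800, ack=1, payload_len=1400),
    Segment(0.010, WEB, 51000, SVC, 443, seq=1, ack=2400, payload_len=0),
    Segment(0.011, WEB, 51000, SVC, 443, seq=1, ack=2400, payload_len=0),   # dup ACK 1
    Segment(0.012, WEB, 51000, SVC, 443, seq=1, ack=2400, payload_len=0),   # dup ACK 2
    Segment(0.020, SVC, 443, WEB, 51000, seq=2400, ack=1, payload_len=1400),  # retransmission
    Segment(0.250, SVC, 443, WEB, 51000, seq=2400, ack=1, payload_len=1400),  # retransmission (RTO)
    Segment(0.260, WEB, 51000, SVC, 443, seq=1, ack=5200, payload_len=0),
]


def analyze_sample() -> Tuple[Dict[str, int], Dict[str, int]]:
    return analyze(SAMPLE_SEGMENTS)


if __name__ == "__main__":
    retrans, dupack = analyze_sample()
    print("retransmissions by sender:", retrans)
    print("duplicate ACKs by sender:", dupack)
    print("retransmitting host:", worst_sender(retrans))
```

The point of attributing counts to the sender is that retransmissions come from the host whose segments were lost, while duplicate ACKs come from the host that noticed the gap; reading both together tells you which direction of the path is dropping packets before you start changing MTUs.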

Checkpoint Questions

  1. What is the main difference between VPC Flow Logs and VPC Traffic Mirroring?
  2. Which UDP port is used by AWS to encapsulate mirrored traffic?
  3. Does a Traffic Mirror Target instance need its interface in promiscuous mode?
  4. How can packet analysis help in implementing Quality of Service (QoS)?
Answers
  1. Flow Logs provide metadata (logs); Traffic Mirroring provides actual packet content (payload).
  2. UDP Port 4789 (VXLAN).
  3. No. Mirrored packets are VXLAN datagrams addressed to the target ENI's own IP on UDP 4789, so the kernel delivers them through the normal path and the capture tool only needs to listen on that interface. Promiscuous mode is for SPAN or TAP captures, where the frames are addressed to other hosts.
  4. By identifying which traffic is delay-sensitive (like voice) vs. non-critical (like backups) so priority rules can be applied.

Muddy Points & Cross-Refs

  • VXLAN Overhead: Encapsulation adds 54 bytes to every mirrored packet (14-byte Ethernet, 20-byte IPv4, 8-byte UDP and 8-byte VXLAN headers, plus the 4-byte frame check sequence). A mirrored packet larger than the target's MTU minus 54 bytes is truncated, so a full 1500-byte source packet sent to a 1500-byte target arrives with its tail missing. Give the target a larger MTU (jumbo frames up to 9001 are supported inside a VPC), or set the session's packet length deliberately if you only need headers.
  • Cost vs. Visibility: Traffic Mirroring can be expensive due to data transfer and compute costs for analysis. Use VPC Flow Logs first, and only move to Mirroring for deep-dive troubleshooting.
  • Cross-Ref: See Reachability Analyzer for path-level connectivity vs. Traffic Mirroring for packet-level content.

Comparison Tables

VPC Flow Logs vs. VPC Traffic Mirroring

| Feature | VPC Flow Logs | VPC Traffic Mirroring |
|---|---|---|
| Data type | Metadata (5-tuple, bytes, packets, accept/reject action) | Full packet capture (L2-L7), delivered VXLAN-encapsulated |
| Use case | Traffic auditing, security group and NACL troubleshooting, baselining | Deep packet inspection, protocol troubleshooting, QoS tuning, intrusion detection |
| Performance impact | None on the data path (collected out of band) | Mirrored traffic counts against the source instance's bandwidth; under congestion AWS drops mirrored packets before production traffic, so captures can be incomplete |
| Tooling | CloudWatch Logs, S3, Athena | Wireshark, tcpdump, Suricata |
| Granularity | Per flow, aggregated over the capture window (1 or 10 minutes) | Per packet, delivered in near real time |
