
nGenius Packet Flow eXtender (PFX) v6.x Reference
73 3-13 38 Rev. B

March 5, 2020

NETSCOUT SYSTEMS, Inc.


Westford, MA 01886
Telephone: 978.614.4000
Fax: 978.614.4004

Web: http://www.netscout.com
Use of this product is subject to the End User License Agreement available at http://www.NetScout.com/legal/terms-and-conditions or
which accompanies the product at the time of shipment or, if applicable, the legal agreement executed by and between NetScout Systems,
Inc. or one of its wholly-owned subsidiaries ("NETSCOUT") and the purchaser of this product ("Agreement").

Government Use and Notice of Restricted Rights: In U.S. government ("Government") contracts or subcontracts, Customer will provide
that the Products and Documentation, including any technical data (collectively "Materials"), sold or delivered pursuant to this Agreement
for Government use are commercial as defined in Federal Acquisition Regulation ("FAR") 2.101 and any supplement and further are
provided with RESTRICTED RIGHTS. All Materials were fully developed at private expense. Use, duplication, release, modification, transfer,
or disclosure ("Use") of the Materials is restricted by the terms of this Agreement and further restricted in accordance with FAR 52.227-14
for civilian Government agency purposes and 252.227-7015 of the Defense Federal Acquisition Regulations Supplement ("DFARS") for
military Government agency purposes, or the similar acquisition regulations of other applicable Government organizations, as applicable
and amended. The Use of Materials is restricted by the terms of this Agreement, and, in accordance with DFARS Section 227.7202 and FAR
Section 12.212, is further restricted in accordance with the terms of NETSCOUT'S commercial End User License Agreement. All other Use
is prohibited, except as described herein.

This Product may contain third-party technology. NETSCOUT may license such third-party technology and documentation ("Third-Party
Materials") for use with the Product only. In the event the Product contains Third-Party Materials, or in the event you have the option to
use the Product in conjunction with Third-Party Materials (as identified by NETSCOUT in the
Documentation provided with this Product), then such third-party materials are provided or accessible subject to the applicable third-
party terms and conditions contained either in the "Read Me" or "About" file located in the Software or on an Application CD provided
with this Product, or in an appendix located in the documentation provided with this Product. To the extent the Product includes Third-
Party Materials licensed to NETSCOUT by third parties, those third parties are third-party beneficiaries of, and may enforce, the applicable
provisions of such third-party terms and conditions.

Open-Source Software Acknowledgment: This product may incorporate open-source components that are governed by the GNU General
Public License ("GPL") or licenses that are compatible with the GPL license ("GPL Compatible License"). In accordance with the terms of
the GNU GPL, NETSCOUT will make available a complete, machine-readable copy of the source code components of this product covered
by the GPL or applicable GPL Compatible License, if any, upon receipt of a written request. Please identify the product and send a request
to:
NETSCOUT Systems, Inc.
GNU GPL Source Code Request
310 Littleton Road
Westford, MA 01886
Attn: Legal Department

To the extent applicable, the following information is provided for FCC compliance of Class A devices:
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules.
These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a
commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in
accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in
a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own
expense.
Modifications to this product not authorized by NETSCOUT could void the FCC approval and terminate your authority to operate the
product. Please also see NETSCOUT's Compliance and Safety Warnings for NetScout Hardware Products document, which can be
found in the documents accompanying the equipment, or in the event such document is not included with the product, please see
the compliance and safety warning section of the user guides and installation manuals.

No portion of this document may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine form
without prior consent in writing from NETSCOUT. The information in this document is subject to change without notice and does not
represent a commitment on the part of NETSCOUT.

The products and specifications, configurations, and other technical information regarding the products described or referenced in this
document are subject to change without notice and NETSCOUT reserves the right, at its sole discretion, to make changes at any time in
its technical information, specifications, service, and support programs. All statements, technical information, and recommendations
contained in this document are believed to be accurate and reliable but are presented "as is" without warranty of any kind, express or
implied. You must take full responsibility for their application of any products specified in this document. NETSCOUT makes no implied
warranties of merchantability or fitness for a purpose as a result of this document or the information described or referenced within, and
all other warranties, express or implied, are excluded.

Except where otherwise indicated, the information contained in this document represents the planned capabilities and intended
functionality offered by the product and version number identified on the front of this document. Screen images depicted in this
document are representative and intended to serve as example images only.

Copyright 2020 NETSCOUT SYSTEMS, Inc. All rights reserved.

Contacting NETSCOUT SYSTEMS
Customer Support
The best way to contact Customer Support is to submit a Support Request:
https://my.netscout.com/mcp/Pages/default.aspx

Telephone: In the US, call 888-357-7667; outside the US, call +011 978-614-4000. Phone support
hours are 8 a.m. to 8 p.m. Eastern Standard Time (EST).

E-mail: support@netscout.com

When you contact Customer Support, the following information can be helpful in diagnosing
and solving problems:
— Type of network platform
— Software and firmware versions
— Hardware model number
— License number and your organization’s name
— The text of any error messages
— Supporting screen images, logs, and error files, as appropriate
— A detailed description of the problem

Sales
Call 800-357-7666 for the sales office nearest your location.

Training
Course listings and information on product certification are available at:
http://www.netscout.com/training

Contents
Introduction
Product Overview
    Packet Deduplication Feature
    IP Tunnel Termination Feature
    Tunnel Header Stripping Feature
    Slicing Feature
    Masking Feature
    Encryption Detection Feature
    NetFlow Generation Feature
System Requirements
    Data Source Requirements
    Software and Console Compatibility
    Modes Supported
Enabling PFX Capability on Data Sources
PFX Feature Configuration
    General PFX Setup
    Enabling/Disabling PFX Mode on an Interface
    Configuring Packet Deduplication
    Configuring IP Tunnel Termination
    Configuring Tunnel Header Stripping
    Configuring Packet Slicing
    Configuring Packet Masking
    Configuring Encryption Detection
    Configuring NetFlow Generation

nGenius Packet Flow eXtender (PFX)
v6.x Reference

Introduction
This document describes the features, setup, and known issues (if applicable) when configuring
nGenius® Packet Flow eXtender (PFX) interfaces on InfiniStreamNG appliances running a v6.x
release from NETSCOUT® SYSTEMS. NETSCOUT strongly recommends that you read this
document in its entirety, as well as the following documentation that it supplements:
• InfiniStream Hardware Appliance Administrator Guide
• InfiniStreamNG Qualified COTS Software Appliance Administrator Guide
• Agent Configuration Utility for CDM/ASI Administrator Guide

These and other documents as well as any updates to this document are available on the
My.NETSCOUT.com website:
https://my.netscout.com/mcp/AddlDocs/Pages/Technical-Documentation.aspx

Refer to the following sections for details:


• "Product Overview" on page 2
• "System Requirements" on page 7
• "Enabling PFX Capability on Data Sources" on page 8
• "PFX Feature Configuration" on page 10



Product Overview
nGenius Packet Flow eXtender (PFX) is a software application enabling expert packet conditioning
for service assurance and cyber security monitoring. The solution is built on the NETSCOUT
InfiniStreamNG (ISNG) hardware platforms and framework, leveraging patented technologies. The
v6.x release supports the following nGenius PFX features:
• Packet deduplication
• IP tunnel termination
• Tunnel header stripping
• Slicing
• Masking
• NetFlow generation
• Encryption detection

Packet Deduplication Feature


Packet deduplication technology removes duplicated packets from network traffic forwarded to
monitoring, analyzing, and recording tools. When accessing data from networks, duplicate packets
are often captured and aggregated together. Without identifying and removing duplicate packets
first, monitoring tools alarm on the duplicates or produce compromised data and results.
The PFX interface deduplication capability removes packet duplicates and provides a substantial
reduction in the volume of traffic forwarded to monitoring tools. The packet deduplication feature
increases tool efficiency, reduces errors on the monitoring tool, and closes security holes resulting
from false positives or false negatives. This feature possesses the following key capabilities:
• Selective packet deduplication criteria at L2 and L3 layers, including Ethernet frames, IP
headers, and VLAN IDs (both outer and inner)
• Fixed deduplication window size of 1 second
• Ability to discard all subsequent duplicates of any packet
• Presentation of metrics associated with duplicate packets
To enable and configure packet deduplication on a PFX interface, perform the steps in "Configuring
Packet Deduplication" on page 19.
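
The deduplication behaviour described above, sketched in Python as an added example (not NETSCOUT code). It assumes frames arrive without an FCS and in timestamp order, that the 1-second window starts at the copy that was forwarded, and that the selective criteria reduce to two hypothetical switches, ignore_mac and ignore_vlan; this document does not list the appliance's actual comparison fields.

```python
import hashlib
from collections import deque

WINDOW_SECONDS = 1.0                 # fixed window size stated in this document
VLAN_TPIDS = (0x8100, 0x88A8)


def dedup_key(frame, ignore_mac=False, ignore_vlan=False):
    """Digest of the frame parts that take part in the duplicate comparison."""
    macs, rest, tags = frame[:12], frame[12:], b""
    # Peel VLAN tags (TPID + TCI, 4 bytes each) so they can be compared or ignored.
    while len(rest) >= 4 and int.from_bytes(rest[:2], "big") in VLAN_TPIDS:
        tags, rest = tags + rest[:4], rest[4:]
    digest = hashlib.sha256()
    for part in (b"" if ignore_mac else macs, b"" if ignore_vlan else tags, rest):
        digest.update(len(part).to_bytes(4, "big") + part)   # length prefix keeps fields apart
    return digest.digest()


class Deduplicator:
    """Forward the first copy of a frame, drop every later copy seen inside the window."""

    def __init__(self, **criteria):
        self.criteria = criteria
        self.seen = set()            # keys of frames forwarded within the window
        self.order = deque()         # (timestamp, key), oldest first, for cheap expiry
        self.forwarded = 0
        self.dropped = 0             # the duplicate-packet metric

    def offer(self, ts, frame):
        """Return True to forward the frame, False if it is a duplicate (ts never decreases)."""
        while self.order and ts - self.order[0][0] >= WINDOW_SECONDS:
            self.seen.discard(self.order.popleft()[1])
        key = dedup_key(frame, **self.criteria)
        if key in self.seen:
            self.dropped += 1
            return False
        self.seen.add(key)
        self.order.append((ts, key))
        self.forwarded += 1
        return True


# Constructed sample: one packet seen untagged at a TAP and again with VLAN 100 on a SPAN port.
MACS = bytes.fromhex("020000000001020000000002")
BODY = b"\x08\x00" + b"constructed stand-in for an IP packet"
UNTAGGED = MACS + BODY
TAGGED = MACS + b"\x81\x00\x00\x64" + BODY


def run_demo(**criteria):
    """Replay four constructed arrivals and return (decisions, forwarded, dropped)."""
    dedup = Deduplicator(**criteria)
    arrivals = [(0.0, UNTAGGED), (0.0004, TAGGED), (0.5, UNTAGGED), (1.5, UNTAGGED)]
    decisions = [dedup.offer(ts, frame) for ts, frame in arrivals]
    return decisions, dedup.forwarded, dedup.dropped


if __name__ == "__main__":
    print("VLAN ignored :", run_demo(ignore_vlan=True))
    print("exact compare:", run_demo())
```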

IP Tunnel Termination Feature


SPAN ports or TAPs are typically used to capture a mirrored copy of network traffic and feed it to
a monitoring tool. In situations where these methods are not possible, a tunneling method can be
used to carry mirrored traffic to a packet broker or directly to the monitoring device. One of the
most common methods is Generic Routing Encapsulation (GRE) tunneling protocol, which
encapsulates a wide variety of network layer protocols inside virtual point-to-point links over an
IP network.
GRE was developed for various generic applications, including mobile core networks and virtual
mirror port forwarding (such as NVGRE and ERSPAN). A monitoring tool not specifically designed
for handling GRE tunnel termination cannot receive GRE and account for the added tunnel
headers, resulting in inaccurate traffic analysis. An InfiniStreamNG PFX interface addresses this
problem by terminating GRE tunnels and stripping any encapsulations from the tunneled traffic.

IP Tunnel termination allows the PFX interface to perform encapsulated forwarding of mirrored
traffic. As a destination endpoint, designated interfaces on the PFX receive traffic from one or more
remote mirroring source ports. A remote mirroring source port captures, encapsulates, and
transmits the traffic to a destination port over a local area network. The traffic is typically
encapsulated in GRE (using IP as its transport) and routed across a Layer 3 network between the
source node and the destination node. Acting as an IP endpoint, each defined PFX interface
responds to ARP messages so that upstream switches and routers can forward the tunneled traffic
to the PFX interface.
To enable and configure IP tunnel termination on a PFX interface, perform the steps in
"Configuring IP Tunnel Termination" on page 20.

Tunnel Header Stripping Feature


Most network monitoring, analysis, and security tools are typically either unable to handle or have
limitations handling packets containing certain tunneling or encapsulation protocols. Additionally,
the presence of such protocols can restrict the ability to apply filtering and flow-based load
balancing to the traffic as it is forwarded to monitoring tools. To address these challenges, a PFX
interface introduces features for de-encapsulating or stripping protocols from tunneled traffic.
To enable and configure tunnel header stripping on PFX interfaces, perform the steps in
"Configuring Tunnel Header Stripping" on page 21.

GRE De-Encapsulation
Encapsulation in GRE means that a packet's content, inside the layer 2 header, is encapsulated
inside new layer 2 (MAC), layer 3 (IP), and optionally layer 4 (usually UDP) headers. These new
headers represent the two main network nodes that the GRE tunnels have been established
between, and do not bear any direct relation to the actual user as seen in the layer 3 and layer 4
headers inside the GRE encapsulation. GRE de-encapsulation removes the outer IP and optional
UDP headers as well as the GRE header, restoring the packet to its condition prior to GRE
encapsulation, except that it retains the same MAC header as the encapsulated packet. Now
filtering and load balancing can be performed on the user session's layer 3 and layer 4 headers
and beyond without difficulty.

MPLS Label Stripping and De-encapsulation


MPLS labeling or encapsulation in MPLS means that a packet's content, inside the layer 2 header,
is encapsulated inside one or more MPLS labels (headers). These labels are used to differentiate
this traffic flow from other flows for quality of service (QoS) control, VPN, and other routing
purposes, and do not bear any direct relationship to the encapsulated flows themselves. The
reason for multiple MPLS labels is that when traffic from one network (which uses MPLS labeling)
traverses another network (which also uses MPLS labeling) it needs the nested labels to
successfully navigate those networks. Stripping, or de-encapsulation, removes all MPLS labels
from each packet, including single labels, double-stacked, and n-stacked labels.

VLAN/VNTAG Stripping
With the VLAN/VNTAG header stripping mode configured on a PFX interface, the InfiniStreamNG
appliance will remove the following header fields from tagged packets:
• For packets with a VNTAG: the tag protocol identifier (TPID) and tag value are stripped
out and the packet CRC is recalculated
• For packets with one or more VLAN tags (Ethernet type 0x8100 or 0x88A8): the VLAN
numbers, TPIDs, and tag values are stripped out and the packet CRC is recalculated
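
An added Python example (not NETSCOUT code) of the GRE, MPLS, and VLAN stripping described in the three sections above, keeping the outer MAC addresses as the GRE section states. Assumptions: frames carry no FCS, the optional UDP layer is GRE-in-UDP on port 4754 (RFC 8086), the payload type under MPLS is inferred from the IP version nibble, and VNTAG is not handled.

```python
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
VLAN_TPIDS = (0x8100, 0x88A8)     # the VLAN Ethernet types named in this document
MPLS_TYPES = (0x8847, 0x8848)     # MPLS unicast and multicast
GRE_TEB = 0x6558                  # GRE carrying a whole inner Ethernet frame: not handled here
IPPROTO_UDP, IPPROTO_GRE = 17, 47
GRE_IN_UDP_PORT = 4754            # RFC 8086; assumed for the "optional layer 4" case


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def _strip_vlan(etype, p):
    if etype in VLAN_TPIDS and len(p) >= 4:
        return _u16(p, 2), p[4:]              # drop TPID + TCI, expose the next type field
    return None


def _strip_mpls(etype, p):
    if etype not in MPLS_TYPES:
        return None
    off = 0
    while True:                               # walk the label stack, any depth
        if len(p) < off + 5:
            return None                       # truncated stack or no payload: leave untouched
        bottom = p[off + 2] & 0x01            # S bit marks the last label
        off += 4
        if bottom:
            break
    # MPLS has no payload-type field; infer it from the IP version nibble.
    inner = {4: ETH_IPV4, 6: ETH_IPV6}.get(p[off] >> 4)
    return (inner, p[off:]) if inner else None


def _strip_gre(etype, p):
    if etype != ETH_IPV4 or len(p) < 20 or p[0] >> 4 != 4:
        return None
    off, proto = (p[0] & 0x0F) * 4, p[9]
    if off < 20 or _u16(p, 6) & 0x3FFF:       # bad IHL, or a fragment (MF set / offset != 0)
        return None
    if proto == IPPROTO_UDP:
        if len(p) < off + 8 or _u16(p, off + 2) != GRE_IN_UDP_PORT:
            return None
        off += 8
    elif proto != IPPROTO_GRE:
        return None
    if len(p) < off + 4:
        return None
    flags, inner = struct.unpack_from("!HH", p, off)
    if flags & 0x4007 or inner == GRE_TEB:    # routing bit, non-zero version, or bridged frame
        return None
    off += 4 + 4 * bin(flags & 0xB000).count("1")   # checksum, key, sequence: 4 bytes each
    return (inner, p[off:]) if len(p) >= off else None


def strip_headers(frame):
    """Remove VLAN tags, MPLS labels and GRE encapsulation; keep the outer MAC addresses."""
    if len(frame) < 14:
        return frame
    macs, etype, payload = frame[:12], _u16(frame, 12), frame[14:]
    while True:
        for layer in (_strip_vlan, _strip_mpls, _strip_gre):
            result = layer(etype, payload)
            if result:
                etype, payload = result
                break
        else:                                 # no layer matched: nothing left to strip
            return macs + struct.pack("!H", etype) + payload


def build_ipv4(proto, src, dst, payload):
    """Constructed IPv4 header (DF set, checksum left 0 because nothing is transmitted)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                       bytes(src), bytes(dst)) + payload


# Constructed samples: VLAN 100 / one MPLS label / IPv4 / GRE with key / inner IPv4 + UDP,
# and the same inner packet carried as GRE-in-UDP.
MACS = bytes.fromhex("020000000001020000000002")
INNER = build_ipv4(17, (192, 0, 2, 10), (198, 51, 100, 20),
                   b"\x30\x39\x00\x35\x00\x0c\x00\x00" + b"demo")
GRE = struct.pack("!HHI", 0x2000, ETH_IPV4, 42)          # K bit set, key 42
OUTER = build_ipv4(IPPROTO_GRE, (10, 0, 0, 1), (10, 0, 0, 2), GRE + INNER)
SAMPLE = MACS + b"\x81\x00\x00\x64" + b"\x88\x47" + b"\x00\x01\x01\x40" + OUTER
UDP_GRE = struct.pack("!HHHHHH", 50000, GRE_IN_UDP_PORT, 12 + len(INNER), 0, 0, ETH_IPV4)
SAMPLE_UDP = MACS + b"\x08\x00" + build_ipv4(IPPROTO_UDP, (10, 0, 0, 1), (10, 0, 0, 2),
                                             UDP_GRE + INNER)

if __name__ == "__main__":
    stripped = strip_headers(SAMPLE)
    print(len(SAMPLE), "->", len(stripped), stripped == MACS + b"\x08\x00" + INNER)
```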



MAC Routing Tunnel Stripping
PFX interfaces support Layer 2 header stripping for a variety of MAC address-based tunnel
protocols, including:
• TRILL (TRansparent Interconnection of Lots of Links) with an Ethernet type of 0x22F3
• Cisco FabricPath with an Ethernet type of 0x8903

MAC-in-MAC Header Stripping


MAC-in-MAC protocol is also known as Provider Backbone Bridge (PBB) routing. This protocol
applies an outer Ethernet header (Ethernet type 0x88E7) which encapsulates the original Ethernet
frame. When MAC-in-MAC header stripping is enabled on a PFX interface, the appliance strips the
outer Ethernet header and recalculates a new frame check sequence (FCS). If there is a VLAN tag
associated with the PBB Ethernet type it will also be removed.

Generic Header Stripping


To provide maximum flexibility, the nGenius PFX offers a Generic header stripping feature which
can be applied to all packets, regardless of protocol (any Ethernet type). When configuring this
feature, you simply specify an offset location (byte 0-1518) to begin stripping the header and the
length of header to strip (1-1518 bytes). No additional PFX feature processing is performed on the
packets after this generic header stripping is applied and this feature takes precedence over any
previously configured header stripping.

Slicing Feature
PFX interfaces on InfiniStreamNG appliances support conditional packet slicing based on one of
two packet matching criteria:
• Based on Ethernet type using the hexadecimal IANA values at
https://www.iana.org/assignments/ieee-802-numbers/ieee-802-numbers.xhtml
• Based on IP protocol using the decimal IANA values at
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml (for
example, for UDP use 17, for TCP use 6, etc).
Multiple slicing configurations can be defined and applied to each PFX interface. For each
matching criteria (Ethernet type or IP protocol) you can specify a different slice length. To enable
and configure packet slicing on PFX interfaces, perform the steps in "Configuring Packet Slicing" on
page 22.

Masking Feature
Similar to the packet slicing feature, PFX interfaces on InfiniStreamNG appliances support
conditional packet masking based on one of two packet matching criteria:
• Based on Ethernet type using the hexadecimal IANA values at
https://www.iana.org/assignments/ieee-802-numbers/ieee-802-numbers.xhtml
• Based on IP protocol using the decimal IANA values at
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
Multiple masking configurations can be defined and applied to each PFX interface, each with their
own matching criteria, offset location to begin masking and mask length. You can also customize
the masking character applied to all masks configured on that interface (default mask is “X”, ASCII
code 0x58).
To enable and configure packet masking on PFX interfaces, perform the steps in "Configuring
Packet Masking" on page 23.
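
Conditional masking and slicing as an added Python example (not NETSCOUT code), using the two match criteria and the default mask character given above. The Rule fields are hypothetical names, and the example assumes offsets and slice lengths count from the first byte of the Ethernet frame and that masking is applied before slicing; the sample frames are constructed.

```python
from typing import NamedTuple, Optional

DEFAULT_MASK = b"X"                       # default masking character, ASCII 0x58


class Rule(NamedTuple):
    match_on: str                         # "ethertype" or "ip_protocol"
    value: int                            # e.g. 0x0806, or 17 for UDP / 6 for TCP
    slice_len: Optional[int] = None       # bytes of the frame to keep
    mask_offset: Optional[int] = None     # first byte to overwrite
    mask_len: int = 0


def classify(frame):
    """Return (ethertype, ip_protocol); ip_protocol is None for non-IP or short frames."""
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype == 0x0800 and len(frame) >= 34:
        return ethertype, frame[23]       # IPv4 Protocol field
    if ethertype == 0x86DD and len(frame) >= 54:
        return ethertype, frame[20]       # IPv6 Next Header (extension headers not walked)
    return ethertype, None


def condition(frame, rules, mask_byte=DEFAULT_MASK):
    """Apply every matching rule to the frame: mask first, then slice."""
    ethertype, ip_protocol = classify(frame)
    out = bytearray(frame)
    for rule in rules:
        observed = ethertype if rule.match_on == "ethertype" else ip_protocol
        if observed != rule.value:
            continue
        if rule.mask_offset is not None:
            end = min(rule.mask_offset + rule.mask_len, len(out))   # never grow the frame
            start = min(rule.mask_offset, end)
            out[start:end] = mask_byte * (end - start)
        if rule.slice_len is not None:
            del out[rule.slice_len:]
    return bytes(out)


def sample_frame(ip_protocol, l4):
    """Constructed Ethernet + IPv4 frame (zero MACs and checksum) around the given L4 bytes."""
    ip = bytes([0x45, 0, 0, 20 + len(l4), 0, 0, 0x40, 0, 64, ip_protocol, 0, 0,
                192, 0, 2, 1, 198, 51, 100, 7])
    return bytes(12) + b"\x08\x00" + ip + l4


# Constructed traffic: a UDP datagram with a sensitive field at frame offset 42
# (14 Ethernet + 20 IPv4 + 8 UDP), and a TCP segment whose payload a tool does not need.
UDP_FRAME = sample_frame(17, b"\x30\x39\x13\xc4\x00\x1c\x00\x00" + b"pin=4921;acct=778812")
TCP_FRAME = sample_frame(6, bytes.fromhex("c0de0050" "00000001" "00000000" "5018ffff" "00000000")
                         + b"GET /report HTTP/1.1\r\n")

RULES = [
    Rule("ip_protocol", 17, mask_offset=42, mask_len=8),   # hide the first 8 payload bytes of UDP
    Rule("ip_protocol", 6, slice_len=54),                  # keep only Ethernet + IPv4 + TCP headers
]

if __name__ == "__main__":
    print(condition(UDP_FRAME, RULES)[42:])
    print(len(TCP_FRAME), "->", len(condition(TCP_FRAME, RULES)))
```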

Encryption Detection Feature
The v6.x release introduces a new nGenius PFX feature, encryption detection. This feature allows
for special packet handling/filtering for any encrypted packet received on a PFX interface based on
a keyed secure hash. When an encrypted packet is received, the PFX interface on the
InfiniStreamNG appliance can be configured to:
• Drop the encrypted packet (no encrypted packets forwarded for transmitting)
• Slice the encrypted packet (a reduced portion of the packet's payload is forwarded for
transmitting based on the configured slice length)
To enable and configure encrypted packet handling on PFX interfaces, perform the steps in
"Configuring Encryption Detection" on page 24.

NetFlow Generation Feature


NetFlow is a protocol that collects IP traffic details such as the source and destination of traffic and
class of service among several other parameters for use by the network performance, security and
QoS analytic tools.
NETSCOUT offers an end-to-end NetFlow solution, from the TAP to the monitoring tool. PFX
interfaces on the InfiniStreamNG appliance generate NetFlow data and the appliance transmits
this data out its eth0 Manage port to a specified destination, typically a nGenius Flow Collector.
The nGenius Flow Collector captures and manipulates this data using NETSCOUT’s Adaptive
Service Intelligence™ (ASI) technology. The nGeniusONE service assurance platform analyzes
NetFlow and provides visibility into the data using dashboards and monitor displays.
Table 1 lists the fields appearing in the datagrams generated by PFX interfaces, based on the version
of NetFlow configured, as well as the templates the datagrams are based on.



Table 1 NetFlow Fields Generated by nGenius PFX

| Datagram Section | NetFlow v5 | NetFlow v9 | IPFIX/v10 | Notes |
|---|---|---|---|---|
| Header | Version: 5 | Version: 9 | Version: 10 | |
| | SysUptime | SysUptime | | |
| | Timestamp | Timestamp | Timestamp | |
| | FlowSequence | FlowSequence | FlowSequence | |
| | EngineType | | | |
| | EngineId | SourceId | Observation Domain Id | EngineID value for v5 is always 0 |
| | Sampling Mode | | | Value always 0 |
| | Sample Rate | | | Value always 0 |
| Flow Record | | FlowSet Id | FlowSet Id | ID is 256 for IPv4, 257 for IPv6 |
| | SrcAddr | IP_SRC_ADDR or IPV6_SRC_ADDR | IP_SRC_ADDR or IPV6_SRC_ADDR | |
| | DstAddr | IP_DST_ADDR or IPV6_DST_ADDR | IP_DST_ADDR or IPV6_DST_ADDR | |
| | NextHop | | | Value always 0 |
| | InputInt | INPUT_SNMP | INPUT_SNMP | Indicates the PFX interface (3-6) receiving the traffic |
| | OutputInt | OUTPUT_SNMP | OUTPUT_SNMP | |
| | Packets | PKTS | PKTS | |
| | Octets | BYTES | BYTES | |
| | StartTime | FIRST_SWITCHED | FIRST_SWITCHED | |
| | EndTime | LAST_SWITCHED | LAST_SWITCHED | |
| | SrcPort | L4_SRC_PORT | L4_SRC_PORT | |
| | DstPort | L4_DST_PORT | L4_DST_PORT | |
| | TCP Flags | TCP_FLAGS | TCP_FLAGS | |
| | Protocol | PROTOCOL | PROTOCOL | |
| | IP ToS | IP_TOS | IP_TOS | |
| | SrcAS | | | Value always 0 |
| | DstAS | | | Value always 0 |
| | SrcMask | | | Value always 0 |
| | DstMask | | | Value always 0 |

To enable and configure NetFlow generation on PFX interfaces, perform the steps in "Configuring
NetFlow Generation" on page 25.
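
A collector-side check, added here as a Python example (not NETSCOUT code), that decodes a NetFlow v5 datagram and reports where it departs from the v5 values Table 1 gives for a PFX exporter: EngineId, sampling, NextHop, AS numbers and masks all 0, and InputInt between 3 and 6. The function names and the sample datagrams are constructed for illustration.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")   # 48-byte NetFlow v5 flow record
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("src_addr", "dst_addr", "next_hop", "input_int", "output_int", "packets",
                 "octets", "start_time", "end_time", "src_port", "dst_port", "tcp_flags",
                 "protocol", "ip_tos", "src_as", "dst_as", "src_mask", "dst_mask")
ALWAYS_ZERO = ("next_hop", "src_as", "dst_as", "src_mask", "dst_mask")   # per Table 1
PFX_INTERFACES = range(3, 7)                          # Table 1: InputInt is PFX interface 3-6


def parse_v5(datagram):
    """Decode one NetFlow v5 datagram into (header dict, list of record dicts)."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    header = dict(zip(HEADER_FIELDS, HEADER.unpack_from(datagram)))
    if header["version"] != 5:
        raise ValueError("not NetFlow v5")
    if len(datagram) != HEADER.size + header["count"] * RECORD.size:
        raise ValueError("length does not match the record count")
    records = []
    for i in range(header["count"]):
        values = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        rec = dict(zip(RECORD_FIELDS, values))
        for name in ("src_addr", "dst_addr", "next_hop"):
            rec[name] = ipaddress.IPv4Address(rec[name])
        records.append(rec)
    return header, records


def profile_findings(header, records):
    """List the ways a datagram departs from the v5 values Table 1 gives for a PFX exporter."""
    findings = []
    if header["engine_id"] != 0:
        findings.append("header: engine_id is %d, expected 0" % header["engine_id"])
    if header["sampling"] != 0:
        findings.append("header: sampling mode/rate is 0x%04x, expected 0" % header["sampling"])
    for n, rec in enumerate(records):
        for name in ALWAYS_ZERO:
            if int(rec[name]) != 0:
                findings.append("record %d: %s is %s, expected 0" % (n, name, rec[name]))
        if rec["input_int"] not in PFX_INTERFACES:
            findings.append("record %d: input_int %d is not a PFX interface (3-6)"
                            % (n, rec["input_int"]))
    return findings


def packed(addr):
    return ipaddress.IPv4Address(addr).packed


def flow(next_hop="0.0.0.0", input_int=3, src_as=0):
    """Constructed flow record values, in RECORD_FIELDS order."""
    return (packed("192.0.2.10"), packed("198.51.100.20"), packed(next_hop), input_int, 0,
            12, 9000, 1000, 2000, 51515, 443, 0x1B, 6, 0, src_as, 0, 0, 0)


def build_v5(flows, engine_id=0, sampling=0):
    """Constructed datagram for the demo (uptime, timestamp and sequence are arbitrary)."""
    header = HEADER.pack(5, len(flows), 360000, 1583400000, 0, 1, 0, engine_id, sampling)
    return header + b"".join(RECORD.pack(*f) for f in flows)


CONFORMING = build_v5([flow()])
DEVIATING = build_v5([flow(), flow(next_hop="10.9.9.9", input_int=9, src_as=64512)],
                     engine_id=7)

if __name__ == "__main__":
    for label, datagram in (("conforming", CONFORMING), ("deviating", DEVIATING)):
        print(label, profile_findings(*parse_v5(datagram)))
```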

System Requirements
PFX interfaces can be enabled on select InfiniStreamNG appliances. In order to support PFX
interface mode, ensure that your appliance meets the following requirements and considerations.

Data Source Requirements


The following data sources support PFX functionality:
• InfiniStreamNG hardware appliance models purchased directly from NETSCOUT and
equipped with four 1/10 Gigabit, two 40 Gigabit or two 100 Gigabit interfaces as follows:
– InfiniStreamNG 1410H (6 TB) and InfiniStreamNG 1410J (8TB)
– InfiniStreamNG 2395H (6 TB) and InfiniStreamNG 2395J (8TB)
– InfiniStreamNG 2410H (16TB) and InfiniStreamNG 2410J (16TB)
– InfiniStreamNG 2695H (16TB) and InfiniStreamNG 2695J (16TB)
– InfiniStreamNG 4695H (6 TB)
– InfiniStreamNG 4795H (24TB) and InfiniStreamNG 4795J (32TB)
– InfiniStreamNG 4895H (32 TB) and InfiniStreamNG 4895J (32 TB)
– InfiniStreamNG 6695G (48 TB) and InfiniStreamNG 6695J (48 TB)
– InfiniStreamNG 9795G (64 TB) and InfiniStreamNG 9795J (64 TB)
– InfiniStreamNG 9802G (96 TB) and InfiniStreamNG 9802J (128 TB)
– InfiniStreamNG 9807G (96 TB) and InfiniStreamNG 9807J (128 TB)
– InfiniStreamNG 9895G (96 TB) and InfiniStreamNG 9895J (128 TB)
• InfiniStreamNG Certified Network Appliances purchased from certified resellers and
with a 4-port 1/10 Gigabit, 2-port 40 Gigabit, or 2-port 100 Gigabit ASI Accelerator
Network Interface Card (NIC) installed by the customer as follows:
– C-02695H (16 TB) and C-02695J (16 TB)
– C-02795H (32 TB) and C-02795J (32 TB)
– C-04895H (32 TB) and C-04895J (32 TB)
– C-06695G (48 TB) and C-06695J (48 TB)
– C-09807J (128 TB)
– C-09895G (96 TB) and C-09895J (128 TB)
– C-09A02G (96 TB) and C-09A02J (128 TB)
– C-09A07G (96 TB) and C-09A07J (128 TB)
– C-09A95G (96 TB) and C-09A95J (128 TB)
• InfiniStreamNG Qualified COTS Appliances that employ qualified
commercial-off-the-shelf (COTS) servers from Dell or HP Enterprise (HPE) and are
equipped with a 4-port 1/10 Gigabit or 2-port 40 Gigabit ASI Accelerator NIC

Software and Console Compatibility


nGenius PFX functionality is supported by any standard InfiniStream v6.2 or later application.
However, to unlock transmit capability and access PFX functionality, you must download and
install a special .pfx_enable file from My.NETSCOUT.com. When this file is installed on a
supported data source running v6.x, a PFX Options sub-menu appears in the Agent Configuration
utility (localconsole) main menu and additional options appear on the Interface menu selections.
Refer to "Enabling PFX Capability on Data Sources" on page 8 for instructions on how to obtain and
install this file.



An InfiniStreamNG appliance with all interfaces configured in PFX mode can be completely
configured and managed using the Agent Configuration utility. If you are reconfiguring all the
interfaces on an InfiniStream appliance that was previously managed by nGeniusONE for PFX
functionality, it is recommended that you remove the appliance from the list of managed devices
in nGeniusONE Device Configuration and perform all management of the appliance using the
Agent Configuration utility.

Modes Supported
For the v6.x release, each interface on an InfiniStreamNG appliance can be separately configured
to perform (a) PFX functions (such as deduplication, tunnel termination, or NetFlow generation) or
(b) collect packets and generate ASI data to provide to a nGeniusONE server (standard data source
functionality). However, the following limitations apply:
• PFX mode is supported only when the appliance is configured with probe_mode set to
hdx.
• PFX mode is not applicable when GeoProbe software is installed on the InfiniStreamNG
appliance with GEO mode enabled. PFX mode is supported when GEO is off and ASI is
on as described in the geo_probe command description.
• PFX mode can only be enabled on an interface when that interface is:
– Transmit-capable (normally based on the port hardware)
– Not part of an aggregated interface
– Not an aggregation interface
– Not configured in PFS mode
– Not part of a logical interface

Enabling PFX Capability on Data Sources


PFX functionality is built into v6.x InfiniStream application software, but by default it is disabled
and PFX options are not viewable in the Agent Configuration utility. In order to unlock PFX
functionality you must download and install a file from My.NETSCOUT.com as described below:
1 Launch your Web browser and enter the following URL:
https://my.netscout.com/mcp/Pages/DL_Main.aspx
2 Click on Licensing & Downloads.
3 From the Product list, choose InfiniStream Deep Packet Capture Appliances and
choose a product version (6.2 or later).
4 Scroll down the page and click on the Download tab.
5 Download the pfx_enable.zip file to your local machine.
6 Extract the .pfx_enable file from the ZIP archive.
7 Use either WinSCP (Windows machines) or SCP (Linux machines) to copy the
.pfx_enable file to the /opt/platform directory on the InfiniStreamNG appliance.
8 Log in to the InfiniStreamNG as the root user (default password is netscout) using any
of the following methods:
– Locally, using an attached keyboard (InfiniStreamNG appliances only)
– Remotely, via an SSH session (for example, PuTTY)
– Remotely, via the web-based IPMI/RMM interface (InfiniStreamNG appliances
only)



9 Navigate to the /opt/NetScout/rtm/bin directory:
cd /opt/NetScout/rtm/bin
10 Restart the InfiniStream processes:
./stopall
./start
11 To activate the transmit capability on InfiniStreamNG interfaces, perform the following
steps:
a Launch the Agent Configuration Utility:
./localconsole
b From the main menu, enter option [7] Select Interface and choose the number
of the interface you want to configure in PFX mode from the next menu.
c In the Interface Options menu, enter option [65] Toggle Interface Mode. A
notification message appears as shown below:
##########################################################
# #
# TX MODE NOTICE #
# #
##########################################################

By selecting the “PFX Mode” option, you are activating the


NetScout PFX Mode feature which will enable the monitoring port(s)
of this device to be used for communication and transmissions
to other devices.
Use of the PFX Mode option is only authorized for the purpose of
service assurance activities such as network and application
monitoring and security. All other uses are strictly prohibited.

--> [1] Do Not Proceed With Activation


[2] Proceed With Activation

Please Enter your choice :

d To activate transmit capability on this interface and configure the interface in PFX
mode, press 2.
If you wish to later disable the transmit capability on an interface, you can toggle PFX mode off
using the Agent Configuration Utility in one of two ways:
• Select the interface (option [7] from the main menu, then choose the interface) and enter
option [65] Toggle Interface Mode to return the interface to the default (listen only)
mode
• Enter the command line mode and issue the following command:
set interface_options 65 default

To permanently disable the transmit capability, navigate to the /opt/platform directory, delete the
.pfx_enable file, and restart the processes from the /opt/NetScout/rtm/bin directory.



PFX Feature Configuration
All PFX configuration and management can be performed using the Agent Configuration Utility
accessible on the appliance itself. For example, an InfiniStreamNG appliance with all of its ports
configured for PFX operation does not need to be managed by a nGeniusONE server. If PFX
features are enabled on every interface, it is recommended that you remove the appliance from
the list of managed devices in nGeniusONE Device Configuration.

General PFX Setup


When the Agent Configuration Utility is accessed from an appliance with the .pfx_enable file
installed, an additional menu option, PFX Options, appears in the main menu. To access the Agent
Configuration Utility for PFX interface configuration, perform the following steps:
1 If you have not already done so, establish a local or remote console connection to the
InfiniStreamNG appliance and log in as the root user.
2 Navigate to the /opt/NetScout/rtm/bin directory and run the ./localconsole
command. This opens the Agent Configuration Utility similar to the one shown below.
** Infinistream Model 2395H - CDM 6.2.2 (Build xxx) **

Interface number : 3

Probe IP V4 address 10.20.101.201

[4] Change Config Server Address 10.20.100.200


[5] Change Read Community public
[6] Change Write Community public
[7] Select Interface 10 GIGABIT-ETHERNET
[8] Software Options
[9] Agent Options
[11] Enter Command-line mode
[12] Reset Agent
[13] Security Options
[14] Console Logout
[15] Protocol Options
[16] PFX Options

3 Do one of the following:


• To configure PFX features using the command line, type 11 and use the commands
described in Table 2.
• To configure PFX features using menu options, type 16 and perform the instructions in
the following sections:
– "Enabling/Disabling PFX Mode on an Interface"
– "Configuring Packet Deduplication"
– "Configuring IP Tunnel Termination"
– "Configuring Tunnel Header Stripping"
– "Configuring Packet Slicing"
– "Configuring Packet Masking"
– "Configuring Encryption Detection"
– "Configuring NetFlow Generation"

Table 2 Agent Configuration for PFX Quick Reference

Feature: General
Action: Enabling PFX functionality on an interface
Command Line: set interface_options 65 <pfx | default>
Menu Option: [7] Select Interface > [x] ifnx (where x is the interface number) > [65] Toggle Interface Mode
Notes: When configuring an interface in PFX mode, you are warned that this mode involves transmission to other devices and you must enter 2 to activate the transmit capability of the interface. To return the interface to standard packet collection (listen only, no transmit) use the menu option to toggle off the PFX mode or use the option default in the command.

Feature: General
Action: View current settings
Command Line:
  get pfx
  get pfx netflow
  get pfx <ifn>
  get pfx <ifn> <option>
  Where [ifn] is an interface number and [option] is one of the following: de_dup, mask, netflow, slice, tunnel_strip, encryption_handling
Menu Option: [16] PFX Options > [x] ifnx [pfx] (where x is number of the interface in PFX mode)
Notes: To display a summary of all current PFX configuration settings, enter the command get pfx. To display NetFlow configuration settings across all applicable interfaces, enter get pfx netflow. To view settings for a specific interface, include the interface number (get pfx <ifn>). To view the configuration for a particular PFX feature on an interface, add one of the option settings (get pfx <ifn> <option>).

Feature: General
Action: View available PFX commands
Command Line: help pfx
Menu Option: N/A
Notes: Displays all PFX-specific commands.

Feature: Deduplication
Action: Configure deduplication
Command Line: set pfx <ifn> de_dup <action>
  Where <action> options are:
  off: No deduplication processing occurs.
  on: Deduplication occurs according to the selected setting (ip_hdr_crc, ip_hdr, inner_vlan, outer_vlan).
  ip_hdr: If an IPv4 frame is identified, ignore L2 headers and deduplicate packets if the IPv4 frame is matched (based on Source Address, Destination Address, IP Identification, and IP Fragmentation Offset). Note that only IPv4 packets are deduplicated, IPv6 is not supported.
  ip_hdr_crc: Matching is determined using the Ethernet frame and IP header (applied to both IPv4 and IPv6 packets)
  inner_vlan (and IP): Includes the inner VLAN ID when evaluating whether the packet is a duplicate.
  outer_vlan (and IP): Includes the outer VLAN ID when evaluating whether the packet is a duplicate.
  generic: De-duplicates packets with IPID=0. When enabled, you are prompted for an offset (1-1518) from the beginning of the application layer PDU, and a value (in the range of 0-0xFFFF) to match for further duplicate validation. Use of this option automatically enables the span_duplicate generic command for this interface. Note that IPID is fixed at 0 for this option.
Menu Option: [16] PFX Options > [x] ifnx (where x is the interface number) > [6] De-Duplication, then one of:
  [1] Off
  [2] IP Header
  [3] IP Header & CRC
  [4] Inner VLAN & IP
  [5] Outer VLAN & IP
  [8] IP_Header & Generic
Notes: Off by default. Menu options 2, 4, 5 and 8 are only supported for IPv4, not IPv6. The only deduplication option supported for IPv6 is menu option 3 (IP Header & CRC) and command action ip_hdr_crc (all other command actions only work for IPv4 packets). The deduplication window size is fixed at 1 second; it is not configurable.

Feature: IP Tunnel Termination
Action: To view current tunnel termination settings for the selected interface
Command Line: get interface_options
Menu Option: [7] Select Interface > [x] ifnx (where x is the interface number)
Notes: Indication of whether tunnel termination is on or off and if on, the destination IP address, is shown under option [66].

Feature: IP Tunnel Termination
Action: To enable and configure tunnel termination on the selected interface
Command Line: set interface_options 66 <ip address>
Menu Option: [7] Select Interface > [x] ifnx (where x is the interface number) > [66] Configure Tunnel Termination
Notes: Specify the IPv4 address to use for tunnel termination. Note that IPv6 format is not supported.

Feature: IP Tunnel Termination
Action: To enable/disable tunnel termination on the selected interface
Command Line: set interface_options 66 <on | off>
Menu Option: [7] Select Interface > [x] ifnx (where x is the interface number) > [66] Configure Tunnel Termination
Notes: When prompted for a Tunnel Termination IP, you can enter on or off instead of an IP address. Any previously configured IP address is preserved when tunnel termination is disabled (turned off).

Feature: Tunnel Header Stripping
Action: To enable / disable tunnel header stripping
Command Line: set pfx <ifn> tunnel_strip <type> <on | off>
  Where <type> is one of:
  all: Enable or disable all of the tunnel stripping options at one time
  generic: Disables all other types; requires you specify an <offset> and <length>
  mpls: Stripping of MPLS headers
  gre: Stripping of GRE tunnel headers
  vlan_vntag: Stripping of VLAN/VNTAG values
  mac_rt: Stripping of MAC routing tunnel headers
  mac-in-mac: Stripping of MAC-in-MAC encapsulation headers
Menu Option: [16] PFX Options > [x] ifnx (where x is the interface number) > [5] Tunnel Stripping, then one of:
  [1] MPLS
  [2] GRE
  [3] VLAN/VNTAG
  [4] MAC Routing
  [6] MAC-IN-MAC
  [7] GENERIC
  [20] Toggle All
Notes: Off by default, use this command to enable/disable whether packets are transmitted with tunnels removed and to specifically set tunnel stripping on or off for the supported tunnel type (MPLS, GRE, VLAN/VNTAG, MAC routing tunnels for network overlays such as Cisco FabricPath and TRILL, or MAC-in-MAC tunnels). Be aware that the Generic Tunnel option bypasses all stripping and deduplication, sending the packets straight to transmit. Generic also requires you to specify the offset and length (the length must be greater than offset). The entered values are then displayed next to the Generic menu option as (offset:length).

Feature: Slicing
Action: To add slicing configurations
Command Line: set pfx <ifn> slice add <type> <id> <length>
  Where <type> is one of the three following values:
  0: Slice from the start of the packet
  1: Slice based on Ethernet type
  2: Slice based on IP Protocol
  id: For types 1 and 2, this is the corresponding value from the indicated IANA list. The value can be decimal or Hex. If Hex, it must include a 0x prefix. See Notes for more information.
  length: In all cases, you must provide a length to slice (in bytes).
Menu Option: [16] PFX Options > [x] ifnx (where x is the interface number) > [7] Slicing > [31] Add Slicing Configuration, then one of:
  [0] Slices from start of packet
  [1] Slices based on Ethernet type
  [2] Slices based on IP Protocol type
Notes: To slice packets based on their Ethernet type, use the hexadecimal IANA values at https://www.iana.org/assignments/ieee-802-numbers/ieee-802-numbers.xhtml and include the 0x prefix (for example, enter 0x0800 for IPv4). To slice packets based on their IP protocol, use the decimal IANA values at https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml (for example, for UDP use 17, for TCP use 6). For all slice types, you must also provide a length to slice (in bytes).

Feature: Slicing
Action: To delete one or all slicing configurations
Command Line: set pfx <ifn> slice delete <all | entry id>
  Where <entry ID> is the configuration’s ID as shown in a table on the PFX Slicing Configuration display in the Agent Configuration utility.
Menu Option: [16] PFX Options > [x] ifnx (where x is the interface number) > [7] Slicing, then one of:
  [32] Delete Slicing Configuration
  [33] Delete All Slicing Configurations
Notes: Delete all slicing configurations (all) or delete a specific slicing configuration by supplying the entry ID as shown in the PFX Slicing Configuration table.

Feature: Masking
Action: To add a masking configuration
Command Line: set pfx <ifn> mask add <type> <id> <offset> <length>
  Where <type> is one of the three following values:
  0: Mask from the start of the packet
  1: Mask based on Ethernet type
  2: Mask based on IP Protocol
  id: For types 1 and 2, this is the corresponding value from the indicated IANA list. The value can be decimal (IP Protocol) or Hex (Ethernet type). If Hex, it must include a 0x prefix. See Notes for more information.
  offset: When masking is not set to occur at the start of the packet, specify the offset at which to begin masking.
  length: In all cases, you must provide a length for the mask.
Menu Option: [16] PFX Options > [x] ifnx (where x is the interface number) > [8] Masking > [31] Add Masking Configuration, then one of:
  [0] Mask from Start of Packet
  [1] Mask based on Ethernet type
  [2] Mask based on IP Protocol type
Notes: To mask packets based on their Ethertype, use the hexadecimal IANA values at https://www.iana.org/assignments/ieee-802-numbers/ieee-802-numbers.xhtml and include the 0x prefix (for example, enter 0x0800 for IPv4). To mask packets based on their IP protocol, use the decimal IANA values at https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml (for example, for UDP use 17, for TCP use 6). For all masking types, you must also provide a length to mask (in bytes).

Feature: Masking
Action: To delete one or all masking configurations
Command Line: set pfx <ifn> mask delete <all | entry id>
  Where <entry ID> is the configuration’s ID as shown in a table on the PFX Masking Configuration display in the Agent Configuration utility.
Menu Option: [16] PFX Options > [x] ifnx (where x is the interface number) > [8] Masking, then one of:
  [32] Delete Masking Configuration
  [33] Delete All Masking Configurations
Notes: Delete all masks (all) or delete a specific mask by supplying the entry ID as shown in the PFX Masking Configuration table.

Feature: Masking
Action: To set the masking character
Command Line: set pfx mask_char <code>
  Where <code> is the new ASCII code in decimal or hex notation. If using hexadecimal, you must include 0x as the prefix.
Menu Option: N/A
Notes: The default masking character is set to 0x58 (“X”). If you want to change this to another value, such as a space, you must use the command-line option. Note that this command sets the masking character for all interfaces.

Feature: Masking
Action: To view the current masking character
Command Line: get pfx mask_char
Menu Option: N/A

Feature: Encryption Detection
Action: To configure encrypted packet handling
Command Line: set pfx <ifn> encryption_handling <setting>
  Where <setting> is one of:
  off: Disables special handling of encrypted packets. To enable encrypted packet handling, use either drop or slice
  drop: Drop all encrypted packets
  slice: Configure slicing of encrypted packets based on an offset from the start of the encrypted packet or use the [delete] option to slice off the entire packet
Menu Option: [16] PFX Options > [x] ifnx (where x is the interface number) > [9] Encryption Detection, then one of:
  [30] No Encryption Detection (default)
  [31] Drop Encrypted Packets
  [32] Slice Encrypted Packets
Notes: Drop and Slice are mutually exclusive settings. When you select slice without the delete option, you are prompted to specify the slice offset (0-1500). A length of 0 deletes the entire packet or you can use set pfx <ifn> encryption_handling slice delete. Slicing occurs from the start of the packet.

Feature: NetFlow Generation
Action: View current global NetFlow settings
Command Line: get pfx netflow
Menu Option: [16] PFX Options > [9] NetFlow Export Options
Notes: Displays global NetFlow export options applied to all NetFlow-enabled interfaces.

Feature: NetFlow Generation
Action: To enable / disable NetFlow export for an interface
Command Line: set pfx <ifn> netflow <on | off>
Menu Option: [16] PFX Options > [x] ifnx (where x is the interface number) > [1] NetFlow Export
Notes: Off by default. Use this command or menu options to enable export of NetFlow metrics per interface.

Feature: NetFlow Generation
Action: Configure the NetFlow destination for all NetFlow-enabled interfaces
Command Line: set pfx netflow destination <ip> <port>
  Where:
  ip: IP address of the destination NetFlow device
  port: Applicable UDP port for the destination NetFlow device
Menu Option: [16] PFX Options > [9] NetFlow Export Options > [4] Destination, then:
  [1] IP Address
  [2] UDP Port
Notes: Use this command or menu option to define the address and UDP listener port for the NetFlow destination (such as a nGenius Netflow Collector) for all PFX interfaces configured to generate NetFlow.

Feature: NetFlow Generation
Action: Specify the NetFlow version used for all NetFlow-enabled interfaces
Command Line: set pfx netflow version <IPFIX | v6 | v9>
Menu Option: [16] PFX Options > [9] NetFlow Export Options > [1] NetFlow Version, then one of:
  [5] Version 5
  [9] Version 9
  [10] IPFIX
Notes: Default is Internet Protocol Flow Information eXport (IPFIX).

Feature: NetFlow Generation (continued)
Action: Accept packet slicing on the specified interface
Command Line: set pfx <ifn> netflow_slice <on | off>
Menu Option: [16] PFX Options > [x] ifnx (where x is the interface number) > [2] NetFlow Slice
Notes: Off by default. Enable this setting if the incoming packets are known to be sliced. In this case the frame size is calculated using the information in the IP header.

Feature: NetFlow Generation (continued)
Action: Configure the template refresh rate for all NetFlow-enabled interfaces
Command Line: set pfx netflow tmpl_refresh_rate <rate>
  Where:
  rate: refresh rate in minutes, between 1 and 10 (default 5)
Menu Option: [16] PFX Options > [9] NetFlow Export Options > [5] Template Refresh Rate (Minutes)
Notes: For NetFlow Version 9 or IPFIX, specify the interval at which the InfiniStreamNG should send periodic template flow sets for Version 9 or IPFIX. The default rate is 5 minutes, with a range of 1 to 10.

Feature: NetFlow Generation (continued)
Action: Configure the frequency to export collected flows for all NetFlow-enabled interfaces
Command Line: set pfx netflow active_timeout <rate>
  rate: export rate in seconds, between 30 and 180 (default 30)
Menu Option: [16] PFX Options > [9] NetFlow Export Options > [3] Active Time Out (Seconds)
Notes: Specify the frequency to export the collected flows for the PFX interfaces. The default is 30 seconds with a range of 30 to 180.

Enabling/Disabling PFX Mode on an Interface
PFX mode is enabled/disabled on a per interface basis. Using the Agent Configuration Utility menu,
you can toggle an interface between PFX mode (which includes transmit capability) and the default
packet collection mode (listen only) as follows:
1 If it is not open already, launch the Agent Configuration Utility by navigating to the
/opt/NetScout/rtm/bin directory and running the ./localconsole command.
2 Type 7 to open the Select Interface menu.
3 Type the number for the interface you want to modify and press Enter. An Interface
Options Menu appears similar to the one shown below:
Interface Options Menu:

Interface number : 3

[5] Toggle admin_shutdown off


[10] Toggle Data w/o Control Tcm off
[18] Toggle jumboframe_support on
[19] Change interface_speed 10000 Mbps (auto)
[30] Change mib2_ifspeed 10000000 Kbps
[34] Toggle vifn_enable on
[36] Change vifn_mode vlan
[45] Change HTTP Mode Monitor URL Only
[52] Toggle M3UA Table off
[53] Toggle enable xDR on
[54] Toggle Tunnel Parsing off
[55] Change interface type Enterprise
[59] Change auxiliary interfaces -
[60] Toggle Data w/o Control off
[65] Toggle Interface Mode default
[66] Configure Tunnel Termination off

4 To determine the current interface mode, look at the value next to [65] Toggle Interface
Mode. In the example above, the mode is default, which is the standard packet
collection mode for ASI processing where the interface listens but does not transmit.
5 To enable PFX mode, enter option [65] Toggle Interface Mode. The system checks to
verify that the interface is:
– Transmit-capable (normally based on the port hardware)
– Configured in HDX (half-duplex) interface mode
– Not part of an aggregated interface
– Not an aggregation interface
– Not configured in PFS mode
– Not part of a logical Interface

6 If the interface passes those checks, a notification message appears as shown below. To
activate transmit capability on this interface and confirm that you want the interface to
operate in PFX mode, press 2.
##########################################################
# #
# TX MODE NOTICE #
# #
##########################################################
By selecting the “PFX Mode” option, you are activating the
NetScout PFX Mode feature which will enable the monitoring port(s)
of this device to be used for communication and transmissions
to other devices.
Use of the PFX Mode option is only authorized for the purpose of
service assurance activities such as network and application
monitoring and security. All other uses are strictly prohibited.

--> [1] Do Not Proceed With Activation


[2] Proceed With Activation

Please Enter your choice :


7 If you wish to later disable the transmit capability on an interface, you can toggle PFX
mode off using the Agent Configuration Utility in one of two ways:
– Enter option [65] Toggle Interface Mode again to return the interface to the
default (listen only) mode
– Enter the command line mode and issue the following command:
set interface_options 65 default

Configuring Packet Deduplication


This section describes how to enable PFX packet deduplication using the PFX Options sub-menu
in the Agent Configuration Utility. You can also enter command-line mode and use the set pfx
command to configure this feature; refer to Table 2 for the command syntax.
1 If it is not open already, launch the Agent Configuration Utility by navigating to the
/opt/NetScout/rtm/bin directory and running the ./localconsole command.
2 At the Agent Configuration Utility main menu, type 16 to open the PFX Options
sub-menu and press Enter.
3 Type the number for the interface you want to enable packet deduplication on and
press Enter.
4 On the PFX Interface sub-menu, type 6 and press Enter to select the De-Duplication
option.

5 At the De-Duplication Menu, choose one of the following deduplication techniques:
– [1] Off: Once deduplication is enabled, you can later turn it off by choosing this
option.
– [2] IP Header: If an IPv4 frame is identified, the PFX ignores L2 headers and
de-duplicates packets if the IPv4 frame is matched (based on Source Address,
Destination Address, IP Identification, and IP Fragmentation Offset). Note that
only IPv4 packets are de-duplicated. IPv6 packet deduplication is not currently
supported.
– [3] IP Header & CRC: Matching is determined using the Ethernet frame and IP
header.
– [4] Inner VLAN & IP: Matching includes the inner VLAN ID when evaluating
whether the packet is a duplicate.
– [5] Outer VLAN & IP: Matching includes the outer VLAN ID when evaluating
whether the packet is a duplicate.
– [8] IP_Header & Generic: Matches packets with IPID=0. When enabled, you are
prompted for an offset (1-1518) from the beginning of the application layer PDU,
and a value (in the range of 0-0xFFFF) to match for further duplicate validation.

Note: The deduplication window size is fixed at 1 second and cannot be changed.

6 To configure packet deduplication on another PFX interface, type 99 and press Enter to
return to the PFX Options menu. Select another interface and repeat Steps 4 and 5;
otherwise, continue with the next step.
7 Type 99 and press Enter as necessary to return to the main menu and select option 12
to reset the agent when you are done.
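
The IP Header, Inner VLAN & IP and Outer VLAN & IP matching from step 5, modelled in Python as an added example (not NETSCOUT code). The key fields and the 1-second window come from the manual; the expiry behaviour, all function and class names, and the constructed sample frames are assumptions.

```python
import socket
import struct
from collections import OrderedDict

WINDOW_SECONDS = 1.0             # the manual fixes the deduplication window at 1 second
VLAN_TPIDS = (0x8100, 0x88A8)    # 802.1Q and 802.1ad tag protocol identifiers


def dedup_key(frame, mode="ip_hdr"):
    """Return the match key for an Ethernet frame, or None if it is not parseable IPv4."""
    offset, vlan_ids = 12, []
    try:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        while ethertype in VLAN_TPIDS:               # walk past any VLAN tags
            tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
            vlan_ids.append(tci & 0x0FFF)
            offset += 4
        if ethertype != 0x0800:                      # these modes cover IPv4 only
            return None
        ip = offset + 2
        ident, flags_frag = struct.unpack_from("!HH", frame, ip + 4)
        src, dst = struct.unpack_from("!4s4s", frame, ip + 12)
    except struct.error:                             # truncated frame
        return None
    # Fields named in the manual: source, destination, IP Identification, fragment offset.
    key = (src, dst, ident, flags_frag & 0x1FFF)
    if mode == "inner_vlan":
        key += (vlan_ids[-1] if vlan_ids else None,)
    elif mode == "outer_vlan":
        key += (vlan_ids[0] if vlan_ids else None,)
    return key


class Deduplicator:
    """Flags a frame as a duplicate if its key was first seen less than one window ago.

    Assumes timestamps arrive in non-decreasing order (hypothetical model, not the product).
    """

    def __init__(self, mode="ip_hdr", window=WINDOW_SECONDS):
        self.mode, self.window = mode, window
        self.seen = OrderedDict()                    # key -> timestamp of first copy

    def is_duplicate(self, timestamp, frame):
        while self.seen:                             # expire entries older than the window
            key, first_seen = next(iter(self.seen.items()))
            if timestamp - first_seen < self.window:
                break
            del self.seen[key]
        key = dedup_key(frame, self.mode)
        if key is None:
            return False                             # non-IPv4 traffic is passed through
        if key in self.seen:
            return True
        self.seen[key] = timestamp
        return False


def build_frame(src, dst, ident, vlan=None, payload=b"constructed"):
    """Build a constructed Ethernet/IPv4/UDP-protocol frame (checksum left at 0)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def run_demo(mode):
    """Feed the same packet seen on two VLANs, a new packet, and a late repeat."""
    a = build_frame("10.0.0.1", "10.0.0.2", ident=0x1234, vlan=100)
    b = build_frame("10.0.0.1", "10.0.0.2", ident=0x1234, vlan=200)   # copy from another tap
    c = build_frame("10.0.0.1", "10.0.0.2", ident=0x1235, vlan=100)   # different packet
    arrivals = [(0.000, a), (0.002, b), (0.003, a), (0.010, c), (1.500, a)]
    dedup = Deduplicator(mode)
    return [dedup.is_duplicate(t, f) for t, f in arrivals]


if __name__ == "__main__":
    for mode in ("ip_hdr", "inner_vlan"):
        print(mode, run_demo(mode))
```

In this model two different packets between the same hosts that both carry IP Identification 0 produce the same key, which is the case the IP_Header & Generic option addresses with its additional offset and value match.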

Configuring IP Tunnel Termination


This section describes how to enable IP tunnel termination using the menu options in the Agent
Configuration Utility. You can also enter command-line mode and use the set interface_options
command to configure this feature; refer to Table 2 for the command syntax.
1 If it is not open already, launch the Agent Configuration Utility by navigating to the
/opt/NetScout/rtm/bin directory and running the ./localconsole command.
2 Type 7 to open the Select Interface menu.
3 Type the number for the interface you want to configure for IP tunnel termination and
press Enter.
4 On the Interface Options Menu, type 66 and press Enter to enable the Tunnel
Termination feature.
5 When prompted, enter the destination IPv4 address (IPv6 addresses are not currently
supported) of the tunnel and press Enter.
6 To configure IP tunnel termination on another PFX interface, type 99 and press Enter to
return to the Select Interface menu. Select another interface and repeat Steps 4 and 5;
otherwise, continue with the next step.
7 Type 99 and press Enter as necessary to return to the main menu and select option 12
to reset the agent when you are done.

Configuring Tunnel Header Stripping
This section describes how to enable packet header stripping for GRE or MPLS tunnels (or both)
using the PFX Options sub-menu in the Agent Configuration Utility. You can also enter
command-line mode and use the set pfx command to configure this feature; refer to Table 2 for
the command syntax.
1 If it is not open already, launch the Agent Configuration Utility by navigating to the
/opt/NetScout/rtm/bin directory and running the ./localconsole command.
2 At the Agent Configuration Utility main menu, type 16 to open the PFX Options
sub-menu and press Enter.
3 Type the number for the interface you want to configure for packet header stripping on
tunnels and press Enter.
4 On the PFX options sub-menu, type 5 and press Enter to select the Tunnel Stripping
options.
5 Do one of the following:
– To enable/disable packet header stripping for all tunnel types, type 20 (Toggle All)
to toggle this feature on or off.
– To enable/disable packet header stripping for MPLS tunnels, type 1 to toggle this
feature on or off.
– To enable/disable packet header stripping for GRE tunnels, type 2 to toggle this
feature on or off.
– To enable/disable packet header stripping based on VLAN/VNTAG, type 3 to toggle
this feature on or off.
– To enable/disable packet header stripping for MAC routing tunnels, type 4 to
toggle this feature on or off.
– To enable/disable packet header stripping for MAC-in-MAC encapsulation, type 6
to toggle this feature on or off.
– To enable/disable custom packet header stripping, type 7 to toggle this feature on
or off. When enabling GENERIC header stripping, you must also specify the offset
and length (in bytes, 0-1518) of the header portion to strip off. Note that the
length must be greater than the offset.
6 To configure packet header stripping on another PFX interface, type 99 and press Enter
to return to the PFX Options menu. Select another interface and repeat Steps 4 and 5;
otherwise, continue with the next step.
7 Type 99 and press Enter as necessary to return to the main menu and select option 12
to reset the agent when you are done.

Configuring Packet Slicing
This section describes how to define packet slicing to truncate packets to a specified length either
for all packets received on the interface or based on the type of packet received (of a specific
Ethernet type or IP protocol). Multiple slicing configurations can be defined and applied to
received packets. You can also enter command-line mode and use the set pfx <ifn> slice add
<type> <id> <length> command to configure this feature; refer to Table 2 for the command
syntax.
1 If it is not open already, launch the Agent Configuration Utility by navigating to the
/opt/NetScout/rtm/bin directory and running the ./localconsole command.
2 At the Agent Configuration Utility main menu, type 16 to open the PFX Options
sub-menu and press Enter.
3 Type the number for the interface you want to configure for packet slicing and press
Enter.
4 On the PFX options sub-menu, type 7 and press Enter to select the Slicing option.
5 When the PFX Slicing Configuration display appears, type 31 and press Enter to create
a new slicing configuration.
6 Do one of the following:
– To slice all packets, type 0 and press Enter. Then specify the length of the sliced
packets in bytes and press Enter.
– To slice packets based on the Ethernet type (Ethertype), type 1 and press Enter.
Then specify the Ethernet type in hexadecimal (refer to the IANA list at
https://www.iana.org/assignments/ieee-802-numbers/ieee-802-numbers.xhtml
for values), including the 0x prefix (for example, to specify IPv4, type 0x0800) and
press Enter. Finally, specify the length of the sliced packets in bytes and press
Enter.
– To slice packets based on the IP protocol, type 2 and press Enter. Then specify the
protocol by decimal number (refer to the IANA list at
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
for values) and press Enter. Finally, specify the length of the sliced packets in
bytes and press Enter.
7 Repeat the previous step for all slicing configurations you want to employ. As you add
configurations, they appear in a list in the PFX Slicing Configuration display as shown in
the example below. You can later reference each configuration using its ID number in
the Entry ID column.
PFX Slicing Configuration for <ifn 3> :
Total Number of Entries : 2
====================================================
Entry ID Method Type Length
-------- ------ ---- ------
Slicing is : on
1: Ether Type 0x800 64
2: IP Protocol 0x6 64
====================================================

8 Turn on packet slicing for this interface by typing 30 and pressing Enter. You can later
toggle off slicing by entering the same value again.
9 To configure packet slicing on another PFX interface, type 99 and press Enter to return
to the PFX Options menu. Select another interface and repeat Steps 5 and 6; otherwise,
continue with the next step.
10 Type 99 and press Enter as necessary to return to the main menu and select option 12
to reset the agent when you are done.

You can remove slicing configurations at any time by performing Steps 1 through 4 above to access
the PFX Slicing Configuration display for the selected interface and then typing 32 to delete a
selected configuration (specified by Entry ID) or typing 33 to delete all slicing configurations
applied to this interface (which also disables slicing on the interface). After you delete one or more
slicing configurations, reset the agent to put the changes into effect.

Configuring Packet Masking


This section describes how to mask parts of received packets, either for all packets received on the
interface or based on the type of packet received (of a specific Ethernet type or IP protocol).
Multiple masking configurations can be defined and applied to received packets. You can also
enter command-line mode and use the set pfx <ifn> mask add <type> <id> <offset>
<length> command to configure this feature; refer to Table 2 for the command syntax.
1 If it is not open already, launch the Agent Configuration Utility by navigating to the
/opt/NetScout/rtm/bin directory and running the ./localconsole command.
2 At the Agent Configuration Utility main menu, type 16 to open the PFX Options
sub-menu and press Enter.
3 Type the number for the interface you want to configure for packet masking and press
Enter.
4 On the PFX options sub-menu, type 8 and press Enter to select the masking option.
5 When the PFX Masking Configuration display appears, type 31 and press Enter to create
a new masking configuration.
6 Do one of the following:
– To mask all packets, type 0 and press Enter. Then specify the offset from the start
of the packet (in bytes) to start the mask. Finally, specify the length of the mask in
bytes and press Enter.
– To mask packets based on the Ethernet type (Ethertype), type 1 and press Enter.
Then specify the Ethertype in hexadecimal (refer to the IANA list at
https://www.iana.org/assignments/ieee-802-numbers/ieee-802-numbers.xhtml
for values), including the 0x prefix (for example, to specify masking of IPv4
packets, type 0x0800) and press Enter. Then specify the offset from the start of
the packet (in bytes) to begin masking. Finally, specify the length of the mask in
bytes and press Enter.
– To mask packets based on the IP protocol, type 2 and press Enter. Then specify
the protocol by decimal number (refer to the IANA list at
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
for values) and press Enter. Then specify the offset from the start of the packet
(in bytes) to begin masking. Finally, specify the length of the mask in bytes and
press Enter.
7 Repeat the previous step for all masking configurations you want to employ. As you add
configurations, they appear in a list in the PFX Masking Configurations display as shown
in the example below. You can later reference each configuration using its ID number in
the Entry ID column.
PFX Masking Configurations for <ifn 3> :
Total Number of Entries : 2
======================================================
Entry ID Method ID Offset Length
-------- ------ -- ------ ------
Masking is : on
1: Start Of Packet N/A 0x19 222
2: Ether Type 0x800 0xff 333
======================================================

8 Turn on packet masking for this interface by typing 30 and pressing Enter. You can later
toggle off masking by entering the same value again.

Note: The default masking character is ASCII 0x58 (“X”). If you want to use another character as the mask,
such as a space, you must use the command-line option on the Agent Configuration Utility (refer to Table 2,
"Agent Configuration for PFX Quick Reference", for the command syntax). Note that this command sets
the masking character for all interfaces.

9 To configure packet masking on another PFX interface, type 99 and press Enter to
return to the PFX Options menu. Select another interface and repeat Steps 4 through 8;
otherwise, continue with the next step.
10 Type 99 and press Enter as necessary to return to the main menu and select option 12
to reset the agent when you are done.
You can remove masking configurations at any time by performing Steps 1 through 4 above to
access the PFX Masking Configuration display for the selected interface and then typing 32 to
delete a selected configuration (specified by Entry ID) or typing 33 to delete all configurations
applied to this interface (which also disables masking on the interface). After you delete one or
more masking configurations, reset the agent to put the changes into effect.
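
A Python model of the slicing and masking entries described in the two sections above, added here as an example and not taken from the appliance. Rule types 0/1/2, the 0x-prefixed id and the 0x58 mask character follow the manual; first-match order for slicing, applying every matching mask, untagged Ethernet II framing, and all names and sample frames are assumptions.

```python
MASK_CHAR = 0x58                        # default masking character "X" from the manual
START, ETHERTYPE, IP_PROTO = 0, 1, 2    # <type> values from Table 2


def parse_id(text):
    """Parse an <id> as the manual describes: decimal, or hexadecimal with a 0x prefix."""
    return int(text, 0)                 # "0x0800" -> 2048, "17" -> 17; "0800" is rejected


def rule_matches(rule, frame):
    """Assumes untagged Ethernet II: EtherType at bytes 12-13, IPv4 protocol at byte 23."""
    if rule["type"] == START:
        return True
    if len(frame) < 14:
        return False
    ethertype = int.from_bytes(frame[12:14], "big")
    if rule["type"] == ETHERTYPE:
        return ethertype == rule["id"]
    if rule["type"] == IP_PROTO:
        return ethertype == 0x0800 and len(frame) > 23 and frame[23] == rule["id"]
    raise ValueError("unknown rule type %r" % rule["type"])


def apply_slicing(frame, rules):
    """Truncate to the length of the first matching entry (entry order is an assumption)."""
    for rule in rules:
        if rule_matches(rule, frame):
            return frame[:rule["length"]]
    return frame


def apply_masking(frame, rules, mask_char=MASK_CHAR):
    """Overwrite bytes [offset, offset+length) for every matching entry, clipped to the frame."""
    out = bytearray(frame)
    for rule in rules:
        if rule_matches(rule, frame):
            start = min(rule["offset"], len(out))
            end = min(rule["offset"] + rule["length"], len(out))
            out[start:end] = bytes([mask_char]) * (end - start)
    return bytes(out)


def sample_frame(proto, l4_len, payload):
    """Constructed frame: Ethernet II + IPv4 + zero-filled L4 header + payload."""
    eth = bytes.fromhex("020000000002020000000001") + b"\x08\x00"
    total = 20 + l4_len + len(payload)
    ip = (b"\x45\x00" + total.to_bytes(2, "big") + bytes.fromhex("00010000")
          + b"\x40" + bytes([proto]) + b"\x00\x00" + bytes([10, 0, 0, 1, 10, 0, 0, 2]))
    return eth + ip + bytes(l4_len) + payload


SECRET = b"user=alice&pin=4929"         # constructed sensitive payload
TCP_FRAME = sample_frame(6, 20, SECRET)     # 14 + 20 + 20 + 19 = 73 bytes
UDP_FRAME = sample_frame(17, 8, SECRET)     # 14 + 20 + 8 + 19 = 61 bytes

# Entries shaped like the manual's example display: EtherType 0x800 and IP protocol 6, length 64.
SLICE_RULES = [{"type": ETHERTYPE, "id": parse_id("0x0800"), "length": 64},
               {"type": IP_PROTO, "id": parse_id("6"), "length": 64}]
# Mask only the TCP payload: 14 (Ethernet) + 20 (IPv4) + 20 (TCP without options) = offset 54.
MASK_RULES = [{"type": IP_PROTO, "id": parse_id("6"), "offset": 54, "length": len(SECRET)}]

if __name__ == "__main__":
    print("masked TCP payload :", apply_masking(TCP_FRAME, MASK_RULES)[54:])
    print("UDP frame untouched:", apply_masking(UDP_FRAME, MASK_RULES) == UDP_FRAME)
    print("sliced TCP payload :", apply_slicing(TCP_FRAME, SLICE_RULES)[54:])
    print("sliced UDP length  :", len(apply_slicing(UDP_FRAME, SLICE_RULES)))
```

In the constructed TCP frame a 64-byte slice still leaves the first 10 payload bytes, and a mask offset of 54 only lines up when there are no VLAN tags or TCP options, so check slice lengths and mask offsets against captures of the traffic actually being forwarded.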

Configuring Encryption Detection


This section describes how to configure how the InfiniStreamNG appliance handles encrypted
packets received on the PFX-enabled interface by either immediately dropping the packets or
slicing them. You can configure encrypted packet handling using the PFX Options sub-menu in the
Agent Configuration Utility or enter command-line mode and use the set pfx command; refer to
Table 2 for the command syntax.
1 If it is not open already, launch the Agent Configuration Utility by navigating to the
/opt/NetScout/rtm/bin directory and running the ./localconsole command.
2 At the Agent Configuration Utility main menu, type 16 to open the PFX Options
sub-menu and press Enter.
3 Type the number for the interface you want to configure for encrypted packet handling
and press Enter.
4 On the PFX options sub-menu, type 9 and press Enter to select the encryption detection
option.
5 Do one of the following:
– To disable any special handling of encrypted packets (which is the default setting),
type 30 and press Enter. Encrypted packets received on this interface will be
handled the same as non-encrypted packets.
– To cause the InfiniStream appliance to drop all encrypted packets received on this
interface, type 31 and press Enter.
– To slice all encrypted packets received on this interface, type 32 and press Enter.
Then specify the length of the slice (between 0 and 1500 bytes) and press Enter.
6 To configure encrypted packet handling on another PFX interface, type 99 and press
Enter to return to the PFX Options menu. Select another interface and repeat Steps 3
through 5; otherwise, continue with the next step.
7 Type 99 and press Enter as necessary to return to the main menu and select option 12
to reset the agent when you are done.



Configuring NetFlow Generation
This section describes how to enable NetFlow data generation for selected PFX interfaces using
the PFX Options sub-menu in the Agent Configuration Utility. You can also enter command-line
mode and use the set PFX command to configure this feature; refer to Table 2 for the command
syntax. Note that NetFlow data collected for each PFX interface is sent out the InfiniStreamNG
appliance eth0 Manage port to the destination device and IP address you specify as part of this
configuration.
1 If it is not open already, launch the Agent Configuration Utility by navigating to the
/opt/NetScout/rtm/bin directory and running the ./localconsole command.
2 At the Agent Configuration Utility main menu, type the menu number for the PFX
Options sub-menu and press Enter.
3 Configure global NetFlow settings (applied to all PFX interfaces exporting NetFlow) as
follows:
a Type 9 and press Enter to access the NetFlow Export Options sub-menu.
b Type 1 and press Enter to select the NetFlow Version.
c Choose between NetFlow Version 9 (option [9]), NetFlow Version 5 (option [5]), or
Internet Protocol Flow Information eXport (IPFIX) (option [10]) and press Enter.
d If you selected NetFlow Version 9 or IPFIX in the previous step, type 2 and press
Enter to specify the Template Refresh Rate, the interval at which the PFX should
send periodic template flow sets. The default rate is 5 minutes, with a range of 1
to 10 minutes. If you selected NetFlow Version 5 in the previous step, you do not
need to configure the Template Refresh Rate.
e Type 3 and press Enter to specify the Active Time Out, the frequency at which the
PFX exports the collected flows. The default is 30 seconds with a range of 30 to
180 seconds.
f Type 4 and press Enter to specify the Destination where you want to export the
Network data for the PFX interface. Use the additional options to enter the IP
address of the destination device (typically the Manage port IP address of an
nGenius Flow Collector) and the UDP port number the device uses to listen for
NetFlow traffic. Note that NetFlow data from the InfiniStreamNG appliance is sent
out its eth0 Manage port to this destination IP address.
g Type 99 and press Enter to return to the PFX Options Menu.
4 On the PFX Options sub-menu, type the number for the PFX interface you are exporting
NetFlow data for and press Enter.
5 To enable NetFlow export for that interface, type 1 and press Enter.
6 If the incoming packets are known to be sliced, type 2 and press Enter; otherwise,
continue with the next step. When NetFlow Sliced is On, the frame size is calculated
using the information in the IP header.
7 To enable NetFlow export for another PFX interface, type 99 and press Enter to return
to the PFX Options menu. Select the interface and repeat Steps 5 and 6; otherwise,
continue with the next step.
8 Type 99 and press Enter as necessary to return to the main menu and select option 12
to reset the agent when you are done.
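
A collector-side check for the global settings in step 3, added here as an example and not NETSCOUT code: it reads the export version from each received UDP payload and measures the interval between template-bearing datagrams, for comparison with the configured Template Refresh Rate. The function names and the sample datagrams are constructed for illustration; the header layouts follow the published NetFlow v5/v9 and IPFIX formats.

```python
import struct

# Set IDs that carry templates: FlowSet ID 0 in NetFlow v9, Set ID 2 in IPFIX.
FORMATS = {9: ("NetFlow v9", 20, 0), 10: ("IPFIX", 16, 2)}

def classify_export(datagram: bytes) -> dict:
    """Name the export format of one UDP payload and count template/data sets."""
    if len(datagram) < 16:
        raise ValueError("too short for an export header")
    version, second = struct.unpack_from("!HH", datagram, 0)
    if version == 5:
        # v5 has a 24-byte header and `second` fixed 48-byte records, no templates.
        if len(datagram) != 24 + 48 * second:
            raise ValueError("v5 length does not match its record count")
        return {"format": "NetFlow v5", "templates": 0, "data": second}
    if version not in FORMATS:
        raise ValueError(f"unexpected export version {version}")
    name, offset, template_id = FORMATS[version]
    # IPFIX states the message length in its header; v9 runs to the end of the payload.
    end = second if version == 10 else len(datagram)
    if not offset <= end <= len(datagram):
        raise ValueError("header length is inconsistent with the payload")
    templates = data = 0
    while offset + 4 <= end:
        set_id, set_len = struct.unpack_from("!HH", datagram, offset)
        if set_len < 4 or offset + set_len > end:
            raise ValueError("malformed set length")
        templates += set_id == template_id
        data += set_id >= 256              # IDs 256 and up are data sets
        offset += set_len
    return {"format": name, "templates": templates, "data": data}

def longest_template_gap(captures):
    """Longest interval in seconds between template-bearing datagrams, or None."""
    seen = [t for t, d in captures if classify_export(d)["templates"]]
    return max((b - a for a, b in zip(seen, seen[1:])), default=None)

def build_v9(*sets):
    """Build a constructed v9 datagram from (set_id, payload) pairs."""
    body = b"".join(struct.pack("!HH", i, 4 + len(p)) + p for i, p in sets)
    return struct.pack("!HHIIII", 9, len(sets), 0, 0, 0, 1) + body

# Constructed sample: (arrival time in seconds, UDP payload) as a collector would log it.
TEMPLATE = (0, struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4))  # template 256: src/dst IPv4
DATA = (256, bytes([10, 0, 0, 1, 10, 0, 0, 2]))
SAMPLE = [(0, build_v9(TEMPLATE, DATA)), (30, build_v9(DATA)),
          (300, build_v9(TEMPLATE, DATA))]

if __name__ == "__main__":
    print(classify_export(SAMPLE[0][1]), longest_template_gap(SAMPLE))
```

A gap longer than the configured rate matters because a collector that starts after the last template cannot decode NetFlow v9 or IPFIX data sets until the next template arrives.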

NETSCOUT SYSTEMS, INC.
310 Littleton Road
Westford, MA 01886-4105
Tel. 978 614-4000
888-999-5946
Fax 978-614-4004
E-mail info@netscout.com
Web www.netscout.com
© 2020 NETSCOUT SYSTEMS, Inc. All rights reserved.
733-1338 Rev. B
