Clarification on how the ExtraHop classifies dedup traffic


#1

Greetings,

I wanted to see if someone could provide clarification on what characteristics certain traffic have to meet for it to be classified as dedup traffic. I have a case open where certain Heartbeat traffic was only visible when dedup was disabled. SalesForce Case # 20160429-18517. The Sales Engineer which opened the case to see if we could provide further clarification as to what constitutes dedup traffic.


#2

From what I understand, if we see the same frame (L2 dedup) or packet (L3 dedup) less than 1ms of each other, it’s considered duplicate and should be filtered out. Anything outside of that, would be considered a retransmission.

It seems the question is, why aren’t we seeing/parsing the heartbeat traffic initially.