Summary
You want to know if DDI is able to scan or analyze TCP traffic if the packets for TCP three-way handshake are not mirrored but all other packets after the handshake are mirrored.
Details
DDI cannot scan or analyze TCP traffic when handshake packets are not mirrored. Because TCP is a stateful protocol, three-way handshake packets are required for DDI scanning. Otherwise, DDI will not treat the traffic as stream to scan.
Make sure to mirror all packets to DDI, including packets from connection establishment to connection close.
Since UDP traffic is a stateless protocol, DDI treats UDP packets as independent datagram so there is no such limitation.
