Traffic in a computer network can be analyzed to improve real-time decision making for network operations, security techniques, etc. The traffic may be acquired at numerous entry points by a variety of devices and/or applications (collectively referred to as “nodes” in the computer network) to provide extensive visibility of traffic flow and network security. Given the complexity and volume of traffic routed through many infrastructures, various kinds of network tools are often used to identify, analyze, and/or handle security threats to the computer network, bottlenecks in the computer network, etc. Examples of such network tools include an intrusion detection system (IDS) and an intrusion prevention system (IPS).
Network appliances and network tools can operate as in-band (i.e., “inline”) devices or out-of-band devices. Out-of-band devices operate outside of the path of data traffic between an origination node and a destination node and receive copies of the data packets that make up the traffic, rather than the original data packets. Out-of-band devices are able to freely modify the copies of the data packets because the original data packets are allowed to traverse the computer network unimpeded. Inline devices, on the other hand, operate within the path of data traffic between an origination node and a destination node and receive and forward the original data packets.
Traffic contracts typically govern how data traffic traverses the computer network through one or more inline devices (e.g., network appliances and network tools). However, because inline devices reside within the path of data traffic, noncompliance with a traffic contract can degrade the functionality of the computer network as a whole. For example, an inline device that suffers from high congestion may drop data packets indiscriminately. Metering (also referred to as “policing”) is the process of monitoring compliance with a traffic contract and, if necessary, taking steps to enforce the traffic contract. But effective metering of inline devices can be difficult, particularly when the amount of data traffic flowing through an inline device varies over time.