A network operator can build a monitoring network to gain improved visibility into the application and network performance of the operator's network. The monitoring network further enables improved security, compliance, and reporting for the network operator. To set up the monitoring network, existing switches have passive tap ports that mirror traffic to a tap aggregator. The tap aggregator provides traffic consolidation and source identification and directs selected traffic to specific analytical tools or storage services, including data analyzer tools. Data analyzer tools analyze the data and report to the network operator on the use, security, and performance of the network.
The flow of data in the monitoring network is unidirectional: data flows from the existing switches to the tap aggregator and then to the data analyzer. In this design, each of the switches is coupled to the tap aggregator through a separate port on the tap aggregator. In addition, the tap aggregator forwards the data received from the switches out of different ports to the data analyzer, based on the data characteristics being analyzed by the data analyzer. For example, the tap aggregator can switch the received traffic based on the protocols used for the data, such as source and/or destination headers for the Link, Transport and Session layers, and potentially on arbitrary patterns within datagram headers and/or payloads. Examples include common protocols and address fields such as MAC and IP addresses, and well-known protocols such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Secure Shell (SSH) and/or other known protocols.
For various reasons, at least some of the data analyzers connected to the tap aggregator may have truncation enabled for the data they receive. Truncation, also referred to as "packet slicing," removes unwanted or unneeded bytes from the packet at a configurable or fixed starting byte position. Truncation is useful in situations where the data of interest is contained within the headers or early in the packet payload. Truncation can be used to remove all payload data in situations where regulatory compliance requires the removal of payload before captured traffic is stored. Additionally, truncation enables a dramatic reduction in the volume of sampled data that is stored when payload data is not required.
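The truncation described above, as an added Python example that is not part of the original text: it contrasts a fixed-position slice with a header-aware cut that removes all transport payload. The function names, the 64-byte default, the Ethernet-header fallback and the sample frame are assumptions constructed for illustration; only untagged or single-tagged IPv4 carrying TCP or UDP is parsed.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100
PROTO_TCP, PROTO_UDP = 6, 17
ETH_HLEN = 14

def payload_offset(frame: bytes):
    """Offset of the first transport-payload byte, or None if the headers cannot be parsed."""
    if len(frame) < ETH_HLEN:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off = ETH_HLEN
    if ethertype == ETHERTYPE_VLAN:  # one 802.1Q tag
        if len(frame) < off + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if ihl < 20 or len(frame) < off + ihl:
        return None
    proto = frame[off + 9]
    (frag,) = struct.unpack_from("!H", frame, off + 6)
    off += ihl
    if frag & 0x1FFF:  # non-first fragment: no transport header follows
        return off
    if proto == PROTO_UDP and len(frame) >= off + 8:
        return off + 8
    if proto == PROTO_TCP and len(frame) >= off + 20:
        doff = (frame[off + 12] >> 4) * 4
        if doff >= 20 and len(frame) >= off + doff:
            return off + doff
    return None

def truncate(frame: bytes, fixed_len: int = 64, strip_payload: bool = False) -> bytes:
    """Slice at a fixed byte position, or at the end of the transport header."""
    if not strip_payload:
        return frame[:fixed_len]
    cut = payload_offset(frame)
    # Unparseable frame: keep only the Ethernet header so no payload reaches storage.
    return frame[:cut] if cut is not None else frame[:ETH_HLEN]

# Constructed sample: Ethernet + IPv4 (IHL 5) + TCP (data offset 5) + 16-byte payload.
SAMPLE = (bytes(12) + b"\x08\x00"
          + b"\x45\x00" + struct.pack("!H", 56) + bytes(5) + bytes([PROTO_TCP]) + bytes(10)
          + bytes(12) + b"\x50" + bytes(7)
          + b"user=alice&pw=x1")
```

On the sample frame, the fixed 64-byte slice still carries the first ten payload bytes, while the header-aware cut stops at byte 54 and stores none.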