“Wire-tapping” or “port mirroring” is a mechanism by which certain traffic ingressing or egressing a network node is sent through an arbitrary interface while the packet is also forwarded normally. Lawfully-authorized wire-tapping is considered to be an invaluable tool for law enforcement agencies in their fight against crime and terrorism.
In some prior art wire-tapping methods, normal forwarding lookup is first performed on a packet in question. Then, an “intercept lookup”—a process that determines whether the packet meets certain predefined profiles—is performed. If the packet indeed meets the predefined profiles, the packet is replicated and a copy of the packet is forwarded to a law enforcement agency. The packet is forwarded normally to its intended destination after the intercept lookup. An example of such prior art wire-tapping methods is shown in FIG. 1.
One problem with the prior art method of FIG. 1 is that normal packet forwarding is delayed until the intercept lookup is complete. Sources and receivers of the intercepted network traffic may be able to detect the delay, thus undermining the effectiveness of the wire-tap.
Accordingly, what is needed is a mechanism for wire-tapping network traffic efficiently such that the wire-tapping activities are undetectable to the originator and recipient(s) of the network traffic.