Packet-based data networks continue to grow in importance, and it is often desirable to monitor network traffic associated with these packet-based networks on an ongoing basis. To meet these monitoring needs, copies of network packets can be forwarded to diagnostic network monitoring tools. Copies of packet within network packets flows are often obtained and forwarded using network hubs, test access ports available on network devices, and/or switched port analyzer (SPAN) ports available on network switch systems. Other network tap devices can also be used to obtain and forward copies of network packets being communicated within a network communication system.
To help alleviate the problem of limited access to network packets for monitoring, tool aggregation devices or network packet brokers have been developed as packet forwarding systems that allow shared access to the monitored network packets. These packet forwarding systems allow users to aggregate the processing of packets from multiple network monitoring points and to forward these packets to different network monitoring tools based upon desired filtering parameters. The network monitoring tools can be used, for example, to analyze packets being communicated within a network communication system to identify various threats to the network and/or to identify communication problems within the network.
Current network visibility systems, such as tool aggregation devices or network packet brokers, are designed as intelligent centralized processing engines that receive copies of packets and process packet contents to perform various network visibility and packet forwarding functions. In contrast, physical and virtual network tap devices are typically distributed at edges of the network communication system and are typically designed as relatively unintelligent devices that simply copy packets from edge network monitoring points and forward these copied packets to centralized packet brokers for further intelligent processing and/or forwarding to additional network systems such as network monitoring tools. For example, physical and virtual network tap devices can be deployed at numerous monitoring points within a network, and these network tap devices can forward copies of packets from these monitoring points to a centralized network packet broker where the packets are further processed and forwarded to network monitoring tools.
Prior to forwarding packets to network monitoring tools, however, the network packet brokers often apply various packet processing functions such as de-duplication of packet flows, packet payload truncation, removal of packet headers, identification of relevant packets, and/or other packet processing functions to reduce the amount of packet data being forwarded to and then processed by the network monitoring tools. Network packet brokers can also adjust or modify packets in other ways prior to forwarding them to various network monitoring tools. However, because the same or similar packet flows can potentially be forwarded by different network tap devices located at different monitoring points within a network communication system, the network packet brokers can receive extremely large amounts of packet traffic that needs to be processed including redundant and/or non-relevant packet traffic. Further, because the traffic being monitored may have wide variations and include high bandwidth communication sessions, the aggregated packet traffic volume being processed and forwarded by network packet brokers can be significant. As such, network packet brokers are often required to have significant processing resources so that the network packet brokers can process large volumes of packet traffic and perform various packet processing functions without significant delays.