Packet-based data networks continue to grow in importance, and it is often desirable to monitor network traffic associated with these packet-based networks on an ongoing basis. To meet these monitoring needs, copies of network packets can be forwarded to diagnostic network monitoring tools. Packets are often forwarded using network hubs, test access ports (TAPs), and/or switched port analyzer (SPAN) ports available on network switch systems.
To help alleviate the problem of limited access to network packets for monitoring, tool aggregation devices or packet broker devices have also been developed that allow shared access to the monitored network packets. In part, these network packet broker devices allow users to obtain packets from one or more network monitoring points (e.g., network hubs, TAPs, SPAN ports, etc.) and to forward them to different monitoring tools. Network packet brokers can be implemented as one or more packet processing systems in hardware and/or software that provide access and visibility to multiple monitoring tools. These network packet brokers can also aggregate monitored traffic from multiple source links and can load balance traffic of interest to various tools. The traffic of interest can be network packets that are selected by the packet brokers through packet filters and related packet forwarding rules that identify particular packets or packet flows from within the monitored network traffic as traffic of interest.
Network packet analysis tools include a wide variety of devices that analyze packet traffic, including traffic monitoring devices, packet sniffers, data recorders, voice-over-IP monitors, intrusion detection systems, network security systems, application monitors, and/or other network tool devices or systems. Network analysis tools, such as traffic analyzers, are used within packet-based data networks to determine details about the network packet traffic flows within the packet communication network infrastructure.
Certain network communication systems also include virtual processing environments that include virtual machine (VM) platforms hosted by one or more VM host servers. For example, network applications and resources can be made available to network-connected systems as virtualized resources operating within virtualization layers on VM host servers. In some embodiments, processors or other programmable integrated circuits associated with a server processing platform (e.g., server blade) and/or combinations of such server processing platforms operate to provide VM platforms within the server processing platforms. A virtual machine (VM) platform is an emulation of a processing system or network application that is formed and operated within virtualization layer software being executed on a host hardware system. By operating multiple VM platforms including application instances within such a virtualization layer also operating on the host hardware system, a variety of processing resources can be provided internally to the virtual processing environment and/or externally to other network-connected processing systems and devices.
When a network to be monitored includes virtual processing environments, however, difficulties arise in determining, managing, and controlling packet traffic for network communications with VM platforms operating within such virtual processing environments. For example, web based computing services (e.g., Amazon Web Services) allow a wide variety of external users to obtain dedicated and elastic processing resources within virtual processing environments running on a large number of interconnected servers. These external users can install, initialize, and operate a wide variety of user applications as instances within VM platforms operating within the virtual processing environment. Further, the external users can be corporate or commercial entities that provide multiple different application services to employees and/or end-user consumers of the processing resources. When one or more of these external users desires to monitor, manage, and/or control traffic with respect to their respective VM platforms, difficulties arise in obtaining the network packet traffic to be monitored.
FIG. 1 (Prior Art) is a block diagram of an example embodiment 100 for a prior solution that operates to collect network packets from multiple monitoring points and provides those packets to a network tool or a network packet broker (NPB). The network tool can be one or more virtual or physical tools that process received packets, and the NPB can also be one or more virtual or physical devices that distribute received packets to one or more network tools. For the embodiment 100, a packet flow (FLOW X) 110 is assumed to be sent from a first VM platform (VM1) 102 to a second VM platform (VM2) 112. A first virtual tap (TAP 1) 104 monitors traffic exiting the egress port 106 for the first VM platform 102 and sends a copy 108 of the packets in the packet flow 110 to the destination tool/NPB 120. The second virtual tap (TAP 2) 114 monitors traffic entering the ingress port 116 for the second VM platform 112 and sends a copy 118 of the packets in the packet flow 110 to the destination tool/NPB 120. As such, the destination tool/NPB 120 receives a first copy 108 and a second copy 118 of each packet within the packet flow 110. These duplicate copies 108/118 of the packets within the packet flow 110 create additional processing requirements for the network tool that is analyzing the captured packets unless a deduplication process is applied to remove duplicate packets. As shown, a deduplication processor module 122 can be included as part of the tool/NPB 120 to analyze the captured packets from the virtual taps 104/114 and remove duplicate packets prior to further processing of the captured packets.
This deduplication processing, however, requires processing resources to be allocated and used within the tool/NPB 120. For example, comparison algorithms and/or hash algorithms may be used along with associated data storage to implement the packet comparisons in order to identify and discard duplicate packets. These additional resource requirements, including the memory required for data storage, can become significant where a large number of virtual taps are employed within a virtual processing environment to monitor network communications. In addition to the increased processing requirements, the communication of the captured duplicate packet copies 108/118 within the virtual and/or physical network environment also consumes network communication bandwidth, thereby reducing overall system performance where a large number of virtual taps are employed.
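The following is an added illustration of the FIG. 1 arrangement and of the hash-based deduplication it requires; it is example code written for this page, not code from the patent or from any packet broker product. The packet model, the choice of header fields hashed into the key, the time window, and the FLOW X simulation (TAP 1 at VM1's egress, TAP 2 at VM2's ingress one hop later, with a configurable delay between the two copies reaching the tool/NPB) are all assumptions constructed here. It shows the two costs the text names: every key seen within the window must be retained, which is the storage cost, and when the second copy arrives outside the window the duplicate is not removed.

```python
"""Deduplicating copies of one flow captured by two virtual taps.

Added example for illustration; not code from the patent. Packet fields,
the hash key and the FLOW X simulation are assumptions constructed here.
"""
import hashlib
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    # Minimal IPv4/UDP-style packet model (constructed for this example).
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    ip_id: int      # IP identification field, chosen by the sender
    ttl: int        # decremented by every hop, so NOT part of the key
    payload: bytes


def packet_key(pkt: Packet) -> bytes:
    """Hash of the fields that stay identical across the VM1 -> VM2 path.

    TTL (and, on a real wire, the IP header checksum) change per hop, so two
    taps on different sides of a router see different bytes for the same
    packet. Keying on the invariant fields lets both copies collide.
    """
    h = hashlib.blake2b(digest_size=16)
    for part in (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto, pkt.ip_id):
        h.update(str(part).encode() + b"|")
    h.update(pkt.payload)
    return h.digest()


class Deduplicator:
    """Windowed dedup table as a tool/NPB would run in front of analysis.

    Memory is bounded by the window: every key seen in the last `window`
    seconds is retained, which is the storage cost the text describes.
    """

    def __init__(self, window: float) -> None:
        self.window = window
        self._seen: "OrderedDict[bytes, float]" = OrderedDict()
        self.received = 0
        self.forwarded = 0
        self.dropped = 0
        self.peak_entries = 0

    def _expire(self, now: float) -> None:
        # Keys are inserted in arrival order, so pop from the front until fresh.
        while self._seen:
            _, ts = next(iter(self._seen.items()))
            if now - ts <= self.window:
                break
            self._seen.popitem(last=False)

    def offer(self, pkt: Packet, now: float) -> bool:
        """Return True if pkt should be forwarded to the tool, False if dropped."""
        self.received += 1
        self._expire(now)
        key = packet_key(pkt)
        if key in self._seen:
            self.dropped += 1
            return False
        self._seen[key] = now
        self.peak_entries = max(self.peak_entries, len(self._seen))
        self.forwarded += 1
        return True


def simulate(n_packets: int, window: float, tap2_delay: float) -> dict:
    """FLOW X from VM1 to VM2 observed by TAP 1 (egress) and TAP 2 (ingress).

    tap2_delay models the time between TAP 1's copy and TAP 2's copy of the
    same packet reaching the tool/NPB (assumed value, not from the text).
    """
    events = []
    for i in range(n_packets):
        sent_at = i * 0.01
        pkt = Packet("10.0.0.1", "10.0.0.2", 40000, 53, 17, ip_id=i, ttl=64,
                     payload=b"query-%d" % i)
        # TAP 1 copy: the packet as it leaves VM1's egress port.
        events.append((sent_at, pkt))
        # TAP 2 copy: the same packet at VM2's ingress, one hop later (TTL 63).
        hop = Packet(pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto,
                     pkt.ip_id, ttl=pkt.ttl - 1, payload=pkt.payload)
        events.append((sent_at + tap2_delay, hop))
    # The tool/NPB sees one merged stream ordered by arrival time.
    events.sort(key=lambda e: e[0])
    dedup = Deduplicator(window)
    for ts, p in events:
        dedup.offer(p, ts)
    return {"received": dedup.received, "forwarded": dedup.forwarded,
            "dropped": dedup.dropped, "peak_entries": dedup.peak_entries}


if __name__ == "__main__":
    print(simulate(100, window=1.0, tap2_delay=0.001))  # all duplicates removed
    print(simulate(100, window=0.5, tap2_delay=2.0))    # delay exceeds window
```

With 100 packets and a second copy arriving 1 ms later, the tool/NPB receives 200 packets, forwards 100, and at peak holds 100 keys for the window; that table is what grows with the number of taps and flows. With the second copy delayed beyond the window, every copy is forwarded, so the window must be sized for the worst-case skew between taps, which in turn sets the memory bound.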