Commonly known local area networks (LANs), such as an Ethernet-based network, communicate data via packets having a set format. Control of packet traffic in a network is critical to ensure balanced communication flow and efficient transmission. Such packets are sent between a source network node and a destination node over a communication medium such as coaxial cable or twisted pair wire. Each packet typically has a header that contains limited routing information and a payload.
The most common method of local area network communication is the Ethernet protocol, which is a family of frame-based computer networking technologies for local area networks. The Ethernet protocol is standardized as IEEE 802.3 and defines a number of wiring and signaling standards for the physical layer through means of network access at the Media Access Control (MAC)/Data Link Layer and a common addressing format.
The combination of the twisted pair versions of Ethernet for connecting end systems to the network, along with the fiber optic versions for site backbones, is the most widespread wired LAN technology. Ethernet nodes communicate by sending each other data packets that are individually sent and delivered. Each Ethernet node in a network is assigned a 48-bit MAC address. The MAC address is used both to specify the destination and the source of each data packet in the header. Network interface cards (NICs) or chips on each node normally do not accept packets addressed to other Ethernet nodes.
The speed of computer networks is increasing. Internal LANs with speeds of 1 Gb/s are ubiquitous. Backbones of 10 Gb/s are becoming more and more popular. Some enterprises are moving to 10 Gb/s for their internet gateways, a speed that is already popular at universities.
Network visibility is a desired feature. Network administrators want to know what traffic is on their network, and this process takes up networking resources. Also, when there are issues in the network, network managers want to investigate by understanding what was happening on the network at the time of the issue and in the time leading up to it. Additionally, when a customer investigates an issue, they typically want highly granular and rich data, covering both network data and non-networking data, as well as correlation between the data, so that they can accurately assess the issue.
There are protocols such as NetFlow that output summary information about each network transaction flow as it happens in order to assist network administrators. NetFlow export is a feature that was introduced on Cisco routers that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine information such as the source and destination of traffic, class of service, and the causes of congestion. NetFlow records provide detailed visibility into network traffic. However, NetFlow records can add 10-15% extra traffic volume on a network. At 1 Gb/s, and certainly at 10 Gb/s, this represents a large amount of data for a network system to capture and process. Also, storing data about the traffic that passes through a network appliance that routes and controls network traffic, in a fashion that supports the desired richness, represents a large amount of data for a system to capture and process.
Thus, there is a need for a network traffic appliance that varies the type of data monitored on a network based on events in the network. There is also a need for conserving network resources based on the need for additional network traffic data. There is also a need for a network system to collect data from a variety of sources during certain abnormal circumstances.