A network monitoring system monitors traffic on a network and must process all of the packets in order to avoid lost information. One symptom of reaching a processing limit is lost packets due to overflow of buffer capacity.
A network monitoring system typically has two major processing blocks. One processing block receives the packet, and a second block processes the packet. The “receiving” of the packet and “processing” of the packet typically reside on the same computational platform and both blocks compete for CPU and memory resources. For example, if the receiving block utilizes 80% of the computational capacity of the system, only 20% of the computational capacity of the system remains to perform the “processing” phase. The value added work in a network monitoring system is in the “processing” phase. Any reduction of load from the “receiving” phase will add capacity to the “processing” phase and translate into improved performance of the system and thus allowing more advanced application “processing” that addresses real customer needs.
One solution that addresses the problem of excessive packet load filters incoming packet traffic by dropping packet traffic that is not of interest to the system that is under customer control. In firewall-type systems, this filtering is typically done by configuring firewall rules to selectively allow or deny traffic. Any traffic that is denied would not be forwarded. These firewall rules inspect the header of the TCP/IP packets, and operate on what is referred to as the 5-tuple of source address, source port, destination address, destination port and protocol. These rules are typically created to deny or allow traffic on a particular application protocol such as FTP or HTTP. These rules work well when the ports are well known since static rules can be created to allow or deny traffic. But in the case where the customer wants to specify a rule such as “Block all FTP” traffic, the standard firewall rule will not suffice. Accordingly, a need exists in the art for an improved solution for packet filtering.