Packet-based data networks continue to grow in importance, and it is often desirable to monitor network traffic associated with these packet-based networks on an ongoing basis. To meet these monitoring needs, copies of network packets can be forwarded to diagnostic network monitoring tools. Packets are often forwarded using network hubs, test access ports (TAPs), and/or switched port analyzer (SPAN) ports available on network switch systems.
To help alleviate the problem of limited access to network packets for monitoring, tool aggregation devices or packet broker devices have also been developed that allow shared access to the monitored network packets. In part, these network packet broker devices allow users to obtain packets from one or more network monitoring points (e.g., network hubs, TAPs, SPAN ports, etc.) and to forward them to different monitoring tools. Network packet brokers can be implemented as one or more packet processing systems in hardware and/or software that provide access and visibility to multiple monitoring tools. These network packet brokers can also aggregate monitored traffic from multiple source links and can load balance traffic of interest to various tools. The traffic of interest can be network packets that are selected by the packet brokers through packet filters and related packet forwarding rules that identify particular packets or packet flows from within the monitored network traffic as traffic of interest.
Network packet analysis tools include a wide variety of devices that analyze packet traffic, including traffic monitoring devices, packet sniffers, data recorders, voice-over-IP monitors, intrusion detection systems, network security systems, application monitors and/or any other network tool device or system. Network analysis tools, such as traffic analyzers, are used within packet-based data networks to determine details about the network packet traffic flows within the packet communication network infrastructure. For example, certain network traffic analyzers identify software applications being used and executed by devices operating within the packet communication network infrastructure, track user activity within the network infrastructure, identify possible security threats to the network infrastructure and its network-connected devices, and/or make other determinations based upon an analysis of the network packet traffic and/or the contents of the data packets being communicated within the network infrastructure. Application and threat intelligence processors (ATIPs), for example, are network traffic analyzers that are used to determine the applications operating within the network infrastructure and to identify potential threats to the network infrastructure. Network traffic analyzers, including ATIPs, can be included as part of a network tool optimizer device or other tool aggregation device, and the resulting traffic analysis can be used to provide information about the nature of the network traffic to external devices and systems.
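As an added illustration (not code from the patent), the following Python sketch models the packet broker core described above: packet copies from the monitoring points are aggregated into one stream, packet filters with forwarding rules select the traffic of interest, and each match is load balanced across a tool group by flow hash so that a stateful tool such as an intrusion detection system sees whole flows. The rule fields, tool names and sample packets are constructed for the example.

```python
from dataclasses import dataclass
from zlib import crc32

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    size: int       # bytes

@dataclass(frozen=True)
class FilterRule:
    name: str
    tools: tuple              # tool group that receives matches
    proto: str = None
    dst_port: int = None
    dst_prefix: str = None    # crude prefix match, e.g. "10.0.2."

    def matches(self, p):
        return ((self.proto is None or p.proto == self.proto)
                and (self.dst_port is None or p.dst_port == self.dst_port)
                and (self.dst_prefix is None or p.dst_ip.startswith(self.dst_prefix)))

def pick_tool(rule, p):
    # Hash the flow key so every packet of a flow reaches the same tool (an IDS must see whole flows).
    key = f"{p.src_ip}|{p.dst_ip}|{p.proto}|{p.dst_port}".encode()
    return rule.tools[crc32(key) % len(rule.tools)]

def broker(packets, rules):
    """Aggregate copies from all source links; first matching rule wins."""
    delivered = {}                      # tool name -> packets forwarded to it
    for p in packets:
        for rule in rules:
            if rule.matches(p):
                delivered.setdefault(pick_tool(rule, p), []).append(p)
                break
    return delivered

def egress_bytes(delivered):
    # Bytes the broker must push toward the tools: the bandwidth the later paragraphs worry about.
    return sum(p.size for pkts in delivered.values() for p in pkts)

# Constructed sample: packet copies already aggregated from a TAP and a SPAN port.
SAMPLE = [
    Packet("10.0.1.5", "10.0.2.10", "tcp", 80, 1500),
    Packet("10.0.1.5", "10.0.2.10", "tcp", 80, 1500),
    Packet("10.0.3.2", "10.0.3.9", "udp", 53, 80),       # matches no rule: not traffic of interest
    Packet("10.0.1.8", "10.0.2.10", "udp", 5060, 300),
]
RULES = [FilterRule("web", ("ids-a", "ids-b"), proto="tcp", dst_prefix="10.0.2."),
         FilterRule("voip", ("voip-mon",), proto="udp", dst_port=5060)]
```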
Certain network communication systems also include virtual processing environments that include virtual machine (VM) platforms hosted by one or more processing devices within a VM host hardware system. For example, network cloud resources made available to network-connected systems are often virtualized such that processors or processing cores associated with a server processing platform (e.g., a server blade) and/or combinations of such server processing platforms are used to provide software processing instances or virtual machine platforms within cloud server processing systems. A virtual machine (VM) platform is an emulation of a processing system or application that is initialized and operated within virtualization layer software being executed on a VM host hardware system. By operating multiple VM platforms within such a virtualization layer or hypervisor, itself operating on the VM host hardware system, a variety of processing resources can efficiently be provided internally to the virtual processing environment and/or externally to other processing systems and devices.
When a network to be monitored includes a virtual processing environment, however, difficulties arise in utilizing prior tool aggregation devices as such virtual processing environments can be relatively contained and internal packet communication bandwidths can be very large. For example, it is often difficult to provide external visibility to packet traffic being communicated among virtual machine (VM) platforms within a VM host hardware system. This virtual packet traffic often remains inside the virtualization layer for the VM host hardware system, and traffic bandwidths are often relatively unlimited as compared to packet communication bandwidths available outside the virtualization layer for the VM host hardware system, for example, with respect to external network communication paths.
One prior solution to this external visibility problem for packet traffic within a VM host system is for very limited packet flow information to be collected and output based upon packets being communicated to and from VM platforms within the virtualization layer. This limited flow information, however, is often too limited to provide the desired visibility into the details of the network traffic and potential threats to the network. Other solutions send complete copies of the network packets within virtual packet flows to external monitoring tools, for example, using a virtual switch and a virtual TAP within the virtualization layer. The external monitoring tools can then apply post-collection packet analysis. However, as the overall throughput bandwidth for the virtual packet traffic within the virtualization layer is not limited by physical hardware drivers, this throughput can become very high. As such, forwarding copies of this traffic to external monitoring tools through the network hardware drivers of the VM host hardware system often overwhelms the capabilities of the VM host hardware system. Further prior solutions apply some static filtering to the virtual packet traffic within the virtualization layer to limit the external bandwidth requirements. This statically filtered traffic, however, can still overwhelm hardware drivers for the VM host hardware system or related network infrastructure and can unnecessarily waste network bandwidth where no threats are present.