Today, in certain virtualized network environments, network controllers generate a large number of flow entries to manage the behavior of forwarding elements, and distribute these flow entries to the forwarding elements. The forwarding elements (e.g., software forwarding elements such as virtual switches) manage the sending of packets between various physical and virtual entities based on these flow entries, which are rules that the forwarding elements apply to send the packets. A single forwarding element may apply several flow entries to a packet before sending the packet to its next destination.
It is difficult to determine whether every single one of the flow entries is necessary or which flow entries are necessary for which forwarding elements. It is also difficult to determine which features (e.g., ACL, port security, etc.) depend on a particular flow entry. In determining whether flow entries are necessary, solutions producing false positives (identifying flow entries as necessary even though they are not) are still useful, but solutions producing false negatives (identifying flow entries as unnecessary, even though they are necessary) can result in the elimination of needed flow entries and thereby cause problems in the system. A random packet injection approach, where random packets are injected into the system (e.g., using a simulator) to observe the set of flow entries that are employed, is an example of a solution with false negative results.