The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
In computer networks such as the Internet, packets of data are sent from a source to a destination via a network of elements including links (communication paths such as telephone or optical lines) and nodes (for example, routers directing the packet along one or more of a plurality of links connected to it) according to one of various routing protocols. Elements in the network are typically identifiable by a unique internet protocol (IP) address.
One routing protocol used, for example, in the Internet is the Border Gateway Protocol (BGP). BGP is used to route data between autonomous systems (ASes), each comprising networks under a common administration and sharing a common routing policy. BGP routers exchange full routing information during a connection session, for example carried over Transmission Control Protocol (TCP), allowing inter-autonomous-system routing. The information exchanged includes various attributes, among them a next-hop attribute. For example, where a BGP router advertises reachability to a network, for example in the form of an IP address prefix, the next-hop attribute comprises the IP address to which traffic for that prefix should be forwarded in order to reach it via the advertising BGP router.
Within each AS the routing protocol typically comprises an interior gateway protocol (IGP), for example a link state protocol such as Open Shortest Path First (OSPF) or Intermediate System to Intermediate System (IS-IS).
Where the network carries different types of traffic, for example email or video traffic, these may be handled by separate processes or ports on network components.
It is desirable in many instances to monitor the flow of network traffic for various purposes such as security and billing. The information derived can be used to identify, for example, "top talkers", that is, the noisiest protocols or the most prolific addresses in use, for network profiling, traffic analysis or for security purposes such as attack mitigation.
One way of monitoring the flow of network traffic is to categorize data packets forming the traffic as one of a plurality of “flows”. According to this approach packets with common characteristics or key fields are grouped together as a flow. One example of such an approach is the NetFlow™ product which is a feature of Cisco IOS® software available from Cisco Systems, Inc, San Jose, Calif., USA.
According to this approach, packets having a common value for a set of key fields such as source interface, destination interface, IP source address, IP destination address, IP type of service (ToS), transport layer (UDP/TCP) source port, and transport layer (UDP/TCP) destination port are classified into a flow, the relevant key fields defining the flow profile. Information relating to the flow is stored in a flow record and includes the key fields and their values as well as non-key field information or values, such as how many packets and bytes have been seen in that flow, together with other routing information or field values.
An element such as a monitor performs the overall process and includes one or more Observation Points, such as data (packet or flow) collection points within a router through which the packets pass. The key fields can be hard coded into the device, for example in a flow accounting implementation. Non-key field information is also collected at the monitor according to a set of fixed data plus, optionally, a choice from a small list of additional available information. The collected information, for example in the form of flow records, is gathered, for example at a remote collector node, from one or more data collection sites for the purpose of analysing the collected data.
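The following is an added worked example of the flow classification and "top talker" aggregation described above; it is not code from this application or from Cisco's NetFlow implementation. It keys packets on the fields listed above plus the IP protocol number (an addition, so that TCP and UDP traffic on identical port numbers is not merged into one flow), accumulates the non-key packet and byte counters per flow, ranks source addresses by bytes sent, and packs the resulting records into the published NetFlow version 5 export layout as a collector would receive it. The packet field names, interface names and the sample packets are constructed for the example; next hop, AS numbers, masks and timestamps are zeroed because the flow table does not carry them.

```python
import struct
from collections import defaultdict, namedtuple

# One packet observed at an Observation Point. The field names are this
# example's own; a real monitor fills them from the parsed packet headers.
Packet = namedtuple("Packet", "in_if out_if src dst proto tos sport dport length")

# Key fields from the text (interfaces, addresses, ToS, transport ports) plus
# the IP protocol number (assumption: not in the page's list, but keyed on by
# NetFlow v5 so TCP and UDP with the same ports stay in separate flows).
FlowKey = namedtuple("FlowKey", "in_if out_if src dst proto tos sport dport")


def classify(packets):
    """Group packets into flows: identical key fields -> one flow record.

    Returns {FlowKey: {"packets": n, "bytes": n}}; the dict values are the
    non-key counters the text describes.
    """
    table = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = FlowKey(p.in_if, p.out_if, p.src, p.dst, p.proto, p.tos, p.sport, p.dport)
        table[key]["packets"] += 1
        table[key]["bytes"] += p.length
    return dict(table)


def top_talkers(flows, n=3):
    """Rank source addresses by total bytes across all of their flows."""
    per_src = defaultdict(int)
    for key, rec in flows.items():
        per_src[key.src] += rec["bytes"]
    return sorted(per_src.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def ip_to_int(addr):
    """Dotted-quad IPv4 string to the 32-bit integer the v5 record carries."""
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


# NetFlow v5 export format, network byte order: 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def pack_v5_record(key, rec, in_idx=0, out_idx=0, first=0, last=0, tcp_flags=0):
    """Pack one flow record; fields the flow table lacks are passed in or zeroed."""
    return V5_RECORD.pack(
        ip_to_int(key.src), ip_to_int(key.dst), 0,   # srcaddr, dstaddr, nexthop
        in_idx, out_idx,                             # input/output SNMP ifIndex
        rec["packets"], rec["bytes"],                # dPkts, dOctets (non-key fields)
        first, last,                                 # SysUptime at first/last packet
        key.sport, key.dport,                        # transport ports
        0, tcp_flags, key.proto, key.tos,            # pad1, tcp_flags, prot, tos
        0, 0,                                        # src_as, dst_as
        0, 0, 0,                                     # src_mask, dst_mask, pad2
    )


def export_v5(flows, uptime_ms=0, unix_secs=0, seq=0):
    """Build one v5 export datagram; the format allows at most 30 records each."""
    recs = list(flows.items())[:30]
    header = V5_HEADER.pack(5, len(recs), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    return header + b"".join(pack_v5_record(k, r) for k, r in recs)


# Constructed sample traffic: three packets of one HTTPS flow, a UDP and a TCP
# packet sharing port 5060 (kept apart by proto), and one return-direction packet.
SAMPLE_PACKETS = [
    Packet("Gi0/1", "Gi0/2", "10.0.0.5", "192.0.2.10", 6, 0, 51234, 443, 1500),
    Packet("Gi0/1", "Gi0/2", "10.0.0.5", "192.0.2.10", 6, 0, 51234, 443, 1500),
    Packet("Gi0/1", "Gi0/2", "10.0.0.5", "192.0.2.10", 6, 0, 51234, 443, 60),
    Packet("Gi0/1", "Gi0/2", "10.0.0.7", "192.0.2.20", 17, 0, 5060, 5060, 200),
    Packet("Gi0/1", "Gi0/2", "10.0.0.7", "192.0.2.20", 6, 0, 5060, 5060, 200),
    Packet("Gi0/2", "Gi0/1", "192.0.2.10", "10.0.0.5", 6, 0, 443, 51234, 100),
]

if __name__ == "__main__":
    flows = classify(SAMPLE_PACKETS)
    for key, rec in flows.items():
        print(f"{key.src}:{key.sport} -> {key.dst}:{key.dport} proto={key.proto} "
              f"packets={rec['packets']} bytes={rec['bytes']}")
    print("top talkers:", top_talkers(flows))
    print("v5 datagram bytes:", len(export_v5(flows)))
```

Note that the datagram carries no authentication and is normally sent over UDP, so a collector that acts on it for attack mitigation or billing should at minimum restrict which exporter addresses it accepts and watch the flow_sequence field for gaps or replays.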