1. Field of the Invention
The present invention relates to network traffic sampling and more specifically to trajectory-based and priority-based network traffic sampling.
2. Introduction
Routers summarize traffic flows in flow records which are exported to collectors, possibly through a mediation device. The mediation device has the ability to sample or otherwise select subsets of flow records in order to achieve different traffic analysis goals. Some current approaches to network traffic sampling include trajectory based (or hash based) sampling, priority-based sampling, and threshold based sampling. Trajectory based sampling observes trajectories at each router of a subset of all packets traversing the network. Priority-based sampling selects a fixed number of flow records which best represent all the flow records from a population of flow records, for example, those generated by router during a certain time interval. Threshold sampling selects a subset of flow records each being selected with a probability P that may depend on the flow record, for example being a function of the recorded size of the flow and a threshold parameter set by the user. None of these methods can consistently select subsets of flow records at different routers that a flow traverses with a selection probability that depends on the fields of the flow record while also have explicit and exact direct control over the number of flow records sampled. A user can experiment with changes to the threshold to provide some coarse, imprecise control over the number of flow records sampled and/or required bandwidth for flow sampling. When flows are selected independently with some probability, the number of flows is a random quantity and hence will not conform exactly to required bandwidth limit. Accordingly, what is needed in the art is an improved way to sample a fixed number of packets that best represents all the traffic flows in a network while retaining characteristics of trajectory-based sampling.