In general, a network analyzer is a device used to sample traffic flows in a network. For example, a network analyzer may capture data from the network, and generate traffic flow statistics indicative of the traffic flow in the network. The network analyzer may locally store the traffic flow statistics, but more often, the network analyzer communicates the traffic flow statistics to another network device, referred to as packet flow collector, that can be used by a network administrator to examine traffic flows through the entire network. Specifically, the network analyzer generates traffic flow packets that include the accumulated statistics, i.e., the traffic flow information, for individual packet flows of the sampled network. In many network environments, the traffic flow collector may receive traffic flow information via traffic flow packets sent from various network locations. Consequently, a network administrator can use the packet flow collector to analyze overall network traffic flow.
Conventional network analyzers comprise dedicated computers that extract traffic flow information from packets being sent between routers or other devices in the network. In addition, a network router, switch, hub, or other device, may include traffic analysis functions to generate traffic flow packets based on the traffic flow that occurs through the device. In either case, the network analyzers typically compute traffic flow information, and generate traffic flow packets to communicate the traffic flow information to the packet flow collector. The information generated by network analyzers and contained in the traffic flow packets may be used to improve network planning, traffic engineering, network monitoring, usage-based billing and the like. In addition, the information contained in the traffic flow packets may be used to identify denial of service (DoS) attacks, or other network events related to network security.
Conventional network analyzers perform sampling of the network and compute traffic flow information over a period of time, and then send a large collection of traffic flow packets to the packet flow collector. For example, network analyzers may accumulate flow statistics into a database or other data structure and, upon expiration of a defined period or upon collecting a defined amount of data, transmit all of the flow information in a burst of traffic flow packets. This burst of traffic flow packets may consume significant network bandwidth, and may overload or otherwise burden the packet flow collector. These effects may be more noticeable in network environments having multiple network analyzers.