Packet-based data networks continue to grow in importance, and it is often desirable to monitor network traffic associated with these packet-based networks on an ongoing basis. To meet these monitoring needs, copies of network packets can be forwarded to diagnostic network monitoring tools. Packets are often forwarded using network hubs, test access ports (TAPs), and/or switched port analyzer (SPAN) ports available on network switch systems.
To help alleviate the problem of limited access to network packets for monitoring, tool aggregation devices or packet broker devices have also been developed that allow shared access to the monitored network packets. In part, these network packet broker devices allow users to obtain packets from one or more network monitoring points (e.g., network hubs, TAPs, SPAN ports, etc.) and to forward them to different monitoring tools. Network packet brokers can be implemented as one or more packet processing systems in hardware and/or software that provide access and visibility to multiple monitoring tools. These network packet brokers can also aggregate monitored traffic from multiple source links and can load balance traffic of interest to various tools. The traffic of interest can be network packets that are selected by the packet brokers through packet filters and related packet forwarding rules that identify particular packets or packet flows from within the monitored network traffic as traffic of interest.
Network packet analysis tools include a wide variety of devices that analyze packet traffic, including traffic monitoring devices, packet sniffers, data recorders, voice-over-IP monitors, intrusion detection systems, network security systems, application monitors, and/or other network tool devices or systems. Network analysis tools, such as traffic analyzers, are used within packet-based data networks to determine details about the network packet traffic flows within the packet communication network infrastructure.
Certain network communication systems also include virtual processing environments that include virtual machine (VM) platforms hosted by one or more VM host servers. For example, network applications and resources can be made available to network-connected systems as virtualized resources operating within virtualization layers for VM host servers. In some embodiments, processors or processing cores associated with a server processing platform (e.g., server blade) and/or combinations of such server processing platforms operate to provide instances or virtual machine platforms within the server processing platforms. A virtual machine (VM) platform is an emulation of a processing system or network application that is formed and operated within virtualization layer software being executed on a VM host hardware system. By operating multiple VM platforms within such a virtualization layer, which itself runs on the VM host hardware system, a variety of processing resources can be provided internally to the virtual processing environment and/or externally to other network-connected processing systems and devices.
When a network to be monitored includes virtual processing environments, however, difficulties arise in obtaining packet traffic from network communications for VM platforms operating within such virtual processing environments. One prior solution includes a TAP application that runs within a virtualization layer, such as a hypervisor, for a virtual processing environment. This TAP application forwards packets to an external network-connected packet broker device using GRE (generic routing encapsulation) tunnels. For these GRE tunnels, GRE identifiers are added to encapsulation headers for the packets, and the external packet broker device removes the GRE headers from the packets and forwards the packets to external monitoring tools. This prior solution, however, requires installation of the TAP application in the virtualization layer of the virtual processing environment, which creates significant security issues where multiple different users are operating VM platforms within a VM host server that each communicate network packets through the virtualization layer. For example, a virtual switch operating in the virtualization layer may receive packets from VM platforms from multiple different users, and it can be difficult for the TAP application to segregate such packet traffic within the virtualization layer.
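To make the GRE-tunnelled TAP approach concrete, the following added example (not code from the patent or any product it describes) builds the RFC 2890 GRE header with a 32-bit key in front of a mirrored Ethernet frame, as the TAP application would, and then parses it on the broker side, where the key is the only thing that identifies which tenant's traffic a packet belongs to. The key-to-tool table and the sample frame are constructed for illustration.

```python
import struct

GRE_FLAG_C = 0x8000  # checksum present
GRE_FLAG_K = 0x2000  # key present (RFC 2890)
GRE_FLAG_S = 0x1000  # sequence number present
ETHERTYPE_TEB = 0x6558  # transparent Ethernet bridging: payload is a full L2 frame


def gre_encapsulate(frame: bytes, key: int) -> bytes:
    """Prepend a GRE header carrying only the K bit and a 32-bit key."""
    if not 0 <= key <= 0xFFFFFFFF:
        raise ValueError("GRE key must fit in 32 bits")
    return struct.pack("!HHI", GRE_FLAG_K, ETHERTYPE_TEB, key) + frame


def gre_decapsulate(packet: bytes):
    """Strip the GRE header; return (key or None, protocol type, payload)."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:  # version field must be 0 for plain GRE
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & GRE_FLAG_C:
        offset += 4  # checksum + reserved1 (not validated here)
    key = None
    if flags & GRE_FLAG_K:
        if len(packet) < offset + 4:
            raise ValueError("truncated GRE key")
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_S:
        offset += 4
    if len(packet) < offset:
        raise ValueError("truncated GRE options")
    return key, proto, packet[offset:]


# Constructed mapping: each tenant's TAP uses a distinct key, and the broker
# uses it to pick the tool; packets with no key or an unknown key are dropped
# rather than forwarded to a tool that might belong to another tenant.
KEY_TO_TOOL = {0x0A01: "ids-tenant-a", 0x0B02: "recorder-tenant-b"}


def broker_dispatch(packet: bytes):
    """Return ("forward", tool, frame) or ("drop", reason, frame)."""
    key, proto, payload = gre_decapsulate(packet)
    if proto != ETHERTYPE_TEB:
        return ("drop", "unexpected-protocol", payload)
    if key is None or key not in KEY_TO_TOOL:
        return ("drop", "unknown-key", payload)
    return ("forward", KEY_TO_TOOL[key], payload)
```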