The present invention relates to a network monitoring system and method for asynchronous calculation of network traffic rates based on randomly sampled packets.
U.S. Pat. Nos. 6,894,972 and 7,164,657 discuss that prior art approaches of checking whether a packet belongs to a particular class of traffic can be expensive in terms of network resources and/or equipment costs. In addition, one prior art approach such as Cisco's Netflow™ monitoring system also suffers from delay problems.
A packet switching network such as the Internet includes multiple nodes connected together by multiple transmission links for transporting information in packet form from one or more source nodes to one or more destination nodes. A node can be a switch or a router.
Packet sampling is widely employed as a means of monitoring traffic in computer networks. The packet samples are used to estimate traffic levels (in packets per second or bits per second), based on properties identified in the packet headers, for example calculating the data rate associated with web traffic, to/from a particular network address, etc.
The current practice for analyzing sampled data is to accumulate totals over an interval, scale the result by the sampling rate, and then divide by the interval in order to report a rate (ref: Packet Sampling Basics <http://www.sflow.org/packetSamplingBasics/index.htm>).
For example, suppose network traffic is being sampled with a probability of 1/N. Further, suppose that a packet-per-second rate is to be computed every minute, estimating the traffic from a given source address A. At the start of the minute, the set of counters is reset to zero. With each sample received, a total_samples count is incremented. If the sampled packet was from host A (determined by examining the sampled packet), then a second A_samples count is also incremented. At the end of the minute, the packet rate from host A can be calculated as: (A_samples/total_samples)*N/60
Important limitations of this approach to calculating rates are:
1. The rate is only available at the end of the computation interval;
2. The Nyquist frequency is double the calculation interval.
The result is a delay of up to two minutes in this example before the measurements can be reliably used to trigger actions based on the measurements. Reducing the measurement interval can improve responsiveness, but since fewer samples contribute to the smaller intervals, the accuracy of the estimates is reduced, thereby limiting the reliability of any actions.
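The following sketch is an added example, not part of the original text: it applies the interval practice described above (accumulate counts, scale by the sampling rate, divide by the interval) to a constructed sample stream at two interval lengths, to show when each rate becomes available and how the sample count per interval shrinks. The function names, the addresses, and the 196*sqrt(1/c) percent error bound (a common 95% confidence approximation for packet sampling, not stated in this text) are assumptions.

```python
import math

def interval_rates(samples, host, sampling_n, interval_s, duration_s):
    """Return one report per completed interval.

    samples: iterable of (timestamp_s, src_addr) for sampled packets,
    taken with probability 1/sampling_n.
    """
    buckets = int(duration_s // interval_s)
    total = [0] * buckets
    from_host = [0] * buckets
    for ts, src in samples:
        i = int(ts // interval_s)
        if 0 <= i < buckets:
            total[i] += 1
            if src == host:
                from_host[i] += 1
    reports = []
    for i in range(buckets):
        c = from_host[i]
        reports.append({
            # The rate cannot be reported before the interval closes.
            "available_at_s": (i + 1) * interval_s,
            "total_samples": total[i],
            "host_samples": c,
            # Scale the sample count by N, then divide by the interval.
            "host_pps": c * sampling_n / interval_s,
            # Assumed approximation: 95% confidence bound on relative error.
            "max_error_pct": 196 * math.sqrt(1 / c) if c else float("inf"),
        })
    return reports

def constructed_samples(duration_s=120):
    """Constructed input: every 2 s, one sample from host A and three from another host."""
    out = []
    for t in range(0, duration_s, 2):
        out.append((float(t), "10.0.0.1"))  # host A (constructed address)
        out.extend((t + k * 0.5, "10.0.0.2") for k in (1, 2, 3))
    return sorted(out)

if __name__ == "__main__":
    for interval in (60, 10):
        first = interval_rates(constructed_samples(), "10.0.0.1", 1000, interval, 120)[0]
        print(interval, first)
```

Both interval lengths give the same estimate for this steady stream, but the 10-second report rests on 5 samples instead of 30, so its error bound is far wider.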
The present invention describes a method of asynchronously analyzing packet samples (i.e., without using regularly spaced intervals) so that the speed of generating useful metrics is determined entirely by the arriving samples.