1. Field of the Invention
The present invention relates generally to methods of monitoring data transiting switched packet networks and, more particularly, to the use of modified conventional network switching integrated circuits to implement network data stream monitoring as well as aggregation and filtering of the monitored data streams.
2. Description of the Related Art
Switched packet data networks, such as the Internet and related intranets, characteristically using an Ethernet-based transport protocol, rely on a variety of network infrastructure devices including, in particular, discrete path routing network switches to efficiently distribute packet data streams while maintaining end-to-end connectivity and data throughput. Earlier data stream distribution devices operated as simple, multi-ported hubs that replicated all inbound data packets on any given port to all other ports. This had the undesirable effect of flooding all connected network segments with data packets, even where data packet transmission was pertinent to only one segment. In addition to creating a rather substantial and unnecessary bandwidth burden, such an unrestrained distribution of data packets to all network segments creates security exposures, since every segment can observe traffic intended for another. Current conventional Ethernet switches employ intelligent or learned routing techniques to identify and establish specific port-to-port data packet transfers through the switches. A complex of internal routing tables and related data structures is dynamically built and maintained to ensure optimal transfer of data packets through a switch. The goal of conventional switches is to minimize switch transit latency and uniquely route data packets between ingress and egress port pairs.
The effectiveness of current conventional network switches in performing port-to-port routing, however, greatly complicates efforts to monitor and evaluate on-going data stream transport throughout typically large scale networks. Intentional administrative network monitoring is desirable, if not as a practical matter required, to enable ongoing evaluation and analysis of network infrastructure performance, including network segment loading, protocol and end-point routing usage, infrastructure configuration and optimization planning, and various forms of error-detection that may reveal present or predict future network infrastructure failures. In addition, ongoing network monitoring is essential to detecting the source and nature of intrusion attempts and other security concerns.
Various network elements and associated analysis methods have been devised and, over time, evolved to enable appropriate administrative monitoring of switched data networks. Early techniques, which may in some cases still be employed, involve passive tapping of network segments combined with analog amplification of the derived network data stream signals. These techniques suffer from a number of disadvantages, including signal quality degradation in the tapped network segment, excessive noise in the tapped data stream, and incompatibility with certain encoding schemes. For example, a protocol such as the 1000Base-T version of the IEEE 802.3z standard supports both ends of a network segment simultaneously transmitting on a single wire pair. In general, a passive tap cannot be used to capture and accurately reproduce such a bidirectional packet data stream.
More recently devised active tap devices, such as shown in U.S. Pat. No. 6,424,627, issued Jul. 23, 2002 to Sorhaug et al., are designed to be physically inserted into network segments and digitally copy all passing data packets to a network monitoring device. Implemented as stand-alone devices, these active taps are useful, though limited by the inability to aggregate, filter or otherwise manipulate the tapped data stream packets. They also provide no means for the complex port configuration required in large installations that mix legacy and current state of the art equipment.
Subsequent monitoring device designs, such as shown in U.S. Pat. No. 6,898,632, issued May 24, 2005 to Gordy et al., while more flexible, remain limited in terms of functionality. The described device is tailored specifically to providing intrusion detection and, where an intrusion is identified, to injecting network data packets directed to a firewall so as to configure the firewall to block the intrusion traffic. The device is not, however, capable of broader use, since it has no capability to deal with network segments where trunking is enabled or where the data stream packet flow allows re-use of network MAC addresses. In either scenario, use of the disclosed intrusion detection device will instead cause mis-routing of data packets and concomitant data loss.
Another approach to monitoring network data streams, such as shown in U.S. Pat. No. 5,940,376, issued Aug. 17, 1999 to Yanacek et al., relies on existing infrastructure network switches having built-in SPAN or MIRROR port capabilities. This approach requires each network switch to internally implement promiscuous copying of the network data streams passing through the switch, with negotiated redirection to a designated monitor probe end-point. As described, this approach allows network data streams between any two end-points to be monitored, at least where a transiting infrastructure network switch implements MIRROR ports. To enable monitoring of an entire network, a high percentage of the switches must implement MIRROR ports with compatible negotiation capabilities to select a designated monitor probe port. Beyond the increased network switch costs, disadvantages include a significantly increased internal bandwidth requirement to support internal derivation and routing of the tapped data streams, and a corresponding network performance degradation due to the transport of the tapped data streams to the designated monitor probe ports.