The present invention relates to a method allowing a monitoring system to classify, by entity, IP (Internet Protocol) flows called accounting elements passing through routers or switches of a network of a service provider, these entities being arranged in different sites.
The present invention has an application in the measurement of performance and monitoring of the quality of service of an information system. It relates in particular to the collection of IP accounting information originating from routers in such a way as to produce real time monitoring, statistics or also registrations.
Generally, the increasing complexity of information systems integrating, in particular, client-server architectures and integrated local area networks makes effective management of the quality of service more and more difficult within these systems. On the one hand, the administrators and managers of these information systems are led to adopt a service approach towards users and to operate as service providers concerned about the quality of services provided, at the same time as being faced with reductions in operating costs, and on the other hand, the users of these services demand ever higher levels of quality of service.
Control over the quality of service involves a reliable feedback system of relevant information originating from the different resources of the information system. To do this, the large-volume performance data references residing in the network equipment, in the systems and in the software applications must be exploited.
One of the methods used in order to analyse the IP flows passing through the network of an operator consists of configuring the PE (Provider Edge) routers so as to make them generate and then transmit the accounting information (via NetFlow, sFlow, IPFIX etc.) to one or more systems capable of analysing and aggregating them.
In concrete terms, by configuring the PE routers in order to make them transmit, for example, records according to the NetFlow V5 protocol to a monitoring system, it is possible to generate volumetric statistics and flow matrices broken down by protocol, IP address, TCP/UDP port, etc. for all of the traffic which has passed through the network of the operator.
However, in the specific context of the network of an operator, it is common for the IP addressing plans in force on the sites of the different clients to overlap, i.e. two different machines or applications in different client sub-networks connected to the same network operator (service provider) have the same IP address. When this happens, the significance of the statistics produced by the monitoring system on the basis of IP addresses can be changed dramatically.
By operator is meant an enterprise which offers network services to different clients. The “network” resource is therefore not dedicated to one particular client but shared between several clients, which is where the risk of overlapping addressing plans comes from.
In fact, 2 entities sharing the same IP address are viewed as one and the same entity on which flows of different types will accumulate.
This situation is yet more critical when, in such a monitoring system, the IP addresses are used to identify not only the servers and the main applications, but also the ownership of the latter and of their clients at different geographical sites.
The correlation between IP address and application is then carried out via the establishment by the client of an “application repository” which associates a set of IP addresses and ports for a given protocol (UDP/TCP) with each application.
The correlation between IP address and geographical site is carried out via the establishment by the client of a “geographical repository” which associates a set of IP addresses with each geographical site.
The overlapping of the IP addressing plans automatically leads to an overlapping of the application repositories and geographical repositories of the different clients.
The result of this overlapping of the repositories of the different clients is that it is impossible for the monitoring system to decide reliably whether an IP address belongs to one geographical site or another, or to identify an application server reliably.
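The overlap problem described above, shown as an added example that is not part of the original text: two constructed geographical repositories with overlapping prefixes, a lookup that returns every candidate site for an address, and an IP-keyed byte count that merges two distinct machines. All client names, site names, prefixes and flow records are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed geographical repositories (client -> site -> prefixes); names are hypothetical.
GEO_REPOS = {
    "client_a": {"Paris": ["10.1.0.0/16"], "Lyon": ["10.2.0.0/16"]},
    "client_b": {"Berlin": ["10.1.0.0/24"], "Munich": ["192.168.5.0/24"]},
}

# Constructed flow records: (true_client, src_ip, dst_ip, bytes). The true client is
# ground truth for the demo only; an IP-keyed monitoring system does not see it.
FLOWS = [
    ("client_a", "10.1.0.20", "10.2.0.5", 1200),
    ("client_b", "10.1.0.20", "192.168.5.9", 800),
    ("client_a", "10.2.0.5", "10.1.0.20", 300),
]

def _entries(repos):
    """Flatten the repositories into (client, site, network) tuples."""
    return [(c, s, ipaddress.ip_network(p))
            for c, sites in repos.items() for s, prefixes in sites.items() for p in prefixes]

def overlapping_prefixes(repos):
    """Pairs of prefixes that overlap and belong to different clients."""
    entries = _entries(repos)
    found = []
    for i, (c1, s1, n1) in enumerate(entries):
        for c2, s2, n2 in entries[i + 1:]:
            if c1 != c2 and n1.overlaps(n2):
                found.append(((c1, s1, str(n1)), (c2, s2, str(n2))))
    return found

def candidate_sites(ip, repos):
    """Every (client, site) whose repository claims this address; more than one is ambiguous."""
    addr = ipaddress.ip_address(ip)
    return sorted((c, s) for c, s, net in _entries(repos) if addr in net)

def bytes_by_source_ip(flows):
    """Volumetric statistic keyed on IP address alone, as an IP-based monitor would build it."""
    totals = defaultdict(int)
    for _client, src, _dst, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)

if __name__ == "__main__":
    print(overlapping_prefixes(GEO_REPOS))
    print(candidate_sites("10.1.0.20", GEO_REPOS))
    print(bytes_by_source_ip(FLOWS))
```

The 2000 bytes reported for 10.1.0.20 are the sum of traffic from two different machines, one per client, and the site lookup for that address cannot choose between Paris and Berlin.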