1. Field of the Invention
This invention relates to network monitoring.
2. Related Art
In a computer network in which messages are transmitted and received between devices, it is often desirable to monitor the nature and volume of communication traffic. For example, by noting the number of messages (or more detailed information about those messages) transmitted from selected source devices or to selected destination devices, it can be possible to obtain useful information about usage patterns of the network. One known set of network objects used for this purpose is called RMON (“remote monitoring”). In known systems, a device coupled to and monitoring a communication link in the network generates these RMON objects. RMON objects are retrievable from the generating device using a known message protocol, such as SNMP (Simple Network Message Protocol).
RMON was originally conceived for monitoring OSI layer 1 and layer 2 communication. Accordingly, a first version of RMON (RMON1) was directed to collecting information and statistics primarily about packets between a source device MAC address and a destination device MAC address. A first version of RMON1 was optimized in some respects for Ethernet LAN communication; a second version was optimized for token-ring LAN communication. RMON1 also included capabilities for capturing the contents of selected packets, and for setting alarms upon selected events (those events being distinguished for layer 1 and layer 2 communication).
A more recent version of RMON (RMON2) extends the monitoring capabilities to include more analysis of actual packets, including identifying layer 3, layer 4, and some application aspects of communication. For example, RMON2 includes capabilities for collecting information about usage of particular routing protocols (such as IP or IPX) and particular ports used at the source device or destination device (such as ports for FTP or HTTP transactions). RMON2 also differs from RMON1 in the number of communication links that are monitored by a single device.
In parallel with the evolution from RMON1 to RMON2, another evolution has taken place: early RMON applications using RMON1 were usually directed to monitoring probes, which monitor a single port of a switch. More recent RMON applications using RMON2 are often directed to monitoring software that is embedded in a switch, and therefore is contemplated to monitor several, preferably all, interfaces of the switch.
One problem in the known art is that the ability to monitor network traffic is not keeping up with the amount and speed of the network traffic itself. First, more recent versions of RMON result in an increase in the processing required for each packet. Second, it is desirable to monitor as many output interfaces as possible. Third, the bandwidth and wire speed of network interfaces are rapidly increasing due to advances in technology. All three of these effects require additional processing power in the monitoring device.
One response to this problem is to select only a sample set of packets for monitoring, rather than attempting to process all packets transmitted over the monitored communication links. The sampled traffic would serve as a proxy for all traffic, to measure the frequency of selected network events and to collect aggregate information about network traffic. U.S. Pat. No. 5,315,580, titled “Network Monitoring Device and System”, issued May 24, 1994, in the name of Peter Phaal, to assignee Hewlett-Packard Company of Palo Alto, Calif., shows one example of a sampling technique for monitoring.
Known sampling techniques achieve the purpose of collecting aggregate information about network traffic where the network transmission rate of packets exceeds the ability of the monitoring device to process those packets. However, these techniques suffer from several drawbacks. First, estimated frequency measurement for relatively infrequent events can be subject to error and inaccuracy. Second, processor load for the monitoring device can vary wildly in response to network traffic load. When network traffic is relatively frequent, processor load is relatively heavy, and the monitoring device can fail to keep up with the network traffic. When network traffic is relatively infrequent, processor load is relatively light, and the monitoring device can be underused.
Accordingly, it would be advantageous to provide a method and system for collecting aggregate information about network traffic, in which processor load is relatively constant despite substantial variation in network traffic, and in which the accuracy of frequency measurement can be improved even for relatively infrequent events, due to the ability to sample more frequently. This advantage is achieved in an embodiment of the invention that samples packets from network traffic adaptively in response to that network traffic, and measures frequency in response to either the sampling rate or the frequency rate of appearance in sampled packets, or both.
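The contrast drawn above between fixed and adaptive sampling can be simulated; the following is an added example, not code from the patent. The adaptive rule (sample the next packet whenever the processor is idle, and weight it by the packets skipped since the last sample), the name `monitor`, the `budget` parameter, and the traffic are all assumptions made for illustration.

```python
from fractions import Fraction

def monitor(ticks, fixed_n=None, budget=None):
    """Return (estimated packets per label, samples processed per tick).

    fixed_n: classic 1-in-N sampling. budget: adaptive mode, where the
    monitor can process `budget` packets per tick and samples the next
    packet to arrive whenever it is idle (assumed rule, not the patent's)."""
    est, load = {}, []
    skipped = 0             # packets seen since the last sample
    free_at = Fraction(0)   # time at which the processor is idle again
    for t, packets in enumerate(ticks):
        taken = 0
        for i, label in enumerate(packets):
            skipped += 1
            if fixed_n is not None:
                take = skipped >= fixed_n
            else:
                # Packets are assumed evenly spaced within a tick.
                arrival = t + Fraction(i, len(packets))
                take = arrival >= free_at
                if take:
                    free_at = arrival + Fraction(1, budget)
            if take:
                # The sample stands for every packet since the previous
                # sample, i.e. it is scaled by the interval then in force.
                est[label] = est.get(label, 0) + skipped
                skipped = 0
                taken += 1
        load.append(taken)
    return est, load

# Constructed traffic: busy ticks of 1600 packets, quiet ticks of 40
# packets that each carry 3 rare "ftp" packets (9 in total).
BUSY = ["http"] * 1600
QUIET = ["http"] * 10 + ["ftp"] * 3 + ["http"] * 27
TRAFFIC = [BUSY, BUSY, QUIET, QUIET, QUIET, BUSY]

if __name__ == "__main__":
    modes = (("fixed 1-in-16", {"fixed_n": 16}), ("adaptive", {"budget": 100}))
    for name, kw in modes:
        est, load = monitor(TRAFFIC, **kw)
        print(f"{name:14} load/tick={load} ftp~{est.get('ftp', 0)}")
```

On this traffic the fixed sampler's load swings between 2 and 100 samples per tick and it never sees the rare packets, while the adaptive sampler stays between 40 and 100 and counts all nine.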