An out-of-band network intercept device (NID) sits atop or beside an in-band network device and monitors network traffic between an enterprise's endpoint devices and endpoints outside the enterprise. Suspicious connections can be detected and reset. One monitored feature is excessive bandwidth usage, for example per internet protocol (IP) address.
A simple look-up table keyed by (Source IP, Destination IP, Destination Port) can hold a counter for each conversation. But such a table can be prohibitively large, causing a large memory footprint and excessive CPU time for look-ups and for adding information. For example, 5000+ enterprise IP addresses may be monitored in some network configurations. The NID must remain efficient and cost-effective.
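The simple look-up table described above, sketched as an added example (not code from the original text): it keeps one byte counter per (Source IP, Destination IP, Destination Port) conversation, rolls the counters up per source IP to flag excessive bandwidth, and computes how many entries the table can reach. The flow records, the class and function names, the 10 MB limit, and the per-IP destination and port counts are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 1_200),
    ("10.0.0.5", "203.0.113.10", 443, 800),
    ("10.0.0.5", "198.51.100.7", 443, 9_000_000),
    ("10.0.0.5", "198.51.100.7", 22, 4_000_000),
    ("10.0.0.9", "203.0.113.10", 80, 50_000),
    ("10.0.0.9", "192.0.2.44", 53, 300),
]

class ConversationTable:
    """Naive table: one byte counter per (src, dst, dport) conversation."""

    def __init__(self):
        self.counters = defaultdict(int)

    def add(self, src, dst, dport, nbytes):
        self.counters[(src, dst, dport)] += nbytes

    def bytes_by_source(self):
        # Bandwidth "by IP address": sum every conversation of each source.
        totals = defaultdict(int)
        for (src, _dst, _dport), nbytes in self.counters.items():
            totals[src] += nbytes
        return dict(totals)

    def excessive_sources(self, limit_bytes):
        # Source IPs whose total across all conversations exceeds the limit.
        totals = self.bytes_by_source()
        return sorted(ip for ip, n in totals.items() if n > limit_bytes)

def build_table(flows):
    table = ConversationTable()
    for src, dst, dport, nbytes in flows:
        table.add(src, dst, dport, nbytes)
    return table

def worst_case_entries(monitored_ips, dests_per_ip, ports_per_dest):
    # Upper bound on entries: the key space is the product of all three fields.
    return monitored_ips * dests_per_ip * ports_per_dest

if __name__ == "__main__":
    table = build_table(SAMPLE_FLOWS)
    print(len(table.counters), "entries;", table.bytes_by_source())
    print("over 10 MB (assumed limit):", table.excessive_sources(10_000_000))
    # 5000 monitored IPs (from the text); 200 destinations and 5 ports assumed.
    print("worst-case entries:", worst_case_entries(5000, 200, 5))
```

Every per-source answer requires walking the whole table, and the entry count grows with the product of the three key fields, which is the memory and CPU cost the text points to.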