Some conventional switches provide a feature for flow-based mirroring where a network administrator may enable a mirroring mechanism based on switch ports. For the purpose of debugging protocol interactions and understanding traffic patterns, mirroring is widely used. In some cases, by mirroring or replicating flows, effective problem replication may be performed for problem investigations. Here, problems may be of various natures. However, an application has no control over the mirroring functionality for its own flows in and out of a server. Secondly, today's mirroring mechanisms cause a performance impact on all other applications and application flows. Currently, there is no intelligence available to mirror packets based on application states without impacting other applications or application flows.
Applications are made up of a large number of instructions and data. Instructions operate on data which is fetched in a cache and memory and is always unencrypted. Scaled-out, distributed applications are made up of a large number of application instances. These application instances have their own data in the cache and memory of the processor on which these applications run. A large number of such application instances communicate with each other and process data in parallel to create an aggregate output.
These types of scaled-out applications are extremely vulnerable to application breaches, data thefts from cache and memory by scraping, and other methods of illicitly obtaining data from the applications, cache, and/or memory. Therefore, mirroring may be a useful mechanism for identifying possible threats, but not with the limitations of current mirroring mechanisms.