Network traffic analysis devices, sometimes called packet sniffers, are devices that capture, monitor, and/or analyze computer network traffic. For example, a network traffic analysis device may be used to capture data that is transmitted on a computer network over a predetermined time period. The network traffic analysis device stores the data during the predetermined time period, and the data may be subsequently recovered and analyzed. Typical applications for network traffic analysis devices include bottleneck detection, diagnostic testing, and security verification.
Network traffic analysis devices are commonly connected to computer networks through Ethernet network devices such as hubs or local area network (LAN) switches. The network traffic analysis devices may be assigned to monitor one or more ports of the Ethernet network device. However, it is easier to monitor a wider range of network traffic in a hub than in a LAN switch. This is because hubs are typically shared network devices in which each port of the hub sees every packet that enters or leaves every other port. In switches, by contrast, only the intended destination ports receive copies of packets. Therefore, switches require a mechanism for generating copies of packets from desired ports.
Referring to FIG. 1, an Ethernet network device 10 such as a LAN switch includes a packet processing module 12 and ports 14 through which network communications devices communicate. The Ethernet network device 10 may also communicate with a distributed communications system 16 such as the Internet. A network traffic analysis device 18 is connected to a port 14-8 of the Ethernet network device 10 (Port 8 in FIG. 1). The network traffic analysis device 18 communicates with the packet processing module 12 and identifies desired ports 14 from which network traffic is captured and/or monitored. The network traffic analysis device 18 may receive network traffic from a single port 14-1, 14-2, 14-3, 14-4, 14-5, 14-6, 14-7, or 14-8 or multiple ports 14 of the Ethernet network device 10. Additionally, the network traffic analysis device 18 may specify whether incoming network traffic, outgoing network traffic, or both are desired for each port 14-1, 14-2, 14-3, 14-4, 14-5, 14-6, 14-7, and/or 14-8.

Referring now to FIG. 2, the packet processing module 12 includes an ingress processing module 26 that receives an incoming packet from a port 14-1, 14-2, 14-3, 14-4, 14-5, 14-6, 14-7, or 14-8 of the Ethernet network device 10. The ingress processing module 26 generates tags that indicate desired actions to be taken with the incoming packet. For example, a tag may indicate a desire to drop the incoming packet. If the port 14-1, 14-2, 14-3, 14-4, 14-5, 14-6, 14-7, and/or 14-8 of the incoming packet is currently being monitored by the network traffic analysis device 18, the ingress processing module 26 generates an analyzer mirroring tag. The analyzer mirroring tag indicates that a copy of the packet is to be mirrored to the network traffic analysis device 18.
The packet processing module 12 includes an ingress command execution module 28 that receives the incoming packet and any associated tags. Unless the tags include an instruction to drop the packet, the ingress command execution module 28 forwards the packet to an intended destination port 14-1, 14-2, 14-3, 14-4, 14-5, 14-6, 14-7, and/or 14-8 of the Ethernet network device 10. The ingress command execution module 28 also executes any actions identified by the tags. When the ingress command execution module 28 receives an analyzer mirroring tag with a packet, the ingress command execution module 28 generates a copy of the incoming packet.
The ingress command execution module 28 forwards the copy of the incoming packet to the port 14-8 of the Ethernet network device 10 where the network traffic analysis device 18 is connected (for example, port 8 in FIG. 2). The network traffic analysis device 18 essentially eavesdrops on the identified port(s) 14-1, 14-2, 14-3, 14-4, 14-5, 14-6, 14-7, and/or 14-8. Therefore, it is important that the copy of the packet that is received by the network traffic analysis device 18 is as identical to the original incoming packet as possible.
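The following Python model of the FIG. 2 pipeline is an added illustration and is not part of the original document: an ingress processing step tags each packet (drop and analyzer-mirroring tags, with the per-port ingress/egress direction selection described above), an ingress command execution step forwards and mirrors accordingly, and a check confirms that the analyzer's copy is byte-identical to the original. Port numbers, payloads, and the `acl_drop` parameter are constructed for the example.

```python
from dataclasses import dataclass
from enum import Flag, auto

# Constructed model: ports are numbered 1..8 and the analyzer sits on port 8,
# matching the figure. Everything else here is hypothetical.
ANALYZER_PORT = 8

class Direction(Flag):
    INGRESS = auto()          # capture traffic entering the monitored port
    EGRESS = auto()           # capture traffic leaving the monitored port
    BOTH = INGRESS | EGRESS

@dataclass
class Packet:
    ingress_port: int
    dst_port: int
    payload: bytes

@dataclass
class Tags:
    drop: bool = False
    mirror: bool = False      # the "analyzer mirroring tag"

def ingress_processing(pkt, monitored, acl_drop=frozenset()):
    """Ingress processing module: `monitored` maps port -> Direction captured;
    `acl_drop` (constructed) lists ingress ports whose packets are dropped."""
    tags = Tags(drop=pkt.ingress_port in acl_drop)
    rx = monitored.get(pkt.ingress_port, Direction(0)) & Direction.INGRESS
    tx = monitored.get(pkt.dst_port, Direction(0)) & Direction.EGRESS
    tags.mirror = bool(rx or tx)
    return tags

def ingress_command_execution(pkt, tags):
    """Ingress command execution module: returns {port: emitted bytes}.
    Forwarding is suppressed by the drop tag; the mirror copy is an exact
    duplicate of what arrived, untouched by forwarding (modelling choice)."""
    out = {}
    if not tags.drop:
        out[pkt.dst_port] = pkt.payload
    if tags.mirror:
        out[ANALYZER_PORT] = bytes(pkt.payload)   # byte-for-byte copy
    return out

def switch_pipeline(pkt, monitored, acl_drop=frozenset()):
    return ingress_command_execution(pkt, ingress_processing(pkt, monitored, acl_drop))

def mirror_is_faithful(pkt, out):
    """The fidelity requirement: the analyzer sees exactly the original frame."""
    return out.get(ANALYZER_PORT) == pkt.payload
```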
Typically, packet processing modules 12 in Ethernet network devices 10 only support a single network traffic analysis device 18 at a given time. This is because network traffic analysis devices 18 are very expensive. Additionally, it is difficult and expensive to hire personnel qualified to interpret data from network traffic analysis devices 18. However, it may be beneficial for a single packet processing module 12 in an Ethernet network device 10 to support multiple network traffic analysis devices 18. For example, a network administrator may wish to utilize a first network traffic analysis device 18 that is programmed to automatically perform a first task such as network security verification. In addition, the network administrator may wish to utilize a second network traffic analysis device 18 to perform another task. This requires the packet processing module 12 to generate at least three copies of an incoming packet, including the copy that is forwarded to the intended destination port 14-1, 14-2, 14-3, 14-4, 14-5, 14-6, 14-7, and/or 14-8.
In one approach, a packet processing module 12 is designed with additional hardware to support multiple network traffic analysis devices 18. This requires both hardware to generate another copy of an incoming packet and hardware that decides where to send the additional copy of the packet. However, the added space requirements and complexity of the additional hardware may be cost prohibitive.
In another approach, a packet processing module 12 utilizes traffic classification tags to direct copies of packets to egress interfaces. In this case, additional network traffic analysis devices 18 may be connected to the egress interfaces. However, packets forwarded in this manner are typically not exact copies of incoming packets and are changed during the forwarding process.