Monitoring and analyzing network traffic is of significant value for traffic analysis and troubleshooting, and therefore mirroring is widely used in network intrusion detection systems, VoIP recording, network probes, remote network monitoring (RMON) probes, packet sniffers, and other monitoring and collection devices and software. In a virtualized environment, however, the transparent monitoring of traffic still faces many challenges. The invisibility of network flow direction and distribution leads to numerous safety lapses. The first step in fulfilling a monitoring requirement in any environment is to have a feasible way to access all of the network traffic of interest. In a physical environment, two ways are commonly used to achieve this traffic access.
First, a network tap is a passive splitting mechanism installed between a device of interest and the network. A network tap transmits input and output traffic simultaneously on separate links, ensuring that all traffic arrives at the monitoring device in real time. The advantage of a tap is that it never drops packets, regardless of bandwidth saturation. Therefore, it can fulfill the goal of lossless traffic monitoring. Nevertheless, its high equipment cost and difficulty of deployment limit its scope of application.
Second, port mirroring, also known as SPAN (Switched Port Analyzer), RSPAN (Remote Switched Port Analyzer), and ERSPAN (Encapsulated Remote Switched Port Analyzer), is capable of sending a copy of network packets to a network-monitoring device connected to another switch port. As packet mirroring is a subordinate function in a switch, the switch places a lower priority on SPAN port data than it places on regular port-to-port data. Port mirroring is widely supported by today's medium- and high-end switches for traffic monitoring and analysis. A switch with a port mirroring function has the advantages of low cost, easy deployment, and remote deployment.
However, when it comes to virtualized environments, neither of the techniques mentioned above is easily applied. To monitor virtual traffic by either method, one must first transfer the traffic from the virtual environment to the physical environment. Once that is done, either a tap or port mirroring can be used to perform traffic monitoring. However, hardware outside of a hypervisor cannot be aware of inter-VM traffic within a host, and any kind of packet loss that happens within the virtual environment is invisible to such a method.
In recent years, the significant shift to virtualization has yielded great efficiency benefits. However, the invisibility of traffic in virtualized environments creates significant problems for traffic monitoring, and as the shift to virtualization continues, issues relating to traffic monitoring need to be resolved. Additionally, in a virtualized environment, the shortage of both CPU resources and network resources remains a most worrisome problem when conducting lossless traffic monitoring.