The present invention generally relates to a network monitoring device, and more particularly to a network monitoring device that samples a stream of selected packets from a network traffic.
As computer networks continue to grow in complexity and importance, the need to collect information about network usage and problems increase. To gain a full picture of what events are occurring on the network, a network manager collects traffic information from segments of the network. Increasingly, all but trivial networks contain multiple segments with the network traffic being confined within individual segments, if possible, to increase performance. Further, the networks are often switched, as opposed to shared networks, thus the segment connections are point to point, single connections, containing traffic only for that segment. Thus, known traffic collection solutions include using a network monitoring device, often called a monitor or probe, on each segment of the network.
Monitors are instruments that exist to aid a network manager or a network management service to oversee a network that is often geographically remote. Frequently, monitors are stand-alone devices that devote significant internal resources for the sole purpose of managing the network. Organizations often employ many monitors, one per network segment, to oversee the network.
A problem exists when employing stand-alone monitors on each segment of the network, since use of a monitor on each segment of the network adds expense and nodes to the network. Also, in a highly switched network it is nearly impossible to add stand-alone monitors, such as personal computers since there may be no network connection available for the monitor. In response to this problem, vendors of infrastructure products that are naturally part of the network, such as hubs and switches, add embedded monitors into the products.
Problems occur as the embedded monitors incorporate additional network segments, and segments of higher speeds. For example, Internet Engineering Task Force (IETF) provides standardized sets of information, referred to as Management Information Bases (MIBs), that network devices collect to aid network administrators in monitoring a network. Request for Comment (RFC) 1757 (RMON) and 2021 (RMON-II) standard MIBs, incorporated herein by reference, contain information collected from every packet on the network. As network speeds increase, it follows that packet speeds climb, and analysis of each packet becomes increasingly expensive and difficult. Already resource restrained embedded systems cannot maintain added and faster ports.
Thus, Hewlett-Packard Company(copyright) has developed algorithms that provide statistical approximations of network traffic given a stream of randomly selected samples of packets from the network. U.S. Pat. No. 5,315,580, which is incorporated herein by reference, describes such an algorithm. In a sampling operation, the monitor randomly selects a subset of packets to analyze, and extrapolates data collected from the subset to approximate the total traffic on the network. Thus, the network manager obtains reliable data without the monitor fully analyzing every packet on the network.
Some problems exist, however, with known sampling systems. First, as network speed and segment count increase, selecting packets as part of the random sample requires increased resources since the monitor still needs to count each packet for the algorithm. Second, the data that known monitors collect is less than the amount of data specified by IETF. IETF mandates that additional data be collected for the network than is collected by known samplers.
Accordingly, it is a primary object of the present invention to provide an improved apparatus for monitoring network traffic.
Another object of the present invention is to provide an improved apparatus handling multiple network segments.
Yet another object of the present invention is to provide an improved apparatus for collecting specified data.
Still another object of the present invention is to provide an improved apparatus for handling network segments of an increased speed.
Other objects and advantages will become patents upon reading the following detailed description, in conjunction with the attached drawing: