Commonly known local area networks (LANs), such as an Ethernet-based network, communicate data via packets having a set format. Control of packet traffic in a network is critical to ensure balanced communication flow and efficient transmission to devices on the network. Such packets are sent between a source network node and a destination node over a communication medium such as coaxial cable or twisted pair wire. Each packet typically has a header that contains limited routing information and a payload.
The most common method of local area network communication is the Ethernet protocol, which is a family of frame-based computer networking technologies for local area networks. The Ethernet protocol is standardized as IEEE 802.3 and defines a number of wiring and signaling standards for the physical layer through means of network access at the Media Access Control (MAC)/Data Link Layer and a common addressing format.
The combination of the twisted pair versions of Ethernet for connecting end systems to the network, along with the fiber optic versions for site backbones, is the most widespread wired LAN technology. Ethernet nodes communicate by sending each other data packets that are individually sent and delivered. Each Ethernet node in a network is assigned a 48-bit MAC address. The MAC address is used both to specify the destination and the source of each data packet in the header. Network interface cards (NICs) or chips on each node normally do not accept packets addressed to other Ethernet nodes.
Various refinements may be used to improve the network efficiency of LANs and other devices, resulting in overall improvements in the performance of networked devices. For example, network appliances such as quality of service (QoS) devices perform prioritization and traffic shaping operations on computer network traffic sent over a network circuit to ensure a more controlled delivery of application data. When a network circuit is being completely utilized, prioritization is used by a QoS device to ensure that the most important application is given preferential access to the network circuit. Traffic shaping attempts to limit certain types of network traffic to a limited amount of bandwidth. The controls of a feature-rich QoS device will allow lower priority traffic to use all of the network circuit if no other higher priority traffic is requesting use of the network circuit. Typical QoS devices use policies or rules to govern the prioritization and traffic shaping operations. However, such policies or rules rely on having accurate network traffic data and analysis in order to function efficiently.
Network traffic appliances collect network data such as which applications are on the network, which hosts are sending or receiving data, which hosts are communicating with other hosts and about what, what URLs are being accessed, what the latency of the network is for particular application types, how many packets per second are being processed, and so on. This information can be used for a variety of purposes, including capacity planning, configuration guidance, network troubleshooting, investigating network user acceptable use violations, monitoring network user behavior, and so on.
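The per-host accounting described above rests on the 48-bit destination and source addresses carried in each Ethernet header. The following Python sketch is an added example, not part of the original text: it parses the 14-byte Ethernet II header, applies the normal NIC acceptance rule, and tallies packets and bytes per host pair. The function names and the sample frames are constructed for illustration, and multicast group filtering is left out.

```python
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame: bytes):
    """Return (dst, src, ethertype) from the 14-byte Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("truncated frame: header needs 14 bytes")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac(dst), mac(src), ethertype

def nic_accepts(frame: bytes, own_mac: str, promiscuous: bool = False) -> bool:
    """Normal NIC rule: accept own unicast address or broadcast only.
    A monitoring appliance needs promiscuous mode to see other hosts' traffic."""
    dst, _, _ = parse_header(frame)
    return promiscuous or dst in (own_mac.lower(), BROADCAST)

def conversations(frames):
    """Tally packets and bytes per (src, dst) pair; count malformed frames."""
    packets, octets, malformed = Counter(), Counter(), 0
    for frame in frames:
        try:
            dst, src, _ = parse_header(frame)
        except ValueError:
            malformed += 1  # keep counting rather than abort the capture
            continue
        packets[(src, dst)] += 1
        octets[(src, dst)] += len(frame)
    return packets, octets, malformed

def build(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Helper (hypothetical) that assembles a frame for the sample below."""
    raw = bytes.fromhex((dst + src).replace(":", ""))
    return raw + struct.pack("!H", ethertype) + payload

# Constructed sample traffic using locally administered addresses.
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
SAMPLE = [
    build(B, A, 0x0800, b"x" * 46),          # A -> B, IPv4
    build(B, A, 0x0800, b"y" * 100),         # A -> B, IPv4
    build(BROADCAST, C, 0x0806, bytes(46)),  # C -> broadcast, ARP
    build(A, B, 0x0800, b"z" * 46),          # B -> A, IPv4
    b"\x02\x00\x00",                         # truncated frame
]

if __name__ == "__main__":
    pk, by, bad = conversations(SAMPLE)
    for pair, n in pk.most_common():
        print(pair, n, "packets", by[pair], "bytes")
    print("malformed:", bad)
```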
There is a wealth of information that may be extracted from network traffic data. This network traffic information may be used for a variety of purposes, including capacity planning, configuration guidance, network troubleshooting, investigating network user acceptable use violations, monitoring network user behavior, and so on. Yet it requires time, effort, and expertise on the part of the network manager to investigate and analyze the data, possibly diagnose issues, and determine a course of action. It would be beneficial if the network management system could proactively analyze the data, diagnose issues, and make recommendations for courses of action.
The amount of network traffic data and the different ways it can be analyzed for different purposes are endless. However, analyzing the data properly requires effort that most network administrators do not have the time or resources to devote. In some cases, even when such data is available, the network administrator doesn't know what course of action should be taken, given the result of the data analysis.
Additionally, different network managers, different industries, or different business functions may have different analyses that they would like performed. It would be beneficial if a network traffic analysis system were extensible so that third parties could extend the system to support their desired analysis and recommendations.