Method and apparatus for mirroring traffic over a network

US 20040003094A1
Filed: 06/18/2003
Published: 01/01/2004
Est. Priority Date: 06/27/2002
Status: Abandoned Application

First Claim

Patent Images

1. A traffic mirroring method of transmitting incoming packets from a source network device to a target network device, comprising the steps of:

(a) duplicating a plurality of ingress packets received at the source network device, wherein a plurality of duplicate packets are formed;

each of the plurality of ingress packets having a destination address information;

(b) encapsulating the plurality of duplicate packets with a mirrored flow encapsulation header, wherein a plurality of mirrored flow encapsulation packets are formed;

(c) transmitting the plurality of mirrored flow encapsulation packets from the source network device to the target network device; and

(d) transmitting each of the plurality of ingress packets from the source network device to one or more network nodes in accordance with the destination address information contained therein;

wherein the target network device receives a substantially identical copy of said plurality of ingress packets received at the source network device after de-encapsulation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for mirroring traffic from a first network device to a second network device are disclosed. The method includes the selecting of one or more qualified packets from an ingress stream using mirror classification criteria; duplicating the one or more qualified packets; appending a mirrored flow encapsulation header with the destination addressing information of the second network device to the duplicate packets; transmitting the duplicate packets from the first network device to the second network device; and removing the mirrored flow encapsulation header at the target network device to regenerate the qualified packets originally received at the first network device. The qualified packets may then be forwarded to an egress port of the second network device and analyzed by a traffic analysis tool, for example. With the invention, the traffic received at the first network device may be analyzed remotely.

265 Citations

56 Claims

1. A traffic mirroring method of transmitting incoming packets from a source network device to a target network device, comprising the steps of:
- (a) duplicating a plurality of ingress packets received at the source network device, wherein a plurality of duplicate packets are formed;
  
  each of the plurality of ingress packets having a destination address information;
  
  (b) encapsulating the plurality of duplicate packets with a mirrored flow encapsulation header, wherein a plurality of mirrored flow encapsulation packets are formed;
  
  (c) transmitting the plurality of mirrored flow encapsulation packets from the source network device to the target network device; and
  
  (d) transmitting each of the plurality of ingress packets from the source network device to one or more network nodes in accordance with the destination address information contained therein;
  
  wherein the target network device receives a substantially identical copy of said plurality of ingress packets received at the source network device after de-encapsulation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 31, 32, 40)
- - 2. The traffic mirroring method of claim 1, wherein the mirrored flow encapsulation header comprises a network layer encapsulation header.
  - 3. The traffic mirroring method of claim 2, wherein the network layer encapsulation header is an Internet Protocol header that comprises the destination address of the target network device.
  - 4. The traffic mirroring method of claim 3, wherein the at least one of the plurality of ingress packets comprises a network layer header comprising an Internet Protocol destination address of an intended recipient reachable through the source network device.
  - 5. The traffic mirroring method of claim 4, wherein the at least one of the plurality of ingress packets comprises a data link layer header including a media access control destination address of the source network device.
  - 6. The traffic mirroring method of claim 1, wherein the method further includes a step of encapsulating the plurality of duplicate packets with a mirrored flow encapsulation footer.
  - 7. The traffic mirroring method of claim 6, wherein the mirrored flow encapsulation footer comprises a frame check sequence accounting for the size of the mirrored flow encapsulation header.
  - 8. The traffic mirroring method of claim 1, wherein the method further includes, prior to duplicating the plurality of ingress packets, a step of selecting said plurality of ingress packets using mirror classification criteria to identify a subset of ingress traffic received at the source network device.
  - 9. The traffic mirroring method of claim 8, wherein the mirror classification criteria include criteria selected from the group consisting of:
    - ingress and egress physical port number, OSI model layer 2 source address, OSI model layer 2 destination address, OSI model layer 3 source address, OSI model layer 3 destination address, VLAN tag, MPLS labels, protocol, application, and quality of service parameters.
  - 10. The traffic mirroring method of claim 1, wherein the target network device removes the mirrored flow encapsulation header from the plurality of mirrored flow encapsulation packets.
  - 11. The traffic mirroring method of claim 1, wherein the source network device is a switching device for performing OSI model layer 2 and layer 3 packet processing.
  - 12. The traffic mirroring method of claim 11, wherein the target network device is a switching device for performing OSI model layer 2 and layer 3 packet processing.
  - 31. The traffic mirroring method of claim 1, wherein the mirrored flow encapsulation header comprises a label for switching the plurality of mirrored flow encapsulation packets between the source network device and target network device.
  - 32. The traffic mirroring method of claim 31, wherein the label is a MPLS label.
  - 40. The traffic mirroring method of claim 39, wherein the information used in the transmitting step of claim 1 is determined independently of the information used in the transmitting step of claim 2.

13. A source network device for transmitting a substantially identical copy of one or more qualified packets to a target network device, the source network device comprising:
- (a) a flow resolution logic for;
  
  (i) processing one or more packets from an ingress stream for switching, wherein one or more egress packets is formed; and
  
  (ii) selecting one or more qualified packets from the ingress stream;
  
  (b) a replicator for duplicating the one or more qualified packets, wherein one or more duplicate packets are formed;
  
  (c) an encapsulation module for appending a mirrored flow encapsulation header to each of the one or more duplicate packets, wherein one or more mirrored flow encapsulation packets are formed; and
  
  (d) one or more queue memory devices for buffering the;
  
  (i) one or more egress packets prior to transmission to one or more network nodes, and (ii) one or more mirrored flow encapsulation packets prior to transmission to the target network device.
- View Dependent Claims (14, 15, 16, 17, 18, 33, 34)
- - 14. The source network device of claim 13, wherein the mirrored flow encapsulation header comprises a network layer encapsulation header including the destination address of the target network device.
  - 15. The source network device of claim 14, wherein the at least one of the one or more qualified packets comprises a network layer header including an Internet Protocol destination address of an intended recipient reachable through the source network device.
  - 16. The source network device of claim 13, wherein the source network device is a switching device for performing OSI model layer 2 and layer 3 packet processing.
  - 17. The source network device of claim 13, wherein the flow resolution logic uses mirror classification criteria for selecting the one or more qualified packets from the ingress traffic stream.
  - 18. The source network device of claim 17, wherein the mirror classification criteria include criteria selected from the group consisting of:
    - ingress and egress port number, OSI model layer 2 source address, OSI model layer 2 destination address, OSI model layer 3 source address, OSI model layer 3 destination address, VLAN tag, MPLS label, protocol, application, and quality of service parameter.
  - 33. The source network device of claim 13, wherein the mirrored flow encapsulation header comprises a label for switching the plurality of mirrored flow encapsulation packets between the source network device and target network device.
  - 34. The source network device of claim 33, wherein the label is a MPLS label.

19. A target network device for receiving one or more mirrored flow encapsulation packets from a source network device, each of the mirrored flow encapsulation packets comprising a mirrored flow encapsulation header and a qualified packet, the target network device comprising:
- (a) a flow resolution logic for;
  
  (i) processing one or more packets from an ingress stream for switching, wherein one or more egress packets are formed; and
  
  (ii) selecting one or more mirrored flow encapsulation packets from an ingress stream;
  
  (b) a de-encapsulation module for removing the mirrored flow encapsulation header from each of the one or more mirrored flow encapsulation packets;
  
  wherein one or more qualified packets substantially identical to that received at the source network device are regenerated.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 29, 30, 35, 36, 37)
- - 20. The target network device of claim 19, wherein the device further comprises one or more queue memory devices for buffering the one or more egress packets prior to transmission to one or more network nodes, and one or more qualified packets prior to transmission to an egress port of the target network device.
  - 21. The target network device of claim 20, wherein the egress port to which each qualified packet is distributed is designated by a network administrator.
  - 22. The target network device of claim 20, wherein at least one of the qualified packets transmitted to the egress port of the target network device retains a destination address for the source network device.
  - 23. The target network device of claim 19, wherein the mirrored flow encapsulation header comprises a network layer encapsulation header including a destination address of the target network device.
  - 24. The target network device of claim 23, wherein one or more of the qualified packets comprises a network layer header including an Internet Protocol destination address of an intended recipient reachable through the source network device.
  - 25. The target network device of claim 19, wherein the target network device is a switching device for performing OSI model layer 2 and layer 3 packet processing.
  - 26. The target network device of claim 19, wherein the flow resolution logic uses target classification criteria to select the one or more mirrored flow encapsulation packets from the ingress stream.
  - 27. The target network device of claim 26, wherein the target classification criteria uses a UDP port number to select one or more mirrored flow encapsulation packets from the ingress stream.
  - 29. The source network device of claim 27, wherein the source network device is a switching device for performing OSI model layer 2 and layer 3 packet processing.
  - 30. The target network device of claim 27, wherein the target network device is a switching device for performing OSI model layer 2 and layer 3 packet processing.
  - 35. The target network device of claim 19, wherein the mirrored flow encapsulation header comprises a label for switching the plurality of mirrored flow encapsulation packets between the source network device and target network device.
  - 36. The target network device of claim 35, wherein the label is a MPLS label.
  - 37. The target network device of claim 26, wherein the target classification criteria uses a MPLS label to select one or more mirrored flow encapsulation packets from the ingress stream.

28. A method for mirroring one or more qualified packets from a source network device to a target network device, the method comprising the steps of:
- (a) selecting one or more qualified packets from an ingress stream using mirror classification criteria;
  
  (b) duplicating the one or more qualified packets, wherein duplicate packets are formed;
  
  (c) appending a mirrored flow encapsulation header to the duplicate packets, the mirrored flow encapsulation header comprising destination addressing information for the target network device, wherein one or more mirrored flow encapsulation packets are formed;
  
  (d) transmitting the mirrored flow encapsulation packets from the source network device to the target network device;
  
  (e) removing the mirrored flow encapsulation header from the one or more mirrored flow encapsulation packets at the target network device, wherein the plurality of qualified packets are regenerated; and
  
  (f) forwarding the one or more qualified packets to an egress port independent of the destination address contained therein.

38. A traffic mirroring method, comprising the steps of:
- (a) receiving an ingress packet on a first network node;
  
  (b) duplicating the ingress packet, such that a duplicate packet is formed;
  
  (c) encapsulating the duplicate packet with a mirrored flow header; and
  
  (d) transmitting, using information in the mirrored flow header, the duplicate packet from the first network node to a second network node.
- View Dependent Claims (39, 41, 42, 43, 44, 45)
- - 39. The traffic mirroring method of claim 38, wherein the method further comprises the step of transmitting, using information in a header of the ingress packet, the ingress packet to a third network node.
  - 41. The traffic mirroring method of claim 38, wherein the method further comprises the step of classifying, using mirrored fLow classification criteria, the ingress packet as a mirrored flow packet.
  - 42. The traffic mirroring method of claim 41, wherein the mirrored flow classification criteria include one or more criteria selected from the group consisting of:
    - ingress and egress port, source MAC address, destination MAC address, IP source address, IP destination address, VLAN identifier and MPLS label.
  - 43. The traffic mirroring method of claim 38,further comprising the steps of de-capsulating the duplicate packet;
    - and transmitting the duplicate packet to an analysis device.
  - 44. The traffic mirroring method of claim 38, wherein the first network node is a switching device performing OSI model layer 2 and layer 3 packet processing.
  - 45. The traffic mirroring method of claim 38, wherein the second network node is a switching device performing OSI model layer 2 and layer 3 packet processing.

46. A traffic mirroring system for a communication network, comprising:
- (a) a first network node; and
  
  (b) a second network node interconnected to the first network node;
  
  wherein the first network node receives an ingress packet, duplicates the ingress packet such that a duplicate packet is formed, encapsulates the duplicate packet with a mirrored flow header and transmits, using information in the mirrored flow header, the duplicate packet from a first network node to the second network node.
- View Dependent Claims (47, 48, 49, 50, 51)
- - 47. The traffic mirroring system of claim 46, wherein the ingress packet is transmitted to a third network node using information in a header of the ingress packet.
  - 48. The traffic mirroring system of claim 47, wherein the information used in the transmission of claim 46 is determined independently of the information used in the transmission of claim 47.
  - 49. The traffic mirroring system of claim 46, wherein the first network node further classifies, using mirrored flow classification criteria, the ingress packet as a mirrored flow packet.
  - 50. The traffic mirroring system of claim 49, wherein the mirrored flow classification criteria include one or more criteria selected from the group consisting of:
    - ingress and egress port, source MAC address, destination MAC address, IP source address, IP destination address, VLAN identifier and MPLS label.
  - 51. The traffic mirroring system of claim 46, wherein, upon receipt of the duplicate packet from the first node, the second node de-capsulates the duplicate packet and transmits the duplicate packet to an analysis device.

52. A transmitting network node of a flow mirroring system for a communication network, comprising:
- (a) an ingress module for receiving an ingress packet on an input port;
  
  (b) a classification module for classifying the ingress packet as belonging to a mirrored flow;
  
  (c) a replication module for duplicating the ingress packet, such that a duplicate packet is formed;
  
  (d) an encapsulation module for appending a mirrored flow header to the duplicate packet;
  
  (e) a memory for temporarily storing the duplicate packet; and
  
  (f) an egress module for transmitting, using information in the mirrored flow header, the duplicate packet on an output port.
- View Dependent Claims (53, 54)
- - 53. The network node of claim 52 wherein the memory is further arranged for temporarily storing the ingress packet, and further comprising a second egress module for transmitting, using information in a header of the ingress packet, the ingress packet on a second output port.
  - 54. The network node of claim 52, wherein the classification module classifies the packet as belonging to a mirrored flow based on one or more criteria selected from the group consisting of:
    - ingress and egress port, source MAC address, destination MAC address, IP source address, IP destination address, VLAN identifier and MPLS label.

55. A receiving network node of a flow mirroring system for a communication network, comprising:
- (a) an ingress module for receiving a duplicate packet on an input port;
  
  (b) a classification module for classifying the duplicate packet as belonging to a mirrored flow;
  
  (c) a de-capsulation module for removing a mirrored flow header from the duplicate packet;
  
  (d) a memory for temporarily storing the duplicate packet; and
  
  (e) an egress module for transmitting the duplicate packet on an output port.
- View Dependent Claims (56)
- - 56. The network node of claim 55, wherein the output port on which the duplicate packet is transmitted is selected independent of any addressing information in the duplicate packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel SA (Nokia Corporation)
Original Assignee
Alcatel SA (Nokia Corporation)
Inventors
See, Michael

Application Number

US10/465,070
Publication Number

US 20040003094A1
Time in Patent Office

Days
Field of Search
US Class Current

709/227
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/14   using software, i.e. softwa...

Y02D 30/50   in wire-line communication ...

Method and apparatus for mirroring traffic over a network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

265 Citations

56 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for mirroring traffic over a network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

265 Citations

56 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others