HYBRID CLOUD NETWORK MONITORING SYSTEM FOR TENANT USE

US 20160182336A1
Filed: 12/22/2014
Published: 06/23/2016
Est. Priority Date: 12/22/2014
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic in a cloud computing system, the method comprising:

receiving a request to capture network traffic of a tenant port of a first virtual machine (VM) executing in the cloud computing system, wherein the first VM is associated with a first tenant organization different from a second organization managing the cloud computing system;

instantiating a decapsulating VM having a first network interface and a second network interface, wherein the decapsulating VM is inaccessible to the first tenant organization;

establishing an encapsulated port mirroring session from the tenant port of the first VM to the first network interface of the decapsulating VM;

decapsulating, by execution of the decapsulating VM, a plurality of packets comprising captured network traffic received via the encapsulated port mirroring session; and

forwarding the captured network traffic via the second network interface of the decapsulating VM to a sniffer VM.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network traffic in a cloud computing system is monitored in response to a request to capture network traffic of a tenant port of a first virtual machine (VM) executing in the cloud computing system, wherein the first VM is associated with a first tenant organization different from a second organization managing the cloud computing system. A decapsulating VM having a first network interface and a second network interface is instantiated, wherein the decapsulating VM is inaccessible to the first tenant organization. An encapsulated port mirroring session from the tenant port of the first VM to the first network interface of the decapsulating VM is then established. A plurality of packets comprising captured network traffic received via the encapsulated port mirroring session are decapsulated, and the captured network traffic is forwarded via the second network interface of the decapsulating VM to a sniffer VM.

119 Citations

20 Claims

1. A method for monitoring network traffic in a cloud computing system, the method comprising:
- receiving a request to capture network traffic of a tenant port of a first virtual machine (VM) executing in the cloud computing system, wherein the first VM is associated with a first tenant organization different from a second organization managing the cloud computing system;
  
  instantiating a decapsulating VM having a first network interface and a second network interface, wherein the decapsulating VM is inaccessible to the first tenant organization;
  
  establishing an encapsulated port mirroring session from the tenant port of the first VM to the first network interface of the decapsulating VM;
  
  decapsulating, by execution of the decapsulating VM, a plurality of packets comprising captured network traffic received via the encapsulated port mirroring session; and
  
  forwarding the captured network traffic via the second network interface of the decapsulating VM to a sniffer VM.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the encapsulated port mirroring session comprises an Encapsulated Remote Switched Port Analyzer (ERSPAN) session configured to encapsulate captured Layer-2 network traffic at the tenant port using Layer-3 packets.
  - 3. The method of claim 1, wherein decapsulating the plurality of packets comprising the captured network traffic received via the encapsulated port mirroring session further comprises:
    - extracting the captured network traffic from the plurality of packets comprised of Layer-3 packets, wherein the captured network traffic comprises Layer-2 packets; and
      
      modifying a destination MAC address of the captured network traffic to be a MAC address associated with the sniffer VM.
  - 4. The method of claim 1, wherein the first VM is executing on a first host and the decapsulating VM is executing on a second host inaccessible to the first tenant organization.
  - 5. The method of claim 1, wherein the sniffer VM is managed by the first tenant organization and includes a network traffic analyzer application.
  - 6. The method of claim 1, wherein forwarding the captured network traffic via the second network interface of the decapsulating VM to the sniffer VM further comprises:
    - transmitting the captured network traffic to the sniffer VM via a virtual distributed switch shared by the decapsulating VM and the sniffer VM.
  - 7. The method of claim 1, further comprising:
    - launching a plurality of sending threads executing in parallel with one another, each sending thread corresponding to one of a plurality of sniffer VMs, wherein each sending thread forwards captured network traffic via the second network interface of the decapsulating VM to the corresponding sniffer VM.

8. A non-transitory computer-readable medium comprising instructions executable by a host computer in a cloud computing system, where the instructions, when executed, cause the host computer to carry out a method for monitoring network traffic in the cloud computing system, the method comprising:
- receiving a request to capture network traffic of a tenant port of a first virtual machine (VM) executing in the cloud computing system, wherein the first VM is associated with a first tenant organization different from a second organization managing the cloud computing system;
  
  instantiating a decapsulating VM having a first network interface and a second network interface, wherein the decapsulating VM is inaccessible to the first tenant organization;
  
  establishing an encapsulated port mirroring session from the tenant port of the first VM to the first network interface of the decapsulating VM;
  
  decapsulating, by execution of the decapsulating VM, a plurality of packets comprising captured network traffic received via the encapsulated port mirroring session; and
  
  forwarding the captured network traffic via the second network interface of the decapsulating VM to a sniffer VM.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable medium of claim 8, wherein the encapsulated port mirroring session comprises an Encapsulated Remote Switched Port Analyzer (ERSPAN) session configured to encapsulate captured Layer-2 network traffic at the tenant port using Layer-3 packets.
  - 10. The computer-readable medium of claim 8, wherein decapsulating the plurality of packets comprising the captured network traffic received via the encapsulated port mirroring session further comprises:
    - extracting the captured network traffic from the plurality of packets comprised of Layer-3 packets, wherein the captured network traffic comprises Layer-2 packets; and
      
      modifying a destination MAC address of the captured network traffic to be a MAC address associated with the sniffer VM.
  - 11. The computer-readable medium of claim 8, wherein the first VM is executing on a first host and the decapsulating VM is executing on a second host inaccessible to the first tenant organization.
  - 12. The computer-readable medium of claim 8, wherein the sniffer VM is managed by the first tenant organization and includes a network traffic analyzer application.
  - 13. The computer-readable medium of claim 8, wherein forwarding the captured network traffic via the second network interface of the decapsulating VM to the sniffer VM further comprises:
    - transmitting the captured network traffic to the sniffer VM via a virtual distributed switch shared by the decapsulating VM and the sniffer VM.
  - 14. The computer-readable medium of claim 8, wherein the method further comprises:
    - launching a plurality of sending threads executing in parallel with one another, each sending thread corresponding to one of a plurality of sniffer VMs, wherein each sending thread forwards captured network traffic via the second network interface of the decapsulating VM to the corresponding sniffer VM.

15. A cloud computing system, comprising:
- a plurality of host computers, each of which is configured to execute one or more virtual machines (VMs) therein; and
  
  a management server configured to manage resources of the cloud computing system, wherein the plurality of host computers and the management server are programmed to carry out a method for monitoring network traffic in the cloud computing system, the method comprising;
  
  receiving a request to capture network traffic of a tenant port of a first VM executing in the cloud computing system, wherein the first VM is associated with a first tenant organization different from a second organization managing the cloud computing system;
  
  instantiating a decapsulating VM having a first network interface and a second network interface, wherein the decapsulating VM is inaccessible to the first tenant organization;
  
  establishing an encapsulated port mirroring session from the tenant port of the first VM to the first network interface of the decapsulating VM;
  
  decapsulating, by execution of the decapsulating VM, a plurality of packets comprising captured network traffic received via the encapsulated port mirroring session; and
  
  forwarding the captured network traffic via the second network interface of the decapsulating VM to a sniffer VM.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the encapsulated port mirroring session comprises an Encapsulated Remote Switched Port Analyzer (ERSPAN) session configured to encapsulate captured Layer-2 network traffic at the tenant port using Layer-3 packets.
  - 17. The system of claim 15, wherein decapsulating the plurality of packets comprising the captured network traffic received via the encapsulated port mirroring session further comprises:
    - extracting the captured network traffic from the plurality of packets comprised of Layer-3 packets, wherein the captured network traffic comprises Layer-2 packets; and
      
      modifying a destination MAC address of the captured network traffic to be a MAC address associated with the sniffer VM.
  - 18. The system of claim 15, wherein the first VM is executing on a first host and the decapsulating VM is executing on a second host inaccessible to the first tenant organization.
  - 19. The system of claim 15, wherein the sniffer VM is managed by the first tenant organization and includes a network traffic analyzer application.
  - 20. The system of claim 15, wherein forwarding the captured network traffic via the second network interface of the decapsulating VM to the sniffer VM further comprises:
    - transmitting the captured network traffic to the sniffer VM via a virtual distributed switch shared by the decapsulating VM and the sniffer VM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
DOCTOR, Brad, PROBST, Matt

Granted Patent

US 9,860,309 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 43/062   related to network traffic

H04L 43/12   Network monitoring probes

H04L 43/20   the monitoring system or th...

H04L 67/10   in which an application is ...

HYBRID CLOUD NETWORK MONITORING SYSTEM FOR TENANT USE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HYBRID CLOUD NETWORK MONITORING SYSTEM FOR TENANT USE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links