Sample netflow for network traffic data collection

US 7,193,968 B1
Filed: 02/08/2001
Issued: 03/20/2007
Est. Priority Date: 02/08/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

collecting network traffic data wherein said collecting comprisesreceiving a group of information,determining whether to process the group of information for network traffic data collection, whereinsaid determining is performed according to one of a plurality of sampling algorithms,processing the group of information for network traffic data collection if the determination is to process the group of information, wherein the processing further comprises;

creating a traffic information packet, wherein the traffic information packet includes a sampling mode field indicating the sampling algorithm used; and

transmitting the traffic information packet to a network traffic data collection application; and

forwarding the group of information to a destination.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A new network traffic data collection technique is presented. A group of information is received, and a determination is made whether to process the group of information for network data collection according to a sample mode and a sample rate. If the determination is to process the group of information, the group of information is processed for network data collection. The group of information is forwarded according to its destination address. The group of information can be an IP packet and the sample mode can be, for example, one of linear, exponential, natural log, burst and traffic attribute. To process the group of information, a determination is made whether the group of information is part of one or more recorded traffic flows. If not, a new entry in a table is created. If so, a field in an existing entry in the table is incremented. In addition, a traffic information packet is created and transmitted to a network traffic data collection application. The traffic information packet can consist of a header and one or more flow records.

Citations

31 Claims

1. A method comprising:
- collecting network traffic data wherein said collecting comprisesreceiving a group of information,determining whether to process the group of information for network traffic data collection, whereinsaid determining is performed according to one of a plurality of sampling algorithms,processing the group of information for network traffic data collection if the determination is to process the group of information, wherein the processing further comprises;
  
  creating a traffic information packet, wherein the traffic information packet includes a sampling mode field indicating the sampling algorithm used; and
  
  transmitting the traffic information packet to a network traffic data collection application; and
  
  forwarding the group of information to a destination.
- View Dependent Claims (2, 3, 4, 5, 6, 24, 28)
- - 2. The method of claim 1 wherein the group of information is an IP packet.
  - 3. The method of claim 1 wherein forwarding the group of information to the destination comprises:
    - identifying the destination using a forwarding table;
      
      if the destination is in the forwarding table, automatically forwarding the group of information to the destination; and
      
      otherwise sending the group of information to one or more processing engines to determine routing to the destination and forwarding the group of information according to the determined routing.
  - 4. The method of claim 1 wherein forwarding the group of information to the destination is performed after processing the group of information.
  - 5. The method of claim 1 wherein the processing of the group of information for network traffic data collection comprises:
    - determining if the group of information is part of one or more recorded traffic flows;
      
      creating a new entry in a table if the group of information is not part of the one or more recorded traffic flows;
      
      incrementing a field in an existing entry in the table if the group of information is part of the one or more recorded traffic flows; and
      
      time stamping the group of information.
  - 6. The method of claim 1 wherein the traffic information packet comprises a header and one or more flow records.
  - 24. The method of claim 1 wherein said collecting further comprises:
    - selecting the sampling algorithm, wherein the sampling algorithm is one of a linear, an exponential, a natural log, and a burst sampling algorithm, and examination of traffic attribute data in the group of information.
  - 28. The method of claim 1 wherein the traffic information packet includes a sampling interval field.

7. An apparatus comprising:
- means for receiving a group of information; and
  
  means for collecting network traffic data said means for collecting comprisingmeans for determining whether to process the group of information for network traffic data collection, whereinthe means for determining comprises a means for sampling,means for processing the group of information for network traffic data collection if the determination is to process the group of information, wherein the means for processing further comprises;
  
  a means for creating a traffic information packet, wherein the traffic information packet includes a sampling mode field indicating one of a plurality of sampling algorithms used; and
  
  a means for transmitting the traffic information packet to a network traffic data collection application; and
  
  means for forwarding the group of information to a destination.
- View Dependent Claims (8, 9, 10, 11, 25, 29)
- - 8. The apparatus of claim 7 wherein the group of information is an IP packet.
  - 9. The apparatus of claim 7 wherein the means for forwarding the group of information to the destination comprises:
    - means for identifying the destination using a forwarding table;
      
      means for automatically forwarding the group of information to the destination if the destination is in the forwarding table; and
      
      means for sending the group of information to one or more processing engines to determine routing to the destination and then forward the group of information according to the determined routing otherwise.
  - 10. The apparatus of claim 7 wherein the means for processing of the group of information for network traffic data collection comprises:
    - means for determining if the group of information is part of one or more recorded traffic flows;
      
      means for creating a new entry in a table if the group of information is not part of the one or more recorded traffic flows;
      
      means for incrementing a field in an existing entry in the table if the group of information is part of the one or more recorded traffic flows; and
      
      means for time stamping the group of information.
  - 11. The apparatus of claim 7 wherein the traffic information packet comprises a header and one or more flow records.
  - 25. The apparatus of claim 7 wherein the means for determining further comprises:
    - means for selecting the means for sampling from one of a means for linear sampling,a means for exponential sampling,a means for natural log sampling,a means for burst sampling, anda means for examining traffic attribute data in the group of information.
  - 29. The apparatus of claim 7 wherein the traffic information packet includes a sampling interval field.

12. A network node comprising:
- a processing engine, whereinthe processing engine is configured to collect network traffic data; and
  
  a memory coupled to the processing engine and the memory is configured to store instructions configured to cause the processing engine toreceive a group of information;
  
  determine whether to process the group of information for network traffic data collection according to one of a plurality of sampling algorithms;
  
  process the group of information for network traffic data collection if the determination is to process the group of information;
  
  create a traffic information packet, wherein the traffic information packet includes a sampling mode field indicating the sample algorithm used;
  
  transmit the traffic information packet to a network traffic data collection application; and
  
  forward the group of information to the destination.
- View Dependent Claims (13, 14, 15, 16, 26, 27, 30)
- - 13. The network node of claim 12 wherein the group of information is an IP packet.
  - 14. The network node of claim 12 wherein the set of instructions to forward the group of information to the destination comprises a set of instructions to:
    - identify the destination using a forwarding table;
      
      if the destination is in the forwarding table, automatically forward the group of information to the destination; and
      
      otherwise send the group of information to one or more processing engines to determine routing to the destination and forward the group of information according to the determined routing.
  - 15. The network node of claim 12 wherein the set of instructions to process the group of information for network traffic data collection comprises a set of instructions to:
    - determine if the group of information is part of one or more recorded traffic flows;
      
      create a new entry in a table if the group of information is not part of the one or more recorded traffic flows;
      
      increment a field in an existing entry in the table if the group of information is part of the one or more recorded traffic flows; and
      
      time stamp the group of information.
  - 16. The network node of claim 12 wherein the traffic information packet comprises a header and one or more flow records.
  - 26. The network node of claim 12 having the memory further configured to store instructions to select the sample algorithm from one ofa linear sampling algorithm,an exponential sampling algorithm,a natural log sampling algorithm,a burst sampling algorithm, andselecting the group of information based on an examination of traffic attribute data in the group of information.
  - 27. The network node of claim 12 wherein the network node further comprises:
    - a plurality of processing engines, whereinthe plurality of processing engines comprise the processing engine.
  - 30. The network node of claim 12 wherein the traffic information packet includes a sampling interval field.

17. A router comprising:
- one or more switch fabrics;
  
  one or more destination line cards coupled to the one or more switch fabrics;
  
  a source line card coupled to one of the one or more switch fabrics, whereinthe source line card receives a data packet;
  
  a router processor, coupled to the switch fabric, and configured to determine whether to process the data packet for network traffic data collection according to one of a plurality of sampling algorithms;
  
  process the data packet for network traffic data collection if the determination is to process the data packet;
  
  create a traffic information packet, wherein the traffic information packet includes a sampling mode field indicating the sample algorithm used;
  
  transmit the traffic information packet to a network traffic data collection application; and
  
  forward the data packet to one of the one or more destination line cards.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 31)
- - 18. The router of claim 17 wherein the data packet is an IP packet.
  - 19. The router of claim 17 wherein the router processor is further configured to select the sample algorithm from one of linear sampling exponential sampling, natural log sampling, burst sampling, and selecting the data packet based on an examination of traffic attribute data in the data packet.
  - 20. The router of claim 17 wherein to forward the data packet to one of the one or more destination line cards, the source line card is configured to:
    - identify the one of the one or more destination line cards using a forwarding table;
      
      if the one of the one or more destination line cards is in the forwarding table, automatically forward the data packet to the one of the one or more destination line cards; and
      
      otherwise send the data packet to the router processor wherein the router processor is configured todetermine routing to one of the one or more destination line cards, andthen forward the data packet according to the determined routing.
  - 21. The router of claim 20 wherein the router processor is located on the source line card.
  - 22. The router of claim 17 wherein to process the data packet for network traffic data collection, the source line card is configured to:
    - determine if the data packet is part of one or more recorded traffic flows;
      
      create a new entry in a table if the data packet is not part of the one or more recorded traffic flows;
      
      increment a field in an existing entry in the table if the data packet is part of the one or more recorded traffic flows; and
      
      time stamp the data packet.
  - 23. The router of claim 17 wherein the traffic information packet comprises a header and one or more flow records.
  - 31. The router of claim 17 wherein the traffic information packet includes a sampling interval field.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Dubey, Rakesh K., Calabrese, Angelo D., Kapoor, Ruchi D., Goldberg, Charles I.
Primary Examiner(s)
To; Doris H.
Assistant Examiner(s)
Moore; Ian N.

Application Number

US09/779,248
Time in Patent Office

2,231 Days
Field of Search

370/395.3, 370/395.31, 370/395.5, 370/395.52, 370/230, 370/428, 370/429, 370/419, 370/235, 370/359, 370/381, 370/389, 370/392, 370/149, 370/395.34, 711203-209, 711/211, 709238-244
US Class Current

370/235
CPC Class Codes

H04L 43/022 by sampling

H04L 43/106 using time related informat...

Sample netflow for network traffic data collection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Sample netflow for network traffic data collection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links