Port mirroring for sampling measurement of network flows

US 9,203,711 B2
Filed: 09/24/2013
Issued: 12/01/2015
Est. Priority Date: 09/24/2013
Status: Active Grant

First Claim

Patent Images

1. A method, in a data processing system, for analyzing data traffic through a network, the method comprising:

sampling data packets of a data flow through a normal port of a network forwarding device of the network, wherein the sampling is performed at least by configuring the network forwarding device to implement port mirroring of the normal port to a designated mirror port of the network forwarding device;

forwarding sampled data packets, copied to the mirror port by virtue of the port mirroring, to a collector computing device;

processing, by the collector computing device, the sampled data packets to analyze the data flow through the normal port of the network forwarding device; and

performing, by the collector computing device, an operation based on results of the analysis, wherein a number of mirror ports and a number of normal ports in the network forwarding device are configured according to a desired sampling size or desired sampling rate.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms are provided for analyzing data traffic through a network. The mechanisms sample data packets of a data flow through a normal port of a network forwarding device of the network. The sampling is performed at least by configuring the network forwarding device to implement port mirroring of the normal port to a designated mirror port of the network forwarding device. The mechanisms forward sampled data packets, copied to the mirror port by virtue of the port mirroring, to a collector computing device. The mechanisms process, by the collector computing device, the sampled data packets to analyze the data flow through the normal port of the network forwarding device. The mechanisms perform, by the collector computing device, an operation based on results of the analysis.

Citations

18 Claims

1. A method, in a data processing system, for analyzing data traffic through a network, the method comprising:
- sampling data packets of a data flow through a normal port of a network forwarding device of the network, wherein the sampling is performed at least by configuring the network forwarding device to implement port mirroring of the normal port to a designated mirror port of the network forwarding device;
  
  forwarding sampled data packets, copied to the mirror port by virtue of the port mirroring, to a collector computing device;
  
  processing, by the collector computing device, the sampled data packets to analyze the data flow through the normal port of the network forwarding device; and
  
  performing, by the collector computing device, an operation based on results of the analysis, wherein a number of mirror ports and a number of normal ports in the network forwarding device are configured according to a desired sampling size or desired sampling rate.
- View Dependent Claims (2, 3, 4, 5, 6, 8, 9)
- - 2. The method of claim 1, wherein sampling data packets of the data flow comprises oversubscribing the designated mirror port to thereby saturate the designated mirror port under non-light loads, and wherein data packets that are sampled are data packets that do not exceed a bandwidth of the designated mirror port.
  - 3. The method of claim 1, wherein the sampled data packets are forwarded to the collector computing device without involving a control plane processor of the network forwarding device.
  - 4. The method of claim 1, wherein a number of sampled data packets forwarded per period of time to the collector computing device is dynamic based on an amount of traffic received over the normal port during the period of time.
  - 5. The method of claim 1, further comprising:
    - configuring a network adapter of the collector computing device to be in a promiscuous mode of operation.
  - 6. The method of claim 1, further comprising:
    - recovering original input port metadata associated with the sampled data packets based on data packet forwarding rules implemented in the network forwarding device of the network.
  - 8. The method of claim 1, wherein the network forwarding device is a network switch, the network switch is either a physical or virtual switch of a data processing device, and the normal port and mirror port are either physical or virtual ports of a data processing device.
  - 9. The method of claim 1, wherein the operation is one of a traffic analysis operation or a traffic engineering operation.

7. A method, in a data processing system, for analyzing data traffic through a network, the method comprising:
- sampling data packets of a data flow through a normal port of a network forwarding device of the network, wherein the sampling is performed at least by configuring the network forwarding device to implement port mirroring of the normal port to a designated mirror port of the network forwarding device;
  
  forwarding sampled data packets, copied to the mirror port by virtue of the port mirroring, to a collector computing device;
  
  processing, by the collector computing sampled data packets to analyze the data flow through the normal port of the network forwarding device;
  
  performing, by the collector computing device, an operation based on results of the analysis; and
  
  recovering original input port metadata associated with the sampled data packets based on data packet forwarding rules implemented in the network forwarding device of the network, wherein recovering original input port metadata for the sampled data packets comprises, for each sampled data packet;
  
  correlating packet header information of the sampled data packet with the forwarding rules to determine another device in the network from which the sampled data packet was received; and
  
  determining an input port of the network forwarding device through which the sampled data packet was received based on the determination of the another device.

10. A computer program product comprising a non-transitory computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on a data processing system comprising a network forwarding device and a collector computing device, causes the data processing system to:
- sample data packets of a data flow through a normal port of the network forwarding device, wherein the sampling is performed at least by configuring the network forwarding device to implement port mirroring of the normal port to a designated mirror port of the network forwarding device;
  
  forward sampled data packets, copied to the mirror port by virtue of the port mirroring, to the collector computing device;
  
  process, by the collector computing device, the sampled data packets to analyze the data flow through the normal port of the network forwarding device; and
  
  perform, by the collector computing device, an operation based on results of the analysis, wherein a number of mirror ports and a number of normal ports in the network forwarding device are configured according to a desired sampling size or desired sampling rate.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The computer program product of claim 10, wherein the computer readable program causes the data processing system to sample data packets of the data flow at least by oversubscribing the designated mirror port to thereby saturate the designated mirror port under non-light loads, and wherein data packets that are sampled are data packets that do not exceed a bandwidth of the designated mirror port.
  - 12. The computer program product of claim 10, wherein the sampled data packets are forwarded to the collector computing device without involving a control plane processor of the network forwarding device.
  - 13. The computer program product of claim 10, wherein a number of sampled data packets forwarded per period of time to the collector computing device is dynamic based on an amount of traffic received over the normal port during the period of time.
  - 14. The computer program product of claim 10, wherein the computer readable program further causes the data processing system to:
    - configure a network adapter of the collector computing device to be in a promiscuous mode of operation.
  - 15. The computer program product of claim 10, wherein the computer readable program further causes the data processing system to:
    - recover original input port metadata associated with the sampled data packets based on data packet forwarding rules implemented in the network forwarding device of the network.
  - 16. The computer program product of claim 10, wherein the network forwarding device is a network switch, the network switch is either a physical or virtual switch of a data processing device, and the normal port and mirror port are either physical or virtual ports of a data processing device.

17. A computer program product comprising a non-transitory computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on a data processing system comprising a network forwarding device and a collector computing device, causes the data processing system to:
- sample data packets of a data flow through a normal port of the network forwarding device, wherein the sampling is performed at least by configuring the network forwarding device to implement port mirroring of the normal port to a designated mirror port of the network forwarding device;
  
  forward sampled data packets, copied to the mirror port by virtue of the port mirroring, to the collector computing device;
  
  process, by the collector computing device, the sampled data packets to analyze the data flow through the normal port of the network forwarding device;
  
  perform, by the collector computing device, an operation based on results of the analysis; and
  
  recover original input port metadata associated with the sampled data packets based on data packet forwarding rules implemented in the network forwarding device of the network, wherein the computer readable program causes the data processing system to recover original input port metadata for the sampled data packets at least by, for each sampled data packet;
  
  correlating packet header information of the sampled data packet with the forwarding rules to determine another device in the network from which the sampled data packet was received; and
  
  determining an input port of the network forwarding device through which the sampled data packet was received based on the determination of the another device.

18. A system comprising:
- a network forwarding device; and
  
  a collector computing device communicatively coupled to the network forwarding device, wherein the network forwarding device is configured to;
  
  sample data packets of a data flow through a normal port of the network forwarding device, wherein the sampling is performed at least by configuring the network forwarding device to implement port mirroring of the normal port to a designated mirror port of the network forwarding device; and
  
  forwarding sampled data packets, copied to the mirror port by virtue of the port mirroring, to the collector computing device, and wherein the collector computing devices is configured to;
  
  process the sampled data packets to analyze the data flow through the normal port of the network forwarding device; and
  
  perform, by the collector computing device, an operation based on results of the analysis, wherein a number of mirror ports and a number of normal ports in the network forwarding device are configured according to a desired sampling size or desired sampling rate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Agarwal, Kanak B., Carter, John B., Dixon, Colin K., Rasley, Jeffrey T.
Primary Examiner(s)
Yuen, Kan

Application Number

US14/034,666
Publication Number

US 20150085694A1
Time in Patent Office

798 Days
Field of Search

370/252, 370/253
US Class Current

1/1
CPC Class Codes

H04L 41/14   Network analysis or design

H04L 41/40   using virtualisation of net...

H04L 43/022   by sampling

H04L 43/04   Processing captured monitor...

H04L 43/0876   Network utilisation, e.g. v...

H04L 43/14   using software, i.e. softwa...

H04L 43/20   the monitoring system or th...

Port mirroring for sampling measurement of network flows

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Port mirroring for sampling measurement of network flows

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links