The present invention relates to monitoring network traffic flow, more particularly, to systems and methods for event-based mirroring of data packets.
As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
As the value and use of information continues to increase, individuals and businesses seek additional ways to monitor network traffic. One conventional way to monitor packets flowing through a network device is port mirroring. Port mirroring is used on a network device, such as a switch, to send a copy of network packets seen on one switch port to a network monitoring connection on another switch port. This is commonly used for network appliances that require monitoring of network traffic such as an intrusion detection system, passive probe or real user monitoring (RUM) technology that is used to support application performance management (APM).
Another conventional way to monitor packets flowing through a network device is sampled flow, or sFlow for short. sFlow uses sampling to achieve scalability and is, for this reason, applicable to high speed networks. An sFlow system may sample one packet per a fixed number of incoming packets. Alternatively, the sFlow system may read the header information of each incoming packet and check if the header information has matching parameters specified in a table, such as an ACL table. Then, the sFlow system may sample one packet per a fixed number of incoming packets that have matching parameters, make a copy of the sampled packet and send the copy to a network monitoring connection on another switch port.
There can be a lot of interest in terms of analytics on the switch 100, and the areas of interest include, for instance, dropping, buffering, congestion and causes for these phenomena. The existing mirroring techniques are not suitable for analysis of such phenomena since the existing mirroring techniques sample packets based on two parameters: (1) the identity of the ingress (or egress) port and (2) the header information of packets. Since the sampling is not associated with such phenomena, the packets sampled by the existing mirroring techniques cannot provide any meaningful information on the phenomena in the switch 100. As such, there is a need for monitoring techniques that can sample packets based on the event of interest occurring in a network device.
References will be made to embodiments of the invention, examples of which may be illustrated in the accompanying figures. These figures are intended to be illustrative, not limiting. Although the invention is generally described in the context of these embodiments, it should be understood that it is not intended to limit the scope of the invention to these particular embodiments.
In the following description, for purposes of explanation, specific details are set forth in order to provide an understanding of the invention. It will be apparent, however, to one skilled in the art that the invention can be practiced without these details. Furthermore, one skilled in the art will recognize that embodiments of the present invention, described below, may be implemented in a variety of ways, such as a process, an apparatus, a system, a device, or a method on a tangible computer-readable medium.
Components shown in diagrams are illustrative of exemplary embodiments of the invention and are meant to avoid obscuring the invention. It shall also be understood that throughout this discussion that components may be described as separate functional units, which may comprise sub-units, but those skilled in the art will recognize that various components, or portions thereof, may be divided into separate components or may be integrated together, including integrated within a single system or component. It should be noted that functions or operations discussed herein may be implemented as components or nodes. Components may be implemented in software, hardware, or a combination thereof.
Furthermore, connections between components within the figures are not intended to be limited to direct connections. Rather, data between these components may be modified, re-formatted, or otherwise changed by intermediary components or devices. Also, additional or fewer connections may be used. It shall also be noted that the terms “coupled” “connected” or “communicatively coupled” shall be understood to include direct connections, indirect connections through one or more intermediary devices, and wireless connections.
Furthermore, one skilled in the art shall recognize: (1) that certain steps may optionally be performed; (2) that steps may not be limited to the specific order set forth herein; and (3) that certain steps may be performed in different orders, including being done contemporaneously.
Reference in the specification to “one embodiment,” “preferred embodiment,” “an embodiment,” or “embodiments” means that a particular feature, structure, characteristic, or function described in connection with the embodiment is included in at least one embodiment of the invention and may be in more than one embodiment. The appearances of the phrases “in one embodiment,” “in an embodiment,” or “in embodiments” in various places in the specification are not necessarily all referring to the same embodiment or embodiments.
The use of certain terms in various places in the specification is for illustration and should not be construed as limiting. A service, function, or resource is not limited to a single service, function, or resource; usage of these terms may refer to a grouping of related services, functions, or resources, which may be distributed or aggregated.
In embodiments, a user may specify mirroring of packets based on events within the device 200. For instance, as depicted, the data packet received through the port 202a may pass through a pipeline 208a for data processing, such as buffering. When the egress queue in the buffer 212a is beyond a preset queue length (or, equivalently, marking threshold), i.e., the packets are placed beyond the preset queue length in the buffer 212a, the processor 207 may mark the packets beyond the marking threshold, make copies of the marked packets and send them to the analysis engine 220 via the port 206. Then, the analysis engine 220 may analyze the packets for various purposes so that the network engineer/administrator can monitor and analyze network performance and get a warning when problems occur or predict issues.
In embodiments, the processor 207 may forward the dropped packets to the port 206. The packet received through the port 202a may be dropped for several reasons. For instance, the egress queue in the buffer 212a may not have enough space and hence a packet may be dropped. In another example, the drop may occur because the buffer 212a may not be available for the port/queue combination. In yet another example, the drop may occur due to the global buffer depletion. In still another example, the drop may occur when the size of the packet is bigger than the egress interface maximum transmission unit (MTU), or the egress port 204a is not a member of the virtual local area network (VLAN) that the packet belongs to. In embodiments, when the packet is dropped and forwarded to the analysis engine 220, the analysis engine 220 may analyze the packets for various purposes.
It is noted that the conventional mirroring techniques sample packets based on the identity of the ingress (or egress) port and the header information of packets; and thus, they cannot predict whether each packet will be dropped or not in the pipeline 208. Unlike the conventional mirroring devices, in embodiments, the device 200 allows the network engineer to specify a stage in the pipeline 208 where an event of interest occurs, to thereby understand the problems associated with the event. Stated differently, in embodiments, the device 200 is not, at least not solely, using the explicit parameters of the incoming packets, such as source identification (SID), destination ID, etc.; rather, one or more internal processing conditions are used by the device to identify data traffic for mirroring, i.e., it monitors the transitory occurrence of an event or events in the process flow in the device.
In embodiments, the processor 207 may mark the packets when the packets experience congestion and send the marked packets to the analysis engine 220. For instance, an explicit congestion notification (ECN) bit of a packet may be marked in case of packet congestion. By analyzing the marked packets, the network engineer may know which types of packets are congested and find out which applications are causing the congestion so that proper measures can be taken to prevent the congestion.
Some information of egress queue in the buffer 212a, congestion, and dropping may be inferred by enabling quantized congestion notification (QCN). By trapping QCN to the processor, the network engineer may get some idea of the packets that are being queued up in the congested state. However, this approach is not reliable and has its own issues in terms of the amount of QCN messages that are generated. In embodiments, the device 200 may send only a first few bytes of each mirrored packet along with some detailed header so that analytics of the buffering, utilization and congestion, and data flow related to congestion time can yield valuable information of the network traffic.
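The following Python simulation is an added example, not part of the original specification: it models one egress stage that mirrors packets on internal events (queue beyond the marking threshold, queue full, MTU exceeded, VLAN mismatch) and copies only the first bytes of each mirrored packet. All names, thresholds, the tie between the queue mark and the ECN flag, and the sample burst are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass

# Every name and value here is an assumption made for illustration.
MARK_THRESHOLD = 3       # queue length beyond which packets are marked
QUEUE_CAPACITY = 5       # egress queue size; further arrivals are dropped
EGRESS_MTU = 1500        # bytes
EGRESS_VLANS = {10, 20}  # VLANs the egress port is a member of
SNAP_LEN = 16            # bytes of each mirrored packet that are copied

@dataclass
class Packet:
    flow: str
    vlan: int
    payload: bytes
    ecn: bool = False

def classify_event(pkt, queue_len):
    """Return the internal event a packet hits at the egress stage, or None."""
    if pkt.vlan not in EGRESS_VLANS:
        return "drop:vlan-membership"
    if len(pkt.payload) > EGRESS_MTU:
        return "drop:mtu-exceeded"
    if queue_len >= QUEUE_CAPACITY:
        return "drop:queue-full"
    if queue_len >= MARK_THRESHOLD:
        return "mark:queue-threshold"
    return None

def run_pipeline(packets):
    """Enqueue a burst with no dequeues; return (egress queue, mirror records)."""
    queue, mirrored = deque(), []
    for pkt in packets:
        event = classify_event(pkt, len(queue))
        if event and event.startswith("mark"):
            pkt.ecn = True  # congestion mark; the packet is still forwarded
        if event:  # copy only the first SNAP_LEN bytes plus event metadata
            mirrored.append({"event": event, "flow": pkt.flow,
                             "queue_len": len(queue), "snap": pkt.payload[:SNAP_LEN]})
        if not event or event.startswith("mark"):
            queue.append(pkt)
    return queue, mirrored

def sample_burst():
    """Constructed input: a quiet flow, a bursty flow, and two bad packets."""
    burst = [Packet("app-A", 10, b"A" * 200) for _ in range(2)]
    burst += [Packet("app-B", 20, b"B" * 200) for _ in range(4)]
    burst += [Packet("app-C", 30, b"C" * 200), Packet("app-D", 10, b"D" * 1600)]
    return burst

if __name__ == "__main__":
    for rec in run_pipeline(sample_burst())[1]:
        print(rec["event"], rec["flow"], rec["queue_len"])
```

Every mirrored record carries the event that triggered it, so the analysis side can attribute marks and drops to a flow, which header-only or 1-in-N sampling of the same burst would not reveal.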
In embodiments, the processor 207 may mirror a packet when the parameters of the packet match a set of rules specified in the table 210a. (In
In embodiments, the device 200 may perform the port mirroring and sFlow. For instance, the counter 209 may count the number of packets received through each egress port and mirror out one packet per a preset number of packets. In embodiments, the counter 209 may also be used to collect the statistics on the dropped, congested, or queued packets and report the collected information to the analysis engine 220.
In embodiments, the pipeline 208b for the packets received through the port 202b may be similar to the pipeline 208a, i.e., the functions of the table 210b and buffer 212b may be similar to those of the table 210a and 212a, respectively. In embodiments, the pipeline 208a may have different components than the pipeline 208b so that different types of events may be associated with the mirrored packets.
In
In
For purposes of this disclosure, an information handling system may include any instrumentality or aggregate of instrumentalities operable to compute, calculate, determine, classify, process, transmit, receive, retrieve, originate, switch, route, store, display, communicate, manifest, detect, record, reproduce, handle, or utilize any form of information, intelligence, or data for business, scientific, control, or other purposes. For example, an information handling system may be a personal computer (e.g., desktop or laptop), tablet computer, mobile device (e.g., personal digital assistant (PDA) or smart phone), server (e.g., blade server or rack server), a network storage device, or any other suitable device and may vary in size, shape, performance, functionality, and price. The information handling system may include random access memory (RAM), one or more processing resources such as a central processing unit (CPU) or hardware or software control logic, ROM, and/or other types of nonvolatile memory. Additional components of the information handling system may include one or more disk drives, one or more network ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, touchscreen and/or a video display. The information handling system may also include one or more buses operable to transmit communications between the various hardware components.
In embodiments, the I/O ports 410 may be connected via one or more cables to one or more other network devices or clients. The network processing unit (NPU) 415 may use information included in the network data received at the device 405, as well as information stored in the tables 420, to identify a next hop for the network data, among other possible activities. In embodiments, a switching fabric then schedules the network data for propagation through the device to an egress port for transmission to the next hop.
It shall be noted that aspects of the present invention may be encoded upon one or more non-transitory computer-readable media with instructions for one or more processors or processing units to cause steps to be performed. It shall be noted that the one or more non-transitory computer-readable media shall include volatile and non-volatile memory. It shall be noted that alternative implementations are possible, including a hardware implementation or a software/hardware implementation. Hardware-implemented functions may be realized using ASIC(s), programmable arrays, digital signal processing circuitry, or the like. Accordingly, the “means” terms in any claims are intended to cover both software and hardware implementations. Similarly, the term “computer-readable medium or media” as used herein includes software and/or hardware having a program of instructions embodied thereon, or a combination thereof. With these implementation alternatives in mind, it is to be understood that the figures and accompanying description provide the functional information one skilled in the art would require to write program code (i.e., software) and/or to fabricate circuits (i.e., hardware) to perform the processing required.
One skilled in the art will recognize no computing system or programming language is critical to the practice of the present invention. One skilled in the art will also recognize that a number of the elements described above may be physically and/or functionally separated into sub-modules or combined together.
It will be appreciated to those skilled in the art that the preceding examples and embodiment are exemplary and not limiting to the scope of the present invention. It is intended that all permutations, enhancements, equivalents, combinations, and improvements thereto that are apparent to those skilled in the art upon a reading of the specification and a study of the drawings are included within the true spirit and scope of the present invention.