Title of invention: Large-scale passive network monitoring using multiple tiers of ordinary network switches
Abstract: Passive monitoring of a large-scale network using multiple tiers of ordinary network switches, as opposed to purpose-built network monitoring hardware, is accomplished by initially providing network communications to an initial tier of monitoring switches, either from existing switches that copy frames and provide them to the monitoring switches, or from network taps to which the monitoring switches are connected. The initial tier of monitoring switches comprises flow tables that initially simply drop all frames provided to those switches; subsequently, when specific network issues arise, those flow tables are modified to include a specification of particular frame criteria, so that frames meeting those criteria are either forwarded to subsequent tiers of monitoring switches or have statistics collected about them. Subsequent tiers of monitoring switches receive frames from the initial tier and direct them to one or more appropriate analysis computing devices. Ordinary network switches are selected based on their ability to provide low-latency forwarding.
Publication number: US9363152(B2) Publication date: 2016.06.07
Application number: US201213494010 Application date: 2012.06.11
Applicant: Microsoft Technology Licensing, LLC Inventors: Groves Vernon Richard; Scott Justin W.; Greene Dylan
Classification: H04L12/26; H04L12/46 Main classification: H04L12/26
Agency: Agents: Gabryjelski Henry; Drakos Kate; Minhas Micky
Main claim: 1. A system of ordinary network switches for passively monitoring a production network, the system of ordinary network switches establishing a distinct and parallel network to the production network, the system comprising: a first tier of one or more ordinary network switches communicationally coupled to the production network so as to receive copies of frames of data being transmitted through the production network, each of the one or more ordinary network switches of the first tier comprising a flow table comprising a low priority entry instructing each of the one or more ordinary network switches of the first tier to drop each frame received from the production network, thereby causing the one or more ordinary network switches of the first tier to drop all frames received from the production network unless a higher priority entry in the flow tables of the one or more ordinary network switches of the first tier specifies otherwise; and a second tier of one or more ordinary network switches differing from the one or more ordinary network switches of the first tier and communicationally coupled to the one or more ordinary network switches of the first tier, each of the one or more ordinary network switches of the second tier comprising a flow table comprising at least one entry instructing the one or more ordinary network switches of the second tier to output received frames to at least one analysis computing device differing from one or more destination computing devices to which the received frames were addressed; wherein the production network directs undropped frames to computing devices to which such frames are addressed, while the system directs undropped frames to computing devices differing from the computing devices to which such frames are addressed.
Address: Redmond WA US
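The abstract and the main claim describe the same mechanism: a first tier of commodity switches whose flow tables carry a low-priority catch-all drop entry, higher-priority entries added only when an investigation needs them (either forwarding matching frames onward or merely counting them), and a second tier that steers forwarded frames to analysis hosts rather than their original destinations. The following Python model is an added example, not code from the patent or from Microsoft; it assumes a simplified OpenFlow-style flow table (priority-ordered entries, exact-match fields plus CIDR matching on IP fields, table miss means drop) and uses constructed frames, port names and analyzer names.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# A frame is modelled as a dict of header fields (constructed sample data below).
Frame = Dict[str, object]


@dataclass(order=True)
class FlowEntry:
    """One row of a switch flow table; only priority takes part in ordering."""
    priority: int
    match: Dict[str, str] = field(compare=False)   # empty dict matches every frame
    action: str = field(compare=False)             # "drop", "count" or "output"
    out_port: Optional[str] = field(default=None, compare=False)

    def matches(self, frame: Frame) -> bool:
        for key, wanted in self.match.items():
            if key not in frame:
                return False
            if key in ("ip_src", "ip_dst"):      # CIDR match on IP fields
                if ip_address(str(frame[key])) not in ip_network(wanted):
                    return False
            elif str(frame[key]) != str(wanted):  # exact match on everything else
                return False
        return True


class MonitoringSwitch:
    """An ordinary switch used purely as a monitoring element (hypothetical model)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.table: List[FlowEntry] = []
        self.counters: Dict[Tuple, int] = {}            # hit counts for "count" entries
        self.ports: Dict[str, Callable[[Frame], None]] = {}  # port name -> next hop

    def add_flow(self, priority: int, match: Dict[str, str],
                 action: str, out_port: Optional[str] = None) -> None:
        self.table.append(FlowEntry(priority, match, action, out_port))
        self.table.sort(reverse=True)  # highest priority first; stable on ties

    def connect(self, port: str, handler: Callable[[Frame], None]) -> None:
        self.ports[port] = handler

    def receive(self, frame: Frame) -> str:
        """Apply the first (highest-priority) matching entry; a table miss drops."""
        for entry in self.table:
            if entry.matches(frame):
                if entry.action == "count":
                    key = tuple(sorted(entry.match.items()))
                    self.counters[key] = self.counters.get(key, 0) + 1
                elif entry.action == "output":
                    self.ports[entry.out_port](frame)
                return entry.action
        return "drop"


# Constructed sample frames copied from the production network by a SPAN port or tap.
SAMPLE_FRAMES: List[Frame] = [
    {"ip_src": "10.1.1.5", "ip_dst": "192.0.2.10", "tcp_dport": 443},
    {"ip_src": "10.1.1.5", "ip_dst": "192.0.2.53", "udp_dport": 53},
    {"ip_src": "10.2.2.7", "ip_dst": "192.0.2.10", "tcp_dport": 443},
    {"ip_src": "10.1.1.5", "ip_dst": "192.0.2.25", "tcp_dport": 25},
]


def build_fabric():
    """Two-tier monitoring fabric: tier 1 drops by default, tier 2 steers to analyzers."""
    delivered: Dict[str, List[Frame]] = {"tls-analyzer": [], "dns-analyzer": []}
    tier2 = MonitoringSwitch("tier2")
    tier2.connect("a1", delivered["tls-analyzer"].append)   # hypothetical analyzer hosts
    tier2.connect("a2", delivered["dns-analyzer"].append)
    tier2.add_flow(10, {"tcp_dport": "443"}, "output", "a1")
    tier2.add_flow(10, {"udp_dport": "53"}, "output", "a2")

    tier1 = MonitoringSwitch("tier1")
    tier1.connect("uplink", tier2.receive)
    tier1.add_flow(0, {}, "drop")   # the claim's low-priority catch-all drop entry
    return tier1, tier2, delivered


def run_scenario() -> Dict[str, object]:
    tier1, _tier2, delivered = build_fabric()
    baseline = [tier1.receive(f) for f in SAMPLE_FRAMES]   # nothing leaves tier 1
    # An investigation opens: forward :443 traffic from 10.1.1.0/24 to tier 2,
    # and only collect statistics on DNS frames without forwarding them.
    tier1.add_flow(100, {"ip_src": "10.1.1.0/24", "tcp_dport": "443"}, "output", "uplink")
    tier1.add_flow(50, {"udp_dport": "53"}, "count")
    after = [tier1.receive(f) for f in SAMPLE_FRAMES]
    return {"baseline": baseline, "after": after,
            "delivered": delivered, "counters": tier1.counters}


if __name__ == "__main__":
    result = run_scenario()
    print("before investigation:", result["baseline"])
    print("after investigation: ", result["after"])
    print("delivered to analyzers:", {k: len(v) for k, v in result["delivered"].items()})
    print("tier-1 counters:", result["counters"])
```

Running the scenario shows the property the claim relies on: with only the priority-0 drop entry installed, every copied frame is discarded at the first tier and the analysis hosts see nothing; once the two higher-priority entries are added, only the one frame matching the investigation's criteria reaches an analyzer (via the second tier, not its original destination), the DNS frame is counted but never forwarded, and everything else is still dropped. The monitoring fabric therefore carries traffic only for the specific criteria an operator has opted into, which keeps both its load and its exposure of copied production data to a minimum.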