Search Images Maps Play YouTube News Gmail Drive More »
Sign in
Screen reader users: click this link for accessible mode. Accessible mode has the same essential features but works better with your reader.

Patents

  1. Advanced Patent Search
Publication numberUS20100085891 A1
Publication typeApplication
Application numberUS 12/520,114
PCT numberPCT/IB2007/054447
Publication dateApr 8, 2010
Filing dateNov 2, 2007
Priority dateDec 19, 2006
Also published asCA2669932A1, CN101563908A, CN101563908B, US8861397, US20130238792, WO2008075224A1
Publication number12520114, 520114, PCT/2007/54447, PCT/IB/2007/054447, PCT/IB/2007/54447, PCT/IB/7/054447, PCT/IB/7/54447, PCT/IB2007/054447, PCT/IB2007/54447, PCT/IB2007054447, PCT/IB200754447, PCT/IB7/054447, PCT/IB7/54447, PCT/IB7054447, PCT/IB754447, US 2010/0085891 A1, US 2010/085891 A1, US 20100085891 A1, US 20100085891A1, US 2010085891 A1, US 2010085891A1, US-A1-20100085891, US-A1-2010085891, US2010/0085891A1, US2010/085891A1, US20100085891 A1, US20100085891A1, US2010085891 A1, US2010085891A1
InventorsAndreas Kind, Jan van Lunteren
Original AssigneeAndreas Kind, Van Lunteren Jan
Export CitationBiBTeX, EndNote, RefMan
External Links: USPTO, USPTO Assignment, Espacenet
Apparatus and method for analysing a network
US 20100085891 A1
Abstract
The invention relates to an apparatus for analysing a network flow, comprising—a parser for extracting flow identification information from the network flow, —a flow metering unit for metering the network flow, —a programmable controller for controlling the flow metering unit and the parser.
Images(9)
Previous page
Next page
Claims(18)
1. An apparatus for analysing a network flow, the apparatus comprising:
a parser for extracting flow identification information from the network flow;
a flow metering unit for metering the network flow; and
a programmable controller for controlling the flow metering unit and the parser.
2. The apparatus according to claim 1, wherein the flow metering unit is configured for sending flow status information to the programmable controller and wherein the programmable controller is configured for sending flow metering instructions to the flow metering unit in dependence on the flow status information.
3. The apparatus according to claim 1, wherein the parser is configured for sending parsing information to the programmable controller and wherein the programmable controller is configured for sending parsing instructions to the parser in dependence on the parsing information.
4. The apparatus according to claim 1, wherein the programmable controller is configured for:
evaluating in parallel two or more flow status information values of the flow metering unit; and
sending two or more flow metering instructions in parallel to the flow metering unit.
5. The apparatus according to claim 1, wherein the programmable controller comprises a program memory having two or more flow metering programs.
6. The apparatus according to claim 1, wherein the programmable controller is implemented as state machine.
7. The apparatus according to claim 6, wherein the state machine comprises:
a transition rule memory;
a rule selector; and
a state register;
wherein the rule selector is configured for receiving an external input signal and an internal input signal from the state register indicating the current state and wherein the rule selector is configured for observing the internal and external input signal by means of the transition rule memory for transition rules and for changing the state of the state register and generation of an output signal having parsing and/or flow metering instructions when a transition rule applies.
8. The apparatus according to claim 1, wherein the flow metering unit comprises:
a flow table unit;
a flow table management unit; and
a flow information export unit.
9. The apparatus according to claim 8, wherein the flow table management unit comprises a programmable hash function unit provided with two or more selectable hash functions for mapping the flow identification information on a hash index, wherein the programmable controller is configured for selecting one of the selectable hash functions.
10. The apparatus according to claim 8, wherein the programmable controller is configured for sending table management commands to the table management unit.
11. The apparatus according to claim 1, wherein the apparatus is implemented as hardware assist device.
12. The apparatus according to claim 1, further comprising:
a central processing unit;
a memory; and
a computer networking device.
13. The apparatus according to claim 12, wherein the apparatus is implemented in hardware as hardware assist device for the central processing unit.
14. The apparatus according to claim 1, further comprising:
two or more virtual computing systems;
wherein the apparatus is provided for analysing the network flow between the virtual computing systems and/or between the virtual computing systems and an external device.
15. The apparatus according to claim 14, further comprising:
a software networking device for internal communication between the virtual computing systems; and
a hardware networking device for external communication between the virtual computing systems and an external device;
wherein the software networking device and the hardware networking device are provided for forwarding the network flow between the virtual computing systems and/or between the virtual computing systems and an external device for an analysis to the apparatus.
16. The apparatus according to claim 15, wherein the apparatus is arranged in the hardware networking device.
17. A method for analysing a network flow, comprising the steps of:
extracting flow identification information from the network flow using a parser;
metering the network flow using a flow metering unit; and
controlling the flow metering unit and the parser using a programmable controller.
18. A computer readable program product tangibly embodying computer executable instructions which when implemented, causes the computer to carry out an analysis of a network flow according to the steps of the method according to claim 17.
Description
    TECHNICAL FIELD
  • [0001]
    The invention relates to an apparatus, a method and a computer program for analysing a network flow.
  • BACKGROUND OF THE INVENTION
  • [0002]
    Communication networks, e.g. networks according to the Internet Protocol (IP) are complex and difficult to analyse and to monitor with respect to the end-to-end network traffic flows, also denoted as network flows. A known protocol for analyzing a network flow is the NetFlow protocol that is currently being standardized by the Internet Engineering Task Force (IETF). Details are provided in IETF IP Flow Information Export (IPFIX) at http://www.ietf.org/html.charters/ipfix-charter.html.
  • [0003]
    The NetFlow protocol provides technology for network accounting, bandwidth usage analysis, network anomaly detection, traffic engineering and capacity management.
  • [0004]
    NetFlow is supported at routers, switches, metering appliances and software-based traffic meters. Some high-end routers and switches support NetFlow with dedicated hardware extensions.
  • [0005]
    The realization of extensions in a router or switch for NetFlow or for other network analysis protocols is typically expensive because the extension has to be well integrated into the specific forwarding and routing architecture of the router or switch.
  • [0006]
    It is an object of the invention to provide improved solutions for network flow analysis. It is a further object of the invention to provide an improved apparatus, an improved method, an improved computer system and an improved computer program for analysing a network flow.
  • SUMMARY AND ADVANTAGES OF THE INVENTION
  • [0007]
    The present invention is directed to an apparatus, a computer system, a computer program and a method as defined in independent claims. Further embodiments of the invention are provided in the appended dependent claims.
  • [0008]
    According to a first aspect of the invention there is provided an apparatus for analysing to a network flow, comprising
      • a parser for extracting flow identification information from the network flow,
      • a flow metering unit for metering the network flow,
      • a programmable controller for controlling the flow metering unit and the parser.
  • [0012]
    The architecture of the apparatus according to this aspect of the invention allows for an efficient, flexible and fast implementation of a flow metering function that is able to support a large number of configuration options. Such configuration options might cover different versions of today's or future standards. This architecture provides the benefits of high performance without the drawback of fixed metering functionality and interfaces which only support a single standard.
  • [0013]
    The modular approach of this architecture comprises a parser that is provided for receiving a network flow and for extracting flow identification information from this network flow. The parser can be programmed to extract any desirable combination of flow identification information from the network flow. The flow identification information might e.g. be contained in fields of packet headers of a network flow. As an example, the parser can be programmed to extract the corresponding header fields that are relevant for a specific protocol standard. The flow identification information might comprise e.g. the source and destination IP address, the source and destination port and the IP protocol of the analysed network flow.
  • [0014]
    The network flow identified by the flow identification information is metered by a flow metering unit. The metering of the flow identification information might e.g. comprise timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
  • [0015]
    Both the flow metering unit and the parser are controlled in parallel by a programmable controller. The programmable controller can be individually programmed for the respective application environment, the used protocol standards of to the network flow (e.g. NetFlow v5, v7, v9, IPFIX), the number of flows to be supported and the speed of the respective network. Hence the parser and the flow metering unit are generic units. The specific functionality of these generic units is determined by the programmable controller.
  • [0016]
    According to an embodiment of this aspect of the invention the flow metering unit is provided for sending flow status information to the programmable controller and the programmable controller is provided for sending flow metering instructions to the flow metering unit in dependence on the flow status information.
  • [0017]
    Such a control loop between the flow metering unit and the programmable controller facilitates an efficient, fast and flexible flow metering process and processing.
  • [0018]
    According to another embodiment of this aspect of the invention the parser is provided for sending parsing information to the programmable controller and the programmable controller is provided for sending parsing instructions to the parser in dependence on the parsing information.
  • [0019]
    Such a control loop between the parser and the programmable controller facilitates an efficient, fast and flexible parsing process and processing.
  • [0020]
    According to another embodiment of this aspect of the invention the programmable controller is provided for
      • evaluating in parallel two or more flow status information values of the flow metering unit,
      • sending two or more flow metering instructions in parallel to the flow metering unit.
  • [0023]
    Such a parallel processing structure further facilitates an efficient, fast and flexible flow metering process and processing.
  • [0024]
    According to another embodiment of this aspect of the invention the programmable controller comprises a program memory comprising two or more flow metering to programs.
  • [0025]
    The two or more flow metering programs can e.g. be programmed for different versions of network analysis protocols, for different application environments, for different numbers of flows to be supported and for different speeds of the network.
  • [0026]
    This allows for changing the configuration and application of the apparatus very quickly and easily. Furthermore, it is a flexible and cost effective solution.
  • [0027]
    According to another embodiment of this aspect of the invention the programmable controller is implemented as programmable state machine.
  • [0028]
    The implementation of the programmable controller as programmable state machine is a flexible and cost effective solution.
  • [0029]
    According to another embodiment of this aspect of the invention the programmable state machine comprises a transition rule memory, a rule selector and a state register, wherein the rule selector is provided for receiving an external input signal and an internal input signal from the state register indicating the current state and wherein the rule selector is provided for observing the internal and external input signal by means of the transition rule memory for transition rules and for changing the state of the state register and generation of an output signal comprising parsing and/or flow metering instructions when a transition rule applies.
  • [0030]
    This embodiment is an efficient way of implementing the programmable state machine.
  • [0031]
    The transition rule memory is provided for storing a set of transition rules. A set of transition rules may establish a flow metering program. For different versions of network analysis protocols, for different application environments, for different numbers of flows to be supported and for different speeds of the network a plurality of sets of transition rules might be loaded into the transition rule memory.
  • [0032]
    The rule selector is provided for receiving an external input signal and an internal input signal from the state register. The internal input signal from the state register indicates the current state of the programmable state machine. The external input signal or the external input signals are received from the flow metering unit and/or the parser. The external input signal of the state machine may comprise flow status information, parser information and various other information.
  • [0033]
    The rule selector observes the internal and external input signal by means of the transition rule memory for transition rules. If a predefined transition rules applies, the programmable state machine changes the state of the state register and generation an output signal comprising parsing and/or flow metering instructions
  • [0034]
    In other words, the programmable state machine observes the flow status information and/or the parsing information for predefined states. The state machine changes its state, when such a predefined state is detected. Then the changing state of the state machine triggers control actions for the parser and/or the flow metering unit.
  • [0035]
    According to another embodiment of this aspect of the invention the flow-metering unit comprises
      • a flow table unit
      • a flow table management unit and
      • a flow information export unit.
  • [0039]
    The flow table unit comprises a memory for storing information about the network flows that are analysed by the apparatus. The flow table might e.g. use the 5-tuple definition to characterise a specific network flow. In other words, the flow table may provide an entry for each specific network flow characterized by the 5-tuple definition. According to the example of the 5-tuple definition, a network flow is defined as a unidirectional sequence of packets that have the same source and destination IP address, the same source and destination port and the same IP protocol.
  • [0040]
    For each such entry the flow table may store flow metering information, e.g. to timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
  • [0041]
    The flow table management unit is provided for managing the entries of the flow table. The flow table management unit is controlled by the programmable controller. This flow table management unit may be provided to execute various flow metering instructions received from the programmable controller. Such flow metering instructions may include instructions for updating the flow table unit, creating a new entry in the flow table unit and checking the status or specific entries of the flow table unit. The flow table management unit may be implemented using a conventional hard-wired state machine.
  • [0042]
    As an example, the flow table management unit may check upon reception of a check-command from the programmable controller if the flow table already contains an entry for an identified network flow. As a result it could provide an indication (implemented as a single-bit flag) back to programmable controller that indicates if an entry for this identified network flow already exists or that the identified network flow is a new flow that is not present in the flow table of the flow table unit.
  • [0043]
    In response to receiving the indication that a network flow either exists or not, the programmable controller may dispatch further flow metering instructions to the table management unit to either update an existing flow table entry, to create a new flow table entry or to create a complete new flow table with a corresponding “update”, “create new flow table entry” or “create new flow table” command.
  • [0044]
    The flow information export unit is provided for exporting flow information to another location or entity. The flow information export unit is controlled by the programmable controller as well. The programmable controller may trigger the export of flow metering information by dispatching an export-command to the flow information export unit.
  • [0045]
    According to another embodiment of this aspect of the invention the flow table management unit comprises a programmable hash function unit provided with two or more selectable hash functions for mapping the flow identification information on a hash index, wherein the programmable controller is provided for selecting one of the selectable hash functions.
  • [0046]
    Hash functions are widely used to improve the efficiency of network flow analysis and network flow metering. However, different standards and different protocol versions of flow metering standards use different hash functions. By means of providing a programmable hash function unit, the apparatus according to this embodiment of the invention can support these different standards and protocol versions.
  • [0047]
    According to another embodiment of this aspect of the invention the programmable controller is provided for sending table management commands to the table management unit.
  • [0048]
    Such table management commands may be e.g. an update-command, a create-command or a check-command.
  • [0049]
    According to another embodiment of this aspect of the invention the apparatus is implemented as hardware assist device.
  • [0050]
    The implementation of the apparatus as hardware assist device has the advantage that it can be implemented in a system without requiring processor or processing load of this system.
  • [0051]
    A second aspect of the invention relates to a computer system comprising a central processing unit, a memory and a computer networking device, comprising an apparatus according to the first aspect of the invention for analysing the network flow in the computer networking device.
  • [0052]
    The computer networking device may be e.g. a switch or a router. The apparatus works as hardware assist device for the central processing unit of the computer system. This allows for an analysis of the network flow without loading the central processor.
  • [0053]
    A third aspect of the invention relates to a computer system comprising two or more virtual computing systems, further comprising an apparatus according to the first aspect of the invention, wherein the apparatus is provided for analysing the network flow between the virtual computing systems and/or between the virtual computing systems and an external device.
  • [0054]
    This allows for monitoring and analysing the network flow between the virtual computing systems in a scalable way without any additional software to be available on the computer system and on the virtual computing systems.
  • [0055]
    According to a further embodiment of this aspect of the invention the computer system comprises
      • a software networking device for internal communication between the virtual computing systems,
      • a hardware networking device for external communication between the virtual computing systems and an external device,
        wherein the software networking device and the hardware networking device are provided for forwarding the network flow between the virtual computing systems and/or between the virtual computing systems and an external device for an analysis to the apparatus according to the first aspect of the invention.
  • [0058]
    This architecture allows for an efficient implementation of a network flow function within a virtualized environment.
  • [0059]
    The software networking device may be e.g. a software switch, i.e. a switch implemented in software. The hardware networking device may be e.g. a hardware switch, i.e. a switch implemented in hardware.
  • [0060]
    The external device can be e.g. another computer system, a network, the internet or any other destination.
  • [0061]
    According to a further embodiment of this aspect of the invention the apparatus is arranged in the hardware networking device.
  • [0062]
    A fourth aspect of the invention relates to a method for analysing a network flow, comprising the steps of
      • extracting flow identification information from the network flow by means of a parser,
      • metering the network flow by means of a flow metering unit,
      • controlling the flow metering unit and the parser by means of a programmable controller.
  • [0066]
    A fifth aspect of the invention relates to a flow metering computer program comprising instructions for carrying out a flow metering program on a programmable controller, the flow metering computer program being provided for controlling the flow metering unit and the parser of an apparatus according to the first aspect of the invention.
  • [0067]
    Preferred embodiments of the present invention are described in detail below, by way of example only, with reference to the following schematic drawings, in which:
  • DESCRIPTION OF THE DRAWINGS
  • [0068]
    FIG. 1 is a schematic drawing of an apparatus for analyzing a network flow according to an embodiment of the invention, comprising a programmable controller, a parser and a flow metering unit,
  • [0069]
    FIG. 2 shows a schematic computer system comprising a computer networking to device and an apparatus for analysing the network flow in the computer networking device,
  • [0070]
    FIG. 3 is a schematic drawing of a programmable controller implemented as state machine,
  • [0071]
    FIG. 4 is a schematic drawing of the apparatus of FIG. 1 in more detail,
  • [0072]
    FIG. 5 shows a flow chart illustrating a flow table update function of the flow metering unit,
  • [0073]
    FIG. 6 shows a flow chart illustrating the determination of expired table entries of a flow table unit,
  • [0074]
    FIG. 7 shows a flow chart illustrating the exportation of expired table entries of the flow table unit,
  • [0075]
    FIG. 8 shows a schematic drawing of a computer system comprising virtual computing systems and an apparatus for analysing the network flow between the virtual computing systems.
  • [0076]
    The drawings are provided for illustrative purposes only and do not necessarily represent practical examples of the present invention to scale. In the figures, same reference signs are used to denote the same or like parts.
  • [0077]
    FIG. 1 shows an apparatus 100 for analysing a network flow 105 according to an exemplary embodiment of the invention. The apparatus 100 comprises a parser 110 for extracting flow identification information from the network flow 105. The network flow 105 may be any kind of communication traffic in a network, in particular end to end network traffic. The network flow 105 may comprise a sequence of data packets, wherein each data packet is part of a communication between two distinct network addresses. The apparatus 100 comprises a flow metering unit 130 for metering the network flow 105 and a programmable controller 140 for controlling the flow metering unit 130 and the parser 110.
  • [0078]
    The flow metering unit 130 is provided for sending flow status information to the programmable controller 140 and the programmable controller 140 is provided for sending flow metering instructions to the flow metering unit 130 in dependence on the flow status information. Furthermore, the parser 110 is provided for sending parsing information to the programmable controller 140 and the programmable controller 140 is provided for sending parsing instructions to the parser 110 in dependence on the parsing information.
  • [0079]
    The programmable controller 140 comprises a central processing unit 150 and a program memory 160. In the program memory 160 one or more flow metering programs 170 can be stored.
  • [0080]
    The apparatus 100 is preferably implemented in hardware and may be used as hardware assist device. This is further illustrated with reference to FIG. 2.
  • [0081]
    FIG. 2 shows a computer system 200 comprising a central processing unit 210, a memory 220 and a computer networking device 230. Furthermore it comprises the apparatus 100 for analysing a network flow. The apparatus 100 is implemented in hardware as hardware assist device for the central processing unit 210. The central processing unit 210, the memory 220, the computer networking device 230 and the apparatus 100 are coupled via an internal bus system 240.
  • [0082]
    The computer networking device 230 may be any kind of Input/Output device, e.g. a router or a switch. In the example of FIG. 2 the computer networking device 230 serves as router between a first Local Area Network (LAN) 250, a second LAN 260 and the Internet 270. Accordingly, the computer networking device 230 is provided for routing network flows 280 between the first LAN 250, the second LAN 260 and the Internet 270. The apparatus 100 is provided for analysing and meter the network flow in the computer networking device 230.
  • [0083]
    FIG. 3 shows a schematic block diagram of a programmable controller 300 according to another exemplary embodiment of the invention. The programmable controller 300 is implemented as programmable state machine. The programmable controller 300 comprises a transition rule memory 310, a rule selector 320 and a state register 330. The rule selector 320 is provided for receiving as external input signal 340 parsing information from the parser 110 and flow status information from the flow metering unit 130 of FIG. 1. Furthermore, the rule selector 320 is provided for receiving an internal input signal 350 from the state register 330. This internal input signal 350 indicates the current state of the state register 330. The rule selector 320 observes the internal input signal 350 and the external input signal 340 by means of the transition rule memory 310 for transition rules. When a transition rule applies, the rule selector 320 is provided for changing the state of the state register 330 and sending parsing instructions to the parser 110 and/or flow metering instructions to the flow metering unit 130 of FIG. 1.
  • [0084]
    More details for implementation of a programmable state machine as shown in FIG. 3 are described in US 2005/0132342A1 which is herewith incorporated by reference.
  • [0085]
    FIG. 4 is a schematic drawing of the apparatus of FIG. 1 in more detail.
  • [0086]
    The parser 110 can be programmed by means of the programmable controller 140 to extract any desirable flow identification information from the network flow 105. According to an exemplary embodiment of the invention the network flow 105 comprises packets including a packet header and the parser 110 uses the packet headers to extract the flow identification information. Accordingly, the parser 110 may be programmed to extract any desirable combination of header fields from the packet header that will be used for flow identification. Examples of such header fields include IP source and destination addresses, Transmission Control Protocol (TCP) source and destination port numbers, Multi-Protocol Label Switching (MPLS) and Virtual Local to Area Network (VLAN) tags etc. Based on the protocol standard of the respective network analysis protocol, the parser 110 can be programmed to extract the corresponding header fields that are relevant for that protocol standard. The parser 110 is provided for writing the flow identification information of these header fields into a register unit 400. Hence the register unit 400 comprises registers with flow identification information derived from packet headers.
  • [0087]
    This flow identifying information is provided as input to a programmable hash function unit 410. The programmable hash function unit 410 maps the flow identification information stored in the register unit 400 on a hash index. In other words, the programmable hash function unit 410 maps the actual values of the selected header fields upon a hash index. The programmable hash function unit 410 may provide a variety of hash functions that cover all desired functions for the protocol versions that the apparatus 100 shall support. The programmable controller 140 is provided for selecting one of the available hash functions. The selection of one of the hash functions may be implemented by sending a hash identifier corresponding to that hash function from the programmable controller 140 to the programmable hash function unit 410. Such a hash identifier can consist of a short bit vector that uniquely corresponds to one of the implemented hash functions.
  • [0088]
    The flow metering unit 130 further comprises a flow table management unit 420. The flow table management unit 420 is provided to receive the hash index of the respective flow identification information of the respective packet header from the programmable hash function unit 410. The flow table management unit 420 manages and controls a flow table unit 430. The flow table management unit 420 can execute as flow metering instructions flow table management commands. Such flow table management commands may include e.g. commands for updating the flow table unit 430, for creating a new entry in the flow table unit 430, for checking entries of the flow table unit 430, for removing entries from the flow table unit 430 and for scanning the entries of the flow table unit 430. Preferably the flow table management unit 420 is implemented by means of a hardwired state machine. The flow table management commands are sent from the programmable controller 140 to the flow table management unit 420. The flow table unit 430 comprises a memory that stores network flow entries for network flows identified by the respective hash index. The network flow entries comprise key fields that define the flow and content fields that comprise information about the defined flow. The content fields are updated with every new packet of the network flow. The flow table unit 430 might e.g. use the 5-tuple definition to characterise and define the network flow in the key fields. In this example the key fields would comprise the source and destination IP address, the source and destination port and the IP protocol of the respective network flow.
  • [0089]
    For each such key field the flow table may store in the corresponding content fields flow metering information, e.g. timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
  • [0090]
    As an example, upon reception of check-command from the programmable controller 140, the flow table management unit 420 will check if the flow table unit 430 already contains an entry for the network flow identified by the respective hash index. In return it will provide as flow status information an indication to the programmable controller 140 that indicates that the respective network flow exists or that the hash index corresponds to a new network flow that is not present in the flow table unit 430. Dependent on the hash function the flow table management unit 420 can also have direct access to the actual register values of the register unit 400, i.e. to the flow identification information stored in the register unit 400.
  • [0091]
    In response to receiving the flow status information that an identified network flow either exists or not, the programmable controller 140 may dispatch as flow metering instructions table management commands to the flow table management unit 420 to either update an existing flow table entry or to create a new flow table entry by means of an update or a create command.
  • [0092]
    Furthermore, the programmable controller 140 is provided for controlling the scanning of the flow table unit 430 for expired flow table entries. For this purpose, the to programmable controller 140 will test the value of a programmable timer 450 which can be configured to meet the characteristics of the supported protocol versions of the respective network analysis protocol. This will trigger the programmable controller 140 to send as table management command a scan instruction to the flow table management unit 420 after certain periods and/or at regular configurable intervals. The flow table management unit 420 will then scan the flow table unit 430 and report any expired flow table entries to the programmable controller 140. In response the programmable controller 140 can send a remove-command to remove these flow table entries to the flow table management unit 420. Furthermore, the programmable controller 140 can trigger the export of these expired flow table entries. In the latter case, the programmable controller 140 triggers the creation of a flow information packet containing information on the expired network flow. The programmable controller 140 sends a “generate packet” command to a flow information export unit 440. The flow information export unit 440 is also denoted as packet generator. The flow information export unit 440 can be implemented using a hardwired state machine. The flow information export unit 440 exports a flow information packet containing network flow information to a central server or any other destination.
  • [0093]
    By means of this programmable concept of the apparatus 100 the flow metering functions of the flow metering unit 130 can be implemented, configured and executed differently depending on the application environment, the used protocol standards (e.g. NetFlow v5, v7, v9, IPFIX), the number of network flows to be supported or the speed of the respective network.
  • [0094]
    For example, NetFlow v9 and IPFIX do not use fixed record fields, but a variable number of fields defined in flow templates. A template determines the content of the flow table and the amount of exported network flow information. In addition, multiple network flows can be aggregated and mapped on the same flow table entry. The flow table might contain various types of information for each network flow. Furthermore, the rules that determine when network flow information will be exported can vary.
  • [0095]
    FIG. 5 shows a flow chart illustrating a flow table update function of the flow to metering unit 130.
  • [0096]
    In a step 510 the apparatus 100 receives a data packet of a network flow that is observed. In step 520 the parser 110 parses the header of the data packet, extracts the flow identification information and writes it in the register unit 400. In step 530 the programmable hash function unit 410 calculates the hash index of the flow identification information and the flow table management unit 420 performs a flow table (hash table) lookup in the flow table unit 430. In step 540 the flow table management unit 420 evaluates whether a flow table entry already exists for the respective hash index. If this is the case, the flow table management unit 420 updates in step 550 the respective flow table entry in the flow table unit 430. If this is not the case, the flow table management unit 420 creates in step 560 a new flow table entry in the flow table unit 430.
  • [0097]
    FIG. 6 shows a flow chart illustrating the determination of expired flow table entries in the flow table unit 430.
  • [0098]
    In step 600 the programmable controller 140 sends as flow metering instruction a scan-command to the flow table management unit 420. This can happen after certain time periods and/or at regular configurable intervals. The flow table management unit 420 will then scan the flow table unit 430. In step 610 the flow table management unit 420 selects an initial entry of the flow table unit 430 and determines in step 620 the time t since the last update. If the time t is larger than a predefined time, e.g. determined by the timer 450, the respective entry of the flow table unit 430 is marked as expired. In step 650 it is checked whether all entries of the flow table unit 430 have been processed, i.e. have been checked for expiration. If this is not the case, the flow table management unit 420 will select the next entry and continue with step 620. If the result of step 650 is that all entries of the flow table unit 430 have been processed, the scanning has been completed. The scanning function of the flow table management unit 420 waits then in step 670 for a time t' until it receives a new scan-command from the programmable controller 140.
  • [0099]
    FIG. 7 shows a flow chart illustrating the export of expired table entries to a server or another destination.
  • [0100]
    In step 700 the programmable controller 140 triggers the export process by sending a “generate packet” command to the flow information export unit (packet generator) 440. In step 710 flow information export unit 440 selects an initial entry of the flow table unit 430 and checks in step 720 if the respective entry is marked as expired. If this is the case, the flow information export unit 440 creates and transmits in step 730 a flow information packet containing network flow information of the expired network flow of the respective flow table entry. The flow information export unit 440 may export a flow information packet to a central server or any other destination. In a following step 740 the respective table entry is removed from the flow table unit 430. In a following step 750 the flow information export unit 440 checks if all table entries have been processed, i.e. checked for flows that are marked as expired. If the result of step 720 is that the respective flow table entry is not marked as expired, the export process continues with step 750 as well. If the checking of step 750 is negative, in step 760 the next flow table entry is selected for processing and the export process is continued with step 720. If the checking of step 750 is positive, the export process is finished for the meantime. The exportation function of the flow information export unit 440 waits then in step 770 for a time t″ until it receives a new generate packet command from the programmable controller 140.
  • [0101]
    FIG. 8 shows a schematic drawing of a virtualized server environment comprising an apparatus for analyzing the network flow between virtual computing systems.
  • [0102]
    The virtualized server environment comprises a computer system 800 comprising two or more virtual computing systems 810 that run on a central processing unit 820 of the computer system 800. The computer system 800 comprises further a software networking device 830 for internal communication between the virtual computing systems 810 and a hardware networking device 840 for external communication between the virtual computing systems 810 and an external device 850.
  • [0103]
    The software networking device 830 is provided for managing and controlling the internal communication between the virtual computing systems 810. It may be e.g. a software switch, i.e. a switch implemented in software.
  • [0104]
    The hardware networking device 840 may be e.g. a network adapter or a hardware switch. It is provided for managing and controlling the external communication between the virtual computing systems 810 and an external device 850. The external device 850 can be e.g. another computer system, a network, the internet or any other destination the computer system 800 would like to communicate with.
  • [0105]
    The hardware networking device 840 comprises the apparatus 100 for analysing a network flow. The apparatus 100 is implemented in hardware as hardware assist device for the central processing unit 820 of the computer system 800.
  • [0106]
    The virtual computing systems 810 may communicate with each other via the software networking device 830 and a virtual local network 860. The virtual local network 860 could be e.g. a Virtual Local Area Network (VLAN).
  • [0107]
    The hardware networking device 840 can communicate with the virtual computing systems 810 and with the software networking device 830 by means of a virtual Input/Output (I/O) server partition 870
  • [0108]
    The software networking device 830 is provided for forwarding the network flow or parts of the network flow occurring in the software networking device 830 to the apparatus 100. The hardware networking device 840 is provided for forwarding the network flow or parts of the network flow occurring in the hardware networking device 840 to the apparatus 100. The software networking device 830 may use the virtual Input/Output (I/O) server partition 870 for forwarding the network flow or parts of the network flow to the apparatus 100. The hardware networking device 840 may use a hardware bus 880 for forwarding the network flow or parts of the network flow to the apparatus 100.
  • [0109]
    The computer system 800 allows for monitoring and analysing the network flow between the virtual computing systems 810 and/or between the virtual computing systems 810 and the external device 850 in a scalable way. There is no additional software needed on the computer system 800 and on the virtual computing systems 810.
  • [0110]
    The disclosed embodiments may be combined with one or several of the other embodiments shown and/or described. This is also possible for one or more features of the embodiments.
  • ADDITIONAL EMBODIMENT DETAILS
  • [0111]
    The described techniques may be implemented as a method, apparatus or article of manufacture involving software, firmware, micro-code, hardware and/or any combination thereof. The term “article of manufacture” as used herein refers to code or logic implemented in a medium, where such medium may comprise hardware logic [e.g., an integrated circuit chip, Programmable Gate Array (PGA), Application Specific Integrated Circuit (ASIC), etc.] or a computer readable medium, such as magnetic storage medium (e.g., hard disk drives, floppy disks, tape, etc.), optical storage (CD-ROMs, optical disks, etc.), volatile and non-volatile memory devices [e.g., Electrically Erasable Programmable Read Only Memory (EEPROM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Random Access Memory (RAM), Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), flash, firmware, programmable logic, etc.]. Code in the computer readable medium is accessed and executed by a processor. The medium in which the code or logic is encoded may also comprise transmission signals propagating through space or a transmission media, such as an optical fiber, copper wire, etc. The transmission signal in which the code or logic is encoded may further comprise a wireless signal, satellite transmission, radio waves, infrared signals, Bluetooth, etc. The transmission signal in which the code or logic is encoded is capable of being transmitted by a transmitting station and received by a receiving station, where the code or logic encoded in the transmission signal may be decoded and stored in hardware or a computer readable medium at the receiving and transmitting stations or devices. Additionally, the “article of manufacture” may comprise a combination of hardware and software components in which the code is embodied, processed, and executed. Of course, those skilled in the art will recognize that many modifications may be made without departing from the scope of embodiments, and that the article of manufacture may comprise any information bearing medium. For example, the article of manufacture comprises a storage medium having stored therein instructions that when executed by a machine results in operations being performed.
  • [0112]
    Certain embodiments can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements. In a preferred embodiment, the invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.
  • [0113]
    Furthermore, certain embodiments can take the form of a computer program product accessible from a computer usable or computer readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer usable or computer readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk—read only memory (CD-ROM), compact disk—read/write (CD-R/W) and DVD.
  • [0114]
    The terms “certain embodiments”, “an embodiment”, “embodiment”, “embodiments”, “the embodiment”, “the embodiments”, “one or more embodiments”, “some embodiments”, and “one embodiment” mean one or more (but not all) embodiments to unless expressly specified otherwise. The terms “including”, “comprising”, “having” and variations thereof mean “including but not limited to”, unless expressly specified otherwise. The enumerated listing of items does not imply that any or all of the items are mutually exclusive, unless expressly specified otherwise. The terms “a”, “an” and “the” mean “one or more”, unless expressly specified otherwise.
  • [0115]
    Devices that are in communication with each other need not be in continuous communication with each other, unless expressly specified otherwise. In addition, devices that are in communication with each other may communicate directly or indirectly through one or more intermediaries. Additionally, a description of an embodiment with several components in communication with each other does not imply that all such components are required. On the contrary a variety of optional components are described to illustrate the wide variety of possible embodiments. Further, although process steps, method steps, algorithms or the like may be described in a sequential order, such processes, methods and algorithms may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order. The steps of processes described herein may be performed in any order practical. Further, some steps may be performed simultaneously, in parallel, or concurrently.
  • [0116]
    When a single device or article is described herein, it will be apparent that more than one device/article (whether or not they cooperate) may be used in place of a single device/article. Similarly, where more than one device or article is described herein (whether or not they cooperate), it will be apparent that a single device/article may be used in place of the more than one device or article. The functionality and/or the features of a device may be alternatively embodied by one or more other devices which are not explicitly described as having such functionality/features. Thus, other embodiments need not include the device itself.
  • [0117]
    Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following a) conversion to another language, code or notation; b) reproduction in a different material form.
Patent Citations
Cited PatentFiling datePublication dateApplicantTitle
US5781729 *Jul 7, 1997Jul 14, 1998Nb NetworksSystem and method for general purpose network analysis
US6665725 *Jun 30, 2000Dec 16, 2003Hi/Fn, Inc.Processing protocol specific information in packets specified by a protocol description language
US8239565 *Nov 20, 2007Aug 7, 2012Nippon Telegraph And Telephone CorporationFlow record restriction apparatus and the method
US20030061401 *Sep 25, 2001Mar 27, 2003Luciani Luis E.Input device virtualization with a programmable logic device of a server
US20050132342 *Oct 21, 2004Jun 16, 2005International Business Machines CorporationPattern-matching system
US20050238022 *Aug 25, 2004Oct 27, 2005Rina PanigrahyStateful flow of network packets within a packet parsing processor
US20070115825 *Sep 19, 2006May 24, 2007Caspian Networks, Inc.Micro-Flow Management
US20070140128 *Oct 27, 2006Jun 21, 2007Eric KlinkerSystem and method to provide routing control of information over networks
US20070237079 *Mar 30, 2006Oct 11, 2007AlcatelBinned duration flow tracking
US20070248084 *Apr 20, 2006Oct 25, 2007AlcatelSymmetric connection detection
Referenced by
Citing PatentFiling datePublication dateApplicantTitle
US8125920 *May 14, 2009Feb 28, 2012Cisco Technology, Inc.System and method for exporting structured data in a network environment
US8259723 *Dec 23, 2009Sep 4, 2012Korea Internet & Security AgencyDevice and method for generating statistical information for VoIP traffic analysis and abnormal VoIP detection
US8593970Jul 3, 2012Nov 26, 2013Juniper Networks, Inc.Methods and apparatus for defining a flow control signal related to a transmit queue
US8717889Aug 24, 2012May 6, 2014Juniper Networks, Inc.Flow-control in a switch fabric
US8724487Feb 15, 2010May 13, 2014Cisco Technology, Inc.System and method for synchronized reporting in a network environment
US8811163Apr 6, 2012Aug 19, 2014Juniper Networks, Inc.Methods and apparatus for flow control associated with multi-staged queues
US8811183Oct 4, 2011Aug 19, 2014Juniper Networks, Inc.Methods and apparatus for multi-path flow control within a multi-stage switch fabric
US8854972 *Jan 25, 2013Oct 7, 2014Palo Alto Networks, Inc.Security device implementing flow lookup scheme for improved performance
US8964556Jul 9, 2012Feb 24, 2015Juniper Networks, Inc.Methods and apparatus for flow-controllable multi-staged queues
US9032089Mar 9, 2011May 12, 2015Juniper Networks, Inc.Methods and apparatus for path selection within a network based on flow duration
US9065767 *Apr 3, 2012Jun 23, 2015Cisco Technology, Inc.System and method for reducing netflow traffic in a network environment
US9065773Jun 22, 2010Jun 23, 2015Juniper Networks, Inc.Methods and apparatus for virtual channel flow control associated with a switch fabric
US9189218 *Mar 26, 2014Nov 17, 2015Telefonaktiebolaget L M Ericsson (Publ)Processing packets by generating machine code from pre-compiled code fragments
US9252960 *Feb 10, 2010Feb 2, 2016Intrinsic Id B.V.System for establishing a cryptographic key depending on a physical system
US20100226282 *May 14, 2009Sep 9, 2010Cisco Technology, Inc.System and method for exporting structured data in a network environment
US20110058481 *Dec 23, 2009Mar 10, 2011Lee Chang-YongDevice and method for generating statistical information for voip traffic analysis and abnormal voip detection
US20110154132 *Dec 23, 2009Jun 23, 2011Gunes AybayMethods and apparatus for tracking data flow based on flow state values
US20120072737 *Feb 10, 2010Mar 22, 2012Geert Jan SchrijenSystem for establishing a cryptographic key depending on a physical system
US20130262703 *Apr 3, 2012Oct 3, 2013Cisco Technology, Inc.System and method for reducing netflow traffic in a network environment
US20150277882 *Mar 26, 2014Oct 1, 2015Telefonaktiebolaget L M Ericsson (Publ)Processing packets by generating machine code from pre-compiled code fragments
Classifications
U.S. Classification370/253
International ClassificationH04L12/26
Cooperative ClassificationH04L63/1425, H04L43/026, H04L43/08
European ClassificationH04L63/14A2, H04L43/02B
Legal Events
DateCodeEventDescription
Jun 19, 2009ASAssignment
Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION,NEW YO
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KIND, ANDREAS;LUNTEREN, JAN VAN;REEL/FRAME:022848/0519
Effective date: 20090615