WO2016122708A1 - Determining a sampling rate for data traffic - Google Patents

Determining a sampling rate for data traffic Download PDF

Info

Publication number
WO2016122708A1
WO2016122708A1 PCT/US2015/038357 US2015038357W WO2016122708A1 WO 2016122708 A1 WO2016122708 A1 WO 2016122708A1 US 2015038357 W US2015038357 W US 2015038357W WO 2016122708 A1 WO2016122708 A1 WO 2016122708A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
sampling rate
traffic
load level
sampling
Prior art date
Application number
PCT/US2015/038357
Other languages
French (fr)
Inventor
David Corrales Lopez
Diego Valverde Garro
Claudio Enrique VIQUEZ CALDERON
Osvaldo Andres SANCHEZ MELENDEZ
Original Assignee
Hewlett Packard Enterprise Development Lp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hewlett Packard Enterprise Development Lp filed Critical Hewlett Packard Enterprise Development Lp
Publication of WO2016122708A1 publication Critical patent/WO2016122708A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/022Capturing of monitoring data by sampling
    • H04L43/024Capturing of monitoring data by sampling by adaptive sampling
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0817Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876Network utilisation, e.g. volume of load or congestion level
    • H04L43/0894Packet rate

Definitions

  • Sampling data traffic is advantageous because network traffic at a network switch is typically processed and transmitted at a much faster rate than a rate in which network traffic can be analyzed.
  • Some conventional approaches include limiting the proportion of data traffic packets which are sampled and delivered for data analysis (i.e., the sampling rate), based on the worst-case scenario.
  • An approach which utilizes the worst-case sampling rate can prevent the data analysis processor(s) from being excessively loaded, but such an approach also limits system performance to that which is permitted under the worst-case scenario.
  • Another conventional approach provides for the sampling rate to be based on the average incoming data rate. However, in this approach, the sampling rate overloads the data analysis processor(s) whenever the incoming data rate exceeds the average incoming data rate.
  • Some other conventional approaches allow for a one-way automated backoff of the sampling rate which is triggered when a specified number of samples per second is generated. Each time a specified number of samples per second is reached, the sampling rate is cut in half (i.e., only half as many data traffic packets are sampled). Typically, under this approach, the sampling rate does not increase after this back-off process unless there is manual intervention.
  • FIG. 1 illustrates an example system for controlling a sampling rate at which data from data traffic passing through a network switch is forwarded to a data analysis resource.
  • FIG. 2A illustrates an example system for controlling sampling of data producers on a network system.
  • FIG. 2B illustrates another example system for controlling sampling of data producers on a network system.
  • FIG. 2C illustrates another example system for controlling sampling of data producers on a network system.
  • FIG. 3 illustrates an example method for controlling a sampling rate for data traffic of a network switch.
  • Examples described herein include a system and method for controlling data sampling on a network.
  • an amount of data traffic of a data producer is determined for a given duration of time.
  • An indicator of a load level is determined for a data analysis resource.
  • a sampling rate is determined from the indicator and the amount of traffic, for use in forwarding data of the data traffic to the data analysis resource.
  • sampling rate can be determined for a network switch on which the data producer is provided.
  • the sampling rate can be determined by a controller (or control entity), operating separate from the network switch.
  • control entity can be implemented as part of the network switch.
  • control entity can control the sampling rate which is utilized on multiple network switches (or data
  • examples such as described enable a provider or operator of a network to control sampling of data traffic at a network switch. By controlling the sampling rate, data traffic can be analyzed at a rate or volume that is optimal, to reflect network conditions such as load levels existing on the resource where the data analysis is performed.
  • Examples described herein provide that methods, techniques, and actions performed by a computing device are performed programmatically, or as a computer-implemented method. Examples can be implemented as hardware, or a combination of hardware (e.g., a processor(s)) and executable instructions (e.g., stored on a machine-readable storage medium). These instructions can be stored in one or more memory resources of the computing device. A programmatically performed step may or may not be automatic.
  • Examples described herein can be implemented using modules or components, which may be any combination of hardware and programming to implement the functionalities of the modules or components.
  • the programming for the components may be processor executable instructions stored on at least one non-transitory machine-readable storage medium and the hardware for the components may include at least one processing resource to execute those instructions.
  • the at least one machine-readable storage medium may store instructions that, when executed by the at least one processing resource, implement the modules or components.
  • a system may include the machine-readable storage medium storing the instructions and the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to system 200 and the processing resource.
  • examples described herein may be implemented through the use of instructions that are executable by one or more processors. These instructions may be carried on a computer-readable medium. Machines shown or described with figures below provide examples of processing resources and computer-readable mediums on which instructions for
  • Examples of computer-readable mediums include permanent memory storage devices, such as hard drives on personal computers or servers.
  • Other examples of computer storage mediums include portable storage units, such as CD or DVD units, flash memory (such as carried on smart phones, multifunctional devices or tablets), and magnetic memory.
  • Computers, terminals, network enabled devices e.g., mobile devices, such as cell phones
  • examples may be implemented in the form of computer-programs, or a computer usable carrier medium capable of carrying such a program.
  • FIG. 1 illustrates an example of a data sampling system for sampling data traffic that is passed through a network switch.
  • a data sampling system 100 includes a network switch 101 and a controller 110.
  • the network switch 101 and the controller 110 collectively operate to selectively sample traffic passing through the network switch 101 for communication to a data analysis resource 120.
  • Packets received by network switch 101 are shown as data traffic in 102, and the packets are transmitted to destination devices are shown as data traffic out 103.
  • the data sampling system 100 operates to sample data from the data traffic in 102, so as to generate sampled data 107, which is transmitted to the data analysis resource 120.
  • Each of the network switch 101, controller 110 and/or data analysis resource 120 can be implemented by a computing resource that includes a processor, combination of processors, or shared processor.
  • the network switch 101 and controller 110 are provided on separate devices or components and interconnect across a network or data bus.
  • the network switch 101 and controller 110 are integrated, so as to be part of the same device or chip package.
  • the data analysis resource 120 can also be provided as a separate component or combination of components. While network switch 101, data sampler 104 and data analysis resource 120 are shown in an example of FIG. 1 as being separate entities, in some variations, the network switch 101, data sampler 104 and/or the data analysis resource 120 can be integrated together as one entity (e.g., within one structure or processing component).
  • data analysis resource 120 analyzes sampled data 107 provided from data sampler 104 of the network switch 101.
  • the data analysis resource 120 can process the sampled data 107 for any one of a variety of purposes, including, for example, (i) detecting when entities that generate traffic handled through the network switch 101 are protocol compliant or non-compliant; (ii) detecting when the data traffic passing through the network switch 101 contains an unacceptable level of computer viruses or spam messages; (iii) detecting network-based intrusion events; and/or (iv) performing deep packet inspection (DPI).
  • DPI deep packet inspection
  • the data analysis resource 120 is processor intensive and not suited for handling large volumes of traffic as compared to the network switch 101.
  • the data analysis resource 120 includes operational limitations as compared to the network switch 101, and more specifically, limitations as to the amount of data that the data analysis resource 120 can accept and process as compared to the amount of data that can be handled by the network switch 101.
  • the amount of data that data analysis resource 120 can process and analyze can be several orders of magnitude less than the amount of data traffic input 102 which passes through the network switch 101.
  • the data sampler 104 can be dynamically adjusted or tuned in order to adjust an amount of sampled data 107 that is communicated to the data analysis resource 120.
  • the data sampler 104 can utilize selection criteria 117 and sampling rate values 105 in order to reduce the amount of packets which are sampled.
  • the selection criteria 117 can correspond to, for example, a setting which identifies the type of data packets which are to be sampled.
  • the selection criteria 117 can identify specific applications or packet types (e.g., application data packets), and exclude other data packets from sampling (e.g., packets at the beginning of a flow).
  • the data sampler 104 can use sampling rate values 105 so that it can operate at any given moment in accordance with a sampling rate.
  • the sampling rate defines the amount of data that is forwarded to the data analysis resource 120 for analysis.
  • the sampling rate values 105 of data sampler 104 can be adjusted or tuned in accordance with sampling rate values 105.
  • the sampling rate values 105 include values that affect the operational level or sampling rate of data sampler 104 (e.g., amount of sampled data 107).
  • the sampling rate values 105 can be determined from, or otherwise based on sampling control parameters 115 provided from the controller 110.
  • the controller 110 includes sampling rate logic 112 and sampling mode logic 114.
  • the controller 110 can receive feedback 111 as input from the data analysis resource 120.
  • the feedback 111 can be based on or otherwise include a variety of factors which indicate sampling conditions or capacity.
  • the feedback 111 can include indicators, corresponding to information or data that is indicative of (i) a desired processor utilization for data analysis resource 120, (ii) a capacity of the network switch 101, and/or (iii) a processing jitter or delay with the switch 101 and/or the data analysis resource 120.
  • the sampling rate logic 112 can implement an algorithm or process to determine the sample rate at a given instance of time based at least in part on the feedback 111. In determining the sample rate, the sampling rate logic 112 can utilize information indicating the amount of traffic passing through the network switch 101, shown as traffic parameters 113.
  • the traffic parameters 113 can be determined from the network switch 101, or from other sources on the network.
  • the sampling mode logic 114 can include logic to select the algorithm or process for calculating the sample rate at the given instance.
  • the sampling mode logic 114 can include conditions or events which warrant switching the algorithm or process for calculating the sample rate.
  • the process or algorithm used to determine the sample rate can vary in
  • the selection of the process or algorithm can be based on, for example, network conditions or the amount of traffic being handled through the network switch 101. If, for example, the network switch 101 is experiencing heavy traffic, the controller 110 may select the least computationally intensive algorithm for determining the sample rate.
  • the controller 110 can calculate the sample rate using, for example, an averaging process, a statistical process, or a predictive process, such as provided through linear regression, time series regression, best curve fit, Markov model, or weighted averages.
  • the sampling mode logic 114 can specify the type of data that is forwarded on as sampled data 107.
  • the sampling mode logic 114 can forward headers of sampled packets in one implementation mode.
  • the sampling mode logic can forward a combination of headers and specified portions of the packet payloads as the sampled data 107.
  • the determination of what portions or aspects of the packets in traffic input 102 which are to be contained in the sampled data 107 can also be based on factors such as (i) the amount of network traffic that is present, and/or (ii) the bandwidth and/or available resources of the data sampler 104 or network switch 101.
  • the data analysis resource 120 operates by examining the incoming packets of the sampled data 107 to determine information about each received packet.
  • the determined information can include what protocol is used with the individual data packets; the packet's source or destination; whether a packet matches a particular sequence of bits; or whether the packet matches other criteria of interest.
  • the controller 110 can determine the sampling control parameters 115 based at least in part on feedback 111.
  • the sampling control parameters 115 can reflect the determined sampled rate as a direct measurement (e.g., x packets per second).
  • the sampling control parameters 115 can provide a relative measure (e.g., sample 1 packet out of 1000 packets).
  • the sampling rate logic 112 can use indicators provided by the data analysis resource 120 in the feedback 111 to determine the sample rate control parameters 115.
  • the sampling mode logic 114 selects an algorithm or process for calculating the sample rate control parameters 115, and the sampling rate logic 112 calculates the sample rate using an algorithm that is determined by the sampling mode logic 114.
  • the sampling mode logic 114 can make the selection of the algorithm or process for calculating the sample rate based on a variety of factors, such as based on traffic passing through the network switch 101.
  • the controller 110 can communicate the sampling control parameters 115 to the data sampler 104 of the switch 101.
  • the data sampler 104 can set or otherwise determine a value of one or more sampling rate values 105 which implement data sampling rate for a given duration of time (e.g., duration of sample, more than one second).
  • the sampling rate values 105 can correspond to, or be based on the sampling control parameters 115.
  • the sampling control parameters 115 can directly reflect the sampling rate values 105.
  • sampling control parameters can identify a relative quantity for the sampling rate, and the sampling rate values 105 can reflect additional parameters such as those measured directly from the traffic input 102 of the network switch 101.
  • sampling rate values 105 can be continuously or repeatedly updated by the controller 110.
  • the controller 110 can update the sampling control parameters 115 to reflect a change in the indicators of the load level incurred by the data analysis resource 120, and the update to the sampling control parameters can be reflected in the sampling rate values 105.
  • the sampling can be executed on the network switch 101 using sampling rate values 105 which are continuously or repeatedly updated based on changes to the load level of the data analysis resource 120.
  • the controller 110 continuously or repeatedly calculates changes to the sampling control parameters 115.
  • the changes to the data sampling rate can be the result of fluctuations of the indicators of the feedback 111, as well as changes to the algorithm or process used to calculate the data sampling rate.
  • the controller 110 can reflect changes to the data sampling rate in the sampling control parameters 115, which can update the sampling rate values 105 of the data sampler 104.
  • FIG. 1 some or all of the functions described in relation to the examples herein may be implemented by devices via hardware or a combination of hardware and instructions for the hardware.
  • components of FIG. 1 may be implemented via hardware which is instructed to perform functionality associated with the components, utilizing instructions stored in memory.
  • FIG. 2A, FIG. 2B, and FIG. 2C illustrate alternative network systems on which a sampling rate for data traffic of data producers is
  • an example system 200, 220, 250 such as depicted in FIG. 2A, FIG. 2B or FIG. 2C respectively, can be implemented in a variety of computing environments, including in an environment in which sampling is performed to analyze data packets or traffic passing through a node such as the network switch 101.
  • examples of FIG. 2A, FIG. 2B and FIG. 2C provide for a system to sample data from a high traffic source in order to analyze the data packet or traffic using a data analysis resource that has a significantly lesser but fluctuating capacity to receive and process the sampled data.
  • Each of the systems 200, 220, 250 can be implemented using computing resources, including a combination of processors and/or processing resources (e.g., integrated circuit).
  • system 200 can be implemented as a single, stand-alone device, such as, e.g., a system-on-chip (SoC) device.
  • the system 200 includes a controller 201, one or more data producers 202, 203, 204, and one or more data collectors 205, 206, 207.
  • the data producers 202, 203, 204 each sample and provide data traffic from a network switch (such as, e.g., network switch 101 of FIG. 1).
  • the data producers 202, 203, and 204 correspond to one or more application-specific integrated circuits (ASICs) which operate with or as part of a network switch 101 (FIG. 1).
  • ASICs application-specific integrated circuits
  • Each of the data producers 202, 203, 204 can also include a data sampler 244, which can operate to sample data passing through the respective data producer.
  • Data producers 202, 203, and 204 each provide sampled data 212, 213, 214 to the data collectors 205, 206, and 207.
  • Each data collector 205, 206, 207 can correspond to a computing resource for performing data analysis on sampled data (e.g., see data analysis resource 120 of FIG. 1). While an example of FIG.
  • FIG. 2A depicts three data producers 202, 203, 204 and three data collectors 205, 206, 207
  • system 200 to utilize a greater or lesser number of data producers (e.g., network switches) and data collectors (e.g., data analysis components).
  • data producers e.g., network switches
  • data collectors e.g., data analysis components
  • each data producer 202, 203, and 204 is shown in FIG. 2A as being coupled to each of the data collectors 205, 206, and 207
  • other examples can provide for alternative configurations as to the manner in which data collectors 205, 206, 207 receive and sample data from data producers 202, 203, 204(e.g., each data producer could be coupled to only one data collector).
  • the controller 201 provides sampling control parameters 211 to control the rate at which data producers 202, 203, 204 sample data traffic 222, 223, 224 and provide sampled data
  • Each of the data producers 202, 203, 204 can include a data sampling component 234, 235, 236 which performs the data sampling in order to provide sampled data 212,
  • the data sampling component 234, 235, 236 can operate, for example, in a manner described with the data sampler 104 of the network switch 101 (see FIG. 1).
  • the controller 201 determines the sampling control parameters 211 based on feedback 231 that is received from the one or more data collectors 205, 206, 207.
  • the feedback 231 can include data indicators of each data collector's load level.
  • the load level of each data collector 205, 206, 207 can specify (i) a CPU load level, (ii) percentage memory utilization, and/or (iii) intrinsic latency issues.
  • the controller 201 implements a process to determine whether the data collectors 205, 206, 207 are operating
  • the controller 201 can implement a process to compare the load level of each data collector 205, 206, 207 to one or more threshold value(s) which are predetermined values correlating to maximum load level(s) for each data collector.
  • the controller 201 can implement a process to compare the load level of each data collector 205, 206, 207 to an optimum load level. Based on the comparison, the controller 201 can output sampling control parameters 211 which cause the respective data sampler 234, 235, 236 of each data producer to sample data at an estimated rate that is at or below the threshold values and/or the optimum load level for each data collector 205, 206, 207.
  • the data collectors 205, 206, 207 can update indicators of feedback 231 in order to enable the controller to dynamically determine and adjust data sampling rate to be faster or slower.
  • the controller 201 can be responsive to the feedback 231 to generate sampling control parameters 211 that set the data sampling rates of the data samplers 234, 235, 236 at each of the individual data producers 202, 203, 204. In this way, the sampling rates that are utilized by the data producers 202, 203, 204 can be increased or decreased dynamically, so as to be responsive to, for example, events that affect the capacity of the data collectors 205, 206, 207 to receive the sampled data.
  • the controller 201 can operate to adjust the sampling control parameters 211 so that the sample rate utilized by each data producer 202, 203, 204 can change repeatedly or continuously.
  • the sample rate of each data producer 202, 203, 204 can be changed after every sample, or every other sample.
  • the frequency of how often the sample rate is changed on each data producer 202, 203, 204 can be dynamically determined, based on settings or external events or traffic (e.g., fluctuations in the data traffic).
  • the controller 201 can receive feedback 231 which is indicative of a load level from one or more of the data collector 205, 206, 207.
  • the controller 201 can determine that the indicated load level is sufficiently below a designated threshold limit.
  • the controller 110 can cause the data sampler 234, 235, 236 of one or more of the data
  • controller 201 receives feedback 231 that indicates a load level from one or more of the data collectors 205, 206, 207.
  • the controller 201 can determine that the load level that is indicated in the feedback 231 exceeds a designated threshold limit.
  • the controller 201 can adjust the sampling control parameters 211 to cause the data sampling components 234, 235, 236 of one or more of the data producers 202, 203, 204 to decrease the rate at which sampled data 212, 213, 214 is generated and communicated to the data collectors 205, 206, 207.
  • controller 201 can receive feedback 231 which indicates the load level of one or more of the data collectors 205, 206, 207.
  • the controller 201 can calculate a data sampling rate to produce an optimum load level of the data collector 205, 206, 207.
  • the controller 201 can then adjust the sampling control parameters 211 to cause the data samplers 234, 235, 236 of one or more of data producers 202, 203, 204 to sample at the calculated rate.
  • controller 201 can receive load levels from one or more data collectors 205, 206, 207 for a given duration of time.
  • the controller 201 can also determine the amount of data traffic on a network switch (e.g., network switch 101 of FIG. 1) for a given duration of time.
  • the controller 201 can then use the received load levels and amount of data traffic to determine one or more sampling rates for one or more of data producers 202, 203, and 204.
  • the one or more sampling rates can be
  • the controller 201 can then cause the data sampler 234, 235, 236 of one or more data producers to sample data traffic at the determined rate(s). Using these techniques can also control the oscillation or jitter of the apparatus.
  • controller 201 can determine which technique is used to determine the one or more sampling rates based on the amount of traffic. For example, if the determined amount of traffic is very high or highly variable, controller 201 can determine the sampling rates using a different model than for lower or less variable amounts of traffic. In accordance with some examples, the technique used to determine the sampling rate can vary dynamically according to the amount of data traffic.
  • controller 201 can cause the one or more data producers 202, 203, and 204 to sample data traffic at the determined rate(s) by transmitting a signal to the one or more data producers 202, 203, and 204 indicating the sampling rate.
  • the controller 201 can additionally specify the destination for forwarding sampled packets.
  • this destination can be a remote destination (e.g., the sampled packets are transmitted over the network to the
  • this transmitted signal can also specify a pattern or other criteria for use in the analysis of the sampled data traffic.
  • the data producers 202, 203, and 204 can preprocess the sampled packets before passing them to the data collectors 205, 206, and 207.
  • data producers 202, 203, and 204 can scan sampled packets for a specified criteria such as a source, destination, or other pattern to match (e.g., a specified URL). Sampled packets not matching the specified criteria can be discarded.
  • a system 250 for controlling the rate of data sampling on a network can be implemented as two separate devices or entities— a network device 240, and a processing subsystem 270.
  • Network device 240 can be a stand-alone network device, or can optionally be integrated with a network switch such as network switch 101 of FIG. 1.
  • processing sub-system 270 can be a stand-alone network appliance coupled to network device 240.
  • network device 240 and processing sub-system 270 can be separate modular components, which can be mounted in the module slots of a network switch.
  • the processing sub-system 270 includes a controller 251, one or more data producers 241, 242, 243, and one or more data collectors 252, 253, 254. In accordance with the example depicted in FIG.
  • the data producers 241, 242, 243 each include data samplers 266, 267, 268 which operate to sample and provide data traffic from a network switch (such as, e.g., data sampler 104 of network switch 101 in FIG. 1).
  • the data producers 241, 242, 243 correspond to one or more application-specific integrated circuits (ASICs) which operate with or as part of a network switch 101 (FIG. 1).
  • ASICs application-specific integrated circuits
  • Data producers 241, 242, and 243 each provide sampled data 212, 213, 214 to the data collectors 252, 253, 254.
  • Each data collector 252, 253, 254 can correspond to a computing resource for performing data analysis on sampled data (e.g., see data analysis resource 120 of FIG. 1). While an example of FIG.
  • FIG. 2B depicts three data producers 241, 242, 243 and three data collectors 252, 253, 254, other configurations or examples can provide for the system to utilize a greater or lesser number of data producers (e.g., network switches) and data collectors (e.g., data analysis components). Additionally, while each data producer 241, 242, 243 is shown in FIG. 2B as being coupled to each of the data collectors 252, 253, 254, other examples can provide for alternative configurations as to the manner in which data collectors 252, 253, 254 receive and sample data from data producers 241, 242, 243 (e.g., each data producer could be coupled to only one data collector).
  • data producers e.g., network switches
  • data collectors e.g., data analysis components
  • the controller 251 provides sampling control parameters 211 to control the rate at which the data
  • samplers 266, 267, 268 of the data producers 241, 242, and 243 sample data traffic 222, 223, 224 and provide sampled data 212, 213, 214 to the individual data collectors 252, 253, 254.
  • the controller 251 determines the sampling control parameters 211 based on feedback 231 that is received from the one or more data collectors 252, 253, 254.
  • the feedback 231 can include, or be based on parameters that are indicative of each data collector's load level.
  • the load level of each data collector 252, 253, 254 can include (i) a CPU load level, (ii) percentage memory utilization, and/or (iii) intrinsic latency issues.
  • controller 251 can determine appropriate sampling rates similarly to the examples described above with respect to FIG. 2A.
  • the variation depicted in FIG. 2B can allow greater flexibility of operation as opposed to the single device example depicted in FIG. 2A.
  • network device 240 and processing subsystem 270 can be mounted in the module slots of a network switch, and network device 240 or processing sub-system 270 can be removed and replaced with an identical device (e.g., if network device 240 or processing sub-system 270 requires a repair), with a new device (e.g., if an upgraded version of network device 240 or processing sub-system 270 is introduced), or with a device having capabilities better suited for current network conditions.
  • a system 280 controlling the rate of data sampling on a network can be implemented as a plurality of separate devices— a plurality of network devices 260A, 260B, and a processing sub-system 270. Note that while only two network devices are shown in the example of FIG. 2C, other numbers of network devices can also be present, in accordance with some other examples. In accordance with some examples, network devices 260A, 260B and
  • processing sub-system 270 can be separate modular components, which can be mountable in the module slots of a network switch.
  • the system 280 includes two or more network devices 260A, 260B and the processing system 270.
  • the processing sub-system 270 can alternatively be implemented as a device with a collection of components.
  • the processing sub-system 270 can include controller 251, one or more data producers 241, 242, 243, 261, 262, 263 and one or more data collectors 252, 253, 254.
  • the data producers 241, 242, 243, 261, 262, 263 each include or provide data samplers (not shown for brevity) which sample and provide data traffic from a network switch (such as, e.g., network switch 101 of FIG. 1).
  • a network switch such as, e.g., network switch 101 of FIG. 1.
  • the data producers 241, 242, 243, 261, 262, 263 correspond to one or more application-specific integrated circuits (ASICs) which operate with or as part of a network switch 101 (FIG. 1).
  • Data producers 241, 242, 243, 261, 262, and 263 provide sampled data 212, 213, 214, 215, 216, 217 to the data collectors 252, 253, 254.
  • Each data collector 252, 253, 254 can correspond to a computing resource for performing data analysis on sampled data (e.g., see data analysis resource 120 of FIG. 1).
  • FIG. 2C depicts six data producers 241, 242, 243, 261, 262, 263 and three data collectors 252, 253, 254, other
  • each network device 260A, 260B is depicted as containing three data producers, other configurations or examples can provide for the system to utilize a greater or lesser number of data producers per network device.
  • each data producer 241, 242, 243 is shown in FIG. 2C as being coupled to each of the data collectors 252, 253, 254, other examples can provide for alternative configurations as to the manner in which data collectors 252, 253, 254 receive and sample data from data producers 241, 242, 243.
  • each of data producer 261, 262, 263 of the example depicted in FIG. 2C is only coupled to one data collector (i.e. data producer 261 is coupled to data collector 252).
  • the controller 251 provides sampling control parameters 211 to control the rate at which data producers 241, 242, 243 and 261, 262, 263 sample data traffic 222, 223, 224, 225, 226, and 227 and provide sampled data 212, 213, 214, 215, 216, 217 to the individual data collectors 252, 253, 254.
  • the controller 251 determines the sampling control parameters 211 based on feedback 231 that is received from the one or more data collectors 252, 253, 254.
  • the feedback 231 can include, or be based on parameters that are indicative of each data collector's load level.
  • the load level of each data collector 252, 253, 254 can include (i) a CPU load level, (ii) percentage memory utilization, and/or (iii) intrinsic latency issues.
  • controller 251 can determine appropriate sampling rates similarly to the examples described above with respect to FIG. 2A.
  • the variation depicted in FIG. 2C can also allow similar flexibility of operation as the example depicted in FIG. 2B.
  • a variation depicted in FIG. 2C can allow further benefits over the example depicted in FIG. 2B.
  • data traffic can be distributed among network devices 260A, 260B (or more generally among a larger number of network devices) according to one or more specified criteria, such as, e.g., source/destination address or source/destination network.
  • controller 251 can cause network devices 260A, 260B to sample data traffic at different sampling rates, as there can be differing amounts of traffic satisfying the specified criteria. Additionally, differing sampling rates can be appropriate because network devices 260A, 260B can have differing processing
  • each network device 260A, 260B can monitor the amount of traffic it has been allocated (e.g., the amount of traffic satisfying a specified criteria as described above).
  • the network devices 260A, 260B can send this amount of traffic information to controller 251 periodically, or upon request from controller 251.
  • a voting operation can be conducted to
  • Controller 251 can poll the network devices 240, 260A, and the network devices can respond with a signal indicating preferred or supported models.
  • FIG. 3 illustrates an example method for controlling a sampling rate for data traffic of a network switch.
  • An example of FIG. 3 can be
  • an amount of data traffic on a network is determined for a given duration of time (301).
  • the controller 110 can determine a load level by communicating with data analysis resource 120.
  • An indicator is received for a load level of a data analysis resource (302).
  • the controller 110 can determine a load level by
  • the indicator can pertain to, for example, the load level of the data analysis resource 120 at a given instant or duration of time.
  • the data of the network switch 101 can be sampled based on the indicator and the amount of traffic, in order to forward data of the network switch to the data analysis resource at below the designated threshold limit (304).
  • the data sampler 104 can use the sampling rate values 105 to determine the amount of sampled data which is forwarded to the data analysis resource 120.
  • a comparison is performed of the load level of the data analysis resource at the detected amount of network traffic to a designated threshold limit of the data analysis resource (304A).
  • the controller 110 can utilize the feedback 111 and the traffic parameters 113 in order to make the comparison.
  • the sampling rate can be increased upon a determination that the received load level is sufficiently below the designated threshold limit (304B). In some variations, the sampling rate can be decreased upon a determination that the load level exceeds the designated threshold limit (304C). Still further, in other variations, the sampling rate can be chosen to cause the data analysis resource to sample data with an optimum load level (304D).
  • a controller may be located on a separate device from the data producers and data collectors.
  • a controller may be a software-defined network (SDN) controller.
  • SDN software-defined network
  • a network switch may perform data sampling, and deliver sampled data to a separate server for analysis.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

According to an example, an amount of data traffic of a data producer is determined for a given duration of time. An indicator of a load level is determined for a data analysis resource. A sampling rate is determined from the indicator and the amount of traffic, for use in forwarding data of the data traffic to the data analysis resource.

Description

DETERMINING A SAMPLING RATE FOR DATA TRAFFIC
BACKGROUND
[0001] At a network switch, data can be sampled and analyzed to
characterize the network traffic. Sampling data traffic is advantageous because network traffic at a network switch is typically processed and transmitted at a much faster rate than a rate in which network traffic can be analyzed.
[0002] Sampling data traffic appropriately allows the provider or operator to characterize the data traffic on the network, while making efficient use of data analysis resources. Because these data analysis procedures can be quite processor-intensive, it is important not to overload the processor(s) performing the analysis.
[0003] Some conventional approaches include limiting the proportion of data traffic packets which are sampled and delivered for data analysis (i.e., the sampling rate), based on the worst-case scenario. An approach which utilizes the worst-case sampling rate can prevent the data analysis processor(s) from being excessively loaded, but such an approach also limits system performance to that which is permitted under the worst-case scenario. Another conventional approach provides for the sampling rate to be based on the average incoming data rate. However, in this approach, the sampling rate overloads the data analysis processor(s) whenever the incoming data rate exceeds the average incoming data rate.
[0004] Some other conventional approaches, such as provided by an industry standard sFlow, allow for a one-way automated backoff of the sampling rate which is triggered when a specified number of samples per second is generated. Each time a specified number of samples per second is reached, the sampling rate is cut in half (i.e., only half as many data traffic packets are sampled). Typically, under this approach, the sampling rate does not increase after this back-off process unless there is manual intervention. BRIEF DESCRIPTION OF THE DRAWINGS
[0005] FIG. 1 illustrates an example system for controlling a sampling rate at which data from data traffic passing through a network switch is forwarded to a data analysis resource.
[0006] FIG. 2A illustrates an example system for controlling sampling of data producers on a network system.
[0007] FIG. 2B illustrates another example system for controlling sampling of data producers on a network system.
[0008] FIG. 2C illustrates another example system for controlling sampling of data producers on a network system.
[0009] FIG. 3 illustrates an example method for controlling a sampling rate for data traffic of a network switch.
DETAILED DESCRIPTION
[0010] Examples described herein include a system and method for controlling data sampling on a network. According to one aspect, an amount of data traffic of a data producer is determined for a given duration of time. An indicator of a load level is determined for a data analysis resource. A sampling rate is determined from the indicator and the amount of traffic, for use in forwarding data of the data traffic to the data analysis resource.
[0011] Some examples can provide for a sampling rate to be determined for a network switch on which the data producer is provided. The sampling rate can be determined by a controller (or control entity), operating separate from the network switch. In variations, the control entity can be implemented as part of the network switch. Still further, the control entity can control the sampling rate which is utilized on multiple network switches (or data
producers).
[0012] Among other advantages, examples such as described enable a provider or operator of a network to control sampling of data traffic at a network switch. By controlling the sampling rate, data traffic can be analyzed at a rate or volume that is optimal, to reflect network conditions such as load levels existing on the resource where the data analysis is performed. [0013] Examples described herein provide that methods, techniques, and actions performed by a computing device are performed programmatically, or as a computer-implemented method. Examples can be implemented as hardware, or a combination of hardware (e.g., a processor(s)) and executable instructions (e.g., stored on a machine-readable storage medium). These instructions can be stored in one or more memory resources of the computing device. A programmatically performed step may or may not be automatic.
[0014] Examples described herein can be implemented using modules or components, which may be any combination of hardware and programming to implement the functionalities of the modules or components. In examples described herein, such combinations of hardware and programming may be implemented in a number of different ways. For example, the programming for the components may be processor executable instructions stored on at least one non-transitory machine-readable storage medium and the hardware for the components may include at least one processing resource to execute those instructions. In such examples, the at least one machine-readable storage medium may store instructions that, when executed by the at least one processing resource, implement the modules or components. In examples, a system may include the machine-readable storage medium storing the instructions and the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to system 200 and the processing resource.
[0015] Furthermore, examples described herein may be implemented through the use of instructions that are executable by one or more processors. These instructions may be carried on a computer-readable medium. Machines shown or described with figures below provide examples of processing resources and computer-readable mediums on which instructions for
implementing examples described herein can be carried and/or executed. In particular, the numerous machines shown with examples include processor(s) and various forms of memory for holding data and instructions. Examples of computer-readable mediums include permanent memory storage devices, such as hard drives on personal computers or servers. Other examples of computer storage mediums include portable storage units, such as CD or DVD units, flash memory (such as carried on smart phones, multifunctional devices or tablets), and magnetic memory. Computers, terminals, network enabled devices (e.g., mobile devices, such as cell phones) are all examples of machines and devices that utilize processors, memory, and instructions stored on computer-readable mediums. Additionally, examples may be implemented in the form of computer-programs, or a computer usable carrier medium capable of carrying such a program.
[0016] FIG. 1 illustrates an example of a data sampling system for sampling data traffic that is passed through a network switch. In examples of FIG. 1, a data sampling system 100 includes a network switch 101 and a controller 110. The network switch 101 and the controller 110 collectively operate to selectively sample traffic passing through the network switch 101 for communication to a data analysis resource 120. Packets received by network switch 101 are shown as data traffic in 102, and the packets are transmitted to destination devices are shown as data traffic out 103. The data sampling system 100 operates to sample data from the data traffic in 102, so as to generate sampled data 107, which is transmitted to the data analysis resource 120.
[0017] Each of the network switch 101, controller 110 and/or data analysis resource 120 can be implemented by a computing resource that includes a processor, combination of processors, or shared processor. In some variations, the network switch 101 and controller 110 are provided on separate devices or components and interconnect across a network or data bus. In variations, the network switch 101 and controller 110 are integrated, so as to be part of the same device or chip package. The data analysis resource 120 can also be provided as a separate component or combination of components. While network switch 101, data sampler 104 and data analysis resource 120 are shown in an example of FIG. 1 as being separate entities, in some variations, the network switch 101, data sampler 104 and/or the data analysis resource 120 can be integrated together as one entity (e.g., within one structure or processing component). [0018] According to at least some embodiments, data analysis resource 120 analyzes sampled data 107 provided from data sampler 104 of the network switch 101. The data analysis resource 120 can process the sampled data 107 for any one of a variety of purposes, including, for example, (i) detecting when entities that generate traffic handled through the network switch 101 are protocol compliant or non-compliant; (ii) detecting when the data traffic passing through the network switch 101 contains an unacceptable level of computer viruses or spam messages; (iii) detecting network-based intrusion events; and/or (iv) performing deep packet inspection (DPI).
However, the data analysis resource 120 is processor intensive and not suited for handling large volumes of traffic as compared to the network switch 101. In this regard, the data analysis resource 120 includes operational limitations as compared to the network switch 101, and more specifically, limitations as to the amount of data that the data analysis resource 120 can accept and process as compared to the amount of data that can be handled by the network switch 101. For example, the amount of data that data analysis resource 120 can process and analyze can be several orders of magnitude less than the amount of data traffic input 102 which passes through the network switch 101.
[0019] According to some implementations, the data sampler 104 can be dynamically adjusted or tuned in order to adjust an amount of sampled data 107 that is communicated to the data analysis resource 120. In particular, the data sampler 104 can utilize selection criteria 117 and sampling rate values 105 in order to reduce the amount of packets which are sampled. The selection criteria 117 can correspond to, for example, a setting which identifies the type of data packets which are to be sampled. For example, the selection criteria 117 can identify specific applications or packet types (e.g., application data packets), and exclude other data packets from sampling (e.g., packets at the beginning of a flow).
[0020] Additionally, the data sampler 104 can use sampling rate values 105 so that it can operate at any given moment in accordance with a sampling rate. The sampling rate defines the amount of data that is forwarded to the data analysis resource 120 for analysis. The sampling rate values 105 of data sampler 104 can be adjusted or tuned in accordance with sampling rate values 105. The sampling rate values 105 include values that affect the operational level or sampling rate of data sampler 104 (e.g., amount of sampled data 107). As described with examples, the sampling rate values 105 can be determined from, or otherwise based on sampling control parameters 115 provided from the controller 110.
[0021] According to an example of FIG. 1, the controller 110 includes sampling rate logic 112 and sampling mode logic 114. The controller 110 can receive feedback 111 as input from the data analysis resource 120. The feedback 111 can be based on or otherwise include a variety of factors which indicate sampling conditions or capacity. In particular, the feedback 111 can include indicators, corresponding to information or data that is indicative of (i) a desired processor utilization for data analysis resource 120, (ii) a capacity of the network switch 101, and/or (iii) a processing jitter or delay with the switch 101 and/or the data analysis resource 120. The sampling rate logic 112 can implement an algorithm or process to determine the sample rate at a given instance of time based at least in part on the feedback 111. In determining the sample rate, the sampling rate logic 112 can utilize information indicating the amount of traffic passing through the network switch 101, shown as traffic parameters 113. The traffic parameters 113 can be determined from the network switch 101, or from other sources on the network.
[0022] The sampling mode logic 114 can include logic to select the algorithm or process for calculating the sample rate at the given instance. For example, the sampling mode logic 114 can include conditions or events which warrant switching the algorithm or process for calculating the sample rate. The process or algorithm used to determine the sample rate can vary in
robustness, processing requirements, and/or accuracy. The selection of the process or algorithm can be based on, for example, network conditions or the amount of traffic being handled through the network switch 101. If, for example, the network switch 101 is experiencing heavy traffic, the controller 110 may select the least computationally intensive algorithm for determining the sample rate. The controller 110 can calculate the sample rate using, for example, an averaging process, a statistical process, or a predictive process, such as provided through linear regression, time series regression, best curve fit, Markov model, or weighted averages.
[0023] Still further, in some embodiments, the sampling mode logic 114 can specify the type of data that is forwarded on as sampled data 107. For example, the sampling mode logic 114 can forward headers of sampled packets in one implementation mode. In a variation, the sampling mode logic can forward a combination of headers and specified portions of the packet payloads as the sampled data 107. The determination of what portions or aspects of the packets in traffic input 102 which are to be contained in the sampled data 107 can also be based on factors such as (i) the amount of network traffic that is present, and/or (ii) the bandwidth and/or available resources of the data sampler 104 or network switch 101.
[0024] The data analysis resource 120 operates by examining the incoming packets of the sampled data 107 to determine information about each received packet. By way of example, the determined information can include what protocol is used with the individual data packets; the packet's source or destination; whether a packet matches a particular sequence of bits; or whether the packet matches other criteria of interest.
[0025] The controller 110 can determine the sampling control parameters 115 based at least in part on feedback 111. In some implementations, the sampling control parameters 115 can reflect the determined sampled rate as a direct measurement (e.g., x packets per second). In variations, the sampling control parameters 115 can provide a relative measure (e.g., sample 1 packet out of 1000 packets).
[0026] According to one aspect, the sampling rate logic 112 can use indicators provided by the data analysis resource 120 in the feedback 111 to determine the sample rate control parameters 115. The sampling mode logic 114 selects an algorithm or process for calculating the sample rate control parameters 115, and the sampling rate logic 112 calculates the sample rate using an algorithm that is determined by the sampling mode logic 114. The sampling mode logic 114 can make the selection of the algorithm or process for calculating the sample rate based on a variety of factors, such as based on traffic passing through the network switch 101.
[0027] The controller 110 can communicate the sampling control parameters 115 to the data sampler 104 of the switch 101. In turn, the data sampler 104 can set or otherwise determine a value of one or more sampling rate values 105 which implement data sampling rate for a given duration of time (e.g., duration of sample, more than one second). In this way, the sampling rate values 105 can correspond to, or be based on the sampling control parameters 115. For example, in one implementation, the sampling control parameters 115 can directly reflect the sampling rate values 105.
Alternatively, the sampling control parameters can identify a relative quantity for the sampling rate, and the sampling rate values 105 can reflect additional parameters such as those measured directly from the traffic input 102 of the network switch 101.
[0028] Additionally, the sampling rate values 105 can be continuously or repeatedly updated by the controller 110. In particular, the controller 110 can update the sampling control parameters 115 to reflect a change in the indicators of the load level incurred by the data analysis resource 120, and the update to the sampling control parameters can be reflected in the sampling rate values 105. In this way, the sampling can be executed on the network switch 101 using sampling rate values 105 which are continuously or repeatedly updated based on changes to the load level of the data analysis resource 120.
[0029] In some embodiments, the controller 110 continuously or repeatedly calculates changes to the sampling control parameters 115. The changes to the data sampling rate can be the result of fluctuations of the indicators of the feedback 111, as well as changes to the algorithm or process used to calculate the data sampling rate. The controller 110 can reflect changes to the data sampling rate in the sampling control parameters 115, which can update the sampling rate values 105 of the data sampler 104.
[0030] With reference to FIG. 1, some or all of the functions described in relation to the examples herein may be implemented by devices via hardware or a combination of hardware and instructions for the hardware. For example, components of FIG. 1 may be implemented via hardware which is instructed to perform functionality associated with the components, utilizing instructions stored in memory.
[0031] FIG. 2A, FIG. 2B, and FIG. 2C illustrate alternative network systems on which a sampling rate for data traffic of data producers is
controlled, in accordance with one or more embodiments described herein. In more detail, an example system 200, 220, 250 such as depicted in FIG. 2A, FIG. 2B or FIG. 2C respectively, can be implemented in a variety of computing environments, including in an environment in which sampling is performed to analyze data packets or traffic passing through a node such as the network switch 101. In particular, examples of FIG. 2A, FIG. 2B and FIG. 2C provide for a system to sample data from a high traffic source in order to analyze the data packet or traffic using a data analysis resource that has a significantly lesser but fluctuating capacity to receive and process the sampled data. Each of the systems 200, 220, 250 can be implemented using computing resources, including a combination of processors and/or processing resources (e.g., integrated circuit).
[0032] With reference to FIG. 2A, system 200 can be implemented as a single, stand-alone device, such as, e.g., a system-on-chip (SoC) device. The system 200 includes a controller 201, one or more data producers 202, 203, 204, and one or more data collectors 205, 206, 207. In accordance with an example depicted in FIG. 2A, the data producers 202, 203, 204 each sample and provide data traffic from a network switch (such as, e.g., network switch 101 of FIG. 1). In some examples, the data producers 202, 203, and 204 correspond to one or more application-specific integrated circuits (ASICs) which operate with or as part of a network switch 101 (FIG. 1). Each of the data producers 202, 203, 204 can also include a data sampler 244, which can operate to sample data passing through the respective data producer. Data producers 202, 203, and 204 each provide sampled data 212, 213, 214 to the data collectors 205, 206, and 207. Each data collector 205, 206, 207 can correspond to a computing resource for performing data analysis on sampled data (e.g., see data analysis resource 120 of FIG. 1). While an example of FIG. 2A depicts three data producers 202, 203, 204 and three data collectors 205, 206, 207, other configurations or examples can provide for system 200 to utilize a greater or lesser number of data producers (e.g., network switches) and data collectors (e.g., data analysis components). Additionally, while each data producer 202, 203, and 204 is shown in FIG. 2A as being coupled to each of the data collectors 205, 206, and 207, other examples can provide for alternative configurations as to the manner in which data collectors 205, 206, 207 receive and sample data from data producers 202, 203, 204(e.g., each data producer could be coupled to only one data collector).
[0033] With further reference to FIG. 2A, the controller 201 provides sampling control parameters 211 to control the rate at which data producers 202, 203, 204 sample data traffic 222, 223, 224 and provide sampled data
212, 213, 214 to the individual data collectors 205, 206, 207. Each of the data producers 202, 203, 204 can include a data sampling component 234, 235, 236 which performs the data sampling in order to provide sampled data 212,
213, 214 to the data collectors 2205, 206, 207. The data sampling component 234, 235, 236 can operate, for example, in a manner described with the data sampler 104 of the network switch 101 (see FIG. 1).
[0034] The controller 201 determines the sampling control parameters 211 based on feedback 231 that is received from the one or more data collectors 205, 206, 207. The feedback 231 can include data indicators of each data collector's load level. By way of example, the load level of each data collector 205, 206, 207 can specify (i) a CPU load level, (ii) percentage memory utilization, and/or (iii) intrinsic latency issues.
[0035] According to one aspect, the controller 201 implements a process to determine whether the data collectors 205, 206, 207 are operating
efficiently or at optimum levels. In particular, the controller 201 can implement a process to compare the load level of each data collector 205, 206, 207 to one or more threshold value(s) which are predetermined values correlating to maximum load level(s) for each data collector. Alternatively, the controller 201 can implement a process to compare the load level of each data collector 205, 206, 207 to an optimum load level. Based on the comparison, the controller 201 can output sampling control parameters 211 which cause the respective data sampler 234, 235, 236 of each data producer to sample data at an estimated rate that is at or below the threshold values and/or the optimum load level for each data collector 205, 206, 207. The data collectors 205, 206, 207 can update indicators of feedback 231 in order to enable the controller to dynamically determine and adjust data sampling rate to be faster or slower. The controller 201 can be responsive to the feedback 231 to generate sampling control parameters 211 that set the data sampling rates of the data samplers 234, 235, 236 at each of the individual data producers 202, 203, 204. In this way, the sampling rates that are utilized by the data producers 202, 203, 204 can be increased or decreased dynamically, so as to be responsive to, for example, events that affect the capacity of the data collectors 205, 206, 207 to receive the sampled data.
[0036] As an addition or alternative, the controller 201 can operate to adjust the sampling control parameters 211 so that the sample rate utilized by each data producer 202, 203, 204 can change repeatedly or continuously. For example, the sample rate of each data producer 202, 203, 204 can be changed after every sample, or every other sample. Moreover, the frequency of how often the sample rate is changed on each data producer 202, 203, 204 can be dynamically determined, based on settings or external events or traffic (e.g., fluctuations in the data traffic).
[0037] By way of example, the controller 201 can receive feedback 231 which is indicative of a load level from one or more of the data collector 205, 206, 207. The controller 201 can determine that the indicated load level is sufficiently below a designated threshold limit. In response, the controller 110 can cause the data sampler 234, 235, 236 of one or more of the data
producers 202, 203, 204 to increase the data sampling rate. This results in an increase in the amount of sampled data 212, 213, 215 that is provided to the data collectors 205, 206, 207.
[0038] In some examples, controller 201 receives feedback 231 that indicates a load level from one or more of the data collectors 205, 206, 207. The controller 201 can determine that the load level that is indicated in the feedback 231 exceeds a designated threshold limit. In response to this determination, the controller 201 can adjust the sampling control parameters 211 to cause the data sampling components 234, 235, 236 of one or more of the data producers 202, 203, 204 to decrease the rate at which sampled data 212, 213, 214 is generated and communicated to the data collectors 205, 206, 207.
[0039] In some variations, controller 201 can receive feedback 231 which indicates the load level of one or more of the data collectors 205, 206, 207. The controller 201 can calculate a data sampling rate to produce an optimum load level of the data collector 205, 206, 207. The controller 201 can then adjust the sampling control parameters 211 to cause the data samplers 234, 235, 236 of one or more of data producers 202, 203, 204 to sample at the calculated rate.
[0040] Still further, in some variations, controller 201 can receive load levels from one or more data collectors 205, 206, 207 for a given duration of time. The controller 201 can also determine the amount of data traffic on a network switch (e.g., network switch 101 of FIG. 1) for a given duration of time. The controller 201 can then use the received load levels and amount of data traffic to determine one or more sampling rates for one or more of data producers 202, 203, and 204. The one or more sampling rates can be
determined through anyone of various possible algorithms and techniques, including averaging techniques, statistical techniques, or predictive techniques such as linear regression, time series regression, best curve fit, Markov models, weighted averages, or other techniques. The controller 201 can then cause the data sampler 234, 235, 236 of one or more data producers to sample data traffic at the determined rate(s). Using these techniques can also control the oscillation or jitter of the apparatus.
[0041] Still further, in some variations, controller 201 can determine which technique is used to determine the one or more sampling rates based on the amount of traffic. For example, if the determined amount of traffic is very high or highly variable, controller 201 can determine the sampling rates using a different model than for lower or less variable amounts of traffic. In accordance with some examples, the technique used to determine the sampling rate can vary dynamically according to the amount of data traffic.
[0042] Still further, in some variations, controller 201 can cause the one or more data producers 202, 203, and 204 to sample data traffic at the determined rate(s) by transmitting a signal to the one or more data producers 202, 203, and 204 indicating the sampling rate. In this signal, the controller 201 can additionally specify the destination for forwarding sampled packets. In accordance with some examples, this destination can be a remote destination (e.g., the sampled packets are transmitted over the network to the
destination). In accordance with some other examples, this transmitted signal can also specify a pattern or other criteria for use in the analysis of the sampled data traffic.
[0043] Still further, in some variations, the data producers 202, 203, and 204 can preprocess the sampled packets before passing them to the data collectors 205, 206, and 207. For example, data producers 202, 203, and 204 can scan sampled packets for a specified criteria such as a source, destination, or other pattern to match (e.g., a specified URL). Sampled packets not matching the specified criteria can be discarded.
[0044] With reference to FIG. 2B, in some other examples, a system 250 for controlling the rate of data sampling on a network can be implemented as two separate devices or entities— a network device 240, and a processing subsystem 270. Network device 240 can be a stand-alone network device, or can optionally be integrated with a network switch such as network switch 101 of FIG. 1.
[0045] With respect to FIG. 2B, the system comprising network device 240 and processing sub-system 270. Processing sub-system 270 can be a stand-alone network appliance coupled to network device 240. In accordance with some other examples, network device 240 and processing sub-system 270 can be separate modular components, which can be mounted in the module slots of a network switch. The processing sub-system 270 includes a controller 251, one or more data producers 241, 242, 243, and one or more data collectors 252, 253, 254. In accordance with the example depicted in FIG. 2B, the data producers 241, 242, 243 each include data samplers 266, 267, 268 which operate to sample and provide data traffic from a network switch (such as, e.g., data sampler 104 of network switch 101 in FIG. 1). In some examples, the data producers 241, 242, 243 correspond to one or more application-specific integrated circuits (ASICs) which operate with or as part of a network switch 101 (FIG. 1). Data producers 241, 242, and 243 each provide sampled data 212, 213, 214 to the data collectors 252, 253, 254. Each data collector 252, 253, 254 can correspond to a computing resource for performing data analysis on sampled data (e.g., see data analysis resource 120 of FIG. 1). While an example of FIG. 2B depicts three data producers 241, 242, 243 and three data collectors 252, 253, 254, other configurations or examples can provide for the system to utilize a greater or lesser number of data producers (e.g., network switches) and data collectors (e.g., data analysis components). Additionally, while each data producer 241, 242, 243 is shown in FIG. 2B as being coupled to each of the data collectors 252, 253, 254, other examples can provide for alternative configurations as to the manner in which data collectors 252, 253, 254 receive and sample data from data producers 241, 242, 243 (e.g., each data producer could be coupled to only one data collector).
[0046] With further reference to FIG. 2B, the controller 251 provides sampling control parameters 211 to control the rate at which the data
samplers 266, 267, 268 of the data producers 241, 242, and 243 sample data traffic 222, 223, 224 and provide sampled data 212, 213, 214 to the individual data collectors 252, 253, 254. The controller 251 determines the sampling control parameters 211 based on feedback 231 that is received from the one or more data collectors 252, 253, 254. The feedback 231 can include, or be based on parameters that are indicative of each data collector's load level. By way of example, the load level of each data collector 252, 253, 254 can include (i) a CPU load level, (ii) percentage memory utilization, and/or (iii) intrinsic latency issues.
[0047] In accordance with some examples, controller 251 can determine appropriate sampling rates similarly to the examples described above with respect to FIG. 2A. The variation depicted in FIG. 2B can allow greater flexibility of operation as opposed to the single device example depicted in FIG. 2A. For example, in some aspects network device 240 and processing subsystem 270 can be mounted in the module slots of a network switch, and network device 240 or processing sub-system 270 can be removed and replaced with an identical device (e.g., if network device 240 or processing sub-system 270 requires a repair), with a new device (e.g., if an upgraded version of network device 240 or processing sub-system 270 is introduced), or with a device having capabilities better suited for current network conditions.
[0048] With reference to FIG. 2C, in accordance with some other
examples, a system 280 controlling the rate of data sampling on a network can be implemented as a plurality of separate devices— a plurality of network devices 260A, 260B, and a processing sub-system 270. Note that while only two network devices are shown in the example of FIG. 2C, other numbers of network devices can also be present, in accordance with some other examples. In accordance with some examples, network devices 260A, 260B and
processing sub-system 270 can be separate modular components, which can be mountable in the module slots of a network switch.
[0049] With respect to FIG. 2C, the system 280 includes two or more network devices 260A, 260B and the processing system 270. The processing sub-system 270 can alternatively be implemented as a device with a collection of components. The processing sub-system 270 can include controller 251, one or more data producers 241, 242, 243, 261, 262, 263 and one or more data collectors 252, 253, 254. In accordance with the example depicted in FIG. 2B, the data producers 241, 242, 243, 261, 262, 263 each include or provide data samplers (not shown for brevity) which sample and provide data traffic from a network switch (such as, e.g., network switch 101 of FIG. 1). In some
examples, the data producers 241, 242, 243, 261, 262, 263 correspond to one or more application-specific integrated circuits (ASICs) which operate with or as part of a network switch 101 (FIG. 1). Data producers 241, 242, 243, 261, 262, and 263 provide sampled data 212, 213, 214, 215, 216, 217 to the data collectors 252, 253, 254. Each data collector 252, 253, 254 can correspond to a computing resource for performing data analysis on sampled data (e.g., see data analysis resource 120 of FIG. 1).
[0050] While an example of FIG. 2C depicts six data producers 241, 242, 243, 261, 262, 263 and three data collectors 252, 253, 254, other
configurations or examples can provide for the system to utilize a greater or lesser number of data producers (e.g., network switches) and data collectors (e.g., data analysis components). Similarly, while each network device 260A, 260B is depicted as containing three data producers, other configurations or examples can provide for the system to utilize a greater or lesser number of data producers per network device. Additionally, while each data producer 241, 242, 243 is shown in FIG. 2C as being coupled to each of the data collectors 252, 253, 254, other examples can provide for alternative configurations as to the manner in which data collectors 252, 253, 254 receive and sample data from data producers 241, 242, 243. For example, each of data producer 261, 262, 263 of the example depicted in FIG. 2C is only coupled to one data collector (i.e. data producer 261 is coupled to data collector 252).
[0051] With further reference to FIG. 2C, the controller 251 provides sampling control parameters 211 to control the rate at which data producers 241, 242, 243 and 261, 262, 263 sample data traffic 222, 223, 224, 225, 226, and 227 and provide sampled data 212, 213, 214, 215, 216, 217 to the individual data collectors 252, 253, 254. The controller 251 determines the sampling control parameters 211 based on feedback 231 that is received from the one or more data collectors 252, 253, 254. The feedback 231 can include, or be based on parameters that are indicative of each data collector's load level. By way of example, the load level of each data collector 252, 253, 254 can include (i) a CPU load level, (ii) percentage memory utilization, and/or (iii) intrinsic latency issues.
[0052] In accordance with some examples, controller 251 can determine appropriate sampling rates similarly to the examples described above with respect to FIG. 2A. The variation depicted in FIG. 2C can also allow similar flexibility of operation as the example depicted in FIG. 2B. [0053] Additionally, a variation depicted in FIG. 2C can allow further benefits over the example depicted in FIG. 2B. In accordance with some other examples, data traffic can be distributed among network devices 260A, 260B (or more generally among a larger number of network devices) according to one or more specified criteria, such as, e.g., source/destination address or source/destination network. In accordance with some examples, controller 251 can cause network devices 260A, 260B to sample data traffic at different sampling rates, as there can be differing amounts of traffic satisfying the specified criteria. Additionally, differing sampling rates can be appropriate because network devices 260A, 260B can have differing processing
capabilities.
[0054] Still further, in another aspect, each network device 260A, 260B can monitor the amount of traffic it has been allocated (e.g., the amount of traffic satisfying a specified criteria as described above). The network devices 260A, 260B can send this amount of traffic information to controller 251 periodically, or upon request from controller 251.
[0055] In another aspect, a voting operation can be conducted to
determine how sampling rates should be calculated (e.g., linear regression, time series regression, best curve fit, predictive, Markov models, or weighted averages as described above). Controller 251 can poll the network devices 240, 260A, and the network devices can respond with a signal indicating preferred or supported models.
METHODOLOGY
[0056] FIG. 3 illustrates an example method for controlling a sampling rate for data traffic of a network switch. An example of FIG. 3 can be
implemented using components described with other examples, including with an example of FIG. 1. Accordingly, reference may be made to elements of FIG. 1 for purpose of illustrating a suitable component for performing a step or sub- step being described. [0057] With reference to FIG. 3, an amount of data traffic on a network is determined for a given duration of time (301). For example, the controller 110, can determine a load level by communicating with data analysis resource 120.
[0058] An indicator is received for a load level of a data analysis resource (302). For example, the controller 110, can determine a load level by
communicating with data analysis resource 120. The indicator can pertain to, for example, the load level of the data analysis resource 120 at a given instant or duration of time.
[0059] The data of the network switch 101 can be sampled based on the indicator and the amount of traffic, in order to forward data of the network switch to the data analysis resource at below the designated threshold limit (304). For example, the data sampler 104 can use the sampling rate values 105 to determine the amount of sampled data which is forwarded to the data analysis resource 120.
[0060] In accordance with some examples, a comparison is performed of the load level of the data analysis resource at the detected amount of network traffic to a designated threshold limit of the data analysis resource (304A). For example, the controller 110 can utilize the feedback 111 and the traffic parameters 113 in order to make the comparison.
[0061] In some variants, the sampling rate can be increased upon a determination that the received load level is sufficiently below the designated threshold limit (304B). In some variations, the sampling rate can be decreased upon a determination that the load level exceeds the designated threshold limit (304C). Still further, in other variations, the sampling rate can be chosen to cause the data analysis resource to sample data with an optimum load level (304D).
[0062] In accordance with some other variations not depicted in FIG. 2A- 2C, a controller may be located on a separate device from the data producers and data collectors. For example, a controller may be a software-defined network (SDN) controller. In accordance with these variations, a network switch may perform data sampling, and deliver sampled data to a separate server for analysis. [0063] Although illustrative examples have been described in detail herein with reference to the accompanying drawings, variations to specific examples and details are encompassed by this disclosure. It is intended that the scope of the embodiments described herein are defined by the following claims and their equivalents. Furthermore, it is contemplated that a particular feature described, either individually or as part of an example, can be combined with other individually described features, or parts of other examples. Thus, absence of describing combinations should not preclude the inventor(s) from claiming rights to such combinations.

Claims

WHAT IS CLAIMED IS:
1. A method for controlling data sampling on a network, the method being implemented by one or more processors and comprising:
(a) determining, for a given duration of time, an amount of data traffic of a data producer of the network;
(b) receiving an indicator of a load level for a data analysis resource; and
(c) determining, from the indicator and the amount of traffic, a sampling rate for use in forwarding data of the data traffic to the data analysis resource.
2. The method of claim 1, wherein determining the sampling rate includes performing a comparison of the data analysis resource to a designated threshold limit of the data analysis resource.
3. The method of claim 2, wherein determining the sampling rate includes increasing the sampling rate in response to a determination that the load level is sufficiently less than the designated threshold limit.
4. The method of claim 2, wherein determining the sampling rate includes decreasing the sampling rate in response to a determination that the load level exceeds the designated threshold limit.
5. The method of claim 1, wherein determining the sampling rate includes calculating the sampling rate to produce an optimum load level at the data analysis resource.
6. The method of claim 1, wherein determining the sampling rate includes at least one of (i) performing a linear regression of the load level on the amount of data traffic, (ii) applying a best-curve fit model to the load level and amount of data traffic, (iii) applying a Markov model to the load level and amount of data traffic, (iv) applying a time series regression to the load level and amount of data traffic, or (v) applying a weighted average to the load level and amount of data traffic.
7. The method claim 1, wherein the data analysis resource utilizes one or more processors, and wherein the load level is a measure of a load level for each of the one or more processors.
8. The method of claim 1, further comprising :
communicating with the data analysis resource in order to receive the indicator as feedback; and
wherein determining the sampling rate is based on the indicator provided with the feedback.
9. The method of claim 1, further comprising :
receiving feedback from the data analysis resource after data of the data traffic is forwarded to the data analysis resource at the sampling rate;
determining an updated indicator from the feedback; and
adjusting the sampling rate based on the updated indicator.
10. The method of claim 9, wherein determining the sampling rate is performed using a first technique, and wherein adjusting the sampling rate is performed using a second technique.
11. The method of claim 1, further comprising :
communicating the sampling rate to the data producer; and
sampling the data of the data traffic at the data producer.
12. The method of claim 1, wherein the data producer is provided on a network switch, and wherein (a) through (c) are performed on a controller that is separate from the network switch.
13. The method of claim 1, wherein the data producer is provided on a network switch, and wherein (a) through (c) are performed on a controller that is integrated with the network switch.
14. A system comprising :
one or more network switches;
a data analysis resource;
a controller;
wherein the controller is to:
determine, for a given duration of time, an amount of data traffic passing through at least one of the one or more network switches;
receive an indicator of a load level for the data analysis resource; and
determining, from the indicator and the amount of traffic, a sampling rate for use in forwarding data of the data traffic to the data analysis resource.
15. A non-transitory computer readable medium storing instructions, that when executed by one or more processors, cause a computer system of the one or more processors to perform steps comprising :
determine, for a given duration of time, an amount of data traffic passing through a network switch;
receive an indicator of a load level for a data analysis resource; and
determining, from the indicator and the amount of traffic, a sampling rate for use in forwarding data of the data traffic to the data analysis resource.
PCT/US2015/038357 2015-01-28 2015-06-29 Determining a sampling rate for data traffic WO2016122708A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
USPCT/US2015/013249 2015-01-28
US2015013249 2015-01-28

Publications (1)

Publication Number Publication Date
WO2016122708A1 true WO2016122708A1 (en) 2016-08-04

Family

ID=56544112

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/038357 WO2016122708A1 (en) 2015-01-28 2015-06-29 Determining a sampling rate for data traffic

Country Status (1)

Country Link
WO (1) WO2016122708A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10659327B2 (en) 2015-06-19 2020-05-19 Cisco Technology, Inc. Network traffic analysis
WO2021113904A1 (en) 2019-12-11 2021-06-17 Redfig Consulting Pty Ltd Network traffic identification device
EP4162335A4 (en) * 2020-07-21 2024-01-24 Siemens Aktiengesellschaft Multi-parameter dynamic sampling method and multi-parameter dynamic sampling device
EP4138340A4 (en) * 2020-04-14 2024-04-17 ZTE Corporation Data sampling method, apparatus and device for network device, and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007074385A (en) * 2005-09-07 2007-03-22 Yokogawa Electric Corp Network apparatus
JP2011239218A (en) * 2010-05-11 2011-11-24 Hitachi Cable Ltd Network relay device, statistic information acquisition system, and statistic information acquisition method
JP2013093735A (en) * 2011-10-25 2013-05-16 Fujitsu Ltd Data sampling device, method, and program
US20140078903A1 (en) * 2012-09-18 2014-03-20 Cisco Technology, Inc. Real Time and High Resolution Buffer Occupancy Monitoring and Recording

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007074385A (en) * 2005-09-07 2007-03-22 Yokogawa Electric Corp Network apparatus
JP2011239218A (en) * 2010-05-11 2011-11-24 Hitachi Cable Ltd Network relay device, statistic information acquisition system, and statistic information acquisition method
JP2013093735A (en) * 2011-10-25 2013-05-16 Fujitsu Ltd Data sampling device, method, and program
US20140078903A1 (en) * 2012-09-18 2014-03-20 Cisco Technology, Inc. Real Time and High Resolution Buffer Occupancy Monitoring and Recording

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
PERE BARLET-ROS ET AL.: "Robust Resource Allocation for Online Network Monitoring", TELECOMMUNICATION NETWORKING WORKSHOP ON QOS IN MULTISERVICE IP NETWORKS, 2008. 4TH INTERNATIONAL, 13 February 2008 (2008-02-13), Venice, pages 129 - 134, Retrieved from the Internet <URL:http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=4488142&url=http%3%%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D4488142> *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10659327B2 (en) 2015-06-19 2020-05-19 Cisco Technology, Inc. Network traffic analysis
WO2021113904A1 (en) 2019-12-11 2021-06-17 Redfig Consulting Pty Ltd Network traffic identification device
EP4073981A4 (en) * 2019-12-11 2023-01-18 Redfig Consulting Pty Ltd Network traffic identification device
EP4138340A4 (en) * 2020-04-14 2024-04-17 ZTE Corporation Data sampling method, apparatus and device for network device, and medium
EP4162335A4 (en) * 2020-07-21 2024-01-24 Siemens Aktiengesellschaft Multi-parameter dynamic sampling method and multi-parameter dynamic sampling device
US11921499B2 (en) 2020-07-21 2024-03-05 Siemens Aktiengesellschaft Multi-parameter dynamic sampling method and multi-parameter dynamic sampling device

Similar Documents

Publication Publication Date Title
US8661283B2 (en) Power distribution unit-device correlation
JP4659850B2 (en) Network monitoring program, network monitoring method, and network monitoring apparatus
WO2019120187A1 (en) Non-intrusive mechanism to measure network function packet processing delay
US11095535B2 (en) Adaptive and flexible packet sampling
US20130238792A1 (en) Apparatus and method for analyzing a network
US10135711B2 (en) Technologies for sideband performance tracing of network traffic
WO2016122708A1 (en) Determining a sampling rate for data traffic
US10237192B2 (en) Apparatus and system for optimizing communication networks
CN109981744B (en) Data distribution method and device, storage medium and electronic equipment
US9350669B2 (en) Network apparatus, performance control method, and network system
US9577939B2 (en) Method and apparatus for distributing EtherChannel load based on variance
WO2013059760A1 (en) Application based bandwidth control for communication networks
US11171869B2 (en) Microburst detection and management
CN108206788B (en) Traffic service identification method and related equipment
CN104580008A (en) Method and device for improving multi-queue random message discarding accuracy based on hardware
CN116545936A (en) Congestion control method, system, device, communication equipment and storage medium
CN109952743B (en) System and method for low memory and low flow overhead high flow object detection
CN105471938B (en) Server load management method and device
CN101159673A (en) Arbitrary sampling method and apparatus
CN107438268B (en) Method and device for accelerating wireless network for mobile device
US20180101609A1 (en) Pattern-based Data Collection for a Distributed Stream Data Processing System
CN115277504B (en) Network traffic monitoring method, device and system
CN107995053B (en) Method and device for detecting network packet loss based on software defined network
JP2017152956A (en) Work load estimation method and work load estimation device
CN115576698A (en) Network card interrupt aggregation method, device, equipment and medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15880596

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15880596

Country of ref document: EP

Kind code of ref document: A1