US-12621326-B2 - Optimized deep packet inspection (DPI) anywhere
Abstract
A method of monitoring network traffic flowing in a production fabric includes, in part, receiving a multitude of mirrored packets of the traffic flow at a service node disposed in a monitoring fabric that is distinct from the production fabric. From the received packets, the start of a communication session established between a first client and a second client on the production fabric is determined. A subset of the received packets is then selected for deep packet inspection at the service node to identify metadata associated with the network traffic of the identified session. The metadata may be used to identify the software application that generates the traffic flow. The mirrored packets may include packets sent from the first client to the second client, as well as packets sent from the second client to the first client.
Inventors
- Sandip Shah
- Michael T. STOLARCHUK
- Sean Dao
Assignees
- ARISTA NETWORKS, INC.
Dates
- Publication Date: 2026-05-05
- Application Date: 2024-01-16
Claims (20)
- 1. A method of monitoring a production fabric, having a plurality of data taps coupled to a monitoring fabric, the method comprising: receiving, by a service node of the monitoring fabric, a first plurality of mirrored packets of a traffic flow from at least some of the plurality of data taps and via a switch fabric of the monitoring fabric coupling the plurality of data taps to the service node; identifying, by the service node of the monitoring fabric, a start of a communication session established between a first client and a second client on the production fabric based on the received first plurality of mirrored packets; selecting, by the service node of the monitoring fabric, a subset of the received first plurality of mirrored packets; and performing, by the service node of the monitoring fabric, deep packet inspection of the subset of the received first plurality of mirrored packets to identify metadata associated with the communication session, wherein the metadata identifies a software application generating the traffic flow and wherein network traffic associated with the traffic flow is prioritized based on a type of the identified software application generating the traffic flow.
- 2. The method of claim 1 further comprising: causing packet forwarding for the traffic flow to be prioritized based on the type of the identified software application generating the traffic flow.
- 3. The method of claim 1 wherein the prioritized network traffic comprises voice network traffic and wherein the prioritized network traffic is prioritized over web browsing network traffic.
- 4. The method of claim 1 wherein the first plurality of mirrored packets comprise packets sent from the first client to the second client and packets sent from the second client to the first client.
- 5. The method of claim 1 wherein the deep packet inspection of the subset of the received first plurality of mirrored packets is performed in accordance with instructions requiring an IP address of the subset of the received first plurality of mirrored packets to match one of a specified plurality of IP addresses.
- 6. The method of claim 1 wherein the deep packet inspection of the subset of the received first plurality of mirrored packets is performed in accordance with instructions requiring an IP protocol of the subset of the received first plurality of mirrored packets to match one of a specified plurality of IP protocols.
- 7. The method of claim 1 further comprising: storing the first plurality of mirrored packets.
- 8. The method of claim 1 wherein the first plurality of mirrored packets of the traffic flow are mirrored in accordance with a network configuration policy, the method further comprising: changing the network configuration policy to mirror a second plurality of packets of an additional traffic flow from the production fabric.
- 9. The method of claim 8 further comprising: encapsulating the second plurality of mirrored packets into layer-2 generic routing encapsulation (L2GRE) packets; and forwarding the L2GRE packets to the service node via a layer-3 network.
- 10. The method of claim 9 further comprising: performing deep packet inspection of a subset of the L2GRE packets at the service node to identify additional metadata associated with the subset of the L2GRE packets.
- 11. A packet processing system comprising: one or more computer processors; and a computer-readable storage medium comprising instructions, which when executed by the one or more computer processors, cause the one or more computer processors to: receive, from one or more data taps of a production fabric and via a switch fabric of a monitoring fabric that is distinct from the production fabric, a plurality of mirrored packets associated with a traffic flow; identify, from the received plurality of mirrored packets, a start of a communication session established between a first client and a second client on the production fabric; select a subset of the received plurality of mirrored packets; drop a remaining portion of the received plurality of mirrored packets; perform deep packet inspection of the subset of the received plurality of mirrored packets to identify metadata associated with the communication session; and provide the identified metadata associated with the communication session to a network monitoring tool that prevents unauthorized access based on the identified metadata.
- 12. The packet processing system of claim 11 wherein the metadata identifies a software application generating the traffic flow.
- 13. The packet processing system of claim 11 wherein the deep packet inspection of the subset of the received plurality of mirrored packets is performed using a service node of the monitoring fabric.
- 14. The packet processing system of claim 11 wherein the plurality of mirrored packets comprise packets sent from the first client to the second client and packets sent from the second client to the first client.
- 15. The packet processing system of claim 11 wherein the deep packet inspection of the subset of the received plurality of mirrored packets is performed in accordance with instructions requiring an IP address of the subset of the received plurality of mirrored packets to match one of a specified plurality of IP addresses.
- 16. The packet processing system of claim 11 wherein the deep packet inspection of the subset of the received plurality of mirrored packets is performed in accordance with instructions requiring an IP protocol of the subset of the received plurality of mirrored packets to match one of a specified plurality of IP protocols.
- 17. A non-transitory computer readable medium comprising stored instructions, which when executed by one or more processors of a service node of a monitoring fabric, cause the one or more processors to: receive, from one or more data taps of a production network and via a switch fabric of the monitoring fabric coupling the one or more data taps of the production network to the service node of the monitoring fabric, a plurality of mirrored packets associated with a traffic flow; identify, from the received plurality of mirrored packets, a start of a communication session established between a first client and a second client on the production network; select a subset of the received plurality of mirrored packets; perform deep packet inspection of the subset of the received plurality of mirrored packets to identify metadata associated with the communication session; and provide, via the switch fabric, the identified metadata to a network monitoring tool of the monitoring fabric that detects and responds to a threat based on the identified metadata.
- 18. The non-transitory computer readable medium of claim 17 wherein the metadata identifies a software application generating the traffic flow.
- 19. The non-transitory computer readable medium of claim 17 wherein the plurality of mirrored packets comprise packets sent from the first client to the second client and packets sent from the second client to the first client.
- 20. The non-transitory computer readable medium of claim 17 wherein the deep packet inspection of the subset of the received plurality of mirrored packets is performed in accordance with instructions requiring an IP address of the subset of the received plurality of mirrored packets to match one of a specified plurality of IP addresses.
Description
RELATED APPLICATION
The present application is related to U.S. patent application Ser. No. 17/644,410, filed on Dec. 15, 2021, the content of which is incorporated herein by reference in its entirety.
BACKGROUND
Network monitoring tools are often deployed to identify security threats, prevent unauthorized access, and thwart cyber-attacks. Monitoring the traffic in a conventional communications network in order to detect malicious activities often requires a physical connection to a network appliance disposed in the network. Establishing a physical connection to an appliance used in today's extensive and highly complex enterprise or datacenter networks is costly, time-consuming and unscalable. A need continues to exist for an improved technique for monitoring network traffic.
BRIEF DESCRIPTION OF THE DRAWINGS
With respect to the discussion to follow, and in particular, to the drawings, it is stressed that the particulars shown represent examples for purposes of illustrative discussion and are presented in the cause of providing a description of principles and conceptual aspects of the present disclosure. In this regard, no attempt is made to show implementation details beyond what is needed for a fundamental understanding of the present disclosure. The discussion to follow, in conjunction with the drawings, makes apparent to those of skill in the art how embodiments in accordance with the present disclosure may be practiced. Similar or same reference numbers may be used to identify or otherwise refer to similar or same elements in the various drawings and supporting descriptions. In the accompanying drawings:
- FIG. 1 is a high-level diagram of a production fabric in communication with a monitoring fabric to perform deep packet inspection, in accordance with one embodiment of the present disclosure.
- FIG. 2 shows more details of the production fabric and the monitoring fabric of FIG. 1, in accordance with one embodiment of the present disclosure.
- FIG. 3 shows a service node in communication with a switch fabric of the monitoring fabric of FIG. 1, in accordance with one embodiment of the present disclosure.
- FIG. 4 is a flowchart for monitoring network traffic flowing in a production fabric, in accordance with one embodiment of the present disclosure.
- FIG. 5 depicts a simplified block diagram of an exemplary computer system in which some embodiments of the present disclosure may operate.
DETAILED DESCRIPTION
The present disclosure is directed to real-time monitoring and deep packet inspection (DPI) of sessions occurring in a network communication system. Network traffic is tapped at one or more points in a production network (also referred to herein as a production fabric), mirrored, and forwarded to a monitoring fabric in which the real-time DPI operation is carried out. As described further below, a network monitoring system in accordance with embodiments of the present disclosure is highly scalable and has a distributed architecture. Because the DPI, in accordance with embodiments of the present disclosure, is performed in the monitoring fabric, relatively large and complex production fabrics may be monitored without being subjected to performance degradation.
The monitoring fabric includes, in part, one or more service nodes that receive and session-slice the mirrored traffic so that only a subset of the packets of each session (e.g., a TCP session) is selected for the DPI operation. In one example, the subset of packets selected for the DPI operation may be the first 5-15 packets of a TCP session, thus significantly reducing the amount of data used to inspect the traffic, while concurrently improving performance and reducing storage requirements.
In accordance with another aspect of the present disclosure, mirrored packets may be encapsulated into layer-2 generic routing encapsulation (L2GRE) packets and forwarded to a service node for the DPI operation via, for example, a layer-3 network.
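The session-slicing step described above, as an added example that is not code from the patent or from any Arista product: a Python model of a service node that tracks each bidirectional TCP session from the initiator's SYN, forwards only the first N packets of that session to a small DPI classifier, drops everything after the cutoff (and any mid-stream packets whose start was never mirrored), and emits one IPFIX-style metadata record per session carrying the initiator and the identified application. The packet shape, the flag strings, the cutoff of N=4, the record layout and the optional source/destination IP filter (in the spirit of claims 5, 15 and 20) are assumptions, and all sample packets and addresses are constructed.

```python
"""Session slicing in front of DPI (added example; not code from the patent).

Assumptions: packets arrive already de-encapsulated as a 5-tuple plus a TCP
flag string and payload; a session starts at the initiator's pure SYN; only
the first `max_packets` of each session reach the classifier.
"""
from collections import namedtuple

# Constructed packet shape: TCP assumed, flags as a string such as "S", "SA", "PA".
Packet = namedtuple("Packet", "src dst sport dport flags payload")


def flow_key(pkt):
    """Direction-independent key so both halves of a session share one entry."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (min(a, b), max(a, b))


class SessionSlicer:
    """Selects the first `max_packets` of each TCP session for DPI, drops the rest."""

    def __init__(self, max_packets=10, ip_filter=None):
        self.max_packets = max_packets
        self.ip_filter = ip_filter      # optional set of IPs; packets touching none are ignored
        self.sessions = {}              # flow key -> packets already handed to DPI
        self.inspected = []             # packets forwarded to DPI, in arrival order
        self.dropped = 0

    def accept(self, pkt):
        """Return True if the mirrored packet is forwarded to DPI, False if dropped."""
        if self.ip_filter and pkt.src not in self.ip_filter and pkt.dst not in self.ip_filter:
            self.dropped += 1
            return False
        key = flow_key(pkt)
        if key not in self.sessions:
            # Only a pure SYN (no ACK) marks a session start; mid-stream packets
            # whose start was never mirrored are not sliced.
            if "S" not in pkt.flags or "A" in pkt.flags:
                self.dropped += 1
                return False
            self.sessions[key] = 0
        if self.sessions[key] >= self.max_packets:
            self.dropped += 1
            return False
        self.sessions[key] += 1
        self.inspected.append(pkt)
        return True


def classify(payload):
    """Minimal DPI: identify the application from the first bytes of a payload."""
    if payload.startswith(b"SSH-"):
        return ("ssh", payload.split(b"\r\n", 1)[0].decode(errors="replace"))
    # TLS handshake record (type 0x16) carrying a ClientHello (handshake type 0x01).
    if payload[:3] == b"\x16\x03\x01" and len(payload) > 5 and payload[5] == 0x01:
        return ("tls", "client_hello")
    if b" HTTP/1." in payload.split(b"\r\n", 1)[0]:
        host = ""
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                host = line[5:].strip().decode(errors="replace")
        return ("http", host)
    return None


def session_metadata(slicer):
    """Run DPI over the sliced packets; one IPFIX-style record per session."""
    records = {}
    for pkt in slicer.inspected:
        rec = records.setdefault(flow_key(pkt),
                                 {"initiator": None, "application": "unknown", "detail": ""})
        if rec["initiator"] is None and "S" in pkt.flags and "A" not in pkt.flags:
            rec["initiator"] = pkt.src
        if rec["application"] == "unknown" and pkt.payload:
            hit = classify(pkt.payload)
            if hit:
                rec["application"], rec["detail"] = hit
    return records


def run_demo(max_packets=4, ip_filter=None):
    """Feed constructed mirrored packets (both directions) through the slicer."""
    c, web, ssh = "10.0.0.5", "192.0.2.10", "192.0.2.22"      # constructed addresses
    pkts = [
        Packet(c, web, 40001, 80, "S", b""),
        Packet(web, c, 80, 40001, "SA", b""),
        Packet(c, web, 40001, 80, "A", b""),
        Packet(c, web, 40001, 80, "PA", b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
        Packet(web, c, 80, 40001, "PA", b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 1400),  # beyond cutoff
        Packet(c, web, 40001, 80, "A", b""),                                          # beyond cutoff
        Packet(c, ssh, 40002, 22, "S", b""),
        Packet(ssh, c, 22, 40002, "SA", b""),
        Packet(c, ssh, 40002, 22, "A", b""),
        Packet(ssh, c, 22, 40002, "PA", b"SSH-2.0-OpenSSH_9.6\r\n"),
        Packet("198.51.100.7", web, 5555, 80, "PA", b"mid-stream, start never mirrored"),
    ]
    slicer = SessionSlicer(max_packets=max_packets, ip_filter=ip_filter)
    for p in pkts:
        slicer.accept(p)
    return slicer, session_metadata(slicer)


if __name__ == "__main__":
    slicer, meta = run_demo()
    print(f"forwarded to DPI: {len(slicer.inspected)}, dropped: {slicer.dropped}")
    for key, rec in meta.items():
        print(key, rec)
```

With the cutoff at four packets, the 1400-byte HTTP response body and the trailing ACK never reach the classifier, yet the application and host name are still recovered from the request that precedes them; the packet that arrives without a mirrored SYN is dropped because the slicer has no session to attach it to, which is the price of keying selection on the session start rather than on every packet.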
It is understood that the mirrored packets may be encapsulated using any packet encapsulation protocol other than L2GRE, and that embodiments of the present disclosure are not limited to L2GRE or any other packet encapsulation protocol. Because, in accordance with one aspect of the present disclosure, DPI is performed by the service nodes on the monitoring fabric, the traffic flow in the production fabric is not degraded. Information obtained by performing DPI on the session-sliced packets includes, for example, the type and identity of the application from which the packets are mirrored. Such information may be transferred by the service nodes to a collector using, for example, the IPFIX protocol. By identifying the application type and other metadata associated with the traffic flow, malicious activity, such as access to malicious websites and transmission of sensitive data, is prevented. A network monitoring system, in accordance with embodiments of the present disclosure, therefore, dispenses with the need for time con