Some embodiments provide a method for presenting a visualization of a data message flow within a logical network that is implemented across multiple sites. The method receives flow tracing data regarding the data message flow from a source endpoint in a first site to a second endpoint in a second site. The data message flow is processed according to logical forwarding elements (LFEs) implemented in at least the first and second sites. For each of the sites through which the data message flow passes, the method identifies the LFEs that process the data message flow in the site. The method presents a visualization for the data message flow. The visualization includes a separate section for each site through which the data message flow passes. Each section indicates at least a subset of the LFEs that process the data message flow in the corresponding site for the section.

A method for profiling network traffic. The method includes capturing, from the network traffic using a packet capturing device, a plurality of packets, identifying a first portion of the plurality of packets as a first flow based at least on a common Internet Protocol (IP) address assigned to each packet of the first flow by a network address translation (NAT) device, extracting, by a hardware processor separate from the NAT device and based on an NAT profile of the NAT device, a first data item from the first flow, wherein the first data item is inserted into the first flow by the NAT device for identifying a first host device coupled to the NAT device, and determining, by the hardware processor based on the first data item, that the first flow is generated by the first host device.

In an embodiment, a computer implemented method receives flow data for a network flows. The method extracts a tuple from the flow data and calculates long-term and short-term trends based at least in part on the tuple. The long-term and short-term trends are compared to determine whether a potential network anomaly exists. If a potential network anomaly does exist, the method initiates a heavy hitter detection algorithm. The method forms a low-complexity intermediate stage of processing that enables a high-complexity heavy hitter detection algorithm to execute when heavy hitters are likely to be detected.

In an embodiment, a computer implemented method receives flow data for a network flows. The method extracts a tuple from the flow data and calculates long-term and short-term trends based at least in part on the tuple. The long-term and short-term trends are compared to determine whether a potential network anomaly exists. If a potential network anomaly does exist, the method initiates a heavy hitter detection algorithm. The method forms a low-complexity intermediate stage of processing that enables a high-complexity heavy hitter detection algorithm to execute when heavy hitters are likely to be detected.

It is disclosed a performance measurement application for a user communication device. The device runs at least one user application which exchanges at least one packet flow with a packet-switched communication network. When executed, the performance measurement application receives from an owner of the user communication device a request for performing a performance measurement. In response to such request, the performance measurement application activates a marking functionality comprising marking upstream packets of the packet flow to be measured and inducing the network node originating the downstream packets of the packet flow to be measured to mark them. The performance measurement application then provides performance parameter(s) relating to the marked upstream packets as transmitted and/or the marked downstream packets as received and, based on such parameter(s), provides a performance measurement. The measurement results are then shared with a measurement management server.

In one example, a processing system including at least one processor may obtain a first packet, determine a first tunnel identifier from a tunnel identifier field and a first source port identifier from a source port identifier field of the header of the first packet, and assign the first packet to a first flow. The processing system may further obtain a second packet, extract a first value from a tunnel identifier field and a second value from a source port identifier field of a header of the second packet, determine that the first value matches the first tunnel identifier and that the second value matches the first source port identifier, and assign the second packet to the first flow in response to the determining that the first value matches the first tunnel identifier and that the second value matches the first source port identifier.

In one example, a processing system including at least one processor may obtain a first packet, determine a first tunnel identifier from a tunnel identifier field and a first source port identifier from a source port identifier field of the header of the first packet, and assign the first packet to a first flow. The processing system may further obtain a second packet, extract a first value from a tunnel identifier field and a second value from a source port identifier field of a header of the second packet, determine that the first value matches the first tunnel identifier and that the second value matches the first source port identifier, and assign the second packet to the first flow in response to the determining that the first value matches the first tunnel identifier and that the second value matches the first source port identifier.

Systems and methods for reducing bandwidth loss in IPv6 packet switching networks. A network appliance is configured to sample IPv6 packets and mirror sampled packets to a working memory or memory structure, such as a queue. A transport layer payload is extracted from each sampled packet and a transport layer checksum validation operation is performed. Upon detecting an error, the network appliance updates a dropped packet rate or other metric.

An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.

An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.