The network probe is based on Skydive, an open-source, real-time network topology and protocol analyser.
Skydive pushes network data to the network probe adapter, which performs several operations before forwarding the result as observed data to the Data Collector:
- flow classification according to the traffic type (internal, ingress, egress, unknown);
- flow reformatting to FINSTIX;
- flow submission to the Data Collector;
- [NEW] anonymization of the IP fields of each flow.
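The two data-path steps that carry the security decisions, classification and IP anonymization, are shown below as an added Python example; it is not the adapter's own code. The internal address ranges, the flow field names and the plain dictionary used as the output record are assumptions for the example (the page does not show the FINSTIX schema, so no FINSTIX structure is claimed here). Classification is computed on the real addresses before they are replaced, and the replacement is a keyed HMAC pseudonym rather than a plain hash: equal addresses still map to equal tokens, so the Data Collector can correlate flows, but an unkeyed hash of an IPv4 address could be reversed by hashing all 2^32 candidates.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, List

# Assumed internal ranges for this example; the real adapter would take them
# from its deployment configuration.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr: str) -> bool:
    """True if addr lies in one of the configured internal ranges.
    Raises ValueError for a string that is not an IP address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(src: str, dst: str) -> str:
    """Map a flow onto the page's four classes: internal, ingress, egress, unknown.
    'unknown' covers unparsable addresses and flows where neither endpoint is
    internal (assumed meaning; the page does not define the class further)."""
    try:
        s, d = is_internal(src), is_internal(dst)
    except ValueError:
        return "unknown"
    if s and d:
        return "internal"
    if d:
        return "ingress"
    if s:
        return "egress"
    return "unknown"


def anonymize_ip(addr: str, key: bytes) -> str:
    """Keyed pseudonym for an IP field: deterministic under one key, so the
    same host keeps the same token across flows, but not brute-forceable
    over the IPv4 space without the key (unlike a bare SHA-256)."""
    return hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()[:16]


def process_flow(flow: Dict, key: bytes) -> Dict:
    """Classify on the real addresses, then replace the IP fields.
    The output dict is a placeholder record, not the FINSTIX format."""
    return {
        "classification": classify(flow["src_ip"], flow["dst_ip"]),
        "src_ip": anonymize_ip(flow["src_ip"], key),
        "dst_ip": anonymize_ip(flow["dst_ip"], key),
        "dst_port": flow["dst_port"],
        "protocol": flow["protocol"],
        "bytes": flow["bytes"],
    }


def process_flows(flows: List[Dict], key: bytes) -> List[Dict]:
    return [process_flow(f, key) for f in flows]


# Constructed sample flows (not captured data).
SAMPLE_FLOWS = [
    {"src_ip": "10.1.2.3", "dst_ip": "10.4.5.6", "dst_port": 5432, "protocol": "tcp", "bytes": 4200},
    {"src_ip": "203.0.113.5", "dst_ip": "10.1.2.3", "dst_port": 443, "protocol": "tcp", "bytes": 900},
    {"src_ip": "10.1.2.3", "dst_ip": "203.0.113.5", "dst_port": 53, "protocol": "udp", "bytes": 120},
    {"src_ip": "203.0.113.5", "dst_ip": "198.51.100.7", "dst_port": 80, "protocol": "tcp", "bytes": 300},
]

if __name__ == "__main__":
    for rec in process_flows(SAMPLE_FLOWS, key=b"example-only-key"):
        print(rec)
```

The key must be generated and stored per deployment and never shipped with the adapter image; rotating it breaks correlation across the rotation boundary, which is the intended trade-off.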
On the actuation path, the probe exposes an API to control its capture attributes.
The Mitigation Enabler API controls the dynamic behaviour of the probe and supports operations such as:
- Capture enable/disable: supported at the granularity of a flow classification.
- Capture sampling: capture a representative sample of the entire volume; sampling is configured per classification and expressed as a percentage (0% to 100%).
- Capture aggregation level: controls the time window used to aggregate data (typically 30 s); a smaller window gives higher resolution at the cost of more resources (mainly bandwidth).
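The three controls above, applied to a stream of already classified flows, as an added Python example (not the project's own code). The setter names, the flow field names and the per-flow counters are this example's assumptions; the REST routes of the Mitigation Enabler API are not shown on the page and are not modelled. One design point worth making explicit: sampling is decided from a hash of the flow key, not per record, so every record of a given flow is either kept or dropped together across aggregation windows. Sampling each record at random would hand the Data Collector partial flows that are hard to interpret.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple

CLASSES = ("internal", "ingress", "egress", "unknown")


@dataclass
class CaptureConfig:
    """Mutable capture attributes, one setter per control. Setter names are
    assumptions for this example, not the project's API."""
    enabled: Dict[str, bool] = field(default_factory=lambda: {c: True for c in CLASSES})
    sampling_pct: Dict[str, int] = field(default_factory=lambda: {c: 100 for c in CLASSES})
    window_s: int = 30  # the page's typical aggregation window

    def set_enabled(self, cls: str, on: bool) -> None:
        self._check_class(cls)
        self.enabled[cls] = on

    def set_sampling(self, cls: str, pct: int) -> None:
        self._check_class(cls)
        if not 0 <= pct <= 100:
            raise ValueError("sampling must be a percentage in 0..100")
        self.sampling_pct[cls] = pct

    def set_window(self, seconds: int) -> None:
        if seconds <= 0:
            raise ValueError("aggregation window must be positive")
        self.window_s = seconds

    @staticmethod
    def _check_class(cls: str) -> None:
        if cls not in CLASSES:
            raise ValueError(f"unknown classification {cls!r}")


def flow_key(flow: Dict) -> Tuple:
    return (flow["src_ip"], flow["dst_ip"], flow["dst_port"], flow["protocol"])


def sampled(key: Tuple, pct: int) -> bool:
    """Hash-based sampling: the decision depends only on the flow key, so it is
    stable for the lifetime of the flow. pct=0 keeps nothing, pct=100 everything."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") % 100
    return bucket < pct


def aggregate(flows: Iterable[Dict], cfg: CaptureConfig) -> Dict[Tuple, Dict]:
    """Apply enable/disable, sampling and windowing. Returns summed counters
    keyed by (window_start, classification, flow key)."""
    out: Dict[Tuple, Dict] = {}
    for f in flows:
        cls = f["classification"]
        if not cfg.enabled.get(cls, False):
            continue
        key = flow_key(f)
        if not sampled(key, cfg.sampling_pct[cls]):
            continue
        window_start = f["ts"] - f["ts"] % cfg.window_s
        agg = out.setdefault((window_start, cls, key), {"bytes": 0, "packets": 0})
        agg["bytes"] += f["bytes"]
        agg["packets"] += f["packets"]
    return out


# Constructed sample records (not captured data): one egress flow seen three
# times across two 30 s windows, and one ingress flow.
SAMPLE = [
    {"ts": 5, "classification": "egress", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9",
     "dst_port": 443, "protocol": "tcp", "bytes": 100, "packets": 2},
    {"ts": 25, "classification": "egress", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9",
     "dst_port": 443, "protocol": "tcp", "bytes": 50, "packets": 1},
    {"ts": 35, "classification": "egress", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9",
     "dst_port": 443, "protocol": "tcp", "bytes": 70, "packets": 1},
    {"ts": 12, "classification": "ingress", "src_ip": "198.51.100.7", "dst_ip": "10.0.0.5",
     "dst_port": 22, "protocol": "tcp", "bytes": 300, "packets": 3},
]

if __name__ == "__main__":
    cfg = CaptureConfig()
    for k, v in sorted(aggregate(SAMPLE, cfg).items()):
        print(k, v)
```

Because these attributes change what the probe reports, the endpoint that sets them is itself a mitigation-relevant control: an attacker who can disable capture for the "egress" class blinds the detection pipeline to exfiltration, so the actuation API needs the same authentication and audit trail as any other control-plane surface.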
As depicted in the Figure below, the Probe adapter is controlled via the Actuation REST API; it then registers with the Skydive Service, which comprises the Skydive Agent (deployed as a Kubernetes DaemonSet, so one agent runs on each worker node of the cluster) and at least one Skydive Analyzer per cluster.