UMON: User-Defined Flexible Traffic Monitoring in Open vSwitch

20 March 2015


SDN switches typically monitor packet and byte counts that are associated with entries in the switch's flow table. This association of monitoring with flow table entries limits data path monitoring flexibility in SDNs. In particular, flows that require monitoring using flow definitions different from those used for forwarding may cause packets to be sent to the controller, resulting in sub-optimal packet handling. This mismatch between flow definitions for monitoring and for forwarding is exacerbated by the growth in the number of possible fields (over 40 currently) for which matching may have to be done for packet forwarding [5] or for monitoring. In this paper, we propose UMON, a mechanism that decouples monitoring from forwarding. UMON employs a "monitoring flow table" in the switch to enable efficient and flexible monitoring of user-defined flows. We describe a prototype implementation of this monitoring mechanism in Open vSwitch and evaluate its performance. We illustrate UMON's efficiency in monitoring user-defined flows with example use cases such as detecting port scans.
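The following is an added illustration, not code from the paper or from Open vSwitch: a simplified Python model of the decoupling described above, in which forwarding matches only on destination IP while a separate monitoring table counts flows keyed on (source, destination, destination port) and is then used to flag a port scan. All names, addresses, the sample packets and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical forwarding rules: match on destination IP only -> output port.
FORWARDING_TABLE = {"10.0.0.5": 2, "10.0.0.6": 3}

class MonitoringTable:
    """Per-flow counters kept apart from the forwarding rules (simplified model)."""
    KEY_FIELDS = ("src", "dst", "dport")  # user-defined monitoring flow definition

    def __init__(self):
        self.stats = defaultdict(lambda: {"packets": 0, "bytes": 0})

    def update(self, pkt):
        entry = self.stats[tuple(pkt[f] for f in self.KEY_FIELDS)]
        entry["packets"] += 1
        entry["bytes"] += pkt["len"]

def process(packets, monitor):
    """Forward by destination IP; account every packet in the monitoring table.

    No packet is punted to a controller just because the monitoring key is
    finer-grained than the forwarding match.
    """
    out_ports = []
    for pkt in packets:
        monitor.update(pkt)
        out_ports.append(FORWARDING_TABLE.get(pkt["dst"]))  # None = table miss
    return out_ports

def suspected_scanners(monitor, min_ports):
    """Sources that reached at least min_ports distinct ports on a single host."""
    ports = defaultdict(set)
    for (src, dst, dport) in monitor.stats:
        ports[(src, dst)].add(dport)
    return sorted({src for (src, _dst), p in ports.items() if len(p) >= min_ports})

# Constructed sample traffic: one host probing ten ports, one ordinary client.
SAMPLE_PACKETS = (
    [{"src": "10.0.0.9", "dst": "10.0.0.5", "dport": p, "len": 60} for p in range(20, 30)]
    + [{"src": "10.0.0.7", "dst": "10.0.0.6", "dport": 443, "len": 1500}] * 3
)

if __name__ == "__main__":
    mon = MonitoringTable()
    print(process(SAMPLE_PACKETS, mon))
    print(suspected_scanners(mon, min_ports=5))
```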