RE50602

Systems and Methods for Controlling Switches to Record Network Packets Using a Traffic Monitoring Network

Published: September 23, 2025
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method of using a controller that controls client switches in a monitoring network having network interfaces that are coupled to a packet forwarding network and that receive tapped network packets from the packet forwarding network, the method comprising: with the controller, receiving a packet recording policy that identifies a set of the tapped network packets to be recorded; with the controller, generating network paths that forward a set of tapped network packets from the network interfaces to a packet recorder through the client switches in the monitoring network for storage at the packet recorder; with the controller, sending a packet request to the packet recorder that instructs the packet recorder to transmit a subset of the set of tapped network packets back into the monitoring network; and with the controller, generating additional network paths that forward the subset of the set of tapped network packets from the packet recorder to a traffic analysis tool through the client switches in the monitoring network.

2. The method defined in claim 1, wherein the set of tapped network packets are stored at the packet recorder and wherein the controller is coupled to the packet recorder over a control path, the method further comprising: with the controller, querying an additional subset of the set of tapped network packets stored at the packet recorder over the control path; and with the controller, receiving the queried additional subset of the set of tapped network packets stored at the packet recorder over the control path.

3. The method defined in claim 2, wherein the packet recording policy identifies an additional set of the tapped network packets to be recorded, the method further comprising: with the controller, generating third network paths that forward an additional set of tapped network packets from the network interfaces to an additional packet recorder through the client switches in the monitoring network for storage at the additional packet recorder.

4. The method defined in claim 3, wherein the additional set of tapped network packets are stored at the additional packet recorder and wherein the controller is coupled to the additional packet recorder over an additional control path, the method further comprising: with the controller, querying a subset of the additional set of tapped network packets stored at the additional packet recorder over the additional control path in parallel with querying the additional subset of the set of tapped network packets stored at the packet recorder; and with the controller, receiving the queried subset of the additional set of tapped network packets stored at the additional packet recorder over the additional control path.

5. The method defined in claim 4, further comprising: with the controller, coalescing the additional subset of the set of tapped network packets received over the control path with the subset of the additional set of tapped network packets received over the additional control path to generate a graphical visualization associated with the packet forwarding network; and with display equipment associated with the controller, displaying the graphical visualization.

6. The method defined in claim 3, wherein generating the network paths and the third network paths comprises: generating flow table entries based on a packet recording policy, a network policy, and network topology information associated with the monitoring network; and providing the flow table entries to the client switches of the monitoring network.

7. The method defined in claim 6, further comprising: with the controller, transmitting probe packets into the monitoring network; with the controller, identifying a new packet recorder that has been coupled to the monitoring network based on the transmitted probe packets; and with the controller, updating the network topology information based on the identified new packet recorder.

8. The method defined in claim 1, wherein the controller is coupled to the packet recorder over a control path and wherein the traffic analysis tool comprises a traffic visibility tool coupled to the monitoring network, the method further comprising: with the controller, receiving a packet replay request that identifies the subset of the set of tapped network packets, wherein the subset of the set of tapped network packets is stored at the packet recorder.

9. The method defined in claim 8, wherein the traffic visibility tool is implemented on a virtual machine of a cloud computing network and is coupled to the monitoring network over a tunnel interface at a given client switch of the monitoring network, and wherein the additional network paths forward the subset of the set of tapped network packets to the given client switch, the method further comprising: with the controller, controlling the given client switch to encapsulate the subset of the set of tapped network packets and to transmit the encapsulated subset of the set of tapped network packets over the tunnel interface.

10. The method defined in claim 8, wherein the packet recording policy identifies an additional set of the tapped network packets to be recorded, the method further comprising: with the controller, controlling the client switches to forward an additional set of tapped network packets from the network interfaces to an additional packet recorder through the client switches in the monitoring network for storage at the additional packet recorder, wherein the controller is coupled to the additional packet recorder over an additional control path, wherein the packet replay request identifies a subset of the additional set of tapped network packets, and wherein the subset of the additional set of tapped network packets is stored at the additional packet recorder; with the controller, instructing the additional packet recorder to transmit the identified subset of the additional set of tapped network packets into the monitoring network; and with the controller, controlling the client switches to forward the subset of the additional set of tapped network packets from the additional packet recorder to the traffic visibility tool through the client switches in the monitoring network.

11. The method defined in claim 1, wherein the controller is coupled to the packet recorder over a control path, the method further comprising: with the controller, controlling the packet recorder to perform deep packet inspection (DPI) operations on the set of tapped network packets and to forward a result of the DPI operations to the controller over the control path without storing the results at the packet recorder.

12. A method of using a controller that controls client switches in a monitoring network having network interfaces that are coupled to a packet forwarding network and that receive tapped network packets from the packet forwarding network, the method comprising: with the controller, identifying first and second sets of the tapped network packets to be recorded; with the controller, generating first network paths that forward a first set of tapped network packets from the network interfaces to a first packet recorder through the client switches in the monitoring network for storage at the first packet recorder; with the controller, generating second network paths that forward a second set of tapped network packets from the network interfaces to a second packet recorder through the client switches in the monitoring network for storage at the second packet recorder; and with the controller, sending a packet request in parallel to each of the first and second packet recorders that respectively instructs the first and second packet recorders to identify a predetermined subset of recorded packets and to transmit the predetermined subset of recorded packets to the controller; with the controller, receiving the subset of recorded packets from the first and second packet recorders; and with analysis equipment associated with the controller, analyzing the packet forwarding network based on the subset of recorded packets received from the first and second packet recorders.

13. The method defined in claim 12, further comprising: with the controller, controlling a given client switch in the monitoring network to generate a copy of the first set of tapped network packets; and with the controller, generating third network paths that forward the copy of the first set of network packets to the second packet recorder through the client switches in the network for storage at the second packet recorder.

14. The method defined in claim 12, further comprising: with the controller, receiving the predetermined set of recorded packets from the first and second packet recorders; and with analysis equipment associated with the controller, analyzing the packet forwarding network based on the predetermined set of recorded packets received from the first and second packet recorders.

15. The method defined in claim 12, further comprising: with the controller, sending a packet replay request in parallel to both the first and second packet recorders that instructs the first and second packet recorders to identify an additional predetermined subset of recorded packets and to replay the additional predetermined subset of recorded packets into the monitoring network based on timestamp information associated with the additional predetermined subset of recorded packets.

16. The method defined in claim 15, further comprising: with the controller, generating third network paths that forward at least some of the additional predetermined subset of recorded packets from the first packet recorder to a network visibility tool coupled to the monitoring network through the client switches in the monitoring network; and with the controller, generating fourth network paths that forward at least some of the additional predetermined subset of recorded packets from the second packet recorder to the network visibility tool through the client switches in the monitoring network.

17. The method defined in claim 16, wherein generating the first, second, third, and fourth network paths comprises generating flow table entries and providing the flow table entries to the client switches in the monitoring network.

18. A method of operating computing equipment that controls client switches in a monitoring network having a filter port that is coupled to a packet forwarding network and that receives tapped network packets from the packet forwarding network, the method comprising: with a switch controller engine on the computing equipment, identifying a set of the tapped network packets to be recorded; with the switch controller engine, generating network paths that forward the set of tapped network packets from the filter port to a packet recorder device through the client switches in the monitoring network for storage at the packet recorder device, wherein the switch controller engine controls the client switches through a set of paths coupling a corresponding client switch in the client switches to the computing equipment; and with query and visualization tools on the computing equipment: receiving metadata associated with the set of tapped network packets, receiving a query for a subset of the set of tapped network packets, generating a control signal based on the received query and the received metadata, providing a control signal from the query and visualization tools to a query port on the packet recorder device through an additional path coupling the packet recorder device to the computing equipment, wherein the additional path is separate from the set of paths, and receiving a subset of the set of tapped network packets from the query port of the packet recorder device, and displaying a graphical visualization associated with the received subset of the set of tapped network packets on display equipment and saving the received subset of the set of tapped network packets in a file stored at the computing equipment for analysis using a packet analysis tool.

19. The method defined in claim 18, wherein the control signal comprises a five-tuple and a time duration associated with the subset of the set of tapped network packets.

20. The method defined in claim 18, further comprising: with analytics equipment coupled between the switch controller engine and the query and visualization tools and implemented on the computing equipment, passing the metadata associated with the set of tapped network packets from the filter port to the query and visualization tools.

Patent Metadata

Filing Date

Unknown

Publication Date

September 23, 2025

Inventors

Ryan Izard
Robert Ling
Shudong Zhou
Sandip Shah

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “SYSTEMS AND METHODS FOR CONTROLLING SWITCHES TO RECORD NETWORK PACKETS USING A TRAFFIC MONITORING NETWORK” (RE50602). https://patentable.app/patents/RE50602