Techniques for determining network anomalies in data center networks

1 . A method comprising: monitoring, by a network monitoring device, a plurality of nodes in a data center network; determining, by the network monitoring device, one or more latency distributions of response times for messages exchanged between pairs of nodes of the plurality of nodes; determining a network topology for the plurality of nodes consistent with the one or more latency distributions, the network topology includes one or more communication links interconnecting nodes of the plurality of nodes and a relative position for each node of the plurality of nodes; determining a representative response time for each communication link of the one or more communication links based on the one or more latency distributions; comparing, by the network monitoring device, a current response time for at least one message exchanged between one pair of nodes to the representative response time for the communication link interconnecting the one pair of nodes; and identifying, by the network monitoring device, a network anomaly when the current response time deviates from the representative response time for the communication link interconnecting the one pair of nodes by a threshold amount. 2 . The method of claim 1 , wherein the one pair of nodes includes a first node and a second node, the method further comprising: determining, by the network monitoring device, the current response time substantially corresponds to a network path in the network topology that traverses one or more communication links interconnecting a third node of the plurality of nodes and at least one of the first node or the second node; and identifying the network anomaly as one of a link fault or a link failure for the communication link interconnecting the first node and the second node. 3 . The method of claim 1 , wherein the one pair of nodes includes a first node and a second node, the first node and the second node exchange the at least one message through one of a third node or a fourth node, the method further comprising: determining, by the network monitoring device, the current response time substantially corresponds to a network path in the network topology that includes the fourth node and avoids the third node for the at least one message exchanged between the first node and the second node; and classifying the network anomaly as a device fault at the third node. 4 . The method of claim 3 , wherein the third node and the fourth node are network switches. 5 . The method of claim 1 , wherein the one or more latency distributions of response times include a first latency distribution of retransmission response times for the messages exchanged between the one pair of nodes, the method further comprising: determining a representative retransmission response time for the communication link interconnecting the one pair of nodes; determining a second latency distribution of retransmission response times for current messages exchanged between the one pair of nodes; determining a deviation between the representative retransmission response time and at least a portion of the second latency distribution of retransmission response times; and classifying the network anomaly as a bit rate error for the communication link interconnecting the one pair of nodes. 6 . The method of claim 1 , wherein the one pair of nodes includes a first node and a second node, the method further comprising: determining an aggregated representative response time for a network path in the network topology that includes the first node, the second node, and a third node disposed between the first node and the second node; and classifying the network anomaly as a buffer fault at the second node when the current response time deviates from the representative response time for the communication link interconnecting the one pair of nodes by a threshold amount and the current response time fails to substantially correspond to the aggregated representative response time for the network path in the network topology. 7 . The method of claim 1 , wherein determining the one or more latency distributions further comprises determining the one or more latency distributions of response times for messages having a specific attribute. 8 . The method of claim 1 , wherein determining the one or more latency distributions further comprises determining the one or more latency distributions of response times for messages based on time stamp data associated with each message. 9 . The method of claim 1 , wherein the representative response time for each communication link of the one or more communication links is one of a median response time or an average response time based on the one or more latency distributions. 10 . The method of claim 1 , wherein the monitoring device includes a plurality of distributed monitoring modules operable by one or more node of the plurality of nodes in the data center network. 11 . A monitoring device, comprising: one or more network interfaces to communicate within a data center network; a processor coupled to the network interfaces and adapted to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: monitor a plurality of nodes in a data center network; determine one or more latency distributions of response times for messages exchanged between pairs of nodes of the plurality of nodes; determine a network topology for the plurality of nodes consistent with the one or more latency distributions, the network topology includes one or more communication links interconnecting nodes of the plurality of nodes and a relative position for each node of the plurality of nodes; determine a representative response time for each communication link of the one or more communication links based on the one or more latency distributions; compare a current response time for at least one message exchanged between one pair of nodes to the representative response time for the communication link interconnecting the one pair of nodes; and identify a network anomaly when the current response time deviates from the representative response time for the communication link interconnecting the one pair of nodes by a threshold amount. 12 . The monitoring device of claim 11 , wherein the one pair of nodes includes a first node and a second node, wherein the process, when executed is further operable to: determine the current response time substantially corresponds to a network path in the network topology that traverses one or more communication links interconnecting a third node of the plurality of nodes and at least one of the first node or the second node; and identify the network anomaly as one of a link fault or a link failure for the communication link interconnecting the first node and the second node. 13 . The monitoring device of claim 11 , wherein the one pair of nodes includes a first node and a second node, the first node and the second node exchange the at least one message through one of a third node or a fourth node, wherein the process, when executed is further operable to: determine the current response time substantially corresponds to a network path in the network topology that includes the fourth node and avoids the third node for the at least one message exchanged between the first node and the second node; and classify the network anomaly as a device fault at the third node. 14 . The monitoring device of claim 11 , wherein the one or more latency distributions of response times include a first latency distribution of retransmission response times for the messages