US2016359709A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016359709-A1 |
| Application number | US-201615171666-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 2, 2016 |
| Priority date | Jun 5, 2015 |
| Publication date | Dec 8, 2016 |
| Grant date | — |
Official abstract text for this publication.
Managing a network environment to identify spoofed packets is disclosed. A method includes analyzing, via a first capture agent, packets processed by a first environment in a network associated with a first host, and analyzing, via a second capture agent, packets processed by a second environment in the network associated with a second host. The method includes collecting the first data and the second data at a collector and generating a topological map of the network and a history of network activity associated with the first environment and the second environment. The method includes extracting network data from a packet and comparing the extracted network data with stored network data in the database. When the comparison indicates that the extracted network data does not match the stored network data (i.e., the reported source does not match an expected source for the packet), determining that the packet is a spoofed packet.
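As an added illustration (not code from the patent or its applicant), the comparison the abstract describes can be sketched as below. The report tuple layout, the observation-point names, the /24 learning rule and the verdict labels are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed reports: (capture agent, layer, observation point, source IP seen there).
REPORTS = [
    ("agent-vm1", "vm",         "vm1/eth0",  "10.0.1.10"),
    ("agent-vm1", "vm",         "vm1/eth0",  "10.0.1.11"),
    ("agent-hv2", "hypervisor", "hv2/vnic3", "10.0.2.20"),
    ("agent-hv2", "hypervisor", "hv2/vnic3", "10.0.2.21"),
]

def build_database(reports, prefix_len=24):
    """Collector step: aggregate agent reports into per-point history.

    Returns {"subnets": point -> set of networks, "home": ip -> point}.
    Learning one /24 per observed address is an assumption of this sketch.
    """
    db = {"subnets": defaultdict(set), "home": {}}
    for _agent, _layer, point, src in reports:
        ip = ipaddress.ip_address(src)
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        db["subnets"][point].add(net)
        db["home"][ip] = point
    return db

def classify(db, point, reported_src):
    """Compare a packet's reported source with the stored expectation."""
    try:
        ip = ipaddress.ip_address(reported_src)
    except ValueError:
        return "malformed"
    known = db["subnets"].get(point)
    if not known:
        return "no-history"   # nothing stored for this point; do not guess
    home = db["home"].get(ip)
    if home is not None and home != point:
        return "spoofed"      # address was only ever seen at a different point
    if not any(ip in net for net in known):
        return "spoofed"      # outside every subnet expected at this point
    return "consistent"

if __name__ == "__main__":
    db = build_database(REPORTS)
    for point, src in [("vm1/eth0", "10.0.1.10"), ("vm1/eth0", "10.0.2.20"),
                       ("hv2/vnic3", "192.0.2.7"), ("sw9/p1", "10.0.1.10")]:
        print(point, src, classify(db, point, src))
```

An observation point with no stored history yields `no-history` rather than a spoofing verdict, so a newly deployed agent does not flood the collector with false positives.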
Opening claim text (preview).
What is claimed is:

1. A method comprising: analyzing, via a first capture agent, packets processed by a first environment in a network associated with a first host to yield first data; analyzing, via a second capture agent, packets processed by a second environment in the network associated with a second host to yield second data, wherein the first capture agent is located within a first layer of the network and the second capture agent is located in a second layer of the network, and wherein the first layer and the second layer are different layers of the network; collecting the first data and the second data at a collector to yield aggregated data; based on the aggregated data, generating a database comprising a topological map of the network and a history of network activity associated with the first environment and the second environment to yield historical data; extracting network data from a packet to yield extracted network data, the extracted network data identifying a reported source of the packet; comparing the extracted network data with stored network data in the database to yield a comparison; and when the comparison indicates that the extracted network data does not match the stored network data, determining that the packet is a spoofed packet.
2. The method of claim 1, further comprising: based on the topological map and the historical data, determining whether there is first packet loss at the first environment or second packet loss at the second environment.
3. The method of claim 1, wherein the historical data comprises at least one of a history of network interactions with the first environment and the second environment, IP addresses, and subnets used for communication.
4. The method of claim 1, wherein the aggregated data further comprises one or more of currently active processes in the network, active file handles, socket handles, status of I/O devices and memory usage.
5. The method of claim 1, wherein the first environment and the second environment comprise one or more of a virtual machine, a hypervisor, a server, a hardware switch, and a software switch.
6. The method of claim 1, further comprising, based on the topological map of the network and the history of network activity, identifying network elements, connections, IP addresses and subnets in the network.
7. The method of claim 1, further comprising, based on the topological map of the network and the history of network activity, identifying a sequence and order of the first environment and the second environment and IP addresses and subnets along different communication paths within the network to yield the stored network data.
8. The method of claim 1, wherein the stored network data comprises an expected source of the packet.
9. The method of claim 8, wherein determining that the packet is a spoofed packet is based at least in part on the expected source of the packet not matching the reported source of the packet.
10. A system comprising: a processor; and a computer-readable storage medium storing instructions which, when executed by the processor, cause the processor to perform operations comprising: analyzing, via a first capture agent, packets processed by a first environment in a network associated with a first host to yield first data; analyzing, via a second capture agent, packets processed by a second environment in the network associated with a second host to yield second data, wherein the first capture agent is located within a first layer of the network and the second capture agent is located in a second layer of the network, and wherein the first layer and the second layer are different layers of the network; collecting the first data and the second data at a collector to yield aggregated data; based on the aggregated data, generating a database comprising a topological map of the network and a history of network activity associated with the first environment and the second environment to yield historical data; extracting network data from a packet to yield extracted network data, the extracted network data identifying a reported source of the packet; comparing the extracted network data with stored network data in the database to yield a comparison; and when the comparison indicates that the extracted network data does not match the stored network data, determining that the packet is a spoofed packet.
11. The system of claim 10, wherein the computer-readable storage medium stores additional instructions which, when executed by the processor, cause the processor to perform further operations comprising: based on the topological map and the historical data, determining whether there is first packet loss at the first environment or second packet loss at the second environment.
12. The system of claim 10, wherein the historical data comprises at least one of a history of network interactions with the first environment and the second environment, IP addresses, and subnets used for communication.
13. The system of claim 10, wherein the aggregated data further comprises one or more of currently active processes in the network, active file handles, socket handles, status of I/O devices and memory usage.
14. The system of claim 10, wherein the first environment and the second environment comprise one or more of a virtual machine, a hypervisor, a server, a hardware switch, and a software switch.
15. The system of claim 10, wherein the computer-readable storage medium stores additional instructions which, when executed by the processor, cause the processor to perform further operations comprising: based on the topological map of the network and the history of network activity, identifying network elements, connections, IP addresses and subnets in the network.
16. The system of claim 10, wherein the computer-readable storage medium stores additional instructions which, when executed by the processor, cause the processor to perform further operations comprising: based on the topological map of the network and the history of network activity, identifying a sequence and order of the first environment and the second environment and IP addresses and subnets along different communication paths within the network to yield network data.
17. The system of claim 10, wherein the stored network data comprises an expected source of the packet.
18. The system of claim 17, wherein determining that the packet is a spoofed packet is based at least in part on the expected source of the packet not matching the reported source of the packet.
19. A computer-readable storage device that stores instructions which, when executed by a processor, cause the processor to perform operations comprising: analyzing, via a first capture agent, packets processed by a first environment in a network associated with a first host to yield first data; analyzing, via a second capture agent, packets processed by a second environment in the network associated with a second host to yield second data, wherein the first capture agent is located within a first layer of the network and the second capture agent is located in a second layer of the network, and wherein the first layer and the second layer are different layers of the network; collecting the first data and the second data at a collector to yield aggregated data; based on the aggregated data, generating a database comprising a topological map of the network and a history of network activity associated with the first environment and
Drawing of charts or graphs · CPC title
based on quality criteria · CPC title
Policy-based network configuration management · CPC title
Test or assess software · CPC title
Inheriting rights or properties, e.g., propagation of permissions or restrictions within a hierarchy · CPC title