Configuring generation of multiple event streams from a packet flow
First Claim
1. A computer-implemented method performed by a remote capture agent coupled to a network, the method comprising:
- monitoring network traffic comprising a plurality of network packets on the network;
- identifying a packet flow in the plurality of network packets, wherein the packet flow is associated with a communication path between a source and a destination;
- identifying a first protocol and a second protocol associated with the packet flow;
- generating, based on configuration information associated with the first protocol and the second protocol, a first event stream from the packet flow, wherein the first event stream comprises time-series event data created based on first data derived from network packets of the packet flow, and a second event stream from the packet flow, wherein the second event stream comprises time-series event data created based on second data derived from network packets of the packet flow; and
- sending the first event stream and the second event stream to another component on the network.
Abstract
The disclosed embodiments provide a system that processes network data. During operation, the system obtains, at a remote capture agent, a first protocol classification for a first packet flow captured by the remote capture agent. Next, the system uses configuration information associated with the first protocol classification to build a first event stream from the first packet flow at the remote capture agent, wherein the first event stream comprises time-series event data generated from network packets in the first packet flow based on the first protocol classification. The system then transmits the first event stream over a network for subsequent storage and processing of the first event stream by one or more components on the network.
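The following is an added illustration of the mechanism the abstract and claim 1 describe (it is not code from the patent or its assignee): a capture agent groups constructed sample packets into a flow, identifies two protocol layers on that flow, and uses per-protocol configuration to build two separate time-series event streams from the same packets before handing them to another component. The packet records, the port-free payload-based protocol classifier and the `send` stand-in are assumptions made for the example.

```python
# Constructed sample flow (not from the patent): one TCP connection carrying two HTTP exchanges.
C, S = "10.0.0.5:51000", "93.184.216.34:80"
PACKETS = [
    {"ts": 1.00, "src": C, "dst": S, "len": 74, "payload": ""},  # handshake, no payload
    {"ts": 1.02, "src": C, "dst": S, "len": 310, "payload": "GET /index.html HTTP/1.1\r\n\r\n"},
    {"ts": 1.05, "src": S, "dst": C, "len": 1200, "payload": "HTTP/1.1 200 OK\r\n\r\n..."},
    {"ts": 1.30, "src": C, "dst": S, "len": 290, "payload": "GET /missing HTTP/1.1\r\n\r\n"},
    {"ts": 1.33, "src": S, "dst": C, "len": 400, "payload": "HTTP/1.1 404 Not Found\r\n\r\n"},
]
def flow_key(pkt):
    # Both directions of a conversation map to one flow: sort the two endpoints.
    return tuple(sorted((pkt["src"], pkt["dst"])))

def identify_protocols(packets):
    # Assumed classifier: the flow is TCP, and also HTTP if any payload starts with an HTTP line.
    http = any(p["payload"].startswith(("GET ", "POST ", "HTTP/")) for p in packets)
    return ["tcp", "http"] if http else ["tcp"]

def tcp_event(pkt):
    # First data derived from the packets: per-segment volume, one event per packet.
    return {"_time": pkt["ts"], "src": pkt["src"], "dst": pkt["dst"], "bytes": pkt["len"]}

def http_event(pkt):
    # Second data derived from the same packets: request/response semantics.
    line = pkt["payload"].split("\r\n", 1)[0]
    if line.startswith("HTTP/"):
        return {"_time": pkt["ts"], "kind": "response", "status": int(line.split()[1])}
    if line.endswith(" HTTP/1.1"):
        method, uri, _ = line.split(" ", 2)
        return {"_time": pkt["ts"], "kind": "request", "method": method, "uri": uri}
    return None  # handshake/ACK segments carry no HTTP data

# Configuration information: which event builder to apply for each identified protocol.
CONFIG = {"tcp": tcp_event, "http": http_event}
def build_event_streams(packets, config=CONFIG):
    flows = {}
    for pkt in packets:
        flows.setdefault(flow_key(pkt), []).append(pkt)
    streams = {}  # (flow key, protocol) -> time-ordered list of events
    for key, pkts in flows.items():
        for proto in identify_protocols(pkts):
            events = [e for e in (config[proto](p) for p in pkts) if e is not None]
            streams[(key, proto)] = sorted(events, key=lambda e: e["_time"])
    return streams

def send(streams, sink):
    # Stand-in for transmission to another component: one record per stream.
    for (key, proto), events in streams.items():
        sink.append({"flow": key, "protocol": proto, "events": events})
    return len(sink)
```

The same five packets yield a volume stream with five events and an HTTP stream with four, which is the point of building multiple streams per flow: a single capture produces independently queryable time series.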
30 Claims
1. A computer-implemented method performed by a remote capture agent coupled to a network (independent claim; full text given under First Claim above). Dependent claims: 2-10.

11. A remote capture agent, comprising:
- a processor;
- a non-transitory computer readable storage medium storing instructions which, when executed by the processor, cause the remote capture agent to:
- monitor network traffic comprising a plurality of network packets on the network;
- identify a packet flow in the plurality of network packets, wherein the packet flow is associated with a communication path between a source and a destination;
- identify a first protocol and a second protocol associated with the packet flow;
- generate, based on configuration information associated with the first protocol and the second protocol, a first event stream from the packet flow, wherein the first event stream comprises time-series event data created based on first data derived from network packets of the packet flow, and a second event stream from the packet flow, wherein the second event stream comprises time-series event data created based on second data derived from network packets of the packet flow; and
- send the first event stream and the second event stream to another component on the network.
Dependent claims: 12-20.

21. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform operations comprising:
- monitoring network traffic comprising a plurality of network packets on the network;
- identifying a packet flow in the plurality of network packets, wherein the packet flow is associated with a communication path between a source and a destination;
- identifying a first protocol and a second protocol associated with the packet flow;
- generating, based on configuration information associated with the first protocol and the second protocol, a first event stream from the packet flow, wherein the first event stream comprises time-series event data created based on first data derived from network packets of the packet flow, and a second event stream from the packet flow, wherein the second event stream comprises time-series event data created based on second data derived from network packets of the packet flow; and
- sending the first event stream and the second event stream to another component on the network.
Dependent claims: 22-30.