Network flow stitching using middle box flow stitching

US 10,574,575 B2
Filed: 04/30/2018
Issued: 02/25/2020
Est. Priority Date: 01/25/2018
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

collecting flow records of traffic flow segments at a middlebox in a network environment corresponding to one or more traffic flows passing through the middlebox, the flow records including one or more transaction identifiers assigned to the traffic flow segments;

identifying flow directions of the traffic flow segments in the network environment with respect to the middlebox using the flow records;

maintaining a hash table including entries for each of the traffic flow segments at the middlebox, wherein each entry includes a transaction identifier of the one or more transaction identifiers assigned to the traffic flow segment;

grouping together the entries in the hash table of traffic flow segments having shared transaction identifiers of the one or more transaction identifiers;

stitching together the traffic flow segments to form a stitched traffic flow of the one or more traffic flows passing through the middlebox in the network environment based on the entries of the traffic flow segments grouped together according to the shared transaction identifiers and the flow directions of the traffic flow segments in the network environment with respect to the middlebox; and

incorporating the stitched traffic flow as part of network traffic data for the network environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer-readable media for flow stitching network traffic flow segments at a middlebox in a network environment. In some embodiments, a method can include collecting flow records of traffic flow segments at a middlebox in a network environment including one or more transaction identifiers assigned to the traffic flow segments. The traffic flow segments can correspond to one or more traffic flows passing through the middlebox and flow directions of the traffic flow segments with respect to the middlebox can be identified using the flow records. The traffic flow segments can be stitched together based on the one or more transaction identifiers and the flow directions of the traffic flow segments to form a stitched traffic flow of the one or more traffic flows passing through the middlebox. The stitched traffic flow can be incorporated as part of network traffic data for the network environment.

Citations

20 Claims

1. A method comprising:
- collecting flow records of traffic flow segments at a middlebox in a network environment corresponding to one or more traffic flows passing through the middlebox, the flow records including one or more transaction identifiers assigned to the traffic flow segments;
  
  identifying flow directions of the traffic flow segments in the network environment with respect to the middlebox using the flow records;
  
  maintaining a hash table including entries for each of the traffic flow segments at the middlebox, wherein each entry includes a transaction identifier of the one or more transaction identifiers assigned to the traffic flow segment;
  
  grouping together the entries in the hash table of traffic flow segments having shared transaction identifiers of the one or more transaction identifiers;
  
  stitching together the traffic flow segments to form a stitched traffic flow of the one or more traffic flows passing through the middlebox in the network environment based on the entries of the traffic flow segments grouped together according to the shared transaction identifiers and the flow directions of the traffic flow segments in the network environment with respect to the middlebox; and
  
  incorporating the stitched traffic flow as part of network traffic data for the network environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the one or more traffic flows pass through the middlebox directly between a client and a server.
  - 3. The method of claim 1, wherein the one or more traffic flows pass through the middlebox to another middlebox in the network environment.
  - 4. The method of claim 1, wherein the flow records are collected from the middlebox as the middlebox exports the flow records using an Internet Protocol Flow Information Export protocol.
  - 5. The method of claim 1, wherein the flow records include sources and destinations of the traffic flow segments at the middlebox, and the sources and the destinations of the traffic flow segments are used to stitch together the traffic flow segments to form the stitched traffic flow at the middlebox.
  - 6. The method of claim 5, wherein the sources and the destinations of the traffic flow segments are used to identify the flow directions of the traffic flow segments in the network environment with respect to the middlebox.
  - 7. The method of claim 1, further comprising:
    - identifying whether the stitched traffic flow forms a complete flow from the one or more traffic flows for a transaction between two entities in a network environment; and
      
      if it is determined that the stitched traffic flow forms the complete flow for the transaction between the two entities in a network environment, then pushing traffic flow data for the stitched traffic flow to a network traffic monitoring system remote from the middlebox to incorporate the stitched traffic flow as part of the network traffic data for the network environment.
  - 8. The method of claim 7, wherein the two entities include a client and a server.
  - 9. The method of claim 8, wherein the complete flow of the transaction between the client and the server includes a request sent from the client to the middlebox and included as part of the traffic flow segments at the middlebox, the request sent from the middlebox to the server and included as part of the traffic flow segments at the middlebox, a response to the request sent from the server to the middlebox and included as part of the traffic flow segments at the middlebox, and the response to the request sent from the middlebox to the client and included as part of the traffic flow segments at the middlebox.
  - 10. The method of claim 1,wherein each hash table entry includes a source and a destination of data in a corresponding traffic flow segment of the hash table entry, the method further comprisingusing the hash table of the traffic flow segments at the middlebox to form the stitched traffic flow at the middlebox in the network environment based on sources and destinations of the traffic flow segments included in the entries of the traffic flow segments in the hash table.
  - 11. The method of claim 10, further comprising identifying the flow directions of the traffic flow segments in the network environment using the hash table.
  - 12. The method of claim 11, further comprising identifying the flow directions of the traffic flow segments in the network environment based on the sources and destinations of the traffic flow segments included in the entries of the traffic flow segments in the hash table.
  - 13. The method of claim 1, wherein the stitched traffic flow is used to create an application dependency mapping as part of the network traffic data for the network environment.
  - 14. The method of claim 1, wherein the stitched traffic flow is used to create a policy for the middlebox.

15. A system comprising:
- one or more processors; and
  
  at least one non-transitory computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  collecting flow records of traffic flow segments at a middlebox in a network environment corresponding to one or more traffic flows passing between a client and a server directly through the middlebox, the flow records including one or more transaction identifiers assigned to the traffic flow segments;
  
  identifying flow directions of the traffic flow segments in the network environment with respect to the middlebox using the flow records;
  
  maintaining a hash table including entries for each of the traffic flow segments at the middlebox, wherein each entry includes a transaction identifier of the one or more transaction identifiers assigned to the traffic flow segment;
  
  grouping together the entries in the hash table of traffic flow segments having shared transaction identifiers of the one or more transaction identifiers;
  
  stitching together the traffic flow segments to form a stitched traffic flow of the one or more traffic flows passing through the middlebox in the network environment based on the entries of the traffic flow segments grouped together according to the shared transaction identifiers and the flow directions of the traffic flow segments in the network environment with respect to the middlebox; and
  
  incorporating the stitched traffic flow as part of network traffic data for the network environment.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15, wherein the flow records include sources and destinations of the traffic flow segments at the middlebox, and the sources and the destinations of the traffic flow segments are used to stitch together the traffic flow segments to form the stitched traffic flow at the middlebox.
  - 17. The system of claim 15, wherein the traffic flow segments includes a request sent from the client to the middlebox and included as part of the traffic flow segments at the middlebox, the request sent from the middlebox to the server and included as part of the traffic flow segments at the middlebox, a response to the request sent from the server to the middlebox and included as part of the traffic flow segments at the middlebox, and the response to the request sent from the middlebox to the client and included as part of the traffic flow segments at the middlebox.
  - 18. The system of claim 17, wherein the instructions which, when executed by the one or more processors, further cause the one or more processors to perform operations comprising:
    - determining if the response to the request is sent directly from the server to the client through the middlebox; and
      
      generating the network traffic data to indicate the stitched traffic flow passes directly from the server to the client through the middlebox if it is determined that the response to the request is sent directly from the server to the client through the middlebox.
  - 19. The system of claim 15, wherein each hash table entry includes a source and a destination of data in a corresponding traffic flow segment of the hash table entry and the instructions which, when executed by the one or more processors, further cause the one or more processors to perform operations comprising:
    - using the hash table of the traffic flow segments at the middlebox to form the stitched traffic flow at the middlebox in the network environment based on sources and destinations of the traffic flow segments included in the entries of the traffic flow segments in the hash table.

20. A non-transitory computer-readable storage medium having stored therein instructions which, when executed by a processor, cause the processor to perform operations comprising:
- collecting flow records of traffic flow segments at a middlebox in a network environment corresponding to one or more traffic flows passing through the middlebox, the flow records including one or more transaction identifiers assigned to the traffic flow segments;
  
  identifying flow directions of the traffic flow segments in the network environment with respect to the middlebox using the flow records;
  
  maintaining a hash table including entries for each of the traffic flow segments at the middlebox, wherein each entry includes a transaction identifier of the one or more transaction identifiers assigned to the traffic flow segment;
  
  grouping together the entries in the hash table of traffic flow segments having shared transaction identifiers of the one or more transaction identifiers;
  
  stitching together the traffic flow segments to form a stitched traffic flow of the one or more traffic flows passing through the middlebox in the network environment based on the entries of the traffic flow segments grouped together according to the shared transaction identifiers and the flow directions of the traffic flow segments in the network environment with respect to the middlebox; and
  
  incorporating the stitched traffic flows as part of an application dependency mapping included as part of network traffic data for the network environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Rao, Supreeth, Yadav, Navindra, Arumugam, Umamaheswaran, Watts, Micheal, Gandham, Shashi, Malleshaiah, Prasannakumar Jobigenahally, Nguyen, Duy, Vu, Hai, Patwardhan, Tapan Shrikrishna, Ma, Aiyesha, Zou, Xuan, Prabakaran, Jothi Prakash
Primary Examiner(s)
Waqas, Saad A.

Application Number

US15/966,561
Publication Number

US 20190230035A1
Time in Patent Office

666 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/082   the condition being updates...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/40   using virtualisation of net...

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 43/0876   Network utilisation, e.g. v...

H04L 43/10   Active monitoring, e.g. hea...

H04L 43/20   the monitoring system or th...

H04L 45/38   Flow based routing

H04L 45/70   Routing based on monitoring...

H04L 47/10   Flow control; Congestion co...

H04L 47/2483   involving identification of...

H04L 47/822   Collecting or measuring res...

H04L 67/14   Session management for real...

Network flow stitching using middle box flow stitching

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network flow stitching using middle box flow stitching

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links