Apparatus, system, and method for debugging network devices based on the contents of dropped packets

US 10,735,282 B1
Filed: 06/29/2018
Issued: 08/04/2020
Est. Priority Date: 06/29/2018
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting, at a network stack of a network device, a packet that;

is destined at least intermediately for a network interface of the network device; and

has been flagged by the network stack to be dropped instead of forwarded to the network interface based on at least one characteristic of the packet;

identifying an Internet Protocol (IP) identification number within a header of the packet;

instead of dropping the packet;

replacing, within the header of the packet, the IP identification number with an error code that corresponds to a reason that the packet has been flagged based on the characteristic of the packet;

altering a checksum field of the packet such that the packet is undeliverable to the network interface; and

forwarding the packet to an alternative network interface of the network device that analyzes content of packets;

identifying, at the alternative network interface, the error code that replaced the IP identification number within the header of the packet; and

executing, based on the error code identified within the header of the packet, at least one action in connection with the packet that improves the performance of the network device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A disclosed method may include (1) detecting, at a network stack of a network device, a packet that (A) is destined at least intermediately for a network interface of the network device and (B) has been flagged by the network stack to be dropped instead of forwarded to the network interface based on at least one characteristic of the packet, (2) instead of dropping the packet, forwarding the packet to an alternative network interface of the network device that analyzes content of packets, (3) identifying, at the alternative network interface, the characteristic of the packet, and then (4) executing, based on the characteristic of the packet, at least one action in connection with the packet that improves the performance of the network device. Various other apparatuses, systems, and methods are also disclosed.

Citations

20 Claims

1. A method comprising:
- detecting, at a network stack of a network device, a packet that;
  
  is destined at least intermediately for a network interface of the network device; and
  
  has been flagged by the network stack to be dropped instead of forwarded to the network interface based on at least one characteristic of the packet;
  
  identifying an Internet Protocol (IP) identification number within a header of the packet;
  
  instead of dropping the packet;
  
  replacing, within the header of the packet, the IP identification number with an error code that corresponds to a reason that the packet has been flagged based on the characteristic of the packet;
  
  altering a checksum field of the packet such that the packet is undeliverable to the network interface; and
  
  forwarding the packet to an alternative network interface of the network device that analyzes content of packets;
  
  identifying, at the alternative network interface, the error code that replaced the IP identification number within the header of the packet; and
  
  executing, based on the error code identified within the header of the packet, at least one action in connection with the packet that improves the performance of the network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising adding, before forwarding the packet to the alternative network interface, an indication of the characteristic of the packet to the packet.
  - 3. The method of claim 2, wherein adding the indication of the characteristic of the packet to the packet comprises:
    - selecting, from a set of error codes that describe characteristics of dropped packets, the error code that corresponds to the reason that the packet has been flagged.
  - 4. The method of claim 1, wherein altering the checksum field of the packet comprises scrambling, before forwarding the packet to the alternative network interface, data within the checksum field of the packet such that the network stack is not capable of forwarding the packet to a destination network address listed within the packet.
  - 5. The method of claim 1, further comprising creating the alternative network interface prior to detecting the packet at the network stack.
  - 6. The method of claim 5, wherein creating the alternative network interface comprises creating a virtual network interface dedicated to analyzing packets that have been flagged to be dropped.
  - 7. The method of claim 1, wherein identifying the characteristic of the packet at the alternative network interface comprises executing a command that returns content of at least a portion of packets currently residing at the alternative network interface.
  - 8. The method of claim 1, wherein:
    - identifying the characteristic of the packet at the alternative network interface comprises determining that the characteristic of the packet indicates the packet is malicious; and
      
      executing the action on the packet comprises preventing the packet from compromising the security of the network device due at least in part to the packet being malicious.
  - 9. The method of claim 1, wherein:
    - identifying the characteristic of the packet at the alternative network interface comprises determining that the packet contains an error that renders the packet undeliverable to the network interface; and
      
      executing the action on the packet comprises correcting a network issue that produced the error within the packet.

10. A system comprising:
- a detection module, stored in memory, that;
  
  detects, at a network stack of a network device, a packet that;
  
  is destined at least intermediately for a network interface of the network device; and
  
  has been flagged by the network stack to be dropped instead of forwarded to the network interface based on at least one characteristic of the packet;
  
  identifies an Internet Protocol (IP) identification number within a header of the packet;
  
  replaces, within the header of the packet, the IP identification number with an error code that corresponds to a reason that the packet has been flagged based on the characteristic of the packet; and
  
  alters a checksum field of the packet such that the packet is undeliverable to the network interface; and
  
  a forwarding module, stored in memory, that instead of dropping the packet, forwards the packet to an alternative network interface of the network device that analyzes content of packets;
  
  an identification module, stored in memory, that identifies, at the alternative network interface, the error code that replaced the IP identification number within the header of the packet;
  
  an action module, stored in memory, that executes, based on the error code identified within the header of the packet, at least one action in connection with the packet that improves the performance of the network device; and
  
  at least one physical processor configured to execute the detection module, the forwarding module, the identification module, and the action module.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein before the packet is forwarded to the alternative network interface, the detection module adds an indication of the characteristic of the packet to the packet.
  - 12. The system of claim 11, wherein the detection module adds the indication of the characteristic of the packet to the packet by:
    - selecting, from a set of error codes that describe characteristics of dropped packets, the error code that corresponds to the reason that the packet has been flagged.
  - 13. The system of claim 10, wherein before the packet is forwarded to the alternative network interface, the detection module scrambles data within the checksum field of the packet such that the network stack is not capable of forwarding the packet to a destination network address listed within the packet.
  - 14. The system of claim 10, wherein the forwarding module further creates the alternative network interface prior to detecting the packet at the network stack.
  - 15. The system of claim 14, wherein the forwarding module creates the alternative network interface by creating a virtual network interface dedicated to analyzing packets that have been flagged to be dropped.
  - 16. The system of claim 10, wherein the identification module identifies the characteristic of the packet at the alternative network interface by executing a command that returns content of at least a portion of packets currently residing at the alternative network interface.
  - 17. The system of claim 10, wherein:
    - the identification module determines that the characteristic of the packet indicates the packet is malicious; and
      
      the action module executes the action on the packet by preventing the packet from compromising the security of the network device due at least in part to the packet being malicious.
  - 18. The system of claim 10, wherein:
    - the identification module determines that the packet contains an error that renders the packet undeliverable to the network interface; and
      
      the action module executes the action on the packet comprises correcting a network issue that produced the error within the packet.

19. An apparatus comprising:
- at least one storage device that stores rules for identifying packets to be dropped at a network device; and
  
  a physical processing device communicatively coupled to the storage device, wherein the physical processing device;
  
  detects, at a network stack of the network device, a packet that;
  
  is destined at least intermediately for a network interface of the network device; and
  
  has been flagged by the network stack to be dropped instead of forwarded to the network interface based on at least one characteristic of the packet;
  
  identifies an Internet Protocol (IP) identification number within a header of the packet;
  
  instead of dropping the packet;
  
  replaces, within the header of the packet, the IP identification number with an error code that corresponds to a reason that the packet has been flagged based on the characteristic of the packet;
  
  alters a checksum field of the packet such that the packet is undeliverable to the network interface; and
  
  forwards the packet to an alternative network interface of the network device that analyzes content of packets;
  
  identifies, at the alternative network interface, the error code that replaced the IP identification number within the header of the packet; and
  
  executes, based on the error code identified within the header of the packet, at least one action in connection with the packet that improves the performance of the network device.
- View Dependent Claims (20)
- - 20. The apparatus of claim 19, wherein the physical processing device further adds, before forwarding the packet to the alternative network interface, an indication of the characteristic of the packet to the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Singh, Prashant, Rupavatharam, Sreekanth, MacNeil, Erin C.
Primary Examiner(s)
Cunningham, Kevin M

Application Number

US16/024,496
Time in Patent Office

767 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0654   using network fault recover...

H04L 41/0677   Localisation of faults

H04L 41/0836   to enhance reliability, e.g...

H04L 43/026   using flow identification

H04L 43/028   by filtering

H04L 45/22   Alternate routing

H04L 47/31   by tagging of packets, e.g....

H04L 47/32   by discarding or delaying d...

H04L 49/3009   Header conversion, routing ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 69/22   Parsing or analysis of headers

Apparatus, system, and method for debugging network devices based on the contents of dropped packets

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus, system, and method for debugging network devices based on the contents of dropped packets

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links