Reliable packet monitoring methods and apparatus for high speed networks

US 20040049596A1
Filed: 08/11/2003
Published: 03/11/2004
Est. Priority Date: 08/15/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for controlling traffic on a network, said method comprising:

monitoring a data stream;

determining a particular byte offset within the monitored stream at which to block flow of the stream; and

blocking flow of the data stream at the determined byte offset.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling traffic on a network includes monitoring a data stream, determining a particular byte offset within the monitored stream at which to block flow of the stream, and blocking flow of the data stream at the determined byte offset.

498 Citations

61 Claims

1. A method for controlling traffic on a network, said method comprising:
- monitoring a data stream;
  
  determining a particular byte offset within the monitored stream at which to block flow of the stream; and
  
  blocking flow of the data stream at the determined byte offset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method in accordance with claim 1 further comprising:
    - sending data to an authorizing authority; and
      
      re-enabling flow of the blocked stream upon receipt of an authorization from the authorizing authority.
  - 3. A method in accordance with claim 1 further comprising manipulating the data stream such that a second device comprising a receiving device receives data different than that sent from a first device comprising a sending device.
  - 4. A method in accordance with claim 3, wherein said monitoring a data stream comprises monitoring TCP traffic in band through a switch using a plurality of content scanning engines.
  - 5. A method in accordance with claim 4, wherein said monitoring comprises content scanning a plurality of TCP packets to detect a content match that spans multiple packets.
  - 6. A method in accordance with claim 5, wherein said monitoring comprises monitoring a plurality of flows through the network wherein an overlapping retransmission is handled using a data enabled signal and a valid bytes vector.
  - 7. A method in accordance with claim 6 further comprising:
    - maintaining a period of idle time for each monitored flow; and
      
      stopping monitoring a flow which has the longest period of idle time upon receipt of a new flow to be monitored when a total number of flows being monitored is equal to a desired maximum number of simultaneous flows.
  - 8. A method in accordance with claim 6, wherein said monitoring a plurality of data flows comprises monitoring a plurality of existing data flows simultaneously wherein each existing flow has a hash table entry, said method further comprises:
    - receiving a new flow to be monitored, wherein the new flow hashes to the hash table entry of an existing flow causing a hash table collision; and
      
      stopping monitoring of the existing flow whose hash table entry the new flow collided with.
  - 9. A method in accordance with claim 1, wherein said monitoring comprises monitoring a TCP data stream for a predetermined condition, said blocking comprises generating and transmitting a TCP FIN packet for the monitored data stream upon a detection of the predetermined condition for the purpose of terminating the TCP data stream.

10. A method for controlling traffic on a network, said method comprising:
- monitoring a data stream for a first predetermined condition;
  
  blocking flow of the data steam upon a detection of the first predetermined condition; and
  
  re-enabling flow of the blocked stream.
- View Dependent Claims (11, 12)
- - 11. A method in accordance with claim 10 further comprising:
    - sending data to an authorizing authority; and
      
      re-enabling flow of the blocked stream upon receipt of an authorization from the authorizing authority.
  - 12. A method in accordance with claim 11, wherein said monitoring comprises monitoring a plurality of flows through the network wherein an overlapping retransmission is handled using a data enabled signal and a valid bytes vector.

13. A method for controlling traffic on a network, said method comprising:
- monitoring a TCP data stream for a predetermined condition; and
  
  generating and transmitting a TCP FIN packet for the monitored data stream upon a detection of the predetermined condition for the purpose of terminating the TCP data stream.

14. A method for controlling traffic on a network, said method comprising:
- monitoring a TCP data stream from a first device directed toward a second device for a predetermined condition; and
  
  manipulating the TCP data stream such that the second device receives data different than that sent from the first device.
- View Dependent Claims (15, 16, 17)
- - 15. A method in accordance with claim 14, wherein said monitoring comprises monitoring a TCP data stream from a first device directed toward a second device for an indication of a presence of a virus within the stream, said manipulating comprises removing the virus from the stream.
  - 16. A method in accordance with claim 14, wherein said manipulating comprises computing a checksum for a modified TCP packet which is the same number of bytes long as an original TCP packet which the modified TCP packet is replacing in the TCP data stream.
  - 17. A method in accordance with claim 14, wherein said manipulating comprises computing a checksum for a TCP packet added to the stream.

18. A method for controlling traffic on a network, said method comprising monitoring TCP traffic in band through a switch using a plurality of content scanning engines.
- View Dependent Claims (19, 20, 21)
- - 19. A method in accordance with claim 18 further comprising buffering the monitored TCP traffic in an input buffer.
  - 20. A method in accordance with claim 18 further comprising validating and classifying TCP packets as part of individual flows and sending the flows to the content scanning engines such that each content scanning engine receives a unique flow.
  - 21. A method in accordance with claim 20, wherein said classifying comprises using a hash table to classify a flow wherein hash table conflicts are resolved by chaining off a linked list of flow state records wherein a length of the chain is limited to a constant number of entries.

22. A method for controlling traffic on a network, said method comprising content scanning a plurality of TCP packets to detect a content match that spans multiple packets.

23. A method for controlling traffic on a network, said method comprising monitoring a plurality of flows through the network wherein per flow memory usage is matched to a burst width of a memory module used to monitor a flow.

24. A method for controlling traffic on a network, said method comprising monitoring a plurality of flows through the network wherein an overlapping retransmission is handled using a data enabled signal and a valid bytes vector.

25. A method for controlling traffic on a network said method comprising:
- monitoring a plurality of data flows simultaneously;
  
  assigning a maximum idle period of time for each monitored flow; and
  
  stopping monitoring a flow which is idle for at least the assigned period of time.

26. A method for controlling traffic on a network said method comprising:
- monitoring a plurality of data flows simultaneously;
  
  maintaining a period of idle time for each monitored flow; and
  
  stopping monitoring the flow having a longest period of idle time.
- View Dependent Claims (27, 28)
- - 27. A method in accordance with claim 26, wherein said stopping comprises stopping monitoring a flow having the longest period of idle time upon receipt of a new flow to be monitored.
  - 28. A method in accordance with claim 26, wherein said stopping comprises stopping monitoring a flow which has the longest period of idle time upon receipt of a new flow to be monitored when a total number of flows being monitored is equal to a desired maximum number of simultaneous flows.

29. A method for controlling traffic on a network said method comprising:
- monitoring a plurality of existing data flows simultaneously wherein each existing flow has a hash table entry;
  
  receiving a new flow to be monitored, wherein the new flow hashes to the hash table entry of an existing flow causing a hash table collision; and
  
  stopping monitoring of the existing flow whose hash table entry the new flow collided with.
- View Dependent Claims (30)
- - 30. A method in accordance with claim 29 further comprising monitoring the new flow after said stopping monitoring the existing flow.

31. A Field Programmable Gate Array (FPGA) configured to:
- monitor a plurality of data flows using a hash table to store state information regarding each flow;
  
  resolve hash table collisions according to a first algorithm stored on said FPGA;
  
  receive a second algorithm at said FPGA to resolve hash table collisions, said second algorithm different from the first algorithm; and
  
  use the received second algorithm to resolve hash table collisions occurring subsequent said receipt of the second algorithm.

32. An apparatus for controlling traffic on a network, said apparatus comprising:
- at least one input port;
  
  at least one output port; and
  
  at least one logic device operationally coupled to said input port and said output port, said logic device configured to;
  
  monitor a data stream;
  
  determine a particular byte offset within the monitored stream at which to block flow of the stream; and
  
  block flow of the data stream at the determined byte offset.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40)
- - 33. An apparatus in accordance with claim 32, wherein said logic device further configured to:
    - send data to an authorizing authority; and
      
      re-enable flow of the blocked stream upon receipt of an authorization from the authorizing authority.
  - 34. An apparatus in accordance with claim 32, wherein said logic device further configured to manipulate the data stream such that a second device comprising a receiving device receives data different than that sent from a first device comprising a sending device.
  - 35. An apparatus in accordance with claim 32, wherein said logic device further configured to monitor TCP traffic in band using a plurality of content scanning engines.
  - 36. An apparatus in accordance with claim 32, wherein said logic device further configured to content scan a plurality of TCP packets to detect a content match that spans multiple packets.
  - 37. An apparatus in accordance with claim 32, wherein said logic device further configured to monitor a plurality of flows through the network wherein an overlapping retransmission is handled using a data enabled signal and a valid bytes vector.
  - 38. An apparatus in accordance with claim 32, wherein said logic device further configured to:
    - maintain a period of idle time for each monitored flow; and
      
      stop monitoring a flow which has the longest period of idle time upon receipt of a new flow to be monitored when a total number of flows being monitored is equal to a desired maximum number of simultaneous flows.
  - 39. An apparatus in accordance with claim 32, wherein said logic device further configured to:
    - monitor a plurality of existing data flows simultaneously wherein each existing flow has a hash table entry;
      
      receive a new flow to be monitored, wherein the new flow hashes to the hash table entry of an existing flow causing a hash table collision; and
      
      stop monitoring of the existing flow whose hash table entry the new flow collided with.
  - 40. An apparatus in accordance with claim 32, wherein said logic device further configured to:
    - monitor a TCP data stream for a predetermined condition; and
      
      generate and transmit a TCP FIN packet for the monitored data stream upon a detection of the predetermined condition for the purpose of terminating the TCP data stream.

41. An apparatus for controlling traffic on a network, said apparatus comprising:
- at least one input port;
  
  at least one output port; and
  
  at least one logic device operationally coupled to said input port and said output port, said logic device configured to;
  
  monitor a data stream for a first predetermined condition;
  
  block flow of the data steam upon a detection of the first predetermined condition; and
  
  re-enable flow of the blocked stream.
- View Dependent Claims (42, 43)
- - 42. An apparatus in accordance with claim 41, wherein said logic device further configured to:
    - send data to an authorizing authority; and
      
      re-enable flow of the blocked stream upon receipt of an authorization from the authorizing authority.
  - 43. An apparatus in accordance with claim 41, wherein said logic device further configured to monitor a plurality of flows through the network wherein an overlapping retransmission is handled using a data enabled signal and a valid bytes vector.

44. An apparatus for controlling traffic on a network, said apparatus comprising:
- at least one input port;
  
  at least one output port; and
  
  at least one logic device operationally coupled to said input port and said output port, said logic device configured to;
  
  monitor a TCP data stream for a predetermined condition; and
  
  generate and transmit a TCP FIN packet for the monitored data stream upon a detection of the predetermined condition for the purpose of terminating the TCP data stream.

45. An apparatus for controlling traffic on a network, said apparatus comprising:
- at least one input port;
  
  at least one output port; and
  
  at least one logic device operationally coupled to said input port and said output port, said logic device configured to;
  
  monitor a TCP data stream from a first device directed toward a second device for a predetermined condition; and
  
  manipulate the TCP data stream such that the second device receives data different than that sent from the first device.
- View Dependent Claims (46, 47, 48)
- - 46. An apparatus in accordance with claim 45, wherein said logic device further configured to:
    - monitor a TCP data stream from a first device directed toward a second device for an indication of a presence of a virus within the stream; and
      
      remove the virus from the stream.
  - 47. An apparatus in accordance with claim 45, wherein said logic device further configured to compute a checksum for a modified TCP packet which is the same number of bytes long as an original TCP packet which the modified TCP packet is replacing in the TCP data stream.
  - 48. An apparatus in accordance with claim 45, wherein said logic device further configured to compute a checksum for a TCP packet added to the stream.

49. An apparatus for controlling traffic on a network, said apparatus comprising:
- at least one input port;
  
  at least one output port; and
  
  at least one logic device operationally coupled to said input port and said output port, said logic device configured to;
  
  monitor TCP traffic in band using a plurality of content scanning engines.
- View Dependent Claims (50, 51, 52)
- - 50. An apparatus in accordance with claim 49, wherein said logic device further configured to buffer the monitored TCP traffic in an input buffer.
  - 51. An apparatus in accordance with claim 49, wherein said logic device further configured to validate and classify TCP packets as part of individual flows and send the flows to the content scanning engines such that each content scanning engine receives a unique flow.
  - 52. An apparatus in accordance with claim 51, wherein said logic device further configured to use a hash table to classify a flow wherein hash table conflicts are resolved by chaining off a linked list of flow state records wherein a length of the chain is limited to a constant number of entries.

53. An apparatus for controlling traffic on a network, said apparatus comprising:
- at least one input port;
  
  at least one output port; and
  
  at least one logic device operationally coupled to said input port and said output port, said logic device configured to scan a plurality of TCP packets to detect a content match that spans multiple packets.

54. An apparatus for controlling traffic on a network, said apparatus comprising:
- at least one input port;
  
  at least one output port; and
  
  at least one logic device operationally coupled to said input port and said output port, said logic device configured to monitor a plurality of flows through the network wherein per flow memory usage is matched to a burst width of a memory module used to monitor a flow.

55. An apparatus for controlling traffic on a network, said apparatus comprising:
- at least one input port;
  
  at least one output port; and
  
  at least one logic device operationally coupled to said input port and said output port, said logic device configured to monitor a plurality of flows through the network wherein an overlapping retransmission is handled using a data enabled signal and a valid bytes vector.

56. An apparatus for controlling traffic on a network said apparatus comprising:
- at least one input port;
  
  at least one output port; and
  
  at least one logic device operationally coupled to said input port and said output port, said logic device configured to;
  
  monitor a plurality of data flows simultaneously;
  
  assign a maximum idle period of time for each monitored flow; and
  
  stop monitoring a flow which is idle for at least the assigned period of time.

57. An apparatus for controlling traffic on a network said apparatus comprising:
- at least one input port;
  
  at least one output port; and
  
  at least one logic device operationally coupled to said input port and said output port, said logic device configured to;
  
  monitor a plurality of data flows simultaneously;
  
  maintain a period of idle time for each monitored flow; and
  
  stop monitoring the flow having a longest period of idle time.
- View Dependent Claims (58, 59)
- - 58. An apparatus in accordance with claim 57, wherein said logic device further configured to stop monitoring a flow having the longest period of idle time upon receipt of a new flow to be monitored.
  - 59. An apparatus in accordance with claim 57, wherein said logic device further configured to stop monitoring a flow which has the longest period of idle time upon receipt of a new flow to be monitored when a total number of flows being monitored is equal to a desired maximum number of simultaneous flows.

60. An apparatus for controlling traffic on a network, said apparatus comprising:
- at least one input port;
  
  at least one output port; and
  
  at least one logic device operationally coupled to said input port and said output port, said logic device configured to;
  
  monitor a plurality of existing data flows simultaneously wherein each existing flow has a hash table entry;
  
  receive a new flow to be monitored, wherein the new flow hashes to the hash table entry of an existing flow causing a hash table collision; and
  
  stop monitoring of the existing flow whose hash table entry the new flow collided with.
- View Dependent Claims (61)
- - 61. An apparatus in accordance with claim 60, wherein said logic device further configured to monitor the new flow after stopping monitoring the existing flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Washington University In St Louis
Original Assignee
Washington University In St Louis
Inventors
Lockwood, John W., Schuehler, David V.

Application Number

US10/638,815
Publication Number

US 20040049596A1
Time in Patent Office

Days
Field of Search
US Class Current

709/238
CPC Class Codes

H04L 43/18   Protocol analysers

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

Reliable packet monitoring methods and apparatus for high speed networks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

498 Citations

61 Claims

Specification

Use Cases

Quick Links

Others

Reliable packet monitoring methods and apparatus for high speed networks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

498 Citations

61 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others