Packet sequence number network monitoring system

US 20040073655A1
Filed: 10/09/2002
Published: 04/15/2004
Est. Priority Date: 10/09/2002
Status: Active Grant

First Claim

Patent Images

1. A network monitoring system, comprising:

storage circuitry for storing network packet information, wherein the network packet information includes a predicted identifier; and

at least one monitoring circuit coupled to a network along which network traffic flows in a form of packets, the at least one monitoring circuit programmed to perform the steps of;

receiving a packet communicated along the network;

determining whether the received packet is communicated between a source and destination in a first set of network nodes, wherein each packet in a sequence of communications between the source and the destination comprises a packet identifier that uniquely identifies the packet from all other communications in a flow between the source and the destination; and

responsive to determining the received packet is communicated between a source and destination in the first set of network nodes, comparing the packet identifier of the received packet to the predicted identifier to determine an identifier deviation between the packet identifier and the predicted identifier for identifying an irregularity in the network traffic.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network monitoring system (60). The system comprises storage circuitry (32) for storing network packet information, wherein the network packet information includes a predicted identifier. The network monitoring system also comprises at least one monitoring circuit (36) coupled to a network (70) along which network traffic flows in a form of packets. The at least one monitoring circuit programmed to perform the steps (44) of receiving a packet communicated along the network and determining whether the received packet is communicated between a source and destination in a first set of network nodes. Each packet in a sequence of communications between the source and the destination comprises a packet identifier that uniquely identifies the packet from all other communications in a flow between the source and the destination. The at least one monitoring circuit programmed to perform the step of, responsive to determining the received packet is communicated between a source and destination in the first set of network nodes, comparing the packet identifier of the received packet to the predicted identifier to determine an identifier deviation between the packet identifier and the predicted identifier for identifying an irregularity in the network traffic.

122 Citations

40 Claims

1. A network monitoring system, comprising:
- storage circuitry for storing network packet information, wherein the network packet information includes a predicted identifier; and
  
  at least one monitoring circuit coupled to a network along which network traffic flows in a form of packets, the at least one monitoring circuit programmed to perform the steps of;
  
  receiving a packet communicated along the network;
  
  determining whether the received packet is communicated between a source and destination in a first set of network nodes, wherein each packet in a sequence of communications between the source and the destination comprises a packet identifier that uniquely identifies the packet from all other communications in a flow between the source and the destination; and
  
  responsive to determining the received packet is communicated between a source and destination in the first set of network nodes, comparing the packet identifier of the received packet to the predicted identifier to determine an identifier deviation between the packet identifier and the predicted identifier for identifying an irregularity in the network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 2. The system of claim 1 wherein the at least one monitoring circuit is programmed to further perform the steps of:
    - comparing the identifier deviation to a threshold; and
      
      responsive to the identifier deviation exceeding a threshold, indicating an alarm.
  - 3. The system of claim 1 wherein the at least one monitoring circuit is programmed to further perform the steps of:
    - comparing the identifier deviation to a threshold; and
      
      responsive to the identifier deviation exceeding a threshold, adjusting packet communications between the source and the destination.
  - 4. The system of claim 3:
    - wherein the at least one monitoring circuit monitors packets between core routers; and
      
      wherein the adjusting step adjusts packet communications at an edge router.
  - 5. The system of claim 1 wherein the packet identifier comprises a sequence number.
  - 6. The system of claim 1:
    - wherein the packet comprises a TCP packet; and
      
      wherein the packet identifier comprises a TCP sequence number.
  - 7. The system of claim 1 wherein the at least one monitoring circuit is programmed to further perform, prior to the comparing step, the steps of:
    - receiving a plurality of packets communicated along the network;
      
      for each packet in the plurality of packets;
      
      determining whether the received packet is communicated between a source and destination in the first set of network nodes; and
      
      responsive to determining the received packet is communicated between a source and destination in the first set of network nodes, storing in the storage circuitry the packet identifier of the received packet.
  - 8. The system of claim 7 wherein the at least one monitoring circuit is programmed to further perform the step of determining the predicted identifier in response to a plurality of packet identifiers stored by the storing step corresponding to a plurality of packets in the first set.
  - 9. The system of claim 8 wherein the at least one monitoring circuit is programmed to further perform the step of determining the predicted identifier as a most common one of the plurality of packet identifiers.
  - 10. The system of claim 1 wherein the at least one monitoring circuit is programmed to further perform the step of, responsive to determining the received packet is communicated between a source and destination in the first set of network nodes, comparing a time of arrival of the received packet to a predicted time of arrival to determine a time deviation between the time of arrival and the predicted time of arrival.
  - 11. The system of claim 10 wherein the at least one monitoring circuit is programmed to further perform the steps of:
    - comparing the time deviation to a threshold; and
      
      responsive to the time deviation exceeding a threshold, indicating an alarm.
  - 12. The system of claim 10 wherein the at least one monitoring circuit is programmed to further perform the steps of:
    - comparing the time deviation to a threshold; and
      
      responsive to the time deviation exceeding a threshold, adjusting packet communications between the source and the destination.
  - 13. The system of claim 10 wherein the at least one monitoring circuit is programmed to further perform, prior to the step of comparing a time of arrival, the step of determining the predicted time of arrival in response to a difference in time between two successively-received packets between the source and the destination in the first set of network nodes.
  - 14. The system of claim 1 wherein the first set consists of a single source and a single destination node.
  - 15. The system of claim 1 wherein the first set comprises a plurality of source nodes in a first physical sub-network and a plurality of destination nodes in a second physical sub-network that differs from the first physical sub-network.
  - 16. The system of claim 1 wherein the at least one monitoring circuit is programmed to further perform the steps of, responsive to determining that the identifier deviation exceeds a threshold:
    - receiving an additional packet communicated along the network;
      
      determining whether the additional packet is communicated between the source and the destination in the first set of network nodes; and
      
      responsive to determining the additional packet is communicated between a source and destination in the first set of network nodes, comparing the packet identifier of the additional packet to a predicted identifier to determine an identifier deviation between the packet identifier of the additional packet and a predicted identifier.
  - 17. The system of claim 16 wherein the at least one monitoring circuit is programmed to further perform, responsive to determining that the identifier deviation between the packet identifier of the additional packet to a predicted identifier exceeds a threshold, the steps of:
    - receiving a plurality of packets communicated along the network; and
      
      determining whether each packet in the plurality of packets is communicated between a source and destination in a second set of network nodes, wherein the second set of network nodes comprises the first set of network nodes.
  - 18. The system of claim 17:
    - wherein the first set consists of a first number of nodes; and
      
      wherein the second set consists of a second number of nodes greater than the first set of nodes.
  - 19. The system of claim 18 wherein the first set consists of a single source and a single destination node.
  - 20. The system of claim 18:
    - wherein the single source node corresponds to a first physical sub-network and the single destination node corresponds to a second physical sub-network; and
      
      wherein the second set comprises a plurality of source nodes corresponding to the first physical sub-network and a plurality of destination nodes corresponding to the second physical network.
  - 21. The system of claim 17 wherein the at least one monitoring circuit is programmed to further perform, relative to each packet in the plurality of packets and determined to be communicated between a source and destination in the second set of network nodes, the step of comparing the packet identifier of each respective received packet to a predicted identifier to determine a respective identifier deviation between the packet identifier of the respective received packet and the predicted identifier.
  - 22. The system of claim 21 wherein the at least one monitoring circuit is programmed to further perform, relative to each packet in the plurality of packets and determined to be communicated between a source and destination in a second set of network nodes, the steps of:
    - comparing the respective identifier deviation to a threshold; and
      
      responsive to the respective identifier deviation exceeding a threshold, adjusting packet communications along the second set of network nodes.
  - 23. The system of claim 22 wherein the step of adjusting packet communications along the second set of network nodes comprises adjusting packet communications at least one an edge router.
  - 24. The system of claim 21 wherein the at least one monitoring circuit is programmed to further perform, relative to each packet in the plurality of packets and determined to be communicated between a source and destination in a second set of network nodes, the steps of:
    - comparing the respective identifier deviation to a threshold; and
      
      responsive to the respective deviation exceeding a threshold, indicating an alarm.
  - 25. The system of claim 16 wherein the at least one monitoring circuit is programmed to further perform the step of, responsive to determining the additional packet is communicated between a source and destination in the first set of network nodes, comparing a time of arrival of the additional packet to a first predicted time of arrival to determine a time deviation between the time of arrival of the additional packet and the first predicted time of arrival.
  - 26. The system of claim 25 wherein the at least one monitoring circuit is programmed to further perform, responsive to determining that the time deviation exceeds a threshold, the steps of:
    - receiving a plurality of packets communicated along the network; and
      
      determining whether each packet in the plurality of packets is communicated between a source and destination in a second set of network nodes, wherein the second set of network nodes comprises the first set of network nodes.
  - 27. The system of claim 26 wherein the at least one monitoring circuit is programmed to further perform, relative to each packet in the plurality of packets and determined to be communicated between a source and destination in a second set of network nodes, the step of comparing a time of arrival of the packet to a corresponding predicted time of arrival to determine a corresponding time deviation between the time of arrival of the packet and the corresponding predicted time of arrival.
  - 28. The system of claim 27 wherein the at least one monitoring circuit is programmed to further perform the steps of:
    - comparing the corresponding time deviation to a threshold; and
      
      responsive to the corresponding time deviation exceeding a threshold, indicating an alarm.
  - 29. The system of claim 27 wherein the at least one monitoring circuit is programmed to further perform the steps of:
    - comparing the corresponding time deviation to a threshold; and
      
      responsive to the corresponding time deviation exceeding a threshold, adjusting packet communications between at least some of the second set of nodes.
  - 30. The system of claim 1 wherein the network comprises an internet protocol network.
  - 31. The system of claim 1 wherein the internet protocol network comprises the global internet.
  - 32. The system of claim 1 and further comprising a plurality of monitoring circuit, each coupled to the network, and each programmed to perform the steps of:
    - receiving a packet communicated along the network;
      
      determining whether the received packet is communicated between a source and destination in a first set of network nodes, wherein each packet in a sequence of communications between the source and the destination comprises a packet identifier that uniquely identifies the packet from all other communications in a flow between the source and the destination; and
      
      responsive to determining the received packet is communicated between a source and destination in the first set of network nodes, comparing the packet identifier of the received packet to the predicted identifier to determine an identifier deviation between the packet identifier and the predicted identifier for identifying an irregularity in the network traffic.

33. A method of monitoring a network along which network traffic flows in a form of packets, the method comprising:
- storing network packet information in storing circuitry, wherein the network packet information includes a predicted identifier and wherein the storing circuitry is accessible to the network; and
  
  operating at least one monitoring circuit coupled to the network along which network traffic flows in a form of packets, the operating step comprising the steps of;
  
  receiving a packet communicated along the network;
  
  determining whether the received packet is communicated between a source and destination in a first set of network nodes, wherein each packet in a sequence of communications between the source and the destination comprises a packet identifier that uniquely identifies the packet from all other communications in a flow between the source and the destination; and
  
  responsive to determining the received packet is communicated between a source and destination in the first set of network nodes, comparing the packet identifier of the received packet to the predicted identifier to determine an identifier deviation between the packet identifier and the predicted identifier for identifying an irregularity in the network traffic.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40)
- - 34. The method of claim 33, wherein the operating step further comprises:
    - comparing the identifier deviation to a threshold; and
      
      responsive to the identifier deviation exceeding a threshold, one of the steps from the group consisting of indicating an alarm and adjusting packet communications between the source and the destination.
  - 35. The method of claim 33 wherein the packet identifier comprises a sequence number.
  - 36. The method of claim 33, wherein the operating step further comprises, responsive to determining the received packet is communicated between a source and destination in the first set of network nodes, comparing a time of arrival of the received packet to a predicted time of arrival to determine a time deviation between the time of arrival and the predicted time of arrival.
  - 37. The method of claim 36 wherein the operating step further comprises:
    - comparing the time deviation to a threshold; and
      
      responsive to the time deviation exceeding a threshold, one of the steps from the group consisting of indicating an alarm and adjusting packet communications between the source and the destination.
  - 38. The method of claim 33 wherein the operating step further comprises, after determining that the identifier deviation between the packet identifier of the packet to a predicted identifier exceeds a threshold, the steps of:
    - receiving a plurality of packets communicated along the network; and
      
      determining whether each packet in the plurality of packets is communicated between a source and destination in a second set of network nodes.
  - 39. The method of claim 38 wherein the second set of network nodes comprises the first set of network nodes and wherein the second set consists of a number of nodes greater a number of nodes in the first set of nodes.
  - 40. The method of claim 38 wherein the operating step further comprises, relative to each packet in the plurality of packets and determined to be communicated between a source and destination in the second set of network nodes, the steps of:
    - comparing the packet identifier of each respective received packet to a predicted identifier to determine a respective identifier deviation between the packet identifier of the respective received packet and the predicted identifier;
      
      comparing the respective identifier deviation to a threshold; and
      
      responsive to the respective identifier deviation exceeding a threshold, one of the steps from the group consisting of indicating an alarm and adjusting packet communications between the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WSOU Investments, LLC (WSOU Holdings, LLC)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Kan, Chao, Jones, Emanuele, Labbe, Thierry, Ogier, Hubert, Guingo, Pierrick

Granted Patent

US 7,313,141 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/5009   Determining service level p...

H04L 43/00   Arrangements for monitoring...

H04L 43/026   using flow identification

H04L 43/028   by filtering

H04L 43/0817   by checking functioning

H04L 43/0829   Packet loss

H04L 43/0858   One way delays

H04L 43/087   Jitter

H04L 43/0888   Throughput

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

H04L 43/18   Protocol analysers

H04L 69/16   Implementation or adaptatio...

Packet sequence number network monitoring system

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

40 Claims

Specification

Use Cases

Quick Links

Others

Packet sequence number network monitoring system

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

40 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others