Interpreting an application message at a network element using sampling and heuristics
Abstract
A method is disclosed for interpreting an application message at a network element using sampling and heuristics. Using this method, a network element such as a router can determine, based solely on a data packet's packet headers, whether the network element ought to invest the time and processing power required to inspect and interpret the data packet's payload portion, or whether the network element can send the data packet toward the data packet's destination without inspecting and interpreting the data packet's payload portion. According to one aspect, while in a sampling state, the network element determines shared packet header characteristics possessed by packet headers of all data packets that require application layer message inspection. While in a processing state, the network element forgoes application layer message inspection relative to data packets whose packet headers do not possess the shared packet header characteristics. The network element alternates between the states.
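The two states described in the abstract can be sketched as follows; this is an added example, not code from the patent. The `Packet` type, the header field names, the substring-based classification criteria and the sample traffic are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    headers: tuple   # header characteristics as (field, value) pairs
    payload: str

# Constructed classification: a message belongs to it when every criterion
# (here a substring, an assumption of this sketch) appears in the payload.
CLASSIFICATIONS = {"urgent_po": ["<PurchaseOrder", "urgent"]}

def classify(payload):
    return [name for name, criteria in CLASSIFICATIONS.items()
            if all(c in payload for c in criteria)]

def learn_characteristic_sets(sample):
    """Sampling state: inspect every payload; per classification, keep only the
    header characteristics shared by every packet that carried a match."""
    sets = {}
    for pkt in sample:
        for name in classify(pkt.payload):
            hdr = set(pkt.headers)
            sets[name] = hdr if name not in sets else sets[name] & hdr
    return sets

def should_inspect(pkt, characteristic_sets):
    """Processing state: decide from headers alone. An empty learned set is a
    subset of any header group, so it degrades to inspecting everything."""
    hdr = set(pkt.headers)
    return any(cs <= hdr for cs in characteristic_sets.values())

def hdrs(proto, dst_port, src_ip):
    return (("proto", proto), ("dst_port", dst_port), ("src_ip", src_ip))

# Constructed sample traffic seen during the sampling interval.
SAMPLE = [
    Packet(hdrs("tcp", 8080, "10.0.0.5"), "<PurchaseOrder priority='urgent'>"),
    Packet(hdrs("tcp", 8080, "10.0.0.9"), "<PurchaseOrder priority='urgent'>"),
    Packet(hdrs("udp", 53, "10.0.0.5"), "dns query"),
]
LEARNED = learn_characteristic_sets(SAMPLE)

if __name__ == "__main__":
    print(LEARNED)
    late = Packet(hdrs("tcp", 9090, "10.0.0.7"), "<PurchaseOrder priority='urgent'>")
    print(should_inspect(late, LEARNED))  # forwarded uninspected until resampled
```

In this sketch a matching message that first appears on a header combination not seen during sampling is forwarded without inspection, so inspection coverage depends on the element returning to the sampling state.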
20 Claims
1. A method of interpreting an application layer message at a network element, the method comprising the computer-implemented steps of:
receiving a group of data packets at the network element, wherein each data packet in the group of data packets comprises a separate packet header group and a separate payload portion;
inspecting payload portions of data packets in the data packet group to determine application layer messages that are collectively contained in one or more of the payload portions;
for each particular message classification in a set of message classifications, determining a separate message subset of the application layer messages that satisfy all criteria associated with the particular message classification, thereby producing one or more message subsets;
for each particular message subset in the message subsets, determining a separate set of characteristics that are possessed by every packet header group that was contained in a data packet that also contained at least a portion of an application layer message that is in the particular message subset, thereby producing one or more characteristic sets;
receiving, at the network element, a first data packet that comprises a first packet header group and a first payload portion;
determining whether the first packet header group possesses all of the characteristics contained in any of the characteristic sets;
if the first packet header group possesses all of the characteristics contained in any characteristic set in the characteristic sets, then inspecting the first payload portion to determine at least a portion of a first application layer message that is contained therein; and
if the first packet header group does not possess all of the characteristics contained in at least one of the characteristic sets, then sending the first data packet toward a destination without inspecting the first payload portion.
8. A method of interpreting an application layer message at a network element, the method comprising the computer-implemented steps of:
during a first time interval, sending, to a first blade of the network element, every data packet that is received by a second blade of the network element during the first time interval;
receiving, at the second blade, one or more sets of packet header characteristics that the first blade determined based on packet headers of data packets that the second blade sent to the first blade; and
during a second time interval, sending, to the first blade, only data packets that are received by the second blade during the second time interval and that contain packet headers that possess all characteristics that are contained in at least one of the sets of packet header characteristics.
9. A computer-readable medium carrying one or more sequences of instructions for interpreting an application layer message at a network element, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
receiving a group of data packets at the network element, wherein each data packet in the group of data packets comprises a separate packet header group and a separate payload portion;
inspecting payload portions of data packets in the data packet group to determine application layer messages that are collectively contained in one or more of the payload portions;
for each particular message classification in a set of message classifications, determining a separate message subset of the application layer messages that satisfy all criteria associated with the particular message classification, thereby producing one or more message subsets;
for each particular message subset in the message subsets, determining a separate set of characteristics that are possessed by every packet header group that was contained in a data packet that also contained at least a portion of an application layer message that is in the particular message subset, thereby producing characteristic sets;
receiving, at the network element, a first data packet that comprises a first packet header group and a first payload portion;
determining whether the first packet header group possesses all of the characteristics contained in any of the characteristic sets;
if the first packet header group possesses all of the characteristics contained in any characteristic set in the characteristic sets, then inspecting the first payload portion to determine at least a portion of a first application layer message that is contained therein; and
if the first packet header group does not possess all of the characteristics contained in at least one of the characteristic sets, then sending the first data packet toward a destination without inspecting the first payload portion.
16. A computer-readable medium carrying one or more sequences of instructions for interpreting an application layer message at a network element, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
during a first time interval, sending, to a first blade of the network element, every data packet that is received by a second blade of the network element during the first time interval;
receiving, at the second blade, one or more sets of packet header characteristics that the first blade determined based on packet headers of data packets that the second blade sent to the first blade; and
during a second time interval, sending, to the first blade, only data packets that are received by the second blade during the second time interval and that contain packet headers that possess all characteristics that are contained in at least one of the sets of packet header characteristics.
17. An apparatus for interpreting an application layer message at a network element, the apparatus comprising:
means for receiving a group of data packets at the network element, wherein each data packet in the group of data packets comprises a separate packet header group and a separate payload portion;
means for inspecting payload portions of data packets in the data packet group to determine application layer messages that are collectively contained in one or more of the payload portions;
means for determining, for each particular message classification in a set of message classifications, a separate message subset of the application layer messages that satisfy all criteria associated with the particular message classification, thereby producing message subsets;
means for determining, for each particular message subset in the message subsets, a separate set of characteristics that are possessed by every packet header group that was contained in a data packet that also contained at least a portion of an application layer message that is in the particular message subset, thereby producing one or more characteristic sets;
means for receiving, at the network element, a first data packet that comprises a first packet header group and a first payload portion;
means for determining whether the first packet header group possesses all of the characteristics contained in any of the characteristic sets;
means for inspecting the first payload portion to determine at least a portion of a first application layer message that is contained therein if the first packet header group possesses all of the characteristics contained in any of the characteristic sets; and
means for sending the first data packet toward a destination without inspecting the first payload portion if the first packet header group does not possess all of the characteristics contained in at least one of the characteristic sets.
18. An apparatus for interpreting an application layer message at a network element, the apparatus comprising:
means for sending, to a first blade of the network element during a first time interval, every data packet that is received by a second blade of the network element during the first time interval;
means for receiving, at the second blade, one or more sets of packet header characteristics that the first blade determined based on packet headers of data packets that the second blade sent to the first blade; and
means for sending, to the first blade during a second time interval, only data packets that are received by the second blade during the second time interval and that contain packet headers that possess all characteristics that are contained in at least one of the sets of packet header characteristics.
19. An apparatus for interpreting an application layer message at a network element, the apparatus comprising:
a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
one or more processors;
one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of:
receiving a group of data packets at the network element, wherein each data packet in the group of data packets comprises a separate packet header group and a separate payload portion;
inspecting payload portions of data packets in the group to determine application layer messages that are collectively contained in one or more of the payload portions;
for each particular message classification in a set of message classifications, determining a separate message subset that comprises those of the application layer messages that satisfy all criteria associated with the particular message classification, thereby producing message subsets;
for each particular message subset in the message subsets, determining a separate set of characteristics that are possessed by every packet header group that was contained in a data packet that also contained at least a portion of an application layer message that is in the particular message subset, thereby producing one or more characteristic sets;
receiving, at the network element, a first data packet that comprises a first packet header group and a first payload portion;
determining whether the first packet header group possesses all of the characteristics contained in any of the characteristic sets;
if the first packet header group possesses all of the characteristics contained in any of the characteristic sets, then inspecting the first payload portion to determine at least a portion of a first application layer message that is contained therein; and
if the first packet header group does not possess all of the characteristics contained in at least one of the characteristic sets, then sending the first data packet toward a destination without inspecting the first payload portion.
20. An apparatus for performing adaptive load balancing, the apparatus comprising:
a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
one or more processors;
one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of:
during a first time interval, sending, to a first blade of the network element, every data packet that is received by a second blade of the network element during the first time interval;
receiving, at the second blade, one or more sets of packet header characteristics that the first blade determined based on packet headers of data packets that the second blade sent to the first blade; and
during a second time interval, sending, to the first blade, only data packets that are received by the second blade during the second time interval and that contain packet headers that possess all characteristics that are contained in at least one of the sets of packet header characteristics.
Specification