Interpreting an application message at a network element using sampling and heuristics

US 20060146879A1
Filed: 01/05/2005
Published: 07/06/2006
Est. Priority Date: 01/05/2005
Status: Active Grant

First Claim

Patent Images

1. A method of interpreting an application layer message at a network element, the method comprising the computer-implemented steps of:

receiving a group of data packets at the network element, wherein each data packet in the group of data packets comprises a separate packet header group and a separate payload portion;

inspecting payload portions of data packets in the data packet group to determine application layer messages that are collectively contained in one or more of the payload portions;

for each particular message classification in a set of message classifications, determining a separate message subset of the application layer messages that satisfy all criteria associated with the particular message classification, thereby producing one or more message subsets;

for each particular message subset in the message subsets, determining a separate set of characteristics that are possessed by every packet header group that was contained in a data packet that also contained at least a portion of an application layer message that is in the particular message subset, thereby producing one or more characteristic sets;

receiving, at the network element, a first data packet that comprises a first packet header group and a first payload portion;

determining whether the first packet header group possesses all of the characteristics contained in any of the characteristic sets;

if the first packet header group possesses all of the characteristics contained in any characteristic set in the characteristic sets, then inspecting the first payload portion to determine at least a portion of a first application layer message that is contained therein; and

if the first packet header group does not possess all of the characteristics contained in at least one of the characteristic sets, then sending the first data packet toward a destination without inspecting the first payload portion.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for interpreting an application message at a network element using sampling and heuristics. Using this method, a network element such as a router can determine, based solely on a data packet'"'"'s packet headers, whether the network element ought to invest the time and processing power required to inspect and interpret the data packet'"'"'s payload portion, or whether the network element can send the data packet toward the data packet'"'"'s destination without inspecting and interpreting the data packet'"'"'s payload portion. According to one aspect, while in a sampling state, the network element determines shared packet header characteristics possessed by packet headers of all data packets that require application layer message inspection. While in a processing state, the network element forgoes application layer message inspection relative to data packets whose packet headers do not possess the shared packet header characteristics. The network element alternates between the states.

233 Citations

20 Claims

1. A method of interpreting an application layer message at a network element, the method comprising the computer-implemented steps of:
- receiving a group of data packets at the network element, wherein each data packet in the group of data packets comprises a separate packet header group and a separate payload portion;
  
  inspecting payload portions of data packets in the data packet group to determine application layer messages that are collectively contained in one or more of the payload portions;
  
  for each particular message classification in a set of message classifications, determining a separate message subset of the application layer messages that satisfy all criteria associated with the particular message classification, thereby producing one or more message subsets;
  
  for each particular message subset in the message subsets, determining a separate set of characteristics that are possessed by every packet header group that was contained in a data packet that also contained at least a portion of an application layer message that is in the particular message subset, thereby producing one or more characteristic sets;
  
  receiving, at the network element, a first data packet that comprises a first packet header group and a first payload portion;
  
  determining whether the first packet header group possesses all of the characteristics contained in any of the characteristic sets;
  
  if the first packet header group possesses all of the characteristics contained in any characteristic set in the characteristic sets, then inspecting the first payload portion to determine at least a portion of a first application layer message that is contained therein; and
  
  if the first packet header group does not possess all of the characteristics contained in at least one of the characteristic sets, then sending the first data packet toward a destination without inspecting the first payload portion.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as recited in claim 1, further comprising:
    - if the first packet header group possesses all of the characteristics contained in any characteristic set in the characteristic sets, then performing steps comprising;
      
      determining whether at least a portion of the first application layer message satisfies all criteria associated with a first message classification in the set of message classifications; and
      
      if at least a portion of the first application layer message satisfies all criteria associated with the first message classification, then performing, at the network element, one or more actions that are associated with the first message classification.
  - 3. A method as recited in claim 1, wherein the network element is a network router.
  - 4. A method as recited in claim 1, wherein determining a separate message subset comprises determining a message subset of the application layer messages that are Extensible Markup Language (XML) documents that contain a specified path within a hierarchical structure.
  - 5. A method as recited in claim 1, wherein determining a separate set of characteristics comprises determining whether source addresses that are specified in Internet Protocol (IP) headers of data packets are the same.
  - 6. A method as recited in claim 1, wherein determining a separate set of characteristics comprises determining whether destination addresses that are specified in Internet Protocol (IP) headers of data packets are the same.
  - 7. A method as recited in claim 1, wherein determining a separate set of characteristics comprises determining whether ports that are specified in Transport Control Protocol (TCP) headers of data packets are the same.

8. A method of interpreting an application layer message at a network element, the method comprising the computer-implemented steps of:
- during a first time interval, sending, to a first blade of the network element, every data packet that is received by a second blade of the network element during the first time interval;
  
  receiving, at the second blade, one or more sets of packet header characteristics that the first blade determined based on packet headers of data packets that the second blade sent to the first blade; and
  
  during a second time interval, sending, to the first blade, only data packets that are received by the second blade during the second time interval and that contain packet headers that possess all characteristics that are contained in at least one of the sets of packet header characteristics.

9. A computer-readable medium carrying one or more sequences of instructions for interpreting an application layer message at a network element, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving a group of data packets at the network element, wherein each data packet in the group of data packets comprises a separate packet header group and a separate payload portion;
  
  inspecting payload portions of data packets in the data packet group to determine application layer messages that are collectively contained in one or more of the payload portions;
  
  for each particular message classification in a set of message classifications, determining a separate message subset of the application layer messages that satisfy all criteria associated with the particular message classification, thereby producing one ore more message subsets;
  
  for each particular message subset in the message subsets, determining a separate set of characteristics that are possessed by every packet header group that was contained in a data packet that also contained at least a portion of an application layer message that is in the particular message subset, thereby producing characteristic sets;
  
  receiving, at the network element, a first data packet that comprises a first packet header group and a first payload portion;
  
  determining whether the first packet header group possesses all of the characteristics contained in any of the characteristic sets;
  
  if the first packet header group possesses all of the characteristics contained in any characteristic set in the characteristic sets, then inspecting the first payload portion to determine at least a portion of a first application layer message that is contained therein; and
  
  if the first packet header group does not possess all of the characteristics contained in at least one of the characteristic sets, then sending the first data packet toward a destination without inspecting the first payload portion.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. A computer-readable medium as recited in claim 9, wherein the steps further comprise:
    - if the first packet header group possesses all of the characteristics contained in any of the characteristic sets, then performing steps comprising;
      
      determining whether at least a portion of the first application layer message satisfies all criteria associated with a first message classification in the set of message classifications; and
      
      if at least a portion of the first application layer message satisfies all criteria associated with the first message classification, then performing, at the network element, one or more actions that are associated with the first message classification.
  - 11. A computer-readable medium as recited in claim 9, wherein the network element is a network router.
  - 12. A computer-readable medium as recited in claim 9, wherein determining a separate message subset comprises determining a message subset that comprises those of the application layer messages that are Extensible Markup Language (XML) documents that contain a specified path within a hierarchical structure.
  - 13. A computer-readable medium as recited in claim 9, wherein determining a separate set of characteristics comprises determining whether source addresses that are specified in Internet Protocol (IP) headers of data packets are the same.
  - 14. A computer-readable medium as recited in claim 9, wherein determining a separate set of characteristics comprises determining whether destination addresses that are specified in Internet Protocol (IP) headers of data packets are the same.
  - 15. A computer-readable medium as recited in claim 9, wherein determining a separate set of characteristics comprises determining whether ports that are specified in Transport Control Protocol headers of data packets are the same.

16. A computer-readable medium carrying one or more sequences of instructions for interpreting an application layer message at a network element, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- during a first time interval, sending, to a first blade of the network element, every data packet that is received by a second blade of the network element during the first time interval;
  
  receiving, at the second blade, one or more sets of packet header characteristics that the first blade determined based on packet headers of data packets that the second blade sent to the first blade; and
  
  during a second time interval, sending, to the first blade, only data packets that are received by the second blade during the second time interval and that contain packet headers that possess all characteristics that are contained in at least one of the sets of packet header characteristics.

17. An apparatus for interpreting an application layer message at a network element, the apparatus comprising:
- means for receiving a group of data packets at the network element, wherein each data packet in the group of data packets comprises a separate packet header group and a separate payload portion;
  
  means for inspecting payload portions of data packets in the data packet group to determine application layer messages that are collectively contained in one or more of the payload portions;
  
  means for determining, for each particular message classification in a set of message classifications, a separate message subset of the application layer messages that satisfy all criteria associated with the particular message classification, thereby producing message subsets;
  
  means for determining, for each particular message subset in the message subsets, a separate set of characteristics that are possessed by every packet header group that was contained in a data packet that also contained at least a portion of an application layer message that is in the particular message subset, thereby producing one or more characteristic sets;
  
  means for receiving, at the network element, a first data packet that comprises a first packet header group and a first payload portion;
  
  means for determining whether the first packet header group possesses all of the characteristics contained in any of the characteristic sets;
  
  means for inspecting the first payload portion to determine at least a portion of a first application layer message that is contained therein if the first packet header group possesses all of the characteristics contained in any of the characteristic sets; and
  
  means for sending the first data packet toward a destination without inspecting the first payload portion if the first packet header group does not possess all of the characteristics contained in at least one of the characteristic sets.

18. An apparatus for interpreting an application layer message at a network element, the apparatus comprising:
- means for sending, to a first blade of the network element during a first time interval, every data packet that is received by a second blade of the network element during the first time interval;
  
  means for receiving, at the second blade, one or more sets of packet header characteristics that the first blade determined based on packet headers of data packets that the second blade sent to the first blade; and
  
  means for sending, to the first blade during a second time interval, only data packets that are received by the second blade during the second time interval and that contain packet headers that possess all characteristics that are contained in at least one of the sets of packet header characteristics.

19. An apparatus for interpreting an application layer message at a network element, the apparatus comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  one or more processors;
  
  one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of;
  
  receiving a group of data packets at the network element, wherein each data packet in the group of data packets comprises a separate packet header group and a separate payload portion;
  
  inspecting payload portions of data packets in the group to determine application layer messages that are collectively contained in one or more of the payload portions;
  
  for each particular message classification in a set of message classifications, determining a separate message subset that comprises those of the application layer messages that satisfy all criteria associated with the particular message classification, thereby producing message subsets;
  
  for each particular message subset in the message subsets, determining a separate set of characteristics that are possessed by every packet header group that was contained in a data packet that also contained at least a portion of an application layer message that is in the particular message subset, thereby producing one or more characteristic sets;
  
  receiving, at the network element, a first data packet that comprises a first packet header group and a first payload portion;
  
  determining whether the first packet header group possesses all of the characteristics contained in any of the characteristic sets;
  
  if the first packet header group possesses all of the characteristics contained in any of the characteristic sets, then inspecting the first payload portion to determine at least a portion of a first application layer message that is contained therein; and
  
  if the first packet header group does not possess all of the characteristics contained in at least one of the characteristic sets, then sending the first data packet toward a destination without inspecting the first payload portion.

20. An apparatus for performing adaptive load balancing, the apparatus comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  one or more processors;
  
  one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of;
  
  during a first time interval, sending, to a first blade of the network element, every data packet that is received by a second blade of the network element during the first time interval;
  
  receiving, at the second blade, one or more sets of packet header characteristics that the first blade determined based on packet headers of data packets that the second blade sent to the first blade; and
  
  during a second time interval, sending, to the first blade, only data packets that are received by the second blade during the second time interval and that contain packet headers that possess all characteristics that are contained in at least one of the sets of packet header characteristics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Srinivasan, Subramanian, Potti, Sunil, Anthias, Tefcros, Trikha, Nitesh

Granted Patent

US 7,551,567 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/471
CPC Class Codes

H04L 41/0266   using meta-data, objects or...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 67/00   Network arrangements or pro...

H04L 69/16   Implementation or adaptatio...

H04L 69/22   Parsing or analysis of headers

H04L 69/329   in the application layer [O...

Interpreting an application message at a network element using sampling and heuristics

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

233 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Interpreting an application message at a network element using sampling and heuristics

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

233 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links