MONITORING NETWORK TRAFFIC BY USING A MONITOR DEVICE

US 20100281527A1
Filed: 05/03/2010
Published: 11/04/2010
Est. Priority Date: 02/26/2004
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

at a network device configured to couple with a network, obtaining user information from a directory service, by obtaining at least one user object attribute set from the directory service;

identifying at least one authentication exchange packet from packets traversing the network;

extracting a first user ID and a first network address from the authentication exchange packet;

filtering packets traversing the network that each have a network address equivalent to the first network address; and

associating packets found in the filtering with the user information having a user name attribute equivalent to the first user ID.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A solution is provided for associating network traffic traversing on a networked environment according to a selected category item, such as a user name or other network entity identity-related information, by using a monitor device. The solution includes: obtaining user information from the directory service by obtaining at least one set of user object attributes from the directory service; identifying at least one authentication exchange packet from packets traversing on the networked environment; extracting a user ID and a network address from the authentication exchange packet; filtering or selecting packets traversing on the network environment that each have a network address equivalent to the extracted network address; and associating packets that were selected with user information having a name attribute equivalent to the extracted user ID.

Citations

34 Claims

1. A computer implemented method comprising:
- at a network device configured to couple with a network, obtaining user information from a directory service, by obtaining at least one user object attribute set from the directory service;
  
  identifying at least one authentication exchange packet from packets traversing the network;
  
  extracting a first user ID and a first network address from the authentication exchange packet;
  
  filtering packets traversing the network that each have a network address equivalent to the first network address; and
  
  associating packets found in the filtering with the user information having a user name attribute equivalent to the first user ID.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 further comprising:
    - validating the first user ID and first network address; and
      
      performing the filtering and the associating only if the first user ID and the first network address are found valid in the validating.
  - 3. The method of claim 1 further comprising:
    - validating the first user ID; and
      
      performing the filtering and the associating only if the first user ID is found valid in the validating.
  - 4. The method of claim 1 wherein the associating packets enables the monitoring of packets generated by a real user that corresponds to the user information having the user name attribute equivalent to the first user ID.
  - 5. The method of claim 1 wherein the obtaining user information further comprises storing the at least one user object attribute set in a memory store.
  - 6. The method of claim 1 wherein each of the at least one user object attribute set includes a user name attribute.
  - 7. The method of claim 6 wherein the each of the at least one user object attribute set further comprises a group ID attribute and organizational unit attribute corresponding to a real user for whom a user object has been created in the directory service.
  - 8. The method of claim 1 wherein the associating packets includes assigning a unique index to the packets found and to one of the at least one user object attribute set having the user name attribute.
  - 9. The method of claim 1 wherein the validating includes determining whether the first user ID includes a user name that matches a user name attribute from one of the user object attribute set, and if the match is found, finding the first user ID valid.
  - 10. The method of claim 1 wherein the validating further comprises determining whether a user account is logged on to a client that sent the authentication exchange packet.
  - 11. The method of claim 10 wherein the determining comprises:
    - using the first network address in a hostname request; and
      
      sending the hostname request to the name service.
  - 12. The method of claim 11 wherein the determining further comprises:
    - receiving a hostname from the name service and using the first user ID in a user account query;
      
      sending the user account query to a client having the hostname; and
      
      finding the first network address valid, if the client responds with a user account that includes a user name equivalent to the first user ID.
  - 13. The method of claim 12 wherein the sending the user account query includes using the SMB protocol.
  - 14. The method of claim 1 wherein the authentication service uses the Kerberos protocol during network authentication and the first user ID is in the form of a Kerberos principal name.
  - 15. The method of claim 1 wherein the extracting further comprisesextracting a second user ID and a second network address from another authentication exchange packet;
    - andassociating packets found in the filtering with the user information having a user name attribute equivalent to the second user ID.
  - 16. The method of claim 1 wherein the first network address is a destination network address if the authentication exchange packet is an authentication exchange response packet.

17. An apparatus comprising:
- a memory; and
  
  one or more processors configured to;
  
  obtain user information from a directory service, by obtaining at least one user object attribute set from the directory service, the apparatus configured to couple with a network;
  
  identify at least one authentication exchange packet from packets traversing the network;
  
  extract a first user ID and a first network address from the authentication exchange packet;
  
  filter packets traversing the network that each have a network address equivalent to the first network address; and
  
  associate packets found in the filtering with the user information having a user name attribute equivalent to the first user ID.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The apparatus of claim 17 wherein the apparatus is further configured to:
    - validate the first user ID and first network address; and
      
      perform the filtering and the associating only if the first user ID and the first network address are found valid in the validating.
  - 19. The apparatus of claim 17 wherein the one or more processors are further configured to:
    - validate the first user ID; and
      
      perform the filtering and the associating only if the first user ID is found valid in the validating.
  - 20. The apparatus of claim 17 wherein the associating packets enables the monitoring of packets generated by a real user that corresponds to the user information having the user name attribute equivalent to the first user ID.
  - 21. The apparatus of claim 17 wherein the one or more processors are further configured to store the at least one user object attribute set in a memory store.
  - 22. The apparatus of claim 17 wherein each of the at least one user object attribute set includes a user name attribute.
  - 23. The apparatus of claim 22 wherein the each of the at least one user object attribute set further comprises a group ID attribute and organizational unit attribute corresponding to a real user for whom a user object has been created in the directory service.
  - 24. The apparatus of claim 17 wherein the one or more processors are further configured to assign a unique index to the packets found and to one of the at least one user object attribute set having the user name attribute.
  - 25. The apparatus of claim 17 wherein the one or more processors are further configured to determine whether the first user ID includes a user name that matches a user name attribute from one of the user object attribute set, and if the match is found, find the first user ID valid.
  - 26. The apparatus of claim 17 wherein the one or more processors are further configured to determine whether a user account is logged on to a client that sent the authentication exchange packet.
  - 27. The apparatus of claim 26 wherein the one or more processors are further configured to:
    - use the first network address in a hostname request; and
      
      send the hostname request to the name service.
  - 28. The apparatus of claim 27 wherein the one or more processors are further configured to:
    - receive a hostname from the name service and using the first user ID in a user account query;
      
      send the user account query to a client having the hostname; and
      
      find the first network address valid, if the client responds with a user account that includes a user name equivalent to the first user ID.
  - 29. The apparatus of claim 28 wherein the one or more processors are further configured to use the SMB protocol to send the user account query.
  - 30. The apparatus of claim 17 wherein the authentication service is configured to use the Kerberos protocol during network authentication and the first user ID is in the form of a Kerberos principal name.
  - 31. The apparatus of claim 17 wherein the one or more processors are further configured to:
    - extract a second user ID and a second network address from another authentication exchange packet; and
      
      associate packets found in the filtering with the user information having a user name attribute equivalent to the second user ID.
  - 32. The apparatus of claim 17 wherein the first network address is a destination network address if the authentication exchange packet is an authentication exchange response packet.

33. A computer program embodied on at least one computer-readable medium for executing a method, the method comprising:
- at a network device configured to couple with a network, obtaining user information from a directory service, by obtaining at least one user object attribute set from the directory service;
  
  identifying at least one authentication exchange packet from packets traversing the network;
  
  extracting a first user ID and a first network address from the authentication exchange packet;
  
  filtering packets traversing the network that each have a network address equivalent to the first network address; and
  
  associating packets found in the filtering with the user information having a user name attribute equivalent to the first user ID.

34. An apparatus comprising:
- a memory;
  
  means for, at a network device configured to couple with a network, obtaining user information from a directory service, by obtaining at least one user object attribute set from the directory service;
  
  means for identifying at least one authentication exchange packet from packets traversing the network;
  
  means for extracting a first user ID and a first network address from the authentication exchange packet;
  
  means for filtering packets traversing the network that each have a network address equivalent to the first network address; and
  
  means for associating packets found in the filtering with the user information having a user name attribute equivalent to the first user ID.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
PacketMotion Incorporated (Broadcom, Inc.)
Inventors
Christensen, Mitchell T., Erlund, Maxine R., John, Pramod, Chen, Tsehua A.

Granted Patent

US 8,312,522 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 16/00   Information retrieval; Data...

H04L 61/4523   using lightweight directory...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 67/535   Tracking the activity of th...

MONITORING NETWORK TRAFFIC BY USING A MONITOR DEVICE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

MONITORING NETWORK TRAFFIC BY USING A MONITOR DEVICE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links