Method and Apparatus for Storing and Indexing High-Speed Network Traffic Data

US 20110125749A1
Filed: 11/15/2010
Published: 05/26/2011
Est. Priority Date: 11/15/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method of network database maintenance comprising:

sequentially recording in real-time packetheader, packet flow and/or packet content attributes in a plurality of database units in an order of arrival of the network packet data, the packet header, packet flow and/or packet content attributes derived from network packets captured and stored in one of a packet capture repository and a file system;

indexing each database unit of the plurality of database units to point to a memory location of the network packet data in one of the packet capture repository and the file system; and

generating an index bit mask on each database unit of the plurality of database units, the index bit mask providing an identification of a particular packet header, packet flow or packet content attribute in the database unit.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Storing and indexing of high-speed network traffic data is disclosed. In one embodiment, a method of network database maintenance includes sequentially recording in real-time packet header and/or packet content attributes derived from network packets captured and stored in one of a packet capture repository and a file system in database units ordered by arrival of the network packet data. In addition, the method includes indexing each database unit to point to a memory location of the network packet data in one of the packet capture repository and the file system. The method also includes computing a hash value on certain input data and creating index bitmaps on each database unit to facilitate grouping of a similar attributes associated with the network packet data recorded in the database units. The resulting data may then be stored in compressed and/or encrypted formats on a file system for efficiency and security.

126 Citations

27 Claims

1. A method of network database maintenance comprising:
- sequentially recording in real-time packetheader, packet flow and/or packet content attributes in a plurality of database units in an order of arrival of the network packet data, the packet header, packet flow and/or packet content attributes derived from network packets captured and stored in one of a packet capture repository and a file system;
  
  indexing each database unit of the plurality of database units to point to a memory location of the network packet data in one of the packet capture repository and the file system; and
  
  generating an index bit mask on each database unit of the plurality of database units, the index bit mask providing an identification of a particular packet header, packet flow or packet content attribute in the database unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein a size of each database unit of the plurality of database units is based on a size of the header, packet flow, and/or content information designated for storage in the respective database unit.
  - 3. The method of claim 1, further comprising computing a hash value for certain input data from the plurality of database units using a mathematical hash function for a more efficient representation of the certain input data.
  - 4. The method of claim 1, further comprising checking for a presence of a network packet data of interest by identifying a set bit in one or more of the plurality of bit masks.
  - 5. The method of claim 1, further comprising querying the plurality of database units to extract a matched packet data in one of the packet capture repository and the file system.
  - 6. The method of claim 5, further comprising reconstructing a packet flow based on the matched packet data.
  - 7. The method of claim 6, wherein reconstructing the matched packet data includes presenting information associated with the matched packet data in a suitable format to convenience analysis of the presented information.
  - 8. The method of claim 5, further comprising performing at least one of data analytics, data statistics, data forensics, and data metrics based on the matched packet data in one of the packet capture repository and the file system.
  - 9. The method of claim 5, further comprising querying a database to apply a pattern matching scheme to extract the matched packet data in one of the packet capture repository and the file system.
  - 10. The method of claim 1, wherein the header, flow or content information associated with the network packet data comprises one or more of a protocol type, an application type, an encapsulation type, a physical identifying information, a source identification data, or a destination identification data.
  - 11. The method of claim 10, wherein the protocol type associated with the network packet data comprises at least one of a hypertext transfer protocol (HTTP), a simple mail transfer protocol (SMTP), a remote procedure call (RPC) protocol, voice over internet protocol (VoIP), a peer-to-peer protocol, a file transfer protocol (FTP), a streaming media protocol, and an instant messaging protocol.
  - 12. The method of claim 1, wherein an artifact type associated with the network packet data comprises at least one of a word processing document, a spreadsheet document, a database, a multimedia content, a multimedia file, an e-mail, an instant messaging communication, a compressed file, an executable file, a web page, a presentation document, a program file, and a data package.
  - 13. The method of claim 1, further comprising storing at least one of the index bit mask, the plurality of database units, or a hash value computed for certain input data from the plurality of database units in at least one of a compressed format or an encrypted format for efficient and secure recording.

14. A method of network database maintenance comprising:
- providing a memory slot allocation of a fixed size, the slot configured to store in real time a flow of packets over a network;
  
  providing a plurality of database units for the slot, each of the plurality of database units being designated to store a particular packet header, packet flow or content attribute of the packets stored in the slot;
  
  inserting in real-time a packet header, packet flow or content information in the plurality of database units, the packet header, packet flow or content information associated with the network packet data stored in the slot,indexing each of the plurality of database units to point to a memory location of the network packet data in the slot;
  
  computing a hash on certain input values from the plurality of database units for the purpose of more efficient representation of the certain input data; and
  
  providing an index bit mask for each of the plurality of database units, the index bit masks configured to include a bit for each of the particular packet header, packet flow, hash value, or content attribute identified for a particular database unit.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The method of claim 14, wherein a size of each database unit of the plurality of database units is based on a size of the header, packet flow, or content information associated with the network packet data included thereof.
  - 16. The method of claim 14, further comprising:
    - allocating a first database unit for a first packet header attribute, the first packet header attribute having a plurality of possible states; and
      
      setting a first bit in a first bit mask for the first packet header attribute, the bit associated with one particular state of the plurality of possible states.
  - 17. The method of claim 16, further comprising:
    - querying the first bit mask to determine whether the first bit is set;
      
      querying the first database unit if the bit is set to identify a location of packet data in one of the packet capture repository and the file system, the packet data having a header attribute state corresponding to the first bit.
  - 18. The method of claim 17, further comprising reconstructing the matched packet data in one of the packet capture repository and the file system.
  - 19. The method of claim 18, comprising querying the database to apply a pattern matching scheme to extract the matched packet data in one of the packet capture repository and the file system.
  - 20. The method of claim 17, further comprising performing at least one of data analytics, data statistics, data forensics, and data metrics based on the matched packet data in one of the packet capture repository and the file system.
  - 21. The method of claim 14, wherein the header, packet flow or content information associated with the network packet data comprises one or more of a protocol type, an application type, an encapsulation type, a physical identifying information, a source identification data, or a destination identification data.
  - 22. The method of claim 21, wherein the protocol type associated with the network packet data comprises at least one of a hypertext transfer protocol (HTTP), a simple mail transfer protocol (SMTP), a remote procedure call (RPC) protocol, voice over internet protocol (VoIP), a peer-to-peer protocol, a file transfer protocol (FTP), a streaming media protocol, and an instant messaging protocol.
  - 23. The method of claim 22, wherein reconstructing the matched packet data includes presenting information associated with the matched packet data in a suitable format to convenience analysis of the presented information.
  - 24. The method of claim 14, wherein an artifact type associated with the network packet data comprises at least one of a word processing document, a spreadsheet document, a database, a multimedia content, a multimedia file, an e-mail, an instant messaging communication, a compressed file, an executable file, a web page, a presentation document, a program file, and a data package.
  - 25. The method of claim 14, further comprising storing at least one of the index bit mask, the plurality of database units, or the hash in at least one of a compressed format or an encrypted format on a file system.

26. A computing system comprising:
- one of a packet capture repository and a file system to store a network packet data, the network packet data including a header and content information; and
  
  an index module to index each database unit of a plurality of database units to point to a memory location of the network packet data in one of the packet capture repository and the file system, a plurality of index bit masks being created on at least one of each database unit of the plurality of database units or each hashed representation of each database unit of the plurality of database units to facilitate grouping of a similar header or content information associated with the network packet data sequentially recorded in real-time in the plurality of database units in an order of arrival of the network packet data.
- View Dependent Claims (27)
- - 27. The system of claim 26, wherein the network packet data is from one of an Asynchronous Transfer Mode (ATM) network, an Ethernet, a 3G network, a 4G network, and a wireless network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Solera Networks, Inc. (Gen Digital Inc.)
Inventors
Wood, Matthew S., Levy, Joseph H., Tveit, Paal

Application Number

US12/946,559
Publication Number

US 20110125749A1
Time in Patent Office

Days
Field of Search
US Class Current

707/737
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/028   by filtering

Y02D 30/50   in wire-line communication ...

Method and Apparatus for Storing and Indexing High-Speed Network Traffic Data

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

126 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Storing and Indexing High-Speed Network Traffic Data

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

126 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links