ATTRIBUTES OF CAPTURED OBJECTS IN A CAPTURE SYSTEM

US 20140289416A1
Filed: 03/21/2014
Published: 09/25/2014
Est. Priority Date: 05/22/2006
Status: Active Grant

First Claim

Patent Images

1-16. -16. (canceled)

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for capturing objects and balancing systems resources in a capture system are described. An object is captured, metadata associated with the objected generated, and the object and metadata stored.

18 Citations

View as Search Results

40 Claims

1-16. -16. (canceled)

17. At least one non-transitory machine-readable medium having instructions stored therein and when executed, the instructions cause one or more processors to:
- capture a plurality of packets being transmitted over a network through a capture system that includes a processor and a network interface for receiving packets;
  
  reconstruct a captured object from the plurality of packets, wherein the captured object is one of a plurality of captured objects reconstructed from the plurality of packets; and
  
  determine an association between the captured object and a computer name of a computer sending or receiving the captured object, wherein the association is determined from one or more log files of the network, wherein the capture system is configured to operate in a temporal identification mode, which uses a rolling storage mechanism to store the captured object and to indicate the association between the captured object and the computer name of the computer.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The at least one non-transitory machine-readable medium of claim 17, wherein at least one of the log files includes an Internet Protocol (IP) assignment related to a media access control (MAC) address of the computer and a computer name of the computer.
  - 19. The at least one non-transitory machine-readable medium of claim 18, wherein a Dynamic Host Configuration Protocol (DHCP) log is initialized in order to record current relationships between computer names, Internet Protocol (IP) addresses, and media access control (MAC) addresses of computers in the network, wherein the network has a dynamic configuration system.
  - 20. The at least one non-transitory machine-readable medium of claim 17, wherein the instructions cause the one or more processors to:
    - generate metadata of the captured object, the metadata including an indication of the association between the captured object and the computer name of the computer.
  - 21. The at least one non-transitory machine-readable medium of claim 20, wherein the instructions cause the one or more processors to:
    - search a plurality of metadata of captured objects based on the computer name to determine which one or more captured objects are associated with the computer name.
  - 22. The at least one non-transitory machine-readable medium of claim 21, wherein the instructions cause the one or more processors to:
    - compare at least one logon log file to the one or more log files of the network to determine a user identifier associated with the computer at a time corresponding to the captured object being sent or received by the computer, wherein the search of the plurality of metadata based on the computer name provides information indicating the user identifier is associated with the captured object.
  - 23. The at least one non-transitory machine-readable medium of claim 20, wherein the metadata includes an indication of a mode in which the capture system is configured to operate, wherein the mode is one of the temporal identification mode and the tiered location tagging mode.
  - 24. The at least one non-transitory machine-readable medium of claim 17, wherein the computer name is determined from the one or more log files by:
    - identifying an Internet Protocol (IP) address associated with the captured object; and
      
      reading the one or more log files to determine the computer name associated with the IP address, wherein the one or more log files are updated when the IP address is assigned to a new computer.

25. A capture system for capturing objects propagating through a network, the capture system comprising:
- a network interface module configured to receive a plurality of packets being transmitted over the network;
  
  a packet capture module configured to capture the plurality of packets received by the network interface module; and
  
  an object assembly module configured to reconstruct a captured object from the plurality of packets, wherein the captured object is one of a plurality of captured objects reconstructed from the plurality of packets,wherein the capture system is configured to operate in a temporal identification mode to determine an association between the captured object and a computer name of a computer sending or receiving the captured object, wherein the association is determined from one or more log files of the network, wherein a rolling storage mechanism is used in the temporal identification mode to store the captured object and to indicate the association between the captured object and the computer name of the computer.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The capture system of claim 25, wherein at least one of the log files includes an Internet Protocol (IP) assignment related to a media access control (MAC) address of the computer and a computer name of the computer.
  - 27. The capture system of claim 25, wherein metadata of the captured object is generated, the metadata including an indication of the association between the captured object and the computer name of the computer.
  - 28. The capture system of claim 27, wherein, in the temporal identification mode, the capture system is configured to:
    - store the metadata as a tag in a tag database; and
      
      search a plurality of tags in the tag database based on the computer name to determine which one or more captured objects are associated with the computer name.
  - 29. The capture system of claim 28, wherein, in the temporal identification mode, the capture system is configured to:
    - compare at least one logon log file to the one or more log files of the network to determine a user identifier associated with the computer at a time corresponding to the captured object being sent or received by the computer, wherein the search of the plurality of tags based on the computer name provides information indicating the user identifier is associated with the captured object.
  - 30. The capture system of claim 25, wherein, in the temporal identification mode, the capture system is configured to:
    - identify an Internet Protocol (IP) address associated with the captured object; and
      
      read the one or more log files to determine the computer name associated with the IP address, wherein the one or more log files are updated when the IP address is assigned to a new computer.

31. A method, comprising:
- capturing a plurality of packets being transmitted over a network through a capture system that includes a processor and a network interface for receiving packets;
  
  reconstructing a captured object from the plurality of packets, wherein the captured object is one of a plurality of captured objects reconstructed from the plurality of packets; and
  
  determining an association between the captured object and a computer name of a computer sending or receiving the captured object, wherein the association is determined from one or more log files of the network, wherein the capture system is configured to operate in a temporal identification mode, which uses a rolling storage mechanism to store the captured object and to indicate the association between the captured object and the computer name of the computer.
- View Dependent Claims (32, 33, 34, 35)
- - 32. The method of claim 31, wherein at least one of the log files includes an Internet Protocol (IP) assignment related to a media access control (MAC) address of the computer and a computer name of the computer,
  - 33. The method of claim 31, further comprising:
    - generating metadata of the captured object, the metadata including an indication of the association between the captured object and the computer name of the computer.
  - 34. The method of claim 33, further comprising:
    - storing the metadata as a tag in a tag database; and
      
      searching a plurality of tags in the tag database based on the computer name to determine which one or more captured objects are associated with the computer name.
  - 35. The method of claim 34, further comprising:
    - comparing at least one logon log file to the one or more log files of the network to determine a user identifier associated with the computer at a time corresponding to the captured object being sent or received by the computer, wherein the search of the plurality of tags based on the computer name provides information indicating the user identifier is associated with the captured object.

36. At least one non-transitory machine-readable medium having instructions stored therein and when executed, the instructions cause one or more processors to:
- capture a plurality of packets being transmitted over a network through a capture system that includes a processor and a network interface for receiving packets;
  
  reconstruct a captured object from the plurality of packets; and
  
  generate metadata of the captured object, the metadata including an indication of a mode in which the capture system is configured to operate,wherein, when the metadata indicates the capture system is in a temporal identification mode, the instructions cause the one or more processors to;
  
  determine an association between the captured object and a computer name of a computer sending or receiving the captured object; and
  
  indicate, in the metadata of the captured object, the association between the captured object and the computer name of the computer,wherein, when the metadata indicates the capture system is in a tiered location tagging mode, the instructions cause the one or more processors to;
  
  determine a tiered location classification of a captured packet associated with the captured object;
  
  indicate, in the metadata of the captured object, the tiered location classification associated with the captured packet.
- View Dependent Claims (37, 38, 39, 40)
- - 37. The at least one non-transitory machine-readable medium of claim 36, wherein source and destination addresses in a packet header are used to identify location attributes associated with the captured object, wherein a plurality of tiers are populated with the identified location attributes.
  - 38. The at least one non-transitory machine-readable medium of claim 36, wherein the tiered location classification of the captured packet is determined by comparing an Internet Protocol (IP) address of the captured packet to a known tier mapping of the capture system.
  - 39. The at least one non-transitory machine-readable medium of claim 36, wherein a plurality of tiers can be configured for searching in order to identify particular objects associated with location attributes that are organized within the tiers.
  - 40. The at least one non-transitory machine-readable medium of claim 39, wherein one of a plurality of tiers describes one of:
    - an origination of the captured packet being associated with a particular country, the origination of the captured packet being associated with a particular geographic location of a country, the origination of the captured packet being associated with a workgroup, and the origination of the captured packet being associated with a physical building structure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Erik De La Iglesia, Ratinder Paul Singh Ahuja, Rick Lowe, William Deninger
Inventors
Ahuja, Ratinder Paul Singh, Deninger, William, de la Iglesia, Erik, Lowe, Rick

Granted Patent

US 9,094,338 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/226
CPC Class Codes

H04L 43/106   using time related informat...

H04L 43/18   Protocol analysers

H04L 43/50   Testing arrangements

H04L 63/0209   Architectural arrangements,...

ATTRIBUTES OF CAPTURED OBJECTS IN A CAPTURE SYSTEM

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

40 Claims

Specification

Use Cases

Quick Links

Others

ATTRIBUTES OF CAPTURED OBJECTS IN A CAPTURE SYSTEM

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

40 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others