SELECTIVE PACKET CAPTURE

US 20140351415A1
Filed: 05/24/2013
Published: 11/27/2014
Est. Priority Date: 05/24/2013
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method executed by one or more processors, the method comprising:

identifying a packet capture rule from a set of packet capture rules, the packet capture rule including a trigger condition and an action to perform when the trigger condition is detected;

monitoring a network flow to detect whether the network flow satisfies the packet capture rule'"'"'s trigger condition, wherein monitoring the network flow includes analyzing one or more packets included in the network flow to determine a set of protocol metadata associated with the network flow; and

selectively performing the action associated with the packet capture rule on the network flow based on a result of the monitoring.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for providing selective packet capture are described. One example method includes identifying a packet capture rule from a set of packet capture rules, the packet capture rule including a trigger condition and an action to perform when the trigger condition is detected; monitoring a network flow to detect whether the network flow satisfies the packet capture rule'"'"'s trigger condition, wherein monitoring the network flow includes analyzing one or more packets included in the network flow to determine a set of protocol metadata associated with the network flow; and selectively performing the action associated with the packet capture rule on the network flow based on a result of the monitoring.

216 Citations

20 Claims

1. A computer-implemented method executed by one or more processors, the method comprising:
- identifying a packet capture rule from a set of packet capture rules, the packet capture rule including a trigger condition and an action to perform when the trigger condition is detected;
  
  monitoring a network flow to detect whether the network flow satisfies the packet capture rule'"'"'s trigger condition, wherein monitoring the network flow includes analyzing one or more packets included in the network flow to determine a set of protocol metadata associated with the network flow; and
  
  selectively performing the action associated with the packet capture rule on the network flow based on a result of the monitoring.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein monitoring the network flow comprises detecting that the network flow satisfies the packet capture rule'"'"'s trigger condition, and wherein selectively performing the action comprises performing the action associated with the packet capture rule upon detecting that the network flow satisfies the packet capture rule'"'"'s trigger condition.
  - 3. The method of claim 1, wherein the trigger condition specifies one or more protocol metadata values, and detecting the trigger condition includes detecting that the one or more protocol metadata values are included in the set of protocol metadata associated with the network flow.
  - 4. The method of claim 1, wherein the trigger condition specifies one or more content values, and detecting the trigger condition includes detecting the one or more content values within the one or more packets associated with the network flow.
  - 5. The method of claim 1, wherein the action to perform when the trigger condition is detected includes enabling a full packet capture, and performing the action includes enabling a full packet capture.
  - 6. The method of claim 5, wherein enabling the full packet capture on the network flow includes storing the one or more packets.
  - 7. The method of claim 1, wherein the action to perform when the trigger condition is detected includes enabling content extraction, and performing the action includes extracting at least part of the one or more packets included in the network flow.
  - 8. The method of claim 1, further comprising:
    - determining that the network flow is an encrypted network flow;
      
      enabling full packet capture for the network flow upon determining that the network flow is the encrypted network flow;
  - 9. The method of claim 1, further comprising:
    - determining that the network flow is associated with an unknown protocol;
      
      enabling full packet capture for the network flow upon determining that the network flow is associated with the unknown protocol;
  - 10. The method of claim 1, further comprising:
    - determining that the network flow is associated with the at least one of;
      
      Dynamic Host Configuration Protocol (DHCP), or Domain Name Service (DNS) protocol;
      
      storing protocol metadata values for the network flow.
  - 11. The method of claim 1, further comprising:
    - determining that the network flow is associated with the at least one of;
      
      MySQL, or Transparent Network Substrate (TNS) protocol;
      
      storing protocol metadata values for the network flow.
  - 12. The method of claim 1, further comprising:
    - determining that the network flow is associated with the Server Message Block (SMB) protocol;
      
      storing protocol metadata values for the network flow;
      
      performing content extraction on one or more files transferred during the network flow; and
      
      storing the content extracted from the one or more files.
  - 13. The method of claim 1, further comprising:
    - determining that the network flow is associated with at least one of;
      
      the Secure Socket Layer (SSL) protocol, or the Transport Layer Security (TLS) protocol; and
      
      performing full packet capture on the network flow.

14. A system comprising:
- a processor configured to execute computer program instructions; and
  
  a computer storage medium encoded with computer program instructions that, when executed by the processor, cause the system to perform operations comprising;
  
  identifying a packet capture rule from a set of packet capture rules, the packet capture rule including a trigger condition and an action to perform when the trigger condition is detected;
  
  monitoring a network flow to detect whether the network flow satisfies the packet capture rule'"'"'s trigger condition, wherein monitoring the network flow includes analyzing one or more packets included in the network flow to determine a set of protocol metadata associated with the network flow; and
  
  selectively performing the action associated with the packet capture rule on the network flow based on a result of the monitoring.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, wherein monitoring the network flow comprises detecting that the network flow satisfies the packet capture rule'"'"'s trigger condition, and wherein selectively performing the action comprises performing the action associated with the packet capture rule upon detecting that the network flow satisfies the packet capture rule'"'"'s trigger condition.
  - 16. The system of claim 14, wherein the trigger condition specifies one or more protocol metadata values, and detecting the trigger condition includes detecting that the one or more protocol metadata values are included in the set of protocol metadata associated with the network flow.
  - 17. The system of claim 14, wherein the trigger condition specifies one or more content values, and detecting the trigger condition includes detecting the one or more content values within the one or more packets associated with the network flow.
  - 18. The system of claim 14, wherein the action to perform when the trigger condition is detected includes enabling a full packet capture, and performing the action includes enabling a full packet capture.
  - 19. The system of claim 18, wherein enabling the full packet capture on the network flow includes storing the one or more packets.

20. A computer-implemented method executed by one or more processors, the method comprising:
- identifying a packet capture rule from a set of packet capture rules, the packet capture rule including a trigger condition and an action to perform when the trigger condition is detected, the trigger condition including at least one of;
  
  one or more protocol metadata values, or one or more content values, the action including at least one of;
  
  enabling a full packet capture, or enabling content extraction;
  
  monitoring a network flow to detect whether the network flow satisfies the packet capture rule'"'"'s trigger condition, monitoring the network flow including analyzing one or more packets included in the network flow to determine a set of protocol metadata associated with the network flow; and
  
  selectively performing the action associated with the packet capture rule on the network flow based on a result of the monitoring, performing the action including at least one of;
  
  extracting at least part of the one or more packets included in the network flow;
  
  orstoring the one or more packets associated with the network flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Packetsled, Inc.
Original Assignee
Packetsled, Inc.
Inventors
Harrigan, Matthew G., Neumann, Kurt

Application Number

US13/902,519
Publication Number

US 20140351415A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 43/028   by filtering

H04L 43/045   for graphical visualisation...

H04L 43/12   Network monitoring probes

H04L 63/1408   by monitoring network traff...

SELECTIVE PACKET CAPTURE

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

216 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SELECTIVE PACKET CAPTURE

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

216 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links