Network monitoring

US 6,115,393 A
Filed: 07/21/1995
Issued: 09/05/2000
Est. Priority Date: 04/12/1991
Status: Expired due to Fees

First Claim

Patent Images

1. A method for monitoring a plurality of communication dialogs occurring in a network of nodes, each dialog of said plurality of dialogs being effected by a transmission of one or more packets among two or more communicating nodes, each dialog of said plurality of dialogs complying with a different predefined communication protocol selected from among a plurality of protocols available in said network, said plurality of dialogs representing multiple different protocols from among said plurality of available protocols, said method comprising:

passively, in real time, and on an ongoing basis, detecting the contents of packets;

from the detected contents of said packets, identifying all of the dialogs of said plurality of communication dialogs occurring in said network;

deriving from said detected contents of said packets, information about the identified dialogs; and

for each of the identified dialogs, storing the derived information about that identified dialog.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Monitoring is done of communications which occur in a network of nodes, each communication being effected by a transmission of one or more packets among two or more communicating nodes, each communication complying with a predefined communication protocol selected from among protocols available in the network. The contents of packets are detected passively and in real time, communication information associated with multiple protocols is derived from the packet contents.

632 Citations

25 Claims

1. A method for monitoring a plurality of communication dialogs occurring in a network of nodes, each dialog of said plurality of dialogs being effected by a transmission of one or more packets among two or more communicating nodes, each dialog of said plurality of dialogs complying with a different predefined communication protocol selected from among a plurality of protocols available in said network, said plurality of dialogs representing multiple different protocols from among said plurality of available protocols, said method comprising:
- passively, in real time, and on an ongoing basis, detecting the contents of packets;
  
  from the detected contents of said packets, identifying all of the dialogs of said plurality of communication dialogs occurring in said network;
  
  deriving from said detected contents of said packets, information about the identified dialogs; and
  
  for each of the identified dialogs, storing the derived information about that identified dialog.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1 wherein the derived information is information about the states of the identified dialogs.
  - 3. The method of claim 2 wherein said step of deriving information about the states of dialogs comprises;
    - maintaining a current state for each dialog; and
      
      updating the current state in response to the detected contents of packets detected at a later time.
  - 4. The method of claim 2 wherein said step of deriving information about the states of dialogs comprises:
    - maintaining, for each dialog, a history of events based on information derived from the contents of packets; and
      
      analyzing the history of events to derive information about the dialog.
  - 5. The method of claim 4 wherein said step of analyzing the history includes counting events.
  - 6. The method of claim 4 wherein said step of analyzing the history includes gathering statistics about events.
  - 7. The method of claim 4 further comprising:
    - monitoring the history of events for dialogs which are inactive; and
      
      purging from the history of events dialogs which have been inactive for a predetermined period of time.
  - 8. The method of claim 3 wherein said step of deriving information about the states of dialogs comprises updating said current state in response to observing the transmission of at least two data related packets between nodes.
  - 9. The method of claim 4 wherein said step of analyzing the history of events comprises:
    - analyzing sequence numbers of data related packets stored in said history of events; and
      
      detecting retransmissions based on said sequence numbers.
  - 10. The method of claim 3 further comprising:
    - updating the current state based on each new packet associated with said dialog; and
      
      if an updated current state cannot be determined, consulting information about prior packets associated with said dialog as an aid in updating said state.
  - 11. The method of claim 4 further comprising searching said history of events to identify the initiator of a dialog.
  - 12. The method of claim 4, further comprising searching the history of events for packets which have been retransmitted.
  - 13. The method of claim 3 wherein the full set of packets associated with a dialog up to a point in time completely define a true state of the dialog at that point in time, said step of updating the current state in response to the detected contents of transmitted packets comprises generating a current state which may not conform to the true state.
  - 14. The method of claim 4 wherein the step of updating the current state comprises updating the current state to indicate that it is unknown.
  - 15. The method of claim 13 further comprising updating the current state to the true state based on information about prior packets transmitted in the dialog.
  - 16. The method of claim 14 further comprising updating the current state to the true state based on information about prior packets transmitted in the dialog.
  - 17. The method of claim 2 wherein said step of deriving information about the states of dialogs occurring in said network comprises parsing said packets in accordance with more than one but fewer than all layers of a corresponding communication protocol.
  - 18. The method of claim 1 is wherein each said communication protocol includes multiple layers, and each dialog complies with one of said layers.
  - 19. The method of claim 2 wherein said multiple different protocols include a connectionless-type protocol in which the state of a dialog is implicit in transmitted packets, and said step of deriving information about the states of dialogs includes inferring the states of said dialogs from said packets.
  - 20. The method of claim 3 further comprising:
    - parsing said packets in accordance with a corresponding communication protocol; and
      
      temporarily suspending parsing of some layers of said protocol when parsing is not rapid enough to match the rate of packets to be parsed.
  - 21. The method of claim 1 further comprising storing the derived communication information in a database.
  - 22. The method of claim 21 further comprising, in response to an inquiry from a remotely located entity, retrieving from the database data regarding communications about which communication information had previously been detected and stored and sending the retrieved data to said remotely located entity.
  - 23. The method of claim 1 wherein said multiple different protocols include protocols for different layers of a protocol stack as well as protocols for different protocol stacks.

24. Apparatus for monitoring a plurality of communication dialogs which occur in a network of nodes, each dialog of said plurality of dialogs being effected by a transmission of one or more packets among two or more communicating nodes, each dialog of said plurality of dialogs complying with a different predefined communication protocol selected from among a plurality of protocols available in said network, said plurality of dialogs representing multiple different protocols from among said plurality of available protocols, said apparatus comprising:
- a monitor connected to the network medium, said monitor programmed to perform the tasks of passively, in real time, and on an ongoing basis;
  
  (1) monitoring transmitted packets;
  
  (2) from the monitored packets, identifying all of the dialogs of said plurality of communication dialogs;
  
  (3) from the monitored packets, deriving communication information associated with said plurality of communication dialogs; and
  
  (4) for each of the identified dialogs, storing the communication information about that identified dialog that is derived from said monitored packets; and
  
  a workstation for receiving said information about dialogs from said monitor and providing an interface through which said communication information about the identified dialogs is displayed to a user.
- View Dependent Claims (25)
- - 25. The apparatus of claim 24 wherein said workstation further comprises means for enabling a user to observe events of active dialogs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Original Assignee
Concord Communications Incorporated (Broadcom, Inc.)
Inventors
Thompson, David M., Robertson, Kary, White, Gerard, Engel, Ferdinand, Jones, Kendall S.
Primary Examiner(s)
Patel, Ajit

Application Number

US08/505,083
Time in Patent Office

1,873 Days
Field of Search

370/94.1, 370/85.13, 370/85.14, 370/94.2, 370/110.1, 370/79, 370/241, 370/252, 370/254, 370/465, 370/464, 370/466, 370/467, 370/469, 395/200, 395/183.15, 395/189.01, 395/189.04, 395/200.54, 395/285, 395/831, 371/20.1
US Class Current

370/469
CPC Class Codes

H04L 41/0213 Standardised network manage...

Network monitoring

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

632 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Network monitoring

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

632 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links