Automatic network traffic analysis

US 6,137,782 A
Filed: 06/17/1999
Issued: 10/24/2000
Est. Priority Date: 07/21/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for automatically analyzing a traffic flow for a plurality of network elements on a network, each of the plurality of network elements being connected to the network through a hardware connector, the method comprising the steps of:

(a) providing a physical topology map of the network;

(b) selecting a selected plurality of network elements on the network according to said physical topology map, such that said selected plurality of network elements are distributed in the network;

(c) setting the hardware connector of each of said selected plurality of network elements to detect packets flowing through the network;

(d) analyzing each detected packet to determine at least a source address and a destination address for said detected packet;

(e) sorting said source addresses and destination addresses for said detected packets to determine traffic information between each pair of network elements exchanging at least one packet, such that the traffic flow for said plurality of network elements is determined;

(f) comparing said physical topology map to said traffic information;

(g) if there is a discrepancy between said physical topology map and said traffic information, detecting a suspected change in said physical topology of the network;

(h) examining said suspected change by exchanging test packets between a plurality of the network elements; and

(i) if said suspected change is an actual change, altering said physical topology map according to said test packets.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and a method for automatic analysis of the traffic topology map of the network, by correlating information from agents which are in communication with the network. The physical topology map is preferably used as a foundation for the traffic mapping process, in order to indicate how the physical components are connected. Preferably, the traffic information is gathered through the operation of a plurality of agents, which are distributed throughout the network according to the physical topology map and which are operated by a computer or other electronic device connected to the network. The traffic mapping process then analyzes the traffic flow between the agents. Thus, the exact process by which the physical topology map is determined is not important.

166 Citations

31 Claims

1. A method for automatically analyzing a traffic flow for a plurality of network elements on a network, each of the plurality of network elements being connected to the network through a hardware connector, the method comprising the steps of:
- (a) providing a physical topology map of the network;
  
  (b) selecting a selected plurality of network elements on the network according to said physical topology map, such that said selected plurality of network elements are distributed in the network;
  
  (c) setting the hardware connector of each of said selected plurality of network elements to detect packets flowing through the network;
  
  (d) analyzing each detected packet to determine at least a source address and a destination address for said detected packet;
  
  (e) sorting said source addresses and destination addresses for said detected packets to determine traffic information between each pair of network elements exchanging at least one packet, such that the traffic flow for said plurality of network elements is determined;
  
  (f) comparing said physical topology map to said traffic information;
  
  (g) if there is a discrepancy between said physical topology map and said traffic information, detecting a suspected change in said physical topology of the network;
  
  (h) examining said suspected change by exchanging test packets between a plurality of the network elements; and
  
  (i) if said suspected change is an actual change, altering said physical topology map according to said test packets.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein step (e) further comprises the step of:
    - (i) analyzing said detected packets to remove packets detected by a plurality of network elements, such that each packet is reported from only one network element.
  - 3. The method of claim 2, wherein step (i) further comprises the step of:
    - (A) determining a number of packets sent from a first network element to a second network element according to a largest number of packets reported from one network element.
  - 4. The method of claim 1, wherein step (c) includes the step of:
    - (i) collecting packets for a predetermined period of time, such that at least step (e) is not performed until said predetermined period of time has elapsed.
  - 5. The method of claim 1, wherein the network is divided into a plurality of segments and wherein at least one network element is selected for each segment of the network.
  - 6. The method of claim 1, wherein each of said selected plurality of network elements is a computer operating an agent software program, said agent software program collecting said traffic information.

7. A method for automatically analyzing a traffic flow for a plurality of network elements on a network, each of the plurality of network elements being connected to the network through a hardware connector, the method comprising the steps of:
- (a) providing a physical topology map of the network;
  
  (b) selecting a selected plurality of network elements on the network according to said physical topology map, such that said selected plurality of network elements are distributed in the network;
  
  (c) setting the hardware connector of each of said selected plurality of network elements to detect packets flowing through the network;
  
  (d) analyzing each detected packet to determine at least a source address and a destination address for said detected packet; and
  
  (e) sorting said source addresses and destination addresses for said detected packets to determine traffic information between each pair of network elements exchanging at least one packet, such that the traffic flow for said plurality of network elements is determined;
  
  wherein the network features a plurality of server network elements and wherein only said plurality of server network elements are said selected plurality of network elements.

8. A method for automatically analyzing a traffic flow for a plurality of network elements on a network, each of the plurality of network elements being connected to the network through a hardware connector, the method comprising the steps of:
- (a) providing a physical topology map of the network;
  
  (b) selecting a selected plurality of network elements on the network according to said physical topology map, such that said selected plurality of network elements are distributed in the network;
  
  (c) setting the hardware connector of each of said selected plurality of network elements to detect packets flowing through the network;
  
  (d) analyzing each detected packet to determine at least a source address and a destination address for said detected packet;
  
  (e) sorting said source addresses and destination addresses for said detected packets to determine traffic information between each pair of network elements exchanging at least one packed, such that the traffic flow for said plurality of network elements is determined;
  
  (f) comparing said physical topology map to said traffic information; and
  
  (g) if there is a discrepancy between said physical topology map and said traffic information, detecting a suspected change in said physical topology of the network, wherein said discrepancy is a lack of expected traffic information between at least two network elements.

9. A method for automatically analyzing a traffic flow for a plurality of network elements on a network, each of the plurality of network elements being connected to the network through a hardware connector, the method comprising the steps of:
- (a) providing a physical topology map of the network;
  
  (b) selecting a selected plurality of network elements on the network according to said physical topology map, such that said selected plurality of network elements are distributed in the network;
  
  (c) setting the hardware connector of each of said selected plurality of network elements to detect packets flowing through the network;
  
  (d) analyzing each detected packet to determine at least a source address and a destination address for said detected packet; and
  
  (e) sorting said source addresses and destination addresses for said detected packets to determine traffic information between each pair of network elements exchanging at least one packet, such that the traffic flow for said plurality of network elements is determined, the step further comprising the steps of;
  
  (i) determining a link between each pair of network elements exchanging at least one packet; and
  
  (ii) constructing a traffic map from said plurality of links;
  
  wherein said link comprises at least one layer 2 link determined for layer 2, and at least one layer 3 link determined for layer 3, both layer 2 address information and layer 3 address information are detected, such that step (i) further comprises the step of correlating layer 2 address information and layer 3 address information in order to correlate said at least one layer 2 link to said at least one layer 3 link.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The method of claim 9, wherein step (i) further comprises the step of determining a frequency of traffic flow according to a number of packets traveling on said link per unit of time.
  - 11. The method of claim 9, further comprising the steps of:
    - (f) displaying the traffic map through a GUI (graphical user interface) display to a user.
  - 12. The method of claim 11, wherein said GUI display features traffic information displayed according to said frequency of traffic flow.
  - 13. The method of claim 12, wherein said frequency is selected by the user.
  - 14. The method of claim 13, wherein steps (a) to (e) are repeated for a reporting period of time, said reporting period of time having a start time and an end time.
  - 15. The method of claim 14, wherein said start time and said end time are selected by the user.
  - 16. The method of claim 15, wherein the traffic map does not include information for a period of time if at least one network element failed to report said traffic information during said period of time.
  - 17. The method of claim 16, wherein each network element in the traffic map is represented by a graphic icon, and each link is represented by a connecting line for connecting said graphic icon, and wherein a special graphic icon representing a broadcasting or multicasting network element is placed at one edge of said GUI display.
  - 18. The method of claim 17, wherein said special graphic icon is represented without any connecting lines representing said links.

19. A system for automatic traffic mapping of a plurality of network elements on a network, the network element being connected to the network through a hardware connector, comprising:
- (a) a plurality of agents, each of said plurality of agents being operated by a network element, for receiving packets from the network through the hardware connector, and for analyzing said packets to determine at least a source address and a destination address for said packets; and
  
  (b) a central management engine (CME) for receiving said source address and said destination address for said packets, and for determining a frequency of packet flow between each pair of network elements, the traffic map being determined according to said frequency of traffic flow;
  
  wherein at least one network element is a switch, said switch featuring a monitored port and a monitoring port, and wherein said agent is installed on a network element connected to said monitoring port, such that said traffic data is reported from said monitored port.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 20. The system of claim 19, wherein at least one network element is an end node.
  - 21. The system of claim 20, wherein said end node operating each of said plurality of agents is a computer and each of said plurality of agents is a software module.
  - 22. The system of claim 21, wherein said computer is connected to the network through a network connector device set to promiscuous mode and said agent further includes:
    - (i) a network monitor for binding to said network connector device of said computer and for detecting information received by said network connector device;
      
      (ii) a network parser for filtering said information detected by said network monitor according to at least one characteristic of said information; and
      
      (iii) a data transfer module for transferring said information to said CME.
  - 23. The system of claim 22, further comprising:
    - (c) a physical topology map, each of the network elements being located on said physical topology map;
      
      wherein said plurality of agents is selected according to a location of each network element on said physical topology map.
  - 24. The system of claim 23, wherein the network is divided into a plurality of segments, such that said plurality of agents is selected such that each segment has only one agent receiving said packets.
  - 25. The system of claim 24, wherein said agent further includes:
    - (iv) a database for storing a list of known source addresses and known destination addresses for said information, such that if at least one of a source address or a destination address of said information is not known, said data transfer module sends an event to said CME with said unknown address.
  - 26. The system of claim 24, wherein said CME further comprises a LPC process for comparing the traffic map to said physical topology map to determine if there is a discrepancy between the traffic map and said physical topology map.
  - 27. The system of claim 26, wherein said discrepancy is a suspected network element suspected for moving a location within the network.
  - 28. The system of claim 27, wherein said LPC process sends test packets to said suspected network element and said suspected network element sends response packets to said LPC process, such that if said agents on a segment of said suspected network element hear at least one of said test packets and said response packets, said suspected network element is determined to have moved said location within the network.
  - 29. The system of claim 19, further comprising:
    - (c) a graphical user interface for displaying the traffic map.

30. A method for automatically analyzing a traffic flow for a plurality of network elements on a network, each of the plurality of network elements being connected to the network through a hardware connector, the method comprising the steps of:
- (a) providing a physical topology map of the network;
  
  (b) selecting a selected plurality of network elements on the network according to said physical topology map, such that said selected plurality of network elements are distributed in the network;
  
  (c) setting the hardware connector of each of said selected plurality of network elements to detect packets flowing through the network;
  
  (d) analyzing each detected packet to determine at least a source address and a destination address for said detected packet;
  
  (e) sorting said source addresses and destination addresses for said detected packets to determine traffic information between each pair of network elements exchanging at least one packet, such that the traffic flow for said plurality of network elements is determined, and such that the traffic map does not include information for a period of time if at least one network element failed to report said traffic information during said period of time; and
  
  (f) displaying the traffic map through a GUI (graphical user interface) display to a user.

31. A system for automatic traffic mapping of a plurality of network elements on a network, the network element being connected to the network through a hardware connector, the network being divided into a plurality of segments, the system comprising:
- (a) a plurality of agents, each of said plurality of agents being operated by a network element, for receiving packets from the network through the hardware connector, and for analyzing said packets to determine at least a source address and a destination address for said packets, each agent including a database for storing a list of known source addresses and known destination addresses for said information, such that if at least one of a source address or a destination address of said information is not known, said agent sends an event to said CME with said unknown address;
  
  (b) a central management engine (CME) for receiving said source address and said destination address for said packets, and for determining a frequency of packet flow between each pair of network elements, the traffic map being determined according to said frequency of traffic flow; and
  
  (c) a physical topology map, each of the network elements being located on said physical topology map, such that said plurality of agents is selected according to a location of each network element on said physical topology map;
  
  wherein said CME further comprises a LPC process for comparing the traffic map to said physical topology map to determine if a suspected network element is suspected for moving a location within the network, said LPC process sending test packets to said suspected network element and said suspected network element sending response packets to said LPC process, such that if an agent on a segment of said suspected network element hear at least one of said test packets or said response packets, said suspected network element is determined to have moved said location within the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Mercury Interactive Corp. (HP Inc.)
Inventors
Sharon, Azulai, Levy, Ran, Raz, David, Haiut, Alexander, Cohen, Yaacov, Stroh, Ariel
Primary Examiner(s)
Vu, Huy D.
Assistant Examiner(s)
Harper, Kevin C.

Application Number

US09/334,675
Time in Patent Office

495 Days
Field of Search

370/254, 370/255, 370/400, 370/401, 370/402, 370/403, 370/408, 370/389, 370/241, 370/242, 370/244, 370/253, 709/220, 709/223, 709/238, 709/221
US Class Current

370/255
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/046   comprising network manageme...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

Automatic network traffic analysis

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

166 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic network traffic analysis

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links