Network flow data export

US 6,308,148 B1
Filed: 12/20/1996
Issued: 10/23/2001
Est. Priority Date: 05/28/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method for exporting data responsive to patterns of message flows passing through a routing device of a network, said method including the steps of:

receiving a plurality of packetized message flows defined by transport protocol fields and each comprising a plurality of sets of packets for a particular TCP or UDP transport connection traveling in a single direction on the network;

collecting history information regarding the plurality of message flows at the routing device;

filtering the message flows to result in selecting at least one subset of said message flows, wherein all message flows in the subset of message flows satisfy a selected criterion;

aggregating the sub-plurality of message flows by creating and storing at least one set of aggregated message flow information that represents the subset of message flows in a database of a storage element for use by one or more external application programs; and

tracing said history information to identify a source or a destination device for said subset of message flows.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a system for collecting, exporting and using data relating to message flows responsive to message flow patterns in a flow switching network. A router collects and aggregates flow information using a variety of criteria, including (1) ranges of addresses for source and destination, (2) information about packets in the flow, including number and frequency of packets in the flow, size of packets in the flow (total size and distribution), (3) protocol used for the flow, including for example whether the flow uses electronic mail protocol, file transfer protocol, hypertext transfer protocol, real-time audiovisual data transmission protocol, or some other protocol, (4) other administrative criteria which may be pertinent to the flow, including for example initiation time or duration of the flow, and (5) possible aggregations or combinations of these criteria. The router provides the aggregated information to one or more filters at an output port. Each filter selects only a subset of the total set of flows; filters may be combined to create compound filters. Filters may be coupled to aggregators, which further aggregate flow data and may store flow data for use by application programs. Application programs may identify useful information in the flow data and may either (1) present that data to an operator for review, or (2) use that data to adjust features or parameters of the network. The router may also collect information so that flows which are improper or otherwise unusual can be traced to particular source and destination devices.

373 Citations

17 Claims

1. A method for exporting data responsive to patterns of message flows passing through a routing device of a network, said method including the steps of:
- receiving a plurality of packetized message flows defined by transport protocol fields and each comprising a plurality of sets of packets for a particular TCP or UDP transport connection traveling in a single direction on the network;
  
  collecting history information regarding the plurality of message flows at the routing device;
  
  filtering the message flows to result in selecting at least one subset of said message flows, wherein all message flows in the subset of message flows satisfy a selected criterion;
  
  aggregating the sub-plurality of message flows by creating and storing at least one set of aggregated message flow information that represents the subset of message flows in a database of a storage element for use by one or more external application programs; and
  
  tracing said history information to identify a source or a destination device for said subset of message flows.
- View Dependent Claims (2, 3)
- - 2. A method as recited in claim 1, further comprising the steps of:
3. A method as recited in claim 1, further comprising the steps of:
- automatically displaying through a network management application program, based on the aggregated message flow information, event information that identifies an attempt to violate a security policy as determined according to one or more administrative policies.

4. A system for exporting data responsive to message flow patterns, said system includingmeans for receiving a message flow defined by transport protocol fields as a set of packets for a particular TCP or UDP transport connection traveling in a single direction on a network;
- means for collecting, from a router on the network, history information regarding a plurality of message flows, and for receiving a plurality of flow data packets of the message flows that are generated by the router;
  
  a filter coupled to said flow data packets that filters the message flows to result in selecting at least one subset of said message flows, wherein all message flows in the subset of message flows satisfy a selected criterion;
  
  an aggregator coupled to the filter and that aggregates the sub-plurality of message flows by creating and storing at least one set of aggregated message flow information that represents the sub-plurality of message flows in a database of a storage element for use by one or more external application programs; and
  
  means for tracing said history information to identify a source or a destination device for said selected message flow.
- View Dependent Claims (5)
- - 5. A system as recited in claim 4, further comprising means for communicating the stored aggregated message flow information to an application program for use in modifying a performance parameter of the router that improves performance of the router based on the aggregated message flow information.

6. A method for improving performance of a routing device in a network responsive to message flow patterns of messages passing through the routing device, said method including the steps of:
- receiving a plurality of message flows represented by transport protocol fields and each comprising a plurality of sets of packets for a particular TCP or UDP transport connection traveling in a single direction on the network;
  
  filtering the message flows to result in selecting at least one subset of said message flows, wherein all message flows in the subset of message flows satisfy a selected criterion;
  
  aggregating the sub-plurality of message flows by creating and storing at least one set of aggregated message flow information that represents the sub-plurality of message flows and occupies less storage than the sub-plurality of message flows in a database of a storage element for use by one or more external application programs; and
  
  communicating the stored aggregated message flow information to the routing device for use in modifying a parameter value of the routing device that results in improving performance of the routing device.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. A method as recited in claim 6, wherein the step of communicating the stored aggregated message flow information to the routing device comprises the step of communicating the stored aggregated message flow information to the routing device for use in modifying a parameter value of the routing device that results in achieving fairness among a plurality of devices that communicate packets in the network with respect to an administrative policy selected from among:
    - pricing according to time of day;
      
      pricing according to relative loading;
      
      granting greater or preferential access to particular users or preferred classes of users;
      
      or granting greater access or preferential access to particular message flows or classes of message flows.
  - 8. A method as recited in claim 6, wherein the step of communicating the stored aggregated message flow information to the routing device comprises the step of communicating the stored aggregated message flow information to the routing device for use in modifying a parameter value of the routing device that results in achieving a particular quality of service treatment of the message flows.
  - 9. A method as recited in claim 6, wherein the step of communicating the stored aggregated message flow information to the routing device comprises the step of communicating the stored aggregated message flow information to the routing device for use in modifying a parameter value of the routing device that results in prioritizing different types of message traffic, in response to relative loading of particular types of message flows on a communication link that is coupled to the routing device.
  - 10. A method as recited in claim 6, wherein the step of communicating the stored aggregated message flow information to the routing device comprises the step of communicating the stored aggregated message flow information to the routing device for use in modifying a parameter value of the routing device that results in prioritizing different types of message traffic, in response to relative loading of particular protocols used in the message flows in response to an amount of network bandwidth actually being used for the protocols on a communication link that is coupled to the routing device.
  - 11. A method as recited in claim 6, wherein the step of communicating the stored aggregated message flow information to the routing device comprises the step of communicating the stored aggregated message flow information to the routing device for use in modifying a parameter value of the routing device that results in limiting use of a particular protocol to no more than a selected fraction of network bandwidth for that protocol.

12. A computer-readable medium carrying one or more instructions for exporting data responsive to patterns of message flows passing through a routing device, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving a plurality of packetized message flows defined by transport protocol fields and each comprising a plurality of sets of packets for a particular TCP or UDP transport connection traveling in a single direction on the network;
  
  collecting history information regarding the plurality of message flows at the routing device;
  
  filtering the message flows to result in selecting at least one subset of said message flows, wherein all message flows in the subset of message flows satisfy a selected criterion;
  
  aggregating the sub-plurality of message flows by creating and storing at least one set of aggregated message flow information that represents the sub-plurality of message flows in a database of a storage element for use by one or more external application programs; and
  
  tracing said history information to identify a source or a destination device for said selected message flow.

13. A computer-readable medium carrying one or more instructions for improving performance of a routing device in a network responsive to patterns of message flows passing through the routing device, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving a plurality of message flows represented by transport protocol fields and each comprising a plurality of sets of packets for a particular TCP or UDP transport connection traveling in a single direction on the network;
  
  filtering the message flows to result in selecting at least one subset of said message flows, wherein all message flows in the subset of message flows satisfy a selected criterion;
  
  aggregating the sub-plurality of message flows by creating and storing at least one set of aggregated message flow information that represents the sub-plurality of message flows and occupies less storage than the sub-plurality of message flows in a database of a storage element for use by one or more external application programs; and
  
  communicating the stored aggregated message flow information to the routing device for use in modifying a parameter value of the routing device that results in improving performance of the routing device.

14. A method for exporting data representing one or more message flows that pass through a routing device of a network, said method including the steps of:
- receiving a plurality of packetized message flows defined by transport protocol fields, each of the flows comprising a plurality of sets of packets for a particular TCP or UDP transport connection traveling in a single direction on the network;
  
  filtering the message flows using a first filter to result in selecting a first subset of said message flows, wherein all packets selected by the first filter for the first subset of message flows have the same originating domain value;
  
  filtering the first subset of message flows using a second filter to result in selecting a second subset of said message flows, wherein all packets selected by the second filter for the second subset of message flows have the same protocol value;
  
  aggregating the second subset of message flows by creating and storing first aggregated message flow information that represents the second subset of message flows in a database of a first storage element;
  
  receiving the first aggregated message flow information from the first storage element at a display application program that computes one or more charges to one or more users of the network based on the first aggregated message flow information.
- View Dependent Claims (15)
- - 15. A method as recited in claim 14, further comprising the steps of:

16. A network data flow export system configured to export data representing one or more message flows that pass through a routing device of a network, the system comprising:
- a first filter that receives a plurality of packetized message flows defined by transport protocol fields, each of the flows comprising a plurality of sets of packets for a particular TCP or UDP transport connection traveling in a single direction on the network and that filters the message flows to result in selecting a first subset of said message flows, wherein all packets selected by the first filter for the first subset of message flows have the same originating domain value;
  
  a second filter that filters the first subset of message flows to result in selecting a second subset of said message flows, wherein all packets selected by the second filter for the second subset of message flows have the same protocol value;
  
  a first aggregator that aggregates the second subset of message flows by creating and storing first aggregated message flow information that represents the second subset of message flows in a database of a first storage element;
  
  means for communicating the first aggregated message flow information from the first storage element to a display application program that computes one or more charges to one or more users of the network based on the first aggregated message flow information.
- View Dependent Claims (17)
- - 17. An apparatus as recited in claim 16, further comprising:

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kerr, Darren R., Bruins, Barry L.
Primary Examiner(s)
Teska, Kevin J.
Assistant Examiner(s)
PHAN, THAI Q

Application Number

US08/771,438
Time in Patent Office

1,768 Days
Field of Search

395/500, 395/200.54, 395/200.63, 395/200.64, 370/401, 370/411, 370/353, 370/355, 370/408, 703/26, 703/27, 703/22, 707/104
US Class Current

703/27
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 45/566   Routing instructions carrie...

H04L 47/2441   relying on flow classificat...

Y10S 707/99945   Object-oriented database st...

Y10S 707/99948   Application of database or ...

Network flow data export

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

373 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Network flow data export

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

373 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links