Network flow data export
Abstract
The invention provides a system for collecting, exporting and using data relating to message flows responsive to message flow patterns in a flow switching network. A router collects and aggregates flow information using a variety of criteria, including (1) ranges of addresses for source and destination, (2) information about packets in the flow, including number and frequency of packets in the flow, size of packets in the flow (total size and distribution), (3) protocol used for the flow, including for example whether the flow uses electronic mail protocol, file transfer protocol, hypertext transfer protocol, real-time audiovisual data transmission protocol, or some other protocol, (4) other administrative criteria which may be pertinent to the flow, including for example initiation time or duration of the flow, and (5) possible aggregations or combinations of these criteria. The router provides the aggregated information to one or more filters at an output port. Each filter selects only a subset of the total set of flows; filters may be combined to create compound filters. Filters may be coupled to aggregators, which further aggregate flow data and may store flow data for use by application programs. Application programs may identify useful information in the flow data and may either (1) present that data to an operator for review, or (2) use that data to adjust features or parameters of the network. The router may also collect information so that flows which are improper or otherwise unusual can be traced to particular source and destination devices.
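The filter, aggregate and trace stages described in the abstract, sketched as an added example (not code from the patent or from any router vendor). The record fields, the sample flows and the SMTP policy are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record exported by the router (fields assumed)."""
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    octets: int

# Constructed sample records; addresses come from private/documentation ranges.
FLOWS = [
    Flow("10.0.1.5", "198.51.100.7", "tcp", 443, 40, 52000),
    Flow("10.0.1.9", "203.0.113.20", "tcp", 25, 12, 9000),
    Flow("10.0.1.9", "203.0.113.21", "tcp", 25, 10, 7500),
    Flow("10.0.0.25", "203.0.113.20", "tcp", 25, 30, 41000),
    Flow("192.0.2.44", "10.0.1.5", "tcp", 25, 3, 180),
    Flow("10.0.1.7", "198.51.100.9", "udp", 53, 2, 140),
]

def src_in(cidr):
    net = ip_network(cidr)
    return lambda f: ip_address(f.src) in net

def service(proto, dport):
    return lambda f: f.proto == proto and f.dport == dport

def src_not(addr):
    return lambda f: f.src != addr

def compound(*filters):
    """Combine simple filters; a flow passes only if every filter accepts it."""
    return lambda f: all(flt(f) for flt in filters)

def aggregate_by_source(flows):
    """Collapse the selected flows into one summary row per source device."""
    table = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0, "dsts": set()})
    for f in flows:
        row = table[f.src]
        row["flows"] += 1
        row["packets"] += f.packets
        row["octets"] += f.octets
        row["dsts"].add(f.dst)
    return dict(table)

def policy_events(flows, policy):
    """Filter, aggregate, then trace: the keys are the devices to investigate."""
    return aggregate_by_source(f for f in flows if policy(f))

# Hypothetical administrative policy: only the relay 10.0.0.25 may send SMTP out.
SMTP_POLICY = compound(src_in("10.0.0.0/16"), service("tcp", 25), src_not("10.0.0.25"))
```

Calling `policy_events(FLOWS, SMTP_POLICY)` yields one summary row per offending source, which is both the reduced-storage aggregate and the trace back to the originating device.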
17 Claims
1. A method for exporting data responsive to patterns of message flows passing through a routing device of a network, said method including the steps of:
receiving a plurality of packetized message flows defined by transport protocol fields and each comprising a plurality of sets of packets for a particular TCP or UDP transport connection traveling in a single direction on the network;
collecting history information regarding the plurality of message flows at the routing device;
filtering the message flows to result in selecting at least one subset of said message flows, wherein all message flows in the subset of message flows satisfy a selected criterion;
aggregating the sub-plurality of message flows by creating and storing at least one set of aggregated message flow information that represents the subset of message flows in a database of a storage element for use by one or more external application programs; and
tracing said history information to identify a source or a destination device for said subset of message flows.
Dependent claims: 2, 3
automatically displaying through a display application program, based on the aggregated message flow information, accounting information pertaining to network usage for use in charging users of the network for their use.
3. A method as recited in claim 1, further comprising the steps of:
automatically displaying through a network management application program, based on the aggregated message flow information, event information that identifies an attempt to violate a security policy as determined according to one or more administrative policies.
4. A system for exporting data responsive to message flow patterns, said system including
means for receiving a message flow defined by transport protocol fields as a set of packets for a particular TCP or UDP transport connection traveling in a single direction on a network;
means for collecting, from a router on the network, history information regarding a plurality of message flows, and for receiving a plurality of flow data packets of the message flows that are generated by the router;
a filter coupled to said flow data packets that filters the message flows to result in selecting at least one subset of said message flows, wherein all message flows in the subset of message flows satisfy a selected criterion;
an aggregator coupled to the filter and that aggregates the sub-plurality of message flows by creating and storing at least one set of aggregated message flow information that represents the sub-plurality of message flows in a database of a storage element for use by one or more external application programs; and
means for tracing said history information to identify a source or a destination device for said selected message flow.
Dependent claims: 5
6. A method for improving performance of a routing device in a network responsive to message flow patterns of messages passing through the routing device, said method including the steps of:
receiving a plurality of message flows represented by transport protocol fields and each comprising a plurality of sets of packets for a particular TCP or UDP transport connection traveling in a single direction on the network;
filtering the message flows to result in selecting at least one subset of said message flows, wherein all message flows in the subset of message flows satisfy a selected criterion;
aggregating the sub-plurality of message flows by creating and storing at least one set of aggregated message flow information that represents the sub-plurality of message flows and occupies less storage than the sub-plurality of message flows in a database of a storage element for use by one or more external application programs; and
communicating the stored aggregated message flow information to the routing device for use in modifying a parameter value of the routing device that results in improving performance of the routing device.
Dependent claims: 7, 8, 9, 10, 11
12. A computer-readable medium carrying one or more instructions for exporting data responsive to patterns of message flows passing through a routing device, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
receiving a plurality of packetized message flows defined by transport protocol fields and each comprising a plurality of sets of packets for a particular TCP or UDP transport connection traveling in a single direction on the network;
collecting history information regarding the plurality of message flows at the routing device;
filtering the message flows to result in selecting at least one subset of said message flows, wherein all message flows in the subset of message flows satisfy a selected criterion;
aggregating the sub-plurality of message flows by creating and storing at least one set of aggregated message flow information that represents the sub-plurality of message flows in a database of a storage element for use by one or more external application programs; and
tracing said history information to identify a source or a destination device for said selected message flow.
13. A computer-readable medium carrying one or more instructions for improving performance of a routing device in a network responsive to patterns of message flows passing through the routing device, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
receiving a plurality of message flows represented by transport protocol fields and each comprising a plurality of sets of packets for a particular TCP or UDP transport connection traveling in a single direction on the network;
filtering the message flows to result in selecting at least one subset of said message flows, wherein all message flows in the subset of message flows satisfy a selected criterion;
aggregating the sub-plurality of message flows by creating and storing at least one set of aggregated message flow information that represents the sub-plurality of message flows and occupies less storage than the sub-plurality of message flows in a database of a storage element for use by one or more external application programs; and
communicating the stored aggregated message flow information to the routing device for use in modifying a parameter value of the routing device that results in improving performance of the routing device.
14. A method for exporting data representing one or more message flows that pass through a routing device of a network, said method including the steps of:
receiving a plurality of packetized message flows defined by transport protocol fields, each of the flows comprising a plurality of sets of packets for a particular TCP or UDP transport connection traveling in a single direction on the network;
filtering the message flows using a first filter to result in selecting a first subset of said message flows, wherein all packets selected by the first filter for the first subset of message flows have the same originating domain value;
filtering the first subset of message flows using a second filter to result in selecting a second subset of said message flows, wherein all packets selected by the second filter for the second subset of message flows have the same protocol value;
aggregating the second subset of message flows by creating and storing first aggregated message flow information that represents the second subset of message flows in a database of a first storage element;
receiving the first aggregated message flow information from the first storage element at a display application program that computes one or more charges to one or more users of the network based on the first aggregated message flow information.
Dependent claims: 15
filtering the first subset of message flows using a third filter to result in selecting a third subset of said message flows, wherein all packets selected by the third filter for the third subset of message flows satisfy a criterion other than those used by the first filter and second filter;
aggregating the third subset of message flows by creating and storing second aggregated message flow information that represents the third subset of message flows in a second storage element;
consolidating the first aggregated message flow information and the second aggregated message flow information in a consolidated database;
receiving consolidated message flow information from the consolidated database;
computing one or more charges to one or more users of the network based on the consolidated message flow information.
16. A network data flow export system configured to export data representing one or more message flows that pass through a routing device of a network, the system comprising:
a first filter that receives a plurality of packetized message flows defined by transport protocol fields, each of the flows comprising a plurality of sets of packets for a particular TCP or UDP transport connection traveling in a single direction on the network and that filters the message flows to result in selecting a first subset of said message flows, wherein all packets selected by the first filter for the first subset of message flows have the same originating domain value;
a second filter that filters the first subset of message flows to result in selecting a second subset of said message flows, wherein all packets selected by the second filter for the second subset of message flows have the same protocol value;
a first aggregator that aggregates the second subset of message flows by creating and storing first aggregated message flow information that represents the second subset of message flows in a database of a first storage element;
means for communicating the first aggregated message flow information from the first storage element to a display application program that computes one or more charges to one or more users of the network based on the first aggregated message flow information.
Dependent claims: 17
a third filter that filters the first subset of message flows to result in selecting a third subset of said message flows, wherein all packets selected by the third filter for the third subset of message flows satisfy a criterion other than those used by the first filter and second filter;
a second aggregator that aggregates the third subset of message flows by creating and storing second aggregated message flow information that represents the third subset of message flows in a database of a second storage element;
a consolidator that consolidates the first aggregated message flow information and the second aggregated message flow information in a consolidated database;
means for communicating the consolidated message flow information from the consolidated database to a display application program that computes one or more charges to one or more users of the network based on the consolidated message flow information.
Specification