Method of reconstructing network communications

US 7,277,957 B2
Filed: 07/09/2002
Issued: 10/02/2007
Est. Priority Date: 07/17/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for reconstructing network communications comprising the steps of:

capturing network packets by;

attaching a network capture device to a network;

using the network capture device to capture network packets as the packets are passed across the network;

storing the plurality of network packets on a first mass storage device in chronological order;

selecting a portion of the captured network packets based on a first predetermined set of criteria;

sorting the selected packets, by the steps of;

(a) reading a first packet from the selected packets;

(b) decoding the first packet;

(c) determining whether the first packet relates to a request or to a response;

(d) if the first packet relates to a request or to a response, adding the packet to a sorted list corresponding to a second predetermined set of criteria that are satisfied by the packet; and

(e) repeating steps (a), (b), (c) and (d) on additional captured packets until all packets relating to the first predetermined set of criteria have been sorted;

recreating a predetermined network communication by the steps of;

(f) retrieving a packet in the sorted list that is associated with the predetermined network communication;

(g) determining whether the retrieved packet is a request packet or a response packet;

(h) if the retrieved packet is a request packet, storing request information as formatted data in a designated storage medium;

(i) if the retrieved packet is a response packet, determining whether there is a given file associated with the response packet;

(j) if the retrieved packet is the first response packet containing data from the given file and that is a response to at least one request packet, initiating reconstruction of the content from the given file into a reconstructed file;

(k) if the given file is a script-type file, appending a name that represents the given file to a script master list;

(l) appending data in the response packet that is related to the given file to the reconstructed file;

(m) determining whether the response packet is the last response packet associated with the given file;

(n) if the response packet is not the last response packet associated with the given file, retrieving the next packet from the sorted list and repeating steps (f) through (m) for all of the packets from the sorted list; and

(o) if the response packet is the last response packet associated with the given file, closing the reconstructed file; and

displaying on a computer monitor;

a hexadecimal representation of the content of at least one packet;

a decode of at least one packet;

a listing of packets associated with the network communication;

a visual representation of request and response packets associated with the network communication; and

a composite visual reconstruction of any text or graphic information contained in at least one packet;

wherein the data from the first response packet is stored in a cache to expedite subsequent retrieval;

wherein the data from the first response packet is stored in the cache unless the data includes script attributes.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for reconstructing network communication sessions is disclosed. The packets comprising the communication are captured and sorted into a sorted list. The sorted packets are decoded and the information from those packets is used to reconstruct the content and context of the network communication. The reconstructed communication is then displayed on a computer monitor using a web browser or other display program. The user is provided with commands to facilitate navigation of the reconstructed network communication.

186 Citations

38 Claims

1. A method for reconstructing network communications comprising the steps of:
- capturing network packets by;
  
  attaching a network capture device to a network;
  
  using the network capture device to capture network packets as the packets are passed across the network;
  
  storing the plurality of network packets on a first mass storage device in chronological order;
  
  selecting a portion of the captured network packets based on a first predetermined set of criteria;
  
  sorting the selected packets, by the steps of;
  
  (a) reading a first packet from the selected packets;
  
  (b) decoding the first packet;
  
  (c) determining whether the first packet relates to a request or to a response;
  
  (d) if the first packet relates to a request or to a response, adding the packet to a sorted list corresponding to a second predetermined set of criteria that are satisfied by the packet; and
  
  (e) repeating steps (a), (b), (c) and (d) on additional captured packets until all packets relating to the first predetermined set of criteria have been sorted;
  
  recreating a predetermined network communication by the steps of;
  
  (f) retrieving a packet in the sorted list that is associated with the predetermined network communication;
  
  (g) determining whether the retrieved packet is a request packet or a response packet;
  
  (h) if the retrieved packet is a request packet, storing request information as formatted data in a designated storage medium;
  
  (i) if the retrieved packet is a response packet, determining whether there is a given file associated with the response packet;
  
  (j) if the retrieved packet is the first response packet containing data from the given file and that is a response to at least one request packet, initiating reconstruction of the content from the given file into a reconstructed file;
  
  (k) if the given file is a script-type file, appending a name that represents the given file to a script master list;
  
  (l) appending data in the response packet that is related to the given file to the reconstructed file;
  
  (m) determining whether the response packet is the last response packet associated with the given file;
  
  (n) if the response packet is not the last response packet associated with the given file, retrieving the next packet from the sorted list and repeating steps (f) through (m) for all of the packets from the sorted list; and
  
  (o) if the response packet is the last response packet associated with the given file, closing the reconstructed file; and
  
  displaying on a computer monitor;
  
  a hexadecimal representation of the content of at least one packet;
  
  a decode of at least one packet;
  
  a listing of packets associated with the network communication;
  
  a visual representation of request and response packets associated with the network communication; and
  
  a composite visual reconstruction of any text or graphic information contained in at least one packet;
  
  wherein the data from the first response packet is stored in a cache to expedite subsequent retrieval;
  
  wherein the data from the first response packet is stored in the cache unless the data includes script attributes.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising the step of providing a user with a means of controlling the display of the network communication.
  - 3. The method of claim 1 further comprising the step permitting a user to control the display of the network communication by selecting a command to implement at least one of the following operations:
    - playing the script master list in chronological order;
      
      playing the script master list in chronological order using a predetermined timing sequence;
      
      stopping the playing of the script master list;
      
      going to the next script in the script master list;
      
      going to the previous script in the script master list;
      
      going to the first script in the script master list;
      
      going to the last script in the script master list;
      
      orgoing to a user-selected script in the script master list.
  - 4. The method of claim 1 wherein the given file includes characteristics that must be processed in order to perform the reconstruction.
  - 5. The method of claim 1 further comprising ignoring the response if the response is a redirect.

6. A method for reconstructing network communications comprising the steps of:
- capturing network packets;
  
  selecting a portion of the captured network packets based on a first predetermined set of criteria;
  
  sorting the selected packets by a process comprising the steps of;
  
  (a) decoding a first packet from the selected packets;
  
  (b) if the first packet relates to a request or to a response, adding the packet to a sorted list corresponding to a second predetermined set of criteria that are satisfied by the packet; and
  
  (c) repeating steps (a) and (b) on additional captured packets until all packets relating to the first predetermined set of criteria have been sorted;
  
  recreating a predetermined network communication by a process comprising the steps of;
  
  (d) retrieving a packet in the sorted list that is associated with the predetermined network communication;
  
  (e) if the retrieved packet is a request packet, storing request information;
  
  (f) if the retrieved packet is a response packet having a given file associated therewith and tat is a response to at least one request packet, reconstructing the content from the given file into a reconstructed file;
  
  (g) determining whether the response packet is the last response packet associated with the given file;
  
  (h) if the response packet is not the last response packet associated with the given file, retrieving the next packet from the sorted list and repeating steps (d) through (g) for all of the packets from the sorted list; and
  
  (i) if the response packet is the last response packet associated with the given file, closing the reconstructed file; and
  
  displaying a representation of at least a portion of the network communication on a computer monitor;
  
  wherein data from a first response packet is stored in a cache to expedite subsequent retrieval;
  
  wherein the data from the first response packet is stored in the cache unless the data includes script attributes.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6 wherein the request information is stored as formatted data in a designated storage medium.
  - 8. The method of claim 6 wherein if the retrieved packet is the first response packet containing the data from the given file, reconstruction of the content from the given file into a reconstructed file is initiated.
  - 9. The method of claim 6 wherein, if the given file is a script-type file, a file name tat represents the given file is appended to a script master list.
  - 10. The method of claim 6 wherein the packets are captured by a process comprising the steps of:
    - attaching a network capture device to a network;
      
      using the network capture device to capture network packets as the packets are passed across the network; and
      
      storing the plurality of network packets on a first mass storage device in chronological order.
  - 11. The method of claim 6 wherein the display step includes displaying at least one of:
    - a hexadecimal representation of the content of at least one packet;
      
      a decode of at least one packet;
      
      a listing of packets associated with the network communication;
      
      a visual representation of request mid response packets associated with the network communication; and
      
      a composite visual reconstruction of any text or graphic information contained in at least one packet.

12. A method for reconstructing network communications comprising the steps of:
- selecting a plurality of network packets based on a first predetermined set of criteria;
  
  sorting the selected packets into a sorted list;
  
  recreating a network communication by a process comprising the steps of;
  
  (a) retrieving a packet in the sorted list that is associated with the network communication;
  
  (b) if the retrieved packet is a request packet, storing request information;
  
  (c) if the retrieved packet is a response packet having a given file associated therewith and that is a response to at Least one request packet, reconstructing the content from the given file into a reconstructed file; and
  
  (d) repeating steps (a) through (c) for all of the packets from the sorted list that are associated with the network communication;
  
  wherein data from the response packet is stored in a cache to expedite subsequent retrieval;
  
  wherein the data from the response packet is stored in the cache unless the data includes script attributes.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The method of claim 12 wherein the packets are sorted into the sorted list by a process comprising the steps of:
    - (e) decoding a first packet from the selected packets;
      
      (f) if the first packet relates to a request or to a response, adding the packet to a sorted list corresponding to a second predetermined set of criteria that are satisfied by the packet; and
      
      (g) repeating steps (e) and (f) on additional captured packets until all packets relating to the first predetermined set of criteria have been sorted.
  - 14. The method of claim 12 wherein the process of recreating the network communication further comprises the steps of determining whether the retrieved packet is a request packet and, if so, storing any request information in a designated storage medium.
  - 15. The method of claim 12 wherein the process of recreating the network communication further comprises the steps of determining whether there is a given file associated with the retrieved packet and, if so, reconstructing the content from the given file into a reconstructed file.
  - 16. The method of claim 15 wherein the process of recreating the network communication further comprises the steps of determining whether the given file is a script-type file and, if so, appending a name that represents the given file to a script master list.
  - 17. The method of claim 12 further comprising the steps of capturing network packets by:
    - attaching a network capture device to a network;
      
      using the network capture device to capture network packets as the packets are passed across the network; and
      
      storing the plurality of network packets on a first mass storage device in chronological order.
  - 18. The method of claim 12 further comprising the step of displaying on a computer monitor at least one of:
    - a hexadecimal representation of the content of at least one packet;
      
      a decode of at least one packet;
      
      a listing of packets associated with the network communication;
      
      a visual representation of request and response packets associated with the network communication; and
      
      a composite visual reconstruction of any text or graphic information contained in at least one packet.
  - 19. The method of claim 18 further comprising the step of providing a user with a means of controlling the display of the network communication.
  - 20. The method of claim 18 further comprising the step of permitting a user to control the display the network communication by selecting a command to implement at least one of the following operations:
    - playing the script master list in chronological order;
      
      playing the script master list in chronological order using a predetermined timing sequence;
      
      stopping the playing of the script master list;
      
      going to the next script in the script master list;
      
      going to the previous script in the script master list;
      
      going to the first script in the script master list;
      
      going to the last script in the script master list;
      
      orgoing to a user-selected script in the script master list.
  - 21. The method of claim 12 wherein the reconstructed file is stored in the cache.

22. A method for reconstructing network communications, comprising:
- selecting a plurality of network packets;
  
  sorting the selected packets into a sorted list; and
  
  recreating a network communication by;
  
  retrieving a packet in the sorted list that is associated with the network communication,if the retrieved packet is a request packet, storing request information, andif the retrieved packet is a response packet that is a response to at least one request packet, reconstructing content associated with the retrieved packet;
  
  wherein data from the response packet is stored in a cache to expedite subsequent retrieval;
  
  wherein the data from the response packet is stored in the cache unless the data includes script attributes.

23. A computer program product embodied on a computer readable medium for reconstructing network communications, comprising:
- computer code for selecting a plurality of network packets;
  
  computer code for sorting the selected packets into a sorted list; and
  
  computer code for recreating a network communication by;
  
  retrieving a packet in the sorted list that is associated with the network communication,if the retrieved packet is a request packet, storing request information, andif the retrieved packet is a response packet that is a response to at least one request packet, reconstructing content associated with the retrieved packet;
  
  wherein data from the response packet is stored in a cache to expedite subsequent retrieval;
  
  wherein the data from the response packet is stared in the cache unless the data includes script attributes.

24. A system for reconstructing network communications, comprising:
- a network analyzer for selecting a plurality of network packets, sorting the selected packets into a sorted list, and recreating a network communication;
  
  wherein the network communication is recreated by retrieving a packet in the sorted list that is associated with the network communication, storing request information if the retrieved packet is a request packet, and reconstructing content associated with the retrieved packet if the retrieved packet is a response packet that is a response to at least one request packet;
  
  wherein data from the response packet is stored in a cache to expedite subsequent retrieval;
  
  wherein the data from the response packet is stored in the cache unless the data include script attributes.

25. A system for reconstructing network communications, comprising:
- means for selecting a plurality of network packets,means for sorting the selected packets into a sorted list, andmeans for recreating a network communication;
  
  wherein the network communication is recreated by retrieving a packet in the sorted list that is associated with the network communication, storing request information if the retrieved packet is a request packet, and reconstructing content associated with the retrieved packet if the retrieved packet is a response packet that is a response to at least one request packet;
  
  wherein data from the response packet is stored in a cache to expedite subsequent retrieval;
  
  wherein the data from the response packet is stored in the cache unless the data includes script attributes.

26. A method for displaying a reconstructed network communication, comprising:
- acquiring packets associated with a network communication;
  
  displaying a hexadecimal representation associated wit at least one of the packets;
  
  displaying a decode associated with at least one of the packets;
  
  displaying a listing of the packets associated with the network communication anddisplaying a visual representation of request packets and response packets associated with the network communication;
  
  wherein a network analyzer selects a plurality of the packets, sorts the packets into a sorted list, and recreates the network communication;
  
  wherein the network communication is recreated by retrieving a packet in the sorted list that is associated with the network communication, storing request information if the retrieved packet is a request packet, and reconstructing content associated with the retrieved packet if the retrieved packet is a response packet that is a response to at least one request packet;
  
  wherein data from the response packet is stored in a cache to expedite subsequent retrieval;
  
  wherein the data from the response packet is stored in the cache unless the data includes script attributes.
- View Dependent Claims (27, 28, 29, 30, 31, 32)
- - 27. The method of claim 26 further comprising displaying a composite visual reconstruction of at least one of text information and graphic information contained in at least one of the packets.
  - 28. The method of claim 26 further comprising displaying command buttons which allow a user to display least one of a next page, a previous page, and a first page associated with the visual representation of the request and the response packets.
  - 29. The method of claim 26 further comprising an exit command button that allows a user to exit the display of the visual representation of the request packets and the response packets.
  - 30. The method of claim 26 wherein the visual representation of the request packets and the response packets is displayed according to a timing of an original network communication associated with the reconstructed network communication.
  - 31. The method of claim 30 wherein the timing is determined according to a time stamp associated with each request packet and response packet which is read and decoded to identify a time interval between packets in the original network communication.
  - 32. The method of claim 30 wherein the visual representation displayed according to the timing of the original network communication is only displayed upon a selection of a play command by a user.

33. A method for permitting a user to control the display of a network communication, comprising:
- capturing a plurality of network communications between a first computer and a second computer;
  
  playing a script master list in chronological order by displaying the captured network communications in the chronological order;
  
  stopping the playing of the script master list;
  
  going to a next script in the script master list; and
  
  going to a previous script in the script master list;
  
  wherein a network analyzer selects a plurality of network packets, sorts the network packets into a sorted list, and recreates the network communications;
  
  wherein each of the network communications is recreated by retrieving a packet in the sorted list that is associated with the network communication, storing request information if the retrieved packet is a request packet, and reconstructing content associated with tho retrieved packet if the retrieved packet is a response packet that is a response to at least one request packet;
  
  wherein data from the response packet is stored in a cache to expedite subsequent retrieval;
  
  wherein the data from the response packet is stored in the cache unless the data includes script attributes.
- View Dependent Claims (34, 35, 36, 37, 38)
- - 34. The method of claim 33 further comprising going to a first script in the script master list.
  - 35. The method of claim 33 further comprising going to a last script in the script master list.
  - 36. The method of claim 33 further comprising going to a user-selected script in the script master list.
  - 37. The method of claim 33 further comprising playing the script master list in chronological order using a predetermined timing sequence.
  - 38. The method of claim 33 wherein the captured network communications include web pages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Rowley, Bevan S., Huntington, Stephen G.
Primary Examiner(s)
Dalencourt; Yves

Application Number

US10/191,933
Publication Number

US 20030028662A1
Time in Patent Office

1,911 Days
Field of Search

709/231, 709/224, 709/223, 370/241, 713/200, 713/201, 714/39, 714/447
US Class Current

709/231
CPC Class Codes

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 67/14   Session management for real...

H04L 69/06   Notations for structuring o...

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

H04L 69/164   Adaptation or special uses ...

H04L 69/22   Parsing or analysis of headers

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Method of reconstructing network communications

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

186 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method of reconstructing network communications

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

186 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links