Method and system for transport protocol reconstruction and timer synchronization for non-intrusive capturing and analysis of packets on a high-speed distributed network
First Claim
1. In a packet analysis device, a method for reconstructing a transport protocol data flow from Transmission Control Protocol (TCP) packets transmitted from a first device to a second device in a first direction on a first channel and from the second device to the first device in a second direction on a second channel, a first part of the TCP packets captured by a first packet capturing device on the first channel and time stamped by a first timer and delivered to the packet analysis device and a second part of the TCP packets captured by a second packet capturing device on the second channel and time stamped by a second timer and delivered to the packet analysis device, the method comprising:
- selecting a TCP packet for evaluation captured by the first packet capturing device in the first direction;
- determining whether there is a missing TCP packet in the second direction;
- responsive to determining that there is a missing TCP packet in the second direction, storing the TCP packet for evaluation in a first list; and creating an acknowledgement timer associated with the TCP packet stored in the first list, the acknowledgment timer being created in the packet analysis device remote from the first device and the second device and indicating a maximum time to wait for the missing TCP packet to arrive in the second direction until treating the missing TCP packet as lost;
- determining whether there is a missing TCP packet in the first direction; and
- responsive to determining that there is a missing TCP packet in the first direction, storing the TCP packet in the first list, and creating a retransmission timer associated with the TCP packet stored in the first list, the retransmission timer being created in the packet analysis device remote from the first device and the second device and indicating a maximum time to wait for retransmission of the missing TCP packet in the first direction until identifying the missing TCP packet as lost.
Abstract
A transport protocol data flow reconstruction method delays determination that a missing packet is lost for a period of time. For an evaluated TCP packet in a first direction, the method determines if a TCP packet is missing in a second direction, in which case the method stores the evaluated TCP packet in a list and creates an acknowledgement timer indicating a maximum time to wait until treating the missing TCP packet as lost. Expiration of the acknowledgment timer indicates a missing packet in the second direction. The method determines if a TCP packet is missing in the first direction, in which case the method stores the evaluated TCP packet in the list and creates a retransmission timer indicating a maximum time to wait until treating the missing TCP packet as lost. Expiration of the retransmission timer indicates a missing packet in the first direction.
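The deferred loss decision described in the abstract can be sketched as follows. This is an added example, not code from the patent: it assumes gaps are detected from TCP sequence and acknowledgement numbers, that the two capture clocks are already synchronised, that later packets' capture timestamps serve as the clock, and that sequence numbers do not wrap. The names `Reconstructor`, `Pkt`, `ACK_WAIT` and `RETX_WAIT` and the timer values are hypothetical.

```python
from collections import namedtuple
# ts: capture timestamp; dirn: 0 = first direction, 1 = second direction
Pkt = namedtuple("Pkt", "ts dirn seq length ack")
ACK_WAIT, RETX_WAIT = 0.2, 1.0   # assumed timer lengths in seconds (not from the patent)

class Reconstructor:
    def __init__(self, next0, next1):
        self.next_seq = [next0, next1]       # next in-order byte expected per direction
        self.pending, self.events = [], []   # pending holds (packet, timer deadline)

    def _blocked(self, p):
        # Hole in p's own direction, or p acknowledges reverse data not yet captured.
        return p.seq > self.next_seq[p.dirn] or p.ack > self.next_seq[1 - p.dirn]

    def feed(self, p):
        self._expire(p.ts)
        if p.seq > self.next_seq[p.dirn]:
            self.pending.append((p, p.ts + RETX_WAIT))   # retransmission timer
        elif p.ack > self.next_seq[1 - p.dirn]:
            self.pending.append((p, p.ts + ACK_WAIT))    # acknowledgement timer
        else:
            self._deliver(p)
        self._drain()

    def _deliver(self, p):
        self.next_seq[p.dirn] = max(self.next_seq[p.dirn], p.seq + p.length)
        self.events.append(("deliver", p.dirn, p.seq))

    def _drain(self):
        # Release held packets, oldest timestamp first, once their gap is closed.
        while ready := [i for i in self.pending if not self._blocked(i[0])]:
            item = min(ready, key=lambda i: i[0].ts)
            self.pending.remove(item)
            self._deliver(item[0])

    def _expire(self, now):
        for p, deadline in self.pending:
            if deadline <= now:   # timer ran out: only now is the gap declared lost
                for d, upto in ((p.dirn, p.seq), (1 - p.dirn, p.ack)):
                    if upto > self.next_seq[d]:
                        self.events.append(("lost", d, self.next_seq[d], upto))
                        self.next_seq[d] = upto

def demo():
    # Constructed trace: the third packet (second direction) is delivered late by
    # its capture device; bytes 1200-1299 in the first direction never arrive.
    r = Reconstructor(1000, 5000)
    for p in [Pkt(0.00, 0, 1000, 100, 5000), Pkt(0.01, 0, 1100, 100, 5200),
              Pkt(0.005, 1, 5000, 200, 1100), Pkt(0.30, 0, 1300, 100, 5200),
              Pkt(1.40, 0, 1400, 100, 5200)]:
        r.feed(p)
    return r.events
```

In the trace, the late second-direction packet is placed ahead of the held packet that acknowledged it, and the first-direction hole is reported lost only after the retransmission timer expires.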
30 Claims
14. A computer readable storage medium including instructions when executed by a processor adapted to perform a method, in a packet analysis device, for reconstructing a transport protocol data flow from Transmission Control Protocol (TCP) packets transmitted from a first device to a second device in a first direction on a first channel and from the second device to the first device in a second direction on a second channel, a first part of the TCP packets captured by a first packet capturing device on the first channel and time stamped by a first timer and delivered to the packet analysis device and a second part of the TCP packets captured by a second packet capturing device on the second channel and time stamped by a second timer and delivered to the packet analysis device, the method comprising:
- selecting a TCP packet for evaluation captured by the first packet capturing device in the first direction;
- determining whether there is a missing TCP packet in the second direction;
- responsive to determining that there is a missing TCP packet in the second direction, storing the TCP packet for evaluation in a first list, and creating an acknowledgement timer associated with the TCP packet stored in the first list, the acknowledgment timer being created in the packet analysis device remote from the first device and the second device and indicating a maximum time to wait for the missing TCP packet to arrive in the second direction until identifying the missing TCP packet as lost;
- determining whether there is a missing TCP packet in the first direction; and
- responsive to determining that there is a missing TCP packet in the first direction, storing the TCP packet in the first list; and creating a retransmission timer associated with the TCP packet stored in the first list, the retransmission timer being created in the packet analysis device remote from the first device and the second device and indicating a maximum time to wait for retransmission of the missing TCP packet in the first direction until treating the identifying data packet as lost.

22. A system for reconstructing a transport protocol data flow from Transmission Control Protocol (TCP) packets transmitted from a first device to a second device in a first direction on a first channel and from the second device to the first device in a second direction on a second channel, the system coupled to a first packet capturing device for capturing a first part of the TCP packets on the first channel and to a second packet capturing device for capturing a second part of the TCP packets on the second channel, the first packet capturing device including a first timer for timestamping the first part of the TCP packets and delivering the TCP packets to the system and the second packet capturing device including a second timer for timestamping the second part of the TCP packets and delivering the TCP packets to the system, the system remote from the first device and the second device and the system comprising:
- a network interface card coupled to the first and second packet capturing devices for receiving the first and second parts of the TCP packets; and
- a processor adapted to perform;
- selecting a TCP packet for evaluation captured by the first packet capturing device in the first direction;
- determining whether there is a missing TCP packet in the second direction;
- responsive to determining that there is a missing TCP packet in the second direction, storing the TCP packet for evaluation in a first list, and creating an acknowledgement timer associated with the data packet stored in the first list, the acknowledgment timer being created in the system remote from the first device and the second device and indicating a maximum time to wait for the missing TCP packet to arrive in the second direction until identifying the missing TCP packet as lost;
- determining whether there is a missing TCP packet in the first direction; and
- responsive to determining that there is a missing TCP packet in the first direction, storing the TCP packet in the first list, and creating a retransmission timer associated with the TCP packet stored in the first list, the retransmission timer being created in the system remote from the first device and the second device and indicating a maximum time to wait for retransmission of the missing TCP packet in the first direction until identifying the missing TCP packet as lost.

30. A system for reconstructing TCP packets transmitted from a first device to a second device in a first direction on a first channel and from the second device to the first device in a second direction on a second channel, a first part of the TCP packets captured by a first packet capturing device on the first channel and time stamped by a first timer and a second part of the TCP packets captured by a second packet capturing device on the second channel and time stamped by a second timer, the system comprising:
- a network interface module coupled to the first and second packet capturing devices for receiving the captured TCP packets;
- a packet reordering module coupled to the network interface module and reordering the captured TCP packets according to their timestamps imposed by the first and second timers;
- an acknowledgment timer remote from the first device and the second device and coupled to the packet reordering module and indicating the maximum time that the packet reordering module will wait for a missing packet in the second direction in the captured TCP packets to arrive until the packet reordering module identifies the missing packet as lost; and
- a retransmission timer remote from the first device and the second device and coupled to the packet reordering module and indicating the maximum time that the packet reordering module will wait for the missing packet in the first direction in the captured TCP packets to be retransmitted until the packet reordering module identifies the missing packet as lost.

Specification