Probing hosts against network application profiles to facilitate classification of network traffic

US 7,554,983 B1
Filed: 12/20/2004
Issued: 06/30/2009
Est. Priority Date: 12/20/2004
Status: Active Grant

First Claim

Patent Images

1. An apparatus facilitating network traffic classification, comprising:

a memory for buffering packets corresponding to data flows traversing a network path;

a packet processor operative toassociate the buffered packets with corresponding data flows;

parse explicit attributes of at least one packet associated with the data flows into corresponding flow objects;

a traffic classification engine operative tocompare the flow objects to a plurality of traffic types, andif the comparison finds a matching traffic type in the plurality of traffic types, associate the data flow with the matching traffic type; and

a host probing module operative, as to a selected data flow between a first host and a second host, togenerate and transmit a probe packet to the first host;

receive a response to the probe packet;

compare the response to a profile corresponding to a network application; and

associate the data flow with an identifier corresponding to the network application, if the response matches the profile.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatuses and systems directed to a network traffic classification mechanism that probes hosts against one or more network application profiles to facilitate identification of network applications corresponding to data flows traversing a network.

237 Citations

23 Claims

1. An apparatus facilitating network traffic classification, comprising:
- a memory for buffering packets corresponding to data flows traversing a network path;
  
  a packet processor operative toassociate the buffered packets with corresponding data flows;
  
  parse explicit attributes of at least one packet associated with the data flows into corresponding flow objects;
  
  a traffic classification engine operative tocompare the flow objects to a plurality of traffic types, andif the comparison finds a matching traffic type in the plurality of traffic types, associate the data flow with the matching traffic type; and
  
  a host probing module operative, as to a selected data flow between a first host and a second host, togenerate and transmit a probe packet to the first host;
  
  receive a response to the probe packet;
  
  compare the response to a profile corresponding to a network application; and
  
  associate the data flow with an identifier corresponding to the network application, if the response matches the profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1 wherein the host probing module operates in connection with a plurality of profiles each corresponding to a respective network application;
    - and wherein the host probing module is operative to select a profile from the plurality of profiles based on attributes of at least one packet in the selected data flow.
  - 3. The apparatus of claim 2 wherein each profile defines attributes of a probe packet and attributes of an expected response to the probe packet.
  - 4. The apparatus of claim 2 wherein at least one profile in the plurality of profiles defines parameters by which the host probing module emulates a peer in a peer-to-peer network application.
  - 5. The apparatus of claim 2 wherein at least one profile in the plurality of profiles defines parameters by which the host probing module emulates a client in a server-client network application.
  - 6. The apparatus of claim 2 wherein at least one profile in the plurality of profiles defines parameters by which the host probing module emulates a server in a server-client network application.
  - 7. The apparatus of claim 1 wherein the traffic classification engine is operative to classify the data flows based on attributes of the packets in the data flows.
  - 8. The apparatus of claim 7 wherein the host probing module is operative to abort classification of the data flow if the traffic classification engine identifies the data flow as matching a network application.
  - 9. The apparatus of claim 8 wherein the traffic classification engine is operative to abort classification of the data flow if the host probing module identifies the data flow as matching a network application.

10. A method for classifying network traffic, comprising:
- detecting a data flow comprising at least one packet transmitted between a first host and a second host;
  
  classifying, based on attributes of the at least one packet, the data flow into a traffic class selected from a plurality of traffic classes;
  
  if, after encountering a threshold number of packets in the data flow, the traffic class identified in the classifying step does not correspond to a network application, thengenerating and transmitting a probe packet to the first host;
  
  receiving a response to the probe packet;
  
  comparing the response to a profile corresponding to a network application; and
  
  associating the data flow with a traffic class corresponding to the network application, if the response matches the profile.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10 further comprising selecting the profile from a plurality of profiles based on attributes of at least one packet in the selected data flow, wherein each profile in the plurality of profiles corresponds to a respective network application.
  - 12. The method of claim 11 wherein each profile defines attributes of the probe packet and attributes of an expected response to the probe packet.
  - 13. The method of claim 12 wherein at least one profile in the plurality of profiles defines parameters by which the host probing module emulates a peer in a peer-to-peer network application.
  - 14. The method of claim 12 wherein at least one profile in the plurality of profiles defines parameters by which the host probing module emulates a client in a server-client network application.
  - 15. The method of claim 12 wherein at least one profile in the plurality of profiles defines parameters by which the host probing module emulates a server in a server-client network application.

16. A method for classifying network traffic, comprising:
- detecting a data flow comprising at least one packet transmitted between a first host and a second host;
  
  classifying, based on attributes of at least one packet of the data flow, the data flow into a traffic class selected from a plurality of traffic classes;
  
  selecting a profile from a plurality of profiles based on attributes of at least one packet the data flow, wherein each profile in the plurality of profiles corresponds to a respective network application;
  
  generating and transmitting a probe packet according to the selected profile to the first host;
  
  receiving a response to the probe packet;
  
  comparing the response to the selected profile; and
  
  associating the data flow with an identifier corresponding to the network application associated with the selected profile, if the response matches the selected profile;
  
  stopping the classifying step if a network application is associated with the flow; and
  
  aborting the receiving, comparing and associating steps if the classifying step yields a traffic class corresponding to a network application.

17. An apparatus facilitating network traffic classification, comprising:
- a memory for buffering packets corresponding to data flows traversing a network path;
  
  a packet processor operative toassociate the buffered packets with corresponding data flows;
  
  a host probing module operative, as to a selected data flow between a first host and a second host, and in connection with a plurality of profiles each corresponding to a respective network application, toselect a profile from the plurality of profiles based on attributes of at least one packet in the selected data flow, wherein each profile defines attributes of a probe packet and attributes of an expected response to the probe packet;
  
  generate and transmit a probe packet to the first host;
  
  receive a response to the probe packet;
  
  compare the response to the selected profile corresponding to a network application; and
  
  associate the data flow with an identifier corresponding to the network application, if the response matches the selected profile.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The apparatus of claim 17 wherein at least one profile in the plurality of profiles defines parameters by which the host probing module emulates a peer in a peer-to-peer network application.
  - 19. The apparatus of claim 17 wherein at least one profile in the plurality of profiles defines parameters by which the host probing module emulates a client in a server-client network application.
  - 20. The apparatus of claim 17 wherein at least one profile in the plurality of profiles defines parameters by which the host probing module emulates a server in a server-client network application.
  - 21. The apparatus of claim 17 further comprising a traffic classification engine operative to classify the data flows based on attributes of the packets in the data flows.
  - 22. The apparatus of claim 21 wherein the host probing module is operative to abort classification of the data flow if the traffic classification engine identifies the data flow as matching a network application.
  - 23. The apparatus of claim 22 wherein the traffic classification engine is operative to abort classification of the data flow if the host probing module identifies the data flow as matching a network application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Packeteer Incorporated (Gen Digital Inc.)
Inventors
Muppala, Suresh
Primary Examiner(s)
Orgad; Edan
Assistant Examiner(s)
Wong; Blanche

Application Number

US11/019,501
Time in Patent Office

1,653 Days
Field of Search

370/392, 370/410
US Class Current

370/392
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0896   Bandwidth or capacity manag...

H04L 43/026   using flow identification

H04L 43/0882   Utilisation of link capacity

H04L 43/50   Testing arrangements

Probing hosts against network application profiles to facilitate classification of network traffic

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

237 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Probing hosts against network application profiles to facilitate classification of network traffic

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

237 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others