Managing timeouts for dynamic flow capture and monitoring of packet flows

US 7,633,944 B1
Filed: 11/20/2006
Issued: 12/15/2009
Est. Priority Date: 05/12/2006
Status: Active Grant

First Claim

Patent Images

1. A method for maintaining timers within a network flow capture device, the method comprising:

defining a timeout array comprising a plurality of elements, wherein the timeout array represents a span of time and the elements represent sequential units of time;

executing a communication protocol to receive information specifying one or more filter criteria for matching one or more packet flows and a timeout associated with the filter criteria; and

updating an element of the timeout array to identify the filter criteria, wherein the updated element represents a time unit within the span of time that corresponds to the timeout for the flow criteria.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for managing timeouts of filter criteria in a packet flow capture applications. The techniques allow for handling large amounts of timeouts used when monitoring a high volume of packet flows, without placing extreme demands on the operating system for managing the timeouts. The timeout data structure may be a circular array having a plurality of elements. The timeout array represents a span of time and the elements represent sequential units of time. Each element contains one or more pointers. The pointer may point to an entry in the filter table, or may be a null pointer. A timer thread periodically checks the timeout array to determine whether any timeouts occur at the current time. The timer thread checks the element of the array corresponding to the current time by computing an index into the array based on the current time.

Citations

22 Claims

1. A method for maintaining timers within a network flow capture device, the method comprising:
- defining a timeout array comprising a plurality of elements, wherein the timeout array represents a span of time and the elements represent sequential units of time;
  
  executing a communication protocol to receive information specifying one or more filter criteria for matching one or more packet flows and a timeout associated with the filter criteria; and
  
  updating an element of the timeout array to identify the filter criteria, wherein the updated element represents a time unit within the span of time that corresponds to the timeout for the flow criteria.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - receiving a packet from a network via an interface card of a network device;
      
      determining whether contents of the packet match the filter criteria; and
      
      when the contents of the packet match the filter criteria, outputting the contents of the packet to a destination.
  - 3. The method of claim 1, wherein updating an element of the timeout array comprises computing an index into the array based on a current time to select the element of the array that corresponds to the timeout for the filter criteria.
  - 4. The method of claim 1, further comprising:
    - storing the filter criteria within a filter table, andwherein updating an element of the timeout array comprises updating a pointer within the element that corresponds to the timeout of the filter criteria to point to an entry in the filter table that stores the filter criteria.
  - 5. The method of claim 4, wherein each of the entries of the timeout array includes a total timeout pointer and an idle timeout pointer, wherein each of the total timeout pointer and the idle timeout pointer is a null pointer or a pointer to an entry in the filter table.
  - 6. The method of claim 1, further comprising:
    - selecting an element that corresponds to the current time; and
      
      when the element contains a pointer to an entry in a filter table, accessing the entry of the filter table to determine whether the entry indicates a refresh command was received for the entry.
  - 7. The method of claim 6, further comprising:
    - when the accessed entry indicates a refresh command was received for the entry, moving the pointer from the selected element to another element according to a value of a timeout in the accessed entry.
  - 8. The method of claim 7, further comprising:
    - when the pointer is a total timeout pointer and when the accessed entry indicates a refresh command was not received for the accessed entry, deleting the accessed entry from the filler table, and sending a notification that the accessed entry is being deleted.
  - 9. The method of claim 7, further comprising:
    - when the pointer is an idle timeout pointer and when the accessed entry indicates a refresh command was not received for the accessed entry, determining whether traffic was received that matched criteria contained in the accessed entry.
  - 10. The method of claim 9, wherein determining whether traffic was received that matched criteria contained in the accessed entry comprises comparing a traffic timestamp of the accessed entry to a current time.
  - 11. The method of claim 9, further comprising:
    - when traffic was not received for the accessed entry, deleting the accessed entry from the filter table, and sending a notification that the accessed entry is being deleted.
  - 12. The method of claim 1, wherein defining a timeout array comprising a plurality of elements comprises defining a timeout array wherein the elements represent sequential seconds.
  - 13. The method of claim 12, wherein defining a timeout array comprising a plurality of elements comprises defining a circular timeout array that represents one day, and wherein the elements represent 86,400 sequential seconds.
  - 14. The method of claim 1, wherein updating an element of the timeout array to identify the filter criteria comprises setting a pointer to point to an entry in a filter table containing a plurality of entries, wherein each entry of the filter table specifies a filter defining:
    - (i) at least one criteria of;
      
      a source IP address, a destination IP address, a source port, a destination port, or a protocol, (ii) a control source that requested the filter, (iii) a destination to which replicated packets matching the criteria should be sent, and (iv) at least one timeout indicating when the entry expires.
  - 15. The method of claim 1, wherein defining a timeout array comprises defining the array within user space of a service card within a network device.

16. A network device comprising:
- a timeout array comprising a plurality of elements, wherein the timeout array represents a span of time and the elements represent sequential units of time;
  
  a communication protocol to receive information specifying one or more filter criteria for matching one or more packet flows and a timeout associated with the criteria; and
  
  a flow match timer module that updates an element of the timeout array to identify the filter criteria, wherein the updated element represents a time unit within the span of time that corresponds to the timeout for the filter criteria.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The network device of claim 16, further comprising a periodic thread that selects an element of the timeout array based on a current time, wherein the periodic thread computes an index into the timeout array based on the current time to select an element of the array that corresponds to the current time.
  - 18. The network device of claim 17, wherein when the selected element contains a pointer to an entry in a filter table, the flow match timer module accesses the entry of the filter table to determine whether the entry indicates a refresh command was received for the entry.
  - 19. The network device of claim 16, wherein the elements of the timeout array represent sequential seconds.
  - 20. The network device of claim 19, wherein the timeout array comprises a circular timeout array representing one day, wherein the elements represent 86,400 sequential seconds.
  - 21. The network device of claim 16, further comprising a service card, wherein the timeout array is maintained within user space of the service card.

22. A network device comprising:
- a dynamic flow capture (DFC) service card executing a communication protocol to receive, from one or more control sources (CSs), flow capture information specifying at least one destination, filter criteria for matching one or more packet flows, and a timeout associated with the filter criteria;
  
  a network interface card to receive a packet from a network;
  
  a packet replication module to replicate the packet;
  
  a control unit to provide the replicated packet from the network interface card to the DFC service card; and
  
  a timeout array comprising a plurality of elements, wherein the timeout array represents a span of time and the elements represent sequential units of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Apte, Manoj, Deenadayalan, Saravanan, Chang, Szelap Philip
Primary Examiner(s)
Ton; Dang T
Assistant Examiner(s)
Zhao; Wei

Application Number

US11/561,726
Time in Patent Office

1,121 Days
Field of Search

370/392, 370/389, 370/465, 370/252, 710/62
US Class Current

370/392
CPC Class Codes

H04L 43/028   by filtering

H04L 45/38   Flow based routing

H04L 63/0263   Rule management

Managing timeouts for dynamic flow capture and monitoring of packet flows

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Managing timeouts for dynamic flow capture and monitoring of packet flows

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links