Methods and apparatus for analyzing and management of application traffic on networks

US 7,804,787 B2
Filed: 06/30/2006
Issued: 09/28/2010
Est. Priority Date: 07/08/2005
Status: Active Grant

First Claim

Patent Images

1. A method for analyzing traffic on a network, comprising:

at one or more monitoring devices connected to the network, monitoring packets exchanged between devices on the network by extracting from the packets header information comprising one or more of a source address, source port, destination address, and destination port;

at a computing device;

storing information that associates ranges of addresses and ports with applications that may be occurring between two devices on the network;

identifying application flows occurring on the network based on header information of packets, wherein an application flow consists of a collection of packets exchanged between two devices on the network for a single application, wherein identifying comprises comparing one or more elements of the header information of packets with the stored information pertaining to possible applications occurring on the network and assigning a packet to an application flow based on said comparing, wherein identifying further comprises examining the header information of a packet to determine whether it identifies a port hop and modifying the stored information to identify a new port associated with an application flow if a port hop is identified in the packet;

wherein when a port hop is detected in a collection of packets associated with an application flow previously identified from an original collection of packets, said assigning comprises assigning the collection of packets to the same application flow as the original collection of packets prior to the port hop in order to track the collection of packets after the port hop and the original collection of packets as one application flow; and

analyzing data pertaining to the application flows that are identified to generate statistics from the identified application flows that indicate performance of the network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method are provided for analyzing traffic on a network by monitoring packets sent between devices on the network and identifying applications occurring between devices on the network based on information derived from monitoring the packets. Techniques are provided to examine header information of the packets, such as information in the header of Internet Protocol (IP) packets, to identify applications that are occurring on the network. In some cases, information about the packet beyond the header information is examined to match a packet to a particular application. Using these techniques, a list is built of all of the applications occurring between devices on the network. Parameters may be generated to track one or more of the response time, latency and traffic volume associated with a particular device on the network.

Citations

40 Claims

1. A method for analyzing traffic on a network, comprising:
- at one or more monitoring devices connected to the network, monitoring packets exchanged between devices on the network by extracting from the packets header information comprising one or more of a source address, source port, destination address, and destination port;
  
  at a computing device;
  
  storing information that associates ranges of addresses and ports with applications that may be occurring between two devices on the network;
  
  identifying application flows occurring on the network based on header information of packets, wherein an application flow consists of a collection of packets exchanged between two devices on the network for a single application, wherein identifying comprises comparing one or more elements of the header information of packets with the stored information pertaining to possible applications occurring on the network and assigning a packet to an application flow based on said comparing, wherein identifying further comprises examining the header information of a packet to determine whether it identifies a port hop and modifying the stored information to identify a new port associated with an application flow if a port hop is identified in the packet;
  
  wherein when a port hop is detected in a collection of packets associated with an application flow previously identified from an original collection of packets, said assigning comprises assigning the collection of packets to the same application flow as the original collection of packets prior to the port hop in order to track the collection of packets after the port hop and the original collection of packets as one application flow; and
  
  analyzing data pertaining to the application flows that are identified to generate statistics from the identified application flows that indicate performance of the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein identifying comprises comparing port numbers contained in the header information for the packet with stored information that associates port numbers with a corresponding application.
  - 3. The method of claim 1, and further comprising storing a list of a plurality of applications determined to be occurring on the network based on said identifying.
  - 4. The method of claim 3, wherein identifying comprises assigning a packet to an application already contained in said list when there is a match between one or more of the elements of the header information of the packet with similar such information for an application in said list, and adding a new application to said list when there is not a match between one or more elements of the header information of the packet with similar such information of an application already in said list.
  - 5. The method of claim 1, wherein identifying comprises assigning further packets to a particular application contained in said list when it is determined that said further packets are associated with said particular application even though their header information indicates a different port or address.
  - 6. The method of claim 1, wherein identifying further comprises comparing content of a packet, beyond the header information, when it is determined that one or more elements of the packet fall within ranges of addresses and ports for a specific application in said stored information to determine whether the said specific application is occurring on the network.
  - 7. The method of claim 1, and further comprising storing data describing a hierarchy of applications, the hierarchy comprising at least one top node associated with an application and a plurality of intermediate nodes associated with corresponding sub-applications that are functionally related to the application of the top node, and wherein the data describing the hierarchy comprises data describing standard port numbers and any dynamically assigned port numbers for each of the plurality of applications and sub-applications in said hierarchy.
  - 8. The method of claim 7, wherein identifying comprises examining content of a packet, beyond the header information, to determine whether the packet is associated with a sub-application with respect to an application in said hierarchy.
  - 9. The method of claim 1, wherein said analyzing comprises analyzing performance of the network based on accumulated data pertaining to applications that are determined to be occurring on the network.
  - 10. The method of claim 9, wherein said analyzing comprises generating a list of applications determined to be occurring over time on the network, wherein said list associates applications with local and remote host devices transmitting the packets associated with the application flow.
  - 11. The method of claim 9, wherein said analyzing comprises determining the throughput associated with each of the applications.
  - 12. The method of claim 9, wherein said analyzing further comprises determining one or more of the traffic volume, latency and response time of devices acting as application servers on the network.
  - 13. The method of claim 9, wherein said analyzing comprises categorizing the applications into classes including legitimate business applications and non-business legitimate applications.
  - 14. The method of claim 9, and further comprising displaying a list of applications determined to be occurring on the network based on said application flows.
  - 15. The method of claim 14, wherein said displaying further comprises displaying said list of applications grouped by host device.
  - 16. The method of claim 14, wherein said displaying comprises displaying only those applications associated with a particular host device.
  - 17. The method of claim 14, wherein said displaying comprises displaying said list of applications grouped by server device.

18. A tangible computer readable memory medium storing instructions, that when executed by a computer, cause the computer to perform functions of:
- monitoring packets on a network exchanged between devices on the network by extracting from the packets header information comprising one or more of a source address, source port, destination address, and destination port;
  
  storing information that associates ranges of addresses and ports with applications that may be occurring between two devices on the network;
  
  identifying application flows occurring on the network based on header information of packets, wherein an application flow consists of a collection of packets exchanged between two devices on the network for a single application, wherein identifying comprises comparing one or more elements of the header information of packets with the stored information pertaining to possible applications occurring on the network and assigning a packet to an application flow based on the comparison, wherein the instructions for identifying comprise instructions for examining the header information of a packet to determine whether it identifies a port hop and to modify the stored information to identify a new port associated with an application flow if a port hop is identified in the packet;
  
  when a port hop is detected in a collection of packets associated with an application flow previously identified from an original collection of packets, assigning the collection of packets to the same application flow as the original collection of packets prior to the port hop in order track the collection of packets after the port hop and the original collection of packets as one application flow; and
  
  analyzing data pertaining to the application flows that are identified to generate statistics from the identified application flows that indicate performance of the network.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 19. The computer readable memory medium of claim 18, wherein said instructions for identifying comprise instructions for comparing port numbers contained in the header information for the packet with stored information that associates port numbers with a corresponding application.
  - 20. The computer readable memory medium of claim 18, and further comprising instructions, that when executed, cause the computer to store a list of a plurality of applications determined to be occurring on the network based on said identifying.
  - 21. The computer readable memory medium of claim 20, wherein the instructions for identifying comprise instructions for assigning a packet to an application already contained in said list when there is a match between one or more of the elements of the header information of the packet with similar such information for an application in said list, and further comprising instructions, that when executed by the computer, add a new application to said list when there is not a match between one or more elements of the header information of the packet with similar such information of an application already in said list.
  - 22. The computer readable memory medium of claim 18, wherein the instructions for identifying comprise instructions for comparing one or more elements of the header information of the packet with stored information that associates ranges of addresses and ports with specific applications.
  - 23. The computer readable memory medium of claim 18, wherein the instructions for identifying further comprise instructions for examining content of a packet, beyond the header information, to determine whether said specific application is occurring on the network.
  - 24. The computer readable memory medium of claim 18, and further comprising instructions that, when executed by the computer, cause the computer to store data describing a hierarchy of applications, the hierarchy comprising at least one top node associated with an application and a plurality of intermediate nodes associated with corresponding sub-applications that are functionally related to the application of the top node, and wherein the data describing the hierarchy comprises data describing standard port numbers and any dynamically assigned port numbers for each of the plurality of applications and sub-applications in said hierarchy.
  - 25. The computer readable memory medium of claim 18, wherein the instructions for analyzing comprise instructions for analyzing performance of the network based on accumulated data pertaining to applications that are determined to be occurring on the network.
  - 26. The computer readable memory medium of claim 25, wherein the instructions for analyzing comprise instructions for generating a list of applications determined to be occurring over time on the network, wherein said list associates applications with local and remote host devices transmitting the packets associated with the application flow.
  - 27. The computer readable memory medium of claim 26, wherein the instructions for analyzing comprise instructions for determining the throughput associated with each of the applications.
  - 28. The computer readable memory medium of claim 27, wherein the instructions for said displaying comprise instructions for displaying said list of applications grouped by host device.
  - 29. The computer readable memory medium of claim 27, wherein the instructions for displaying comprise instructions for displaying only those applications associated with a particular host device.

30. A system for monitoring a network, comprising:
- at least one network monitoring device connected in the network so as to monitor packets exchanged between devices on the network by extracting from the packets header information comprising one or more of a source address, source port, destination address, and destination port; and
  
  a computer coupled to said at least one network monitoring device that identifies applications occurring between devices on the network based on information derived from said at least one network monitoring device, wherein the computer is configured to;
  
  store information that associates ranges of addresses and ports with applications that may be occurring between two devices on the network;
  
  identify application flows occurring on the network based on header information of packets, wherein an application flow consists of a collection of packets exchanged between two devices on the network for a single application, by comparing one or more elements of the header information of packets with the stored information pertaining to possible applications occurring on the network and assigning a packet to an application flow based on the comparison, and to examine the header information of a packet to determine whether it identifies a port hop in order to modify the stored information to identify a new port associated with an application flow if a port hop is identified in the packet;
  
  when a port hop is detected in a collection of packets associated with an application flow previously identified from an original collection of packets, assign the collection of packets to the same application flow as the original collection of packets prior to the port hop in order track the collection of packets after the port hop and the original collection of packets as one application flow; and
  
  analyze data pertaining to the application flows that are identified to generate statistics from the identified application flows that indicate performance of the network.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 31. The system of claim 30, wherein said computer is configured to compare port numbers contained in the header information for the packet with stored information that associates port numbers with a corresponding application.
  - 32. The system of claim 30, wherein said computer is configured to store a list of a plurality of applications determined to be occurring on the network.
  - 33. The system of claim 32, wherein the computer is configured to assign a packet to an application already contained in said list when there is a match between one or more of the elements of the header information of the packet with similar such information for an application in said list, and adds a new application to said list when there is not a match between one or more elements of the header information of the packet with similar such information of an application already in said list.
  - 34. The system of claim 30, wherein said computer compares one or more elements of the header information of the packet with stored information that associates ranges of addresses and ports with specific applications.
  - 35. The system of claim 30, wherein said computer compares content of a packet, beyond the header information, to determine whether a specific application is occurring on the network.
  - 36. The system of claim 30, wherein the computer is configured to assign further packets to a particular application contained in said list when it is determined that said further packets are associated with said particular application even though their header information indicates a different port or address.
  - 37. The system of claim 30, wherein the computer is configured to analyze performance of the network based on accumulated data pertaining to applications that are determined to be occurring on the network.
  - 38. The system of claim 37, wherein the computer is configured to generate a list of applications determined to be occurring over time on the network, wherein said list associates applications with local and remote host devices transmitting the packets associated with the application flow.
  - 39. The system of claim 37, wherein the computer is configured to determine throughput associated with each of the applications and one or more of traffic volume, latency and response time of devices acting as application servers on the network.
  - 40. The system of claim 30, wherein the computer is further configured to store data describing a hierarchy of applications, the hierarchy comprising at least one top node associated with an application and a plurality of intermediate nodes associated with corresponding sub-applications that are functionally related to the application of the top node, and wherein the data describing the hierarchy comprises data describing standard port numbers and any dynamically assigned port numbers for each of the plurality of applications and sub-applications in said hierarchy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetScout Systems Incorporated
Original Assignee
Fluke Corporation (Fortive Corp.)
Inventors
Tucker, Matthew A., Kannan, Naresh Kumar, Kobryn, Jeff, Laver, Kent, Nisbet, Thomas R., Brandyburg, Gordon, Menzies, James Thomas
Primary Examiner(s)
Sefcheck; Gregory B
Assistant Examiner(s)
Kang; Suk Jin

Application Number

US11/477,868
Publication Number

US 20070011317A1
Time in Patent Office

1,551 Days
Field of Search

None
US Class Current

370/252
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/028   by filtering

H04L 43/045   for graphical visualisation...

H04L 43/0852   Delays

H04L 43/0888   Throughput

H04L 43/10   Active monitoring, e.g. hea...

H04L 43/12   Network monitoring probes

H04L 67/63   Routing a service request d...

H04L 69/22   Parsing or analysis of headers

Methods and apparatus for analyzing and management of application traffic on networks

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for analyzing and management of application traffic on networks

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links