Systems and methods for determining characteristics of a network based on flow analysis
First Claim
1. A method for passively and automatically identifying a flow on a network, comprising:
- passively reading, at a processor disposed between two endpoints, a first packet transmitted on the network from one of the two endpoints to the other;
decoding the first packet into a first plurality of protocol fields;
identifying, at the processor, a first source Internet protocol address, a first destination Internet protocol address, a first transport protocol, a first source port, a first destination port, and a first synchronization bit from the first plurality of protocol fields;
passively reading, at the processor, a second packet transmitted on the network from one of the two endpoints to the other;
decoding the second packet into a second plurality of protocol fields;
identifying, at the processor, a second source Internet protocol address, a second destination Internet protocol address, a second transport protocol, a second source port, a second destination port, a second acknowledged bit, and a second synchronization bit from the second plurality of protocol fields; and
if the first transport protocol comprises transmission control protocol, the second transport protocol comprises transmission control protocol, the first synchronization bit is set, the second synchronization bit is set, the second acknowledged bit is set, the first source Internet protocol address comprises the second destination Internet protocol address, the second source Internet protocol address comprises the first destination Internet protocol address, the first source port comprises the second destination port, and the second source port comprises the first destination port, thenidentifying, at the processor, only subsequent packets that correspond to one ofthe first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port andthe second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination portas being part of a same flow as the first packet and second packet.
3 Assignments
0 Petitions
Accused Products
Abstract
A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selecting by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
170 Citations
26 Claims
-
1. A method for passively and automatically identifying a flow on a network, comprising:
-
passively reading, at a processor disposed between two endpoints, a first packet transmitted on the network from one of the two endpoints to the other; decoding the first packet into a first plurality of protocol fields; identifying, at the processor, a first source Internet protocol address, a first destination Internet protocol address, a first transport protocol, a first source port, a first destination port, and a first synchronization bit from the first plurality of protocol fields; passively reading, at the processor, a second packet transmitted on the network from one of the two endpoints to the other; decoding the second packet into a second plurality of protocol fields; identifying, at the processor, a second source Internet protocol address, a second destination Internet protocol address, a second transport protocol, a second source port, a second destination port, a second acknowledged bit, and a second synchronization bit from the second plurality of protocol fields; and if the first transport protocol comprises transmission control protocol, the second transport protocol comprises transmission control protocol, the first synchronization bit is set, the second synchronization bit is set, the second acknowledged bit is set, the first source Internet protocol address comprises the second destination Internet protocol address, the second source Internet protocol address comprises the first destination Internet protocol address, the first source port comprises the second destination port, and the second source port comprises the first destination port, then identifying, at the processor, only subsequent packets that correspond to one of the first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port and the second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination port as being part of a same flow as the first packet and second packet. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A method for passively and automatically identifying a flow on a network, comprising:
-
passively reading, at a processor disposed between two endpoints, a first packet transmitted on the network from one of the two endpoints to the other; decoding the first packet into a first plurality of protocol fields; identifying, at the processor, a first source Internet protocol address, a first destination Internet protocol address, a first transport protocol, a first source port, and a first destination port from the first plurality of protocol fields; passively reading, at the processor, a second packet transmitted on the network from one of the two endpoints to the other; decoding the second packet into a second plurality of protocol fields; identifying, at the processor, a second source Internet protocol address, a second destination Internet protocol address, a second transport protocol, a second source port, and a second destination port from the second plurality of protocol fields; and if the first transport protocol comprises user datagram protocol, the second transport protocol comprises user datagram protocol, the first source Internet protocol address comprises the second destination Internet protocol address, the second source Internet protocol address comprises the first destination Internet protocol address, the first source port comprises the second destination port, and the second source port comprises the first destination port, then identifying, at the processor, only subsequent packets that comprise one of the first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port and the second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination port as being part of a same flow as the first packet and the second packet. - View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
-
Specification