Systems and methods for determining characteristics of a network based on flow analysis

US 7,885,190 B1
Filed: 05/12/2004
Issued: 02/08/2011
Est. Priority Date: 05/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method for passively and automatically identifying a flow on a network, comprising:

passively reading, at a processor disposed between two endpoints, a first packet transmitted on the network from one of the two endpoints to the other;

decoding the first packet into a first plurality of protocol fields;

identifying, at the processor, a first source Internet protocol address, a first destination Internet protocol address, a first transport protocol, a first source port, a first destination port, and a first synchronization bit from the first plurality of protocol fields;

passively reading, at the processor, a second packet transmitted on the network from one of the two endpoints to the other;

decoding the second packet into a second plurality of protocol fields;

identifying, at the processor, a second source Internet protocol address, a second destination Internet protocol address, a second transport protocol, a second source port, a second destination port, a second acknowledged bit, and a second synchronization bit from the second plurality of protocol fields; and

if the first transport protocol comprises transmission control protocol, the second transport protocol comprises transmission control protocol, the first synchronization bit is set, the second synchronization bit is set, the second acknowledged bit is set, the first source Internet protocol address comprises the second destination Internet protocol address, the second source Internet protocol address comprises the first destination Internet protocol address, the first source port comprises the second destination port, and the second source port comprises the first destination port, thenidentifying, at the processor, only subsequent packets that correspond to one ofthe first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port andthe second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination portas being part of a same flow as the first packet and second packet.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selecting by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.

170 Citations

26 Claims

1. A method for passively and automatically identifying a flow on a network, comprising:
- passively reading, at a processor disposed between two endpoints, a first packet transmitted on the network from one of the two endpoints to the other;
  
  decoding the first packet into a first plurality of protocol fields;
  
  identifying, at the processor, a first source Internet protocol address, a first destination Internet protocol address, a first transport protocol, a first source port, a first destination port, and a first synchronization bit from the first plurality of protocol fields;
  
  passively reading, at the processor, a second packet transmitted on the network from one of the two endpoints to the other;
  
  decoding the second packet into a second plurality of protocol fields;
  
  identifying, at the processor, a second source Internet protocol address, a second destination Internet protocol address, a second transport protocol, a second source port, a second destination port, a second acknowledged bit, and a second synchronization bit from the second plurality of protocol fields; and
  
  if the first transport protocol comprises transmission control protocol, the second transport protocol comprises transmission control protocol, the first synchronization bit is set, the second synchronization bit is set, the second acknowledged bit is set, the first source Internet protocol address comprises the second destination Internet protocol address, the second source Internet protocol address comprises the first destination Internet protocol address, the first source port comprises the second destination port, and the second source port comprises the first destination port, thenidentifying, at the processor, only subsequent packets that correspond to one ofthe first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port andthe second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination portas being part of a same flow as the first packet and second packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein an initiator of the first packet comprises a client.
  - 3. The method of claim 1, wherein an initiator of the second packet comprises a server.
  - 4. The method of claim 1, further comprising recording the first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port.
  - 5. The method of claim 1, further comprising recording the second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination port.
  - 6. The method of claim 1, wherein the flow comprises a session.
  - 7. The method of claim 6, wherein an initiator of the first packet comprises a session initiator.
  - 8. The method of claim 6, wherein an initiator of the second packet comprises a session responder.
  - 9. The method of claim 1, further comprising identifying a plurality of packets that correspond to one ofthe first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port andthe second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination port.
  - 10. The method of claim 9, further comprising recording one or more ofa time of a first packet of the plurality of packets,a time of a last packet of the plurality of packets,a number of the plurality of packets that comprise the first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port,a number of the plurality of packets that comprise the second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination port,a number of bytes sent by the plurality of packets that comprise the first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port, anda number of bytes sent by the plurality of packets that comprise the second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination port.
  - 11. The method of claim 9, further comprising terminating the flow if one packet of the plurality of packets comprises:
    - a finished bit, the first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port;
      
      an acknowledged bit, the second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination port;
      
      a finished bit, the second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination port;
      
      oran acknowledged bit, the first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port.
  - 12. The method of claim 10, wherein an initiator of the first packet comprises a client, wherein an initiator of the second packet comprises a server, and wherein the method further comprises determining one or more of services of the client, servers the client utilizes, an amount of data the client transfers, an amount of data the server serves, a number of connections per second the server handles, a load on the server over time, an amount of traffic generated by the client over time, clients the server serves, and a conversion size between the client and the server.
  - 13. The method of claim 10, further comprising identifying a host for the flow.

14. A method for passively and automatically identifying a flow on a network, comprising:
- passively reading, at a processor disposed between two endpoints, a first packet transmitted on the network from one of the two endpoints to the other;
  
  decoding the first packet into a first plurality of protocol fields;
  
  identifying, at the processor, a first source Internet protocol address, a first destination Internet protocol address, a first transport protocol, a first source port, and a first destination port from the first plurality of protocol fields;
  
  passively reading, at the processor, a second packet transmitted on the network from one of the two endpoints to the other;
  
  decoding the second packet into a second plurality of protocol fields;
  
  identifying, at the processor, a second source Internet protocol address, a second destination Internet protocol address, a second transport protocol, a second source port, and a second destination port from the second plurality of protocol fields; and
  
  if the first transport protocol comprises user datagram protocol, the second transport protocol comprises user datagram protocol, the first source Internet protocol address comprises the second destination Internet protocol address, the second source Internet protocol address comprises the first destination Internet protocol address, the first source port comprises the second destination port, and the second source port comprises the first destination port, then identifying, at the processor, only subsequent packets that comprise one ofthe first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port andthe second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination portas being part of a same flow as the first packet and the second packet.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The method of claim 14, wherein an initiator of the first packet comprises a client.
  - 16. The method of claim 14, wherein an initiator of the second packet comprises a server.
  - 17. The method of claim 14, further comprising recording the first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port.
  - 18. The method of claim 14, further comprising recording the second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination port.
  - 19. The method of claim 14, wherein the flow comprises a session.
  - 20. The method of claim 19, wherein an initiator of the first packet comprises a session initiator.
  - 21. The method of claim 19, wherein an initiator of the second packet comprises a session responder.
  - 22. The method of claim 14, further comprising identifying a plurality of packets that comprises one ofthe first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port andthe second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination port.
  - 23. The method of claim 22, further comprising recording one or more ofa time of a first packet of the plurality of packets,a time of a last packet of the plurality of packets,a number of the plurality of packets that comprise the first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port,a number of the plurality of packets that comprise the second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination port,a number of bytes sent by the plurality of packets that comprise the first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port, anda number of bytes sent by the plurality of packets that comprise the second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination port.
  - 24. The method of claim 14, further comprising terminating the flow if a packet comprising one ofthe first source Internet protocol address, the first destination Internet protocol address, the first transport protocol, the first source port, and the first destination port andthe second source Internet protocol address, the second destination Internet protocol address, the second transport protocol, the second source port, and the second destination portis not identified in a predefined time period.
  - 25. The method of claim 22, wherein an initiator of the first packet comprises a client, wherein an initiator of the second packet comprises a server, and wherein the method further comprises determining one or more of services of the client, servers the client utilizes, an amount of data the client transfers, an amount of data the server serves, a number of connections per second the server handles, a load on the server over time, an amount of traffic generated by the client over time, clients the server serves, and a conversion size between the client and the server.
  - 26. The method of claim 22, further comprising identifying a host for the flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Roesch, Martin, Dempster, Ronald A.
Primary Examiner(s)
Rao; Seema S
Assistant Examiner(s)
Davenport; Mon Cheri S

Application Number

US10/843,374
Time in Patent Office

2,463 Days
Field of Search

370/392, 370/469, 370/235, 370/389, 370/401, 709/224, 709/225, 709/229, 709/238
US Class Current

370/235
CPC Class Codes

H04L 63/1433 Vulnerability analysis

H04L 67/125 involving control of end-de...

Systems and methods for determining characteristics of a network based on flow analysis

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

170 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for determining characteristics of a network based on flow analysis

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

170 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links