High speed packet capture

US 7,907,608 B2
Filed: 08/12/2005
Issued: 03/15/2011
Est. Priority Date: 08/12/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method for reading data into an application, the method comprising:

reading a packet of data captured by a network interface coupled to a network interface driver that provides a communicative interface between the network interface and a kernel of a capture system;

storing the packet in a receiver packet memory in a wraparound fashion such that the packet is placed contiguously next to a last new packet received, and wherein the packet and the last new packet are stored as read only data in the receiver packet memory such that multiple applications can access the packets, wherein the network interface and the network interface driver are configured on a kernel side of an operating system provisioned within the capture system, and wherein the applications reside on an application side of the capture system that is different from the kernel side;

updating a head indicator, the head indicator identifying the last new packet in the receiver packet memory; and

representing the receiver packet memory as a virtual file, wherein a first application of the multiple applications is configured to migrate packets from the receiver packet memory by memory mapping the virtual file, the first application employing file system commands and handles to reference and to manipulate selected data in the receiver packet memory such that the virtual file is mapped in a read only mode to allow a second application of the multiple applications to access the selected data in the receiver packet memory, and wherein the capture system includes a control memory that provides a plurality of pointers to the receiver packet memory in order to allow access to the control memory by both the network interface driver and the first and second applications through an application interface.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Packets can be read from a network interface into an application using a single kernel copy. In one embodiment, the invention includes a receiver packet memory to store captured packets, and a network interface driver operating in a kernel of a device to read packets captured by network interface hardware into the kernel by storing captured packets in the receiver packet memory. Then, an application interface can expose the receiver packet memory to an application executing on the device by representing the receiver packet memory as a virtual file.

256 Citations

18 Claims

1. A method for reading data into an application, the method comprising:
- reading a packet of data captured by a network interface coupled to a network interface driver that provides a communicative interface between the network interface and a kernel of a capture system;
  
  storing the packet in a receiver packet memory in a wraparound fashion such that the packet is placed contiguously next to a last new packet received, and wherein the packet and the last new packet are stored as read only data in the receiver packet memory such that multiple applications can access the packets, wherein the network interface and the network interface driver are configured on a kernel side of an operating system provisioned within the capture system, and wherein the applications reside on an application side of the capture system that is different from the kernel side;
  
  updating a head indicator, the head indicator identifying the last new packet in the receiver packet memory; and
  
  representing the receiver packet memory as a virtual file, wherein a first application of the multiple applications is configured to migrate packets from the receiver packet memory by memory mapping the virtual file, the first application employing file system commands and handles to reference and to manipulate selected data in the receiver packet memory such that the virtual file is mapped in a read only mode to allow a second application of the multiple applications to access the selected data in the receiver packet memory, and wherein the capture system includes a control memory that provides a plurality of pointers to the receiver packet memory in order to allow access to the control memory by both the network interface driver and the first and second applications through an application interface.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising reading new packets from the memory-mapped virtual file by the first application.
  - 3. The method of claim 2, wherein reading the new packets comprises reading the new packets from a memory location indicated by a tail indicator, the tail indicator identifying the last packet read by the first application.
  - 4. The method of claim 3, wherein reading the new packets comprises reading the new packets from memory locations between the tail indicator and the head indicator.
  - 5. The method of claim 3, further comprising updating the tail indicator to account for the new packets read by the first application.
  - 6. The method of claim 3, wherein the head indicator comprises a head pointer into the receiver packet memory and the tail indicator comprises a tail pointer into the receiver packet memory.

7. A capture device comprising:
- a receiver packet memory to store captured packets that include data;
  
  a network interface driver operating in a kernel of the capture device to read packets captured by a network interface module into the kernel by storing captured packets in the receiver packet memory in a wraparound fashion such that the packet is placed contiguously next to a last new packet received, and wherein the packet and the last new packet are stored as read only data in the receiver packet memory such that multiple applications can access the packets; and
  
  an application interface configured to expose the receiver packet memory to a first application of the multiple applications executing on the capture device by representing the receiver packet memory as a virtual file, wherein the network interface module and the network interface driver are configured on a kernel side of an operating system provisioned within the capture device, and wherein the applications reside on an application side of the capture device that is different from the kernel side, and wherein the first application is configured to migrate packets from the receiver packet memory by memory mapping the virtual file, the first application employing file system commands and handles to reference and to manipulate selected data in the receiver packet memory such that the virtual file is mapped in a read only mode to allow a second application of the multiple applications to access the selected data in the receiver packet memory, and wherein the capture device includes a control memory that provides a plurality of pointers to the receiver packet memory in order to allow access to the control memory by both the network interface driver and the first and second applications through the application interface.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The capture device of claim 7, further comprising a control memory containing a head indicator and a tail indicator.
  - 9. The capture device of claim 8, wherein the head indicator comprises a head pointer pointing to the last packet written to the receiver packet memory by the network interface driver, and the tail indicator comprises a tail pointer pointing to the last packet processed by the first application.
  - 10. The capture device of claim 9, wherein the first application migrates packets from the kernel to the first application by performing memory read operations on the memory-mapped virtual file.
  - 11. The capture device of claim 10, wherein the first application performs read operations by reading packets between the head pointer and the tail pointer.
  - 12. The capture device of claim 11, wherein the first application updates the tail pointer after each packet migration.
  - 13. The capture device of claim 7, wherein the network interface module comprises a network interface controller (NIC).

14. A non-transitory machine-readable medium having stored thereon data representing instructions that, when executed by a processor running an operating system kernel and at least one application, cause the processor to perform operations comprising:
- reading a packet of data captured by a network interface by coupled to a network interface driver that provides a communicative interface between the network interface and a kernel of a capture system,the packet of data being part of a document that includes a plurality of objects that identify characteristics of the document,wherein the document is captured based on a capture rule that specifies the objects, andwherein the capture rule designates whether to discard or to store the objects of the document, andwherein the capture rule is part of a default rule sot for a capture system configured to monitor network traffic and capture the document;
  
  storing the packet in a receiver packet memory in a wraparound fashion such that the packet is placed contiguously next to a last new packet received, andwherein the packet and the last new packet are stored as read only data in the receiver packet memory such that multiple applications can access the packets,wherein the network interface and the network interface driver are configured on a kernel side of an operating system provisioned within the capture system, andwherein the applications reside on an application side of the capture system that is different from the kernel side;
  
  updating a head indicator, the head indicator identifying the last new packet in the receiver packet memory; and
  
  exposing the receiver packet memory to the application by representing the receiver packet memory as a virtual filewherein a first application of the multiple applications is configured to migrate packets from the receiver packet memory by memory mapping the virtual file,the first application employing file system commands and handles to reference and to manipulate selected data in the receiver packet memory such that the virtual file is mapped in a read only mode to allow a second application of the multiple applications to access the selected data in the receiver packet memory, andwherein the capture system includes a control memory that provides a plurality of pointers to the receiver packet memory in order to allow access to the control memory by both the network interface driver and the first and second applications through an application interface.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The machine-readable medium of claim 14, wherein the instructions further cause the processor have the first application to read new packets from the memory-mapped virtual file.
  - 16. The machine-readable medium of claim 15, wherein reading the new packets comprises reading the new packets from a memory location indicated by a tail indicator, the tail indicator identifying the last packet read by the first application.
  - 17. The machine-readable medium of claim 16, wherein reading the new packets comprises reading the new packets from memory locations between the tail indicator and the head indicator.
  - 18. The machine-readable medium of claim 16, wherein the instructions further cause the processor to have the first application update the tail indicator to account for the new packets read by the first application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Broeker, Stephen, Liu, Weimin, Lowe, Rick, Deninger, William, de la Iglesia, Erik
Primary Examiner(s)
Ton; Dang T
Assistant Examiner(s)
Preval; Lionel

Application Number

US11/202,438
Publication Number

US 20070036156A1
Time in Patent Office

2,041 Days
Field of Search

370/389, 370/395.5, 709/230, 709/203, 709/231, 709/225, 705/72, 705/77, 714/751, 710/48, 713/200, 347/29
US Class Current

370/389
CPC Class Codes

G06F 12/00   Accessing, addressing or al...

H04L 1/0083   Formatting with frames or p...

H04L 67/125   involving control of end-de...

H04L 69/12   Protocol engines

H04L 69/22   Parsing or analysis of headers

High speed packet capture

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

256 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

High speed packet capture

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

256 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links