Monitoring network traffic by using a monitor device

US 7,941,827 B2
Filed: 04/04/2006
Issued: 05/10/2011
Est. Priority Date: 02/26/2004
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for associating packets according to user information defined in a directory service available through a networked environment, the networked environment providing an authentication service and a name service and including at least one client, the method comprising:

at a collector, obtaining user information from the directory service by obtaining at least one user object attribute set from the directory service, the directory service maintaining a directory of objects in a hierarchical framework, each of the objects representing a network entity and one or more attributes of the network entity, the hierarchical framework categorizing each of the objects as one of;

a resource;

a service; and

a person;

at a monitor configured to connect to the collector,identifying at least one authentication exchange packet from packets traversing on the networked environment;

extracting a first user ID and a first network address from the authentication exchange packet;

filtering packets traversing on the network environment that each have a network address equivalent to the first network address; and

at the collector, associating packets found in the filtering with the user information having a user name attribute equivalent to the first user ID.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A solution is provided for associating network traffic traversing on a networked environment according to a selected category item, such as a user name or other network entity identity-related information, by using a monitor device. The solution includes: obtaining user information from the directory service by obtaining at least one set of user object attributes from the directory service; identifying at least one authentication exchange packet from packets traversing on the networked environment; extracting a user ID and a network address from the authentication exchange packet; filtering or selecting packets traversing on the network environment that each have a network address equivalent to the extracted network address; and associating packets that were selected with user information having a name attribute equivalent to the extracted user ID.

66 Citations

View as Search Results

57 Claims

1. A computer implemented method for associating packets according to user information defined in a directory service available through a networked environment, the networked environment providing an authentication service and a name service and including at least one client, the method comprising:
- at a collector, obtaining user information from the directory service by obtaining at least one user object attribute set from the directory service, the directory service maintaining a directory of objects in a hierarchical framework, each of the objects representing a network entity and one or more attributes of the network entity, the hierarchical framework categorizing each of the objects as one of;
  
  a resource;
  
  a service; and
  
  a person;
  
  at a monitor configured to connect to the collector,identifying at least one authentication exchange packet from packets traversing on the networked environment;
  
  extracting a first user ID and a first network address from the authentication exchange packet;
  
  filtering packets traversing on the network environment that each have a network address equivalent to the first network address; and
  
  at the collector, associating packets found in the filtering with the user information having a user name attribute equivalent to the first user ID.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising:
    - validating the first user ID and first network address; and
      
      performing the filtering and the associating only if the first user ID and the first network address are found valid in the validating.
  - 3. The method of claim 1, further comprising:
    - validating the first user ID; and
      
      performing the filtering and the associating only if the first user ID is found valid in the validating.
  - 4. The method of claim 1, wherein the associating packets enables the monitoring of packets generated by a real user that corresponds to the user information having the user name attribute equivalent to the first user ID.
  - 5. The method of claim 1, wherein the obtaining user information further comprises:
    - storing the at least one user object attribute set in a memory store.
  - 6. The method of claim 1, wherein each of the at least one user object attribute set includes a user name attribute.
  - 7. The method of claim 6, wherein the each of the at least one user object attribute set further comprises a group ID attribute and organizational unit attribute corresponding to a real user for whom a user object has been created in the directory service.
  - 8. The method of claim 1, wherein the associating packets includes assigning a unique index to the packets found and to one of the at least one user object attribute set having the user name attribute.
  - 9. The method of claim 1, wherein the validating includes determining whether the first user ID includes a user name that matches a user name attribute from one of the user object attribute set, and if the match is found, finding the first user ID valid.
  - 10. The method of claim 1, wherein the validating further comprises determining whether a user account is logged on to a client that sent the authentication exchange packet.
  - 11. The method of claim 10, wherein the determining comprises:
    - using the first network address in a hostname request; and
      
      sending the host name request to the name service.
  - 12. The method of claim 11, wherein the determining further comprises:
    - receiving a hostname from the name service and using the first user ID in a user account query;
      
      sending the user account query to a client having the hostname; and
      
      finding the first network address valid if the client responds with a user account that includes a user name equivalent to the first user ID.
  - 13. The method of claim 12, wherein the sending the user account query includes using the SMB protocol.
  - 14. The method of claim 1, wherein the authentication service uses the Kerberos protocol during network authentication and the first user ID is in the form of a Kerberos principal name.
  - 15. The method of claim 1, wherein the extracting further comprisesextracting a second user ID and a second network address from another authentication exchange packet;
    - andassociating packets found in the filtering with the user information having a user name attribute equivalent to the second user ID.
  - 16. The method of claim 1, wherein the first network address is a destination network address if the authentication exchange packet is an authentication exchange response packet.

17. A system for associating packets according to user information defined in a directory service available through a networked environment, the networked environment providing an authentication service and a name service and including at least one client, the system comprising:
- a memory;
  
  a monitor configured to receive packets traversing through the networked environment;
  
  a collector configured to connect to the monitor and the networked environment, the collector configured to obtain user information from the directory service by obtaining at least one user object attribute set from the directory service, the directory service maintaining a directory of objects in a hierarchical framework, each of the objects representing a network entity and one or more attributes of the network entity, the hierarchical framework categorizing each of the objects as one of;
  
  a resource;
  
  a service; and
  
  a person;
  
  wherein the monitor is configured to;
  
  identify at least one authentication exchange packet from the packets;
  
  extract a first user ID and a first network address from the authentication exchange packet; and
  
  filter packets from the packets that each have a network address equivalent to the first network address; and
  
  wherein the collector is configured to associate packets filtered by the monitor with one of the at least one user object attribute set having a user name attribute equivalent to the first user ID.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 18. The system of claim 17, further comprising a memory store for storing the user information and the filtered packets having the network address.
  - 19. The system of claim 18, wherein the memory store comprises a database server accessible using the networked environment.
  - 20. The system of claim 18, further comprising a means for responding to a client query requesting packets associated with the user name, the means for responding having access to the memory store.
  - 21. The system of claim 17, wherein the monitor comprises a packet processing engine having at least one network port configured to couple to the networked environment.
  - 22. The system of claim 21, wherein the collector comprises a first computing device and the monitor further comprises a second computer device coupled to the packet processing engine and the first computing device.
  - 23. The system of claim 17, wherein the networked environment comprises a network tap configured to send the packets to the monitor without impeding the routing of the packets on the networked environment.
  - 24. The system of claim 17, wherein the networked environment comprises a network switch having a span port.
  - 25. The system of claim 17, wherein the networked environment comprises a network switch having a mirror port.
  - 26. The system of claim 17, whereinthe collector is configured to validate the first user ID and first network address;
    - andthe monitor is configured to perform the filtering and the collector is configured to perform the associating only if the collector finds the first user ID and the first network address valid.
  - 27. The system of claim 17, whereinthe collector is configured to validate the first user ID;
    - andthe monitor is configured to perform the filtering and the collector is configured to perform the associating only if the collector finds the first user ID valid.
  - 28. The system of claim 17, wherein:
    - the monitor is further configured to extract a second user ID and a second network address from another authentication exchange packet, and filter packets from the packets that each have a network address equivalent to the second network address; and
      
      the second network address is a destination network address if the authentication exchange packet is in the form of an authentication exchange response packet.

29. A system for associating packets according to user information defined in a directory service used in a networked environment, the networked environment providing an authentication service and a name service, the system comprising:
- a monitor that includes means for receiving packets traversing through the networked environment;
  
  a collector configured to connect to the monitor and the networked environment, the collector having a means for processing user information from the directory service by obtaining at least one user object attribute set from the directory service, the directory service maintaining a directory of objects in a hierarchical framework, each of the objects representing a network entity and one or more attributes of the network entity, the hierarchical framework categorizing each of the objects as one of;
  
  a resource;
  
  a service; and
  
  a person;
  
  wherein the monitor further comprises a means for identifying at least one authentication exchange packet from the received packets, a means for extracting a user ID and a first network address from the authentication exchange packet, and a means for filtering packets from the received packets that each have a network address equivalent to the first network address; and
  
  wherein the collector further comprises a means for associating packets filtered by the means for filtering with one of the at least one user object attribute set having a user name attribute equivalent to the user ID.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36)
- - 30. The system of claim 29, further including a memory for storing the user information and the filtered packets having the network address.
  - 31. The system of claim 29, further comprising a means for responding to a client query seeking packets associated with the user name, the means for responding having access to the memory store.
  - 32. The system of claim 29, whereinthe monitor further comprises a packet processing engine having a first network interface configured to couple to the networked environment and a second network interface;
    - andthe collector further comprises a third network interface coupled to the second network interface.
  - 33. The system of claim 32, wherein the coupling of the third network interface and the second network interface comprises a computer network.
  - 34. The system of claim 29, wherein the collector comprises a first computing device and the monitor further comprises a second computer device coupled to the packet processing engine and the first computing device.
  - 35. The system of claim 29, whereinthe collector is configured to validate the user ID and first network address;
    - andthe monitor is configured to perform the filtering and the collector is configured to perform the associating only if the collector finds the user ID and the first network address valid.
  - 36. The system of claim 29, whereinthe collector is configured to validate the user ID;
    - andthe monitor is configured to perform the filtering and the collector is configured to perform the associating only if the collector finds the user ID valid.

37. A system for associating packets according to user information defined as part of a networked environment, the system comprising:
- a networked environment having at least one client, a database server and a plurality of network services, including a directory service, an authentication service, and a name service, and wherein the user information is maintained by the directory service;
  
  a monitor configured to receive packets traversing through the networked environment;
  
  a collector coupled to the monitor and the networked environment, the directory service maintaining a directory of objects in a hierarchical framework, each of the objects representing a network entity and one or more attributes of the network entity, the hierarchical framework categorizing each of the objects as one of;
  
  a resource;
  
  a service; and
  
  a person;
  
  a collector coupled to the monitor and the networked environment;
  
  wherein the monitor is configured to;
  
  identify an authentication exchange packet from the packets received, the authentication exchange packet having a user ID and network address;
  
  identify packets received that have the network address; and
  
  send the packets identified to the collector; and
  
  wherein the collector is configured to;
  
  obtain user information corresponding to the user ID by querying the directory service using the user ID; and
  
  associate the packets identified with the user information.
- View Dependent Claims (38, 39, 40, 41)
- - 38. The system of claim 37, wherein the monitor comprises a packet processing engine having at least one network port configured to couple to the networked environment and to receive the packets traversing through the networked environment.
  - 39. The system of claim 38, wherein the collector and the monitor are each implemented using a general purpose computing device, respectively.
  - 40. The system of claim 37, wherein:
    - the collector and the monitor are implemented using a single general purpose computing device; and
      
      the computing device, comprises a first network interface configured to receive the packets traversing through the networked environment, and a second network interface configured to couple to a computer network of the networked environment.
  - 41. The system of claim 37, whereinthe collector is configured to validate the user ID;
    - andthe monitor is configured to identify the packets received and the collector is configured to associate the packets identified only if the collector finds the user ID valid.

42. A computer program embodied on at least one computer-readable medium for executing a method for associating packets according to user information defined in a directory service available through a networked environment, the networked environment providing an authentication service and a name service and including at least one client, the method comprising:
- at a collector, obtaining user information from the directory service by obtaining at least one user object attribute set from the directory service, the directory service maintaining a directory of objects in a hierarchical framework, each of the objects representing a network entity and one or more attributes of the network entity, the hierarchical framework categorizing each of the objects as one of;
  
  a resource;
  
  a service; and
  
  a person;
  
  at a monitor configured to connect to the collector,identifying at least one authentication exchange packet from packets traversing on the networked environment;
  
  extracting a first user ID and a first network address from the authentication exchange packet; and
  
  selecting packets traversing on the network environment that each have a network address equivalent to the first network address; and
  
  at the collector, associating packets found in the selecting with the user information having a user name attribute equivalent to the first user ID.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57)
- - 43. The computer program of claim 42, further comprising:
    - validating the first user ID and first network address; and
      
      performing the selecting and the associating only if the first user ID and the first network address are found valid in the validating.
  - 44. The computer program of claim 42, further comprising:
    - validating the first user ID; and
      
      performing the selecting and the associating only if the first user ID is found valid in the validating.
  - 45. The computer program of claim 42, wherein the associating packets enables the monitoring of packets generated by a real user that corresponds to the user information having the user name attribute equivalent to the first user ID.
  - 46. The computer program of claim 42, wherein the processing further comprises:
    - storing the at least one user object attribute set in a memory store.
  - 47. The computer program of claim 42, wherein each of the at least one user object attribute set include the user name attribute.
  - 48. The computer program of claim 47, wherein the each of the at least one user object attribute set further comprises a group ID attribute and organizational unit attribute that both correspond to a real user for whom a user object has been created in the directory service.
  - 49. The computer program of claim 47, wherein the associating packets includes assigning a unique index to the packets found and to one of the at least one user object attribute set having the user name attribute.
  - 50. The computer program of claim 42, wherein the validating includes determining whether the first user ID includes a user name that matches a user name attribute from one of the user object attribute set, and if the match is found, finding the first user ID valid.
  - 51. The computer program of claim 42, wherein the validating further comprises determining whether a real user is logged on to a client that sent the authentication exchange packet.
  - 52. The computer program of claim 51, wherein the determining comprises:
    - using the first network address in a hostname request; and
      
      sending the hostname request to the name service.
  - 53. The computer program of claim 52, wherein the determining further comprises:
    - receiving a hostname from the name service and using the first user ID in a user account query;
      
      sending the user account query to a client having the hostname; and
      
      finding the first network address valid if the client responds with a user account that includes a user name equivalent to the first user ID.
  - 54. The computer program of claim 53, wherein the sending the user account query includes using the SMB protocol.
  - 55. The computer program of claim 42, wherein the authentication service uses the Kerberos protocol during network authentication and the first user ID is in the form of a Kerberos principal name.
  - 56. The computer program of claim 42, wherein the first network address is a destination network address and the authentication exchange packet is an authentication exchange response packet.
  - 57. The computer program of claim 42, whereinthe extracting further comprises extracting a second user ID and a second network address from another authentication exchange packet;
    - andassociating packets found in the selecting with the user information having a user name attribute equivalent to the second user ID.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
PacketMotion Incorporated (Broadcom, Inc.)
Inventors
Erlund, Maxine R., John, Pramod, Chen, Tsehua A., Christensen, Mitchell T.
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US11/398,014
Publication Number

US 20060179141A1
Time in Patent Office

1,862 Days
Field of Search

726/4, 726/3, 726/2
US Class Current

726/4
CPC Class Codes

G06F 16/00   Information retrieval; Data...

H04L 61/4523   using lightweight directory...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 67/535   Tracking the activity of th...

Monitoring network traffic by using a monitor device

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

57 Claims

Specification

Use Cases

Quick Links

Others

Monitoring network traffic by using a monitor device

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

57 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others