Network analysis system and method
First Claim
Patent Images
1. A packet-based network analysis system, comprising:
- a correlator processor configured to;
receive from a plurality of capture devices packet records corresponding to packets communicated over a network and store the packet records in a data store, each packet record generated by a capture device in response to the capture device receiving a packet communicated over the network and having a timestamp corresponding to a time the capture device received the packet;
determine if a received packet record received by a first capture device at a particular time corresponds to a retransmitted packet and/or a duplicate packet by comparing the received packet record to the packet records stored in the data store, wherein;
determining the received packet record received by the first capture device at the particular time corresponds to a retransmitted packet comprises determining that the received packet record has been previously received by the first capture device prior to the particular time and previously stored in the data store as a packet record; and
determining the received packet record received by the first capture device at the particular time corresponds to a duplicate packet comprises determining that;
the received packet record has been received by a second capture device and is stored in the data store as a packet record; and
the received packet record has not previously been received by the first capture device prior to the particular time;
in response to determining that the received packet record corresponds to a retransmitted packet based on the comparison of the received packet record to a packet record stored in the data store, classify the packet record stored in the data store as a retransmitted packet record;
in response to determining that the received packet record corresponds to a duplicate packet based on a comparison of the received packet record to a packet record stored in the data store;
designate the second capture device as a master capture device;
calculate and store a timing offset between the master capture device and the first capture device from the timestamp of the received packet record received by the first capture device corresponding to the duplicate packet and the timestamp of the received packet record received by the second capture device only when the received packet record received by the first capture device corresponds to only a duplicate packet record; and
apply the timing offset to the timestamps of subsequent packet records received by the first capture device to timestamp synchronize packet records received by the first capture device to the master capture device only when the received packet record received by the first capture device corresponds to only a duplicate packet record; and
discard the received packet record and classify the packet record stored in the data store as a duplicate packet record; and
generate correlated packet records from the packet records stored in the data store, the correlated packet records representative of the order in which the packets were transmitted in the network;
wherein;
determining a received packet record received by the first capture device that corresponds to a retransmitted packet further corresponds to a duplicate packet record by determining that the received packet record has been previously received by the first capture device and previously stored in the data store as a packet record and has been previously received by a second capture device, wherein a timing offset is not applied to the retransmitted packet that further corresponds to a duplicate packet.
1 Assignment
0 Petitions
Accused Products
Abstract
A system for analyzing a packet-based network includes a correlator processor that is configured to receive packet records corresponding to packets communicated over a network and store the packet records in a data store. The correlator processor is also configured to generate correlated packet records from the packet records stored in the data store, the correlated packet records representative of the order in which the packets were transmitted in the network.
75 Citations
15 Claims
-
1. A packet-based network analysis system, comprising:
-
a correlator processor configured to; receive from a plurality of capture devices packet records corresponding to packets communicated over a network and store the packet records in a data store, each packet record generated by a capture device in response to the capture device receiving a packet communicated over the network and having a timestamp corresponding to a time the capture device received the packet; determine if a received packet record received by a first capture device at a particular time corresponds to a retransmitted packet and/or a duplicate packet by comparing the received packet record to the packet records stored in the data store, wherein; determining the received packet record received by the first capture device at the particular time corresponds to a retransmitted packet comprises determining that the received packet record has been previously received by the first capture device prior to the particular time and previously stored in the data store as a packet record; and determining the received packet record received by the first capture device at the particular time corresponds to a duplicate packet comprises determining that; the received packet record has been received by a second capture device and is stored in the data store as a packet record; and the received packet record has not previously been received by the first capture device prior to the particular time; in response to determining that the received packet record corresponds to a retransmitted packet based on the comparison of the received packet record to a packet record stored in the data store, classify the packet record stored in the data store as a retransmitted packet record; in response to determining that the received packet record corresponds to a duplicate packet based on a comparison of the received packet record to a packet record stored in the data store; designate the second capture device as a master capture device; calculate and store a timing offset between the master capture device and the first capture device from the timestamp of the received packet record received by the first capture device corresponding to the duplicate packet and the timestamp of the received packet record received by the second capture device only when the received packet record received by the first capture device corresponds to only a duplicate packet record; and apply the timing offset to the timestamps of subsequent packet records received by the first capture device to timestamp synchronize packet records received by the first capture device to the master capture device only when the received packet record received by the first capture device corresponds to only a duplicate packet record; and discard the received packet record and classify the packet record stored in the data store as a duplicate packet record; and generate correlated packet records from the packet records stored in the data store, the correlated packet records representative of the order in which the packets were transmitted in the network; wherein; determining a received packet record received by the first capture device that corresponds to a retransmitted packet further corresponds to a duplicate packet record by determining that the received packet record has been previously received by the first capture device and previously stored in the data store as a packet record and has been previously received by a second capture device, wherein a timing offset is not applied to the retransmitted packet that further corresponds to a duplicate packet. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A correlator processor for analyzing packet transmissions in a packet-based network, the correlator processor comprising:
-
a data store; a communication subsystem; and a processing subsystem in data communication with the communication subsystem and the data store; wherein the correlator processor is configured to; receive from a plurality of capture devices packet records corresponding to packets communicated over a network and store the packet records in a data store, each packet record generated by a capture device in response to the capture device receiving a packet communicated over the network; and generate correlated packet records from the packet records stored in the data store, the correlated packet records comprising hop data and timing data representative of the packet path and packet transmission times in the network for each corresponding packet, the correlated packet records filtered of duplicate packet records for duplicate packet transmissions and duplicate packet retransmissions; wherein the correlator processor is configured to; determine if a received packet record received by a first capture device at a particular time corresponds to a retransmitted packet and/or a duplicate packet by comparing the received packet record to the packet records stored in the data store, wherein; determining the received packet record received by the first capture device at the particular time corresponds to a retransmitted packet comprises determining that the received packet record has been previously received by the first capture device prior to the particular time and previously stored in the data store as a packet record; and determining the received packet record received by the first capture device at the particular time corresponds to a duplicate packet comprises determining the received packet record has been received by a second capture device and is stored in the data store as a packet record; and the received packet record has not previously been received by the first capture device prior to the particular time; in response to determining that the received packet record corresponds to a retransmitted packet based on the comparison of the received packet record to a packet record stored in the data store, classify the packet record stored in the data store as a retransmitted packet record; in response to determining that the received packet record corresponds to a duplicate packet based on a comparison of the received packet record to a packet record stored in the data store, discard the received packet record; thereby filtering the packet records for duplicate packet transmissions and duplicate packet retransmissions; wherein; each packet record generated by a capture device in response to the capture device receiving a packet communicated over the network includes a timestamp corresponding to a time the capture device received the packet; and the correlator processor is further configured to; designate the second capture device as a master capture device; calculate and store a timing offset between the master capture device and the first capture device from the timestamp of the received packet record received by the first capture device corresponding to a duplicate packet record and the timestamp of the received packet record received by the second capture device only when the received packet record received by the first capture device corresponds to only a duplicate packet record; and apply the timing offset to the timestamps of subsequent packet records received by the first capture device to timestamp synchronize packet records received by the first capture device to the master capture device; determine a received packet record by the first capture device that corresponds to a retransmitted packet further corresponds to a duplicate packet record by determining that the received packet record has been previously received by the first capture device and previously stored in the data store as a packet record and has been previously received by a second capture device, wherein a timing offset is not applied to the retransmitted packet that further corresponds to a duplicate packet.
-
-
14. A computer implemented method for analyzing a packet-based network, comprising:
-
receiving from a plurality of capture devices packet records corresponding to packets communicated over the network and storing the packet records, each packet record generated by a capture device in response to the capture device receiving a packet communicated over the network; determining if a received packet record received by a first capture device at a particular time corresponds to a retransmitted packet and/or a duplicate packet by comparing the received packet record to the packet records stored in the data store, wherein; determining the received packet record received by the first capture device at the particular time corresponds to a retransmitted packet comprises determining that the received packet record has been previously received by the first capture device prior to the particular time and previously stored in the data store as a packet record; determining the received packet record received by the first capture device at the particular time corresponds to a duplicate packet comprises determining that; the received packet record has been received by a second capture device and is stored in the data store as a packet record; and the received packet record has not previously been received by the first capture device prior to the particular time; in response to determining that the received packet record corresponds to a retransmitted packet based on the comparison of the received packet record to a packet record stored in the data store, classify the packet record stored in the data store as a retransmitted packet record; in response to determining that the received packet record corresponds to a duplicate packet based on a comparison of the received packet record to a packet record stored in the data store, discard the received packet record; and generating correlated packet records from the stored packet records, the correlated packet records representative of the order in which the packets were transmitted in the network; wherein; each packet record generated by a capture device in response to the capture device receiving a packet communicated over the network includes a timestamp corresponding to a time the capture device received the packet; and further comprising; designating the second capture device as a master capture device; calculating and storing a timing offset between the master capture device and the first capture device from the timestamp of the received packet record corresponding to a duplicate packet record received by the first capture device and the timestamp of the received packet record received by the second capture device only when the received packet record received by the first capture device corresponds to only a duplicate packet record; and apply the timing offset to the timestamps of subsequent packet records received by the first capture device to timestamp synchronize packet records received by the first capture device to the master capture device; determining a received packet record by the first capture device that corresponds to a retransmitted packet further corresponds to a duplicate packet record by determining that the received packet record has been previously received by the first capture device and previously stored in the data store as a packet record and has been previously received by a second capture device, wherein a timing offset is not applied to the retransmitted packet that further corresponds to a duplicate packet. - View Dependent Claims (15)
-
Specification