Packet structure for mirrored traffic flow

US 8,116,307 B1
Filed: 09/23/2004
Issued: 02/14/2012
Est. Priority Date: 09/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

with a network device, intercepting packets of a network flow associated with a network user;

with the network device, forming routable packets that contain the intercepted packets;

embedding user information within the routable packets that identifies the network user;

embedding information within the routable packets that identifies an interface of an intercept device used to intercept the packets associated with the network user, wherein the information comprises session information unique to a session associated with the network user; and

forwarding the routable packets through a network to an analyzer.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network traffic associated with a user is lawfully intercepted by mirroring data packets flowing to and from the user for which interception has been designated. A unique packet structure enables analysis of mirrored data packets of any network type. In one implementation, a packet structure comprises routable packets that encapsulate the mirrored packet stream. The routable packet structure may be formed by prepending a correlation header to each mirrored packet. The correlation header includes a routing header to allow the mirrored packets to be transportable across the public Internet. In addition, an intercept header may be embedded within the correlation header to easily support various analyzer-specific implementations. The intercept header may include a version field that is extensible for the various analyzer implementations.

209 Citations

50 Claims

1. A method comprising:
- with a network device, intercepting packets of a network flow associated with a network user;
  
  with the network device, forming routable packets that contain the intercepted packets;
  
  embedding user information within the routable packets that identifies the network user;
  
  embedding information within the routable packets that identifies an interface of an intercept device used to intercept the packets associated with the network user, wherein the information comprises session information unique to a session associated with the network user; and
  
  forwarding the routable packets through a network to an analyzer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein forming routable packets comprises forming the routable packets to contain the intercepted packets within payloads of the routable packets.
  - 3. The method of claim 1, wherein forming routable packets comprises prepending a header to each of the intercepted packets to form a respective one of the routable packets.
  - 4. The method of claim 3, wherein the header comprises a correlation header and wherein prepending the correlation header comprises prepending a routing header and an intercept header.
  - 5. The method of claim 4, wherein the routing header comprises a User Datagram Protocol/Internet Protocol (UDP/IP) header and the intercept header comprises an analyzer-specific header.
  - 6. The method of claim 1, wherein intercepting packets comprises intercepting packets that conform to the second layer (L2) of the Open System Interconnection (OSI) model.
  - 7. The method of claim 6, wherein forming routable packets comprises associating forwarding information with each of the intercepted packets to form the routable packets that conform to a layer higher than the second layer of the OSI model.
  - 8. The method of claim 7, wherein the routable packets conform to the third layer (L3) of the OSI model.
  - 9. The method of claim 7, wherein the forwarding information includes a network address for the analyzer.
  - 10. The method of claim 1, further comprising embedding analysis information within the routable packets for use by the analyzer.
  - 11. The method of claim 1, wherein the interface comprises one of an asynchronous transfer mode (ATM) interface, a Layer 2 Tunneling Protocol (L2TP) session interface, a Fast Ethernet interface, a Gigabit Ethernet interface, a serial interface or an Internet Protocol (IP) interface.
  - 12. The method of claim 1, further comprising embedding version information within the routable packets, wherein the version information identifies an analyzer type associated with the analyzer.
  - 13. The method of claim 1, wherein intercepting packets comprises copying the packets associated with the network flow to produce mirrored packets.
  - 14. The method of claim 1, further comprising;
    - receiving with a router an intercept request issued by an authentication device, wherein the intercept request identifies the network user; and
      
      intercepting the packets associated with the network user in response to the intercept request.
  - 15. The method of claim 14, wherein receiving with a router an intercept request comprises receiving the intercept request from a Remote Authentication Dial-In User Service (RADIUS) server.
  - 16. The method of claim 14, wherein the intercept request specifies a network address associated with the analyzer.
  - 17. The method of claim 14, wherein the intercept request specifies a network session associated with the user.
  - 18. The method of claim 1, wherein intercepting the packets comprises intercepting the packets with a broadband remote access server (BRAS).
  - 19. The method of claim 1, wherein intercepting the packets comprises intercepting the packets with a router.

20. A network device comprising a mirroring module that intercepts packets of a network flow associated with a network user, and forwards routable packets that contain the intercepted packets through a network to an analyzer,wherein the mirroring module forms each of the routable packets to include a header that comprises:
- an interception identifier field that identifies the network user; and
  
  an account session field that identifies an interface of the network device from which the packets were intercepted, wherein the account session field comprises a session unique portion of an account session identification integer.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 21. The network device of claim 20, wherein the mirroring module forms the routable packets to contain the intercepted packets within payloads of the routable packets.
  - 22. The network device of claim 20, wherein the mirroring module prepends the header to each of the intercepted packets to form a respective one of the routable packets.
  - 23. The network device of claim 22, wherein the header comprises a correlation header that includes a routing header and an intercept header.
  - 24. The network device of claim 23, wherein the routing header comprises a User Datagram Protocol/Internet Protocol (UDP/IP) header and the intercept header comprises an analyzer-specific header.
  - 25. The network device of claim 20, wherein the intercepted packets conform to the second layer (L2) of the Open System Interconnection (OSI) model.
  - 26. The network device of claim 25, wherein the mirroring module associates forwarding information with each of the intercepted packets to form the routable packets that conform to a layer higher than the second layer of the OSI model.
  - 27. The network device of claim 26, wherein the routable packets conform to the third layer (L3) of the OSI model.
  - 28. The network device of claim 26, wherein the forwarding information includes a network address for the analyzer.
  - 29. The network device of claim 20, wherein the mirroring module embeds analysis information within the routable packets for use by the analyzer.
  - 30. The network device of claim 20, wherein the mirroring module embeds user information within the routable packets, wherein the user information identifies the network user.
  - 31. The network device of claim 20, further comprising an interface that receives the network flow and intercepts the packets, wherein the mirroring module embeds information within the routable packets that identifies the interface.
  - 32. The network device of claim 31, wherein the interface comprises one of an asynchronous transfer mode (ATM) interface, a Layer 2 Tunneling Protocol (L2TP) session interface, a Fast Ethernet interface, a Gigabit Ethernet interface, a serial interface or an Internet Protocol (IP) interface.
  - 33. The network device of claim 20, wherein the mirroring module embeds version information within the routable packets, wherein the version information identifies an analyzer type associated with the analyzer.
  - 34. The network device of claim 20, wherein the mirroring module copies the packets associated with the network flow to produce mirrored packets.
  - 35. The network device of claim 20, wherein the network device comprises a broadband remote access server (BRAS).
  - 36. The network device of claim 20, wherein the network device comprises a router.
  - 37. The network device of claim 36, wherein the router includes an authentication module that receives an intercept request issued by an authentication device, wherein the intercept request identifies the network user.
  - 38. The network device of claim 37, wherein the router intercepts the packets associated with the network user in response to the intercept request.
  - 39. The network device of claim 37, wherein the router receives the intercept request from a Remote Authentication Dial-In User Service (RADIUS) server.
  - 40. The network device of claim 37, wherein the intercept request specifies a network address associated with the analyzer.
  - 41. The network device of claim 37, wherein the intercept request specifies a network session associated with the user.
  - 42. The network device of claim 20, further comprising a control unit that maintains routing information in accordance with a topology of a network, wherein the control unit forwards the routable packets to the analyzer in accordance with the routing information.
  - 43. The network device of claim 20, wherein the header further comprises:
    - a destination field that identifies a network address associated with the analyzer; and
      
      a version field that includes analyzer-specific information.

44. A network device comprising:
- a mirroring module that intercepts packets of a network flow associated with a network user, and forms routable packets that contain the intercepted packets,wherein the mirroring module forms each of the routable packets to include a header that comprises;
  
  a destination field that identifies a network address associated with an analyzer;
  
  an interception identifier field that identifies the network user;
  
  a version field that includes analyzer-specific information; and
  
  an account session field that identifies an interface of the network device from which the packets were intercepted, wherein the account session field comprises a session unique portion of an account session identification integer.

45. A non-transitory computer readable medium comprising a packet generated by a network device from a network flow associated with a network user, wherein the packet comprises:
- a destination field that directs a router to forward the packet to an analyzer;
  
  an interception identifier field that identifies the network user;
  
  a version field that controls analysis of the packet by the analyzer; and
  
  an account session field that identifies an interface of the network device from which the packets were intercepted, wherein the account session field comprises a session unique portion of an account session identification integer.

46. A non-transitory computer-readable medium comprising instructions to cause a programmable processor to:
- intercept packets of a network flow associated with a network user;
  
  form routable packets that contain the intercepted packets;
  
  embed user information within the routable packets that identifies the network user;
  
  embed information within the routable packets that identifies an interface of an intercept device used to intercept the packets associated with the network user, wherein the information comprises session information unique to a session associated with the network user; and
  
  forward the routable packets through a network to an analyzer.
- View Dependent Claims (47, 48, 49, 50)
- - 47. The non-transitory computer-readable medium of claim 46, wherein the instructions cause the programmable processor to form the routable packets to contain the intercepted packets within payloads of the routable packets.
  - 48. The non-transitory computer-readable medium of claim 46, wherein the instructions cause the programmable processor to prepend a header to each of the intercepted packets to form a respective one of the routable packets.
  - 49. The non-transitory computer-readable medium of claim 46, wherein the instructions cause the programmable processor to:
    - intercept packets that conform to the second layer (L2) of the Open System Interconnection (OSI) model; and
      
      associate forwarding information with each of the intercepted packets to form the routable packets that conform to a layer higher than the second layer of the OSI model.
  - 50. The non-transitory computer-readable medium of claim 49, wherein the routable packets conform to the third layer (L3) of the OSI model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Harkness, Derek, Thesayi, Suresh, Waclawik, Jim
Primary Examiner(s)
Tsang, Fan
Assistant Examiner(s)
King, Simon

Application Number

US10/948,072
Time in Patent Office

2,700 Days
Field of Search

726/22, 709/246, 709/203, 709/227, 709/238, 370/409, 370/389, 370/471, 370/474
US Class Current

370/389
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 45/00   Routing or path finding of ...

H04L 63/162   at the data link layer

H04L 63/164   at the network layer

H04L 63/306   intercepting packet switche...

H04L 69/22   Parsing or analysis of headers

Packet structure for mirrored traffic flow

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

209 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Packet structure for mirrored traffic flow

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

209 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links