Packet structure for mirrored traffic flow
Abstract
Network traffic associated with a user is lawfully intercepted by mirroring data packets flowing to and from the user for which interception has been designated. A unique packet structure enables analysis of mirrored data packets of any network type. In one implementation, a packet structure comprises routable packets that encapsulate the mirrored packet stream. The routable packet structure may be formed by prepending a correlation header to each mirrored packet. The correlation header includes a routing header to allow the mirrored packets to be transportable across the public Internet. In addition, an intercept header may be embedded within the correlation header to easily support various analyzer-specific implementations. The intercept header may include a version field that is extensible for the various analyzer implementations.
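The encapsulation described in the abstract, with the header fields named in claims 44 and 45, sketched as an added example that is not taken from the patent or from any vendor implementation. The page gives no field widths or transport, so the IPv4 + UDP routing header, the 2/30/32-bit intercept header split, the port number and the function names are all assumptions made for illustration.

```python
import socket
import struct

# Assumed layout (the page gives no field widths): IPv4 + UDP routing header,
# then an 8-byte intercept header: 2-bit version, 30-bit interception ID,
# 32-bit account session field.
INTERCEPT_HDR = struct.Struct("!II")
MIRROR_PORT = 40000        # hypothetical UDP port the analyzer listens on
SUPPORTED_VERSIONS = {0}   # hypothetical versions this analyzer understands

def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(mirrored, src_ip, analyzer_ip, intercept_id, acct_session, version=0):
    """Prepend the correlation header (routing + intercept) to one mirrored packet."""
    if not 0 <= version < 4 or not 0 <= intercept_id < 1 << 30:
        raise ValueError("version or interception ID out of range")
    if len(mirrored) > 65535 - 36:
        raise ValueError("mirrored packet too large to encapsulate unfragmented")
    # Keep only the low 32 bits as the "session unique portion" (assumption).
    intercept = INTERCEPT_HDR.pack(version << 30 | intercept_id, acct_session & 0xFFFFFFFF)
    udp_len = 8 + len(intercept) + len(mirrored)
    udp = struct.pack("!HHHH", MIRROR_PORT, MIRROR_PORT, udp_len, 0)  # UDP checksum unused
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(analyzer_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + intercept + mirrored

def decapsulate(packet: bytes) -> dict:
    """Analyzer side: validate the routing header, then recover the intercept fields."""
    if len(packet) < 36 or packet[0] != 0x45 or packet[9] != 17:
        raise ValueError("not an IPv4/UDP mirror packet")
    if ipv4_checksum(packet[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if struct.unpack_from("!H", packet, 2)[0] != len(packet):
        raise ValueError("length field does not match received bytes")
    word, session = INTERCEPT_HDR.unpack_from(packet, 28)
    if word >> 30 not in SUPPORTED_VERSIONS:
        raise ValueError("unsupported intercept header version")
    return {"analyzer": socket.inet_ntoa(packet[16:20]), "version": word >> 30,
            "intercept_id": word & 0x3FFFFFFF, "session": session,
            "mirrored": packet[36:]}

# Constructed sample: a stand-in for one intercepted frame of any network type.
SAMPLE = bytes.fromhex("ffffffffffff0200000000010800") + b"constructed payload"
```

Because the mirrored packet is carried as an opaque payload behind the intercept header, the analyzer recovers it byte for byte regardless of the original network type, and it rejects versions it does not understand instead of misparsing them.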
50 Claims
1. A method comprising:
- with a network device, intercepting packets of a network flow associated with a network user;
- with the network device, forming routable packets that contain the intercepted packets;
- embedding user information within the routable packets that identifies the network user;
- embedding information within the routable packets that identifies an interface of an intercept device used to intercept the packets associated with the network user, wherein the information comprises session information unique to a session associated with the network user; and
- forwarding the routable packets through a network to an analyzer.
Dependent claims: 2-19.
20. A network device comprising a mirroring module that intercepts packets of a network flow associated with a network user, and forwards routable packets that contain the intercepted packets through a network to an analyzer,
wherein the mirroring module forms each of the routable packets to include a header that comprises:
- an interception identifier field that identifies the network user; and
- an account session field that identifies an interface of the network device from which the packets were intercepted, wherein the account session field comprises a session unique portion of an account session identification integer.
Dependent claims: 21-43.
44. A network device comprising:
a mirroring module that intercepts packets of a network flow associated with a network user, and forms routable packets that contain the intercepted packets, wherein the mirroring module forms each of the routable packets to include a header that comprises:
- a destination field that identifies a network address associated with an analyzer;
- an interception identifier field that identifies the network user;
- a version field that includes analyzer-specific information; and
- an account session field that identifies an interface of the network device from which the packets were intercepted, wherein the account session field comprises a session unique portion of an account session identification integer.
45. A non-transitory computer readable medium comprising a packet generated by a network device from a network flow associated with a network user, wherein the packet comprises:
- a destination field that directs a router to forward the packet to an analyzer;
- an interception identifier field that identifies the network user;
- a version field that controls analysis of the packet by the analyzer; and
- an account session field that identifies an interface of the network device from which the packets were intercepted, wherein the account session field comprises a session unique portion of an account session identification integer.
46. A non-transitory computer-readable medium comprising instructions to cause a programmable processor to:
- intercept packets of a network flow associated with a network user;
- form routable packets that contain the intercepted packets;
- embed user information within the routable packets that identifies the network user;
- embed information within the routable packets that identifies an interface of an intercept device used to intercept the packets associated with the network user, wherein the information comprises session information unique to a session associated with the network user; and
- forward the routable packets through a network to an analyzer.
Dependent claims: 47-50.
Specification