Packet structure for mirrored traffic flow

US 8,537,818 B1
Filed: 02/03/2012
Issued: 09/17/2013
Est. Priority Date: 09/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by an analyzer, routable packets from an intercept device, wherein the routable packets contain packets intercepted from a network flow associated with a network user, wherein each of the routable packets includes a header prepended to a respective intercepted packet by the intercept device to form the routable packets;

extracting the intercepted packets from the routable packets by removing the header;

by the analyzer, processing the header to obtain information from the header, wherein the header includes user information that identifies the network user, wherein the header identifies an interface of the intercept device used to intercept the packets associated with the network user, and wherein the header includes session information unique to a session associated with the network user; and

after processing the header, analyzing, by the analyzer, the intercepted packets based at least in part on some of the information obtained from the header.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network traffic associated with a user is lawfully intercepted by mirroring data packets flowing to and from the user for which interception has been designated. A unique packet structure enables analysis of mirrored data packets of any network type. In one implementation, a packet structure comprises routable packets that encapsulate the mirrored packet stream. The routable packet structure may be formed by prepending a correlation header to each mirrored packet. The correlation header includes a routing header to allow the mirrored packets to be transportable across the public Internet. In addition, an intercept header may be embedded within the correlation header to easily support various analyzer-specific implementations. The intercept header may include a version field that is extensible for the various analyzer implementations.

34 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, by an analyzer, routable packets from an intercept device, wherein the routable packets contain packets intercepted from a network flow associated with a network user, wherein each of the routable packets includes a header prepended to a respective intercepted packet by the intercept device to form the routable packets;
  
  extracting the intercepted packets from the routable packets by removing the header;
  
  by the analyzer, processing the header to obtain information from the header, wherein the header includes user information that identifies the network user, wherein the header identifies an interface of the intercept device used to intercept the packets associated with the network user, and wherein the header includes session information unique to a session associated with the network user; and
  
  after processing the header, analyzing, by the analyzer, the intercepted packets based at least in part on some of the information obtained from the header.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the intercepted packets are contained within payloads of the routable packets.
  - 3. The method of claim 1, wherein the header comprises a correlation header and wherein removing the correlation header comprises removing a routing header and an intercept header.
  - 4. The method of claim 3, wherein the routing header comprises a User Datagram Protocol/Internet Protocol (UDP/IP) header and the intercept header comprises an analyzer-specific header.
  - 5. The method of claim 1, wherein the header includes analysis information that specifies a manner in which the intercepted packets are to be analyzed.
  - 6. The method of claim 1, wherein the header includes version information that identifies an analyzer type associated with the analyzer.
  - 7. The method of claim 1, wherein the header includes forwarding information that includes a network address for the analyzer.
  - 8. The method of claim 1, wherein extracting the intercepted packets comprises extracting intercepted packets that conform to the second layer (L2) of the Open System Interconnection (OSI) model from routable packets that conform to the third layer (L3) of the OSI model.
  - 9. The method of claim 1, further comprising:
    - generating packet analysis information based on the analyzed intercepted packets; and
      
      sending the packet analysis information to a law enforcement agency.

10. A computer-readable storage medium comprising instructions to cause a programmable processor to:
- receive routable packets from an intercept device, wherein the routable packets contain packets intercepted from a network flow associated with a network user, wherein each of the routable packets includes a header prepended to a respective intercepted packet by the intercept device to form the routable packets;
  
  extract the intercepted packets from the routable packets by removing the header;
  
  process the header to obtain information from the header, wherein the header includes user information that identifies the network user, wherein the header identifies an interface of the intercept device used to intercept the packets associated with the network user, and wherein the header includes session information unique to a session associated with the network user; and
  
  after processing the header, analyze the intercepted packets based at least in part on some of the information obtained from the header.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer-readable storage medium of claim 10, wherein the header includes analysis information that specifies a manner in which the intercepted packets are to be analyzed.
  - 12. The computer-readable storage medium of claim 10, wherein the header comprises a correlation header comprising a routing header and an intercept header.
  - 13. The computer-readable storage medium of claim 10, wherein the header includes version information that identifies an analyzer type associated with the analyzer.
  - 14. The computer-readable storage medium of claim 10, wherein the header includes forwarding information that includes a network address for the analyzer.

15. An analyzer comprising:
- an intercept device interface that receives routable packets from an intercept device, wherein the routable packets contain packets intercepted from a network flow associated with a network user, wherein each of the routable packets includes a header prepended to a respective intercepted packet by the intercept device to form the routable packets,wherein the intercept device interface extracts the intercepted packets from the routable packets by removing the header,wherein the analyzer processes the header to obtain information from the header, wherein the header includes user information that identifies the network user, wherein the header identifies an interface of the intercept device used to intercept the packets associated with the network user, and wherein the header includes session information unique to a session associated with the network user, andwherein the analyzer, after processing the header, analyzes the intercepted packets based at least in part on some of the information obtained from the header.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The analyzer of claim 15, wherein the header comprises a correlation header comprising a routing header and an intercept header.
  - 17. The analyzer of claim 15, wherein the header includes at least one of analysis information that specifies a manner in which the intercepted packets are to be analyzed, version information that identifies an analyzer type associated with the analyzer, and forwarding information that includes a network address for the analyzer.
  - 18. The analyzer of claim 15, wherein the header that comprises:
    - a destination field that identifies a network address associated with the analyzer;
      
      an interception identifier field that identifies the network user;
      
      a version field that includes analyzer-specific information; and
      
      an account session field that identifies an interface of the network device from which the packets were intercepted.
  - 19. The analyzer of claim 15, wherein the intercept device interface extracts intercepted packets that conform to the second layer (L2) of the Open System Interconnection (OSI) model from routable packets that conform to the third layer (L3) of the OSI model.
  - 20. The analyzer of claim 15, wherein the analyzer generates packet analysis information based on the analyzed intercepted packets, and sends the packet analysis information to a law enforcement agency.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Thesayi, Suresh R., Harkness, Derek, Waclawik, Jim
Primary Examiner(s)
Gauthier, Gerald
Assistant Examiner(s)
King, Simon

Application Number

US13/365,833
Time in Patent Office

592 Days
Field of Search

370/389, 370/471, 370/474, 709/227, 709/238
US Class Current

370/389
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 45/00   Routing or path finding of ...

H04L 63/162   at the data link layer

H04L 63/164   at the network layer

H04L 63/306   intercepting packet switche...

H04L 69/22   Parsing or analysis of headers

Packet structure for mirrored traffic flow

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Packet structure for mirrored traffic flow

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links