Packet structure for mirrored traffic flow
Abstract
Network traffic associated with a user is lawfully intercepted by mirroring data packets flowing to and from the user for which interception has been designated. A unique packet structure enables analysis of mirrored data packets of any network type. In one implementation, a packet structure comprises routable packets that encapsulate the mirrored packet stream. The routable packet structure may be formed by prepending a correlation header to each mirrored packet. The correlation header includes a routing header to allow the mirrored packets to be transportable across the public Internet. In addition, an intercept header may be embedded within the correlation header to easily support various analyzer-specific implementations. The intercept header may include a version field that is extensible for the various analyzer implementations.
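An added example, not taken from the patent: a minimal analyzer-side decapsulation of the packet structure the abstract describes, with version dispatch and bounds checks on the prepended header. The field layout, sizes and all names are hypothetical, since the page defines none, and the input is assumed to be the payload left after the receiving stack has consumed the routing header.

```python
import struct
from dataclasses import dataclass

# Hypothetical version-1 intercept header (layout assumed for illustration;
# the page does not define field sizes or order):
#   version:u8  hdr_len:u8  interface_id:u16  session_id:u32  user_id:bytes
# hdr_len covers the whole intercept header, so the mirrored packet starts
# at offset hdr_len and later versions can append fields.
_FIXED = struct.Struct("!BBHI")

@dataclass(frozen=True)
class InterceptHeader:
    version: int
    interface_id: int   # interface of the intercept device that mirrored the packet
    session_id: int     # value unique to the user's session
    user_id: str        # identifies the network user

def _parse_v1(hdr: bytes) -> InterceptHeader:
    version, _, interface_id, session_id = _FIXED.unpack_from(hdr)
    user_id = hdr[_FIXED.size:].decode("utf-8", errors="replace")
    return InterceptHeader(version, interface_id, session_id, user_id)

# Version dispatch: the analyzer registers one parser per header version.
PARSERS = {1: _parse_v1}

def encapsulate(mirrored: bytes, interface_id: int, session_id: int, user_id: str) -> bytes:
    """Intercept-device side: prepend the intercept header to a mirrored packet."""
    uid = user_id.encode("utf-8")
    hdr_len = _FIXED.size + len(uid)
    if hdr_len > 255:
        raise ValueError("user_id too long for u8 hdr_len")
    return _FIXED.pack(1, hdr_len, interface_id, session_id) + uid + mirrored

def decapsulate(datagram: bytes):
    """Analyzer side: validate and strip the header; return (header, mirrored packet)."""
    if len(datagram) < _FIXED.size:
        raise ValueError("truncated intercept header")
    version, hdr_len = datagram[0], datagram[1]
    if version not in PARSERS:
        raise ValueError(f"unsupported intercept header version {version}")
    if hdr_len < _FIXED.size or hdr_len > len(datagram):
        raise ValueError("hdr_len outside datagram bounds")
    return PARSERS[version](datagram[:hdr_len]), datagram[hdr_len:]

# Constructed sample: a fake 4-byte "mirrored packet" wrapped for user "alice".
SAMPLE = encapsulate(b"\x45\x00\x00\x14", interface_id=7, session_id=0xC0FFEE, user_id="alice")
```

The length and version checks run before any field is trusted, so a truncated or unrecognized header is rejected instead of shifting the boundary between header and mirrored packet.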
20 Claims
1. A method comprising:
receiving, by an analyzer, routable packets from an intercept device, wherein the routable packets contain packets intercepted from a network flow associated with a network user, wherein each of the routable packets includes a header prepended to a respective intercepted packet by the intercept device to form the routable packets;
extracting the intercepted packets from the routable packets by removing the header;
by the analyzer, processing the header to obtain information from the header, wherein the header includes user information that identifies the network user, wherein the header identifies an interface of the intercept device used to intercept the packets associated with the network user, and wherein the header includes session information unique to a session associated with the network user; and
after processing the header, analyzing, by the analyzer, the intercepted packets based at least in part on some of the information obtained from the header.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)
10. A computer-readable storage medium comprising instructions to cause a programmable processor to:
receive routable packets from an intercept device, wherein the routable packets contain packets intercepted from a network flow associated with a network user, wherein each of the routable packets includes a header prepended to a respective intercepted packet by the intercept device to form the routable packets;
extract the intercepted packets from the routable packets by removing the header;
process the header to obtain information from the header, wherein the header includes user information that identifies the network user, wherein the header identifies an interface of the intercept device used to intercept the packets associated with the network user, and wherein the header includes session information unique to a session associated with the network user; and
after processing the header, analyze the intercepted packets based at least in part on some of the information obtained from the header.
(Dependent claims: 11, 12, 13, 14)
15. An analyzer comprising:
an intercept device interface that receives routable packets from an intercept device, wherein the routable packets contain packets intercepted from a network flow associated with a network user, wherein each of the routable packets includes a header prepended to a respective intercepted packet by the intercept device to form the routable packets,
wherein the intercept device interface extracts the intercepted packets from the routable packets by removing the header,
wherein the analyzer processes the header to obtain information from the header, wherein the header includes user information that identifies the network user, wherein the header identifies an interface of the intercept device used to intercept the packets associated with the network user, and wherein the header includes session information unique to a session associated with the network user, and
wherein the analyzer, after processing the header, analyzes the intercepted packets based at least in part on some of the information obtained from the header.
(Dependent claims: 16, 17, 18, 19, 20)
Specification