Attributes of captured objects in a capture system

US 9,094,338 B2
Filed: 03/21/2014
Issued: 07/28/2015
Est. Priority Date: 05/22/2006
Status: Expired due to Fees

First Claim

Patent Images

1. At least one non-transitory machine-readable medium having instructions stored therein and when executed, the instructions cause one or more processors to:

capture a plurality of packets being transmitted over a network through a capture system that includes a processor and a network interface for receiving packets;

reconstruct a captured object from the plurality of packets, wherein the captured object is one of a plurality of captured objects reconstructed from the plurality of packets;

determine an association between the captured object and a computer name of a computer sending or receiving the captured object, wherein the association is determined by identifying a network address associated with the captured object and reading one or more log files of the network to determine the computer name associated with the network address, wherein the one or more log files are to be updated if the network address is assigned to another computer, wherein the captured object is to be stored in a storage location in a rolling storage;

generate metadata of the captured object, the metadata including an indication of an association between the storage location and the computer name of the computer; and

search a plurality of metadata of captured objects based on the computer name to determine one or more storage locations in the rolling storage that contain captured objects associated with the computer.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for capturing objects and balancing systems resources in a capture system are described. An object is captured, metadata associated with the objected generated, and the object and metadata stored.

450 Citations

17 Claims

1. At least one non-transitory machine-readable medium having instructions stored therein and when executed, the instructions cause one or more processors to:
- capture a plurality of packets being transmitted over a network through a capture system that includes a processor and a network interface for receiving packets;
  
  reconstruct a captured object from the plurality of packets, wherein the captured object is one of a plurality of captured objects reconstructed from the plurality of packets;
  
  determine an association between the captured object and a computer name of a computer sending or receiving the captured object, wherein the association is determined by identifying a network address associated with the captured object and reading one or more log files of the network to determine the computer name associated with the network address, wherein the one or more log files are to be updated if the network address is assigned to another computer, wherein the captured object is to be stored in a storage location in a rolling storage;
  
  generate metadata of the captured object, the metadata including an indication of an association between the storage location and the computer name of the computer; and
  
  search a plurality of metadata of captured objects based on the computer name to determine one or more storage locations in the rolling storage that contain captured objects associated with the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The at least one non-transitory machine-readable medium of claim 1, wherein at least one of the log files includes an Internet Protocol (IP) assignment related to a media access control (MAC) address of the computer and the computer name of the computer.
  - 3. The at least one non-transitory machine-readable medium of claim 2, wherein a Dynamic Host Configuration Protocol (DHCP) log is initialized in order to record current relationships between computer names, Internet Protocol (IP) addresses, and media access control (MAC) addresses of computers in the network, wherein the network has a dynamic configuration system.
  - 4. The at least one non-transitory machine-readable medium of claim 1, wherein the search of the plurality of metadata includes searching a plurality of tags in a tag database.
  - 5. The at least one non-transitory machine-readable medium of claim 1, wherein the instructions, when executed, cause the one or more processors to:
    - compare at least one logon log file to the one or more log files of the network to determine a user identifier associated with the computer at a time corresponding to the captured object being sent or received by the computer, wherein the search of the plurality of metadata based on the computer name provides information indicating the user identifier is associated with the captured object.
  - 6. The at least one non-transitory machine-readable medium of claim 1, wherein the metadata includes an indication of a mode in which the capture system is configured to operate, wherein the mode is one of a temporal identification mode and a tiered location tagging mode.
  - 7. The at least one non-transitory machine-readable medium of claim 1, wherein the network address isan Internet Protocol (IP) address.

8. A capture system for capturing objects propagating through a network, the capture system comprising:
- at least one processor;
  
  a network interface module that, when executed by the at least one processor, is to receive a plurality of packets being transmitted over the network;
  
  a packet capture module that, when executed by the at least one processor, is to capture the plurality of packets received by the network interface module; and
  
  an object assembly module that, when executed by the at least one processor, is to reconstruct a captured object from the plurality of packets, wherein the captured object is one of a plurality of captured objects reconstructed from the plurality of packets,wherein the capture system is to;
  
  determine an association between the captured object and a computer name of a computer sending or receiving the captured object, wherein the association is determined by identifying a network address associated with the captured object and reading one or more log files of the network to determine the computer name associated with the network address, wherein the one or more log files are to be updated if the network address is assigned to another computer;
  
  store the captured object in a storage location of a rolling storage;
  
  generate metadata of the captured object, the metadata including an indication of an association between the storage location and the computer name of the computer; and
  
  search a plurality of metadata of captured objects based on the computer name to determine one or more storage locations in the rolling storage that contain captured objects associated with the computer.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The capture system of claim 8, wherein at least one of the log files includes an Internet Protocol (IP) assignment related to a media access control (MAC) address of the computer and the computer name of the computer.
  - 10. The capture system of claim 8, wherein the capture system is to:
    - store the metadata as a tag in a tag database, wherein the search of the plurality of metadata includes searchinga plurality of tags in the tag database.
  - 11. The capture system of claim 10, wherein the capture system is to:
    - compare at least one logon log file to the one or more log files of the network to determine a user identifier associated with the computer at a time corresponding to the captured object being sent or received by the computer, wherein the search of the plurality of tags based on the computer name provides information indicating the user identifier is associated with the captured object.
  - 12. The capture system of claim 8, wherein the network address isan Internet Protocol (IP) address.

13. A method, comprising:
- capturing a plurality of packets being transmitted over a network through a capture system that includes a processor and a network interface for receiving packets;
  
  reconstructing a captured object from the plurality of packets, wherein the captured object is one of a plurality of captured objects reconstructed from the plurality of packets;
  
  determine an association between the captured object and a computer name of a computer sending or receiving the captured object, wherein the association is determined by identifying a network address associated with the captured object and reading one or more log files of the network to determine the computer name associated with the network address, wherein the one or more log files are to be updated if the network address is assigned to another computer, wherein the capture system is to store the captured object in a storage location of a rolling storage;
  
  generate metadata of the captured object, the metadata including an indication of an association between the storage location and the computer name of the computer; and
  
  search a plurality of metadata of captured objects based on the computer name to determine one or more storage locations in the rolling storage that contain captured objects associated with the computer.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein at least one of the log files includes an Internet Protocol (IP) assignment related to a media access control (MAC) address of the computer and the computer name of the computer.
  - 15. The method of claim 13, further comprising:
    - storing the metadata as a tag in a tag database, wherein the searching of the plurality of metadata includessearching a plurality of tags in the tag database.
  - 16. The method of claim 15, further comprising:
    - comparing at least one logon log file to the one or more log files of the network to determine a user identifier associated with the computer at a time corresponding to the captured object being sent or received by the computer, wherein the search of the plurality of tags based on the computer name provides information indicating the user identifier is associated with the captured object.
  - 17. The method of claim 13, wherein the network address is an Internet Protocol (IP) address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Ahuja, Ratinder Paul Singh, Deninger, William, de la Iglesia, Erik, Lowe, Rick
Primary Examiner(s)
Taylor, Nicholas
Assistant Examiner(s)
Williams, Clayton R

Application Number

US14/222,477
Publication Number

US 20140289416A1
Time in Patent Office

494 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 43/106   using time related informat...

H04L 43/18   Protocol analysers

H04L 43/50   Testing arrangements

H04L 63/0209   Architectural arrangements,...

Attributes of captured objects in a capture system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

450 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Attributes of captured objects in a capture system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

450 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links