Method and system for identifying matching packets
First Claim
1. A method, comprising:
- receiving, by a device, a first subset of a first plurality of packets,the first plurality of packets being associated with a first location in a network, andthe first subset of the first plurality of packets being selected based on a filter;
receiving, by the device, a second subset of a second plurality of packets,the second plurality of packets being associated with a second location in the network,the second location being different than the first location, andthe second subset of the second plurality of packets being selected based on the filter;
parsing, by the device, each packet in the first subset and the second subset to extract invariant header fields from an outermost internet protocol (IP) header until a minimal set of invariant header fields is obtained, for each packet, that uniquely identifies each packet throughout the network, or until the minimal set of invariant header fields cannot be obtained for each packet,the minimal set of invariant header fields including a minimum set of invariant header fields, of each packet, that uniquely identifies each packet throughout the network within a particular time period,the particular time period being long enough in duration to allow each packet to traverse the network, but short enough in duration to prevent a same packet signature from being computed for different packets,the minimal set of invariant header fields not being obtainable for a particular packet with a particular protocol combination,the particular protocol combination including no known identifier or sequence number that uniquely identifies the particular packet at the first location and the second location;
computing, by the device, a packet signature from the minimal set of invariant header fields for each packet in the first subset and the second subset for which a minimal set of invariant header fields is obtained; and
comparing, by the device, packet signatures associated with the first subset and packet signatures associated with the second subset to identify matching packets with a same packet signature in the first subset and the second subset.
4 Assignments
0 Petitions
Accused Products
Abstract
In a method of identifying matching packets at different locations in a network, a first plurality of packets is received at a first location in the network, and a first subset thereof is selected in accordance with a filter. A second plurality of packets is received at a second location in the network, and a second subset thereof is selected in accordance with the same filter. Each packet in the first and second subsets is parsed to extract invariant header fields from an outermost IP header inwards, until a minimal set of invariant header fields is obtained for that packet, or until it is determined that a minimal set is not obtainable for that packet. A packet signature is computed from the minimal set for each packet having a minimal set, and the packet signatures are compared to identify matching packets in the first and second subsets.
39 Citations
20 Claims
-
1. A method, comprising:
-
receiving, by a device, a first subset of a first plurality of packets, the first plurality of packets being associated with a first location in a network, and the first subset of the first plurality of packets being selected based on a filter; receiving, by the device, a second subset of a second plurality of packets, the second plurality of packets being associated with a second location in the network, the second location being different than the first location, and the second subset of the second plurality of packets being selected based on the filter; parsing, by the device, each packet in the first subset and the second subset to extract invariant header fields from an outermost internet protocol (IP) header until a minimal set of invariant header fields is obtained, for each packet, that uniquely identifies each packet throughout the network, or until the minimal set of invariant header fields cannot be obtained for each packet, the minimal set of invariant header fields including a minimum set of invariant header fields, of each packet, that uniquely identifies each packet throughout the network within a particular time period, the particular time period being long enough in duration to allow each packet to traverse the network, but short enough in duration to prevent a same packet signature from being computed for different packets, the minimal set of invariant header fields not being obtainable for a particular packet with a particular protocol combination, the particular protocol combination including no known identifier or sequence number that uniquely identifies the particular packet at the first location and the second location; computing, by the device, a packet signature from the minimal set of invariant header fields for each packet in the first subset and the second subset for which a minimal set of invariant header fields is obtained; and comparing, by the device, packet signatures associated with the first subset and packet signatures associated with the second subset to identify matching packets with a same packet signature in the first subset and the second subset. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A system, comprising:
-
a first probe to; receive a first plurality of packets at a first location in a network; and select a first subset of the first plurality of packets in accordance with a filter; a second probe to; receive a second plurality of packets at a second location in the network, the second location being different than the first location; and select a second subset of the second plurality of packets in accordance with the filter; and a packet-matching unit to; parse each packet in the first subset and the second subset to extract invariant header fields from an outermost interne protocol (IP) header until a set of invariant header fields is obtained, for each packet, that uniquely identifies each packet throughout the network, or until the set of invariant header fields cannot be obtained for each packet, the set of invariant header fields including a minimum set of invariant header fields, of each packet, that uniquely identifies each packet throughout the network within a particular time period, the particular time period being long enough in duration to allow each packet to traverse the network, but short enough in duration to prevent a same packet signature from being computed for different packets, the set of invariant header fields not being obtainable for a particular packet with a particular protocol combination, the particular protocol combination including no known identifier or sequence number that uniquely identifies the particular packet at the first location and the second location; compute a packet signature from the set of invariant header fields for each packet in the first subset and the second subset for which a set of invariant header fields is obtained; and compare packet signatures associated with the first subset and packet signatures associated with the second subset to identify matching packets with a same packet signature in the first subset and the second subset. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
-
-
20. A device, comprising:
one or more processors to; receive a first subset of a first plurality of packets, the first plurality of packets being associated with a first location in a network, and the first subset of the first plurality of packets being selected based on a filter; receive a second subset of a second plurality of packets, the second plurality of packets being associated with a second location in the network, the second location being different than the first location, and the second subset of the second plurality of packets being selected based on the filter; parse each packet in the first subset and the second subset to extract invariant header fields from an outermost interne protocol (IP) header until a set of invariant header fields is obtained, for each packet, that uniquely identifies each packet throughout the network, or until the set of invariant header fields cannot be obtained for each packet, the set of invariant header fields including a minimum set of invariant header fields, of each packet, that uniquely identifies each packet throughout the network within a particular time period, the particular time period being long enough in duration to allow each packet to traverse the network, but short enough in duration to prevent a same packet signature from being computed for different packets, the set of invariant header fields not being obtainable for a particular packet with a particular protocol combination, the particular protocol combination including no known identifier or sequence number that uniquely identifies the particular packet at the first location and the second location; compute a packet signature from the set of invariant header fields for each packet in the first subset and the second subset for which a minimal set of invariant header fields is obtained; and compare packet signatures associated with the first subset and packet signatures associated with the second subset to identify matching packets with a same packet signature in the first subset and the second subset.
Specification