System and method for correcting clock discrepancy in simultaneous network traffic captures
First Claim
1. A method for determining clock disparities between a first clock in a first network monitor positioned to capture first data in a first segment of a network and a second clock in a second network monitor positioned to capture second data in a second segment of the network, the first and second data transmitted using at least one network transmission protocol, and the first and second network segments in different tiers of a multi-tiered network system, the method comprising the steps of:
receiving the first and second data, a packet of the first data traveling through a first network path of the multi-tiered network system and a packet of the second data traveling through a second network path of the multi-tiered network system different from the first network path, the traveling through the multiple tiers of the network system including terminating the packets of the first data and of the second data at a tier of the multi-tier system;
correlating the first and second data into one or more application sessions, wherein data correlated with a first application session is first application session data that includes packets from both the first data and the second data;
identifying a correct temporal sequence of said first application session data responsive to the at least one network transmission protocol and restraints of the multi-tiered network architecture, the restraints to which the identifying is responsive including locations in the multi-tiered network structure of the first and the second network monitors; and
determining the disparity between the first and second clocks by comparing timestamps of said first application session data with said correct temporal sequence of said first application session data and accounting for the disparity when analyzing data captured by at least one of said first network monitor and said second network monitor wherein the disparity corresponds to an offset value and a scaling value wherein said offset value and said scaling value is utilized when analyzing data captured by at least one of said first network monitor and said second network monitor.
Abstract
A system and method for correcting clock discrepancy in simultaneous network traffic data captures in a multi-tiered, multi-session environment. The invention uses intrinsic constraints imposed by the nature of the traffic onto the possible temporal sequence of the packets. The invention uses the intrinsic restraints of the network architecture and the protocols used at each segment along with the time stamps in the various segments to determine both an offset and scale correction to the clock readings (timestamps) in the traces in order to obtain a correct temporal sequence of packets when using multiple capture agents/engines/network monitors.
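One way to picture the offset and scale correction the abstract describes, as an added Python example that is not taken from the patent. The two-monitor session layout, the linear model `time_on_A = scale * b_clock + offset`, the midpoint least-squares fit (which assumes equal hop delay in both directions) and all timestamps are assumptions constructed here.

```python
from statistics import mean

def make_sessions(scale=1.0001, offset=-2.5):
    """Constructed sample traces. Each session is (a_req, b_query, b_reply, a_resp):
    a_* stamped by front-tier monitor A, b_* by back-tier monitor B, whose clock
    is skewed so that time_on_A = scale * b_clock + offset."""
    def to_b(t):
        return (t - offset) / scale
    delays = [(0.002, 0.008), (0.003, 0.020), (0.0025, 0.005),
              (0.004, 0.012), (0.002, 0.030)]  # (tier hop, back-end service time)
    sessions = []
    for i, (hop, service) in enumerate(delays):
        t0 = 10.0 * i
        sessions.append((t0, to_b(t0 + hop), to_b(t0 + hop + service),
                         t0 + 2 * hop + service))
    return sessions

def violations(sessions, scale=1.0, offset=0.0):
    """Count sessions whose timestamps break the order the protocol imposes
    (front request, back query, back reply, front response) once B's
    timestamps are mapped onto A's timeline."""
    bad = 0
    for a_req, b_query, b_reply, a_resp in sessions:
        q, r = scale * b_query + offset, scale * b_reply + offset
        if not (a_req <= q <= r <= a_resp):
            bad += 1
    return bad

def fit_clock(sessions):
    """Least-squares line through the interval midpoints; returns (scale, offset).
    Assumes the hop delay is the same in both directions."""
    xs = [(s[1] + s[2]) / 2 for s in sessions]   # midpoint on B's clock
    ys = [(s[0] + s[3]) / 2 for s in sessions]   # midpoint on A's clock
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("sessions must be spread over time to estimate scale")
    scale = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return scale, my - scale * mx

if __name__ == "__main__":
    traces = make_sessions()
    scale, offset = fit_clock(traces)
    print("raw violations:", violations(traces))
    print("fitted scale=%.6f offset=%.6f" % (scale, offset))
    print("violations after correction:", violations(traces, scale, offset))
```

With uncorrected timestamps every constructed session appears to receive its front-tier response before the back tier replied; after the fitted mapping the protocol order holds again, which is the property an analyst needs before merging multi-sensor captures into one timeline.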
6 Claims
4. A non-transitory computer readable storage medium structured to store instructions, to determine clock disparities between a first clock in a first network monitor positioned to capture first data in a first segment of a network and a second clock in a second network monitor positioned to capture second data in a second segment of the network, the first and second data transmitted using at least one network transmission protocol, and the first and second network segments being in different tiers of a multi-tiered network system, the instructions when executed cause a processor to perform operations including:
receiving the first and second data, a packet of the first data traveling through a first network path of the multi-tiered network system and a packet of the second data traveling through a second network path of the multi-tiered network system different from the first network path, the traveling through the multiple tiers of the network system including terminating the packets of the first data and of the second data at a tier of the multi-tier system;
correlating the first and second data into one or more application sessions, wherein data correlated with a first application session is first application session data that includes packets from both the first data and the second data;
identifying a correct temporal sequence of said first application session data responsive to the at least one network transmission protocol and restraints of the multi-tiered network architecture, the restraints to which the identifying is responsive including locations in the multi-tiered network structure of at least the first and the second network monitors; and
determining the disparity between the first and second clocks by comparing timestamps of said first application session data with said correct temporal sequence of said first application session data and accounting for the disparity when analyzing data captured by at least one of said first network monitor and said second network monitor wherein the disparity corresponds to an offset value and a scaling value wherein said offset value and said scaling value is utilized when analyzing data captured by at least one of said first network monitor and said second network monitor.
Specification