System and method for correcting clock discrepancy in simultaneous network traffic captures

US 9,602,366 B1
Filed: 03/03/2010
Issued: 03/21/2017
Est. Priority Date: 03/03/2010
Status: Active Grant

First Claim

Patent Images

1. A method for determining clock disparities between a first clock in a first network monitor positioned to capture first data in a first segment of a network and a second clock in a second network monitor positioned to capture second data in a second segment of the network, the first and second data transmitted using at least one network transmission protocol, and the first and second network segments in different tiers of a multi-tiered network system, the method comprising the steps of:

receiving the first and second data, a packet of the first data traveling through a first network path of the multi-tiered network system and a packet of the second data traveling through a second network path of the multi-tiered network system different from the first network path, the traveling through the multiple tiers of the network system including terminating the packets of the first data and of the second data at a tier of the multi-tier system;

correlating the first and second data into one or more application sessions, wherein data correlated with a first application session is first application session data that includes packets from both the first data and the second data;

identifying a correct temporal sequence of said first application session data responsive to the at least one network transmission protocol and restraints of the multi-tiered network architecture, the restraints to which the identifying is responsive including locations in the multi-tiered network structure of the first and the second network monitors; and

determining the disparity between the first and second clocks by comparing timestamps of said first application session data with said correct temporal sequence of said first application session data and accounting for the disparity when analyzing data captured by at least one of said first network monitor and said second network monitor wherein the disparity corresponds to an offset value and a scaling value wherein said offset value and said scaling value is utilized when analyzing data captured by at least one of said first network monitor and said second network monitor.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for correcting clock discrepancy in simultaneous network traffic data captures in a multi-tiered, multi-session environment. The invention uses intrinsic constraints imposed by the nature of the traffic onto the possible temporal sequence of the packets, The invention uses the intrinsic restraints of the network architecture and the protocols used at each segment along with the time stamps in the various segments to determine both an offset and scale correction to the clock readings (timestamps) in the traces in order to obtain a correct temporal sequence of packets when using multiple capture agents/engines/network monitors.

13 Citations

View as Search Results

6 Claims

1. A method for determining clock disparities between a first clock in a first network monitor positioned to capture first data in a first segment of a network and a second clock in a second network monitor positioned to capture second data in a second segment of the network, the first and second data transmitted using at least one network transmission protocol, and the first and second network segments in different tiers of a multi-tiered network system, the method comprising the steps of:
- receiving the first and second data, a packet of the first data traveling through a first network path of the multi-tiered network system and a packet of the second data traveling through a second network path of the multi-tiered network system different from the first network path, the traveling through the multiple tiers of the network system including terminating the packets of the first data and of the second data at a tier of the multi-tier system;
  
  correlating the first and second data into one or more application sessions, wherein data correlated with a first application session is first application session data that includes packets from both the first data and the second data;
  
  identifying a correct temporal sequence of said first application session data responsive to the at least one network transmission protocol and restraints of the multi-tiered network architecture, the restraints to which the identifying is responsive including locations in the multi-tiered network structure of the first and the second network monitors; and
  
  determining the disparity between the first and second clocks by comparing timestamps of said first application session data with said correct temporal sequence of said first application session data and accounting for the disparity when analyzing data captured by at least one of said first network monitor and said second network monitor wherein the disparity corresponds to an offset value and a scaling value wherein said offset value and said scaling value is utilized when analyzing data captured by at least one of said first network monitor and said second network monitor.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein said first segment is between a first pair of devices in the network and a second segment is between a second pair of devices in the network wherein said first pair and second pair are different.
  - 3. The method of claim 1, wherein the identifying step includes the step of utilizing a first application protocol corresponding to the first application session to identify the correct temporal sequence.

4. A non-transitory computer readable storage medium structured to store instructions, to determine clock disparities between a first clock in a first network monitor positioned to capture first data in a first segment of a network and a second clock in a second network monitor positioned to capture second data in a second segment of the network, the first and second data transmitted using at least one network transmission protocol, and the first and second network segments being in different tiers of a multi-tiered network system, the instructions when executed cause a processor to perform operations including:
- receiving the first and second data, a packet of the first data traveling through a first network path of the multi-tiered network system and a packet of the second data traveling through a second network path of the multi-tiered network system different from the first network path, the traveling through the multiple tiers of the network system including terminating the packets of the first data and of the second data at a tier of the multi-tier system;
  
  correlating the first and second data into one or more application sessions, wherein data correlated with a first application session is first application session data that includes packets from both the first data and the second data;
  
  identifying a correct temporal sequence of said first application session data responsive to the at least one network transmission protocol and restraints of the multi-tiered network architecture, the restraints to which the identifying is responsive including locations in the multi-tiered network structure of at least the first and the second network monitors; and
  
  determining the disparity between the first and second clocks by comparing timestamps of said first application session data with said correct temporal sequence of said first application session data and accounting for the disparity when analyzing data captured by at least one of said first network monitor and said second network monitor wherein the disparity corresponds to an offset value and a scaling value wherein said offset value and said scaling value is utilized when analyzing data captured by at least one of said first network monitor and said second network monitor.
- View Dependent Claims (5, 6)
- - 5. The non-transitory computer readable storage medium of claim 4, wherein said first segment is between a first pair of devices in the network and a second segment is between a second pair of devices in the network wherein said first pair and second pair are different.
  - 6. The non-transitory computer readable storage medium of claim 4, wherein the identifying instruction includes the instruction of utilizing a first application protocol corresponding to the first application session to identify the correct temporal sequence order relationship.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetScout Systems Incorporated
Original Assignee
NetScout Systems Incorporated
Inventors
Manin, Dmitrii Yurievich
Primary Examiner(s)
Mejia, Anthony
Assistant Examiner(s)
BELCHER, HERMAN A

Application Number

US12/716,987
Time in Patent Office

2,575 Days
Field of Search

709/224
US Class Current

1/1
CPC Class Codes

G06F 1/10   Distribution of clock signa...

G06F 1/12   Synchronisation of differen...

H04J 3/0635   Clock or time synchronisati...

H04J 3/0667   Bidirectional timestamps, e...

H04L 43/04   Processing captured monitor...

H04L 43/0852   Delays

H04L 43/10   Active monitoring, e.g. hea...

H04L 43/106   using time related informat...

H04L 43/12   Network monitoring probes

System and method for correcting clock discrepancy in simultaneous network traffic captures

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

6 Claims

Specification

Use Cases

Quick Links

Others

System and method for correcting clock discrepancy in simultaneous network traffic captures

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

6 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others