Efficient access to sparse packets in large repositories of stored network traffic

US 9,674,298 B1
Filed: 12/02/2016
Issued: 06/06/2017
Est. Priority Date: 02/20/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

capturing a first packet from a network;

annotating the first packet with a time stamp specifying an arrival time of the first packet at a packet capture system coupled to the network;

storing the first packet in a first data file of a set of data files associated with predetermined intervals, the first data file corresponding to a first predetermined interval based on the time stamp;

creating a first primary index for the first packet, the first primary index containing a location to the first packet stored in the first data file on a storage device of the packet capture system;

storing the first primary index for the first packet in a first primary index file associated with the first data file corresponding to the first predetermined interval; and

creating a secondary index for the first packet, the secondary index having an ordered sequence of present indicators, wherein a first present indicator corresponds to the first primary index and the first data file of the first predetermined interval.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secondary indexing technique cooperates with primary indices of an indexing arrangement to enable efficient storage and access of metadata used to retrieve packets persistently stored in data files of a data repository. Efficient storage and access of the metadata used to retrieve the persistently stored packets may be based on a target value of the packets over a search time window. The metadata is illustratively organized as a metadata repository of primary index files that store the primary indices containing hash values of network flows of the packets, as well as offsets and paths to those packets stored in the data files. The technique includes one or more secondary indices having a plurality of present bits arranged in a binary format (i.e., a bit array) to indicate the presence of the target value in one or more packets stored in the data files over the search time window. Notably, the present bits may be used to reduce (i.e., “prune”) a relatively large search space of the stored packets (e.g., defined by the hash values) to a pruned search space of only those data files in which packets having the target value are stored.

145 Citations

23 Claims

1. A method comprising:
- capturing a first packet from a network;
  
  annotating the first packet with a time stamp specifying an arrival time of the first packet at a packet capture system coupled to the network;
  
  storing the first packet in a first data file of a set of data files associated with predetermined intervals, the first data file corresponding to a first predetermined interval based on the time stamp;
  
  creating a first primary index for the first packet, the first primary index containing a location to the first packet stored in the first data file on a storage device of the packet capture system;
  
  storing the first primary index for the first packet in a first primary index file associated with the first data file corresponding to the first predetermined interval; and
  
  creating a secondary index for the first packet, the secondary index having an ordered sequence of present indicators, wherein a first present indicator corresponds to the first primary index and the first data file of the first predetermined interval.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 4. The method of claim 1 further comprising storing the secondary index in a secondary index file associated with a search time window.
  - 5. The method of claim 4 wherein storing the secondary index in the secondary index file comprises organizing the secondary index file as a data structure that stores the secondary index over the search time window.
  - 6. The method of claim 5 wherein the data structure is a n-way trie and wherein the n-way trie is organized based on a target value.
  - 7. The method of claim 6 further comprising organizing the n-way trie as a plurality of internal nodes and leaf nodes, wherein each internal node is composed of an array of elements accessible by keys formed from subsets of the target value.
  - 8. The method of claim 7 wherein each element of each internal node contains a key of a child of the internal node and wherein one of the leaf nodes contains the secondary index.
  - 9. The method of claim 8 further comprising storing the n-way trie of the secondary index file on the storage device by only storing the leaf node having the first present indicator of the secondary index.
  - 10. The method of claim 9 further comprising storing a header file associated with the n-way trie of the secondary index file on the storage device, the header file containing one of the time stamp of an earliest second within the search time window associated with the secondary index file, a number of internal nodes allocated in the n-way trie, and the number of leaf nodes allocated in the n-way trie.
  - 11. The method of claim 1 wherein each of the predetermined intervals is one second, and wherein the time stamp of the first packet comprises the first predetermined interval between a beginning of a second and the beginning of a next second corresponding to the first data file.
  - 12. The method of claim 11 wherein each data file of the set of data files contains packets captured from the network and annotated with time stamps at the predetermined intervals of seconds.
  - 13. The method of claim 12 wherein the ordered sequence comprises 3600 present indicators and wherein the search time window is an hour.
  - 14. The method of claim 13 wherein asserted binary values of the 3600 present indicators within the ordered sequence identify the data files of the set of data files that contain at least one packet having a target value within the search time window of the hour.

2. The method of 1 wherein the first present indicator denotes an element of a network flow present in the first packet over a search time window.

3. The method of 2 wherein the element is one of an internet protocol address and a port number.

15. A method comprising:
- capturing a packet from a network;
  
  annotating the packet with a time stamp specifying an arrival time of the packet at a packet capture system coupled to the network;
  
  storing the packet in a data file of a set of data files associated with predetermined intervals, the data file corresponding to a predetermined interval based on the time stamp;
  
  creating a first primary index for the packet, the first primary index containing a location to the packet stored in the data file on a storage device of the packet capture system;
  
  storing the first primary index for the packet in a first primary index file associated with the data file corresponding to the predetermined interval;
  
  creating a secondary index for the packet, the secondary index having an ordered sequence of indicators, wherein a first indicator corresponds to the first primary index and the data file of the predetermined interval, wherein the indicator denotes presence of a target value in the packet;
  
  organizing the secondary index file as a trie based on the target value; and
  
  in response to a request to retrieve the packet having the target value, traversing the trie until reaching a leaf node of the trie containing the secondary index for the packet.

16. A system comprising:
- one or more processors coupled to a network;
  
  a plurality of storage repositories coupled to the one or more processors, the storage repositories including a data repository having data files configured to store packets captured from the network and a metadata repository having primary and secondary index files configured to store primary and secondary indices, the primary indices having hash values along with locations to the captured packets stored in the data files, the hash values calculated from a hash function applied to network flows of the captured packets, the secondary indices having a plurality of indicators denoting presence of a target value in one or more of the captured packets; and
  
  a memory coupled to the one or more processors and configured to store one or more processes of an operating system, the one or more processes executable by the one or more processors to use the indicators of the secondary indices to prune a search space of the captured packets as defined by the hash values to a pruned search space of only the data files of the data repository storing captured packets having the target value, the one or more processes further executable to use the locations of the primary indices having the hash values defined by the pruned search space to retrieve the captured packets having the target value from the data repository.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16 wherein the target value is an element of a network flow over a search time window.
  - 18. The system of claim 16 wherein the secondary index file is organized as a data structure that stores the secondary indices over a search time window.
  - 19. The system of claim 18 wherein the data structure is a n-way trie having a plurality of internal nodes and leaf nodes, wherein each internal node is composed of an array of elements accessible by keys formed from subsets of the target value.

20. A method comprising:
- capturing a first packet from a network;
  
  annotating the first packet with a time stamp specifying an arrival time of the first packet at a packet capture system coupled to the network;
  
  storing the first packet in a first data storage container corresponding to a first predetermined interval based on the time stamp;
  
  creating a first primary index for the first packet, the first primary index containing a location to the first packet stored in the first data storage container on a storage device of the packet capture system;
  
  storing the first primary index for the first packet in a first primary index storage container associated with the first data storage container corresponding to the first predetermined interval; and
  
  creating a secondary index for the first packet, the secondary index having an ordered sequence of present indicators, wherein a first present indicator corresponds to the first primary index and the first data storage container of the first predetermined interval.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20 wherein the first primary index storage container is arranged for access separate from the first data storage container.
  - 22. The method of claim 20 further comprising storing the secondary index in a secondary index storage container associated with a search time window.

23. A non-transitory computer readable medium including program instructions for execution on one or more processors, the program instructions configured to:
- capture a packet from a network;
  
  annotate the packet with a time stamp specifying an arrival time of the packet;
  
  store the packet in a data file of a set of data files associated with predetermined intervals, the data file corresponding to a predetermined interval based on the time stamp;
  
  create a primary index for the packet, the primary index containing a location to the packet stored in the data file;
  
  store the primary index for the packet in a primary index file associated with the data file corresponding to the predetermined interval; and
  
  create a secondary index for the packet, the secondary index having an ordered sequence of indicators, wherein an indicator corresponds to the primary index and the data file of the predetermined interval, and wherein the indicator denotes presence of a target value in the packet stored in the data file over a search time window.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Edwards, Dennis Lee, Fauerbach, Christopher Hayes
Primary Examiner(s)
Thompson, Jr., Otis L

Application Number

US15/368,352
Time in Patent Office

186 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 43/106   using time related informat...

H04L 67/5682   Policies or rules for updat...

H04L 69/28   Timers or timing mechanisms...

H04L 69/324   in the data link layer [OSI...

Efficient access to sparse packets in large repositories of stored network traffic

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

145 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Efficient access to sparse packets in large repositories of stored network traffic

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

145 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links