Dynamic snapshot value by turn for continuous packet capture

US 9,813,311 B1
Filed: 02/27/2017
Issued: 11/07/2017
Est. Priority Date: 10/10/2016
Status: Active Grant

First Claim

Patent Images

1. A method for capturing packets on a network, wherein one or more processors in a network computer execute instructions to perform actions, comprising:

providing a snapshot value for one or more network monitoring computers (NMCs); and

employing the one or more NMCs that are handling a network flow to perform actions, including;

monitoring one or more characteristics of one or more packets in the network flow;

employing the one or more characteristics of the network flow that indicate that a turn is occurring on the network flow to increase the snapshot value;

employing one or more conditions that indicate that the turn is complete to decrease the snapshot value; and

storing a portion of each of the one or more packets of the network flow in one or more datastores.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to capturing packets on a network. A snapshot value may be provided for a network monitoring computer (NMC). If the NMC may be provided packets of a network flow, characteristics of the network flow may be monitored. If the characteristics of the network flow indicate that a flow turn may be occurring on the network flow, the snapshot value may be modified by increasing it to a provided value. If conditions indicate that the flow turn may be complete, the snapshot value maybe reset by decreasing it to another provided value. A portion of each of the packets may be captured by the NMC, such that the size of the portion may be equivalent to the snapshot value. The captured portion of each of the packets may be stored in a memory of the NMC.

33 Citations

30 Claims

1. A method for capturing packets on a network, wherein one or more processors in a network computer execute instructions to perform actions, comprising:
- providing a snapshot value for one or more network monitoring computers (NMCs); and
  
  employing the one or more NMCs that are handling a network flow to perform actions, including;
  
  monitoring one or more characteristics of one or more packets in the network flow;
  
  employing the one or more characteristics of the network flow that indicate that a turn is occurring on the network flow to increase the snapshot value;
  
  employing one or more conditions that indicate that the turn is complete to decrease the snapshot value; and
  
  storing a portion of each of the one or more packets of the network flow in one or more datastores.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the stored portion of each of the one or more packets is the based on one of the initial snapshot value, increased snapshot value or the decreased snapshot value.
  - 3. The method of claim 1, further comprising:
    - identifying one or more of the packets that correspond to the turn based on one of the increased snapshot value or the decreased snapshot value; and
      
      archiving the identified packets in the one or more datastores.
  - 4. The method of claim 1, further comprising employing one of the increased snapshot value or a new snapshot value to determine a portion of each of one or more packets in a new network flow that is stored in the one or more datastores.
  - 5. The method of claim 1, further comprising modifying a current snapshot value to another snapshot value based on one or more of a condition, rule, pattern, or heuristic.
  - 6. The method of claim 1, further comprising employing the one or more NSCs to set a new snapshot value that is employed to store one of a larger portion or a lesser portion of the one or more packets.
  - 7. The method of claim 1, wherein the one or more characteristics include one or more of an incoming volume or an outgoing volume of the network flow.
  - 8. The method of claim 1, further comprising discarding the stored portions of packets that are non-correspondent to the turn in the network flow.

9. A system for capturing network traffic in a network comprising:
- a network computer, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing a snapshot value for one or more network monitoring computers (NMCs); and
  
  employing the one or more NMCs that are handling a network flow to perform actions, including;
  
  monitoring one or more characteristics of one or more packets in the network flow;
  
  employing the one or more characteristics of the network flow that indicate that a turn is occurring on the network flow to increase the snapshot value;
  
  employing one or more conditions that indicate that the turn is complete to decrease the snapshot value; and
  
  storing a portion of each of the one or more packets of the network flow in one or more datastores; and
  
  a client computer, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions to provide the network flow.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the stored portion of each of the one or more packets is the based on one of the initial snapshot value, increased snapshot value or the decreased snapshot value.
  - 11. The system of claim 9, further comprising:
    - identifying one or more of the packets that correspond to the turn based on one of the increased snapshot value or the decreased snapshot value; and
      
      archiving the identified packets in the one or more datastores.
  - 12. The system of claim 9, further comprising employing one of the increased snapshot value or a new snapshot value to determine a portion of each of one or more packets in a new network flow that is stored in the one or more datastores.
  - 13. The system of claim 9, further comprising modifying a current snapshot value to another snapshot value based on one or more of a condition, rule, pattern, or heuristic.
  - 14. The system of claim 9, further comprising employing the one or more NSCs to set a new snapshot value that is employed to store one of a larger portion or a lesser portion of the one or more packets.
  - 15. The system of claim 9, wherein the one or more characteristics include one or more of an incoming volume or an outgoing volume of the network flow.
  - 16. The system of claim 9, further comprising discarding the stored portions of packets that are non-correspondent to the turn in the network flow.

17. A processor readable non-transitory storage media that includes instructions for capturing packets on a network, wherein execution of the instructions by one or more processors performs actions, comprising:
- providing a snapshot value for one or more network monitoring computers (NMCs); and
  
  employing the one or more NMCs that are handling a network flow to perform actions, including;
  
  monitoring one or more characteristics of one or more packets in the network flow;
  
  employing the one or more characteristics of the network flow that indicate that a turn is occurring on the network flow to increase the snapshot value;
  
  employing one or more conditions that indicate that the turn is complete to decrease the snapshot value; and
  
  storing a portion of each of the one or more packets of the network flow in one or more datastores.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The media of claim 17, wherein the stored portion of each of the one or more packets is the based on one of the initial snapshot value, increased snapshot value or the decreased snapshot value.
  - 19. The media of claim 17, further comprising:
    - identifying one or more of the packets that correspond to the turn based on one of the increased snapshot value or the decreased snapshot value; and
      
      archiving the identified packets in the one or more datastores.
  - 20. The media of claim 17, further comprising employing one of the increased snapshot value or a new snapshot value to determine a portion of each of one or more packets in a new network flow that is stored in the one or more datastores.
  - 21. The media of claim 17, further comprising modifying a current snapshot value to another snapshot value based on one or more of a condition, rule, pattern, or heuristic.
  - 22. The media of claim 17, further comprising employing the one or more NSCs to set a new snapshot value that is employed to store one of a larger portion or a lesser portion of the one or more packets.
  - 23. The media of claim 17, wherein the one or more characteristics include one or more of an incoming volume or an outgoing volume of the network flow.
  - 24. The media of claim 17, further comprising discarding the stored portions of packets that are non-correspondent to the turn in the network flow.

25. A network computer for capturing packets in a network, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing a snapshot value for one or more network monitoring computers (NMCs); and
  
  employing the one or more NMCs that are handling a network flow to perform actions, including;
  
  monitoring one or more characteristics of one or more packets in the network flow;
  
  employing the one or more characteristics of the network flow that indicate that a turn is occurring on the network flow to increase the snapshot value;
  
  employing one or more conditions that indicate that the turn is complete to decrease the snapshot value; and
  
  storing a portion of each of the one or more packets of the network flow in one or more datastores.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The network computer of claim 25, wherein the stored portion of each of the one or more packets is the based on one of the initial snapshot value, increased snapshot value or the decreased snapshot value.
  - 27. The network computer of claim 25, further comprising:
    - identifying one or more of the packets that correspond to the turn based on one of the increased snapshot value or the decreased snapshot value; and
      
      archiving the identified packets in the one or more datastores.
  - 28. The network computer of claim 25, further comprising employing one of the increased snapshot value or a new snapshot value to determine a portion of each of one or more packets in a new network flow that is stored in the one or more datastores.
  - 29. The network computer of claim 25, further comprising modifying a current snapshot value to another snapshot value based on one or more of a condition, rule, pattern, or heuristic.
  - 30. The network computer of claim 25, further comprising employing the one or more NSCs to set a new snapshot value that is employed to store one of a larger portion or a lesser portion of the one or more packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Leone, Alexander Christian
Primary Examiner(s)
Pezzlo, John

Application Number

US15/443,868
Time in Patent Office

253 Days
Field of Search

370252, 370389, 370401, 370463
US Class Current
CPC Class Codes

H04L 43/022   by sampling

H04L 43/024   by adaptive sampling

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 43/0876   Network utilisation, e.g. v...

H04L 43/12   Network monitoring probes

H04L 43/18   Protocol analysers

Dynamic snapshot value by turn for continuous packet capture

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic snapshot value by turn for continuous packet capture

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links