High availability of collectors of traffic reported by network sensors

US 10,181,987 B2
Filed: 06/02/2016
Issued: 01/15/2019
Est. Priority Date: 06/05/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a system and via a first collector device, a first data report generated by a capturing agent deployed on a host system in a network, the first data report comprising traffic data captured at the host system by the capturing agent;

receiving, by the system and via a second collector device, a second data report generated by the capturing agent deployed on the host system, the second data report comprising traffic data captured at the host system by the capturing agent;

determining, by the system, that the first data report and the second data report are both associated with the capturing agent based on a comparison of whether the first data report and the second data report are from the capturing agent or whether the first data report and the second data report encompass a same period of time;

in response to determining that the first and second data reports are both associated with the capturing agent, identifying, by the system, duplicate data contained in the first data report and the second data report; and

deduplicating, by the system, the first and second data reports to yield a deduplicated data report.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer-readable media for collector high availability. In some embodiments, a system receives, from a first collector device, a first data report generated by a capturing agent deployed on a host system in a network. The system can also receive, from a second collector device, a second data report generated by the capturing agent deployed on the host system. The first and second data reports can include traffic data captured at the host system by the capturing agent during a period of time. The system can determine that the first data report and the second data report are both associated with the capturing agent, and identify duplicate data contained in the first data report and the second data report. The system can then deduplicate the first and second data reports to yield a deduplicated data report.

580 Citations

20 Claims

1. A method comprising:
- receiving, by a system and via a first collector device, a first data report generated by a capturing agent deployed on a host system in a network, the first data report comprising traffic data captured at the host system by the capturing agent;
  
  receiving, by the system and via a second collector device, a second data report generated by the capturing agent deployed on the host system, the second data report comprising traffic data captured at the host system by the capturing agent;
  
  determining, by the system, that the first data report and the second data report are both associated with the capturing agent based on a comparison of whether the first data report and the second data report are from the capturing agent or whether the first data report and the second data report encompass a same period of time;
  
  in response to determining that the first and second data reports are both associated with the capturing agent, identifying, by the system, duplicate data contained in the first data report and the second data report; and
  
  deduplicating, by the system, the first and second data reports to yield a deduplicated data report.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, the method further comprising sending the deduplicated data report to at least one device in the network, the first and second data reports comprising:
    - a respective timestamp;
      
      a respective agent identifier which uniquely identifies the capturing agent from other capturing agents in the network; and
      
      a flow identifier which identifies one or more traffic flows captured by the capturing agent.
  - 3. The method of claim 1, wherein identifying duplicate data comprises determining that the second data report is a copy of the first data report, and wherein deduplicating the first and second data reports comprises discarding a first one of the first and second data reports and keeping a second one of the first and second data reports.
  - 4. The method of claim 1, wherein the capturing agent is configured to capture a set of data comprising at least one of usage data and traffic data at the host system, and report the set of data to both the first and second collector devices.
  - 5. The method of claim 1, wherein identifying duplicate data comprises determining that at least a first portion of content of the first data report is a duplicate of a second portion of content of the second data report, wherein the duplicate comprises same traffic data captured during the same period of time by the capturing agent, and wherein deduplicating the first and second data reports comprises:
    - selecting a first one of the first data report or the second data report to yield a selected data report; and
      
      filtering a respective one of the first portion of content or the second portion of content from the selected data report to yield the deduplicated data report.
  - 6. The method of claim 1, wherein the capturing agent resides in one of a hypervisor on the host system or a virtual machine on the hypervisor, the traffic data being associated with the one of the hypervisor or the virtual machine.
  - 7. The method of claim 1, wherein identifying duplicate data comprises determining that at least a first portion of content of the first data report is a duplicate of a second portion of content of the second data report, wherein the duplicate comprises same traffic data captured during the same period of time by the capturing agent, and wherein deduplicating the first and second data reports comprises:
    - merging contents of the first data report and the second data report to yield a merged data report; and
      
      filtering one of the first portion of content or the second portion of content from the merged data report to yield the deduplicated data report.
  - 8. The method of claim 1, wherein the capturing agent comprises at least one of a process, a kernel module, or a software driver.
  - 9. The method of claim 1, wherein the first collector device and the second collector device are both assigned to a flow associated with the traffic data based on a hash value generated by applying a hash function to a flow identifier associated with the flow.
  - 10. The method of claim 1, wherein the traffic data comprises one or more timestamps, one or more traffic identifiers, and an agent identifier that uniquely identifies the capturing agent in the network, the method further comprising:
    - determining that the first data report is associated with a first period of time based on a first respective timestamp;
      
      determining that the second data report is associated with a second period of time based on a second respective timestamp; and
      
      determining, based on the agent identifier associated with the capturing agent, that the first and second data reports were both generated by the capturing agent.

11. A system comprising:
- one or more processors; and
  
  one or more computer-readable storage devices having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  receiving, from a first collector device, a first data report generated by a capturing agent deployed on a host system in a network, the first data report comprising traffic data captured at the host system by the capturing agent during a period of time;
  
  receiving, from a second collector device, a second data report generated by the capturing agent deployed on the host system, the second data report comprising traffic data captured at the host system by the capturing agent during the period of time;
  
  determining that the first data report and the second data report are both associated with the capturing agent based on a comparison of whether the first data report and the second data report are from the capturing agent or whether the first data report and the second data report encompass a same period of time;
  
  in response to determining that the first and second data reports are both associated with the capturing agent, identifying duplicate data contained in the first data report and the second data report; and
  
  deduplicating the first and second data reports to yield a deduplicated data report.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, the one or more computer-readable storage devices storing additional instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising sending the deduplicated data report to at least one device in the network, the first and second data reports comprising:
    - a respective timestamp associated with the period of time;
      
      a respective agent identifier which uniquely identifies the capturing agent from other capturing agents in the network; and
      
      a flow identifier which identifies one or more traffic flows captured by the capturing agent.
  - 13. The system of claim 11, wherein identifying duplicate data comprises determining that the second data report is a copy of the first data report, and wherein deduplicating the first and second data reports comprises discarding a first one of the first and second data reports and keeping a second one of the first and second data reports.
  - 14. The system of claim 11, wherein the host system comprises a server, and wherein the capturing agent resides in a hypervisor on the server.
  - 15. The system of claim 11, wherein identifying duplicate data comprises determining that at least a first portion of content of the first data report is a duplicate of a second portion of content of the second data report, wherein the duplicate comprises same traffic data captured during the same period of time by the capturing agent, and wherein deduplicating the first and second data reports comprises:
    - selecting a first one of the first data report or the second data report to yield a selected data report; and
      
      filtering a respective one of the first portion of content or the second portion of content from the selected data report to yield the deduplicated data report.

16. A computer-readable storage device storing instructions which, when executed by a processor, cause the processor to perform operations comprising:
- receiving, by a system from a first collector device, a first data report generated by a capturing agent deployed on a host system in a network, the first data report comprising traffic data captured at the host system by the capturing agent during a period of time;
  
  receiving, by the system from a second collector device, a second data report generated by the capturing agent deployed on the host system, the second data report comprising traffic data captured at the host system by the capturing agent during the period of time;
  
  determining, by the system, that the first data report and the second data report are both associated with the capturing agent based on a comparison of whether the first data report and the second data report are from the capturing agent or whether the first data report and the second data report encompass a same period of time;
  
  in response to determining that the first and second data reports are both associated with the capturing agent, identifying, by the system, duplicate data contained in the first data report and the second data report; and
  
  deduplicating, by the system, the first and second data reports to yield a deduplicated data report.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-readable storage device of claim 16, storing additional instructions which, when executed by the processor, cause the processor to perform operations further comprising sending the deduplicated data report to at least one device in the network, the first and second data reports comprising:
    - a respective timestamp associated with the period of time;
      
      a respective agent identifier which uniquely identifies the capturing agent from other capturing agents in the network; and
      
      a flow identifier which identifies one or more traffic flows captured by the capturing agent.
  - 18. The computer-readable storage device of claim 16, wherein identifying duplicate data comprises determining that at least a first portion of content of the first data report is a duplicate of a second portion of content of the second data report, wherein the duplicate comprises same traffic data captured during the same period of time by the capturing agent, and wherein deduplicating the first and second data reports comprises:
    - merging contents of the first data report and the second data report to yield a merged data report; and
      
      filtering one of the first portion of content or the second portion of content from the merged data report to yield the deduplicated data report.
  - 19. The computer-readable storage device of claim 16, wherein identifying duplicate data comprises determining that at least a first portion of content of the first data report is a duplicate of a second portion of content of the second data report, wherein the duplicate comprises same traffic data captured during the same period of time by the capturing agent, and wherein deduplicating the first and second data reports comprises:
    - selecting a first one of the first data report or the second data report to yield a selected data report; and
      
      filtering a respective one of the first portion of content or the second portion of content from the selected data report to yield the deduplicated data report.
  - 20. The computer-readable storage device of claim 16, wherein the first collector device and the second collector device are both assigned to a flow associated with the traffic data based on a result of applying a hash function to a flow identifier associated with the flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Gandham, Shashidhar, Prasad, Rohit Chandra, Singh, Abhishek Ranjan, Yadav, Navindra, Deen, Khawar, Malhotra, Varun Sagar
Primary Examiner(s)
Wasel, Mohamed A

Application Number

US15/171,807
Publication Number

US 20160359704A1
Time in Patent Office

957 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/122   using management policies b...

G06F 16/137   Hash-based content-based in...

G06F 16/162   Delete operations erasing i...

G06F 16/17   Details of further file sys...

G06F 16/173   Customisation support for f...

G06F 16/174   Redundancy elimination perf...

G06F 16/1744   using compression, e.g. spa...

G06F 16/1748   De-duplication implemented ...

G06F 16/2322   using timestamps

G06F 16/235   Update request formulation

G06F 16/2365   Ensuring data consistency a...

G06F 16/24578   using ranking

G06F 16/248   Presentation of query results

G06F 16/285   Clustering or classification

G06F 16/288   Entity relationship models

G06F 16/29   Geographical information da...

G06F 16/9535   Search customisation based ...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595 : Network integration; Enabli...

G06F 21/53 : by executing in a restricte...

G06F 21/552 : involving long-term monitor...

G06F 21/556 : involving covert channels, ...

G06F 21/566 : Dynamic detection, i.e. det...

G06F 2221/033 : Test or assess software

G06F 2221/2101 : Auditing as a secondary aspect

G06F 2221/2105 : Dual mode as a secondary as...

G06F 2221/2111 : Location-sensitive, e.g. ge...

G06F 2221/2115 : Third party

G06F 2221/2145 : Inheriting rights or proper...

G06F 3/0482 : Interaction with lists of s...

G06F 3/04842 : Selection of displayed obje...

G06F 3/04847 : Interaction techniques to c...

G06F 9/45558 : Hypervisor-specific managem...

G06N 20/00 : Machine learning

G06N 99/00 : Subject matter not provided...

G06T 11/206 : Drawing of charts or graphs

H04J 3/0661 : using timestamps

H04J 3/14 : Monitoring arrangements for...

H04L 1/242 : by comparing a transmitted ...

H04L 41/046 : comprising network manageme...

H04L 41/0668 : by dynamic selection of rec...

H04L 41/0803 : Configuration setting

H04L 41/0806 : for initial configuration o...

H04L 41/0816 : the condition being an adap...

H04L 41/0893 : Assignment of logical group...

H04L 41/0894 : Policy-based network config...

H04L 41/12 : Discovery or management of ...

H04L 41/16 : using machine learning or a...

H04L 41/22 : comprising specially adapte...

H04L 41/40 : using virtualisation of net...

H04L 43/02 : Capturing of monitoring data

H04L 43/026 : using flow identification

H04L 43/04 : Processing captured monitor...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 43/0805 : by checking availability

H04L 43/0811 : by checking connectivity

H04L 43/0829 : Packet loss

H04L 43/0841 : Round trip packet loss

H04L 43/0858 : One way delays

H04L 43/0864 : Round trip delays

H04L 43/0876 : Network utilisation, e.g. v...

H04L 43/0882 : Utilisation of link capacity

H04L 43/0888 : Throughput

H04L 43/10 : Active monitoring, e.g. hea...

H04L 43/106 : using time related informat...

H04L 43/12 : Network monitoring probes

H04L 43/16 : Threshold monitoring

H04L 43/20 : the monitoring system or th...

H04L 45/306 : Route determination based o...

H04L 45/38 : Flow based routing

H04L 45/46 : Cluster building

H04L 45/507 : Label distribution

H04L 45/66 : Layer 2 routing, e.g. in Et...

H04L 45/74 : Address processing for routing

H04L 47/11 : Identifying congestion

H04L 47/20 : Traffic policing

H04L 47/2441 : relying on flow classificat...

H04L 47/2483 : involving identification of...

H04L 47/28 : in relation to timing consi...

H04L 47/31 : by tagging of packets, e.g....

H04L 47/32 : by discarding or delaying d...

H04L 61/5007 : Internet protocol [IP] addr...

H04L 63/0227 : Filtering policies mail mes...

H04L 63/0263 : Rule management

H04L 63/06 : for supporting key manageme...

H04L 63/0876 : based on the identity of th...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/145 : the attack involving the pr...

H04L 63/1458 : Denial of Service

H04L 63/1466 : Active attacks involving in...

H04L 63/16 : Implementing security featu...

H04L 63/20 : for managing network securi...

H04L 67/01 : Protocols

H04L 67/10 : in which an application is ...

H04L 67/1001 : for accessing one among a p...

H04L 67/12 : specially adapted for propr...

H04L 67/51 : Discovery or management the...

H04L 67/535 : Tracking the activity of th...

H04L 67/75 : Indicating network or usage...

H04L 69/16 : Implementation or adaptatio...

H04L 69/22 : Parsing or analysis of headers

H04L 7/10 : Arrangements for initial sy...

H04L 9/0866 : involving user or device id...

H04L 9/3239 : involving non-keyed hash fu...

H04L 9/3242 : involving keyed hash functi...

H04W 72/54 : based on quality criteria

H04W 84/18 : Self-organising networks, e...

View All

High availability of collectors of traffic reported by network sensors

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

580 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

High availability of collectors of traffic reported by network sensors

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

580 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links