Methods and computer program products for monitoring the contents of network traffic in a network device

US 8,645,532 B2
Filed: 09/13/2011
Issued: 02/04/2014
Est. Priority Date: 09/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring the contents of network traffic in a network device, the method comprising:

collecting, in substantially real-time using at least one of;

a kernel space driver interface, network traffic data sent by the network device, and network traffic data received at the network device;

parsing the collected network traffic data, wherein parsing comprises;

extracting, from the collected network traffic data, transaction data corresponding to at least one logical transaction defined by a network protocol, andstoring an indicator of a quantity of the collected network traffic data that was consumed; and

generating an event incorporating the extracted transaction data,wherein the collecting network traffic data, parsing the collected network traffic data, and generating an event comprise operations performed using at least one computer processor, andwherein collecting network traffic data comprises collecting network traffic data according to at least one predicate, the at least one predicate corresponding to at least one characteristic of network traffic data to be collected.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are methods and computer program products monitoring the contents of network traffic in a network device. Methods may include collecting, using a kernel space driver interface, network traffic data sent by and/or received at the network device, parsing the collected network traffic data to extract transaction data corresponding to at least one logical transaction defined by a network protocol and storing an indicator of a quantity of the collected network traffic data that was parsed, and generating an event incorporating the extracted transaction data.

27 Citations

View as Search Results

20 Claims

1. A method for monitoring the contents of network traffic in a network device, the method comprising:
- collecting, in substantially real-time using at least one of;
  
  a kernel space driver interface, network traffic data sent by the network device, and network traffic data received at the network device;
  
  parsing the collected network traffic data, wherein parsing comprises;
  
  extracting, from the collected network traffic data, transaction data corresponding to at least one logical transaction defined by a network protocol, andstoring an indicator of a quantity of the collected network traffic data that was consumed; and
  
  generating an event incorporating the extracted transaction data,wherein the collecting network traffic data, parsing the collected network traffic data, and generating an event comprise operations performed using at least one computer processor, andwherein collecting network traffic data comprises collecting network traffic data according to at least one predicate, the at least one predicate corresponding to at least one characteristic of network traffic data to be collected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A method according to claim 1, wherein the at least one predicate corresponds to a network port on which network traffic data arrives, a remote Internet Protocol (IP) address from which network data originates, or a network application sending or receiving network data.
  - 3. A method according to claim 1, wherein collecting network traffic data comprises transferring the collected network traffic data into a memory buffer accessible in both kernel space and user space, andwherein a size of the memory buffer is configurable.
  - 4. A method according to claim 1, wherein collecting network traffic data comprises transferring the collected network traffic data into a memory buffer accessible in both kernel space and user space, andwherein a size of the memory buffer is adaptive based on available memory.
  - 5. A method according to claim 1, wherein parsing the collected network traffic data comprises:
    - determining, based on the collected network traffic data, that parsing a subsequent portion of network traffic is not performed; and
      
      storing an indicator, responsive to the determining, that both the collected network traffic data and the subsequent portion of network traffic were consumed.
  - 6. A method according to claim 1, wherein parsing the collected network traffic comprises:
    - determining that a quantity of the collected network traffic data is not sufficient to extract the at least one logical transaction; and
      
      storing an indicator, responsive to the determining, that none of the collected network traffic data was consumed.
  - 7. A method according to claim 1, wherein parsing the collected network traffic comprises:
    - determining that the collected network traffic data that corresponds to a network flow cannot be parsed;
      
      storing an indicator, responsive to the determining, that subsequent network traffic data that corresponds to the network flow is not parsed.
  - 8. A method according to claim 1, wherein parsing the collected network traffic comprises storing, in memory or a persistent data store, at least one attribute of the extracted transaction data.
  - 9. A method according to claim 1, wherein parsing the collected network traffic data comprises executing a script within a script interpreter that is incorporated into an executable application.
  - 10. A method according to claim 1, further comprising generating filtered transaction data based on the extracted transaction data,wherein generating filtered transaction data comprises modifying or deleting data within the extracted transaction data, or supplementing the extracted transaction data, andwherein generating an event comprises generating an event incorporating the filtered transaction data.
  - 11. A method according to claim 10, wherein generating filtered transaction data comprises:
    - identifying extracted transaction data corresponding to a plurality of related logical transactions; and
      
      representing the plurality of related logical transactions as a single transaction in the generated filtered transaction data.
  - 12. A method according to claim 10, wherein generating filtered transaction data comprises storing, in memory or a persistent data store, at least one attribute of the filtered transaction data.
  - 13. A method according to claim 10, wherein generating filtered transaction data comprises executing a script within a script interpreter that is incorporated into an executable application.
  - 14. A method according to claim 1, further comprising:
    - aggregating transaction data that corresponds to a predefined time interval,wherein generating an event comprises generating, responsive to aggregating transaction data, an event incorporating the aggregated transaction data.
  - 15. A method according to claim 1, further comprising:
    - compressing transaction data that corresponds to a predefined time interval,wherein generating an event comprises generating, responsive to compressing transaction data, an event incorporating the compressed transaction data.
  - 16. A computer program product comprising a non-transitory computer readable storage medium having computer readable program code embodied therein, the computer readable program code configured to carry out the method of claim 1.

17. A computer program product comprising:
- a non-transitory computer readable storage medium having computer readable program code embodied therein, the computer readable program code comprising;
  
  computer readable program code configured to collect, in substantially real-time using at least one of;
  
  a kernel space driver interface, network traffic data sent by the network device, and network traffic data received at a network device;
  
  computer readable program code configured to parse the collected network traffic data, wherein the computer readable program code configured to parse comprises;
  
  computer readable program code configured to extract, from the collected network traffic data, transaction data corresponding to at least one logical transaction defined by a network protocol, andcomputer readable program code configured to store an indicator of a quantity of the collected network traffic data that was parsed; and
  
  computer readable program code configured to generate an event incorporating the extracted transaction data,wherein the computer readable program code configured to collect network traffic data collects network traffic data according to at least one predicate, the at least one predicate corresponding to at least one characteristic of network traffic data to be collected.
- View Dependent Claims (18, 19, 20)
- - 18. A computer program product according to claim 17, further comprising computer readable program code configured to generate filtered transaction data based on the extracted transaction data,wherein the computer readable program code configured to generate filtered transaction data comprises computer readable program code configured to modify or delete data within the extracted transaction data, or supplement the extracted transaction data, andwherein the computer readable program code configured to generate an event comprises computer readable program code configured to generate an event incorporating the filtered transaction data.
  - 19. A computer program product according to claim 17, further comprising:
    - computer readable program code configured to aggregate transaction data that corresponds to a predefined time interval,wherein the computer readable program code configured to generate an event comprises computer readable program code configured to generate, responsive to aggregating transaction data, an event incorporating the aggregated transaction data.
  - 20. A computer program product according to claim 17, further comprising:
    - computer readable program code configured to compress transaction data that corresponds to a predefined time interval,wherein the computer readable program code configured to generate an event comprises computer readable program code configured to generate, responsive to compressing transaction data, an event incorporating the compressed transaction data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
BlueStripe Software, Inc. (Microsoft Corporation)
Inventors
Reynolds, Patrick A., Yumerefendi, Aydan R., Nethercutt, Glenn T.
Primary Examiner(s)
NANO, SARGON N

Application Number

US13/231,118
Publication Number

US 20130067018A1
Time in Patent Office

875 Days
Field of Search

709201-203, 709/223, 709/227
US Class Current

709/224
CPC Class Codes

H04L 12/6418 Hybrid transport

Methods and computer program products for monitoring the contents of network traffic in a network device

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and computer program products for monitoring the contents of network traffic in a network device

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links