US20100085891A1 - Apparatus and method for analysing a network - Google Patents
- Publication number: US20100085891A1 (application US12/520,114)
- Authority: US (United States)
- Prior art keywords: flow, unit, programmable controller, network, metering
- Legal status: Abandoned (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L43/00—Arrangements for monitoring or testing data switching networks
    - H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    - H04L43/02—Capturing of monitoring data
      - H04L43/026—Capturing of monitoring data using flow identification
    - H04L43/20—Arrangements for monitoring or testing data switching networks the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
  - H04L47/00—Traffic control in data switching networks
    - H04L47/10—Flow control; Congestion control
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        - H04L63/1425—Traffic logging, e.g. anomaly detection
Definitions
- the invention relates to an apparatus, a method and a computer program for analysing a network flow.
- IP: Internet Protocol
- IPFIX: IP Flow Information Export
- the NetFlow protocol provides technology for network accounting, bandwidth usage analysis, network anomaly detection, traffic engineering and capacity management.
- NetFlow is supported at routers, switches, metering appliances and software-based traffic meters. Some high-end routers and switches support NetFlow with dedicated hardware extensions.
- the present invention is directed to an apparatus, a computer system, a computer program and a method as defined in independent claims. Further embodiments of the invention are provided in the appended dependent claims.
- an apparatus for analysing a network flow comprising
- the architecture of the apparatus according to this aspect of the invention allows for an efficient, flexible and fast implementation of a flow metering function that is able to support a large number of configuration options. Such configuration options might cover different versions of today's or future standards.
- This architecture provides the benefits of high performance without the drawback of fixed metering functionality and interfaces which only support a single standard.
- the modular approach of this architecture comprises a parser that is provided for receiving a network flow and for extracting flow identification information from this network flow.
- the parser can be programmed to extract any desirable combination of flow identification information from the network flow.
- the flow identification information might e.g. be contained in fields of packet headers of a network flow.
- the parser can be programmed to extract the corresponding header fields that are relevant for a specific protocol standard.
- the flow identification information might comprise e.g. the source and destination IP address, the source and destination port and the IP protocol of the analysed network flow.
- the network flow identified by the flow identification information is metered by a flow metering unit.
- the metering of the flow identification information might e.g. comprise timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
- Both the flow metering unit and the parser are controlled in parallel by a programmable controller.
- the programmable controller can be individually programmed for the respective application environment, the protocol standards used for the network flow (e.g. NetFlow v5, v7, v9, IPFIX), the number of flows to be supported and the speed of the respective network.
- the parser and the flow metering unit are generic units. The specific functionality of these generic units is determined by the programmable controller.
- the flow metering unit is provided for sending flow status information to the programmable controller and the programmable controller is provided for sending flow metering instructions to the flow metering unit in dependence on the flow status information.
- Such a control loop between the flow metering unit and the programmable controller facilitates an efficient, fast and flexible flow metering process and processing.
- the parser is provided for sending parsing information to the programmable controller and the programmable controller is provided for sending parsing instructions to the parser in dependence on the parsing information.
- Such a control loop between the parser and the programmable controller facilitates an efficient, fast and flexible parsing process and processing.
- Such a parallel processing structure further facilitates an efficient, fast and flexible flow metering process and processing.
- the programmable controller comprises a program memory comprising two or more flow metering programs.
- the two or more flow metering programs can e.g. be programmed for different versions of network analysis protocols, for different application environments, for different numbers of flows to be supported and for different speeds of the network.
- the programmable controller is implemented as programmable state machine.
- the implementation of the programmable controller as programmable state machine is a flexible and cost effective solution.
- the programmable state machine comprises a transition rule memory, a rule selector and a state register, wherein the rule selector is provided for receiving an external input signal and an internal input signal from the state register indicating the current state, and wherein the rule selector is provided for looking up the internal and external input signals in the transition rule memory for a matching transition rule and, when a transition rule applies, for changing the state of the state register and generating an output signal comprising parsing and/or flow metering instructions.
- This embodiment is an efficient way of implementing the programmable state machine.
- the transition rule memory is provided for storing a set of transition rules.
- a set of transition rules may establish a flow metering program. For different versions of network analysis protocols, for different application environments, for different numbers of flows to be supported and for different speeds of the network a plurality of sets of transition rules might be loaded into the transition rule memory.
- the rule selector is provided for receiving an external input signal and an internal input signal from the state register.
- the internal input signal from the state register indicates the current state of the programmable state machine.
- the external input signal or the external input signals are received from the flow metering unit and/or the parser.
- the external input signal of the state machine may comprise flow status information, parser information and various other information.
- the rule selector looks up the internal and external input signals in the transition rule memory for a matching transition rule. If a predefined transition rule applies, the programmable state machine changes the state of the state register and generates an output signal comprising parsing and/or flow metering instructions.
- the programmable state machine observes the flow status information and/or the parsing information for predefined states.
- the state machine changes its state, when such a predefined state is detected. Then the changing state of the state machine triggers control actions for the parser and/or the flow metering unit.
- the flow table unit comprises a memory for storing information about the network flows that are analysed by the apparatus.
- the flow table might e.g. use the 5-tuple definition to characterise a specific network flow.
- the flow table may provide an entry for each specific network flow characterized by the 5-tuple definition.
- a network flow is defined as a unidirectional sequence of packets that have the same source and destination IP address, the same source and destination port and the same IP protocol.
- the flow table may store flow metering information, e.g. timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
- the flow table management unit is provided for managing the entries of the flow table.
- the flow table management unit is controlled by the programmable controller.
- This flow table management unit may be provided to execute various flow metering instructions received from the programmable controller.
- Such flow metering instructions may include instructions for updating the flow table unit, creating a new entry in the flow table unit and checking the status or specific entries of the flow table unit.
- the flow table management unit may be implemented using a conventional hard-wired state machine.
- the flow table management unit may check, upon reception of a check-command from the programmable controller, if the flow table already contains an entry for an identified network flow. As a result, it could provide an indication (implemented as a single-bit flag) back to the programmable controller that indicates whether an entry for this identified network flow already exists or whether the identified network flow is a new flow that is not present in the flow table of the flow table unit.
- the programmable controller may dispatch further flow metering instructions to the table management unit to either update an existing flow table entry, create a new flow table entry or create a completely new flow table, with a corresponding “update”, “create new flow table entry” or “create new flow table” command.
- the flow information export unit is provided for exporting flow information to another location or entity.
- the flow information export unit is controlled by the programmable controller as well.
- the programmable controller may trigger the export of flow metering information by dispatching an export-command to the flow information export unit.
- the flow table management unit comprises a programmable hash function unit provided with two or more selectable hash functions for mapping the flow identification information to a hash index, wherein the programmable controller is provided for selecting one of the selectable hash functions.
- Hash functions are widely used to improve the efficiency of network flow analysis and network flow metering.
- different standards and different protocol versions of flow metering standards use different hash functions.
- the apparatus according to this embodiment of the invention can support these different standards and protocol versions.
- the programmable controller is provided for sending table management commands to the table management unit.
- Such table management commands may be e.g. an update-command, a create-command or a check-command.
- the apparatus is implemented as hardware assist device.
- implementing the apparatus as a hardware assist device has the advantage that it can be integrated into a system without placing processing load on that system's processor.
- a second aspect of the invention relates to a computer system comprising a central processing unit, a memory and a computer networking device, comprising an apparatus according to the first aspect of the invention for analysing the network flow in the computer networking device.
- the computer networking device may be e.g. a switch or a router.
- the apparatus works as hardware assist device for the central processing unit of the computer system. This allows for an analysis of the network flow without loading the central processor.
- a third aspect of the invention relates to a computer system comprising two or more virtual computing systems, further comprising an apparatus according to the first aspect of the invention, wherein the apparatus is provided for analysing the network flow between the virtual computing systems and/or between the virtual computing systems and an external device.
- This architecture allows for an efficient implementation of a network flow function within a virtualized environment.
- the software networking device may be e.g. a software switch, i.e. a switch implemented in software.
- the hardware networking device may be e.g. a hardware switch, i.e. a switch implemented in hardware.
- the external device can be e.g. another computer system, a network, the internet or any other destination.
- the apparatus is arranged in the hardware networking device.
- a fourth aspect of the invention relates to a method for analysing a network flow, comprising the steps of
- a fifth aspect of the invention relates to a flow metering computer program comprising instructions for carrying out a flow metering program on a programmable controller, the flow metering computer program being provided for controlling the flow metering unit and the parser of an apparatus according to the first aspect of the invention.
- FIG. 1 is a schematic drawing of an apparatus for analyzing a network flow according to an embodiment of the invention, comprising a programmable controller, a parser and a flow metering unit.
- FIG. 2 shows a schematic computer system comprising a computer networking device and an apparatus for analysing the network flow in the computer networking device.
- FIG. 3 is a schematic drawing of a programmable controller implemented as a state machine.
- FIG. 4 is a schematic drawing of the apparatus of FIG. 1 in more detail.
- FIG. 5 shows a flow chart illustrating a flow table update function of the flow metering unit.
- FIG. 6 shows a flow chart illustrating the determination of expired table entries of a flow table unit.
- FIG. 7 shows a flow chart illustrating the exportation of expired table entries of the flow table unit.
- FIG. 8 shows a schematic drawing of a computer system comprising virtual computing systems and an apparatus for analysing the network flow between the virtual computing systems.
- FIG. 1 shows an apparatus 100 for analysing a network flow 105 according to an exemplary embodiment of the invention.
- the apparatus 100 comprises a parser 110 for extracting flow identification information from the network flow 105.
- the network flow 105 may be any kind of communication traffic in a network, in particular end-to-end network traffic.
- the network flow 105 may comprise a sequence of data packets, wherein each data packet is part of a communication between two distinct network addresses.
- the apparatus 100 comprises a flow metering unit 130 for metering the network flow 105 and a programmable controller 140 for controlling the flow metering unit 130 and the parser 110.
- the flow metering unit 130 is provided for sending flow status information to the programmable controller 140, and the programmable controller 140 is provided for sending flow metering instructions to the flow metering unit 130 in dependence on the flow status information. Furthermore, the parser 110 is provided for sending parsing information to the programmable controller 140, and the programmable controller 140 is provided for sending parsing instructions to the parser 110 in dependence on the parsing information.
- the programmable controller 140 comprises a central processing unit 150 and a program memory 160.
- in the program memory 160, one or more flow metering programs 170 can be stored.
- the apparatus 100 is preferably implemented in hardware and may be used as a hardware assist device. This is further illustrated with reference to FIG. 2.
- FIG. 2 shows a computer system 200 comprising a central processing unit 210, a memory 220 and a computer networking device 230. Furthermore, it comprises the apparatus 100 for analysing a network flow.
- the apparatus 100 is implemented in hardware as a hardware assist device for the central processing unit 210.
- the central processing unit 210, the memory 220, the computer networking device 230 and the apparatus 100 are coupled via an internal bus system 240.
- the computer networking device 230 may be any kind of Input/Output device, e.g. a router or a switch.
- the computer networking device 230 serves as a router between a first Local Area Network (LAN) 250, a second LAN 260 and the Internet 270.
- the computer networking device 230 is provided for routing network flows 280 between the first LAN 250, the second LAN 260 and the Internet 270.
- the apparatus 100 is provided for analysing and metering the network flow in the computer networking device 230.
- FIG. 3 shows a schematic block diagram of a programmable controller 300 according to another exemplary embodiment of the invention.
- the programmable controller 300 is implemented as a programmable state machine.
- the programmable controller 300 comprises a transition rule memory 310, a rule selector 320 and a state register 330.
- the rule selector 320 is provided for receiving, as external input signal 340, parsing information from the parser 110 and flow status information from the flow metering unit 130 of FIG. 1.
- the rule selector 320 is provided for receiving an internal input signal 350 from the state register 330. This internal input signal 350 indicates the current state of the state register 330.
- the rule selector 320 looks up the internal input signal 350 and the external input signal 340 in the transition rule memory 310 for a matching transition rule.
- the rule selector 320 is provided for changing the state of the state register 330 and sending parsing instructions to the parser 110 and/or flow metering instructions to the flow metering unit 130 of FIG. 1.
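The programmable state machine described in the definitions above and in the FIG. 3 description (transition rule memory, rule selector, state register), as an added Python example that is not code from the patent or its assignee: the rule memory is a loadable list of entries mapping (current state, external input) to (next state, emitted instruction), the rule selector is the lookup in `step()`, and `load_program()` stands in for loading a different set of transition rules for another protocol version or application environment. The state and event names, the `METERING_PROGRAM` rule set and the class and method names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class TransitionRule:
    """One entry of the transition rule memory (constructed for this example)."""
    state: str             # required current state (internal input from the state register)
    event: str             # required external input (parser info, flow status, timer)
    next_state: str        # value written to the state register when the rule fires
    output: Optional[str]  # parsing / flow metering instruction emitted, or None


# Constructed flow metering program: a per-packet check/update/create loop plus a
# timer-driven scan-and-export cycle. Another program would simply replace this list.
METERING_PROGRAM: List[TransitionRule] = [
    TransitionRule("idle",   "packet_parsed", "lookup", "check"),
    TransitionRule("lookup", "entry_exists",  "idle",   "update"),
    TransitionRule("lookup", "new_flow",      "idle",   "create"),
    TransitionRule("idle",   "timer_expired", "scan",   "scan"),
    TransitionRule("scan",   "scan_done",     "idle",   "generate_packet"),
]


class ProgrammableStateMachine:
    """Rule selector plus state register; the rule memory is loaded, not hard-wired."""

    def __init__(self, rules: Iterable[TransitionRule], initial: str = "idle") -> None:
        self.load_program(rules, initial)

    def load_program(self, rules: Iterable[TransitionRule], initial: str = "idle") -> None:
        """Load a new set of transition rules (e.g. for another protocol version)."""
        self.rule_memory = list(rules)
        self.state_register = initial

    def step(self, event: str) -> Optional[str]:
        """Match (current state, external input) against the rule memory. If a rule
        applies, write its next state to the state register and return its instruction;
        otherwise leave the state unchanged and emit nothing."""
        for rule in self.rule_memory:
            if rule.state == self.state_register and rule.event == event:
                self.state_register = rule.next_state
                return rule.output
        return None

    def run(self, events: Iterable[str]) -> List[str]:
        """Feed a sequence of external inputs and collect the instructions emitted."""
        return [out for out in map(self.step, events) if out is not None]


if __name__ == "__main__":
    psm = ProgrammableStateMachine(METERING_PROGRAM)
    print(psm.run(["packet_parsed", "new_flow", "packet_parsed", "entry_exists",
                   "timer_expired", "scan_done"]))
```

The rule memory is searched linearly here; a hardware implementation would use a parallel or content-addressable lookup, which the page does not detail. An input for which no rule exists in the current state leaves the state register untouched and emits no instruction, which is the conservative default for a controller that drives table updates and exports.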
- FIG. 4 is a schematic drawing of the apparatus of FIG. 1 in more detail.
- the parser 110 can be programmed by means of the programmable controller 140 to extract any desired flow identification information from the network flow 105.
- the network flow 105 comprises packets including a packet header, and the parser 110 uses the packet headers to extract the flow identification information.
- the parser 110 may be programmed to extract any desired combination of header fields from the packet header that will be used for flow identification. Examples of such header fields include IP source and destination addresses, Transmission Control Protocol (TCP) source and destination port numbers, Multi-Protocol Label Switching (MPLS) and Virtual Local Area Network (VLAN) tags, etc.
- TCP: Transmission Control Protocol
- MPLS: Multi-Protocol Label Switching
- VLAN: Virtual Local Area Network
- the parser 110 can be programmed to extract the corresponding header fields that are relevant for that protocol standard.
- the parser 110 is provided for writing the flow identification information of these header fields into a register unit 400.
- the register unit 400 comprises registers with flow identification information derived from packet headers.
- This flow identification information is provided as input to a programmable hash function unit 410.
- the programmable hash function unit 410 maps the flow identification information stored in the register unit 400 to a hash index. In other words, the programmable hash function unit 410 maps the actual values of the selected header fields to a hash index.
- the programmable hash function unit 410 may provide a variety of hash functions that cover all desired functions for the protocol versions that the apparatus 100 shall support.
- the programmable controller 140 is provided for selecting one of the available hash functions. The selection of one of the hash functions may be implemented by sending a hash identifier corresponding to that hash function from the programmable controller 140 to the programmable hash function unit 410.
- Such a hash identifier can consist of a short bit vector that uniquely corresponds to one of the implemented hash functions.
- the flow metering unit 130 further comprises a flow table management unit 420.
- the flow table management unit 420 is provided to receive the hash index of the respective flow identification information of the respective packet header from the programmable hash function unit 410.
- the flow table management unit 420 manages and controls a flow table unit 430.
- the flow table management unit 420 can execute flow table management commands as flow metering instructions.
- Such flow table management commands may include e.g. commands for updating the flow table unit 430, for creating a new entry in the flow table unit 430, for checking entries of the flow table unit 430, for removing entries from the flow table unit 430 and for scanning the entries of the flow table unit 430.
- the flow table management unit 420 is implemented by means of a hardwired state machine.
- the flow table management commands are sent from the programmable controller 140 to the flow table management unit 420.
- the flow table unit 430 comprises a memory that stores network flow entries for network flows identified by the respective hash index.
- the network flow entries comprise key fields that define the flow and content fields that comprise information about the defined flow.
- the content fields are updated with every new packet of the network flow.
- the flow table unit 430 might e.g. use the 5-tuple definition to characterise and define the network flow in the key fields.
- the key fields would comprise the source and destination IP address, the source and destination port and the IP protocol of the respective network flow.
- the flow table may store in the corresponding content fields flow metering information, e.g. timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
- upon reception of a check-command from the programmable controller 140, the flow table management unit 420 will check if the flow table unit 430 already contains an entry for the network flow identified by the respective hash index. In return, it will provide as flow status information an indication to the programmable controller 140 that the respective network flow exists or that the hash index corresponds to a new network flow that is not present in the flow table unit 430.
- the flow table management unit 420 can also have direct access to the actual register values of the register unit 400, i.e. to the flow identification information stored in the register unit 400.
- the programmable controller 140 may dispatch table management commands as flow metering instructions to the flow table management unit 420 to either update an existing flow table entry or to create a new flow table entry by means of an update or a create command.
- the programmable controller 140 is provided for controlling the scanning of the flow table unit 430 for expired flow table entries.
- the programmable controller 140 will test the value of a programmable timer 450, which can be configured to meet the characteristics of the supported protocol versions of the respective network analysis protocol. This will trigger the programmable controller 140 to send, as table management command, a scan instruction to the flow table management unit 420 after certain periods and/or at regular configurable intervals.
- the flow table management unit 420 will then scan the flow table unit 430 and report any expired flow table entries to the programmable controller 140.
- the programmable controller 140 can send a remove-command to the flow table management unit 420 to remove these flow table entries.
- the programmable controller 140 can trigger the export of these expired flow table entries. In the latter case, the programmable controller 140 triggers the creation of a flow information packet containing information on the expired network flow.
- the programmable controller 140 sends a “generate packet” command to a flow information export unit 440.
- the flow information export unit 440 is also denoted as packet generator.
- the flow information export unit 440 can be implemented using a hardwired state machine.
- the flow information export unit 440 exports a flow information packet containing network flow information to a central server or any other destination.
- the flow metering functions of the flow metering unit 130 can be implemented, configured and executed differently depending on the application environment, the protocol standards used (e.g. NetFlow v5, v7, v9, IPFIX), the number of network flows to be supported or the speed of the respective network.
- protocol standards used: e.g. NetFlow v5, v7, v9, IPFIX
- NetFlow v9 and IPFIX do not use fixed record fields, but a variable number of fields defined in flow templates.
- a template determines the content of the flow table and the amount of exported network flow information.
- multiple network flows can be aggregated and mapped on the same flow table entry.
- the flow table might contain various types of information for each network flow.
- the rules that determine when network flow information will be exported can vary.
- FIG. 5 shows a flow chart illustrating a flow table update function of the flow metering unit 130.
- In step 510, the apparatus 100 receives a data packet of a network flow that is observed.
- the parser 110 parses the header of the data packet, extracts the flow identification information and writes it into the register unit 400.
- the programmable hash function unit 410 calculates the hash index of the flow identification information, and the flow table management unit 420 performs a flow table (hash table) lookup in the flow table unit 430.
- the flow table management unit 420 evaluates whether a flow table entry already exists for the respective hash index. If this is the case, the flow table management unit 420 updates in step 550 the respective flow table entry in the flow table unit 430. If this is not the case, the flow table management unit 420 creates in step 560 a new flow table entry in the flow table unit 430.
- FIG. 6 shows a flow chart illustrating the determination of expired flow table entries in the flow table unit 430.
- In step 600, the programmable controller 140 sends a scan-command as flow metering instruction to the flow table management unit 420. This can happen after certain time periods and/or at regular configurable intervals.
- the flow table management unit 420 will then scan the flow table unit 430.
- In step 610, the flow table management unit 420 selects an initial entry of the flow table unit 430 and determines in step 620 the time t since the last update. If the time t is larger than a predefined time, e.g. determined by the timer 450, the respective entry of the flow table unit 430 is marked as expired.
- In step 650, it is checked whether all entries of the flow table unit 430 have been processed, i.e. have been checked for expiration.
- If this is not the case, the flow table management unit 420 will select the next entry and continue with step 620. If the result of step 650 is that all entries of the flow table unit 430 have been processed, the scanning has been completed. The scanning function of the flow table management unit 420 then waits in step 670 for a time t' until it receives a new scan-command from the programmable controller 140.
- FIG. 7 shows a flow chart illustrating the export of expired table entries to a server or another destination.
- In step 700, the programmable controller 140 triggers the export process by sending a “generate packet” command to the flow information export unit (packet generator) 440.
- the flow information export unit 440 selects an initial entry of the flow table unit 430 and checks in step 720 if the respective entry is marked as expired. If this is the case, the flow information export unit 440 creates and transmits in step 730 a flow information packet containing network flow information of the expired network flow of the respective flow table entry.
- the flow information export unit 440 may export a flow information packet to a central server or any other destination.
- the respective table entry is then removed from the flow table unit 430.
- In step 750, the flow information export unit 440 checks if all table entries have been processed, i.e. checked for flows that are marked as expired. If the result of step 720 is that the respective flow table entry is not marked as expired, the export process continues with step 750 as well. If the check of step 750 is negative, in step 760 the next flow table entry is selected for processing and the export process continues with step 720. If the check of step 750 is positive, the export process is finished for the meantime. The export function of the flow information export unit 440 then waits in step 770 for a time t′′ until it receives a new generate packet command from the programmable controller 140.
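The metering pipeline of FIGs. 4 to 7, as an added Python example that is not code from the patent or its assignee: a parser that pulls the 5-tuple key fields from a raw IPv4 header, a hash function unit whose function is selected by a hash identifier, a flow table with check/update/create commands (the FIG. 5 update function), a timer-driven scan that marks idle entries as expired (FIG. 6), and an export step that emits one record per expired entry in the shape of a NetFlow v9/IPFIX-style template and then removes the entry (FIG. 7). The class and function names, `EXPORT_TEMPLATE`, the `idle_timeout` value, the bucket per hash index used to resolve collisions (which the patent does not specify) and the constructed sample packets built by `make_packet` are all assumptions of this example.

```python
import socket
import struct
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FiveTuple = Tuple[str, str, int, int, int]  # src_ip, dst_ip, src_port, dst_port, proto

# --- parser: extract the 5-tuple key fields from a raw IPv4 packet (no link layer) ---
def parse_five_tuple(packet: bytes) -> FiveTuple:
    # Non-TCP/UDP protocols (e.g. ICMP) get ports 0/0; truncated input is rejected.
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # IP header length in bytes
    proto = packet[9]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    sport = dport = 0
    if proto in (6, 17) and len(packet) >= ihl + 4:   # TCP or UDP: ports follow the IP header
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (src, dst, sport, dport, proto)

# --- programmable hash function unit: several functions, selected by a hash identifier ---
HASH_FUNCTIONS: Dict[int, Callable[[FiveTuple], int]] = {
    0: lambda key: zlib.crc32(repr(key).encode()),
    1: lambda key: zlib.adler32(repr(key).encode()),
}
# Constructed template (NetFlow v9 / IPFIX style): the fields an export record carries.
EXPORT_TEMPLATE = ("src_ip", "dst_ip", "src_port", "dst_port", "proto",
                   "packets", "bytes", "first_seen", "last_seen")

@dataclass
class FlowEntry:
    key: FiveTuple      # key fields
    first_seen: float   # content fields, updated with every packet of the flow
    last_seen: float
    packets: int = 0
    bytes: int = 0
    expired: bool = False

class FlowMeteringUnit:
    """Flow table unit plus the management commands check/update/create/scan and export."""
    def __init__(self, hash_id: int = 0, table_size: int = 1024, idle_timeout: float = 30.0):
        self.hash_fn = HASH_FUNCTIONS[hash_id]   # selected by the controller's hash identifier
        self.table_size = table_size
        self.idle_timeout = idle_timeout
        # hash index -> bucket of entries; the bucket resolves hash collisions
        self.table: Dict[int, Dict[FiveTuple, FlowEntry]] = {}

    def index(self, key: FiveTuple) -> int:
        return self.hash_fn(key) % self.table_size

    def check(self, key: FiveTuple) -> bool:
        """check-command: the single-bit 'entry exists' flag."""
        return key in self.table.get(self.index(key), {})

    def update(self, key: FiveTuple, length: int, now: float) -> None:
        entry = self.table[self.index(key)][key]
        entry.packets += 1
        entry.bytes += length
        entry.last_seen = now

    def create(self, key: FiveTuple, length: int, now: float) -> None:
        self.table.setdefault(self.index(key), {})[key] = FlowEntry(key, now, now, 1, length)

    def handle_packet(self, packet: bytes, now: float) -> str:
        """FIG. 5: parse, hash, look up, then update or create; returns the command used."""
        key = parse_five_tuple(packet)
        if self.check(key):
            self.update(key, len(packet), now)
            return "update"
        self.create(key, len(packet), now)
        return "create"

    def scan(self, now: float) -> int:
        """FIG. 6: mark entries idle for longer than idle_timeout as expired; return the count."""
        marked = 0
        for bucket in self.table.values():
            for entry in bucket.values():
                if not entry.expired and now - entry.last_seen > self.idle_timeout:
                    entry.expired = True
                    marked += 1
        return marked

    def export(self) -> List[dict]:
        """FIG. 7: one template-shaped record per expired entry, which is then removed."""
        records = []
        for idx, bucket in list(self.table.items()):
            for key, entry in list(bucket.items()):
                if entry.expired:
                    fields = dict(zip(("src_ip", "dst_ip", "src_port", "dst_port", "proto"), key))
                    fields.update(packets=entry.packets, bytes=entry.bytes,
                                  first_seen=entry.first_seen, last_seen=entry.last_seen)
                    records.append({f: fields[f] for f in EXPORT_TEMPLATE})
                    del bucket[key]
            if not bucket:
                del self.table[idx]
        return records

def make_packet(src: str, dst: str, sport: int, dport: int, proto: int = 6, payload: int = 0) -> bytes:
    # Constructed IPv4 header plus the 4 port bytes of a TCP/UDP header, for test input only.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24 + payload, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + struct.pack("!HH", sport, dport) + b"\x00" * payload
```

Because the page defines a flow as unidirectional, the two directions of one TCP connection occupy two table entries and are exported separately; a collector that wants bidirectional records has to pair them. The idle timeout together with the scan interval is also what bounds the table's memory: a burst of packets with many distinct 5-tuples creates one entry each, so a deployment should size `table_size` and the timeout for the worst case it is willing to meter rather than for typical traffic.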
- FIG. 8 shows a schematic drawing of a virtualized server environment comprising an apparatus for analyzing the network flow between virtual computing systems.
- The virtualized server environment comprises a computer system 800 comprising two or more virtual computing systems 810 that run on a central processing unit 820 of the computer system 800.
- The computer system 800 further comprises a software networking device 830 for internal communication between the virtual computing systems 810 and a hardware networking device 840 for external communication between the virtual computing systems 810 and an external device 850.
- The software networking device 830 is provided for managing and controlling the internal communication between the virtual computing systems 810. It may be e.g. a software switch, i.e. a switch implemented in software.
- The hardware networking device 840 may be e.g. a network adapter or a hardware switch. It is provided for managing and controlling the external communication between the virtual computing systems 810 and an external device 850.
- The external device 850 can be e.g. another computer system, a network, the internet or any other destination the computer system 800 would like to communicate with.
- The hardware networking device 840 comprises the apparatus 100 for analysing a network flow.
- The apparatus 100 is implemented in hardware as a hardware assist device for the central processing unit 820 of the computer system 800.
- The virtual computing systems 810 may communicate with each other via the software networking device 830 and a virtual local network 860.
- The virtual local network 860 could be e.g. a Virtual Local Area Network (VLAN).
- The hardware networking device 840 can communicate with the virtual computing systems 810 and with the software networking device 830 by means of a virtual Input/Output (I/O) server partition 870.
- The software networking device 830 is provided for forwarding the network flow or parts of the network flow occurring in the software networking device 830 to the apparatus 100.
- The hardware networking device 840 is provided for forwarding the network flow or parts of the network flow occurring in the hardware networking device 840 to the apparatus 100.
- The software networking device 830 may use the virtual Input/Output (I/O) server partition 870 for forwarding the network flow or parts of the network flow to the apparatus 100.
- The hardware networking device 840 may use a hardware bus 880 for forwarding the network flow or parts of the network flow to the apparatus 100.
- The computer system 800 allows for monitoring and analysing the network flow between the virtual computing systems 810 and/or between the virtual computing systems 810 and the external device 850 in a scalable way. No additional software is needed on the computer system 800 or on the virtual computing systems 810.
- The described techniques may be implemented as a method, apparatus or article of manufacture involving software, firmware, micro-code, hardware and/or any combination thereof.
- An article of manufacture refers to code or logic implemented in a medium, where such medium may comprise hardware logic [e.g., an integrated circuit chip, Programmable Gate Array (PGA), Application Specific Integrated Circuit (ASIC), etc.] or a computer readable medium, such as a magnetic storage medium (e.g., hard disk drives, floppy disks, tape, etc.), optical storage (CD-ROMs, optical disks, etc.), or volatile and non-volatile memory devices [e.g., Electrically Erasable Programmable Read Only Memory (EEPROM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Random Access Memory (RAM), Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), flash, firmware, programmable logic, etc.].
- Code in the computer readable medium is accessed and executed by a processor.
- The medium in which the code or logic is encoded may also comprise transmission signals propagating through space or a transmission medium, such as an optical fiber, copper wire, etc.
- The transmission signal in which the code or logic is encoded may further comprise a wireless signal, satellite transmission, radio waves, infrared signals, Bluetooth, etc.
- The transmission signal in which the code or logic is encoded is capable of being transmitted by a transmitting station and received by a receiving station, where the code or logic encoded in the transmission signal may be decoded and stored in hardware or a computer readable medium at the receiving and transmitting stations or devices.
- The “article of manufacture” may comprise a combination of hardware and software components in which the code is embodied, processed, and executed.
- The article of manufacture may comprise any information bearing medium.
- The article of manufacture comprises a storage medium having stored therein instructions that, when executed by a machine, result in operations being performed.
- Certain embodiments can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements.
- The invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.
- Certain embodiments can take the form of a computer program product accessible from a computer usable or computer readable medium providing program code for use by or in connection with a computer or any instruction execution system.
- A computer usable or computer readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
- The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium.
- Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk read-only memory (CD-ROM), compact disk read/write (CD-R/W) and DVD.
- Devices that are in communication with each other need not be in continuous communication with each other, unless expressly specified otherwise.
- Devices that are in communication with each other may communicate directly or indirectly through one or more intermediaries.
- A description of an embodiment with several components in communication with each other does not imply that all such components are required.
- A variety of optional components are described to illustrate the wide variety of possible embodiments.
- Although process steps, method steps, algorithms or the like may be described in a sequential order, such processes, methods and algorithms may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order.
- The steps of processes described herein may be performed in any order practical. Further, some steps may be performed simultaneously, in parallel, or concurrently.
- Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different material form.
Abstract
The invention relates to an apparatus for analysing a network flow, comprising a parser for extracting flow identification information from the network flow, a flow metering unit for metering the network flow, and a programmable controller for controlling the flow metering unit and the parser.
Description
- The invention relates to an apparatus, a method and a computer program for analysing a network flow.
- Communication networks, e.g. networks according to the Internet Protocol (IP) are complex and difficult to analyse and to monitor with respect to the end-to-end network traffic flows, also denoted as network flows. A known protocol for analyzing a network flow is the NetFlow protocol that is currently being standardized by the Internet Engineering Task Force (IETF). Details are provided in IETF IP Flow Information Export (IPFIX) at http://www.ietf.org/html.charters/ipfix-charter.html.
- The NetFlow protocol provides technology for network accounting, bandwidth usage analysis, network anomaly detection, traffic engineering and capacity management.
- NetFlow is supported at routers, switches, metering appliances and software-based traffic meters. Some high-end routers and switches support NetFlow with dedicated hardware extensions.
- The realization of extensions in a router or switch for NetFlow or for other network analysis protocols is typically expensive because the extension has to be well integrated into the specific forwarding and routing architecture of the router or switch.
- It is an object of the invention to provide improved solutions for network flow analysis. It is a further object of the invention to provide an improved apparatus, an improved method, an improved computer system and an improved computer program for analysing a network flow.
- The present invention is directed to an apparatus, a computer system, a computer program and a method as defined in independent claims. Further embodiments of the invention are provided in the appended dependent claims.
- According to a first aspect of the invention there is provided an apparatus for analysing a network flow, comprising
- a parser for extracting flow identification information from the network flow,
- a flow metering unit for metering the network flow,
- a programmable controller for controlling the flow metering unit and the parser.
- The architecture of the apparatus according to this aspect of the invention allows for an efficient, flexible and fast implementation of a flow metering function that is able to support a large number of configuration options. Such configuration options might cover different versions of today's or future standards. This architecture provides the benefits of high performance without the drawback of fixed metering functionality and interfaces which only support a single standard.
- The modular approach of this architecture comprises a parser that is provided for receiving a network flow and for extracting flow identification information from this network flow. The parser can be programmed to extract any desirable combination of flow identification information from the network flow. The flow identification information might e.g. be contained in fields of packet headers of a network flow. As an example, the parser can be programmed to extract the corresponding header fields that are relevant for a specific protocol standard. The flow identification information might comprise e.g. the source and destination IP address, the source and destination port and the IP protocol of the analysed network flow.
- The network flow identified by the flow identification information is metered by a flow metering unit. The metering of the flow identification information might e.g. comprise timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
- Both the flow metering unit and the parser are controlled in parallel by a programmable controller. The programmable controller can be individually programmed for the respective application environment, the protocol standards used for the network flow (e.g. NetFlow v5, v7, v9, IPFIX), the number of flows to be supported and the speed of the respective network. Hence the parser and the flow metering unit are generic units. The specific functionality of these generic units is determined by the programmable controller.
- According to an embodiment of this aspect of the invention the flow metering unit is provided for sending flow status information to the programmable controller and the programmable controller is provided for sending flow metering instructions to the flow metering unit in dependence on the flow status information.
- Such a control loop between the flow metering unit and the programmable controller facilitates an efficient, fast and flexible flow metering process and processing.
- According to another embodiment of this aspect of the invention the parser is provided for sending parsing information to the programmable controller and the programmable controller is provided for sending parsing instructions to the parser in dependence on the parsing information.
- Such a control loop between the parser and the programmable controller facilitates an efficient, fast and flexible parsing process and processing.
- According to another embodiment of this aspect of the invention the programmable controller is provided for
- evaluating in parallel two or more flow status information values of the flow metering unit,
- sending two or more flow metering instructions in parallel to the flow metering unit.
- Such a parallel processing structure further facilitates an efficient, fast and flexible flow metering process and processing.
- According to another embodiment of this aspect of the invention the programmable controller comprises a program memory comprising two or more flow metering programs.
- The two or more flow metering programs can e.g. be programmed for different versions of network analysis protocols, for different application environments, for different numbers of flows to be supported and for different speeds of the network.
- This allows for changing the configuration and application of the apparatus very quickly and easily. Furthermore, it is a flexible and cost effective solution.
- According to another embodiment of this aspect of the invention the programmable controller is implemented as a programmable state machine.
- The implementation of the programmable controller as a programmable state machine is a flexible and cost effective solution.
- According to another embodiment of this aspect of the invention the programmable state machine comprises a transition rule memory, a rule selector and a state register, wherein the rule selector is provided for receiving an external input signal and an internal input signal from the state register indicating the current state, and wherein the rule selector is provided for checking the internal and external input signals against the transition rules held in the transition rule memory and, when a transition rule applies, for changing the state of the state register and generating an output signal comprising parsing and/or flow metering instructions.
- This embodiment is an efficient way of implementing the programmable state machine.
- The transition rule memory is provided for storing a set of transition rules. A set of transition rules may establish a flow metering program. For different versions of network analysis protocols, for different application environments, for different numbers of flows to be supported and for different speeds of the network a plurality of sets of transition rules might be loaded into the transition rule memory.
- The rule selector is provided for receiving an external input signal and an internal input signal from the state register. The internal input signal from the state register indicates the current state of the programmable state machine. The external input signal or the external input signals are received from the flow metering unit and/or the parser. The external input signal of the state machine may comprise flow status information, parser information and various other information.
- The rule selector checks the internal and external input signals against the transition rules held in the transition rule memory. If a predefined transition rule applies, the programmable state machine changes the state of the state register and generates an output signal comprising parsing and/or flow metering instructions.
- In other words, the programmable state machine observes the flow status information and/or the parsing information for predefined states. The state machine changes its state when such a predefined state is detected. The change of state then triggers control actions for the parser and/or the flow metering unit.
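The transition-rule-driven controller described above, as an added Python example rather than the patent's own implementation (the page refers to US 2005/0132342A1 for the hardware design). The bit layout of the external input signal, the state names, the instruction names and the two programs held in program memory are assumptions of the example; the rule selector is a linear first-match search over the rule memory, standing in for whatever matching logic the hardware transition rule memory uses.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# External input signal bits, assumed for this example: the patent names the
# signal classes (parsing information, flow status information), not a bit layout.
PARSED  = 1 << 0   # parser: a packet header has been parsed into the register unit
EXISTS  = 1 << 1   # flow table management unit: an entry for the hash index exists
TIMER   = 1 << 2   # programmable timer: time to scan for expired entries
EXPIRED = 1 << 3   # flow table management unit: the scan found expired entries

IDLE, CHECKING, SCANNING = "IDLE", "CHECKING", "SCANNING"   # assumed state names


@dataclass(frozen=True)
class Rule:
    """One transition rule: applies when the state register holds `state` and
    the external input bits selected by `mask` equal `value`."""
    state: str
    mask: int
    value: int
    next_state: str
    outputs: Tuple[str, ...]   # parsing / flow metering instructions to emit


class ProgrammableStateMachine:
    def __init__(self, rules: List[Rule], start: str = IDLE):
        self.rule_memory = list(rules)   # transition rule memory
        self.state = start               # state register
        self.trace: List[Tuple[str, int, str]] = []

    def step(self, external_input: int) -> Tuple[str, ...]:
        """Rule selector: combine the internal input (current state) with the
        external input, apply the first matching rule and emit its outputs."""
        for rule in self.rule_memory:
            if rule.state == self.state and (external_input & rule.mask) == rule.value:
                self.trace.append((self.state, external_input, rule.next_state))
                self.state = rule.next_state
                return rule.outputs
        return ()   # no rule applies: hold the state, emit nothing


# Program memory holding two flow metering programs (rule sets), selectable by name.
PROGRAM_MEMORY: Dict[str, List[Rule]] = {
    # meter every packet and export expired flows
    "meter_and_export": [
        Rule(IDLE,     PARSED,  PARSED,  CHECKING, ("check",)),
        Rule(IDLE,     TIMER,   TIMER,   SCANNING, ("scan",)),
        Rule(CHECKING, EXISTS,  EXISTS,  IDLE,     ("update",)),
        Rule(CHECKING, EXISTS,  0,       IDLE,     ("create",)),
        Rule(SCANNING, EXPIRED, EXPIRED, IDLE,     ("generate_packet", "remove")),
        Rule(SCANNING, EXPIRED, 0,       IDLE,     ()),
    ],
    # same metering, but expired flows are dropped without export
    "meter_only": [
        Rule(IDLE,     PARSED,  PARSED,  CHECKING, ("check",)),
        Rule(IDLE,     TIMER,   TIMER,   SCANNING, ("scan",)),
        Rule(CHECKING, EXISTS,  EXISTS,  IDLE,     ("update",)),
        Rule(CHECKING, EXISTS,  0,       IDLE,     ("create",)),
        Rule(SCANNING, EXPIRED, EXPIRED, IDLE,     ("remove",)),
        Rule(SCANNING, EXPIRED, 0,       IDLE,     ()),
    ],
}


def run_program(program: str, inputs: List[int]) -> List[Tuple[str, ...]]:
    """Load one program from program memory and feed it a sequence of external inputs."""
    psm = ProgrammableStateMachine(PROGRAM_MEMORY[program])
    return [psm.step(x) for x in inputs]


# Constructed input sequence: a new flow, a known flow, then a timer-driven scan.
SAMPLE_INPUTS = [PARSED, 0, PARSED, EXISTS, TIMER, EXPIRED]
```

Switching the apparatus to a different protocol version or policy is a matter of loading another rule set into the rule memory; the parser and flow metering unit that receive the emitted instructions do not change, which is the point the passage makes about generic units.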
- According to another embodiment of this aspect of the invention the flow metering unit comprises
- a flow table unit,
- a flow table management unit and
- a flow information export unit.
- The flow table unit comprises a memory for storing information about the network flows that are analysed by the apparatus. The flow table might e.g. use the 5-tuple definition to characterise a specific network flow. In other words, the flow table may provide an entry for each specific network flow characterized by the 5-tuple definition. According to the example of the 5-tuple definition, a network flow is defined as a unidirectional sequence of packets that have the same source and destination IP address, the same source and destination port and the same IP protocol.
- For each such entry the flow table may store flow metering information, e.g. timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
- The flow table management unit is provided for managing the entries of the flow table. The flow table management unit is controlled by the programmable controller. This flow table management unit may be provided to execute various flow metering instructions received from the programmable controller. Such flow metering instructions may include instructions for updating the flow table unit, creating a new entry in the flow table unit and checking the status or specific entries of the flow table unit. The flow table management unit may be implemented using a conventional hard-wired state machine.
- As an example, the flow table management unit may check upon reception of a check-command from the programmable controller whether the flow table already contains an entry for an identified network flow. As a result it could provide an indication (implemented as a single-bit flag) back to the programmable controller that indicates whether an entry for this identified network flow already exists or whether the identified network flow is a new flow that is not present in the flow table of the flow table unit.
- In response to receiving the indication that a network flow either exists or not, the programmable controller may dispatch further flow metering instructions to the table management unit to either update an existing flow table entry, to create a new flow table entry or to create a complete new flow table with a corresponding “update”, “create new flow table entry” or “create new flow table” command.
- The flow information export unit is provided for exporting flow information to another location or entity. The flow information export unit is controlled by the programmable controller as well. The programmable controller may trigger the export of flow metering information by dispatching an export-command to the flow information export unit.
- According to another embodiment of this aspect of the invention the flow table management unit comprises a programmable hash function unit provided with two or more selectable hash functions for mapping the flow identification information on a hash index, wherein the programmable controller is provided for selecting one of the selectable hash functions.
- Hash functions are widely used to improve the efficiency of network flow analysis and network flow metering. However, different standards and different protocol versions of flow metering standards use different hash functions. By means of providing a programmable hash function unit, the apparatus according to this embodiment of the invention can support these different standards and protocol versions.
- According to another embodiment of this aspect of the invention the programmable controller is provided for sending table management commands to the table management unit.
- Such table management commands may be e.g. an update-command, a create-command or a check-command.
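The per-packet path described in the passages above (the parser extracting the 5-tuple, the programmable hash function unit mapping it to a hash index under a hash identifier chosen by the controller, and the flow table management unit executing check, update and create commands on the flow table unit), as an added Python example that is not the patent's own code. It assumes IPv4 packets, CRC32 and FNV-1a as the two selectable hash functions (the page names none), a bucketed table so that two flows mapping to the same hash index are still told apart by comparing key fields, and constructed sample packets from documentation address ranges.

```python
import socket
import struct
import zlib


# --- parser: extract the 5-tuple from an IPv4 header (constructed packets) ---
def parse_5tuple(packet: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, proto) for an IPv4 packet.
    Ports are read only for TCP (6) and UDP (17); other protocols get 0."""
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or len(packet) < ihl:
        raise ValueError("not an IPv4 packet")
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport = dport = 0
    if proto in (6, 17) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", packet, ihl)
    return (src, dst, sport, dport, proto)


def key_bytes(key):
    """Serialise the key fields the way a register unit would hold them."""
    src, dst, sport, dport, proto = key
    return struct.pack("!4s4sHHB", socket.inet_aton(src), socket.inet_aton(dst),
                       sport, dport, proto)


# --- programmable hash function unit: selectable by a hash identifier (assumed set) ---
def hash_crc32(kb: bytes, size: int) -> int:
    return zlib.crc32(kb) % size


def hash_fnv1a(kb: bytes, size: int) -> int:
    h = 0x811C9DC5
    for b in kb:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h % size


HASH_FUNCTIONS = {0b0: hash_crc32, 0b1: hash_fnv1a}   # hash identifier -> function


# --- flow table management unit over the flow table unit ---
class FlowTableManagementUnit:
    def __init__(self, size: int = 256):
        self.size = size
        # one bucket per hash index; each entry carries key fields and content fields
        self.table = [[] for _ in range(size)]

    def check(self, index: int, key) -> bool:
        """check-command: the single-bit flag, True if an entry for this flow exists."""
        return any(e["key"] == key for e in self.table[index])

    def create(self, index: int, key, ts: float, octets: int) -> None:
        """create-command: new entry with its first metered packet."""
        self.table[index].append({"key": key, "first": ts, "last": ts,
                                  "packets": 1, "octets": octets})

    def update(self, index: int, key, ts: float, octets: int) -> None:
        """update-command: refresh the content fields of an existing entry."""
        for e in self.table[index]:
            if e["key"] == key:
                e["last"] = ts
                e["packets"] += 1
                e["octets"] += octets
                return
        raise KeyError("update-command for a flow that is not in the table")

    def entries(self):
        return [e for bucket in self.table for e in bucket]


def meter_packets(packets, hash_id: int = 0, size: int = 256) -> FlowTableManagementUnit:
    """The controller's per-packet program: parse, hash, check, then update or create."""
    unit = FlowTableManagementUnit(size)
    hash_fn = HASH_FUNCTIONS[hash_id]
    for ts, pkt in packets:
        key = parse_5tuple(pkt)
        index = hash_fn(key_bytes(key), size)
        if unit.check(index, key):
            unit.update(index, key, ts, len(pkt))
        else:
            unit.create(index, key, ts, len(pkt))
    return unit


def make_ipv4_packet(src, dst, proto, sport, dport, payload: bytes) -> bytes:
    """Constructed IPv4 header plus a 4-byte port stub and payload (no checksum)."""
    total = 20 + 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + struct.pack("!HH", sport, dport) + payload


SAMPLE_PACKETS = [  # constructed: (timestamp, packet)
    (1.0, make_ipv4_packet("192.0.2.10", "198.51.100.5", 6, 51000, 443, b"x" * 100)),
    (1.2, make_ipv4_packet("192.0.2.10", "198.51.100.5", 6, 51000, 443, b"y" * 300)),
    (1.5, make_ipv4_packet("192.0.2.11", "198.51.100.53", 17, 40000, 53, b"q" * 40)),
    (2.0, make_ipv4_packet("192.0.2.10", "198.51.100.5", 6, 51000, 443, b"z" * 60)),
]
```

Changing hash_id swaps the hash function without touching the parser or the table unit, which is what the programmable hash function unit buys the apparatus; the key comparison in check is what keeps metering correct when two distinct flows collide on one hash index, a case a hash-only lookup would silently merge.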
- According to another embodiment of this aspect of the invention the apparatus is implemented as a hardware assist device.
- The implementation of the apparatus as a hardware assist device has the advantage that it can be implemented in a system without requiring processor or processing load of this system.
- A second aspect of the invention relates to a computer system comprising a central processing unit, a memory and a computer networking device, comprising an apparatus according to the first aspect of the invention for analysing the network flow in the computer networking device.
- The computer networking device may be e.g. a switch or a router. The apparatus works as a hardware assist device for the central processing unit of the computer system. This allows for an analysis of the network flow without loading the central processor.
- A third aspect of the invention relates to a computer system comprising two or more virtual computing systems, further comprising an apparatus according to the first aspect of the invention, wherein the apparatus is provided for analysing the network flow between the virtual computing systems and/or between the virtual computing systems and an external device.
- This allows for monitoring and analysing the network flow between the virtual computing systems in a scalable way without any additional software to be available on the computer system and on the virtual computing systems.
- According to a further embodiment of this aspect of the invention the computer system comprises
- a software networking device for internal communication between the virtual computing systems,
- a hardware networking device for external communication between the virtual computing systems and an external device,
- wherein the software networking device and the hardware networking device are provided for forwarding the network flow between the virtual computing systems and/or between the virtual computing systems and an external device to the apparatus according to the first aspect of the invention for analysis.
- This architecture allows for an efficient implementation of a network flow function within a virtualized environment.
- The software networking device may be e.g. a software switch, i.e. a switch implemented in software. The hardware networking device may be e.g. a hardware switch, i.e. a switch implemented in hardware.
- The external device can be e.g. another computer system, a network, the internet or any other destination.
- According to a further embodiment of this aspect of the invention the apparatus is arranged in the hardware networking device.
- A fourth aspect of the invention relates to a method for analysing a network flow, comprising the steps of
- extracting flow identification information from the network flow by means of a parser,
- metering the network flow by means of a flow metering unit,
- controlling the flow metering unit and the parser by means of a programmable controller.
- A fifth aspect of the invention relates to a flow metering computer program comprising instructions for carrying out a flow metering program on a programmable controller, the flow metering computer program being provided for controlling the flow metering unit and the parser of an apparatus according to the first aspect of the invention.
- Preferred embodiments of the present invention are described in detail below, by way of example only, with reference to the following schematic drawings, in which:
- FIG. 1 is a schematic drawing of an apparatus for analyzing a network flow according to an embodiment of the invention, comprising a programmable controller, a parser and a flow metering unit,
- FIG. 2 shows a schematic computer system comprising a computer networking device and an apparatus for analysing the network flow in the computer networking device,
- FIG. 3 is a schematic drawing of a programmable controller implemented as a state machine,
- FIG. 4 is a schematic drawing of the apparatus of FIG. 1 in more detail,
- FIG. 5 shows a flow chart illustrating a flow table update function of the flow metering unit,
- FIG. 6 shows a flow chart illustrating the determination of expired table entries of a flow table unit,
- FIG. 7 shows a flow chart illustrating the exportation of expired table entries of the flow table unit,
- FIG. 8 shows a schematic drawing of a computer system comprising virtual computing systems and an apparatus for analysing the network flow between the virtual computing systems.
- The drawings are provided for illustrative purposes only and do not necessarily represent practical examples of the present invention to scale. In the figures, the same reference signs are used to denote the same or like parts.
- FIG. 1 shows an apparatus 100 for analysing a network flow 105 according to an exemplary embodiment of the invention. The apparatus 100 comprises a parser 110 for extracting flow identification information from the network flow 105. The network flow 105 may be any kind of communication traffic in a network, in particular end to end network traffic. The network flow 105 may comprise a sequence of data packets, wherein each data packet is part of a communication between two distinct network addresses. The apparatus 100 comprises a flow metering unit 130 for metering the network flow 105 and a programmable controller 140 for controlling the flow metering unit 130 and the parser 110.
- The flow metering unit 130 is provided for sending flow status information to the programmable controller 140 and the programmable controller 140 is provided for sending flow metering instructions to the flow metering unit 130 in dependence on the flow status information. Furthermore, the parser 110 is provided for sending parsing information to the programmable controller 140 and the programmable controller 140 is provided for sending parsing instructions to the parser 110 in dependence on the parsing information.
- The programmable controller 140 comprises a central processing unit 150 and a program memory 160. In the program memory 160 one or more flow metering programs 170 can be stored.
- The apparatus 100 is preferably implemented in hardware and may be used as a hardware assist device. This is further illustrated with reference to FIG. 2.
- FIG. 2 shows a computer system 200 comprising a central processing unit 210, a memory 220 and a computer networking device 230. Furthermore it comprises the apparatus 100 for analysing a network flow. The apparatus 100 is implemented in hardware as a hardware assist device for the central processing unit 210. The central processing unit 210, the memory 220, the computer networking device 230 and the apparatus 100 are coupled via an internal bus system 240.
- The computer networking device 230 may be any kind of Input/Output device, e.g. a router or a switch. In the example of FIG. 2 the computer networking device 230 serves as a router between a first Local Area Network (LAN) 250, a second LAN 260 and the Internet 270. Accordingly, the computer networking device 230 is provided for routing network flows 280 between the first LAN 250, the second LAN 260 and the Internet 270. The apparatus 100 is provided for analysing and metering the network flow in the computer networking device 230.
- FIG. 3 shows a schematic block diagram of a programmable controller 300 according to another exemplary embodiment of the invention. The programmable controller 300 is implemented as a programmable state machine. The programmable controller 300 comprises a transition rule memory 310, a rule selector 320 and a state register 330. The rule selector 320 is provided for receiving as external input signal 340 parsing information from the parser 110 and flow status information from the flow metering unit 130 of FIG. 1. Furthermore, the rule selector 320 is provided for receiving an internal input signal 350 from the state register 330. This internal input signal 350 indicates the current state of the state register 330. The rule selector 320 checks the internal input signal 350 and the external input signal 340 against the transition rules held in the transition rule memory 310. When a transition rule applies, the rule selector 320 is provided for changing the state of the state register 330 and sending parsing instructions to the parser 110 and/or flow metering instructions to the flow metering unit 130 of FIG. 1.
- More details for the implementation of a programmable state machine as shown in FIG. 3 are described in US 2005/0132342A1, which is herewith incorporated by reference.
- FIG. 4 is a schematic drawing of the apparatus of FIG. 1 in more detail.
- The parser 110 can be programmed by means of the programmable controller 140 to extract any desirable flow identification information from the network flow 105. According to an exemplary embodiment of the invention the network flow 105 comprises packets including a packet header and the parser 110 uses the packet headers to extract the flow identification information. Accordingly, the parser 110 may be programmed to extract any desirable combination of header fields from the packet header that will be used for flow identification. Examples of such header fields include IP source and destination addresses, Transmission Control Protocol (TCP) source and destination port numbers, Multi-Protocol Label Switching (MPLS) and Virtual Local Area Network (VLAN) tags etc. Based on the protocol standard of the respective network analysis protocol, the parser 110 can be programmed to extract the corresponding header fields that are relevant for that protocol standard. The parser 110 is provided for writing the flow identification information of these header fields into a register unit 400. Hence the register unit 400 comprises registers with flow identification information derived from packet headers.
- This flow identification information is provided as input to a programmable hash function unit 410. The programmable hash function unit 410 maps the flow identification information stored in the register unit 400 onto a hash index. In other words, the programmable hash function unit 410 maps the actual values of the selected header fields onto a hash index. The programmable hash function unit 410 may provide a variety of hash functions that cover all desired functions for the protocol versions that the apparatus 100 shall support. The programmable controller 140 is provided for selecting one of the available hash functions. The selection of one of the hash functions may be implemented by sending a hash identifier corresponding to that hash function from the programmable controller 140 to the programmable hash function unit 410. Such a hash identifier can consist of a short bit vector that uniquely corresponds to one of the implemented hash functions.
- The flow metering unit 130 further comprises a flow table management unit 420. The flow table management unit 420 is provided to receive the hash index of the respective flow identification information of the respective packet header from the programmable hash function unit 410. The flow table management unit 420 manages and controls a flow table unit 430. The flow table management unit 420 can execute flow table management commands as flow metering instructions. Such flow table management commands may include e.g. commands for updating the flow table unit 430, for creating a new entry in the flow table unit 430, for checking entries of the flow table unit 430, for removing entries from the flow table unit 430 and for scanning the entries of the flow table unit 430. Preferably the flow table management unit 420 is implemented by means of a hardwired state machine. The flow table management commands are sent from the programmable controller 140 to the flow table management unit 420. The flow table unit 430 comprises a memory that stores network flow entries for network flows identified by the respective hash index. The network flow entries comprise key fields that define the flow and content fields that comprise information about the defined flow. The content fields are updated with every new packet of the network flow. The flow table unit 430 might e.g. use the 5-tuple definition to characterise and define the network flow in the key fields. In this example the key fields would comprise the source and destination IP address, the source and destination port and the IP protocol of the respective network flow.
- For each such set of key fields the flow table may store in the corresponding content fields flow metering information, e.g. timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
- As an example, upon reception of a check-command from the programmable controller 140, the flow table management unit 420 will check whether the flow table unit 430 already contains an entry for the network flow identified by the respective hash index. In return it will provide as flow status information an indication to the programmable controller 140 that the respective network flow exists or that the hash index corresponds to a new network flow that is not present in the flow table unit 430. Dependent on the hash function, the flow table management unit 420 can also have direct access to the actual register values of the register unit 400, i.e. to the flow identification information stored in the register unit 400.
- In response to receiving the flow status information that an identified network flow either exists or not, the programmable controller 140 may dispatch as flow metering instructions table management commands to the flow table management unit 420 to either update an existing flow table entry or to create a new flow table entry by means of an update or a create command.
- Furthermore, the programmable controller 140 is provided for controlling the scanning of the flow table unit 430 for expired flow table entries. For this purpose, the programmable controller 140 will test the value of a programmable timer 450 which can be configured to meet the characteristics of the supported protocol versions of the respective network analysis protocol. This will trigger the programmable controller 140 to send as table management command a scan instruction to the flow table management unit 420 after certain periods and/or at regular configurable intervals. The flow table management unit 420 will then scan the flow table unit 430 and report any expired flow table entries to the programmable controller 140. In response the programmable controller 140 can send a remove-command to the flow table management unit 420 to remove these flow table entries. Furthermore, the programmable controller 140 can trigger the export of these expired flow table entries. In the latter case, the programmable controller 140 triggers the creation of a flow information packet containing information on the expired network flow. The programmable controller 140 sends a “generate packet” command to a flow information export unit 440. The flow information export unit 440 is also denoted as packet generator. The flow information export unit 440 can be implemented using a hardwired state machine. The flow information export unit 440 exports a flow information packet containing network flow information to a central server or any other destination.
- By means of this programmable concept of the
apparatus 100 the flow metering functions of theflow metering unit 130 can be implemented, configured and executed differently depending on the application environment, the used protocol standards (e.g. NetFlow v5, v7, v9, IPFIX), the number of network flows to be supported or the speed of the respective network. - For example, NetFlow v9 and IPFIX do not use fixed record fields, but a variable number of fields defined in flow templates. A template determines the content of the flow table and the amount of exported network flow information. In addition, multiple network flows can be aggregated and mapped on the same flow table entry. The flow table might contain various types of information for each network flow. Furthermore, the rules that determine when network flow information will be exported can vary.
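To make the template mechanism concrete, the following is an added Python example, not code from the patent: it builds a NetFlow v9 template FlowSet from a list of (field type, length) pairs, packs two flow records as a data FlowSet in template order, and decodes both as a collector would. The field type numbers are the NetFlow v9 types from RFC 3954 (IPV4_SRC_ADDR=8, IPV4_DST_ADDR=12, L4_SRC_PORT=7, L4_DST_PORT=11, PROTOCOL=4, IN_BYTES=1, IN_PKTS=2); the chosen field set, the template ID 256, the record values and the omission of the 20-byte export packet header are assumptions for illustration. Two collector-side details matter for a practitioner: every FlowSet and template length arrives from the exporter and is bounds-checked before it drives any slicing, and a data FlowSet whose template has not been seen is skipped rather than guessed.

```python
# Added example: NetFlow v9-style template and data FlowSets (RFC 3954 layout,
# export-packet header omitted). Not the patent's code; values are constructed.
import struct

# Template = ordered list of (field_type, length_in_bytes, struct_code).
# Field types from RFC 3954; the set and order are an assumption.
TEMPLATE_5TUPLE_COUNTERS = [
    (8, 4, "4s"),   # IPV4_SRC_ADDR
    (12, 4, "4s"),  # IPV4_DST_ADDR
    (7, 2, "H"),    # L4_SRC_PORT
    (11, 2, "H"),   # L4_DST_PORT
    (4, 1, "B"),    # PROTOCOL
    (1, 4, "I"),    # IN_BYTES
    (2, 4, "I"),    # IN_PKTS
]
TEMPLATE_ID = 256   # data template IDs must be > 255; 256 is an assumed choice


def encode_template(template_id, fields):
    """Template FlowSet (FlowSet ID 0): template id, field count, then (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen, _ in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def encode_data(template_id, fields, records):
    """Data FlowSet: FlowSet ID = template id; records packed in template order, padded to 4 bytes."""
    fmt = "!" + "".join(code for _, _, code in fields)
    body = b"".join(struct.pack(fmt, *[rec[ftype] for ftype, _, _ in fields]) for rec in records)
    pad = (-(4 + len(body))) % 4
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\0" * pad


def decode_flowsets(payload, templates=None):
    """Collector side: learn templates from FlowSet 0, decode data FlowSets whose template is known.
    Lengths come from the (untrusted) exporter, so every one is bounds-checked before slicing."""
    templates = {} if templates is None else templates
    records, off = [], 0
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError("FlowSet length out of bounds")
        chunk = payload[off + 4:off + fs_len]
        if fs_id == 0:
            if len(chunk) < 4:
                raise ValueError("truncated template")
            tid, count = struct.unpack_from("!HH", chunk, 0)
            if len(chunk) < 4 + 4 * count:
                raise ValueError("truncated template")
            templates[tid] = [struct.unpack_from("!HH", chunk, 4 + 4 * i) for i in range(count)]
        elif fs_id in templates:
            flds = templates[fs_id]
            rec_len = sum(flen for _, flen in flds)
            pos = 0
            while rec_len and pos + rec_len <= len(chunk):
                rec, p = {}, pos
                for ftype, flen in flds:
                    rec[ftype] = chunk[p:p + flen]
                    p += flen
                records.append(rec)
                pos += rec_len
        # data FlowSets for an unseen template id are skipped: without the template they cannot be interpreted
        off += fs_len
    return records


def example():
    """Two constructed flow records exported with the template, then decoded as a collector would."""
    recs = [
        {8: b"\x0a\x00\x00\x01", 12: b"\x0a\x00\x00\x02", 7: 40000, 11: 443, 4: 6, 1: 1500, 2: 10},
        {8: b"\x0a\x00\x00\x03", 12: b"\x0a\x00\x00\x02", 7: 40001, 11: 53, 4: 17, 1: 80, 2: 1},
    ]
    payload = encode_template(TEMPLATE_ID, TEMPLATE_5TUPLE_COUNTERS)
    payload += encode_data(TEMPLATE_ID, TEMPLATE_5TUPLE_COUNTERS, recs)
    return payload, decode_flowsets(payload)
```

Changing the template list changes both what the exporter packs and what the collector is able to read, which is the point of the passage above: the template, not a fixed record format, decides the content of each exported record. The decoder returns raw field bytes keyed by field type; mapping those to typed values is a registry lookup the collector performs on top.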
- FIG. 5 shows a flow chart illustrating a flow table update function of the flow metering unit 130.
- In a step 510 the apparatus 100 receives a data packet of a network flow that is observed. In step 520 the parser 110 parses the header of the data packet, extracts the flow identification information and writes it into the register unit 400. In step 530 the programmable hash function unit 410 calculates the hash index of the flow identification information and the flow table management unit 420 performs a flow table (hash table) lookup in the flow table unit 430. In step 540 the flow table management unit 420 evaluates whether a flow table entry already exists for the respective hash index. If so, the flow table management unit 420 updates the respective flow table entry in the flow table unit 430 in step 550. If not, the flow table management unit 420 creates a new flow table entry in the flow table unit 430 in step 560.
- FIG. 6 shows a flow chart illustrating the determination of expired flow table entries in the flow table unit 430.
- In step 600 the programmable controller 140 sends, as flow metering instruction, a scan command to the flow table management unit 420. This can happen after certain time periods and/or at regular configurable intervals. The flow table management unit 420 then scans the flow table unit 430. In step 610 the flow table management unit 420 selects an initial entry of the flow table unit 430 and determines in step 620 the time t since the last update. If the time t is larger than a predefined time, e.g. determined by the timer 450, the respective entry of the flow table unit 430 is marked as expired. In step 650 it is checked whether all entries of the flow table unit 430 have been processed, i.e. checked for expiration. If not, the flow table management unit 420 selects the next entry and continues with step 620. If the result of step 650 is that all entries of the flow table unit 430 have been processed, the scanning is complete. The scanning function of the flow table management unit 420 then waits in step 670 for a time t′ until it receives a new scan command from the programmable controller 140.
- FIG. 7 shows a flow chart illustrating the export of expired table entries to a server or another destination.
- In step 700 the programmable controller 140 triggers the export process by sending a “generate packet” command to the flow information export unit (packet generator) 440. In step 710 the flow information export unit 440 selects an initial entry of the flow table unit 430 and checks in step 720 whether the respective entry is marked as expired. If so, the flow information export unit 440 creates and transmits in step 730 a flow information packet containing the network flow information of the expired network flow of that flow table entry; it may export the flow information packet to a central server or any other destination. In the following step 740 the respective table entry is removed from the flow table unit 430. In the following step 750 the flow information export unit 440 checks whether all table entries have been processed, i.e. checked for flows marked as expired. If the result of step 720 is that the respective flow table entry is not marked as expired, the export process continues with step 750 as well. If the check of step 750 is negative, in step 760 the next flow table entry is selected for processing and the export process continues with step 720. If the check of step 750 is positive, the export process is finished for the time being. The export function of the flow information export unit 440 then waits in step 770 for a time t″ until it receives a new generate packet command from the programmable controller 140.
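The following added Python example (not the patent's code) models in software the units described above and the three flow charts of FIGs. 5 to 7 as one procedure: a parser that extracts the 5-tuple from an IPv4/TCP/UDP header, a selectable hash function addressed by a hash identifier, a flow table whose check command compares the full key so that two 5-tuples colliding on the same hash index stay separate entries, an update/create path, an idle-timeout scan that marks entries expired, and an export pass that hands expired entries to the packet generator and removes them. The hash identifiers, the 16-bit index width, the entry limit, the timeouts and the constructed packets are assumptions; serialization of the exported entries into a wire format is left out. Two caveats a practitioner would want are built in: with an unkeyed hash such as CRC32, anyone who controls source addresses and ports can precompute 5-tuples that land in one bucket, so the keyed variant is the default here; and because a sender with randomised source ports can create one entry per packet, the table has a hard entry limit and drops new flows rather than growing without bound.

```python
# Added example: software model of the flow-table lifecycle of FIGs. 5-7
# (parse -> hash -> update/create, expiry scan, export of expired entries).
# Not the patent's code; hash ids, table width and timeouts are assumed.
import hashlib
import struct
import zlib

HASH_CRC32 = 0   # hash identifier 0: unkeyed CRC32, colliding 5-tuples can be precomputed by anyone
HASH_KEYED = 1   # hash identifier 1: keyed BLAKE2b, collisions cannot be predicted without the key
TABLE_BITS = 16  # width of the hash index (65536 buckets)

def parse_5tuple(pkt):
    """Parser (110): (src, dst, sport, dport, proto) from an IPv4+TCP/UDP header, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if ihl < 20 or proto not in (6, 17) or len(pkt) < ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return (pkt[12:16], pkt[16:20], sport, dport, proto)

def hash_index(key, hash_id, secret=b"", bits=TABLE_BITS):
    """Programmable hash function unit (410): map the key onto a `bits`-wide index with the selected function."""
    raw = struct.pack("!4s4sHHB", *key)
    if hash_id == HASH_CRC32:
        h = zlib.crc32(raw)
    elif hash_id == HASH_KEYED:
        h = int.from_bytes(hashlib.blake2b(raw, key=secret, digest_size=4).digest(), "big")
    else:
        raise ValueError("unknown hash identifier")
    return h & ((1 << bits) - 1)

class FlowTable:
    """Flow table unit (430) plus management unit (420): buckets by hash index, full key kept per entry."""

    def __init__(self, hash_id=HASH_KEYED, secret=b"\x00" * 16, bits=TABLE_BITS, max_entries=1 << 16):
        self.hash_id, self.secret, self.bits, self.max_entries = hash_id, secret, bits, max_entries
        self.buckets, self.count = {}, 0

    def check(self, key):
        """check-command: return (hash index, existing entry or None); colliding keys are told apart here."""
        idx = hash_index(key, self.hash_id, self.secret, self.bits)
        for entry in self.buckets.get(idx, ()):
            if entry["key"] == key:
                return idx, entry
        return idx, None

    def update(self, pkt, now):
        """FIG. 5 (steps 510-560): parse, look up, then update the entry or create it."""
        key = parse_5tuple(pkt)
        if key is None:
            return None
        idx, entry = self.check(key)
        if entry is None:
            if self.count >= self.max_entries:
                return None  # table full: drop rather than evict (randomised source ports can fill it)
            entry = {"key": key, "first": now, "last": now, "bytes": 0, "packets": 0, "expired": False}
            self.buckets.setdefault(idx, []).append(entry)
            self.count += 1
        entry["last"], entry["bytes"], entry["packets"] = now, entry["bytes"] + len(pkt), entry["packets"] + 1
        return entry

    def scan(self, now, idle_timeout):
        """FIG. 6: mark entries idle longer than the timer value as expired; return how many were marked."""
        marked = 0
        for entry in (e for bucket in self.buckets.values() for e in bucket):
            if not entry["expired"] and now - entry["last"] > idle_timeout:
                entry["expired"], marked = True, marked + 1
        return marked

    def export(self):
        """FIG. 7: hand every expired entry to the packet generator and remove it from the table."""
        exported = []
        for idx in list(self.buckets):
            keep = [e for e in self.buckets[idx] if not e["expired"]]
            exported += [e for e in self.buckets[idx] if e["expired"]]
            self.count -= len(self.buckets[idx]) - len(keep)
            if keep:
                self.buckets[idx] = keep
            else:
                del self.buckets[idx]
        return exported

def build_packet(src, dst, sport, dport, proto=6, payload=b""):
    """Constructed test input: minimal IPv4 header plus L4 ports, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24 + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + struct.pack("!HH", sport, dport) + payload

def demo():
    """Meter three packets of two flows, expire both after an idle period, export them."""
    table = FlowTable(hash_id=HASH_KEYED, secret=b"k" * 16)
    a = build_packet("10.0.0.1", "10.0.0.2", 40000, 443)
    b = build_packet("10.0.0.3", "10.0.0.2", 40001, 53, proto=17)
    table.update(a, 100.0)
    table.update(a, 101.0)
    table.update(b, 101.5)
    marked = table.scan(now=200.0, idle_timeout=30.0)
    return table, marked, table.export()
```

Running `demo()` returns the emptied table, the count of entries the scan marked (2) and the two exported entries with their first/last timestamps and byte and packet counters. Setting `bits=0` forces every key into bucket 0, which is a convenient way to confirm that the full-key comparison in `check` keeps colliding flows apart; in hardware the same comparison is what the passage above describes as the management unit having direct access to the register values.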
- FIG. 8 shows a schematic drawing of a virtualized server environment comprising an apparatus for analyzing the network flow between virtual computing systems.
- The virtualized server environment comprises a computer system 800 comprising two or more virtual computing systems 810 that run on a central processing unit 820 of the computer system 800. The computer system 800 further comprises a software networking device 830 for internal communication between the virtual computing systems 810 and a hardware networking device 840 for external communication between the virtual computing systems 810 and an external device 850.
- The software networking device 830 is provided for managing and controlling the internal communication between the virtual computing systems 810. It may be, e.g., a software switch, i.e. a switch implemented in software.
- The hardware networking device 840 may be, e.g., a network adapter or a hardware switch. It is provided for managing and controlling the external communication between the virtual computing systems 810 and an external device 850. The external device 850 can be, e.g., another computer system, a network, the internet or any other destination the computer system 800 would like to communicate with.
- The hardware networking device 840 comprises the apparatus 100 for analysing a network flow. The apparatus 100 is implemented in hardware as a hardware assist device for the central processing unit 820 of the computer system 800.
- The virtual computing systems 810 may communicate with each other via the software networking device 830 and a virtual local network 860. The virtual local network 860 could be, e.g., a Virtual Local Area Network (VLAN).
- The hardware networking device 840 can communicate with the virtual computing systems 810 and with the software networking device 830 by means of a virtual Input/Output (I/O) server partition 870.
- The software networking device 830 is provided for forwarding the network flow, or parts of it, occurring in the software networking device 830 to the apparatus 100. The hardware networking device 840 is provided for forwarding the network flow, or parts of it, occurring in the hardware networking device 840 to the apparatus 100. The software networking device 830 may use the virtual I/O server partition 870 for this forwarding; the hardware networking device 840 may use a hardware bus 880.
- The computer system 800 allows for monitoring and analysing the network flow between the virtual computing systems 810 and/or between the virtual computing systems 810 and the external device 850 in a scalable way. No additional software is needed on the computer system 800 or on the virtual computing systems 810.
- The disclosed embodiments may be combined with one or several of the other embodiments shown and/or described. This is also possible for one or more features of the embodiments.
- The described techniques may be implemented as a method, apparatus or article of manufacture involving software, firmware, micro-code, hardware and/or any combination thereof. The term “article of manufacture” as used herein refers to code or logic implemented in a medium, where such medium may comprise hardware logic [e.g., an integrated circuit chip, Programmable Gate Array (PGA), Application Specific Integrated Circuit (ASIC), etc.] or a computer readable medium, such as magnetic storage medium (e.g., hard disk drives, floppy disks, tape, etc.), optical storage (CD-ROMs, optical disks, etc.), volatile and non-volatile memory devices [e.g., Electrically Erasable Programmable Read Only Memory (EEPROM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Random Access Memory (RAM), Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), flash, firmware, programmable logic, etc.]. Code in the computer readable medium is accessed and executed by a processor. The medium in which the code or logic is encoded may also comprise transmission signals propagating through space or a transmission media, such as an optical fiber, copper wire, etc. The transmission signal in which the code or logic is encoded may further comprise a wireless signal, satellite transmission, radio waves, infrared signals, Bluetooth, etc. The transmission signal in which the code or logic is encoded is capable of being transmitted by a transmitting station and received by a receiving station, where the code or logic encoded in the transmission signal may be decoded and stored in hardware or a computer readable medium at the receiving and transmitting stations or devices. Additionally, the “article of manufacture” may comprise a combination of hardware and software components in which the code is embodied, processed, and executed. 
Of course, those skilled in the art will recognize that many modifications may be made without departing from the scope of embodiments, and that the article of manufacture may comprise any information bearing medium. For example, the article of manufacture comprises a storage medium having stored therein instructions that, when executed by a machine, result in operations being performed.
- Certain embodiments can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements. In a preferred embodiment, the invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.
- Furthermore, certain embodiments can take the form of a computer program product accessible from a computer usable or computer readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer usable or computer readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk—read only memory (CD-ROM), compact disk—read/write (CD-R/W) and DVD.
- The terms “certain embodiments”, “an embodiment”, “embodiment”, “embodiments”, “the embodiment”, “the embodiments”, “one or more embodiments”, “some embodiments”, and “one embodiment” mean one or more (but not all) embodiments unless expressly specified otherwise. The terms “including”, “comprising”, “having” and variations thereof mean “including but not limited to”, unless expressly specified otherwise. The enumerated listing of items does not imply that any or all of the items are mutually exclusive, unless expressly specified otherwise. The terms “a”, “an” and “the” mean “one or more”, unless expressly specified otherwise.
- Devices that are in communication with each other need not be in continuous communication with each other, unless expressly specified otherwise. In addition, devices that are in communication with each other may communicate directly or indirectly through one or more intermediaries. Additionally, a description of an embodiment with several components in communication with each other does not imply that all such components are required. On the contrary a variety of optional components are described to illustrate the wide variety of possible embodiments. Further, although process steps, method steps, algorithms or the like may be described in a sequential order, such processes, methods and algorithms may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order. The steps of processes described herein may be performed in any order practical. Further, some steps may be performed simultaneously, in parallel, or concurrently.
- When a single device or article is described herein, it will be apparent that more than one device/article (whether or not they cooperate) may be used in place of a single device/article. Similarly, where more than one device or article is described herein (whether or not they cooperate), it will be apparent that a single device/article may be used in place of the more than one device or article. The functionality and/or the features of a device may be alternatively embodied by one or more other devices which are not explicitly described as having such functionality/features. Thus, other embodiments need not include the device itself.
- Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following a) conversion to another language, code or notation; b) reproduction in a different material form.
Claims (18)
1. An apparatus for analysing a network flow, the apparatus comprising:
a parser for extracting flow identification information from the network flow;
a flow metering unit for metering the network flow; and
a programmable controller for controlling the flow metering unit and the parser.
2. The apparatus according to claim 1, wherein the flow metering unit is configured for sending flow status information to the programmable controller and wherein the programmable controller is configured for sending flow metering instructions to the flow metering unit in dependence on the flow status information.
3. The apparatus according to claim 1, wherein the parser is configured for sending parsing information to the programmable controller and wherein the programmable controller is configured for sending parsing instructions to the parser in dependence on the parsing information.
4. The apparatus according to claim 1, wherein the programmable controller is configured for:
evaluating in parallel two or more flow status information values of the flow metering unit; and
sending two or more flow metering instructions in parallel to the flow metering unit.
5. The apparatus according to claim 1, wherein the programmable controller comprises a program memory having two or more flow metering programs.
6. The apparatus according to claim 1, wherein the programmable controller is implemented as a state machine.
7. The apparatus according to claim 6, wherein the state machine comprises:
a transition rule memory;
a rule selector; and
a state register;
wherein the rule selector is configured for receiving an external input signal and an internal input signal from the state register indicating the current state and wherein the rule selector is configured for observing the internal and external input signal by means of the transition rule memory for transition rules and for changing the state of the state register and generation of an output signal having parsing and/or flow metering instructions when a transition rule applies.
8. The apparatus according to claim 1, wherein the flow metering unit comprises:
a flow table unit;
a flow table management unit; and
a flow information export unit.
9. The apparatus according to claim 8, wherein the flow table management unit comprises a programmable hash function unit provided with two or more selectable hash functions for mapping the flow identification information onto a hash index, wherein the programmable controller is configured for selecting one of the selectable hash functions.
10. The apparatus according to claim 8, wherein the programmable controller is configured for sending table management commands to the flow table management unit.
11. The apparatus according to claim 1, wherein the apparatus is implemented as a hardware assist device.
12. The apparatus according to claim 1, further comprising:
a central processing unit;
a memory; and
a computer networking device.
13. The apparatus according to claim 12, wherein the apparatus is implemented in hardware as a hardware assist device for the central processing unit.
14. The apparatus according to claim 1, further comprising:
two or more virtual computing systems;
wherein the apparatus is provided for analysing the network flow between the virtual computing systems and/or between the virtual computing systems and an external device.
15. The apparatus according to claim 14, further comprising:
a software networking device for internal communication between the virtual computing systems; and
a hardware networking device for external communication between the virtual computing systems and an external device;
wherein the software networking device and the hardware networking device are provided for forwarding the network flow between the virtual computing systems and/or between the virtual computing systems and an external device for an analysis to the apparatus.
16. The apparatus according to claim 15, wherein the apparatus is arranged in the hardware networking device.
17. A method for analysing a network flow, comprising the steps of:
extracting flow identification information from the network flow using a parser;
metering the network flow using a flow metering unit; and
controlling the flow metering unit and the parser using a programmable controller.
18. A computer readable program product tangibly embodying computer executable instructions which, when implemented, cause the computer to carry out an analysis of a network flow according to the steps of the method according to claim 17.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP06126520.3 | 2006-12-19 | ||
EP06126520 | 2006-12-19 | ||
PCT/IB2007/054447 WO2008075224A1 (en) | 2006-12-19 | 2007-11-02 | Apparatus and method for analysing a network flow |
Publications (1)
Publication Number | Publication Date |
---|---|
US20100085891A1 true US20100085891A1 (en) | 2010-04-08 |
Family
ID=39322548
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/520,114 Abandoned US20100085891A1 (en) | 2006-12-19 | 2007-11-02 | Apparatus and method for analysing a network |
US13/868,402 Expired - Fee Related US8861397B2 (en) | 2006-12-19 | 2013-04-23 | Apparatus and method for analyzing a network |
Country Status (6)
Country | Link |
---|---|
US (2) | US20100085891A1 (en) |
JP (1) | JP5102844B2 (en) |
KR (1) | KR20090099519A (en) |
CN (1) | CN101563908B (en) |
CA (1) | CA2669932A1 (en) |
WO (1) | WO2008075224A1 (en) |
US20070237079A1 (en) * | 2006-03-30 | 2007-10-11 | Alcatel | Binned duration flow tracking |
US20070248084A1 (en) * | 2006-04-20 | 2007-10-25 | Alcatel | Symmetric connection detection |
US8239565B2 (en) * | 2006-11-21 | 2012-08-07 | Nippon Telegraph And Telephone Corporation | Flow record restriction apparatus and the method |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6304903B1 (en) * | 1997-08-01 | 2001-10-16 | Agilent Technologies, Inc. | State machine for collecting information on use of a packet network |
US6606301B1 (en) * | 1999-03-01 | 2003-08-12 | Sun Microsystems, Inc. | Method and apparatus for early random discard of packets |
US6738349B1 (en) * | 2000-03-01 | 2004-05-18 | Tektronix, Inc. | Non-intrusive measurement of end-to-end network properties |
JP2002374251A (en) * | 2001-06-14 | 2002-12-26 | Nec Corp | Network monitoring system, data amount count method used for the same, and program thereof |
US7519070B2 (en) * | 2002-09-12 | 2009-04-14 | International Business Machines Corporation | Method and apparatus for deep packet processing |
US7760719B2 (en) * | 2004-06-30 | 2010-07-20 | Conexant Systems, Inc. | Combined pipelined classification and address search method and apparatus for switching environments |
US7529191B2 (en) * | 2005-02-18 | 2009-05-05 | Broadcom Corporation | Programmable metering behavior based on table lookup |
US20060271870A1 (en) * | 2005-05-31 | 2006-11-30 | Picsel Research Limited | Systems and methods for navigating displayed content |
US8074011B2 (en) | 2006-12-06 | 2011-12-06 | Fusion-Io, Inc. | Apparatus, system, and method for storage space recovery after reaching a read count limit |
- 2007
  - 2007-11-02 JP JP2009542288A patent/JP5102844B2/en not_active Expired - Fee Related
  - 2007-11-02 WO PCT/IB2007/054447 patent/WO2008075224A1/en active Application Filing
  - 2007-11-02 CA CA002669932A patent/CA2669932A1/en not_active Abandoned
  - 2007-11-02 KR KR1020097011405A patent/KR20090099519A/en not_active Application Discontinuation
  - 2007-11-02 CN CN2007800473111A patent/CN101563908B/en not_active Expired - Fee Related
  - 2007-11-02 US US12/520,114 patent/US20100085891A1/en not_active Abandoned
- 2013
  - 2013-04-23 US US13/868,402 patent/US8861397B2/en not_active Expired - Fee Related
Cited By (70)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8964556B2 (en) | 2008-09-11 | 2015-02-24 | Juniper Networks, Inc. | Methods and apparatus for flow-controllable multi-staged queues |
US9876725B2 (en) | 2008-09-11 | 2018-01-23 | Juniper Networks, Inc. | Methods and apparatus for flow-controllable multi-staged queues |
US8811163B2 (en) | 2008-09-11 | 2014-08-19 | Juniper Networks, Inc. | Methods and apparatus for flow control associated with multi-staged queues |
US10931589B2 (en) | 2008-09-11 | 2021-02-23 | Juniper Networks, Inc. | Methods and apparatus for flow-controllable multi-staged queues |
US8593970B2 (en) | 2008-09-11 | 2013-11-26 | Juniper Networks, Inc. | Methods and apparatus for defining a flow control signal related to a transmit queue |
US8717889B2 (en) | 2008-12-29 | 2014-05-06 | Juniper Networks, Inc. | Flow-control in a switch fabric |
US20100226282A1 (en) * | 2009-03-04 | 2010-09-09 | Cisco Technology, Inc. | System and method for exporting structured data in a network environment |
US8125920B2 (en) * | 2009-03-04 | 2012-02-28 | Cisco Technology, Inc. | System and method for exporting structured data in a network environment |
US20120072737A1 (en) * | 2009-03-06 | 2012-03-22 | Geert Jan Schrijen | System for establishing a cryptographic key depending on a physical system |
US9252960B2 (en) * | 2009-03-06 | 2016-02-02 | Intrinsic Id B.V. | System for establishing a cryptographic key depending on a physical system |
US8259723B2 (en) * | 2009-09-09 | 2012-09-04 | Korea Internet & Security Agency | Device and method for generating statistical information for VoIP traffic analysis and abnormal VoIP detection |
US20110058481A1 (en) * | 2009-09-09 | 2011-03-10 | Lee Chang-Yong | Device and method for generating statistical information for voip traffic analysis and abnormal voip detection |
US11323350B2 (en) | 2009-12-23 | 2022-05-03 | Juniper Networks, Inc. | Methods and apparatus for tracking data flow based on flow state values |
US9967167B2 (en) | 2009-12-23 | 2018-05-08 | Juniper Networks, Inc. | Methods and apparatus for tracking data flow based on flow state values |
US20110154132A1 (en) * | 2009-12-23 | 2011-06-23 | Gunes Aybay | Methods and apparatus for tracking data flow based on flow state values |
US10554528B2 (en) | 2009-12-23 | 2020-02-04 | Juniper Networks, Inc. | Methods and apparatus for tracking data flow based on flow state values |
US9264321B2 (en) | 2009-12-23 | 2016-02-16 | Juniper Networks, Inc. | Methods and apparatus for tracking data flow based on flow state values |
US8724487B1 (en) | 2010-02-15 | 2014-05-13 | Cisco Technology, Inc. | System and method for synchronized reporting in a network environment |
US9065773B2 (en) | 2010-06-22 | 2015-06-23 | Juniper Networks, Inc. | Methods and apparatus for virtual channel flow control associated with a switch fabric |
US9705827B2 (en) | 2010-06-22 | 2017-07-11 | Juniper Networks, Inc. | Methods and apparatus for virtual channel flow control associated with a switch fabric |
US11711319B2 (en) | 2010-12-01 | 2023-07-25 | Juniper Networks, Inc. | Methods and apparatus for flow control associated with a switch fabric |
US10616143B2 (en) | 2010-12-01 | 2020-04-07 | Juniper Networks, Inc. | Methods and apparatus for flow control associated with a switch fabric |
US9660940B2 (en) | 2010-12-01 | 2017-05-23 | Juniper Networks, Inc. | Methods and apparatus for flow control associated with a switch fabric |
EP2667545A4 (en) * | 2011-01-17 | 2017-08-23 | Nec Corporation | Network system, controller, switch, and traffic monitoring method |
US9716661B2 (en) | 2011-03-09 | 2017-07-25 | Juniper Networks, Inc. | Methods and apparatus for path selection within a network based on flow duration |
US9032089B2 (en) | 2011-03-09 | 2015-05-12 | Juniper Networks, Inc. | Methods and apparatus for path selection within a network based on flow duration |
US9426085B1 (en) | 2011-10-04 | 2016-08-23 | Juniper Networks, Inc. | Methods and apparatus for multi-path flow control within a multi-stage switch fabric |
US8811183B1 (en) | 2011-10-04 | 2014-08-19 | Juniper Networks, Inc. | Methods and apparatus for multi-path flow control within a multi-stage switch fabric |
US9065767B2 (en) * | 2012-04-03 | 2015-06-23 | Cisco Technology, Inc. | System and method for reducing netflow traffic in a network environment |
US20130262703A1 (en) * | 2012-04-03 | 2013-10-03 | Cisco Technology, Inc. | System and method for reducing netflow traffic in a network environment |
US8854972B1 (en) * | 2013-01-25 | 2014-10-07 | Palo Alto Networks, Inc. | Security device implementing flow lookup scheme for improved performance |
US9848068B2 (en) * | 2013-04-16 | 2017-12-19 | Telefonaktiebolaget L M Ericsson (Publ) | Method for providing a parser to extract information from fields of a data packet header |
US20140307736A1 (en) * | 2013-04-16 | 2014-10-16 | Suresh Krishnan | Method for providing a parser to extract information from fields of a data packet header |
US9189218B2 (en) * | 2014-03-26 | 2015-11-17 | Telefonaktiebolaget L M Ericsson (Publ) | Processing packets by generating machine code from pre-compiled code fragments |
US20150277882A1 (en) * | 2014-03-26 | 2015-10-01 | Telefonaktiebolaget L M Ericsson (Publ) | Processing packets by generating machine code from pre-compiled code fragments |
US11394611B2 (en) | 2014-12-27 | 2022-07-19 | Intel Corporation | Programmable protocol parser for NIC classification and queue assignments |
US11394610B2 (en) | 2014-12-27 | 2022-07-19 | Intel Corporation | Programmable protocol parser for NIC classification and queue assignments |
US11388053B2 (en) | 2014-12-27 | 2022-07-12 | Intel Corporation | Programmable protocol parser for NIC classification and queue assignments |
US20170063690A1 (en) * | 2015-08-26 | 2017-03-02 | Barefoot Networks, Inc. | Packet header field extraction |
US11425038B2 (en) | 2015-08-26 | 2022-08-23 | Barefoot Networks, Inc. | Packet header field extraction |
US11425039B2 (en) | 2015-08-26 | 2022-08-23 | Barefoot Networks, Inc. | Packet header field extraction |
US11411870B2 (en) | 2015-08-26 | 2022-08-09 | Barefoot Networks, Inc. | Packet header field extraction |
US10432527B1 (en) | 2015-08-26 | 2019-10-01 | Barefoot Networks, Inc. | Packet header field extraction |
US11245778B1 (en) | 2015-08-26 | 2022-02-08 | Barefoot Networks, Inc. | Configuring a switch for extracting packet header fields |
US9825862B2 (en) * | 2015-08-26 | 2017-11-21 | Barefoot Networks, Inc. | Packet header field extraction |
US10225381B1 (en) | 2015-08-26 | 2019-03-05 | Barefoot Networks, Inc. | Configuring a switch for extracting packet header fields |
US11677851B2 (en) | 2015-12-22 | 2023-06-13 | Intel Corporation | Accelerated network packet processing |
US20220200876A1 (en) * | 2016-06-13 | 2022-06-23 | Hewlett Packard Enterprise Development Lp | Hierarchical aggregation of select network traffic statistics |
US11757740B2 (en) | 2016-06-13 | 2023-09-12 | Hewlett Packard Enterprise Development Lp | Aggregation of select network traffic statistics |
US11757739B2 (en) | 2016-06-13 | 2023-09-12 | Hewlett Packard Enterprise Development Lp | Aggregation of select network traffic statistics |
US11223520B1 (en) | 2017-01-31 | 2022-01-11 | Intel Corporation | Remote control plane directing data plane configurator |
US11463385B2 (en) | 2017-01-31 | 2022-10-04 | Barefoot Networks, Inc. | Messaging between remote controller and forwarding element |
US11245572B1 (en) | 2017-01-31 | 2022-02-08 | Barefoot Networks, Inc. | Messaging between remote controller and forwarding element |
US11606318B2 (en) | 2017-01-31 | 2023-03-14 | Barefoot Networks, Inc. | Messaging between remote controller and forwarding element |
US11271956B2 (en) | 2017-03-31 | 2022-03-08 | Level 3 Communications, Llc | Creating aggregate network flow time series in network anomaly detection systems |
US11757913B2 (en) | 2017-03-31 | 2023-09-12 | Level 3 Communications, Llc | Creating aggregate network flow time series in network anomaly detection systems |
US10356115B2 (en) * | 2017-03-31 | 2019-07-16 | Level 3 Communications, Llc | Creating aggregate network flow time series in network anomaly detection systems |
US11606381B2 (en) | 2017-03-31 | 2023-03-14 | Level 3 Communications, Llc | Creating aggregate network flow time series in network anomaly detection systems |
US10757028B1 (en) | 2017-04-23 | 2020-08-25 | Barefoot Networks, Inc. | Configurable forwarding element deparser |
US11425058B2 (en) | 2017-04-23 | 2022-08-23 | Barefoot Networks, Inc. | Generation of descriptive data for packet fields |
US10694006B1 (en) | 2017-04-23 | 2020-06-23 | Barefoot Networks, Inc. | Generation of descriptive data for packet fields |
US10686735B1 (en) | 2017-04-23 | 2020-06-16 | Barefoot Networks, Inc. | Packet reconstruction at deparser |
US11503141B1 (en) | 2017-07-23 | 2022-11-15 | Barefoot Networks, Inc. | Stateful processing unit with min/max capability |
US11750526B2 (en) | 2017-07-23 | 2023-09-05 | Barefoot Networks, Inc. | Using stateful traffic management data to perform packet processing |
US11362967B2 (en) | 2017-09-28 | 2022-06-14 | Barefoot Networks, Inc. | Expansion of packet data within processing pipeline |
US11700212B2 (en) | 2017-09-28 | 2023-07-11 | Barefoot Networks, Inc. | Expansion of packet data within processing pipeline |
US10958675B2 (en) * | 2017-12-13 | 2021-03-23 | Robert Bosch Gmbh | Method for the automated creation of rules for a rule-based anomaly recognition in a data stream |
CN110059904A (en) * | 2017-12-13 | 2019-07-26 | Robert Bosch GmbH | Method for the automated creation of rules for rule-based anomaly detection in a data stream |
US11146468B1 (en) * | 2021-03-08 | 2021-10-12 | Pensando Systems Inc. | Intelligent export of network information |
WO2022193196A1 (en) * | 2021-03-17 | 2022-09-22 | Huawei Technologies Co., Ltd. | Network message handling device and method, and electronic device |
Also Published As
Publication number | Publication date |
---|---|
US8861397B2 (en) | 2014-10-14 |
CN101563908A (en) | 2009-10-21 |
WO2008075224A1 (en) | 2008-06-26 |
US20130238792A1 (en) | 2013-09-12 |
CA2669932A1 (en) | 2008-06-26 |
KR20090099519A (en) | 2009-09-22 |
JP5102844B2 (en) | 2012-12-19 |
CN101563908B (en) | 2013-01-09 |
JP2010514313A (en) | 2010-04-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8861397B2 (en) | Apparatus and method for analyzing a network | |
US11876883B2 (en) | Packet processing method, network node, and system | |
JP7035227B2 (en) | Data packet detection methods, devices, and systems | |
EP2429128B1 (en) | Flow statistics aggregation | |
US9065767B2 (en) | System and method for reducing netflow traffic in a network environment | |
US20200021512A1 (en) | Methods, systems, and computer readable media for testing a network node using source code | |
JP4774357B2 (en) | Statistical information collection system and statistical information collection device | |
JP5660198B2 (en) | Network system and switching method | |
CN103004158A (en) | Network device with a programmable core | |
US20220407791A1 (en) | Network performance detection method and apparatus, and network device | |
CN110324198A (en) | Loss treating method and packet loss processing unit | |
CN109547288B (en) | Programmable flow measuring method for protocol independent forwarding network | |
CN107070719B (en) | Equipment management method and device | |
CN110071843B (en) | Fault positioning method and device based on flow path analysis | |
KR20120062174A (en) | Apparatus and method for dynamic processing a variety of characteristics packet | |
US7715317B2 (en) | Flow generation method for internet traffic measurement | |
CN114500354A (en) | Switch control method, device, control equipment and storage medium | |
US20230327983A1 (en) | Performance measurement in a segment routing network | |
US20050169277A1 (en) | Label switched data unit content evaluation | |
François et al. | Bpp over p4: exploring frontiers and limits in programmable packet processing | |
CN114157595B (en) | Communication system, data processing method and related equipment | |
CN115225545B (en) | Message transmission method and device | |
JP7359299B2 (en) | Packet identification device, packet identification method, and packet identification program | |
JP4669453B2 (en) | Flow information processing apparatus and method | |
CN108075939B (en) | Network quality detection system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION,NEW YO; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: KIND, ANDREAS; LUNTEREN, JAN VAN; REEL/FRAME: 022848/0519; Effective date: 20090615 |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |