WO2005109754A1 - System and method for real-time monitoring and analysis of network traffic and content - Google Patents
- Publication number: WO2005109754A1 (PCT/US2005/014733)
- Authority: WO, WIPO (PCT)
- Prior art keywords: network, probes, probe, query, traffic
Classifications (all under H04L—Transmission of digital information, e.g. telegraphic communication)
- H04L41/142—Network analysis or design using statistical or mathematical methods
- H04L41/024—Standardisation; Integration using relational databases for representation of network management data, e.g. managing via structured query language [SQL]
- H04L41/0213—Standardised network management protocols, e.g. simple network management protocol [SNMP]
- H04L41/06—Management of faults, events, alarms or notifications
- H04L43/12—Network monitoring probes
- H04L43/0858—One way delays
- H04L43/0817—Monitoring or testing based on specific metrics, e.g. QoS, by checking availability and functioning
- H04L43/0829—Packet loss
- H04L43/0888—Throughput
- H04L43/106—Active monitoring, e.g. heartbeat, ping or trace-route, using time related information in packets, e.g. by adding timestamps
Definitions
- the present invention relates generally to a method and system that enables a user to monitor and analyze network traffic and content. More particularly, a user will be able to sift through a high volume of packets of information flowing in real-time to look for patterns, locate resources, aggregate data and correlate information.
- BACKGROUND OF THE INVENTION The Internet is the fastest growing medium of all time. Part of its popularity and phenomenal growth has been attributed to the invention of the search engine. Today, more than 319 million web searches are performed daily by the world's 665 million internet users. But there remains a need in the art for a technology that can tap into humanity's digital communications (including voice, video and data, etc.), automatically organizing and filing away the information it encounters into a collection of massive databases that can be analyzed in real-time.
- the present invention exemplifies a real-time performance monitoring platform for IP networks.
- the platform allows service providers to observe and monitor the dynamics of packet traffic in large networks in real-time.
- the platform consists of network probes which capture traffic at line rate and perform detailed analysis, measure quality of service metrics along network paths between pairs of probes, and store all analysis and measurement results in relational tables.
- the platform also consists of a centralized management console which allows users to issue queries to extract and compute data from tables stored on probes in real-time, provides a front-end for interactive visualization of traffic, and manages and configures the network probes.
- a typical installation of the platform consists of a collection of the hardware probes placed at strategic monitoring points in the network and the web-based appliance centralized management console.
- An operator configures and operates the system via the console which presents information collected from the network probes.
- the present invention utilizes distributed query propagation and processing to achieve real-time performance.
- Network probes autonomously detect the presence of other probes during power up and create a peer-to-peer network encompassing other probes in the network.
- Queries issued from the console are propagated along a minimal delay spanning tree to all probes.
- Intermediate results are incrementally aggregated at each probe so that the amount of time required to execute a query is proportional only to the length of the longest path. This allows queries for very large networks to be completed in near real-time.
- Network parameters that an operator utilizing the present invention may wish to monitor include, but are not limited to, flow statistics, traffic composition, quality of service statistics, and TCP statistics.
- Flow statistics may include top flows in the network ranked by bit rate, packet rate, or byte control, as well as source, destination addresses, ports, Type-of-Service, application, protocol, packet size histogram and TCP statistics for TCP flows.
- Traffic composition may include the break down of total traffic by application type, Type-of-Service and protocol for the whole network and at each monitoring point.
- Quality of service statistics may include one-way/round-trip end-to-end/hop-by-hop delay, the average, max, min and histogram of end-to-end/hop-by-hop jitter, and the end-to-end/hop-by-hop loss rate.
- TCP statistics may include statistics for zero-window events, push bit set, urgent bit set, and resets, as well as number of open/closed connections and average connection setup times.
- this monitoring and analysis tool allows the information carried by computer networks to be automatically captured, organized and stored in databases that can be searched in real-time. Like a web search engine which allows users to see the billions of web pages on the Internet in terms of keywords and phrases, this tool makes accessible information about the network's structure and the content flowing through its millions of connections. When deployed in corporate networks, the present invention allows its users to sift through billions of packets of information flowing in real-time to look for patterns, locate resources, aggregate data or correlate information.
- An exemplary embodiment of the present invention can analyze information generated by all popular network applications including the web, email, instant messaging, etc. and can be extended to process information generated by other proprietary applications. This analysis is performed across each point in the network where the present invention is installed, actively aggregating, correlating and processing information in parallel. Both simple keyword searches like a web search engine, as well as sophisticated structured database queries may be used, making it a unique tool for mining, processing and analyzing a network and its traffic content.
- Network service providers can use an exemplary embodiment of the present invention to visualize and analyze network usage patterns, perform tests, correlate distributed measurements, and to understand the real-time dynamics of traffic that flows through their global networks.
- Security providers can use an exemplary embodiment of the present invention to detect unauthorized network intrusions, isolate suspicious online activity or log packets of malicious traffic.
- Governments and law enforcement agencies can use an exemplary embodiment of the present invention to search for specific patterns of communication, correlate events in space and time and track network traffic to physical locations.
- information research organizations can use an exemplary embodiment of the present invention to understand online consumer behavior, identify trends and analyze their impact as they are occurring.
- Some corporate users such as network service providers, can utilize an exemplary embodiment of the present invention to generate new revenue streams by offering new services to their customers. Examples of such services include real-time traffic analysis, pattern searching or security monitoring.
- Other corporate users can simply benefit from the real-time speed of the present invention to reduce response times in the event of failures, identify problems before they occur or to improve overall network resource utilization.
- the present invention is in essence a supercomputer constructed from a federation of off-the-shelf PCs, each augmented with specialized hardware (described below, exemplary embodiment of the acquisition element 210) that allows the processing of network traffic at rates above a billion bits per second.
- the present invention achieves its speed through parallel processing controlled by distributed algorithms (e.g., the echo pattern discussed below and in separate filings U.S. Serial No. 60/461,221 and International Application No. PCT/US2004/010646, hereby incorporated by reference) designed to maximize search speed and robustness.
- the present invention can theoretically search, extract or process information from a network of 200 million nodes in as fast as 2 seconds; accessing each node sequentially would require more than 3 weeks using the fastest PC available today.
- the present invention has the potential to change the way large networked systems are managed, maintained and used in fundamental ways.
- the technology can be a key enabler for whole new classes of applications that exploit real-time searching, data correlation and aggregation. Indeed many of the potential applications of the technology are just being developed, in areas as diverse as infrastructure performance management, cyber defense and homeland security.
- Figure 1 is a block diagram depicting a system and method for searching for network traffic and content data.
- Figure 2 is a block diagram depicting the functional elements of a network probe.
- Figure 3 illustrates the network architecture of a scalable analysis element of a network probe.
- Figure 4 illustrates an exemplary distributed architecture of the present invention.
- Figure 5 is a matrix representing an exemplary active traffic flow.
- Figure 6 illustrates an exemplary network instrumented with the present invention.
- Figure 7 illustrates wire-speed monitoring of a network probe.
- Figure 8 is a screenshot of an exemplary configuration page for a centralized management console.
- Figure 9 illustrates how to connect an exemplary network probe to a switch/router for monitoring.
- Figure 10 is a screenshot of an exemplary configuration page for a network probe.
- Figure 11 illustrates two network probes connected together via the synchronization ports.
- Figure 12 is a screenshot of an exemplary configuration page for a network probe.
- Figures 13, 14, 15, and 16 are screenshots of exemplary matrices and charts representing monitored traffic flows which can be viewed using the centralized management console.
- Figure 17 is a screenshot illustrating a web-interface supported by the centralized management console which allows users to type in queries.
- Figures 18 and 19 are screenshots illustrating tools a user can use to generate matrices and charts to view monitored traffic flow data.
- Figure 20 is a screenshot of an exemplary query results chart which can be viewed using the centralized management console.
- the same reference numerals and characters, unless otherwise stated, are used to denote like features, elements, components or portions of the illustrated embodiments.
- the subject invention will now be described in detail with reference to the figures, it is done so in connection with the illustrative embodiments. It is intended that changes and modifications can be made to the described embodiments without departing from the true scope and spirit of the subject invention as defined by the appended claims.
- FIG. 4 illustrates an exemplary network enabled by the present invention.
- the network consists of a collection of network probes, 410, connected to the switches/routers to be monitored, 415, and a centralized management console, 420.
- the network probes consist logically of a search, data collection, correlation and aggregation engine (called the query engine), 430, an interface tap for passive wire-speed packet monitoring and protocol analysis (called the tap), 440, and an input, 450, for synchronized time source, 455.
- the network probes, 410 are placed at strategic points in the network and collaboratively create a distributed searchable, data collection, correlation, and aggregation grid.
- the centralized management console, 420 provides an interface to the distributed system and allows the creation and dispatch of searches to the system.
- the network probes are typically placed at significant demarcation points in the network.
- Each probe supports a frame capture interface that is typically attached to a mirrored or tapped port on a switch/router and a traffic injection interface that is connected to the same switch/router. Traffic statistics captured by each probe are correlated in real-time with data from other probes across the network, to provide network-wide views on the conditions and states of various paths and regions in the network. Each probe can also be configured to periodically inject test traffic into the network to estimate the quality of service of paths between probes.
- the query engine, 430, in a probe is optimized to execute queries which involve either retrieving data stored on the probe, or aggregating intermediate results to be returned. Depending on the nature of the computation being performed, the query engine can typically execute hundreds of queries per second.
- the tap, 440, is a hardware-assisted packet filter that can decode and process Layer 1 and above packets at wire-speed. Under the control of a real-time operating system, the tap can also be programmed to inject packets into the network at precise intervals to simulate loading conditions. High-level call generators are bundled that allow the simulation of most IETF and VoIP protocols. The tap may be chosen from a wide variety of hardware interfaces and speeds ranging from Fast Ethernet and 1GB Ethernet up to OC-192.
- An exemplary hardware specification for a centralized management console is a Xeon Class 1U rackmount server running Red Hat Linux 9 with 512MB RAM, 73GB SCSI HD, and 1 x 10/100/1000BaseTX Management Port.
- An exemplary configuration page for a console is shown in Figure 8.
- An exemplary hardware specification for a network probe is a Xeon Class 1U rackmount appliance with 4 RJ-45 ports: 1 x Management Port (10/100/1000BaseTX), 1 x Traffic Injection Port (10/100/1000BaseTX), 1/2 x Capture Port (GIGE/OC12/OC48/OC192), and 1 x Synchronization Port.
- Figure 9 illustrates how to connect a network probe to a switch/router for monitoring.
- the Management Port, 910 is connected to the Management Network, 920.
- the Management Network 920 is a logical network, interconnecting devices and applications that are used to monitor and control the network being managed.
- the Management Network 920 may be a physically separate network or share the physical resources of the managed network.
- the Injection Port, 930 is connected to the port closest to the router/switch, 940.
- the Capture Port, 950 is connected to the router/switch, 940.
- the network probe uses specialized hardware (described below, exemplary embodiment of the acquisition element 210) to timestamp each frame as it is captured.
- the synchronization port, 960, allows probes to get timing from an external reference clock (GPS or CDMA) with 50-100 ns accuracy.
- a synchronization port may be hooked to a synchronization port of another probe or it may be connected to an external timing source.
- Figure 11 illustrates two network probes connected via their respective synchronization ports.
- Network Probe 1, 1110, synchronizes with the NTP server, 1120, via the Management Port, 1130.
- Network Probe 2, 1140, synchronizes with Network Probe 1 via the Synchronization Ports, 1150.
- Exemplary configuration pages for a network probe are shown in Figures 10 and 12.
- the present invention employs both simple keywords as well as structured queries for searching its infrastructure. When searching with keywords, the present invention operates like a search engine, checking its distributed repositories for patterns that match the keyword.
- the present invention preferably utilizes a query language which is modeled after the Structured Query Language (SQL), the industry standard language for relational databases.
- the syntax and semantics of the query language used in the present invention is preferably designed to resemble SQL. From a systems integration viewpoint, there is only a slight difference between writing scripts and programs to collect, aggregate and correlate information in the network and writing database applications. The complexities that are typically associated with distributed programming may be abstracted away by the language. In effect, an SQL-like query language turns a network into a large real-time database whose contents can be quickly retrieved.
- the queries return information in tabular format, preferably encapsulated in the Extensible Markup Language (XML).
- results can be posted through a number of channels, such as socket and web-based APIs, to third party applications, management systems or stored in enterprise databases.
- the results may also be displayed to a user through a web-based API for generating charts and reports.
- Figures 18 and 19 illustrate the types of charts and reports that may be generated.
- Figure 20 illustrates how query results may be displayed to a user. Queries created at the console are dispatched in parallel across the network to the network probes along a minimal delay spanning tree and the results are propagated back along the spanning tree with aggregation being performed by intermediate network probes. The dispatch point, forwarding and aggregation paths traversed by a query are chosen so as to minimize the overall delay.
- FIG. 1 is a block diagram depicting a system and method for searching for network traffic and content data.
- the user at computer 105 submits a query, shown by arrow 110, to the centralized management console 115 (console).
- the console transmits the query to a network probe for processing, as shown by arrow 120.
- that network probe in turn propagates the query to other network probes across the network (which may in turn propagate the query further, 140) where the required data is collected.
- each network probe aggregates data from child nodes when appropriate and returns the collected data to the parent.
- the required data is sent back to the console at step 160.
- the console formats the query results for user presentation.
- configuration of both the centralized management console and the network probes is accomplished by using an SSL-enabled web browser to connect to the IP address of the unit's management interface.
- the default IP address of the management interface on the console and on a network probe is 192.168.1.100 and 192.168.1.50 respectively.
- To initially configure each network probe, the user must supply the IP address of the console's management interface. Once this is accomplished, further detailed configuration of a probe can be achieved from the console's web interface.
- Each network probe is supplied with the address of the console during initial configuration. In the boot up process, and periodically afterwards, each probe registers its address with the console.
- An exemplary embodiment of the present invention uses a query language modeled after the Structured Query Language (SQL).
- the query language used in the present invention is a flexible SQL-like language (encapsulated in XML) designed to allow the querying, aggregation and correlation of management information from network nodes to be specified without programming.
- the queries can be very compact performing operations in a single statement that ordinarily require thousands of lines of code.
- the queries can be stored as templates and reused in many applications with similar data retrieval and processing requirements by changing only a few parameters in the templates.
- An exemplary embodiment of the present invention includes an extensive library of pre-built query templates and functions for computing common network statistics.
- Query tables can be exported in XML to third party applications for other uses. The following is a non-exhaustive list of examples of searches that may be conducted on a system according to the present invention:
- the SQL-like language includes extensions to SQL, such as the definition of the start node, which relate to the distributed nature of the network database and the real-time quality of network information.
- the syntax of an exemplary query is given as follows: SELECT <columns> FROM <tables> [ ON <startnode> [ FOR <hops> ]] [ WHERE <conditions> ] [ GROUP BY <groups> [ HAVING <having> ]] [ ORDER BY <ordering> ] [ LIMIT <limit> ]
- <columns>, <groups> and <ordering> refer to columns of the virtual global tables (see below) or to operations on these columns
- <tables> refers to the names of virtual global tables
- <startnode> refers to the IP address of the start node of the query
- <hops> restricts the execution of the query to a specific distance from the start node
- a query in this SQL-like language is executed against a set of global virtual tables, which consist of all data records that make up the local tables stored on the network probes. For each type of local table, there is a corresponding virtual global table with the same structure.
- An exemplary implementation includes the following global virtual tables, namely the Device, Interface, System and Flow tables.
- Each global query is translated into three SQL sub-queries, which are executed on the network probes against their local tables. This translation process is described below.
- Query A "List the heaviest flows currently in the network"
- Query A lists addresses and ports of the top 3 IP flows in the network, ordered by their bit rate in the three minute interval between 2004-04-18 05:23:00 and 2004-04-18 05:26:00 UTC.
- SELECT MAX((ByteCount*8)/SamplingInterval) as BitRate, SrcIp, DstIp, DstPort FROM Flow
- Query B "Find the gateway with most FTP traffic currently"
- Query B identifies the subnet that generates the highest volume of FTP traffic through a single gateway over the last 5 seconds.
- the result of the query identifies that gateway and provides the volume of the subnet's traffic through the gateway router.
- the function SUBNET() takes two arguments, the first an IP address and the second a subnet address, and returns true if the given address is in the specified subnet.
- Query C "Identify all flows currently traversing two given routers." Query C identifies all flows traversing the two routers 192.168.1.1 and 192.168.4.1 during the past 5 seconds.
- the aggregate function SET_CONCAT() coalesces all records in a group into a single record by concatenating the value of each record and removing duplicates.
- the function STRSTR() takes two strings and returns true if the second string is found within the first. Note that the column PathSet returned by the query provides an unordered set of the addresses of routers traversed by each flow. The query begins: SELECT SrcIp, DstIp, SrcPort, DstPort, SET_CONCAT(DeviceIp) as PathSet FROM Flow, Device
- the process of translating a global query to SQL sub-queries is tightly coupled with the state machine of the echo pattern and utilizes it to accomplish two key tasks - data transport and incremental aggregation.
- the explorer messages are used to propagate SQL sub-queries while the echo messages are used to carry back the results.
- the echo pattern state machine is used to trigger incremental aggregation when the results are returned from a network probe's neighbors.
- the process begins when a query is submitted to the start node defined in the query; for example, see query G below.
- the start node translates G into three SQL sub-queries S1, S2, and S3. S1 and S2 are propagated via explorer messages to all network probes in the system.
- On each network probe, including the start node, S1 is executed against the local database to yield a temporary local table named TEMP_TABLE. If a network probe is a leaf node in the execution tree, the records in the network probe's TEMP_TABLE are carried back to its parent via echo messages and TEMP_TABLE is deleted. Otherwise, the records carried in each echo message received from its neighbors are appended to its local TEMP_TABLE. When the last echo message is received on the network probe, S2 is executed against its TEMP_TABLE and the result is returned via an echo message to the network probe's parent. Its local TEMP_TABLE is then deleted.
- The grouping clauses of G read: GROUP BY SrcIp, DstIp, SrcPort, DstPort HAVING STRSTR(PathSet, "192.168.1.1") and STRSTR(PathSet, "192.168.4.1"). G is mapped into S1 as follows: G is prepended with a statement that creates a temporary table TEMP_TABLE and the "HAVING" clause in G is deleted.
- S1 therefore ends with: GROUP BY SrcIp, DstIp, SrcPort, DstPort. G is mapped into S2 as follows: The tables specified in the "FROM" clause are replaced with TEMP_TABLE, the "WHERE" and "HAVING" clauses in G are deleted, and all aggregate functions (i.e., SET_CONCAT() in this case) in the "SELECT" clause are re-applied to their corresponding columns (i.e., PathSet in this case) in TEMP_TABLE. The "WHERE" clause is dropped because record filtering has already been performed by sub-query S1, while the "HAVING" clause is omitted for the same reason as in sub-query S1.
- In S3, the replacement of aggregate functions with column names is necessary because aggregation has already been completed by S2.
- the primary purpose of S3 is to filter out groups of records which do not satisfy the conditions specified in the "HAVING" clause in G. S3:
- the SET_CONCAT() function used to illustrate sub-query S2 above is a commutative and associative string aggregate function that can be computed incrementally at each network probe.
- an echo carrying a list of IP addresses from a network probe's neighbors is simply concatenated with the list from the previous echo.
- MIN(), MAX(), SUM() also have these properties.
- other functions, such as the SQL AVG() aggregate function, do not. In such cases, distinct distributed versions of these functions will have to be implemented that support the aggregation of partial results in an incremental distributed manner. Fortunately, most commercial Relational Database Management Systems support the development of such user-defined aggregate functions.
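As an added illustration (not code from the patent) of the G to S1/S2/S3 translation and echo-pattern aggregation described above, and of why AVG() needs a distributed variant while SET_CONCAT() does not, the following Python model runs query G over a constructed four-probe spanning tree; the probe names, the tree shape and the Flow/Device records are assumptions.

```python
"""Toy model of distributed query G (flows traversing two given routers).
Constructed data: the probe names, tree and records below are made up."""
from collections import defaultdict

# Constructed local tables. Each record is (SrcIp, DstIp, SrcPort, DstPort, DeviceIp),
# i.e. a Flow row already joined with the Device row of the router the probe watches.
LOCAL_FLOWS = {
    "probe-a": [("10.0.0.5", "10.0.9.9", 40000, 80, "192.168.1.1"),
                ("10.0.0.6", "10.0.9.9", 40001, 80, "192.168.1.1")],
    "probe-b": [("10.0.0.5", "10.0.9.9", 40000, 80, "192.168.2.1"),
                ("10.0.0.7", "10.0.8.8", 51000, 443, "192.168.2.1")],
    "probe-c": [("10.0.0.5", "10.0.9.9", 40000, 80, "192.168.4.1"),
                ("10.0.0.6", "10.0.9.9", 40001, 80, "192.168.4.1")],
    "probe-d": [("10.0.0.7", "10.0.8.8", 51000, 443, "192.168.4.1")],
}
# Constructed minimal-delay spanning tree rooted at the start node probe-a.
CHILDREN = {"probe-a": ["probe-b", "probe-c"], "probe-b": ["probe-d"],
            "probe-c": [], "probe-d": []}


def s1_local(probe):
    """S1: G with its HAVING clause removed, run against the local table.
    Yields TEMP_TABLE rows: group key -> partial PathSet (SET_CONCAT partial)."""
    temp = defaultdict(set)
    for src, dst, sp, dp, dev in LOCAL_FLOWS[probe]:
        temp[(src, dst, sp, dp)].add(dev)
    return dict(temp)


def s2_merge(temp_table, echo_rows):
    """S2: append the rows carried by a child's echo to TEMP_TABLE and re-apply
    SET_CONCAT. Set union is commutative and associative, so the order in which
    echoes arrive does not change the result."""
    for key, pathset in echo_rows.items():
        temp_table.setdefault(key, set()).update(pathset)
    return temp_table


def echo(probe):
    """One explorer/echo round at a probe: run S1, fold in each child's echo with
    S2, and return the rows this probe's own echo carries to its parent.
    A leaf returns its S1 rows unchanged."""
    temp_table = s1_local(probe)
    for child in CHILDREN[probe]:
        temp_table = s2_merge(temp_table, echo(child))
    return temp_table


def s3_having(rows, routers):
    """S3 at the start node: keep only groups whose PathSet contains every
    required router. Set membership is used instead of a substring test so
    that "192.168.1.1" cannot accidentally match "192.168.1.10"."""
    return {key: ",".join(sorted(ps)) for key, ps in rows.items()
            if set(routers) <= ps}


def run_query_g(start_node="probe-a", routers=("192.168.1.1", "192.168.4.1")):
    """Full query: explorers out, echoes back, HAVING applied once at the root."""
    return s3_having(echo(start_node), routers)


# AVG() is not decomposable: averaging per-probe averages is wrong, so a
# distributed AVG carries (sum, count) partials and divides only at the root.
def avg_partial(values):
    return (sum(values), len(values))


def avg_merge(partials):
    total = sum(s for s, _ in partials)
    count = sum(c for _, c in partials)
    return total / count if count else 0.0


def naive_avg_of_avgs(groups):
    avgs = [sum(g) / len(g) for g in groups if g]
    return sum(avgs) / len(avgs)


if __name__ == "__main__":
    for key, pathset in run_query_g().items():
        print(key, "->", pathset)
    groups = [[10, 20, 30], [40]]
    print("distributed AVG:", avg_merge([avg_partial(g) for g in groups]),
          "naive:", naive_avg_of_avgs(groups))
```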
- users can issue queries in three ways:
  1. interactive querying - the centralized management console supports a web interface that allows the user to type in an SQL statement, as exemplified in Figure 17. The returned result is a table in XML displayed in the user's browser as illustrated in Figure 20;
  2. issuing queries via HTTP post - web-based applications can post SQL queries to the centralized management console and receive results back as an XML table;
  3. issuing queries via a well-known TCP socket - applications can use a socket-based interface to post SQL queries to the centralized management console.
- the syntax of the SQL used is compliant with SQL-92.
- an exemplary embodiment of the present invention also includes a comprehensive library of extended "select" and "group by" functions for computing network-specific statistics (e.g., histograms, jitter, path, etc.).
- FIG. 2 is a block diagram depicting the functional elements of a network probe.
- a query sent from the console as in Fig. 1, arrow 110, is processed by each receiving network probe.
- An exemplary embodiment of the network probe has four main functional elements: acquisition, analysis, storage, and processing.
- the acquisition element, 210, captures network packets and frames from a monitoring point in the network.
- these packets are passed to the analysis element, 220, which decodes and computes statistics, indices and summaries.
- the resulting data produced by the analysis element is then stored in a high performance database, 230. Finally, this data may be accessed in real time when processing a search, query or computation by the processing element, 240.
- An exemplary embodiment of the acquisition element 210 of the network probe can be constructed from high performance off-the-shelf Network Interface Cards (NIC) that support a Direct Memory Access (DMA) interface, an example of which is the DAG series of NICs produced by Endace Measurement
- Other interrupt-based NICs can also be employed to construct this element; however the tradeoff may be in the loss of some packets when the link utilization is high.
- NIC vendors will either supply a proprietary kernel driver with their hardware or include standard drivers that will work in a number of popular operating systems. In either case, this element can be developed to operate over the supplied proprietary driver or to utilize open-source packet filter libraries such as libpcap (available at http://sourceforge.net/projects/libpcap/).
- An exemplary embodiment of the analysis element 220 of a network probe is based on an architecture that utilizes parallel pipelining to speed up packet processing and analysis.
- the analysis functional element 220 of the network probes utilizes a multi-staged tree pipelining architecture that exploits parallel processing to allow the decoding and analysis of a packet stream at arbitrary speeds.
- the element itself can consist of a single protocol analysis element or a network of active nodes each of which contains a protocol analysis element coupled with the distributed processing element of a network probe.
- Figure 3 illustrates the architecture of the analysis element 220 in the network.
- the square boxes, 300, represent active nodes with the distributed SQL processing functionality described below (processing element 240).
- Each active node, 300 is a location for a network probe, such as a switch or router.
- the rounded rectangles, 310 represent the protocol analysis functionality of each active node that captures, decodes and stores packets on a local database for subsequent querying.
- the thick solid arrow, 320 represents the original packet stream captured at rate R by active node 1.
- the dotted arrows, 330 represent the packet stream after it has been processed by active node 1, 301, which includes packets as well as timestamps.
- Each active node, with the exception of active node 1, 301, is capable of capturing packets at a rate less than R/2 and processing them at a rate of R/n.
- Active node 1, 301 is capable of capturing and timestamping packets at rate R but processing it at rate R/n.
- all packets arriving on active node 1, 301 are timestamped. A fraction of these (R/n), is directed to the protocol analysis function on the node. The remaining fraction of packets is transmitted, together with their timestamps, to active node 2, 302, and active node 3, 303, in equal proportions.
- a fraction of the received packets and timestamps (R/n) is directed to the protocol analysis function on each node while the remaining is transmitted in equal proportions to their peers in stage 3 where the process is repeated.
- at each stage, the rate of incoming packets and timestamps is reduced by the action of the active nodes in the previous stage. In the final stage, this rate is less than R/n, so that all of the packets and timestamps can be processed by the protocol analysis function on the node.
- the architecture of the system has advantages which include, but are not limited to, the following:
  - Active nodes can be added to increase the rate at which packets can be processed, without limitation.
  - The pipeline depth grows only logarithmically: n active nodes need about log n stages, so adding nodes does not lengthen the pipeline proportionally.
- the total number of stages in the pipeline can be shortened further by configuring each active node to transmit to more than two peers (e.g., three or more).
- the resulting pipeline will be a k-ary tree instead of a binary tree, as shown in Figure 4. Aside from this, no other changes are required in the architecture.
- An exemplary embodiment of the storage element 230 of the network probe depicted in Figure 2 can be constructed from any off-the-shelf relational database system that supports the Structured Query Language (SQL).
- the database schema of each network probe consists of a collection of relational database tables that contain information generated by the analysis element 220. Each table contains records of identical structures, which can be accessed via a local interface.
- Each such record contains data gathered by the network probe from its attached router via an access protocol — SNMP or Command Line Interface.
- network probes share the same schema, meaning that the type and the structure of information they collect are identical.
- each table holds information about traffic generated or consumed by a single type of application. The structure of each is thus highly specific to the type of application it represents.
- the list below provides the schema for tables representing data gathered from the traffic generated by a number of commonly used applications.
- Email transaction table This table may contain records representing email transactions between mail clients and servers.
- each record contains, but is not limited to, the following list of fields: source and destination IP addresses and port, sender, receiver, subject, cc, bcc, mail agent, mail protocol (SMTP, ESMTP, POP, IMAP, etc.), content type, action (sending, receiving, relaying), and timestamp.
- HTTP transaction table This table may contain records representing HTTP transactions between browsers, proxies and web servers.
- each record contains, but is not limited to, the following list of fields: source and destination IP address and port, HTTP-version, transaction type (request or response), method (get, post, head, put, delete, trace, connect), request-URI, status code, user-agent, from, host, content-type, length, and timestamp.
- SIP transaction table This table may contain records representing SIP calls between SIP user agents, gateways and servers.
- each record contains, but is not limited to, the following list of fields: source and destination IP address and port, SIP-version, transaction type (request or response), method (register, invite, ack, cancel, bye, options), request-URI, status code, from, to, caller-ID, contact, and timestamp.
- FTP transaction table This table may contain records representing FTP transactions between FTP clients and servers.
- each record contains, but is not limited to the following list of fields: source and destination IP address and port, command
- Instant messaging table This table may contain records representing instant messages between instant messaging clients and servers.
- each record contains, but is not limited to the following list of fields: source and destination IP address and port, protocol (YAHOO, MSN,AOL, ICQ, IRC), from, to, cc, datetime, subject, and timestamp.
- P2P activity table This table may contain records representing P2P application searches and search results.
- each record contains, but is not limited to the following list of fields: source and destination IP address and port, protocol (Gnutella, Fastrack, etc.), descriptor Header (Ping, Pong, Query, QueryHit, Push), search criteria string, shared file names, shared file sizes, user, and timestamp.
- the network probe also contains a number of tables that represent general IP, TCP and layer 2 traffic. These tables may include, but are not limited to the following:
- Flow table This table may contain records representing network traffic flows sampled from a sequence of packets captured from the network.
- a record would contain fields which include, but are not limited to the following: source and destination IP address and ports, layer 2 source and destination address, IP packet header options, for example, Type-of-Service, TTL etc., packet count and byte count, sampling duration, and timestamp of the sample.
- Frame table This table may contain records representing layer 2 frames captured by the acquisition element from the network.
- a record would contain fields which include, but are not limited to the following: source and destination MAC addresses, frame count and byte count, sampling duration, and timestamp of the sample.
- TCP connection table This table may contain records corresponding to TCP connection events observed in the network.
- a record would contain fields which include, but are not limited to the following: source and destination IP address and port of the connection, connection event type (e.g., SYN, SYNACK, FIN, RESET, etc.), TCP sequence number, and timestamp of the event.
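The tables above are ordinary relational tables, so the SQL-92 queries the console dispatches can be run against any probe unchanged. The following is an added example, not code from the patent: it loads a constructed set of TCP connection events into the TCP connection table (column names are an assumption; the page lists the fields but not their names) using SQLite, and runs one SQL-92 query that flags sources sending SYNs to many distinct ports while receiving few SYNACKs back, the half-open signature of a port scan.

```python
"""Added example (not from the patent): one probe's TCP connection table loaded
into SQLite and queried with plain SQL-92 to flag SYN-scan-like sources."""
import sqlite3

# Column names are assumptions made for this example; the page lists the fields
# of the table but not their column names.
SCHEMA = """
CREATE TABLE tcp_connection (
    src_ip   VARCHAR(45) NOT NULL,
    src_port INTEGER     NOT NULL,
    dst_ip   VARCHAR(45) NOT NULL,
    dst_port INTEGER     NOT NULL,
    event    VARCHAR(8)  NOT NULL,   -- SYN, SYNACK, FIN, RESET
    seq      INTEGER     NOT NULL,   -- TCP sequence number of the event packet
    ts       REAL        NOT NULL    -- probe timestamp, seconds
)
"""

# Constructed sample events: one normal SSH session from 10.0.0.5, and
# 198.51.100.7 sending SYNs to eight ports of the same host, answered by one
# SYNACK (port 80 open) and one RESET (port 22 closed).
SAMPLE_EVENTS = [
    ("10.0.0.5", 40001, "192.0.2.10", 22, "SYN", 1000, 100.000),
    ("192.0.2.10", 22, "10.0.0.5", 40001, "SYNACK", 7000, 100.001),
    ("10.0.0.5", 40001, "192.0.2.10", 22, "FIN", 1400, 104.500),
] + [
    ("198.51.100.7", 50000 + i, "192.0.2.10", port, "SYN", 2000 + i, 101.0 + i / 100)
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443])
] + [
    ("192.0.2.10", 80, "198.51.100.7", 50004, "SYNACK", 9000, 101.05),
    ("192.0.2.10", 22, "198.51.100.7", 50001, "RESET", 0, 101.02),
]

# SQL-92 only (scalar subquery, GROUP BY/HAVING); no window functions or
# vendor extensions, so the same text can be sent to every probe.
SCAN_QUERY = """
SELECT s.src_ip,
       COUNT(*)                   AS syn_count,
       COUNT(DISTINCT s.dst_port) AS distinct_ports,
       (SELECT COUNT(*) FROM tcp_connection r
         WHERE r.event = 'SYNACK'
           AND r.dst_ip = s.src_ip
           AND r.ts BETWEEN ? AND ?) AS synack_count
FROM tcp_connection s
WHERE s.event = 'SYN' AND s.ts BETWEEN ? AND ?
GROUP BY s.src_ip
HAVING COUNT(DISTINCT s.dst_port) >= ?
ORDER BY distinct_ports DESC
"""


def load_probe_db(events=SAMPLE_EVENTS):
    """Create the table in an in-memory database and load the event records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO tcp_connection VALUES (?, ?, ?, ?, ?, ?, ?)", events)
    conn.commit()
    return conn


def find_syn_scanners(conn, t0, t1, min_ports=5):
    """Sources that sent SYNs to at least min_ports distinct ports in [t0, t1],
    with the number of SYNACKs that came back to them; a low synack/syn ratio
    is the half-open signature of a port scan."""
    rows = conn.execute(SCAN_QUERY, (t0, t1, t0, t1, min_ports)).fetchall()
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    for src, syns, ports, synacks in find_syn_scanners(load_probe_db(), 100.0, 110.0):
        print(f"{src}: {syns} SYNs to {ports} ports, {synacks} SYNACKs back")
```

The placeholders are bound in textual order (window for the subquery, window for the outer query, then the port threshold). Because the console accepts raw SQL over HTTP and a TCP socket, the query interface should be treated as a privileged, read-only path into the probe schema rather than exposed to untrusted clients.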
- An exemplary embodiment of the processing element 240 of the network probe depicted in Figure 2 is based on an architecture that utilizes distributed SQL queries to collect and process information from the network. As networks grow larger and more dynamic, the ability to create network views in real-time becomes increasingly important. To compute such views, measurements must be taken from various points in a network and statistical methods applied to infer state abstractions.
- An exemplary embodiment of the processing element 240 utilizes the relational model as the fundamental abstraction to model network data and compute network views, for the following reasons.
- the relational model, which provides the basis for most commercial database management systems today, is known for its flexibility and expressiveness for formulating queries through the use of a relational algebra.
- the maturity of this technology and the availability of tools and resources for manipulating relational data reduce the cost of developing, maintaining and operating new applications.
- a network view may be understood as the result of a (distributed) relational query on these tables.
- An exemplary embodiment of the processing element 240 supports the creation of, but is not limited to, the following categories of real-time views of the network: 1. Views of traffic flows; 2. Views of traffic composition; 3. Views of end-to-end quality of service statistics, including packet delay, jitter and loss; 4. Views of statistical measures of traffic characteristics such as frame or packet sizes; 5. Views of connection-oriented protocols like TCP; 6. Views of topology information, such as the connectivity distribution of the network nodes or the current number of sinks of IP multicast sessions; 7. Views derived from statistical correlation of point measurements, e.g., the coefficient of correlation between traffic volume and delay between two end-points.
- the dynamics of the system operate as follows. A network administrator sends a query via HTTP to the centralized management console, which dispatches it to a start node (a network probe) in the network. For processing a query in the network, the system uses the echo pattern and a query aggregator that is invoked by the pattern on each node.
- sub queries are distributed to the targeted node and the query aggregator performs the local database access.
- partial results carried back by echo messages are incrementally added to the results obtained from the local query, on all nodes of echo's execution tree.
- the resulting table of the global query is sent from the start node, which is the root node of the execution tree, to the console, which forwards it to the administrator.
- for example, when a sub query for the top ten flows reaches a node X, a local table is constructed that initially holds data of the top ten flows passing through X's attached router.
- as results from X's neighbors are received via echo messages, additional rows containing data of the top ten flows from X's neighbors' routers are added to the local table.
- the query aggregator on X then re-executes the original sub query on the local table, retaining only records of the top ten flows. This table is then sent as part of an echo message to X's parent.
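The echo pattern and the top-ten aggregator described above, as an added example that is not part of the patent: the probe graph, the per-probe flow tables and the flow key (source, destination) are constructed for the example, and the echo is simulated by a recursive walk with a shared visited set, which is what turns a network containing cycles into the execution tree the page refers to.

```python
"""Added example (not from the patent): the echo pattern with a top-k query
aggregator, simulated over an in-memory graph of probes."""

# Constructed per-probe flow tables: rows of (src, dst, bytes) as stored by the
# probe's analysis element. Flow 10.0.0.1 -> 10.0.1.1 crosses both A and B.
FLOW_TABLES = {
    "A": [("10.0.0.1", "10.0.1.1", 900), ("10.0.0.2", "10.0.1.2", 400), ("10.0.0.3", "10.0.1.3", 100)],
    "B": [("10.0.0.1", "10.0.1.1", 880), ("10.0.0.4", "10.0.1.4", 700), ("10.0.0.5", "10.0.1.5", 50)],
    "C": [("10.0.0.6", "10.0.1.6", 650), ("10.0.0.7", "10.0.1.7", 300)],
    "D": [("10.0.0.8", "10.0.1.8", 1200), ("10.0.0.9", "10.0.1.9", 20)],
}

# Constructed probe adjacency; it contains a cycle (A-B-D-C-A), which the echo
# pattern must turn into a spanning tree by visiting each probe only once.
NETWORK = {"A": ["B", "C"], "B": ["A", "D"], "C": ["A", "D"], "D": ["B", "C"]}


def top_k(rows, k):
    """The sub-query: rank flows by bytes and keep the k largest. A flow seen on
    several routers is reported once, with the largest byte count observed,
    so that a multi-hop flow is not counted once per hop."""
    best = {}
    for src, dst, nbytes in rows:
        key = (src, dst)
        if nbytes > best.get(key, -1):
            best[key] = nbytes
    ranked = sorted(best.items(), key=lambda item: (-item[1], item[0]))
    return [(src, dst, nbytes) for (src, dst), nbytes in ranked[:k]]


def echo_query(network, tables, node, k, visited=None):
    """Run the query at `node` with the echo pattern: execute the sub-query on
    the local table, forward the query to not-yet-visited neighbours, append
    the partial results carried back by their echoes, and re-execute the
    sub-query on the merged table before echoing the result to the parent."""
    if visited is None:
        visited = set()
    visited.add(node)
    local_table = top_k(tables[node], k)           # local database access
    for neighbour in network[node]:
        if neighbour not in visited:               # explorer message to a child
            local_table += echo_query(network, tables, neighbour, k, visited)
    return top_k(local_table, k)                   # the echo carries this to the parent


def centralized_top_k(tables, k):
    """Reference answer: the same query over every probe's rows pulled to one place."""
    return top_k([row for rows in tables.values() for row in rows], k)


if __name__ == "__main__":
    for row in echo_query(NETWORK, FLOW_TABLES, "A", 3):
        print(row)
```

Pruning to the top k at every node is exact here because the ranking value of a flow is a maximum over the probes that saw it: any flow in the global top k is in the local top k of the probe where its maximum was observed. For a sub-query that sums a value across probes (total bytes over all routers, say) the same per-node pruning is only an approximation, since a flow ranked eleventh on each of several probes can be first once summed; such queries need the full per-flow partials carried in the echo.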
- An exemplary embodiment of the centralized management console includes a set of PHP scripts running on an Apache HTTP server and a MySQL database daemon.
- A MySQL database daemon also runs on each network probe to interpret the local queries generated by the query aggregator and to insert records with data collected from the attached routers.
- An exemplary embodiment of the present invention includes a method which allows network operators to visualize and track thousands of active traffic flows in a network in real-time. Much of today's network traffic is comprised of sustained high volume 'streams' of data between pairs of computers. At the lowest level, each of these streams is the aggregation of thousands of individual packets from the same source headed towards the same destination. However, modeling traffic in the network in terms of 'streams' or flows instead of disparate packets provides a better insight into the dynamics and utilization of resources in a network.
- An exemplary method of the present invention utilizes packet level information in the network to create a graphical network-view of active flows in a continuously scrolling display.
- this method provides a network operator with a live view of the traffic dynamics in a network in significant detail.
- a flow is a sequence of datagrams with identical source and destination addresses and port numbers.
- the construction of a flow matrix requires a table of records, one for each datagram captured in the network. Each record should include the following information:
  - Source and destination addresses and port numbers of the datagram
  - Size of the datagram
  - A timestamp indicating when the packet was captured
- Figure 5 shows an exemplary active traffic flow matrix of a network with many active flows.
- Network flows in the matrix are represented as horizontal lines of varying thickness, 510.
- Time is represented on the horizontal axis and is marked out in discrete intervals at the top of the matrix, 520.
- Each flow can vary in thickness over a minimum pre-determined period of time (e.g., 3 seconds). This minimum period is called a slice and represents the sampling time window of statistics about the flow.
- statistics such as its average bit rate or packet rate can be computed.
- These statistics can be represented in the matrix visually as an indication of the dynamics of the flow. For example, in Figure 5, the thickness of a slice represents the average bit rate of the flow over the slice.
- the matrix scrolls in the direction of the time axis providing a continuously updated view of network traffic over a window of time proportional to its width.
- the matrix may represent only samples of the most interesting flows, for example the top 25 ranked flows in terms of bit rate. Colors are used in the matrix to represent flows with similar characteristics, 530; for example, flows carrying similar kinds of traffic (e.g., video) may be similarly colored.
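The slice computation and ranking behind the flow matrix, as an added example that is not part of the patent: per-datagram records with the three fields listed above are constructed inline, grouped by (source, destination, ports), bucketed into 3-second slices, converted to an average bit rate per slice, ranked, and drawn as one text row per flow with a thickness character per slice (the text rendering stands in for the graphical matrix of Figure 5).

```python
"""Added example (not from the patent): slicing per-datagram records into the
active traffic flow matrix (average bit rate per slice) and ranking the top flows."""
import math
from collections import defaultdict

SLICE_SECONDS = 3.0   # the minimum period the page calls a slice

# Constructed datagram records: (src, dst, src_port, dst_port, size_bytes, ts_seconds).
# A steady 1500-byte-every-100-ms stream, a bursty HTTPS flow and one DNS query.
SAMPLE_DATAGRAMS = (
    [("10.0.0.1", "10.0.0.2", 5000, 6000, 1500, i * 0.1) for i in range(120)]
    + [("10.0.0.3", "198.51.100.5", 40000, 443, 1000, t) for t in (1.0, 2.0, 7.0, 8.0)]
    + [("10.0.0.4", "10.0.0.53", 53001, 53, 80, 0.5)]
)


def build_flow_slices(records, t0, n_slices, slice_s=SLICE_SECONDS):
    """Return {flow_key: [average bit rate per slice]} for the window
    [t0, t0 + n_slices * slice_s); flow_key is (src, dst, src_port, dst_port)."""
    byte_counts = defaultdict(lambda: [0] * n_slices)
    for src, dst, sport, dport, size, ts in records:
        idx = int((ts - t0) // slice_s)
        if 0 <= idx < n_slices:                    # drop datagrams outside the window
            byte_counts[(src, dst, sport, dport)][idx] += size
    return {flow: [b * 8 / slice_s for b in counts] for flow, counts in byte_counts.items()}


def rank_flows(slices, top_n):
    """Flows ordered by total bits over the window (the page ranks by bit rate)."""
    return sorted(slices, key=lambda flow: (-sum(slices[flow]), flow))[:top_n]


def render_matrix(slices, top_n, levels=" .:-=#"):
    """One text row per flow, one character per slice; the character is the
    slice's thickness relative to the busiest slice among the shown flows."""
    flows = rank_flows(slices, top_n)
    peak = max((r for f in flows for r in slices[f]), default=0.0) or 1.0
    steps = len(levels) - 1
    rows = []
    for flow in flows:
        row = "".join(levels[min(steps, math.ceil(r / peak * steps))] for r in slices[flow])
        rows.append((flow, row))
    return rows


if __name__ == "__main__":
    slices = build_flow_slices(SAMPLE_DATAGRAMS, 0.0, 4)
    for (src, dst, sport, dport), row in render_matrix(slices, 25):
        print(f"{src}:{sport} -> {dst}:{dport}  |{row}|")
```

Scrolling the matrix amounts to advancing `t0` by one slice and recomputing; a production implementation would keep the per-flow byte counters incrementally rather than rescanning the record table.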
- the vertical position of a flow in the matrix can be used to indicate several properties of the flow. For example, flows which have been in the matrix longer may be placed lower, or flows representing applications with real-time constraints may be positioned higher than others with no time constraints.
- the movement of sinking and floating flows may be used by the matrix to highlight subtle trends in the traffic dynamics of the network.
- a matrix such as that shown in Figure 5, may also permit drill-down analysis of selected flows.
- clicking on a flow, 510 may display a graph of the flow rate, the source and destination addresses of the flow, and the intermediate nodes traversed by the flow.
- right-clicking on a flow, 510 may bring up a menu that permits users to search for similar flows in a number of ways, for example, flows traversing the common set of nodes or flows originating or terminating from the same region in the network.
- because the active traffic flow matrix can capture the dynamics of thousands of flows in a single display, a matrix diagram of a network is, in essence, a compact representation of the complete traffic dynamics of the network over a specific window in time. Additional examples of traffic flow matrices and charts are shown in Figures 13, 14, 15, and 16.
- the centralized management console has several screens that use Java applets to provide real-time scrolling views of network traffic, so viewing all screens on the console requires a browser that supports a plug-in for Sun's Java Standard Edition version 1.4.2 or above.
- Figure 6 illustrates an example of how a typical provider's network can be instrumented with the present invention.
- Today operators have networks that typically consist of dozens of points of presence (POPs) and span multiple peering points over a wide geographical distance. Getting a good insight into the end-to-end behavior of traffic in the network is non-trivial, since the path of a typical packet may span multiple providers' networks, during which it may be encapsulated and de-capsulated any number of times.
- network probes, 610 are attached at all ingress and egress routers at POPs, 620, in a provider's network as well as to some routers within a POP.
- the network probes can be grouped into clusters depending on whether they are monitoring edge routers/switches or internal routers.
- the network probes monitor all traffic entering and exiting their attached router at wire-speed, analyzing source- destination addresses, ports and decoding selected protocols.
- the network probes also generate active test traffic between each POP to evaluate the performance of the service and network infrastructure. Because each network probe has access to a synchronized time source, one-way delay measurements with sub-millisecond accuracy can be obtained between any pair of measurement points.
- Figure 7 illustrates how the network probes, 710, accomplish active and passive monitoring on a router or switch. Passive monitoring is achieved through the use of mirrored ports, 720. These ports are available on select routers and switches and allow incoming traffic from all ports to be duplicated onto the mirrored port. Attaching a network probe to the mirrored port allows the probe to access all traffic passing through the monitored device, 750. This is indicated by the solid line, 730.
- the network probe is also attached to a regular port which is used to inject specially marked packets into the network (indicated by dotted lines, 740). As the injected traffic passes through the probe-instrumented devices, 750, it is passively monitored by the probes. To ensure maximum accuracy, network probes may be equipped with special hardware to timestamp packets as they arrive from the mirrored ports without any CPU intervention. With GPS-synchronized clocks, the accuracy of these timestamps is on the order of 100 ns. In a similar way to delay measurements, other one-way metrics such as loss, jitter, throughput, packet count, and packet size distribution can also be obtained. Detailed statistics pertaining to TCP and other application layer protocols can also be measured and correlated.
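The one-way metrics above, computed from two probes' timestamp tables for the marked test packets, as an added example that is not part of the patent. The timestamp tables (microsecond integers keyed by the marked packet's sequence number) are constructed for the example, and both probes are assumed to be GPS-synchronized as the page requires; a negative one-way delay is treated as evidence that this assumption failed rather than as a measurement.

```python
"""Added example (not from the patent): one-way delay, loss and jitter computed
from two probes' timestamp tables for the marked test packets."""

# Constructed timestamp tables in microseconds, keyed by the marked packet's
# sequence number, from a sending and a receiving probe. Both probes are assumed
# to be GPS-synchronized, which is what makes a one-way delay meaningful at all.
SENDER_TS_US = {1: 10_000_000, 2: 10_010_000, 3: 10_020_000,
                4: 10_030_000, 5: 10_040_000, 6: 10_050_000}
RECEIVER_TS_US = {1: 10_012_100, 2: 10_022_050, 3: 10_032_400,
                  5: 10_052_150, 6: 10_061_900}          # seq 4 never arrived


def rfc3550_jitter(ipdv_us):
    """RFC 3550 running jitter estimate, J = J + (|D| - J) / 16, over the
    per-packet delay differences D."""
    j = 0.0
    for d in ipdv_us:
        j += (abs(d) - j) / 16
    return j


def one_way_metrics(sender_ts, receiver_ts):
    """Per-packet one-way delay, loss and delay variation (IPDV, RFC 3393 style)
    between a sending and a receiving probe, matched on sequence number."""
    sent = sorted(sender_ts)
    received = [s for s in sent if s in receiver_ts]
    if not received:
        raise ValueError("no marked packets received; cannot compute delay")
    delays = {s: receiver_ts[s] - sender_ts[s] for s in received}
    # A negative one-way delay cannot happen physically; it means the probe
    # clocks are not synchronized and the measurement must be discarded.
    clock_errors = [s for s, d in delays.items() if d < 0]
    # Delay variation between consecutive received packets (lost ones are skipped).
    ipdv = [delays[b] - delays[a] for a, b in zip(received, received[1:])]
    values = list(delays.values())
    return {
        "sent": len(sent),
        "received": len(received),
        "lost_seqs": [s for s in sent if s not in receiver_ts],
        "loss_ratio": 1 - len(received) / len(sent),
        "delay_min_us": min(values),
        "delay_max_us": max(values),
        "delay_mean_us": sum(values) / len(values),
        "ipdv_us": ipdv,
        "jitter_mean_abs_us": sum(abs(d) for d in ipdv) / len(ipdv) if ipdv else 0.0,
        "jitter_rfc3550_us": rfc3550_jitter(ipdv),
        "clock_errors": clock_errors,
    }


if __name__ == "__main__":
    for name, value in one_way_metrics(SENDER_TS_US, RECEIVER_TS_US).items():
        print(f"{name}: {value}")
```

Round-trip tools cannot separate the two directions of a path; the matched-timestamp method above is what the synchronized clocks buy, and the `clock_errors` check is the first thing to look at when a one-way delay series looks implausible.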
- a network probe can also monitor attached devices via traditional management channels such as SNMP, Telnet and Cisco Netflow.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US56708404P | 2004-04-30 | 2004-04-30 | |
US60/567,084 | 2004-04-30 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005109754A1 true WO2005109754A1 (fr) | 2005-11-17 |
Family
ID=35320557
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2005/014733 WO2005109754A1 (fr) | 2004-04-30 | 2005-05-02 | Systeme et procede de surveillance et d'analyse en temps reel pour trafic et contenu de reseau |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2005109754A1 (fr) |
Cited By (38)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1684463A1 (fr) * | 2005-01-20 | 2006-07-26 | Agilent Technologies | Système de surveillance, ainsi que procédé d'échantillonnage de datagrammes et appareil correspondant |
WO2007139691A2 (fr) * | 2006-05-22 | 2007-12-06 | At & T Corp | Procédé pour implémenter et faire des rapports de mesures sur un réseau unidirectionnel |
WO2008051399A2 (fr) * | 2006-10-19 | 2008-05-02 | Lucent Technologies Inc. | Procédé et appareil dotes de fonctions de surveillance améliorés non intrusives |
WO2009024169A1 (fr) * | 2007-08-21 | 2009-02-26 | Nec Europe Ltd. | Méthode de détection d'attaques de systèmes multimédia et système multimédia avec fonctionnalité de détection d'attaques |
CN101145977B (zh) * | 2006-09-11 | 2010-06-16 | 中兴通讯股份有限公司 | 一种IP数据网Qos监测系统及其测量方法 |
GB2472231A (en) * | 2009-07-29 | 2011-02-02 | Roke Manor Research | A means of monitoring a network where request/response sequence takes place on different pathways |
US20110085461A1 (en) * | 2009-10-14 | 2011-04-14 | Ying Liu | Flexible network measurement |
WO2011060377A1 (fr) * | 2009-11-15 | 2011-05-19 | Solera Networks, Inc. | Procédé et appareil permettant en temps réel une identification et un enregistrement des artefacts |
US7961674B2 (en) | 2009-01-27 | 2011-06-14 | Sony Corporation | Multi-tier wireless home mesh network with a secure network discovery protocol |
US7969899B2 (en) | 2006-07-05 | 2011-06-28 | Nxp B.V. | Electronic device, system on chip and method of monitoring data traffic |
WO2011079385A1 (fr) * | 2009-12-30 | 2011-07-07 | Neuralitic Systems | Procédé et système pour analytique de parcours d'abonné |
US7990897B2 (en) | 2009-03-11 | 2011-08-02 | Sony Corporation | Method and apparatus for a wireless home mesh network with network topology visualizer |
CN102299923A (zh) * | 2011-08-18 | 2011-12-28 | 工业和信息化部电信传输研究所 | 一种互联网性能测量系统中的探针注册方法 |
US8116336B2 (en) | 2009-01-27 | 2012-02-14 | Sony Corporation | Distributed IP address assignment protocol for a multi-hop wireless home mesh network with collision detection |
WO2013116152A1 (fr) | 2012-01-31 | 2013-08-08 | Db Networks, Inc. | Systèmes et méthodes pour l'extraction de données d'application structurées à partir d'une liaison de communication |
US8521732B2 (en) | 2008-05-23 | 2013-08-27 | Solera Networks, Inc. | Presentation of an extracted artifact based on an indexing technique |
US20130227152A1 (en) * | 2010-11-03 | 2013-08-29 | Lg Electronics Inc. | Method for searching for device and communication device using same |
US8614954B2 (en) | 2006-10-26 | 2013-12-24 | Hewlett-Packard Development Company, L.P. | Network path identification |
US8666985B2 (en) | 2011-03-16 | 2014-03-04 | Solera Networks, Inc. | Hardware accelerated application-based pattern matching for real time classification and recording of network traffic |
US8904177B2 (en) | 2009-01-27 | 2014-12-02 | Sony Corporation | Authentication for a multi-tier wireless home mesh network |
US8964634B2 (en) | 2009-02-06 | 2015-02-24 | Sony Corporation | Wireless home mesh network bridging adaptor |
WO2015039016A1 (fr) * | 2013-09-13 | 2015-03-19 | Network Kinetix, LLC | Analyse de trafic sur le réseau en parallèle à la transmission |
EP2860912A1 (fr) * | 2013-10-11 | 2015-04-15 | Telefonica Digital España, S.L.U. | Procédé de corrélation de données de trafic de réseau dans des systèmes distribués et programme informatique associé |
US9185125B2 (en) | 2012-01-31 | 2015-11-10 | Db Networks, Inc. | Systems and methods for detecting and mitigating threats to a structured data storage system |
WO2016138280A1 (fr) * | 2015-02-25 | 2016-09-01 | FactorChain Inc. | Système de gestion de contexte d'événement |
CN106161067A (zh) * | 2015-04-15 | 2016-11-23 | 中国移动通信集团公司 | 一种网管节点统计的测试方法和系统 |
US9525642B2 (en) | 2012-01-31 | 2016-12-20 | Db Networks, Inc. | Ordering traffic captured on a data connection |
US9532227B2 (en) * | 2013-09-13 | 2016-12-27 | Network Kinetix, LLC | System and method for an automated system for continuous observation, audit and control of user activities as they occur within a mobile network |
EP3151470A1 (fr) * | 2015-09-30 | 2017-04-05 | Juniper Networks, Inc. | Procédure analytique de réseau interconnecté |
EP3061210A4 (fr) * | 2013-10-21 | 2017-09-06 | Nyansa, Inc. | Système et procédé permettant d'observer et de commander un réseau programmable au moyen d'un gestionnaire de réseau à distance |
US9811562B2 (en) | 2015-02-25 | 2017-11-07 | FactorChain Inc. | Event context management system |
US10193741B2 (en) | 2016-04-18 | 2019-01-29 | Nyansa, Inc. | System and method for network incident identification and analysis |
US10200267B2 (en) | 2016-04-18 | 2019-02-05 | Nyansa, Inc. | System and method for client network congestion detection, analysis, and management |
US10230609B2 (en) | 2016-04-18 | 2019-03-12 | Nyansa, Inc. | System and method for using real-time packet data to detect and manage network issues |
EP3611957A1 (fr) * | 2013-11-01 | 2020-02-19 | Viavi Solutions Inc. | Techniques de fourniture de visualisation et d'analyse de données de performance |
US10666494B2 (en) | 2017-11-10 | 2020-05-26 | Nyansa, Inc. | System and method for network incident remediation recommendations |
US20200412603A1 (en) * | 2018-03-09 | 2020-12-31 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and system for managing transmission of probe messages for detection of failure |
US11005721B1 (en) | 2020-06-30 | 2021-05-11 | Juniper Networks, Inc. | Scalable control plane for telemetry data collection within a distributed computing system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6381221B1 (en) * | 1998-03-18 | 2002-04-30 | Cisco Technology, Inc. | System and method for monitoring line performance in a digital communication network |
US20030214913A1 (en) * | 2002-05-17 | 2003-11-20 | Chao Kan | Passive network monitoring system |
US6717914B1 (en) * | 1999-05-27 | 2004-04-06 | 3Com Corporation | System for probing switched virtual circuits in a connection oriented network |
US20040090923A1 (en) * | 2002-11-07 | 2004-05-13 | Chao Kan | Network monitoring system responsive to changes in packet arrival variance and mean |
- 2005-05-02: PCT/US2005/014733 (WO2005109754A1), status: active, Application Filing
Cited By (86)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1684463A1 (fr) * | 2005-01-20 | 2006-07-26 | Agilent Technologies | Système de surveillance, ainsi que procédé d'échantillonnage de datagrammes et appareil correspondant |
US7953020B2 (en) | 2006-05-22 | 2011-05-31 | At&T Intellectual Property Ii, L.P. | Method for implementing and reporting one-way network measurements |
WO2007139691A2 (fr) * | 2006-05-22 | 2007-12-06 | At & T Corp | Procédé pour implémenter et faire des rapports de mesures sur un réseau unidirectionnel |
WO2007139691A3 (fr) * | 2006-05-22 | 2008-01-24 | At & T Corp | Procédé pour implémenter et faire des rapports de mesures sur un réseau unidirectionnel |
US7969899B2 (en) | 2006-07-05 | 2011-06-28 | Nxp B.V. | Electronic device, system on chip and method of monitoring data traffic |
CN101145977B (zh) * | 2006-09-11 | 2010-06-16 | 中兴通讯股份有限公司 | 一种IP数据网Qos监测系统及其测量方法 |
WO2008051399A2 (fr) * | 2006-10-19 | 2008-05-02 | Lucent Technologies Inc. | Procédé et appareil dotes de fonctions de surveillance améliorés non intrusives |
WO2008051399A3 (fr) * | 2006-10-19 | 2008-06-12 | Lucent Technologies Inc | Procédé et appareil dotes de fonctions de surveillance améliorés non intrusives |
KR101110595B1 (ko) | 2006-10-19 | 2012-02-16 | 알카텔-루센트 유에스에이 인코포레이티드 | 개선된 비침입 모니터링 기능들을 위한 방법 및 장치 |
US8000321B2 (en) | 2006-10-19 | 2011-08-16 | Alcatel Lucent | Method and apparatus for improved non-intrusive monitoring functions |
US8614954B2 (en) | 2006-10-26 | 2013-12-24 | Hewlett-Packard Development Company, L.P. | Network path identification |
US9032515B2 (en) | 2007-08-21 | 2015-05-12 | Nec Europe Ltd. | Method for detecting attacks to multimedia systems and multimedia system with attack detection functionality |
JP2010537525A (ja) * | 2007-08-21 | 2010-12-02 | エヌイーシー ヨーロッパ リミテッド | マルチメディアシステムへの攻撃を検知する方法および攻撃検知機能を備えたマルチメディアシステム |
KR101175081B1 (ko) * | 2007-08-21 | 2012-08-21 | 엔이씨 유럽 리미티드 | 멀티미디어 시스템들에 대한 공격을 검출하기 위한 방법 및 공격 검출 기능을 갖는 멀티미디어 시스템 |
WO2009024169A1 (fr) * | 2007-08-21 | 2009-02-26 | Nec Europe Ltd. | Méthode de détection d'attaques de systèmes multimédia et système multimédia avec fonctionnalité de détection d'attaques |
US8521732B2 (en) | 2008-05-23 | 2013-08-27 | Solera Networks, Inc. | Presentation of an extracted artifact based on an indexing technique |
US8687553B2 (en) | 2009-01-27 | 2014-04-01 | Sony Corporation | Multi-tier wireless home mesh network with a secure network discovery protocol |
US9444639B2 (en) | 2009-01-27 | 2016-09-13 | Sony Corporation | Multi-tier wireless home mesh network with a secure network discovery protocol |
US8116336B2 (en) | 2009-01-27 | 2012-02-14 | Sony Corporation | Distributed IP address assignment protocol for a multi-hop wireless home mesh network with collision detection |
US8904177B2 (en) | 2009-01-27 | 2014-12-02 | Sony Corporation | Authentication for a multi-tier wireless home mesh network |
US8130704B2 (en) | 2009-01-27 | 2012-03-06 | Sony Corporation | Multi-tier wireless home mesh network with a secure network discovery protocol |
US8644220B2 (en) | 2009-01-27 | 2014-02-04 | Sony Corporation | Multi-tier wireless home mesh network with a secure network discovery protocol |
US7961674B2 (en) | 2009-01-27 | 2011-06-14 | Sony Corporation | Multi-tier wireless home mesh network with a secure network discovery protocol |
US8964634B2 (en) | 2009-02-06 | 2015-02-24 | Sony Corporation | Wireless home mesh network bridging adaptor |
US10383030B2 (en) | 2009-03-11 | 2019-08-13 | Sony Corporation | Method and apparatus for a wireless home mesh network with network topology visualizer |
US7990897B2 (en) | 2009-03-11 | 2011-08-02 | Sony Corporation | Method and apparatus for a wireless home mesh network with network topology visualizer |
US8824336B2 (en) | 2009-03-11 | 2014-09-02 | Sony Corporation | Method and apparatus for a wireless home mesh network with network topology visualizer |
GB2472231A (en) * | 2009-07-29 | 2011-02-02 | Roke Manor Research | A means of monitoring a network where request/response sequence takes place on different pathways |
EP2460316A1 (fr) * | 2009-07-29 | 2012-06-06 | Roke Manor Research Limited | Système de sondes en réseau |
US9015309B2 (en) | 2009-07-29 | 2015-04-21 | Roke Manor Research Limited | Networked probe system |
GB2472231B (en) * | 2009-07-29 | 2012-03-07 | Roke Manor Research | Networked probe system |
US20110085461A1 (en) * | 2009-10-14 | 2011-04-14 | Ying Liu | Flexible network measurement |
US8730819B2 (en) * | 2009-10-14 | 2014-05-20 | Cisco Teechnology, Inc. | Flexible network measurement |
WO2011060377A1 (fr) * | 2009-11-15 | 2011-05-19 | Solera Networks, Inc. | Procédé et appareil permettant en temps réel une identification et un enregistrement des artefacts |
WO2011079385A1 (fr) * | 2009-12-30 | 2011-07-07 | Neuralitic Systems | Procédé et système pour analytique de parcours d'abonné |
US9877181B2 (en) | 2010-11-03 | 2018-01-23 | Lg Electronics Inc. | Device discovery method and communication device thereof |
US9369947B2 (en) * | 2010-11-03 | 2016-06-14 | Lg Electronics Inc. | Method for searching for device and communication device using same |
US20130227152A1 (en) * | 2010-11-03 | 2013-08-29 | Lg Electronics Inc. | Method for searching for device and communication device using same |
US8666985B2 (en) | 2011-03-16 | 2014-03-04 | Solera Networks, Inc. | Hardware accelerated application-based pattern matching for real time classification and recording of network traffic |
CN102299923A (zh) * | 2011-08-18 | 2011-12-28 | 工业和信息化部电信传输研究所 | Probe registration method in an Internet performance measurement system |
CN102299923B (zh) * | 2011-08-18 | 2015-06-17 | 工业和信息化部电信传输研究所 | Probe registration method in an Internet performance measurement system |
US9185125B2 (en) | 2012-01-31 | 2015-11-10 | Db Networks, Inc. | Systems and methods for detecting and mitigating threats to a structured data storage system |
US9525642B2 (en) | 2012-01-31 | 2016-12-20 | Db Networks, Inc. | Ordering traffic captured on a data connection |
WO2013116152A1 (fr) | 2012-01-31 | 2013-08-08 | Db Networks, Inc. | Systems and methods for extracting structured application data from a communications link |
US9100291B2 (en) | 2012-01-31 | 2015-08-04 | Db Networks, Inc. | Systems and methods for extracting structured application data from a communications link |
CN104081730A (zh) * | 2012-01-31 | 2014-10-01 | Db网络公司 | Systems and methods for extracting structured application data from a communications link |
US9955023B2 (en) * | 2013-09-13 | 2018-04-24 | Network Kinetix, LLC | System and method for real-time analysis of network traffic |
US9210061B2 (en) | 2013-09-13 | 2015-12-08 | Network Kinetix, LLC | System and method for real-time analysis of network traffic |
US9369366B2 (en) * | 2013-09-13 | 2016-06-14 | Network Kinetix, LLC | System and method for real-time analysis of network traffic |
US9529621B2 (en) * | 2013-09-13 | 2016-12-27 | Network Kinetix, LLC | System and method for real-time analysis of network traffic |
US9532227B2 (en) * | 2013-09-13 | 2016-12-27 | Network Kinetix, LLC | System and method for an automated system for continuous observation, audit and control of user activities as they occur within a mobile network |
US10250755B2 (en) * | 2013-09-13 | 2019-04-02 | Network Kinetix, LLC | System and method for real-time analysis of network traffic |
WO2015039016A1 (fr) * | 2013-09-13 | 2015-03-19 | Network Kinetix, LLC | Analysis of network traffic in parallel with transmission |
US10701214B2 (en) | 2013-09-13 | 2020-06-30 | Network Kinetix, LLC | System and method for real-time analysis of network traffic |
EP2860912A1 (fr) * | 2013-10-11 | 2015-04-15 | Telefonica Digital España, S.L.U. | Method for correlating network traffic data in distributed systems and associated computer program |
EP3061210A4 (fr) * | 2013-10-21 | 2017-09-06 | Nyansa, Inc. | System and method for observing and controlling a programmable network using a remote network manager |
US10630547B2 (en) | 2013-10-21 | 2020-04-21 | Nyansa, Inc | System and method for automatic closed loop control |
US10601654B2 (en) | 2013-10-21 | 2020-03-24 | Nyansa, Inc. | System and method for observing and controlling a programmable network using a remote network manager |
US11469947B2 (en) | 2013-10-21 | 2022-10-11 | Vmware, Inc. | System and method for observing and controlling a programmable network using cross network learning |
US11469946B2 (en) | 2013-10-21 | 2022-10-11 | Vmware, Inc. | System and method for observing and controlling a programmable network using time varying data collection |
US11916735B2 (en) | 2013-10-21 | 2024-02-27 | VMware LLC | System and method for observing and controlling a programmable network using cross network learning |
US11374812B2 (en) | 2013-10-21 | 2022-06-28 | Vmware, Inc. | System and method for observing and controlling a programmable network via higher layer attributes |
EP3611957A1 (fr) * | 2013-11-01 | 2020-02-19 | Viavi Solutions Inc. | Techniques for providing visualization and analysis of performance data |
US11271823B2 (en) | 2013-11-01 | 2022-03-08 | Viavi Solutions Inc | Techniques for providing visualization and analysis of performance data |
US11573963B2 (en) | 2015-02-25 | 2023-02-07 | Sumo Logic, Inc. | Context-aware event data store |
US11960485B2 (en) | 2015-02-25 | 2024-04-16 | Sumo Logic, Inc. | User interface for event data store |
WO2016138280A1 (fr) * | 2015-02-25 | 2016-09-01 | FactorChain Inc. | Event context management system |
US9811562B2 (en) | 2015-02-25 | 2017-11-07 | FactorChain Inc. | Event context management system |
US10127280B2 (en) | 2015-02-25 | 2018-11-13 | Sumo Logic, Inc. | Automatic recursive search on derived information |
US10061805B2 (en) | 2015-02-25 | 2018-08-28 | Sumo Logic, Inc. | Non-homogenous storage of events in event data store |
US10795890B2 (en) | 2015-02-25 | 2020-10-06 | Sumo Logic, Inc. | User interface for event data store |
CN106161067B (zh) * | 2015-04-15 | 2019-06-21 | 中国移动通信集团公司 | Test method and system for network management node statistics |
CN106161067A (zh) * | 2015-04-15 | 2016-11-23 | 中国移动通信集团公司 | Test method and system for network management node statistics |
US10296551B2 (en) | 2015-09-30 | 2019-05-21 | Juniper Networks, Inc. | Analytics for a distributed network |
EP3151470A1 (fr) * | 2015-09-30 | 2017-04-05 | Juniper Networks, Inc. | Analytics procedure for an interconnected network |
US10200267B2 (en) | 2016-04-18 | 2019-02-05 | Nyansa, Inc. | System and method for client network congestion detection, analysis, and management |
US10601691B2 (en) | 2016-04-18 | 2020-03-24 | Nyansa, Inc. | System and method for using real-time packet data to detect and manage network issues |
US11102102B2 (en) | 2016-04-18 | 2021-08-24 | Vmware, Inc. | System and method for using real-time packet data to detect and manage network issues |
US10230609B2 (en) | 2016-04-18 | 2019-03-12 | Nyansa, Inc. | System and method for using real-time packet data to detect and manage network issues |
US10193741B2 (en) | 2016-04-18 | 2019-01-29 | Nyansa, Inc. | System and method for network incident identification and analysis |
US11706115B2 (en) | 2016-04-18 | 2023-07-18 | Vmware, Inc. | System and method for using real-time packet data to detect and manage network issues |
US11431550B2 (en) | 2017-11-10 | 2022-08-30 | Vmware, Inc. | System and method for network incident remediation recommendations |
US10666494B2 (en) | 2017-11-10 | 2020-05-26 | Nyansa, Inc. | System and method for network incident remediation recommendations |
US20200412603A1 (en) * | 2018-03-09 | 2020-12-31 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and system for managing transmission of probe messages for detection of failure |
US11451450B2 (en) | 2020-06-30 | 2022-09-20 | Juniper Networks, Inc. | Scalable control plane for telemetry data collection within a distributed computing system |
US11005721B1 (en) | 2020-06-30 | 2021-05-11 | Juniper Networks, Inc. | Scalable control plane for telemetry data collection within a distributed computing system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2005109754A1 (fr) | | System and method for real-time monitoring and analysis of network traffic and content |
US9565076B2 (en) | | Distributed network traffic data collection and storage |
US8549139B2 (en) | | Method and system for monitoring control signal traffic over a computer network |
Meyer et al. | | Decentralizing control and intelligence in network management |
US7246101B2 (en) | | Knowledge-based system and method for reconstructing client web page accesses from captured network packets |
Zhou et al. | | Online internet traffic monitoring system using spark streaming |
Han et al. | | The architecture of NG-MON: A passive network monitoring system for high-speed IP networks |
So-In | | A survey of network traffic monitoring and analysis tools |
Mahmood et al. | | Network traffic analysis and SCADA security |
Duffield et al. | | Trajectory engine: A backend for trajectory sampling |
Erman | | Bittorrent traffic measurements and models |
Kind et al. | | Advanced network monitoring brings life to the awareness plane |
Viipuri | | Traffic analysis and modeling of IP core networks |
Pezaros | | Network traffic measurement for the next generation Internet |
Hall | | Multi-layer network monitoring and analysis |
Olatunde et al. | | A scalable architecture for network traffic monitoring and analysis using free open source software |
KR102537370B1 (ko) | | Real-time packet analysis method and apparatus for large-scale network monitoring |
Ilie et al. | | Traffic measurements of P2P systems |
Kaczmarski et al. | | Content delivery network monitoring |
Watson et al. | | An extensible probe architecture for network protocol performance measurement |
Siqi et al. | | Research on Quality Assurance Method of Key Business Transmission in Large Scientific Research Intranet |
Gutiérrez et al. | | An advanced measurement meta-repository |
Uithol et al. | | Section 2: Network monitoring based on flow measurement techniques |
Hernes | | Design, implementation, and evaluation of network monitoring tasks with the stream data stream management system |
Han et al. | | Design of Next Generation High-Speed IP Network Traffic Monitoring and Analysis System |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWW | Wipo information: withdrawn in national office | Country of ref document: DE |
| 122 | Ep: pct application non-entry in european phase | |