NETWORK SNIFFER FOR PERFORMING SERVICE LEVEL MANAGEMENT

Information

  • Patent Application
  • 20070208852
  • Publication Number
    20070208852
  • Date Filed
    March 06, 2007
  • Date Published
    September 06, 2007
Abstract
A network sniffer where the sniffer learns the structure of a web application, monitors the operation of the application, and optionally controls the processing of incoming requests to achieve optimal performance as defined in a service level agreement (SLA). The network sniffer is operative for example in enterprise web applications and in enterprise data centers that deploy web applications and optimally is adapted to maintain a consistent level of service of web applications.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1—is a non-limiting data center utilized for executing web applications (prior art);



FIGS. 2A, 2B and 2C—are diagrams of a data center constructed in accordance with exemplary embodiments of the present invention;



FIGS. 3A and 3B are block diagrams of a sniffer network disclosed in accordance with the present invention;


FIG. 4—is a flowchart describing the operation of a sniffer network in accordance with an embodiment of the present invention; and


FIG. 5—is an exemplary diagram of a site tree.


Claims
  • 1. A network sniffer passively capturing data traffic flows between a plurality of clients and a plurality of web servers, the network sniffer comprising: a traffic processor for processing data traffic sent from the plurality of clients and from the plurality of web servers; an application learner for identifying transactions sent from the plurality of clients; and a monitor for monitoring and generating statistics respective of the operation of the web servers and their respective web applications.
  • 2. The network sniffer of claim 1, further comprising a controller for performing corrective actions according to a plurality of predefined policies.
  • 3. The network sniffer of claim 2, further comprising a common bus for providing a communication medium between the traffic processor, the application learner, the monitor, and the controller.
  • 4. The network sniffer of claim 3, wherein the network sniffer is connected to a load balancer through a dedicated port.
  • 5. The network sniffer of claim 4, wherein the dedicated port is a switch port analyzer (SPAN).
  • 6. The network of claim 3, wherein the network sniffer is connected through a dedicated port to a switch, wherein the switch is coupled to the plurality of web servers.
  • 7. The network sniffer of claim 3, wherein the network sniffer is connected to a network tap device to monitor traffic flow between a switch and a load balancer.
  • 8. The network sniffer of claim 4, wherein the network sniffer is coupled to a plurality of traffic probes, wherein each of the traffic probes is connected to a web server.
  • 9. The network sniffer of claim 1, wherein a web server includes a web application.
  • 10. The network sniffer of claim 1, wherein the traffic sent from the clients includes at least hypertext transfer protocol (HTTP) requests.
  • 11. The network sniffer of claim 1, wherein the traffic sent from the plurality of web servers includes at least HTTP replies.
  • 12. The network sniffer of claim 11, the application learner further performing at least one of the following tasks: discovering transactions executed by the plurality of web servers; classifying incoming requests to discovered web transactions; collecting non-classified incoming requests; and generating a site tree.
  • 13. The network sniffer of claim 12, wherein the site tree includes all identified applications that belong to a designate web site, wherein each identified application includes a list of transaction that construct the application.
  • 14. The network sniffer of claim 12, wherein the collected incoming requests are saved in a first database coupled to the application learner.
  • 15. The network sniffer of claim 14, wherein discovering the transactions further comprising: processing requests saved in the first database using at least a plurality of application definers; and saving information related to the discovered web applications in a classify data structure (CDS).
  • 16. The network sniffer of claim 15, wherein the CDS includes a list of identified sites, for each site a list of its web applications, and for each web application a list of transactions and modules that construct the web application.
  • 17. The network sniffer of claim 16, wherein the CDS is saved in a second database, wherein the second database is coupled to the application learner.
  • 18. The network sniffer of claim 1, wherein the statistics respective of the operation of the web servers are generated for each transaction and include at least one of the following measures: throughput, response time, number of errors, latency, and hits per second.
  • 19. The network sniffer of claim 18, wherein the generated statistics are saved in a third database, wherein the third database is coupled to the monitor.
  • 20. The network sniffer of claim 1, wherein the monitor is further producing a plurality of reports and a plurality of alerts based on the generated statistics.
  • 21. The network sniffer of claim 1, wherein the corrective actions include at least one of: scheduling requests to reduce response time, shaping traffic to balance the load, and recovery actions on web servers.
  • 22. The network sniffer of claim 21, wherein each of the plurality of predefined policies defines at least one corrective action to be performed.
  • 23. The network sniffer of claim 22, wherein a policy is determined for a web server, a web application, a module, and a transaction.
  • 24. The network sniffer of claim 22, wherein each policy is assigned with a priority and time periods to be activated.
  • 25. A method for maintaining a level of service of web applications, comprising: passively sniffing network traffic flows from a plurality of clients and a plurality of web servers; generating a context for each request sent from a client to a web server and for each reply sent from a web server to a client; determining whether the context belongs to an identified transaction; gathering statistics respective of the identified transaction; and generating a plurality of reports and alarms based on the gathered statistics.
  • 26. The method of claim 25, further comprising: determining whether at least one policy predefined for the identified application is violated; and performing a plurality of corrective actions if at least one policy is determined to be violated.
  • 27. The method of claim 25, wherein passively sniffing network traffic further comprising at least one of: receiving traffic from a load balancer coupled to the plurality of the web servers; receiving traffic from a switch coupled to the plurality of the web servers; receiving traffic from a network tap device connected between a load balancer and a switch; and receiving traffic from each of the web servers.
  • 28. The method of claim 26, wherein learning new transaction is performed using at least one of: an application definer, and a correlation process.
  • 29. The method of claim 28, wherein learning transactions further includes: discovering applications and modules of the transactions that construct each of the web applications; and generating a site tree.
  • 30. The method of claim 25, wherein the request is at least a hypertext transfer protocol (HTTP) request and the reply is a HTTP reply.
  • 31. The method of claim 30, wherein generating the context includes: parsing the HTTP request.
  • 32. The method of claim 25, wherein the gathered statistics include measures on at least one of: throughput, response time, number of errors, hits per second, and latency.
  • 33. The method of claim 26, wherein performing the corrective actions further comprising: instructing a load balancer to perform at least one of: redirecting requests, reprioritizing requests; and sending spoof replies.
  • 34. A computer program product including a computer-readable medium comprising software instructions operable to enable a computer to perform a method for maintaining a level of service of web applications, comprising: passively sniffing network traffic flows from a plurality of clients and a plurality of web servers; generating a context for each request sent from a client to a web server and for each reply sent from a web server to a client; determining whether the context belongs to an identified transaction; gathering statistics respective of the transaction; and generating a plurality of reports and alarms based on the gather statistics.
  • 35. The computer program of claim 34, further comprising: determining whether at least one policy predefined for the identified application is violated; and performing a plurality of corrective actions if at least one policy is determined to be violated.
  • 36. The computer program of claim 34, wherein passively sniffing network traffic further comprising at least one of: receiving traffic from a load balancer coupled to the plurality of the web servers; receiving traffic from a switch coupled to the plurality of the web servers; receiving traffic from a network tap device connected between a load balancer and a switch; and receiving traffic from each of the web servers.
  • 37. The computer program of claim 35, wherein learning a transaction is performed using at least one of: an application definer, and a correlation process.
  • 38. The computer program of claim 37, wherein learning transactions further includes: discovering applications and modules of the transactions that construct each of the web applications; and generating a site tree.
  • 39. The computer program of claim 34, wherein the request is at least a hypertext transfer protocol (HTTP) request and the reply is a HTTP reply.
  • 40. The computer program of claim 39, wherein generating the context includes: parsing the HTTP request.
  • 41. The computer program of claim 35, wherein the gathered statistics include measures on at least one of: throughput, response time, number of errors, hits per second, and latency.
  • 42. The computer program of claim 35, wherein performing the corrective actions further comprising: instructing a load balancer to perform at least one of: redirecting requests, reprioritizing requests; and sending spoof replies.
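
As an added illustration (not part of the patent text and not the applicant's implementation), the monitoring flow of claims 25 and 26 can be expressed in Python over constructed request/reply records. The site tree contents, the URL-path matching rule, the policy thresholds and all function names are assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical site tree (claim 13): site -> application -> transaction -> URL path
SITE_TREE = {"shop.example": {"checkout": {"pay": "/checkout/pay"},
                              "catalog": {"search": "/search"}}}
# Hypothetical per-transaction policy thresholds (mean seconds, error ratio)
POLICIES = {("shop.example", "checkout", "pay"): {"max_mean_rt": 0.5, "max_err": 0.25}}
# Constructed sample, not real traffic: (host, request line, t_request, t_reply, status)
CAPTURED = [
    ("shop.example", "POST /checkout/pay?order=17 HTTP/1.1", 10.0, 10.25, 200),
    ("Shop.Example", "POST /checkout/pay HTTP/1.1", 11.0, 12.25, 503),
    ("shop.example", "GET /search?q=tap HTTP/1.1", 12.0, 12.5, 200),
    ("shop.example", "GET /admin HTTP/1.1", 13.0, 13.5, 404),
]

def make_context(request_line, host):
    """Parse the HTTP request line into a context (claim 31)."""
    method, target, _version = request_line.split(" ", 2)
    return {"method": method, "host": host.lower(), "path": urlsplit(target).path}

def classify(ctx):
    """Return (site, application, transaction), or None if not in the site tree."""
    for app, txs in SITE_TREE.get(ctx["host"], {}).items():
        for tx, prefix in txs.items():
            if ctx["path"] == prefix or ctx["path"].startswith(prefix + "/"):
                return (ctx["host"], app, tx)
    return None

def monitor(records):
    """Gather per-transaction statistics and raise alerts on policy violations."""
    stats = defaultdict(lambda: {"hits": 0, "errors": 0, "total_rt": 0.0})
    unclassified, alerts = [], []
    for host, request_line, t_request, t_reply, status in records:
        ctx = make_context(request_line, host)
        key = classify(ctx)
        if key is None:  # collected for the application learner (claim 12)
            unclassified.append(ctx["path"])
            continue
        stats[key]["hits"] += 1
        stats[key]["errors"] += int(status >= 500)
        stats[key]["total_rt"] += t_reply - t_request
    for key, s in stats.items():
        pol = POLICIES.get(key)
        if pol and s["total_rt"] / s["hits"] > pol["max_mean_rt"]:
            alerts.append((key, "response_time"))
        if pol and s["errors"] / s["hits"] > pol["max_err"]:
            alerts.append((key, "errors"))
    return dict(stats), unclassified, alerts
```

Calling `monitor(CAPTURED)` returns the per-transaction statistics, the paths that matched no known transaction, and the policy violations that a controller as in claim 2 would act on.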
Provisional Applications (1)
Number Date Country
60779706 Mar 2006 US