Patent Application
20140115166
1. Field of the Invention
The present disclosure relates to network usage monitoring, and more particularly, to visualizing resource utilization according to one or more filtering criterion.
2. Description of the Related Art
Communication networks, such as the Internet, corporate intranets, cellular communication networks, etc., are the chosen form of information distribution. A means for monitoring information distributed from such communication networks is of ever increasing importance as such communication networks become ever more ubiquitous. Network monitoring provides valuable information, statistical or otherwise, to network service providers, network users or network beneficiaries, such as network advertisers.
In the context of network monitoring, conventional approaches such as filtering and the like, involve inputting, for example, a desired filter expression to a network monitoring device. In turn, the network monitor device executes the desired filter expression via one or more additional network devices (e.g., capture devices, routing devices, etc.). However, depending on the network configuration, a simple filter expression, when executed, can result in unexpectedly large network monitoring resources. Excessively burdening network monitoring resources negatively impacts overall network monitoring and (in certain come instances) may even burden the underlying communication of information.
In one embodiment of the invention, a filtering system (e.g., a captured network traffic distribution device (e.g., a network tap or similar device) or a stacked network of captured network traffic distribution devices in communication with one another) may be configured to receive instructions to deploy filtering resources to filter captured data packets according to at least one criterion or parameter. The instructions may be analyzed and a projected amount of filtering resources required to filter the captured traffic according to the received instruction may be projected and then provided to a user via, for example, an interface.
In another embodiment of the subject invention, a network filtering device receives an instruction to deploy filtering resources (e.g., of a filtering system, etc.) to filter captured network traffic in a communication network according to at least one criterion. Notably, the instruction is received from a user via an interface (e.g., a graphic user interface) communicatively coupled to the filtering system. The network filtering device further analyzes the received instruction and projects, responsive to the analysis, an amount of filtering resources required to filter the captured traffic according to the received instruction. The network filtering device also provides the projected amount to the user via the interface (e.g., a graph displayed).
In certain embodiments, the network filtering device determines whether the projected amount exceeds a threshold amount of filtering resources. Further still, the network filtering device also provides an alternate filtering instruction to the user responsively to at least one of the analysis of the received instruction and the projection.
In other embodiments, the network filter device further determines an objective of the filtering instruction responsively to the analysis of the received instruction, determines an alternative filtering instruction consistent with the objective, and provides the alternate filtering instruction to the user via the interface.
These and other features of the systems and methods of the subject invention will become more readily apparent to those skilled in the art from the following detailed description of the preferred embodiments taken in conjunction with the drawings.
The present application is illustrated by way of example, and not limitation, in the figures of the accompanying drawings, in which:
Throughout the drawings, the same reference numerals and characters, unless otherwise stated, are used to denote like features, elements, components, or portions of the illustrated embodiments. Moreover, while the subject invention will now be described in detail with reference to the drawings, the description is done in connection with the illustrative embodiments. It is intended that changes and modifications can be made to the described embodiments without departing from the true scope and spirit of the subject invention as defined by the appended claims.
Described herein are methods, systems and apparatus for determining allocation of filtering resources for the filtering of captured data packets. In one embodiment of the invention, a filtering system (e.g., a captured network traffic distribution device (e.g., a network tap or similar device) or a stacked network of captured network traffic distribution devices in communication with one another) may be configured to receive instructions to deploy filtering resources to filter captured data packets according to at least one criterion or parameter. The instructions may be analyzed and a projected amount of filtering resources required to filter the captured traffic according to the received instruction may be projected and then provided to a user via, for example, an interface.
The analysis and projection may be performed by, or under the direction of, a processor resident in and/or in communication with the filtering system that executes instructions for performing these activities. The instructions may be stored in a computer readable storage medium (e.g., a read-only memory (ROM), erasable programmable read only memory (EPROM), electrically erasable programmable read only memory (EEPROM), random access memory (RAM), flash memory, or other form of storage device) communicatively coupled to the processor.
System 100 may include two communication devices 110a and 110b communicatively coupled to one another. Exemplary communication devices 110a and 110b include personal computers, mobile computing devices, mobile telephones, computer enabled mobile telephones, etc. Communication device 110a may generate a data packet 140 and transmit data packet 140 to a one or more devices, e.g., a routing device 120, communication device 110b, etc., via one or more communication links. Exemplary data packets 140 include requests to initiate a communication session. Routing device 120 may be any router enabled to route data packets through communication system 100. Communication device 110a may also receive data packet(s) 140 from communication device 110b via a communication link.
System 100 may also include a filtering system 130, which may be any system capable of receiving and filtering captured network traffic, (e.g., data packets 140). In some embodiments, filtering system 130 may include one or more network captured traffic distribution device(s) (e.g., a network tap or similar device). Filtering system 130 may include a plurality of ports (ref.
Filtering system 130 may be communicatively coupled to a mirror port 160 present on routing device 120 to receive a traffic flow of captured data packets, including data packet 140, from routing device 120 via mirror port 160. Filtering system 130 may also be communicatively coupled to a traffic capture point 165 located along a communication link between communication device 110a and routing device 120 and/or between communication devices 110a and 110b and thereby may capture data packets, like data packet 140, via an inline network traffic capture point at traffic capture point 165. Filtering system 130 may communicate a modified data packet 145 to an external device 150 via, for example, a port, as discussed below. External device 150 may include multiple input/output ports that may operate in duplex or half-duplex mode. The input/output ports may be associated with configuration information and may be enabled to execute an auto-negotiation process. In some cases, an external port may be a small form-factor pluggable (SFP) port. Exemplary external devices 150 include network monitors and network analyzing devices.
Received data packets may be forwarded to a switch 205. Switch 205 may be communicatively coupled to ingress ports 210, processor 215, and/or egress ports 220 and may perform a switching function, such as forwarding a data packet received by an ingress port 210 to, for example, processor 215 and/or an egress port 220. In some embodiments, switch 205 may be, for example, an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA).
Processor 215, which is communicatively coupled to switch 205, a memory 225, and/or a management port 230, may be any appropriate processing device, such as a central processing unit (CPU) and/or a FPGA and may execute one or more instructions resident in a memory 225. For example, processor 215 may be enabled to execute one or more of the steps of the processes described herein. Processor 215 may be managed by, for example, a user and/or administrator, like user/administrator 155 via, for example, a management port, like management port 230.
Processor 215 may also be completely self-contained. For example if processor 215 is implemented as a field programmable gate array (FPGA), filtering system 130 may not require the use of external memory 225. In some embodiments, processor 215 and/or switch 205 may filter captured data packets according to one or more instructions received by filtering system 130 and/or resident in memory 225.
Memory 225 may be any appropriate data storage device and may store one or more instructions executable by processor 215, and/or switch 205. Memory 225 may be any appropriate data storage device, like static random access memory (SRAM), dynamic random access memory (DRAM), read-only memory (ROM), flash memory, a magnetic computer storage device (e.g. hard disk, floppy disk, and magnetic tape), and optical media and may store one or more instructions executable by processor 215 and/or switch 205.
In step 405, an instruction to deploy filtering resources of a filtering system
such that the filtering system filters captured network traffic according to at least one criterion may be received from a user. The instructions may be received via an interface, such as interface 300, communicatively coupled to the filtering system.
The received instruction may then be analyzed (step 410) and an amount of filtering resources required to filter the captured traffic according to the received instruction may be projected responsively to the analysis (step 415) and provided to the user (step 420). The projected filtering resource consumption may be provided to the user via any appropriate medium including, but not limited to, a percentage of filtering resources consumed when the instruction is executed, a percentage of filtering resources remaining unused when the instruction is executed, a graph (e.g., bar graph, line graph), a table, and/or a chart (e.g., pie chart).
On some occasions, it may be determined whether the projected amount of resource consumption exceeds a threshold amount of filtering resources (step 425). When the threshold is exceeded, a notice of the excess may be provided to the user via, for example, the interface (step 430). On some occasions, a recommendation or alternate filtering instruction may be provided to the user when the projected amount of resource consumption exceeds the threshold.
Optionally, an objective of the filtering instruction may be determined (step 435) and, on some occasions, an alternative instruction and/or process consistent with the objective may be determined (step 445). The alternative instruction may be, for example, more efficient at achieving the objective (e.g., executes more quickly, load balances filtering across multiple filtering devices, and/or requires reduced processing time) than the received instruction. For example, when the instruction indicates that captured data packets that include data matching a first and second criteria but not a third criteria are to be transmitted to a particular egress port may be more efficiently implemented by rearranging the filtering sequence (e.g., filtering out all captured data packets that do not include data matching the third criteria and then filtering for data packets that do include data matching the first and second criteria), the alternate instruction may be provided to the user via the interface (step 450) and process 400 may end.
In the preceding discussion various embodiments of the present invention were described as being implemented with the aid of computer-implemented processes or methods (a.k.a. programs or routines). Such programs may be rendered in any computer-readable language and, in general, are meant to encompass any series of logical steps performed in a sequence to accomplish the stated purpose. Any part of the foregoing description that was presented in terms of algorithms and/or symbolic representations of operations on data within a computer memory should be understood as steps requiring physical manipulations of physical quantities (usually represented in the form of electrical or magnetic signals) within computer-readable storage devices. Accordingly, throughout the preceding description of the present invention, terms such as “processing”, “computing”, “calculating”, “determining”, “displaying” or the like, should be understood as referring to the actions and processes of an appropriately programmed computer processor, or similar electronic device, that manipulates and transforms data represented as physical (electronic) quantities within the computer processor's registers and any associated memories or other storage devices into other data similarly represented as physical quantities within those memories or registers or other such information storage devices. The programs comprise computer-executable instructions stored on one or more such computer-readable storage mediums accessible to the computer processor, for example any type of disk including hard disks, floppy disks, optical disks, compact disk read only memories (CD-ROMs), and magnetic-optical disks, ROMs, RAMs, EPROMs, EEPROMs, flash memories, or other forms of storage media accessible to the computer processor.
The present application claims priority of U.S. Provisional Patent Application Ser. No. 61/718,149, filed on Oct. 24, 2012, the content of which is herein incorporated by reference.
| Number | Date | Country | |
|---|---|---|---|
| 61718149 | Oct 2012 | US |
