This invention relates to networking, and more particularly to monitoring and analysis of network traffic and determination of whether transactions data are to be stored based on pattern matching.
In a complex and large computer networking environment, large amounts of data will be passed across the network. The data will represent a variety of different applications, users and protocols, and from the perspective of network analysis, the amount of data can be overwhelming. From a network monitoring perspective, the amount of data quickly becomes too large, and ways to efficiently process the information become important. Data storage of monitored data can quickly become an issue. As an example, in monitoring traffic resulting from a user accessing web sites, it is typical for a large amount of image-type data to be transferred. From the perspective of network monitoring for troubleshooting or performance analysis, the image data would likely not be desired to be stored. Heretofore, there was no ability to easily determine whether the data should or should not be stored at the time of data collection by the monitoring device.
In accordance with the invention, a network monitoring system and device employs configurable pattern matching to determine whether monitored network traffic transaction data should be stored or not.
Accordingly, it is an object of the present invention to provide an improved network monitor system that allows configuration to determine whether or not to store monitored transaction data.
It is a further object of the present invention to provide an improved network monitor system that employs pattern matching of monitored data with a configuration specification to determine whether or not to store monitored transaction data.
It is yet another object of the present invention to provide an improved network monitor and system to allow specification of patterns and locations inside sets of data and specification of whether to store transactions based on pattern matching.
The subject matter of the present invention is particularly pointed out and distinctly claimed in the concluding portion of this specification. However, both the organization and method of operation, together with further advantages and objects thereof, may best be understood by reference to the following description taken in connection with accompanying drawings wherein like reference characters refer to like elements.
The system according to a preferred embodiment of the present invention comprises a network monitoring system, apparatus and method, wherein pattern matching is employed to determine whether to store transactions data during monitoring.
Referring to
A network analysis product 14 is also connected to the network, and may include a user interface 16 that enables a user to interact with the network analysis product to operate the analysis product and obtain data therefrom, whether at the location of installation or remotely from the physical location of the analysis product network attachment.
The network analysis product comprises hardware and software, CPU, memory, interfaces and the like to operate to connect to and monitor traffic on the network, as well as performing various testing and measurement operations, transmitting and receiving data and the like. When remote, the network analysis product typically is operated by running on a computer or workstation interfaced with the network.
The analysis product comprises an analysis engine 18 which receives the packet network data and interfaces with application transaction details data store 24.
In operation, the network test instrument is attached to the network, and observes transmissions on the network to collect information.
In observing data, the network test instrument generates analysis transactions data based on the network data. In accordance with the invention, a decision of whether or not to store the transaction data is made, based on a configurable pattern match.
To provide the functionality, a data pattern, along with specifications for data location, including a specified section of the transaction data and the location inside of the specified section of an observed network transaction, may be specified, for example by a user. The configuration strings (patterns) may be stored in a file for use by the system. Pattern matching is performed on the transaction data, enabling data to be saved only if the end user has predetermined it is of interest (by specifying it in the pattern matching data and location specification). This enables the end user to screen out unwanted or unnecessary network transaction data from being stored, with the additional benefit of increased data storage capacity. Since a busy or large network can produce vast amounts of data and resulting transaction data, the invention provides a user with the ability to specify what transactional and statistical data the user thinks is important, storing the data that the user has indicated is of interest, rather than storing all or most of the data and then later excluding unimportant data.
In a particular embodiment, a configuration file 44 is provided that contains configuration strings (patterns) providing definitions for data patterns based upon inclusion in multiple data types, in conjunction with sets of vectors and an algorithm to determine the pattern membership. The data location in different locations of the transaction data, along with data position (prefix, i.e., must occur at the start of the data, suffix, i.e., must occur at the end of the data, or exist anyplace in the data) in the given transaction location, is specified in the configuration file. The configuration file is read and processed into arrays of vectors based upon data types and size of source data. Network transaction data can then be processed through the vector sets, discriminated by data type, and quickly determined to contain any of the given patterns, which can then be used to determine transaction storage.
Referring to
Note that in a particular use of the system, there may typically be plural patterns and locations for the patterns that would be indicated by the configuration file, for complex monitoring of network systems. The configuration file is suitably provided by a user specification of specific items of interest, or may be a pre-defined configuration set of items of typical interest relevant to specific monitoring needs for typical users.
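As an illustration of the configuration-driven store decision described above, the following sketch is an added example and is not taken from the patent or any product implementing it. The configuration syntax, the section names ("url", "content-type"), the function names, and the rule that a matching "store" pattern overrides a matching "drop" pattern are all assumptions; grouping the rules by section and pattern length is a simplified stand-in for the arrays of vectors the description mentions.

```python
from collections import defaultdict

# Constructed sample. The "section position action pattern" syntax is an
# assumption for this example; the page does not give the file format.
SAMPLE_CONFIG = """\
# section     position  action  pattern
url           suffix    drop    .png
url           suffix    drop    .jpg
content-type  prefix    drop    image/
url           any       store   /checkout
"""

POSITIONS = {
    "prefix": lambda data, pat: data.startswith(pat),  # must start the field
    "suffix": lambda data, pat: data.endswith(pat),    # must end the field
    "any": lambda data, pat: pat in data,              # anywhere in the field
}

def load_rules(text):
    """Parse the config into {section: {pattern_length: [(position, pattern, action)]}}."""
    rules = defaultdict(lambda: defaultdict(list))
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[1] not in POSITIONS or parts[2] not in ("store", "drop"):
            raise ValueError(f"bad rule on line {lineno}: {line!r}")
        section, position, action, pattern = parts
        rules[section][len(pattern)].append((position, pattern.lower(), action))
    return rules

def should_store(transaction, rules, default=True):
    """Decide at collection time whether a transaction record is kept.

    Assumed precedence: a matching "store" rule wins over any "drop" rule, so
    an exclusion pattern never hides a transaction the user asked to keep.
    """
    matched = set()
    for section, by_len in rules.items():
        data = str(transaction.get(section, "")).lower()
        for length, bucket in by_len.items():
            if length > len(data):
                continue  # a pattern longer than the field cannot match
            matched.update(a for pos, pat, a in bucket if POSITIONS[pos](data, pat))
    if "store" in matched:
        return True
    return False if "drop" in matched else default
```

With the sample rules, image transfers are dropped at collection time, while a transaction whose URL contains /checkout is kept even when it also ends in .png; transactions matching no rule fall back to the default.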
The operational steps are suitably performed by the processor(s) 38 (
In accordance with the system, apparatus and method, a user is able to specify pattern matching to apply to transaction data and an indication of store or don't store for matching data, allowing enhanced flexibility and ease of monitoring of high volume network traffic systems so that only transaction data that may be of current or future interest to the user is stored.
By providing the ability to store or not store transaction data matching a particular pattern, as well as the ability to specify types of pattern matching or location, whether to look at a complete data set or a subset thereof, enhanced monitoring and analysis of network traffic of any transaction type, of any application type, is provided. More efficient use of storage is obtained and the user is provided with data more focused to the interest or desire of the user. The user is able to specify what data is important for storage instead of storing all data and requiring later elimination of data that is not of interest.
The system, method and apparatus may suitably be implemented within a network test instrument.
While a preferred embodiment of the present invention has been shown and described, it will be apparent to those skilled in the art that many changes and modifications may be made without departing from the invention in its broader aspects. The appended claims are therefore intended to cover all such changes and modifications as fall within the true spirit and scope of the invention.
Number | Date | Country |
---|---|---|
20110106936 A1 | May 2011 | US |