Patent application number | Description | Published |
20080209045 | Capture and Resumption of Network Application Sessions - A system and method for capture and resumption of network application sessions in a network system. A transaction may be detected between a client and server that includes application session state information. The session state information may relate to a session between the client and the server. The Application session state information may be recorded in response to the detection of the transaction, and the application session state information may not be deleted according to session information expiration policies (e.g., of the client). User input may be received which requests to review the captured network application session. Correspondingly, a network request comprising captured credentials of the captured session may be generated and forwarded to the server. The network request may be usable to enable resumption of the captured network application session. | 08-28-2008 |
20080222717 | Detecting Anomalous Network Application Behavior - System and Method for detecting anomalous network application behavior. Network traffic between at least one client and one or more servers may be monitored. The client and the one or more servers may communicate using one or more application protocols. The network traffic may be analyzed at the application-protocol level to determine anomalous network application behavior. Analyzing the network traffic may include determining, for one or more communications involving the client, if the client has previously stored or received an identifier corresponding to the one or more communications. If no such identifier has been observed in a previous communication, then the one or more communications involving the client may be determined to be anomalous. A network monitoring device may perform one or more of the network monitoring, the information extraction, or the information analysis. | 09-11-2008 |
20090141634 | Adaptive Network Traffic Classification Using Historical Context - Adaptive network traffic classification using historical context. Network traffic may be monitored and classified by considering several attributes using packet filters, regular expressions, context-free grammars, rule sets, and/or protocol dissectors, among other means and by applying a variety of techniques such as signature matching and statistical analysis. Unlike static systems, the classification decisions may be reexamined from time to time or after subsequent processing determines that the traffic does not conform to the protocol specification corresponding to the classification decision. Historical context may be used to adjust the classification strategy for similar or related traffic. | 06-04-2009 |
20140269276 | TRIGGER BASED RECORDING OF FLOWS WITH PLAY BACK - The various embodiments provide selective real-time monitoring of one or more flows of packets over a network, real-time buffering of packets for the one or more monitored flows, real-time recording of packets for one or more monitored flows and its corresponding buffered packets based on initiation of at least one trigger, and real-time analysis of the one or more recorded flows of packets regarding at least the occurrence of the at least one trigger. One or more flows of packets may be selected for monitoring by an administrator or an automated process based on different factors. In at least one of the various embodiments, the one or more monitored flows of packets are tagged and threaded so that they are separately accessible in a ring buffer. | 09-18-2014 |
20140269777 | RESYNCHRONIZATION OF PASSIVE MONITORING OF A FLOW BASED ON HOLE DETECTION - Embodiments are directed towards resynchronizing the processing of a monitored flow based on hole detection. A network monitoring device (NMD) may be employed to passively monitor flows of packets for a session between endpoints. The NMD may receive copies of the monitored flow and perform processes on the monitored flow. In some situations, some copies of packets may not be fully processed by the NMD, creating a hole in the processing. If a hole is detected in the monitored flow and the processing of the monitored flow is desynchronized, then the NMD may suspend processing until it is resynchronized or for a remainder of the session. If the processing is desynchronized, then the NMD may resynchronize the processing by resuming the processing of the monitored flow at a downstream position of the monitored flow based on the detected hole. | 09-18-2014 |
20140280907 | AUTOMATED PASSIVE DISCOVERY OF APPLICATIONS - Embodiments are directed to monitoring communication over a network using a network monitoring device (NMD) to discover devices, roles, applications, and application dependencies present on the monitored networks. A NMD may monitor network packets that may be flowing on monitored networks. Using OSI L2-to-L3 data the NMD may determine the devices that may be on the monitored networks. Also, the NMD may determine the network protocols that may be in use on the monitored networks. Further, the NMD may reassemble monitored network packets into transactions based on knowledge regarding the network protocols are in use on the monitored networks. The NMD may perform various tests to determine the applications that may be running on the discovered devices. Some of the tests used by the NMD may examine OSI L4-L7 data that may be included in the transactions. | 09-18-2014 |
20140280908 | DE-DUPLICATING OF PACKETS IN FLOWS AT LAYER 3 - Embodiments are directed towards receiving packets communicated over at least one network, determining layer 3 header information for the received packets, normalizing the determined layer 3 header information for each received packet, employing a determined value based on the normalized layer 3 header information to detect each received packet that is a duplicate, disregarding duplicate packets, and enabling monitoring and analysis of at least selected flows that include packets that are determined to be non-duplicated. Also, if the determined layer 3 header information indicates that the received packet is fragmented, that packet is de-fragmented at least in accordance with a fragment offset. Additionally, normalization may include at least one of masking at least one value in the layer 3 header information, or rolling back changes in the layer 3 header information. | 09-18-2014 |
20150019867 | RESYNCHRONIZATION OF PASSIVE MONITORING OF A FLOW BASED ON HOLE DETECTION - Embodiments are directed towards resynchronizing the processing of a monitored flow based on hole detection. A network monitoring device (NMD) may be employed to passively monitor flows of packets for a session between endpoints. The NMD may receive copies of the monitored flow and perform processes on the monitored flow. In some situations, some copies of packets may not be fully processed by the NMD, creating a hole in the processing. If a hole is detected in the monitored flow and the processing of the monitored flow is desynchronized, then the NMD may suspend processing until it is resynchronized or for a remainder of the session. If the processing is desynchronized, then the NMD may resynchronize the processing by resuming the processing of the monitored flow at a downstream position of the monitored flow based on the detected hole. | 01-15-2015 |
20150036501 | TRIGGER BASED RECORDING OF FLOWS WITH PLAY BACK - The various embodiments provide selective real-time monitoring of one or more flows of packets over a network, real-time buffering of packets for the one or more monitored flows, real-time recording of packets for one or more monitored flows and its corresponding buffered packets based on initiation of at least one trigger, and real-time analysis of the one or more recorded flows of packets regarding at least the occurrence of the at least one trigger. One or more flows of packets may be selected for monitoring by an administrator or an automated process based on different factors. In at least one of the various embodiments, the one or more monitored flows of packets are tagged and threaded so that they are separately accessible in a ring buffer. | 02-05-2015 |