b'No. __________\n===============================================================================================\n\nIn The\n\nSupreme Court of the United States\n---------------------------------\xe2\x99\xa6---------------------------------\n\nNETSCOUT SYSTEMS, INC., NETSCOUT SYSTEMS TEXAS, LLC,\nfka TEKTRONIX TEXAS, LLC dba TEKTRONIX COMMUNICATIONS,\nPetitioners,\nv.\nPACKET INTELLIGENCE LLC,\nRespondent.\n---------------------------------\xe2\x99\xa6---------------------------------\n\nOn Petition For A Writ Of Certiorari\nTo The United States Court Of Appeals\nFor The Federal Circuit\n---------------------------------\xe2\x99\xa6---------------------------------\n\nSUPPLEMENTAL APPENDIX\n---------------------------------\xe2\x99\xa6---------------------------------\n\nMICHAEL J. LYONS\nAHREN C. HSU-HOFFMAN\nTHOMAS Y. NOLAN\nMORGAN, LEWIS & BOCKIUS LLP\n1400 Page Mill Road\nPalo Alto, California 94304\nERIC KRAEUTLER\nJULIE GOLDEMBERG\nMORGAN, LEWIS & BOCKIUS LLP\n1701 Market Street\nPhiladelphia, Pennsylvania 19103\n\nWILLIAM R. PETERSON\nCounsel of Record\nMORGAN, LEWIS & BOCKIUS LLP\n1000 Louisiana Street, Suite 4000\nHouston, Texas 77002\n(713) 890-5188\nwilliam.peterson@morganlewis.com\nJASON D. FRANK\nMORGAN, LEWIS & BOCKIUS LLP\nOne Federal Street\nBoston, Massachusetts 02110\n\nCounsel for Petitioners\n===============================================================================================\nCOCKLE LEGAL BRIEFS (800) 225-6964\nWWW.COCKLELEGALBRIEFS.COM\n\n\x0cVOLUME II\nTABLE OF CONTENTS\nPage\nPatent 6,665,725, December 16, 2003 .................................... App. II-1\nCertificate of Correction, June 29, 2004 ........................... App. II-72\nCertificate of Correction, October 8, 2013 ........................ App. II-74\nPatent 6,839,751, August 3, 2004 ......................................... App. II-75\nCertificate of Correction, March 8, 2005 ..........................App. II-120\nPatent 6,954,789, August 3, 2004 ........................................App. II-121\nCertificate of Correction, March 7, 2006 ..........................App. II-161\nCertificate of Correction, October 1, 2013 .......................App. II-162\n\nApp. II-i\n\n\x0cUSOO6665725B1\n\n(12) United States Patent\n\n(10) Patent No.:\n\nDietz et al.\n\nUS 6,665,725 B1\n\n(45) Date of Patent:\n\n(54) PROCESSING PROTOCOLSPECIFIC\nINFORMATION IN PACKETS SPECIFIED BY\n\nDec. 16, 2003\n\n5,414,704 A\n5/1995 Spinney ....................... 370/60\n(List continued on next page.)\n\nA PROTOCOL DESCRIPTION LANGUAGE\n\npage.\n\nOTHER PUBLICATIONS\n\n(75) Inventors: Russell S. Dietz, San Jose, CA (US);\nAndrew A. Koppenhaver, Littleton,\nCO (US); James F. Torgerson,\nAndover, MN (US)\n\n\xe2\x80\x9cTechnical Note: the Narus System,\xe2\x80\x9d Downloaded Apr. 29,\n1999 from www.narus.com, Narus Corporation, Redwood\nCity California.\n\n(73) Assignee: Hi/fn, Inc., Los Gatos, CA (US)\n\nE.\'EC R. (N\'Dinh\n\n(*) Notice:\n\nSubject to any disclaimer, the term of this\n\n(74) Attorney, Agent, or Firm-Dov Rosenfeld; Inventek\n\npatent is extended or adjusted under 35\n\n(57)\nABSTRACT\nA method of performing protocol Specific operations on a\npacket passing through a connection point on a computer\nnetwork. The packet contents conform to protocols of a\nlayered model wherein the protocol at a at a particular layer\nlevel may include one or a set of child protocols defined for\nthat level. The method includes receiving the packet and\nreceiving a Set of protocol descriptions for protocols may be\nused in the packet. A protocol description for a particular\n\nU.S.C. 154(b) by 537 days.\n(21) Appl. No.: 09/609,179\n(22) Filed:\n\nJun. 30, 2000\n\nRelated U.S. Application Data\n(60) Provisional application No. 60/141903, filed on Jun. 30,\n1999.\n\n(51) Int. Cl. ................................................ G06F 13/00\n\nprotocol at a particular layer level includes any child pro\n\n(52) U.S. Cl. ....................... 709/230; 709/246; 709/228;\n\ntocols of the particular protocol, and for any child protocol,\n\n370/389\n(58) Field of Search ................................. 709/203, 206,\n709/216, 217, 222, 246, 225, 228, 230,\n232; 703/26; 370/489, 13, 17\n\n(56)\n\nwhere in the packet information related to the particular\nchild protocol may be found. A protocol description also\nincludes any protocol Specific operations to be performed on\nthe packet for the particular protocol at the particular layer\nlevel. The method includes performing the protocol Specific\noperations on the packet specified by the set of protocol\ndescriptions based on the base protocol of the packet and the\nchildren of the protocols used in the packet. A particular\n\nReferences Cited\nU.S. PATENT DOCUMENTS\n\n4,736,320 A\n\n4/1988 Bristol ....................... 343oo\n\n5,101,402 A\n5,247,517 A\n5,247,693 A\n\n3/1992 Chui et al. .................... 370/17\n9/1993 Ross et al. .\n... 370/85.5\n9/1993 Bristol ......\n... 709/203\n\nthe descriptions into a data Structure. The compiling may\nfurther include compressing the data Structure into a com\npressed data Structure. The protocol Specific operations may\n\n5:\nA\n2- - -a-\n\ns\n\nfying\ninformation. The protocol Specific operations may also\ninclude State processing operations defined for a particular\n\n4,891.639 A\n\n5,315,580 A\n\nembodiment includes providing the protocol descriptions in\n\n1/1990 Nakamura .340/825.5\n\na high-level protocol description language, and compiling to\n\n5/1994 Phaal .......................... 370/13\n\ninclude parsing and extraction operations to eXtract identi\n\nMiss\net al... s\na KC C al. .............\n\n22,\nE.\nE. E.O.C. state of a conversational flow of the packet.\n5,394,394 A\n2/1995 Crowther et al. ............. 370/60\n5,414,650 A\n\n5/1995 Hekhuis ................ 364/715.02\n\n17 Claims, 20 Drawing Sheets\n- 324\n\n?\nPACKET\n\nACOUSITO\nDEVICE\n\n502\n\nPASER\n\nANAZE\n\nDATABASE\nOF\n\nFLOWS\n\n(MEMORY)\n\n-\n\n? 1504\n\nHOST\n\nPROCESSOF\n\n- 1506\nhOS\n\nNEMORY\n\nMONITOR\n\n300\n\n1510\n\n1508\n\nS. Ce\nNETWORK sea\nINTERFACE DISK\nCARD\n\nApp. II-1\n\n&\nDB\n\n\x0cUS 6,665,725 B1\nPage 2\n\nU.S. PATENT DOCUMENTS\n5,430,709 A\n\n3.\nA\n2 - - -2\n\n5,500,855 A\n5,511,215 A\n\n7/1995 Galloway .................... 370/13\n\nS.\nWE\nkvetal\nf\naclawsky et a\n\n... 709/\n\n4/1996 Terasaka et al. .\n\n... 709/246\n\n3/1996 Hershey et al...\n\n5,568,471 A\n\n10/1996 Hershey et al...\n\n5,586.266 A\n\n12/1996 Hershey et al...\n\n5,608,662 A\n\n3/1997 Large et al. ..\n\n5,574,875 A\n\n5,606,668 A\n5,634,009\n5,651,002\n5,680,585\n5,684.954\n5,703,877\n\n5,787.253 A\n\n5,805,808 A\n5,812,529 A\n\n11/1996 Stansfield et al.\n\n"70%\n\n5,819,028\nA\n5,825,774. A\n\n... 370/17\n\n5,826,017\n5.835,726\n5,838,919\n5,841,895\n5,850,386\n5,850,388\n\n... 370/17\n... 395/403\n\n... 709/216\n\n2/1997 Shwed ....................... 709/216\n\n... 364/724.01\n\n5,862,335 A\n\nA\n5/1997 Iddon et al. ................ 709/206\nA\n7/1997 Van Seters et al.\n... 370/392\nA : 10/1997 Bruell ................ ... 703/26\nA\n11/1997 Kaiserswerth et al. ...... 709/203\nA\n12/1997 Nuber et al. .....\n... 370/395\n\n5,721.827 A : 2/1998 Logan et al. .\n5,732.213 A\n5,740,355 A\n5,761,424 A\n\n5,878.420 A\n\n10/1998 Manghirmalani et al. ... 709/203\n\n10/1998 Ready et al. ............... 370/401\n\n10/1998\n11/1998\n11/1998\n11/1998\n12/1998\n12/1998\n\nHolzmann .....\n...\nShwed et al. ..... ...\nSchwaller et al.\n...\nHuffman ........... ...\nAnderson et al. ...........\nAnderson et al. ...........\n\n709/206\n709/228\n709/208\n382/155\n370/241\n370/252\n\n1/1999 Welch, Jr. et al. .......... 709/232\n\n3/1999 de la Sale ....\n\n... 707/10\n\n5,893,155 A\n\n4/1999 Cheriton .....\n\n5,917,821 A\n\n6/1999 Gobuyan et al. ........... 370/392\n\n5,903,754 A\n6,014,380 A\n\n... 709/217\n\n711/144\n\n5/1999 Pearson ...................... 709/238\n1/2000 Hendel et al. ....\n\n... 370/392\n\n3/1998 Gessel et al. ............... 709/216\n4/1998 Watanabe et al.\n395/183.21\n\n6,272,151 B1 * 8/2001 Gupta et al. ................ 370/489\n\n6/1998 Adams et al.\n\n... 709/232\n\n6.519.568 B1 * 2/2003 H\n\n7/1998 Southard ......\n\n... 709/238\n\n5,764,638 A\n\n6/1998 Ketchum ...\n\n5,784,298 A\n\n7/1998 Hershey et al. ............. 364/557\n\n5,781,735 A\n\nA\nA\nA\nA\nA\nA\n\n7/1998 McCreery et al. .......... 709/227\n\n9/1998 Hansani et al. ...\n... 709/203\n9/1998 Czarnik et al. ............. 370/245\n\n6,430,409 B1\n\n8/2002 Rossmann ............... 455/422.1\n\n6,516,337 B1 * 2/2003 Trippet al. ....\n\n... 370/401\n\n2- - - 2\n\n* cited by examiner\n\nApp. II-2\n\nf\n\ntal\n\n... 709/202\n\narvey et al. . . . . . . . . . . . . . . . . .\n\nTO5/1\nf\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\n1OO\n\nCLIENT 3\n\nSheet 1 of 20\n\nUS 6,665,725 B1\n\n-\n\nCLIENT 4\n\n-\n\nANALYZER\n\n1 O7\n\n108\n116\n\n-N106\n\nY10\n\n121\n\nDATA COMMUNICATIONS\nNETWORK\n\n102\n\n125\n\n123\n\nF\n\nSERVER 2\n\nN\n\n112\n\nCLIENT 2\n\n105\n\nFIG. 1\n\nApp. II-3\n\nY--/\n\nCLIENT 1\n\n18\n\nO4\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\nSheet 2 of 20\n\nUS 6,665,725 B1\n\nCN\n\nApp. II-4\n\n\x0cApp. II-5\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\nSheet 4 of 20\n\nHGH EVEL\nPACKET\nDECODING\nDESCRIPTIONS\n\nGENERATE\n\nPARSE AND\n\nEXTRACT\n\nOPERATIONS\n\nUS 6,665,725 B1\n\n402\n\nVRA\n\nCOMPLE\n\nDESCRIPTIONS\n\nPACKET\nSTATE\n\nINSTRUTIONS\nOPERATIONS\n\n407\n\n4O6 2ATTERNPARs\n\n(525\n\nPROCESSOR\nINSTRUCTION\nDATABASE\n\nEXTRACTION\nDATABASE\n\nLOAD\nPARSING\nSUBSYSTEM\nMEMORY\n\nLOAD STATE\nNSTRUCTIO\n\nDATABASE\nMEMORY\n\n400\n\nFIG. 4\nApp. II-6\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\nUS 6,665,725 B1\n\nSheet 5 of 20\n\nOU-50\n/nputpacket/ 5O2\n503\n\nLOAD PACKET\nCOMPONENT\n\n512\nBUID\n\n504\n\nORE INPACKE\n\nPACKET\nKEY\n\nFETCH NODE AND\nPROCESS FROM\nPATTERN\n\n513\n\nMORE\nPATTERN\nNODEST?\n\nNEXT\nPACKET\n\nCOMPONE\n\n511\n\nAPPLY NODE AND\n\nPROCESS TO\nCOMPONENT\n\n510\n\nV\n\n5OO\n\nAZ\n\nPATTERN\n\nNODE\n\n509\n\nEXTRACT\n\nELEMENTS\n\nFIG. 5\nApp. II-7\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\nSheet 6 of 20\n\nUS 6,665,725 B1\n\nOU-601\nPACKET\n\n6O2\n\nCOMPONENT AND\nPATTERN NODE\n603\n\nLOAD PACKET\nCOMPONENT\n\n61O\n\n604\n\nMORE PACKE\nCOMPONENT\n\nLOAD KEY\nBUFFER\n\nYES\n\nFETCH\nEXTRACTION\nAND PROCESS FRO\n\n(F)\n\nPATTERNS\n\n605\n\nNO\n\n611\n606\n\nORE EXTRACTION\n\nNO\n\nELEMENTS?\n\n6O7\n\nNEXT\n\nPACKET\nCOMPONEN\n\n609\n\nYES\nAPPLY EXTRACTION\n\nESSESS\n\n6OO\n\nMORE TO\nEXTRACT?\n\nFIG. 6\n\n608\n\nYE\n\nApp. II-8\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\nSheet 7 of 20\n\nUS 6,665,725 B1\n\nOU-701\nEY BUFFER AND\n\nPATTERN NODE\n\n703\n\nLOAD PATTERN\nNODE ELEMENT\n\n704\n\nMORE PATTER\n\n702\n\n708\n\nOUTPUT TO\n\nOREFA S?\n\nANALYZER\n\nYES\n\nHASHKEYBUFFER\nELEMENT FROM\nPATTERN NODE\n\n7O6\n707\n\n(EB)\n705\n\nPACKKEY & HAS\n\nNEXT PACKET\nCOMPONENT\n\nFIG. 7\nApp. II-9\n\n709\n\nN\n\n700\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\nSheet 8 of 20\n\nUS 6,665,725 B1\n\nOU-80\nUFKB ENTRY FOR\nPACKET\n\n8OO Y\n\n8O2\n\nCOMPUTE\nCONVERSATION. 803\nRECORD BIN FROM HASH\nRECQUEST RECORD BIN/\nBUCKET FROM CACHE\n\n805\n\n804\n\nNO\n\nORE BUCKET\nIN THE BIN?\n\n806\n\nSETUFKBFOR\n\nPACKETAS "NEW"\n\nYES\nCOMPARE CURRENT BIN\nAND BUCKET RECORD KEY\nTO PACKET\n\n807\n\nNEXT BUCKET-NO servacs\n\n8O8\n\nYES\n\n809\n\nMARK RECORDBN AND\n\nBUCKET IN PROCESS IN\n\n- 80\n\nCACHE AND TIMESTAMP\n\n811\n\nSET UFKB FOR PACKET\nAS FOUND"\n\n812\n\nUPDATE STATISTICS FOR\nRECORD IN CACHE\n\n813 vC\nApp. II-10\n\nFIG. 8\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\n90\n\nSheet 9 of 20\n\n902\n\nUS 6,665,725 B1\n\n910\nRPC\nBIND LOOKUF\nREGUEST\n909\n\nEXTRACT PROGRAM\n\nEXTRACT PORT\n\nGET\'PROGRAM\',\n\nGET\'PROGRAM\',\n\n\'PROTOCOL (TCP OR\nUDP)\n\n"PROTOCOL (TCP OR\nUDP)\'\n\nVERSION\', \'PORTAND\n\n\'VERSION AND\n\nSAVE REGUEST\n\nCREATE SERVER STAT\n904\n\nSAVE PROGRAM",\n\nSAVE PROGRAM\',\nVERSION\', \'PORTAND\n\'PROTOCOL (TCP OR\nUDP)\' WITH NETWORK\n\n\'VERSION AND\n\n"PROTOCOL (TCP OR\nUDP)\' WITH\nDESTINATION\n\nADDRESS IN SERVER\nSTATE DATABASE. KEY\n\nNETWORKADDRESS.\nBOTH MAKEAKEY.\n\nON SERVER ADDRESS\n\nAND TCP OR UDP PORT.\n\nRPC\nBIND\nLOOKUP\nREPLY\n\ngoo/\n\nLOOKUP REGUES\nFIND PROGRAM\nAND VERSION\n\nWITH LOOKUP OF\nSOURCE NETWORK\nADDRESS.\n\nFIG. 9\nApp. II-11\n\nEXTRACT\n\nPROGRAM\nGET "PORTAND\n\n"PROTOCOL (TCP\nOR UDP)\'.\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\nSheet 10 of 20\n\nPATTERN\n\n100\n\nRECOGNITION\nDATABASE\nMEMORY\n\n100\n\nUS 6,665,725 B1\n\nEXTRACTION\n\nOPERATIONS\nDATABASE\nMEMORY\n\n1001\n1OO\n\n1 OO4\n\n1031\n\nINFO OUT\nCONTRL IN\n\nHOST INTERFACE MULTIPLEXR & CONTROLREGISTERS\n\n1031\n\n1006\n\nPATTERN\nRECOGNITN\nENGINE\n\n1007\n\nEXTRACTION ENGINE\n\n(SLICER)\n\n(PRE)\n\n1008\n\nPACKET\nINPUT\n\nPARSER INPUT BUFFER\nMEMORY\n\nPARSER\n\nOUTPUT PACKETKEY\n\nBUFFER AND PAYLOA2\nMEMORY\n\n1012\n1021\n\nSE) INPUT\nBUFFER\nINTERFACE\nVY\n\nPACKET\n1 O2\n\n1023\n\nANALYZER DATA REA)Y\n\nINTERFACE\nCONTROL\n\nCONTROL\n\nFIG. 10\n\nApp. II-12\n\nANALYZER\nREADY\n\n1027\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\nSheet 11 of 20\n\nUS 6,665,725 B1\n\n1100 1101\n\n103\n1107\n\nSE\nENGINE\nPROCESSR\nINSTRUCN\nDATABASE\n\n1115\n\n1118 1122\n\nANZEF\n\nSST\n\nC2SO\n(ACIC)\n\n(HIB)\n\n() INTERFACE)\nINTER\nAND\nFACE\n\n(SPID)\n\nPARSER\n\nFLOW\nKEY\n\nFACE\n\n(UFKB)\n\nINTER(-)BUFFER\nPROCESSR\n\n(SP)\n\nFLOW\nINSERTION/\nDELETION\nENGINE\n\n(FIDE)\n\nApp. II-13\n\n1119 1123\n\n() CONTROL\n(UMC)\n\nINTER\n\nFACE\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\nSheet 12 of 20\n\nUS 6,665,725 B1\n12O1\n\n12OO\n\n1206\n\nTA\n\nREQUESTNEXT\nBUCKET FROM\nCACHE\n\nUFKB ENTRY FOR\nPACKET WITH\nSTATUS"NEW"\n\n1202\n\nACCESS\nCONVERSATION\nRECORD BIN\n\n1203\n\nREGUEST RECORD BIN/\nBUCKET FROM CACHE\n\n1204\n\nNO CBIN/BUCKETEMPTY\n\n1205\n\nYES\n\n1208\n\nNO\n\nP\n\n12O7\n\nWITH TIMESTAMP\n\nYES\n1210\n\nINSERT KEY AND HASH\nN BUCKET, MARK"USED\n\nSET UFKBFOR\nPACKETAS\nDROP\n\nOMPARE CURRENT BIN-1209\n\nAND BUCKETRECORD\nKEY TO PACKET\n\nMARK RECORD BIN AND\nBUCKET\'IN PROCESS\nAND NEW" IN CACHE\n\nFOR RECORD IN CACHE\n\nC\n\nFIG. 12\nApp. II-14\n\n1213\n\n1211\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\n1300 -\n\nSheet 13 of 20\n\nUS 6,665,725 B1\n\nUFKBENTRY FOR\n\nPACKET WITH STATUS\n"NEW OR FOUND"\n\nv\n\nSET STATE PROCESSOR\nINSTRUCTION POINTERTO\nALUE FOUND IN UFKBENTRY\n\nFETCH INSTRUCTION FROM\nSTATE PROCESSOR\nINSTRUCTION MEMORY\n\n1302\n\n1303\n\n1304\n\nPERFORM\nOPERATION BASED - 1305\nON THE STATE INSTRUCTION\nPROCESSOR\nINSTRUCTION\nPOINTERTO\nVALUE FOUND IN\nCURRENT STATE\n\nNO\n\nDONE PROCESSING\nSTATES FOR THIS\nPACKET?\n\n1308\n1310\n\nSAVE STATE\nPROCESSOR\nINSTRUCTION\nNO\nPOINTER IN\nCURRENTFLOW\nRECORD\n\n1307\n\nYES\n\nDONE PROCESSING\nTATES FOR THIS FLO\n\n1309\n\nYES\n\nSET AND SAVE FLOW REMOVA\nSTATE PROCESSOR\n\nNSTRUCTION IN CURRENT\nFLOW RECORD\n\nd) ran\n\nFIG. 13\nApp. II-15\n\n1311\n\n\x0cApp. II-16\n\n\x0cU.S. Patent\n\nUS 6,665,725 B1\n\nLO\n\ny\n\nLEXIOW/c)]\n\nApp. II-17\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\nSheet 16 of 20\n\nSrc Hash (2\n\nNL2 Ofset = 12\nFIG 16\n\nApp. II-18\n\nUS 6,665,725 B1\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\n1702\n\nOffset\n\n12.\n\n1704\n\nIDP = 0x0600*\n\nIP = 0x0800*\nCHAOSNET = 0x0804\nARP = 0x0806\n\nType I/A\ny\n\n1708\n1710\n\nVIP = OxOBAD*\nVLOOP OXOBAE\nVECHO = OxOBAF\n\n17O6\n\nNETBIOS-3COM = 0x3COO\nOx3CODE\nDEC-MOP = 0x6001\nDEC-RC E Ox60O2\nDEC-DRP = 0x6003 *\nDEC-LAT = 0x6004\nDEC-DIAG = 0x6005\nDEC-LAVC = 0x6007\nRARP = 0x8035\nATALK = 0x809B\nVLOOP = 0x80C4\nVECHO = 0x80C5\n\nType (2)\nHash 1\n\n)\n\nNL3L Ofset = 14\n\nUS 6,665,725 B1\n\nSheet 17 of 20\n\nV- 1700\n\nFIG. 17A\n\nu/\n\n1712\n\nSNA-THE Ox8OD5\nATALKARP = 0x80F3\nIPX = 0x8137*\nSNMP = 0x814Cit\nIPv6 = 0x86DD\n\n-1\n\nLOOPBACK - 0x9000\n\nApple = 0x080007\n* L3 Decoding\n# L5 Decoding\n\nL3 to\n\nyerASE/TyEE/ESA\nsigh/\nCO diffs.\n////Kierifi\xc3\xa9r////Flag/Flag/6F56\n\n,\nZ/7Z/Protocol)A\xc3\xa9.\nSheskyi\n-1\n\n/25iors 3 Fagging/\n\n1752\n\nICMP = 1\n\nGMP = 2\n\nGGP = 3\n\nTCP\nEGP\nIGRP\nPUP\nCHAOS\nUDP\nDP\nISO-TP4\nDDP\nISO-IP\n\n= 6*\n=8\n=9\n= 12\n- 16\n\n= 17*\n= 22h\n= 29\n= 37\n= 8O\n\nVIP = 83 it\n\nEIGRP = 88\nOSPF = 89\n\nProtocol (1)\n\nFIG. 17B\n\nL4 Offset = L3+ (IHL14)\n\nApp. II-19\n\n* L4 Decoding\n# L3 Re-Decoding\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\nSheet 18 of 20\n\nPROTOCOL\n\nTYPE (ID)\n\nFIG. 18A\n\n\xc2\xa72LO O\n\n\xc3\x88?\xc3\xb5 \xc3\xb5I\xc3\x92\n\nEL\xc3\x858EGIO\n\nFIG. 18B\nApp. II-20\n\nUS 6,665,725 B1\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\nSheet 19 of 20\n\nUS 6,665,725 B1\n\n1901\n\n191\n\n92\n\nCOMMON. PDL\n\n1903\n\nFLOWS.PDL\n\n1905\n\nVIRTUAL PDL\n\n1907\n\nETHERNET.PDL\n\nETHERTYPE\n\n1913\n\nPPDL\n\n1915\n\nTCPPDL\n\n1917\n\nRPC.PDL\n\n1919\n\nNFS.PDL\n\n1928/O FIG. 19\nApp. II-21\n\n\x0cU.S. Patent\n\nDec. 16, 2003\n\nSheet 20 0f 20\n\nUS 6,665,725 B1\n\n2 OO\n\nREAD IN PDL SOURCE\n\nMODULES\n\nPARSE MODULES FOR\nSYNTAX\n\nFIRST PASS, CREATE\n\nALL PARSEELEMENTS\n\n2009\n\n2005\n\n2007\n\n2NDPASS,\nBUILD FO\nSIGNATURE ELEMENT\nTHIRD PASS, CREATE\n\n2011\n\nFORTH PASS, BUILD\n\n2013\n\nREAD IN LAYERING\nSOURCE MODULES\n\n2015\n\nWALK LAYERING LINKS\nFOREACH PDL\n\n2017\n\nPAYLOAD ELEMENTS\n\nSTATES FOREACH LINK\n\n2019\n\n2003\n\nOUTPUT CPL\nINTERMEDIATEFILE\n\n2021/O\nApp. II-22\n\nFIG. 2O\n\n\x0c1\n\nUS 6,665,725 B1\n\n2\npackets the network monitor should determine the protocol\n(e.g., http, ftp, H.323, VPN, etc.), the application/use within\nthe protocol (e.g., voice, Video, data, real-time data, etc.),\nand an end user\'s pattern of use within each application or\nthe application context (e.g., options Selected, Service\ndelivered, duration, time of day, data requested, etc.). Also,\nthe network monitor should not be reliant upon server\nresident information Such as log files. Rather, it should allow\n\nPROCESSING PROTOCOLSPECIFIC\nINFORMATION IN PACKETS SPECIFIED BY\nA PROTOCOL DESCRIPTION LANGUAGE\nCROSS-REFERENCE TO RELATED\nAPPLICATION\n\nThis application claims the benefit of U.S. Provisional\nPatent Application Serial No. 60/141,903 for METHOD\n\na user Such as a network administrator or an Internet Service\n\nAND APPARATUS FOR MONITORING TRAFFIC IN A\n\nprovider (ISP) the means to measure and analyze network\n\nNETWORK to inventors Dietz, et al., filed Jun. 30, 1999, the\n\ncontents of which are incorporated herein by reference.\nThis application is related to the following U.S. patent\napplications, each filed concurrently with the present\napplication, and each assigned to Apptitude, Inc., the\nassignee of the present invention:\nU.S. patent application Ser. No. 09/608,237 for\n\n15\n\nMETHOD AND APPARATUS FOR MONITORING\n\nTRAFFICINANETWORK, to inventors Dietz, et al.,\n\nfiled Jun. 30, 2000, and incorporated herein by refer\n\nState of each of these conversational flows.\n\nCCC.\n\nRelated and incorporated by reference U.S. patent appli\n\nU.S. patent application Ser. No. 09/608,126 for\nRE-USING INFORMATION FROM DATA TRANS\nACTIONS FOR MAINTAINING STATISTICS IN\n\nNETWORK MONITORING, to inventors Dietz, et al.,\n\n25\n\nfiled Jun. 30, 2000, and incorporated herein by refer\nCCC.\n\nU.S. patent application Ser. No. 09/608,266 for ASSO\nCIATIVE CACHE STRUCTURE FOR LOOKUPS\nAND UPDATES OF FLOW RECORDS IN ANET\n\nWORK MONITOR, to inventors Sarkissian, et al., filed\n\nJun. 30, 2000, and incorporated herein by reference.\nU.S. patent application Ser. No. 09/608,267 for STATE\n\nPROCESSOR FOR PATTERN MATCHING IN A 35\n\nNETWORK MONITOR DEVICE, to inventors\n\nSarkissian, et al., filed Jun. 30, 2000, and incorporated\nherein by reference.\nFIELD OF INVENTION\n\nThe present invention relates to computer networks, Spe\ncifically to the real-time elucidation of packets communi\ncated within a data network, including classification accord\ning to protocol and application program.\n\n40\n\nThere has long been a need for network activity monitors.\nThis need has become especially acute, however, given the\nrecent popularity of the Internet and other interconnected\nnetworks. In particular, there is a need for a real-time\nnetwork monitor that can provide details as to the applica\ntion programs being used. Such a monitor Should enable\nnon-intrusive, remote detection, characterization, analysis,\nand capture of all information passing through any point on\n\nthe network (i.e., of all packets and packet Streams passing\nthrough any location in the network). Not only should all the\npackets be detected and analyzed, but for each of these\n\nincludes carrying out protocol Specific operations on indi\nvidual packets including extracting information from header\nfields in the packet to use for building a signature for\nidentifying the conversational flow of the packet and for\nrecognizing future packets as belonging to a previously\nencountered flow. A parser Subsystem includes a parser for\nrecognizing different patterns in the packet that identify the\nprotocols used. For each protocol recognized, a Slicer\nextracts important packet elements from the packet. These\n\nform a signature (i.e., key) for the packet. The slicer also\n\npreferably generates a hash for rapidly identifying a flow\nthat may have this signature from a database of known\nThe flow Signature of the packet, the hash and at least\nSome of the payload are passed to an analyzer Subsystem. In\na hardware embodiment, the analyzer Subsystem includes a\n\nunified flow key buffer (UFKB) for receiving parts of\npackets from the parser Subsystem and for Storing Signatures\nin process, a lookup/update engine (LUE) to lookup a\n\n45\n\ndatabase of flow records for previously encountered con\nVersational flows to determine whether a signature is from\n\nan existing flow, a State processor (SP) for performing State\nprocessing, a flow insertion and deletion engine (FIDE) for\n\n50\n\ninserting new flows into the database of flows, a memory for\nStoring the database of flows, and a cache for Speeding up\naccess to the memory containing the flow database. The\nLUE, SP, and FIDE are all coupled to the UFKB, and to the\ncache.\n\n55\n\nBACKGROUND\n\ncation Ser. No. 09/608,237 for METHOD AND APPARA\nTUS FOR MONITORING TRAFFIC IN ANETWORK, to\ninventors Dietz, et al, describes a network monitor that\n\nflows.\n\nCOPYRIGHT NOTICE\n\nA portion of the disclosure of this patent document\ncontains material that is Subject to copyright protection. The\ncopyright owner has no objection to the facsimile reproduc\ntion by anyone of the patent document or the patent\ndisclosure, as it appears in the Patent and Trademark Office\npatent file or records, but otherwise reserves all copyright\nrights whatsoever.\n\nactivity objectively; to customize the type of data that is\ncollected and analyzed; to undertake real time analysis, and\nto receive timely notification of network problems.\nThe recognizing and classifying in Such a network moni\ntor should be at all protocol layer levels in conversational\nflows that pass in either direction at a point in a network.\nFurthermore, the monitor Should provide for properly ana\nlyzing each of the packetS eXchanged between a client and\na Server, maintaining information relevant to the current\n\n60\n\n65\n\nEach flow-entry includes one or more Statistical measures,\ne.g., the packet count related to the flow, the time of arrival\nof a packet, the time differential.\nIn the preferred hardware embodiment, each of the LUE,\nState processor, and FIDE operate independently from the\nother two engines. The State processor performs one or more\noperations Specific to the State of the flow.\nA network analyzer should be able to analyze many\ndifferent protocols. At a base level, there are a number of\nStandards used in digital telecommunications, including\nEthernet, HDLC, ISDN, Lap B, ATM, X.25, Frame Relay,\n\nDigital Data Service, FDDI (Fiber Distributed Data\nInterface), T1, and others. Many of these Standards employ\n\ndifferent packet and/or frame formats. For example, data is\n\nApp. II-23\n\n\x0c3\n\nUS 6,665,725 B1\n\ntransmitted in ATM and frame-relay systems in the form of\n\nfixed length packets (called \xe2\x80\x9ccells\xe2\x80\x9d) that are 53 octets (i.e.,\nbytes) long. Several Such cells may be needed to make up the\n\ninformation that might be included in the packet employed\nby Some other protocol for the same payload information\nfor example in a conversational flow that uses the frame\nrelay Standard or the Ethernet protocol.\nIn order for a network monitor to be able to analyze\ndifferent packet or frame formats, the monitor needs to be\nable to perform protocol Specific operations on each packet\nwith each packet carrying information conforming to dif\nferent protocols and related to different applications. For\nexample, the monitor needs to be able to parse packets of\ndifferent formats into fields to understand the data encapsu\nlated in the different fields. As the number of possible packet\nformatS or types increases, the amount of logic required to\nparse these different packet formats also increases.\nPrior art network monitors exist that parse individual\npackets and look for information at different fields to use for\nbuilding a signature for identifying packets. Chiu, et al.,\ndescribe a method for collecting information at the Session\nlevel in a computer network in U.S. Pat. No. 5,101,402,\n\ntitled \xe2\x80\x9cAPPARATUS AND METHOD FOR REAL-TIME\nMONITORING OF NETWORK SESSIONS AND A\n\nLOCAL AREANETWORK.\xe2\x80\x9d In this patent, there are fixed\nlocations Specified for particular types of packets. For\nexample, if a DECnet packet appears, the Chiu System looks\n\n15\n\nBRIEF DESCRIPTION OF THE DRAWINGS\n25\n\nat Six specific fields (at 6 locations) in the packet in order to\n\nidentify the Session of the packet. If, on the other hand, an\nIP packet appears, a different Set of Six locations are exam\nined. The system looks only at the lowest levels up to the\nprotocol layer. There are fixed locations for each of the fields\nthat specified the next level. With the proliferation of\nprotocols, clearly the Specifying of all the possible places to\nlook to determine the Session becomes more and more\n\n35\n\ndifficult. Likewise, adding a new protocol or application is\ndifficult.\n\nIt is desirable to be able to adaptively determine the\nlocations and the information extracted from any packet for\nthe particular type of packet. In this way, an optimal Signa\nture may be defined using a protocol-dependent and packet\ncontent-dependent definition of what to look for and where\nto look for it in order to form a signature.\n\nThere thus is also a need for a network monitor that can\n\nbe tailored or adapted for different protocols and for different\napplication programs. There thus is also a need for a network\nmonitor that can accommodate new protocols and for new\napplication programs. There also is a need for means for\nSpecifying new protocols and new levels, including new\napplications. There also is a need for a mechanism to\ndescribe protocol Specific operations, including, for\nexample, what information is relevant to packets and pack\nets that need to be decoded, and to include Specifying\nparsing operations and extraction operations. There also is a\nneed for a mechanism to describe State operations to perform\non packets that are at a particular State of recognition of a\nflow in order to further recognize the flow.\nSUMMARY\n\nOne embodiment of the invention is a method of per\nforming protocol Specific operations on a packet passing\nthrough a connection point on a computer network. The\npacket contents conform to protocols of a layered model\nwherein the protocol at a particular layer level may include\none or a set of child protocols defined for that level. The\nmethod includes receiving the packet and receiving a set of\n\n4\nprotocol descriptions for protocols may be used in the\npacket. A protocol description for a particular protocol at a\nparticular layer level includes any child protocols of the\nparticular protocol, and for any child protocol, where in the\npacket information related to the particular child protocol\nmay be found. A protocol description also includes any\nprotocol Specific operations to be performed on the packet\nfor the particular protocol at the particular layer level. The\nmethod includes performing the protocol Specific operations\non the packet Specified by the Set of protocol descriptions\nbased on the base protocol of the packet and the children of\nthe protocols used in the packet. A particular embodiment\nincludes providing the protocol descriptions in a high-level\nprotocol description language, and compiling to the descrip\ntions into a data Structure. The compiling may further\ninclude compressing the data Structure into a compressed\ndata Structure. The protocol Specific operations may include\nparsing and extraction operations to extract identifying\ninformation. The protocol Specific operations may also\ninclude State processing operations defined for a particular\nState of a conversational flow of the packet.\n\n40\n\n45\n\nAlthough the present invention is better understood by\nreferring to the detailed preferred embodiments, these\nshould not be taken to limit the present invention to any\nSpecific embodiment because Such embodiments are pro\nVided only for the purposes of explanation. The\nembodiments, in turn, are explained with the aid of the\nfollowing figures.\nFIG. 1 is a functional block diagram of a network embodi\nment of the present invention in which a monitor is con\nnected to analyze packets passing at a connection point.\nFIG. 2 is a diagram representing an example of some of\nthe packets and their formats that might be exchanged in\nStarting, as an illustrative example, a conversational flow\nbetween a client and Server on a network being monitored\nand analyzed. A pair of flow Signatures particular to this\nexample and to embodiments of the present invention is also\nillustrated. This represents Some of the possible flow Signa\ntures that can be generated and used in the process of\nanalyzing packets and of recognizing the particular Server\napplications that produce the discrete application packet\neXchanges.\nFIG. 3 is a functional block diagram of a process embodi\nment of the present invention that can operate as the packet\nmonitor shown in FIG.1. This process may be implemented\nin Software or hardware.\n\n50\n\n55\n\n60\n\n65\n\nFIG. 4 is a flowchart of a high-level protocol language\ncompiling and optimization process, which in one embodi\nment may be used to generate data for monitoring packets\naccording to versions of the present invention.\nFIG. 5 is a flowchart of a packet parsing proceSS used as\npart of the parser in an embodiment of the inventive packet\nmonitor.\n\nFIG. 6 is a flowchart of a packet element extraction\nprocess that is used as part of the parser in an embodiment\nof the inventive packet monitor.\nFIG. 7 is a flowchart of a flow-signature building process\nthat is used as part of the parser in the inventive packet\nmonitor.\n\nFIG. 8 is a flowchart of a monitor lookup and update\nprocess that is used as part of the analyzer in an embodiment\nof the inventive packet monitor.\nFIG. 9 is a flowchart of an exemplary Sun Microsystems\nRemote Procedure Call application than may be recognized\nby the inventive packet monitor.\n\nApp. II-24\n\n\x0cUS 6,665,725 B1\n\nS\nFIG. 10 is a functional block diagram of a hardware parser\nSubsystem including the pattern recognizer and extractor\nthat can form part of the parser module in an embodiment of\nthe inventive packet monitor.\nFIG. 11 is a functional block diagram of a hardware\nanalyzer including a State processor that can form part of an\nembodiment of the inventive packet monitor.\nFIG. 12 is a functional block diagram of a flow insertion\nand deletion engine process that can form part of the\nanalyzer in an embodiment of the inventive packet monitor.\nFIG. 13 is a flowchart of a State processing process that\ncan form part of the analyzer in an embodiment of the\ninventive packet monitor.\nFIG. 14 is a simple functional block diagram of a proceSS\nembodiment of the present invention that can operate as the\npacket monitor shown in FIG. 1. This process may be\nimplemented in Software.\nFIG. 15 is a functional block diagram of how the packet\n\npackets passing in either direction past its connection point\n121 and, according to one aspect of the invention, can\nelucidate what application programs are associated with\neach packet. The monitor 108 is shown examining packets\n\n(i.e., datagrams) between the network interface 116 of the\nserver 110 and the network. The monitor can also be placed\nat other points in the network, Such as connection point 123\n\nbetween the network 102 and the interface 118 of the client\n\n15\n\nnetwork with a processor Such as a microprocessor.\n\nFIG. 16 is an example of the top (MAC) layer of an\n\ninvention.\n\n25\n\nFIG.17A is an example of the header of an Ethertype type\nof Ethernet packet of FIG.16 and some of the elements that\nmay be extracted to form a signature according to one aspect\nof the invention.\n\nFIG. 17B is an example of an IP packet, for example, of\nthe Ethertype packet shown in FIGS. 16 and 17A, and some\nof the elements that may be extracted to form a Signature\naccording to one aspect of the invention.\nFIG. 18A is a three dimensional structure that can be used\n\nto Store elements of the pattern, parse and extraction data\nbase used by the parser Subsystem in accordance to one\n\n35\n\nembodiment of the invention.\n\nFIG. 18B is an alternate form of storing elements of the\npattern, parse and extraction database used by the parser\nSubsystem in accordance to another embodiment of the\n\n104, or Some other location, as indicated Schematically by\nconnection point 125 somewhere in network 102. Not\nshown is a network packet acquisition device at the location\n123 on the network for converting the physical information\non the network into packets for input into monitor 108. Such\npacket acquisition devices are common.\nVarious protocols may be employed by the network to\nestablish and maintain the required communication, e.g.,\nTCP/IP, etc. Any network activity-for example an appli\n\ncation program run by the client 104 (CLIENT 1) commu\nnicating with another running on the server 110 (SERVER\n2)-will produce an exchange of a sequence of packets over\n\nmonitor of FIG. 3 (and FIGS. 10 and 11) may operate on a\n\nEthernet packet and Some of the elements that may be\nextracted to form a signature according to one aspect of the\n\n6\n\nin the interior of the cloud. A monitor 108 examines the\n\nnetwork 102 that is characteristic of the respective programs\nand of the network protocols. Such characteristics may not\nbe completely revealing at the individual packet level. It\nmay require the analyzing of many packets by the monitor\n108 to have enough information needed to recognize par\nticular application programs. The packets may need to be\nparsed then analyzed in the context of various protocols, for\nexample, the transport through the application Session layer\nprotocols for packets of a type conforming to the ISO\nlayered network model.\nCommunication protocols are layered, which is also\n\nreferred to as a protocol stack. The ISO (International\nStandardization Organization) has defined a general model\n\nthat provides a framework for design of communication\nprotocol layers. This model, shown in table from below,\nServes as a basic reference for understanding the function\nality of existing communication protocols.\n\n40\n\ninvention.\n\nFIG. 19 shows various PDL file modules to be compiled\ntogether by the compiling process illustrated in FIG. 20 as\nan example, in accordance with a compiling aspect of the\n\nISO MODEL\n\nLayer\n\nFunctionality\n\nExample\n\n7\n\nApplication\n\nTelnet, NFS, Novell NCP, HTTP,\n\n6\n\nPresentation\n\nH.323\nXDR\n\n4\n3\n2\n\nTransport\nNetwork\nData Link\n\nTCP, Novel SPX, UDP, etc.\nIP, Novell IPX, VIP, AppleTalk, etc.\nNetwork Interface Card (Hardware\n\n1.\n\nPhysical\n\n45\n\ninvention.\n\nFIG. 20 is a flowchart of the process of compiling\nhigh-level language files according to an aspect of the\n\ninvention.\n\n5\n50\n\nDETAILED DESCRIPTION OF THE\nPREFERRED EMBODIMENTS\n\nNote that this document includes hardware diagrams and\ndescriptions that may include Signal names. In most cases,\nthe names are Sufficiently descriptive, in other cases how\never the Signal names are not needed to understand the\noperation and practice of the invention.\nOperation in a Network\nFIG. 1 represents a system embodiment of the present\ninvention that is referred to herein by the general reference\nnumeral 100. The system 100 has a computer network 102\n\nthat communicates packets (e.g., IP datagrams) between\n\nvarious computers, for example between the clients 104-107\nand servers 110 and 112. The network is shown Schemati\n\ncally as a cloud with Several network nodes and linkS shown\n\n55\n\n60\n\nSession\n\nRPC, NBTBIOS, SNMP, etc.\n\nInterface). MAC layer\n\nEthernet, Token Ring, Frame Relay,\n\nATM, T1 (Hardware Connection)\n\nDiferent communications protocols employ different lev\nels of the ISO model or may use a layered model that is\nsimilar to but which does not exactly conform to the ISO\nmodel. A protocol in a certain layer may not be visible to\nprotocols employed at other layers. For example, an appli\n\ncation (Level 7) may not be able to identify the source\ncomputer for a communication attempt (Levels 2-3).\n\nIn Some communication arts, the term \xe2\x80\x9cframe\' generally\nrefers to encapsulated data at OSI layer 2, including a\n65\n\ndestination address, control bits for flow control, the data or\n\npayload, and CRC (cyclic redundancy check) data for error\n\nchecking. The term "packet\' generally refers to encapsu\nlated data at OSI layer 3. In the TCP/IP world, the term\n\nApp. II-25\n\n\x0cUS 6,665,725 B1\n\n7\n"datagram\' is also used. In this specification, the term\n"packet\' is intended to encompass packets, datagrams,\nframes, and cells. In general, a packet format or frame\nformat refers to how data is encapsulated with various fields\nand headers for transmission acroSS a network. For example,\na data packet typically includes an address destination field,\na length field, an error correcting code (ECC) field, or cyclic\nredundancy check (CRC) field, as well as headers and\nfooters to identify the beginning and end of the packet. The\nterms \xe2\x80\x9cpacket format\xe2\x80\x9d and \xe2\x80\x9cframe format,\xe2\x80\x9d also referred to\nas \xe2\x80\x9ccell format,\xe2\x80\x9d are generally Synonymous.\nMonitor 108 looks at every packet passing the connection\npoint 121 for analysis. However, not every packet carries the\nSame information useful for recognizing all levels of the\nprotocol. For example, in a conversational flow associated\nwith a particular application, the application will cause the\nServer to Send a type-A packet, but So will another. If,\nthough, the particular application program always follows a\ntype-A packet with the Sending of a type-B packet, and the\nother application program does not, then in order to recog\nnize packets of that application\'s conversational flow, the\nmonitor can be available to recognize packets that match the\ntype-B packet to associate with the type-A packet. If Such is\nrecognized after a type-A packet, then the particular appli\ncation program\'s conversational flow has started to reveal\n\n15\n\npreviously encountered packets (the State), and of the pos\n\n25\n\nitself to the monitor 108.\n\nFurther packets may need to be examined before the\nconversational flow can be identified as being associated\nwith the application program. Typically, monitor 108 is\nSimultaneously also in partial completion of identifying\nother packet eXchanges that are parts of conversational flows\nasSociated with other applications. One aspect of monitor\n108 is its ability to maintain the state of a flow. The state of\na flow is an indication of all previous events in the flow that\nlead to recognition of the content of all the protocol levels,\ne.g., the ISO model protocol levels. Another aspect of the\ninvention is forming a signature of extracted characteristic\nportions of the packet that can be used to rapidly identify\npackets belonging to the same flow.\nIn real-world uses of the monitor 108, the number of\n\npackets on the network 102 passing by the monitor 108\'s\nconnection point can exceed a million per Second.\nConsequently, the monitor has very little time available to\nanalyze and type each packet and identify and maintain the\nState of the flows passing through the connection point. The\nmonitor 108 therefore masks out all the unimportant parts of\neach packet that will not contribute to its classification.\nHowever, the parts to mask-out will change with each packet\ndepending on which flow it belongs to and depending on the\nstate of the flow.\n\nThe recognition of the packet type, and ultimately of the\nasSociated application programs according to the packets\nthat their executions produce, is a multi-step proceSS within\nthe monitor 108. At a first level, for example, several\napplication programs will all produce a first kind of packet.\nA first "signature\' is produced from Selected parts of a\npacket that will allow monitor 108 to identify efficiently any\npackets that belong to the same flow. In Some cases, that\npacket type may be Sufficiently unique to enable the monitor\nto identify the application that generated Such a packet in the\nconversational flow. The Signature can then be used to\nefficiently identify all future packets generated in traffic\nrelated to that application.\nIn other cases, that first packet only starts the process of\nanalyzing the conversational flow, and more packets are\nnecessary to identify the associated application program. In\n\n8\n\nSuch a case, a Subsequent packet of a Second type-but that\npotentially belongs to the same conversational flow-is\nrecognized by using the Signature. At Such a Second level,\nthen, only a few of those application programs will have\nconversational flows that can produce Such a Second packet\ntype. At this level in the process of classification, all appli\ncation programs that are not in the Set of those that lead to\nSuch a Sequence of packet types may be excluded in the\nprocess of classifying the conversational flow that includes\nthese two packets. Based on the known patterns for the\nprotocol and for the possible applications, a signature is\nproduced that allows recognition of any future packets that\nmay follow in the conversational flow.\nIt may be that the application is now recognized, or\nrecognition may need to proceed to a third level of analysis\nusing the Second level Signature. For each packet, therefore,\nthe monitor parses the packet and generates a Signature to\ndetermine if this signature identified a previously encoun\ntered flow, or shall be used to recognize future packets\nbelonging to the same conversational flow. In real time, the\npacket is further analyzed in the context of the Sequence of\n\n35\n\nSible future Sequences Such a past Sequence may generate in\nconversational flows associated with different applications.\nA new signature for recognizing future packets may also be\ngenerated. This process of analysis continues until the\napplications are identified. The last generated Signature may\nthen be used to efficiently recognize future packets associ\nated with the same conversational flow. Such an arrange\nment makes it possible for the monitor 108 to cope with\nmillions of packets per Second that must be inspected.\nAnother aspect of the invention is adding Eavesdropping.\nIn alternative embodiments of the present invention capable\nof eavesdropping, once the monitor 108 has recognized the\nexecuting application programs passing through Some point\n\nin the network 102 (for example, because of execution of the\napplications by the client 105 or server 110), the monitor\n\n40\n\n45\n\nSends a message to Some general purpose processor on the\nnetwork that can input the same packets from the same\nlocation on the network, and the processor then loads its own\nexecutable copy of the application program and uses it to\nread the content being eXchanged over the network. In other\nwords, once the monitor 108 has accomplished recognition\nof the application program, eavesdropping can commence.\nThe Network Monitor\n\n50\n\nFIG. 3 shows a network packet monitor 300, in an\nembodiment of the present invention that can be imple\nmented with computer hardware and/or Software. The Sys\ntem 300 is similar to monitor 108 in FIG.1. A packet 302 is\nexamined, e.g., from a packet acquisition device at the\n\nlocation 121 in network 102 (FIG. 1), and the packet\n\n55\n\n60\n\nevaluated, for example in an attempt to determine its\ncharacteristics, e.g., all the protocol information in a multi\nlevel model, including what Server application produced the\npacket.\nThe packet acquisition device is a common interface that\nconverts the physical Signals and then decodes them into\nbits, and into packets, in accordance with the particular\n\nnetwork (Ethernet, frame relay, ATM, etc.). The acquisition\n\ndevice indicates to the monitor 108 the type of network of\nthe acquired packet or packets.\n65\n\nAspects shown here include: (1) the initialization of the\n\nmonitor to generate what operations need to occur on\npackets of different types-accomplished by compiler and\n\noptimizer 310, (2) the processing parsing and extraction of\n\nApp. II-26\n\n\x0c9\n\nUS 6,665,725 B1\n\nSelected portions-of packets to generate an identifying\n\nSignature-accomplished by parser Subsystem 301, and (3)\n\nthe analysis of the packets-accomplished by analyzer 303.\nThe purpose of compiler and optimizer 310 is to provide\nprotocol specific information to parser subsystem 301 and to\nanalyzer Subsystem 303. The initialization occurs prior to\noperation of the monitor, and only needs to re-occur when\nnew protocols are to be added.\nA flow is a Stream of packets being eXchanged between\nany two addresses in the network. For each protocol there\n\nand recognition (PAR) engine that analyzes and recognizes\n\npatterns in the packets. In particular, the PAR locates the\nnext protocol field in the header and determines the length\nof the header, and may perform certain other tasks for certain\ntypes of protocol headers. An example of this is type and\n\nlength comparison to distinguish an IEEE 802.3 (Ethernet)\npacket from the older type 2 (or Version 2) Ethernet packet,\nalso called a DIGITAL-Intel-Xerox (DIX) packet. The PAR\n\nare known to be Several fields, Such as the destination\n\n(recipient), the Source (the Sender), and So forth, and these\n\nand other fields are used in monitor 300 to identify the flow.\nThere are other fields not important for identifying the flow,\nSuch as checksums, and those parts are not used for identi\n\n15\n\nfication.\n\nParser Subsystem 301 examines the packets using pattern\nrecognition proceSS 304 that parses the packet and deter\nmines the protocol types and associated headers for each\nprotocol layer that exists in the packet 302. An extraction\nprocess 306 in parser Subsystem 301 extracts characteristic\n25\n\nbase (parsing/extractions database) 308 filled by the com\nThe protocol description language (PDL) files 336\n\n35\n\n40\n\nthe different States and State transitions that occur in different\n\nconversational flows, and the State operations that need to be\n\n45\n\n50\n\n55\n\nperformed (e.g., patterns that need to be examined and new\nSignatures that need to be built) during any State of a\nThus, compiling the PDL files and layer selections pro\nvides monitor 300 with the information it needs to begin\nprocessing packets. In an alternate embodiment, the contents\nof one or more of databases 308 and 326 may be manually\nor otherwise generated. Note that in Some embodiments the\nlayering Selections information is inherent rather than\nexplicitly described. For example, since a PDL file for a\n\nitself to allow for any State processing that requires further\ndata from the packet. An improved embodiment of the parser\nSubsystem might generate a parser record that has Some\npredefined Structure and that includes the Signature, the\nhash, Some flags related to Some of the fields in the parser\nrecord, and parts of the packet\'s payload that the parser\nSubsystem has determined might be required for further\nprocessing, e.g., for State processing.\nNote that alternate embodiments may use Some function\nother than concatenation of the Selected portions of the\npacket to make the identifying Signature. For example, Some\n\xe2\x80\x9cdigest function\' of the concatenated Selected portions may\n\nbe used.\n\nThe parser record is passed onto lookup process 314\n\nconversational flow to further the task of analyzing the\nconversational flow.\n\nSignature depends on the protocols used in the packet. For\nSome protocols, the extracted components may include\nSource and destination addresses. For example, Ethernet\nframes have end-point addresses that are useful in building\na better flow signature. Thus, the Signature typically includes\nthe client and Server address pairs. The Signature is used to\nrecognize further packets that are or may be part of this flow.\nIn the preferred embodiment, the building of the flow key\nincludes generating a hash of the Signature using a hash\nfunction. The purpose if using Such a hash is conventional\nto spread flow-entries identified by the Signature acroSS a\ndatabase for efficient Searching. The hash generated is\npreferably based on a hashing algorithm and Such hash\ngeneration is known to those in the art.\nIn one embodiment, the parser passes data from the\n\npacket-a parser record\xe2\x80\x94that includes the signature (i.e.,\nSelected portions of the packet), the hash, and the packet\n\ntwo sets of internal data structures. The first is the set of\n\nparsing/extraction operations 308. The pattern Structures\ninclude parsing information and describe what will be\nrecognized in the headers of packets, the extraction opera\ntions are what elements of a packet are to be extracted from\nthe packets based on the patterns that get matched. Thus,\ndatabase 308 of parsing/extraction operations includes infor\nmation describing how to determine a set of one or more\nprotocol dependent extraction operations from data in the\npacket that indicate a protocol used in the packet.\nThe other internal data structure that is built by compiler\n310 is the set of state patterns and processes 326. These are\n\nextracts Selected parts of the packet, including identifying\ninformation from the packet as required for recognizing this\npacket as part of a flow. The extracted information is put in\nSequence and then processed in block 312 to build a unique\n\nflow signature (also called a \xe2\x80\x9ckey\xe2\x80\x9d) for this flow. A flow\n\npiler and optimizer 310.\n\ndescribes both patterns and States of all protocols that an\noccur at any layer, including how to interpret header\ninformation, how to determine from the packet header\ninformation the protocols at the next layer, and what infor\nmation to extract for the purpose of identifying a flow, and\nultimately, applications and Services. The layer Selections\ndatabase 338 describes the particular layering handled by the\nmonitor. That is, what protocols run on top of what protocols\nat any layer level. Thus 336 and 338 combined describe how\none would decode, analyze, and understand the information\nin packets, and, furthermore, how the information is layered.\nThis information is input into compiler and optimizer 310.\nWhen compiler and optimizer 310 executes, it generates\n\nalso uses the pattern Structures and extraction operations\ndatabase 308 to identify the next protocol and parameters\nasSociated with that protocol that enables analysis of the\nnext protocol layer. Once a pattern or a set of patterns has\nbeen identified, it/they will be associated with a set of none\nor more extraction operations. These extraction operations\n\n(in the form of commands and associated parameters) are\npassed to the extraction process 306 implemented by an\nextracting and information identifying (EII) engine that\n\nportions (signature information) from the packet 302. Both\n\nthe pattern information for parsing and the related extraction\noperations, e.g., extraction masks, are Supplied from a\nparsing-pattern-structures and extraction-operations data\n\n10\n\nprotocol includes the child protocols, the parent protocols\nalso may be determined.\nIn the preferred embodiment, the packet 302 from the\nacquisition device is input into a packet buffer. The pattern\nrecognition process 304 is carried out by a pattern analysis\n\nwhich looks in an internal data Store of records of known\n60\n\nflows that the System has already encountered, and decides\n\n(in 316) whether or not this particular packet belongs to a\n\nknown flow as indicated by the presence of a flow-entry\nmatching this flow in a database of known flows 324. A\n65\n\nrecord in database 324 is associated with each encountered\nflow.\n\nThe parser record enters a buffer called the unified flow\n\nkey buffer (UFKB). The UFKB stores the data on flows in\n\nApp. II-27\n\n\x0cUS 6,665,725 B1\n\n11\na data Structure that is similar to the parser record, but that\nincludes a field that can be modified. In particular, one or the\nUFKB record fields Stores the packet Sequence number, and\nanother is filled with state information in the form of a\nprogram counter for a State processor that implements State\nprocessing 328.\nThe determination (316) of whether a record with the\nSame signature already exists is carried out by a lookup\nengine (LUE) that obtains new UFKB records and uses the\nhash in the UFKB record to lookup if there is a matching\nknown flow. In the particular embodiment, the database of\nknown flows 324 is in an external memory. A cache is\nassociated with the database 324. A lookup by the LUE for\na known record is carried out by accessing the cache using\nthe hash, and if the entry is not already present in the cache,\nthe entry is looked up (again using the hash) in the external\n\n12\nultimately classifying the flows by application (level 7 in the\nISO model). It does this by proceeding from state-to-state\n\n15\n\nmemory.\n\nThe flow-entry database 324 stores flow-entries that\ninclude the unique flow-signature, State information, and\nextracted information from the packet for updating flows,\nand one or more Statistical about the flow. Each entry\ncompletely describes a flow. Database 324 is organized into\n\nbins that contain a number, denoted N, of flow-entries (also\ncalled flow-entries, each a bucket), with N being 4 in the\npreferred embodiment. Buckets (i.e., flow-entries) are\n\naccessed via the hash of the packet from the parser Sub\n\nis encountered. As an example, a state process (set of State\noperations) at a particular State may build a new signature\n\n25\n\nsystem 301 (i.e., the hash in the UFKB record). The hash\n\nSpreads the flows across the database to allow for fast\nlookups of entries, allowing shallower buckets. The designer\nselects the bucket depth N based on the amount of memory\nattached to the monitor, and the number of bits of the hash\n\ndata value used. For example, in one embodiment, each\nflow-entry is 128 bytes long, so for 128K flow-entries, 16\nMbytes are required. Using a 16-bit hash gives two flow\nentries per bucket. Empirically, this has been shown to be\nmore than adequate for the vast majority of cases. Note that\nanother embodiment uses flow-entries that are 256 bytes\nlong.\n\nHerein, whenever an access to database 324 is described,\nit is to be understood that the access is via the cache, unless\n\notherwise Stated or clear from the context.\n\nIf there is no flow-entry found matching the Signature, i.e.,\nthe Signature is for a new flow, then a protocol and State\nidentification process 318 further determines the state and\nprotocol. That is, process 318 determines the protocols and\nwhere in the State Sequence for a flow for this protocols this\npacket belongs. Identification process 318 uses the extracted\n\n35\n\n40\n\n45\n\nfor future recognition packets of the next State.\nBy maintaining the State of the flows and knowing that\nnew flows may be set up using the information from\npreviously encountered flows, the network traffic monitor\n\n300 provides for (a) Single-packet protocol recognition of\nflows, and (b) multiple-packet protocol recognition of flows.\n\nMonitor 300 can even recognize the application program\nfrom one or more disjointed Sub-flows that occur in Server\nannouncement type flows. What may seem to prior art\nmonitors to be Some unassociated flow, may be recognized\nby the inventive monitor using the flow signature to be a\nSub-flow associated with a previously encountered Sub-flow.\nThus, state processor 328 applies the first state operation\nto the packet for this particular flow-entry. A process 330\ndecides if more operations need to be performed for this\nState. If So, the analyzer continues looping between block\n330 and 328 applying additional state operations to this\nparticular packet until all those operations are completed\nthat is, there are no more operations for this packet in this\nstate. A process 332 decides if there are further states to be\nanalyzed for this type of flow according to the State of the\nflow and the protocol, in order to fully characterize the flow.\nIf not, the conversational flow has now been fully charac\nterized and a process 334 finalizes the classification of the\nconversational flow for the flow.\n\nIn the particular embodiment, the state processor 328\nStarts the State processing by using the last protocol recog\n\ninformation and makes reference to the database 326 of State\n\npatterns and processes. Process 318 is then followed by any\nState operations that need to be executed on this packet by\na state processor 328.\nIf the packet is found to have a matching flow-entry in the\n\n50\n\ndetermines, from the looked-up flow-entry, if more classi\nfication by State processing of the flow Signature is neces\nSary. If not, a process 322 updates the flow-entry in the\n\n55\n\ndatabase 324 (e.g., in the cache), then a process 320\n\nflow-entry database 324 (e.g., via the cache). Updating\n\nincludes updating one or more Statistical measures Stored in\nthe flow-entry. In our embodiment, the Statistical measures\nare Stored in counters in the flow-entry.\nIf State processing is required, State process 328 is com\nmenced. State processor 328 carries out any State operations\nspecified for the state of the flow and updates the state to the\nnext State according to a set of State instructions obtained\nform the State pattern and processes database 326.\nThe state processor 328 analyzes both new and existing\nflows in order to analyze all levels of the protocol Stack,\n\nbased on predefined State transition rules and State opera\ntions as Specified in State processor instruction database 326.\nA State transition rule is a rule typically containing a test\nfollowed by the next-state to proceed to if the test result is\ntrue. An operation is an operation to be performed while the\nState processor is in a particular State-for example, in order\nto evaluate a quantity needed to apply the State transition\nrule. The State processor goes through each rule and each\nState proceSS until the test is true, or there are no more tests\nto perform.\nIn general, the Set of State operations may be none or more\noperations on a packet, and carrying out the operation or\noperations may leave one in a State that causes exiting the\nSystem prior to completing the identification, but possibly\nknowing more about what State and State processes are\nneeded to execute next, i.e., when a next packet of this flow\n\n60\n\nnized by the parser as an offset into a jump table (jump\nvector). The jump table finds the State processor instructions\n\nto use for that protocol in the State patterns and processes\ndatabase 326. Most instructions test something in the unified\nflow key buffer, or the flow-entry in the database of known\nflows 324, if the entry exists. The state processor may have\nto test bits, do comparisons, add, or Subtract to perform the\ntest. For example, a common operation carried out by the\nState processor is Searching for one or more patterns in the\npayload part of the UFKB.\nThus, in 332 in the classification, the analyzer decides\n\nwhether the flow is at an end State. If not at an end State, the\n\nflow-entry is updated (or created if a new flow) for this\nflow-entry in process 322.\n\nFurthermore, if the flow is known and if in 332 it is\n\n65\n\ndetermined that there are further States to be processed using\nlater packets, the flow-entry is updated in proceSS 322.\nThe flow-entry also is updated after classification final\nization So that any further packets belonging to this flow will\n\nApp. II-28\n\n\x0c13\n\nUS 6,665,725 B1\n\n14\ncalled an Ethernet Type/Version 2 and a DIX (DIGITAL\nIntel-Xerox packet) -or an IEEE 803.2 packet. Continuing\nwith the IEEE 802.3 packet, one of the children nodes may\nbe the IP protocol, and one of the children of the IP protocol\nmay be the TCP protocol.\nFIG. 16 shows the header 1600 (base level 1) of a\ncomplete Ethernet frame (i.e., packet) of information and\n\nbe readily identified from their Signature as belonging to this\nfully analyzed conversational flow.\nAfter updating, database 324 therefore includes the set of\nall the conversational flows that have occurred.\n\nThus, the embodiment of present invention shown in FIG.\n3 automatically maintains flow-entries, which in one aspect\nincludes Storing States. The monitor of FIG.3 also generates\ncharacteristic parts of packets-the Signatures-that can be\nused to recognize flows. The flow-entries may be identified\nand accessed by their signatures. Once a packet is identified\n\nincludes information on the destination media access control\n\naddress (Dst MAC 1602) and the source media access\ncontrol address (Src MAC 1604). Also shown in FIG. 16 is\nsome (but not all) of the information specified in the PDL\n\nto be from a known flow, the state of the flow is known and\n\nthis knowledge enables State transition analysis to be per\nformed in real time for each different protocol and applica\ntion. In a complex analysis, State transitions are traversed as\nmore and more packets are examined. Future packets that\nare part of the same conversational flow have their State\nanalysis continued from a previously achieved State. When\nenough packets related to an application of interest have\nbeen processed, a final recognition State is ultimately\nreached, i.e., a Set of States has been traversed by State\nanalysis to completely characterize the conversational flow.\nThe Signature for that final State enables each new incoming\npacket of the same conversational flow to be individually\nrecognized in real time.\nIn this manner, one of the great advantages of the present\ninvention is realized. Once a particular set of State transitions\n\nfiles for extraction the Signature.\n\nFIG. 17A now shows the header information for the next\n\n15\n\n25\n\nThe new states for the flow-those associated with a set of\n\nthe 3-D structure is preferred.\n\nAn alternate embodiment of the data Structure used in\n\n35\n\n40\n\n45\n\n50\n\nDetailed Operation\nFIG. 4 diagrams an initialization system 400 that includes\nthe compilation process. That is, part of the initialization\ngenerates the pattern Structures and extraction operations\n\n55\n\nnodes. The packet type is the root of a tree (called level 0).\nEach protocol is either a parent node or a terminal node. A\nparent node links a protocol to other protocols (child\nprotocols) that can be at higher layer levels. Thus a protocol\n\nmay have Zero or more children. Ethernet packets, for\nexample, have Several variants, each having a basic format\n\nthat remains Substantially the same. An Ethernet packet (the\nroot or level 0 node) may be an Ethertype packet-also\n\ndatabase 308 is illustrated in FIG. 18B. Thus, like the 3-D\n\nstructure of FIG. 18A, the data structure permits rapid\nSearches to be performed by the pattern recognition process\n304 by indexing locations in a memory rather than perform\ning address link computations. In this alternate embodiment,\nthe PRD 308 includes two parts, a single protocol table 1850\n\n(PT) which has an entry for each protocol known for the\nmonitor, and a series of Look Up Tables 1870 (LUTs) that\n\nare used to identify known protocols and their children. The\nprotocol table includes the parameters needed by the pattern\n\nis encountered.\n\nThe different protocols that can exist in different layers\nmay be thought of as nodes of one or more trees of linked\n\nThe pattern, parse, and extraction database (pattern rec\nognition database, or PRD) 308 generated by compilation\n\na 3-D representation 1800 (which may be considered as an\nindexed set of 2-D representations). A compressed form of\n\nState transitions for one or more potential applications-are\nadded to the records of previously encountered States for\neasy recognition and retrieval when a new packet in the flow\n\ndatabase 308 and the state instruction database 328. Such\ninitialization can occur off-line or from a central location.\n\npossible children for an Ethertype packet as indicated by\nwhat child recognition pattern is found offset 12. FIG. 17B\nshows the structure of the header of one of the possible next\nlevels, that of the IP protocol. The possible children of the\nIP protocol are shown in table 1752.\nprocess 310, in one embodiment, is in the form of a three\ndimensional Structure that provides for rapidly Searching\npacket headers for the next protocol. FIG. 18A shows such\n\ntransitions.\n\nWhen each new conversational flow Starts, Signatures that\nrecognize the flow are automatically generated on-the-fly,\nand as further packets in the conversational flow are\nencountered, signatures are updated and the States of the Set\nof State transitions for any potential application are further\ntraversed according to the State transition rules for the flow.\n\ntype packet 1700, the relevant information from the packet\nthat indicates the next layer level is a two-byte type field\n1702 containing the child recognition pattern for the next\nlevel. The remaining information 1704 is shown hatched\n\nbecause it not relevant for this level. The list 1712 shows the\n\nhas been traversed for the first time and ends in a final State,\n\na short-cut recognition pattern-a Signature-can be gener\nated that will key on every new incoming packet that relates\nto the conversational flow. Checking a signature involves a\nSimple operation, allowing high packet rates to be Success\nfully monitored on the network.\nIn improved embodiments, Several State analyzers are run\nin parallel So that a large number of protocols and applica\ntions may be checked for. Every known protocol and appli\ncation will have at least one unique Set of State transitions,\nand can therefore be uniquely identified by watching Such\n\nlevel (level-2) for an Ethertype packet 1700. For an Ether\n\nanalysis and recognition process 304 (implemented by PRE\n1006) to evaluate the header information in the packet that\nis associated with that protocol, and parameters needed by\nextraction process 306 (implemented by slicer 1007) to\n\nprocess the packet header. When there are children, the PT\ndescribes which bytes in the header to evaluate to determine\nthe child protocol. In particular, each PT entry contains the\nheader length, an offset to the child, a Slicer command, and\nSome flags.\nThe pattern matching is carried out by finding particular\n\xe2\x80\x9cchild recognition codes\' in the header fields, and using\nthese codes to index one or more of the LUTs. Each LUT\n\nentry has a node code that can have one of four values,\nindicating the protocol that has been recognized, a code to\nindicate that the protocol has been partially recognized\n60\n\n65\n\n(more LUT lookups are needed), a code to indicate that this\n\nis a terminal node, and a null node to indicate a null entry.\nThe next LUT to lookup is also returned from a LUT lookup.\nCompilation process is described in FIG. 4. The source\ncode information in the form of protocol description files is\nshown as 402. In the particular embodiment, the high level\ndecoding descriptions includes a set of protocol description\nfiles 336, one for each protocol, and a set of packet layer\n\nApp. II-29\n\n\x0cUS 6,665,725 B1\n\n15\nselections 338, which describes the particular layering (sets\nof trees of protocols) that the monitor is to be able to handle.\nA compiler 403 compiles the descriptions. The set of\npacket parse-and-extract operations 406 is generated (404),\n\n16\n\nIf a component is successfully loaded in 503, the node and\n\nprocesses are fetched (505) from the pattern, parse and\n\nextraction database 308 to provide a set of patterns and\nprocesses for that node to apply to the loaded packet\n\nand a set of packet State instructions and operations 407 is\nprocessor that implements State processing process 328.\nData files for each type of application and protocol to be\nrecognized by the analyzer are downloaded from the pattern,\nparse, and extraction database 406 into the memory Systems\n\ndetermine if the fetch pattern node operation 505 completed\nSuccessfully, indicating there was a pattern node that loaded\nin 505. If not, step 511 moves to the next packet component.\nIf yes, then the node and pattern matching process are\napplied in 507 to the component extracted in 503. A pattern\n\n500 description and FIG. 5; the extraction process 600\ndescription and FIG. 6; and the parsing Subsystem hardware\n\nparser Subsystem 301 has found a node in the parsing\nelements; the parser subsystem 301 proceeds to step 509 to\n\ncomponent. The parser Subsystem 301 checks (506) to\n\ngenerated (405) in the form of instructions for the state\n\nof the parser and extraction engines. (See the parsing process\n\nmatch obtained in 507 (as indicated by test 508) means the\n\ndescription and FIG. 10). Data files for each type of appli\n\ncation and protocol to be recognized by the analyzer are also\ndownloaded from the State-processor instruction database\n\nextract the elements.\n15\n\nand to step 505 to fetch the next node and process. Thus,\nthere is an \xe2\x80\x9capplying patterns\' loop between 508 and 505.\nOnce the parser Subsystem 301 completes all the patterns\nand has either matched or not, the parser subsystem 301\n\nNote that generating the packet parse and extraction\noperations builds and links the three dimensional Structure\n\n(one embodiment) or the or all the lookup tables for the\nPRD.\n\nBecause of the large number of possible protocol trees and\nsubtrees, the compiler process 400 includes optimization\nthat compares the trees and Subtrees to see which children\nshare common parents. When implemented in the form of\nthe LUTs, this proceSS can generate a single LUT from a\nplurality of LUTs. The optimization process further\nincludes a compaction process that reduces the Space needed\n\nmoves to the next packet component (511).\n\n25\n\nAS an example of compaction, consider the 3-D Structure\nof FIG. 18A that can be thought of as a set of 2-D structures\neach representing a protocol. To enable Saving Space by\nusing only one array per protocol which may have several\nparents, in one embodiment, the pattern analysis SubproceSS\n\nkeeps a \xe2\x80\x9ccurrent header\' pointer. Each location (offset)\n\nlosing the identity of any of the original 2-D arrays (i.e., all\nthe 2-D arrays continue to exist logically). Folding can occur\n\nbetween any 2-D arrays irrespective of their location in the\ntree as long as certain conditions are met. Multiple arrayS\nmay be combined into a single array as long as the individual\nentries do not conflict with each other. A fold number is then\n\nand a pattern node available in a buffer (602). Step 603 loads\n\nprocess of FIG. 5. If the load completed (test 604), indicat\n35\n\ncomponents are extracted from each packet 302 one element\n\n40\n\n45\n\n50\n\nsystem 301 builds the packet signature (512)-the next stage\n(FIG. 6).\n\nthere are extraction elements to apply, the parser Subsystem\n301 in step 607 applies that extraction process to the packet\ncomponent based on an extraction instruction received from\nthat pattern node. This removes and Saves an element from\nthe packet component.\nIn step 608, the parser Subsystem 301 checks if there is\nmore to extract from this component, and if not, the parser\nSubsystem 301 moves back to 603 to load the next packet\ncomponent at hand and repeats the process. If the answer is\nyes, then the parser Subsystem 301 moves to the next packet\ncomponent ratchet. That new packet component is then\nloaded in step 603. As the parser subsystem 301 moved\nthrough the loop between 608 and 603, extra extraction\nprocesses are applied either to the Same packet component\nif there is more to extract, or to a different packet component\nif there is no more to extract.\n\n55\n\n60\n\nat a time. A check is made (504) to determine if the\n\nload-packet-component operation 503 Succeeded, indicating\nthat there was more in the packet to process. If not, indi\ncating all components have been loaded, the parser Sub\n\ning that there was indeed another packet component, the\nparser Subsystem 301 fetches in 605 the extraction and\nprocess elements received from the pattern node component\n\nin 602. If the fetch was successful (test 606), indicating that\n\nthe alternate embodiment of FIG. 18B.\n\npacket buffer in step 502. Step 503 loads the next (initially\nthe first) packet component from the packet 302. The packet\n\nwill fail (indicated by test 504), and the parser subsystem\n\nthe packet component available from the pattern analysis\n\nused to associate each element with its original array. A\nsimilar folding process is used for the set of LUTs 1850 in\nIn 410, the analyzer has been initialized and is ready to\nperform recognition.\nFIG. 5 shows a flowchart of how actual parser subsystem\n301 functions. Starting at 501, the packet 302 is input to the\n\nOnce all the packet components have been the loaded and\nprocessed from the input packet 302, then the load packet\n\n301 moves to build a packet signature which is described in\nFIG. 6 FIG. 6 is a flow chart for extracting the information\nfrom which to build the packet signature. The flow starts at\n601, which is the exit point 513 of FIG. 5. At this point\nparser Subsystem 301 has a completed packet component\n\nto store the data of the PRD.\n\nindex for each protocol 2-D array in the 3-D structure is a\nrelative location starting with the start of header for the\nparticular protocol. Furthermore, each of the two\ndimensional arrays is sparse. The next Step of the\noptimization, is checking all the 2-D arrays against all the\nother 2-D arrays to find out which ones can share memory.\nMany of these 2-D arrays are often Sparsely populated in that\nthey each have only a Small number of valid entries. So, a\nprocess of "folding\xe2\x80\x9d is next used to combine two or more\n2-D arrays together into one physical 2-D array without\n\nIf applying the node process to the component does not\n\nproduce a match (test 508), the parser Subsystem 301 moves\n(510) to the next pattern node from the pattern database 308\n\n407 into the state processor. (see the state processor 1108\ndescription and FIG. 11.).\n\n65\n\nThe extraction process thus builds the Signature, extract\ning more and more components according to the information\nin the patterns and extraction database 308 for the particular\npacket. Once loading the next packet component operation\n\n603 fails (test 604), all the components have been extracted.\nThe built signature is loaded into the signature buffer (610)\n\nand the parser Subsystem 301 proceeds to FIG. 7 to complete\nthe Signature generation process.\nReferring now to FIG. 7, the process continues at 701. The\nSignature buffer and the pattern node elements are available\n\n(702). The parser subsystem 301 loads the next pattern node\nelement. If the load was successful (test 704) indicating\nthere are more nodes, the parser subsystem 301 in 705\n\nApp. II-30\n\n\x0c17\n\nUS 6,665,725 B1\n\nhashes the Signature buffer element based on the hash\nelements that are found in the pattern node that is in the\nelement database. In 706 the resulting signature and the hash\nare packed. In 707 the parser subsystem 301 moves on to the\nnext packet component which is loaded in 703.\nThe 703 to 707 loop continues until there are no more\n\nIt may be that the bucket of the bin did not lead to a\n\nSignature match (test 808). In Such a case, the analyzer in\n\n809 moves to the next bucket for this bin. Step 804 again\nlooks up the cache for another bucket from that bin. The\nlookup/update engine thus continues lookup up buckets of\nthe bin until there is either a match in 808 or operation 804\n\nis not successful (test 805), indicating that there are no more\n\npatterns of elements left (test 704). Once all the patterns of\n\nelements have been hashed, processes 304,306 and 312 of\nparser subsystem 301 are complete. Parser subsystem 301\nhas generated the Signature used by the analyzer Subsystem\n\nbuckets in the bin and no match was found.\n\nIf no match was found, the packet belongs to a new (not\npreviously encountered) flow. In 806 the system indicates\n\n303.\n\nthat the record in the unified flow key buffer for this packet\nis new, and in 812, any Statistical updating operations are\nperformed for this packet by updating the flow-entry in the\ncache. The update operation exits at 813. A flow insertion/\n\nA parser record is loaded into the analyzer, in particular,\n\ninto the UFKB in the form of a UFKB record which is\n\nSimilar to a parser record, but with one or more different\nfields.\n\nFIG. 8 is a flow diagram describing the operation of the\n\n15\n\nlookup/update engine (LUE) that implements lookup opera\n\ntion 314. The process starts at 801 from FIG. 7 with the\nparser record that includes a Signature, the hash and at least\nparts of the payload. In 802 those elements are shown in the\nform of a UFKB-entry in the buffer. The LUE, the lookup\nengine 314 computes a \xe2\x80\x9crecord bin number\xe2\x80\x9d from the hash\nfor a flow-entry. A bin herein may have one or more\n\xe2\x80\x9cbuckets\xe2\x80\x9d each containing a flow-entry. The preferred\nembodiment has four buckets per bin.\nSince preferred hardware embodiment includes the cache,\n\nbe clear to those in the art.\n25\n\nall data accesses to records in the flowchart of FIG. 8 are\n\ntimestamp added. Step 811 indicates to the UFKB that the\nUFKB-entry in 802 has a status of \xe2\x80\x9cfound.\xe2\x80\x9d The \xe2\x80\x9cfound\xe2\x80\x9d\nindication allows the State processing 328 to begin proceSS\ning this UFKB element. The preferred hardware embodi\nment includes one or more State processors, and these can\noperate in parallel with the lookup/update engine.\nIn the preferred embodiment, a Set of Statistical operations\nis performed by a calculator for every packet analyzed. The\nStatistical operations may include one or more of counting\nthe packets associated with the flow; determining Statistics\nrelated to the size of packets of the flow; compiling Statistics\non differences between packets in each direction, for\nexample using timestamps, and determining Statistical rela\ntionships of timestamps of packets in the same direction.\nThe Statistical measures are kept in the flow-entries. Other\nStatistical measures also may be compiled. These Statistics\nmay be used singly or in combination by a Statistical\nprocessor component to analyze many different aspects of\nthe flow. This may include determining network usage\nmetrics from the Statistical measures, for example to ascer\ntain the network\'s ability to transfer information for this\napplication. Such analysis provides for measuring the qual\nity of Service of a conversation, measuring how well an\napplication is performing in the network, measuring network\nresources consumed by an application, and So forth.\nTo provide for Such analyses, the lookup/update engine\nupdates one or more counters that are part of the flow-entry\n\n(in the cache) in step 812. The process exits at 813. In our\n\nembodiment, the counters include the total packets of the\nflow, the time, and a differential time from the last timestamp\nto the present timestamp.\n\ndeletion engine (FIDE) creates a new record for this flow\n(again via the cache).\n\nThus, the updatelookup engine ends with a UFKB-entry\nfor the packet with a \xe2\x80\x9cnew\xe2\x80\x9d status or a \xe2\x80\x9cfound\xe2\x80\x9d status.\nNote that the above system uses a hash to which more\nthan one flow-entry can match. A longer hash may be used\nthat corresponds to a single flow-entry. In Such an\nembodiment, the flow chart of FIG. 8 is simplified as would\n\nStated as being to or from the cache.\nThus, in 804, the system looks up the cache for a bucket\nfrom that bin using the hash. If the cache Successfully\nreturns with a bucket from the bin number, indicating there\nare more buckets in the bin, the lookup/update engine\n\ncompares (807) the current signature (the UFKB-entry\'s\nSignature) from that in the bucket (i.e., the flow-entry\nsignature). If the signatures match (test 808), that record (in\nthe cache) is marked in step 810 as \xe2\x80\x9cin process\xe2\x80\x9d and a\n\n18\n\nThe Hardware System\nEach of the individual hardware elements through which\nthe data flows in the system are now described with refer\nence to FIGS. 10 and 11. Note that while we are describing\na particular hardware implementation of the invention\nembodiment of FIG. 3, it would be clear to one skilled in the\n\nart that the flow of FIG.3 may alternatively be implemented\nin Software running on one or more general-purpose\nprocessors, or only partly implemented in hardware. An\nimplementation of the invention that can operate in Software\n35\n\nis shown in FIG. 14. The hardware embodiment (FIGS. 10\nand 11) can operate at over a million packets per second,\n\nwhile the Software system of FIG. 14 may be suitable for\nslower networks. To one skilled in the art it would be clear\n\n40\n\n45\n\n50\n\n55\n\nthat more and more of the System may be implemented in\nSoftware as processors become faster.\n\nFIG. 10 is a description of the parsing subsystem (301,\nshown here as Subsystem 1000) as implemented in hard\n\nware. Memory 1001 is the pattern recognition database\nmemory, in which the patterns that are going to be analyzed\nare stored. Memory 1002 is the extraction-operation data\nbase memory, in which the extraction instructions are Stored.\nBoth 1001 and 1002 correspond to internal data structure\n308 of FIG. 3. Typically, the system is initialized from a\n\nmicroprocessor (not shown) at which time these memories\n\nare loaded through a host interface multiplexor and control\nregister 1005 via the internal buses 1003 and 1004. Note that\nthe contents of 1001 and 1002 are preferably obtained by\ncompiling process 310 of FIG. 3.\nA packet enters the parsing System via 1012 into a parser\ninput buffer memory 1008 using control signals 1021 and\n1023, which control an input buffer interface controller\n1022. The buffer 1008 and interface control 1022 connect to\n\na packet acquisition device (not shown). The buffer acqui\n\n60\n\n65\n\nSition device generates a packet Start Signal 1021 and the\n\ninterface control 1022 generates a next packet (i.e., ready to\nreceive data) signal 1023 to control the data flow into parser\ninput buffer memory 1008. Once a packet starts loading into\nthe buffer memory 1008, pattern recognition engine (PRE)\n\n1006 carries out the operations on the input buffer memory\ndescribed in block 304 of FIG. 3. That is, protocol types and\nasSociated headers for each protocol layer that exist in the\npacket are determined.\n\nApp. II-31\n\n\x0c19\n\nUS 6,665,725 B1\n\nThe PRE searches database 1001 and the packet in buffer\n1008 in order to recognize the protocols the packet contains.\nIn one implementation, the database 1001 includes a series\nof linked lookup tables. Each lookup table uses eight bits of\naddressing. The first lookup table is always at address Zero.\nThe Pattern Recognition Engine uses a base packet offset\nfrom a control register to Start the comparison. It loads this\n\n5\n\nvalue into a current offset pointer (COP). It then reads the\n\nbyte at base packet offset from the parser input buffer and\nuses it as an address into the first lookup table.\nEach lookup table returns a word that links to another\nlookup table or it returns a terminal flag. If the lookup\nproduces a recognition event the database also returns a\ncommand for the slicer. Finally it returns the value to add to\nthe COP\n\n1109.\n\n15\n\n(CAMs) defined for future protocol additions.\n\n25\n\nblocks 306 and 312 of FIG. 3. The commands are sent from\nPRE 1006 to slicer 1007 in the form of extraction instruction\n\npointers which tell the extraction engine 1007 where to a\nfind the instructions in the extraction operations database\n\nThus, when the PRE 1006 recognizes a protocol it outputs\nboth the protocol identifier and a process code to the\nextractor. The protocol identifier is added to the flow sig\nnature and the proceSS code is used to fetch the first\n\n35\n\ninclude an operation code and usually Source and destination\noffsets as well as a length. The offsets and length are in\nbytes. A typical operation is the MOVE instruction. This\ninstruction tells the slicer 1007 to copy n bytes of data\nunmodified from the input buffer 1008 to the output buffer\n1010. The extractor contains a byte-wise barrel shifter so\nthat the bytes moved can be packed into the flow Signature.\n\n40\n\ninstruction from the instruction database 1002. Instructions\n\nbuffer (UFKB) 1103. UFKB is comprised of memory set up\n\nrecords in the UFKB 1103: the lookup/update engine (LUE)\n1107, the state processor (SP) 1108, and the flow insertion\nand deletion engine (FIDE) 1110. Each of these is imple\nmented by one or more finite state machines (FSM\'s). There\nis bi-directional access between each of the finite State\n\nmachines and the unified flow key buffer 1103. The UFKB\nrecord includes a field that Stores the packet Sequence\n\n45\n\nThe extractor contains another instruction called HASH.\n\nThis instruction tells the extractor to copy from the input\nbuffer 1008 to the HASH generator.\nThus these instructions are for extracting Selected element\n\n50\n\nthe data to a parser output buffer memory 1010. Some\ninstructions also generate a hash.\nThe extraction engine 1007 and the PRE operate as a\npipeline. That is, extraction engine 1007 performs extraction\noperations on data in input buffer 1008 already processed by\n\n55\n\n(S) of the packet in the input buffer memory and transferring\n\nPRE 1006 while more (i.e., later arriving) packet informa\n\ntion is being simultaneously parsed by PRE 1006. This\nprovides high processing Speed Sufficient to accommodate\nthe high arrival rate Speed of packets.\nOnce all the Selected parts of the packet used to form the\nSignature are extracted, the hash is loaded into parser output\nbuffer memory 1010. Any additional payload from the\npacket that is required for further analysis is also included.\nThe parser output memory 1010 is interfaced with the\nanalyzer subsystem by analyzer interface control 1011. Once\n\nWith the SPID 1109 loaded, the analyzer subsystem 1100\nreceives parser records comprising packet signatures and\npayloads that come from the parser into the unified flow key\n\nto maintain UFKB records. A UFKB record is essentially a\nparser record; the UFKB holds records of packets that are to\nbe processed or that are in process. Furthermore, the UFKB\nprovides for one or more fields to act as modifiable Status\nflags to allow different processes to run concurrently.\nThree processing engines run concurrently and access\n\nare sent to the extraction engine 1007 that extracts informa\ntion from the packet to build the parser record. Thus, the\noperations of the extraction engine are those carried out in\n\nmemory (i.e., slicer instruction database) 1002.\n\nThe analyzer subsystem 1100 includes a hostbus interface\n1122 using an analyzer host interface controller 1118, which\nin turn has access to a cache System 1115. The cache System\nhas bi-directional access to and from the State processor of\nthe system 1108. State processor 1108 is responsible for\ninitializing the State processor instruction database memory\n1109 from information given over the host bus interface\n1122.\n\nhas two full sixteen bit content addressable memories\n\nThus, whenever the PRE recognizes a pattern, it also\n\nall the information of a packet is in the parser output buffer\nmemory 1010, a data ready signal 1025 is asserted by\nanalyzer interface control. The data from the parser Sub\nsystem 1000 is moved to the analyzer subsystem via 1013\nwhen an analyzer ready Signal 1027 is asserted.\nFIG. 11 shows the hardware components and dataflow for\nthe analyzer Subsystem that performs the functions of the\nanalyzer Subsystem 303 of FIG.3. The analyzer is initialized\nprior to operation, and initialization includes loading the\nState processing information generated by the compilation\nprocess 310 into a database memory for the State processing,\n\ncalled state processor instruction database (SPID) memory\n\nThe PRE 1006 includes of a comparison engine. The\ncomparison engine has a first Stage that checks the protocol\ntype field to determine if it is an 802.3 packet and the field\nshould be treated as a length. If it is not a length, the protocol\nis checked in a Second Stage. The first stage is the only\nprotocol level that is not programmable. The Second Stage\n\ngenerates a command for the extraction engine (also called\na "slicer\xe2\x80\x9d) 1007. The recognized patterns and the commands\n\n20\n\n60\n\nnumber, and another that is filled with state information in\n\nthe form of a program counter for the state processor 1108\nthat implements State processing 328. The Status flags of the\nUFKB for any entry includes that the LUE is done and that\nthe LUE is transferring processing of the entry to the State\nprocessor. The LUE done indicator is also used to indicate\nwhat the next entry is for the LUE. There also is provided a\nflag to indicate that the State processor is done with the\ncurrent flow and to indicate what the next entry is for the\nState processor. There also is provided a flag to indicate the\nState processor is transferring processing of the UFKB-entry\nto the flow insertion and deletion engine.\nA new UFKB record is first processed by the LUE 1107.\nA record that has been processed by the LUE 1107 may be\nprocessed by the state processor 1108, and a UFKB record\ndata may be processed by the flow insertion/deletion engine\n110 after being processed by the state processor 1108 or only\nby the LUE. Whether or not a particular engine has been\napplied to any unified flow key buffer entry is determined by\nStatus fields Set by the engines upon completion. In one\nembodiment, a status flag in the UFKB-entry indicates\nwhether an entry is new or found. In other embodiments, the\nLUE issues a flag to pass the entry to the State processor for\nprocessing, and the required operations for a new record are\nincluded in the SP instructions.\n\n65\n\nNote that each UFKB-entry may not need to be processed\nby all three engines. Furthermore, some UFKB entries may\nneed to be processed more than once by a particular engine.\n\nApp. II-32\n\n\x0cUS 6,665,725 B1\n\n21\nEach of these three engines also has bi-directional acceSS\nto a cache Subsystem 1115 that includes a caching engine.\nCache 1115 is designed to have information flowing in and\nout of it from five different points within the system: the\nthree engines, external memory via a unified memory con\ntroller (UMC) 1119 and a memory interface 1123, and a\nmicroprocessor via analyzer host interface and control unit\n(ACIC) 1118 and host interface bus (HIB) 1122. The ana\nlyzer microprocessor (or dedicated logic processor) can thus\ndirectly insert or modify data in the cache.\nThe cache subsystem 1115 is an associative cache that\nincludes a set of content addressable memory cells (CAMs)\neach including an address portion and a pointer portion\npointing to the cache memory (e.g., RAM) containing the\ncached flow-entries. The CAMS are arranged as a Stack\nordered from a top CAM to a bottom CAM. The bottom\nCAM\'s pointerpoints to the least recently used (LRU) cache\nmemory entry. Whenever there is a cache miss, the contents\nof cache memory pointed to by the bottom CAM are\nreplaced by the flow-entry from the flow-entry database 324.\nThis now becomes the most recently used entry, So the\ncontents of the bottom CAM are moved to the top CAM and\n\n15\n\nall CAM contents are shifted down. Thus, the cache is an\n\nasSociative cache with a true LRU replacement policy.\nThe LUE 1107 first processes a UFKB-entry, and basi\ncally performs the operation of blocks 314 and 316 in FIG.\n3. A signal is provided to the LUE to indicate that a \xe2\x80\x9cnew\xe2\x80\x9d\nUFKB-entry is available. The LUE uses the hash in the\nUFKB-entry to read a matching bin of up to four buckets\nfrom the cache. The cache System attempts to obtain the\nmatching bin. If a matching bin is not in the cache, the cache\n1115 makes the request to the UMC 1119 to bring in a\nmatching bin from the external memory.\nWhen a flow-entry is found using the hash, the LUE 1107\nlooks at each bucket and compares it using the Signature to\nthe signature of the UFKB-entry until there is a match or\n\n25\n\n35\n\nthere are no more buckets.\n\nIf there is no match, or if the cache failed to provide a bin\nof flow-entries from the cache, a time Stamp in Set in the flow\nkey of the UFKB record, a protocol identification and state\ndetermination is made using a table that was loaded by\ncompilation process 310 during initialization, the Status for\nthe record is Set to indicate the LUE has processed the\nrecord, and an indication is made that the UFKB-entry is\nready to Start State processing. The identification and State\ndetermination generates a protocol identifier which in the\npreferred embodiment is a \xe2\x80\x9cjump vector\' for the state\nprocessor which is kept by the UFKB for this UFKB-entry\nand used by the State processor to start State processing for\nthe particular protocol. For example, the jump vector jumps\nto the Subroutine for processing the State.\nIf there was a match, indicating that the packet of the\nUFKB-entry is for a previously encountered flow, then a\ncalculator component enters one or more Statistical measures\nStored in the flow-entry, including the timestamp. In\naddition, a time difference from the last Stored timestamp\nmay be Stored, and a packet count may be updated. The State\nof the flow is obtained from the flow-entry is examined by\nlooking at the protocol identifier stored in the flow-entry of\ndatabase 324. If that value indicates that no more classifi\n\ncation is required, then the Status for the record is Set to\nindicate the LUE has processed the record. In the preferred\nembodiment, the protocol identifier is a jump vector for the\nState processor to a Subroutine to State processing the\nprotocol, and no more classification is indicated in the\npreferred embodiment by the jump vector being Zero. If the\n\n40\n\n45\n\n50\n\n55\n\n60\n\n65\n\n22\nprotocol identifier indicates more processing, then an indi\ncation is made that the UFKB-entry is ready to start state\nprocessing and the Status for the record is Set to indicate the\nLUE has processed the record.\nThe state processor 1108 processes information in the\ncache system according to a UFKB-entry after the LUE has\ncompleted. State processor 1108 includes a state processor\nprogram counter SPPC that generates the address in the State\nprocessor instruction database 1109 loaded by compiler\nprocess 310 during initialization. It contains an Instruction\nPointer (SPIP) which generates the SPID address. The\ninstruction pointer can be incremented or loaded from a\nJump Vector Multiplexor which facilitates conditional\nbranching. The SPIP can be loaded from one of three\nsources: (1) A protocol identifier from the UFKB, (2) an\nimmediate jump vector form the currently decoded\ninstruction, or (3) a value provided by the arithmetic logic\nunit (SPALU) included in the state processor.\nThus, after a Flow Key is placed in the UFKB by the LUE\nwith a known protocol identifier, the Program Counter is\ninitialized with the last protocol recognized by the Parser.\nThis first instruction is a jump to the Subroutine which\nanalyzes the protocol that was decoded.\nThe State Processor ALU (SPALU) contains all the\nArithmetic, Logical and String Compare functions necessary\nto implement the State Processor instructions. The main\nblocks of the SPALU are: The A and B Registers, the\nInstruction Decode & State Machines, the String Reference\nMemory the Search Engine, an Output Data Register and an\nOutput Control Register\nThe Search Engine in turn contains the Target Search\nRegister Set, the Reference Search Register Set, and a\nCompare block which compares two operands by exclusive\nor-ing them together.\nThus, after the UFKB sets the program counter, a\nSequence of one or more State operations are be executed in\nstate processor 1108 to further analyze the packet that is in\nthe flow key buffer entry for this particular packet.\nFIG. 13 describes the operation of the state processor\n1108. The state processor is entered at 1301 with a unified\nflow key buffer entry to be processed. The UFKB-entry is\nnew or corresponding to a found flow-entry. This UFKB\nentry is retrieved from unified flow key buffer 1103 in 1301.\nIn 1303, the protocol identifier for the UFKB-entry is used\nto Set the State processor\'s instruction counter. The State\nprocessor 1108 starts the process by using the last protocol\nrecognized by the parser subsystem 301 as an offset into a\njump table. The jump table takes us to the instructions to use\nfor that protocol. Most instructions test Something in the\nunified flow key buffer or the flow-entry if it exists. The state\nprocessor 1108 may have to test bits, do comparisons, add or\nSubtract to perform the test.\nThe first state processor instruction is fetched in 1304\nfrom the state processor instruction database memory 1109.\nThe State processor performs the one or more fetched\noperations (1304). In our implementation, each single State\nprocessor instruction is very primitive (e.g., a move, a\ncompare, etc.), So that many Such instructions need to be\nperformed on each unified flow key buffer entry. One aspect\nof the State processor is its ability to Search for one or more\n(up to four) reference Strings in the payload part of the\nUFKB entry. This is implemented by a search engine\ncomponent of the State processor responsive to special\nSearching instructions.\nIn 1307, a check is made to determine if there are any\nmore instructions to be performed for the packet. If yes, then\n\nApp. II-33\n\n\x0c23\n\nUS 6,665,725 B1\n\n24\nin place to complete the record. In 1211 the System marks the\nrecord bin and bucket as \xe2\x80\x9cin process\xe2\x80\x9d and as \xe2\x80\x9cnew\xe2\x80\x9d in the\ncache System (and hence in the external memory). In 1212,\n\nin 1308 the system sets the state processor instruction\n\npointer (SPIP) to obtain the next instruction. The SPIP may\n\nbe set by an immediate jump vector in the currently decoded\ninstruction, or by a value provided by the SPALU during\nprocessing.\nThe next instruction to be performed is now fetched\n\nthe initial Statistical measures for the flow-record are Set in\n\n(1304) for execution. This state processing loop between\n\n1304 and 1307 continues until there are no more instructions\n\nto be performed.\nAt this stage, a check is made in 1309 if the processing on\nthis particular packet has resulted in a final State. That is, is\nthe analyzer is done processing not only for this particular\npacket, but for the whole flow to which the packet belongs,\nand the flow is fully determined. If indeed there are no more\nstates to process for this flow, then in 1311 the processor\nfinalizes the processing. Some final States may need to put\na State in place that tells the System to remove a flow-for\nexample, if a connection disappears from a lower level\n\n15\n\nindicates to the UFKB that the flow insertion and deletion\n\nconnection identifier. In that case, in 1311, a flow removal\n\nstate is set and saved in the flow-entry. The flow removal\n\nstate may be a NOP (no-op) instruction which means there\nare no removal instructions.\n\nOnce the appropriate flow removal instruction as Specified\n\nfor this flow (a NOP or otherwise) is set and saved, the\n\nprocess is exited at 1313. The state processor 1108 can now\nobtain another unified flow key buffer entry to process.\nIf at 1309 it is determined that processing for this flow is\nnot completed, then in 1310 the system saves the state\nprocessor instruction pointer in the current flow-entry in the\ncurrent flow-entry. That will be the next operation that will\nbe performed the next time the LRE 1107 finds packet in the\nUFKB that matches this flow. The processor now exits\nprocessing this particular unified flow key buffer entry at\n\n25\n\nand Some are maintained in the cache 1115. The cache\n\nand to understand the data Structures that exists on the other\n\n35\n\nthe flow needs to be inserted or deleted from the database of\n\n40\n\nflows, control is then passed on to the flow insertion/deletion\nengine 1110 for that flow signature and packet entry. This is\ndone by the state processor setting another flag in the UFKB\nfor this UFKB-entry indicating that the state processor is\npassing processing of this entry to the flow insertion and\ndeletion engine.\nThe flow insertion and deletion engine 1110 is responsible\nfor maintaining the flow-entry database. In particular, for\ncreating new flows in the flow database, and deleting flows\nfrom the database So that they can be reused.\nThe process of flow insertion is now described with the\naid of FIG. 12. Flows are grouped into bins of buckets by the\nhash value. The engine processes a UFKB-entry that may be\nnew or that the State processor otherwise has indicated needs\nto be created. FIG. 12 shows the case of a new entry being\n\ncreated. A conversation record bin (preferably containing 4\nbuckets for four records) is obtained in 1203. This is a bin\n\nthat matches the hash of the UFKB, so this bin may already\nhave been sought for the UFKB-entry by the LUE. In 1204\nthe FIDE 1110 requests that the record bin/bucket be main\ntained in the cache system 1115. If in 1205 the cache system\n1115 indicates that the bin/bucket is empty, step 1207 inserts\n\n45\n\n50\n\nSide of memory interface 1123. The lookup/update engine\n1107 is able to request that the cache system pull a particular\nflow or \xe2\x80\x9cbuckets\xe2\x80\x9d of flows from the unified memory con\ntroller 1119 into the cache system for further processing. The\nstate processor 1108 can operate on information found in the\ncache System once it is looked up by means of the lookup/\nupdate engine request, and the flow insertion/deletion engine\n1110 can create new entries in the cache System if required\nbased on information in the unified flow key buffer 1103.\nThe cache retrieves information as required from the\nmemory through the memory interface 1123 and the unified\nmemory controller 1119, and updates information as\nrequired in the memory through the memory controller 1119.\nThere are Several interfaces to components of the System\nexternal to the module of FIG. 11 for the particular hardware\nimplementation. These include host bus interface 1122,\nwhich is designed as a generic interface that can operate with\nany kind of external processing System Such as a micropro\n\ncessor or a multiplexor (MUX) system. Consequently, one\ncan connect the overall traffic classification system of FIGS.\n11 and 12 into Some other processing System to manage the\nclassification System and to extract data gathered by the\nSystem.\n\n55\n\n60\n\nthe flow signature (with the hash) into the bucket and the\n\nbucket is marked \xe2\x80\x9cused\' in the cache engine of cache 1115\nusing a timestamp that is maintained throughout the process.\nIn 1209, the FIDE 1110 compares the bin and bucket record\nflow Signature to the packet to Verify that all the elements are\n\noperations are completed for this UFKB-entry. This also lets\nthe UFKB provide the FIDE with the next UFKB record.\nOnce a set of operations is performed on a unified flow\nkey buffer entry by all of the engines required to access and\nmanage a particular packet and its flow Signature, the unified\nflow key buffer entry is marked as \xe2\x80\x9ccompleted.\xe2\x80\x9d That\nelement will then be used by the parser interface for the next\npacket and flow Signature coming in from the parsing and\nextracting System.\nAll flow-entries are maintained in the external memory\nSystem 1115 is intelligent enough to access the flow database\n\n1313.\n\nNote that State processing updates information in the\nunified flow key buffer 1103 and the flow-entry in the cache.\nOnce the state processor is done, a flag is set in the UFKB\nfor the entry that the state processor is done. Furthermore, If\n\nthe cache System. This in the preferred embodiment clearS\nthe Set of counters used to maintain Statistics, and may\nperform other procedures for Statistical operations requires\nby the analyzer for the first packet Seen for a particular flow.\nBack in step 1205, if the bucket is not empty, the FIDE\n1110 requests the next bucket for this particular bin in the\ncache system. If this succeeds, the processes of 1207, 1209,\n1211 and 1212 are repeated for this next bucket. If at 1208,\nthere is no valid bucket, the unified flow key buffer entry for\nthe packet is Set as \xe2\x80\x9cdrop, indicating that the System cannot\nprocess the particular packet because there are no buckets\nleft in the system. The process exits at 1213. The FIDE 1110\n\n65\n\nThe memory interface 1123 is designed to interface to any\nof a variety of memory Systems that one may want to use to\nstore the flow-entries. One can use different types of\nmemory Systems like regular dynamic random access\n\nmemory (DRAM), synchronous DRAM, synchronous\ngraphic memory (SGRAM), static random access memory\n(SRAM), and so forth.\n\nFIG. 10 also includes some \xe2\x80\x9cgeneric\' interfaces. There is\na packet input interface 1012-a general interface that\nworks in tandem with the signals of the input buffer interface\ncontrol 1022. These are designed so that they can be used\nwith any kind of generic Systems that can then feed packet\ninformation into the parser. Another generic interface is the\n\nApp. II-34\n\n\x0c25\n\nUS 6,665,725 B1\n\ninterface of pipes 1031 and 1033 respectively out of and into\nhost interface multiplexor and control registers 1005. This\nenables the parsing System to be managed by an external\nSystem, for example a microprocessor or another kind of\nexternal logic, and enables the external System to program\nand otherwise control the parser.\nThe preferred embodiment of this aspect of the invention\n\nis described in a hardware description language (HDL) Such\n\nas VHDL or Verilog. It is designed and created in an HDL\nSo that it may be used as a Single chip System or, for instance,\nintegrated into another general-purpose System that is being\ndesigned for purposes related to creating and analyzing\ntraffic within a network. Verilog or other HDL implemen\ntation is only one method of describing the hardware.\nIn accordance with one hardware implementation, the\nelements shown in FIGS. 10 and 11 are implemented in a set\n\n15\n\nof six field programmable logic arrays (FPGA\'s). The\n\nboundaries of these FPGA\'s are as follows. The parsing\nSubsystem of FIG. 10 is implemented as two FPGAS; one\nFPGA, and includes blocks 1006, 1008 and 1012, parts of\n1005, and memory 1001. The second FPGA includes 1002,\n1007, 1013, 1011 parts of 1005. Referring to FIG. 11, the\nunified look-up buffer 1103 is implemented as a single\nFPGA. State processor 1108 and part of state processor\ninstruction database memory 1109 is another FPGA. Por\ntions of the State processor instruction database memory\n1109 are maintained in external SRAM\'s. The lookup/\nupdate engine 1107 and the flow insertion/deletion engine\n\n25\n\n1110 are in another FPGA. The Sixth FPGA includes the\n\ncache system 1115, the unified memory control 1119, and the\nanalyzer host interface and control 1118.\nNote that one can implement the System as one or more\nVSLI devices, rather than as a set of application specific\n\nintegrated circuits (ASIC\'s) such as FPGA\'s. It is antici\npated that in the future device densities will continue to\nincrease, So that the complete System may eventually form\n\n35\n\na Sub-unit (a \xe2\x80\x9ccore\xe2\x80\x9d) of a larger single chip unit.\nOperation of the Invention\n\nFIG. 15 shows how an embodiment of the network\n\nmonitor 300 might be used to analyze traffic in a network\n102. Packet acquisition device 1502 acquires all the packets\nfrom a connection point 121 on network 102 so that all\npackets passing point 121 in either direction are Supplied to\nmonitor 300. Monitor 300 comprises the parser Sub-system\n301, which determines flow signatures, and analyzer Sub\nSystem 303 that analyzes the flow signature of each packet.\nA memory 324 is used to store the database of flows that are\ndetermined and updated by monitor 300. A host computer\n1504, which might be any processor, for example, a general\npurpose computer, is used to analyze the flows in memory\n324. As is conventional, host computer 1504 includes a\nmemory, say RAM, shown as host memory 1506. In\naddition, the host might contain a disk. In one application,\nthe system can operate as an RMON probe, in which case the\nhost computer is coupled to a network interface card 1510\n\n40\n\n(SNMP) implementation. FIG. 15 describes how one would,\n\n45\n\n50\n\n55\n\n60\n\nfor example, implement an RMON probe, where a network\ninterface card is used to send RMON information to the\n\nnetwork. Commercial SNMP implementations also are\navailable, and using Such an implementation can Simplify\nthe process of porting the preferred embodiment of the\ninvention to any platform.\n\nIn addition, MIB Compilers are available. An MIB Com\npiler is a tool that greatly simplifies the creation and main\ntenance of proprietary MIB extensions.\nExamples of Packet Elucidation\nMonitor 300, and in particular, analyzer 303 is capable of\ncarrying out State analysis for packet eXchanges that are\ncommonly referred to as "server announcement\' type\neXchanges. Server announcement is a process used to ease\ncommunications between a Server with multiple applications\nthat can all be Simultaneously accessed from multiple cli\nents. Many applications use a server announcement process\nas a means of multiplexing a single port or Socket into many\napplications and Services. With this type of exchange, mes\nSages are Sent on the network, in either a broadcast or\nmulticast approach, to announce a Server and application,\nand all Stations in the network may receive and decode these\nmessages. The messages enable the Stations to derive the\nappropriate connection point for communicating that par\nticular application with the particular Server. Using the\nServer announcement method, a particular application com\nmunicates using a Service channel, in the form of a TCP or\nUDP socket or port as in the IP protocol Suite, or using a SAP\nas in the Novell IPX protocol suite.\nThe analyzer 303 is also capable of carrying out \xe2\x80\x9cin\nStream analysis\xe2\x80\x9d of packet eXchanges. The \xe2\x80\x9cin-stream analy\nSis\' method is used either as a primary or Secondary recog\nnition process. As a primary process, in-stream analysis\nassists in extracting detailed information which will be used\nto further recognize both the Specific application and appli\ncation component. A good example of in-stream analysis is\nany Web-based application. For example, the commonly\nused Point Cast Web information application can be recog\nnized using this process, during the initial connection\nbetween a PointCast Server and client, Specific key tokens\nexist in the data eXchange that will result in a Signature being\ngenerated to recognize PointCast.\nThe in-stream analysis proceSS may also be combined\nwith the Server announcement process. In many cases\nin-Stream analysis will augment other recognition processes.\nAn example of combining in-stream analysis with Server\nannouncement can be found in busineSS applications Such as\nSAP and BAAN.\n\nthat is connected to the network 102.\n\nThe preferred embodiment of the invention is supported\nby an optional Simple Network Management Protocol\n\n26\n\n65\n\n"Session tracking\xe2\x80\x9d also is known as one of the primary\nprocesses for tracking applications in client/server packet\neXchanges. The process of tracking Sessions requires an\ninitial connection to a predefined Socket or port number. This\nmethod of communication is used in a variety of transport\nlayer protocols. It is most commonly seen in the TCP and\nUDP transport protocols of the IP protocol.\nDuring the Session tracking, a client makes a request to a\nServer using a specific port or Socket number. This initial\nrequest will cause the server to create a TCP or UDP port to\neXchange the remainder of the data between the client and\nthe server. The server then replies to the request of the client\nusing this newly created port. The original port used by the\nclient to connect to the Server will never be used again\nduring this data eXchange.\n\nOne example of session tracking is TFTP (Trivial File\nTransfer Protocol), a version of the TCP/IP FTP protocol\nthat has no directory or password capability. During the\nclient/server exchange process of TFTP, a specific port (port\nnumber 69) is always used to initiate the packet exchange.\n\nThus, when the client begins the process of communicating,\na request is made to UDP port 69. Once the server receives\nthis request, a new port number is created on the Server. The\n\nApp. II-35\n\n\x0c27\n\nUS 6,665,725 B1\n\nUDP or TCP socket. Once the port Mapper process on the\nSun RPC Server receives the request, the Specific mapping is\nreturned in a directed reply to the client.\n\nServer then replies to the client using the new port. In this\nexample, it is clear that in order to recognize TFTP; network\nmonitor 300 analyzes the initial request from the client and\ngenerates a Signature for it. Monitor 300 uses that Signature\nto recognize the reply. Monitor 300 also analyzes the reply\nfrom the Server with the key port information, and uses this\nto create a signature for monitoring the remaining packets of\nthis data eXchange.\n\n1. A client (CLIENT 3, 106 in FIG. 1) sends a TCP packet\nto SERVER2 (110 in FIG. 1) on port 111, with an RPC\nBind Lookup Request (rpcBindLookup). TCP or UDP\nport 111 is always associated Sun RPC. This request\n\nSpecifies the program (as a program identifier), version,\nand might specify the protocol (UDP or TCP).\n2. The server SERVER 2 (110 in FIG. 1) extracts the\n\nNetwork monitor 300 can also understand the current\n\nState of particular connections in the network. Connection\noriented exchanges often benefit from State tracking to\ncorrectly identify the application. An example is the com\nmon TCP transport protocol that provides a reliable means\nof sending information between a client and a server. When\na data eXchange is initiated, a TCP request for Synchroni\nZation message is sent. This message contains a specific\nSequence number that is used to track an acknowledgement\nfrom the Server. Once the Server has acknowledged the\nSynchronization request, data may be exchanged between\nthe client and the Server. When communication is no longer\nrequired, the client Sends a finish or complete message to the\nServer, and the Server acknowledges this finish request with\na reply containing the Sequence numbers from the request.\nThe States of Such a connection-oriented exchange relate to\nthe various types of connection and maintenance messages.\nServer Announcement Example\nThe individual methods of Server announcement proto\ncols vary. However, the basic underlying proceSS remains\nSimilar. A typical Server announcement message is Sent to\none or more clients in a network. This type of announcement\nmessage has specific content, which, in another aspect of the\ninvention, is Salvaged and maintained in the database of\nflow-entries in the System. Because the announcement is\nSent to one or more Stations, the client involved in a future\n\npacket eXchange with the Server will make an assumption\nthat the information announced is known, and an aspect of\nthe inventive monitor is that it too can make the same\nassumption.\nSun-RPC is the implementation by Sun Microsystems,\n\n15\n\nthe Specific port number (e.g., port number port) on\n\nSpecific RPC program identifier (e.g., Program\nprogram) and the protocol (UDP or TCP) for use.\n\n25\n\n35\n\n40\n\na programming interface that allows one program to use the\n\nServices of another on a remote machine. A Sun-RPC\n\ncapture Server announcements.\n\nA remote program or client that wishes to use a Server or\nprocedure must establish a connection, for which the RPC\nprotocol can be used.\nEach server running the Sun-RPC protocol must maintain\na proceSS and database called the port Mapper. The port\nMapper creates a direct association between a Sun-RPC\n\nprogram or application and a TCP or UDP socket or port (for\nTCP or UDP implementations). An application or program\nnumber is a 32-bit unique identifier assigned by ICANN (the\nInternet Corporation for Assigned Names and Numbers,\nwww.icann.org), which manages the huge number of param\neters associated with Internet protocols (port numbers,\nrouter protocols, multicast addresses, etc.) Each port Mapper\non a Sun-RPC server can present the mappings between a\nunique program number and a specific transport Socket\nthrough the use of Specific request or a directed announce\nment. According to ICANN, port number 111 is associated\n\nprogram identifier and version identifier from the\nrequest. The Server also uses the fact that this packet\ncame in using the TCP transport and that no protocol\nwas specified, and thus will use the TCP protocol for its\nreply.\n3. The server 110 sends a TCP packet to port number 111,\nwith an RPC Bind Lookup Reply. The reply contains\nwhich future transactions will be accepted for the\n\nInc. (Palo Alto, Calif.) of the Remote Procedure Call (RPC),\n\nexample is now used to explain how monitor 300 can\n\n45\n\nIt is desired that from now on every time that port number\nport is used, the packet is associated with the application\nprogram program until the number port no longer is to be\nasSociated with the program program. Network monitor\n300 by creating a flow-entry and a signature includes a\nmechanism for remembering the exchange So that future\npackets that use the port number port will be associated by\nthe network monitor with the application program pro\ngram.\nIn addition to the Sun RPC Bind Lookup request and\nreply, there are other ways that a particular program-Say\nprogram-might be associated with a particular port\nnumber, for example number port. One is by a broadcast\nannouncement of a particular association between an appli\ncation service and a port number, called a Sun RPC port\nMapper Announcement. Another, is when Some Server-Say\nthe same SERVER 2-replies to some client-say CLIENT\n1-requesting Some portMapper assignment with a RPC\nportMapper Reply. Some other client-say CLIENT\n2-might inadvertently See this request, and thus know that\nfor this particular server, SERVER 2, port number port is\nasSociated with the application Service program. It is\ndesirable for the network monitor 300 to be able to associate\n\nany packets to SERVER 2 using port number port with the\napplication program program.\nFIG.9 represents a dataflow 900 of some operations in the\n\nmonitor 300 of FIG. 3 for Sun Remote Procedure Call.\n50\n\nSuppose a client 106 (e.g., CLIENT 3 in FIG. 1) is com\n\nmunicating via its interface to the network 118 to a server\n\n110 (e.g., SERVER 2 in FIG. 1) via the server\'s interface to\n\nthe network 116. Further assume that Remote Procedure\n\n55\n\n60\n\nCall is used to communicate with the server 110. One path\nin the data flow 900 starts with a step 910 that a Remote\nProcedure Call bind lookup request is issued by client 106\nand ends with the server state creation step 904. Such RPC\nbind lookup request includes values for the program,\nversion, and protocol to use, e.g., TCP or UDP. The\nprocess for Sun RPC analysis in the network monitor 300\nincludes the following aspects.:\nProcess 909: Extract the program, \xe2\x80\x9cversion, and pro\n\ntocol (UDP or TCP). Extract the TCP or UDP port\n(process 909) which is 111 indicating Sun RPC.\n\nwith Sun RPC.\n\nAs an example, consider a client (e.g., CLIENT 3 shown\nas 106 in FIG. 1) making a specific request to the server\n(e.g., SERVER 2 of FIG. 1, shown as 110) on a predefined\n\n28\n\n65\n\nProcess 908: Decode the Sun RPC packet. Check RPC\ntype field for ID. If value is portMapper, save paired\n\nApp. II-36\n\nSocket (i.e., dest for destination address, Src for Source\n\n\x0cUS 6,665,725 B1\n\n29\naddress). Decode ports and mapping, save ports with\nSocket/addr key. There may be more than one pairing\nper mapper packet. Form a signature (e.g., a key). A\n\nused to identify the destination-port pattern. The order\nindicates the client-Server message direction. A sixth field\n\nAt some later time, the server (process 907) issues a RPC\n\nfollowing eighth field \xe2\x80\x9cQA\xe2\x80\x9d 221 (for question mark) indi\n\ndenoted \xe2\x80\x9ci\'\xe2\x80\x9d 219 is an element that is being requested by the\n\nflow-entry is created in database 324. The saving of the\nrequest is now complete.\n\nclient from the server. A seventh field denoted \xe2\x80\x9csa\xe2\x80\x9d 220 is\nthe service requested by the client from server 110. The\n\nbind lookup reply. The packet monitor 300 will extract a\nSignature from the packet and recognize it from the previ\nously stored flow. The monitor will get the protocol port\n\ncates that the client 106 wants to know what to use to access\n\napplication \xe2\x80\x9csa\'. A tenth field \xe2\x80\x9cQP 223 is used to indicate\nthat the client wants the Server to indicate what protocol to\nuse for the particular application.\nPacket 206 initiates the Sequence of packet eXchanges,\ne.g., a RPC Bind Lookup Request to SERVER 2. It follows\na well-defined format, as do all the packets, and is trans\n\nnumber (906) and lookup the request (905). A new signature\n(i.e., a key) will be created and the creation of the server\nstate (904) will be stored as an entry identified by the new\n\nSignature in the flow-entry database. That Signature now\nmay be used to identify packets associated with the Server.\nThe server state creation step 904 can be reached not only\nfrom a Bind Lookup Request/Reply pair, but also from a\nRPC Reply portMapper packet shown as 901 or an RPC\nAnnouncement portMapper shown as 902. The Remote\nProcedure Call protocol can announce that it is able to\nprovide a particular application Service. Embodiments of the\npresent invention preferably can analyze when an exchange\n\nmitted to the server 110 on a well-known service connection\n\n15\n\n25\n\nSimilar Set of operations, for example, Saving the informa\ntion obtained from the announcement. The RPC Reply\nportMapper step 901 could be in reply to a portMapper\nrequest, and is also broadcast. It includes all the Service\nparameterS.\n\nThus monitor 300 creates and saves all Such states for\n\nlater classification of flows that relate to the particular\nService program.\nFIG. 2 shows how the monitor 300 in the example of Sun\nRPC builds a signature and flow states. A plurality of packets\n206-209 are exchanged, e.g., in an exemplary Sun Micro\nsystems Remote Procedure Call protocol. A method embodi\nment of the present invention might generate a pair of flow\nsignatures, \xe2\x80\x9csignature-1\' 210 and \xe2\x80\x9csignature-2\xe2\x80\x9d 212, from\ninformation found in the packets 206 and 207 which, in the\nexample, correspond to a Sun RPC Bind Lookup request and\nreply, respectively.\nConsider first the Sun RPC Bind Lookup request. Sup\npose packet 206 corresponds to Such a request Sent from\nCLIENT 3 to SERVER 2. This packet contains important\ninformation that is used in building a signature according to\nan aspect of the invention. A Source and destination network\naddress occupy the first two fields of each packet, and\naccording to the patterns in pattern database 308, the flow\nsignature (shown as KEY1230 in FIG. 2) will also contain\nthese two fields, so the parser Subsystem 301 will include\nthese two fields in signature KEY 1 (230). Note that in FIG.\n2, if an address identifies the client 106 (shown also as 202),\nthe label used in the drawing is \xe2\x80\x9cC\xe2\x80\x9d. If such address\nidentifies the server 110 (shown also as server 204), the label\nused in the drawing is \xe2\x80\x9cS\xe2\x80\x9d. The first two fields 214 and 215\nin packet 206 are \xe2\x80\x9cS\xe2\x80\x9d and C\xe2\x80\x9d because packet 206 is\nprovided from the server 110 and is destined for the client\n106. Suppose for this example, \xe2\x80\x9cS\xe2\x80\x9d is an address numeri\n\ncally less than address \xe2\x80\x9cC\xe2\x80\x9d. A third field \xe2\x80\x9cp\' 216 identifies\n\nthe particular protocol being used, e.g., TCP, UDP, etc.\nIn packet 206, a fourth field 217 and a fifth field 218 are\nused to communicate port numbers that are used. The\nconversation direction determines where the port number\nfield is. The diagonal pattern in field 217 is used to identify\na Source-port pattern, and the hash pattern in field 218 is\n\nPacket 207 is the first sent in reply to the client 106 from\nthe server. It is the RPC Bind Lookup Reply as a result of\nthe request packet 206.\nPacket 207 includes ten fields 224-233. The destination\n\nStations that have received the announcement of a Service in\nthe network.\n\nThe RPC Announcement portMapper announcement 902\n\nidentifier (port 111 indicating Sun RPC).\n\nand Source addresses are carried in fields 224 and 225, e.g.,\nindicated \xe2\x80\x9cC\xe2\x80\x9d and \xe2\x80\x9cS\xe2\x80\x9d, respectively. Notice the order is\nnow reversed, since the client-Server message direction is\n\noccurs between a client and a Server, and also can track those\n\nis a broadcast. Such causes various clients to execute a\n\n30\n\n35\n\n40\n\n45\n\n50\n\n55\n\n60\n\n65\n\nfrom the server 110 to the client 106. The protocol \xe2\x80\x9cp\' is\nused as indicated in field 226. The request "i" is in field 229.\nValues have been filled in for the application port number,\ne.g., in field 233 and protocol \xe2\x80\x9cp\xe2\x80\x9d in field 233.\n\nThe flow signature and flow states built up as a result of\nthis exchange are now described. When the packet monitor\n300 sees the request packet 206 from the client, a first flow\nsignature 210 is built in the parser Subsystem 301 according\nto the pattern and extraction operations database 308. This\nSignature 210 includes a destination and a Source address\n240 and 241. One aspect of the invention is that the flow\nkeys are built consistently in a particular order no matter\nwhat the direction of conversation. Several mechanisms may\nbe used to achieve this. In the particular embodiment, the\nnumerically lower address is always placed before the\nnumerically higher address. Such least to highest order is\nused to get the best Spread of Signatures and hashes for the\nlookup operations. In this case, therefore, Since we assume\n\xe2\x80\x9cS\xe2\x80\x9d<\xe2\x80\x9cC\xe2\x80\x9d, the order is address \xe2\x80\x9cS\xe2\x80\x9d followed by client\naddress \xe2\x80\x9cC\xe2\x80\x9d. The next field used to build the signature is a\nprotocol field 242 extracted from packet 206\'s field 216, and\n\nthus is the protocol \xe2\x80\x9cp". The next field used for the\n\nSignature is field 243, which contains the destination Source\nport number shown as a crosshatched pattern from the field\n218 of the packet 206. This pattern will be recognized in the\npayload of packets to derive how this packet or Sequence of\npackets exists as a flow. In practice, these may be TCP port\nnumbers, or a combination of TCP port numbers. In the case\nof the Sun RPC example, the crosshatch represents a set of\n\nport numbers of UDS for p" that will be used to recognize\nthis flow (e.g., port 111). Port 111 indicates this is Sun RPC.\nSome applications, such as the Sun RPC Bind Lookups, are\ndirectly determinable ("known\xe2\x80\x9d) at the parser level. So in\nthis case, the Signature KEY-1 points to a known application\ndenoted \xe2\x80\x9ca\xe2\x80\x9d (Sun RPC Bind Lookup), and a next-state that\n\nthe State processor should proceed to for more complex\nrecognition jobs, denoted as State \xe2\x80\x9cst\' is placed in the field\n245 of the flow-entry.\nWhen the Sun RPC Bind Lookup reply is acquired, a flow\nSignature is again built by the parser. This flow signature is\nidentical to KEY-1. Hence, when the signature enters the\nanalyzer subsystem 303 from the parser subsystem 301, the\ncomplete flow-entry is obtained, and in this flow-entry\nindicates State \xe2\x80\x9cst\'. The operations for State \xe2\x80\x9cst,\xe2\x80\x9d in the\nState processor instruction database 326 instructs the State\n\nApp. II-37\n\n\x0c31\n\nUS 6,665,725 B1\n\nprocessor to build and Store a new flow Signature, shown as\n\nKEY-2 (212) in FIG. 2. This flow signature built by the state\n\nprocessor also includes the destination and a Source\naddresses 250 and 251, respectively, for server \xe2\x80\x9cS\xe2\x80\x9d fol\n\nlowed by (the numerically higher address) client \xe2\x80\x9cC\xe2\x80\x9d. A\n\nprotocol field 252 defines the protocol to be used, e.g., \xe2\x80\x9cp\xe2\x80\x9d,\n\n5\n\nwhich is obtained from the reply packet. A field 253 contains\na recognition pattern also obtained from the reply packet. In\nthis case, the application is Sun RPC, and field 254 indicates\n\napplication \xe2\x80\x9ca\xe2\x80\x9d. Two such packets 208 and 209 are shown,\n\none in each direction. They use the particular application\nService requested in the original Bind Lookup Request, and\neach will be recognized because the signature KEY-2 will be\n\nThe different protocols that can exist in different layers\nmay be thought of as nodes of one or more trees of linked\n\n15\n\n25\n\nThus the flow signature for the recognition of application\n\neXchange Sequences occur for this example when a rela\ntively simple Sun Microsystems Remote Procedure Call\nbind lookup request instruction executes. More complicated\neXchanges than this may generate more than two flow\nSignatures and their corresponding States. Each recognition\nmay involve Setting up a complex State transition diagram to\nbe traversed before a \xe2\x80\x9cfinal\xe2\x80\x9d resting state such as \xe2\x80\x9cst,\xe2\x80\x9d in\nfield 255 is reached. All these are used to build the final set\nof flow Signatures for recognizing a particular application in\nthe future.\n\nEmbodiments of the present invention automatically gen\nerate flow Signatures with the necessary recognition patterns\nand State transition climb procedure. Such comes from\nanalyzing packets according to parsing rules, and also gen\nerating State transitions to Search for. Applications and\nprotocols, at any level, are recognized through State analysis\nof Sequences of packets.\nNote that one in the art will understand that computer\nnetworks are used to connect many different types of\ndevices, including network appliances Such as telephones,\n\xe2\x80\x9cInternet\' radios, pagers, and So forth. The term computer as\nused herein encompasses all Such devices and a computer\nnetwork as used herein includes networks of Such comput\n\nData Service, FDDI (Fiber Distributed Data Interface), and\n\n35\n\n40\n\nT1, among others. Many of these packet types use different\npacket and/or frame formats. For example, data is transmit\nted in ATM and frame-relay systems in the form of fixed\n\nlength packets (called \xe2\x80\x9ccells\') that are 53 octets (i.e., bytes)\n\nlong, Several Such cells may be needed to make up the\ninformation that might be included in a Single packet of\nSome other type.\nNote that the term packet herein is intended to encompass\npackets, datagrams, frames and cells. In general, a packet\nformat or frame format refers to how data is encapsulated\n\nwith various fields and headers for transmission acroSS a\n45\n\n50\n\n55\n\nnetwork. For example, a data packet typically includes an\naddress destination field, a length field, an error correcting\n\ncode (ECC) field or cyclic redundancy check (CRC) field, as\n\nwell as headers and footers to identify the beginning and end\nof the packet. The terms \xe2\x80\x9cpacket format,\xe2\x80\x9d \xe2\x80\x9cframe format\xe2\x80\x9d\nand \xe2\x80\x9ccell format are generally Synonymous.\nThe packet monitor 300 can analyze different protocols,\nand thus can perform different protocol Specific operations\non a packet wherein the protocol headers of any protocol are\nlocated at different locations depending on the parent pro\ntocol or protocols used in the packet. Thus, the packet\nmonitor adapts to different protocols according to the con\ntents of the packet. The locations and the information\nextracted from any packet are adaptively determined for the\nparticular type of packet. For example, there is no fixed\ndefinition of what to look for or where to look in order to\n\n60\n\nCS.\n\nAlthough the present invention has been described in\nterms of the presently preferred embodiments, it is to be\nunderstood that the disclosure is not to be interpreted as\n\nAS an example of the tree Structure, consider an Ethernet\npacket. One of the children nodes may be the IP protocol,\nand one of the children of the IP protocol may be the TCP\nprotocol. Another child of the IP may be the UDP protocol.\nA packet includes at least one header for each protocol\nused. The child protocol of a particular protocol used in a\npacket is indicated by the contents at a location within the\nheader of the particular protocol. The contents of the packet\nthat specify the child are in the form of a child recognition\nA network analyzer preferably can analyze many different\nprotocols. At a base level, there are a number of packet types\nused in digital telecommunications, including Ethernet,\nHDLC, ISDN, Lap B, ATM, X.25, Frame Relay, Digital\n\nto-State.\n\n\xe2\x80\x9ca\xe2\x80\x9d is automatically set up by predefining what packet\n\nbe at higher layer levels. Thus a protocol may have Zero or\n\npattern.\n\nfields 260 and 261. A field 262 defines the protocol as \xe2\x80\x9cp\xe2\x80\x9d,\n\nand a field 263 defines the destination port number.\nSome network-server application recognition jobs are So\nSimple that only a single State transition has to occur to be\nable to pinpoint the application that produced the packet.\nOthers require a Sequence of State transitions to occur in\norder to match a known and predefined climb from State\n\nnodes. The packet type is the root of a tree (called base\nlevel). Each protocol is either a parent node of Some other\nprotocol at the next later or a terminal node. A parent node\nlinks a protocol to other protocols (child protocols) that can\nmore children.\n\nbuilt in each case.\n\nThe two flow signatures 210 and 212 always order the\ndestination and source address fields with server \xe2\x80\x9cS\xe2\x80\x9d fol\nlowed by client \xe2\x80\x9cC\xe2\x80\x9d. Such values are automatically filled in\nwhen the addresses are first created in a particular flow\nSignature. Preferably, large collections of flow Signatures are\nkept in a lookup table in a least-to-highest order for the best\nSpread of flow Signatures and hashes.\nThereafter, the client and Server exchange a number of\npackets, e.g., represented by request packet 208 and\nresponse packet 209. The client 106 sends packets 208 that\nhave a destination and Source address S and C, in a pair of\n\nlimiting. Various alterations and modifications will no doubt\nbecome apparent to those or ordinary skill in the art after\nhaving read the above disclosure. Accordingly, it is intended\nthat the claims be interpreted as covering all alterations and\nmodifications as fall within the true Spirit and Scope of the\npresent invention.\nThe Pattern Parse and Extraction Database Format\n\nthis application \xe2\x80\x9ca\xe2\x80\x9d. A next-state field 255 defines the next\nState that the State processor should proceed to for more\ncomplex recognition jobs, e.g., a state \xe2\x80\x9cst". In this particular\n\nexample, this is a final state. Thus, KEY-2 may now be used\nto recognize packets that are in any way associated with the\n\n32\n\n65\n\nform the flow Signature. In Some prior art Systems, Such as\nthat described in U.S. Pat. No. 5,101,402 to Chiu, et al., there\n\nare fixed locations Specified for particular types of packets.\nWith the proliferation of protocols, the specifying of all the\npossible places to look to determine the Session becomes\nmore and more difficult. Likewise, adding a new protocol or\napplication is difficult. In the present invention, the number\nof levels is variable for any protocol and is whatever number\n\nApp. II-38\n\n\x0c33\n\nUS 6,665,725 B1\n\nis Sufficient to uniquely identify as high up the level System\n\n34\n\nFIG. 17B shows the structure of the header of one of the\n\nas we wish to go, all the way to the application level (in the\nOSI model).\n\npossible next levels, that of the IP protocol. The possible\nchildren of the IP protocol are shown in table 1752. The\n\nsame. An Ethernet packet (the root node) may be an Ether\n\nparent protocol. Also included in FIG. 17B are some of the\nfields to be extracted for the Signature, and an indication of\nwhere the next levels header would start in the packet.\n\nheader Starts at a different location (L3) depending on the\n\nEven the same protocol may have different variants.\nEthernet packets for example, have Several known variants,\neach having a basic format that remains Substantially the\n\nNote that the information shown in FIGS. 16, 17A, and\n\ntype packet-also called an Ethernet Type/Version 2 and a\n\nDIX (DIGITAL-Intel-Xerox packet)\xe2\x80\x94or an IEEE Ethernet\n(IEEE 803.x) packet. A monitor should be able to handle all\n\ntypes of Ethernet protocols. With the Ethertype protocol, the\ncontents that indicate the child protocol is in one location,\nwhile with an IEEE type, the child protocol is specified in a\ndifferent location. The child protocol is indicated by a child\nrecognition pattern.\n\n15\n\nFIG. 16 shows the header 1600 (base level 1) of a\ncomplete Ethernet frame (i.e., packet) of information and\n\nincludes information on the destination media acceSS control\n\naddress (Dst MAC 1602) and the source media access\ncontrol address (Src MAC 1604). Also shown in FIG. 16 is\nsome (but not all) of the information specified in the PDL\n\nfiles for extraction the Signature. Such information is also to\nbe specified in the parsing Structures and extraction opera\ntions database 308. This includes all of the header informa\n\ntion at this level in the form of 6 bytes of Dst MAC\ninformation 1606 and 6 bytes of Src MAC information 1610.\nAlso specified are the Source and destination address\ncomponents, respectively, of the hash. These are shown as 2\nbyte Dst Hash 1608 from the Dst MAC address and the 2\nbyte Src Hash 1612 from the Src MAC address. Finally,\n\n25\n\ninformation is included (1614) on where to the header starts\nfor information related to the next layer level. In this case the\n\nnext layer level (level 2) information starts at packet offset\n\n12.\nFIG. 17A now shows the header information for the next\n\n35\n\nlevel (level-2) for an Ethertype packet 1700.\n\nFor an Ethertype packet 1700, the relevant information\nfrom the packet that indicates the next layer level is a\ntwo-byte type field 1702 containing the child recognition\npattern for the next level. The remaining information 1704\n\n40\n\nlist 1712 shows the possible children for an Ethertype packet\nas indicated by what child recognition pattern is found offset\nAlso shown is Some of the extracted part used for the\nparser record and to locate the next header information. The\nSignature part of the parser record includes extracted part\n1702. Also included is the 1-byte Hash component 1710\n\nfrom this information.\n\nAn offset field 1710 provides the offset to go to the next\nlevel information, i.e., to locate the Start of the next layer\nlevel header. For the Ethertype packet, the start of the next\nlayer header 14 bytes from the start of the frame.\nOther packet types are arranged differently. For example,\nin an ATM System, each ATM packet comprises a five-Octet\n\xe2\x80\x9cheader\xe2\x80\x9d segment followed by a forty-eight octet \xe2\x80\x9cpayload\xe2\x80\x9d\nSegment. The header Segment of an ATM cell contains\ninformation relating to the routing of the data contained in\nthe payload Segment. The header Segment also contains\ntraffic control information. Eight or twelve bits of the header\n\nIn one embodiment, the data structure is in the form of a\n\nthree-dimensional structure. Note that this three dimensional\n\n45\n\n50\n\nFIG. 18A shows such a 3-D representation 1800 (which\nmay be considered as an indexed set of 2-D representations).\n\nThe three dimensions of this data structure are:\n\n01 indicates an Ethernet frame. 64 indicates IP, 16\n\nindicates an IEEE type Ethernet packet, etc. Depending\non how many protocols the packet parser can handle, M\nmay be a large number; M may grow over time as the\ncapability of analyzing more protocols is added to\n\n55\n\nmonitor 300. When the 3-D structure is considered a set\n\nof 2-D Structures, the type ID is an indeX to a particular\n\n60\n\nteen bits of the header segment contain the Virtual Channel\n\nrouting information represented by the VPI and VCI bits into\nthe addresses of physical or logical network links and routes\neach ATM cell appropriately.\n\nStructure in turn is typically Stored in memory as a set of\ntwo-dimensional Structures whereby one of the three dimen\nSions of the 3-D Structure is used as an indeX to a particular\n2-D array. This forms a first index to the data structure.\n\n1. Type identifier 1:M). This is the identifier that identi\nfies a type of protocol at a particular level. For example,\n\nsegment contain the Virtual Path Identifier (VPI), and six\n\nIdentifier (VCI). Each ATM exchange translates the abstract\n\nmation used by the pattern recognition engine (PRE) 1006\n\nenables the parser subsystem 301 to perform rapid searches.\n\nis shown hatched because it not relevant for this level. The\n12.\n\n17B would be specified to the monitor in the form of PDL\nfiles and compiled into the database 308 of pattern structures\nand extraction operations.\nThe parsing subsystem 301 performs operations on the\npacket header data based on information Stored in the\ndatabase 308. Because data related to protocols can be\nconsidered as organized in the form of a tree, it is required\nin the parsing Subsystem to Search through data that is\noriginally organized in the form of a tree. Since real time\noperation is preferable, it is required to carry out Such\nSearches rapidly.\nData structures are known for efficiently Storing informa\ntion organized as trees. Such Storage-efficient means typi\ncally require arithmetic computations to determine pointers\nto the data nodes. Searching using Such Storage-efficient data\nStructures may therefore be too time consuming for the\npresent application. It is therefore desirable to Store the\nprotocol data in Some form that enables rapid Searches.\nIn accordance with another aspect of the invention, the\ndatabase 308 is stored in a memory and includes a data\nStructure used to Store the protocol Specific operations that\nare to be performed on a packet. In particular, a compressed\nrepresentation is used to Store information in the pattern\nparse and extraction database 308 used by the pattern\nrecognition process 304 and the extraction process 306 in\nthe parser subsystem 301. The data structure is organized for\nrapidly locating the child protocol related information by\nusing a set of one or more indices to index the contents of\nthe data structure. A data Structure entry includes an indi\ncation of validity. Locating and identifying the child proto\ncol includes indexing the data structure until a valid entry is\nfound. Using the data Structure to Store the protocol infor\n\n65\n\n2-D structure.\n\n2. Size 1:64). The size of the field of interest within the\npacket.\n3. Location 1:512). This is the offset location within the\npacket, expressed as a number of octets (bytes).\nAt any one of these locations there may or may not be\nvalid data. Typically, there will not be valid data in most\n\nApp. II-39\n\n\x0c35\n\nUS 6,665,725 B1\n\nlocations. The size of the 3-D array is Mby 64 by 512, which\ncan be large; M for example may be 10,000. This is a sparse\n\n3-D matrix with most entries empty (i.e., invalid).\n\nEach array entry includes a "node code\' that indicates the\n\nnature of the contents. This node code has one of four\n\nvalues: (1) a \xe2\x80\x9cprotocol node code indicating to the pattern\nrecognition process 304 that a known protocol has been\nrecognized as the next (i.e., child) protocol; (2) a \xe2\x80\x9cterminal\xe2\x80\x9d\n\n5\n\nnode code indicating that there are no children for the\nprotocol presently being Searched, i.e., the node is a final\n\nmonitor 300 indicating the type of packet. This header is\nused to determine the virtual base layer entry point to the\nparser Subsystem. Thus, even at the base layer, the parser\nSubsystem can identify the type of packet.\nInitially, the search starts at the child of the virtual base,\nas obtained in the header Supplied by the acquisition device.\nIn the case of the example, this has ID value 01, which is the\n2-D array in the overall 3-D structure for Ethernet packets.\nThus hardware implementing pattern analysis proceSS304\n\n(e.g., pattern recognition engine (PRE) 1006 of FIG. 10)\nsearches to determine the children (if any) for the 2-D array\n\nnode in the protocol tree; (3) a \xe2\x80\x9cnull\xe2\x80\x9d (also called \xe2\x80\x9cflush\xe2\x80\x9d)\n\nnode code indicating that there is no valid entry.\nIn the preferred embodiment, the possible children and\nother information are loaded into the data Structure by an\ninitialization that includes compilation process 310 based on\nthe PDL files 336 and the layering selections 338. The\nfollowing information is included for any entry in the data\nStructure that represents a protocol.\n\nthat has protocol ID 01. In the preferred embodiment that\n\nuses the 3-D data structure, the hardware PRE 1006 searches\n\nup to four lengths (i.e., sizes) simultaneously. Thus, the\n15\n\nprocess 304 Searches in groups of four lengths. Starting at\nprotocol ID 01, the first two sets of 3-D locations searched\nC\n\n(a) A list of children (as type IDs) to search next. For\nexample, for an Ethernet type 2, the children are\nEthertype (IP, IPX, etc, as shown in 1712 of FIG. 17).\n\n(1, 1, 1)\n(1, 2, 1)\n(1, 3, 1)\n(1, 4, 1)\n\nThese children are compiled into the type codes. The\ncode for IP is 64, that for IPX is 83, etc.\n\n(b) For each of the IDs in the list, a list of the child\n\nrecognition patterns that need to be compared. For\nexample, 64:0800 in the list indicates that the value\n\nto look for is 0800 (hex) for the child to be type ID 64\n(which is the IP protocol). 83:8137 in the list indi\ncates that the value to look for is 8137 (hex) for the\nchild to be type ID 83 (which is the IPX protocol), etc.\n(c) The extraction operations to perform to build the\n\n25\n\nout. If there is also a hash key component, for instance,\nthen information on that is included. For example, for\n\n35\n\nan Ethertype packet, the 2-byte type (1706 in FIG. 17)\n\nis used in the Signature. Furthermore, a 1-byte hash\n\n(1708 in FIG. 17A) of the type is included. . Note\n\nfurthermore, the child protocol starts at offset 14.\nAn additional item may be the \xe2\x80\x9cfold.\xe2\x80\x9d Folding is used to\nreduce the Storage requirements for the 3-D Structure. Since\neach 2-D array for each protocol ID may be sparsely\npopulated, multiple arrays may be combined into a single\n2-D array as long as the individual entries do not conflict\nmore detail below.\n\nIn the case of the Ethernet, the next protocol field may\nindicate a length, which tells the parser that this is a IEEE\ntype packet, and that the next protocol is elsewhere.\nNormally, the next protocol field contains a value which\nidentifies the next, i.e., child protocol.\nThe entry point for the parser Subsystem is called the\nVirtual base layer and contains the possible first children,\ni.e., the packet types. An example Set of protocols written in\n\na high level protocol description language (PDL) is included\n\nherein. The set includes PDL files, and the file describing all\n\nthe possible entry points (i.e., the virtual base) is called\n\nVirtual.pdl. There is only one child, 01, indicating the\nEthernet, in this file. Thus, the particular example can only\nhandle Ethernet packets. In practice, there can be multiple\nentry points.\nIn one embodiment, the packet acquisition device pro\nvides a header for every packet acquired and input into\n\n(Ethernet) at packet offset 12, there is information in the\npacket having a length of 2 bytes (octets) that may relate to\nthe next (child) protocol. The information, for example, may\n\nbe about a child for this protocol eXpressed as a child\nrecognition pattern. The list of possible child recognition\npatterns that may be in that part of the packet is obtained\nfrom the data Structure.\n\n40\n\nThe Ethernet packet Structure comes in two flavors, the\nEthertype packet and newer IEEE types, and the packet\n\nlocation that indicates the child is different for both. The\n\n45\n\nwith each other. A fold number is then used to associate each\n\nelement. For a given lookup, the fold number of the lookup\nmust match the fold number entry. Folding is described in\n\nAt each Stage of a Search, the analysis process 304\nexamines the packet and the 3-D data Structure to See if there\n\nContinuing with the example, Suppose the pattern analysis\nprocess 304 finds something at 1, 2, 12. By this, we mean\nthat the process 304 has found that for protocol ID value 01\n\n(offset, length, flow signature value identifier), the\nflow signature value identifier indicating where the\n\noperations (AND, ORs, etc.) may need to be carried\n\n(1, 1, 2)\n(1, 2, 2)\n(1, 3, 2)\n(1, 4, 2)\n\nis a match (by looking at the node code). If no valid data is\nfound, e.g., using the node code, the size is incremented (to\nmaximum of 4) and the offset is then incremented as well.\n\nidentifying Signature for the flow. The format used is\nextracted entry goes in the Signature, including what\n\n36\n\n50\n\nlocation that for the Ethertype packet indicates the child is\na \xe2\x80\x9clength\xe2\x80\x9d for the IEEE type, so a determination is made for\nthe Ethernet packet whether the \xe2\x80\x9cnext protocol\xe2\x80\x9d location\n\ncontains a value or a length (this is called a \xe2\x80\x9cLENGTH\'\noperation). A successful LENGTH operation is indicated by\n\ncontents less than or equal to 05DC, then this is an IEEE\ntype Ethernet frame. In Such a case, the child recognition\npattern is looked for elsewhere. Otherwise, the location\ncontains a value that indicates the child.\n\nNote that while this capability of the entry being a value\n\n55\n\n(e.g., for a child protocol ID) or a length (indicating further\nanalysis to determine the child protocol) is only used for\n\nEthernet packets, in the future, other packets may end up\nbeing modified. Accordingly, this capability in the form of a\nmacro in the PDL files still enables such future packets to be\ndecoded.\n\n60\n\n65\n\nContinuing with the example, suppose that the LENGTH\noperation fails. In that case, we have an Ethertype packet,\n\nand the next protocol field (containing the child recognition\npattern) is 2 bytes long starting at offset 12 as shown as\n\npacket field 1702 in FIG. 17A. This will be one of the\nchildren of the Ethertype shown in table 1712 in FIG. 17A.\n\nThe PRE uses the information in the data structure to check\n\nwhat the ID code is for the found 2-byte child recognition\npattern. For example, if the child recognition pattern is 0800\n\nApp. II-40\n\n\x0cUS 6,665,725 B1\n\n37\n(Hex), then the protocol is IP. If the child recognition pattern\nis OBAD (Hex) the protocol is VIP (VINES).\n\nNote that an alternate embodiment may keep a separate\ntable that includes all the child recognition patterns and their\ncorresponding protocol ID\'s\nTo follow the example, Suppose the child recognition\npattern at 1, 2, 12 is 0800, indicating IP. The ID code for\n\n5\n\nSO.\n\nEach 2-D structure in FIG. 18A represents a protocol. To\nenable Saving Space by using only one array per protocol\nwhich may have Several parents, in one embodiment, the\npattern analysis Subprocess keeps a \xe2\x80\x9ccurrent header\' pointer.\n\nthe IP protocol is 64). To continue with the Ethertype\n\nexample, once the parser matches one of the possible\nchildren for the protocl-in the example, the protocol type\nis IP with an ID of 64-then the parser continues the search\nfor the next level. The ID is 64, the length is unknown, and\n\noffset is known to be equal or larger than 14 bytes (12 offset\nfor type, plus 2, the length of type), so the Search of the 3-D\nStructure commences from location (64, 1) at packet offset\n14. A populated node is found at (64.2) at packet offset 14.\n\nEach location (offset) index for each protocol 2-D array in\n\n15\n\nHeading details are shown as 1750 in FIG. 17B. The\npossible children are shown in table 1752.\n\nAlternatively, Suppose that at (1, 2, 12) there was a length\n\n1211. This indicates that this is an IEEE type Ethernet\nframe, which stores its type elsewhere. The PRE now\n\n14.\n\n25\n\nIn our example, Suppose there is a \xe2\x80\x9cprotocol node code\n\nfound at (16, 2) at packet offset 14, and the next protocol is\n\nspecified by child recognition pattern 0800. This indicates\nthat the child is the IP protocol, which has type ID 64. Thus\n\nthe Search continues, starting at (64, 1) at packet offset 16.\n\nCompression.\nAS noted above, the 3-D data structure is very large, and\nsparsely populated. For example, if 32 bytes are Stored at\neach location, then the length is Mby 64 by 512 by 32 bytes,\nwhich is M. megabytes. If M = 10,000, then this is about 10\ngigabytes. It is not practical to include 10 Gbyte of memory\nin the parser Subsystem for storing the database 308. Thus a\ncompressed form of Storing the data is used in the preferred\nembodiment. The compression is preferably carried out by\nan optimizer component of the compilation process 310.\nRecall that the data structure is sparse. Different embodi\nments may use different compression Schemes that take\nadvantage of the Sparseness of the data structure. One\n\nembodiment uses a modification of multi-dimensional run\n\nlength encoding.\n\n35\n\n40\n\n45\n\n50\n\nprotocol (i.e., each value of the protocol ID). The 2-D\n\nstructures are shown as 1802-1, 1802-2,..., 1802-M for up\nto M protocol ID\'s. One table entry is shown as 1804. Note\nthat the gaps in table are used to illustrate that each 2-D\nStructure table is typically large.\nConsider the Set of trees that represent the possible\nprotocols. Each node represents a protocol, and a protocol\n\nmay have a child or be a terminal protocol. The base (root)\n\nof the tree has all packet types as children. The other nodes\n\n55\n\n60\n\nform the nodes in the tree at various levels from level 1 to\n\nthe final terminal nodes of the tree. Thus, one element in the\n\nbase node may reference node ID 1, another element in the\nbase node may reference node ID 2 and So on. AS the tree\nis traversed from the root, there may be points in the tree\nwhere the same node is referenced next. This would occur,\n\nSpective of their location in the tree as long as certain\nconditions are met.\n\nASSume two 2-D arrays are being considered for folding.\nCall the first 2-D arrays A and the second 2-D array B. Since\nboth 2-D arrays are partially populated, 2-D array B can be\ncombined with 2-D arrays A if and only if none of the\nindividual elements of these two 2-D arrays that have the\nsame 2-D location conflict. If the result is foldable, then the\n\nAnother embodiment uses a Smaller number two\ndimensional Structures to Store the information that other\n\nwise would be in one large three-dimensional Structure. The\nSecond Scheme is used in the preferred embodiment.\nFIG. 18A illustrated how the 3-D array 1800 can be\nconsidered a set of 2-D arrays, one 2-D array for each\n\nthe 3-D structure is a relative location starting with the start\nof header for the particular protocol.\nEach of the two-dimensional arrayS is sparse. The next\nStep of the optimization, is checking all the 2-D arrayS\nagainst all the other 2-D arrays to find out which ones can\nshare memory. Many of these 2-D arrays are often sparsely\npopulated in that they each have only a Small number of\nvalid entries. So, a process of "folding is next used to\ncombine two or more 2-D arrays together into one physical\n2-D array without losing the identity of any of the original\n\n2-D arrays (i.e., all the 2-D arrays continue to exist\nlogically). Folding can occur between any 2-D arrays irre\n\ncontinues its Search at the same level, but for a new ID, that\n\nof an IEEE type Ethernet frame. An IEEE Ethernet packet\nhas protocol ID 16, so the PRE continues its search of the\nthree-dimensional Space with ID 16Starting at packet offset\n\n38\n\nfor example, when an application protocol like Telnet can\nrun on several transport connections like TCP or UDP.\nRather than repeating the Telnet node, only one node is\nrepresented in the patterns database 308 which can have\nSeveral parents. This eliminates considerable Space explo\n\n65\n\nvalid entries of 2-D array B are combined with the valid\nentries of 2-D array A yielding one physical 2-D array.\nHowever, it is necessary to be able to distinguish the original\n2-D array A entries from those of 2-D array B. For example,\nif a parent protocol of the protocol represented by 2-D array\nB wants to reference the protocol ID of 2-D array B, it must\nnow reference 2-D array A instead. However, only the\nentries that were in the original 2-D array B are valid entries\nfor that lookup. To accomplish this, each element in any\ngiven 2-D array is tagged with a fold number. When the\noriginal tree is created, all elements in all the 2-D arrays are\ninitialized with a fold value of Zero. Subsequently, if 2-D\narray B is folded into 2-D array A, all valid elements of 2-D\narray B are copied to the corresponding locations in 2-D\narray A and are given different fold numbers than any of the\nelements in 2-D array A. For example, if both 2-D array A\n\nand 2-D array B were original 2-D arrays in the tree (i.e., not\npreviously folded) then, after folding, all the 2-D array A\n\nentries would still have fold 0 and the 2-D array B entries\nwould now all have a fold value of 1. After 2-D array B is\nfolded into 2-D array A, the parents of 2-D array B need to\nbe notified of the change in the 2-D array physical location\nof their children and the associated change in the expected\nfold value.\n\nThis folding process can also occur between two 2-D\narrays that have already been folded, as long as none of the\nindividual elements of the two 2-D arrays conflict for the\nSame 2-D array location. AS before, each of the valid\nelements in 2-D array B must have fold numbers assigned to\nthem that are unique from those of 2-D array A. This is\naccomplished by adding a fixed value to all the 2-D array B\nfold numbers as they are merged into 2-D array A. This fixed\nvalue is one larger than the largest fold value in the original\n2-D array A. It is important to note that the fold number for\nany given 2-D array is relative to that 2-D array only and\ndoes not span acroSS the entire tree of 2-D arrayS.\n\nApp. II-41\n\n\x0c39\n\nUS 6,665,725 B1\n\nThis process of folding can now be attempted between all\ncombinations of two 2-D arrays until there are no more\ncandidates that qualify for folding. By doing this, the total\nnumber of 2-D arrays can be significantly reduced.\n\nWhenever a fold occurs, the 3-D structure (i.e., all 2-D\narrays) must be searched for the parents of the 2-D array\n\n5\n\nbeing folded into another array. The matching pattern which\npreviously was mapped to a protocol ID identifying a single\n2-D array must now be replaced with the 2-D array ID and\n\nIf the entry looked up in the specified next LUT by this\nmethod matches the expected next fold value Specified in the\nvirtual base entry, the lookup is deemed valid. The node\n\nThus, in the compressed data Structure, each entry valid\nentry includes the fold number for that entry, and\nadditionally, the expected fold for the child.\n\ncode is then examined. If it is an intermediate node then the\n\nAn alternate embodiment of the data Structure used in\n\nStructure described above, it permits rapid Searches to be\nperformed by the pattern recognition process 304 by index\ning locations in a memory rather than performing address\nlink computations. The structure, like that of FIG. 18A, is\nSuitable for implementation in hardware, for example, for\nimplementation to work with the pattern recognition engine\n\n15\n\n(the child recognition pattern) can be found in the header, the\n\n25\n\nlength of the next protocol field, flags to indicate the header\nlength and type, and one or more Slicer commands, the Slicer\ncan build the key components and hash components for the\npacket at this protocol at this layer level.\nFor any protocol, there also are one or more lookup tables\n\n(LUTs). Thus database 308 for this embodiment also\n\nincludes a set of LUTS 1870. Each LUT has 256 entries\n\nindexed by one byte of the child recognition pattern that is\nextracted from the next protocol field in the packet. Such a\nprotocol Specification may be several bytes long, and So\nseveral of LUTs 1870 may need to be looked up for any\nprotocol.\nEach LUTs entry includes a 2-bit \xe2\x80\x9cnode code\xe2\x80\x9d that\nindicates the nature of the contents, including its validity.\n\nThis node code has one of four values: (1) a \xe2\x80\x9cprotocol\xe2\x80\x9d node\n\n35\n\n40\n\ncode indicating to the pattern recognition engine 1006 that\n\na known protocol has been recognized; (2) an \xe2\x80\x9cintermediate\'\n\nnode code, indicating that a multi-byte protocol code has\nbeen partially recognized, thus permitting chaining a Series\n\nof LUTs together before; (3) a \xe2\x80\x9cterminal\xe2\x80\x9d node code indi\n\n45\n\ncating that there are no children for the protocol presently\nbeing Searched, i.e., the node is a final node in the protocol\n\ntree; (4) a \xe2\x80\x9cnull\xe2\x80\x9d (also called \xe2\x80\x9cflush\xe2\x80\x9d and \xe2\x80\x9cinvalid\xe2\x80\x9d) node\ncode indicating that there is no valid entry.\nIn addition to the node code, each LUT entry may include\n\n50\n\nthe next LUT number, the next protocol number (for looking\nup the protocol table 1850), the fold of the LUT entry, and\n\nthe next fold to expect. Like in the embodiment implement\ning a compressed form of the 3-D representation, folding is\nused to reduce the Storage requirements for the Set of LUTs.\nSince the LUTs 1870 may be sparsely populated, multiple\nLUTs may be combined into a single LUT as long as the\n\n55\n\nindividual entries do not conflict with each other. A fold\nnumber is then used to associate each element with its\n\n60\n\nis obtained from the previous table lookup (the \xe2\x80\x9cnext fold to\nexpect\xe2\x80\x9d field). The present implementation uses 5-bits to\n\n65\n\noriginal LUT.\nFor a given lookup, the fold number of the lookup must\nmatch the fold number in the lookup table. The expected fold\ndescribe the fold and thus allows up to 32 tables to be folded\ninto one table.\n\nnext table field obtained from the LUT lookup is used as the\nmost significant bits of the address. The next expected fold\nis also extracted from the entry. The pattern recognition\nengine 1006 then uses the next byte from the child recog\nnition pattern as the for the next LUT lookup.\nThus, the operation of the PRE continues until a terminal\n\ncode is found. The next (initially base layer) protocol is\nlooked up in the protocol table 1850 to provide the PRE\n1006 with information on what field in the packet (in input\nbuffer memory 1008 of parser subsystem 1000) to use for\n\n(PRE) 1006 of FIG. 10.\nA table 1850, called the protocol table (PT) has an entry\nfor each protocol known by the monitor 300, and includes\nSome of the characteristics of each protocol, including a\ndescription of where the field that Specifies next protocol\n\nWhen using the data structure of FIG. 18B, when a packet\narrives at the parser, the virtual base has been pre-pended or\nis known. The virtual base entry tells the packet recognition\nengine where to find the first child recognition pattern in the\npacket. The pattern recognition engine then extracts the\nchild recognition pattern bytes from the packet and uses\n\nthem as an address into the virtual base table (the first LUT).\n\nthe next fold number (i.e., expected fold).\n\ndatabase 308 is illustrated in FIG. 18B. Thus, like the 3-D\n\n40\n\nobtaining the child recognition pattern of the next protocol,\nincluding the Size of the field. The child recognition pattern\nbytes are fetched from the input buffer memory 1008. The\nnumber of bytes making up the child recognition pattern is\nalso now known.\n\nThe first byte of the protocol code bytes is used as the\nlookup in the next LUT. If a LUT lookup results in a node\ncode indicating a protocol node or a terminal node, the Next\nLUT and next expected fold is set, and the \xe2\x80\x9cnext protocol\xe2\x80\x9d\nfrom LUT lookup is used as an index into the protocol table\n1850. This provides the instructions to the slicer 1007, and\nwhere in the packet to obtain the field for the next protocol.\nThus, the PRE 1006 continues until it is done processing all\n\nthe fields (i.e., the protocols), as indicated by the terminal\nnode code reached.\n\nNote that when a child recognition pattern is checked\nagainst a table there is always an expected fold. If the\nexpected fold matches the fold information in the table, it is\n\nused to decide what to do next. If the fold does not match,\n\nthe optimizer is finished.\nNote also that an alternate embodiment may use different\nsize LUTs, and then index a LUT by a different amount of\nthe child recognition pattern.\nThe present implementation of this embodiment allows\nfor child recognition patterns of up to four bytes. Child\nrecognition patterns of more than 4 bytes are regarded as\nSpecial cases.\nIn the preferred embodiment, the database is generated by\nthe compiler process 310. The compiler process first builds\na single protocol table of all the links between protocols.\nLinkS consist of the connection between parent and child\nprotocols. Each protocol can have Zero or more children. If\na protocol has children, a link is created that consists of the\nparent protocol, the child protocol, the child recognition\npattern, and the child recognition pattern size. The compiler\nfirst extracts child recognition patterns that are greater than\ntwo bytes long. Since there are only a few of these, they are\nhandled Separately. NeXt Sub links are created for each link\nthat has a child recognition pattern size of two.\nAll the links are then formed into the LUTs of 256 entries.\n\nOptimization is then carried out. The first step in the\noptimization is checking all the tables against all the other\ntables to find out which ones can share a table. This process\nproceeds the same way as described above for two\ndimensional arrayS, but now for the Sparse lookup tables.\n\nPart of the initialization process (e.g., compiler process\n310) loads a slicer instruction database with data items\n\nApp. II-42\n\n\x0cUS 6,665,725 B1\n\n41\nincluding of instruction, Source address, destination address,\nand length. The PRE 1006 when it sends a slicer instruction\nSends this instruction as an offset into the Slicer instruction\n\ndatabase. The instruction or Op code tells the slicer what to\nextract from the incoming packet and where to put it in the\nflow signature. Writing into certain fields of the flow Signa\nture automatically generates a hash. The instruction can also\n\ntell the Slicer how to determine the connection Status of\n\ncertain protocols.\nNote that alternate embodiments may generate the\npattern, parse and extraction database other than by com\npiling PDL files.\nThe Compilation Process\nThe compilation process 310 is now described in more\ndetail. This process 310 includes creating the parsing pat\nterns and extractions database 308 that provides the parsing\nSubsystem 301 with the information needed to parse packets\nand extract identifying information, and the State processing\ninstructions database 326 that provides the State processes\nthat need to be performed in the State processing operation\n\n15\n\n328.\n\nInput to the compiler includes a Set of files that describe\neach of the protocols that can occur. These files are in a\n\nconvenient protocol description language (PDL) which is a\n\nhigh level language. PDL is used for Specifying new proto\ncols and new levels, including new applications. The PDL is\nindependent of the different types of packets and protocols\nthat may be used in the computer network. A set of PDL files\nis used to describe what information is relevant to packets\nand packets that need to be decoded. The PDL is further used\nto Specify State analysis operations. Thus, the parser Sub\nSystem and the analyzer Subsystems can adapt and be\nadapted to a variety of different kinds of headers, layers, and\ncomponents and need to be extracted or evaluated, for\nexample, in order to build up a unique signature.\nThere is one file for each packet type and each protocol.\nThus there is a PDL file for Ethernet packets and there is a\nPDL file for frame relay packets. The PDL files are compiled\nto form one or more databases that enable monitor 300 to\n\nperform different protocol Specific operations on a packet\nwherein the protocol headers of any protocol are located at\ndifferent locations depending on the parent protocol or\nprotocols used in the packet. Thus, the packet monitor adapts\nto different protocols according to the contents of the packet.\nIn particular, the parser Subsystem 301 is able to extract\ndifferent types of data for different types of packets. For\nexample, the monitor can know how to interpret a Ethernet\npacket, including decoding the header information, and also\nhow to interpret an frame relay packet, including decoding\n\n25\n\n35\n\n40\n\n45\n\ncontents of these PDL files are attached as an APPENDIX\n\n50\n\nthe header information.\n\nThe Set of PDL files, for example, may include a generic\nEthernet packet file. There also is included a PDL file for\neach variation Ethernet file, for example, an EEE Ethernet\nfile.\n\nThe PDL file for a protocol provides the information\nneeded by compilation process 310 to generate the database\n308. That database in turn tells the parser subsystem how to\nparse and/or extract information, including one or more of\nwhat protocol-specific components of the packet to extract\nfor the flow Signature, how to use the components to build\nthe flow signature, where in the packet to look for these\ncomponents, where to look for any child protocols, and what\nchild recognition patterns to look for. For Some protocols,\nthe extracted components may include Source and destina\ntion addresses, and the PDL file may include the order to use\n\n42\nthese addresses to build the key. For example, Ethernet\nframes have end-point addresses that are useful in building\na better flow signature. Thus the PDL file for an Ethernet\npacket includes information on how the parsing Subsystem\nis to extract the Source and destination addresses, including\nwhere the locations and sizes of those addresses are. In a\nframe-relay base layer, for example, there are no specific end\npoint addresses that help to identify the flow better, so for\nthose type of packets, the PDL file does not include infor\nmation that will cause the parser Subsystem to extract the\nend-point addresses.\nSome protocols also include information on connections.\nTCP is an example of such a protocol. Such protocol use\nconnection identifiers that exist in every packet. The PDL\nfile for Such a protocol includes information about what\nthose connection identifiers are, where they are, and what\ntheir length is. In the example of TCP, for example running\nover IP, these are port numbers. The PDL file also includes\ninformation about whether or not there are States that apply\nto connections and disconnections and what the possible\nchildren are States. So, at each of these levels, the packet\nmonitor 300 learns more about the packet. The packet\nmonitor 300 can identify that a particular packet is part of a\nparticular flow using the connection identifier. Once the flow\nis identified, the System can determine the current State and\nwhat States to apply that deal with connections or discon\nnections that exist in the next layer up to these particular\npackets.\nFor the particular PDL used in the preferred embodiment,\na PDL file may include none or more FIELD statement each\ndefining a specific String of bits or bytes (i.e., a field) in the\npacket. A PDL file may further include none or more\nGROUP statements each used to tie together several defined\nfields. A set of Such tied together fields is called a group. A\nPDL file may further include none or more PROTOCOL\nStatements each defining the order of the fields and groups\nwithin the header of the protocol. A PDL file may further\ninclude none or more FLOW statements each defining a flow\nby describing where the address, protocol type, and port\nnumbers are in a packet. The FLOW statement includes a\ndescription of how children flows of this protocol are\ndetermined using State operations. States associated may\nhave State operations that may be used for managing and\nmaintaining new States learned as more packets of a flow are\nanalyzed.\nFIG. 19 shows a set of PDL files for a layering structure\nfor an Ethernet packet that runs TCP on top of IP. The\n\n55\n\nhereto. Common.pdl (1903) is a file containing the common\n\nprotocol definitions, i.e., Some field definitions for com\nmonly used fields in various network protocols. Flows.pdl\n\n(1905) is a file containing general flow definitions. Virtu\nalpdl (1907) is a PDL file containing the definition for the\nVirtualBase layer used. Ethernet.pdl (1911) is the PDL file\n\ncontaining the definition for the Ethernet packet. The deci\nsion on Ethertype vs. IEEE type Ethernet file is described\nherein. If this is Ethertype, the selection is made from the file\n\nEthertype.pdl (1913). In an alternate embodiment, the Ether\n\n60\n\ntype Selection definition may be in the same Ethernet file\n1911. In a typical implementation, PDL files for other\n\nEthernet types would be included. IPpdl (1915) is a PDL file\nTCP.pdl (1917) is the PDL file containing the packet defi\ncontaining the packet definitions for the Internet Protocol.\n\n65\n\nnitions for the Transmission Control Protocol, which in this\n\ncase is a transport Service for the IP protocol. In addition to\nextracting the protocol information the TCP protocol defi\nnition file assists in the process of identification of connec\n\nApp. II-43\n\n\x0c43\n\nUS 6,665,725 B1\n\ntions for the processing of States. In a typical Set of files,\nthere also would be a file UDP.pdl for the User Datagram\n\n44\nCOPYRIGHT NOTICE\n\nA portion of this of this document included with the patent\ncontains material which is Subject to copyright protection.\n\nProtocol (UDP) definitions. RPC.pdl (1919) is a PDL file file\n\ncontaining the packet definitions for Remote Procedure\n\nThe copyright owner (Apptitude, Inc., of San Jose, Calif.,\nformerly Technically Elite, Inc.) has no objection to the\n\nCalls.\n\nNFS.pdl (1921) is a PDL file containing the packet\n\ndefinitions for the Network File System. Other PDL files\nwould typically be included for all the protocols that might\nbe encountered by monitor 300.\nInput to the compilation process 310 is the set of PDL files\n\nfacsimile reproduction by anyone of the patent document or\nthe patent disclosure or this document, as it appears in the\nPatent and Trademark Office patent file or records, but\notherwise reserves all copyright rights whatsoever. Copy\n\nto process 310 may also include layering information shown\nin FIG. 3 as datagram layer selections 338. The layer\nSelections information describes the layering of the\n\n1. INTRODUCTION\n\nrightC) 1997-1999 by Apptitude, Inc. (formerly Technically\nElite, Inc.). All Rights Reserved.\n\n(e.g., the files of FIG. 19) for all protocols of interest. Input\nprotocols-what protocol(s) may be on top of any particular\n\nprotocols. For example, IP may run over Ethernet, and also\nover many other types of packets. TCP may run on top of IP.\nUDP also may run on top of IP. When no layering informa\ntion is explicitly included, it is inherent; the PDL files\ninclude the children protocols, and this provides the layering\n\n15\n\nguide, protocol descriptions (PDL files) are referred to as\n\nPDL or rules when there in no risk of confusion with other\n\ninformation.\n\nThe compiling process 310 is illustrated in FIG. 20. The\ncompiler loads the PDL source files into a scratch pad\n\nmemory (step 2003) and reviews the files for the correct\nsyntax (parse step 2005). Once completed, the compiler\n\ncreates an intermediate file containing all the parse elements\n\n25\n\n(step 2007). The intermediate file in a format called \xe2\x80\x9cCom\npiled Protocol Language\xe2\x80\x9d (CPL). CPL instructions have a\n\nfixed layer format, and include all of the patterns,\nextractions, and States required for each layer and for the\nentire tree for a layer. The CPL file includes the number of\nprotocols and the protocol definitions. A protocol definition\nfor each protocol can include one or more of the protocol\nname, the protocol ID, a header Section, a group identifica\ntion Section, Sections for any particular layers, announce\nment Sections, a payload Section, a children Section, and a\nstates section. The CPL file is then run by the optimizer to\ncreate the final databases that will be used by monitor 300.\nIt would be clear to those in the art that alternate imple\nmentations of the compilation process 310 may include a\ndifferent form of intermediate output, or no intermediate\n\n(4GL). This means is describes what needs to be done\n\n35\n\n40\n\nWith the flow signature operations complete, the PDL\n\nextract the payload elements from each PDL module. These\npayload elements are used by states in other PDL modules\nat higher layers in the processing.\nThe last pass is to create the State operations required by\neach PDL module. The state operations are complied from\n\n50\n\nThese databases are used by programs like: mfkeys,\n\nwhich produces flow keys (also called flow signatures);\nfiles.\n\n1.2 Guide Conventions\n\n55\n\nThe CPL file is now run through an optimizer that\ngenerates the final databases used by monitor 300.\n\nthe invention, permits the automatic generation of the data\nbases used by the parser and analyzer Sub-Systems, and also\nallows for including new and modified protocols and appli\ncations to the capability of the monitor.\n\nNetscope compiler (nsc), which produces the MeterFlow\ndatabase (MeterFlow.db) and the Netscope database\n(Netscope.db). The MeterFlow database contains the flow\n\nmfcpl, which produces flow definitions in CPL format;\nmfpkts which produces Sample packets of all known proto\ncols; and netscope, which decodes SnifferTM and tcpdump\n\nthe PDL files and created in CPL form for later use (2013).\n\nPROTOCOL DEFINITION LANGUAGE (PDL)\nREFERENCE GUIDE (VERSION AO.02)\nIncluded herein is this reference guide (the \xe2\x80\x9cguide\xe2\x80\x9d) for\nthe page description language (PDL) which, in one aspect of\n\nIn addition, it is used to describe network flows by\ndefining which fields are the address fields, which are the\nprotocol type fields, etc.\nOnce a PDL file is written, it is compiled using the\n\nheader definitions.\n45\n\nSignature (and hash key) and for links between layers\n(2009).\ncompiler creates (Step 2011) the operations required to\n\n(CPL) optimization utility.\n\ndefinitions and the NetScope database contains the protocol\n\nAfter the parse elements have been created, the compiler\n\nthe extraction operations in CPL that are required at each\nlevel for each PDL module for the building of the flow\n\ntypes of descriptions.\nPDL uses both form and organization similar to the data\nStructure definition part of the C programming language and\nthe PERL scripting language. Since PDL was derived from\na language used to decode network packet contact, the\nauthors have mixed the language format with the require\nments of packet decoding. This results in an expressive\nlanguage that is very familiar and comfortable for describing\npacket content and the details required representing a flow.\n1.1 Summary\nThe PDL is a non-procedural Forth Generation language\nwithout describing how to do it. The details of how are\nhidden in the compiler and the Compiled Protocol Layout\n\noutput at all, directly generating the final database(s).\n\nbuilds the flow signature elements (step 2009). This creates\n\nThe inventive protocol Definition Language (PDL) is a\n\nSpecial purpose language used to describe network protocols\nand all the fields within the protocol headers. Within this\n\n60\n\n65\n\nThe following conventions will be used throughout this\nguide:\nSmall courier typeface indicates C code examples or\nfunction names. Functions are written with parentheses after\n\nthem function (O), variables are written just as their names\nvariables, and structure names are written prefixed with\n"struct\xe2\x80\x9d struct packet.\nItalics indicate a filename (for instance, mworkS/base/h/\nbase.h). Filenames will usually be written relative to the root\ndirectory of the distribution.\nConstants are expressed in decimal, unless written\n\xe2\x80\x9cOX ... \', the C language notation for hexadecimal numbers.\nNote that any contents on any line in a PDL file following\n\ntwo hyphen (--) are ignored by the compiler. That is, they are\nCOmmentS.\n\nApp. II-44\n\n\x0c45\n\nUS 6,665,725 B1\n\n2. PROGRAM STRUCTURE\n\nA MeterFlow PDL decodes and flow set is a non-empty\nSequence of Statements.\nThere are four basic types of Statements or definitions\navailable in MeterFlow PDL:\n\n5\n\nFIELD,\nGROUP\n\nPROTOCOL and\nFLOW.\n\n46\n\n2.1.3 LENGTH \xe2\x80\x9cExpression\xe2\x80\x9d\nThis attribute defines an expression for determining the\nFIELD\'s length. Expressions are arithmetic and can refer to\nthe value of other FIELD\'s in the packet by adding a S to the\n\nreferenced field\'s name. For example, \xe2\x80\x9c(StcpHeaderLen4)-\n\n20\xe2\x80\x9d is a valid expression if tcpHeaderLen is another field\ndefined for the current packet.\n2.1.4 FLAGS FieldFlags\nThe attribute defines some special flags for a FIELD. The\ncurrently Supported FieldFlags are:\n\n2.1 Field Definitions\n\nThe FIELD definition is used to define a specific string of\nbits or bytes in the packet. The FIELD definition has the\nfollowing format:\n\n15\n\nName FIELD\n\nSYNTAX Type {Enums\n\nSAMELAYER\nNOLABEL\nNOSHOW\nSWAPPED\n\n2.1.5 ENCAP FieldName, FieldName2\nThis attribute defines how one packet is encapsulated\ninside another. Which packet is determined by the value of\nthe FieldName field. If no packet is found using FieldName\n\nDISPLAY-HINT \xe2\x80\x9cFormatString\xe2\x80\x9d\nLENGTH \xe2\x80\x9cExpression\xe2\x80\x9d\nFLAGS FieldFlags\nENCAP FieldName , FieldName2\nLOOKUP LookupType Filename\nENCODING EncodingType\n\nthen FieldName2 is tried.\n\n25\n\n2.1.6 LOOKUP LookupType Filename\nThis attribute defines how to lookup the name for a\nparticular FIELD value. The currently supported Lookup\nTypes are:\n\nDEFAULT \xe2\x80\x9cvalue\'\n\nDESCRIPTION \xe2\x80\x9cDescription\xe2\x80\x9d\nWhere only the FIELD and SYNTAX lines are required.\nAll the other lines are attribute lines, which define special\ncharacteristics about the FIELD. Attribute lines are optional\nand may appear in any order. Each of the attribute lines are\n\nSERVICE\nHOSTNAME\nMACADDRESS\nFILE file\n\ndescribed in detail below:\n\n2.1.1 SYNTAX Type {Enums})\n\nThis attribute defines the type and, if the type is an INT,\nBYTESTRING, BITSTRING, or SNMPSEQUENCE type,\nthe enumerated values for the FIELD. The currently defined\n\n35\n\n40\n\nBITSTRING(numEits)\nLSTRING(len Bytes)\n\nNSTRING\nDNSSTRING\nSNMPOID\nSNMPSEQUENCE\n\nSNMPTIMETICKS\n\nCOMBO field1 field2\n\nInteger that is numBits bits long.\nUnsigned integer that is numBits\nbits long.\nString that is numBytesbytes long.\nString that ranges in size from\nR1 to R2 bytes.\nString that is numBits bits long.\nString with lenBytes header.\nNull terminated string.\nDNS encoded string.\nSNMP Object Identifier.\nSNMP Sequence.\n\nHexDump\n\nPrint in hexdump format.\n\n2.1.8 DEFAULT \xe2\x80\x9cvalue\'\nThis attribute defines the default value to be used for this\n\nfield when generating Sample packets of this protocol.\n2.1.9 DESCRIPTION \xe2\x80\x9cDescription\xe2\x80\x9d\nThis attribute defines the description of the FIELD. It is\nused for informational purposes only.\n2.2 Group Definitions\nThe GROUP definition is used to tie several related\n\nformat:\nName GROUP\n\nLENGTH \xe2\x80\x9cExpression\xe2\x80\x9d\n\nSNMP TimeTicks.\n\nPrint as a num byte hexidecimal number.\nPrint as a num byte decimal number.\nPrint as a num byte octal number.\nPrint as a num byte binary number.\nPrint num bytes in ASCII format.\n\n2.1.7 ENCODING EncodingType\nThis attribute defines how a FIELD is encoded. Currently,\n\nFIELDs together. The GROUP definition has the following\n50\n\nOPTIONAL \xe2\x80\x9cCondition\'\n\n2.1.2. DISPLAY-HINT \xe2\x80\x9cFormatString\xe2\x80\x9d\nThis attribute is for specifying how the value of the\nFIELD is displayed. The currently supported formats are:\n\nText\n\n45\n\nCombination pseudo field.\n\nNumx\nNumd\nNumo\nNumb\nNuma\n\nUse getservbyport( ).\nUse gethostbyaddr().\nUse SMETERFLOW/conf/mac2ip.cf.\nUse file to lookup value.\n\nthe only supported EncodingType is BER (for Basic Encod\ning Rules defined by ASN.1).\n\ntypes are:\n\nINT(numEits)\nUNSIGNED INT(numBits)\nBYTESTRING(numEytes)\nBYTESTRING(R1 ... R2)\n\nDisplay field on the same layer as the previous field.\nDon\'t display the field name with the value.\nDecode the field but don\xe2\x80\x99t display it.\nThe integer value is swapped.\n\n55\n\nSUMMARIZE \xe2\x80\x9cCondition\xe2\x80\x9d: \xe2\x80\x9cFormat String\xe2\x80\x9d\n\xe2\x80\x9cCondition\xe2\x80\x9d: \xe2\x80\x9cFormatString\xe2\x80\x9d . . . )\nDESCRIPTION \xe2\x80\x9cDescription\xe2\x80\x9d\n\n::={Name=FieldOrGroup, Name=FieldorCroup ... }\n\n60\n\nWhere only the GROUP and ::=lines are required. All the\nother lines are attribute lines, which define Special charac\nteristics for the GROUP. Attribute lines are optional and may\nappear in any order. Each attribute line is described in detail\n\nbelow:\n\nPrint as ASCII text.\n\n65\n\n2.2.1 LENGTH \xe2\x80\x9cExpression\xe2\x80\x9d\nThis attribute defines an expression for determining the\nGROUP\'s length. Expressions are arithmetic and can refer\nto the value of other FIELD\'s in the packet by adding a Sto\nthe referenced field\'s name. For example,\n\nApp. II-45\n\n\x0cUS 6,665,725 B1\n\n47\n\xe2\x80\x9c(StcpHeaderLen 4)-20\xe2\x80\x9d is a valid expression if tcpHead\nerLen is another field defined for the current packet.\n\n-continued\n\n2.2.2 OPTIONAL \xe2\x80\x9cCondition\n\nS:field\n\nThis attribute defines a condition for determining whether\na GROUP is present or not. Valid conditions are defined in\n\nDisplays the field value (in raw format).\n\nS#field\nS*field\n\nthe Conditions section below.\n\nCounts all occurrences of field.\nLists all occurrences of field.\n\n2.2.3 SUMMARIZE \xe2\x80\x9cCondition\xe2\x80\x9d: \xe2\x80\x9cFormatString\xe2\x80\x9d\n\xe2\x80\x9cCondition":\xe2\x80\x9cFormatString\xe2\x80\x9d . . . )\nThis attribute defines how a GROUP will be displayed in\n\n2.3.2. DESCRIPTION \xe2\x80\x9cDescription\xe2\x80\x9d\nThis attribute defines the description of the PROTOCOL.\nIt is used for informational purposes only.\n\nare defined in the Conditions section below. Any FIELD\'s\nvalue can be referenced within the FormatString by pro\nceeding the FIELD\'s name with a S. In addition to FIELD\nnames there are several other special S keywords:\n\nmine the protocol format. It is used for informational pur\nposes only.\n\n2.3.3 REFERENCE \xe2\x80\x9cReference\xe2\x80\x99\nThis attribute defines the reference material used to deter\n\nDetail mode. A different format (FormatString) can be\nspecified for each condition (Condition). Valid conditions\n\nSLAYER\nSGROUP\nSLABEL\nSfield\n\nS:field\n\n15\n\n::= { Name = Field Or Group\nName=FieldOrGroup ... }\n23.4\n\nThis defines the Order of the FIELDS and GROUPS within\nthe PROTOCOL.\n\nDisplays the current protocol layer.\nDisplays the entire GROUP as a table.\nDisplays the GROUP label.\nDisplays the field value (use\n\n2.4 FLOW Definitions\n\nThe FLOW definition is used to define a network flow by\ndescribing where the address, protocol type, and port num\nbers are in a packet. The FLOW definition has the following\n\nenumerated name if available).\nDisplays the field value (in raw format).\n\n2.2.4 DESCRIPITION \xe2\x80\x9cDescription\xe2\x80\x9d\nThis attribute defines the description of the GROUP. It is\nused for informational purposes only.\n22.5\n::= { Name = Field Or Group\nI,\n\n25\n\nThis defines the order of the fields and subgroups within\n\nthe GROUP\n\n2.3 PROTOCOL Definitions\n\n35\n\nThe PROTOCOL definition is used to define the order of\n\nthe FIELDs and GROUPs within the protocol header. The\nPROTOCOL definition has the following format:\nName PROTOCOL\n\nSUMMARIZE \xe2\x80\x9cCondition":\xe2\x80\x9cFormatString\xe2\x80\x9d \xe2\x80\x9cCondition\n":\xe2\x80\x9cFormatString" . . . )\nDESCRIPTION \xe2\x80\x9cDescription\xe2\x80\x9d\nREFERENCE \xe2\x80\x9cReference\xe2\x80\x99\n\n::= {Name=FieldOrGroup, Name=FieldOrGroup ... }\n\nformat:\nName FLOW\n\nHEADER Option, Option . . . )\nDLC-LAYER {Option, Option . . . )\nNET-LAYER {Option, Option ... }\nCONNECTION Option, Option . . .\nPAYLOAD {Option, Option ... }\nCHILDREN Option, Option . . . )\n\nName=FieldOrGroup ... }\n\n40\n\nSTATE-BASED\nSTATES \xe2\x80\x9cDefinitions\'\n\nWhere only the FLOW line is required. All the other lines\nare attribute lines, which define Special characteristics for\nthe FLOW. Attribute lines are optional and may appear in\nany order. However, at least one attribute line must be\npresent. Each attribute line is described in detail below:\n\n2.4.1 HEADER Option, Option . . . )\n\nThis attribute is used to describe the length of the protocol\nheader. The currently Supported Options are:\n\n45\n\nWhere only the PROTOCOL and ::=lines are required. All\nthe other lines are attribute lines, which define Special\n\nLENGTH = number\nLENGTH = field\n\ncharacteristics for the PROTOCOL. Attribute lines are\n\noptional and may appear in any order. Each attribute line is\ndescribed in detail below:\n\nIN-WORDS\n\n50\n\n2.3.1 SUMMARIZE \xe2\x80\x9cCondition\xe2\x80\x9d: \xe2\x80\x9cFormatString\xe2\x80\x9d\n\xe2\x80\x9cCondition":\xe2\x80\x9cFormatString". . . )\n\nplayed in Summary mode. A different format (FormatString)\ncan be specified for each condition (Condition). Valid con\n\nditions are defined in the Conditions section below. Any\nFIELD\'s value can be referenced within the FormatString by\nproceeding the FIELD\'s name with a S. In addition to\nFIELD names there are several other special S keywords:\n\n55\n\nIf the protocol is a data link layer protocol, this attribute\ndescribes it. The currently Supported Options are:\nDESTINATION = field\nSOURCE = field\n\n60\n\nPROTOCOL\n\nTUNNELING\n\nDisplays the current protocol layer.\nDisplays the entire SNMP VarBind list.\nDisplays the field value (use\n\nenumerated name if available).\n\nHeader is a fixed length of size number.\nHeader is variable length determined\nby value of field.\nThe units of the header length are\nin 32-bit words rather than bytes.\n\n2.4.2 DLC-LAYER (Option, Option . . . )\n\nThis attribute defines how a PROTOCOL will be dis\n\nSLAYER\nSVARBIND\nSfield\n\nI,\n\n65\n\nIndicates which field is the DLC\ndestination address.\nIndicates which field is the DLC\nsource address.\nIndicates this is a data link\n\nlayer protocol.\nIndicates this is a tunneling protocol.\n\n2.4.3 NET-LAYER (Option, Option ... }\n\nIf the protocol is a network layer protocol, then this\nattribute describes it. The currently supported Options are:\n\nApp. II-46\n\n\x0cUS 6,665,725 B1\n\n49\nDESTINATION = field\n\nValue1 == Value2\n\nIndicates which field is the\nnetwork destination address.\nIndicates which field is the\nnetwork source address.\n\nSOURCE = field\n\nValue1 = Value2\n\nIndicates this is a tunneling protocol.\nIndicates this protocol supports\nfragmentation. There are currently\ntwo fragmentation types: IPV4 and\n\nTUNNELING\n\nFRAGMENTATION = type\n\nIPV6.\n\nattribute describes how connections are established and torn\n\nCONNECT.COMPLETE = \xe2\x80\x9cflag\nDISCONNECT-START = \xe2\x80\x9cflag\xe2\x80\x9d\nDISCONNECT.COMPLETE = \xe2\x80\x9cflag\xe2\x80\x9d\nINHERITED\n\n15\n\nIndicates when a connection\nhas been established.\nIndicates when a connection\nIndicates when a connection\nhas been torn down.\nIndicates this is a\n\n25\n\n(field names preceded by a S) or constant values. Note that\ncompound conditional Statements (using AND and OR) are\nnot currently Supported.\n\nnetwork.\n\nThe basic format of a state definition is:\n\nState Name: Operand Parameters Operand\nParameters . . . )\nThe various States of a particular flow are described using\nthe following operands:\n2.6.1 CHECKCONNECT, Operand\nChecks for connection. Once connected executeS oper\n\nconnection-oriented protocol\nbut the parent protocol is\nwhere the connection is\nestablished.\n\n2.45 PAYLOAD {Option, Option ... }\n\nThis attribute describes how much of the payload from a\npacket of this type should be stored for later use during\nanalysis. The currently Supported Options are:\n\nField matches the regular expression regex.\n\nMany applications running over data networks utilize\ncomplex methods of classifying traffic through the use of\nmultiple States. State definitions are used for managing and\nmaintaining learned States from traffic derived from the\n\nis being initiated.\n\nis being torn down.\n\nValue1 is greater than Value2.\n\nValue1 is less than Value2.\n\n26 STATE DEFINITIONS\n\nIndicates the connection\nidentifier field.\nIndicates when a connection\n\nCONNECT-START = \xe2\x80\x9cflag\xe2\x80\x9d\n\nValue1 > Value2\n\nWhere Valuel and Value2 can be either FIELD references\n\nIf the protocol is a connection-oriented protocol, then this\n\ndown. The currently Supported Options are:\n\nValue1 does not equal Value2.\n\nValue1 <= Value2\nValue1 >= Value2\nField m/regex/\n\n1O\n\nValue1 equals Value2.\nWorks with string values.\n\nWorks with string values.\nValue1 is less than or equal to Value2.\nValue1 is greater than or equal to Value2.\n\nValue1 < Value2\n\n2.4.4 CONNECTION Option, Option ... }\n\nIDENTIFIER = field\n\nSO\n\n35\n\nand.\n26.2 GOTO State\n\nGoes to State, using the current packet.\n\n2.63 NEXT State\n\nINCLUDE-HEADER Indicates that the protocol header\nLENGTH = number\nDATA = field\n\n40\n\nshould be included.\n\nIndicates how many bytes of the payload\nshould be stored.\n\n2.6.5 CHILD Protocol\n\nIndicates which field contains the payload.\n\n2.4.6 CHILDREN Option, Option . . . )\n\nJump to child protocol and perform State-based process\n\n45\n\nThis attribute describes how children protocols are deter\nmined. The currently Supported Options are:\n50\n\nDESTINATION = field\nSOURCE = field\nLLCCHECK = flow\n\nIndicates which field is the destination port.\nIndicates which field is the source port.\n\nIndicates that if the DESTINATION field\nis less than 0 x 05DC then use flow\ninstead of the current flow definition.\n\n55\n\n2.47 STATE-BASED\nThis attribute indicates that the flow is a state-based flow.\n2.48 STATES \xe2\x80\x9cDefinitions\'\n\nThis attribute describes how children flows of this pro\ntocol are determined using States. See the State Definitions\n\nConditions are used with the OPTIONAL and SUMMA\n\nRIZE attributes and may consist of the following:\n\ning (if any) in the child.\n\n2.6.6 WAIT Numpackets, Operand1, Operand2\nWaits the Specified number of packets. Executes operand1\nwhen the Specified number of packets have been received.\nExecuteS operand2 when a packet is received but it is leSS\nthan the number of Specified packets.\n2.6.7 MATCH \'String Weight Offset LF-offset Range\nLF-range, Operand\nSearches for a String in the packet, executes operand if\nfound.\n\n2.6.8 CONSTANT Number Offset Range, Operand\nChecks for a constant in a packet, executes operand if\nfound.\n\n60\n\nSection below for how these states are defined.\n2.5 CONDITIONS\n\nGoes to State, using the next packet.\n2.6.4 DEFAULT Operand\nExecutes operand when all other operands fail.\n\n65\n\n2.6.9 EXTRACTIP Offset Destination, Operand\nExtracts an IP address from the packet and then executes\noperand.\n2.6.10 EXTRACTPORT Offset Destination, Operand\nExtracts a port number from the packet and then executes\noperand.\n2.6.11 CREATEREDIRECTEDFLOW. Operand\nCreates a redirected flow and then executes operand.\n\nApp. II-47\n\n\x0cUS 6,665,725 B1\n\nS1\n\n52\n\n3. EXAMPLE PDL RULES\n\n-continued\n\nThe following section contains several examples of PDL\n\nipData FIELD\n\nRule files.\n\nSYNTAX\nENCAP\nDISPLAY-HINT\nPROTOCOL\n\n3.1 Ethernet\nip\n\nThe following is an example of the PDL for Ethernet:\n\nSUMMARIZE\n\n\xe2\x80\x9cSFragmentOffset = 0\xe2\x80\x9d\n\xe2\x80\x9cIpFragment ID=SIdentification Offset=SFragmentoffset\n*\xe2\x80\x9cDefault :\n\n1O\n\nMacAddress\n\nFIELD\n\nSYNTAX\n\nDISPLAY-HINT\nLOOKUP\nDESCRIPTION\n\netherType\n\nDISPLAY-HINT\n\nLOOKUP\n\nDESCRIPTION\n\netherData\n\nSYNTAX\nENCAP\nDISPLAY-HINT\nethernet\n\n\xe2\x80\x9c1x:\nMACADDRESS\n\n::= { Version=ipVersion, HeaderLength=ipHeaderLength,\n\nINT(16)\n\n\xe2\x80\x9c1x:\n\nFILE \xe2\x80\x9cEtherType.cf.\n\nFragment=ipFragment, Data=ipData }\n\nip\n\nFLOW\n\nHEADER LENGTH=Header Length, IN-WORDS\nNET-LAYER {\n\nBYTESTRING(46.1500)\netherType\n\xe2\x80\x9cHexDump\xe2\x80\x9d\n\nSOURCE=IpSrc,\nDESTINATION=IpDest,\n\nFRAGMENTATION=IPV4,\n\nDESCRIPTION\n\xe2\x80\x9cEthernet data\nPROTOCOL\nDESCRIPTION\n\xe2\x80\x9cProtocol format for an Ethernet frame\nREFERENCE\n\xe2\x80\x9cRFC 894\n\nTUNNELING\n\n25\n\nipFragData\n\n::= { MacDest=macAddress, MacSrc=macAddress, EtherType=etherType,\nData=etherData }\n\nethernet\n\nTypeOfService=ipTypeOfService, Length=ipLength,\nIdentification=UInt16, IpFlags=ipFlags,\nFragmentOffset=ipFragmentOffset, TimeToLive=Int8,\nProtocol=ipProtocol, Checksum=ByteStr2,\nIpSrc=ipAddress, IpDest=ipAddress, Options=ipOptions,\n\n15\n\n\xe2\x80\x9cEthernet type field\xe2\x80\x9d\n\nFIELD\n\n\xe2\x80\x9cIP Protocol=SProtocol\n\nDESCRIPTION\n\xe2\x80\x9cProtocol format for the Internet Protocol\nREFERENCE \xe2\x80\x9cRFC 791\n\nBYTESTRING (6)\n\n\xe2\x80\x9cMAC layer physical address\'\n\nFIELD\nSYNTAX\n\nCHILDREN DESTINATION=Protocol }\n\nipFragment\n\nFLOW\n\nHEADER LENGTH-14 }\nDLC-LAYER {\n\n40\n\nipOptionData\n\nHere is an example of the PDL for the IP protocol:\nipOptions\n45\n\n\xe2\x80\x9cIP address\n\nipHeaderLength\n\nFIELD\nSYNTAX\n\nDEFAULT\n\nFIELD\n\nipLength\nipFlags\n\nFIELD\n\nSYNTAX\nFIELD\n\nSYNTAX\n\nIpFragmentOffset\nipProtocol\n\nBYTESTRING(4)\n\nFIELD\nSYNTAX\nFIELD\n\n\xe2\x80\x9cIP option code\xe2\x80\x9d\nFIELD\n\nSYNTAX UNSIGNED INT(8)\nDESCRIPTION\n\xe2\x80\x9cLength of IP option\nFIELD\n\nSYNTAX\nENCAP\nDISPLAY-HINT\nGROUP\n\nLENGTH\n\nBYTESTRING(0.1500)\nipOptionCode\n\xe2\x80\x9cHexDump\xe2\x80\x9d\n\n\xe2\x80\x9c(ipHeaderLength * 4) - 20\n\n::= { Code=ipOptionCode, Length=ipOptionLength, Pointer=UInt8,\nData=ipOption Data }\n3.3 TCP\n\n50\n\nHere is an example of the PDL for the TCP protocol:\n\nINT(4)\n4\n\nBITSTRING(8) { minCost(1),\n\n55\n\nmaxReliability(2),\nmaxThruput(3),\nminDelay (4) }\n\nSYNTAX UNSIGNED INT(16)\nFIELD\n\n\xe2\x80\x9cSFragmentOffset - O\n\n\xe2\x80\x9cHexDump\xe2\x80\x9d\n\n\xe2\x80\x9c1d.\nHOSTNAME\n\nSYNTAX INT(4)\n\nipTypeOfService\n\nOPTIONAL\n\nDISPLAY-HINT\nGROUP\n\nDESCRIPTION\n\nipOptionLength\n\n3.2 IP Version 4\n\nipversion\n\n\xe2\x80\x9cipLength - ipHeaderLength * 4\n\nSYNTAX INT(8) { ipRR(0x07), ipTimestamp(Ox44),\nipLSRR(0x83),\nipsSRR(0x89) }\n\n35\n\nCHILDREN DESTINATION=EtherType,\nLLC-CHECK=llc }\n\nDISPLAY-HINT\nLOOKUP\nDESCRIPTION\n\nBYTESTRING(1.1500)\n\nLENGTH\n\nipOptionCode FIELD\n\nPROTOCOL\n\nFIELD\nSYNTAX\n\nFIELD\nSYNTAX\n\n::= { Data=ipFragData }\n\nSOURCE=MacSrc,\nDESTINATION=MacDest,\nTUNNELING,\n\nipAddress\n\nBYTESTRING(0.1500)\nipProtocol\n\xe2\x80\x9cHexDump\xe2\x80\x9d\n\n60\n\nBITSTRING(3) { moreFrags(0),\n\ntepPort FIELD\n\nSYNTAX UNSIGNED INT(16)\nLOOKUP FILE \xe2\x80\x9cTepPort.cf.\ntepHeader Len FIELD\nSYNTAX INT(4)\ntopFlags FIELD\nSYNTAX BITSTRING(12) { fin(0), syn(1), rst (2), psh(3),\nack(4), urg(5) }\ntepData FIELD\n\ndontFrag(1)}\n\nSYNTAX BYTESTRING(0.1564)\nLENGTH" (SipLength- (SipHeaderLength 4)) (StepHeaderLen; 4)\n\nINT(13)\n\nSYNTAX INT(8)\nLOOKUP FILE \xe2\x80\x9cIpProtocol.cf.\n\n65\n\ntop\n\nApp. II-48\n\nENCAP\nDISPLAY-HINT\nPROTOCOL\n\ntopport\n\xe2\x80\x9cHexDump\xe2\x80\x9d\n\n\x0cUS 6,665,725 B1\n\nS3\n\nS4\n\n-continued\n\n-continued\nS1: WAIT 2, GOTO S2, NEXT S1\n\nSUMMARIZE\n\xe2\x80\x9cDefault\n\nDEFAULT NEXT SO\nS2: MATCH\n\n\xe2\x80\x9cTCPACK=SAck WIN=SWindowSize\n\nDESCRIPTION\n\xe2\x80\x9cProtocol format for the Transmission Control Protocol\nREFERENCE\n\xe2\x80\x9cRFC 793\n\nWn\\rn\nVnyn\nPOST ?tds?\n\nAck=UInt32, HeaderLength=tcpHeaderLen, TcpFlags=tcpFlags,\nWindowSize=UInt16, Checksum=ByteStr2,\n\n\xe2\x80\x9c.hts HTTP/1.0\n\n::= { SrcPort=tcpPort, DestPort=tcpPort, SequenceNum=UInt32,\ntop\n\nUrgentPointer=UInt16, Options=tcpCoptions, Data=tcpData }\n\njdbc:sybase:Tas\n\nHEADER LENGTH=HeaderLength, IN-WORDS\nCONNECTION {\n\nPCN-The Poin\n\nFLOW\n\nIDENTIFIER=SequenceNum,\nCONNECT-START-\xe2\x80\x9cTepFlags:1\xe2\x80\x9d,\nCONNECT COMPLETE=\xe2\x80\x9cTepFlags:4,\nDISCONNECT-START-\xe2\x80\x9cTepFlags:0,\nDISCONNECT.COMPLETE=\xe2\x80\x9cTepFlags:4\xe2\x80\x9d\n\n\xe2\x80\x9ct: BW-C15\n\nDEFAULT NEXT S3\nS3: MATCH\n\nPAYLOAD ( INCLUDE-HEADER }\nCHILDREN DESTINATION=DestPort, SOURCE-SrcPort\ntopOptionKind FIELD\nSYNTAX UNSIGNED INT(8) tcpoptEnd(0),\ntopNop(1),\ntopMSS(2), tcpWscale(3), tcpTimestamp(4) }\ntopOption DataFIELD\n\n\xe2\x80\x9cType of TCP option\xe2\x80\x9d\n\nSYNTAX\nENCAP\nFLAGS\n\n25\n\ntopOptions\n\nGROUP\n\nLENGTH\n\n::= { Option=tcpCoptionKind, OptionLength=UInt8,\nOption Data=tcpCoption Data }\n\nMmodified? :\n\xe2\x80\x9cHTTP ShttpData\xe2\x80\x9d\n\n50\n\n\xe2\x80\x9cHTTP ShttpData\xe2\x80\x9d\nShttpData mf-HTML.cf. :\n\n500 0\n\n1 0,\n\n500 0\n\n1 0,\n\n500 4 1 255 0,\n\nCHILD mimexworld\n\nFLOW\n\nSTATE-BASED\nFLOW\nSTATE-BASED\nSTATES\n\xe2\x80\x9cSO: MATCH\n\nmidi\n\n\xe2\x80\x9cHTTPHTML document\n\n55\n\nShttpData m/ GIF?:\n\n\xe2\x80\x9cHTTP GIF image\n\nimpeg\nvnd.rn-realaudio\n\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cHTTP Data\n\nwaw\n\nDESCRIPTION\n\xe2\x80\x9cProtocol format for HTTP\n\n60\n\n::= { Data=httpData }\n\nhttp FLOW\n\nx-aiff\nx-midi\n\nHEADER LENGTH=0}\nCONNECTION INHERITED }\nPAYLOAD ( INCLUDE-HEADER, DATA=Data, LENGTH=256}\n\xe2\x80\x9cSO: CHECKCONNECT, GOTO S1\n\n1 0,\n\nbasic\n\n\xe2\x80\x9cShttpData m/Ccontent-?\xe2\x80\x9d :\n\nSTATES\n\n500 0\n\nCHILD mimeVideo\n\nDEFAULT GOTO SO\n\nmimeAudio\n\n1 0,\n\nCHILD mimeText\n\nx-world\n\n\xe2\x80\x9cShttpData m/GETHTTPIHEAD POST? :\n\xe2\x80\x9cHTTP ShttpData\xe2\x80\x9d\n\xe2\x80\x9cShttpData m/Ddate Sserver Lllast\n\n900 0 0\n\nCHILD mimeImage\n\ntext\n\nmimApplication\n\n1 0,\n\nCHILD mimeAudio\n\nvideo\n45\n\n900 0 0\n\nCHILD mimeApplication\n\nimage\n40\n\nx-mpeg\n65\n\nDEFAULT NEXT SO\n\nApp. II-49\n\n100 4 1 255 0,\n\nCHILD backweb\n\nFLOW\n\naudio\n\nHere is an example of the PDL for the HTTP protocol:\n\nCHILD pointcast\n\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nSTATES\n\napplication\n\n3.4 HTTP (With State)\n\nCHILD mime\n\nFLOW\n\n35 * SO: MATCH\n\n\xe2\x80\x9cText\nDISPLAY-HINT\nNOLABEL\nFLAGS\nPROTOCOL\nhttp\nSUMMARIZE\n\n500 4 1 255 0,\n\nSTATE-BASED\n\nmime\n\n::= { MaxSegmentSize=UInt16 }\n\nhttpData FIELD\nSYNTAX BYTESTRING(1.1500)\nLENGTH \xe2\x80\x9c(SipLength - (SipHeaderLength * 4)) (StepHeaderLen * 4)\n\nPCN-The Poin\n\nFLOW\n\nbackweb\n\ntcpMSS PROTOCOL\n\n100 4 1 255 0,\n\nCHILD backweb\n\nSTATE-BASED\n\npointcast\n\n\xe2\x80\x9c(StepHeader Len * 4) - 20\xe2\x80\x9d\n\nCHILD pointcast\n\nSTATE-BASED\n\nsybaseTas\n\nSAMELAYER\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\n\n500 4 1 255 0,\n\nFLOW\n\nsybase.Jdbc\n\nBYTESTRING(0.1500)\ntepOptionKind\n\n5040 1271,\n\nCHILD sybase.Jdbc\n5040 1271,\nCHILD sybaseTds\n\n50 00 00, NEXT S3\n50 00 00, NEXT S3\n800 00 255 0,\n\nDEFAULT NEXT SO\n\nsybaseWebsql\n\nCHILD sybaseWebsql\n\nWn\\rn\nVnyn\nContent-Type:\n\n\xe2\x80\x9ct: BW-C-\n\nDESCRIPTION\n\n900 OO 255 0, NEXT S3\n900 OO 255 0, NEXT S3\n500 0 1271,\n\nx-mpgurl\n\nOO 0 0 1 0,\n\nCHILD pdBasicAudio\n\nOO 0 0 1 0,\n\nCHILD pdMidi\n\nOO 0 0 1 0,\n\nCHILD pdMpeg2Audio\nOO 0 0 1 0,\n\nCHILD pdRealAudio\n\nOO 0 0 1 0,\n\nCHILD dWay\n\nOO 0 0 1 0,\n\nCHILD pdAiff\n\nOO 0 0 1 0,\n\nCHILD pdMidi\n\nOO 0 0 1 0,\n\nCHILD pdMpeg2Audio\nOO 0 0 1 0,\n\nCHILD pdMpeg3Audio\n\n\x0cUS 6,665,725 B1\n-continued\nx-pn-realaudio\nx-wav\nmimeImage\nmimeText\nmimeVideo\nmimexworld\n\npdBasicAudio\npdMidi\npdMpeg2Audio\npdMpeg3Audio\npdRealAudio\npdWav\npdAiff\n\nDEFAULT GOTO SO\n\nS6\n\ndevices, including network appliances Such as telephones,\n\xe2\x80\x9cInternet\' radios, pagers, and So forth. The term computer as\nused herein encompasses all Such devices and a computer\nnetwork as used herein includes networks of Such comput\n\n100 0 0 1 0,\n\nCHILD pdRealAudio\n100 0 0 1 0,\n\nCS.\n\nCHILD pdWav\n\nFLOW\n\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\n\nFLOW\n\nSTATE-BASED\n\n15\n\nFLOW\n\nAlthough the present invention has been described in\nterms of the presently preferred embodiments, it is to be\nunderstood that the disclosure is not to be interpreted as\nlimiting. Various alterations and modifications will no doubt\nbecome apparent to those or ordinary skill in the art after\nhaving read the above disclosure. Accordingly, it is intended\nthat the claims be interpreted as covering all alterations and\nmodifications as fall within the true Spirit and Scope of the\npresent invention.\n\nSTATE-BASED\n\nAPPENDIX: SOME PDL FILES\n\nSTATE-BASED\n\nThe following pages include Some PDL files as examples.\nIncluded herein are the PDL contents of the following files.\nA reference to PDL is also included herein. Note that any\n\nFLOW\nFLOW\n\nSTATE-BASED\n\nFLOW\n\ncontents on any line following two hyphen (--) are ignored\n\nSTATE-BASED\n\nFLOW\n\nSTATE-BASED\n\nFLOW\n\nSTATE-BASED\n\n25\n\nEmbodiments of the present invention automatically gen\nerate flow Signatures with the necessary recognition patterns\nand State transition climb procedure. Such comes from\nanalyzing packets according to parsing rules, and also gen\nerating State transitions to Search for. Applications and\nprotocols, at any level, are recognized through State analysis\nof Sequences of packets.\nNote that one in the art will understand that computer\nnetworks are used to connect many different types of\n\nby the compiler. That is, they are comments.\ncommon.pdl.,\nflows.pdl;\nVirtual.pdl.,\nethernet.pdl.,\n\nIEEE8032.pdl and IEEE8033.pdl (ethertype files);\nTCP.pd1 and UDP.pdl;\nRPC.pdl;\nNFS.pdl; and\nHTTP.pdl.\n\n-- Common.pdl - Common protocol definitions\n-- Description:\nThis file contains some field definitions for commonly used fields\nin various network protocols.\n-- Copyright:\nCopyright (c) 1996-1999 Apptitude, Inc.\n(formerly Technically Elite, Inc.)\nAll rights reserved.\n--\n\nRCS:\n\nSId: Common.pdl.v 1.7 1999/04/13 15:47:56 skip Exp S\nFIELD\n\nSYNTAX INT(4)\nFIELD\n\nSYNTAX INT(8)\nFIELD\n\nInt24\nInt32\nInto4\nUnt&\nUnt16\nUnt24\nUInt32\n\nSYNTAX INT(16)\nFIELD\n\nSYNTAX INT(24)\nFIELD\n\nSYNTAX INT(32)\nFIELD\n\nSYNTAX INT(64)\nFIELD\n\nSYNTAX UNSIGNED INT(8)\nFIELD\n\nSYNTAX UNSIGNED INT(16)\nFIELD\n\nSYNTAX UNSIGNED INT(24)\nFIELD\n\nApp. II-50\n\n\x0cUS 6,665,725 B1\n\n57\n-continued\n\nSYNTAX UNSIGNED INT(32)\n\nUInte4\n\nFIELD\n\nSYNTAX UNSIGNED INT(64)\n\nSnt16\n\nFIELD\n\nSYNTAX INT(16)\n\nSUInt16\n\nFLAGS SWAPPED\nFIELD\n\nSYNTAX UNSIGNED INT(16)\nFLAGS SWAPPED\nFIELD\n\nSInt32\n\nSYNTAX INT(32)\n\nByteStr1\n\nFLAGS SWAPPED\n\nFIELD\n\nSYNTAX BYTESTRING(1)\n\nByteStr2\n\nFIELD\n\nSYNTAX BYTESTRING(2)\n\nByteStr4\n\nFIELD\n\nSYNTAX BYTESTRING(4)\n\nPad1\n\nFIELD\n\nSYNTAX BYTESTRING(1)\nFLAGS NOSHOW\nFIELD\n\nPad\n\nSYNTAX BYTESTRING(2)\nFLAGS NOSHOW\nFIELD\n\nPad3\n\nSYNTAX BYTESTRING(3)\nFLAGS NOSHOW\nFIELD\n\nPad4\n\nSYNTAX BYTESTRING(4)\nFLAGS NOSHOW\nFIELD\n\nPad5\n\nSYNTAX BYTESTRING(5)\n\nmacAddress\n\nSYNTAX\n\nFLAGS NOSHOW\nFIELD\n\nDISPLAY-HINT\nLOOKUP\nDESCRIPTION\n\nBYTESTRING(6)\n\n\xe2\x80\x9c1x:\nMACADDRESS\n\n\xe2\x80\x9cMAC layer physical address\'\n\nipAddress\nFIELD\nSYNTAX\nBYTESTRING(4)\nDISPLAY-HINT\nLOOKUP\nDESCRIPTION\n\xe2\x80\x9cIP address\n\n\xe2\x80\x9c1d.\nHOSTNAME\n\nipv6Address\nFIELD\nSYNTAX\nBYTESTRING(16)\nDISPLAY-HINT \xe2\x80\x9c1d.\nDESCRIPTION\n\xe2\x80\x9cIPV6 address\n\n-- Flows.pdl - General FLOW definitions\n-- Description:\nThis file contains general flow definitions.\n-- Copyright:\nCopyright (c) 1998-1999 Apptitude, Inc.\n(fomerly Technically Elite, Inc.)\nAll rights reserved.\n--\n\nRCS:\n\nSId: Flows.pdl.lv 1.12 1999/04/13 15:47:57 skip Exp S\n\nchaosnet\n\nFLOW\n\nSila\n\nFLOW\n\nspanningTree FLOW\nOracleTNS FLOW\n\nPAYLOAD ( INCLUDE-HEADER, LENGTH-256 }\n\nciscoOUIFLOW\n\n1gmp\nGGP\nST\n\nFLOW\nFLOW\nFLOW\n\nApp. II-51\n\n58\n\n\x0cUS 6,665,725 B1\n\n59\n-continued\negp\n\nigp\n\nFLOW\n\nFLOW\n\nBBN-RCC-MON FLOW\nNVP2\nFLOW\nPUP\nFLOW\nARGUS\nFLOW\nEMCON FLOW\nXNET\nFLOW\nMUX\nFLOW\nDCN-MEAS FLOW\nHMP\nFLOW\nPRM\nFLOW\nTRUNK1 FLOW\nTRUNK2 FLOW\nLEAF1\nFLOW\nLEAF2\nFLOW\nRDP\nFLOW\nIRTP\nFLOW\nISO-TP4\nFLOW\nNETBLT, FLOW\nMFE-NSP\nFLOW\nMERITINP\nFLOW\nSEP\nFLOW\nPC3\nFLOW\nIDPR\nFLOW\nXTP\nFLOW\nDDP\nFLOW\nIDPR-CMTP\nFLOW\nTPPs\nFLOW\nIL\nFLOW\nSIP\nFLOW\nSDRP\nFLOW\nSIP-SR\nFLOW\nSIP-FRAG\nFLOW\nIDRP\nFLOW\nRSVP\nFLOW\nMHRP\nFLOW\nBNA\nFLOW\nSIPP-ESP\nFLOW\nSIPP-AH\nFLOW\nINLSP\nFLOW\nSWIPE\nFLOW\nNHRP\nFLOW\nCFTP\nFLOW\nSAT EXPAK\nFLOW\nKRYPTOLAN FLOW\nRVD\nFLOW\nIPPC\nFLOW\nSAT MON\nFLOW\nVISA\nFLOW\nIPCV\nFLOW\nCPNX\nFLOW\nCPHB\nFLOW\nWSN\nFLOW\nPVP\nFLOW\nBR-SATMON FLOW\nSUN-ND FLOW\nWB-MON FLOW\nWB-EXPAK FLOW\nISO-IP\nFLOW\nVMTP\nFLOW\nSECURE-VMTP FLOW\nTTP\nFLOW\nNSFNETIGP\nFLOW\nDGP\nFLOW\nTCF\nFLOW\nIGRP\nFLOW\nOSPFIGP\nFLOW\n\nSprite-RPC\n\nLARP\nMTP\nAX25\nIPIP\nMICP\nSCC-SP\nETHERIP\nencap\nGMTP\n\nFLOW\n\nFLOW\nFLOW\nFLOW\nFLOW\nFLOW\nFLOW\nFLOW\nFLOW\nFLOW\n\nApp. II-52\n\n60\n\n\x0cUS 6,665,725 B1\n\n61\n-continued\n--\n\nUDP Protocols\n\ncompressnet FLOW\nrje\n\nFLOW\n\nCCO\n\nFLOW\n\ndiscard\n\nsystat\n\ndaytime\nqotd\nmsp\n\nchargen\n\nFLOW\n\nFLOW\n\nFLOW\nFLOW\nFLOW\n\nFLOW\n\nbif\nwho\n\nFLOW\nFLOW\n\nloadav\n\nFLOW\n\nsyslog\n\nFLOW\n\nnotify\nFLOW\nacmaint dbd FLOW\nacmaint transd\n\npuparp\n\nFLOW\n\nOCK\n\nFLOW\n\napplix\n--\n\nFLOW\n\nFLOW\n\nTCP Protocols\n\ntopmux\ntelnet\n\nprivMail\n\nFLOW\n\nFLOW\n\nCONNECTION INHERITED }\nFLOW\n\nnsw-fe\n\nFLOW\n\ntime\nrap\n\nFLOW\nFLOW\n\nmsg-icp\nmsg-auth\ndisp\nprivPrint\nrip\ngraphics\nacSeWe\n\nnicname\n\nmpm-flags\nmpm\n\nFLOW\nFLOW\nFLOW\nFLOW\nFLOW\nFLOW\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\n\nmpm-snd\nni-ftp\n\nFLOW\nFLOW\n\nfinger\n\nFLOW\n\nisi-gl\n\nFLOW\n\nauditol\n\nFLOW\n\nre-mail-ck\nFLOW\nla-maint\nFLOW\nXns-time\nFLOW\nXns-ch\nFLOW\nXns-auth\n\nFLOW\n\nprivTerm\n\nFLOW\n\nprivFile\n\nFLOW\n\nXns-mail\nni-mail\n\nFLOW\n\nFLOW\n\naCaS\n\nFLOW\n\ncovia\ntacacs-ds\n\nFLOW\nFLOW\n\nsqlnet\ngopher\nnetris-1\nnetris-2\nnetris-3\nnetris-4\nprivDial\ndeos\n\nprivRJE\nvettcp\n\nFLOW\nFLOW\nFLOW\nFLOW\nFLOW\nFLOW\nFLOW\nFLOW\n\nFLOW\n\nFLOW\n\nhosts2-ins\nFLOW\nxfer\nFLOW\nctf\nFLOW\nmit-ml-dev\nFLOW\nmfcobol\nFLOW\nkerberos\nFLOW\n\nsu-mit-tg\ndnsix\nmit-dov\nmpp\n\ndep\nobjcall\n\nFLOW\n\nFLOW\nFLOW\nFLOW\n\nFLOW\nFLOW\n\nApp. II-53\n\n\x0cUS 6,665,725 B1\n-continued\nSupdup\n\ndixie\nswift-rvf\ntacnews\n\nmetagram\nnewacct\n\nhostname\n\niso-tsap\ngppitnp\n\nCSnet-nS\n\nFLOW\n\nFLOW\nFLOW\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\nFLOW\n\nFLOW\n\nthreeCom-tsmux\nFLOW\nrtelnet\nFLOW\nSnagas\nFLOW\nmcidas\nFLOW\nauth\nFLOW\naudionews\nFLOW\n\nsftp\nFLOW\nansanotify\nFLOW\nuucp-path\nFLOW\nsqlserv\nFLOW\ncfdptkt\nFLOW\nerpc\n\nFLOW\n\nntp\n\nFLOW\n\nsmakynet\nansatrader\n\nlocus-map\nunitary\nlocus-con\n\nFLOW\nFLOW\n\nFLOW\nFLOW\n\nFLOW\n\ngss-xlicen\nFLOW\npwdgen\nFLOW\ncisco-fna\ncisco-tna\n\ncisco-sys\nStatSrw\n\ningres-net\nloc-Srv\n\nprofile\n\nFLOW\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\n\nemfis-data\nFLOW\nemfis-cnt\nFLOW\nbl-idm\nFLOW\n\nimap2\n\nFLOW\n\nCWS\nlaaC\n\nFLOW\nFLOW\n\nCOS\n\nFLOW\n\niso-tp0\niso-ip\naed-512\n\nsql-net\nhems\n\nbftp\n\nSgmp\n\nnetsc-prod\nnetsc-dev\n\nFLOW\nFLOW\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\n\nsqlsrv\nFLOW\nknet-cmp\nFLOW\npcmail-srv\nFLOW\nnss-routing\nFLOW\nSgmp-traps\n\nFLOW\n\ncmip-agent\n\nFLOW\n\ncmip-man\n\nXns-courier\nS-le\nal\nSWC\nSeC\n\nprint-Srv\nmultiplex\n\nFLOW\nFLOW\n\nFLOW\nFLOW\nFLOW\nFLOW\n\nFLOW\nFLOW\n\ncl-1\nFLOW\nxyplex-mux\nFLOW\n\nmailq\n\nwinnet\n\nFLOW\n\nFLOW\n\ngenrad-mux\nFLOW\nXdmcp\nFLOW\nnextstep\n\nFLOW\n\nbgp\n\nFLOW\n\nunify\n\nFLOW\n\nris\n\naudit\nocbinder\n\nFLOW\nFLOW\nFLOW\n\nApp. II-54\n\n64\n\n\x0cUS 6,665,725 B1\n-continued\nOCSCWC\nFLOW\nFLOW\nremote-kis\nFLOW\nkis\nFLOW\naci\nFLOW\nmumps\nFLOW\nFLOW\ngacp\nFLOW\nprospero\nFLOW\nOS-S\nFLOW\nSrimp\nFLOW\nirc\ndn\xc3\xb3-nlm-aud\nFLOW\ndn\xc3\xb3-Smm-red\nFLOW\nFLOW\ndils\nFLOW\ndis-mon\nFLOW\nSX\nFLOW\nSC\nFLOW\nat-rtmp\nFLOW\nat-nbp\nFLOW\nat-3\nFLOW\nat-echo\nFLOW\nat-5\nFLOW\nat-Zis\nFLOW\nat-7\nFLOW\nat-8\nFLOW\ntam\nFLOW\nZ39-50\nFLOW\nanet\nFLOW\nVmpwscs\nFLOW\nsoftpc\nFLOW\natls\nFLOW\ndbase\nFLOW\nmpp\nFLOW\nuarps\nFLOW\nimap3\nFLOW\n1n-spx\nFLOW\nrsh-spx\ncdc\nFLOW\nS-CaS\nFLOW\nink\nFLOW\nFLOW\ndisp3270\nFLOW\npdap\nFLOW\naWSew\nFLOW\nZSCW\nFLOW\natServ\nFLOW\ncsi-sgwp\nFLOW\nclearcase\nFLOW\nulistserv\nFLOW\negent-1\nFLOW\negent-2\nFLOW\nhassle\nFLOW\nnip\nFLOW\nETOS\nFLOW\ndSETOS\nFLOW\nis 99c\nFLOW\nis 99s\nFLOW\nhip-collector\nhip-managed-node FLOW\n\nhp-alarm-mgr\n\nFLOW\n\nFLOW\nFLOW\nFLOW\naSa\nFLOW\naurp\nFLOW\nunidata-ldm\nFLOW\nldap\nFLOW\nuis\nFLOW\nsynotics-relay\nFLOW\nsynotics-broker\nFLOW\ndis\nFLOW\nembl-ndt\nFLOW\nnetcp\nFLOW\nnetware-ip\nFLOW\nmptin\nFLOW\nkryptolan\nFLOW\nwork-sol\nFLOW\nups\nFLOW\ngenie\nFLOW\ndecap\nFLOW\nnced\naS\n\nibm-app\n\nApp. II-55\n\n\x0cUS 6,665,725 B1\n\n67\n-continued\nincld\n\nimsp\n\nFLOW\n\nFLOW\n\ntimbuktu\nprim-sm\nprm-nim.\n\nFLOW\nFLOW\nFLOW\n\nrint\n\nFLOW\n\nsmsp\ninfoseek\nbnet\n\nFLOW\nFLOW\nFLOW\n\nOX\n\nFLOW\n\nariell\n\nFLOW\n\nariel2\nariel3\n\nFLOW\nFLOW\n\ndecladebug\n\nFLOW\n\nsynoptics-trap\n\nsilverplatter\nhyper-g\nSmpte\n\nFLOW\n\nFLOW\nFLOW\n\nFLOW\n\nopc-job-start\n\nFLOW\n\nopc-job-track\n\nFLOW\n\nsmartsdp\n\nFLOW\n\nicad-el\nSvrloc\n\nOCS Cill\nOCS all\n\nutmpsd\nutmpcd\niasd\nninsp\n\nFLOW\n\nFLOW\n\nFLOW\nFLOW\n\nFLOW\nFLOW\n\nFLOW\nFLOW\n\nmobileip-agent\nFLOW\nmobilip-min\nFLOW\ndina-cml\nconscim\n\ndisfgw\ndasp\nSgcp\n\nFLOW\nFLOW\n\nFLOW\nFLOW\n\nFLOW\n\ndecvms-sysmgt FLOW\n\ncvc hostd\nFLOW\nhttps\nFLOW\n\nCONNECTION INHERITED }\n\nSmpp\nFLOW\nmicrosoft-ds\nFLOW\nddm-rdb\nFLOW\nddm-dfm\nFLOW\n\nddm-byte\n\nas-servermap\ntServer\nCXCC\n\nlogin\ncmd\n\nprinter\ntalk\nntalk\nutime\nefs\ntimed\n\ntempo\n\ncourier\nconference\nnetnews\n\nnetwall\n\napertus-ldp\nLlucp\n\nFLOW\n\nFLOW\nFLOW\n\nFLOW\n\nCONNECTION INHERITED }\nFLOW\n\nCONNECTION INHERITED }\nFLOW\nCONNECTION INHERITED }\nFLOW\n\nCONNECTION INHERITED }\nFLOW\nCONNECTION INHERITED }\nFLOW\n\nCONNECTION INHERITED }\nFLOW\nFLOW\nFLOW\n\nFLOW\n\nFLOW\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\n\nuucp-rlogin\nFLOW\nklogin\nFLOW\n\nkshell\nFLOW\nnew-rwho\nFLOW\ndisf\nFLOW\nremotefs\nFLOW\nrmonitor\nFLOW\nmonitor\nFLOW\nchshell\nFLOW\n\np9fs\n\nFLOW\n\nApp. II-56\n\n68\n\n\x0cUS 6,665,725 B1\n\n69\n-continued\nwhoami\n\nFLOW\n\nmeter\n\nFLOW\n\nnqs\nsift-uft\n\nFLOW\nFLOW\nFLOW\n\nipcserver\n\nnpmp-trap\n\nFLOW\n\nFLOW\n\nnpmp-local\nFLOW\nnpmp-gui\nFLOW\nginad\nFLOW\ndoom\n\nFLOW\n\nmdqs\n\nFLOW\n\nelcsd\n\nFLOW\n\nentrustmanager\nnetviewdm1\nnetviewdm2\nnetviewdm3\n\nnetgw\n\nFLOW\n\nnetrcs\n\nFLOW\n\nflexilm\n\nfujitsu-dev\n\nFLOW\n\nFLOW\nFLOW\nFLOW\n\nFLOW\n\nFLOW\n\nris-cm\nFLOW\nkerberos-adm FLOW\nrfile\nFLOW\npump\nFLOW\n\nqrh\n\nFLOW\n\nnlogin\n\nFLOW\n\nCO\nS\nXe\n\nFLOW\nFLOW\nFLOW\n\nrrh\ntell\n\nFLOW\nFLOW\n\nquotad\ncycleserv\n\nFLOW\nFLOW\n\nOSCW\n\nFLOW\n\nwebster\n\nphonebook\n\nFLOW\n\nFLOW\n\nvid\ncadlock\n\nFLOW\nFLOW\n\nsubmit\n\nFLOW\n\nentomb\nWpages\nWpgs\n\nFLOW\nFLOW\nFLOW\n\nrtip\nFLOW\ncycleserv2\nFLOW\nrpasswd\n\nconcert\n\nFLOW\n\nFLOW\n\nmdbs daemon FLOW\n\ndevice\nXtreelic\nmaitrd\n\nbusboy\ngarcon\n\npuprouter\nsocks\n\nFLOW\nFLOW\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\n\nFLOW\n\n-- Virtual.pdl - Virtual Layer definition\n-- Description:\nThis file contains the definition for the VirtualBase layer used\nby the embodiment.\n-- Copyright:\nCopyright (c) 1998-1999 Apptitude,\n(formerly Technically Elite, Inc.)\nAll rights reserved.\n--\n\nRCS:\n\nSId: Virtual.pdl.v 1.13 1999/04/13 15:48:03 skip Exp S\n\n-- This includes two things: the flow signature (called FLOWKEY) that the\n-- system that is going to use.\n--\n\nnote that not all elements are in the HASH. Reason is that these non-HASHED\n\n-- elements may be varied without the HASH changing, which allows the system\n-- to look up multiple buckets with a single HASH. That is, the MeyMatchFlag,\n-- StateStatus Flag and MulipacketID may be varied.\n\nFLOWKEY {\n\nApp. II-57\n\n70\n\n\x0cUS 6,665,725 B1\n\n71\n-continued\n\nKey MatchFlags, -- to tell the system which of the in-HASH elements have to\n-- match for the this particular flow record.\n-- Flows for which complete signatures may not yet have\n-- been generated may then be stored in the system\nStateStatusFlags,\nGroup Id1\nGroup Id2\nDLCProtocol\n-- Ethernet V 2\n\nNetworkProtocol\nTunnelProtocol\n\nTunnelTransport\nTransportProtocol\nApplicationProtocol\nDLCAddresses(8)\n\nIN-HASH, -- user defined\nIN-HASH, -- user defined\nIN-HASH, , -- data link protocol - lowest level we\n-- evaluate. It is the type for the\nIN-HASH,\nIN-HASH,\n\n-- IP, etc.\n-- IP over IPx, etc.\n\nIN-HASH,\nIN-HASH,\nIN-HASH,\nIN-HASH, -- lowest level address\n\nNetworkAddresses(16) IN-HASH,\nTunnelAddresses(16) IN-HASH,\nConnectionIds\n\nMultiPacketd\n\nIN-HASH,\n\n-- used for fragmentaion purposes\n\n-- now define all of the children. In this example, only one virtual\n\n-- child - Ethernet.\nvirtualChildren\nFIELD\n\n--\n\nSYNTAX INT(*) { ethernet (1)}\n\nnow define the base for the children. In this case, it is the same as\n\n-- for the overall system. There may be multiples.\nVirtualBase\n\nPROTOCOL\n\n::= { VirtualChildren=virtualChildren\n\n-- The following is the header that every packet has to have and\n-- that is placed into the system by the packet acquisition system.\nVirtualBase\n\nFLOW\n\nHEADER LENGTH-8 }\nCHILDREN DESTINATION=VirtualChildren } -- this will be\n-- Ethernet for this example.\n-- the VirtualBAse will be 01 for these packets.\n--\n\nEthernet.pdl - Ethernet frame definition\n\n-- Description:\n-----\n\nThis file contains the definition for the Ethernet frame. In this\n\nPDL file, the decision on EtherType vs. IEEE is made. If this is\nEtherType, the selection is made from this file. It would be possible\nto move the EtherType selection to another file, if that would assist\nin the modularity.\n\n-- Copyright:\nCopyright (c) 1994-1998 Apptitude, Inc.\n(formerly Technically Elite, Inc.)\nAll rights reserved.\n--\n\nRCS:\n\nSId: Ethernet.pdl.v 1.13 1999/01/26 15:15:57 skip Exp S\n\n-- Enumerated type of a 16 bit integer that contains all of the\n-- possible values of interest in the etherType field of an\n-- Ethernet V2 packet.\netherType\n\nFIELD\n\nSYNTAX\n\nINT(16) {xns(0x0600), ip(0x0800),\n\nchaos.net(Ox0804), arp(0x0806),\nvines(Oxbad),\nvinesLoop(OxObae), vinesLoop (Ox80c4),\nvinesEcho (Oxbaf), vines Echo(0x80c5),\nnetbios(Ox3c00, netbios(Ox3c01),\nnetbios(Ox3c02), netbios(Ox3c03),\nnetbios(Ox3c04), netbios(Ox3c05),\nnetbios(Ox3c06), netbios(Ox3c07)\nnetbios(Ox3c08), netbios(Ox3c09)\nnetbios(Ox3c0a), netbios(Ox3cOb),\nnetbios(Ox3cOc), netbios(Ox3cOd)\ndec(0x6000), mop(0x6001), mop2(0x6002)\ndrp(0x6003), lat(0x6004), decDiag(0x6005),\n\nApp. II-58\n\n\x0cUS 6,665,725 B1\n\n73\n-continued\n\nDISPLAY-HINT\n\nLOOKUP\n\nDESCRIPTION\n\nlavcCOx6007), rarp(0x8035), appleTalk(0x809b),\nsna(0x80d5), aarp(Ox8Of3), ipx(Ox8137)\nSnmp(0x814c), ipv6(Ox86dd), loopback(0x9000) }\n\xe2\x80\x9c1x:\n\nFILE \xe2\x80\x9cEtherType.cf.\n\n\xe2\x80\x9cEthernet type field\xe2\x80\x9d\n\n-- The unformatted data field in and Ethernet V2 type frame\netherData\n\nFIELD\n\nSYNTAX\nENCAP\n\nBYTESTRING(46.1500)\netherType\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\nDESCRIPTION\n\xe2\x80\x9cEthernet data\n\n-- The layout and structure of an Ethernet V2 type frame with\n-- the address and protocol fields in the correct offset position\nethernet\n\nPROTOCOL\nDESCRIPTION\n\xe2\x80\x9cProtocol format for an Ethernet frame\nREFERENCE\n\xe2\x80\x9cRFC 894\n\n::= { MacDest=macAddress, MacSrc=macAddress, EtherType=etherType,\nData=etherData )\n--------\n\nThe elements from this Ethernet frame used to build a flow key\nto classify and track the traffic. Notice that the total length\nof the header for this tyoe of packet is fixed and at 14 bytes or\noctets in length. The special field, LLC-CHECK, is specific to\nEthernet frames for the decoding of the base Ethernet type value.\nIf it is NOT LLC, the protocol field in the flow is set to the\nEtherType value decoded from the packet.\n\nethernet\n\nFLOW\n\nHEADER LENGTH-14 }\nDLC-LAYER {\n\nSOURCE=MacSrc,\nDESTINATION=MacDest,\nTUNNELING,\nPROTOCOL\n\nCHILDREN DESTINATION=EtherType, LLC-CHECK=11c }\n-- IEEE8022.pdl - IEEE 802.2 frame definitions\n-- Description:\nThis file contains the definition for the IEEE 802.2 Link Layer\nprotocols including the SNAP (Sub-network Access Protocol).\n-- Copyright:\nCopyright (c) 1994-1998 Apptitude, Inc.\n(formerly Technically Elite, Inc.)\nAll rights reserved.\n--\n\nRCS:\n\n--\n\nIEEE 802.2 LLC\n\nSId: IEEE8022.pdiv i.18 1999/01/26 15:15:58 skip Exp S\n\n11cSap FIELD\n\nSYNTAX\n\nINT(16) { ipx(0xFFFF), ipx(0xEOEO), isoNet (0xFEFE),\nnetbios(0xFOFO), vsnap(OXAAAA), ip(0x0606),\nvines(OxBCBC), xns(Ox8080), spanningTree(Ox4242),\nsna(OxOcOc), sna(0x0808), sna(0x0404) }\n\nDISPLAY-HINT \xe2\x80\x9cx:\nDESCRIPTION\n\xe2\x80\x9cService Access Point\n11cControl\nFIELD\n\n-- This is a special field. When the decoder encounters this field, it\n-- invokes the hard-coded LLC decoder to decode the rest of the packet.\n-- This is necessary because LLC decoding requires the ability to\n-- handle forward references which the current PDL format does not\n\n-- support at this time.\nSYNTAX\n\nDESCRIPTION\n\xe2\x80\x9cControl field\n\nUNSIGNED INT(8)\n\nApp. II-59\n\n\x0cUS 6,665,725 B1\n\n75\n-continued\n11cPduType\n\nFIELD\n\n11cData\n\nFIELD\n\nSYNTAX BITSTRING(2) { 11cInformation(0), 11cSupervisory(1),\n11cInformation (2), 11cUnnumbererd (3) }\nSYNTAX\nENCAP\nFLAGS\n\nBYTESTRING(38.1492)\n11cPduType\n\nSAMELAYER\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\n\n11c\n\nPROTOCOL\nSUMMARIZE\n\n\xe2\x80\x9cS11cPduType == 11cUnnumbered\xe2\x80\x9d :\n\xe2\x80\x9cLLC (SSAP) SModifier\xe2\x80\x9d\n\xe2\x80\x9c$11cPduType == 11cSupervisory :\n\xe2\x80\x9cLLC (SSAP) SFunction N(R)=SNR\xe2\x80\x9d\n\n\xe2\x80\x9cS11cPduType == 02:\n\n\xe2\x80\x9cLLC (SSAP) N(R)=SNRN(S)=SNS\n\xe2\x80\x9cLLC (SSAP) $11cPduType\xe2\x80\x9d\n\n\xe2\x80\x9cDefault\n\nDESCRIPTION\n\xe2\x80\x9cIEEE 802.2 LLC frame format\n\n::= { SAP=11cSap, Control=11cControl, Data=11cData }\n\n11c\n\nFLOW\n\nHEADER LENGTH-3 }\nDLC-LAYER { PROTOCOL}\nCHILDREN DESTINATION-SAP }\n\n11cUnnumbered Data FIELD\n\nSYNTAX\nENCAP\n\nBYTESTRING(0.1500)\n11cSap\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\n\n11cUnnumbered PROTOCOL\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cLLC (SSAP) SModifier\xe2\x80\x9d\n::= { Data=11cUnnumberedData }\n\n11cSupervisoryData\nSYNTAX\n\nFIELD\nBYTESTRING(0.1500)\n\n11cSupervisory\n\nPROTOCOL\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cLLC (SSAP) SFunction N(R)=SNR\xe2\x80\x9d\n::= { Data=11cSupervisoryData }\n\n11cInformationData\n\nSYNTAX\nENCAP\n\nFIELD\n\nBYTESTRING(0.1500)\n11cSap\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\n\n11cInformation\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\nPROTOCOL\n\n\xe2\x80\x9cLLC (SSAP) N(R)=SNRN(S)=SNS\n::= { Data=11cInformation Data }\n\n--\n\nSNAP\n\nsnapOrgCode FIELD\nSYNTAX\nDESCRIPTION\n\nBYTESTRING(3) { snap(\xe2\x80\x9c00:00:00, ciscooU1("00:00:0C),\n\nappleOUI(\xe2\x80\x9c08:00:07)\n\n\xe2\x80\x9cProtocol ID or Organizational Code\'\n\nvsnapData\nFIELD\nSYNTAX\nENCAP\nFLAGS\n\nBYTESTRING(46.1500)\nsnapOrgCode\n\nSAMELAYER\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\nvsnap\n\nDESCRIPTION\n\xe2\x80\x9cSNAP LLC data\n\nPROTOCOL\n\nDESCRIPTION\n\xe2\x80\x9cSNAP LLC Frame\n\n::= { OrgCode=SnapCrgCode, Data=vsnapData }\n\nvsnap\n\nsnapType\n\nFLOW\n\nHEADER LENGTH-3 }\nDLC-LAYER PROTOCOL}\nCHILDREN DESTINATION=OrgCode :\nFIELD\n\nSYNTAX\n\nINT(16) {xns(Ox0600), ip(0x0800), arp(0x0806)\nvines (Oxbad),\nmop(0x6001), mop2(0x6002), drp(0x6003),\nlat(0x6004), decidiag(0x6005), lavcCOx6007)\n\nApp. II-60\n\n\x0cUS 6,665,725 B1\n\n77\n-continued\n\nrarp(Ox8035), appleTalk(0x809B), sna(0x80d5),\naarp(0x80F3), ipx(0x8137), snimp(Ox814c), ipv6(Ox86dd) }\n\nDISPLAY-HINT\n\nLOOKUP\n\nDESCRIPTION\n\nsnapData\n\n\xe2\x80\x9c1x:\n\nFILE \xe2\x80\x9cEtherType.cf.\n\n\xe2\x80\x9cSNAP type field\xe2\x80\x9d\n\nSYNTAX\nENCAP\n\nFIELD\n\nBYTESTRING(46.1500)\nsnapType\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\nDESCRIPTION\n\xe2\x80\x9cSNAP data\nPROTOCOL\nSUMMARIZE\n\nSnap\n\n\xe2\x80\x9cSOrgCode == 00:00:00\xe2\x80\x9d\n\xe2\x80\x9cSNAP Type=SSnapType\xe2\x80\x9d\n\xe2\x80\x9cDefault\n\n\xe2\x80\x9cVSNAP Org=SOrgCode Type=SSnapType\xe2\x80\x9d\n\nDESCRIPTION\n\xe2\x80\x9cSNAP Frame\n\n::={ SnapType=snapType, Data=snapData }\n\nSnap\n\nFLOW\n\nHEADER LENGTH-2}\nDLC-LAYER { PROTOCOL}\nCHILDREN DESTINATION=SnapType }\n\n-- IEEE8023.pdl - IEEE 802.3 frame definitions\n-- Description:\nThis file contains the definition for the IEEE 802.3 (Ethernet)\nprotocols.\n-- Copyright:\nCopyright (c) 1994-1998 Apptitude, Inc.\n(formerly Technically Elite, Inc.)\nAll rights reserved.\n--\n\nRCS:\n\n--\n\nIEEE 802.3\n\nSId: IEEE8023.pdl.v 1.7 1999/01/26 15:15:58 skip Exp S\n\nieee8023Length\n\nFIELD\n\nSYNTAX UNSIGNED INT(16)\n\nieee8023Data\n\nFIELD\n\nSYNTAX\nENCAP\n\nLENGTH\n\nieee8023\n\nBYTESTRING(38.1492)\n\n=11c\n\n\xe2\x80\x9cSieee8023Length\xe2\x80\x9d\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\nPROTOCOL\nDESCRIPTION\n\n\xe2\x80\x9cIEEE 802.3 (Ethernet) frame\xe2\x80\x9d\n\xe2\x80\x9cRFC 1042\n::= { MacDest=macAddress, Mac:Src=macAddress, Length=ieee8023Length,\nData=ieee8023Data }\nREFERENCE\n\n-- IP.pdl - Internet Protocol (IP) definitions\n-- Description:\nThis file contains the packet definitions for the Internet\nProtocol. These elements are all of the fields, templates and\n-- processes required to recognize, decode and classify IP datagrams\n-- found within packets.\n-- Copyright:\nCopyright (c) 1994-1998 Apptitude, Inc.\n(formerly Technically Elite, Inc.)\nAll rights reserved.\n--\n\nRCS:\n\nSId: IPpdl.v 1.14 1999/01/26 15:15:58 skip Exp S\n\n-- The following are the fields that make up an IP datagram.\n-- Some of these fields are used to recognize datagram elements, build\n\nApp. II-61\n\n\x0cUS 6,665,725 B1\n\n79\n-continued\n\n-- flow signatures and determine the next layer in the decode process.\nipVersion\n\nFIELD\n\nSYNTAX INT(4)\nDEFAULT\n\nipHeaderLength\n\nFIELD\n\nipTypeOfService\n\nFIELD\n\n4\n\nSYNTAX INT(4)\n\nSYNTAXBITSTRING(8) { minCost(1), maxReliability(2),\nmaxThruput(3), minDelay (4) }\n\nipLength\n\nFIELD\n\nSYNTAX UNSIGNED INT(16)\n-- This field will tell us if we need to do special processing to support\n-- the payload of the datagram existing in multiple packets.\nipFlags\n\nFIELD\n\nSYNTAX BITSTRING(3) { moreFrags(0), dontFrag(1)}\n\nipFragmentOffset FIELD\nSYNTAX INT(13)\n\n-- This field is used to determine the children or next layer of the\n-- datagram.\nipProtocol\nipData\n\nFIELD\n\nSYNTAX INT(8)\nLOOKUP FILE \xe2\x80\x9cIpProtocol.cf.\nFIELD\nSYNTAX\nENCAP\n\nBYTESTRING(0.1500)\nipProtocol\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\n\n-- Detailed packet layout for the IP datagram. This includes all fields\n-- and format. All offsets are relative to the beginning of the header.\nip PROTOCOL\nSUMMARIZE\n\xe2\x80\x9cSFragmentOffset = 0\xe2\x80\x9d:\n\n\xe2\x80\x9cIPFragment ID=SIdentification Offset=SFragmentOffset\n\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cIP Protocol=SProtocol\n\n::= {\n\nDESCRIPTION\n\xe2\x80\x9cProtocol format for the Internet Protocol\nREFERENCE\n\xe2\x80\x9cRFC 791\n\nVersion=ipVersion, HeaderLength=ipHeaderLength,\nTypeOfService=ipTypeOfService, Length=ipLength,\nIdentification=UInt16, IpFlags=ipFlags,\nFragmentOffset=ipFragmentOffset, TimeToLive=Int8,\nProtocol=ipProtocol, Checksum=ByteStr2,\nIpSrc=ipAddress, IpDest=ipAddress, Options=ipOptions,\n\nFragment=ipFragment, Data=ipData }\n\n------ip\n\nThis is the description of the signature elements required to build a flow\nthat includes the IP network layer protocol. Notice that the flow builds on\nthe lower layers. Only the fields required to complete IP are included.\nThis flow requires the support of the fragmentation engine as well as the\npotential of having a tunnel. The child field is found from the IP\nprotocol field\nFLOW\n\nHEADER LENGTH=HeaderLength, IN-WORDS\nNET-LAYER {\nSOURCE=IpSrc,\nDESTINATION=IpDest,\n\nFRAGMENTATION=IPV4,\n\nTUNNELING\n\nCHILDREN DESTINATION=Protocol }\n\nipFragData\n\nipFragment\n\nFIELD\nSYNTAX\n\nBYTESTRING(1.1500)\n\nOPTIONAL\n\n\xe2\x80\x9cSFragmentOffset - O\n\nLENGTH\n\xe2\x80\x9cSipLength - SipHeaderLength * 4\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\nGroup\n\n::= { Data=ipFragData }\n\nipOptionCode FIELD\n\nSYNTAXINT(8) {ipRR(0x07), ipTimestamp(Ox44),\nipLSRR(0x83), ipsSRR(0x89) }\nDESCRIPTION\n\n\xe2\x80\x9cIP option code\xe2\x80\x9d\n\nApp. II-62\n\n80\n\n\x0cUS 6,665,725 B1\n\n81\n-continued\nipOptionLength\n\nFIELD\n\nipOption Data\n\nSYNTAX UNSIGNED INT(8)\nDESCRIPTION\n\xe2\x80\x9cLength of IP option\nFIELD\n\nipOptions\n\nGROUP\n\n::= {\n\nSYNTAX\nENCAP\n\nBYTESTRING(0.1500)\nipOptionCode\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\n\nLENGTH\n\xe2\x80\x9c(SipHeaderLength * 4) - 20\nCode=ipOptionCode, Length=ipOptionLength, Pointer=UInt8,\nData=ipOption Data }\n\n-- TCP.pdl - Transmission Control Protocol (TCP) definitions\n-- Description:\nThis file contains the packet definitions for the Transmission\nControl Protocol. This protocol is a transport service for\n-- the IP protocol. In addition to extracting the protocol information\n-- the TCP protocol assists in the process of identification of connections\n-- for the processing of states.\n-- Copyright:\nCopyright (c) 1994-1998 Apptitude, Inc.\n(formerly Technically Elite, Inc.)\nAll rights reserved.\n--\n\nRCS:\n\nSId: TCP.pdl.v 1.9 1999/01/26 15:16:02 skip Exp S\n\n-- This is the 16 bit field where the child protocol is located for\n-- the next layer beyond TCP.\ntepPort FIELD\n\nSYNTAX UNSIGNED INT(16)\nLOOKUP FILE \xe2\x80\x9cTepPort.cf.\ntepHeader Len FIELD\nSYNTAX INT(4)\ntopFlags FIELD\nSYNTAXBITSTRING (12) { fin(0), syn(1), rst(2), psh(3), ack(4), urg(5) }\ntepData FIELD\n\nSYNTAX\n\nLENGTH\nENCAP\n\nBYTESTRING(0.1564)\n\n\xe2\x80\x9c(SipLength - (SipHeaderLength * 4)) - (StepHeaderLen * 4)\n\ntopPort\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\n\n-- The layout of the TCP datagram found in a packet. Offset based on the\n-- beginning of the header for TCP.\ntcp PROTOCOL\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cTCPACK=SAck WIN=SWindowSize\n\n::= {\n\nDESCRIPTION\n\xe2\x80\x9cProtocol format for the Transmission Control Protocol\nREFERENCE\n\xe2\x80\x9cRFC 793\n\nSrcport=tcpPort, DestPort=tcpPort, SequenceNum=UInt32,\nAck=UInt32, HeaderLength=tcpHeaderLen, TcpFlags=tcpFlags,\nWindowSize=UInt16, Checksum=ByteStr2,\n\nUrgentPointer=UInt16, Options=tcpCoptions, Data=tcpData }\n\n----top\n\nThe flow elements required to build a key for a TCP datagram.\nNoticed that this FLOW description has a CONNECTION section. This is\nused to describe what connection state is reached for each setting\nof the TcpFlags field.\nFLOW\n\nHEADER LENGTH=HeaderLength, IN-WORDS\nCONNECTION {\nIDENTIFIER=SequenceNum,\nCONNECT-START-\xe2\x80\x9cTepFlags:1\xe2\x80\x9d,\nCONNECT.COMPLETE=\xe2\x80\x9cTepFlags:4,\nDISCONNECT-START-\xe2\x80\x9cTepFlags:0,\nDISCONNECT.COMPLETE=\xe2\x80\x9cTepFlags:4\xe2\x80\x9d\n\nPAYLOAD ( INCLUDE-HEADER }\nCHILDREN DESTINATION=DestPort, SOURCE-SrcPort\ntopOptionKind FIELD\nSYNTAX UNSIGNED INT(8) { tepOptEnd(0), tcpNop(1), tcpMSS(2),\n\nApp. II-63\n\n\x0cUS 6,665,725 B1\n\n83\n-continued\nDESCRIPTION\n\ntepWscale(3), tcpTimestamp(4) }\n\n\xe2\x80\x9cType of TCP option\xe2\x80\x9d\ntopOption Data FIELD\nSYNTAX\nENCAP\n\nBYTESTRING(0.1500)\ntepOptionKind\n\nFLAGS\n\nSAMELAYER\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\n\ntopOptions\n\nGROUP\n\nLENGTH\n\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9c(StepHeaderLen * 4) - 20\xe2\x80\x9d\n\n\xe2\x80\x9cOption=SOption, Len=SOptionLength, SOption Data\'\n::= { Option=tcpCoptionKind, optionLength=UInt8, Option Data=tcpCoption Data }\n\ntepMSS\n\nPROTCCOL\n\n::= { MaxSegmentSize=UInt16\n\n-- UDP.pdl - User Datagram Protocol (UDP) definitions\n-- Description:\nThis file contains the packet definitions for the User Datagram\nProtocol.\n\n-- Copyright:\nCopyright (c) 1994-1998 Apptitude, Inc.\n(formerly Technically Elite, Inc.)\nAll rights reserved.\n--\n\nRCS:\n\nSId: UDP.pdl.v 1.9 1999/01/26 15:16:02 skip Exp S\n\nudpPort\n\nFIELD\n\nSYNTAX UNSIGNED INT(16)\nLOOKUPFILE \xe2\x80\x9cUdpport.cf.\nudpLength FIELD\n\nSYNTAX\nudpData FIELD\n\nSYNTAX\nENCAP\n\nUNSIGNED INT(16)\n\nBYTESTRING(0.1500)\nudpPort\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\n\nudp\n\nPROTOCOL\n\nSUMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cUDP Dest=SDestPort Src=SSrcPort\n\nDESCRIPTION\n\n\xe2\x80\x9cProtocol format for the User Datagram Protocol.\xe2\x80\x9d\n\nREFERENCE\n\n::= {\n\n\xe2\x80\x9cRFC 768\n\nSrcPort=udpPort, DestPort=udpPort, Length=udpLength,\nChecksum=ByteStr2, Data=udpData }\n\nudp\n\nFLOW\n\nHEADER LENGTH-8 }\nCHILDREN DESTINATION=DestPort, SOURCE=Sreport\n\n-- RPC.pdl - Remote Procedure Calls (RPC) definitions\n-- Description:\nThis file contains the packet definitions for Remote Procedure\nCalls.\n\n-- Copyright:\nCopyright (c) 1994-1999 Apptitude,\n(formerly Technically Elite, Inc.)\nAll rights reserved.\n--\n\nRCS:\n\nSId: RPC.pdl.v 1.7 1999/01/26 15:16:01 skip Exp S\n\nrpcType\n\nFIELD\n\nSYNTAX UNSIGNED INT(32) { rpcCall(O), rpcReply(1)}\n\nrpcData\nFIELD\nSYNTAX\nENCAP\nFLAGS\n\nrpc\n\nBYTESTRING(0.100)\nrpcType\nSAMELAYER\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\nPROTOCOL\nSUMMARIZE\n\n\xe2\x80\x9cSType == rpcCall\xe2\x80\x9d\n\nApp. II-64\n\n\x0cUS 6,665,725 B1\n\n85\n-continued\n\n\xe2\x80\x9cRPCSProgram\xe2\x80\x9d\n\xe2\x80\x9cSReplyStatus == rpcAcceptedReply:\n\xe2\x80\x9cRPC Reply Status=SStatus\xe2\x80\x9d\n\xe2\x80\x9cSReplyStatus == rpcDenied Reply\n\xe2\x80\x9cRPC Reply Status=S:Status, AuthStatus=SAuthStatus\'\n\xe2\x80\x9cDefault\n\xe2\x80\x9cRPCSProgram\xe2\x80\x9d\n\nDESCRIPTION\n\xe2\x80\x9cProtocol format for RPC\nREFERENCE\n\xe2\x80\x9cRFC 1057\n\n::= { XID=UInt32, Type=rpcType, Data=rpcData }\n\nrpc\n\nFLOW\n\nHEADER LENGTH=0}\nPAYLOAD DATA=XID, LENGTH-256}\n\nrpcProgram FIELD\n\nSYNTAX UNSIGNED INT(32) {portMapper(100000), infs(100003),\nmount(100005), lockManager(100021), status.Monitor(100024)}\n\nrpcProcedure GROUP\n\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cProgram=SProgram, Version=SVersion, Procedure=SProcedure\'\n::= { Program=rpcProgram, Version=UInt32, Procedure=UInt32\nrpcAuthFlavor FIELD\n\nSYNTAX UNSIGNED INT(32) { null(O), unix(1), short (2) }\nFIELD\nSYNTAX LSTRING(4)\n\nrpcMachine\n\nrpcGroup\n\nGROUP\n\nLENGTH \xe2\x80\x9cSNumGroups * 4\n\n::= { Gid=Int32 }\nGROUP\nLENGTH \xe2\x80\x9cSCredential Length\xe2\x80\x9d\n::= { Stamp=UInt32, Machine=rpcMachine, Uid=Int32, Gid=Int32,\nNumCiroups=UInt32, Groups=rpcGroup\n\nrpcCredentials\n\nrpcVerifierData\n\nFIELD\n\nSYNTAX\n\nBYTESTRING(0.400)\n\nLENGTH\n\nrpcEncap\n\n\xe2\x80\x9cSVerifier Length\xe2\x80\x9d\n\nFIELD\n\nSYNTAX COMBO Program Procedure\n\nLOOKUP FILE \xe2\x80\x9cRPC.cf\nrpcCalData FIELD\n\nSYNTAX\nENCAP\nrpcCall\n\nBYTESTRING(0.100)\nrpcEncap\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\n\nPROTOCOL\nDESCRIPTION\n\xe2\x80\x9cProtocol format for RPC call\n\n::= { RPCVersion=UInt32, Procedure=rpcProcedure,\n\nCredentialAuthFlavor=rpcAuthFlavor, Credential Length=UInt32,\nCredentials=rpcCredentials,\nVerifier AuthFlavor=rpcAuthFlavor, VerifierLength=UInt32,\n\nVerifier=rpcVerifierData, Encap=rpcEncap, Data=rpcCall Data }\nrpcReplyStatus\n\nFIELD\n\nSYNTAX INT(32) { rpcAcceptedReply(0), rpcDenied Reply(1)}\n\nrpcReplyData FIELD\nSYNTAX\nENCAP\nFLAGS\n\nBYTESTRING(0.40000)\nrpcReplyStatus\nSAMELAYER\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\n\nrpcReply\n\nPROTOCOL\n\nDESCRIPTION\n\n\xe2\x80\x9cProtocol format for RPC reply\n\n::= { ReplyStatus=rpcReplyStatus, Data=rpcReplyData }\n\nrpcAcceptStatus\n\nFIELD\n\nrpcAcceptEncap\n\nFIELD\n\nSYNTAX INT(32) { Success(O), ProgUnavail(1), ProgMismatch (2),\nProcUnavail(3), Garbage Args(4), SystemError(5)\nSYNTAX BYTESTRING(O)\nFLAGS NOSHOW\n\nrpcAcceptData FIELD\nSYNTAX\nENCAP\n\nBYTESTRING(0.40000)\nrpcAcceptEncap\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\n\nApp. II-65\n\n\x0cUS 6,665,725 B1\n\n87\n-continued\n\nrpcAcceptedReply PROTOCOL\n\n::= { Verifier AuthFlavor=rpcAuthFlavor, VerifierLength=UInt32,\nVerifier=rpcVerifierData, Status=rpcAcceptStatus,\nEncap=rpcAcceptEncap, Data=rpcAcceptData }\n\nrpcDeniedstatus\n\nFIELD\n\nSYNTAX INT(32) { rpcVersionMismatch(O), rpcAuthError(1)}\n\nrpcAuthStatus FIELD\n\nSYNTAX INT(32) { Okay(0), BadCredential(1), RejectedCredential(2),\nBadVerifier(3), ReDectedVerifier(4), TooWeak(5),\nInvalid Response(6), Failed(7) }\nrpcDenied Reply\nPROTOCOL\n::= { Status=rpcDeniedStatus, AuthStatus=rpcAuthStatus\nrpcBindLookup PROTOCOL\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cRPC GetPort Prog=SProg, Ver=SVer, Proto=SProtocol\xe2\x80\x9d\n::= { Prog=rpcProgram, Ver=UInt32, Protocol=UInt32\n\nrpcBindLookupReply PROTOCOL\nSUMMARIZE\n\xe2\x80\x9cDefault\n\n\xe2\x80\x9cRPC GetPortReply Port=SPort\xe2\x80\x9d\n::= { Port=UInt32 }\n-- NFS.pdl - Network File System (NFS) definitions\n-- Description:\nThis file contains the packet definitions for the Network File\nSystem.\n-- Copyright:\nCopyright (c) 1994-1998 Apptitude, Inc.\n(formerly Techhically Elite, Inc.)\nAll rights reserved.\n--\n\nRCS:\n\nSId: NFS.pdl.lv 1.3 1999/01/26 15:15:59 skip Exp S\n\nnfsString\n\nFIELD\n\nSYNTAX LSTRING(4)\n\nnfshandle\n\nFIELD\n\nSYNTAX\n\nBYTESTRING(32)\n\nDISPLAY-HINT\n\n\xe2\x80\x9c16xyn\n\nSYNTAX\n\nBYTESTRING(0.100)\n\nnfsData\n\nFIELD\n\ns\n\nDISPLAY-HINT \xe2\x80\x9cHexDump\xe2\x80\x9d\n\nnfsAccess\nPROTOCOL\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cNFS Access SFlename\n\n::= { Handle=nfsHandle, Filename=nfsString }\n\nnfsStatus\n\nFIELD\n\nSYNTAX INT(32) { OK(0), NoSuchFile(2) }\n\nnfsAccessReply\n\nPROTOCOL\n\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cNFS Access Reply SStatus\xe2\x80\x9d\n::= { Status=nfsStatus\nFIELD\nSYNTAX UNSIGNED INT(32)\n\nnfsMode\n\nDISPLAY-HINT \xe2\x80\x9c40\nnfsCreate\nPROTOCOL\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cNFS Create SFlename\n\n::= { Handle=nfsHandle, Filename=nfsString, Filler=Int8, Mode=nfsMode,\nUid=Int32, Gid=Int32, Size=Int32, AccessTime=Int\xc3\xa94, ModTime=Int\xc3\xa94}\nnfsFileType FIELD\nSYNTAX INT(32) { Regular(1), Directory(2)}\n\nnfsCreateReply\n\nPROTOCOL\n\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cNFS CreateReply SStatus\xe2\x80\x9d\n::= { Status=nfsStatus, Handle=nfsHandle, FileType=nfsFileType,\n\nMode=nfsMode, Links=UInt32, Uid=Int32, Gid=Int32, Size=Int32,\n\nBlockSize=Int32, NumBlocks=Int\xc3\xa94, FileSysld=UInt32, FileId=UInt32,\n\nAccessTime=Int\xc3\xa94, ModTime=Int\xc3\xa94, InodeChangeTime=Int\xc3\xa94}\n\nnfsRead\n\nPROTOCOL\n\nApp. II-66\n\n88\n\n\x0cApp. II-67\n\n\x0cUS 6,665,725 B1\n\n91\n-continued\ninfsRemoveDir PROTOCOL\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cNFS Rim Dir SName\n\n::= { Handle=nfsHandle, Name=nfsString\n\nnfsRemoveDirReply PROTOCOL\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cNFS Rm DirReply SStatus\xe2\x80\x9d\n::= { Status=nfsStatus\n\ninfsMakeDir PROTOCOL\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cNFS MkDir SName\n\n::= { Handle=nfsHandle, Name=nfsString\n\nnfsMakeDirReply PROTOCOL\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cNFS MkDirReply SStatus\xe2\x80\x9d\n::= { Status=nfsStatus\n\nnfsRemove\nPROTOCOL\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cNFS Remove SName\n\n::= { Handle=nfsHandle, Name=nfsString\n\nnfsRemoveReply PROTOCOL\nSUMMARIZE\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cNFS RemoveReply SStatus\xe2\x80\x9d\n::= { Status=nfsStatus\nHTTP.pdl - Hypertext Transfer Protocol (HTTP) definitions\nDescription:\nThis file contains the packet definitions for the Hypertext Transfer\nProtocol.\n\nCopyright:\nCopyright (c) 1994-1999 Apptitude, Inc.\n(formerly Technically Elite, Inc.)\nAll rights reserved.\nRCS:\n\nSId: HTTP.pdl.v 1.13 1999/04/13 15:47:57 skip Exp S\n\nhttpData\n\nFIELD\n\nSYNTAX\n\nBYTESTRING(1.1500)\n\nDISPLAY-HINT\nFLAGS\nPROTOCOL\nSUMMARIZE\n\n\xe2\x80\x9cText\nNOLABEL\n\nLENGTH\n\nhttp\n\n\xe2\x80\x9c(SipLength - (SipHeaderLength * 4)) - (StepHeaderLen\n\n\xe2\x80\x9cShttpData m/GETHTTPIHEAD POST? :\n\xe2\x80\x9cHTTP ShttpData\xe2\x80\x9d\n\xe2\x80\x9cShttpData m/Ddate Sserver IL1 ast-Mmodified? :\n\xe2\x80\x9cHTTP ShttpData\xe2\x80\x9d\n\n\xe2\x80\x9cShttpData m/ Ccontent-f:\n\xe2\x80\x9cHTTP ShttpData\xe2\x80\x9d\n\n\xe2\x80\x9cShttpData m/ <HTML.cf. :\n\xe2\x80\x9cHTTP (HTML document\n\xe2\x80\x9cShttpData m? GIF?:\n\xe2\x80\x9cHTTP GIF image\n\xe2\x80\x9cDefault:\n\n\xe2\x80\x9cHTTP Data\n\nDESCRIPTION\n\xe2\x80\x9cProtocol format for HTTP\n\nhttp\n\nFLOW\n\nCONNECTION INHERITED }\nPAYLOAD ( INCLUDE-HEADER, DATA=Data, LENGTH=256}\nSTATES\n\n\xe2\x80\x9cSO: CHECKCONNECT, GOTO S1\nS1:\n\nS2:\n\nDEFAULT NEXT SO\n\nWAIT 2, GOTO S2, NEXT S1\nDEFAULT NEXT SO\nNATCH\n\nWn\\rn\n\n900 OO 255 0, NEXT S3\n\nApp. II-68\n\n92\n\n\x0cUS 6,665,725 B1\n\n93\n-continued\nVnyin\nPOST ?tds?\n\xe2\x80\x9c.hts HTTP/1.0\n\n900 00 255 0, NEXT 53\n\njdbc:sybase:Tds\n\nS3:\n\nPCN-The Poin\n\xe2\x80\x9ct: BW-CDEFAULT NEXT S3\nMATCH\n\nWn\\rn\nVnyin\n\nContent-Type:\n\nPCN-The Poin\n\xe2\x80\x9ct: BW-CDEFAULT NEXT SO\n\nsybaseWebsql\n\n500 0 1271, CHILD sybaseWebsq1\n5040 1271, CHILD sybase.Jdbc\n5040 1271, CHILD sybaseTds\n500 4 1 255 0, CHILD pointcast\n100 4 1 255 0, CHILD backweb\n\n50 00 00, NEXT S3\n50 00 00, NEXT S3\n800 00 255 0, CHILD mime\n\n500 4 1 255 0, CHILD pointcast\n100 4 1 255 0, CHILD backweb\n\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nSTATES\n\xe2\x80\x9cSO:\nMATCH\n\nsybase.Jdbc\nsybaseTas\npointcast\nbackweb\nmime\n\n\'application 9000 0 1 0, CHILD mimeApplication\naudio\n\nimage\n\nmimeApplication FLOW\nmimeAudio\n\nSTATE-BASED\n\nmimeImage\nmimeText\nmimeVideo\nmimexworld\n\npdBasicAudio\npdMidi\npdMpeg2Audio\npdMpeg3Audio\n\npdAiff\n\n0, CHILD mimeText\n0, CHILD mimeVideo\n0, CHILD mimeXworld\n\nFLOW\n\nbasic\nmidi\nimpeg\nvnd.m-realaudio\nwaw\nx-aiff\nx-midi\nx-mpeg\nx-mpgurl\nx-pn-realaudio\nx-wav\n\npdWav\n\n1 0, CHILD mimeAudio\n\n500 0 1 0, CHILD mimeImage\n\ntext\n500 0 1\nvideo\n500 0 1\nx-world\n500 4 1 255\nDEFAULT GOTO SO\n\nSTATE-BASED\nSTATES\nMATCH\n\npdRealAudio\n\n900 0 0\n\nDEFAULT GOTO SO\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\nFLOW\nSTATE-BASED\n\n1000 0 1 0, CHILD pdBasicAudio\n1000 0 1 0, CHILD pdMidi\n1000 0 1 0, CHILD pdMpeg2Audio\n1000 0 1 0, CHILD pdRealAudio\n1000 0 1 0, CHILD pdWav\n1000 0 1 0, CHILD pdAiff\n1000 0 1 0, CHILD pdMidi\n1000 0 1 0, CHILD pdMpeg2Audio\n1000 0 1 0, CHILD pdMpeg3Audio\n1000 0 1 0, CHILD pdRealAudio\n1000 0 1 0, CHILD pdWav\n\nApp. II-69\n\n94\n\n\x0cWhat is claimed is:\n\n95\n\nUS 6,665,725 B1\n\n5. A method according to claim 4, wherein the data\nStructure is compressed according to a compression Scheme\nthat takes advantage of the Sparseness of valid entries in the\n\n1. A method of performing protocol Specific operations on\na packet passing through a connection point on a computer\nnetwork, the method comprising:\n\ndata Structure.\n\n(a) receiving the packet:\n(b) receiving a set of protocol descriptions for a plurality\n\nof protocols that conform to a layered model, a protocol\ndescription for a particular protocol at a particular layer\nlevel including:\n\n(i) if there is at least one child protocol of the protocol\n\nat the particular layer level, the-one or more child\nprotocols of the particular protocol at the particular\nlayer level, the packet including for any particular\nchild protocol of the particular protocol at the par\nticular layer level information at one or more loca\ntions in the packet related to the particular child\nprotocol,\n\n1O\n\n15\n\n(ii) the one or more locations in the packet where\n\ninformation is Stored related to any child protocol of\nthe particular protocol, and\n\n9. A method according to claim 8, wherein the compres\n\nSion Scheme combines two or more tables that have no\n25\n\nconflicting common entries.\n10. A method of performing protocol Specific operations\non a packet passing through a connection point on a com\nputer network, the method comprising:\n\n(a) receiving the packet;\n(b) receiving a set of protocol descriptions for a plurality\n\n(c) performing the protocol specific operations on the\n\npacket Specified by the Set of protocol descriptions\nbased on the base protocol of the packet and the\nchildren of the protocols used in the packet,\nthe method further comprising:\nStoring a database in a memory, the database generated\nfrom the Set of protocol descriptions and including a\ndata Structure containing information on the possible\nprotocols and organized for locating the child protocol\nrelated information for any protocol, the data Structure\ncontents indexed by a set of one or more indices, the\ndatabase entry indexed by a particular set of indeX\nvalues including an indication of validity,\nwherein the child protocol related information includes a\nchild recognition pattern,\n\n6. A method according to claim 5, wherein the compres\nSion Scheme combines two or more arrays that have no\nconflicting common entries.\n7. A method according to claim 1, wherein the data\nStructure includes a set of tables, each table identified by a\nfirst index, at least one table for each protocol, each table\nfurther indexed by a Second indeX being the child recogni\ntion pattern, the data structure further including a table that\nfor each protocol provides the location in the packet where\nthe child protocol related information is Stored, Such that\nfinding a valid entry in the data Structure provides the\nlocation in the packet for finding the child recognition\npattern for an identified protocol.\n8. A method according to claim 7, wherein the data\nStructure is compressed according to a compression Scheme\nthat takes advantage of the Sparseness of valid entries in the\nset of tables.\n\n(iii) if there is at least one protocol Specific operation to\n\nbe performed on the packet for the particular proto\ncol at the particular layer level, the one or more\nprotocol Specific operations to be performed on the\npacket for the particular protocol at the particular\nlayer level; and\n\nof protocols that conform to a layered model, a protocol\ndescription for a particular protocol at a particular layer\nlevel including:\n\n(i) if there is at least one child protocol of the protocol\nat the particular layer level, the-one or more child\nprotocols of the particular protocol at the particular\nlayer level, the packet including for any particular\nchild protocol of the particular protocol at the par\nticular layer level information at one or more loca\ntions In the packet related to the particular child\nprotocol,\n\n35\n\n(ii) the one or more locations in the packet where\n\n40\n\ninformation is Stored related to any child protocol of\nthe particular protocol, and\n\nwherein step (c) of performing the protocol specific opera\n\ntions includes, at any particular protocol layer level Starting\nfrom the base level, Searching the packet at the particular\nprotocol for the child field, the Searching including indexing\nthe data structure until a valid entry is found, and\nwhereby the data Structure is configured for rapid Searches\nusing the index Set.\n2. A method according to claim 1, wherein the protocol\ndescriptions are provided in a protocol description language,\nthe method further comprising:\ncompiling the PDL descriptions to produce the database.\n3. A method according to claim 1, wherein the data\nStructure comprises a set of arrays, each array identified by\na first index, at least one array for each protocol, each array\nfurther indexed by a Second indeX being the location in the\npacket where the child protocol related information is\nStored, Such that finding a valid entry in the data structure\nprovides the location in the packet for finding the child\nrecognition pattern for an identified protocol.\n4. A method according to claim 3, wherein each array is\nfurther indexed by a third index being the size of the region\nin the packet where the child protocol related information is\nStored, Such that finding a valid entry in the data structure\nprovides the location and the size of the region in the packet\nfor finding the child recognition pattern.\n\n96\n\n(iii) if there is at least one protocol specific operation to\n\nbe performed on the packet for the particular proto\ncol at the particular layer level, the one or more\nprotocol Specific operations to be performed on the\npacket for the particular protocol at the particular\nlayer level: and\n\n45\n\n50\n\n55\n\n(c) performing the protocol specific operations on the\n\npacket Specified by the Set of protocol descriptions\nbased on the base protocol of the packet and the\nchildren of the protocols used in the packet,\nwherein the protocol Specific operations include one or more\nparsing and extraction operations on the packet to extract\nSelected portions of the packet to form a function of the\nSelected portions for identifying the packet as belonging to\na conversational flow.\n\n11. A method according to claim 10, wherein step (c) of\n\n60\n\nperforming protocol Specific operations is performed recur\nsively for any children of the children.\n12. A method according to claim 10, wherein which\n\nprotocol specific operations are performed is step (c)\n65\n\ndepends on the contents of the packet Such that the method\nadapts to different protocols according to the contents of the\npacket.\n13. A method according to claim 10, wherein the protocol\ndescriptions are provided in a protocol description language.\n\nApp. II-70\n\n\x0c97\n\nUS 6,665,725 B1\n\n14. A method according to claim 13, further comprising:\ncompiling the PDL descriptions to produce a database and\nStore the database in a memory, the database generated\nfrom the Set of protocol descriptions and including a\ndata Structure containing information on the possible\nprotocols and organized for locating the child protocol\nrelated information for any protocol, the data Structure\ncontents indexed by a set of one or more indices, the\ndatabase entry indexed by a particular set of indeX\nvalues including an indication of validity,\nwherein the child protocol related information includes a\nchild recognition pattern, and\nwherein the Step of performing the protocol Specific opera\ntions includes, at any particular protocol layer level Starting\nfrom the base level, Searching the packet at the particular\nprotocol for the child field, the Searching including indexing\nthe data structure until a valid entry is found,\nwhereby the data Structure is configured for rapid Searches\nusing the index Set.\n15. A method according to claim 10, further comprising:\nlooking up a flow-entry database comprising at least one\nflow-entry for each previously encountered conversa\ntional flow, the looking up using at least Some of the\nSelected packet portions and determining if the packet\nmatches an flow-entry in the flow-entry database\nif the packet is of an existing flow, classifying the packet\nas belonging to the found existing flow; and\nif the packet is of a new flow, Storing a new flow-entry for\nthe new flow in the flow-entry database, including\nidentifying information for future packets to be iden\ntified with the new flow-entry;\nwherein for at least one protocol, the parsing and extraction\noperations depend on the contents of one or more packet\nheaders.\n\n16. A method according to claim 10, wherein the protocol\nSpecific operations further include one or more State pro\ncessing operations that are a function of the State of the flow\nof the packet.\n\n98\n\n17. A method of performing protocol Specific operations\non a packet passing through a connection point on a com\nputer network, the method comprising:\n5\n\n(a) receiving the packet;\n(b) receiving a set of protocol descriptions for a plurality\n\nof protocols that conform to a layered model, a protocol\ndescription for a particular protocol at a particular layer\nlevel including:\n\n(i) if there is at least one child protocol of the protocol\n\nat the particular layer level, the one or more child\nprotocols of the particular protocol at the particular\nlayer level, the packet including for any particular\nchild protocol of the particular protocol at the par\nticular layer level information at one or more loca\ntions in the packet related to the particular child\nprotocol,\n\n15\n\n(ii) the one or more locations in the packet where\n\ninformation is Stored related to any child protocol of\nthe particular protocol, and\n\n(iii) if there is at least one protocol specific operation to\n\nbe performed on the packet for the particular proto\ncol at the particular layer level, the one or more\nprotocol Specific operations to be performed on the\npacket for the particular protocol at the particular\nlayer level; and\n\n25\n\n(c) performing the protocol specific operations on the\n\n35\n\npacket Specified by the Set of protocol descriptions\nbased on the base protocol of the packet and the\nchildren of the protocols used in the packet,\nwherein the packet belongs to a conversational flow of\npackets having a Set of one or more States, and wherein the\nprotocol Specific operations include one or more State pro\ncessing operations that are a function of the state of the\nconversational flow of the packet, the State of the conver\nsational flow of the packet being indicative of the Sequence\nof any previously encountered packets of the same conver\nsational flow as the packet.\n\nApp. II-71\n\nk\n\nk\n\nk\n\nk\n\nk\n\n\x0cUNITED STATES PATENT AND TRADEMARK OFFICE\n\nCERTIFICATE OF CORRECTION\nPATENT NO.\nDATED\n\n: 6,665,725 B1\n: December 16, 2003\n\nPage 1 of 2\n\nINVENTOR(S) : Dietz et al.\n\nIt is certified that error appears in the above-identified patent and that said Letters Patent is\nhereby corrected as shown below:\nColumn 6\n\nLine 47, change \xe2\x80\x9cNBTBIOS\' to -- NETBIOS --.\nLine 55, change \xe2\x80\x9cDiferent\xe2\x80\x9d to -- Different --.\nColumn 16\n\nLine 27, change \xe2\x80\x9cFIG. 6 FIG 6\xe2\x80\x9d to\n-- FIG. 6.\nFIG6 --.\n\nColumn 18\n\nLine 17, change "updatelookup\' to -- update-lookup --.\nColumn 25\n\nLine 38, change "Server-Say\xe2\x80\x9d to -- Server\xe2\x80\x94Say --.\nColumn 53,\n\nLine 4, change \xe2\x80\x9cDefault\xe2\x80\x9d to -- \xe2\x80\x9cDefault\' : --.\nLine 45, shift \xe2\x80\x9cDISPLAY-HINT to the right so its beginning lines up with the\nbeginning of \xe2\x80\x9cSYNTAX\xe2\x80\x9d in line 42 and with the beginning of \xe2\x80\x9cLENGTH\' in line 43.\nLine 46, shift \xe2\x80\x9cFLAGS\xe2\x80\x99 to the right So its beginning lines up with the beginning of\n\xe2\x80\x9cSYNTAX\xe2\x80\x9d in line 42 and with the beginning of \xe2\x80\x9cLENGTH" in line 43.\nColumn 61\n\nAprox. line 32, change \xe2\x80\x9crip\xe2\x80\x9d to -- r1p --.\nColumn 71\n\nLine 9, from the bottom, change \xe2\x80\x9cnetbios (0x3c00, to -- netbios (0x3c00) --.\nColumn 73\n\nAprOX. Line 25, change "tyop\' to -- type --.\nColumn 79\n\nLine 4 from the bottom, change \xe2\x80\x9cSYNTAXINT(8) to -- SYNTAX INT (8) --.\n\nApp. II-72\n\n\x0cUNITED STATES PATENT AND TRADEMARK OFFICE\n\nCERTIFICATE OF CORRECTION\nPATENT NO.\nDATED\n\n: 6,665,725 B1\n: December 16, 2003\n\nPage 2 of 2\n\nINVENTOR(S) : Dietz et al.\n\nIt is certified that error appears in the above-identified patent and that said Letters Patent is\nhereby corrected as shown below:\nColumn 81\n\nApprox. line 41, change \xe2\x80\x9cSYNTAXBITSRING(12) to -- SYNTAX BITSTRING\n(12) --.\nColumn 83\n\nApprox. line 36, change \xe2\x80\x9cLOOKUPFILE\xe2\x80\x9d to -- LOOKUP FILE--.\nColumn 93\n\nApprox. line 45, change \xe2\x80\x9cvnd.m-relaudio\xe2\x80\x9d to -- \'vnd.rn-realaudio\' --.\nColumn 96\n\nLine 38, change \xe2\x80\x9cIn\xe2\x80\x9d to -- in --.\n\nSigned and Sealed this\nTwenty-ninth Day of June, 2004\n\nWDJ\nJON W. DUDAS\n\nActing Director of the United States Patent and Trademark Office\n\nApp. II-73\n\n\x0cUNITED STATES PATENT AND TRADEMARK OFFICE\n\nCERTIFICATE OF CORRECTION\nPATENT NO.\n\n: 6,665,725 B1\n\nAPPLICATIONNO.\n\n: 09/609179\n\nDATED\n\n: December 16, 2003\n\nINVENTOR(S)\n\nPage 1 of 1\n\n: Russell S. Dietz, Andrew A. Koppenhaver and James F. Torgerson\n\nIt is certified that error appears in the above-identified patent and that said Letters Patent is hereby corrected as shown below:\nIN THE CLAIMS:\n\nColumn 1, lines 15 and 16, claim 14, change \xe2\x80\x9csearching the packet at the particular protocol\nto-searching the packet at the particular protocol level--.\n\nSigned and Sealed this\nEighth Day of October, 2013\n2\n\n2-Y\n\nxx\n\n. .\n26-e- 2. 13\ns?\n\n*\xc3\xa9-...s\xc3\xa9 -\n\nTeresa Stanek Rea\n\nDeputy Director of the United States Patent and Trademark Office\n\nApp. II-74\n\n\x0cUSOO6839751B1\n\n(12) United States Patent\n\n(10) Patent No.:\n\nDietz et al.\n\n(45) Date of Patent:\n\nUS 6,839,751 B1\n\nJan. 4, 2005\n\n(54) RE-USING INFORMATION FROM DATA\n\n6,330,226 B1 * 12/2001 Chapman et al. ........... 370/232\n\n(75) Inventors: Russell S. Dietz, San Jose, CA (US);\nJoseph R. Maixner, Aptos, CA (US);\n\n6,625,657 B1 * 85.8 Ri al.\n- - - 29:\n6,651,099 B1 * 11/2003 Dietz et al. ................. 709/224\n\nTRANSACTIONS FOR MAINTAINING\nSTATISTICS IN NETWORK MONITORING\n\n6,363,056 B1 * 3/2002 Beigi et al. .......\n... 370/252\n6,381,306\nLawson etetal.al. ....\n...............\n379/32\n6.424,624 B1\nB1 ** 4/2002\n7/2002 Galand\n... 370/231\n6.453345 B2\n\nAndrew A. K.\n\nh\nLittlet\nAny openniver\nten,\n\n... 709/224\n\nOTHER PUBLICATIONS\n\nNOV94: Packet Filtering in the SNMP Remote Monitor ;\nwww.skrymir.com/dobbs/articles/1994/9411/9411h/\n\n(73) Assignee: Hi/fn, Inc., Los Gatos, CA (US)\n(*) Notice:\n\n9/2002 Trcka et al. ......\n\nSubject to any disclaimer, the term of this\npatent is extended or adjusted under 35\n\n9411 h.htm.*\n\n(21) Appl. No.: 09/608,126\n\nGTrace-A Graphical Traceroute Tool authored by Ram\nPeriakaruppan, Evi Nemeth ; http://www.caida.org/out\nreach/papers/1999/GTrace/index.xml.*\nAdvanced Methods for Storage and Retrieval in Image ;\nhttp://www.cs.itulane.edu/www/Prototype/proposal.html;\n\n(22) Filed:\n\nMeasurement and analvsis\nDECT propag\npropagation\ny of the digital\n9.\n\nU.S.C. 154(b) by 728 days.\n\n1998.*\n\nJun. 30, 2000\n\nchannel; IEEE 1998.*\n\nRelated U.S. Application Data\n\n(60) Provisional application No. 60/141903, filed on Jun. 30,\n1999.\n\n(51) Int. Cl. .............................................. G06F 15/173\n(58) Field of Search ................................. 709/223, 224,\n709/231, 232, 230; 370/252, 231; 379/32;\n704/43; 714/39; 340/825\n(56)\n\nReferences Cited\nU.S. PATENT DOCUMENTS\n4,972,453 A 11/1990 Daniel et all\n\n5.53533s. A\n\n5703877\n5,720,032\n5,761,429\n5,799,154.\n\n5,802,054\n5,850,388\n5,892,754\n6,097.699\n6115393\n\n379/9.03\n\n7/1996 Krause et al... 709/222\n\nA 12/1997 Nuber et al. ................ 370/395\nA * 2/1998 Picazo, Jr. et al........... 709/250\nA * 6/1998 Thompson .................. 709/224\nA * 8/1998 Kuriyan ...................... 709/223\n\nA : 9/1998 Bellenger ................... 370/401\nA * 12/1998 Anderson et al. ........... 370/252\nA\n4/1999 Kompella et al. .......... 370/236\nA\n8/2000 Chen et al. ................. so\nA\n9/2000 Engel et al. ................ 370/469\n\n6269,330 B1\n\n7/2001 Cidon et al. ... 704/43\n\n6.279,113 B1 * 8/2001 Vaidya ....................... 713/201\n6,282.570 B1 * 8/2001 Leung et al. ............... 709/224\n\nr\n\nCLIENT 3\n\n-\n\nclient\n\nsk -\n\ncited by examiner\n\nPrimary Examiner Thong Vu\n\n(74) Attorney, Agent, or Firm--Dov Rosenfeld; Inventek\nA method of and monitor apparatus for analyzing a flow of\npackets passing through a connection point on a computer\nnetwork. The method includes receiving a packet from a\npacket acquisition device, and looking up a flow-entry\ndatabase containing flow-entries for previously encountered\nconversational flows. The looking up to determine if the\nreceived packet is of an existing flow. Each and every packet\n\nis processed. If the packet is of an existing flow, the method\n\nupdates the flow-entry of the existing flow, including Storing\none or more Statistical measures kept in the flow-entry. If the\npacket is of a new flow, the method Stores a new flow-entry\nfor the new flow in the flow-entry database, including\n\nStoring one or more Statistical measures kept in the flow\nentry. The Statistical measures are used to determine metrics\nlated to the fl\nTh\ntri\nbe b\ntrics f\nrelated to line Ilow. I ne metrics may be base metrics Irom\nwhich quality of Service metrics are determined, or may be\n\nthe quality of Service metrics.\n\n21 Claims, 18 Drawing Sheets\n\nCLIENT 4\n\nANAYZER\n\n107\n\n108\n\nSERVER 3\n\n--/\n\n16\nO\n\n1 21\n\nO6\nDATA COMMUNCATIONS\nNETWORK\n\nO2\n\n125\n\nSERVER 2-\n\n23\n2\n\nCLIENT 2-7\n\n05\n\nApp. II-75\n\n-\n\nCLIENT1\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\nSheet 1 of 18\n\nUS 6,839,751 B1\n\n100\n\n-N\n\nANAYZER\n\n1 O7\n\n116\n\nFl\n\nSERVER 2\n\nCLIENT 3\n\nN106\n\nY10\n\n121\n\nDATA COMMUNICATIONS\nNETWORK\n\n102\n\n125\n123\n\nSERVER 2\n\n-N\n\n112\n\n-\n\n105\n\nCLIENT 2-1\n\nFIG. 1\n\nApp. II-76\n\n-Y\n\n118\n\n-/\n\nCLIENT 1\n\n104\n\n\x0cApp. II-77\n\n\x0cApp. II-78\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\nSheet 4 of 18\n\n402\n\nHGH LEVEL\nPACKET\nDECODING\n\nGENERATE\nPACKET\nPARSE AND\nEXTRACT\nOPERATIONS\n\nUS 6,839,751 B1\n\nPACKET\n\nCOMPLE\nDESCRIPTIONS\n\nSTATE\nINSTRUCTION\nAND\nOPERATIONS\n\n4O6 2ATTENPARs\n\nPR\xc3\xb3Cessor\n\nEXTRACTION\n\nINSTRUCTION\n\nDATABASE\n\nDATABASE\n\nLOAD\n\nLOAD STATE\n\nSUBSYSTEM\n\nDATABASE\n\nPARSING\n\nMEMORY\n\nNSTRUCTION\nMEMORY\n\n400\n\nO\n\nFIG. 4\nApp. II-79\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\nSheet 5 of 18\n\n503\n\nLOAD PACKET\nCOMPONENT\n\n504\n\nORE INPACKE2.\n\nUS 6,839,751 B1\n\nPACKET\nKEY\n\nFETCH NODE AND\nPROCESS FROM\nPATTERN\n513\n\nMORE\n\nNEXT\n\nPATTERN\n\nPACKET\n\nNODES\nAPPLY NOD\n\nCOMPONE\n\n51\n\nAND\n\nPROCESS TO\n\nCOMPONENT\n51O\n\nV\n\n5OO\n\nw\n\nPATTERN\n\nNODE\n\n509\n\nApp. II-80\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\nSheet 6 of 18\n\nUS 6,839,751 B1\n\nOU-601\nPACKET\nCOMPONENT AND\n\n602\n\nPATTERN NODE\n\n603\n\nLOAD PACKET\nCOMPONENT\n\n610\n\n6 O4\n\nMORE PACKE\nCOMPONENT\n\nLOAD KEY\nBUFFER\n\nYES\n\nFETCH EXTRACTION\n\n(F)\n\nAND PROCESS FROM\nPATTERNS\n\n605\n\nNO\n\n611\n606\n\nORE EXTRACTION\n\nNO\n\nELEMENTS?\n\nNEXT\n\nPACKET\n\nCOMPONEN\n\n609\n\nYES\n6O7\n\nAPPLY EXTRACTION\n\nSRES\n\n6OO\n\nMORE TO\n\n608\n\nEXTRACT?\n\nFIG. 6\n\nYE\n\nApp. II-81\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\nSheet 7 of 18\n\nUS 6,839,751 B1\n\nOU-701\nEY BUFFER AND\nPATTERN NODE\n\n702\n\n703\n\nLOAD PATTERN\nNODE ELEMENT\n\n704\n\nMORE PATTERN\n\nOUTPUT TO\n\nYES\n\n(EB)\n\nORE,\n\nHASHKEYBUFFER\nELEMENT FROM\nPATTERN NODE\n\n7O6\n707\n\n708\n\nANALYZER\n\n705\n\nPACKKEY & HAS\n\nNEXT PACKET\nCOMPONENT\n\nFIG. 7\n\nApp. II-82\n\n709\n\nN\n\n700\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\nSheet 8 of 18\n\nO\n\nUS 6,839,751 B1\n\n8O1\n\nUFKBENTRY FOR\nPACKET\n\n8OO Y\n\n802\n\nCOMPUTE\nCONVERSATION-803\nRECORD BIN FROM HASH\nREGUEST RECORD BIN/\nBUCKET FROM CACHE\n\n805\n\n804\n\nNO\n\nORE BUCKET\nIN THE BIN?\n\n806\n\nSETUFKBFOR\n\nPACKETAS"NEW"\n\nYES\nCOMPARE CURRENT BIN\nAND BUCKETRECORD KEY\nTO PACKET\n\n807\n\nNEXT BUCKET-NO service\n\n808\n\nYES\n809\n\nMARK RECORD BIN AND\n\nBUCKET IN PROCESS IN\nCACHE AND TIMESTAMP\n\n811\n\nSET UFKB FOR PACKET\nASFOUND"\n\n812\n\nUPDATE STATISTICS FOR\n\n810\n\nRECORD IN CACHE\n\n98 vC\nApp. II-83\n\nFIG. 8\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\n901\n\n902\n\nANNOUNCME\nPORTMAPPER\n\nPORTMAPPER\n\nUS 6,839,751 B1\n\nSheet 9 of 18\n\n9 O\n\nRPC\nBIND LOOKUP\nREGUEST\n909\n\n903\n\nEXTRACT PROGRAM\n\nEXTRACT PORT\n\nGET PROGRAM\',\nVERSION\', \'PORTAND\n"PROTOCOL (TCP OR\n\nGET PROGRAM",\n"VERSION AND\n\n\'PROTOCOL (TCP OR\n\nUDP)\n\nUDP)\n\nSAVE REGUEST\n\nCREATE SERVER STATE\n904\n\nSAVE PROGRAM",\n\nSAVE PROGRAM",\nVERSION\', \'PORTAND\n\n\'VERSION AND\n\n\'PROTOCOL (TCP OR\n\n\'PROTOCOL (TCP OR\nUDP) WITH\n\nADDRESS IN SERVER\n\nNETWORKADDRESS.\n\nUDP)\' WITH NETWORK\n\nDESTINATION\n\nSTATE DATABASE KEY\n\nBOTH MAKE A KEY.\n\nON SERVER ADDRESS\n\nAND TCP OR UDP PORT.\n\nRPC\n\nBIND\n\nLOOKUP\nREPLY\n\ngo/\n\nLOOKUP REGUES\nFIND PROGRAM"\n\nAND VERSION\nWITHOOKUP OF\nSOURCE NETWORK\n\nADDRESS.\n\nFIG. 9\nApp. II-84\n\nEXTRACT\nPROGRAM\nGET "PORT AND\n\n\'PROTOCOL (TCP\nOR UDP)\'.\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\nSheet 10 0f 18\n\nPATTERN\n\n100\n\nRECOGNITION\nDATABASE\nMEMORY\n\nEXTRACTION\n\nOPERATIONS\nDATABASE\nMEMORY\n\n1001\n\n1 OO\n\nUS 6,839,751 B1\n\n100\n\n1004\n\n1 O31\n\nHOST INTERFACE MULTIPLEXR 8 CONTROLREGISTERS\n\nINFOOUT\nCONTRL IN\n1031\n\n1 OO6\n\nPATTERN\n\n1007\n\nRECOGNITN\n\nEXTRACTION ENGINE\n\nENGINE\n\n(SLICER)\n\n(PRE)\n\n1008\n\nPACKET \\ PARSER INPUT BUFFER\nINPUT\n\nMEMORY\n\nPARSER\n\nOUTPUT PACKETKEY\n\nBUFFER AND PAYLOAD\nMEMORY\n\n1012\n1021\n\nPAERT INPUT BUFFER\nV\n\nA.\n\nPACKET\n1 O2\n\n1023\n\nANALYZER DATA READ\n\nNTERFACE\nCONTROL\n\nINTERFACE\nCONTROL\n\nFIG. 1 O\n\nApp. II-85\n\nANALYZER\nREADY\n\nO27\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\nSheet 11 of 18\n\nUS 6,839,751 B1\n\n1100 101\n\n11 O3\n\n1115\n\nEE\n\nENGINE\n\nPROCESSR\nINSTRUCN\nDATABASE\n\n1118 \xc2\xb0\nANALYZER\nSST\nINTERFACES\nA59 INTER\nFACE\n\nC2SO\n(\n)\n\n(HIB)\n\n(SPID)\n\nPARSER\n\nUNIFIED\nFLOW\nKEY\n\nFACE\n\n(UFKB)\n\nINTERK.BUFFER\n\nPROCESSR\n(SP)\n\nFLOW\nINSERTION/\n\nCDELET6N-)\nENGINE\n\n(FIDE)\n\n1110\n\nFIG. 11\n\nApp. II-86\n\n1119 112\n\nUNIFIED\n\nMEMORY\n\nCONTROL\n\nFACE\n\nMEMORY AN INTER\n\n(UMC)\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\nSheet 12 of 18\n\nUS 6,839,751 B1\n\nUFKB ENTRY FOR\nPACKET WITH\nSTATUS"NEW"\n1200\n\nTA\n\nACCESS\nCONVERSATION\n\n1203\n\nREGUEST RECORD BIN/\n\n1204\n\nRECORD BIN\n\nBUCKET FROM CACHE\n\nRECQUEST NEXT\n12O6\n\nBUCKET FROM\nCACHE\n\n1202\n\nBN/BUCKETEMPTY\n\n1205\n\nYES\n\nNo NNSERKEYAND\nHAS\nBUCKET, MARK"USED\n\n1208\n\nWITH TIMESTAMP\n\nYES\n1210\n\n12O7\n\nSET UFKBFOR\n\nPACKETAS\n\nOMPARE CURRENT BIN 1209\n\nAND BUCKETRECORD\nKEY TO PACKET\n\nDROP\n\nMARK RECORD BIN AND\n\nBUCKET\'IN PROCESS\nAND "NEW" IN CACHE\n\nSET INITIAL STATISTICS\n\nFOR RECORD IN CACHE\n1213\n\nFIG. 12\nApp. II-87\n\n1211\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\nSheet 13 0f 18\n\nQuito\n\n1300 - NA\n\nUFKBENTRY FOR\n\nPACKET WITH STATUS\n"NEW OR \'FOUND"\n\nSET STATE PROCESSOR\nINSTRUCTION POINTERTO\nALUE FOUND IN UFKB ENTRY\n\nINSTRUCTION\n\nPOINTERTO\n\nPERFORM OPERATION BASED\n\n1305\n\nNO\n\n3O8\n\nINSTRUCTION\nPOINTER IN\n\nCURRENT FLOW\nRECORD\n\nDONE PROCESSING\n\nSTATES FOR THIS\n\n1307\n\nPACKET2\n\nCURRENT STATE\nSAVE STATE\n\n1303\n\n1304\n\nVALUE FOUND IN\n\nPROCESSOR\n\n1302\n\nFETCH INSTRUCTION FROM\nSTATE PROCESSOR\nINSTRUCTION MEMORY\n\nON THE STATE INSTRUCTION\n\nSET STATE\nPROCESSOR\n\nUS 6,839,751 B1\n\n131 O\n\nNO\n\nYES\n\nDONE PROCESSING\n\nTATES FOR THIS FLOW2\n\nYES\nSET AND SAVE FLOW REMOVA\nSTATE PROCESSOR\nINSTRUCTION IN CURRENT\nFLOW RECORD\n\nApp. II-88\n\n1309\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\nSheet 14 of 18\n\nHESWCHIWES\xc3\x85 TS\nApp. II-89\n\nUS 6,839,751 B1\n\n\x0cU.S. Patent\n\nUS 6,839,751 B1\n\nNOLISQV\n\nLEXIOWE EOLAC]\n\nApp. II-90\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\nSheet 16 of 18\n\nNL2 Ofset = 12\nFIG 16\n\nApp. II-91\n\nUS 6,839,751 B1\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\n1702\n\n1704\n\noffset\n\n12613 YType\n1708\n\nIDP = 0x06OO*\n\nIP = 0x0800\nCHAOSNET = 0x0804\nARP = 0x0806\nVIP = OxOBAD*\nVLOOP OxOBAE\n\nI/////////A\ny\n\nUS 6,839,751 B1\n\nSheet 17 0f 18\n\n1706\n\nVECHO = OxOBAF\n\nNETBIOS-3COM: Ox3COO\n\nOx3CODE\n\nType (2)\n\nDEC-MOPE Ox6001\nDEC-RC = 0x6002\nDEC-DRP = 0x6003 *\nDEC-LAT = 0x6004\n\nHash 1\n\nDEC-DIAG = 0x6005\n\nFIG. 17A\n\nul\n1712\n\nDEC-LAVC = 0x6007\nRARP = 0x8035\nATALK = 0x809B\nVLOOP = 0x80C4\nVECHO = 0x80C5\n\nSNATH = 0x8005\nATALKARP = 0x80F3\nIPX = 0x8137*\nSNMP = 0x814Cit\nIPv6 - 0x86DD *\nLOOPBACK = 0x9000\n\nApple = 0x080007\n\n* L3 Decoding\n# L5 Decoding\n\nL3 to\n\nSEEZ\n////serifier/Flag?/Flag/6ffs\n\nE,\nAIE/Protocol)Ale/Cheskyi,\n- 1)\n//////95iis,8. Fadzig//////////\n\n1752\n\nICMP = 1\nGMP = 2\nGGP = 3\n\nTCP = 6*\n\nEGP\nIGRP\nPUP\nCHAOS\nUDP\nDP\nSO-TP4\nDDP\nISO-IP\nVIP\nEIGRP\n\n=8\n=9\n= 12\nE 16\n= 17 *\n= 22#.\n= 29\n= 37\n= 80\n= 83#\n= 88\n\nOSPF = 89\n\n* L4 Decoding\n\nProtocol (1)\n\n# L3 Re-Decoding\n\nL4 Offset = L3 + (IHL/4)\n\nApp. II-92\n\n\x0cU.S. Patent\n\nJan. 4, 2005\n\nUS 6,839,751 B1\n\nSheet 18 of 18\n\nPROTOCOL\n\n#7 7,\n/\n;\n\'\n//\n\n1802-2\n\n1802-1\n\nL UT NUM\n\nFIG. 18B\nApp. II-93\n\n)\n\n1.\n\n870\n\n\x0c1\n\nUS 6,839,751 B1\n\n2\nand an end user\'s pattern of use within each application or\nthe application context (e.g., options Selected, Service\ndelivered, duration, time of day, data requested, etc.). Also,\nthe network monitor should not be reliant upon server\nresident information Such as log files. Rather, it should allow\n\nRE-USING INFORMATION FROM DATA\nTRANSACTIONS FOR MAINTAINING\nSTATISTICS IN NETWORK MONITORING\nCROSS-REFERENCE TO RELATED\nAPPLICATION\n\na user Such as a network administrator or an Internet Service\n\nprovider (ISP) the means to measure and analyze network\n\nThis application claims the benefit of U.S. Provisional\nPatent Application Ser. No. 60/141,903 for METHOD AND\n\nactivity objectively; to customize the type of data that is\ncollected and analyzed; to undertake real time analysis, and\nto receive timely notificatior of network problems.\nRelated and incorporated by reference U.S. patent appli\n\nAPPARATUS FOR MONITORING TRAFFIC IN ANET\n\nWORK to inventors Dietz, et al., filed Jun. 30, 1999, the\n\ncontents of which are incorporated herein by reference.\nThis application is related to the following U.S. patent\napplications, each filed concurrently with the present\napplication, and each assigned to Apptitude, Inc., the\nassignee of the present invention:\nU.S. patent application Ser. No. 09/608,237 for\n\n15\n\nMETHOD AND APPARATUS FOR MONITORING\n\nTRAFFICINANETWORK, to inventors Dietz, et al., filed\n\nJun. 30, 2000, and incorporated herein by reference.\nU.S. patent application Ser. No. 09/609,179 for PRO\n\nCESSING PROTOCOL SPECIFIC INFORMATION IN\nPACKETS SPECIFIED BY APROTOCOL DESCRIPTION\n\nLANGUAGE, to inventors Koppenhaver, et al., filed Jun.\n30, 2000, and incorporated herein by reference.\nU.S. patent application Ser. No. 09/608,266 for ASSO\n\n25\n\n2000, and incorporated herein by reference.\nU.S. patent application Ser. No. 09/608,267 for STATE\n\nWORK MONITOR DEVICE, to inventors Sarkissian, et al.,\n35\n\n40\n\ninserting new flows into the database of flows, a memory for\nStoring the database of flows, and a cache for Speeding up\naccess to the memory containing the flow database. The\nLUE, SP, and FIDE are all coupled to the UFKB, and to the\ncache.\n\nCOPYRIGHT NOTICE\n45\n\n50\n\nBACKGROUND\n\nthe network (i.e., of all packets and packet Streams passing\nthrough any location in the network). Not only should all the\n\ndatabase of flow records for previously encountered con\nVersational flows to determine whether a signature is from\n\nan existing flow, a State processor (SP) for performing State\nprocessing, a flow insertion and deletion engine (FIDE) for\n\nFIELD OF INVENTION\n\nThere has long been a need for network activity monitors.\nThis need has become especially acute, however, given the\nrecent popularity of the Internet and other interconnected\nnetworks. In particular, there is a need for a real-time\nnetwork monitor that can provide details as to the applica\ntion programs being used. Such a monitor Should enable\nnon-intrusive, remote detection, characterization, analysis,\nand capture of all information passing through any point on\n\npreferably generates a hash for rapidly identifying a flow\nthat may have this signature from a database of known\n\nunified flow key buffer (UFKB) for receiving parts of\npackets from the parser Subsystem and for Storing Signatures\nin process, a lookup/update engine (LUE) to lookup a\n\nPROCESSOR FOR PATTERN MATCHING IN A NET\n\nA portion of the disclosure of this patent document\ncontains material that is Subject to copyright protection. The\ncopyright owner has no objection to the facsimile reproduc\ntion by anyone of the patent document or the patent\ndisclosure, as it appears in the Patent and Trademark Office\npatent file or records, but otherwise reserves all copyright\nrights whatsoever.\n\nform a signature (i.e., key) for the packet. The slicer also\n\nThe flow Signature of the packet, the hash and at least\nSome of the payload are passed to an analyzer Subsystem. In\na hardware embodiment, the analyzer Subsystem includes a\n\nMONITOR, to inventors Sarkissian, et al., filed Jun. 30,\n\nThe present invention relates to computer networks, Spe\ncifically to the real-time elucidation of packets communi\ncated within a data network, including classification accord\ning to protocol and application program.\n\nincludes carrying out protocol Specific operations on indi\nvidual packets including extracting information from header\nfields in the packet to use for building a signature for\nidentifying the conversational flow of the packet and for\nrecognizing future packets as belonging to a previously\nencountered flow. A parser Subsystem includes a parser for\nrecognizing different patterns in the packet that identify the\nprotocols used. For each protocol recognized, a Slicer\nextracts important packet elements from the packet. These\nflows.\n\nCIATIVE CACHE STRUCTURE FOR LOOKUPS AND\nUPDATES OF FLOW RECORDS IN A NETWORK\n\nfiled Jun. 30, 2000, and incorporated herein by reference.\n\ncation Ser. No. 09/607,237 for METHOD AND APPARA\nTUS FOR MONITORING TRAFFIC IN ANETWORK, to\ninventors Dietz, et al, describes a network monitor that\n\nEach flow-entry includes one or more Statistical measures,\ne.g., the packet count related to the flow, the time of arrival\nof a packet, the time differential.\nIn the preferred hardware embodiment, each of the LUE,\nState processor, and FIDE operate independently from the\nother two engines. The State processor performs one or more\noperations Specific to the State of the flow.\nIt is advantageous to collect Statistics on packets passing\nthrough a point in a network rather than to Simply count each\nand every packet. By maintaining Statistical measures in the\nflow-entries related to a conversational flow, embodiments\n\n55\n\nof the present invention enable Specific metrics to be col\nlected in real-time that otherwise would not be possible. For\nexample, it is desirable to maintain metrics related to\n\nbi-directional conversations based on the entire flow for\n60\n\neach exchange in the conversation. By maintaining the State\nof flow, embodiments of the present invention also enable\ncertain metrics related to the states of flows to be deter\nmined.\n\nMost prior-art network traffic monitors that use statistical\nmetrics collect only end-point and end-of-Session related\n65 Statistics. Examples of Such commonly used metrics include\n(e.g., http, ftp, H.323, VPN, etc.), the application/use within packet counts, byte counts, Session connection time, Session\nthe protocol (e.g., voice, Video, data, real-time data, etc.), timeouts, Session and transport response times and others.\nApp. II-94\npackets be detected and analyzed, but for each of these\npackets the network monitor should determine the protocol\n\n\x0c3\n\nUS 6,839,751 B1\n\n4\nBecause the monitor 300 can be programmed to collect a\ndiverse Set of metrics, the System can be used as a data\nSource for metrics required in a number of environments. In\nparticular, the metricS may be used to monitor and analyze\nthe quality and performance of traffic flows related to a\nSpecific Set of applications. Other implementation could\ninclude metrics related to billing and charge-back for Spe\n\nAll of these deal with events that can be directly related to\nan event in a Single packet. These prior-art Systems cannot\ncollect Some important performance metrics that are related\nto a complete Sequence of packets of a flow or to Several\ndisjointed Sequences of the same flow in a network.\nTime based metrics on application data packets are impor\ntant. Such metrics could be determined if all the timestamps\nand related data could be stored and forwarded for later\n\ncific traffic flow and events with the traffic flows. Yet other\n\nanalysis. However when faced with thousands or millions of\nconversations per Second on ever faster networks, Storing all\nthe data, even if compressed, would take too much\nprocessing, memory, and manager down load time to be\npractical.\nThus there is a need for maintaining and reporting time\n\nbase metrics from Statistical measures accumulated from\n\nimplementations could be programmed to provide metrics\nuseful for troubleshooting and capacity planning and related\ndirectly to a focused application and Service.\nSUMMARY\n\npackets in a flow.\nNetwork data is properly modeled as a population and not\na Sample. Thus, all the data needs to be processed. Because\nof the nature of application protocols, just Sampling Some of\nthe packets may not give good measured related to flows.\nMissing just one critical packet, Such as one the Specified an\nadditional port that data will be transmitted on, or what\napplication will be run, can cause valid data to be lost.\nThus there is also a need for maintaining and reporting\n\n15\n\nfrom every packet in a flow.\n\n25\n\ntime-base metricS from Statistical measures accumulated\nThere also is a need to determine metrics related to a\n\nSequence of events. A good example is relative jitter. Mea\nSuring the time from the end of one packet in one direction\nto another packet with the same signature in the same\ndirection collects data that relates normal jitter. This type of\njitter metric is good for measuring broad signal quality in a\npacket network. However, it is not specific to the payload or\ndata item being transported in a cluster of packets.\nUsing the State processing described herein, because the\nState processor can Search for Specific data payloads,\nembodiments of monitor 300 can be programmed to collect\nthe same jitter metric for a group of packets in a flow that are\nall related to a specific data payload. This allows the\ninventive System to provide metrics more focused on the\ntype of quality related to a Set of packets. This in general is\nmore desirable than metrics related to Single packets when\nevaluating the performance of a System in a network.\nSpecifically, the monitor system 300 can be programmed\nto maintain any type of metric at any State of a conversa\ntional flow. Also the system 300 can have the actual statistics\nprogrammed into the State at any point. This enables\nembodiments of the monitor System to collect metrics\nrelated to network usage and performance, as well as metrics\nrelated to Specific States or Sequences of packets.\nSome of the Specific metrics that can be collected only\nwith States are events related to a group of traffic in one\n\n35\n\n40\n\n45\n\n50\n\ndirection, events related to the Status of a communication\n\nSequence in one or both directions, events related to the\neXchange of packets for a specific application in a specific\nSequence. This is only a Small Sample of the metrics that\nrequires an engine that can relate the State of a flow to a Set\n\n55\n\nof metrics.\n\nIn addition, because the monitor 300 provides greater\nVisibility to the Specific application in a conversation or flow,\nthe monitor 300 can be programmed to collect metrics that\nmay be specific to that type of application or Service. In other\n\n60\n\nword, if a flow is for an Oracle Database server, an embodi\n\nment of monitor 300 could collect the number of packets\nrequired to complete a transaction. Only with both State and\napplication classification can this type of metric be derived\n\nfrom the network.\n\n65\n\nAnother aspect of the invention is determining quality of\nService metrics based on each and every packet. A method\nof and monitor apparatus for analyzing a flow of packets\npassing through a connection point on a computer network\nare disclosed that may include Such quality of Service\nmetrics. The method includes receiving a packet from a\npacket acquisition device, and looking up a flow-entry\ndatabase containing flow-entries for previously encountered\nconversational flows. The looking up to determine if the\nreceived packet is of an existing flow. Each and every packet\nis processed. If the packet is of an existing flow, the method\nupdates the flow-entry of the existing flow, including Storing\none or more Statistical measures kept in the flow-entry. If the\npacket is of a new flow, the method Stores a new flow-entry\nfor the new flow in the flow-entry database, including\nStoring one or more Statistical measures kept in the flow\nentry. The Statistical measures are used to determine metrics\nrelated to the flow. The metrics may be base metrics from\nwhich quality of Service metrics are determined, or may be\nthe quality of Service metrics.\nBRIEF DESCRIPTION OF THE DRAWINGS\n\nAlthough the present invention is better understood by\nreferring to the detailed preferred embodiments, these\nshould not be taken to limit the present invention to any\nSpecific embodiment because Such embodiments are pro\nVided only for the purposes of explanation. The\nembodiments, in turn, are explained with the aid of the\nfollowing figures.\nFIG. 1 is a functional block diagram of a network embodi\nment of the present invention in which a monitor is con\nnected to analyze packets passing at a connection point.\nFIG. 2 is a diagram representing an example of Some of\nthe packets and their formats that might be exchanged in\nStarting, as an illustrative example, a conversational flow\nbetween a client and Server on a network being monitored\nand analyzed. A pair of flow Signatures particular to this\nexample and to embodiments of the present invention is also\nillustrated. This represents Some of the possible flow Signa\ntures that can be generated and used in the process of\nanalyzing packets and of recognizing the particular Server\napplications that produce the discrete application packet\neXchanges.\nFIG. 3 is a functional block diagram of a process embodi\nment of the present invention that can operate as the packet\nmonitor shown in FIG.1. This process may be implemented\nin Software or hardware.\n\nFIG. 4 is a flowchart of a high-level protocol language\ncompiling and optimization process, which in one embodi\nment may be used to generate data for monitoring packets\naccording to versions of the present invention.\nFIG. 5 is a flowchart of a packet parsing proceSS used as\npart of the parser in an embodiment of the inventive packet\nmonitor.\n\nApp. II-95\n\n\x0cUS 6,839,751 B1\n\n6\nthat communicates packets (e.g., IP datagrams) between\n\nS\nFIG. 6 is a flowchart of a packet element extraction\nprocess that is used as part of the parser in an embodiment\nof the inventive packet monitor.\nFIG. 7 is a flowchart of a flow-signature building process\nthat is used as part of the parser in the inventive packet\n\nvarious computers, for example between the clients 104-107\nand servers 110 and 112. The network is shown Schemati\n\ncally as a cloud with Several network nodes and links shown\nin the interior of the cloud. A monitor 108 examines the\npackets passing in either direction past its connection point\n121 and, according to one aspect of the invention, can\nelucidate what application programs are associated with\neach packet. The monitor 108 is shown examining packets\n\nmonitor.\n\nFIG. 8 is a flowchart of a monitor lookup and update\nprocess that is used as part of the analyzer in an embodiment\nof the inventive packet monitor.\nFIG. 9 is a flowchart of an exemplary Sun Microsystems\nRemote Procedure Call application than may be recognized\nby the inventive packet monitor.\nFIG. 10 is a functional block diagram of a hardware parser\nSubsystem including the pattern recognizer and extractor\nthat can form part of the parser module in an embodiment of\nthe inventive packet monitor.\nFIG. 11 is a functional block diagram of a hardware\nanalyzer including a State processor that can form part of an\nembodiment of the inventive packet monitor.\nFIG. 12 is a functional block diagram of a flow insertion\nand deletion engine process that can form part of the\nanalyzer in an embodiment of the inventive packet monitor.\nFIG. 13 is a flowchart of a State processing process that\ncan form part of the analyzer in an embodiment of the\ninventive packet monitor.\nFIG. 14 is a simple functional block diagram of a proceSS\nembodiment of the present invention that can operate as the\npacket monitor shown in FIG. 1. This process may be\nimplemented in Software.\nFIG. 15 is a functional block diagram of how the packet\n\n(i.e., datagrams) between the network interface 116 of the\nserver 110 and the network. The monitor can also be placed\nat other points in the network, Such as connection point 123\n\nbetween the network 102 and the interface 118 of the client\n15\n\n25\n\nmonitor of FIG. 3 (and FIGS. 10 and 11) may operate on a\n\nnetwork with a processor Such as a microprocessor.\n\nFIG. 16 is an example of the top (MAC) layer of an\n\nEthernet packet and Some of the elements that may be\nextracted to form a signature according to one aspect of the\n\n35\n\n104, or Some other location, as indicated Schematically by\nconnection point 125 somewhere in network 102. Not\nshown is a network packet acquisition device at the location\n123 on the network for converting the physical information\non the network into packets for input into monitor 108. Such\npacket acquisition devices are common.\nVarious protocols may be employed by the network to\nestablish and maintain the required communication, e.g.,\nTCP/IP, etc. Any network activity-for example an appli\n\ncation program run by the client 104 (CLIENT 1) commu\nnicating with another running on the server 110 (SERVER\n2)-will produce an exchange of a sequence of packets over\n\nnetwork 102 that is characteristic of the respective programs\nand of the network protocols. Such characteristics may not\nbe completely revealing at the individual packet level. It\nmay require the analyzing of many packets by the monitor\n108 to have enough information needed to recognize par\nticular application programs. The packets may need to be\nparsed then analyzed in the context of various protocols, for\nexample, the transport through the application Session layer\nprotocols for packets of a type conforming to the ISO\nlayered network model.\nCommunication protocols are layered, which is also\n\nreferred to as a protocol stack. The ISO (International\nStandardization Organization) has defined a general model\n\ninvention.\n\nFIG.17A is an example of the header of an Ethertype type\nof Ethernet packet of FIG.16 and some of the elements that\nmay be extracted to form a signature according to one aspect\n\n40\n\nthat provides a framework for design of communication\nprotocol layers. This model, shown in table form below,\nServes as a basic reference for understanding the function\nality of existing communication protocols.\n\nFIG. 17B is an example of an IP packet, for example, of\nthe Ethertype packet shown in FIGS. 16 and 17A, and some\nof the elements that may be extracted to form a Signature\naccording to one aspect of the invention.\n\n45\n\nISO MODEL\n\nof the invention.\n\nFIG. 18A is a three dimensional structure that can be used\n\nto Store elements of the pattern, parse and extraction data\nbase used by the parser Subsystem in accordance to one\nembodiment of the invention.\n\n50\n\nFIG. 18B is an alternate form of storing elements of the\npattern, parse and extraction database used by the parser\nSubsystem in accordance to another embodiment of the\ninvention.\n\n55\n\nDETAILED DESCRIPTION OF THE\nPREFERRED EMBODIMENTS\n\nLayer\n\nFunctionality\n\nExample\n\n7\n\nApplication\n\nTelnet, NFS, Novell NCP, HTTP,\n\n6\n\nPresentation\n\nH.323\nXDR\n\n4\n3\n2\n\nTransport\nNetwork\nData Link\n\nTCP, Novel SPX, UDP, etc.\nIP, Novell IPX, VIP, AppleTalk, etc.\nNetwork Interface Card (Hardware\n\n1.\n\nPhysical\n\n5\n\nSession\n\nRPC, NETBIOS, SNMP, etc.\n\nInterface). MAC layer\n\nEthernet, Token Ring, Frame Relay,\n\nATM, T1 (Hardware Connection)\n\nDifferent communication protocols employ different lev\nNote that this document includes hardware diagrams and els of the ISO model or may use a layered model that is\ndescriptions that may include Signal names. In most cases, 60 similar to but which does not exactly conform to the ISO\nthe names are Sufficiently descriptive, in other cases how model. A protocol in a certain layer may not be visible to\never the Signal names are not needed to understand the protocols employed at other layers. For example, an appli\noperation and practice of the invention.\ncation (Level 7) may not be able to identify the source\nOperation in a Network\ncomputer for a communication attempt (Levels 2-3).\nFIG. 1 represents a system embodiment of the present 65 In So communication arts, the term "frame\' generally\ninvention that is referred to herein by the general reference refers to encapsulated data at OSI layer 2, including a\nnumeral 100. The system 100 has a computer network 102 destination address, control bits for flow control, the data or\nApp. II-96\n\n\x0cUS 6,839,751 B1\n\n7\npayload, and CRC (cyclic redundancy check) data for error\nchecking. The term "packet\' generally refers to encapsu\nlated data at OSI layer 3. In the TCP/IP world, the term\n"datagram\' is also used. In this specification, the term\n"packet\' is intended to encompass packets, datagrams,\nframes, and cells. In general, a packet format or frame\nformat refers to how data is encapsulated with various fields\nand headers for transmission acroSS a network. For example,\na data packet typically includes an address destination field,\na length field, an error correcting code (ECC) field, or cyclic\nredundancy check (CRC) field, as well as headers and\nfooters to identify the beginning and end of the packet. The\nterms \xe2\x80\x9cpacket format\xe2\x80\x9d and \xe2\x80\x9cframe format,\xe2\x80\x9d also referred to\nas \xe2\x80\x9ccell format,\xe2\x80\x9d are generally Synonymous.\nMonitor 108 looks at every packet passing the connection\npoint 121 for analysis. However, not every packet carries the\nSame information useful for recognizing all levels of the\nprotocol. For example, in a conversational flow associated\nwith a particular application, the application will cause the\nServer to Send a type-A packet, but So will another. If,\nthough, the particular application program always follows a\ntype-A packet with the Sending of a type-B packet, and the\nother application program does not, then in order to recog\nnize packets of that application\'s conversational flow, the\nmonitor can be available to recognize packets that match the\ntype-B packet to associate with the type-A packet. If Such is\nrecognized after a type-A packet, then the particular appli\ncation program\'s conversational flow has started to reveal\n\n15\n\npreviously encountered packets (the State), and of the pos\n\n25\n\nitself to the monitor 108.\n\nFurther packets may need to be examined before the\nconversational flow can be identified as being associated\nwith the application program. Typically, monitor 108 is\nsimultaneously also in partial completion of identifying\nother packet eXchanges that are parts of conversational flows\nasSociated with other applications. One aspect of monitor\n108 is its ability to maintain the state of a flow. The state of\na flow is an indication of all previous events in the flow that\nlead to recognition of the content of all the protocol levels,\ne.g., the ISO model protocol levels. Another aspect of the\ninvention is forming a signature of extracted characteristic\nportions of the packet that can be used to rapidly identify\npackets belonging to the same flow.\n\n35\n\nstate of the flow.\n\nSible future Sequences Such a past Sequence may generate in\nconversational flows associated with different applications.\nA new signature for recognizing future packets may also be\ngenerated. This process of analysis continues until the\napplications are identified. The last generated Signature may\nthen be used to efficiently recognize future packets associ\nated with the same conversational flow. Such an arrange\nment makes it possible for the monitor 108 to cope with\nmillions of packets per second that must be inspected.\nAnother aspect of the invention is adding Eavesdropping.\nIn alternative embodiments of the present invention capable\nof eavesdropping, once the monitor 108 has recognized the\nexecuting application programs passing through Some point\n\nin the network 102 (for example, because of execution of the\napplications by the client 105 or server 110), the monitor\n\n40\n\nIn real-world uses of the monitor 108, the number of\n\npackets on the network 102 passing by the monitor 108\'s\nconnection point can exceed a million per Second.\nConsequently, the monitor has very little time available to\nanalyze and type each packet and identify and maintain the\nState of the flows passing through the connection point. The\nmonitor 108 therefore masks out all the unimportant parts of\neach packet that will not contribute to its classification.\nHowever, the parts to mask-out will change with each packet\ndepending on which flow it belongs to and depending on the\n\n8\n\nnecessary to identify the associated application program. In\nSuch a case, a Subsequent packet of a Second type-but that\npotentially belongs to the same conversational flow-is\nrecognized by using the Signature. At Such a Second level,\nthen, only a few of those application programs will have\nconversational flows that can produce Such a Second packet\ntype. At this level in the process of classification, all appli\ncation programs that are not in the Set of those that lead to\nSuch a Sequence of packet types may be excluded in the\nprocess of classifying the conversational flow that includes\nthese two packets. Based on the known patterns for the\nprotocol and for the possible applications, a signature is\nproduced that allows recognition of any future packets that\nmay follow in the conversational flow.\nIt may be that the application is now recognized, or\nrecognition may need to proceed to a third level of analysis\nusing the Second level Signature. For each packet, therefore,\nthe monitor parses the packet and generates a Signature to\ndetermine if this signature identified a previously encoun\ntered flow, or shall be used to recognize future packets\nbelonging to the same conversational flow. In real time, the\npacket is further analyzed in the context of the Sequence of\n\n45\n\n50\n\nSends a message to Some general purpose processor on the\nnetwork that can input the same packets from the same\nlocation on the network, and the processor then loads its own\nexecutable copy of the application program and uses it to\nread the content being eXchanged over the network. In other\nwords, once the monitor 108 has accomplished recognition\nof the application program, eavesdropping can commence.\nThe Network Monitor\n\nFIG. 3 shows a network packet monitor 300, in an\nembodiment of the present invention that can be imple\nmented with computer hardware and/or Software. The Sys\ntem 300 is similar to monitor 108 in FIG.1. A packet 302 is\nexamined, e.g., from a packet acquisition device at the\n\nlocation 121 in network 102 (FIG. 1), and the packet\n\nThe recognition of the packet type, and ultimately of the evaluated, for example in an attempt to determine its\nasSociated application programs according to the packets characteristics, e.g., all the protocol information in a multi\nthat their executions produce, is a multi-step proceSS within 55 level model, including what Server application produced the\nthe monitor 108. At a first level, for example, several packet.\napplication programs will all produce a first kind of packet.\nThe packet acquisition device is a common interface that\nA first "signature\' is produced from Selected parts of a converts the physical Signals and then decodes them into\npacket that will allow monitor 108 to identify efficiently any bits, and into packets, in accordance with the particular\npackets that belong to the same flow. In Some cases, that 60 network (Ethernet, frame relay, ATM, etc.). The acquisition\npacket type may be Sufficiently unique to enable the monitor device indicates to the monitor 108 the type of network of\nto identify the application that generated Such a packet in the the acquired packet or packets.\nconversational flow. The Signature can then be used to\nAspects shown here include: (1) the initialization of the\nefficiently identify all future packets generated in traffic monitor to generate what operations need to occur on\n65 packets of different types-accomplished by compiler and\nrelated to that application.\nIn other cases, that first packet only starts the process of optimizer 310, (2) the processing parsing and extraction of\nanalyzing the conversational flow, and more packets are Selected portions-of packets to generate an identifying\nApp. II-97\n\n\x0cUS 6,839,751 B1\n\n9\nSignature-accomplished by parser Subsystem 301, and (3)\n\nIn the preferred embodiment, the packet 302 from the\nacquisition device is input into a packet buffer. The pattern\nrecognition process 304 is carried out by a pattern analysis\n\nthe analysis of the packets-accomplished by analyzer 303.\nThe purpose of compiler and optimizer 310 is to provide\nprotocol specific information to parser subsystem 301 and to\nanalyzer Subsystem 303. The initialization occurs prior to\noperation of the monitor, and only needs to re-occur when\nnew protocols are to be added.\nA flow is a Stream of packets being eXchanged between\nany two addresses in the network. For each protocol there\n\nand recognition (PAR) engine that analyzes and recognizes\n\npatterns in the packets. In particular, the PAR locates the\nnext protocol field in the header and determines the length\nof the header, and may perform certain other tasks for certain\ntypes of protocol headers. An example of this is type and\n\nlength comparison to distinguish an IEEE 802.3 (Ethernet)\npacket from the older type 2 (or Version 2) Ethernet packet,\nalso called a DIGITAL-Intel-Xerox (DIX) packet. The PAR\n\nare known to be Several fields, Such as the destination\n\n(recipient), the Source (the Sender), and So forth, and these\n\nand other fields are used in monitor 300 to identify the flow.\nThere are other fields not important for identifying the flow,\nSuch as checksums, and those parts are not used for identi\nfication.\n\nParser Subsystem 301 examines the packets using pattern\nrecognition proceSS 304 that parses the packet and deter\nmines the protocol types and associated headers for each\nprotocol layer that exists in the packet 302. An extraction\nprocess 306 in parser Subsystem 301 extracts characteristic\n\n15\n\nthe pattern information for parsing and the related extraction\noperations, e.g., extraction masks, are Supplied from a\nparsing-pattern-structures and extraction-operations data\npiler and optimizer 310.\n\n25\n\nThe protocol description language (PDL) files 336\n\ndescribes both patterns and States of all protocols that an\noccur at any layer, including how to interpret header\ninformation, how to determine from the packet header\ninformation the protocols at the next layer, and what infor\nmation to extract for the purpose of identifying a flow, and\nultimately, applications and Services. The layer Selections\ndatabase 338 describes the particular layering handled by the\nmonitor. That is, what protocols run on top of what protocols\nat any layer level. Thus 336 and 338 combined describe how\none would decode, analyze, and understand the information\nin packets, and, furthermore, how the information is layered.\nThis information is input into compiler and optimizer 310.\nWhen compiler and optimizer 310 executes, it generates\n\n35\n\n40\n\ntwo sets of internal data structures. The first is the set of\n\nparsing/extraction operations 308. The pattern Structures\ninclude parsing information and describe what will be\nrecognized in the headers of packets, the extraction opera\ntions are what elements of a packet are to be extracted from\nthe packets based on the patterns that get matched. Thus,\ndatabase 308 of parsing/extraction operations includes infor\nmation describing how to determine a set of one or more\nprotocol dependent extraction operations from data in the\npacket that indicate a protocol used in the packet.\nThe other internal data structure that is built by compiler\n310 is the set of state patterns and processes 326. These are\n\n45\n\n50\n\nthe different States and State transitions that occur in different\n\nconversational flows, and the State operations that need to be\n\nperformed (e.g., patterns that need to be examined and new\nSignatures that need to be built) during any State of a\nconversational flow to further the task of analyzing the\n\nalso uses the pattern Structures and extraction operations\ndatabase 308 to identify the next protocol and parameters\nasSociated with that protocol that enables analysis of the\nnext protocol layer. Once a pattern or a set of patterns has\nbeen identified, it/they will be associated with a set of none\nor more extraction operations. These extraction operations\n\n(in the form of commands and associated parameters) are\npassed to the extraction process 306 implemented by an\nextracting and information identifying (EII) engine that\n\nportions (signature information) from the packet 302. Both\nbase (parsing/extractions database) 308 filled by the com\n\n10\n\n55\n\nextracts Selected parts of the packet, including identifying\ninformation from the packet as required for recognizing this\npacket as part of a flow. The extracted information is put in\nSequence and then processed in block 312 to build a unique\n\nflow signature (also called a \xe2\x80\x9ckey\xe2\x80\x9d) for this flow. A flow\n\nSignature depends on the protocols used in the packet. For\nSome protocols, the extracted components may include\nSource and destination addresses. For example, Ethernet\nframes have end-point addresses that are useful in building\na better flow signature. Thus, the Signature typically includes\nthe client and Server address pairs. The Signature is used to\nrecognize further packets that are or may be part of this flow.\nIn the preferred embodiment, the building of the flow key\nincludes generating a hash of the Signature using a hash\nfunction. The purpose if using Such a hash is conventional\nto spread flow-entries identified by the Signature acroSS a\ndatabase for efficient Searching. The hash generated is\npreferably based on a hashing algorithm and Such hash\ngeneration is known to those in the art.\nIn one embodiment, the parser passes data from the\n\npacket-a parser record\xe2\x80\x94that includes the signature (i.e.,\nSelected portions of the packet), the hash, and the packet\nitself to allow for any State processing that requires further\ndata from the packet. An improved embodiment of the parser\nSubsystem might generate a parser record that has Some\npredefined Structure and that includes the Signature, the\nhash, Some flags related to Some of the fields in the parser\nrecord, and parts of the packet\'s payload that the parser\nSubsystem has determined might be required for further\nprocessing, e.g., for State processing.\nNote that alternate embodiments may use Some function\nother than concatenation of the Selected portions of the\npacket to make the identifying Signature. For example, Some\n\xe2\x80\x9cdigest function\' of the concatenated Selected portions may\n\nbe used.\n\nThe parser record is passed onto lookup process 314\n\nwhich looks in an internal data Store of records of known\n\nflows that the System has already encountered, and decides\nThus, compiling the PDL files and layer selections pro (in 316) whether or not this particular packet belongs to a\nvides monitor 300 with the information it needs to begin 60 known flow as indicated by the presence of a flow-entry\nprocessing packets. In an alternate embodiment, the contents matching this flow in a database of known flows 324. A\nof one or more of databases 308 and 326 may be manually record in database 324 is associated with each encountered\nor otherwise generated. Note that in Some embodiments the flow.\nlayering Selections information is inherent rather than\nThe parser record enters a buffer called the unified flow\nexplicitly described. For example, since a PDL file for a 65 key buffer (UFKB). The UFKB stores the data on flows in\nprotocol includes the child protocols, the parent protocols a data Structure that is similar to the parser record, but that\nincludes a field that can be modified. In particular, one or the\nalso may be determined.\nApp. II-98\nconversational flow.\n\n\x0cUS 6,839,751 B1\n\n11\nUFKB record fields Stores the packet Sequence number, and\nanother is filled with state information in the form of a\n\nprogram counter for a State processor that implements State\nprocessing 328.\n\nThe determination (316) of whether a record with the\n\nSame signature already exists is carried out by a lookup\n\nengine (LUE) that obtains new UFKB records and uses the\n\nhash in the UFKB record to lookup if there is a matching\nknown flow. In the particular embodiment, the database of\nknown flows 324 is in an external memory. A cache is\nassociated with the database 324. A lookup by the LUE for\na known record is carried out by accessing the cache using\nthe hash, and if the entry is not already present in the cache,\n\nthe entry is looked up (again using the hash) in the external\nmemory.\n\nThe flow-entry database 324 stores flow-entries that\ninclude the unique flow-signature, State information, and\nextracted information from the packet for updating flows,\nand one or more Statistical about the flow. Each entry\ncompletely describes a flow. Database 324 is organized into\n\n15\n\nbins that contain a number, denoted N, of flow-entries (also\ncalled flow-entries, each a bucket), with N being 4 in the\npreferred embodiment. Buckets (i.e., flow-entries) are\n\naccessed via the hash of the packet from the parser Sub\n\nsystem 301 (i.e., the hash in the UFKB record). The hash\n\nSpreads the flows across the database to allow for fast\nlookups of entries, allowing shallower buckets. The designer\nselects the bucket depth N based on the amount of memory\n\n25\n\nattached to the monitor, and the number of bits of the hash\n\ndata value used. For example, in one embodiment, each\nflow-entry is 128 bytes long, so for 128K flow-entries, 16\nMbytes are required. Using a 16-bit hash gives two flow\nentries per bucket. Empirically, this has been shown to be\nmore than adequate for the vast majority of cases. Note that\nanother embodiment uses flow-entries that are 256 bytes\nlong.\n\n35\n\nHerein, whenever an access to database 324 is described,\nit is to be understood that the access is via the cache, unless\n\notherwise Stated or clear from the context.\n\nIf there is no flow-entry found matching the Signature, i.e.,\nthe Signature is for a new flow, then a protocol and State\nidentification process 318 further determines the state and\nprotocol. That is, process 318 determines the protocols and\nwhere in the State Sequence for a flow for this protocols this\npacket belongs. Identification process 318 uses the extracted\ninformation and makes reference to the database 326 of State\n\npatterns and processes. Process 318 is then followed by any\nState operations that need to be executed on this packet by\na state processor 328.\nIf the packet is found to have a matching flow-entry in the\n\ndatabase 324 (e.g., in the cache), then a process 320\n\ndetermines, from the looked-up flow-entry, if more classi\nfication by State processing of the flow Signature is neces\nSary. If not, a process 322 updates the flow-entry in the\n\nflow-entry database 324 (e.g., via the cache). Updating\n\nincludes updating one or more Statistical measures Stored in\nthe flow-entry. In our embodiment, the Statistical measures\nare Stored in counters in the flow-entry.\nIf State processing is required, State process 328 is com\nmenced. State processor 328 carries out any State operations\nspecified for the state of the flow and updates the state to the\nnext State according to a set of State instructions obtained\nform the State pattern and processes database 326.\nThe state processor 328 analyzes both new and existing\nflows in order to analyze all levels of the protocol Stack,\n\nultimately classifying the flows by application (level 7 in the\nISO model). It does this by proceeding from state-to-state\n\n40\n\n12\nbased on predefined State transition rules and State opera\ntions as Specified in State processor instruction database 326.\nA State transition rule is a rule typically containing a test\nfollowed by the next-state to proceed to if the test result is\ntrue. An operation is an operation to be performed while the\nState processor is in a particular State-for example, in order\nto evaluate a quantity needed to apply the State transition\nrule. The State processor goes through each rule and each\nState proceSS until the test is true, or there are no more tests\nto perform.\nIn general, the Set of State operations may be none or more\noperations on a packet, and carrying out the operation or\noperations may leave one in a State that causes exiting the\nSystem prior to completing the identification, but possibly\nknowing more about what State and State processes are\nneeded to execute next, i.e., when a next packet of this flow\nis encountered. As an example, a state process (set of State\noperations) at a particular State may build a new signature\nfor future recognition packets of the next State.\nBy maintaining the State of the flows and knowing that\nnew flows may be set up using the information from\npreviously encountered flows, the network traffic monitor\n300 provides for (a) Single-packet protocol recognition of\nflows, and (b) multiple-packet protocol recognition of flows.\nMonitor 300 can even recognize the application program\nfrom one or more disjointed Sub-flows that occur in Server\nannouncement type flows. What may seem to prior art\nmonitors to be Some unassociated flow, may be recognized\nby the inventive monitor using the flow signature to be a\nSub-flow associated with a previously encountered Sub-flow.\nThus, State processor 328 applies the first State operation\nto the packet for this particular flow-entry. A process 330\ndecides if more operations need to be performed for this\nState. If So, the analyzer continues looping between block\n330 and 328 applying additional state operations to this\nparticular packet until all those operations are completed\nthat is, there are no more operations for this packet in this\nstate. A process 332 decides if there are further states to be\nanalyzed for this type of flow according to the State of the\nflow and the protocol, in order to fully characterize the flow.\nIf not, the conversational flow has now been fully charac\nterized and a process 334 finalizes the classification of the\nconversational flow for the flow.\n\n45\n\n50\n\n55\n\nIn the particular embodiment, the state processor 328\nStarts the State processing by using the last protocol recog\n\nnized by the parser as an offset into a jump table (jump\nvector). The jump table finds the State processor instructions\n\nto use for that protocol in the State patterns and processes\ndatabase 326. Most instructions test something in the unified\nflow key buffer, or the flow-entry in the database of known\nflows 324, if the entry exists. The state processor may have\nto test bits, do comparisons, add, or Subtract to perform the\ntest. For example, a common operation carried out by the\nState processor is Searching for one or more patterns in the\npayload part of the UFKB.\nThus, in 332 in the classification, the analyzer decides\n\nwhether the flow is at an end State. If not at an end State, the\n\nflow-entry is updated (or created if a new flow) for this\nflow-entry in process 322.\n\n60\n\n65\n\nFurthermore, if the flow is known and if in 332 it is\n\ndetermined that there are further States to be processed using\nlater packets, the flow-entry is updated in proceSS 322.\nThe flow-entry also is updated after classification final\nization So that any further packets belonging to this flow will\nbe readily identified from their Signature as belonging to this\nfully analyzed conversational flow.\nAfter updating, database 324 therefore includes the set of\nall the conversational flows that have occurred.\n\nApp. II-99\n\n\x0c13\n\nUS 6,839,751 B1\n\n14\n\nThus, the embodiment of present invention shown in FIG.\n3 automatically maintains flow-entries, which in one aspect\nincludes Storing States. The monitor of FIG.3 also generates\ncharacteristic parts of packets-the Signatures-that can be\nused to recognize flows. The flow-entries may be identified\nand accessed by their signatures. Once a packet is identified\n\nincludes information on the destination media access control\n\nthis knowledge enables State transition analysis to be per\nformed in real time for each different protocol and applica\ntion. In a complex analysis, State transitions are traversed as\nmore and more packets are examined. Future packets that\nare part of the same conversational flow have their State\nanalysis continued from a previously achieved State. When\nenough packets related to an application of interest have\nbeen processed, a final recognition State is ultimately\nreached, i.e., a Set of States has been traversed by State\nanalysis to completely characterize the conversational flow.\nThe Signature for that final State enables each new incoming\npacket of the same conversational flow to be individually\nrecognized in real time.\nIn this manner, one of the great advantages of the present\ninvention is realized. Once a particular set of State transitions\n\ntype packet 1700, the relevant information from the packet\nthat indicates the next layer level is a two-byte type field\n1702 containing the child recognition pattern for the next\nlevel. The remaining information 1704 is shown hatched\n\naddress (Dst MAC 1602) and the source media access\ncontrol address (Src MAC 1604). Also shown in FIG. 16 is\nsome (but not all) of the information specified in the PDL\n\nfiles for extraction the Signature.\n\nFIG. 17A now shows the header information for the next\n\nto be from a known flow, the state of the flow is known and\n\nlevel (level-2) for an Ethertype packet 1700. For an Ether\n\nbecause it not relevant for this level. The list 1712 shows the\n\n15\n\nThe pattern, parse, and extraction database (pattern rec\nognition database, or PRD) 308 generated by compilation\n\nprocess 310, in one embodiment, is in the form of a three\ndimensional Structure that provides for rapidly Searching\npacket headers for the next protocol. FIG. 18A shows such\n\nhas been traversed for the first time and ends in a final State,\n\na short-cut recognition pattern-a signature-an be gener\nated that will key on every new incoming packet that relates\nto the conversational flow. Checking a signature involves a\nSimple operation, allowing high packet rates to be Success\nfully monitored on the network.\nIn improved embodiments, Several State analyzers are run\nin parallel So that a large number of protocols and applica\ntions may be checked for. Every known protocol and appli\ncation will have at least one unique Set of State transitions,\nand can therefore be uniquely identified by watching such\n\n25\n\nThe new states for the flow-those associated with a set of\n\nState transitions for one or more potential applications-are\nadded to the records of previously encountered States for\neasy recognition and retrieval when a new packet in the flow\n\ndatabase 308 and the state instruction database 328. Such\ninitialization can occur off-line or from a central location.\n\nThe different protocols that can exist in different layers\nmay be thought of as nodes of one or more trees of linked\n\nnodes. The packet type is the root of a tree (called level 0).\nEach protocol is either a parent node or a terminal node. A\nparent node links a protocol to other protocols (child\nprotocols) that can be at higher layer levels. Thus a protocol\n\n35\n\n40\n\n45\n\nwith the IEEE 802.3 packet, one of the children nodes may\nbe the IP protocol, and one of the children of the IP protocol\nmay be the TCP protocol.\n\nAn alternate embodiment of the data Structure used in\n\n(PT) which has an entry for each protocol known for the\nmonitor, and a series of Look Up Tables 1870 (LUTs) that\n\nare used to identify known protocols and their children. The\nprotocol table includes the parameters needed by the pattern\n\nanalysis and recognition process 304 (implemented by PRE\n1006) to evaluate the header information in the packet that\nis associated with that protocol, and parameters needed by\nextraction process 306 (implemented by slicer 1007) to\n\nprocess the packet header. When there are children, the PT\ndescribes which bytes in the header to evaluate to determine\nthe child protocol. In particular, each PT entry contains the\nheader length, an offset to the child, a Slicer command, and\nSome flags.\nThe pattern matching is carried out by finding particular\n\xe2\x80\x9cchild recognition codes\' in the header fields, and using\nthese codes to index one or more of the LUTs. Each LUT\n\n50\n\nentry has a node code that can have one of four values,\nindicating the protocol that has been recognized, a code to\nindicate that the protocol has been partially recognized\n\n(more LUT lookups are needed), a code to indicate that this\n\n55\n\nmay have Zero or more children. Ethernet packets, for\nexample, have Several variants, each having a basic format\n\nthat remains Substantially the same. An Ethernet packet (the\nroot or level 0 node) may be an Ethertype packet\xe2\x80\x94also\ncalled an Ethernet Type/Version 2 and a DIX (DIGITAL\nIntel-Xerox packet) -or an IEEE 803.2 packet. Continuing\n\nthe 3-D structure is preferred.\n\nstructure of FIG. 18A, the data structure permits rapid\nSearches to be performed by the pattern recognition process\n304 by indexing locations in a memory rather than perform\ning address link computations. In this alternate embodiment,\nthe PRD 308 includes two parts, a single protocol table 1850\n\nis encountered.\n\nDetailed operation\nFIG. 4 diagrams an initialization system 400 that includes\nthe compilation process. That is, part of the initialization\ngenerates the pattern Structures and extraction operations\n\na 3-D representation 1800 (which may be considered as an\nindexed set of 2-D representations). A compressed form of\ndatabase 308 is illustrated in FIG. 18B. Thus, like the 3-D\n\ntransitions.\n\nWhen each new conversational flow Starts, Signatures that\nrecognize the flow are automatically generated on-the-fly,\nand as further packets in the conversational flow are\nencountered, signatures are updated and the States of the Set\nof State transitions for any potential application are further\ntraversed according to the State transition rules for the flow.\n\npossible children for an Ethertype packet as indicated by\nwhat child recognition pattern is found offset 12. FIG. 17B\nshows the structure of the header of one of the possible next\nlevels, that of the IP protocol. The possible children of the\nIP protocol are shown in table 1752.\n\n60\n\n65\n\nis a terminal node, and a null node to indicate a null entry.\nThe next LUT to lookup is also returned from a LUT lookup.\nCompilation process is described in FIG. 4. The source\ncode information in the form of protocol description files is\nshown as 402. In the particular embodiment, the high level\ndecoding descriptions includes a set of protocol description\nfiles 336, one for each protocol, and a set of packet layer\n\nselections 338, which describes the particular layering (sets\nof trees of protocols) that the monitor is to be able to handle.\nA compiler 403 compiles the descriptions. The set of\npacket parse-and-extract operations 406 is generated (404),\nand a set of packet State instructions and operations 407 is\n\ngenerated (405) in the form of instructions for the state\n\nprocessor that implements State processing process 328.\nData files for each type of application and protocol to be\nApp. II-100\n\nFIG. 16 shows the header 1600 (base level 1) of a\ncomplete Ethernet frame (i.e., packet) of information and\n\n\x0c15\n\nUS 6,839,751 B1\n\nrecognized by the analyzer are downloaded from the pattern,\nparse, and extraction database 406 into the memory Systems\n\n16\n\nof the parser and extraction engines. (See the parsing process\n\nin 505. If not, step 511 moves to the next packet component.\nIf yes, then the node and pattern matching process are\napplied in 507 to the component extracted in 503. A pattern\n\ndescription and FIG. 10). Data files for each type of appli\n\nparser Subsystem 301 has found a node in the parsing\nelements; the parser subsystem 301 proceeds to step 509 to\n\n407 into the state processor. (see the state processor 1108\ndescription and FIG. 11.).\n\nproduce a match (test 508), the parser Subsystem 301 moves\n(510) to the next pattern node from the pattern database 308\n\n500 description and FIG. 5; the extraction process 600\ndescription and FIG. 6; and the parsing Subsystem hardware\n\nmatch obtained in 507 (as indicated by test 508) means the\n\ncation and protocol to be recognized by the analyzer are also\ndownloaded from the State-processor instruction database\n\nextract the elements.\n\nIf applying the node process to the component does not\n\nNote that generating the packet parse and extraction\noperations builds and links the three dimensional Structure\n\n(one embodiment) or the or all the lookup tables for the\nPRD.\n\nBecause of the large number of possible protocol trees and\nsubtrees, the compiler process 400 includes optimization\nthat compares the trees and Subtrees to see which children\nshare common parents. When implemented in the form of\nthe LUTs, this proceSS can generate a single LUT from a\nplurality of LUTs. The optimization process further\nincludes a compaction process that reduces the Space needed\n\n15\n\nlosing the identity of any of the original 2-D arrays (i.e., all\nthe 2-D arrays continue to exist logically). Folding can occur\n\nbetween any 2-D arrays irrespective of their location in the\ntree as long as certain conditions are met. Multiple arrayS\nmay be combined into a single array as long as the individual\n\nFIG. 6\n\nFIG. 6 is a flow chart for extracting the information from\nwhich to build the packet signature. The flow starts at 601,\nwhich is the exit point 513 of FIG. 5. At this point parser\nSubsystem 301 has a completed packet component and a\n\n25\n\nIf the fetch was successful (test 606), indicating that there\nare extraction elements to apply, the parser subsystem 301 in\n\n35\n\n40\n\n45\n\nat a time. A check is made (504) to determine if the\n\nload-packet-component operation 503 Succeeded, indicating\nthat there was more in the packet to process. If not, indi\ncating all components have been loaded, the parser Sub\n\nsystem 301 builds the packet signature (512)-the next stage\n(FIG. 6).\nIf a component is successfully loaded in 503, the node and\nprocesses are fetched (505) from the pattern, parse and\n\nextraction database 308 to provide a set of patterns and\nprocesses for that node to apply to the loaded packet\n\ncomponent. The parser Subsystem 301 checks (506) to\n\nStep 607 applies that extraction process to the packet com\nponent based on an extraction instruction received from that\npattern node. This removes and Saves an element from the\npacket component.\nIn step 608, the parser Subsystem 301 checks if there is\nmore to extract from this component, and if not, the parser\nSubsystem 301 moves back to 603 to load the next packet\ncomponent at hand and repeats the process. If the answer is\nyes, then the parser Subsystem 301 moves to the next packet\ncomponent ratchet. That new packet component is then\nloaded in step 603. As the parser subsystem 301 moved\nthrough the loop between 608 and 603, extra extraction\nprocesses are applied either to the Same packet component\nif there is more to extract, or to a different packet component\nif there is no more to extract.\n\n50\n\npacket buffer in step 502. Step 503 loads the next (initially\nthe first) packet component from the packet 302. The packet\n\ncomponents are extracted from each packet 302 one element\n\npacket component available from the pattern analysis pro\nthat there was indeed another packet component, the parser\nSubsystem 301 fetches in 605 the extraction and process\nelements received from the pattern node component in 602.\n\nthe alternate embodiment of FIG. 18B.\n\nIn 410, the analyzer has been initialized and is ready to\nperform recognition.\nFIG. 5 shows a flowchart of how actual parser subsystem\n301 functions. Starting at 501, the packet 302 is input to the\n\npattern node available in a buffer (602). Step 603 loads the\ncess of FIG. 5. If the load completed (test 604), indicating\n\nentries do not conflict with each other. A fold number is then\n\nused to associate each element with its original array. A\nsimilar folding process is used for the set of LUTs 1850 in\n\nOnce all the packet components have been the loaded and\nprocessed from the input packet 302, then the load packet\n\n301 moves to build a packet signature which is described in\n\nkeeps a \xe2\x80\x9ccurrent header\' pointer. Each location (offset)\n\nindex for each protocol 2-D array in the 3-D structure is a\nrelative location starting with the start of header for the\nparticular protocol. Furthermore, each of the two\ndimensional arrays is sparse. The next step of the\noptimization, is checking all the 2-D arrays against all the\nother 2-D arrays to find out which ones can share memory.\nMany of these 2-D arrays are often Sparsely populated in that\nthey each have only a Small number of valid entries. So, a\nprocess of "folding\xe2\x80\x9d is next used to combine two or more\n2-D arrays together into one physical 2-D array without\n\nmoves to the next packet component (511).\n\nwill fail (indicated by test 504), and the parser subsystem\n\nto store the data of the PRD.\n\nAS an example of compaction, consider the 3-D Structure\nof FIG. 18A that can be thought of as a set of 2-D structures\neach representing a protocol. To enable Saving Space by\nusing only one array per protocol which may have Several\nparents, in one embodiment, the pattern analysis SubproceSS\n\nand to step 505 to fetch the next node and process. Thus,\nthere is an \xe2\x80\x9capplying patterns\' loop between 508 and 505.\nOnce the parser Subsystem 301 completes all the patterns\nand has either matched or not, the parser subsystem 301\n\nThe extraction process thus builds the Signature, extract\ning more and more components according to the information\nin the patterns and extraction database 308 for the particular\npacket. Once loading the next packet component operation\n\n603 fails (test 604), all the components have been extracted.\nThe built signature is loaded into the signature buffer (610)\n55\n\n60\n\n65\n\nand the parser Subsystem 301 proceeds to FIG. 7 to complete\nthe Signature generation process.\nReferring now to FIG. 7, the process continues at 701. The\nSignature buffer and the pattern node elements are available\n\n(702). The parser subsystem 301 loads the next pattern node\nelement. If the load was successful (test 704) indicating\n\nthere are more nodes, the parser subsystem 301 in 705\nhashes the Signature buffer element based on the hash\nelements that are found in the pattern node that is in the\nelement database. In 706 the resulting signature and the hash\nare packed. In 707 the parser Subsystem 301 moves on to the\nnext packet component which is loaded in 703.\nThe 703 to 707 loop continues until there are no more\n\ndetermine if the fetch pattern node operation 505 completed\nSuccessfully, indicating there was a pattern node that loaded patterns of elements left (test 704). Once all the patterns of\nApp. II-101\n\n\x0c17\n\nUS 6,839,751 B1\n\n18\nIf no match was found, the packet belongs to a new (not\npreviously encountered) flow. In 806 the system indicates\n\nelements have been hashed, processes 304,306 and 312 of\nparser subsystem 301 are complete. Parser subsystem 301\nhas generated the Signature used by the analyzer Subsystem\n\nthat the record in the unified flow key buffer for this packet\nis new, and in 812, any Statistical updating operations are\nperformed for this packet by updating the flow-entry in the\ncache. The update operation exits at 813. A flow insertion/\n\n303.\n\nA parser record is loaded into the analyzer, in particular,\n\ninto the UFKB in the form of a UFKB record which is\n\ndeletion engine (FIDE) creates a new record for this flow\n(again via the cache).\n\nSimilar to a parser record, but with one or more different\nfields.\nFIG. 8 is a flow diagram describing the operation of the\n\nThus, the update/lookup engine ends with a UFKB-entry\nfor the packet with a \xe2\x80\x9cnew\xe2\x80\x9d status or a \xe2\x80\x9cfound\xe2\x80\x9d status.\nNote that the above system uses a hash to which more\nthan one flow-entry can match. A longer hash may be used\nthat corresponds to a single flow-entry. In Such an\nembodiment, the flow chart of FIG. 8 is simplified as would\n\nlookup/update engine (LUE) that implements lookup opera\n\ntion 314. The process starts at 801 from FIG. 7 with the\nparser record that includes a Signature, the hash and at least\nparts of the payload. In 802 those elements are shown in the\nform of a UFKB-entry in the buffer. The LUE, the lookup\nengine 314 computes a \xe2\x80\x9crecord bin number\xe2\x80\x9d from the hash\nfor a flow-entry. A bin herein may have one or more\n\xe2\x80\x9cbuckets\xe2\x80\x9d each containing a flow-entry. The preferred\nembodiment has four buckets per bin.\nSince preferred hardware embodiment includes the cache,\n\n15\n\nall data accesses to records in the flowchart of FIG. 8 are\n\nStated as being to or from the cache.\nThus, in 804, the system looks up the cache for a bucket\nfrom that bin using the hash. If the cache Successfully\nreturns with a bucket from the bin number, indicating there\nare more buckets in the bin, the lookup/update engine\n\ncompares (807) the current signature (the UFKB-entry\'s\nSignature) from that in the bucket (i.e., the flow-entry\nsignature). If the signatures match (test 808), that record (in\nthe cache) is marked in step 810 as \xe2\x80\x9cin process\xe2\x80\x9d and a\n\ntimestamp added. Step 811 indicates to the UFKB that the\nUFKB-entry in 802 has a status of \xe2\x80\x9cfound.\xe2\x80\x9d The \xe2\x80\x9cfound\xe2\x80\x9d\nindication allows the State processing 328 to begin proceSS\ning this UFKB element. The preferred hardware embodi\nment includes one or more State processors, and these can\noperate in parallel with the lookup/update engine.\nIn the preferred embodiment, a Set of Statistical operations\nis performed by a calculator for every packet analyzed. The\nStatistical operations may include one or more of counting\nthe packets associated with the flow; determining Statistics\nrelated to the size of packets of the flow; compiling Statistics\non differences between packets in each direction, for\nexample using timestamps, and determining Statistical rela\ntionships of timestamps of packets in the same direction.\nThe Statistical measures are kept in the flow-entries. Other\nStatistical measures also may be compiled. These Statistics\nmay be used singly or in combination by a Statistical\nprocessor component to analyze many different aspects of\nthe flow. This may include determining network usage\nmetrics from the Statistical measures, for example to ascer\ntain the network\'s ability to transfer information for this\napplication. Such analysis provides for measuring the qual\nity of Service of a conversation, measuring how well an\napplication is performing in the network, measuring network\nresources consumed by an application, and So forth.\nTo provide for Such analyses, the lookup/update engine\nupdates one or more counters that are part of the flow-entry\n\n(in the cache) in step 812. The process exits at 813. In our\n\n25\n\nart that the flow of FIG.3 may alternatively be implemented\nin Software running on one or more general-purpose\nprocessors, or only partly implemented in hardware. An\nimplementation of the invention that can operate in Software\n\nis shown in FIG. 14. The hardware embodiment (FIGS. 10\nand 11) can operate at over a million packets per second,\n\nwhile the Software system of FIG. 14 may be suitable for\nslower networks. To one skilled in the art it would be clear\n\nthat more and more of the System may be implemented in\nSoftware as processors become faster.\n\nFIG. 10 is a description of the parsing subsystem (301,\nshown here as subsystem 1000) as implemented in hard\n\n35\n\n40\n\n45\n\nware. Memory 1001 is the pattern recognition database\nmemory, in which the patterns that are going to be analyzed\nare stored. Memory 1002 is the extraction-operation data\nbase memory, in which the extraction instructions are Stored.\nBoth 1001 and 1002 correspond to internal data structure\n308 of FIG. 3. Typically, the system is initialized from a\n\nmicroprocessor (not shown) at which time these memories\n\nare loaded through a host interface multiplexor and control\nregister 1005 via the internal buses 1003 and 1004. Note that\nthe contents of 1001 and 1002 are preferably obtained by\ncompiling process 310 of FIG. 3.\nA packet enters the parsing System via 1012 into a parser\ninput buffer memory 1008 using control signals 1021 and\n1023, which control an input buffer interface controller\n1022. The buffer 1008 and interface control 1022 connect to\n\na packet acquisition device (not shown). The buffer acqui\n\n50\n\n55\n\n60\n\n809 moves to the next bucket for this bin. Step 804 again\nlooks up the cache for another bucket from that bin. The\nlookup/update engine thus continues lookup up buckets of\nthe bin until there is either a match in 808 or operation 804\n\n65\n\nSition device generates a packet Start Signal 1021 and the\n\ninterface control 1022 generates a next packet (i.e., ready to\nreceive data) signal 1023 to control the data flow into parser\ninput buffer memory 1008. Once a packet starts loading into\nthe buffer memory 1008, pattern recognition engine (PRE)\n\n1006 carries out the operations on the input buffer memory\ndescribed in block 304 of FIG. 3. That is, protocol types and\nasSociated headers for each protocol layer that exist in the\npacket are determined.\nThe PRE searches database 1001 and the packet in buffer\n1008 in order to recognize the protocols the packet contains.\nIn one implementation, the database 1001 includes a series\nof linked lookup tables. Each lookup table uses eight bits of\naddressing. The first lookup table is always at address Zero.\nThe Pattern Recognition Engine uses a base packet offset\nfrom a control register to start the comparison. It loads this\n\nvalue into a current offset pointer (COP). It then reads the\n\nbyte at base packet offset from the parser input buffer and\nuses it as an address into the first lookup table.\nApp. II-102\n\nis not successful (test 805), indicating that there are no more\n\nbuckets in the bin and no match was found.\n\nThe Hardware System\nEach of the individual hardware elements through which\nthe data flows in the system are now described with refer\nence to FIGS. 10 and 11. Note that while we are describing\na particular hardware implementation of the invention\nembodiment of FIG. 3, it would be clear to one skilled in the\n\nembodiment, the counters include the total packets of the\nflow, the time, and a differential time from the last timestamp\nto the present timestamp.\nIt may be that the bucket of the bin did not lead to a\n\nSignature match (test 808). In Such a case, the analyzer in\n\nbe clear to those in the art.\n\n\x0c19\n\nUS 6,839,751 B1\n\nThe analyzer subsystem 1100 includes a hostbus interface\n1122 using an analyzer host interface controller 1118, which\nin turn has access to a cache System 1115. The cache System\nhas bi-directional access to and from the State processor of\nthe system 1108. State processor 1108 is responsible for\ninitializing the State processor instruction database memory\n1109 from information given over the host bus interface\n\nEach lookup table returns a word that links to another\nlookup table or it returns a terminal flag. If the lookup\nproduces a recognition event the database also returns a\ncommand for the slicer. Finally it returns the value to add to\nthe COP\nThe PRE 1006 includes of a comparison engine. The\ncomparison engine has a first Stage that checks the protocol\ntype field to determine if it is an 802.3 packet and the field\nshould be treated as a length. If it is not a length, the protocol\nis checked in a Second Stage. The first stage is the only\nprotocol level that is not programmable. The Second Stage\n\n1122.\n\nWith the SPID 1109 loaded, the analyzer subsystem 1100\nreceives parser records comprising packet signatures and\npayloads that come from the parser into the unified flow key\n\nhas two full sixteen bit content addressable memories\n\n(CAMs) defined for future protocol additions.\nThus, whenever the PRE recognizes a pattern, it also\ngenerates a command for the extraction engine (also called\na "slicer\xe2\x80\x9d) 1007. The recognized patterns and the commands\n\nbuffer (UFKB) 1103. UFKB is comprised of memory set up\n\n15\n\nare sent to the extraction engine 1007 that extracts informa\ntion from the packet to build the parser record. Thus, the\noperations of the extraction engine are those carried out in\n\nis bi-directional access between each of the finite State\n\n25\n\ninstruction from the instruction database 1002. Instructions\n\ninclude an operation code and usually Source and destination\noffsets as well as a length. The offsets and length are in\nbytes. A typical operation is the MOVE instruction. This\ninstruction tells the slicer 1007 to copy n bytes of data\nunmodified from the input buffer 1008 to the output buffer\n1010. The extractor contains a byte-wise barrel shifter so\nthat the bytes moved can be packed into the flow Signature.\nThe extractor contains another instruction called HASH.\n\n35\n\nThis instruction tells the extractor to copy from the input\nbuffer 1008 to the HASH generator.\nThus these instructions are for extracting Selected element\n\n(S) of the packet in the input buffer memory and transferring\n\nthe data to a parser output buffer memory 1010. Some\ninstructions also generate a hash.\nThe extraction engine 1007 and the PRE operate as a\npipeline. That is, extraction engine 1007 performs extraction\noperations on data in input buffer 1008 already processed by\n\nPRE 1006 while more (i.e., later arriving) packet informa\n\ntion is being simultaneously parsed by PRE 1006. This\nprovides high processing Speed Sufficient to accommodate\nthe high arrival rate Speed of packets.\nOnce all the Selected parts of the packet used to form the\nSignature are extracted, the hash is loaded into parser output\nbuffer memory 1010. Any additional payload from the\npacket that is required for further analysis is also included.\nThe parser output memory 1010 is interfaced with the\nanalyzer subsystem by analyzer interface control 1011. Once\nall the information of a packet is in the parser output buffer\nmemory 1010, a data ready signal 1025 is asserted by\nanalyzer interface control. The data from the parser Sub\nsystem 1000 is moved to the analyzer subsystem via 1013\nwhen an analyzer ready Signal 1027 is asserted.\nFIG. 11 shows the hardware components and dataflow for\nthe analyzer Subsystem that performs the functions of the\nanalyzer Subsystem 303 of FIG. 3. The analyzer is initialized\nprior to operation, and initialization includes loading the\nState processing information generated by the compilation\nprocess 310 into a database memory for the State processing,\n\ncalled state processor instruction database (SPID) memory\n1109.\n\nto maintain UFKB records. A UFKB record is essentially a\nparser record; the UFKB holds records of packets that are to\nbe processed or that are in process. Furthermore, the UFKB\nprovides for one or more fields to act as modifiable Status\nflags to allow different processes to run concurrently.\nThree processing engines run concurrently and access\n\nrecords in the UFKB 1103: the lookup/update engine (LUE)\n1107, the state processor (SP) 1108, and the flow insertion\nand deletion engine (FIDE) 1110. Each of these is imple\nmented by one or more finite state machines (FSM\'s). There\n\nblocks 306 and 312 of FIG. 3. The commands are sent from\nPRE 1006 to slicer 1007 in the form of extraction instruction\n\npointers which tell the extraction engine 1007 where to a\nfind the instructions in the extraction operations database\nmemory (i.e., slicer instruction database) 1002.\nThus, when the PRE 1006 recognizes a protocol it outputs\nboth the protocol identifier and a process code to the\nextractor. The protocol identifier is added to the flow sig\nnature and the proceSS code is used to fetch the first\n\n20\n\n40\n\n45\n\n50\n\n55\n\n60\n\n65\n\nmachines and the unified flow key buffer 1103. The UFKB\nrecord includes a field that Stores the packet Sequence\n\nnumber, and another that is filled with state information in\n\nthe form of a program counter for the state processor 1108\nthat implements State processing 328. The Status flags of the\nUFKB for any entry includes that the LUE is done and that\nthe LUE is transferring processing of the entry to the State\nprocessor. The LUE done indicator is also used to indicate\nwhat the next entry is for the LUE. There also is provided a\nflag to indicate that the State processor is done with the\ncurrent flow and to indicate what the next entry is for the\nState processor. There also is provided a flag to indicate the\nState processor is transferring processing of the UFKB-entry\nto the flow insertion and deletion engine.\nA new UFKB record is first processed by the LUE 1107.\nA record that has been processed by the LUE 1107 may be\nprocessed by the state processor 1108, and a UFKB record\ndata may be processed by the flow insertion/deletion engine\n1110 after being processed by the state processor 1108 or\nonly by the LUE. Whether or not a particular engine has\nbeen applied to any unified flow key buffer entry is deter\nmined by Status fields Set by the engines upon completion.\nIn one embodiment, a status flag in the UFKB-entry indi\ncates whether an entry is new or found. In other\nembodiments, the LUE issues a flag to pass the entry to the\nState processor for processing, and the required operations\nfor a new record are included in the SP instructions.\n\nNote that each UFKB-entry may not need to be processed\nby all three engines. Furthermore, some UFKB entries may\nneed to be processed more than once by a particular engine.\nEach of these three engines also has bi-directional access\nto a cache Subsystem 1115 that includes a caching engine.\nCache 1115 is designed to have information flowing in and\nout of it from five different points within the system: the\nthree engines, external memory via a unified memory con\n\ntroller (UMC) 1119 and a memory interface 1123, and a\n\nmicroprocessor via analyzer host interface and control unit\n\n(ACIC) 1118 and host interface bus (HIB) 1122. The ana\nlyzer microprocessor (or dedicated logic processor) can thus\n\ndirectly insert or modify data in the cache.\nThe cache subsystem 1115 is an associative cache that\n\nincludes a set of content addressable memory cells (CAMs)\neach including an address portion and a pointer portion\npointing to the cache memory (e.g., RAM) containing the\n\nApp. II-103\n\n\x0cUS 6,839,751 B1\n\n21\ncached flow-entries. The CAMS are arranged as a Stack\nordered from a top CAM to a bottom CAM. The bottom\nCAM\'s pointerpoints to the least recently used (LRU) cache\nmemory entry. Whenever there is a cache miss, the contents\nof cache memory pointed to by the bottom CAM are\nreplaced by the flow-entry from the flow-entry database 324.\nThis now becomes the most recently used entry, So the\ncontents of the bottom CAM are moved to the top CAM and\nall CAM contents are shifted down. Thus, the cache is an\n\nasSociative cache with a true LRU replacement policy.\nThe LUE 1107 first processes a UFKB-entry, and basi\ncally performs the operation of blocks 314 and 316 in FIG.\n3. A signal is provided to the LUE to indicate that a \xe2\x80\x9cnew\xe2\x80\x9d\nUFKB-entry is available. The LUE uses the hash in the\nUFKB-entry to read a matching bin of up to four buckets\nfrom the cache. The cache System attempts to obtain the\nmatching bin. If a matching bin is not in the cache, the cache\n1115 makes the request to the UMC 1119 to bring in a\nmatching bin from the external memory.\nWhen a flow-entry is found using the hash, the LUE 1107\nlooks at each bucket and compares it using the Signature to\nthe signature of the UFKB-entry until there is a match or\n\n15\n\nthere are no more buckets.\n\nIf there is no match, or if the cache failed to provide a bin\nof flow-entries from the cache, a time Stamp in Set in the flow\nkey of the UFKB record, a protocol identification and state\ndetermination is made using a table that was loaded by\ncompilation process 310 during initialization, the Status for\nthe record is Set to indicate the LUE has processed the\nrecord, and an indication is made that the UFKB-entry is\nready to Start State processing. The identification and State\ndetermination generates a protocol identifier which in the\npreferred embodiment is a \xe2\x80\x9cjump vector\' for the state\nprocessor which is kept by the UFKB for this UFKB-entry\nand used by the State processor to start State processing for\nthe particular protocol. For example, the jump vector jumps\nto the Subroutine for processing the State.\nIf there was a match, indicating that the packet of the\nUFKB-entry is for a previously encountered flow, then a\ncalculator component enters one or more Statistical measures\nStored in the flow-entry, including the timestamp. In\naddition, a time difference from the last Stored timestamp\nmay be Stored, and a packet count may be updated. The State\nof the flow is obtained from the flow-entry is examined by\nlooking at the protocol identifier stored in the flow-entry of\ndatabase 324. If that value indicates that no more classifi\n\ncation is required, then the Status for the record is Set to\nindicate the LUE has processed the record. In the preferred\nembodiment, the protocol identifier is a jump vector for the\nState processor to a Subroutine to State processing the\nprotocol, and no more classification is indicated in the\npreferred embodiment by the jump vector being Zero. If the\nprotocol identifier indicates more processing, then an indi\ncation is made that the UFKB-entry is ready to start state\nprocessing and the Status for the record is Set to indicate the\nLUE has processed the record.\nThe state processor 1108 processes information in the\ncache system according to a UFKB-entry after the LUE has\ncompleted. State processor 1108 includes a state processor\nprogram counter SPPC that generates the address in the State\nprocessor instruction database 1109 loaded by compiler\nprocess 310 during initialization. It contains an Instruction\n\n25\n\n35\n\n40\n\n45\n\n50\n\n55\n\n60\n\nPointer (SPIP) which generates the SPID address. The\n\ninstruction pointer can be incremented or loaded from a\nJump Vector Multiplexor which facilitates conditional\nbranching. The SPIP can be loaded from one of three\n\nsources: (1) A protocol identifier from the UFKB, (2) an\n\n65\n\n22\nimmediate jump vector form the currently decoded\ninstruction, or (3) a value provided by the arithmetic logic\nunit (SPALU) included in the state processor.\nThus, after a Flow Key is placed in the UFKB by the LUE\nwith a known protocol identifier, the Program Counter is\ninitialized with the last protocol recognized by the Parser.\nThis first instruction is a jump to the Subroutine which\nanalyzes the protocol that was decoded.\nThe State Processor ALU (SPALU) contains all the\nArithmetic, Logical and String Compare functions necessary\nto implement the State Processor instructions. The main\nblocks of the SPALU are: The A and B Registers, the\nInstruction Decode & State Machines, the String Reference\nMemory the Search Engine, an Output Data Register and an\nOutput Control Register\nThe Search Engine in turn contains the Target Search\nRegister Set, the Reference Search Register Set, and a\nCompare block which compares two operands by exclusive\nor-ing them together.\nThus, after the UFKB sets the program counter, a\nSequence of one or more State operations are be executed in\nstate processor 1108 to further analyze the packet that is in\nthe flow key buffer entry for this particular packet.\nFIG. 13 describes the operation of the state processor\n1108. The state processor is entered at 1301 with a unified\nflow key buffer entry to be processed. The UFKB-entry is\nnew or corresponding to a found flow-entry. This UFKB\nentry is retrieved from unified flow key buffer 1103 in 1301.\nIn 1303, the protocol identifier for the UFKB-entry is used\nto Set the State processor\'s instruction counter. The State\nprocessor 1108 starts the process by using the last protocol\nrecognized by the parser subsystem 301 as an offset into a\njump table. The jump table takes us to the instructions to use\nfor that protocol. Most instructions test Something in the\nunified flow key buffer or the flow-entry if it exists. The state\nprocessor 1108 may have to test bits, do comparisons, add or\nSubtract to perform the test.\nThe first state processor instruction is fetched in 1304\nfrom the state processor instruction database memory 1109.\nThe State processor performs the one or more fetched\noperations (1304). In our implementation, each single State\nprocessor instruction is very primitive (e.g., a move, a\ncompare, etc.), So that many Such instructions need to be\nperformed on each unified flow key buffer entry. One aspect\nof the State processor is its ability to Search for one or more\n(up to four) reference Strings in the payload part of the\nUFKB entry. This is implemented by a search engine\ncomponent of the State processor responsive to special\nSearching instructions.\nIn 1307, a check is made to determine if there are any\nmore instructions to be performed for the packet. If yes, then\nin 1308 the system sets the state processor instruction\npointer (SPIP) to obtain the next instruction. The SPIP may\nbe set by an immediate jump vector in the currently decoded\ninstruction, or by a value provided by the SPALU during\nprocessing.\nThe next instruction to be performed is now fetched\n(1304) for execution. This state processing loop between\n1304 and 1307 continues until there are no more instructions\nto be performed.\nAt this stage, a check is made in 1309 if the processing on\nthis particular packet has resulted in a final State. That is, is\nthe analyzer is done processing not only for this particular\npacket, but for the whole flow to which the packet belongs,\nand the flow is fully determined. If indeed there are no more\nstates to process for this flow, then in 1311 the processor\nfinalizes the processing. Some final States may need to put\n\nApp. II-104\n\n\x0c23\n\nUS 6,839,751 B1\n\n24\noperations are completed for this UFKB-entry. This also lets\nthe UFKB provide the FIDE with the next UFKB record.\nOnce a set of operations is performed on a unified flow\nkey buffer entry by all of the engines required to access and\nmanage a particular packet and its flow Signature, the unified\nflow key buffer entry is marked as \xe2\x80\x9ccompleted.\xe2\x80\x9d That\nelement will then be used by the parser interface for the next\npacket and flow Signature coming in from the parsing and\nextracting System.\nAll flow-entries are maintained in the external memory\n\na State in place that tells the System to remove a flow-for\nexample, if a connection disappears from a lower level\n\nconnection identifier. In that case, in 1311, a flow removal\n\nstate is set and saved in the flow-entry. The flow removal\n\nstate may be a NOP (no-op) instruction which means there\nare no removal instructions.\n\nOnce the appropriate flow removal instruction as Specified\n\nfor this flow (a NOP or otherwise) is set and saved, the\n\nprocess is exited at 1313. The state processor 1108 can now\nobtain another unified flow key buffer entry to process.\nIf at 1309 it is determined that processing for this flow is\nnot completed, then in 1310 the system saves the state\nprocessor instruction pointer in the current flow-entry in the\ncurrent flow-entry. That will be the next operation that will\nbe performed the next time the LRE 1107 finds packet in the\nUFKB that matches this flow. The processor now exits\nprocessing this particular unified flow key buffer entry at\n\nand Some are maintained in the cache 1115. The cache\n\nSystem 1115 is intelligent enough to access the flow database\n\nand to understand the data Structures that exists on the other\n\n15\n\n1313.\n\nNote that State processing updates information in the\nunified flow key buffer 1103 and the flow-entry in the cache.\nOnce the state processor is done, a flag is set in the UFKB\nfor the entry that the State process or is done. Furthermore,\nIf the flow needs to be inserted or deleted from the database\n\nof flows, control is then passed on to the flow insertion/\ndeletion engine 1110 for that flow Signature and packet entry.\nThis is done by the State processor Setting another flag in the\nUFKB for this UFKB-entry indicating that the state proces\nSor is passing processing of this entry to the flow insertion\nand deletion engine.\nThe flow insertion and deletion engine 1110 is responsible\nfor maintaining the flow-entry database. In particular, for\ncreating new flows in the flow database, and deleting flows\nfrom the database So that they can be reused.\nThe process of flow insertion is now described with the\naid of FIG. 12. Flows are grouped into bins of buckets by the\nhash value. The engine processes a UFKB-entry that may be\nnew or that the State processor otherwise has indicated needs\nto be created. FIG. 12 shows the case of a new entry being\n\ncreated. A conversation record bin (preferably containing 4\nbuckets for four records) is obtained in 1203. This is a bin\n\nthat matches the hash of the UFKB, so this bin may already\nhave been sought for the UFKB-entry by the LUE. In 1204\nthe FIDE 1110 requests that the record bin/bucket be main\ntained in the cache system 1115. If in 1205 the cache system\n1115 indicates that the bin/bucket is empty, step 1207 inserts\n\nthe flow signature (with the hash) into the bucket and the\n\nbucket is marked \xe2\x80\x9cused\' in the cache engine of cache 1115\nusing a timestamp that is maintained throughout the process.\nIn 1209, the FIDE 1110 compares the bin and bucket record\nflow Signature to the packet to Verify that all the elements are\nin place to complete the record. In 1211 the System marks the\nrecord bin and bucket as \xe2\x80\x9cin process\xe2\x80\x9d and as \xe2\x80\x9cnew\xe2\x80\x9d in the\n\n25\n\ncessor or a multiplexor (MUX) system. Consequently, one\n\n35\n\ncan connect the overall traffic classification system of FIGS.\n11 and 12 into Some other processing System to manage the\nclassification System and to extract data gathered by the\n\n40\n\nThe memory interface 1123 is designed to interface to any\nof a variety of memory Systems that one may want to use to\nstore the flow-entries. One can use different types of\nmemory Systems like regular dynamic random access\n\n45\n\n50\n\ncache System (and hence in the external memory). In 1212,\n\nthe initial Statistical measures for the flow-record are Set in\n\nthe cache System. This in the preferred embodiment clearS\nthe Set of counters used to maintain Statistics, and may\nperform other procedures for Statistical operations requires\nby the analyzer for the first packet Seen for a particular flow.\nBack in step 1205, if the bucket is not empty, the FIDE\n1110 requests the next bucket for this particular bin in the\ncache system. If this succeeds, the processes of 1207, 1209,\n1211 and 1212 are repeated for this next bucket. If at 1208,\nthere is no valid bucket, the unified flow key buffer entry for\nthe packet is Set as \xe2\x80\x9cdrop, indicating that the System cannot\nprocess the particular packet because there are no buckets\nleft in the system. The process exits at 1213. The FIDE 1110\n\nSide of memory interface 1123. The lookup/update engine\n1107 is able to request that the cache system pull a particular\nflow or \xe2\x80\x9cbuckets\xe2\x80\x9d of flows from the unified memory con\ntroller 1119 into the cache system for further processing. The\nstate processor 1108 can operate on information found in the\ncache System once it is looked up by means of the lookup/\nupdate engine request, and the flow insertion/deletion engine\n1110 can create new entries in the cache System if required\nbased on information in the unified flow key buffer 1103.\nThe cache retrieves information as required from the\nmemory through the memory interface 1123 and the unified\nmemory controller 1119, and updates information as\nrequired in the memory through the memory controller 1119.\nThere are Several interfaces to components of the System\nexternal to the module of FIG. 11 for the particular hardware\nimplementation. These include host bus interface 1122,\nwhich is designed as a generic interface that can operate with\nany kind of external processing System Such as a micropro\n\n55\n\nSystem.\n\nmemory (DRAM), synchronous DRAM, synchronous\ngraphic memory (SGRAM), static random access memory\n(SRAM), and so forth.\n\nFIG. 10 also includes some \xe2\x80\x9cgeneric\' interfaces. There is\na packet input interface 1012-a general interface that\nworks in tandem with the signals of the input buffer interface\ncontrol 1022. These are designed so that they can be used\nwith any kind of generic Systems that can then feed packet\ninformation into the parser. Another generic interface is the\ninterface of pipes 1031 and 1033 respectively out of and into\nhost interface multiplexor and control registers 1005. This\nenables the parsing System to be managed by an external\nSystem, for example a microprocessor or another kind of\nexternal logic, and enables the external System to program\nand otherwise control the parser.\nThe preferred embodiment of this aspect of the invention\n\nis described in a hardware description language (HDL) Such\n\n60\n\n65\n\nas VHDL or Verilog. It is designed and created in an HDL\nSo that it may be used as a single chip System or, for instance,\nintegrated into another general-purpose System that is being\ndesigned for purposes related to creating and analyzing\ntraffic within a network. Verilog or other HDL implemen\ntation is only one method of describing the hardware.\nIn accordance with one hardware implementation, the\nelements shown in FIGS. 10 and 11 are implemented in a set\n\nof six field programmable logic arrays (FPGA\'s). The\n\nboundaries of these FPGA\'s are as follows. The parsing\nApp. II-105\n\nindicates to the UFKB that the flow insertion and deletion\n\n\x0c25\n\nUS 6,839,751 B1\n\nSubsystem of FIG. 10 is implemented as two FPGAS; one\nFPGA, and includes blocks 1006, 1008 and 1012, parts of\n1005, and memory 1001. The second FPGA includes 1002,\n1007, 1013, 1011 parts of 1005. Referring to FIG. 11, the\nunified look-up buffer 1103 is implemented as a single\nFPGA. State processor 1108 and part of state processor\ninstruction database memory 1109 is another FPGA. Por\ntions of the State processor instruction database memory\n1109 are maintained in external SRAM\'s. The lookup/\nupdate engine 1107 and the flow insertion/deletion engine\n1110 are in another FPGA. The Sixth FPGA includes the\n\ncache system 1115, the unified memory control 1119, and the\nanalyzer host interface and control 1118.\nNote that one can implement the System as one or more\nVSLI devices, rather than as a set of application specific\n\nintegrated circuits (ASIC\'s) such as FPGA\'s. It is antici\n\n15\n\npated that in the future device densities will continue to\nincrease, So that the complete System may eventually form\n\na Sub-unit (a \xe2\x80\x9ccore\xe2\x80\x9d) of a larger single chip unit.\nOperation of the Invention\n\nFIG. 15 shows how an embodiment of the network\n\nmonitor 300 might be used to analyze traffic in a network\n102. Packet acquisition device 1502 acquires all the packets\nfrom a connection point 121 on network 102 so that all\npackets passing point 121 in either direction are Supplied to\nmonitor 300. Monitor 300 comprises the parser Sub-system\n301, which determines flow signatures, and analyzer Sub\nSystem 303 that analyzes the flow signature of each packet.\nA memory 324 is used to store the database of flows that are\ndetermined and updated by monitor 300. A host computer\n1504, which might be any processor, for example, a general\npurpose computer, is used to analyze the flows in memory\n324. As is conventional, host computer 1504 includes a\nmemory, say RAM, shown as host memory 1506. In\naddition, the host might contain a disk. In one application,\nthe system can operate as an RMON probe, in which case the\nhost computer is coupled to a network interface card 1510\n\n(SNMP) implementation. FIG. 15 describes-how one would,\n\nfor example, implement an RMON probe, where a network\n\nmunicates using a Service channel, in the form of a TCP or\nUDP socket or port as in the IP protocol Suite, or using a SAP\nas in the Novell IPX protocol suite.\nThe analyzer 303 is also capable of carrying out \xe2\x80\x9cin\nStream analysis\xe2\x80\x9d of packet eXchanges. The \xe2\x80\x9cin-stream analy\nSis\' method is used either as a primary or Secondary recog\nnition process. As a primary process, in-stream analysis\nassists in extracting detailed information which will be used\nto further recognize both the Specific application and appli\ncation component. A good example of in-stream analysis is\nany Web-based application. For example, the commonly\nused Point Cast Web information application can be recog\nnized using this process, during the initial connection\nbetween a PointCast Server and client, Specific key tokens\nexist in the data eXchange that will result in a Signature being\ngenerated to recognize PointCast.\nThe in-stream analysis proceSS may also be combined\nwith the Server announcement process. In many cases\nin-Stream analysis will augment other recognition processes.\nAn example of combining in-stream analysis with Server\nannouncement can be found in busineSS applications Such as\nSAP and BAAN.\n\n25\n\n35\n\nthat is connected to the network 102.\n\nThe preferred embodiment of the invention is supported\nby an optional Simple Network Management Protocol\n\n26\n\n40\n\n"Session tracking\xe2\x80\x9d also is known as one of the primary\nprocesses for tracking applications in client/server packet\neXchanges. The process of tracking Sessions requires an\ninitial connection to a predefined Socket or port number. This\nmethod of communication is used in a variety of transport\nlayer protocols. It is most commonly seen in the TCP and\nUDP transport protocols of the IP protocol.\nDuring the Session tracking, a client makes a request to a\nServer using a specific port or Socket number. This initial\nrequest will cause the server to create a TCP or UDP port to\neXchange the remainder of the data between the client and\nthe server. The server then replies to the request of the client\nusing this newly created port. The original port used by the\nclient to connect to the Server will never be used again\nduring this data eXchange.\n\nOne example of session tracking is TFTP (Trivial File\nTransfer Protocol), a version of the TCP/IP FTP protocol\nthat has no directory or password capability. During the\nclient/server exchange process of TFTP, a specific port (port\nnumber 69) is always used to initiate the packet exchange.\n\nThus, when the client begins the process of communicating,\nnetwork. Commercial SNMP implementations also are\na request is made to UDP port 69. Once the server receives\navailable, and using Such an implementation can Simplify 45 this request, a new port number is created on the Server. The\nthe process of porting the preferred embodiment of the Server then replies to the client using the new port. In this\ninvention to any platform.\nexample, it is clear that in order to recognize TFTP; network\nIn addition, MIB Compilers are available. An MIB Com monitor 300 analyzes the initial request from the client and\npiler is a tool that greatly simplifies the creation and main generates a signature for it. Monitor 300 uses that Signature\n50 to recognize the reply. Monitor 300 also analyzes the reply\ntenance of proprietary MIB extensions.\nExamples of Packet Elucidation\nfrom the Server with the key port information, and uses this\nMonitor 300, and in particular, analyzer 303 is capable of to create a signature for monitoring the remaining packets of\ncarrying out State analysis for packet eXchanges that are this data eXchange.\nNetwork monitor 300 can also understand the current\ncommonly referred to as "server announcement\' type\neXchanges. Server announcement is a process used to ease 55 State of particular connections in the network. Connection\ncommunications between a Server with multiple applications oriented exchanges often benefit from State tracking to\nthat can all be Simultaneously accessed from multiple cli correctly identify the application. An example is the com\nents. Many applications use a server announcement proceSS mon TCP transport protocol that provides a reliable means\nas a means of multiplexing a single port or Socket into many of sending information between a client and a server. When\napplications and Services. With this type of eXchange, mes 60 a data eXchange is initiated, a TCP request for Synchroni\nSages are Sent on the network, in either a broadcast or Zation message is sent. This message contains a specific\nmulticast approach, to announce a Server and application, Sequence number that is used to track an acknowledgement\nand all Stations in the network may receive and decode these from the Server. Once the Server has acknowledged the\nmessages. The messages enable the Stations to derive the Synchronization request, data may be exchanged between\nappropriate connection point for communicating that par 65 the client and the Server. When communication is no longer\nticular application with the particular Server. Using the required, the client Sends a finish or complete message to the\nServer announcement method, a particular application com Server, and the Server acknowledges this finish request with\nApp. II-106\ninterface card is used to send RMON information to the\n\n\x0c27\n\nUS 6,839,751 B1\n\na reply containing the Sequence numbers from the request.\nThe States of Such a connection-oriented exchange relate to\nthe various types of connection and maintenance messages.\nServer Announcement Example\nThe individual methods of Server announcement proto\ncols vary. However, the basic underlying proceSS remains\nSimilar. A typical Server announcement message is Sent to\none or more clients in a network. This type of announcement\nmessage has specific content, which, in another aspect of the\ninvention, is Salvaged and maintained in the database of\nflow-entries in the System. Because the announcement is\nSent to one or more Stations, the client involved in a future\n\npacket eXchange with the Server will make an assumption\nthat the information announced is known, and an aspect of\nthe inventive monitor is that it too can make the same\nassumption.\nSun-RPC is the implementation by Sun Microsystems,\n\n15\n\nInc. (Palo Alto, Calif.) of the Remote Procedure Call (RPC),\n\na programming interface that allows one program to use the\n\nany packets to SERVER 2 using port number port with the\napplication program program.\nFIG.9 represents a dataflow 900 of some operations in the\n\nexample is now used to explain how monitor 300 can\ncapture Server announcements.\n\nprogram or application and a TCP or UDP socket or port (for\nTCP or UDP implementations). An application or program\nnumber is a 32-bit unique identifier assigned by ICANN (the\nInternet Corporation for ASSigned Names and Numbers,\nwww.icann.org), which manages the huge number of param\neters associated with Internet protocols (port numbers,\nrouter protocols, multicast addresses, etc.) Each port Mapper\non a Sun-RPC server can present the mappings between a\nunique program number and a specific transport Socket\nthrough the use of Specific request or a directed announce\nment. According to ICANN, port number 111 is associated\n\nwith Sun RPC.\n\nAs an example, consider a client (e.g., CLIENT 3 shown\nas 106 in FIG. 1) making a specific request to the server\n(e.g., SERVER 2 of FIG. 1, shown as 110) on a predefined\n\nUDP or TCP socket. Once the port Mapper process on the\nSun RPC Server receives the request, the Specific mapping is\nreturned in a directed reply to the client.\n\nmonitor 300 of FIG. 3 for Sun Remote Procedure Call.\n\nSuppose a client 106 (e.g., CLIENT 3 in FIG. 1) is com\n25\n\nSpecifies the program (as a program identifier), version,\nand might specify the protocol (UDP or TCP).\n2. The server SERVER 2 (110 in FIG. 1) extracts the\n\nprogram identifier and version identifier from the\nrequest. The Server also uses the fact that this packet\ncame in using the TCP transport and that no protocol\nwas specified, and thus will use the TCP protocol for its\nreply.\n3. The server 110 sends a TCP packet to port number 111,\nwith an RPC Bind Lookup Reply. The reply contains\n\nthe specific port number (e.g., port number port) on\n\nwhich future transactions will be accepted for the\n\nSpecific RPC program identifier (e.g., Program\nprogram) and the protocol (UDP or TCP) for use.\n\nmunicating via its interface to the network 118 to a server\n\n110 (e.g., SERVER 2 in FIG. 1) via the server\'s interface to\n\nthe network 116. Further assume that Remote Procedure\n\n35\n\nCall is used to communicate with the server 110. One path\nin the data flow 900 starts with a step 910 that a Remote\nProcedure Call bind lookup request is issued by client 106\nand ends with the server state creation step 904. Such RPC\nbind lookup request includes values for the program,\nversion, and protocol to use, e.g., TCP or UDP. The\nprocess for Sun RPC analysis in the network monitor 300\nincludes the following aspects.:\nProcess 909: Extract the program, \xe2\x80\x9cversion, and pro\n\ntocol (UDP or TCP). Extract the TCP or UDP port\n(process 909) which is 111 indicating Sun RPC.\n\n40\n\n45\n\n1. A client (CLIENT 3, 106 in FIG. 1) sends a TCP packet\nto SERVER2 (110 in FIG. 1) on port 111, with an RPC\nBind Lookup Request (rpcBindLookup). TCP or UDP\nport 111 is always associated Sun RPC. This request\n\nasSociated with the program program. Network monitor\n300 by creating a flow-entry and a signature includes a\nmechanism for remembering the exchange So that future\npackets that use the port number port will be associated by\nthe network monitor with the application program pro\ngram.\nIn addition to the Sun RPC Bind Lookup request and\nreply, there are other ways that a particular program-Say\nprogram-might be associated with a particular port\nnumber, for example number port. One is by a broadcast\nannouncement of a particular association between an appli\ncation service and a port number, called a Sun RPC port\nMapper Announcement. Another, is when Some Server-Say\nthe same SERVER 2-replies to some client-say CLIENT\n1-requesting Some portMapper assignment with a RPC\nportMapper Reply. Some other client-say CLIENT\n2-might inadvertently See this request, and thus know that\nfor this particular server, SERVER 2, port number port is\nasSociated with the application Service program. It is\ndesirable for the network monitor 300 to be able to associate\n\nServices of another on a remote machine. A Sun-RPC\n\nA remote program or client that wishes to use a Server or\nprocedure must establish a connection, for which the RPC\nprotocol can be used.\nEach server running the Sun-RPC protocol must maintain\na proceSS and database called the port Mapper. The port\nMapper creates a direct association between a Sun-RPC\n\n28\n\nProcess 908: Decode the Sun RPC packet. Check RPC\ntype field for ID. If value is portMapper, save paired\n\nSocket (i.e., dest for destination address, Src for Source\naddress). Decode ports and mapping, save ports with\nSocket/addr key. There may be more than one pairing\nper mapper packet. Form a signature (e.g., a key). A\nflow-entry is created in database 324. The saving of the\nrequest is now complete.\n\nAt some later time, the server (process 907) issues a RPC\n\n50\n\n55\n\n60\n\nbind lookup reply. The packet monitor 300 will extract a\nSignature from the packet and recognize it from the previ\nously stored flow. The monitor will get the protocol port\n\nnumber (906) and lookup the request (905). A new signature\n(i.e., a key) will be created and the creation of the server\nstate (904) will be stored as an entry identified by the new\nSignature in the flow-entry database. That Signature now\nmay be used to identify packets associated with the Server.\nThe server state creation step 904 can be reached not only\nfrom a Bind Lookup Request/Reply pair, but also from a\nRPC Reply portMapper packet shown as 901 or an RPC\nAnnouncement portMapper shown as 902. The Remote\nProcedure Call protocol can announce that it is able to\nprovide a particular application Service. Embodiments of the\npresent invention preferably can analyze when an exchange\noccurs between a client and a Server, and also can track those\n\nStations that have received the announcement of a Service in\n\nIt is desired that from now on every time that port number 65 the network.\nport is used, the packet is associated with the application\nThe RPC Announcement portMapper announcement 902\nprogram program until the number port no longer is to be is a broadcast. Such causes various clients to execute a\nApp. II-107\n\n\x0c29\n\nUS 6,839,751 B1\n\nSimilar Set of operations, for example, Saving the informa\ntion obtained from the announcement. The RPC Reply\nportMapper step 901 could be in reply to a portMapper\nrequest, and is also broadcast. It includes all the Service\nparameterS.\n\nThus monitor 300 creates and saves all Such states for\n\nlater classification of flows that relate to the particular\nService program.\nFIG. 2 shows how the monitor 300 in the example of Sun\nRPC builds a signature and flow states. A plurality of packets\n206-209 are exchanged, e.g., in an exemplary Sun Micro\nsystems Remote Procedure Call protocol. A method embodi\nment of the present invention might generate a pair of flow\nsignatures, \xe2\x80\x9csignature-1\' 210 and \xe2\x80\x9csignature-2\xe2\x80\x9d 212, from\ninformation found in the packets 206 and 207 which, in the\nexample, correspond to a Sun RPC Bind Lookup request and\nreply, respectively.\nConsider first the Sun RPC Bind Lookup request. Sup\npose packet 206 corresponds to Such a request Sent from\nCLIENT 3 to SERVER 2. This packet contains important\ninformation that is used in building a signature according to\nan aspect of the invention. A Source and destination network\naddress occupy the first two fields of each packet, and\naccording to the patterns in pattern database 308, the flow\n\nsignature (shown as KEY1230 in FIG. 2) will also contain\nthese two fields, so the parser Subsystem 301 will include\n\n15\n\n25\n\nthe label used in the drawing is \xe2\x80\x9cC\xe2\x80\x9d. If such address\n\nidentifies the server 110 (shown also as server 204), the label\n\ncally less than address \xe2\x80\x9cC\xe2\x80\x9d. A third field \xe2\x80\x9cp\' 216 identifies\n\nthe particular protocol being used, e.g., TCP, UDP, etc.\nIn packet 206, a fourth field 217 and a fifth field 218 are\nused to communicate port numbers that are used. The\nconversation direction determines where the port number\nfield is. The diagonal pattern in field 217 is used to identify\na Source-port pattern, and the hash pattern in field 218 is\nused to identify the destination-port pattern. The order\nindicates the client-Server message direction. A sixth field\n\ndenoted \xe2\x80\x9ci\'\xe2\x80\x9d 219 is an element that is being requested by the\n\nclient from the server. A seventh field denoted \xe2\x80\x9csa\xe2\x80\x9d 220 is\nthe service requested by the client from server 110. The\n\n35\n\n40\n\n45\n\nidentifier (port 111 indicating Sun RPC).\n\nthe state processor should proceed to for more complex\nrecognition jobs, denoted as State \xe2\x80\x9cst\xe2\x80\x9d is placed in the field\n245 of the flow-entry.\nWhen the Sun RPC Bind Lookup reply is acquired, a flow\nSignature is again built by the parser. This flow signature is\nidentical to KEY-1. Hence, when the signature enters the\nanalyzer subsystem 303 from the parser subsystem 301, the\ncomplete flow-entry is obtained, and in this flow-entry\nindicates State \xe2\x80\x9cst\'. The operations for State \xe2\x80\x9cst,\xe2\x80\x9d in the\nState processor instruction database 326 instructs the State\nprocessor to build and Store a new flow signature, shown as\nKEY-2 (212) in FIG. 2. This flow signature built by the state\nprocessor also includes the destination and a Source\naddresses 250 and 251, respectively, for server \xe2\x80\x9cS\xe2\x80\x9d fol\nlowed by (the numerically higher address) client \xe2\x80\x9cC\xe2\x80\x9d. A\n\n50\n\n55\n\nexample, this is a final state. Thus, KEY-2 may now be used\nto recognize packets that are in any way associated with the\n\nPacket 207 is the first sent in reply to the client 106 from\nthe server. It is the RPC Bind Lookup Reply as a result of\nthe request packet 206.\nPacket 207 includes ten fields 224-233. The destination\n\nport numbers of UDS for p" that will be used to recognize\nthis flow (e.g., port 111). Port 111 indicates this is Sun RPC.\nSome applications, such as the Sun RPC Bind Lookups, are\ndirectly determinable ("known\xe2\x80\x9d) at the parser level. So in\nthis case, the Signature KEY-1 points to a known application\ndenoted \xe2\x80\x9ca\xe2\x80\x9d (Sun RPC Bind Lookup), and a next-state that\n\nwhich is obtained from the reply packet. A field 253 contains\na recognition pattern also obtained from the reply packet. In\nthis case, the application is Sun RPC, and field 254 indicates\n\ncates that the client 106 wants to know what to use to access\n\nmitted to the server 110 on a well-known service connection\n\nSignature is field 243, which contains the destination Source\nport number shown as a crosshatched pattern from the field\n218 of the packet 206. This pattern will be recognized in the\npayload of packets to derive how this packet or Sequence of\npackets exists as a flow. In practice, these may be TCP port\nnumbers, or a combination of TCP port numbers. In the case\nof the Sun RPC example, the crosshatch represents a set of\n\nprotocol field 252 defines the protocol to be used, e.g., \xe2\x80\x9cp\xe2\x80\x9d\n\nfollowing eighth field \xe2\x80\x9cQA\xe2\x80\x9d 221 (for question mark) indi\n\napplication \xe2\x80\x9csa\'. A tenth field \xe2\x80\x9cQP\xe2\x80\x9d 223 is used to indicate\nthat the client wants the Server to indicate what protocol to\nuse for the particular application.\nPacket 206 initiates the Sequence of packet eXchanges,\ne.g., a RPC Bind Lookup Request to SERVER 2. It follows\na well-defined format, as do all the packets, and is trans\n\nThe flow signature and flow states built up as a result of\nthis exchange are now described. When the packet monitor\n300 sees the request packet 206 from the client, a first flow\nsignature 210 is built in the parser Subsystem 301 according\nto the pattern and extraction operations database 308. This\nSignature 210 includes a destination and a Source address\n240 and 241. One aspect of the invention is that the flow\nkeys are built consistently in a particular order no matter\nwhat the direction of conversation. Several mechanisms may\nbe used to achieve this. In the particular embodiment, the\nnumerically lower address is always placed before the\nnumerically higher address. Such least to highest order is\nused to get the best Spread of Signatures and hashes for the\nlookup operations. In this case, therefore, Since we assume\n\xe2\x80\x9cS\xe2\x80\x9d<\xe2\x80\x9cC\xe2\x80\x9d, the order is address \xe2\x80\x9cS\xe2\x80\x9d followed by client\naddress \xe2\x80\x9cC\xe2\x80\x9d. The next field used to build the signature is a\nprotocol field 242 extracted from packet 206\'s field 216, and\n\nthus is the protocol \xe2\x80\x9cp". The next field used for the\n\nthese two fields in signature KEY 1 (230). Note that in FIG.\n2, if an address identifies the client 106 (shown also as 202),\n\nused in the drawing is \xe2\x80\x9cS\xe2\x80\x9d. The first two fields 214 and 215\nin packet 206 are \xe2\x80\x9cS\xe2\x80\x9d and \xe2\x80\x9cC\xe2\x80\x9d because packet 206 is\nprovided from the server 110 and is destined for the client\n106. Suppose for this example, \xe2\x80\x9cS\xe2\x80\x9d is an address numeri\n\n30\n\n60\n\nthis application \xe2\x80\x9ca\xe2\x80\x9d. A next-state field 255 defines the next\nState that the State processor should proceed to for more\ncomplex recognition jobs, e.g., a state \xe2\x80\x9cst". In this particular\napplication \xe2\x80\x9ca\xe2\x80\x9d. Two such packets 208 and 209 are shown,\n\none in each direction. They use the particular application\nService requested in the original Bind Lookup Request, and\neach will be recognized because the signature KEY-2 will be\n\nbuilt in each case.\n\nThe two flow signatures 210 and 212 always order the\ndestination and source address fields with server \xe2\x80\x9cS\xe2\x80\x9d fol\nlowed by client \xe2\x80\x9cC\xe2\x80\x9d. Such values are automatically filled in\nfrom the server 110 to the client 106. The protocol \xe2\x80\x9cp\' is when the addresses are first created in a particular flow\nused as indicated in field 226. The request "i" is in field 229. 65 Signature. Preferably, large collections of flow Signatures are\nValues have been filled in for the application port number, kept in a lookup table in a least-to-highest order for the best\ne.g., in field 233 and protocol \xe2\x80\x9cp\xe2\x80\x9d in field 233.\nSpread of flow Signatures and hashes.\nApp. II-108\nand Source addresses are carried in fields 224 and 225, e.g.,\nindicated \xe2\x80\x9cC\xe2\x80\x9d and \xe2\x80\x9cS\xe2\x80\x9d, respectively. Notice the order is\nnow reversed, since the client-Server message direction is\n\n\x0c31\n\nUS 6,839,751 B1\n\nThereafter, the client and Server exchange a number of\npackets, e.g., represented by request packet 208 and\nresponse packet 209. The client 106 sends packets 208 that\nhave a destination and Source address S and C, in a pair of\n\nThe base functions are chosen to be simple to calculate in\nreal time and from which complete QOS metrics may be\ndetermined. Other breakdowns of functions clearly are pos\nsible within the scope of the invention.\nSuch metric determining may be carried out, for example,\nby the State processor running instructions in the State\nprocessor instruction and pattern database 326. Such base\nmetrics may then be sent by the analyzer Subsystem via a\nmicroprocessor or logic circuit connected to the monitor.\nAlternatively, Such metric determining may be carried out by\n\nfields 260 and 261. A field 262 defines the protocol as \xe2\x80\x9cp\xe2\x80\x9d,\n\nand a field 263 defines the destination port number.\nSome network-Server application recognition jobs are So\nSimple that only a single State transition has to occur to be\nable to pinpoint the application that produced the packet.\nOthers require a Sequence of State transitions to occur in\norder to match a known and predefined climb from State\n\na microprocessor (or Some other logic) connected to the\n\nto-State.\n\nThus the flow signature for the recognition of application\n\n\xe2\x80\x9ca\xe2\x80\x9d is automatically set up by predefining what packet\n\neXchange Sequences occur for this example when a rela\ntively simple Sun Microsystems Remote Procedure Call\nbind lookup request instruction executes. More complicated\neXchanges than this may generate more than two flow\nSignatures and their corresponding States. Each recognition\nmay involve Setting up a complex State transition diagram to\nbe traversed before a \xe2\x80\x9cfinal\xe2\x80\x9d resting state such as \xe2\x80\x9cst,\xe2\x80\x9d in\nfield 255 is reached. All these are used to build the final set\nof flow Signatures for recognizing a particular application in\n\n15\n\nRe-Using Information from Flows for Maintaining Metrics\nThe flow-entry of each flow stores a set of statistical\nmeasures for the flow, including the total number of packets\n\n25\n\nin the flow, the time of arrival, and the differential time from\nthe last arrival.\n\n(QOS) by providing QOS Metrics.\nQuality of Service Traffic Statistics (Metrics)\n\nThis next Section defines the common Structure that may\n\n35\n\n40\n\n1504. The main reason for the breakdown is that the\n\nponents may be configured to access flow-entry records via\ncache system 1115 to enable the microprocessor to deter\nmine and report the base metrics.\nThe QOS Metrics may broken into the following Metrics\nGroups. The names are descriptive. The list is not\nexhaustive, and other metrics may be used. The QOS metrics\nmetrics.\nTraffic Metrics Such as CSTraffic and SCTraffic.\nJitter Metrics Such as CSTraffic and CS Traffic.\n\nEXchange Re Sp on Se Metric S Such S\nCS Exchange Response Time Start To Start,\nCS Exchange Response Time End To Start,\nCS Exchange Response Time Start To End,\nSC Exchange Response Time Start To Start,\nSCExchangeResponseTimeEndToStart, and SCExchang\neResponseTimeStartToEnd.\nTransaction Response Metric S. Such as\nCSTransaction Response Time Start To Start,\nCS Application Response Time End To Start,\nCS Application Response Time Start To End,\nS C Transaction Response Time Start To Start,\nSCApplicationResponseTimeEndToStart, and SCApplica\ntion ResponseTimeStartToEnd.\n\nConnection Metrics such as Connection Establishment\n\nand ConnectionGracefulTermination, and Connection Tim\n\nConnection Sequence Me tric S. Such as\n\n45\n\n50\n\nCS Connection Re transmissions,\nSC Connection Re transmissions,\nand\nCSConnectionOutOfCorders, SCConnectionOutOfC)rders.\nConnection Window Metrics, CSConnectionWindow,\nSCConnectionWindow, CSConnection FrozenWindows,\nSC Connection Frozen Windows,\nCSConnectionClosed Windows, and SCConnectionClosed\n\nWindows.\n\nOOS Base Metrics\n\n55\n\ning to one aspect of the invention. It also defines the\n\nin an embodiment of the invention to support QOS. The base\nmetrics are determined as part of State processing or by a\nprocessor connected to monitor 300, and the QOS metrics\nare determined from the base metrics by the host computer\n\nface and control 1118 and host bus interface. These com\n\neoutTermination.\n\nbe applied for the Quality of Service (QOS) Metrics accord\n\n\xe2\x80\x9coriginal\xe2\x80\x9d (or \xe2\x80\x9cbase\xe2\x80\x9d) set of metrics that may be determined\n\nflow-entry database 324. In our preferred hardware imple\nmentation shown in FIGS. 10 and 11, such a microprocessor\nis connected cache System 1115 via an analyzer host inter\n\nbelow include client-to-server (CS) and server-to-client (SC)\n\nthe future.\n\nReferring again to FIG. 3, the State processing proceSS\n328 performs operations defined for the state of the flow, for\nexample for the particular protocol so far identified for the\nflow. One aspect of the invention is that from time to time,\na Set of one or more metrics related t the flow may be\ndetermined using one or more of the Statistical measures\nStored in the flow-entry. Such metric determining may be\ncarried out, for example, by the State processor running\ninstructions in the State processor instruction and pattern\ndatabase 326. Such metrics may then be sent by the analyzer\nSubsystem to a host computer connected to the monitor.\nAlternatively, Such metric determining may be carried out by\na processor connected to the flow-entry database 324. In our\npreferred hardware implementation shown in FIG. 10, an\nanalyzer host interface and control 1118 may be configured\nto configured to acceSS flow-entry records via cache System\n1115 to output to a processor via the hostbus interface. The\nprocessor may then do the reporting of the base metrics.\nFIG. 15 describes how the monitor system can be set up\nwith a host computer 1504. The monitor 300 sends metrics\nfrom time to time to the host computer 1504, and the host\ncomputer 1504 carries out part of the analysis.\nThis following section describes how the monitor of the\ninvention can be used to monitor the Quality of Service\n\n32\n\n60\n\nThe Simplest means of representing a group of data is by\nfrequency distributions in Sub-ranges. In the preferred\nembodiment, there are Some rules in creating the Sub-ranges.\nFirst the range needs to be known. Second a Sub-range size\nneeds to be determined. Fixed Sub-range Sizes are preferred,\nalternate embodiments may use variable Sub-range sizes.\nDetermining complete frequency distributions may be\ncomputationally expensive. Thus, the preferred embodiment\nuses metricS determined by Summation functions on the\nindividual data elements in a population.\nThe metrics reporting process provides data that can be\n\nused to calculate useful Statistical measurements. In one\n\ncomplete QOS metricS may be computationally complex, 65 embodiment, the metrics reporting process is part of the State\ninvolving Square roots and other functions requiring more processing that is carried out from time to time according to\ncomputational resources than may be available in real time. the State, and in another embodiment, the metricS reporting\nApp. II-109\n\n\x0c33\n\nUS 6,839,751 B1\n\nproceSS carried out from time to time by a microprocessor\nhaving access to flow records. Preferably, the metrics report\ning process provides base metricS and the final QOS metrics\ncalculations are carried out by the host computer 1504. In\naddition to keeping the real time State processing Simple, the\npartitioning of the tasks in this way provides metrics that are\nScalable. For example, the base metricS from two intervals\nmay be combined to metrics for larger intervals.\nConsider, for example is the arithmetic mean defined as\nthe sum of the data divided by the number of data elements.\nX=\n\nRange R=X-X\n\n15\n\n25\n\nX(X) sum of all the data point values squared for the\n\n35\n\nN\n\n(), X2)-2X N(XX) + N(X)\n\nTrend information, which may be the trend between\npolled intervals and the trend within an interval. Trend\ning between polled intervals is a management applica\ntion function. Typically the management Station would\ntrend on the average of the reported interval. The trend\nwithin an interval is presented as an enumerated type\nand can easily be generated by Subtracting the first\nvalue in the interval from the last and assigning trend\nbased on the Sign value.\nOne or more of the following different data elements may\nbe included in various implementation of the metric.\nenumeration can be based on this easy calculation.\n\nmaintained in flow-entries. It is not necessary to cache all the\n\nN XEN\n\nN\n\nSum of the deltas (i.e., differential values). The trend\n\nA metric is used to describe events over a time interval.\nThe base metrics are determined from Statistical measures\nevents and then count them at the end of the interval. The\n\nN\n\nAlternate Embodiments\n\nmetric.\n\nbase metrics have also been designed to be easily Scaleable\nin terms of combining adjacent intervals.\nThe following rules are applied when combining base\nmetrics for contiguous time intervals.\n\nX (X2)\n\nStandard Deviation O =\n\nX (X-X)\nN\n\nthe same.\nThe base metricS have been chosen to maximize the\n\nX. maximum data point value for the metric.\nX minimum data point value for the metric.\n\nXX\nN\n\nRoot Mean Square RMS =\n\nWariance O =\n\namount of data available while minimizing the amount of\nmemory needed to Store the metric and minimizing the\nprocessing requirement needed to generate the metric. The\nbase metrics are provided in a metric data Structure that\ncontains five unsigned integer values.\nN count of the number of data points for the metric.\nXX Sum of all the data point values for the metric.\n\nit.\'\n\nArithmetic Mean X =\n\nN\n\nTwo base metrics provided by the metricS reporting\nproceSS are the Sum of the X, and the number of elements N.\nThe host computer 1504 performs the division to obtain the\naverage. Furthermore, two sets base metrics for two inter\nvals may be combined by adding the sum of the X\'s and by\nadding the number of elements to get a combined Sum and\nnumber of elements. The average formula then works just\n\n34\n\nSum of the absolute values of the delta values. This would\n40\n\n45\n\nprovide a measurement of the overall movement within\nan interval.\n\nSum of positive delta Values and Sum of the negative delta\nvalues. Expanding each of these with an associated\ncount and maximum would give nice information.\nThe statistical measurement of skew can be obtained by\n\nadding X(X) to the existing metric.\n\nThe Statistical measurement of kurtosis can be obtained\n\nX.na. MAXOX)\nX, MIN(X)\n\nIn addition to the above five values, a \xe2\x80\x9ctrend\xe2\x80\x99 indicator is\n\n50\n\nincluded in the preferred embodiment data structure. This is\nprovided by an enumerated type. The reason for this is that\nthe preferred method of generating trend information is by\nSubtract an initial first value for the interval from the final\n\nvalue for the interval. Only the sign of the resulting number\nmay have value, for example, to determine an indication of\n\n55\n\nTypical operations that may be performed on the base\n\nFreatiency\ni\ny Tineinterval\n\nMaximum X.\nMinimum X.\n\nthe data.\nVarious metrics are now described in more detail.\nTraffic Metrics\nCSTraffic\nDefinition\n\ntrend.\n\nmetrics include:\nNumber N.\n\nby adding X(X) and X (X") to the existing metric.\n\nData to calculate a slope of a least-Squares line through\n\nThis metric contains information about the volume of\n\n60\n\ntraffic measured for a given application and either a specific\nClient-Server Pair or a specific Server and all of its clients.\nThis information duplicates, Somewhat, that which may\n\nbe found in the standard, RMON II, AL/NL Matrix Tables.\n\nIt has been included here for convenience to applications\nand the associated benefit of improved performance by\navoiding the need to access different functional RMON\nareas when performing QOS Analysis.\nApp. II-110\n65\n\n\x0cUS 6,839,751 B1\n\n35\n\n36\n-continued\n\nMetric Specification\n\nMetric Specification\nMetric\n\nApplicability Units\n\nPackets Count of the # of Packets\n\nXE\n\nApplicable\n\nOctets\n\nSum total of the # of Octets in\n\nMaximum Applicable\n\nto the Server.\n\nMinimum Applicable\n\nMetric\n\nApplicability\n\nUnits\n\nN\n\nApplicable\n\nXE\n\nApplicable\n\nMaximum Not Applicable\nMinimum Not Applicable\n\nDescription\n\nfrom the Client(s) to the Server\nthese packets from the Client(s)\n\nSCTraffic\nDefinition\nThis metric contains information about the volume of\n\napplication and either a specific Client-Server Pair or a\nspecific Server and all of its clients. Specifically, SCJitter\nmeasures the Jitter for Data Messages from the Client to the\n\nServer.\n25\n\nUnits\n\nN\n\nApplicable\n\nPackets Count of the # of Packets\n\nXE\n\nApplicable\n\nOctets\n\nMaximum\nMinimum\n\nNot Applicable\nNot Applicable\n\nDescription\n\nconsidered within the measurement of this metric.\n\nfrom the Server to the Client(s)\nSum total of the # of Octets\n\nin these packets from the Server\nto the Client(s).\n\nJitter Metrics\nCSJitter\nDefinition\n\nMetric Specification\n35\n\n40\n\nThis metric contains information about the Jitter (e.g.\nInter-packet Gap) measured for data packets for a given\n\napplication and either a specific Client-Server Pair or a\nspecific Server and all of its clients. Specifically, CSJitter\nmeasures the Jitter for Data Messages from the Client to the\n\nServer.\n\nA Data Message starts with the 1 Transport Protocol\nData Packet/Unit (TPDU) from the Client to the Server and\nis demarcated (or terminated) by 1\' Subsequent Data Packet\nin the other direction. Client to Server Inter-packet Gaps are\nmeasured between Data packets within the Message. Note\nthat in our implementalions, ACKnowledgements are not\n\n50\n\n55\n\nMetric Specification\nApplicability Units\n\nDescription\n\nN\n\nApplicable\n\nInter-\n\nCount of the # of Inter-Packet\n\nGaps\n\nClient(s) to the Server\n\nGaps measured for Data from the\n\nDescription\n\nApplicable\n\nInter-\n\nCount of the # of Inter-Packet\n\nXE\n\nApplicable\n\nuSeconds\n\nSum total of the Delta Times\n\nMaximum\n\nApplicable\n\nuSeconds\n\nThe maximum Delta Time of\n\nMinimum\n\nApplicable\n\nuSeconds\n\nThe minimum Delta Time of\n\nPacket\n\nGaps\n\nGaps measured for Data from\n\nthe Server to the Client(s).\n\nin these Inter-Packet Gaps.\n\nInter-Packet Gaps measured\n\nInter-Packet Gaps measured.\n\nDefinition\n\nThis metric contains information about the Transport\nlevel response time measured for data packets for a given\napplication and either a specific Client-Server Pair or a\nspecific Server and all of its clients. Specifically, CSExchan\ngeResponseTimeStartToStart measures the response time\nbetween start of Data Messages from the Client to the Server\nand the Start of their Subsequent response Data Messages\nfrom the Server to the Client.\n\n60\n\nMetric\n\nApplicability Units\n\nN\n\nExchange Response Metrics\nCSExchangeResponseTimeStartToStart\n\nAlso, there is no consideration in the measurement for\n\nretransmissions or out-of-order data packets. The interval\nbetween the last packet in a Data Message from the Client\nto the Server and the 1 packet of the Next Message in the\nSame direction is not interpreted as an Inter-Packet Gap.\n\nMetric\n\n45\n\nconsidered within the measurement of this metric.\n\nPacket\n\nA Data Message starts with the 1 Transport Protocol\nData Packet/Unit (TPDU) from the Server to the Client and\nis demarcated (or terminated) by 1\' subsequent Data Packet\n\nin the other direction. Server to Client Inter-packet Gaps are\nmeasured between Data packets within the Message. Note\nthat in our implementalions, ACKnowledgements are not\n\nMetric Specification\nApplicability\n\nDefinition\n\nThis metric contains information about the Jitter (e.g.\nInter-packet Gap) measured for data packets for a given\n\nbe found in the standard, RMON II, AL/NL Matrix Tables.\n\nMetric\n\nuSeconds Sum total of the Delta Times in\nthese Inter-Packet Gaps\nuSeconds The maximum Delta Time of Inter\nPacket Gaps measured\nuSeconds The minimum Delta Time of Inter\nPacket Gaps measured.\n\nSCJitter\n15\n\ntraffic measured for a given application and either a specific\nClient-Server Pair or a specific Server and all of its clients.\nThis information duplicates, Somewhat, that which may\nIt has been included here for convenience to applications\nand the associated benefit of improved performance by\navoiding the need to access different functional RMON\nareas when performing QOS Analysis.\n\nDescription\n\n65\n\nA Client->Server Data Message starts with the 1 Trans\nport Protocol Data Packet/Unit (TPDU) from the Client to\nthe Server and is demarcated (or terminated) by 1 subse\n\nquent Data Packet in the other direction. The total time\nbetween the start of the Client->Server Data Message and\nthe start of the Server->Client Data Message is measured\nwith this metric. Note that ACKnowledgements are not\nconsidered within the measurement of this metric.\n\nApp. II-111\n\n\x0cUS 6,839,751 B1\n\n37\n\n38\nA Client->Server Data Message starts with the 1 Trans\nport Protocol Data Packet/Unit (TPDU) from the Client to\nthe Server and is demarcated (or terminated) by 1 subse\n\nAlso, there is no consideration in the measurement for\n\nretransmissions or out-of-order data packets.\n\nquent Data Packet in the other direction. The end of the\n\nResponse Message in the other direction (e.g. from the\nServer to the Client) is demarcated by the last data of the\nMessage prior to the 1 data packet of the next Client to\n\nMetric Specification\nMetric\n\nApplicability Units\n\nDescription\n\nN\n\nApplicable\n\nCount of the # Client->Server\nMessages measured for Data\n\nClient->\nServer\n\nMessages Exchanges from the Client(s)\nXE\n\nApplicable\n\nMaximum\n\nApplicable\n\nMinimum\n\nApplicable\n\n1O\n\nto the Server\n\nuSeconds Sum total of the Start-to-Start\nDelta Times in these Exchange\nResponse Times\nuSeconds The maximum Start-to-Start\nDelta Time of these Exchange\nResponse Times\nuSeconds The minimum Start-to-Start\nDelta Time of these Exchange\nResponse Times\n\nmeasurement of this metric.\n\nAlso, there is no consideration in the measurement for\n\n15\n\nretransmissions or out-of-order data packets.\nMetric Specification\n\nCSExchangeResponseTimeEndToStart\nDefinition\n\nThis metric contains information about the Transport\nlevel response time measured for data packets for a given\napplication and either a specific Client-Server Pair or a\nspecific Server and all of its clients. Specifically, CSExchan\ngeResponseTimeEndToStart measures the response time\nbetween end of Data Messages from the Client to the Server\nand the Start of their Subsequent response Data Messages\n\nServer Message. The total time between the start of the\nClient->Server Data Message and the end of the Server\n>Client Data Message is measured with this metric. Note\nthat ACKnowledgements are not considered within the\n\nMetric\n\nApplicability Units\n\nDescription\n\nN\n\nApplicable\n\nCount of the # Client->Server\nand Server->Client Exchange\n\nmessage pairs measured for Data\nExchanges Exchanges from the Client(s)\n25\n\nXE\n\nApplicable\n\nMaximum Applicable\n\nfrom the Server to the Client.\n\nA Client->Server Data Message starts with the 1 Trans\nport Protocol Data Packet/Unit (TPDU) from the Client to\n\nMinimum Applicable\n\nthe Server and is demarcated (or terminated) by 1\' subse\n\nquent Data Packet in the other direction. The total time\nbetween the end of the Client->Server Data Message and the\nstart of the Server->Client Data Message is measured with\nthis metric. Note that ACKnowledgements are not consid\n\n35\n\nAlso, there is no consideration in the measurement for\n40\n\nMetric Specification\nMetric\n\nApplicability Units\n\nDescription\n\nN\n\nApplicable\n\nCount of the # Client->Server\nMessages measured for Data\n\nClient->\nServer\n\nApplicable\n\nMaximum\n\nApplicable\n\nMinimum\n\nApplicable\n\nto the Server\n\nuSeconds Sum total of the End-to-Start\nDelta Times in these Exchange\nResponse Times\nuSeconds The maximum End-to-Start\nDelta Time of these Exchange\nResponse Times\nuSeconds The minimum End-to-Start\nDelta Time of these Exchange\nResponse Times\n\nSCExchangeResponseTimeStartToStart\nDefinition\n\nThis metric contains information about the Transport\nlevel response time measured for data packets for a given\napplication and either a specific Client-Server Pair or a\nspecific Server and all of its clients. Specifically, SCExchan\ngeResponseTimeStartToStart measures the response time\nbetween start of Data Messages from the Server to the Client\nand the Start of their Subsequent response Data Messages\nfrom the Client to the Server.\n\n45\n\nMessages Exchanges from the Client(s)\nXE\n\n50\n\nA Server->Client Data Message starts with the 1 Trans\nport Protocol Data Packet/Unit (TPDU) from the Server to\nthe Client and is demarcated (or terminated) by 1\' subse\n\nquent Data Packet in the other direction. The total time\nbetween the start of the Server->Client Data Message and\nthe start of the Client->Sever Data Message is measured\nwith this metric. Note that ACKnowledgements are not\nconsidered within the measurement of this metric.\n\nAlso, there is no consideration in the measurement for\n\n55\n\nretransmissions or out-of-order data packets.\n\nCSExchangeResponseTimeStartToEnd\nDefinition\n\nto the Server\n\nuSeconds Sum total of the Start-to-End\nDelta Times in these Exchange\nResponse Times\nuSeconds The maximum Start-to-End\nDelta Time of these Exchange\nResponse Times\nuSeconds The minimum Start-to-End Delta\nTime of these Exchange Response\nTimes\n\nered within the measurement of this metric.\n\nretransmissions or out-of-order data packets.\n\nClient->\nServer\nMessage\n\nThis metric contains information about the Transport 60 Metric\nlevel response time measured for data packets for a given N\napplication and either a specific Client-Server Pair or a\nspecific Server and all of its clients. Specifically, CSExchan\ngeResponseTimeEndToStart measures the response time XE\nbetween Start of Data Messages from the Client to the 65\nServer and the End of their subsequent response Data\nMessages from the Server to the Client.\nApp. II-112\n\nMetric Specification\nApplicability Units\n\nApplicable\n\nDescription\n\nServer-> Count of the # Server->Client\nClient\nMessages measured for Data\n\nMessages Exchanges from the Client(s)\n\nApplicable\n\nto the Server\n\nuSeconds Sum total of the Start-to-Start\nDelta Times in these Exchange\nResponse Times\n\n\x0cUS 6,839,751 B1\n\n39\n\nClient Message. The total time between the start of the\nServer->Client Data Message and the end of the Client\n>Server Data Message is measured with this metric. Note\nthat ACKnowledgements are not considered within the\n\n-continued\n\nMetric Specification\nMetric\n\nApplicability Units\n\nMaximum\n\nApplicable\n\nMinimum\n\nApplicable\n\nmeasurement of this metric.\n\nDescription\n\nuSeconds The maximum Start-to-Start\nDelta Time of these Exchange\nResponse Times\nuSeconds The minimum Start-to-Start\nDelta Time of these Exchange\nResponse Times\n\nAlso, there is no consideration in the measurement for\n\nretransmissions or out-of-order data packets.\n1O\n\nSCExchangeResponseTimeEndToStart\nDefinition\n\nThis metric contains information about the Transport\nlevel response time measured for data packets for a given\napplication and either a specific Client-Server Pair or a\nspecific Server and all of its clients. Specifically, SCExchan\ngeResponseTimeEndToStart measures the response time\nbetween end of Data Messages from the Server to the Client\nand the Start of their Subsequent response Data Messages\n\nA Server->Client Data Message starts with the 1 Trans\nport Protocol Data Packet/Unit (TPDU) from the Server to\nthe Client and is demarcated (or terminated) by 1\' subse\n\nXE\n\nApplicable\n\nMaximum Applicable\nMinimum Applicable\n\n40\n\nto the Server\n\n50\n\nDefinition\n\nport Protocol Data Packet/Unit (TPDU) from the Server to\nthe Client and is demarcated (or terminated) by 1. Subse\nquent Data Packet in the other direction. The end of the\nResponse Message in the other direction (e.g. from the\nServer to the Client) is demarcated by the last data of the\nMessage prior to the 1 data packet of the next Server to\n\nTimes\n\nuSeconds The minimum Start-to-End Delta\nTime of these Exchange Response\nTimes\n\nThis metric contains information about the Application\nlevel response time measured for application transactions for\na given application and either a specific Client-Server Pair or\na specific Server and all of its clients. Specifically, CSTrans\nactionResponseTimeStartToStart measures the response\ntime between Start of an application transaction from the\nClient to the Server and the start of their subsequent trans\naction response from the Server to the Client.\n\nA Client->Server transaction starts with the 1 Transport\nProtocol Data Packet/Unit (TPDU) of a transaction request\nfrom the Client to the Server and is demarcated (or\nterminated) by 1. Subsequent data packet of the response to\nSured with this metric.\nThis metric is considered a \xe2\x80\x9cbest-effort\' measurement.\n\nTimes\n\nThis metric contains information about the Transport\nlevel response time measured for data packets for a given\napplication and either a specific Client-Server Pair or a\nspecific Server and all of its clients. Specifically, SCExchan\ngeResponseTimeEndToStart measures the response time\nbetween Start of Data Messages from the Server to the\nClient and the End of their subsequent response Data\nMessages from the Client to the Server.\nA Server->Client Data Message starts with the 1 Trans\n\nMessage message pairs measured for Data\nExchanges Exchanges from the Server to the\nClient(s)\nuSeconds Sum total of the Start-to-End\nDelta Times in these Exchange\nResponse Times\nuSeconds The maximum Start-to-End Delta\nTime of these Exchange Response\n\nthe transaction request. The total time between the Start of\nthe Client->Server transaction request and the Start of the\nactual transaction response from the Server->Client is mea\n\nuSeconds Sum total of the End-to-Start\nDelta Times in these Exchange\nResponse Times\nuSeconds The maximum End-to-Start\nDelta Time of these Exchange\nResponse Times\nuSeconds The minimum End-to-Start Delta\nTime of these Exchange Response\n\nSCExchangeResponseTimeStartToEnd\n\nCount of the # Server->Client\n\nand Client->Server Exchange\n\nDefinition\n\nDescription\n\nMessages Exchanges from the Client(s)\n\nServer\n\nDescription\n\nTransaction Response Metrics\nCSTransaction ResponseTimeStartToStart\n\n35\n\nServer-> Count of the # Server->Client\nClient\nMessages measured for Data\n\nApplicable\n\nClient-\n\n25\n\nretransmissions or out-of-order data packets.\n\nApplicable\n\nApplicable\n\nMinimum Applicable\n\nAlso, there is no consideration in the measurement for\n\nN\n\nApplicability Units\n\nN\n\nMaximum Applicable\n\nered within the measurement of this metric.\n\nApplicability Units\n\nMetric\n\nXE\n\nquent Data Packet in the other direction. The total time\nbetween the end of the Server->Client Data Message and the\nstart of the Client->Server Data Message is measured with\nthis metric. Note that ACKnowledgements are not consid\n\nMetric Specification\n\nMetric Specification\n\n15\n\nfrom the Client to the Server.\n\nMetric\n\n40\n\nSystems implementing this metric should make a \xe2\x80\x9cbest\neffort\xe2\x80\x9d to demarcate the Start and end of requests and\nresponses with the Specific application\'s definition of a\nlogical transaction. The lowest level of Support for this\nmetric would make this metric the equivalent of CSExchan\ngeResponseTimeStartToStart.\n\n55\n\nMetric Specification\nMetric\n\nApplicability Units\n\nN\n\nApplicable\n\nXE\n\nApplicable\n\nuSeconds\n\nSum total of the Start-to-Start\n\nMaximum Applicable\n\nuSeconds\n\nThe maximum Start-to-Start\n\n60\n\n65\n\nApp. II-113\n\nDescription\n\nClient->Svir Count of the # Client->Server\nTransaction Transaction Requests measured\nRequests\nfor Application requests from\nthe Client(s) to the Server\n\nDelta Times in these Application\nResponse Times\nDelta Time of these Application\nResponse Times\n\n\x0cUS 6,839,751 B1\n\n41\n\n42\nin the other direction (e.g. from the Server to the Client) is\ndemarcated by the last data of the transaction response prior\n\n-continued\n\nto the 1 data of the next Client to Server Transaction\n\nMetric Specification\nMetric\n\nApplicability Units\n\nMinimum Applicable\n\nuSeconds\n\nRequest. The total time between the start of the Client\n>Server transaction request and the end of the Server\n>Client transaction response is measured with this metric.\n\nDescription\nThe minimum Start-to-Start\n\nThis metric is considered a \xe2\x80\x9cbest-effort\' measurement.\n\nDelta Time of these Application\nResponse Times\n\nSystems implementing this metric should make a \xe2\x80\x9cbest\neffort\xe2\x80\x9d to demarcate the Start and end of requests and\nresponses with the Specific application\'s definition of a\nlogical transaction. The lowest level of Support for this\nmetric would make this metric the equivalent of CSExchan\ngeResponseTimeStartToEnd.\n\nCSApplication ResponseTimeEndToStart\nDefinition\n\nThis metric contains information about the Application\nlevel response time measured for application transactions for\na given application and either a Specific Client-Server Pair or\na specific Server and all of its clients. Specifically, CSA.pplicationResponseTimeEndToStart measures the response\ntime between end of an application transaction from the\nClient to the Server and the start of their subsequent trans\naction response from the Server to the Client.\nA Client->Server transaction starts with the 1 Transport\n\n15\n\nMetric Specification\n\nProtocol Data Packet/Unit (TPDU) of a transaction request\nfrom the Client to the Server and is demarcated (or\nterminated) by 1. Subsequent data packet of the response to\n\nthe transaction request The total time between the end of the\nClient->Server transaction request and the Start of the actual\ntransaction response from the Server->Client is measured\n\nApplicability Units\n\nDescription\n\nN\n\nApplicable\n\nClient->Svir Count of the # Client->Server\nTransaction Transaction Requests measured\nRequests\nfor Application requests from\n\nXE\n\nApplicable\n\nuSeconds\n\nMaximum Applicable\n\nuSeconds\n\nThe maximum End-to-Start\n\nMinimum Applicable\n\nuSeconds\n\nThe minimum End-to-Start\n\nthe Client(s) to the Server\nSum total of the End-to-Start\nDelta Times in these Application\nResponse Times\n\n25\n\n35\n\n40\n\nCount of the # Client<->Server\n\nrequest/response pairs measured\n\nApplicable\n\nuSeconds\n\nSum total of the Start-to-End\n\nMaximum Applicable\n\nuSeconds\n\nThe maximum Start-to-End\n\nMinimum Applicable\n\nuSeconds\n\nThe minimum Start-to-End Delta\n\nClient(s) to the Server\n\nDelta Times in these Application\nResponse Times\nDelta Time of these Application\nResponse Times\n\nTime of these Application\nResponse Times\n\nThis metric contains information about the Application\nlevel response time measured for application transactions for\na given application and either a Specific Client-Server Pair or\na specific Server and all of its clients. Specifically, SCTrans\nactionResponseTimeStartToStart measures the response\ntime between Start of an application transaction from the\nServer to the Client and the start of their subsequent trans\naction response from the Client to the Server.\nA Server->Client transaction starts with the 1 Transport\n\n45\n\nProtocol Data Packet/Unit (TPDU) of a transaction request\nfrom the Server to the Client and is demarcated (or\nterminated) by 1. Subsequent data packet of the response to\n\n50\n\nSured with this metric.\nThis metric is considered a \xe2\x80\x9cbest-effort\' measurement.\n\nDefinition\n\nProtocol Data Packet/Unit (TPDU) a transaction request\nfrom the Client to the Server and is demarcated (or\nterminated) by 1\' Subsequent data packet of the response to\n\nClient->\n\nServer\n\nDefinition\n\nCSApplication ResponseTimeStartToEnd\nThis metric contains information about the Application\nlevel response time measured for application transactions for\na given application and either a Specific Client-Server Pair or\na specific Server and all of its clients. Specifically, CSTrans\nactionResponseTimeStartToEnd measures the response time\nbetween Start of an application transaction from the Client\nto the Server and the End of their subsequent transaction\nresponse from the Server to the Client.\nA Client->Server transaction starts with the 1 Transport\n\nApplicable\n\nDescription\n\nSCTransactionResponseTimeStartToStart\n\nDelta Time of these Application\nResponse Times\nDelta Time of these Application\nResponse Times\n\nN\n\nXE\n\nMetric Specification\nMetric\n\nApplicability Units\n\nTransactions for transactions from the\n\nwith this metric\nThis metric is considered a \xe2\x80\x9cbest-effort\' measurement.\n\nSystems implementing this metric should make a \xe2\x80\x9cbest\neffort\xe2\x80\x9d to demarcate the Start and end of requests and\nresponses with the Specific application\'s definition of a\nlogical transaction. The lowest level of Support for this\nmetric would make this metric the equivalent of CSExchan\ngeResponseTimeEndToStart.\n\nMetric\n\n55\n\nthe transaction request. The total time between the Start of\nthe Server->Client transaction request and the Start of the\nactual transaction response from the Client->Server is mea\n\nSystems implementing this metric should make a \xe2\x80\x9cbest\neffort\xe2\x80\x9d to demarcate the Start and end of requests and\nresponses with the Specific application\'s definition of a\nlogical transaction. The lowest level of Support for this\nmetric would make this metric the equivalent of SCExchan\ngeResponseTimeStartToStart.\nMetric Specification\n\n60\n\nMetric\n\nApplicability Units\n\nN\n\nApplicable\n\n65\n\nthe transaction request. The end of the Transaction Response\nApp. II-114\n\nDescription\n\nSvr->Client Count of the # Server->\nTransaction Client Transaction Requests\nRequests\nmeasured for Application\nrequests from the Server to\n\nthe Client(s)\n\n\x0cUS 6,839,751 B1\n\n43\n\n44\nbetween Start of an application transaction from the Server\nto the Client and the End of their subsequent transaction\nresponse from the Client to the Server.\nA Server->Client transaction starts with the 1 Transport\nProtocol Data Packet/Unit (TPDU) a transaction request\nfrom the Server to the Client and is demarcated (or\nterminated) by 1\' Subsequent data packet of the response to\nthe transaction request. The end of the Transaction Response\nin the other direction (e.g. from the Client to the Server) is\ndemarcated by the last data of the transaction response prior\n\n-continued\n\nMetric Specification\nMetric\n\nApplicability Units\n\nDescription\n\nXE\n\nApplicable\n\nuSeconds\n\nMaximum Applicable\n\nuSeconds\n\nThe maximum Start-to-Start\n\nMinimum Applicable\n\nuSeconds\n\nThe minimum Start-to-Start\n\nSum total of the Start-to-Start\n\nDelta Times in these Application\nResponse Times\nDelta Time of these Application\nResponse Times\n\nto the 1 data of the next Server to Client Transaction\n\nDelta Time of these Application\nResponse Times\n\nSCApplicationResponseTimeEndToStart\n\n15\n\nDefinition\n\nThis metric contains information about the Application\nlevel response time measured for application transactions for\na given application and either a Specific Client-Server Pair or\na specific Server and all of its clients. Specifically, SCAp\nplicationResponseTimeEndToStart measures the response\ntime between end of an application transaction from the\nServer to the Client a and the start of their subsequent\ntransaction response from the Client to the Server.\n\nA Server->Client transaction starts with the 1 Transport\nProtocol Data Packet/Unit (TPDU) of a transaction request\nfrom the Server to the Client and is demarcated (or\nterminated) by 1\' Subsequent data packet of the response to\n\nThis metric is considered a \xe2\x80\x9cbest-effort\' measurement.\n\nSystems implementing this metric should make a \xe2\x80\x9cbest\neffort\xe2\x80\x9d to demarcate the Start and end of requests and\nresponses with the Specific application\'s definition of a\nlogical transaction. The lowest level of Support for this\nmetric would make this metric the equivalent of SCExchan\ngeResponseTimeStartToEnd.\nMetric Specification\n\n25\n\nthe transaction request The total time between the end of the\nServer->Client transaction request and the Start of the actual\ntransaction response from the Client->Server is measured\n\nMetric\n\nApplicability Units\n\nDescription\n\nN\n\nApplicable\n\nCount of the # Server <->\n\nServer ->\n\nClient\n\nXE\n\nApplicable\n\nuSeconds\n\n35\n\nMaximum Applicable\n\nuSeconds\n\nN\n\nApplicable\n\nSvr -> Client Count of the #Server ->\nTransaction Client Transaction\n\nRequests\n\nXE\n\nApplicable\n\nDescription\n\nuSeconds\n\nRequests measured for\nApplication requests\nfrom the Server to the Client(s)\nSum total of the End-to-Start\nDelta Times in\n\nuSeconds\n\nMinimum Applicable\n\nuSeconds\n\nTimes\nThe minimum End-to-Start\nDelta Time of\n\nuSeconds\n\nThe minimum Start-to-End\nDelta Time of\n\nTimes\n\nConnection Metrics\nConnectionEstablishment\nDefinition\n\n50\n\nServer. The information contain, in essence, includes:\n\nnumber of connections established the Client(s) to the\n# Transport Connections Successfully established\nSet-up Times of the established connections\nMax. it of Simultaneous established connections.\n\n55\n\n# Failed Connection establishment attempts (due to either\ntimeout or rejection)\n\nNote that the \xe2\x80\x9cif of CURRENT Established Transport\nConnections\xe2\x80\x9d may be derived from this metric along with\n\nTimes\n\nDefinition\n\nTimes\n\nThis metric contains information about the transport-level\nconnection establishment for a given application and either\na specific Client-Server Pair or a specific Server and all of\nits clients. Specifically, ConnectionsEstablishment measures\n\nthese Application Response\n\nSCApplicationResponseTimeStartToEnd\n\nDelta Time of\n\n45\n\nTimes\nThe maximum End-to-Start\nDelta Time of\n\nthese Application Response\n\nThe maximum Start-to-End\n\nthese Application Response\n\nthese Application Response\n\nMaximum Applicable\n\nTimes\n\nthese Application Response\n\nMinimum Applicable\n\nMetric Specification\nApplicability Units\n\nfrom the Server to the Client(s)\n\nSum total of the Start-to-End\nDelta Times in\n\nthese Application Response\n\n40\n\nMetric\n\nClient request/response pairs\n\nTransactions measured for transactions\n\nwith this metric\nThis metric is considered a \xe2\x80\x9cbest-effort\' measurement.\n\nSystems implementing this metric should make a \xe2\x80\x9cbest\neffort\xe2\x80\x9d to demarcate the Start and end of requests and\nresponses with the Specific application\'s definition of a\nlogical transaction. The lowest level of Support for this\nmetric would make this metric the equivalent of SCExchan\ngeResponseTimeEndToStart.\n\nRequest. The total time between the start of the Server\n>Client transaction request and the end of the Client->Server\ntransaction response is measured with this metric.\n\nthe Connection GracefulTermination and Connection Tim\n60\n\neoutTermination metrics, as follows:\n\n# current connections:=="# Successfully established\xe2\x80\x9d\n\xe2\x80\x9c#terminated gracefully\'\n\xe2\x80\x9c#terminated by time-out\xe2\x80\x9d\nThe set-up time of a connection is defined to be the delta\ntime between the first transport-level, Connection Establish\n\nThis metric contains information about the Application\nlevel response time measured for application transactions for\na given application and either a Specific Client-Server Pair or 65\na specific Server and all of its clients. Specifically, SCTrans ment Request (i.e., SYN, CR-TPDU, etc.) and the first Data\nactionResponseTimeStartToEnd measures the response time Packet eXchanged on the connection.\nApp. II-115\n\n\x0cUS 6,839,751 B1\n\n45\n\n46\n\nMetric Specification\nMetric\n\nApplicability Units\n\nConnections Count of the # Connections\nEstablished from\n\nN\n\nApplicable\n\nConnections Count of the # Connections\n\nuSeconds\n\nSum total of the Connection\n\nXE\n\nApplicable\n\nmSeconds\n\nthese Established connections\nCount of the MAXIMUM\nsimultaneous # Connections\n\nMaximum Not\n\nMetric\n\nApplicability Units\n\nN\n\nApplicable\n\nApplicable\n\nXE\n\nMaximum Applicable\n\nMetric Specification\n5\n\nConnections\n\nDescription\n\nthe Client(s) to the Server\nSet-up Times in\n\nApplicable\n\nto the Server\nConnections Count of the Failed\nsimultaneous # Connections\n\nto the Server\n\nSum total of the Connection\n\nDurations (Lifetimes) of these\nterminated connections\n\nMinimum Not\n\nApplicable\n\n15\n\nConnection Sequence Metrics\n\nEstablished from the Client(s)\n\nCSConnectionRetransmissions\nDefinition\n\nto the Server\n\nThis metric contains information about the transport-level\nconnection health for a given application and either a\nspecific Client-Server Pair or a specific Server and all of its\nclients. Specifically, CSConnection Retransmissions mea\n\nConnectionGraceful Termination\nDefinition\n\nThis metric contains information about the transport-level\nconnections terminated gracefully for a given application\nand either a specific Client-Server Pair or a specific Server\nand all of its clients. Specifically, Connections.GracefulTer\nmination measures gracefully terminated connections both\nin Volume and Summary connection duration. The informa\n\nTimed-out between Client(s)\n\nApplicable\n\nEstablished from the Client(s)\n\nMinimum Not\n\nDescription\n\nSures number of actual events within established connection\n\nlifetimes in which Transport, data-bearing PDUs (packets)\n25\n\nfrom the Client->Server were retransmitted.\n\nNote that retransmission events as seen by the Network\nMonitoring device indicate the \xe2\x80\x9cduplicate\xe2\x80\x9d presence of a\nTPDU as observed on the network.\n\ntion contain, in essence, includes:\n\n# Gracefully terminated Transport Connections\n\nDurations (lifetimes) of gracefully terminated connec\n\nMetric Specification\n\ntions.\n\n35\n\nMetric Specification\nMetric\n\nApplicability Units\n\nN\n\nApplicable\n\nConnections Count of the # Connections\nGracefully Terminated\n\nXE\n\nApplicable\n\nmSeconds\n\nMaximum Not\n\nDescription\n\nbetween Client(s) to the Server\nSum total of the Connection\n\n40\n\nDurations (Lifetimes) of\nthese terminated connections\n\nApplicable\n\nMinimum Not\n\n45\n\nApplicable\n\nApplicability\n\nUnits\n\nDescription\n\nN\n\nApplicable\n\nEvents\n\nCount of the #Data TPDU\nretransmissions from the\n\nXE\nMaximum\nMinimum\n\nNot Applicable\nNot Applicable\nNot Applicable\n\nClient(s) to the Server\n\nSCConnectionRetransmissions\nDefinition\n\nThis metric contains information about the transport-level\nconnection health for a given application and either a\nspecific Client-Server Pair or a specific Server and all of its\nclients. Specifically, SCConnection Retransmissions mea\n\nSures number of actual events within established connection\n\nlifetimes in which Transport, data-bearing PDUs (packets)\n\nConnection TimeoutTermination\nDefinition\n\nfrom the Server->Client were retransmitted.\n\nThis metric contains information about the transport-level\n\n50\n\nNote that retransmission events as seen by the Network\nMonitoring device indicate the \xe2\x80\x9cduplicate\xe2\x80\x9d presence of a\n\n55\n\nMetric Specification\n\nconnections terminated non-gracefully (e.g. Timed-Out) for\n\na given application and either a Specific Client-Server Pair or\na specific Server and all of its clients. Specifically, Connec\ntionsTimeOut Termination measures previously established\nand timed-out connections both in Volume and Summary\nconnection duration. The information contain, in essence,\nincludes:\n\n# Timed-out Transport Connections\n\nDurations (lifetimes) of timed-out terminated connec\n\ntions.\nThe duration factor of this metric is considered a \xe2\x80\x9cbest\n\neffort\' measurement. Independent network monitoring\ndevices cannot really know when network entities actually\ndetect connection timeout conditions and hence may need to\nextrapolate or estimate when connection timeouts actually\nOCC.\n\nMetric\n\n60\n\n65\n\nTPDU as observed on the network.\n\nMetric\n\nApplicability\n\nUnits\n\nDescription\n\nN\n\nApplicable\n\nEvents\n\nCount of the #Data\nTPDU retransmissions\n\nXE\nMaximum\nMinimum\n\nNot Applicable\nNot Applicable\nNot Applicable\n\nCSConnectionOutOfC)rders\nDefinition\n\nfrom the Server to the Client(s)\n\nThis metric contains information about the transport-level\nconnection health for a given application and either a\nApp. II-116\n\n\x0cUS 6,839,751 B1\n\n47\n\n48\n\nspecific Client-Server Pair or a specific Server and all of its\nclients. Specifically, CSConnectionOutOfCorders measures\nnumber of actual events within established connection life\n\ntimes in which Transport, data-bearing PDUs (packets) from\n\nthe Client->Server were detected as being out of Sequential\n\nMetric Specification\n5\n\norder.\n\nNote that retransmissions (or duplicates) are considered to\n\nbe different than out-of-order events and are tracked Sepa\nrately in the CSConnection Retransmissions metric.\n\nMetric\n\nApplicability\n\nUnits\n\nDescription\n\nN\n\nApplicable\n\nEvents\n\nCount of the # ACKTPDU\nretransmissions from the\n\nXE\n\nNot Applicable Increments\n\nMaximum Not Applicable Increments\nMinimum Not Applicable Increments\n\nMetric Specification\n15\n\nMetric\n\nApplicability\n\nUnits\n\nDescription\n\nN\n\nApplicable\n\nEvents\n\nCount of the # Out-of-Order\n\nXE\nMaximum\nMinimum\n\nSCConnectionWindow\nDefinition\n\nThis metric contains information about the transport-level\nconnection windows for a given application and either a\nspecific Client-Server Pair or a specific Server and all of its\nclients. Specifically, SSConnectionWindow measures num\nber of Transport-level Acknowledges within established\n\nTPDU events from the Client(s)\nto the Server\n\nNot Applicable\nNot Applicable\nNot Applicable\n\nClient(s) to the Server\nSum total of the Window\nSizes of the Acknowledges\nThe maximum Window Size\nof these Acknowledges\nThe minimum Window Size\nof these Acknowledges\n\nconnection lifetimes and their relative sizes from the to\nServer->Client.\n\nSCConnectionOutOfC)rders\nDefinition\n\nThis metric contains information about the transport-level\nconnection health for a given application and either a\nspecific Client-Server Pair or a specific Server and all of its\nclients. Specifically, SCConnectionOutOfCorders measures\n\n25\n\nNote that the number of DATA TPDUs (packets) may be\n\nestimated by differencing the Acknowledge count of this\n\nmetric and the overall traffic from the Client to the Server\n\n(see SCTraffic above). A slight error in this calculation may\n\noccur due to Connection Establishment and Termination\n\nTPDUS, but it should not be significant.\n\nnumber of actual events within established connection life\n\ntimes in which Transport, data-bearing PDUs (packets) from\n\nthe Server->Client were detected as being out of Sequential\n\nMetric Specification\n\norder.\n\nNote that retransmissions (or duplicates) are considered to\n\nbe different than out-of-order events and are tracked Sepa\nrately in the SCConnection Retransmissions metric.\n\n40\n\nMetric Specification\nMetric\n\nApplicability\n\nUnits\n\nDescription\n\nN\n\nApplicable\n\nEvents\n\nCount of the # Out-of-Order\nTPDU events from the Server\n\nXE\nMaximum\nMinimum\n\nNot Applicable\nNot Applicable\nNot Applicable\n\n35\n\nto the Client(s)\n\n45\n\n50\n\nConnection Window Metrics\nCSConnectionWindow\nDefinition\n\nThis metric contains information about the transport-level\nconnection windows for a given application and either a\nspecific Client-Server Pair or a specific Server and all of its\nclients. Specifically, CSConnectionWindow measures num\nber of Transport-level Acknowledges within established\nconnection lifetimes and their relative sizes from the Client\n>Server.\n\nNote that the number of DATA TPDUs (packets) may be\n\nestimated by differencing the Acknowledge count of this\n\nmetric and the overall traffic from the Client to the Server\n\n(see CSTraffic above). A slight error in this calculation may\noccur due to Connection Establishment and Termination\n\n55\n\nMetric\n\nApplicability Units\n\nN\n\nApplicable\n\nEvents\n\nXE\n\nApplicable\n\nIncrements\n\nMaximum Applicable\n\nIncrements\n\nMinimum Applicable\n\nIncrements\n\nDescription\nCount of the # ACKTPDU\n\nretransmissions from the Server\n\nto the Client(s)\n\nSum total of the Window\nSizes of the Acknowledges\nThe maximum Window Size\nof these Acknowledges\nThe minimum Window Size\nof these Acknowledges\n\nCSConnectionFrozenWindows\nDefinition\n\nThis metric contains information about the transport-level\nconnection windows for a given application and either a\nspecific Client-Server Pair or a specific Server and all of its\nclients. Specifically, CS ConnectionWindow measures num\nber of Transport-level Acknowledges from Client->Server\nwithin established connection lifetimes which validly\nacknowledge data, but either\nfailed to increase the upper window edge,\nreduced the upper window edge\nMetric Specification\n\n60\n\nMetric\n\nApplicability\n\nUnits\n\nN\n\nApplicable\n\nEvents\n\nXE\nMaximum\n65 Minimum\n\nTPDUS, but it should not be significant.\n\nApp. II-117\n\nNot Applicable\nNot Applicable\nNot Applicable\n\nDescription\nCount of the #ACKTPDU with\n\nfrozen/reduced windows from\n\nthe Client(s) to the Server\n\n\x0cUS 6,839,751 B1\n\n49\n\nSCConnectionFrozenWindows\nDefinition\n\nThis metric contains information about the transport-level\nconnection windows for a given application and either a\nspecific Client-Server Pair or a specific Server and all of its\nclients. Specifically, SCConnectionWindow measures num\nber of Transport-level Acknowledges from Server->Client\nwithin established connection lifetimes which validly\nacknowledge data, but either\nfailed to increase the upper window edge,\nreduced the upper window edge\n\n5\n\nSO\n\nand State transition climb procedure. Such comes from\nanalyzing packets according to parsing rules, and also gen\nerating State transitions to Search for. Applications and\nprotocols, at any level, are recognized through State analysis\nof Sequences of packets.\nNote that one in the art will understand that computer\nnetworks are used to connect many different types of\ndevices, including network appliances Such as telephones,\n\xe2\x80\x9cInternet\' radios, pagers, and So forth. The term computer as\nused herein encompasses all Such devices and a computer\nnetwork as used herein includes networks of Such comput\nCS.\n\nMetric Specification\nMetric\n\nApplicability\n\nUnits\n\nN\n\nApplicable\n\nEvents\n\nXE\nMaximum\nMinimum\n\nNot Applicable\nNot Applicable\nNot Applicable\n\nDescription\n\n15\n\nCount of the #ACKTPDU with\n\nfrozen/reduced windows from\n\nthe Client(s) to the Server\n\nWhat is claimed is:\n\nCSConnectionClosed Windows\nDefinition\n\nThis metric contains information about the transport-level\nconnection windows for a given application and either a\nspecific Client-Server Pair or a specific Server and all of its\nclients. Specifically, CSConnectionWindow measures num\nber of Transport-level Acknowledges from Client->Server\nwithin established connection lifetimes which fully closed\nthe acknowledge/sequence window.\nMetric Specification\nMetric\n\nApplicability\n\nUnits\n\nDescription\n\nN\n\nApplicable\n\nEvents\n\nCount of the # ACK\nTPDU with Closed windows\n\nfrom the Client(s)\n\nXE\nMaximum\nMinimum\n\nto the Server\n\nNot Applicable\nNot Applicable\nNot Applicable\n\nAlthough the present invention has been described in\nterms of the presently preferred embodiments, it is to be\nunderstood that the disclosure is not to be interpreted as\nlimiting. Various alterations and modifications will no doubt\nbecome apparent to those or ordinary skill in the art after\nhaving read the above disclosure. Accordingly, it is intended\nthat the claims be interpreted as covering all alterations and\nmodifications as fall within the true Spirit and Scope of the\npresent invention.\n\nSCConnectionClosed Windows\nDefinition\n\n25\n\ncoupled to the connection point;\n\ndatabase for containing one or more flow-entries for\npreviously encountered conversational flows, the look\ning up to determine if the received packet is of an\nexisting flow, a conversational flow including an\neXchange of a Sequence of one or more packets in any\n\n35\n\n40\n\n50\n\nApplicability\n\nUnits\n\nDescription\n\nApplicable\n\nEvents\n\nCount of the # ACK\nTPDU with Closed windows\n\nXE\nMaximum\nMinimum\n\nNot Applicable\nNot Applicable\nNot Applicable\n\nfrom the Client(s) to the Server\n\nparticular activity using a particular layered set of one\nor more network protocols, a conversational flow fur\nther having a set of one or more States, including an\n\n(c) if the packet is of an existing flow, identifying the last\nencountered State of the flow, performing any State\noperations Specified for the State of the flow, and\nupdating the flow-entry of the existing flow including\nStoring one or more Statistical measures kept in the\nflow-entry; and\n\nd) if the packet is of a new flow, performing any state\n\noperations required for the initial State of the new flow\nand storing a new flow-entry for the new flow in the\nflow-entry database, including Storing one or more\nStatistical measures kept in the flow-entry,\nwherein every packet passing though the connection point is\nreceived by the packet acquisition device, and\n\nwherein at least one step of the set consisting of of step (a)\nand Step (b) includes identifying the protocol being used in\n\nMetric Specification\nN\n\ndirection between two network entities as a result of a\n\ninitial State,\n\n55\n\nMetric\n\n(a) receiving a packet from a packet acquisition device\n\n(b) for each received packet, looking up a flow-entry\n\n45\n\nThis metric contains information about the transport-level\nconnection windows for a given application and either a\nspecific Client-Server Pair or a specific Server and all of its\nclients. Specifically, SCConnectionWindow measures num\nber of Transport-level Acknowledges from Server->Client\nwithin established connection lifetimes which fully closed\nthe acknowledge/sequence window.\n\n1. A method of analyzing a flow of packets passing\nthrough a connection point on a computer network, the\nmethod comprising:\n\n60\n\nthe packet from a plurality of protocols at a plurality of\nprotocol layer levels,\nsuch that the flow-entry database is to store flow entries for\na plurality of conversational flows using a plurality of\nprotocols, at a plurality of layer levels, including levels\nabove the network layer.\n\n2. A method according to claim 1, wherein step (b)\n\nincludes\n\nextracting identifying portions from the packet,\nwherein the extracting at any layer level is a function of the\n65 protocol being used at the layer level, and\nEmbodiments of the present invention automatically gen wherein the looking up uses a function of the identifying\nerate flow Signatures with the necessary recognition patterns portions.\nApp. II-118\n\n\x0cS1\n\nUS 6,839,751 B1\n\n52\n(a) a packet acquisition device coupled to the connection\n\n3. A method according to claim 1, wherein the Steps are\ncarried out in real time on each packet passing through the\nconnection point.\n4. A method according to claim 1, wherein the one or\n\npoint and configured to receive packets passing through\nthe connection point;\n\n(b) a memory for Storing a database for containing one or\n\nmore Statistical measures include measures Selected from the\n\nSet consisting of the total packet count for the flow, the time,\nand a differential time from the last entered time to the\npresent time.\n5. A method according to claim 1, further including\nreporting one or more metrics related to the flow of a\nflow-entry from one or more of the Statistical measures in the\nflow-entry.\n6. A method according to claim 1, wherein the metrics\n\n1O\n\n(c) an analyzer Subsystem coupled to the packet acquisi\n\ninclude one or more quality of Service (QOS) metrics.\n\n7. A method according to claim 5, wherein the reporting\n\nis carried out from time to time, and wherein the one or more\n\n15\n\nmetrics are base metrics related to the time interval from the\n\nlast reporting time.\n8. A method according to claim 7, further comprising\n\ncalculating one or more quality of Service (QOS) metrics\nfrom the base metrics.\n\n9. A method according to claim 7, wherein the one or\n\nmore metrics are Selected to be Scalable Such that metrics\n\nfrom contiguous time intervals may be combined to deter\nmine respective metricS for the combined interval.\n10. A method according to claim 1, wherein step (c)\nincludes if the packet is of an existing flow, identifying the\nlast encountered State of the flow and performing any State\noperations Specified for the State of the flow Starting from the\n\n25\n\n35\n\nis carried out from time to time, and wherein the one or more\nmetrics are base metrics related to the time interval from the\n\nlast reporting time.\n13. A method according to claim 12, wherein the reporting\nis part of the State operations for the State of the flow.\n14. A method according to claim 10, wherein the state\noperations include updating the flow-entry, including Storing\nidentifying information for future packets to be identified\nwith the flow-entry.\n15. A method according to claim 14, further including\nreceiving further packets, wherein the State processing of\neach received packet of a flow furthers the identifying of the\napplication program of the flow.\n16. A method according to claim 15, wherein one or more\nmetrics related to the State of the flow are determined as part\nof the state operations specified for the state of the flow.\n17. A packet monitor for examining packets passing\nthrough a connection point on a computer network, each\npackets conforming to one or more protocols, the monitor\ncomprising:\n\ntion device configured to lookup for each received\npacket whether a received packet belongs to a flow\nentry in the flow-entry database, to update the flow\nentry of the existing flow including Storing one or more\nStatistical measures kept in the flow-entry in the case\nthat the packet is of an existing flow, and to Store a new\nflow-entry for the new flow in the flow-entry database,\nincluding Storing one or more Statistical measures kept\nin the flow-entry if the packet is of a new flow,\nwherein the analyzer Subsystem is further configured to\nidentify the protocol being used in the packet from a\nplurality of protocols at a plurality of protocol layer levels,\nand\n\nlast encountered State of the flow; and wherein step (d)\n\nincludes if the packet is of a new flow, performing any State\noperations required for the initial State of the new flow.\n11. A method according to claim 10, further including\nreporting one or more metrics related to the flow of a\nflow-entry from one or more of the Statistical measures in the\nflow-entry.\n12. A method according to claim 11, wherein the reporting\n\nmore flow-entries for previously encountered conver\nsational flows to which a received packet may belong,\na conversational flow including an exchange of a\nSequence of one or more packets in any direction\nbetween two network entities as a result of a particular\nactivity using a particular layered Set of one or more\nnetwork protocols, a conversational flow further having\na Set of one or more States, including an initial State; and\n\n40\n\nwherein the database is to store flow entries for a plurality\nof conversational flows using a plurality of protocols, at a\nplurality of layer levels, including levels above the network\nlayer.\n18. A packet monitor according to claim 17, further\ncomprising:\na parser Subsystem coupled to the packet acquisition\ndevice and to the analyzer Subsystem configured to\nextract identifying information from a received packet,\nwherein each flow-entry is identified by identifying infor\nmation Stored in the flow-entry, and wherein the cache\nlookup uses a function of the extracted identifying informa\ntion.\n\n19. A packet monitor according to claim 17, wherein the\n\none or more Statistical measures include measures Selected\n\nfrom the Set consisting of the total packet count for the flow,\n45\n\nthe time, and a differential time from the last entered time to\n\nthe present time.\n20. A packet monitor according to claim 17, further\nincluding a Statistical processor configured to determine one\nor more metrics related to a flow from one or more of the\n\n50\n\nstatistical measures in the flow-entry of the flow.\n21. A packet monitor according to claim 20, wherein the\nStatistical processor determine and reports the one or more\nmetrics from time to time.\n\nApp. II-119\n\n\x0cUNITED STATES PATENT AND TRADEMARK OFFICE\n\nCERTIFICATE OF CORRECTION\nPATENT NO.\nDATED\n\n: 6,839,751 B1\n: January 4, 2005\n\nPage 1 of 1\n\nINVENTOR(S) : Dietz et al.\n\nIt is certified that error appears in the above-identified patent and that said Letters Patent is\nhereby corrected as shown below:\nColumn 6\n\nLine 65, please change \xe2\x80\x9cIn So\xe2\x80\x9d to -- In Some --.\nColumn 13\n\nLine 23, please change, \xe2\x80\x9cpattern\xe2\x80\x94a signature\xe2\x80\x94an be\' to -- pattern\xe2\x80\x94a signature\xe2\x80\x94can\n\nbe --.\n\nColumn 51\n\nLine 13, please change "claim 1\' to -- claim 7 --.\n\nSigned and Sealed this\nEighth Day of March, 2005\n\nWDJ\nJON W. DUDAS\n\nDirector of the United States Patent and Trademark Office\n\nApp. II-120\n\n\x0cUSOO6954789B2\n\n(12) United States Patent\n\n(10) Patent No.:\n\nDietz et al.\n\n(45) Date of Patent:\n\n(54) METHOD AND APPARATUS FOR\n\nMONITORING TRAFFIC IN A NETWORK\n\n2003-44510 A\n\nAdvanced Methods for Storage and Retrieval in Image;\nhttp://www.cs.itulane.edu/ww/Prototype/proposal.html;\n1998.\n(Continued)\nPrimary Examiner Moustafa M. Meky\n(74) Attorney, Agent, or Firm--Dov Rosenfeld; Inventek\n\n-\n\n(57)\n\nSubject to any disclaimer, the term of this\n\npatent is extended or adjusted under 35\nU.S.C. 154(b) by 0 days.\n\nOct. 14, 2003\n\nPrior Publication Data\n\nof Selected portions of the packet. The parsing/extraction\n\noperations depend on one or more of the protocols to which\nthe packet conforms. The method further includes looking\n\nUS 2004/0083299 A1 Apr. 29, 2004\nO\n\nO\n\nup a flow-entry database containing flow-entries for previ\n\nRelated U.S. Application Data\n\nously encountered conversational flows. The lookup uses the\nSelected packet portions and determining if the packet is of\nan existing flow. If the packet is of an existing flow, the\n\n(63) Sylpri.N.608.237, filed on Jun.\n\n(60) Provisional\napplication No. 60/141903, filed on Jun. 30,\n1999.\n\nt\n\nInt. C.\n\n- ------ ----- --------- -- --- ------ --- -----------\n\nli R. E, as less tO R\n\neXISung Ilow, and II line pacKel ISOI a new Ilow, Line meuno\n\n7\n\n(51)\n\nABSTRACT\n\nA monitor for and a method of examining packets passing\nthrough a connection point on a computer network. Each\npackets conforms to one or more protocols. The method\nincludes receiving a packet from a packet acquisition device\nand performing one or more parsing/extraction operations\non the packet to create a parser record comprising a function\n\n(21) Appl. No.: 10/684,776\n(65)\n\n2/2003\n\nOTHER PUBLICATIONS\n\nJoseph R. Maixner, Aptos, CA (US);\nAndrew A. Koppenhaver, Littleton,\nCO (US); William H. Bares,\nGermantown, TN (US); Haig A.\nSarkissian, San Antonio, TX (US);\nJames F. Torgerson, Andover, MN\n(US)\n(73) Assignee: Hi/fn, Inc., Los Gatos, CA (US)\n\n(22) Filed:\n\nOct. 11, 2005\n\nFOREIGN PATENT DOCUMENTS\n\nJP\n\n(75) Inventors: Russell S. Dietz, San Jose, CA (US);\n\n(*) Notice:\n\nUS 6,954,789 B2\n\nstores a new flow-entry for the new flow in the flow-entry\n\nGO6F 15/173\n\ndatabase, including identifying information for future pack\n\n(52) U.S. Cl. ........................................ 709/224; 370/392\n\nets to be identified with the new flow-entry. For the packet\n\n709/220, 223, 224, 231, 232, 236, 238-240,\n246; 370/389, 392\n\nexisting flow. Such updating may include Storing one or\nmore Statistical measures. Any Stage of a flow, State is\nmaintained, and the method performs any State processing\nfor an identified state to further the process of identifying the\nflow. The method thus examines each and every packet\npassing through the connection point in real time until the\napplication program associated with the conversational flow\n\n(58) Field of Search ................................. 709/200, 201,\n\n(56)\n\nof an existing flow, the method updates the flow-entry of the\n\nReferences Cited\nU.S. PATENT DOCUMENTS\n\n3,949,369 A\n4,458.310 A\n4,559,618 A\n\n4/1976 Churchill, Jr. .............. 711/128\n7/1984 Chang ........................ 711/119\n\nis determined.\n\n12/1985 Houseman et al. ........... 365/49\n\n49 Claims, 18 Drawing Sheets\n\n(Continued)\nPARSER 30\nExact\n3LDUNUE\nNIFYING\nINFORMATIC -ConVERSATIO\n\n{Elly\n\n324\nLookiP\n\nO\n\nFROM\nKNOWN\n\nRECOR8\n\n(DB324\n\nAACE\n\nYS\n\n318\n\nAfterNARs\nAND\nEXTRACTION\nDATABASE\n\n310\n\nPROTOCOL\n\n& STATE\nENFCAT\n\nR\n\nCLASSIFICATIO\n320\n\n"Low"\n\nKNOWN\n\nRCR\n\nYES\n\nRXESSOR\nNSTRUCTIN\nDATABASE\n\nCOMPLER\nAND\n\nPTIMZER\n\nPROTOCOL.\n\nSCPTC\nLANGUAGE\n\nATASRAM\nAyer\n\nSELECTIONS\n\nSTATE\n\nPCSSN\n\ndialos\n\nANALY2ER\n\n303\n\nApp. II-121\n\n\x0cUS 6,954,789 B2\nPage 2\n\nU.S. PATENT DOCUMENTS\n4,736,320\n4,891,639\n4,910,668\n4,972,453\n5,101,402\n5,247,517\n5,247,693\n\nA\nA\nA\nA\nA\nA\nA\nA\nA\n\n11/1998\n11/1998\n11/1998\n12/1998\n\nShwed et al. .......... 395/200.59\nSchwaller et al. ..... 395/200.54\nHuffman ..................... 382/155\nAnderson et al.\n370/241\nAnderson et al. ........... 370/252\nWelch, Jr. et al. ...... 395/200.54\nde la Salle ................... 707/10\nCheriton ..................... 711/144\nPearson ...................... 395/680\n\nA\nA\nA\nA\nA\nA\nA\n\n3/1990 Okamoto et al. ........... 711/207\n11/1990 Daniel, III et al. ........... 379/10\n3/1992 Chiu et al. .................... 370/17\n9/1993 Ross et al. ..\n370/85.5\n9/1993 Bristol ....................... 395/800\n\n5,878.420\n5,893,155\n5,903,754\n\n5,315,580 A\n5,339,268 A\n5,351.243 A\n\n5/1994 Phaal\n... 370/13\n8/1994 Machida ...................... 365/49\n9/1994 Kalkunte et al. ............. 370/92\n\n6,003,123 A\n6,014,380 A\n6,097.699 A\n\n12/1999 Carter et al. ................ 711/207\n1/2000 Hendel et al. .............. 370/392\n8/2000 Chen et al. ..\n370/231\n\n12/1994 Hershey et al. ............. 364/550\n\n6,118,760 A\n\n9/2000 Zaumen et al. ............. 370/229\n\n5,249,292 A\n\n5,365,514. A\n\n5,375,070 A\n\n5,394,394 A\n5,414,650 A\n\n5,414,704\n5,430,709\n5,432,776\n5,493,689\n5,500,855\n\nA\nA\nA\nA\nA\n\n5.530,958\n5.535,338\n5,568,471\n5,574,875\n5,586,266\n5,606,668\n5,608,662\n5,634,009\n\n5,680,585.\n5,684.954.\n5,703,877\n5,720,032\n5,721.827\n5,732.213\n\n4/1988 Bristol ....................... 364/300\n1/1990 Nakamura ............. 340/825.5\n\n5.835,726.\n5,838,919\n5,841,895\n5,850,386\n\n9/1993 Chiappa ..................... 395/650\n\n11/1994. Hershey et al. ...\n2/1995\n5/1995\n5/1995\n7/1995\n7/1995\n\n... 370/17\n\nCrowther et al. ............. 370/60\nHekhuis\n364/715.02\n\nA\nA\nA\nA\nA\nA\nA\nA\n\n6/1996\n7/1996\n10/1996\n11/1996\n12/1996\n2/1997\n3/1997\n5/1997\n\nAgarwal et al. ..\n711/3\nKrause et al. ......... 395/2002\nHershey et al. ............... 370/17\nStansfield et al. .......... 395/403\nHershey et al......... 395/200.11\nShwed .................. 395/200.11\nLarge et al.\n. 364/724.01\nIddon et al. ...\n395/200.11\n\n6,452,915\n6,453,345\n6,453,360\n6,466,985\n6,483,804\n6,510,509\n6,516,337\n6,519,568\n\nA\nA\nA\nA\nA\nA\n\n10/1997\n11/1997\n12/1997\n2/1998\n2/1998\n3/1998\n\nBruell ......................... 703/26\nKaiserswerth et al. ... 395/2002\nNuber et al. ................ 370/395\nPicazo, Jr. et al........ 395/2002\nLogan et al. ..... ... 709/217\nGessel et al. .......... 395/200.11\n\n5,651,002 A\n\n5,740,355. A\n\n7/1997 Van Seters et al.\n\n... 370/392\n\n4/1998 Watanabe et al....... 395/183.21.\n\n5,749,087 A\n\n5/1998 Hoover et al. .............. 711/108\n\n5,761,429 A\n5,764,638 A\n\n6/1998 Thompson .....\n6/1998 Ketchum ....\n\n5,761,424 A\n\n5,781,735 A\n\n5.2.\nA\n2 a?\n\nA\nA\nA\nA\nA\n\n5,825,774. A\n\n6/1998 Adams et al. .\n\n7/1998\n\nSouthard\n\n- ------\n\n395/200.47\n\n... 709/224\n... 370/401\n395/200.54\n\n2./1998\n1998 McCreery\nHershey etetal.al..............\n364/557\n..... 395/200.61\n\n8/1998\n9/1998\n9/1998\n9/1998\n10/1998\n\nKuriyan .........\n... 709/223\nBellenger ...\n... 370/401\nHasani et al. ..... ... 395/2002\nCzarnik et al. ............. 370/245\n\nManghirmalani\n\net al. .............\n\n... 395/185.1\n\n10/1998 Ready et al. ............... 370/401\n\n6/1999 Gobuyan et al.\n\n370/392\n\n9/2000 Engel et al. ................ 370/469\n\n6.243,667 B1 * 6/2001 Kerr et al. ...\n... 703/27\n6,269,330 B1,\n7/2001 Cidon et al. .................. 704/43\n\n4/1996\n4/1996\n\n6/1996 Colloff et al. .............. 711/136\n\n3/1999\n4/1999\n5/1999\n\n6,115,393 A\n\n6,272,151\n6.279,113\n6,282.570\n6,330,226\n6,363,056\n\n2/1996\n3/1996\n\n12/1998\n1/1999\n\n5,917,821 A\n\nSpinney ....................... 370/60\nGalloway .................... 370/13\nHarper ..........\n... 370/17\nWaclawsky et al. ........ 395/821\nHershey et al. ............... 370/17\nCorrea\n395/800\nTerasaka et al. ............ 395/800\n\n5,511,213 A\n5,511,215. A\n5.530,834 A\n\n5,799,154\n5,802,054\n5,805,808\n5,812,529\n5,819,028\n\n5,850,388\n5,862,335\n\nB1\nB1\nB1\nB1\nB1\n6,381,306 B1\n6,424,624 B1\n\n6,430,409 B1\n\nB1\nB2\nB1\nB1\nB1\nB1\nB1\nB1\n\n8/2001\n8/2001\n8/2001\n12/2001\n3/2002\n\n370/489\n713/201\n709/224\n370/232\n370/252\n\n4/2002 Lawson et al. ............... 379/32\n7/2002 Galand et al. .............. 370/231\n8/2002 Rossmann ..\n455/422.1\n\n* 9/2002\n9/2002\n* 9/2002\n* 10/2002\n* 11/2002\n* 1/2003\n2/2003\n2/2003\n\n6,570,875 B1 *\n\nGupta et al. ................\nVaidya .......\nLeung et al. ...............\nChapman et al. ...........\nBeigi et al. .....\n\nJorgensen ................... 370/238\nTrcka et al. ................ 709/224\nMuller et al.\n709/250\nGoyal et al. ................ 709/238\nMuller et al. ............... 370/230\nChopra et al.\n... 712/13\nTripp et al. ................. 709/202\nHarvey et al. ................. 705/1\n\n5/2003 Hegde - - - - -\n\n370/389\n\n6,625,657 B1\n9/2003 Bullard ....................... 709/237\n6,651,099 B1 11/2003 Dietz et al. ................. 709/224\n6,791.947 B2 * 9/2004 Oskouyet al. ............. 370/238\n\nOTHER PUBLICATIONS\n\nMeasurement and Analysis of the Digital DECT propagation\nChannel; IEEE, 1998.\n\nR, Periakaruppam and E. Nemeth. \xe2\x80\x9cGTrace-A Graphical\n\nTraceroute Tool. 1999 USenix LISA. Available on\nwww.caida.org, URL: http://www.caida.org/outreach/pa\npers/1999/GTrace/GTrace.pdf.\n\nW. ssStallings. \xe2\x80\x9cPacket Filtering in the SNMP Remote Moni\n\ntor. Nov. 1994. Available on www.ddj.com, URL: http://\nwww.dd.com/documents/s=1013/dd9411h/9411h.htm.\n\xe2\x80\x9cTechnical Note: the Narus System,\xe2\x80\x9d Downloaded Apr. 29,\n1999 from www.narus.com, Narus Corporation, Redwood\n\nCity California.\n\n* cited by examiner\n\nApp. II-122\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\n100\n\nSheet 1 of 18\n\nCLIENT 4\n\nUS 6,954,789 B2\n\n108\n\nN\n\nANALYZER\n\n107\n\n116\n\nC\n\nCLIENT 3\n\nSERVER 2\n\nN106\n\ny\n\n121\n\nDATA COMMUNICATIONS\nNETWORK\n\n1 O2\n\n125\n\n123\n\nN\n\n112\n\nH\n\nCLIENT 2\n\n118\n\n105\n\nCLIENT 1\nO4\n\nFIG. 1\n\nApp. II-123\n\nO\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nSheet 2 of 18\n\nVNHOZE|TAo]HEdVS\n\nZ9O0Z1)|\nApp. II-124\n\n:\nL8NBITO\n\nUS 6,954,789 B2\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nSheet 3 of 18\n\nLOWH_XE\n019\n\nApp. II-125\n\nUS 6,954,789 B2\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nUS 6,954,789 B2\n\nSheet 4 of 18\n\nO-Y-40\nHIGH LEVEL\nPACKET\n\n402\n\nDECODING\nDESCRIPTIONS\n404\n\n405\nVRA\n\nGENERATE\n\nPACKET\nPARSE AND\n\nCOMPLE\n\nDESCRIPTIONS\n\nEXTRACT\nOPERATIONS\n\nPACKET\nSTATE\n\nOPERATIONS\n403\n407\n\n406 2ATTERN,\nAND PARSE\nEXTRACTION\nDATABASE\n\nSTATE\n\n408\n\nLOAD\nPARSING\nSUBSYSTEM\n\nMEMORY\n\n409\n\nPROCESSOR\nNSTRUCTION\nDATABASE\n\nLOAD STATE\nNSTRUCTIO\nDATABASE\nMEMORY\n\n400\n\nApp. II-126\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nSheet 5 of 18\n\n503\n\nLOAD PACKET\n\n504\n\nORE IN PACKEC\n\nUS 6,954,789 B2\n\nCOMPONENT\n\nPACKET\nKEY\n\nFETCH NODE AND\nPROCESS FROM\nPAERN\n\n513\n\nMORE\n\nNEXT\n\nPATTERN\n\nPACKET\n\nCOMPONE\n\nNODES\nAs\n\nY NOD\n\n511\n\nAN\n\nPROCESS TO\nCOMPONENT\n\n51O.\n\n5OO\n\nV\n\nPATTERN\nNODE\n\n509\n\nApp. II-127\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nSheet 6 of 18\n\nO\n\nUS 6,954,789 B2\n\n601\n\nPACKET\n\n602\n\nCOMPONENT AND\nPATTERN NODE\n\n603\n\nLOAD PACKET\nCOMPONENT\n\n610\n\n604\n\nMORE PACKE\n\nLOAD KEY\nBUFFER\n\nCOMPONENT\nYES\n\nFETCH EXTRACTION\n\nAND PROCESS FRO\nPAERNS\n\n()\n605\n\nNO\n\n611\n\n606\n\nORE EXTRACTION\n\nELEMENTS?\n\n6O7\n\nNO\n\nNEXT\n\nPACKET\nCOMPONEN\n\n609\n\nYES\nAPPLY EXTRACTIO\n\nES\nP\n\nN 600\n\nMORE TO\nEXTRACT?\n\nF.G. 6\n\n608\nYE\n\nApp. II-128\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nSheet 7 of 18\n\nEY BUFFER AND\nPATTERN NODES\n\n703\n\nLOAD PATTERN\nNODE EUEMENT\n\n704\n\nMORE\nPATER\nNODES2\n\n702\n\n708\n\nAE\n\nYES\n\nASHKEY BUFFER\n\nELEMENT FROM\nPATTERN NODE\n\nUS 6,954,789 B2\n\n(FB\n705\n709\n\nPACK KEY & HAS\n\n700\n\nNEXT PACKET\n\nCOMPONEN\n\nFG. 7\n\nApp. II-129\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nSheet 8 of 18\n\nUS 6,954,789 B2\n\nOU-80\nUFKB ENTRY FOR\n\n800 Y\n\nCOMPUTE\nCONVERSATION-803\nRECORD BIN FROM HASH\nRECQUEST RECORD BIN/\nBUCKET FROM CACHE\n\n805\n\nORE BUCKET\nIN THE BIN?\n\n804\n\nNO\n\n806\n\nSETUFKBFOR\n\nPACKETAS "NEW"\n\nYES\nCOMPARE CURRENT BIN\nAND BUCKET RECORD KEY\nTO PACKET\n\n807\n\nNEXT BUCKET-NC searcs\n\n808\n\nYES\n\n809\n\nMARK RECORD BIN AND\nBUCKET \'N PROCESS IN\nCACHE AND MESTAMP\n\n811\n\nSET UFKB FOR PACKET\nAS FOUND"\n\n812\n\nUPDATE STATISTICS FOR\nRECORD IN CACHE\n\n810\n\n813 vO FIG. 8\nApp. II-130\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\n901\n\nSheet 9 of 18\n\n902\n\nPORTMAPP\n\nANNOUNCME\nPORTMAPPER\n\nUS 6,954,789 B2\n\n910\n\nRPC\nBND LOOKUP\nREOUEST\n909\n\nEXTRACT PROGRAM\nGET\'PROGRAM",\n\nEXTRACT PORT\n\n\'PROTOCOL (TCP OR\nUDP)\n\n\'PROTOCOL (TCP OR\nUDP)\n\nGET \'PROGRAM",\n\n"VERSION\', \'PORT AND\n\n\'VERSION AND\n\nSAVE REGUEST\n\nCREATE SERVER STATE\n\n904\n\nSAVE PROGRAM\',\n\nSAVE PROGRAM",\n\n"VERSION" AND\n\n"VERSION", "PORT AND\n\'PROTOCOL (TCP OR\nUDP)\' WITH NETWORK\n\n"PROTocol (TCP oR\nUDP)\' WITH\nDESTINATION\n\nADDRESSN SERVER\nSTATE DATABASE. KEY\nON SERVER ADDRESS\nAND TCP OR UDP PORT.\n\nNETWORKADDRESS.\nBOTH MAKE A KEY.\n\nRPC\nBIND\nLOOKUP\nREPLY\n\ngo/\n\nLOOKUP REGUES\nFND PROGRAM"\nAND "VERSION\'\nWITH LOOKUP OF\nSOURCE NETWORK\nADDRESS,\n\nFIG. 9\nApp. II-131\n\nEXTRACT\nPROGRAM\nGET "PORTAND\n\n\'PROTOCOL (TCP\nOR UDP)\'.\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nPATTERN\nRECOGNITION\nDATABASE\n\n100\n\nMEMORY\n\n1 OO\n\nSheet 10 of 18\n\nUS 6,954,789 B2\n\nEXTRACTION\nOPERATIONS\nDATABASE\n\n1001\n\nMEMORY\n\n1 OO\n\n1004\n\nO31\n\nINFOOUT\nCONTRN\n\nHOST INTERFACE MULTIPLEXR & CONTROLREGISTERS\n\n1031\n1 OO6\n\nPATTERN\nRECOGNITN\n\n1007\n\nEXTRACTION ENGINE\n\nENGINE\n\n(SLICER)\n\n(PRE)\n\nto\nA\n\n7m\n\nPARSER INPUT BUFFER\n\nINPUT\n\nMEMORY\n\nPARSER\n\nOUTPUT PACKETKEY\n\nBUFFER AND PAYLOAZ\n\nMEMORY\n\n1012\n1021\n\nPACKET\nSTART\nVX\n\nPACKET\n\n1023\n\n02\n\nINPUT BUFFER\nINTERFACE\nCONTROL\n\nANALYZER\n\nINTERFACE\n\nCONTROL\n\nFIG. 1O\n\nApp. II-132\n\nDATA READY\nREADY\n\n1027\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nSheet 11 of 18\n\nUS 6,954,789 B2\n\n1100 10\n\n1 103\n\n1 O7\n\nSEE\n\nENGINE\n(LUE)\nSTATE\n\nPROCESSR\nINSTRUCN\n\n115\n\n111s 12\n\nANALYZEF\n\nHOST\n\'SS\n() INTERAC (). INTER\nFACE\nC9NTROL\n(HiB)\n(ACIC)\n\nDATABASE\n\nPARSER\n\nUNFED\nFLOW\nKEY\n\nINTER.K.BUFFER\nFACE\n\n(UFKB)\n\nPROCESSR\n\n(SP)\n\n1119 112\n\nUNIFIED\n\nENGINE\n\n(FIDE)\n\nApp. II-133\n\nMEMORY\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nSheet 12 of 18\n\nUS 6,954,789 B2\n\n201\n\n12O6\n\nRECUEST NEXT\nBUCKET FROM\nCACHE\n\nNO\n\nUFKB ENTRY FOR\nPACKET WITH\nSTATUS \'NEW"\n\n12O2\n\nACCESS\nCONVERSATION\nRECORD BIN\n\n12O3\n\nREOUEST RECORD BIN/\nBUCKET FROM CACHE\n\n1204\n\nCBN/BUCKETEMPTY\n\n1205\n\nYES\n1208\n\nNSERT KEY AND HASH\nN BUCKET, MARK"USED\nWITH TIMESTAMP\n\nB\n\nES\n121 O\n\nSET UFKBFOR\n\nPACKETAS\n\'DROP\'\n\n12O7\n\nOMPARE CURRENT BIN1 1209\n\nAND BUCKETRECORD\n\nKEY TO PACKET\n\nMARK RECORD BN AND\n\nBUCKET IN PROCESS\'\nAND "NEW" N CACHE\n\nFOR RECORD IN CACHE\n\nC\n\nFIG. 12\nApp. II-134\n\n23\n\n1211\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nSheet 13 of 18\n\nUS 6,954,789 B2\n\nQu-o\n\n1300 -\n\nUFKB ENTRY FOR\n\nPACKET WITH STATUS\n\n"NEW" o "FOUND"\n\n1302\n\nSET STATE PROCESSOR\nNSTRUCTION POINTERTO\nALUE FOUND IN UFKB ENTRY\n\n1303\n\nFETCH INSTRUCTION FROM\n\n1304\n\nSTATE PROCESSOR\n\nINSTRUCTION MEMORY\n\nPERFORM\nOPERATION BASED - 1305\nON THE STATE INSTRUCTION\nSET STATE\n\nPROCESSOR\n\nINSTRUCTION\n\nPOINTERTO\nVALUE FOUND IN\nCURRENT STATE\nSAVE STATE\n\nNO\n\n1308\n131 O\n\nPROCESSOR\nINSTRUCTION\nNO\nPOINTERN\nCURRENT FLOW\nRECORD\n\nDONE PROCESSING\n\nSTATES FOR THIS\nPACKET?\n\n1307\n\nYES\n\nDONE PROCESSING\nTATES FOR THIS FLO\n\n1309\n\nYES\n\nSET AND SAVE FLOW REMOVA\nSTATE PROCESSOR\nINSTRUCTION IN CURRENT\nFLOW RECORD\n\nd) ran\n\nFIG. 13\nApp. II-135\n\n1311\n\n\x0cU.S. Patent\n\nUS 6,954,789 B2\n\nON\n\nELVISSI\xc3\x84TVN\\/\n\nApp. II-136\n\n\x0cApp. II-137\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nDst Hash (2\n\nSheet 16 of 18\n\nDst MAC (6)\n\nApp. II-138\n\nUS 6,954,789 B2\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nUS 6,954,789 B2\n\nSheet 17 of 18\n\n1702\n\noffset\n\n12.\n\n\\\n\n1704\n\nSType\n\n/////////A\ny\n\n1708\n17 O\n\n1706\n\nType (2)\nh 1\n\n)\n\nNL3 Ofset = 14\n\nYK- 1700\n\nFIG. 17A\n\n1712\n\nDP = 0x06OO\nIP = 0x0800\nCHAOSNET = OxO804\nARP = 0x0806\nVIP = OxOBAD\nVLOOP = OxOBAE\nVECHO = 0x0BAF\nNETBIOS-3COM = 0x3COO Ox3COD\nDEC-MOP - 0x6001\nDEC-RC = 0x6002\nDEC-DRP = 0x6003 *\nDEC-LAT = 0x6004\nDEC-DIAG = 0x6005\nDEC-LAVC = 0x6007\nRARP = 0x8035\nATALK = 0x809B\nVLOOP = 0x80C4\nVECHO = 0x80C5\nSNA-TH - 0x80D5"\nATALKARP = 0x80F3\nIPX = 0x8137\nSNMP - 0x814C#\nPv6 = 0x86DD"\nLOOPBACK = 0x9000\n\nApple = 0x080007\n* L3 Decoding\n# L5 Decoding\n\nL3 to\n\nYES/SEEEEEEEEErg/\nW Ag/ ffs\n\n...\n(IFTHApostly-A551:\n- 1)\n//////535, Eadgig////////////\n\n1752\nCMP\nGMP\nGGP\nTCP\nEGP\nIGRP\nPUP\nCHAOS\nUDP\nIDP\nSO-TP4\nDDP\nISO-IP\n\n=1\nat 2\n=3\n=6\n=8\n=9\n= 12\n= 16\n= 1.7"\n= 22 it\n= 29\n= 37 if\n= 8O\n\nVIP = 83#\n\nEIGRP = 88\n\nOSPF = 89\n\nProtocol (1)\n\nFIG. 17B\n\nL4 Offset = L3 + (IHL14)\n\nApp. II-139\n\n* L4 Decoding\n# L3 Re-Decoding\n\n\x0cU.S. Patent\n\nOct. 11, 2005\n\nUS 6,954,789 B2\n\nSheet 18 of 18\n\nPROTOCOL\nA-1800\n\n7/- 7-\n\n|CH1I0-TNE3\n\n1642\n\n[I I\n\nTOCL?Hd\n\n# #7\xe2\x80\x99\n\n[//7- 7- 7-\'7/,-7-7-7-7!/, T T\n\n##\n\n??\n\n},/7 7 7\n\nFIG. 18B\n\nApp. II-140\n\n\x0c1\n\nUS 6,954,789 B2\n\nMETHOD AND APPARATUS FOR\nMONITORING TRAFFIC IN A NETWORK\nCROSS-REFERENCE TO RELATED\nAPPLICATION\n\nThis invention is a continuation of U.S. patent application\n\nSer. No. 09/608,237 for METHOD AND APPARATUS FOR\n\nMONITORING TRAFFIC IN A NETWORK to inventors\n\nDietz, et al., filed Jun. 30, 2000, now U.S. Pat. No. 6,651,\n\n099, the contents of which are incorporated herein by\nreference.\nThis invention claims the benefit of U.S. Provisional\n\nPatent Application Ser. No. 60/141,903 for METHOD AND\n\nAPPARATUS FOR MONITORING TRAFFIC IN ANET 15\n\nWORK to inventors Dietz, et al., filed Jun. 30, 1999, the\n\ncontents of which are incorporated herein by reference.\nThis application is related to the following U.S. patent\napplications, each filed concurrently with the present\napplication, and each assigned to the assignee of the present\ninvention:\n\nU.S. patent application Ser. No. 09/609,179 for PRO\n\nCESSING PROTOCOL SPECIFIC INFORMATION IN\nPACKETS SPECIFIED BY APROTOCOL DESCRIPTION\n\nLANGUAGE, to inventors Koppenhaver, et al., filed Jun.\n30, 2000, now U.S. Pat. No. 6,665,725, and incorporated\nherein by reference.\nU.S. patent application Ser. No. 09/608,126 for\n\n25\n\nRE-USING INFORMATION FROM DATA TRANSAC\nTIONS FOR MAINTAINING STATISTICS IN NET\n\nWORK MONITORING, to inventors Dietz, et al., filed Jun.\n\nThough Netflow(R) (Cisco Systems, Inc., San Jose, Calif.),\n\nMONITOR, to inventors Sarkissian, et al., filed Jun. 30,\n\n40\n\nPROCESSOR FOR PATTERN MATCHING IN A NET\n\nWORK MONITOR DEVICE, to inventors Sarkissian, et al.,\nfiled Jun. 30, 2000, now U.S. Pat. No. 6,789,116, and\n45\n\nFIELD OF INVENTION\n\nThe present invention relates to computer networks, Spe\ncifically to the real-time elucidation of packets communi\ncated within a data network, including classification accord\ning to protocol and application program.\n\n50\n\nBACKGROUND TO THE PRESENT\nINVENTION\n\nThere has long been a need for network activity monitors.\nThis need has become especially acute, however, given the\nrecent popularity of the Internet and other internets-an\n\xe2\x80\x9cinternet\' being any plurality of interconnected networks\nwhich forms a larger, single network. With the growth of\nnetworks used as a collection of clients obtaining Services\nfrom one or more Servers on the network, it is increasingly\nimportant to be able to monitor the use of those Services and\nto rate them accordingly. Such objective information, for\n\nexample, as which Services (i.e., application programs) are\n\nAnother disadvantage of creating log files is that the\nprocess requires data logging features of network elements\nto be enabled, placing a Substantial load on the device, which\nresults in a Subsequent decline in network performance.\nAdditionally, log files can grow rapidly, there is no Standard\nmeans of Storage for them, and they require a significant\nRMON2, and other network monitors are available for the\n\nCIATIVE CACHE STRUCTURE FOR LOOKUPS AND 35\nUPDATES OF FLOW RECORDS IN A NETWORK\n\nincorporated herein by reference.\n\ngateWay.\n\namount of maintenance.\n\n30, 2000, now U.S. Pat. No. 6,839,751, and incorporated\nherein by reference.\nU.S. patent application Ser. No. 09/608,266 for ASSO\n\n2000, now U.S. Pat. No. 6,771,646, and incorporated herein\nby reference.\nU.S. patent application Ser. No. 09/608,267 for STATE\n\n2\nespecially important that Selected users be able to acceSS a\nnetwork remotely in order to generate reports on network\nuse in real time. Similarly, a need exists for a real-time\nnetwork monitor that can provide alarms notifying Selected\nusers of problems that may occur with the network or site.\nOne prior art monitoring method uses log files. In this\nmethod, Selected network activities may be analyzed retro\nSpectively by reviewing log files, which are maintained by\nnetwork Servers and gateways. Log file monitors must\naccess this data and analyze (\xe2\x80\x9cmine\') its contents to deter\nmine Statistics about the Server or gateway. Several problems\nexist with this method, however. First, log file information\ndoes not provide a map of real-time usage; and Secondly, log\nfile mining does not Supply complete information. This\nmethod relies on logs maintained by numerous network\ndevices and Servers, which requires that the information be\nSubjected to refining and correlation. Also, Sometimes infor\nmation is simply not available to any gateway or Server in\norder to make a log file entry.\nOne Such case, for example, would be information con\ncerning NetMeeting(R) (Microsoft Corporation, Redmond,\nWash.) Sessions in which two computers connect directly on\nthe network and the data is never Seen by a Server or a\n\n55\n\nreal-time monitoring of networks, they lack Visibility into\napplication content and are typically limited to providing\nnetwork layer level information.\nPattern-matching parser techniques wherein a packet is\nparsed and pattern filters are applied are also known, but\nthese too are limited in how deep into the protocol Stack they\ncan examine packets.\nSome prior art packet monitors classify packets into\nconnection flows. The term \xe2\x80\x9cconnection flow\xe2\x80\x9d is commonly\nused to describe all the packets involved with a single\nconnection. A conversational flow, on the other hand, is the\n\nSequence of packets that are exchanged in any direction as\na result of an activity-for instance, the running of an\napplication on a Server as requested by a client. It is desirable\nto be able to identify and classify conversational flows rather\nthan only connection flows. The reason for this is that Some\nconversational flows involve more than one connection, and\n\nSome even involve more than one exchange of packets\nbetween a client and Server. This is particularly true when\nusing client/server protocols such as RPC, DCOMP, and\nSAP, which enable a service to be set up or defined prior to\nany use of that Service.\n\nAn example of such a case is the SAP (Service Adver\ntising Protocol), a NetWare (Novell Systems, Provo, Utah)\n\n60\n\nprotocol used to identify the Services and addresses of\nServers attached to a network. In the initial eXchange, a client\nmight send a SAP request to a server for print service. The\nserver would then send a SAP reply that identifies a par\nticular address-for example, SAPi?5-as the print service\non that Server. Such responses might be used to update a\n\nbeing used, who is using them, how often they have been 65 table in a router, for instance, known as a Server Information\naccessed, and for how long, is very useful in the mainte Table. A client who has inadvertently seen this reply or who\nnance and continued operation of these networks. It is has access to the table (via the router that has the Service\nApp. II-141\n\n\x0cUS 6,954,789 B2\n\n3\nInformation Table) would know that SAPH5 for this particu\n\nlar Server is a print Service. Therefore, in order to print data\non the Server, Such a client would not need to make a request\nfor a print Service, but would simply Send data to be printed\nSpecifying SAPiS. Like the previous exchange, the trans\nmission of data to be printed also involves an exchange\nbetween a client and a Server, but requires a Second con\nnection and is therefore independent of the initial eXchange.\nIn order to eliminate the possibility of disjointed conversa\ntional eXchanges, it is desirable for a network packet monitor\nto be able to \xe2\x80\x9cvirtually concatenate\xe2\x80\x9d-that is, to link-the\nfirst eXchange with the Second. If the clients were the same,\nthe two packet eXchanges would then be correctly identified\nas being part of the same conversational flow.\nOther protocols that may lead to disjointed flows, include\n\nRPC (Remote Procedure Call); DCOM (Distributed Com\nponent Object Model), formerly called Network OLE\n(Microsoft Corporation, Redmond, Wash.); and CORBA\n(Common Object Request Broker Architecture). RPC is a\nprogramming interface from Sun MicroSystems (Palo Alto,\nCalif.) that allows one program to use the Services of another\nprogram in a remote machine. DCOM, Microsoft\'s coun\nterpart to CORBA, defines the remote procedure call that\nallows those objects-objects are Self-contained Software\nmodules-to be run remotely over the network. And\nCORBA, a standard from the Object Management Group\n\n4\nets to extract information to identify Session of a packet. For\nexample, if a DECnet packet appears, the 402 patent looks\nat Six specific fields (at 6 locations) in the packet in order to\nidentify the Session of the packet. If, on the other hand, an\nIP packet appears, a different Set of six different locations is\nspecified for an IP packet. With the proliferation of\nprotocols, clearly the Specifying of all the possible places to\nlook to determine the Session becomes more and more\n\n15\n\n802.3 packet from the older Ethernet Type 2 (or Version 2)\nDIX (Digital-Intel-Xerox) packet.\n\nThe 402 patent System is able to recognize up to the\nSession layer. In the present invention, the number of levels\nexamined varies for any particular protocol. Furthermore,\nthe present invention is capable of examining up to whatever\nlevel is Sufficient to uniquely identify to a required level,\n\neven all the way to the application level (in the OSI model).\n\n25\n\n(OMG) for communicating between distributed objects,\nprovides a way to execute programs (objects) written in\n\nmura teaches a network monitoring System in U.S. Pat. No.\n4,891,639, titled \xe2\x80\x9cMONITORING SYSTEM OF NET.\n\nWhat is needed, therefore, is a network monitor that\n\n35\n\n40\n\n45\n\nprovider (ISP) the means to measure and analyze network\n50\n\n55\n\nsational flow.\n\nThe data value in monitoring network communications\nhas been recognized by many inventors. Chiu, et al.,\ndescribe a method for collecting information at the Session\nlevel in a computer network in U.S. Pat. No. 5,101,402,\n\ntitled \xe2\x80\x9cAPPARATUS AND METHOD FOR REAL-TIME\nMONITORING OF NETWORK SESSIONS AND A\n\nLOCAL AREA NETWORK\xe2\x80\x9d (the \xe2\x80\x9c402 patent\xe2\x80\x9d). The 402\n\nWORK.\xe2\x80\x9d Ross, et al., teach a method and apparatus for\nanalyzing and monitoring network activity in U.S. Pat. No.\n5,247,517, titled \xe2\x80\x9cMETHOD AND APPARATUS FOR\nANALYSIS NETWORKS,\xe2\x80\x9d McCreery, et al., describe an\nInternet activity monitor that decodes packet data at the\nInternet protocol level layer in U.S. Pat. No. 5,787.253,\ntitled \xe2\x80\x9cAPPARATUS AND METHOD OF ANALYZING\n\nINTERNET ACTIVITY.\xe2\x80\x9d The McCreery method decodes\nIP-packets. It goes through the decoding operations for each\npacket, and therefore uses the processing overhead for both\nrecognized and unrecognized flows. In a monitor implemen\ntation of the present invention, a signature is built for every\nflow Such that future packets of the flow are easily recog\nnized. When a new packet in the flow arrives, the recogni\ntion proceSS can commence from where it last left off, and\na new Signature built to recognize new packets of the flow.\nSUMMARY\n\na user Such as a network administrator or an Internet Service\n\nactivity objectively; to customize the type of data that is\ncollected and analyzed; to undertake real time analysis, and\nto receive timely notification of network problems.\nConsidering the previous SAP example again, because\none features of the invention is to correctly identify the\nSecond exchange as being associated with a print Service on\nthat Server, Such exchange would even be recognized if the\nclients were not the same. What distinguishes this invention\nfrom prior art network monitors is that it has the ability to\nrecognize disjointed flows as belonging to the same conver\n\nOther prior art systems also are known. Phael describes a\nnetwork activity monitor that processes only randomly\nselected packets in U.S. Pat. No. 5,315,580, titled \xe2\x80\x9cNET\n\nWORK MONITORING DEVICE AND SYSTEM. Naka\n\ndifferent programming languages running on different plat\nforms regardless of where they reside in a network.\n\nmakes it possible to continuously analyze all user Sessions\non a heavily trafficked network. Such a monitor should\nenable non-intrusive, remote detection, characterization,\nanalysis, and capture of all information passing through any\npoint on the network (i.e., of all packets and packet streams\npassing through any location in the network). Not only\nshould all the packets be detected and analyzed, but for each\nof these packets the network monitor should determine the\nprotocol (e.g., http, ftp, H.323, VPN, etc.), the application/\nuse within the protocol (e.g., voice, Video, data, real-time\ndata, etc.), and an end user\'s pattern of use within each\napplication or the application context (e.g., options selected,\nService delivered, duration, time of day, data requested, etc.).\nAlso, the network monitor should not be reliant upon Server\nresident information Such as log files. Rather, it should allow\n\ndifficult. Likewise, adding a new protocol or application is\ndifficult. In the present invention, the locations examined\nand the information extracted from any packet are adap\ntively determined from information in the packet for the\nparticular type of packet. There is no fixed definition of what\nto look for and where to look in order to form an identifying\nSignature. A monitor implementation of the present\ninvention, for example, adapts to handle differently IEEE\n\n60\n\nIn its various embodiments the present invention provides\na network monitor that can accomplish one or more of the\nfollowing objects and advantages:\nRecognize and classify all packets that are exchanges\nbetween a client and Server into respective client/server\napplications.\nRecognize and classify at all protocol layer levels con\nVersational flows that pass in either direction at a point\nin a network.\n\nDetermine the connection and flow progreSS between\nclients and Servers according to the individual packets\neXchanged over a network.\nBe used to help tune the performance of a network\naccording to the current mix of client/server applica\ntions requiring network resources.\n\nMaintain statistics relevant to the mix of client/server\n65\n\napplications using network resources.\nReport on the occurrences of Specific Sequences of pack\nets used by particular applications for client/server\n\nnetwork conversational flows.\npatent Specifies fixed locations for particular types of pack\nApp. II-142\n\n\x0cUS 6,954,789 B2\n\n6\nhigher layer levels. For example, An Ethernet packet (the\nroot node) may be an Ethertype packet\xe2\x80\x94also called an\nEthernet Type/Version 2 and a DIX (DIGITAL-Intel-Xerox\npacket) or an IEEE 802.3 packet. Continuing with the\n\nS\nOther aspects of embodiments of the invention are:\nProperly analyzing each of the packetS eXchanged\nbetween a client and a Server and maintaining infor\nmation relevant to the current State of each of these\nconversational flows.\n\nIEEE 802.3-type packet, one of the children nodes may be\nthe IP protocol, and one of the children of the IP protocol\nmay be the TCP protocol.\nThe pattern database includes a description of the differ\nent headers of packets and their contents, and how these\n\nProviding a flexible processing System that can be tailored\nor adapted as new applications enter the client/server\nmarket.\n\nMaintaining Statistics relevant to the conversational flows\nin a client/Sever network as classified by an individual\napplication.\nReporting a specific identifier, which may be used by\nother network-oriented devices to identify the series of\npackets with a specific application for a specific client/\nServer network conversational flow.\n\nIn general, the embodiments of the present invention\novercome the problems and disadvantages of the art.\nAS described herein, one embodiment analyzes each of\nthe packets passing through any point in the network in\neither direction, in order to derive the actual application used\n\nrelate to the different nodes in a tree. The PRE traverses the\ntree as far as it can. If a node does not include a link to a\n\n15\n\nto communicate between a client and a Server. Note that\n\nthere could be Several Simultaneous and overlapping appli\ncations executing over the network that are independent and\nasynchronous.\nA monitor embodiment of the invention successfully\nclassifies each of the individual packets as they are seen on\nthe network. The contents of the packets are parsed and\n\n(i.e., key) for the packet. The Slicer also preferably generates\n\n25\n\n35\n\ncontroller (MAC) or a segmentation and reassemble module\nis used to provide packets to the parser Subsystem of the\nmonitor.\n\n45\n\n50\n\n55\n\nIn a hardware implementation, the parsing Subsystem\ncomprises two Sub-parts, the pattern analysis and recogni\n\ntion engine (PRE), and an extraction engine (slicer). The\n\nPRE interprets each packet, and in particular, interprets\nindividual fields in each packet according to a pattern\n\n60\n\ndatabase.\n\nThe different protocols that can exist in different layers\nmay be thought of as nodes of one or more trees of linked\nnodes. The packet type is the root of a tree. Each protocol is\neither a parent node or a terminal node. A parent node links\n\ndatabase of flow records for previously encountered con\nversational flows to determine whether a signature is from\nan existing flow, a State processor (SP) for performing State\nprocessing, a flow insertion and deletion engine (FIDE) for\ninserting new flows into the database of flows, a memory for\nStoring the database of flows, and a cache for Speeding up\naccess to the memory containing the flow database. The\nLUE, SP, and FIDE are all coupled to the UFKB, and to the\ncache.\n\n40\n\ncircuits (ASIC) or field programmable gate arrays (FPGA).\n\nIn one embodiment, the monitor comprises a parser Sub\nSystem that forms a Signature from a packet. The monitor\nfurther comprises an analyzer Subsystem that receives the\nSignature from the parser Subsystem.\nA packet acquisition device Such as a media acceSS\n\na hash for rapidly identifying a flow that may have this\nSignature from a database of known flows.\nThe flow Signature of the packet, the hash and at least\nSome of the payload are passed to an analyzer Subsystem. In\na hardware embodiment, the analyzer Subsystem includes a\n\nunified flow key buffer (UFKB) for receiving parts of\npackets from the parser Subsystem and for Storing Signatures\nin process, a lookup/update engine (LUE) to lookup a\n\nSelected parts are assembled into a signature (also called a\nkey) that may then be used identify further packets of the\n\nSame conversational flow, for example to further analyze the\nflow and ultimately to recognize the application program.\nThus the key is a function of the selected parts, and in the\npreferred embodiment, the function is a concatenation of the\nSelected parts. The preferred embodiment forms and remem\nbers the State of any conversational flow, which is deter\nmined by the relationship between individual packets and\nthe entire conversational flow over the network. By remem\nbering the state of a flow in this way, the embodiment\ndetermines the context of the conversational flow, including\nthe application program it relates to and parameterS Such as\nthe time, length of the conversational flow, data rate, etc.\nThe monitor is flexible to adapt to future applications\ndeveloped for client/server networks. New protocols and\nprotocol combinations may be incorporated by compiling\nfiles written in a high-level protocol description language.\nThe monitor embodiment of the present invention is\npreferably implemented in application-Specific integrated\n\ndeeper level, pattern matching is declared complete. Note\nthat protocols can be the children of Several parents. If a\nunique node was generated for each of the possible parent/\nchild trees, the pattern database might become excessively\nlarge. Instead, child nodes are shared among multiple\nparents, thus compacting the pattern database.\nFinally the PRE can be used on its own when only\nprotocol recognition is required.\nFor each protocol recognized, the Slicer extracts important\npacket elements from the packet. These form a Signature\n\nThe unified flow key buffer thus contains the flow signa\nture of the packet, the hash and at least Some of the payload\nfor analysis in the analyzer Subsystem. Many operations can\nbe performed to further elucidate the identity of the appli\ncation program content of the packet involved in the client/\nServer conversational flow while a packet Signature exists in\nthe unified flow signature buffer. In the particular hardware\nembodiment of the analyzer subsystem several flows may be\nprocessed in parallel, and multiple flow Signatures from all\nthe packets being analyzed in parallel may be held in the one\nUFKB.\n\nThe first Step in the packet analysis process of a packet\nfrom the parser Subsystem is to lookup the instance in the\ncurrent database of known packet flow Signatures. A lookup/\n\nupdate engine (LUE) accomplishes this task using first the\n\nhash, and then the flow signature. The Search is carried out\nin the cache and if there is no flow with a matching Signature\nin the cache, the lookup engine attempts to retrieve the flow\nfrom the flow database in the memory. The flow-entry for\npreviously encountered flows preferably includes State\ninformation, which is used in the State processor to execute\nany operations defined for the State, and to determine the\nnext State. A typical State operation may be to Search for one\nor more known reference Strings in the payload of the packet\nStored in the UFKB.\n\nOnce the lookup processing by the LUE has been com\npleted a flag Stating whether it is found or is new is Set within\na protocol to other protocols (child protocols) that can be at the unified flow signature buffer structure for this packet\nApp. II-143\n65\n\n\x0cUS 6,954,789 B2\n\n7\nflow Signature. For an existing flow, the flow-entry is\nupdated by a calculator component of the LUE that adds\nvalues to counters in the flow-entry database used to Store\n\nFIG. 6 is a flowchart of a packet element extraction\nprocess that is used as part of the parser in an embodiment\nof the inventive packet monitor.\nFIG. 7 is a flowchart of a flow-signature building process\nthat is used as part of the parser in the inventive packet\n\none or more Statistical measures of the flow. The counters are\n\nused for determining network usage metrics on the flow.\nAfter the packet flow Signature has been looked up and\ncontents of the current flow signature are in the database, a\nState processor can begin analyzing the packet payload to\nfurther elucidate the identity of the application program\ncomponent of this packet. The exact operation of the State\nprocessor and functions performed by it will vary depending\non the current packet Sequence in the Stream of a conver\nsational flow. The State processor moves to the next logical\noperation Stored from the previous packet Seen with this\nSame flow Signature. If any processing is required on this\npacket, the State processor will execute instructions from a\n\nmonitor.\n\n15\n\ndatabase of State instruction for this State until there are\n\neither no more left or the instruction Signifies processing.\nIn the preferred embodiment, the State processor functions\nare programmable to provide for analyzing new application\nprograms, and new Sequences of packets and States that can\narise from using Such application.\nIf during the lookup proceSS for this particular packet flow\nSignature, the flow is required to be inserted into the active\n\ndatabase, a flow insertion and deletion engine (FIDE) is\n\ninitiated. The State processor also may create new flow\nSignatures and thus may instruct the flow insertion and\ndeletion engine to add a new flow to the database as a new\n\n25\n\nitem.\n\nIn the preferred hardware embodiment, each of the LUE,\nState processor, and FIDE operate independently from the\nother two engines.\n\nFIG. 8 is a flowchart of a monitor lookup and update\nprocess that is used as part of the analyzer in an embodiment\nof the inventive packet monitor.\nFIG. 9 is a flowchart of an exemplary Sun Microsystems\nRemote Procedure Call application than may be recognized\nby the inventive packet monitor.\nFIG. 10 is a functional block diagram of a hardware parser\nSubsystem including the pattern recognizer and extractor\nthat can form part of the parser module in an embodiment of\nthe inventive packet monitor.\nFIG. 11 is a functional block diagram of a hardware\nanalyzer including a State processor that can form part of an\nembodiment of the inventive packet monitor.\nFIG. 12 is a functional block diagram of a flow insertion\nand deletion engine process that can form part of the\nanalyzer in an embodiment of the inventive packet monitor.\nFIG. 13 is a flowchart of a State processing process that\ncan form part of the analyzer in an embodiment of the\ninventive packet monitor.\nFIG. 14 is a simple functional block diagram of a process\nembodiment of the present invention that can operate as the\npacket monitor shown in FIG. 1. This process may be\nimplemented in Software.\nFIG. 15 is a functional block diagram of how the packet\n\nmonitor of FIG. 3 (and FIGS. 10 and 11) may operate on a\n\nnetwork with a processor Such as a microprocessor.\n\nBRIEF DESCRIPTION OF THE DRAWINGS\n\nAlthough the present invention is better understood by\nreferring to the detailed preferred embodiments, these\nshould not be taken to limit the present invention to any\nSpecific embodiment because Such embodiments are pro\nVided only for the purposes of explanation. The\nembodiments, in turn, are explained with the aid of the\nfollowing figures.\nFIG. 1 is a functional block diagram of a network embodi\nment of the present invention in which a monitor is con\nnected to analyze packets passing at a connection point.\nFIG. 2 is a diagram representing an example of Some of\nthe packets and their formats that might be exchanged in\nStarting, as an illustrative example, a conversational flow\nbetween a client and Server on a network being monitored\nand analyzed. A pair of flow Signatures particular to this\nexample and to embodiments of the present invention is also\nillustrated. This represents Some of the possible flow Signa\ntures that can be generated and used in the process of\nanalyzing packets and of recognizing the particular Server\napplications that produce the discrete application packet\neXchanges.\nFIG. 3 is a functional block diagram of a process embodi\nment of the present invention that can operate as the packet\nmonitor shown in FIG.1. This process may be implemented\n\n8\n\n35\n\nFIG. 16 is an example of the top (MAC) layer of an\n\nEthernet packet and Some of the elements that may be\nextracted to form a signature according to one aspect of the\ninvention.\n\n40\n\nFIG.17A is an example of the header of an Ethertype type\nof Ethernet packet of FIG.16 and some of the elements that\nmay be extracted to form a signature according to one aspect\nof the invention.\n\n45\n\nFIG. 17B is an example of an IP packet, for example, of\nthe Ethertype packet shown in FIGS. 16 and 17A, and some\nof the elements that may be extracted to form a Signature\naccording to one aspect of the invention.\nFIG. 18A is a three dimensional structure that can be used\n\n50\n\nto Store elements of the pattern, parse and extraction data\nbase used by the parser Subsystem in accordance to one\nembodiment of the invention.\n\nFIG. 18B is an alternate form of storing elements of the\npattern, parse and extraction database used by the parser\nSubsystem in accordance to another embodiment of the\n\n55\n\ninvention.\n\nDETAILED DESCRIPTION OF THE\nPREFERRED EMBODIMENTS\n\nNote that this document includes hardware diagrams and\ndescriptions that may include Signal names. In most cases,\nFIG. 4 is a flowchart of a high-level protocol language the names are Sufficiently descriptive, in other cases how\ncompiling and optimization process, which in one embodi ever the Signal names are not needed to understand the\nment may be used to generate data for monitoring packets operation and practice of the invention.\naccording to versions of the present invention.\nOperation in a Network\nFIG. 5 is a flowchart of a packet parsing proceSS used as 65\nFIG. 1 represents a system embodiment of the present\npart of the parser in an embodiment of the inventive packet\nmonitor.\ninvention that is referred to herein by the general reference\nApp. II-144\nin Software or hardware.\n\n60\n\n\x0c9\n\nUS 6,954,789 B2\n\n10\n\nnumeral 100. The system 100 has a computer network 102\n\ndestination address, control bits for flow control, the data or\n\nvarious computers, for example between the clients 104-107\n\nchecking. The term "packet\' generally refers to encapsu\nlated data at OSI layer 3. In the TCP/IP world, the term\n"datagram\' is also used. In this specification, the term\n"packet\' is intended to encompass packets, datagrams,\nframes, and cells. In general, a packet format or frame\nformat refers to how data is encapsulated with various fields\nand headers for transmission acroSS a network. For example,\na data packet typically includes an address destination field,\n\npayload, and CRC (cyclic redundancy check) data for error\n\nthat communicates packets (e.g., IP datagrams) between\nand servers 110 and 112. The network is shown Schemati\n\ncally as a cloud with Several network nodes and linkS shown\nin the interior of the cloud. A monitor 108 examines the\npackets passing in either direction past its connection point\n121 and, according to one aspect of the invention, can\nelucidate what application programs are associated with\neach packet. The monitor 108 is shown examining packets\n\n5\n\n(i.e., datagrams) between the network interface 116 of the\n\na length field, an error correcting code (ECC) field, or cyclic\nredundancy check (CRC) field, as well as headers and\n\nserver 110 and the network. The monitor can also be placed\nat other points in the network, Such as connection point 123\n\nbetween the network 102 and the interface 118 of the client\n\n104, or Some other location, as indicated Schematically by\nconnection point 125 somewhere in network 102. Not\nshown is a network packet acquisition device at the location\n123 on the network for converting the physical information\non the network into packets for input into monitor 108. Such\npacket acquisition devices are common.\nVarious protocols may be employed by the network to\nestablish and maintain the required communication, e.g.,\nTCP/IP, etc. Any network activity-for example an appli\n\ncation program run by the client 104 (CLIENT 1) commu\nnicating with another running on the server 110 (SERVER\n2)-will produce an exchange of a sequence of packets over\n\nnetwork 102 that is characteristic of the respective programs\nand of the network protocols. Such characteristics may not\nbe completely revealing at the individual packet level. It\nmay require the analyzing many packets by the monitor 108\nto have enough information needed to recognize particular\napplication programs. The packets may need to be parsed\nthen analyzed in the context of various protocols, for\nexample, the transport through the application Session layer\nprotocols for packets of a type conforming to the ISO\nlayered network model.\nCommunication protocols are layered, which is also\n\n15\n\n25\n\nitself to the monitor 108.\n\n35\n\nreferred to as a protocol stack. The ISO (International\nStandardization Organization) has defined a general model\n\nthat provides a framework for design of communication\nprotocol layers. This model, shown in table form below,\nServes as a basic reference for understanding the function\nality of existing communication protocols.\n\nfooters to identify the beginning and end of the packet. The\nterms \xe2\x80\x9cpacket format\xe2\x80\x9d and \xe2\x80\x9cframe format,\xe2\x80\x9d also referred to\nas \xe2\x80\x9ccell format,\xe2\x80\x9d are generally Synonymous.\nMonitor 108 looks at every packet passing the connection\npoint 121 for analysis. However, not every packet carries the\nSame information useful for recognizing all levels of the\nprotocol. For example, in a conversational flow associated\nwith a particular application, the application will cause the\nServer to Send a type-A packet, but So will another. If,\nthough, the particular application program always follows a\ntype-A packet with the Sending of a type-B packet, and the\nother application program does not, then in order to recog\nnize packets of that application\'s conversational flow, the\nmonitor can be available to recognize packets that match the\ntype-B packet to associate with the type-A packet. If Such is\nrecognized after a type-A packet, then the particular appli\ncation program\'s conversational flow has started to reveal\n\n40\n\nFurther packets may need to be examined before the\nconversational flow can be identified as being associated\nwith the application program. Typically, monitor 108 is\nSimultaneously also in partial completion of identifying\nother packet eXchanges that are parts of conversational flows\nasSociated with other applications. One aspect of monitor\n108 is its ability to maintain the state of a flow. The state of\na flow is an indication of all previous events in the flow that\nlead to recognition of the content of all the protocol levels,\ne.g., the ISO model protocol levels. Another aspect of the\ninvention is forming a signature of extracted characteristic\nportions of the packet that can be used to rapidly identify\npackets belonging to the same flow.\nIn real-world uses of the monitor 108, the number of\n\n45\nISO MODEL\n\nLayer\n\nFunctionality\n\nExample\n\n7\n\nApplication\n\nTelnet, NFS, Novell NCP, HTTP,\n\n6\n\nPresentation\n\nH.323\nXDR\n\n4\n3\n2\n\nTransport\nNetwork\nData Link\n\nTCP, Novel SPX, UDP, etc.\nIP, Novell IPX, VIP, AppleTalk, etc.\nNetwork Interface Card (Hardware\n\n5\n\nSession\n\n50\n\nRPC, NETBIOS, SNMP, etc.\n\npackets on the network 102 passing by the monitor 108\'s\nconnection point can exceed a million per Second.\nConsequently, the monitor has very little time available to\nanalyze and type each packet and identify and maintain the\nState of the flows passing through the connection point. The\nmonitor 108 therefore masks out all the unimportant parts of\neach packet that will not contribute to its classification.\nHowever, the parts to mask-out will change with each packet\ndepending on which flow it belongs to and depending on the\nstate of the flow.\n\nThe recognition of the packet type, and ultimately of the\nasSociated\napplication programs according to the packets\nATM, T1 (Hardware Connection)\nthat their executions produce, is a multi-step process within\nthe monitor 108. At a first level, for example, several\nDifferent communication protocols employ different lev application programs will all produce a first kind of packet.\nels of the ISO model or may use a layer model that is similar 60 A first "signature\' is produced from Selected parts of a\nto but which does not exactly conform to the ISO model. A packet that will allow monitor 108 to identify efficiently any\nprotocol in a certain layer may not be visible to protocols packets that belong to the same flow. In Some cases, that\nemployed at other layers. For example, an application (Level packet type may be Sufficiently unique to enable the monitor\n7) may not be able to identify the source computer for a to identify the application that generated Such a packet in the\n65 conversational flow. The Signature can then be used to\ncommunication attempt (Levels 2-3).\nIn Some communication arts, the term "frame\' generally efficiently identify all future packets generated in traffic\nrefers to encapsulated data at OSI layer 2, including a related to that application.\nApp. II-145\n1.\n\nPhysical\n\nInterface). MAC layer\n\nEthernet, Token Ring, Frame Relay,\n\n55\n\n\x0cUS 6,954,789 B2\n\n11\nIn other cases, that first packet only starts the process of\nanalyzing the conversational flow, and more packets are\nnecessary to identify the associated application program. In\nSuch a case, a Subsequent packet of a Second type-but that\npotentially belongs to the same conversational flow-is\nrecognized by using the Signature. At Such a Second level,\nthen, only a few of those application programs will have\nconversational flows that can produce Such a Second packet\ntype. At this level in the process of classification, all appli\ncation programs that are not in the Set of those that lead to\nSuch a Sequence of packet types may be excluded in the\nprocess of classifying the conversational flow that includes\nthese two packets. Based on the known patterns for the\nprotocol and for the possible applications, a signature is\nproduced that allows recognition of any future packets that\nmay follow in the conversational flow.\nIt may be that the application is now recognized, or\nrecognition may need to proceed to a third level of analysis\nusing the Second level Signature. For each packet, therefore,\nthe monitor parses the packet and generates a Signature to\ndetermine if this signature identified a previously encoun\ntered flow, or shall be used to recognize future packets\nbelonging to the same conversational flow. In real time, the\npacket is further analyzed in the context of the Sequence of\npreviously encountered packets (the State), and of the pos\nSible future Sequences Such a past Sequence may generate in\nconversational flows associated with different applications.\nA new signature for recognizing future packets may also be\ngenerated. This process of analysis continues until the\napplications are identified. The last generated Signature may\nthen be used to efficiently recognize future packets associ\nated with the same conversational flow. Such an arrange\nment makes it possible for the monitor 108 to cope with\nmillions of packets per Second that must be inspected.\nAnother aspect of the invention is adding Eavesdropping.\nIn alternative embodiments of the present invention capable\nof eavesdropping, once the monitor 108 has recognized the\nexecuting application programs passing through Some point\nin the network 102 (for example, because of execution of the\napplications by the client 105 or server 110), the monitor\nSends a message to Some general purpose processor on the\nnetwork that can input the same packets from the same\nlocation on the network, and the processor then loads its own\nexecutable copy of the application program and uses it to\nread the content being eXchanged over the network. In other\nwords, once the monitor 108 has accomplished recognition\nof the application program, eavesdropping can commence.\n\n12\npackets of different types-accomplished by compiler and\n\noptimizer 310, (2) the processing parsing and extraction of\nSelected portions-of packets to generate an identifying\n\nSignature-accomplished by parser Subsystem 301, and (3)\n\nthe analysis of the packets-accomplished by analyzer 303.\nThe purpose of compiler and optimizer 310 is to provide\nprotocol specific information to parser Subsystem 301 and to\nanalyzer Subsystem 303. The initialization occurs prior to\noperation of the monitor, and only needs to re-occur when\nnew protocols are to be added.\nA flow is a stream of packets being eXchanged between\nany two addresses in the network. For each protocol there\nare known to be Several fields, Such as the destination\n\n15\n\nlocation 121 in network 102 (FIG. 1), and the packet\n\nevaluated, for example in an attempt to determine its\ncharacteristics, e.g., all the protocol information in a multi\nlevel model, including what Server application produced the\npacket.\nThe packet acquisition device is a common interface that\nconverts the physical Signals and then decodes them into\nbits, and into packets, in accordance with the particular\n\nnetwork (Ethernet, frame relay, ATM, etc.). The acquisition\n\nand other fields are used in monitor 300 to identify the flow.\nThere are other fields not important for identifying the flow,\nSuch as checksums, and those parts are not used for identi\nfication.\n\nParser Subsystem 301 examines the packets using pattern\nrecognition proceSS 304 that parses the packet and deter\nmines the protocol types and associated headers for each\nprotocol layer that exists in the packet 302. An extraction\nprocess 306 in parser subsystem 301 extracts characteristic\n\n25\n\nportions (signature information) from the packet 302. Both\n\nthe pattern information for parsing and the related extraction\noperations, e.g., extraction masks, are Supplied from a\nparsing-pattern-structures and extraction-operations data\n\nbase (parsing/extractions database) 308 filled by the com\npiler and optimizer 310.\n\n35\n\n40\n\n45\n\nThe Network Monitor\n\nFIG. 3 shows a network packet monitor 300, in an\nembodiment of the present invention that can be imple\nmented with computer hardware and/or Software. The SyS\ntem 300 is similar to monitor 108 in FIG.1. A packet 302 is\nexamined, e.g., from a packet acquisition device at the\n\n(recipient), the Source (the Sender), and So forth, and these\n\n50\n\n55\n\nThe protocol description language (PDL) files 336\ndescribes both patterns and States of all protocols that an\noccur at any layer, including how to interpret header\ninformation, how to determine from the packet header\ninformation the protocols at the next layer, and what infor\nmation to extract for the purpose of identifying a flow, and\nultimately, applications and Services. The layer Selections\ndatabase 338 describes the particular layering handled by the\nmonitor. That is, what protocols run on top of what protocols\nat any layer level. Thus 336 and 338 combined describe how\none would decode, analyze, and understand the information\nin packets, and, furthermore, how the information is layered.\nThis information is input into compiler and optimizer 310.\nWhen compiler and optimizer 310 executes, it generates\n\ntwo sets of internal data structures. The first is the set of\n\nparsing/extraction operations 308. The pattern Structures\ninclude parsing information and describe what will be\nrecognized in the headers of packets, the extraction opera\ntions are what elements of a packet are to be extracted from\nthe packets based on the patterns that get matched. Thus,\ndatabase 308 of parsing/extraction operations includes infor\nmation describing how to determine a Set of one or more\nprotocol dependent extraction operations from data in the\npacket that indicate a protocol used in the packet.\nThe other internal data structure that is built by compiler\n310 is the set of state patterns and processes 326. These are\nthe different States and State transitions that occur in different\n\nconversational flows, and the State operations that need to be\n60\n\nperformed (e.g., patterns that need to be examined and new\nSignatures that need to be built) during any State of a\nconversational flow to further the task of analyzing the\nconversational flow.\n\nThus, compiling the PDL files and layer selections pro\nvides monitor 300 with the information it needs to begin\n65 processing packets. In an alternate embodiment, the contents\nAspects shown here include: (1) the initialization of the of one or more of databases 308 and 326 may be manually\nmonitor to generate what operations need to occur on or otherwise generated. Note that in Some embodiments the\nApp. II-146\ndevice indicates to the monitor 108 the type of network of\nthe acquired packet or packets.\n\n\x0c13\n\nUS 6,954,789 B2\n\nlayering Selections information is inherent rather than\nexplicitly described. For example, since a PDL file for a\nprotocol includes the child protocols, the parent protocols\nalso may be determined.\nIn the preferred embodiment, the packet 302 from the\nacquisition device is input into a packet buffer. The pattern\nrecognition proceSS 304 is carried out by a pattern analysis\n\n5\n\nand recognition (PAR) engine that analyzes and recognizes\n\npatterns in the packets. In particular, the PAR locates the\nnext protocol field in the header and determines the length\nof the header, and may perform certain other tasks for certain\ntypes of protocol headers. An example of this is type and\n\nlength comparison to distinguish an IEEE 802.3 (Ethernet)\npacket from the older type 2 (or Version 2) Ethernet packet,\nalso called a DIGITAL-Intel-Xerox (DIX) packet. The PAR\n\nalso uses the pattern Structures and extraction operations\ndatabase 308 to identify the next protocol and parameters\nasSociated with that protocol that enables analysis of the\nnext protocol layer. Once a pattern or a set of patterns has\nbeen identified, it/they will be associated with a set of none\nor more extraction operations. These extraction operations\n\n15\n\n14\nThe parser record enters a buffer called the unified flow\nkey buffer (UFKB). The UFKB stores the data on flows in\na data Structure that is similar to the parser record, but that\nincludes a field that can be modified. In particular, one or the\nUFKB record fields Stores the packet Sequence number, and\nanother is filled with state information in the form of a\nprogram counter for a State processor that implements State\nprocessing 328.\nThe determination (316) of whether a record with the\nSame signature already exists is carried out by a lookup\nengine (LUE) that obtains new UFKB records and uses the\nhash in the UFKB record to lookup if there is a matching\nknown flow. In the particular embodiment, the database of\nknown flows 324 is in an external memory. A cache is\nassociated with the database 324. A lookup by the LUE for\na known record is carried out by accessing the cache using\nthe hash, and if the entry is not already present in the cache,\nthe entry is looked up (again using the hash) in the external\nmemory.\n\nThe flow-entry database 324 stores flow-entries that\ninclude the unique flow-signature, State information, and\nextracted information from the packet for updating flows,\nand one or more Statistical about the flow. Each entry\ncompletely describes a flow. Database 324 is organized into\n\n(in the form of commands and associated parameters) are\npassed to the extraction proceSS 306 implemented by an\nextracting and information identifying (EII) engine that\n\nextracts Selected parts of the packet, including identifying\ninformation from the packet as required for recognizing this\npacket as part of a flow. The extracted information is put in\nSequence and then processed in block 312 to build a unique\n\nbins that contain a number, denoted N, of flow-entries (also\ncalled flow-entries, each a bucket), with N being 4 in the\npreferred embodiment. Buckets (i.e., flow-entries) are\n\nSignature depends on the protocols used in the packet. For\nSome protocols, the extracted components may include\nSource and destination addresses. For example, Ethernet\nframes have end-point addresses that are useful in building\na better flow signature. Thus, the Signature typically includes\nthe client and Server address pairs. The Signature is used to\nrecognize further packets that are or may be part of this flow.\nIn the preferred embodiment, the building of the flow key\nincludes generating a hash of the Signature using a hash\nfunction. The purpose if using Such a hash is conventional\nto spread flow-entries identified by the Signature acroSS a\ndatabase for efficient Searching. The hash generated is\npreferably based on a hashing algorithm and Such hash\ngeneration is known to those in the art.\nIn one embodiment, the parser passes data from the\n\nSpreads the flows across the database to allow for fast\nlookups of entries, allowing shallower buckets. The designer\nselects the bucket depth N based on the amount of memory\n\naccessed via the hash of the packet from the parser Sub\n\nflow signature (also called a \xe2\x80\x9ckey\xe2\x80\x9d) for this flow. A flow\n\npacket-a parser record\xe2\x80\x94that includes the signature (i.e.,\nSelected portions of the packet), the hash, and the packet\n\nitself to allow for any State processing that requires further\ndata from the packet. An improved embodiment of the parser\nSubsystem might generate a parser record that has Some\npredefined Structure and that includes the Signature, the\nhash, Some flags related to Some of the fields in the parser\nrecord, and parts of the packet\'s payload that the parser\nSubsystem has determined might be required for further\nprocessing, e.g., for State processing.\nNote that alternate embodiments may use Some function\nother than concatenation of the Selected portions of the\npacket to make the identifying Signature. For example, Some\n\xe2\x80\x9cdigest function\' of the concatenated Selected portions may\n\nsystem 301 (i.e., the hash in the UFKB record). The hash\nattached to the monitor, and the number of bits of the hash\n\n35\n\n40\n\ndata value used. For example, in one embodiment, each\nflow-entry is 128 bytes long, so for 128K flow-entries, 16\nMbytes are required. Using a 16-bit hash gives two flow\nentries per bucket. Empirically, this has been shown to be\nmore than adequate for the vast majority of cases. Note that\nanother embodiment uses flow-entries that are 256 bytes\nlong.\n\nHerein, whenever an access to database 324 is described,\nit is to be understood that the access is via the cache, unless\n\notherwise Stated or clear from the context.\n\n45\n\nIf there is no flow-entry found matching the Signature, i.e.,\nthe Signature is for a new flow, then a protocol and State\nidentification process 318 further determines the state and\nprotocol. That is, process 318 determines the protocols and\nwhere in the State Sequence for a flow for this protocols this\npacket belongs. Identification process 318 uses the extracted\n\n50\n\ninformation and makes reference to the database 326 of State\n\n55\n\ndatabase 324 (e.g., in the cache), then a process 320\n\npatterns and processes. Process 318 is then followed by any\nState operations that need to be executed on this packet by\na state processor 328.\nIf the packet is found to have a matching flow-entry in the\n\ndetermines, from the looked-up flow-entry, if more classi\nfication by State processing of the flow Signature is neces\nSary. If not, a proceSS 322 updates the flow-entry in the\n\nflow-entry database 324 (e.g., via the cache). Updating\n\nbe used.\n\nincludes updating one or more Statistical measures Stored in\nthe flow-entry. In our embodiment, the Statistical measures\nflows that the System has already encountered, and decides are Stored in counters in the flow-entry.\nIf State processing is required, State process 328 is com\n(in 316) whether or not this particular packet belongs to a\nknown flow as indicated by the presence of a flow-entry menced. State processor 328 carries out any State operations\nmatching this flow in a database of known flows 324. A 65 specified for the state of the flow and updates the state to the\nrecord in database 324 is associated with each encountered\nnext State according to a set of State instructions obtained\nflow.\nform the State pattern and processes database 326.\nApp. II-147\nThe parser record is passed onto lookup process 314\n\nwhich looks in an internal data Store of records of known\n\n60\n\n\x0c15\n\nUS 6,954,789 B2\n\nThe state processor 328 analyzes both new and existing\nflows in order to analyze all levels of the protocol Stack,\n\nThe flow-entry also is updated after classification final\nization So that any further packets belonging to this flow will\nbe readily identified from their Signature as belonging to this\nfully analyzed conversational flow.\nAfter updating, database 324 therefore includes the set of\n\nultimately classifying the flows by application (level 7 in the\nISO model). It does this by proceeding from state-to-state\n\nbased on predefined State transition rules and State opera\ntions as Specified in State processor instruction database 326.\nA State transition rule is a rule typically containing a test\nfollowed by the next-state to proceed to if the test result is\ntrue. An operation is an operation to be performed while the\nState processor is in a particular State-for example, in order\nto evaluate a quantity needed to apply the State transition\nrule. The State processor goes through each rule and each\nState proceSS until the test is true, or there are no more tests\nto perform.\nIn general, the Set of State operations may be none or more\noperations on a packet, and carrying out the operation or\noperations may leave one in a State that causes exiting the\nSystem prior to completing the identification, but possibly\nknowing more about what State and State processes are\nneeded to execute next, i.e., when a next packet of this flow\n\nall the conversational flows that have occurred.\n\nThus, the embodiment of present invention shown in FIG.\n3 automatically maintains flow-entries, which in one aspect\nincludes Storing States. The monitor of FIG.3 also generates\ncharacteristic parts of packets-the Signatures-that can be\nused to recognize flows. The flow-entries may be identified\nand accessed by their signatures. Once a packet is identified\nto be from a known flow, the state of the flow is known and\n\n15\n\nis encountered. As an example, a state process (set of State\noperations) at a particular State may build a new signature\n\nfor future recognition packets of the next State.\nBy maintaining the State of the flows and knowing that\nnew flows may be set up using the information from\npreviously encountered flows, the network traffic monitor\n\n25\n\n300 provides for (a) Single-packet protocol recognition of\nflows, and (b) multiple-packet protocol recognition of flows.\n\nMonitor 300 can even recognize the application program\nfrom one or more disjointed Sub-flows that occur in Server\nannouncement type flows. What may seem to prior art\nmonitors to be Some unassociated flow, may be recognized\nby the inventive monitor using the flow signature to be a\nSub-flow associated with a previously encountered Sub-flow.\nThus, State processor 328 applies the first State operation\nto the packet for this particular flow-entry. A process 330\ndecides if more operations need to be performed for this\nState. If So, the analyzer continues looping between block\n330 and 328 applying additional state operations to this\nparticular packet until all those operations are completed\nthat is, there are no more operations for this packet in this\nstate. A process 332 decides if there are further states to be\nanalyzed for this type of flow according to the State of the\nflow and the protocol, in order to fully characterize the flow.\nIf not, the conversational flow has now been fully charac\nterized and a process 334 finalizes the classification of the\n\nnized by the parser as an offset into a jump table (jump\nvector). The jump table finds the State processor instructions\n\nto use for that protocol in the State patterns and processes\ndatabase 326. Most instructions test something in the unified\nflow key buffer, or the flow-entry in the database of known\nflows 324, if the entry exists. The state processor may have\nto test bits, do comparisons, add, or Subtract to perform the\ntest. For example, a common operation carried out by the\nState processor is Searching for one or more patterns in the\npayload part of the UFKB.\nThus, in 332 in the classification, the analyzer decides\n\n35\n\n40\n\n45\n\na short-cut recognition pattern-a Signature-can be gener\nated that will key on every new incoming packet that relates\nto the conversational flow. Checking a signature involves a\nSimple operation, allowing high packet rates to be Success\nfully monitored on the network.\nIn improved embodiments, Several State analyzers are run\nin parallel So that a large number of protocols and applica\ntions may be checked for. Every known protocol and appli\ncation will have at least one unique Set of State transitions,\nand can therefore be uniquely identified by watching Such\ntransitions.\n\nWhen each new conversational flow Starts, Signatures that\nrecognize the flow are automatically generated on-the-fly,\nand as further packets in the conversational flow are\nencountered, signatures are updated and the States of the Set\nof State transitions for any potential application are further\ntraversed according to the State transition rules for the flow.\n\nThe new states for the flow-those associated with a set of\n\n50\n\nState transitions for one or more potential applications-are\nadded to the records of previously encountered States for\neasy recognition and retrieval when a new packet in the flow\nis encountered.\n\n55\n\nDetailed Operation\nFIG. 4 diagrams an initialization system 400 that includes\nthe compilation process. That is, part of the initialization\ngenerates the pattern Structures and extraction operations\n\ndatabase 308 and the state instruction database 328. Such\ninitialization can occur off-line or from a central location.\n60\n\nwhether the flow is at an end State. If not at an end State, the\n\nflow-entry is updated (or created if a new flow) for this\nflow-entry in process 322.\n\nFurthermore, if the flow is known and if in 332 it is\n\nthis knowledge enables State transition analysis to be per\nformed in real time for each different protocol and applica\ntion. In a complex analysis, State transitions are traversed as\nmore and more packets are examined. Future packets that\nare part of the same conversational flow have their State\nanalysis continued from a previously achieved State. When\nenough packets related to an application of interest have\nbeen processed, a final recognition State is ultimately\nreached, i.e., a Set of States has been traversed by State\nanalysis to completely characterize the conversational flow.\nThe Signature for that final State enables each new incoming\npacket of the same conversational flow to be individually\nrecognized in real time.\nIn this manner, one of the great advantages of the present\ninvention is realized. Once a particular set of State transitions\nhas been traversed for the first time and ends in a final State,\n\nconversational flow for the flow.\n\nIn the particular embodiment, the state processor 328\nStarts the State processing by using the last protocol recog\n\n16\n\n65\n\nThe different protocols that can exist in different layers\nmay be thought of as nodes of one or more trees of linked\n\nnodes. The packet type is the root of a tree (called level 0).\nEach protocol is either a parent node or a terminal node. A\nparent node links a protocol to other protocols (child\nprotocols) that can be at higher layer levels. Thus a protocol\n\ndetermined that there are further States to be processed using may have Zero or more children. Ethernet packets, for\nlater packets, the flow-entry is updated in process 322.\nexample, have Several variants, each having a basic format\nApp. II-148\n\n\x0cUS 6,954,789 B2\n\n17\nthat remains Substantially the same. An Ethernet packet (the\nroot or level 0 node) may be an Ethertype packet-also called\nan Ethernet Type/Version 2 and a DIX (DIGITAL-Intel\nXerox packet)\xe2\x80\x94or an IEEE 803.2 packet. Continuing with\n\nselections 338, which describes the particular layering (sets\nof trees of protocols) that the monitor is to be able to handle.\n\nthe IEEE 802.3 packet, one of the children nodes may be the\nIP protocol, and one of the children of the IP protocol may\nbe the TCP protocol.\n\nA compiler 403 compiles the descriptions. The set of\n\npacket parse-and-extract operations 406 is generated (404),\n\nand a set of packet State instructions and operations 407 is\n\ngenerated (405) in the form of instructions for the state\n\nFIG. 16 shows the header 1600 (base level 1) of a\ncomplete Ethernet frame (i.e., packet) of information and\n\nprocessor that implements State processing process 328.\nData files for each type of application and protocol to be\nrecognized by the analyzer are downloaded from the pattern,\nparse, and extraction database 406 into the memory Systems\n\nincludes information on the destination media acceSS control\n\naddress (Dst MAC 1602) and the source media access\ncontrol address (Src MAC 1604). Also shown in FIG. 16 is\nsome (but not all) of the information specified in the PDL\n\nfiles for extraction the Signature.\n\nFIG. 17A now shows the header information for the next\n\nof the parser and extraction engines. (See the parsing process\n15\n\ncation and protocol to be recognized by the analyzer are also\ndownloaded from the State-processor instruction database\n\ntype packet 1700, the relevant information from the packet\nthat indicates the next layer level is a two-byte type field\n1702 containing the child recognition pattern for the next\nlevel. The remaining information 1704 is shown hatched\n\n407 into the state processor. (see the state processor 1108\ndescription and FIG. 11.).\n\nNote that generating the packet parse and extraction\noperations builds and links the three dimensional Structure\n\nbecause it not relevant for this level. The list 1712 shows the\n\n(one embodiment) or the or all the lookup tables for the\n\n25\n\nThe pattern, parse, and extraction database (pattern rec\nognition database, or PRD) 308 generated by compilation\n\nprocess 310, in one embodiment, is in the form of a three\ndimensional Structure that provides for rapidly Searching\npacket headers for the next protocol. FIG. 18A shows such\n\na 3-D representation 1800 (which may be considered as an\nindexed set of 2-D representations). A compressed form of\nthe 3-D structure is preferred.\n\nAn alternate embodiment of the data Structure used in\n\n35\n\nstructure of FIG. 18A, the data structure permits rapid\nSearches to be performed by the pattern recognition proceSS\n304 by indexing locations in a memory rather than perform\ning address link computations. In this alternate embodiment,\nthe PRD 308 includes two parts, a single protocol table 1850\n\n40\n\nare used to identify known protocols and their children. The\nprotocol table includes the parameters needed by the pattern\n\n45\n\n50\n\n(more LUT lookups are needed), a code to indicate that this\n\nAS an example of compaction, consider the 3-D Structure\nof FIG. 18A that can be thought of as a set of 2-D structures\neach representing a protocol. To enable Saving Space by\nusing only one array per protocol which may have Several\nparents, in one embodiment, the pattern analysis SubproceSS\nindex for each protocol 2-D array in the 3-D structure is a\nrelative location starting with the start of header for the\nparticular protocol. Furthermore, each of the two\ndimensional arrays is sparse. The next Step of the\noptimization, is checking all the 2-D arrays against all the\nother 2-D arrays to find out which ones can share memory.\nMany of these 2-D arrays are often Sparsely populated in that\nthey each have only a Small number of valid entries. So, a\nprocess of "folding\xe2\x80\x9d is next used to combine two or more\n2-D arrays together into one physical 2-D array without\n\nlosing the identity of any of the original 2-D arrays (i.e., all\nthe 2-D arrays continue to exist logically). Folding can occur\n\nbetween any 2-D arrays irrespective of their location in the\ntree as long as certain conditions are met. Multiple arrayS\nmay be combined into a single array as long as the individual\n55\n\nentries do not conflict with each other. A fold number is then\n\nused to associate each element with its original array. A\nsimilar folding process is used for the set of LUTs 1850 in\nthe alternate embodiment of FIG. 18B.\n\nthese codes to index one or more of the LUTs. Each LUT\n\nentry has a node code that can have one of four values,\nindicating the protocol that has been recognized, a code to\nindicate that the protocol has been partially recognized\n\nBecause of the large number of possible protocol trees and\nsubtrees, the compiler process 400 includes optimization\nthat compares the trees and Subtrees to see which children\nshare common parents. When implemented in the form of\nthe LUTs, this proceSS can generate a single LUT from a\nplurality of LUTs. The optimization process further\nincludes a compaction process that reduces the Space needed\n\nkeeps a \xe2\x80\x9ccurrent header\' pointer. Each location (offset)\n\n(PT) which has an entry for each protocol known for the\nmonitor, and a series of Look Up Tables 1870 (LUTs) that\n\nprocess the packet header. When there are children, the PT\ndescribes which bytes in the header to evaluate to determine\nthe child protocol. In particular, each PT entry contains the\nheader length, an offset to the child, a Slicer command, and\nSome flags.\nThe pattern matching is carried out by finding particular\n\xe2\x80\x9cchild recognition codes\' in the header fields, and using\n\nPRD.\n\nto store the data of the PRD.\n\ndatabase 308 is illustrated in FIG. 18B. Thus, like the 3-D\n\nanalysis and recognition process 304 (implemented by PRE\n1006) to evaluate the header information in the packet that\nis associated with that protocol, and parameters needed by\nextraction process 306 (implemented by slicer 1007) to\n\n500 description and FIG. 5; the extraction process 600\ndescription and FIG. 6; and the parsing Subsystem hardware\n\ndescription and FIG. 10). Data files for each type of appli\n\nlevel (level-2) for an Ethertype packet 1700. For an Ether\n\npossible children for an Ethertype packet as indicated by\nwhat child recognition pattern is found offset 12. FIG. 17B\nshows the structure of the header of one of the possible next\nlevels, that of the IP protocol. The possible children of the\nIP protocol are shown in table 1752.\n\n18\n\ndecoding descriptions includes a set of protocol description\nfiles 336, one for each protocol, and a set of packet layer\n\n60\n\nIn 410, the analyzer has been initialized and is ready to\nperform recognition.\nFIG. 5 shows a flowchart of how actual parser subsystem\n301 functions. Starting at 501, the packet 302 is input to the\n\nis a terminal node, and a null node to indicate a null entry. packet buffer in step 502. Step 503 loads the next (initially\nThe next LUT to lookup is also returned from a LUT lookup. the first) packet component from the packet 302. The packet\nCompilation process is described in FIG. 4. The source 65 components are extracted from each packet 302 one element\ncode information in the form of protocol description files is at a time. A check is made (504) to determine if the\nshown as 402. In the particular embodiment, the high level load-packet-component operation 503 Succeeded, indicating\nApp. II-149\n\n\x0c19\n\nUS 6,954,789 B2\n\n20\n\nthat there was more in the packet to process. If not, indi\ncating all components have been loaded, the parser Sub\n\nReferring now to FIG. 7, the process continues at 701. The\nSignature buffer and the pattern node elements are available\n\nIf a component is successfully loaded in 503, the node and\n\nthere are more nodes, the parser subsystem 301 in 705\nhashes the Signature buffer element based on the hash\nelements that are found in the pattern node that is in the\nelement database. In 706 the resulting signature and the hash\nare packed. In 707 the parser Subsystem 301 moves on to the\nnext packet component which is loaded in 703.\nThe 703 to 707 loop continues until there are no more\n\nsystem 301 builds the packet signature (512)-the next stage\n(FIG. 6).\n\n(702). The parser subsystem 301 loads the next pattern node\nelement. If the load was successful (test 704) indicating\n\nprocesses are fetched (505) from the pattern, parse and\n\nextraction database 308 to provide a set of patterns and\nprocesses for that node to apply to the loaded packet\n\ncomponent. The parser Subsystem 301 checks (506) to\n\ndetermine if the fetch pattern node operation 505 completed\nSuccessfully, indicating there was a pattern node that loaded\nin 505. If not, step 511 moves to the next packet component.\nIf yes, then the node and pattern matching process are\napplied in 507 to the component extracted in 503. A pattern\n\nmatch obtained in 507 (as indicated by test 508) means the\n\npatterns of elements left (test 704). Once all the patterns of\n15\n\nparser Subsystem 301 has found a node in the parsing\nelements; the parser subsystem 301 proceeds to step 509 to\n\n303.\n\nA parser record is loaded into the analyzer, in particular,\n\nextract the elements.\n\ninto the UFKB in the form of a UFKB record which is\n\nIf applying the node process to the component does not\n\nSimilar to a parser record, but with one or more different\n\nproduce a match (test 508), the parser Subsystem 301 moves\n(510) to the next pattern node from the pattern database 308\n\nand to step 505 to fetch the next node and process. Thus,\nthere is an \xe2\x80\x9capplying patterns\' loop between 508 and 505.\nOnce the parser subsystem 301 completes all the patterns\nand has either matched or not, the parser subsystem 301\n\nfields.\n\nFIG. 8 is a flow diagram describing the operation of the\n\nlookup/update engine (LUE) that implements lookup opera\n\n25\n\nmoves to the next packet component (511).\n\nOnce all the packet components have been the loaded and\nprocessed from the input packet 302, then the load packet\n\nwill fail (indicated by test 504), and the parser subsystem\n\n301 moves to build a packet signature which is described in\nFIG. 6\n\nFIG. 6 is a flow chart for extracting the information from\nwhich to build the packet signature. The flow starts at 601,\nwhich is the exit point 513 of FIG. 5. At this point parser\nSubsystem 301 has a completed packet component and a\n\n35\n\npacket component available from the pattern analysis pro\n\ncess of FIG. 5. If the load completed (test 604), indicating\nIf the fetch was successful (test 606), indicating that there\n\ntion 314. The process starts at 801 from FIG. 7 with the\nparser record that includes a Signature, the hash and at least\nparts of the payload. In 802 those elements are shown in the\nform of a UFKB-entry in the buffer. The LUE, the lookup\nengine 314 computes a \xe2\x80\x9crecord bin number\xe2\x80\x9d from the hash\nfor a flow-entry. A bin herein may have one or more\n\xe2\x80\x9cbuckets\xe2\x80\x9d each containing a flow-entry. The preferred\nembodiment has four buckets per bin.\nSince preferred hardware embodiment includes the cache,\nall data accesses to records in the flowchart of FIG. 8 are\n\npattern node available in a buffer (602). Step 603 loads the\n\nthat there was indeed another packet component, the parser\nSubsystem 301 fetches in 605 the extraction and process\nelements received from the pattern node component in 602.\n\nelements have been hashed, processes 304,306 and 312 of\nparser subsystem 301 are complete. Parser subsystem 301\nhas generated the Signature used by the analyzer Subsystem\n\n40\n\nStated as being to or from the cache.\nThus, in 804, the system looks up the cache for a bucket\nfrom that bin using the hash. If the cache Successfully\nreturns with a bucket from the bin number, indicating there\nare more buckets in the bin, the lookup/update engine\n\ncompares (807) the current signature (the UFKB-entry\'s\nSignature) from that in the bucket (i.e., the flow-entry\nsignature). If the signatures match (test 808), that record (in\nthe cache) is marked in step 810 as \xe2\x80\x9cin process\xe2\x80\x9d and a\n\ntimestamp added. Step 811 indicates to the UFKB that the\nUFKB-entry in 802 has a status of \xe2\x80\x9cfound.\xe2\x80\x9d The \xe2\x80\x9cfound\xe2\x80\x9d\n45 indication allows the State processing 328 to begin proceSS\ning this UFKB element. The preferred hardware embodi\nment includes one or more State processors, and these can\noperate in parallel with the lookup/update engine.\nIn the preferred embodiment, a Set of Statistical operations\n50 is performed by a calculator for every packet analyzed. The\nStatistical operations may include one or more of counting\nthe packets associated with the flow; determining Statistics\nrelated to the size of packets of the flow; compiling Statistics\non differences between packets in each direction, for\n55 example using timestamps, and determining Statistical rela\ntionships of timestamps of packets in the same direction.\nThe Statistical measures are kept in the flow-entries. Other\nStatistical measures also may be compiled. These Statistics\nif there is no more to extract.\nmay be used singly or in combination by a Statistical\nThe extraction process thus builds the Signature, extract 60 processor component to analyze many different aspects of\ning more and more components according to the information the flow. This may include determining network usage\nin the patterns and extraction database 308 for the particular metrics from the Statistical measures, for example to ascer\npacket. Once loading the next packet component operation tain the network\'s ability to transfer information for this\n603 fails (test 604), all the components have been extracted. application. Such analysis provides for measuring the qual\nThe built signature is loaded into the signature buffer (610) 65 ity of Service of a conversation, measuring how well an\nand the parser Subsystem 301 proceeds to FIG. 7 to complete\napplication is performing in the network, measuring network\nthe Signature generation process.\nresources consumed by an application, and So forth.\nApp. II-150\n\nare extraction elements to apply, the parser Subsystem 301 in\nStep 607 applies that extraction process to the packet com\nponent based on an extraction instruction received from that\npattern node. This removes and Saves an element from the\npacket component.\nIn step 608, the parser Subsystem 301 checks if there is\nmore to extract from this component, and if not, the parser\nSubsystem 301 moves back to 603 to load the next packet\ncomponent at hand and repeats the process. If the answer is\nyes, then the parser Subsystem 301 moves to the next packet\ncomponent ratchet. That new packet component is then\nloaded in step 603. As the parser subsystem 301 moved\nthrough the loop between 608 and 603, extra extraction\nprocesses are applied either to the same packet component\nif there is more to extract, or to a different packet component\n\n\x0cUS 6,954,789 B2\n\n21\nTo provide for Such analyses, the lookup/update engine\nupdates one or more counters that are part of the flow-entry\n(in the cache) in step 812. The process exits at 813. In our\nembodiment, the counters include the total packets of the\nflow, the time, and a differential time from the last timestamp\nto the present timestamp.\nIt may be that the bucket of the bin did not lead to a\nSignature match (test 808). In Such a case, the analyzer in\n809 moves to the next bucket for this bin. Step 804 again\nlooks up the cache for another bucket from that bin. The\nlookup/update engine thus continues lookup up buckets of\nthe bin until there is either a match in 808 or operation 804\nis not successful (test 805), indicating that there are no more\n\nbuckets in the bin and no match was found.\n\nIf no match was found, the packet belongs to a new (not\npreviously encountered) flow. In 806 the system indicates\n\n15\n\nthat the record in the unified flow key buffer for this packet\nis new, and in 812, any Statistical updating operations are\nperformed for this packet by updating the flow-entry in the\ncache. The update operation exits at 813. A flow insertion/\n\ndeletion engine (FIDE) creates a new record for this flow\n(again via the cache).\n\nThus, the update/lookup engine ends with a UFKB-entry\nfor the packet with a \xe2\x80\x9cnew\xe2\x80\x9d status or a \xe2\x80\x9cfound\xe2\x80\x9d status.\nNote that the above system uses a hash to which more\nthan one flow-entry can match. A longer hash may be used\nthat corresponds to a single flow-entry. In Such an\nembodiment, the flow chart of FIG. 8 is simplified as would\n\nthe COP\n\n25\n\n(CAMs) defined for future protocol additions.\n\nThus, whenever the PRE recognizes a pattern, it also\n\ngenerates a command for the extraction engine (also called\na "slicer\xe2\x80\x9d) 1007. The recognized patterns and the commands\n\n35\n\n40\n\npointers which tell the extraction engine 1007 where to a\nfind the instructions in the extraction operations database\n\n45\n\nThus, when the PRE 1006 recognizes a protocol it outputs\nboth the protocol identifier and a process code to the\nextractor. The protocol identifier is added to the flow sig\nnature and the proceSS code is used to fetch the first\n\nis shown in FIG. 14. The hardware embodiment (FIGS. 10\nand 11) can operate at over a million packets per second,\n\nwhile the Software system of FIG. 14 may be suitable for\nslower networks. To one skilled in the art it would be clear\n\nthat more and more of the System may be implemented in\nSoftware as processors become faster.\n\nFIG. 10 is a description of the parsing subsystem (301,\nshown here as subsystem 1000) as implemented in hard\n\nware. Memory 1001 is the pattern recognition database\nmemory, in which the patterns that are going to be analyzed\nare stored. Memory 1002 is the extraction-operation data\nbase memory, in which the extraction instructions are Stored.\nBoth 1001 and 1002 correspond to internal data structure\n308 of FIG. 3. Typically, the system is initialized from a\n\nmicroprocessor (not shown) at which time these memories\n\nare sent to the extraction engine 1007 that extracts informa\ntion from the packet to build the parser record. Thus, the\noperations of the extraction engine are those carried out in\n\nblocks 306 and 312 of FIG. 3. The commands are sent from\nPRE 1006 to slicer 1007 in the form of extraction instruction\n\nembodiment of FIG.3, it would be clear to one skilled in the\n\nart that the flow of FIG.3 may alternatively be implemented\nin Software running on one or more general-purpose\nprocessors, or only partly implemented in hardware. An\nimplementation of the invention that can operate in Software\n\nThe PRE 1006 includes of a comparison engine. The\ncomparison engine has a first Stage that checks the protocol\ntype field to determine if it is an 802.3 packet and the field\nshould be treated as a length. If it is not a length, the protocol\nis checked in a Second Stage. The first stage is the only\nprotocol level that is not programmable. The Second Stage\n\nhas two full sixteen bit content addressable memories\n\nbe clear to those in the art.\n\nThe Hardware System\nEach of the individual hardware elements through which\nthe data flows in the system are now described with refer\nence to FIGS. 10 and 11. Note that while we are describing\na particular hardware implementation of the invention\n\n22\nreceive data) signal 1023 to control the data flow into parser\ninput buffer memory 1008. Once a packet starts loading into\nthe buffer memory 1008, pattern recognition engine (PRE)\n1006 carries out the operations on the input buffer memory\ndescribed in block 304 of FIG. 3. That is, protocol types and\nasSociated headers for each protocol layer that exist in the\npacket are determined.\nThe PRE searches database 1001 and the packet in buffer\n1008 in order to recognize the protocols the packet contains.\nIn one implementation, the database 1001 includes a series\nof linked lookup tables. Each lookup table uses eight bits of\naddressing. The first lookup table is always at address Zero.\nThe Pattern Recognition Engine uses a base packet offset\nfrom a control register to start the comparison. It loads this\nvalue into a current offset pointer (COP). It then reads the\nbyte at base packet offset from the parser input buffer and\nuses it as an address into the first lookup table.\nEach lookup table returns a word that links to another\nlookup table or it returns a terminal flag. If the lookup\nproduces a recognition event the database also returns a\ncommand for the slicer. Finally it returns the value to add to\n\n50\n\nmemory (i.e., slicer instruction database) 1002.\n\ninstruction from the instruction database 1002. Instructions\n\ninclude an operation code and usually Source and destination\noffsets as well as a length. The offsets and length are in\nbytes. A typical operation is the MOVE instruction. This\ninstruction tells the slicer 1007 to copy n bytes of data\nunmodified from the input buffer 1008 to the output buffer\n1010. The extractor contains a byte-wise barrel shifter so\nthat the bytes moved can be packed into the flow Signature.\nThe extractor contains another instruction called HASH.\n\n55\n\nare loaded through a host interface multiplexor and control\nregister 1005 via the internal buses 1003 and 1004. Note that\nthe contents of 1001 and 1002 are preferably obtained by\ncompiling process 310 of FIG. 3.\nA packet enters the parsing System via 1012 into a parser\ninput buffer memory 1008 using control signals 1021 and\n1023, which control an input buffer interface controller\n\n60\n\na packet acquisition device (not shown). The buffer acqui\n\n65\n\nThis instruction tells the extractor to copy from the input\nbuffer 1008 to the HASH generator.\nThus these instructions are for extracting Selected element\n\n(s) of the packet in the input buffer memory and transferring\n\n1022. The buffer 1008 and interface control 1022 connect to\n\nthe data to a parser output buffer memory 1010. Some\ninstructions also generate a hash.\nThe extraction engine 1007 and the PRE operate as a\npipeline. That is, extraction engine 1007 performs extraction\noperations on data in input buffer 1008 already processed by\n\nPRE 1006 while more (i.e., later arriving) packet informa\n\ntion is being simultaneously parsed by PRE 1006. This\nprovides high processing Speed Sufficient to accommodate\ninterface control 1022 generates a next packet (i.e., ready to the high arrival rate Speed of packets.\nApp. II-151\nSition device generates a packet Start Signal 1021 and the\n\n\x0c23\n\nUS 6,954,789 B2\n\nOnce all the Selected parts of the packet used to form the\nSignature are extracted, the hash is loaded into parser output\nbuffer memory 1010. Any additional payload from the\npacket that is required for further analysis is also included.\nThe parser output memory 1010 is interfaced with the\nanalyzer subsystem by analyzer interface control 1011. Once\nall the information of a packet is in the parser output buffer\nmemory 1010, a data ready signal 1025 is asserted by\nanalyzer interface control. The data from the parser Sub\nsystem 1000 is moved to the analyzer subsystem via 1013\nwhen an analyzer ready Signal 1027 is asserted.\nFIG. 11 shows the hardware components and dataflow for\nthe analyzer Subsystem that performs the functions of the\nanalyzer Subsystem 303 of FIG. 3. The analyzer is initialized\nprior to operation, and initialization includes loading the\nState processing information generated by the compilation\nprocess 310 into a database memory for the State processing,\n\n24\nembodiments, the LUE issues a flag to pass the entry to the\nState processor for processing, and the required operations\nfor a new record are included in the SP instructions.\n\nNote that each UFKB-entry may not need to be processed\nby all three engines. Furthermore, some UFKB entries may\nneed to be processed more than once by a particular engine.\nEach of these three engines also has bi-directional access\nto a cache Subsystem 1115 that includes a caching engine.\nCache 1115 is designed to have information flowing in and\nout of it from five different points within the system: the\nthree engines, external memory via a unified memory con\n\ntroller (UMC) 1119 and a memory interface 1123, and a\n\nmicroprocessor via analyzer host interface and control unit\n\n15\n\ndirectly insert or modify data in the cache.\nThe cache subsystem 1115 is an associative cache that\n\ncalled state processor instruction database (SPID) memory\n\nincludes a set of content addressable memory cells (CAMs)\neach including an address portion and a pointer portion\npointing to the cache memory (e.g., RAM) containing the\n\n1109.\n\nThe analyzer Subsystem 1100 includes a hostbus interface\n1122 using an analyzer host interface controller 1118, which\nin turn has access to a cache System 1115. The cache System\nhas bidirectional access to and from the State processor of\nthe system 1108. State processor 1108 is responsible for\ninitializing the State processor instruction database memory\n1109 from information given over the host bus interface\n\ncached flow-entries. The CAMS are arranged as a Stack\nordered from a top CAM to a bottom CAM. The bottom\n\nCAM\'s pointerpoints to the least recently used (LRU) cache\n\n25\n\n1122.\n\nWith the SPID 1109 loaded, the analyzer subsystem 1100\nreceives parser records comprising packet Signatures and\npayloads that come from the parser into the unified flow key\n\nrecords in the UFKB 1103: the lookup/update engine (LUE)\n1107, the state processor (SP) 1108, and the flow insertion\nand deletion engine (FIDE) 1110. Each of these is imple\nmented by one or more finite state machines (FSM\'s). There\n\n35\n\n40\n\nis bidirectional access between each of the finite State\n\nmachines and the unified flow key buffer 1103. The UFKB\nrecord includes a field that Stores the packet Sequence\n\nnumber, and another that is filled with state information in\n\nmemory entry. Whenever there is a cache miss, the contents\nof cache memory pointed to by the bottom CAM are\nreplaced by the flow-entry from the flow-entry database 324.\nThis now becomes the most recently used entry, So the\ncontents of the bottom CAM are moved to the top CAM and\nall CAM contents are shifted down. Thus, the cache is an\n\nbuffer (UFKB) 1103. UFKB is comprised of memory set up\n\nto maintain UFKB records. A UFKB record is essentially a\nparser record; the UFKB holds records of packets that are to\nbe processed or that are in process. Furthermore, the UFKB\nprovides for one or more fields to act as modifiable Status\nflags to allow different processes to run concurrently.\nThree processing engines run concurrently and acceSS\n\n(ACIC) 1118 and host interface bus (HIB) 1122. The ana\nlyzer microprocessor (or dedicated logic processor) can thus\n\nasSociative cache with a true LRU replacement policy.\nThe LUE 1107 first processes a UFKB-entry, and basi\ncally performs the operation of blocks 314 and 316 in FIG.\n3. A signal is provided to the LUE to indicate that a \xe2\x80\x9cnew\xe2\x80\x9d\nUFKB-entry is available. The LUE uses the hash in the\nUFKB-entry to read a matching bin of up to four buckets\nfrom the cache. The cache System attempts to obtain the\nmatching bin. If a matching bin is not in the cache, the cache\n1115 makes the request to the UMC 1119 to bring in a\nmatching bin from the external memory.\nWhen a flow-entry is found using the hash, the LUE 1107\nlooks at each bucket and compares it using the Signature to\nthe signature of the UFKB-entry until there is a match or\nthere are no more buckets.\n\n45\n\nIf there is no match, or if the cache failed to provide a bin\nof flow-entries from the cache, a time Stamp in Set in the flow\nkey of the UFKB record, a protocol identification and state\ndetermination is made using a table that was loaded by\ncompilation process 310 during initialization, the Status for\nthe record is Set to indicate the LUE has processed the\nrecord, and an indication is made that the UFKB-entry is\nready to Start State processing. The identification and State\ndetermination generates a protocol identifier which in the\npreferred embodiment is a \xe2\x80\x9cjump vector\' for the state\nprocessor which is kept by the UFKB for this UFKB-entry\nand used by the State processor to start State processing for\nthe particular protocol. For example, the jump vector jumps\nto the Subroutine for processing the State.\nIf there was a match, indicating that the packet of the\nUFKB-entry is for a previously encountered flow, then a\ncalculator component enters one or more Statistical measures\nStored in the flow-entry, including the timestamp. In\naddition, a time difference from the last Stored timestamp\nmay be Stored, and a packet count may be updated. The State\nof the flow is obtained from the flow-entry is examined by\nlooking at the protocol identifier stored in the flow-entry of\n\nthe form of a program counter for the state processor 1108\nthat implements State processing 328. The Status flags of the\nUFKB for any entry includes that the LUE is done and that\nthe LUE is transferring processing of the entry to the State 50\nprocessor. The LUE done indicator is also used to indicate\nwhat the next entry is for the LUE. There also is provided a\nflag to indicate that the State processor is done with the\ncurrent flow and to indicate what the next entry is for the\nState processor. There also is provided a flag to indicate the 55\nState processor is transferring processing of the UFKB-entry\nto the flow insertion and deletion engine.\nA new UFKB record is first processed by the LUE 1107.\nA record that has been processed by the LUE 1107 may be\nprocessed by the state processor 1108, and a UFKB record 60\ndata may be processed by the flow insertion/deletion engine\n1110 after being processed by the state processor 1108 or\nonly by the LUE. Whether or not a particular engine has\nbeen applied to any unified flow key buffer entry is deter\nmined by Status fields Set by the engines upon completion. 65\nIn one embodiment, a status flag in the UFKB-entry indi\ncates whether an entry is new or found. In other database 324.\nApp. II-152\n\nIf that value indicates that no more classifi\n\n\x0c25\n\nUS 6,954,789 B2\n\ncation is required, then the Status for the record is Set to\nindicate the LUE has processed the record. In the preferred\nembodiment, the protocol identifier is a jump vector for the\nState processor to a Subroutine to State processing the\nprotocol, and no more classification is indicated in the\npreferred embodiment by the jump vector being Zero. If the\nprotocol identifier indicates more processing, then an indi\ncation is made that the UFKB-entry is ready to start state\nprocessing and the Status for the record is Set to indicate the\nLUE has processed the record.\nThe state processor 1108 processes information in the\ncache system according to a UFKB-entry after the LUE has\ncompleted. State processor 1108 includes a state processor\nprogram counter SPPC that generates the address in the State\nprocessor instruction database 1109 loaded by compiler\nprocess 310 during initialization. It contains an Instruction\n\n26\n(up to four) reference Strings in the payload part of the\n\nUFKB entry. This is implemented by a search engine\ncomponent of the State processor responsive to special\nSearching instructions.\nIn 1307, a check is made to determine if there are any\nmore instructions to be performed for the packet. If yes, then\nin 1308 the system sets the state processor instruction\n\npointer (SPIP) to obtain the next instruction. The SPIP may\n\nbe set by an immediate jump vector in the currently decoded\ninstruction, or by a value provided by the SPALU during\nprocessing.\nThe next instruction to be performed is now fetched\n\n(1304) for execution. This state processing loop between\n\n15\n\nPointer (SPIP) which generates the SPID address. The\n\ninstruction pointer can be incremented or loaded from a\nJump Vector Multiplexor which facilitates conditional\nbranching. The SPIP can be loaded from one of three\n\nsources: (1) A protocol identifier from the UFKB, (2) an\nimmediate jump vector form the currently decoded\n\ninstruction, or (3) a value provided by the arithmetic logic\nunit (SPALU) included in the state processor.\n\nThus, after a Flow Key is placed in the UFKB by the LUE\nwith a known protocol identifier, the Program Counter is\ninitialized with the last protocol recognized by the Parser.\nThis first instruction is a jump to the Subroutine which\nanalyzes the protocol that was decoded.\n\n25\n\noperations (1304). In our implementation, each single State\nprocessor instruction is very primitive (e.g., a move, a\ncompare, etc.), So that many Such instructions need to be\n\nconnection identifier. In that case, in 1311, a flow removal\n\nstate is set and saved in the flow-entry. The flow removal\n\nstate may be a NOP (no-op) instruction which means there\nare no removal instructions.\n\nOnce the appropriate flow removal instruction as Specified\n\nThe State Processor ALU (SPALU) contains all the\nArithmetic, Logical and String Compare functions necessary\n\nto implement the State Processor instructions. The main\nblocks of the SPALU are: The A and B Registers, the\nInstruction Decode & State Machines, the String Reference\nMemory the Search Engine, an Output Data Register and an\nOutput Control Register\nThe Search Engine in turn contains the Target Search\nRegister Set, the Reference Search Register Set, and a\nCompare block which compares two operands by exclusive\nor-ing them together.\nThus, after the UFKB sets the program counter, a\nSequence of one or more State operations are be executed in\nstate processor 1108 to further analyze the packet that is in\nthe flow key buffer entry for this particular packet.\nFIG. 13 describes the operation of the state processor\n1108. The state processor is entered at 1301 with a unified\nflow key buffer entry to be processed. The UFKB-entry is\nnew or corresponding to a found flow-entry. This UFKB\nentry is retrieved from unified flow key buffer 1103 in 1301.\nIn 1303, the protocol identifier for the UFKB-entry is used\nto Set the State processor\'s instruction counter. The State\nprocessor 1108 starts the process by using the last protocol\nrecognized by the parser subsystem 301 as an offset into a\njump table. The jump table takes us to the instructions to use\nfor that protocol. Most instructions test Something in the\nunified flow key buffer or the flow-entry if it exists. The state\nprocessor 1108 may have to test bits, do comparisons, add or\nSubtract to perform the test.\nThe first state processor instruction is fetched in 1304\nfrom the state processor instruction database memory 1109.\nThe State processor performs the one or more fetched\n\n1304 and 1307 continues until there are no more instructions\n\nto be performed.\nAt this stage, a check is made in 1309 if the processing on\nthis particular packet has resulted in a final State. That is, is\nthe analyzer is done processing not only for this particular\npacket, but for the whole flow to which the packet belongs,\nand the flow is fully determined. If indeed there are no more\nstates to process for this flow, then in 1311 the processor\nfinalizes the processing. Some final States may need to put\na State in place that tells the System to remove a flow-for\nexample, if a connection disappears from a lower level\n\nfor this flow (a NOP or otherwise) is set and saved, the\nprocess is exited at 1313. The state processor 1108 can now\n\n40\n\nobtain another unified flow key buffer entry to process.\nIf at 1309 it is determined that processing for this flow is\nnot completed, then in 1310 the system saves the state\nprocessor instruction pointer in the current flow-entry in the\ncurrent flow-entry. That will be the next operation that will\nbe performed the next time the LRE 1107 finds packet in the\nUFKB that matches this flow. The processor now exits\nprocessing this particular unified flow key buffer entry at\n\n45\n\nNote that State processing updates information in the\nunified flow key buffer 1103 and the flow-entry in the cache.\nOnce the state processor is done, a flag is set in the UFKB\nfor the entry that the state processor is done. Furthermore, If\n\n35\n\n50\n\n55\n\n60\n\n1313.\n\nthe flow needs to be inserted or deleted from the database of\n\nflows, control is then passed on to the flow insertion/deletion\nengine 1110 for that flow signature and packet entry. This is\ndone by the state processor setting another flag in the UFKB\nfor this UFKB-entry indicating that the state processor is\npassing processing of this entry to the flow insertion and\ndeletion engine.\nThe flow insertion and deletion engine 1110 is responsible\nfor maintaining the flow-entry database. In particular, for\ncreating new flows in the flow database, and deleting flows\nfrom the database So that they can be reused.\nThe process of flow insertion is now described with the\naid of FIG. 12. Flows are grouped into bins of buckets by the\nhash value. The engine processes a UFKB-entry that may be\nnew or that the State processor otherwise has indicated needs\nto be created. FIG. 12 shows the case of a new entry being\n\ncreated. A conversation record bin (preferably containing 4\nbuckets for four records) is obtained in 1203. This is a bin\n\nthat matches the hash of the UFKB, so this bin may already\nhave been sought for the UFKB-entry by the LUE. In 1204\nperformed on each unified flow key buffer entry. One aspect the FIDE 1110 requests that the record bin/bucket be main\nof the State processor is its ability to Search for one or more tained in the cache system 1115. If in 1205 the cache system\nApp. II-153\n65\n\n\x0c27\n\nUS 6,954,789 B2\n\n1115 indicates that the bin/bucket is empty, step 1207 inserts\n\nFIG. 10 also includes some \xe2\x80\x9cgeneric\' interfaces. There is\na packet input interface 1012-a general interface that\nworks in tandem with the signals of the input buffer interface\ncontrol 1022. These are designed so that they can be used\nwith any kind of generic Systems that can then feed packet\ninformation into the parser. Another generic interface is the\ninterface of pipes 1031 and 1033 respectively out of and into\nhost interface multiplexor and control registers 1005. This\nenables the parsing System to be managed by an external\nSystem, for example a microprocessor or another kind of\nexternal logic, and enables the external System to program\nand otherwise control the parser.\nThe preferred embodiment of this aspect of the invention\n\nthe flow signature (with the hash) into the bucket and the\n\nbucket is marked \xe2\x80\x9cused\' in the cache engine of cache 1115\nusing a timestamp that is maintained throughout the process.\nIn 1209, the FIDE 1110 compares the bin and bucket record\nflow Signature to the packet to Verify that all the elements are\nin place to complete the record. In 1211 the System marks the\nrecord bin and bucket as \xe2\x80\x9cin process\xe2\x80\x9d and as \xe2\x80\x9cnew\xe2\x80\x9d in the\n\ncache System (and hence in the external memory). In 1212,\n\nthe initial Statistical measures for the flow-record are Set in\n\nthe cache System. This in the preferred embodiment clearS\nthe Set of counters used to maintain Statistics, and may\nperform other procedures for Statistical operations requires\nby the analyzer for the first packet Seen for a particular flow.\nBack in step 1205, if the bucket is not empty, the FIDE\n1110 requests the next bucket for this particular bin in the\ncache system. If this succeeds, the processes of 1207, 1209,\n1211 and 1212 are repeated for this next bucket. If at 1208,\nthere is no valid bucket, the unified flow key buffer entry for\nthe packet is Set as \xe2\x80\x9cdrop, indicating that the System cannot\nprocess the particular packet because there are no buckets\nleft in the system. The process exits at 1213. The FIDE 1110\n\n15\n\nindicates to the UFKB that the flow insertion and deletion\n\noperations are completed for this UFKB-entry. This also lets\nthe UFKB provide the FIDE with the next UFKB record.\nOnce a set of operations is performed on a unified flow\nkey buffer entry by all of the engines required to acceSS and\nmanage a particular packet and its flow Signature, the unified\nflow key buffer entry is marked as \xe2\x80\x9ccompleted.\xe2\x80\x9d That\nelement will then be used by the parser interface for the next\npacket and flow Signature coming in from the parsing and\nextracting System.\nAll flow-entries are maintained in the external memory\nand some are maintained in the cache 1115. The cache\n\nSystem 1115 is intelligent enough to access the flow database\n\ncessor or a multiplexor (MUX) System. Consequently, one\n\nThe memory interface 1123 is designed to interface to any\nof a variety of memory Systems that one may want to use to\nstore the flow-entries. One can use different types of\nmemory Systems like regular dynamic random access\n\nmemory (DRAM), synchronous DRAM, synchronous\ngraphic memory (SGRAM), static random access memory\n(SRAM), and so forth.\n\nas VHDL or Verilog. It is designed and created in an HDL\nSo that it may be used as a single chip System or, for instance,\nintegrated into another general-purpose System that is being\ndesigned for purposes related to creating and analyzing\ntraffic within a network. Verilog or other HDL implemen\ntation is only one method of describing the hardware.\nIn accordance with one hardware implementation, the\nelements shown in FIGS. 10 and 11 are implemented in a set\n\nof six field programmable logic arrays (FPGA\'s). The\n\n35\n\n40\n\ncache system 1115, the unified memory control 1119, and the\nanalyzer host interface and control 1118.\nNote that one can implement the System as one or more\nVSLI devices, rather than as a set of application specific\n\n25\n\n1110 are in another FPGA. The Sixth FPGA includes the\n\nintegrated circuits (ASIC\'s) such as FPGA\'s. It is antici\npated that in the future device densities will continue to\nincrease, So that the complete System may eventually form\n\na Sub-unit (a \xe2\x80\x9ccore\xe2\x80\x9d) of a larger single chip unit.\n\n45\n\nOperation of the Invention\nFIG. 15 shows how an embodiment of the network\n\n50\n\n55\n\ncan connect the overall traffic classification system of FIGS.\n11 and 12 into Some other processing System to manage the\nclassification System and to extract data gathered by the\nSystem.\n\nis described in a hardware description language (HDL) Such\n\nboundaries of these FPGA\'s are as follows. The parsing\nSubsystem of FIG. 10 is implemented as two FPGAS; one\nFPGA, and includes blocks 1006, 1008 and 1012, parts of\n1005, and memory 1001. The second FPGA includes 1002,\n1007, 1013, 1011 parts of 1005. Referring to FIG. 11, the\nunified look-up buffer 1103 is implemented as a single\nFPGA. State processor 1108 and part of state processor\ninstruction database memory 1109 is another FPGA. Por\ntions of the State processor instruction database memory\n1109 are maintained in external SRAM\'s. The lookup/\nupdate engine 1107 and the flow insertion/deletion engine\n\nand to understand the data Structures that exists on the other\n\nSide of memory interface 1123. The lookup/update engine\n1107 is able to request that the cache system pull a particular\nflow or \xe2\x80\x9cbuckets\xe2\x80\x9d of flows from the unified memory con\ntroller 1119 into the cache system for further processing. The\nstate processor 1108 can operate on information found in the\ncache System once it is looked up by means of the lookup/\nupdate engine request, and the flow insertion/deletion engine\n1110 can create new entries in the cache System if required\nbased on information in the unified flow key buffer 1103.\nThe cache retrieves information as required from the\nmemory through the memory interface 1123 and the unified\nmemory controller 1119, and updates information as\nrequired in the memory through the memory controller 1119.\nThere are Several interfaces to components of the System\nexternal to the module of FIG. 11 for the particular hardware\nimplementation. These include host bus interface 1122,\nwhich is designed as a generic interface that can operate with\nany kind of external processing System Such as a micropro\n\n28\n\n60\n\nmonitor 300 might be used to analyze traffic in a network\n102. Packet acquisition device 1502 acquires all the packets\nfrom a connection point 121 on network 102 so that all\npackets passing point 121 in either direction are Supplied to\nmonitor 300. Monitor 300 comprises the parser Sub-system\n301, which determines flow signatures, and analyzer Sub\nSystem 303 that analyzes the flow Signature of each packet.\nA memory 324 is used to store the database of flows that are\ndetermined and updated by monitor 300. A host computer\n1504, which might be any processor, for example, a general\npurpose computer, is used to analyze the flows in memory\n324. As is conventional, host computer 1504 includes a\nmemory, say RAM, shown as host memory 1506. In\naddition, the host might contain a disk. In one application,\nthe system can operate as an RMON probe, in which case the\nhost computer is coupled to a network interface card 1510\nthat is connected to the network 102.\n\n65\n\nThe preferred embodiment of the invention is supported\nby an optional Simple Network Management Protocol\n\n(SNMP) implementation. FIG. 15 describes how one would,\n\nApp. II-154\n\n\x0c29\n\nUS 6,954,789 B2\n\nclient/server exchange process of TFTP, a specific port (port\nnumber 69) is always used to initiate the packet exchange.\n\ninterface card is used to send RMON information to the\n\nnetwork. Commercial SNMP implementations also are\navailable, and using Such an implementation can Simplify\nthe process of porting the preferred embodiment of the\ninvention to any platform.\nIn addition, MIB Compilers are available. An MIB Com\npiler is a tool that greatly simplifies the creation and main\ntenance of proprietary MIB extensions.\nExamples of Packet Elucidation\nMonitor 300, and in particular, analyzer 303 is capable of\ncarrying out State analysis for packet eXchanges that are\ncommonly referred to as "server announcement\' type\neXchanges. Server announcement is a process used to ease\ncommunications between a Server with multiple applications\nthat can all be Simultaneously accessed from multiple cli\nents. Many applications use a server announcement proceSS\nas a means of multiplexing a single port or Socket into many\napplications and Services. With this type of eXchange, mes\nSages are Sent on the network, in either a broadcast or\nmulticast approach, to announce a Server and application,\nand all Stations in the network may receive and decode these\nmessages. The messages enable the Stations to derive the\nappropriate connection point for communicating that par\nticular application with the particular Server. Using the\nServer announcement method, a particular application com\nmunicates using a Service channel, in the form of a TCP or\nUDP socket or port as in the IP protocol Suite, or using a SAP\nas in the Novell IPX protocol Suite.\nThe analyzer 303 is also capable of carrying out \xe2\x80\x9cin\nStream analysis\xe2\x80\x9d of packet eXchanges. The \xe2\x80\x9cin-stream analy\nSis\' method is used either as a primary or Secondary recog\nnition process. As a primary process, in-stream analysis\nassists in extracting detailed information which will be used\nto further recognize both the Specific application and appli\ncation component. A good example of in-stream analysis is\nany Web-based application. For example, the commonly\nused Point Cast Web information application can be recog\nnized using this process, during the initial connection\nbetween a PointCast Server and client, Specific key tokens\nexist in the data eXchange that will result in a Signature being\ngenerated to recognize PointCast.\nThe in-stream analysis proceSS may also be combined\nwith the Server announcement process. In many cases\nin-Stream analysis will augment other recognition processes.\nAn example of combining in-stream analysis with Server\nannouncement can be found in busineSS applications Such as\nSAP and BAAN.\n\n"Session tracking\xe2\x80\x9d also is known as one of the primary\nprocesses for tracking applications in client/server packet\neXchanges. The process of tracking Sessions requires an\ninitial connection to a predefined Socket or port number. This\nmethod of communication is used in a variety of transport\nlayer protocols. It is most commonly seen in the TCP and\nUDP transport protocols of the IP protocol.\nDuring the Session tracking, a client makes a request to a\nServer using a specific port or Socket number. This initial\nrequest will cause the server to create a TCP or UDP port to\neXchange the remainder of the data between the client and\nthe server. The server then replies to the request of the client\nusing this newly created port. The original port used by the\nclient to connect to the Server will never be used again\nduring this data eXchange.\n\nOne example of session tracking is TFTP (Trivial File\nTransfer Protocol), a version of the TCP/IP FTP protocol\n\n30\n\nthat has no directory or password capability. During the\n\nfor example, implement an RMON probe, where a network\n\n15\n\n25\n\n35\n\n40\n\nThus, when the client begins the process of communicating,\na request is made to UDP port 69. Once the server receives\nthis request, a new port number is created on the Server. The\nServer then replies to the client using the new port. In this\nexample, it is clear that in order to recognize TFTP; network\nmonitor 300 analyzes the initial request from the client and\ngenerates a signature for it. Monitor 300 uses that Signature\nto recognize the reply. Monitor 300 also analyzes the reply\nfrom the Server with the key port information, and uses this\nto create a signature for monitoring the remaining packets of\nthis data eXchange.\nNetwork monitor 300 can also understand the current\n\nState of particular connections in the network. Connection\noriented exchanges often benefit from State tracking to\ncorrectly identify the application. An example is the com\nmon TCP transport protocol that provides a reliable means\nof sending information between a client and a server. When\na data eXchange is initiated, a TCP request for Synchroni\nZation message is sent. This message contains a specific\nSequence number that is used to track an acknowledgement\nfrom the Server. Once the Server has acknowledged the\nSynchronization request, data may be exchanged between\nthe client and the Server. When communication is no longer\nrequired, the client Sends a finish or complete message to the\nServer, and the Server acknowledges this finish request with\na reply containing the Sequence numbers from the request.\nThe States of Such a connection-oriented exchange relate to\nthe various types of connection and maintenance messages.\nServer Announcement Example\nThe individual methods of Server announcement proto\ncols vary. However, the basic underlying proceSS remains\nSimilar. A typical Server announcement message is Sent to\none or more clients in a network. This type of announcement\nmessage has specific content, which, in another aspect of the\ninvention, is Salvaged and maintained in the database of\nflow-entries in the System. Because the announcement is\nSent to one or more Stations, the client involved in a future\n\n45\n\npacket eXchange with the Server will make an assumption\nthat the information announced is known, and an aspect of\nthe inventive monitor is that it too can make the same\nassumption.\nSun-RPC is the implementation by Sun Microsystems,\n\nInc. (Palo Alto, Calif.) of the Remote Procedure Call (RPC),\n\na programming interface that allows one program to use the\n\n50\n\nServices of another on a remote machine. A Sun-RPC\n\nexample is now used to explain how monitor 300 can\ncapture Server announcements.\n\n55\n\n60\n\n65\n\nA remote program or client that wishes to use a server or\nprocedure must establish a connection, for which the RPC\nprotocol can be used.\nEach server running the Sun-RPC protocol must maintain\na proceSS and database called the port Mapper. The port\nMapper creates a direct association between a Sun-RPC\n\nprogram or application and a TCP or UDP socket or port (for\nTCP or UDP implementations). An application or program\nnumber is a 32-bit unique identifier assigned by ICANN (the\nInternet Corporation for Assigned Names and Numbers,\nwww.icann.org), which manages the huge number of param\neters associated with Internet protocols (port numbers,\nrouter protocols, multicast addresses, etc.) Each port Mapper\n\non a Sun-RPC server can present the mappings between a\nunique program number and a specific transport Socket\nApp. II-155\n\n\x0c31\n\nUS 6,954,789 B2\n\nthrough the use of Specific request or a directed announce\nment. According to ICANN, port number 111 is associated\n\nProcess 908: Decode the Sun RPC packet. Check RPC\ntype field for ID. If value is portMapper, save paired\n\nwith Sun RPC.\n\nSocket (i.e., dest for destination address, Src for Source\naddress). Decode ports and mapping, save ports with\nSocket/addr key. There may be more than one pairing\nper mapper packet. Form a signature (e.g., a key). A\n\nAs an example, consider a client (e.g., CLIENT 3 shown\nas 106 in FIG. 1) making a specific request to the server\n(e.g., SERVER 2 of FIG. 1, shown as 10) on a predefined\n\nUDP or TCP socket. Once the port Mapper process on the\nSun RPC Server receives the request, the Specific mapping is\nreturned in a directed reply to the client.\n\n1. A client (CLIENT 3, 106 in FIG. 1) sends a TCP packet\nto SERVER2 (110 in FIG. 1) on port 111, with an RPC\nBind Lookup Request (rpcBindLookup). TCP or UDP\nport 111 is always associated Sun RPC. This request\nSpecifies the program (as a program identifier), version,\nand might specify the protocol (UDP or TCP).\n2. The server SERVER 2 (110 in FIG. 1) extracts the\n\nflow-entry is created in database 324. The saving of the\nrequest is now complete.\n\nAt some later time, the server (process 907) issues a RPC\n\nbind lookup reply. The packet monitor 300 will extract a\nSignature from the packet and recognize it from the previ\nously stored flow. The monitor will get the protocol port\n15\n\nnumber (906) and lookup the request (905). A new signature\n(i.e., a key) will be created and the creation of the server\nstate (904) will be stored as an entry identified by the new\n\n25\n\noccurs between a client and a Server, and also can track those\n\nprogram identifier and version identifier from the\nrequest. The Server also uses the fact that this packet\ncame in using the TCP transport and that no protocol\nwas specified, and thus will use the TCP protocol for its\nreply.\n3. The server 110 sends a TCP packet to port number 111,\nwith an RPC Bind Lookup Reply. The reply contains\n\nthe specific port number (e.g., port number port) on\nSpecific RPC program identifier (e.g., Program\nprogram) and the protocol (UDP or TCP) for use.\n\nwhich future transactions will be accepted for the\n\nIt is desired that from now on every time that port number\nport is used, the packet is associated with the application\nprogram program until the number port no longer is to be\nasSociated with the program program. Network monitor\n300 by creating a flow-entry and a signature includes a\nmechanism for remembering the exchange So that future\npackets that use the port number port will be associated by\nthe network monitor with the application program pro\ngram.\nIn addition to the Sun RPC Bind Lookup request and\nreply, there are other ways that a particular program-Say\nprogram-might be associated with a particular port\nnumber, for example number port. One is by a broadcast\nannouncement of a particular association between an appli\ncation service and a port number, called a Sun RPC port\nMapper Announcement. Another, is when Some Server-Say\nthe same SERVER 2-replies to some client-say CLIENT\n1-requesting Some portMapper assignment with a RPC\nportMapper Reply. Some other client-say CLIENT\n2-might inadvertently See this request, and thus know that\nfor this particular server, SERVER 2, port number port is\nasSociated with the application Service program. It is\n\nSimilar Set of operations, for example, Saving the informa\ntion obtained from the announcement. The RPC Reply\nportMapper step 901 could be in reply to a portMapper\nrequest, and is also broadcast. It includes all the Service\nparameterS.\n35\n\n40\n\n45\n\n50\n\nSuppose a client 106 (e.g., CLIENT 3 in FIG. 1) is com\n\n110 (e.g., SERVER 2 in FIG. 1) via the server\'s interface to\n\nthe network 116. Further assume that Remote Procedure\n\nCall is used to communicate with the server 110. One path\nin the data flow 900 starts with a step 910 that a Remote\nProcedure Call bind lookup request is issued by client 106\nand ends with the server state creation step 904. Such RPC\nbind lookup request includes values for the program,\nversion, and protocol to use, e.g., TCP or UDP. The\nprocess for Sun RPC analysis in the network monitor 300\nincludes the following aspects.:\nProcess 909: Extract the program, \xe2\x80\x9cversion, and pro\n\nStations that have received the announcement of a Service in\nthe network.\n\nThe RPC Announcement portMapper announcement 902\n\nmonitor 300 of FIG. 3 for Sun Remote Procedure Call.\n\nmunicating via its interface to the network 118 to a server\n\nSignature in the flow-entry database. That Signature now\nmay be used to identify packets associated with the Server.\nThe server state creation step 904 can be reached not only\nfrom a Bind Lookup Request/Reply pair, but also from a\nRPC Reply portMapper packet shown as 901 or an RPC\nAnnouncement portMapper shown as 902. The Remote\nProcedure Call protocol can announce that it is able to\nprovide a particular application Service. Embodiments of the\npresent invention preferably can analyze when an exchange\n\nis a broadcast. Such causes various clients to execute a\n\ndesirable for the network monitor 300 to be able to associate\n\nany packets to SERVER 2 using port number port with the\napplication program program.\nFIG.9 represents a dataflow 900 of some operations in the\n\n32\n\n55\n\nThus monitor 300 creates and saves all Such states for\n\nlater classification of flows that relate to the particular\nService program.\nFIG.2 shows how the monitor 300 in the example of Sun\nRPC builds a signature and flow states. A plurality of packets\n206-209 are exchanged, e.g., in an exemplary Sun Micro\nsystems Remote Procedure Call protocol. A method embodi\nment of the present invention might generate a pair of flow\nsignatures, \xe2\x80\x9csignature-1\' 210 and \xe2\x80\x9csignature-2\xe2\x80\x9d 212, from\ninformation found in the packets 206 and 207 which, in the\nexample, correspond to a Sun RPC Bind Lookup request and\nreply, respectively.\nConsider first the Sun RPC Bind Lookup request. Sup\npose packet 206 corresponds to Such a request Sent from\nCLIENT 3 to SERVER 2. This packet contains important\ninformation that is used in building a signature according to\nan aspect of the invention. A Source and destination network\naddress occupy the first two fields of each packet, and\naccording to the patterns in pattern database 308, the flow\n\nsignature (shown as KEY1230 in FIG. 2) will also contain\n\nthese two fields, so the parser subsystem 301 will include\n\nthese two fields in signature KEY 1 (230). Note that in FIG.\n2, if an address identifies the client 106 (shown also as 202),\n\nthe label used in the drawing is \xe2\x80\x9cC\xe2\x80\x9d. If such address\n\n60\n\nidentifies the server 110 (shown also as server 204), the label\n\nused in the drawing is \xe2\x80\x9cS\xe2\x80\x9d. The first two fields 214 and 215\nin packet 206 are \xe2\x80\x9cS\xe2\x80\x9d and C\xe2\x80\x9d because packet 206 is\nprovided from the server 110 and is destined for the client\n106. Suppose for this example, \xe2\x80\x9cS\xe2\x80\x9d is an address numeri\n\ncally less than address \xe2\x80\x9cC\xe2\x80\x9d. A third field "p" 216 identifies\n\nthe particular protocol being used, e.g., TCP, UDP, etc.\nIn packet 206, a fourth field 217 and a fifth field 218 are\nused to communicate port numbers that are used. The\nApp. II-156\n\ntocol (UDP or TCP). Extract the TCP or UDP port\n(process 909) which is 111 indicating Sun RPC.\n\n65\n\n\x0c33\n\nUS 6,954,789 B2\n\nState processor instruction database 326 instructs the State\nprocessor to build and Store a new flow signature, shown as\n\nconversation direction determines where the port number\nfield is. The diagonal pattern in field 217 is used to identify\na Source-port pattern, and the hash pattern in field 218 is\nused to identify the destination-port pattern. The order\nindicates the client-Server message direction. A sixth field\n\nKEY-2 (212) in FIG. 2. This flow signature built by the state\n\nprocessor also includes the destination and a Source\naddresses 250 and 251, respectively, for server \xe2\x80\x9cS\xe2\x80\x9d fol\n\ndenoted \xe2\x80\x9ci\'\xe2\x80\x9d 219 is an element that is being requested by the\n\nlowed by (the numerically higher address) client \xe2\x80\x9cC\xe2\x80\x9d. A\nprotocol field 252 defines the protocol to be used, e.g., \xe2\x80\x9cp\xe2\x80\x9d\n\nclient from the server. A seventh field denoted \xe2\x80\x9csa\xe2\x80\x9d 220 is\nthe service requested by the client from server 110. The\nfollowing eighth field \xe2\x80\x9cQA\xe2\x80\x9d 221 (for question mark) indi\n\nwhich is obtained from the reply packet. A field 253 contains\na recognition pattern also obtained from the reply packet. In\nthis case, the application is Sun RPC, and field 254 indicates\n\ncates that the client 106 wants to know what to use to access\n\napplication \xe2\x80\x9csa\'. A tenth field \xe2\x80\x9cQP 223 is used to indicate\nthat the client wants the Server to indicate what protocol to\nuse for the particular application.\nPacket 206 initiates the Sequence of packet eXchanges,\ne.g., a RPC Bind Lookup Request to SERVER 2. It follows\na well-defined format, as do all the packets, and is trans\n\nthis application \xe2\x80\x9ca\xe2\x80\x9d. A next-state field 255 defines the next\nState that the State processor should proceed to for more\ncomplex recognition jobs, e.g., a state \xe2\x80\x9cst". In this particular\n\n15\n\nidentifier (port 111 indicating Sun RPC).\n\nPacket 207 is the first sent in reply to the client 106 from\nthe server. It is the RPC Bind Lookup Reply as a result of\nthe request packet 206.\n\nThe flow signature and flow states built up as a result of\nthis exchange are now described. When the packet monitor\n300 sees the request packet 206 from the client, a first flow\nsignature 210 is built in the parser Subsystem 301 according\nto the pattern and extraction operations database 308. This\nSignature 210 includes a destination and a Source address\n240 and 241. One aspect of the invention is that the flow\nkeys are built consistently in a particular order no matter\nwhat the direction of conversation. Several mechanisms may\nbe used to achieve this. In the particular embodiment, the\nnumerically lower address is always placed before the\nnumerically higher address. Such least to highest order is\nused to get the best Spread of Signatures and hashes for the\nlookup operations. In this case, therefore, Since we assume\n\xe2\x80\x9cS\xe2\x80\x9d<\xe2\x80\x9cC\xe2\x80\x9d, the order is address \xe2\x80\x9cS\xe2\x80\x9d followed by client\naddress \xe2\x80\x9cC\xe2\x80\x9d. The next field used to build the signature is a\nprotocol field 242 extracted from packet 206\'s field 216, and\n\n25\n\nport numbers of UDS for p\' that will be used to recognize\nthis flow (e.g., port 111). Port 111 indicates this is Sun RPC.\n\n35\n\n45\n\nstate \xe2\x80\x9cst,\xe2\x80\x9d is placed in the field 245 of the flow-entry.\nWhen the Sun RPC Bind Lookup reply is acquired, a flow\nSignature is again built by the parser. This flow signature is\nidentical to KEY-1. Hence, when the signature enters the\nanalyzer subsystem 303 from the parser Subsystem 301, the\ncomplete flow-entry is obtained, and in this flow-entry\nindicates State \xe2\x80\x9cst\'. The operations for State \xe2\x80\x9cst\xe2\x80\x9d in the\n\nThus the flow signature for the recognition of application\n\n\xe2\x80\x9ca\xe2\x80\x9d is automatically set up by predefining what packet\n\neXchange Sequences occur for this example when a rela\ntively simple Sun Microsystems Remote Procedure Call\nbind lookup request instruction executes. More complicated\neXchanges than this may generate more than two flow\nSignatures and their corresponding States. Each recognition\nmay involve Setting up a complex State transition diagram to\nbe traversed before a \xe2\x80\x9cfinal\xe2\x80\x9d resting state such as \xe2\x80\x9cst\xe2\x80\x9d in\nfield 255 is reached. All these are used to build the final set\n\n50\n\n55\n\ndirectly determinable ("known\xe2\x80\x9d) at the parser level. So in\n\ndenoted \xe2\x80\x9ca\xe2\x80\x9d (Sun RPC Bind Lookup), and a denoted as\n\nand a field 263 defines the destination port number.\nSome network-Server application recognition jobs are SO\nSimple that only a single State transition has to occur to be\nable to pinpoint the application that produced the packet.\nOthers require a Sequence of State transitions to occur in\norder to match a known and predefined climb from State\nto-State.\n\n40\n\nSome applications, such as the Sun RPC Bind Lookups, are\n\nthis case, the Signature KEY-1 points to a known application\n\nThe two flow signatures 210 and 212 always order the\ndestination and source address fields with server \xe2\x80\x9cS\xe2\x80\x9d fol\nlowed by client \xe2\x80\x9cC\xe2\x80\x9d. Such values are automatically filled in\nwhen the addresses are first created in a particular flow\nSignature. Preferably, large collections of flow Signatures are\nkept in a lookup table in a least-to-highest order for the best\nSpread of flow Signatures and hashes.\nThereafter, the client and Server exchange a number of\npackets, e.g., represented by request packet 208 and\nresponse packet 209. The client 106 sends packets 208 that\nhave a destination and Source address S and C, in a pair of\n\nfields 260 and 261. A field 262 defines the protocol as \xe2\x80\x9cp\xe2\x80\x9d,\n\nthus is the protocol \xe2\x80\x9cp\'. The next field used for the\n\nSignature is field 243, which contains the destination Source\nport number shown as a crosshatched pattern from the field\n218 of the packet 206. This pattern will be recognized in the\npayload of packets to derive how this packet or Sequence of\npackets exists as a flow. In practice, these may be TCP port\nnumbers, or a combination of TCP port numbers. In the case\nof the Sun RPC example, the crosshatch represents a set of\n\napplication \xe2\x80\x9ca\xe2\x80\x9d. Two such packets 208 and 209 are shown,\n\nbuilt in each case.\n\nPacket 207 includes ten fields 224-233. The destination\n\nfrom the server 110 to the client 106. The protocol \xe2\x80\x9cp\' is\nused as indicated in field 226. The request "i" is in field 229.\nValues have been filled in for the application port number,\ne.g., in field 233 and protocol \xe2\x80\x9cp\xe2\x80\x9d in field 233.\n\nexample, this is a final state. Thus, KEY-2 may now be used\nto recognize packets that are in any way associated with the\n\none in each direction. They use the particular application\nService requested in the original Bind Lookup Request, and\neach will be recognized because the signature KEY-2 will be\n\nmitted to the server 110 on a well-known service connection\n\nand Source addresses are carried in fields 224 and 225, e.g.,\nindicated \xe2\x80\x9cC\xe2\x80\x9d and \xe2\x80\x9cS\xe2\x80\x9d, respectively. Notice the order is\nnow reversed, since the client-Server message direction is\n\n34\n\n60\n\nof flow Signatures for recognizing a particular application in\nthe future.\n\nEmbodiments of the present invention automatically gen\nerate flow Signatures with the necessary recognition patterns\nand State transition climb procedure. Such comes from\nanalyzing packets according to parsing rules, and also gen\nerating State transitions to Search for. Applications and\nprotocols, at any level, are recognized through State analysis\nof Sequences of packets.\nNote that one in the art will understand that computer\nnetworks are used to connect many different types of\ndevices, including network appliances Such as telephones,\n\xe2\x80\x9cInternet\' radios, pagers, and So forth. The term computer as\nused herein encompasses all Such devices and a computer\nnetwork as used herein includes networks of Such comput\n\n65 CS.\n\nAlthough the present invention has been described in\nterms of the presently preferred embodiments, it is to be\nApp. II-157\n\n\x0c35\n\nUS 6,954,789 B2\n\n12. A method according to claim 1, wherein the parsing/\nextraction operations are according to a database of parsing/\nextraction operations that includes information describing\nhow to determine a set of one or more protocol dependent\nextraction operations from data in the packet that indicate a\nprotocol used in the packet.\n\nunderstood that the disclosure is not to be interpreted as\nlimiting. Various alterations and modifications will no doubt\nbecome apparent to those or ordinary skill in the art after\nhaving read the above disclosure. Accordingly, it is intended\nthat the claims be interpreted as covering all alterations and\nmodifications as fall within the true Spirit and Scope of the\npresent invention.\nWe claim:\n1. A method of examining packets passing through a\nconnection point on a computer network, each packets\nconforming to one or more protocols, the method compris\ning:\n\n13. A method according to claim 1, wherein step (d)\n\nincludes if the packet is of an existing flow, obtaining the last\nencountered State of the flow and performing any State\noperations Specified for the State of the flow Starting from the\n\nlast encountered State of the flow; and wherein step (e)\n\n(a) receiving a packet from a packet acquisition device;\n(b) performing one or more parsing/extraction operations\n\non the packet to create a parser record comprising a\nfunction of Selected portions of the packet;\n\n15\n\n(c) looking up a flow-entry database comprising none or\nmore flow-entries for previously encountered conver\nsational flows, the looking up using at least Some of the\nSelected packet portions and determining if the packet\nis of an existing flow;\n\n(d) if the packet is of an existing flow, classifying the\npacket as belonging to the found existing flow; and\n\n(e) if the packet is of a new flow, Storing a new flow-entry\n\nfor the new flow in the flow-entry database, including\nidentifying information for future packets to be iden\ntified with the new flow-entry,\nwherein the parsing/extraction operations depend on one or\nmore of the protocols to which the packet conforms.\n2. A method according to claim 1, wherein each packet\npassing through the connection point is examined in real\n\n25\n\nmore Statistical measures include measures Selected from the\n\nSet consisting of the total packet count for the flow, the time,\n\n19. A packet monitor for examining packets passing\nthrough a connection point on a computer network, each\npackets conforming to one or more protocols, the monitor\ncomprising:\n\n35\n\npoint and configured to receive packets passing through\nthe connection point;\naccept a packet from the packet acquisition device;\n\n40\n\n(c) a parser Subsystem coupled to the input buffer memory\n\n45\n\n(d) a memory for Storing a database comprising none or\n\nand including a slicer, the parsing Subsystem config\nured to extract Selected portions of the accepted packet\nand to output a parser record containing the Selected\nportions,\nmore flow-entries for previously encountered conver\nsational flows, each flow-entry identified by identifying\ninformation stored in the flow-entry;\n\n(e) a lookup engine coupled to the output of the parser\n50\n\ninclude the Source and destination addresses.\n\n8. A method according to claim 7, wherein the function of\nthe Selected portions for packets of the same flow is con\nSistent independent of the direction of the packets.\n9. A method according to claim 8, wherein the source and\ndestination addresses are placed in an order determined by\n\n(a) a packet acquisition device coupled to the connection\n(b) an input buffer memory coupled to and configured to\n\nand a differential time from the last entered time to the\n\npresent time.\n6. A method according to claim 1, wherein the function of\nthe Selected portions of the packet forms a Signature that\nincludes the Selected packet portions and that can identify\nfuture packers, wherein the lookup operation uses the Sig\nnature and wherein the identifying information Stored in the\nnew or updated flow-entry is a signature for identifying\nfuture packets.\n7. A method according to clalm 1, wherein at least one of\nthe protocols of the packet uses Source and destination\naddresses, and wherein the Selected portions of the packet\n\nincludes if the packet is of a new flow, performing any State\noperations required for the initial State of the new flow.\n14. A method according to claim 13, wherein the State\nprocessing of each received packet of a flow furthers the\nidentifying of the application program of the flow.\n15. A method according to claim 13, wherein the state\noperations include updating the flow-entiy, including Storing\nidentifying information for future packets to be identified\nwith the flow-entry.\n16. A method according to claim 15, wherein the state\nprocessing of each received packet of a flow furthers the\nidentifying of the application program of the flow.\n17. A method according to claim 13, wherein the state\noperations include Searching the parser record for the exist\nence of one or more reference Strings.\n18. A method according to claim 13, wherein the state\noperations are carried out by a programmable State processor\naccording to a database of protocol dependent State opera\ntions.\n\ntime.\n\n3. A method according to claim 1, wherein classifying the\npacket as belonging to the found existing flow includes\nupdating the flow-entry of the existing flow.\n4. A method according to claim 3, wherein updating\nincludes Storing one or more Statistical measures Stored in\nthe flow-entry of the existing flow.\n5. A method according to claim 4, wherein the one or\n\n36\n\n55\n\nSubsystem and to the flow-entry memory and config\nured to lookup whether the particular packet whose\nparser record is output by the parser Subsystem has a\nmatching flow-entry, the looking up using at least Some\nof the Selected packet portions and determining if the\npacket is of an existing flow; and\n\n(f) a flow insertion engine coupled to the flow-entry\n\nmemory and to the lookup engine and configured to\ncreate a flow-entry in the flow-entry database, the\nflow-entry including identifying information for future\nthe order of numerical values of the addresses in the function 60\npackets to be identified with the new flow-entry, the\nlookup engine configured Such that if the packet is of an\nof Selected portions.\nexisting flow, the monitor classifies the packet as\n10. A method according to claim 9, wherein the numeri\ncally lower address is placed before the numerically higher\nbelonging to the found existing flow; and if the packet\naddress in the function of Selected portions.\nis of a new flow, the flow insertion engine Stores a new\nflow-entry for the new flow in the flow-entry database,\n11. A method according to claim 1, wherein the looking up 65\nincluding identifying information for future packets to\nof the flow-entry database uses a hash of the Selected packet\nportions.\nbe identified with the new flow-entry,\nApp. II-158\n\n\x0c37\n\nUS 6,954,789 B2\n\nwherein the operation of the parser Subsystem depends on\none or more of the protocols to which the packet conforms.\n20. A monitor according to claim 19, wherein each packet\npassing through the connection point is accepted by the\npacket buffer memory and examined by the monitor in real\ntime.\n\n21. A monitor according to claim 19, wherein the lookup\nengine updates the flow-entry of an existing flow in the case\nthat the lookup is Successful.\n22. A monitor according to claim 19, further including a\nmechanism for building a hash from the Selected portions,\nwherein the hash is included in the input for a particular\npacket to the lookup. engine, and wherein the hash is used\nby the lookup engine to Search the flow-entry database.\n23. A monitor according to ciaim 19, further including a\nmemory containing a database of parsing/extraction\noperations, the parsing/extraction database memory coupled\nto the parser Subsystem, wherein the parsing/extraction\noperations are according to one or more parsing/extraction\noperations looked up from the parsing/extraction database.\n24. A monitor according to claim 23, wherein the database\nof parsing/extraction operations includes information\ndescribing how to determine a set of one or more protocol\ndependent extraction operations from data in the packet that\nindicate a protocol used in the packet.\n25. A monitor according to claim 19, further including a\n\nflow-key-buffer (UFKB) coupled to the output of the parser\n\n15\n\n25\n\ntranslating the protocol description language com\nmands into a plurality of State patterns and State\noperations that are initialized into the State patterns/\noperations memory.\n33. A packet monitor according to claim 19, further\ncomprising:\na cache Subsystem coupled to and between the lookup\nengine and the flow-entry database memory providing\nfor fast access of a set of likely-to-be-accessed flow\nentries from the flow-entry database.\n34. A packet monitor according to claim 33, wherein the\ncache Subsystem is an associative cache Subsystem includ\n\ning one or more content addressable memory cells (CAMs).\n35. A packet monitor according to claim 34, wherein the\ncache Subsystem is also a least-recently-used cache memory\n\nUFKB.\n\nfrom the last encountered state of the flow in the case that the\n\nused in packets encountered by the monitor and any\nchildren protocols thereof, and\ntranslating the protocol description language com\nmands into a plurality of parsing/extraction opera\ntions that are initialized into the parsing/extraction\noperations memory.\n32. A packet monitor according to claim 28, further\ncomprising:\na compiler processor coupled to the parsing/extraction\noperations memory, the compiler processor configured\nto run a compilation process that includes:\nreceiving commands in a high-level protocol descrip\ntion language that describe a correspondence\nbetween a Set of one or more application programs\nand the State transition patterns/operations that occur\nas a result of particular conversational flow\nSequences associated with an application programs,\nand\n\nSubsystem and to the lookup engine and to the flow insertion\nengine, wherein the output of the parser monitor is coupled\nto the lookup engine via the UFKB, and wherein the flow\ninsertion engine is coupled to the lookup engine via the\n\n26. A method according to claim 19, further including a\nState processor coupled to the lookup engine and to the\nflow-entry-database memory, and configured to perform any\nState operations Specified for the State of the flow Starting\n\n38\n\nSuch that a cache miss updates the least recently used cache\nentry.\n35\n\n36. A packet monitor according to claim 19, wherein each\nflow-entry Stores one or more Statistical measures about the\nflow, the monitor further comprising\na calculator for updating at least one of the Statistical\nmeasures in the flow-entry of the accepted packet.\n37. A packet monitor according to claim 36, wherein the\n\npacket is from an existing flow, and to perform any State\noperations required for the initial State of the new flow in the\ncase that the packet is from an existing flow.\n27. A method according to claim 19, wherein the set of 40\npossible State operations that the State processor is config one or more Statistical measures include measures Selected\nured to perform includes Searching for one or more patterns from the Set consisting of the total packet count for the flow,\nin the packet portions.\nthe time, and a differential time from the last entered time to\n28. A monitor according to claim 26, wherein the State the present time.\nprocessor is programmable, the monitor further including a 45 38. A packet monitor according to claim 36, further\nState patterns/operations memory coupled to the State including a Statistical processor configured to determine one\nprocessor, the State operations memory configured to Store a or more network usage metrics related to the flow from one\ndatabase of protocol dependent State patterns/operations.\nor more of the Statistical measures in a flow-entry.\n29. A monitor according to claim 25, further including a\n39. A monitor according to claim 19, wherein:\nstate processor coupled to the UFKB and to the flow-entry 50 flow-entry-database is organized into a plurality of bins\ndatabase memory, and configured to perform any State\nthat each contain N-number of flow-entries, and\noperations Specified for the State of the flow Starting from the\nwherein Said bins are accessed via a hash data value\nlast encountered State of the flow in the case that the packet\ncreated by a parser Subsystem based on the Selected\nis from an existing flow, and to perform any State operations\npacket portions, wherein N is one or more.\nrequired for the initial state of the new flow in the case that 55 40. A monitor according to claim 39, wherein the hash\nthe packet is from an existing flow.\ndata value is used to spread a plurality of flow-entries acroSS\n30. A monitor according to claim 26, wherein the state the flow-entry-database and allows fast lookup of a flow\noperations include updating the flow-entry, including iden entry and shallower buckets.\ntifying information for future packets to be identified with\n41. A monitor according to claim 26, wherein the State\nthe flow-entry.\n60 processor analyzes both new and existing flows in order to\n31. A packet monitor according to claim 19, further classify them by application and proceeds from State-to-State\ncomprising:\nbased on a set of predefined rules.\na compiler processor coupled to the parsing/extraction\n42. A monitor according to claim 19, wherein the lookup\noperations memory, the compiler processor configured engine begins processing as Soon as a parser record arrives\n65 from the parser Subsystem.\nto run a compilation process that includes:\nreceiving commands in a high-level protocol descrip\n43. A monitor according to claim 26, wherein the lookup\ntion language that describe the protocols that may be engine provides for flow State entry checking to see if a flow\nApp. II-159\n\n\x0c39\n\nUS 6,954,789 B2\n\nkey should be sent to the State processor, and that outputs a\nprotocol identifier for the flow.\n44. A method of examining packets passing through a\nconnection point on a computer network, the method com\nprising:\n\n(a) receiving a packet from a packet acquisition device;\n(b) performing one or more parsing/extraction operations\n\non the packet according to a database of parsing/\nextraction operations to create a parser record compris\ning a function of Selected portions of the packet, the\ndatabase of parsing/extraction operations including\ninformation on how to determine a set of one or more\n\nprotocol dependent extraction operations from data in\nthe packet that indicate a protocol is used in the packet;\n\n(c) looking up a flow-entry database comprising none or\n\n15\n\nmore flow-entries for previously encountered conver\nsational flows, the looking up using at least Some of the\nSelected packet portions, and determining if the packet\nis of an existing flow;\n\n(d) if the packet is of an existing flow, obtaining the last\n\nencountered State of the flow and performing any State\noperations Specified for the State of the flow Starting\nfrom the last encountered state of the flow; and\n\n(e) if the packet is of a new flow, performing any analysis\n\nrequired for the initial State of the new flow and Storing\na new flow-entry for the new flow in the flow-entry\n\n25\n\n40\n\ndatabase, including identifying information for future\npackets to be identified with the new flow-entry.\n45. A method according to claim 44, wherein one of the\nState operations Specified for at least one of the States\nincludes updating the flow-entry, including identifying\ninformation for future packets to be identified with the\nflow-entry.\n46. A method according to claim 44, wherein one of the\nState operations Specified for at least one of the States\nincludes Searching the contents of the packet for at least one\nreference String.\n47. A method according to claim 45, wherein one of the\nState operations Specified for at least one of the States\nincludes creating a new flow-entry for future packets to be\nidentified with the flow, the new flow-entry including iden\ntifying information for future packets to be identified with\nthe flow-entry.\n48. A method according to claim 44, further comprising\nforming a Signature from the Selected packet portions,\nwherein the lookup operation uses the Signature and wherein\nthe identifying information Stored in the new or updated\nflow-entry is a Signature for identifying future packets.\n49. A method according to claim 44, wherein the state\noperations are according to a database of protocol dependent\nState operations.\n\nApp. II-160\n\n\x0cUNITED STATES PATENT AND TRADEMARK OFFICE\n\nCERTIFICATE OF CORRECTION\nPATENT NO.\nDATED\n\n: 6,954,789 B2\n: October 11, 2005\n\nPage 1 of 1\n\nINVENTOR(S) : Dietz et al.\n\nIt is certified that error appears in the above-identified patent and that said Letters Patent is\nhereby corrected as shown below:\n\nColumn 9,\nLine 60, change \xe2\x80\x9clayer model\xe2\x80\x9d to -- layered model --.\nColumn 33,\nLine 60, insert between \xe2\x80\x9cand a\' and \xe2\x80\x9cdenoted as\xe2\x80\x9d the phrase -- next-state that the State\nprocessor Should proceed to for more complex recognition jobs, --.\nColumn 35,\nLline 51, change \xe2\x80\x9cclalm\xe2\x80\x9d to -- claim --.\nColumn 37,\nLine 14, change "ciaim\xe2\x80\x9d to -- claim --.\n\nSigned and Sealed this\nSeventh Day of March, 2006\n\nWDJ\nJON W. DUDAS\n\nDirector of the United States Patent and Trademark Office\n\nApp. II-161\n\n\x0cUNITED STATES PATENT AND TRADEMARK OFFICE\n\nCERTIFICATE OF CORRECTION\nPATENT NO.\n\nAPPLICATIONNO.\n\n: 6,954,789 B2\n\nPage 1 of 1\n\n: 10/684776\n\nDATED\n\n: October 11, 2005\n\nINVENTOR(S)\n\n: Russell S. Dietz et al.\n\nIt is certified that error appears in the above-identified patent and that said Letters Patent is hereby corrected as shown below:\nIN THE CLAIMS:\n\nColumn 35, line 47, claim 6, change \xe2\x80\x9cpackers to --packets--.\nColumn 36, line 18, claim 15, change \xe2\x80\x9centiy to --entry--.\nColumn 37, line 32, claim 26, change \xe2\x80\x9cmethod to --monitor--.\nColumn 37, line 40, claim 27, change \xe2\x80\x9cmethod to --monitor--.\nColumn 37, lines 55 and 56, claim 29, change \xe2\x80\x9cfor the initial state of the new flow in the case that\nthe packet is from an existing flow to --for the initial state of the new flow in the case that the packet\nis not from an existing flow--.\n\nSigned and Sealed this\nFirst Day of October, 2013\n2\n\n2-Y\n\nxx\n\n. .\n26-e- 2. 13\ns?\n\n*\xc3\xa9-...s\xc3\xa9 -\n\nTeresa Stanek Rea\n\nDeputy Director of the United States Patent and Trademark Office\n\nApp. II-162\n\n\x0c'