Event correlation in a network merging local graph models from distributed nodes
US-2016219066-A1 · Jul 28, 2016 · US
Flow deduplication across a cluster of network monitoring devices
US9660879B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9660879-B1 |
| Application number | US-201615219016-A |
| Country | US |
| Kind code | B1 |
| Filing date | Jul 25, 2016 |
| Priority date | Jul 25, 2016 |
| Publication date | May 23, 2017 |
| Grant date | May 23, 2017 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Embodiments are directed to monitoring flows of packets over a network. If a network monitoring computer (NMC) in a cluster of NMCs observes a new network flow, the NMC may perform a variety of actions to determine the NMC that is responsible for monitoring the new network flow. Network traffic associated with the new network flow may be buffered in a non-transitory processor readable media. The new network flow may be registered with the plurality of NMCs, providing an identifier that corresponds to one NMC. Registering may include, assigning the NMC a responsibility to monitor the new network flow. If the identifier corresponds to the NMC that observed the new network flow, the network traffic associated with the new network flow is processed using that NMC. If the identifier corresponds to another NMC, the buffered network traffic is forwarded to the other NMC.
First claim
Opening claim text (preview).
What is claimed as new and desired to be protected by Letters Patent of the United States is: 1. A method for monitoring flows of packets over a network, wherein one or more processors in a network computer execute instructions to perform actions, comprising: employing a network monitoring computer (NMC) in a plurality of NMCs, that is provided a new network flow, to perform further actions, including: buffering network traffic information associated with the new network flow in a non-transitory processor readable media; registering the new network flow with the plurality of NMCs, wherein registration provides an identifier that corresponds to one or more of the plurality of NMCs and provides an indication that the one or more NMCs that correspond to the identifier have registered an interest in one or more network flows that are related to the new network flow; forwarding network traffic information that is associated with the one or more related network flows to the one or more NMCs that correspond to the identifier; employing the identifier, which corresponds to the NMC that was provided the new network flow, to process network traffic associated with the new network flow using the NMC that was provided the new network flow; and employing the identifier, which corresponds to another NMC, to forward the buffered network traffic information to the other NMC. 2. The method of claim 1 , wherein registering the new network flow with the plurality of NMCs, further comprises, assigning the one or more NMCs to monitor the new network flow, wherein the one or more NMCs correspond to the identifier. 3. The method of claim 1 , further comprising, when a provided network flow is absent from a network flow table of the NMC, classifying the provided network flow is the new network flow. 4. The method of claim 1 , wherein registering the new network flow with the plurality of NMCs, further comprises providing the identifier based on a hashing of some or all of the tuple information that is associated with the new network flow. 5. The method of claim 1 , further comprising, storing information associated with the new network flow in a network flow table, wherein the information includes, one or more of tuple information, the identifier, or a timeout value. 6. The method of claim 1 , wherein registering the new network flow with the plurality of NMCs, further comprises, providing the identifier based on an execution of one or more defined static policies. 7. A system for monitoring flows of packets over a network comprising: a network computer, comprising: a transceiver that communicates over the network; a memory that stores at least instructions; and one or more processors that execute instructions that perform actions, including: employing a network monitoring computer (NMC) in a plurality of NMCs, that is provided a new network flow, to perform further actions, including: buffering network traffic information associated with the new network flow in a non-transitory processor readable media; registering the new network flow with the plurality of NMCs, wherein registration provides an identifier that corresponds to one or more of the plurality of NMCs and provides an indication that the one or more NMCs that correspond to the identifier have registered an interest in one or more network flows that are related to the new network flow; forwarding network traffic information that is associated with the one or more related network flows to the one or more NMCs that correspond to the identifier; employing the identifier, which corresponds to the NMC that was provided the new network flow, to process network traffic associated with the new network flow using the NMC that was provided the new network flow; and employing the identifier, which corresponds to another NMC, to forward the buffered network traffic information to the other NMC; and a client computer, comprising: a transceiver that communicates over the network; a memory that stores at least instructions; and one or more processors that execute instructions that perform actions, including: providing the new network flow to the NMC in the plurality of NMCs. 8. The system of claim 7 , wherein registering the new network flow with the plurality of NMCs, further comprises, assigning the one or more NMCs to monitor the new network flow, wherein the one or more NMCs correspond to the identifier. 9. The system of claim 7 , further comprising, when a provided network flow is absent from a network flow table of the NMC, classifying the provided network flow is the new network flow. 10. The system of claim 7 , wherein registering the new network flow with the plurality of NMCs, further comprises, providing the identifier based on a hashing of some or all of the tuple information that is associated with the new network flow. 11. The system of claim 7 , further comprising, storing information associated with the new network flow in a network flow table, wherein the information includes, one or more of tuple information, the identifier, or a timeout value. 12. The system of claim 7 , wherein registering the new network flow with the plurality of NMCs, further comprises, providing the identifier based on an execution of one or more defined static policies. 13. A processor readable non-transitory storage media that includes instructions for monitoring flows of packets over a network, wherein execution of the instructions by one or more processors performs actions, comprising: employing a network monitoring computer (NMC) in a plurality of NMCs, that is provided a new network flow, to perform further actions, including: buffering network traffic information associated with the new network flow in a non-transitory processor readable media; registering the new network flow with the plurality of NMCs, wherein registration provides an identifier that corresponds to one or more of the plurality of NMCs and provides an indication that the one or more NMCs that correspond to the identifier have registered an interest in one or more network flows that are related to the new network flow; forwarding network traffic information that is associated with the one or more related network flows to the one or more NMCs that correspond to the identifier; employing the identifier, which corresponds to the NMC that was provided the new network flow, to process network traffic associated with the new network flow using the NMC that was provided the new network flow; and employing the identifier, which corresponds to another NMC, to forward the buffered network traffic information to the other NMC. 14. The media of claim 13 , wherein registering the new network flow with the plurality of NMCs, further comprises, assigning the one or more NMCs to monitor the new network flow, wherein the one or more NMCs correspond to the identifier. 15. The media of claim 13 , further comprising, when a provided network flow is absent from a network flow table of the NMC, classifying the provided network flow is the new network flow. 16. The media of claim 13 , wherein registering the new network flow with the plurality of NMCs, further comprises, providing the identifier based on a hashing of some or all of the tuple information that is associated with the new network flow. 17. The media of claim 13 , further comprising, storing information associated with the new network flow in a network flow table, wherein the information includes, one or more of tuple information, the identifier, or a timeout value. 18. The media of claim 13 , wherei
Assignees
Inventors
Classifications
Parsing or analysis of headers · CPC title
Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields · CPC title
- H04L43/026Primary
using flow identification · CPC title
Electricity · mapped topic
Provisioning of proxy services (store-and-forward switching systems in data switching networks H04L12/54) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9660879B1 cover?
- Embodiments are directed to monitoring flows of packets over a network. If a network monitoring computer (NMC) in a cluster of NMCs observes a new network flow, the NMC may perform a variety of actions to determine the NMC that is responsible for monitoring the new network flow. Network traffic associated with the new network flow may be buffered in a non-transitory processor readable media. Th…
- Who is the assignee on this patent?
- Extrahop Networks Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L43/026. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue May 23 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).