Abstract: A system, method and computer program product are provided for network and network application monitoring. Accordingly, one or more media modules are each coupled to an associated network segment. In the case of network application monitoring, each media module is coupled to a network segment on which a network application is running. Each media module monitors and collects data relating to traffic on the associated network segment corresponding to the network application, wherein each media module is tailored for network analysis. An application server module is coupled to the at least one media module and receives the data and analyzes the data for helping to improve the performance of the network and/or network application.

Abstract: A system and a method are disclosed for establishing a baseline and the corresponding bands of data for alarming, etc. Historical raw data are aggregated and grouped. For example, the data may be and hourly grouped as 168 groups of data in a weekly frame. Clusters of the groups of data are then formed based on dynamic data window by analyzing statistical similarity among the 168 groups of data. Data in each cluster of groups, originated from the raw data at specific hour(s) of day on specific day(s) of week, are used as historical data to predict a baseline and the envelopes at these associated hour(s) and day(s). Generating a baseline includes determining a mapping function, which transforms data in a cluster to become normal or nearly normal. A mean and standard deviation of the transformed data are calculated. Envelopes are determined using the mean and the standard deviation. An inverse transformation function is uniquely derived.

Abstract: Critical servers are identified in a network, based upon network flow records collected from the network for a predetermined period. A plurality of rules are applied to application-server pairs based upon the collected network flow records to identify, among the application-server pairs, candidate application-server pairs that satisfy at least one of the plurality of rules during the predetermined period in excess of a predetermined number of times, in which case the application-server pair is identified as a candidate application-server pair. A global application-server list including application-server pairs identified across all of the sources is determined. A critical server list including servers corresponding to the global application-server list is generated. Various network mappings comprised of the servers in the critical server list are created, and network measures corresponding to the mappings are displayed.

Abstract: In one embodiment, a network architecture includes a plurality of application monitoring modules for monitoring network traffic data in a plurality of network segments. Network monitoring modules include a staging area that receives network traffic data from a packet capture and analysis engine and an indexing area that stores the data in meta-flow tuples with associated measures divided into time interval buckets. Index tables store dimension-based sorted pointers to the storage locations in the data buckets. HyperLock queries collect time aggregated results for measure based operators with respect to a queried dimension. For each value of the queried dimension, the time interval buckets are traversed compiling a partial result that is finally stored in a stack as the time aggregated value. The stored sorted pointers are used to determine the starting location in each bucket with respect to the next value of the queried dimension.

Abstract: Network data is stored and retrieved from a network data repository configured for rapid data access and efficient usage of storage space. The network data repository includes a plurality of flow record folders. A flow record folder includes a location index and one or more circular buffers of record tables, each circular buffer corresponding to network data collected from a particular location. Network data is aggregated with more or less detail in different flow record folders, and network data in different flow record folders is retained for varying amounts of time.

Abstract: According to one embodiment, a network architecture includes a plurality of application monitoring modules for monitoring network traffic data that store the data in meta-flow tuples with associated measures. The meta-flow tuples include a protocol dimension with a value corresponding to a leaf node in a protocol identifier array. The protocol identifier array represents a protocol tree structure based on a set of nodes with pointers to parent, sibling, and child nodes corresponding to the protocol tree. The pointers include protocol identifier values that correspond to memory offset values with respect to the array. For queried protocol dimensions, the protocol identifier array is used to traverse the protocol tree from the leaf node in the meta-flow to a matching node matching the queried protocol. If the queried protocol is found in the protocol lineage of the meta-flow, the measures for the meta-flow are used to satisfy the query.

Abstract: A system, method and computer program product are provided for calculating application verb response times. Initially, packet data is received after which the packet data is aggregated into either an existent flow, or a new flow. In use, information is collected relating to verbs associated with the flow(s). Such information relating to the verbs is then stored so that it can be used to calculate response times associated therewith.

Abstract: A system, method and computer program product are provided for filtering various voice protocols. A plurality of voice protocols is initially displayed. Next, an indication is received from a user as to the selection of the voice protocols. It is further determined as to a particular filtering mode that is currently operating. Next, the selected voice protocols are filtered in the determined filtering mode.

Abstract: A probe apparatus, method and computer program product for application monitoring are provided. A data collection module collects data from a network segment. A flow processor coupled to the data collection module classifies the collected data into a plurality of flows. A capture system coupled to the flow processor filters and buffers the collected data. A main processor processes the filtered data.

Abstract: A system, method and computer program product are provided for copying data from an asynchronous transfer mode (ATM) connection table. In use, an ATM connection table on an ATM network is monitored. During such monitoring, it is determined whether entries of the ATM connection table are active. If the entries are active, associated data is periodically transferred from the active entries of the ATM connection table to memory. Identifiers associated with the data are utilized for identification purposes. The transferred data in the memory may then be subsequently utilized with an application program.

Abstract: A segmentation and re-assembly (SAR) decode engine receives protocol data units of data from a communication channel between two computers, sequences the protocol data units, and re-assembles the data in the protocol data units into the messages exchanged by the computers. The SAR decode engine is responsible for unpacking the payloads from the protocol data units as instructed by a protocol interpreter associated with the protocol data unit, and for creating and maintaining a flow object database containing flow objects representing the data flows at each protocol layer. The SAR decode engine creates a protocol flow object for each protocol layer and logically links the protocol flow object to circuit flow objects that define two one-way circuits within the channel. The circuit flow objects linked to a protocol flow object are logical representations of the protocol data units for the next higher protocol layer.

Abstract: A system for network traffic analysis comprises a classification engine operable to parse received frames, each frame comprising a plurality of layers of protocols and each frame having a type corresponding to a highest layer protocol or network address of the frame, and to provide pre-analysis of the received frames to generate classification information on a flow-basis and on a per packet-basis, a filter processing engine operable to reduce the received frames based on a type of each frame indicated by the generated classification information to form information representing filtered frames and an analysis block operable to perform detailed analysis on layers of protocols of the filtered frames and generate objects representing the analysis.

Abstract: A system for network traffic analysis comprises a classification engine operable to parse received frames and provide pre-analysis of the received frames to generate classification information on a flow-basis and on a per packet-basis, a filter processing engine operable to reduce the received frames based on the generated classification information to form information representing filtered frames, and an analysis block operable to perform detailed analysis on contents of the filtered frames and generate objects representing the analysis, wherein the analysis performed by the analysis block is controlled by at least one component defining a particular type of analysis performed to be on a protocol.

Abstract: Primary and alternate circuits on protocol flow objects representing application protocol layers in a communications channel are linked to connect multiplexed requests and replies. Various protocol flow objects are arranged in a hierarchical flow tree data structure that corresponds to multiple protocol layers in the channel. One branch of the flow tree data structure is selected to represent a reply, and source-destination address pairs for lower layer protocol flow objects for the reply are used to identify the branch of the flow tree data structure that represents the corresponding request. In one aspect, the address pairs for network and transport layer protocol flow objects for the reply are used to identify the request branch. In a further aspect, a link layer protocol object corresponding to the link layer protocol object for the reply may be used to reduce the number of network and transport protocol flow objects examined to identify the request branch.

Abstract: A system, method and computer program product are provided for correlating request packets and reply packets during network analysis. Initially, first information is monitored associated with at least one layer of a request packet that resides above a data link control layer thereof. Further monitored is second information associated with at least one layer of a reply packet that resides above the data link control layer thereof. The request packet and the reply packet are then correlated utilizing the first information and the second information. A network is then analyzed based on the correlated request packet and reply packet.

Abstract: A segmentation and re-assembly (SAR) decode engine receives protocol data units of data from a communication channel between two computers, sequences the protocol data units, and re-assembles the data in the protocol data units into the messages exchanged by the computers. The SAR decode engine is responsible for unpacking the payloads from the protocol data units as instructed by a protocol interpreter associated with the protocol data unit, and for creating and maintaining a flow object database containing flow objects representing the data flows at each protocol layer. The SAR decode engine creates a protocol flow object for each protocol layer and logically links the protocol flow object to circuit flow objects that define two one-way circuits within the channel. The circuit flow objects linked to a protocol flow object are logical representations of the protocol data units for the next higher protocol layer.

Abstract: A system and method for identifying and analyzing active channels in an asynchronous transfer mode (ATM) network. The system and method monitor an ATM network signal channel to identify setup, connect, and release messages which permit identification of active switched virtual circuits and the service type used for that active virtual circuit's traffic. The system and method also possess the simultaneous ability to open a plurality of ATM network channels during a time period; to automatically monitor each of the plurality of open channels to identify any active channels from among the open channels; and to automatically identify the type of traffic transmitted on the open channels. By systematically identifying the active channels in the ATM network, the ATM network analysis device can further analyze the traffic on the active channels.