Abstract: A system for network monitoring and network traffic analysis includes a plurality of network devices and a management station. Each of the plurality of network devices is associated with corresponding ones of a plurality of ports. Each of the plurality of network devices is configured to determine network traffic analysis data associated with a characteristic of network data traversing each of the plurality of ports. The management station is configured to determine a ranking of the plurality of ports based on the network traffic analysis data in response to a search request implicating the characteristic, and is configured to display the plurality of ports based on the ranking.

Abstract: A system for monitoring and visualization of network data includes a plurality of first devices and a second device coupled to the plurality of first devices over a network. Each first device is associated with corresponding ones of a plurality of ports. Each first device is configured to determine network traffic analysis information associated with a characteristic of network data traversing each of the ports, and to push the network traffic analysis information across a network independent of a solicitation from the network. The second device is configured to generate a map of the network including a visual indicator based on the network traffic analysis information, to receive an update of the network traffic analysis information from at least one of the first devices, and to refresh the visual indicator in real time to reflect the update of the network traffic analysis information.

Abstract: A system includes a first device and a second device configured to monitor a plurality of data flows traversing the second device. The second device is configured to collect statistics associated with the plurality of data flows, and includes traffic analysis logic that is configured to augment the plurality of data flows with data including statistical information based on the statistics and address information associated with the first device. The first device is configured to receive the data. The traffic analysis logic is operable to push the statistical information to the first device independently of a real-time request for at least a portion of the statistical information from the first device. The traffic analysis logic is configurable based on at least the address information.

Abstract: A system for monitoring and visualization of network data includes a plurality of first devices and a second device coupled to the plurality of first devices over a network. Each first device is associated with corresponding ones of a plurality of ports. Each first device is configured to determine network traffic analysis information associated with a characteristic of network data traversing each of the ports, and to push the network traffic analysis information across a network independent of a solicitation from the network. The second device is configured to generate a map of the network including a visual indicator based on the network traffic analysis information, to receive an update of the network traffic analysis information from at least one of the first devices, and to refresh the visual indicator in real time to reflect the update of the network traffic analysis information.

Abstract: An apparatus includes a plurality of microcode controlled state machines and a first circuit. At least one of the microcode controlled state machines is configured to process network data received by the apparatus and to apply a first rule to the network data to produce an associated output indicating a first characteristic of at least a portion of the network data. The first circuit is configured to store a first portion of the network data received by the apparatus prior to the determination of the first characteristic, and to store a second portion of the network data received by the apparatus subsequent to the determination of the first characteristic. The first circuit is also configured to preserve the first portion and the second portion of the network data in response to the determination of the first characteristic.

Abstract: A system includes a first device and a second device. The first device includes traffic analysis logic configured to process first data measured over each of a plurality of time intervals of a first time granularity to obtain second data associated with each of a plurality of time intervals of a second time granularity. The first time granularity is finer than the second time granularity. The second device is configured to receive and display the second data. The traffic analysis logic is configurable responsive to the second device to reduce a volume of the first data to obtain the second data such that an indication of a feature in the first data is maintained in the second data, where the feature would be obscured if the second data were based on an aggregate of the first data over each of the plurality of time intervals of the second time granularity.

Abstract: A system includes a first device and a second device configured to monitor a plurality of data flows traversing the second device. The second device is configured to collect statistics associated with the plurality of data flows, and includes traffic analysis logic that is configured to augment the plurality of data flows with data including statistical information based on the statistics and address information associated with the first device. The first device is configured to receive the data. The traffic analysis logic is operable to push the statistical information to the first device independently of a real-time request for at least a portion of the statistical information from the first device. The traffic analysis logic is configurable based on at least the address information.

Abstract: An apparatus includes microcode controlled state machines, data reduction logic, and push logic. At least one of the microcode controlled state machines is configured to generate first statistical data measured over time intervals of a first time granularity based on network data included in each of multiple data flows traversing the at least one of the microcode controlled state machines. The data reduction logic is configured to receive the first statistical data, and to obtain second statistical data having a volume reduced from a volume of the first statistical data based on performance of a mathematical operation on the first statistical data. The second statistical data is associated with time intervals of a second time granularity. The first time granularity is finer than the second time granularity. The push logic is configured to push the second statistical data across a network independent of a real-time request from the network.

Abstract: A system for network monitoring and network traffic analysis includes a plurality of network devices and a management station. Each of the plurality of network devices is associated with corresponding ones of a plurality of ports. Each of the plurality of network devices is configured to determine network traffic analysis data associated with a characteristic of network data traversing each of the plurality of ports. The management station is configured to determine a ranking of the plurality of ports based on the network traffic analysis data in response to a search request implicating the characteristic, and is configured to display the plurality of ports based on the ranking.

Abstract: An apparatus is described that performs prioritized matching through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, and a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that the plurality of microcode controlled state machines apply rules to the input data to determine matches and produce priority indicators, wherein each match has an associated priority indicator. At least one of the matches is selected based on the priority indicators. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features and network traffic analysis.

Abstract: An apparatus is described that performs biased and weighted sampling of network traffic to facilitate network monitoring. One embodiment of the apparatus includes a plurality of microcode controlled state machines, and a distribution circuit that routes input data to the plurality of microcode controlled state machines. A first individual microcode controlled state machine applies a first rule to the input data to determine first instructions associated with a first subset of the input data based on first sampling information associated with the first rule. A second individual microcode controlled state machine applies a second rule to the input data to determine second instructions associated with a second subset of the input data based on second sampling information associated with the second rule. The second sampling information differs from the first sampling information.

Abstract: An apparatus is described that associates categorization information with network traffic to facilitate application level processing through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, wherein at least one microcode state machine processes at least one input data field using a hash function to generate a hash identifier. This embodiment further includes a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that at least one individual microcode controlled state machine applies a rule to the input data to produce the at least one input data field, and to produce modification instructions based on the hash identifier.

Abstract: An apparatus that facilitates network security for input network traffic includes microcode controlled state machines, each of which includes a computation kernel. Rules applied to a network traffic segment are distributed across the computation kernels. At least two of the computation kernels include condition logic configured by microcode stored in an associated control store to evaluate a unique configured rule in microcode to produce modification instructions. A distribution circuit routes the network traffic segment to each of the microcode controlled state machines. A circuit generates a modification command by combining the modification instructions from each of the at least two computation kernels, and performs a modification of the input network traffic based on the modification command to produce modified output network traffic that facilitates network security.

Abstract: An embodiment of an apparatus that facilitates network security and traffic monitoring for input network traffic includes a plurality of microcode controlled state machines, each of which includes a computation kernel. A plurality of rules applied to a network traffic segment are distributed across the computation kernels. Each of the computation kernels includes condition logic configured by microcode stored in an associated control store to evaluate a unique configured rule in the microcode to produce an associated output. A distribution circuit routes the network traffic segment to each of the plurality of microcode controlled state machines. An aggregation circuit generates a decision on which forwarding of the network traffic segment is based, where the decision is a logical combination of the associated output of each of the computation kernels.

Abstract: An apparatus is described that provides security and monitoring in a networking architecture. One embodiment of the apparatus includes a physical layer interface that includes a physical layer receiver and a decoder for converting physical layer data from the physical layer receiver to data link layer information, wherein the decoder processes input data corresponding to the physical layer data based on rules conditioned on higher layer information to generate output data corresponding to the data link layer information; and a controller for provisioning the physical layer interface. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features, traffic management, and network traffic analysis.

Abstract: An apparatus is described that facilitates selective mirroring through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a port included in a set of at least one port, wherein each port in the set receives input traffic, a data processor that processes input data from the set of at least one port to generate mirrored data, based on rules with bitwise granularity across a header and a payload of the input data, and a mirror port selectable from the set of at least one port that transmits output traffic corresponding to the mirrored data. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of selective mirroring that enables flexible, advanced network security and monitoring features and network traffic analysis.

Abstract: An apparatus is described that associates categorization information with network traffic to facilitate application level processing through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, wherein at least one microcode state machine processes at least one input data field using a hash function to generate a hash identifier. This embodiment further includes a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that at least one individual microcode controlled state machine applies a rule to the input data to produce the at least one input data field, and to produce modification instructions based on the hash identifier.

Abstract: An apparatus is described that performs biased and weighted sampling of network traffic to facilitate network monitoring. One embodiment of the apparatus includes a plurality of microcode controlled state machines, and a distribution circuit that routes input data to the plurality of microcode controlled state machines. A first individual microcode controlled state machine applies a first rule to the input data to determine first instructions associated with a first subset of the input data based on first sampling information associated with the first rule. A second individual microcode controlled state machine applies a second rule to the input data to determine second instructions associated with a second subset of the input data based on second sampling information associated with the second rule. The second sampling information differs from the first sampling information.

Abstract: An apparatus is described that performs prioritized matching through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, and a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that the plurality of microcode controlled state machines apply rules to the input data to determine matches and produce priority indicators, wherein each match has an associated priority indicator. At least one of the matches is selected based on the priority indicators. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features and network traffic analysis.

Abstract: A cryptographic processor having an in-line (i.e., “bump-in-the-wire”) architecture processes data packets between a trusted domain and a untrusted domain, according to a predetermined security protocol. The cryptographic processor can be implemented as a stand-alone device, without requiring a change in the configuration of the host machine. Unlike a conventional hardware acceleration of a “bump-in-the-stack” implementation, which is typically implemented as a layer between the native IP layer and the network drivers in an IP protocol stack and uses a single bus interface (e.g., a PCI-X bus) for all data traffic, the cryptographic processor acts as a security gateway, providing separate interfaces for the trusted and the untrusted domains. The cryptographic processor includes pipeline stages for carrying a feedback encryption algorithm with optimal throughput.