Abstract: Method for monitoring network performance in a telecommunication network coupled with a plurality of Virtual Machines (VM) arranged in a cluster format is disclosed. A packet is received at a VM smart cluster device. Metadata is extracted from the packet. The packet can be distributed to one of the plurality of VMs. Key performance indicator (KPI) session related data associated with a subscriber in one of the plurality of VMs that receives the distributed packet can be generated.

Abstract: Disclosed herein is a method to determine a geolocation that includes receiving, by a processor, from a base station (BS), radio predictors, a user equipment (UE) location history, and a geolocation of a first UE for which a minimization of drive test (MDT) mode is activated, radio predictors and a UE location history of a second UE for which the MDT mode is not activated, and cell physical parameters. The method includes training, by the processor, a machine learning (ML) model at least based on the radio predictors, the UE location history, and the geolocation of the first UE, and the cell physical parameters. The method includes executing, by the processor, the ML model to determine the azimuth of the second UE and providing, by the processor, to a downstream application, a geolocation of the second UE at least based on the azimuth and the TA of the second UE.

Abstract: An illustrative embodiment disclosed herein is a non-transitory computer readable medium. The medium includes instructions for providing a mobile user monitoring solution that, when executed by a processor, cause the processor to identify a user database record associated with a user equipment (UE) using a mobile identity (ID), associate a Next Generation application protocol (NGAP) session with the user database record using an NGAP ID, capture a ciphered message associated with the NGAP session, decipher the ciphered message associated with the NGAP session, extract, from the deciphered message, session details associated with the UE, and store the session details in a session detail record.

Abstract: An illustrative embodiment disclosed herein is a non-transitory computer readable medium. In some embodiments, the medium includes instructions for providing a mobile user monitoring solution that, when executed by a processor, cause the processor to capture a first message transmitted over a packet forwarding control protocol (PFCP) interface, extract a permanent ID and a first user plane tunnel endpoint identifier (TEID) from the first message, store the permanent ID and the first user plane TEID in a PFCP protocol data unit (PDU) session record, store the permanent ID in a session details record, capture a second message transmitted over a user plane interface after the first message is transmitted, extract a second user plane TEID from the second message, wherein the second user plane TEID matches the first user plane TEID, and retrieve the session details record using the second user plane TEID.

Abstract: A method for restoring an HPACK table is disclosed. A static table is maintained. Control plane signaling data packets are collected via a probe. A dynamic table is generated from the control plane signaling data packets. An event affecting operation of the probe may be detected. A first control plane signaling data packet may be collected by the probe subsequent to detection of the event. The dynamic table may be reorganized. The reorganized dynamic table may be stored in memory.

Abstract: A system and computer-implemented method of managing botnet attacks to a computer network is provided. The system and method includes receiving a DNS request included in network traffic, each DNS request included in the network traffic and including a domain name of a target host and identifying a source address of a source host, wherein the translation of the domain name, if translated, provides an IP address to the source host that requested the translation. The domain name of the DNS request is compared to a botnet domain repository, wherein the botnet domain repository includes one or more entries, each entry having a confirmation indicator that indicates whether the entry corresponds to a confirmed botnet.

Abstract: A method and system of transmitting network traffic through a stack having at least two switches is provided. The method includes receiving encapsulated network traffic via an inbound stack port of a switch of the stack, wherein the encapsulated network traffic was encapsulated with a flow identification (flow ID), and wherein the flow ID is assigned to a particular flow and is unique across the stack. The method further includes decapsulating the encapsulated network traffic using the flow ID contingent upon the switch being configured to decapsulate using the flow ID and transmitting the decapsulated network traffic from the switch in accordance with mapping information associated with the flow ID, wherein the switch is preconfigured with the mapping information.

Abstract: Correlating captured packets with synthetic application testing is provided. A device captures packets associated with a plurality of processes that include one or more synthetic transactions and one or more transactions responsive to user input. A packet capture data set can lack process identifiers (PIDs). The device captures first finger-printing data including first PIDs and attributes associated with the plurality of processes, and second finger-printing data comprising second PIDs corresponding to the one or more synthetic transactions. The device applies a first filter generated from the second PIDs in the second finger-printing data to a first finger-printing data set, and a second filter generated from the filtered attributes of a filtered finger-printing data set to the packet capture data set. The device provides a filtered packet capture data set to manage a performance of one or more processes of the plurality of processes.

Abstract: A system and method of accessing a container environment having one or more containers is provided. The method of the disclosure includes receiving the container network namespace assigned to the container as established in a container runtime, switching from a host container network namespace to the container network namespace of the container, opening the container network interface of the container network namespace for allowing access to packets received or transmitted by the container network interface, and accessing the packets.

Abstract: An illustrative embodiment disclosed herein is a non-transitory computer readable medium. In some aspects, the non-transitory computer readable medium includes instructions for providing a mobile user monitoring solution that, when executed by a processor, cause the processor to capture a transaction transmitted over an N12 interface, extract, from the transaction, one of an expected response (XRES) or an authentication token (AUTN), a user identifier (ID), and a cipher key, capture a first message transmitted over an N1 interface, and determine that the first message is associated with the user ID and the cipher key extracted from the transaction.

Abstract: In some embodiments, a non-transitory computer readable medium is disclosed. In some embodiments, the medium includes instructions for providing a mobile user monitoring solution that, when executed by a processor, cause the processor to capture a first message transmitted over an N11 interface, extract at least one type of session ID and a first Next Generation Application Protocol (NGAP) tunnel endpoint identifier (TEID) from the first message, store the at least one type of session ID and the first NGAP TEID in a first N11 protocol data unit (PDU) session record, capture a second message transmitted over an N3 interface, extract a general packet radio service (GPRS) tunneling protocol (GTP)-user plane (U) TEID from the second message, wherein the GTP-U TEID matches the first NGAP TIED, and retrieve information associated with session details record using the GTP-U TEID.

Abstract: A method and system of configuring a stack of switches includes configuring a switch with mapping information based on a user input flow mapping that defines destination port(s) (local destination port(s) and/or remote destination port(s)) for a flow to exit the stack. The mapping information includes any local destination port(s) via which the flow can exit the stack from the switch and an outbound stack port for each of any remote destination port(s) via which the flow can be transmitted from the switch to a downstream switch. The method further includes creating a decapsulation entry having a flow ID for the flow, wherein the flow ID is assigned to the flow and is unique across the stack, and configuring the switch with access to a decapsulation algorithm configured to use the flow ID via the decapsulation entry to decapsulate encapsulated network traffic of the flow received from an upstream switch.

Abstract: In some embodiments, a non-transitory computer readable medium is disclosed. In some embodiments, the medium includes instructions for providing a mobile user monitoring solution that, when executed by a processor, cause the processor to capture a first message transmitted over an N11 interface, extract at least one type of session ID and a first Next Generation Application Protocol (NGAP) tunnel endpoint identifier (TEID) from the first message, store the at least one type of session ID and the first NGAP TEID in a first N11 protocol data unit (PDU) session record, capture a second message transmitted over an N3 interface, extract a general packet radio service (GPRS) tunneling protocol (GTP)-user plane (U) TEID from the second message, wherein the GTP-U TEID matches the first NGAP TIED, and retrieve information associated with session details record using the GTP-U TEID.

Abstract: Method for monitoring network performance in a telecommunication network coupled with a plurality of Virtual Machines (VM) arranged in a cluster format is disclosed. A packet is received at a VM smart cluster device. Metadata is extracted from the packet. The packet can be distributed to one of the plurality of VMs. Key performance indicator (KPI) session related data associated with a subscriber in one of the plurality of VMs that receives the distributed packet can be generated.

Abstract: Correlating captured packets with synthetic application testing is provided. A device captures packets associated with a plurality of processes that include one or more synthetic transactions and one or more transactions responsive to user input. A packet capture data set can lack process identifiers (PIDs). The device captures first finger-printing data including first PIDs and attributes associated with the plurality of processes, and second finger-printing data comprising second PIDs corresponding to the one or more synthetic transactions. The device applies a first filter generated from the second PIDs in the second finger-printing data to a first finger-printing data set, and a second filter generated from the filtered attributes of a filtered finger-printing data set to the packet capture data set. The device provides a filtered packet capture data set to manage a performance of one or more processes of the plurality of processes.

Abstract: A method and system of transmitting network traffic through a stack having at least two switches is provided. The method includes receiving encapsulated network traffic via an inbound stack port of a switch of the stack, wherein the encapsulated network traffic was encapsulated with a flow identification (flow ID), and wherein the flow ID is assigned to a particular flow and is unique across the stack. The method further includes decapsulating the encapsulated network traffic using the flow ID contingent upon the switch being configured to decapsulate using the flow ID and transmitting the decapsulated network traffic from the switch in accordance with mapping information associated with the flow ID, wherein the switch is preconfigured with the mapping information.

Abstract: A method and system of configuring a stack of switches includes configuring a switch with mapping information based on a user input flow mapping that defines destination port(s) (local destination port(s) and/or remote destination port(s)) for a flow to exit the stack. The mapping information includes any local destination port(s) via which the flow can exit the stack from the switch and an outbound stack port for each of any remote destination port(s) via which the flow can be transmitted from the switch to a downstream switch. The method further includes creating a decapsulation entry having a flow ID for the flow, wherein the flow ID is assigned to the flow and is unique across the stack, and configuring the switch with access to a decapsulation algorithm configured to use the flow ID via the decapsulation entry to decapsulate encapsulated network traffic of the flow received from an upstream switch.

Abstract: Decrypting synthetic transactions with beacon packets is provided. A probe receives, from a client device, a start beacon packet that identifies a test of a service provided by one or more servers. The probe establishes, responsive to receipt of the start beacon packet, a log for the test. The probe stores, in the log established responsive to the start beacon packet, data packets transmitted between the client device and the one or more servers subsequent to the start beacon packet and encrypted with a key using a security protocol. The probe receives, from the client device, key information used to decrypt the data packets of the test encrypted with the key using the security protocol. The probe provides at least one of the data packets for evaluation or decryption using the key information to determine a performance of the service.

Abstract: An illustrative embodiment disclosed herein is a non-transitory computer readable medium. In some embodiments, the medium includes instructions for providing a mobile user monitoring solution that, when executed by a processor, cause the processor to capture a first message transmitted over a packet forwarding control protocol (PFCP) interface, extract a permanent ID and a first user plane tunnel endpoint identifier (TEID) from the first message, store the permanent ID and the first user plane TEID in a PFCP protocol data unit (PDU) session record, store the permanent ID in a session details record, capture a second message transmitted over a user plane interface after the first message is transmitted, extract a second user plane TEID from the second message, wherein the second user plane TEID matches the first user plane TEID, and retrieve the session details record using the second user plane TEID.

Abstract: A system and method for monitoring one or more Mobility Management Entities (MMEs) with a plurality of scalable Virtual Machines (VM)/probes arranged in a cluster format. A ciphered packet is received from a MME at a smart cluster device/probe whereby data is aggregated from the individual clustered VMs/probes for distribution to a monitoring device. The smart cluster device/probe is preferably configured to decipher the ciphered packet received from the MME and extract metadata from the deciphered packet to identify subscriber information for the received packet. The deciphered packet is then distributed to one of the plurality of clustered probes to balance the load amongst the plurality of clustered probes. The balancing of loads is based upon prescribed load balancing criteria such that each packet received for an identified subscriber is sent to a same probe such that load balancing is performed on a per subscriber basis and/or with other state-based criteria.