Abstract: A network processing system is described that is able to monitor IP network traffic, including the ability to perform trap and trace on IP communications flowing over the IP network. The network processing system is able to scan the entire contents of data packets passing through it, and to associate related data packets into discrete sessions, or flows, which allows the network processing system to search for predetermined search criteria contained within those flows. If a flow is found to contain a predetermined search criteria, the network processing system is able to maintain a record of the flow or to replicate the flow and save it or send it to another IP address for monitoring. The monitoring of a flow can include the entire contents of the flow, or any subset of information in the flow such as call identifying information.

Abstract: A system and method for allowing bidirectional network traffic to pass through a network address translation (“NAT”)/firewall device thereby allowing bidirectional traffic to flow between the private side of the NAT/firewall device and the public side of the NAT/firewall device while maintaining security between the public side and the private side is described. A network processing system on the public side of the NAT/firewall device anchors network traffic to and from the private side of the NAT/firewall device. A traversal client resides on the private side of the NAT/firewall device and has a secure connection with the network processing system. The traversal client is operable to pass signaling packets bound for a terminal on the private side of the NAT/firewall from the network processing system.

Abstract: A network processing system is described that is able to monitor IP network traffic, including the ability to perform trap and trace on IP communications flowing over the IP network. The network processing system is able to scan the entire contents of data packets passing through it, and to associate related data packets into discrete sessions, or flows, which allows the network processing system to search for predetermined search criteria contained within those flows. If a flow is found to contain a predetermined search criteria, the network processing system is able to maintain a record of the flow or to replicate the flow and save it or send it to another IP address for monitoring. The monitoring of a flow can include the entire contents of the flow, or any subset of information in the flow such as call identifying information.

Abstract: A network processing system is described that is able to bind all the network traffic related to a bi-directional communication. Unidirectional processing engines take the data from line interfaces, and associate each data packet with an identifier, which identifies the flow of which the data packet is a part. The flows examined to determine if they are part of a bi-directional communication. If the flow is part of a bi-directional communication information related to the return flow or flows is extracted and passed to the unidirectional processing engine handling the flows in the opposite direction. This processing engine then pre-allocates resources in anticipation of the return flows. The pre-allocation of resources includes creating an entry in a session memory that contains state information on the flows passing through the network processing system.

Abstract: A network device for enforcing service level agreements is described that is able to scan the contents of entire data packets including header and payload information. The network device includes memory for storing subscriber information, policies and statistics. The traffic flow scanning processor scans the header and payload information from each data packet, which is used to associate each data packet with a particular subscriber, classify the type of network traffic in the data packet and to enforce the particular policies associated with the subscriber. The traffic flow scanning processor produces a treatment for the data packet based on the scanning. The scanned data packets and the associated treatments are then passed to a quality of service processor, which modifies the data packets if necessary and enforces resource allocation according to the preprogrammed policies.

Abstract: A network processing system is described that functions as a policy gateway in order to enforce programmable network policies designed to provide quality of service in and across networks. The programmable network policies are converted into an image load file using a management interface at a remote server, and sent to the network processing system where the image is loaded into a processing engine. The network processing system includes line interfaces to take the data from the network and to send processed data back onto the network. Unidirectional processing engines take the data from the line interfaces, and associate each data packet with an identifier, which identifies the flow of which the data packet is a part. The flows are then compared to the database of programmable network policies and the processing engine determines a treatment based on the results of the comparison.

Abstract: A content processor is described that is able to scan the contents of entire data packets including header and payload information. The content processor includes a queue engine operable to reorder out of order data packets and reassemble fragmented data packets. The queue engine sends the reordered and reassembled data packets to the context engine, which schedules the packets to be scanned. The packets are scanned by the content scanning engine using one or more string memories and one or more leaf string memories. The string memories are used by the content scanning engine to determine if there is a potential match between the data packet being scanned and any of the strings contained in database of known strings. If a potential match is identified, whether or not there is an exact match is determined using the leaf string memories and the leaf string compare engine. The scanning of the data packet results in a conclusion being generated by the content scanning engine.