Abstract: Systems and methods provide concurrent security processing for multiple network security tools. An input packet is received at a network packet forwarding system from a network packet source, and the network packet forwarding system concurrently sends an output packet based upon the input packet to multiple security tools. Return packets are received based upon the output packet from the security tools after their respective security processing. Once return packets are received from each of the security tools, the network packet forwarding system forwards a secure packet to a packet destination. If a timeout occurs before all return packets are received, the network packet forwarding system can assume that the original packet was unsafe and discard information stored for the input packet. If security tools are configured to modify packets, these modifications can also be tracked.

Abstract: Latency-based timeouts are used for concurrent security processing by multiple in-line network security tools. A network system forwards secure network packets to the tools and uses latency-based timeouts with respect to the return of processed packets from the tools. Initially, the network system measures processing latencies for the tools and sets at least one timeout threshold based upon the processing latencies. The network system then receives an input packet from a network source, generates a timestamp, concurrently sends an output packet to the tools based upon the input packet, tracks return packets from the tools, and determines whether a timeout has occurred with respect to the timeout threshold based upon a difference between the timestamp and a current timestamp. If a timeout does not occur, a secure packet is forwarded to a network destination. If a timeout does occur, return packet tracking for the input packet is ended.

Abstract: Latency-based timeouts are used for concurrent security processing by multiple in-line network security tools. A network system forwards secure network packets to the tools and uses latency-based timeouts with respect to the return of processed packets from the tools. Initially, the network system measures processing latencies for the tools and sets at least one timeout threshold based upon the processing latencies. The network system then receives an input packet from a network source, generates a timestamp, concurrently sends an output packet to the tools based upon the input packet, tracks return packets from the tools, and determines whether a timeout has occurred with respect to the timeout threshold based upon a difference between the timestamp and a current timestamp. If a timeout does not occur, a secure packet is forwarded to a network destination. If a timeout does occur, return packet tracking for the input packet is ended.

Abstract: Systems and methods provide concurrent security processing for multiple network security tools. An input packet is received at a network packet forwarding system from a network packet source, and the network packet forwarding system concurrently sends an output packet based upon the input packet to multiple security tools. Return packets are received based upon the output packet from the security tools after their respective security processing. Once return packets are received from each of the security tools, the network packet forwarding system forwards a secure packet to a packet destination. If a timeout occurs before all return packets are received, the network packet forwarding system can assume that the original packet was unsafe and discard information stored for the input packet. If security tools are configured to modify packets, these modifications can also be tracked.

Abstract: Signature-based latency extraction systems and related methods are disclosed for network packet communications. Disclosed embodiments generate packet signatures (e.g., hash values) for packets received with respect to points within a network packet communication system. For each received packet, its packet signature is compared to packet signatures stored for previously received packets. If no match is found, the packet signature and a timestamp associated with the newly received packet are stored within one or more packet data tables. If a match is found, then the difference between the timestamp associated with the newly received packet and a timestamp stored with the matching packet signature are used to determine a latency value. The latency values can then be used to determine a variety of latency-related parameters for the network infrastructure being measured, and classification information can also be used to generate latency-related histograms. A variety of embodiments can be implemented.

Abstract: Traffic differentiator systems for network devices and related methods are disclosed that determine difference packets from multiple packet streams. Some embodiments are configured to receive two streams of packets with one stream being a processed version of another stream and then to determine difference packets within a lookup time window that is, for example, associated with a processing time for the second stream to be a processed version of the first stream. Difference packets within a lookup time window can also be determined for packets received within a single combined stream of packets. Difference packets and/or related statistical information is then output for additional processing, as desired. The streams of packets can be associated with ingress and egress packets for a network device, and the difference packets and related statistical information can be used to determine packets that are removed, added, and/or modified by the network device.

Abstract: Signature-based latency extraction systems and related methods are disclosed for network packet communications. Disclosed embodiments generate packet signatures (e.g., hash values) for packets received with respect to points within a network packet communication system. For each received packet, its packet signature is compared to packet signatures stored for previously received packets. If no match is found, the packet signature and a timestamp associated with the newly received packet are stored within one or more packet data tables. If a match is found, then the difference between the timestamp associated with the newly received packet and a timestamp stored with the matching packet signature are used to determine a latency value. The latency values can then be used to determine a variety of latency-related parameters for the network infrastructure being measured, and classification information can also be used to generate latency-related histograms. A variety of embodiments can be implemented.

Abstract: Unified mapping tables with source/destination labels for packet forwarding systems are disclosed. In certain embodiments, local source/destination records are stored, and information from these local source/destination records are exchanged. Source/destination records from different packet forwarding systems are then combined to form unified mapping tables. Source records include general labels, descriptions of packet sources, and packet parameters to identify the source packets. Destination records include general labels, descriptions of packet destinations, and packet parameters to identify the packet destinations. The general source/destination labels are human-readable generalized descriptors that allow users/administrators of packet forwarding systems to more easily configure and define filters that determine how packets are forwarded by the packet forwarding systems.

Abstract: Traffic differentiator systems for network devices and related methods are disclosed that determine difference packets from multiple packet streams. Some embodiments are configured to receive two streams of packets with one stream being a processed version of another stream and then to determine difference packets within a lookup time window that is, for example, associated with a processing time for the second stream to be a processed version of the first stream. Difference packets within a lookup time window can also be determined for packets received within a single combined stream of packets. Difference packets and/or related statistical information is then output for additional processing, as desired. The streams of packets can be associated with ingress and egress packets for a network device, and the difference packets and related statistical information can be used to determine packets that are removed, added, and/or modified by the network device.