Abstract: A method is disclosed for high-speed processing of structured application messages in a network device. According to one aspect, a network device receives a structured application layer message and identifies, in message classification requirements at the network device, a reference to a classification portion of the structured application layer message and an operation portion of the structured application layer message. The system extracts, based on one or more expressions, a portion of the message for classifying the structured application layer message and classifies the message using the extracted portion and according to the message classification requirements. At least in part by accessing information indicated by one or more location identifiers, at least one operation is performed on the classified structured application layer message.

Abstract: A method is disclosed for high-speed processing of structured application messages in a network device. According to one aspect, a network device receives a structured application layer message and identifies, in message classification requirements at the network device, a reference to a classification portion of the structured application layer message and an operation portion of the structured application layer message. The system extracts, based on one or more expressions, a portion of the message for classifying the structured application layer message and classifies the message using the extracted portion and according to the message classification requirements. At least in part by accessing information indicated by one or more location identifiers, at least one operation is performed on the classified structured application layer message.

Abstract: A method is disclosed for high-speed processing of structured application messages in a network device. According to one aspect, a network device receives a set of message classification rules that have been prepared beforehand by a system administrator or customer. The system analyzes the message classification rules to determine what part(s) of the message are necessary to classify a message according to the message classification rules. This allows the system to consider only the relevant parts of the message and ignore the rest of the message. The system extracts the portion of the message necessary for classifying the message and classifies the message using the values of the extracted information and the message classification rules. A unique sequence of operations is implied by the message classification and those operations must then be applied to the message.

Abstract: A method is disclosed for generating a network topology representation based on inspection of application messages at a network device. According to one aspect, a network device receives a request packet, routes the packet to the destination, and extracts and stores correlation information from a copy of the request packet. When the network device receives a response packet, it examines the contents of a copy of the response packet using context-based correlation rules and matches the response packet with the appropriate stored request packet correlation information. It analyzes recorded correlation information to determine application-to-application mapping and calculate application response times. Another embodiment inserts custom headers that contain information used to match a response packet with a request packet into request packets.

Abstract: Enforcing network service level agreements in a network infrastructure element comprises receiving, at the network infrastructure element, an application-layer message comprising one or more of the packets; forwarding the application-layer message toward a destination endpoint and concurrently copying the application-layer message without disrupting the forwarding; using the copied application-layer message, discovering one or more applications or services that are using the network; using the copied application-layer message, identifying one or more network-layer condition metrics, and identifying one or more application-layer condition metrics; determining, based on the identified network-layer condition metrics and the application-layer condition metrics, whether one or more conditions of a service level agreement are violated; and in response to determining a violation, performing one or more responsive operations on one or more network elements.

Abstract: Custom or user-defined application program extensions may be loaded into a network infrastructure element such as a router or switch without restarting the device. For example, a network element has program extensibility logic operable for receiving one or more user program extensions that comprise logic operable to interface with the application program and perform message processing functions or protocol processing functions that are not in the application program; installing the one or more user program extensions without restarting the apparatus; receiving one or more packets representing an application message; selecting a particular one of the user program extensions based on a protocol associated with the message; loading the particular one of the user program extensions; executing business logic of the application program associated with the received message; and invoking a function of the particular one of the user program extensions in response to a call in the business logic.

Abstract: A network element such as a router or switch provides application-level quality of service for application-layer messages processed in the network element, using application QoS logic which when executed by the one or more processors is operable to cause receiving an application-layer message; matching one or more attributes of the application-layer message to the message classification rules; determining a message classification of the application-layer message based on the matching; selecting one of the network-level QoS values using the mapping and based on the determined message classification; and marking a network-level header of the application-layer message using the selected QoS value. As a result, attributes of application messages at OSI Layer 5, 6, or 7 can be used to determine how to mark packets of the messages with QoS values at OSI Layer 2, 3 or 4, integrating application-level concepts of order and priority into network-layer QoS mechanisms.

Abstract: A method is disclosed for protecting a network against a denial-of-service attack by inspecting application layer messages at a network element. According to one aspect, when a network element intercepts data packets that contain an application layer message, the network element constructs the message from the payload portions of the packets. The network element determines whether the message satisfies specified criteria. The criteria may indicate characteristics of messages that are suspected to be involved in a denial-of-service attack, for example. If the message satisfies the specified criteria, then the network element prevents the data packets that contain the message from being received by the application for which the message was intended. The network element may accomplish this by dropping the packets, for example. As a result, the application's host does not waste processing resources on messages whose only purpose might be to deluge and overwhelm the application.

Abstract: A method is disclosed for application layer message-based network element management of server failures. According to one aspect, a network element such as a router intercepts session state information that is contained in a request from a client and locally stores the session state information. As a result, application servers to which the requests are directed do not need to store the session state information. If an application server fails, then the network element can use the session state information stored at the network element to continue the session with another application server, transparently to the client application that is involved in the session.

Abstract: A method is disclosed for interpreting an application message at a network element using sampling and heuristics. Using this method, a network element such as a router can determine, based solely on a data packet's packet headers, whether the network element ought to invest the time and processing power required to inspect and interpret the data packet's payload portion, or whether the network element can send the data packet toward the data packet's destination without inspecting and interpreting the data packet's payload portion. According to one aspect, while in a sampling state, the network element determines shared packet header characteristics possessed by packet headers of all data packets that require application layer message inspection. While in a processing state, the network element forgoes application layer message inspection relative to data packets whose packet headers do not possess the shared packet header characteristics. The network element alternates between the states.

Abstract: A method is disclosed for performing message and transformation adapter functions in a network element on behalf of an application. According to one aspect, the network element determines an application layer message that is collectively contained in payload portions of data packets. The application layer message conforms to an application layer protocol, such as Hypertext Transfer Protocol (HTTP). The network element determines the application layer protocol to which the application layer message conforms. Based on the application layer protocol, an adapter is selected from among a plurality of adapters that are accessible to the network element. The application layer message is provided to the selected adapter, which converts the application layer message into a “canonical” message that is not specific to any particular application layer protocol.

Abstract: Enforcing network service level agreements in a network infrastructure element comprises receiving, at the network infrastructure element, an application-layer message comprising one or more of the packets; forwarding the application-layer message toward a destination endpoint and concurrently copying the application-layer message without disrupting the forwarding; using the copied application-layer message, discovering one or more applications or services that are using the network; using the copied application-layer message, identifying one or more network-layer condition metrics, and identifying one or more application-layer condition metrics; determining, based on the identified network-layer condition metrics and the application-layer condition metrics, whether one or more conditions of a service level agreement are violated; and in response to determining a violation, performing one or more responsive operations on one or more network elements.

Abstract: A network element such as a router or switch provides application-level quality of service for application-layer messages processed in the network element, using application QoS logic which when executed by the one or more processors is operable to cause receiving an application-layer message; matching one or more attributes of the application-layer message to the message classification rules; determining a message classification of the application-layer message based on the matching; selecting one of the network-level QoS values using the mapping and based on the determined message classification; and marking a network-level header of the application-layer message using the selected QoS value. As a result, attributes of application messages at OSI Layer 5, 6, or 7 can be used to determine how to mark packets of the messages with QoS values at OSI Layer 2, 3 or 4, integrating application-level concepts of order and priority into network-layer QoS mechanisms.

Abstract: Custom or user-defined application program extensions may be loaded into a network infrastructure element such as a router or switch without restarting the device. For example, a network element has program extensibility logic operable for receiving one or more user program extensions that comprise logic operable to interface with the application program and perform message processing functions or protocol processing functions that are not in the application program; installing the one or more user program extensions without restarting the apparatus; receiving one or more packets representing an application message; selecting a particular one of the user program extensions based on a protocol associated with the message; loading the particular one of the user program extensions; executing business logic of the application program associated with the received message; and invoking a function of the particular one of the user program extensions in response to a call in the business logic.

Abstract: A method is disclosed for application layer message-based network element management of server failures. According to one aspect, a network element such as a router intercepts session state information that is contained in a request from a client and locally stores the session state information. As a result, application servers to which the requests are directed do not need to store the session state information. If an application server fails, then the network element can use the session state information stored at the network element to continue the session with another application server, transparently to the client application that is involved in the session.

Abstract: A method is disclosed for interpreting an application message at a network element using sampling and heuristics. Using this method, a network element such as a router can determine, based solely on a data packet's packet headers, whether the network element ought to invest the time and processing power required to inspect and interpret the data packet's payload portion, or whether the network element can send the data packet toward the data packet's destination without inspecting and interpreting the data packet's payload portion. According to one aspect, while in a sampling state, the network element determines shared packet header characteristics possessed by packet headers of all data packets that require application layer message inspection. While in a processing state, the network element forgoes application layer message inspection relative to data packets whose packet headers do not possess the shared packet header characteristics. The network element alternates between the states.

Abstract: A method is disclosed for high-speed processing of structured application messages in a network device. According to one aspect, a network device receives a set of message classification rules that have been prepared beforehand by a system administrator or customer. The system analyzes the message classification rules to determine what part(s) of the message are necessary to classify a message according to the message classification rules. This allows the system to consider only the relevant parts of the message and ignore the rest of the message. The system extracts the portion of the message necessary for classifying the message and classifies the message using the values of the extracted information and the message classification rules. A unique sequence of operations is implied by the message classification and those operations must then be applied to the message.

Abstract: A method is disclosed for generating a network topology representation based on inspection of application messages at a network device. According to one aspect, a network device receives a request packet, routes the packet to the destination, and extracts and stores correlation information from a copy of the request packet. When the network device receives a response packet, it examines the contents of a copy of the response packet using context-based correlation rules and matches the response packet with the appropriate stored request packet correlation information. It analyzes recorded correlation information to determine application-to-application mapping and calculate application response times. Another embodiment inserts custom headers that contain information used to match a response packet with a request packet into request packets.

Abstract: A method is disclosed for protecting a network against a denial-of-service attack by inspecting application layer messages at a network element. According to one aspect, when a network element intercepts data packets that contain an application layer message, the network element constructs the message from the payload portions of the packets. The network element determines whether the message satisfies specified criteria. The criteria may indicate characteristics of messages that are suspected to be involved in a denial-of-service attack, for example. If the message satisfies the specified criteria, then the network element prevents the data packets that contain the message from being received by the application for which the message was intended. The network element may accomplish this by dropping the packets, for example. As a result, the application's host does not waste processing resources on messages whose only purpose might be to deluge and overwhelm the application.

Abstract: A method is disclosed for performing message and transformation adapter functions in a network element on behalf of an application. According to one aspect, the network element determines an application layer message that is collectively contained in payload portions of data packets. The application layer message conforms to an application layer protocol, such as Hypertext Transfer Protocol (HTTP). The network element determines the application layer protocol to which the application layer message conforms. Based on the application layer protocol, an adapter is selected from among a plurality of adapters that are accessible to the network element. The application layer message is provided to the selected adapter, which converts the application layer message into a “canonical” message that is not specific to any particular application layer protocol.