Abstract: Described are data structures, and methodology for forming same, for network protocol processing. A method for creating data structures for firewalling and network address translating is described. A method for creating data structures for physical layer addressing is described. A method for security protocol support using a data structure is described. A method for creating at least one data structure sized responsive to whether a firewall is activated is described. A data structure for routing packets is described. A method of forming hashing table chains is described. Additionally, method and apparatus for tracking packet states is described. More particularly, Transmission Control Protocol (“TCP”) tracking of states for packets is described. In an embodiment, a division between software states and hardware states is made as a packet is processed by both software and hardware. Additionally, method and apparatus for network protocol processing are described.

Abstract: A method of setting up a delegated connection for processing by an offload unit is described. The method comprises establishing a TCP connection and determining whether or not to delegate the TCP connection for processing by the offload unit, producing a delegated connection, and setting up the delegated connection by creating a delegated connection table entry. When frames are received on the delegated connection by the offload unit, the offload unit determines if user buffers are available. When user buffers are available, the offload unit uploads payload data to the user buffers. When user buffers are not available, the offload unit uploads a portion of the payload data to a buffer allocated in Operating System memory space.

Abstract: A method and apparatus for processing data received and transmitted on a TCP connection is described. An offload unit processes received data for which a special case does not exist, to produce payload data, which is uploaded directly to application memory. The offload unit partially processes received data for which a special case does exist and uploads the partially processed received data to a buffer stored in system memory. The partially processed received data is then further processed by a TCP stack to produce payload data, which is copied to application memory.

Abstract: A method and apparatus for editing outbound frames and generating acknowledgements for a TCP connection is described. Acknowledgements are automatically generated and included in outbound frames during data transmissions with minimal processor intervention.

Abstract: A system and methods of uploading payload data to user buffers in system memory and of uploading partially processed frame data to legacy buffers allocated in Operating System memory space are described. User buffers are stored in a portion of system memory allocated to an application program, therefore data stored in user buffers does not need to be copied from another portion of system memory to the portion of system memory allocated to the application program. When partially processed frame data is uploaded by hardware to a legacy buffer in system memory, a tag, uniquely identifying the legacy buffer location is transferred by the hardware to a TCP stack, enabling the TCP stack to locate the legacy buffer.

Abstract: A method and apparatus for transmitting commands between a TCP stack and an offload unit and for communicating receive and transmit data buffer locations is described. A command ring buffer stored in system memory is used to transmit commands from the TCP stack to the offload unit and to transmit command status from the offload unit to the TCP stack. A notification ring buffer is used to transmit connection information from the offload unit to the TCP stack. Other ring buffers are used to transmit locations of transmit buffers or receive buffers stored in system memory from the TCP stack to the offload unit.

Abstract: A method and apparatus for storing and accessing connection information is described. A delegated connection table stores an entry for each connection delegated by a TCP stack for processing by an offload unit. A portion of the delegated connection table storing receive buffer information is accessed by the TCP stack without disrupting receive or transmit traffic. The offload unit offloads some TCP processing from a host processor and processes data received on connections not stored in the delegated connection table while accepting incoming data.

Abstract: A method for selecting a network interface card (NIC) to be used to send an outgoing data packet from a server computer system having a plurality of NICs coupled thereto. The outgoing data packet is addressed using an Internet Protocol (IP) address and a Transmission Control Protocol (TCP) port number. A load balancing scheme is executed in order to select a NIC from the plurality of NICs. In one embodiment, the load balancing scheme is a function of the IP address; in alternate embodiments, the load balancing scheme is a function of the IP address and either the destination or source TCP port number. The media access control (MAC) address that represents the selected NIC is inserted in the outgoing data packet. The data packet is then sent using the selected NIC.

Abstract: A method for load balancing incoming data packets in a server computer system adapted to have a plurality of network interface cards coupled thereto and communicatively coupled to client computer systems in a network. A first media access control (MAC) address for a first NIC is selected using a load balancing scheme. A first directed data packet containing the first MAC address and a network address for the server computer system is sent to a first client computer system. The first MAC address and the network address are stored in a protocol cache of the first client computer system. A second MAC address for a second NIC is also selected using the load balancing scheme. A second directed packet containing the second MAC address and the network address is sent to a second client computer system. The second MAC address and the network address are stored in a protocol cache of the second client computer system.

Abstract: A method and system for detecting a non-functioning network interface card (NIC) in a server computer system adapted to have a plurality of network interface cards coupled thereto and communicatively coupled to client computer systems in a network. A directed packet is sent from a first NIC to a second NIC, and a direct packet is also sent from the second NIC to the first NIC. The server computer system monitors the NICs to determine whether the directed packet from the first NIC is received by the second NIC. The server computer system also monitors the first NIC to determine whether the directed packet from the second NIC is received by the first NIC. The server computer system determines whether the first NIC is functioning using the results from the monitoring. When the first NIC is determined to be non-functioning, the functions of the first NIC are automatically switched from the first NIC to one of the plurality of NICs.

Abstract: Secure wiretap support for Internet Protocol security. Specifically, one embodiment of the present invention includes a system for allowing controlled access to a networked communication. The system comprises an intermediate device that includes memory. The memory of the intermediate device is for storing a policy rule therein. The intermediate device is adapted to download the policy rules governing access to a desired location. The system further comprises a client which is coupled to the intermediate device. The client is adapted to receive the policy rule when the intermediate device downloads it to the client. As such, any communication data intended to travel between a first destination and the client is forwarded to a second destination. Therefore, the present invention provides a method and system for providing law enforcement agencies the ability to wiretap specific encrypted communications.