A method of automatic and dynamic environment discovery and policy adaptation for a containerized environment is disclosed. A plurality of traffic monitoring policies for acquiring and monitoring data traffic transmitted between one or more components of a containerized environment are accessed. The containerized environment includes a plurality of software-implemented containers. The traffic monitoring policies are caused to be applied to one or more components in the containerized environment. A change to a configuration of the containerized environment is automatically detected. In response, one or more containers of the plurality of software-implemented containers are automatically identified as containers affected by the change. Based on that identification, a modification of a traffic monitoring policy is then automatically determined to produce a modified traffic monitoring policy, and the modified traffic monitoring policy is caused to be applied to one or more components in the containerized environment.
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
2. Flow-level deduplication of network traffic in a network traffic visibility system
A system and method for flow-level deduplication of network traffic are disclosed. A network node receives a first plurality of packets from a first network endpoint. The first plurality of packets represent a flow of data being communicated between the first network endpoint and a second network endpoint. The network node further receives a second plurality of packets from the second network endpoint. The network node identifies a sequence identifier of each packet of the first and second pluralities of packets. The network node determines that the first and second pluralities of packets are all associated with the same flow, based on the sequence identifiers of the first and second pluralities of packets. In response to that determination, the network node deduplicates the flow by discarding the first plurality of packets or the second plurality of packets. The network node may be a traffic visibility node.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
The present disclosure provides novel nucleic acid-guided nucleases and methods of using the nucleases for genome editing. The present disclosure further provides a system for editing a target region in a genome comprising a nucleic acid-guided nuclease, a heterologous guide nucleic acid for complexing with the nucleic acid-guided nuclease, and an editing polynucleotide configured to bind to the target region.
A method of providing clear text representing encrypted data to an entity that does not support an encryption/decryption protocol used to encrypt/decrypt the data is disclosed. A call to an encryption/decryption function implemented in a worker node is detected, wherein the call is to trigger encryption or decryption of a packet. In response to detecting the call, a clear text payload of the packet is captured from an entry point or an exit point of the encryption/decryption function. A modified packet is then created based on the captured clear text payload, including synthesizing a plurality of headers for the modified packet and appending the plurality of headers to the clear text payload. The modified packet is then sent to a processing entity that is external to the worker node.
A network appliance receives a communication from a client device that includes a request to establish a network connection to a server. Prior to initiating a network connection between the network appliance and the server, the network appliance accesses a server certificate associated with the server. In response to a determination not to decrypt data transmitted between the client device and the server, the network appliance establishes a single connection between the network appliance and the server. The network appliance transmits encrypted data between the client device and the server only over the single connection.
8. Engineered enveloped vectors and methods of use thereof
The present disclosure relates to a novel, engineered enveloped vector that can be used for gene delivery. The engineered enveloped vector comprises an engineered envelope comprising: (a) a viral envelope protein and optionally, (b) a non-viral membrane-bound protein. The present disclosure also provides a method of making and using the engineered enveloped vector.
Introduced here are network visibility appliances capable of implementing a distributed deduplication scheme by routing traffic amongst multiple instances of a deduplication program. Data traffic can be forwarded to a pool of multiple network visibility appliances that collectively ensure no duplicate copies of data packets exist in the data traffic. The network visibility appliances can route the traffic to different instances of the deduplication program so that duplicate copies of a data packet are guaranteed to arrive at the same instance of the deduplication program, regardless of which network visibility appliance(s) initially received the duplicate copies of the data packet.
A visibility platform can be used to monitor traffic traversing private cloud infrastructures and/or public cloud infrastructures. In some instances, the traffic is provided to a set of network services that are accessible to the visibility platform. These network services can be provisioned in a serial or parallel fashion. Network service chaining can be used to ensure that traffic streams skip unnecessary network services and receive only those network services that are needed. For example, an email service chain can include virus, spam, and phishing detection, while a video streaming service chain can include traffic shaping policies to satisfy quality of service (QoS) guarantees. When the visibility platform is represented as a graph that makes use of action sets, network service chains can be readily created or destroyed on demand.
H04L 41/12 - Discovery or management of network topologies
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 43/022 - Capturing of monitoring data by sampling
H04L 43/028 - Capturing of monitoring data by filtering
H04L 43/062 - Generation of reports related to network traffic
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods & Services
Downloadable and recorded software used to intercept transmitted and received network packets prior to encryption and after decryption to allow for inspection and analysis of the data in the network packets. Providing temporary use of non-downloadable software used to intercept transmitted and received network packets prior to encryption and after decryption to allow for inspection and analysis of the data in the network packets.
13. One-armed inline decryption/encryption proxy operating in transparent bridge mode
A proxy device coupled to a network receives communications between a client and a server on the network. The proxy device operates transparently to the client and the server, while coupled to receive and process the communications from a node on the network via a network port in a one-armed configuration. The proxy device communicates packets of the communications with an external tool coupled to the proxy device via a tool port and operates transparently to the node and the tool. In certain embodiments, the tool may be a network security device, such as a firewall.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
A network appliance receives a communication from a client device that includes a request to establish a network connection to a server. Prior to initiating a network connection between the network appliance and the server, the network appliance accesses a server certificate issued by the server. In response to a determination, based on application of a policy to the server certificate, not to decrypt data transmitted between the client device and the server, the network appliance establishes only a single connection between the network appliance and the server. The network appliance transmits encrypted data between the client device and the server over the single connection.
Systems and methods are disclosed for analyzing traffic received at a network visibility node to determine traffic levels relative to capacity at tools communicatively coupled to the network visibility node and throttling traffic when the traffic levels exceed tool capacity. In an illustrative embodiment, streams received at a network visibility node are analyzed to predict a traffic level for a given traffic flow. The predicted level of traffic for a given traffic flow is used to decide whether to forward traffic associated with the given traffic flow to a tool port of the network visibility node that is communicatively coupled to an external tool.
At least one technique for distributing traffic from a visibility node to a network tool is disclosed. In certain embodiments, the visibility node has a tool port through which to receive a plurality of packets which each include a compressed header. The visibility node determines, for each packet, whether a given network tool has received the compressed header in decompressed format based on a header-to-tool mapping structure. The structure includes information indicative of which packet headers each of the plurality of network tools have received in decompressed format. If the visibility node determines that the tool previously received the decompressed header, the visibility node transmits the packet to the network tool in compressed format. If the visibility node determines that the tool has not previously received the decompressed header, the visibility node decompresses the compressed header prior to transmitting the packet to the given network tool.
Provided herein are compositions comprising recombinant mammalian cells that express recombinant T cell receptors with specificity against gp100 peptide:MHC antigens. Also provided are therapeutic methods of using the recombinant mammalian cells as cell therapies against melanoma tumors.
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods & Services
Downloadable computer software and computer hardware for test access point and terminal access point for computer network and application monitoring, visibility, analytics, and security. Providing temporary use of non-downloadable computer software for test access point and terminal access point computer network and application monitoring, visibility, analytics, and security.
22. Optimal control of network traffic visibility resources and distributed traffic processing resource control system
A method of optimizing network traffic visibility resources comprises receiving, by a controller associated with a network traffic visibility system, information indicative of operation of the network traffic visibility system. The method further comprises facilitating, by the controller, control of resources in the network traffic visibility system, according to a configured resource control policy. The facilitating can include providing, by the controller, control signaling to cause maximization of network traffic monitoring fidelity for a plurality of Quality of Service (QoS) classes of network traffic, based on a specified fixed amount of one or more network resources associated with the network traffic visibility system. Alternatively or additionally, the facilitating can include providing, by the controller, control signaling to cause minimization of use of the one or more network resources, based on a specified fixed level of traffic monitoring fidelity associated with the plurality of QoS classes.
Provided herein are compositions comprising recombinant mammalian cells that express recombinant T cell receptors with specificity against EBV or CMV peptide:MHC antigens. Also provided are therapeutic methods of using the recombinant mammalian cells as cell therapies against viral infections.
C40B 30/04 - Methods of screening libraries by measuring the ability to specifically bind a target molecule, e.g. antibody-antigen binding, receptor-ligand binding
C12N 15/10 - Processes for the isolation, preparation or purification of DNA or RNA
Introduced here are visibility platforms able to process the traffic handled by the gateways of an Evolved Packet Core (EPC) with Control and User Plane Separation (CUPS). A visibility platform can include a control processing node (CPN) and one or more user processing nodes (UPNs). The visibility platform may populate a data structure in which the CPN and UPNs are associated with locations along an interface on which Sx/N4 traffic is exchanged between the control and user planes. Each location may be representative of the point on the Sx/N4 interface at which Sx/N4 traffic processed by the corresponding node is acquired. The CPN can use the data structure to program session flows that impact how user traffic is handled by the UPNs.
With exponential growth in virtualized traffic within physical data centers, many end users (e.g., individuals and enterprises) have begun moving work processes and data to cloud computing platforms. A visibility platform can be used to monitor virtualized traffic traversing a cloud computing platform, such as Amazon Web Services, VMware, or OpenStack. But it can be difficult to manage how the visibility platform handles incoming virtualized traffic. Introduced here, therefore, are graphs that visually represent the network fabric of a visibility platform. When the network fabric of the visibility platform is represented as a graph, an end user can easily modify the network fabric, for example, by adding, removing, or modifying nodes that represent network objects, adding, removing, or modifying connections between pairs of nodes that represent traffic flows between pairs of network objects, etc.
H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
H04L 41/046 - Network management architectures or arrangements comprising network management agents or mobile agents therefor
H04L 41/12 - Discovery or management of network topologies
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 43/022 - Capturing of monitoring data by sampling
H04L 43/028 - Capturing of monitoring data by filtering
H04L 43/062 - Generation of reports related to network traffic
Disclosed is a technique for providing packet filter maps with high branching factors in a system for managing network traffic in a visibility fabric. A high branching factor enables a map to branch out more than two ways. High branching factors can be realized by allowing a map to be affiliated with more than one action set. For example, each rule of the map may be affiliated with a unique action set that is executed only when the corresponding rule is satisfied.
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
H04L 43/022 - Capturing of monitoring data by sampling
H04L 41/12 - Discovery or management of network topologies
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 43/028 - Capturing of monitoring data by filtering
H04L 43/062 - Generation of reports related to network traffic
A method of operating a network visibility node is disclosed. In certain embodiments, the network visibility node has a plurality of network ports through which to communicate data with a plurality of network hosts and has a plurality of tool ports through which to communicate data with a plurality of network tools. The network visibility node accesses a port group map associated with a plurality of tool port groups of the network visibility node, where each of the tool port groups includes one or more tool ports of the network visibility node, and where the port group map contains a separate tool alias for each tool port group of the plurality of tool port groups. Each tool alias can correspond to a different type of network traffic. The network visibility node uses the port group map to ascertain a tool port group through which to communicate the plurality of packets with a particular network tool.
Introduced here are network visibility platforms having total processing capacity that can be dynamically varied in response to determining how much network traffic is currently under consideration. A visibility platform can include one or more network appliances, each of which includes at least one instance of an application configured to process data packets. Rather than forward all traffic to a single application instance for processing, the traffic can instead be distributed amongst a pool of application instances to collectively ensure that no data packets are dropped due to over-congestion. Moreover, the visibility platform can be designed such that application instances are elastically added/removed, as necessary, based on the volume of traffic currently under consideration.
With exponential growth in virtualized traffic within physical data centers, many end users (e.g., individuals and enterprises) have begun moving work processes and data to cloud computing platforms. However, accessing virtualized traffic traversing the cloud computing platforms for application, network, and security analysis is a challenge. Introduced here, therefore, are visibility platforms for monitoring virtualized traffic traversing a cloud computing platform, such as Amazon Web Services, VMware, and OpenStack. A visibility platform can be integrated into a cloud computing platform to provide a coherent view of virtualized traffic in motion across the cloud computing platform for a given end user. Said another way, a visibility platform can intelligently select, filter, and forward virtualized traffic belonging to an end user to a monitoring infrastructure, thereby eliminating traffic blind spots.
An apparatus for a network includes: a processing unit having a filter generation module configured for: receiving an indication that a packet matches a user-defined filter; and creating one or more derivative filters based at least in part on the received indication, wherein a first derivative filter of the one or more derivative filters provides a finer grade of filtration compared to the user-defined filter; and a non-transitory medium configured for storing the one or more derivative filters.
A network visibility appliance automatically and dynamically determines a data traffic sampling policy that it should apply, i.e., a policy for determining which flows the network appliance should forward to one or more tools. The technique can be used to adjust for changes in network traffic to avoid exceeding performance constraints (e.g., maximum throughput) of network analytic tools, while maintaining high efficiency of usage of the tools. In the technique, a policy engine monitors network traffic characteristics in a subscriber throughput table and dynamically determines a sampling policy to apply, so as to decrease and/or increase traffic throughput to a given tool, so that the tool is efficiently used.
A network appliance stores a session identifier that uniquely identifies a network communication session between a first device and the network appliance. A first communication is received from the first device over the network communication session. The network appliance also receives from a proxy tool, a second communication that includes a header specifying the session identifier and that includes data generated by the proxy in response to the first communication. The network appliance associates the first communication with the second communication using the session identifier. An encrypted representation of the data generated by the proxy is transmitted to a second device based on the association between the first communication and the second communication.
A network appliance receives a communication from a client device that includes a request to establish a network connection to a server. The network appliance establishes, in response to the communication, a single connection between the network appliance and the server based on application of a policy that causes the network appliance to determine not to decrypt data transmitted between the client device and the server. The network appliance transmits encrypted data between the client device and the server over the single connection.
Disclosed are a method and apparatus for assisting in the physical wiring or debugging of connections between devices, which may include one or more network visibility appliances. In at least one embodiment, the computer system receives first user input that specifies a first port of a plurality of selectable physical ports or a connection between the first port and a second port of the plurality of selectable physical ports. At least one of the first port or the second port is on a device that is external to the computer system. In response to the first user input, the computer system sends a first signal to the device to trigger the device to output a first visual indication in proximity to the first port, the first visual indication identifying the first port and a status of at least one of the first port or the connection.
Introduced here are network visibility platforms having total processing capacity that can be dynamically varied in response to determining how much network traffic is currently under consideration. A visibility platform can include one or more network appliances, each of which includes at least one instance of an application configured to process data packets. Rather than forward all traffic to a single application instance for processing, the traffic can instead be distributed amongst a pool of application instances to collectively ensure that no data packets are dropped due to over-congestion. Moreover, the visibility platform can be designed such that application instances are elastically added/removed, as necessary, based on the volume of traffic currently under consideration.
A method for providing user access to a network switch appliance includes: receiving from a user a request to access a configuration item for the network switch appliance, the network switch appliance being configured to pass packets received from a network to network monitoring instruments; and determining, using a processing unit, whether to allow the user to access the configuration item for the network switch appliance based on information regarding the user.
Improved network visibility may be achieved by deriving network traffic information from numerous visibility platforms that are communicatively coupled to one another. In some embodiments, an end user interacts with a distributed visibility fabric via a user interface, which can include a high-level representation of each visibility platform. The end user can then map the network objects of each visibility platform onto a series of network visibility appliances. This technique allows certain network objects (e.g., maps) to be intelligently distributed amongst the series of network visibility appliances.
Introduced here are network visibility appliances capable of implementing a distributed deduplication scheme by routing traffic amongst multiple instances of a deduplication program. Data traffic can be forwarded to a pool of multiple network visibility appliances that collectively ensure no duplicate copies of data packets exist in the data traffic. The network visibility appliances can route the traffic to different instances of the deduplication program so that duplicate copies of a data packet are guaranteed to arrive at the same instance of the deduplication program, regardless of which network visibility appliance(s) initially received the duplicate copies of the data packet.
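The following is an added example, not code from the patent above or from any vendor's product: a small Python model of the routing property this abstract describes. Duplicate copies of one packet, tapped at different points and received by different appliances, must land on the same instance of the deduplication program. The model achieves that with a direction-independent flow key hashed to an instance index; the per-copy signature used inside the instance, the four-instance pool and the sample packets are constructed assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    seq: int  # transport sequence number, part of the per-copy signature (assumed)


def canonical_flow_key(pkt):
    """Direction-independent flow key. Copies of one packet tapped at different
    points, and packets of both directions of the conversation, produce the
    same key, so they are routed to the same deduplication instance."""
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    lo, hi = sorted([a, b])
    return (lo, hi, pkt.proto)


def choose_instance(key, n_instances):
    """Stable key -> instance mapping; every appliance computes the same answer
    for the same key without coordinating with the others."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_instances


class DedupInstance:
    """One instance of the deduplication program."""

    def __init__(self):
        self.seen = set()
        self.forwarded = []
        self.dropped = 0

    def ingest(self, pkt):
        sig = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto, pkt.seq)
        if sig in self.seen:
            self.dropped += 1
            return False
        self.seen.add(sig)
        self.forwarded.append(pkt)
        return True


class VisibilityAppliance:
    """A network visibility appliance that routes into the shared instance pool."""

    def __init__(self, pool):
        self.pool = pool

    def receive(self, pkt):
        idx = choose_instance(canonical_flow_key(pkt), len(self.pool))
        return idx, self.pool[idx].ingest(pkt)


def run_demo():
    # Constructed traffic: one client packet tapped twice (two appliances see a
    # copy each) and the server's reply tapped once on a third appliance.
    pool = [DedupInstance() for _ in range(4)]
    appliances = [VisibilityAppliance(pool) for _ in range(3)]
    request = Packet("10.0.0.5", 40000, "192.0.2.10", 443, 6, 1000)
    reply = Packet("192.0.2.10", 443, "10.0.0.5", 40000, 6, 5000)
    results = [
        appliances[0].receive(request),
        appliances[2].receive(request),   # duplicate copy, different appliance
        appliances[1].receive(reply),
    ]
    return results, pool


if __name__ == "__main__":
    res, pool = run_demo()
    print(res, [len(i.forwarded) for i in pool])
```

The point to check in any real deployment is the key: if the hash were taken over the raw 5-tuple, a copy tapped on the far side of a NAT or a reply packet could hash elsewhere and the duplicate would never be seen by the instance that holds the first copy.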
A packet broker deployed in a visibility fabric may intelligently assign identifiers to data packets that are routed through sequences of one or more network tools for monitoring and/or security purposes. Guiding techniques based on these identifiers offer flexible support for multiple network tool operational modes. For example, the packet broker may be able to readily address changes in the state of a network tool connected to the packet broker by modifying certain egress translation schemes and/or ingress translation schemes. The “state” of a network tool can be “up” (i.e., ready for service) or “down” (i.e., out of service) based on, for example, the network tool's ability to pass through health-probing data packets dispatched by the packet broker.
A method performed by a network device includes: receiving an input indicating a change in an auxiliary network from a first configuration to a second configuration, wherein the auxiliary network is configured to obtain copies of packets from a traffic production network; determining a first network policy, wherein the first network policy is for application in the auxiliary network when the auxiliary network is in the first configuration; and determining a second network policy by the network device based on the received input and the first network policy, wherein the second network policy is for application in the auxiliary network when the auxiliary network is in the second configuration.
A network appliance may be coupled to a network tool configured to monitor the traffic within a computer network. Often, the network tool is operable in two modes (i.e., an inline mode and an out-of-band mode). Before the network tool is deployed as an inline device, however, it is desirable to verify that the network tool is secure. Described herein are systems and techniques for verifying network tools prior to deployment as inline devices. More specifically, the network appliance may be configured to modify the content of a data packet (e.g., by altering a bit) and transmit the modified data packet downstream to a network tool. The network appliance can monitor the network tool to make sure the network tool drops or returns the modified data packet. These techniques allow the network appliance to controllably simulate the receipt of malicious traffic by the network tool.
A laminate curtain can suppress electromagnetic radiation leakage from an electronic appliance, as well as assist in managing cables interconnected to the electronic appliance. More specifically, a laminate curtain can include a conductive elastomer panel that absorbs spurious electromagnetic radiation generated by the electronic appliance, a conductive adhesive film disposed along one side of the conductive elastomer panel, and a conductive support frame affixed to the conductive adhesive film. The laminate curtain can be installed within a mounting frame, which secures the laminate curtain to the electronic appliance. Electromagnetic radiation that is absorbed by the conductive elastomer panel can travel to the electronic appliance via the conductive adhesive film, the conductive support frame, and the mounting frame. Thus, the conductive elastomer panel can be used to form a ground plane that catches and shunts the spurious electromagnetic radiation to the electronic appliance, which is grounded.
Methods and systems are disclosed for analyzing control signaling messages over a network to inform policy-based sampling of network flows using a network visibility node communicatively coupled to the network. In an illustrative embodiment, session dialog information is extracted from control signaling messages exchanged between subscriber devices initiating a communications session, and is tracked. A network flow associated with the communications session is selected for sampling at the network visibility node based on the tracked session dialog information. Packets associated with the network flow are then forwarded by the network visibility node to an external tool for processing.
Systems and methods are disclosed for analyzing traffic received at a network visibility node to determine traffic levels relative to capacity at tools communicatively coupled to the network visibility node and throttling traffic when the traffic levels exceed tool capacity. In an illustrative embodiment, streams received at a network visibility node are analyzed to predict a traffic level for a given traffic flow. The predicted level of traffic for a given traffic flow is used to decide whether to forward traffic associated with the given traffic flow to a tool port of the network visibility node that is communicatively coupled to an external tool.
With exponential growth in virtualized traffic within physical data centers, many end users (e.g., individuals and enterprises) have begun moving work processes and data to cloud computing platforms. However, accessing virtualized traffic traversing the cloud computing platforms for application, network, and security analysis is a challenge. Introduced here, therefore, are visibility platforms for monitoring virtualized traffic traversing a cloud computing platform, such as Amazon Web Services, VMware, and OpenStack. A visibility platform can be integrated into a cloud computing platform to provide a coherent view of virtualized traffic in motion across the cloud computing platform for a given end user. Said another way, a visibility platform can intelligently select, filter, and forward virtualized traffic belonging to an end user to a monitoring infrastructure, thereby eliminating traffic blind spots.
An inline-bypass switch system includes: a first inline-bypass switch appliance having a first bypass component, a first switch coupled to the first bypass component, and a first controller; and a second inline-bypass switch appliance having a second bypass component, a second switch coupled to the second bypass component, and a second controller; wherein the first controller in the first inline-bypass switch appliance is configured to provide a state signal that is associated with a state of the first inline-bypass switch appliance; and wherein the second controller in the second inline-bypass switch appliance is configured to control the second bypass component based at least in part on the state signal.
A disclosed method performed by a network device can include intercepting cryptographic certificates of host servers received in response to requests for encrypted connections between host servers and user devices, and determining that each encrypted connection is a suspicious connection or a normal connection based on a certificate validation policy. The method can further include causing decryption or metadata analysis of any suspicious encrypted connection and bypassing decryption or metadata analysis of any normal encrypted connection.
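The following is an added example, not code from either patent or from any product, covering two decisions that appear in this listing: the connection-request-time policy that tells the appliance not to decrypt at all (the single pass-through connection abstract above), and the certificate validation policy of this abstract that classifies each encrypted connection as suspicious or normal. The trusted issuer set, the never-decrypt SNI categories, the minimum key size, the fixed clock and the two sample certificates are constructed assumptions; a real appliance would take these from its trust store, policy configuration and the intercepted handshake.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatch


@dataclass
class CertInfo:
    """Fields an appliance would pull from the intercepted server certificate."""
    subject_cn: str
    sans: tuple
    issuer: str
    not_before: datetime
    not_after: datetime
    self_signed: bool
    sig_alg: str
    key_bits: int


# Assumed policy inputs, constructed for the example:
TRUSTED_ISSUERS = {"Example Root CA"}
NO_DECRYPT_SNI = ("*.bank.example", "*.health.example")   # never-decrypt categories
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}
MIN_KEY_BITS = 2048


def hostname_matches(name, pattern):
    """Certificate name match: a wildcard may only replace the leftmost label."""
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("*."):
        return name.count(".") == pattern.count(".") and name.endswith(pattern[1:])
    return name == pattern


def no_decrypt_policy(sni):
    """Connection-request stage: decided from the client's SNI alone. A match
    means the appliance opens one spliced connection and never decrypts."""
    return any(fnmatch(sni.lower(), p) for p in NO_DECRYPT_SNI)


def certificate_findings(sni, cert, now):
    """Certificate validation policy: each failed check is one finding."""
    findings = []
    if cert.self_signed:
        findings.append("self-signed")
    elif cert.issuer not in TRUSTED_ISSUERS:
        findings.append("untrusted-issuer")
    if not (cert.not_before <= now <= cert.not_after):
        findings.append("outside-validity-period")
    if not any(hostname_matches(sni, n) for n in (cert.subject_cn, *cert.sans)):
        findings.append("name-mismatch")
    if cert.sig_alg in WEAK_SIG_ALGS:
        findings.append("weak-signature-algorithm")
    if cert.key_bits < MIN_KEY_BITS:
        findings.append("weak-key")
    return findings


def decide(sni, cert, now):
    """Returns ("bypass" | "decrypt", reasons)."""
    if no_decrypt_policy(sni):
        return "bypass", ["policy:no-decrypt"]
    findings = certificate_findings(sni, cert, now)
    if findings:
        return "decrypt", findings        # suspicious: decrypt or analyse metadata
    return "bypass", ["normal"]           # normal: leave it encrypted


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the example


def sample_certs():
    """Constructed certificates standing in for intercepted ones."""
    good = CertInfo("www.shop.example", ("www.shop.example", "shop.example"),
                    "Example Root CA", datetime(2024, 1, 1, tzinfo=timezone.utc),
                    datetime(2025, 1, 1, tzinfo=timezone.utc), False,
                    "sha256WithRSAEncryption", 2048)
    bad = CertInfo("login.shop.example", (), "login.shop.example",
                   datetime(2024, 1, 1, tzinfo=timezone.utc),
                   datetime(2025, 1, 1, tzinfo=timezone.utc), True,
                   "sha1WithRSAEncryption", 1024)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    certs = sample_certs()
    print(decide("www.shop.example", certs["good"], NOW))
    print(decide("www.shop.example", certs["bad"], NOW))
    print(decide("online.bank.example", certs["bad"], NOW))
```

Note the ordering: the SNI-based no-decrypt policy is applied first because it is decided before any certificate is seen, so a self-signed certificate presented on a never-decrypt connection is still passed through untouched. Whether that is acceptable is a policy question for the deployment, not something the code can settle.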
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
The disclosed techniques include at least one method. The method includes receiving, by a network device, incoming packets communicated over a computer network, and detecting flows to which the incoming packets belong. Each incoming packet belongs to a flow of the flows. The method further includes sampling each incoming packet that satisfies a flow condition having a flow interval of packets for the flow of the incoming packet, and sampling each incoming packet that satisfies a global condition having a global interval of packets irrespective of the flow of the incoming packet. The method further includes storing any sampled packets or information indicative of any sampled packets.
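The following is an added example, not code from the patent above or from any product: a Python sampler that applies the two conditions of this abstract at once, a per-flow interval and a global interval, to a constructed packet stream. Flow keys are the usual 5-tuple; the stream, the intervals and the dictionary packet format are assumptions for illustration.

```python
from collections import defaultdict


class DualConditionSampler:
    """Samples a packet when either condition holds:
      - flow condition:   it is the N-th packet of its own flow (N = flow_interval)
      - global condition: it is the M-th packet overall   (M = global_interval)
    Both conditions are evaluated on every packet; a packet can satisfy both."""

    def __init__(self, flow_interval, global_interval):
        self.flow_interval = flow_interval
        self.global_interval = global_interval
        self.flow_counts = defaultdict(int)
        self.global_count = 0
        self.samples = []      # (global packet index, flow key, reasons)

    @staticmethod
    def flow_of(pkt):
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])

    def offer(self, pkt):
        key = self.flow_of(pkt)
        self.flow_counts[key] += 1
        self.global_count += 1
        reasons = []
        if self.flow_interval and self.flow_counts[key] % self.flow_interval == 0:
            reasons.append("flow")
        if self.global_interval and self.global_count % self.global_interval == 0:
            reasons.append("global")
        if reasons:
            self.samples.append((self.global_count, key, tuple(reasons)))
        return reasons


def build_stream():
    """Constructed stream: a 10-packet flow A interleaved with a 3-packet flow B."""
    a = {"src": "10.0.0.1", "sport": 40000, "dst": "192.0.2.1", "dport": 443, "proto": 6}
    b = {"src": "10.0.0.2", "sport": 40001, "dst": "192.0.2.2", "dport": 53, "proto": 17}
    order = "AABAAABAAABAA"
    return [a if c == "A" else b for c in order]


def run_demo(flow_interval=3, global_interval=5):
    sampler = DualConditionSampler(flow_interval, global_interval)
    for pkt in build_stream():
        sampler.offer(pkt)
    return sampler


if __name__ == "__main__":
    for idx, key, reasons in run_demo().samples:
        print(idx, key[0], reasons)
```

With these intervals the global condition alone would sample only packets of the large flow A; the flow condition is what guarantees the small flow B (three packets) is sampled at all, which is the reason for keeping both conditions rather than one.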
A network appliance described herein allows the user to selectively forward the flow of packets received through a network port, to a particular egress port. The network appliance creates virtual ports, which can be assigned to the one or more egress ports. The network appliance assigns the flow of packets to the one or more virtual ports in the network appliance. The network appliance decides a forwarding treatment to be applied to the flow of packets, for forwarding the flow of packets to the egress tool ports, based on the virtual port to which the flow of packets is assigned and based on a detected network characteristic. The forwarding treatment can be a decision to drop the flow of packets, or to send the flow of packets to the egress port assigned to the virtual port.
A network appliance deployed in a visibility fabric may intelligently drop certain low priority traffic to avoid indiscriminate dropping of data packets across all flow maps during periods of high congestion. More specifically, the network appliance may determine the data packets of a flow map should be dropped based on priority measures assigned on a per-flow map basis. Such a technique enables the network appliance to drop low priority traffic and forward high priority traffic downstream. Also introduced herein are techniques for metering traffic in order to gain better control over the traffic that is forwarded to an egress port of a network appliance. Because a network tool connected to the egress port can become easily overwhelmed, the network appliance may filter the traffic based on the priority of the flow maps to ensure that the network tool does not receive more traffic than can be handled.
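The following is an added example, not code from the patent above or from any product: a Python model of per-flow-map metering followed by priority-ordered admission to a congested egress port, as this abstract describes. The token-bucket meter, the per-tick byte budget of the tool port, the two flow maps and the packet sizes are constructed assumptions for illustration.

```python
from collections import defaultdict


class TokenBucket:
    """Per-flow-map meter: `rate` bytes are replenished each tick, up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def refill(self):
        self.tokens = min(self.burst, self.tokens + self.rate)

    def allow(self, size):
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class EgressScheduler:
    """Meters each flow map, then fills the egress port's per-tick budget in
    priority order so that congestion drops land on the lowest-priority maps."""

    def __init__(self, port_capacity, flow_maps):
        # flow_maps: {name: {"priority": int (higher wins), "meter": TokenBucket}}
        self.port_capacity = port_capacity
        self.flow_maps = flow_maps
        self.stats = defaultdict(lambda: {"forwarded": 0, "metered": 0, "congested": 0})

    def tick(self, packets):
        """packets: list of (flow_map_name, size_bytes). Returns what was forwarded."""
        for fm in self.flow_maps.values():
            fm["meter"].refill()
        admitted = []
        for name, size in packets:
            if self.flow_maps[name]["meter"].allow(size):
                admitted.append((name, size))
            else:
                self.stats[name]["metered"] += 1       # over the map's own meter
        # Stable sort: higher priority first, arrival order within a priority.
        admitted.sort(key=lambda p: -self.flow_maps[p[0]]["priority"])
        budget, forwarded = self.port_capacity, []
        for name, size in admitted:
            if size <= budget:
                budget -= size
                forwarded.append((name, size))
                self.stats[name]["forwarded"] += 1
            else:
                self.stats[name]["congested"] += 1     # port full: low priority loses
        return forwarded


def run_demo():
    # Constructed: a 3000-byte-per-tick tool port, a high-priority security map
    # and a low-priority bulk map capped at 1500 bytes per tick by its meter.
    sched = EgressScheduler(3000, {
        "security": {"priority": 10, "meter": TokenBucket(5000, 5000)},
        "bulk": {"priority": 1, "meter": TokenBucket(1500, 1500)},
    })
    tick = [("bulk", 1000), ("bulk", 1000), ("security", 1500),
            ("security", 1000), ("bulk", 500)]
    return sched.tick(tick), dict(sched.stats)


if __name__ == "__main__":
    print(run_demo())
```

The two mechanisms fail differently and the statistics keep them apart: a "metered" drop means the flow map exceeded its own allowance regardless of port load, a "congested" drop means the port was full and the packet lost on priority.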
09 - Scientific and electric apparatus and instruments
Goods & Services
Computer network hardware with embedded computer software used for computer network security and monitoring computer network traffic; computer software used for computer network security and monitoring computer network traffic
62.
Network switch device for routing network traffic through an inline tool
Introduced here is a technique for using a network switch device, which may include commodity switching fabric, to route packets through an inline tool, without introducing any additional information to the packets. The introduced technique modifies standard capability of packet forwarding and learning port-to-MAC address associations to route data packets through the inline tool. The technique may include applying two override settings to the network device. A first override setting involves a forwarding rule that is based on the arrival port and the content of the packet. A second override setting involves disabling the MAC address learning mechanism for the packet received from the inline tool via the second tool port of the network device.
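The following is an added example, not code from the patent above or from any product: a Python model of a commodity L2 switch with the two overrides this abstract names, run twice so the effect of the second override is visible. The port layout, the content predicate (only IPv4 frames go to the tool), the transparent stand-in tool and the two hosts are constructed assumptions for illustration.

```python
NET_A, NET_B, TOOL_TX, TOOL_RX = 1, 2, 3, 4      # switch ports (assumed layout)
ALL_PORTS = (NET_A, NET_B, TOOL_TX, TOOL_RX)


def is_inspectable(frame):
    """Content half of the override rule: only IPv4 frames are sent to the tool."""
    return frame["ethertype"] == 0x0800


class Switch:
    """Commodity L2 switch with the two overrides:
    1. inline_rules: {arrival_port: (predicate, egress_port)}, applied before
       the MAC-table lookup;
    2. no_learn_ports: ports on which source-MAC learning is disabled."""

    def __init__(self, inline_rules, no_learn_ports):
        self.mac_table = {}
        self.inline_rules = inline_rules
        self.no_learn_ports = set(no_learn_ports)

    def handle(self, port, frame):
        """Returns the list of egress ports for the frame."""
        if port not in self.no_learn_ports:                 # override 2
            self.mac_table[frame["src"]] = port
        rule = self.inline_rules.get(port)                  # override 1
        if rule and rule[0](frame):
            return [rule[1]]
        dst = self.mac_table.get(frame["dst"])
        if dst is None:
            return [p for p in ALL_PORTS if p != port]      # unknown unicast: flood
        return [dst]


class InlineTool:
    """Transparent tool: hands every frame back unchanged on its return link."""

    def inspect(self, frame):
        return frame


def run_scenario(disable_learning_on_tool_rx):
    rules = {NET_A: (is_inspectable, TOOL_TX), NET_B: (is_inspectable, TOOL_TX)}
    sw = Switch(rules, [TOOL_RX] if disable_learning_on_tool_rx else [])
    sw.mac_table.update({"aa": NET_A, "bb": NET_B})      # learned from earlier traffic
    tool = InlineTool()
    trace = []

    def send(port, frame):
        out = sw.handle(port, frame)
        trace.append((port, frame["src"], frame["dst"], out))
        if out == [TOOL_TX]:
            send(TOOL_RX, tool.inspect(frame))            # tool returns the frame

    send(NET_A, {"src": "aa", "dst": "bb", "ethertype": 0x0800})   # host A -> B
    send(NET_B, {"src": "bb", "dst": "aa", "ethertype": 0x0800})   # B replies
    return trace, dict(sw.mac_table)


if __name__ == "__main__":
    for flag in (True, False):
        trace, table = run_scenario(flag)
        print("learning disabled on tool port:", flag, trace[-1], table)
```

With learning left enabled on the tool's return port, the switch relearns both hosts' MAC addresses on that port as soon as the tool hands their frames back, and the reply to host A is sent back toward the tool instead of to host A. Disabling learning on that one port is what keeps the MAC table pointing at the real network ports without adding any tag to the frames.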
Techniques are disclosed for monitoring usage of network traffic rules applied by devices on a computer network. Operations in accordance with the disclosed techniques can be performed at one or more network visibility nodes that operate as part of a visibility fabric, for example for monitoring traffic on the network. In certain embodiments, packets associated with the traffic are received at a network visibility node communicatively coupled to the network that is operable to enable visibility across the network. The network visibility node can access network traffic rules that mirror the network traffic rules applied at devices on the network. The network visibility node can further process the received packets using the accessed network traffic rules to identify packets or flows of packets that satisfy criteria associated with the accessed network traffic rules.
With exponential growth in virtualized traffic within physical data centers, many end users (e.g., individuals and enterprises) have begun moving work processes and data to cloud computing platforms. A visibility platform can be used to monitor virtualized traffic traversing a cloud computing platform, such as Amazon Web Services, VMware, or OpenStack. But it can be difficult to manage how the visibility platform handles incoming virtualized traffic. Introduced here, therefore, are graphs that visually represent the network fabric of a visibility platform. When the network fabric of the visibility platform is represented as a graph, an end user can easily modify the network fabric, for example, by adding, removing, or modifying nodes that represent network objects, adding, removing, or modifying connections between pairs of nodes that represent traffic flows between pairs of network objects, etc.
Disclosed is a technique for providing packet filter maps with high branching factors in a system for managing network traffic in a visibility fabric. A high branching factor enables a map to branch out more than two ways. High branching factors can be realized by allowing a map to be affiliated with more than one action set. For example, each rule of the map may be affiliated with a unique action set that is executed only when the corresponding rule is satisfied.
A visibility platform can be used to monitor traffic traversing private cloud infrastructures and/or public cloud infrastructures. In some instances, the traffic is provided to a set of network services that are accessible to the visibility platform. These network services can be provisioned in a serial or parallel fashion. Network service chaining can be used to ensure that traffic streams skip unnecessary network services and receive only those network services that are needed. For example, an email service chain can include virus, spam, and phishing detection, while a video streaming service chain can include traffic shaping policies to satisfy quality of service (QoS) guarantees. When the visibility platform is represented as a graph that makes use of action sets, network service chains can be readily created or destroyed on demand.
An inline-bypass switch system includes: a first inline-bypass switch appliance having a first bypass component, a second bypass component, a first switch coupled to the first bypass component and the second bypass component, and a first controller; and a second inline-bypass switch appliance having a third bypass component, a fourth bypass component, a second switch coupled to the third bypass component and the fourth bypass component, and a second controller; wherein the first controller in the first inline-bypass switch appliance is configured to provide one or more state signals that are associated with a state of the first inline-bypass switch appliance; and wherein the second controller in the second inline-bypass switch appliance is configured to control the second bypass component based at least in part on the one or more state signals.
A network appliance may include a signal splitter that splits an incoming signal into multiple portions. The signal splitter can direct one portion of the incoming signal to a switching fabric and another portion of the incoming signal to an optical switch. By monitoring the power intensity of the portion of the incoming signal received by the switching fabric, the network appliance can seamlessly switch between a bypass traffic path and a pass-through traffic path without the traffic loss that gaps in network connectivity would otherwise cause. Such a configuration also enables the network appliance to maintain an accurate record of the logical connectivity state even when the network appliance is in the bypass state (i.e., when network traffic bypasses the switching fabric of the network appliance).
A packet broker deployed in a visibility fabric may intelligently assign identifiers to data packets that are routed through sequences of one or more network tools for monitoring and/or security purposes. However, in some instances, it may be desirable for data packets to be distributed across the one or more network tools in a load-balanced manner rather than passed through them in a cascaded manner. Accordingly, the packet broker may initially form a trunk group (i.e., a predefined group of ports that are treated as one port) based on input provided by an administrator. A group of network tools that share a load (i.e., a traffic flow) through trunking facilitated by the packet broker are referred to as a "trunk group" of network tools.
A packet broker deployed in a visibility fabric may intelligently assign identifiers to data packets that are routed through sequences of one or more network tools for monitoring and/or security purposes. More specifically, the packet broker may apply packet-matching criteria to incoming data packets to determine a predetermined sequence of network tools through which the data packets are to be guided. For example, the packet broker may guide a data packet through a predetermined sequence of network tools by translating an internal identifier added to the data packet to an external identifier before transmission to each of the network tools, and translating the external identifier to a different internal identifier each time the data packet is received from each of the network tools.
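The following is an added example, not code from any of the packet-broker patents above or from any product: a Python model of the identifier translation this abstract describes (internal identifier to external identifier before each tool, external identifier back to the next internal identifier on return) together with the health-probe-driven "up"/"down" state handling from the earlier packet-broker abstract, which is implemented here by re-deriving both translation schemes. The chain definitions, the tool names, the external VLAN pool starting at 100, the classifier and the two stand-in tools are constructed assumptions for illustration.

```python
class PacketBroker:
    """Guides packets through tool sequences using internal identifiers
    (chain, hop) and one external VLAN identifier per live hop."""

    def __init__(self, chains, classifier):
        self.chains = chains            # {chain: [tool, tool, ...]} in traversal order
        self.classify = classifier      # packet-matching criteria -> chain name
        tools = {t for seq in chains.values() for t in seq}
        self.tool_state = {t: "up" for t in tools}
        self.rebuild()

    def rebuild(self):
        """Recompute the egress scheme (internal -> (tool, external)) and the
        ingress scheme ((tool, external) -> next internal), skipping tools
        whose state is down."""
        self.egress, self.ingress, self.entry = {}, {}, {}
        ext = 100                        # external VLAN IDs, one per live hop (assumed pool)
        for chain, tools in self.chains.items():
            live = [t for t in tools if self.tool_state[t] == "up"]
            self.entry[chain] = (chain, 0) if live else (chain, "exit")
            for hop, tool in enumerate(live):
                self.egress[(chain, hop)] = (tool, ext)
                nxt = (chain, hop + 1) if hop + 1 < len(live) else (chain, "exit")
                self.ingress[(tool, ext)] = nxt
                ext += 1

    def health_probe(self, tool, passed):
        """Outcome of a health-probing packet: flips the tool's state and
        re-derives both translation schemes."""
        self.tool_state[tool] = "up" if passed else "down"
        self.rebuild()

    def guide(self, pkt, tools):
        """tools: {name: callable(pkt) -> pkt | None}. Returns (path, output)."""
        internal = self.entry[self.classify(pkt)]
        path = []
        while internal[1] != "exit":
            tool, ext = self.egress[internal]
            tagged = dict(pkt, vlan=ext)                        # egress translation
            returned = tools[tool](tagged)
            if returned is None:
                path.append((tool, ext, "dropped"))
                return path, None
            path.append((tool, ext, "passed"))
            internal = self.ingress[(tool, returned["vlan"])]   # ingress translation
        out = dict(pkt)
        out.pop("vlan", None)                                   # strip before forwarding
        path.append(("network", None, "forwarded"))
        return path, out


def classify(pkt):
    """Packet-matching criteria (assumed): web ports go through the web chain."""
    return "web" if pkt["dport"] in (80, 443) else "default"


TOOLS = {
    "ips": lambda p: p,                                          # passes everything
    "dlp": lambda p: None if "SECRET" in p["payload"] else p,    # drops leaks
}


def run_demo():
    broker = PacketBroker({"web": ["ips", "dlp"], "default": ["ips"]}, classify)
    leak = {"dport": 443, "payload": "POST /upload SECRET=hunter2"}
    before = broker.guide(leak, TOOLS)
    broker.health_probe("dlp", passed=False)   # dlp stops answering probes
    after = broker.guide(leak, TOOLS)
    return before, after, broker


if __name__ == "__main__":
    before, after, _ = run_demo()
    print(before[0])
    print(after[0])
```

The second run shows the caveat a practitioner should weigh: re-deriving the schemes so that a "down" tool is skipped keeps traffic flowing, but it is fail-open, and the packet that the DLP tool dropped a moment earlier is now forwarded. Whether a down tool in a chain should be bypassed or should block the chain is a policy decision that belongs in configuration, not in the translation logic.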
A method of packet processing includes: providing a plurality of network appliances that form a cluster, wherein two or more of the plurality of network appliances in the cluster are located at different geographical locations, are communicatively coupled via a private network or the Internet, and are configured to collectively perform out-of-band packet processing; receiving a packet by one of the network appliances in the cluster; processing the packet using two or more of the plurality of appliances in the cluster; and passing the packet to one or more network monitoring tools after the packet is processed.
Ternary content-addressable memory (TCAM) of an ingress appliance in a visibility fabric may include rules for filtering traffic received by the ingress appliance. But the TCAM has limited space for rules and can become easily exhausted. By migrating rules to other visibility nodes in the visibility fabric, the techniques introduced here allow the TCAM to be virtually extended across multiple visibility nodes. More specifically, upon receiving a data packet at an ingress port, the ingress visibility node can tag the data packet with an identifier based on which ingress port received the data packet. The ingress visibility node can then determine, based on the identifier, whether the data packet should be filtered using a rule stored in the TCAM of the ingress visibility node or a rule stored in the TCAM of some visibility node in the visibility fabric.
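The following is an added example, not code from the patent above or from any product: a Python model of the ingress-port tagging and rule placement this abstract describes. Each rule is keyed by the tag of the ingress port it belongs to, and when the ingress node's TCAM is full, that port's rule set is migrated to another visibility node and the port is steered there, so lookups for that port happen on the remote node. The two node capacities, the rule contents and the packets are constructed assumptions; the rule migration policy (move a whole port's rules together, to the first node with room) is one simple choice, not the only one.

```python
class Tcam:
    """Fixed-capacity, ordered rule store; first matching rule wins."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.rules = []                 # [(match_fields, action)]

    def free(self):
        return self.capacity - len(self.rules)

    def lookup(self, pkt):
        for match, action in self.rules:
            if all(pkt.get(k) == v for k, v in match.items()):
                return action
        return None


class VisibilityNode:
    def __init__(self, name, tcam_capacity):
        self.name = name
        self.tcam = Tcam(tcam_capacity)
        self.steer = {}                 # ingress port -> node that now filters it


class VisibilityFabric:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def install(self, node_name, port, match, action):
        """Install a filter rule for traffic entering `port` of `node_name`.
        The rule carries the ingress-port tag so it only fires for that port;
        when the owning TCAM is full, the port's whole rule set is migrated
        to another node and the port is steered there."""
        tag = (node_name, port)
        owner = self.nodes[node_name].steer.get(port, node_name)
        rule = ({"port_tag": tag, **match}, action)
        if self.nodes[owner].tcam.free() > 0:
            self.nodes[owner].tcam.rules.append(rule)
            return owner
        moving = [r for r in self.nodes[owner].tcam.rules if r[0]["port_tag"] == tag]
        moving.append(rule)
        for cand in self.nodes.values():
            if cand.name != owner and cand.tcam.free() >= len(moving):
                self.nodes[owner].tcam.rules = [
                    r for r in self.nodes[owner].tcam.rules if r[0]["port_tag"] != tag]
                cand.tcam.rules.extend(moving)          # order within the port is kept
                self.nodes[node_name].steer[port] = cand.name
                return cand.name
        raise MemoryError("no TCAM space left in the fabric")

    def process(self, node_name, port, pkt):
        """Tag the packet with its ingress port, then filter it on whichever
        node holds that port's rules. Returns (filtering node, action)."""
        tagged = {**pkt, "port_tag": (node_name, port)}
        owner = self.nodes[node_name].steer.get(port, node_name)
        return owner, self.nodes[owner].tcam.lookup(tagged)


def run_demo():
    fabric = VisibilityFabric([VisibilityNode("ingress", 2), VisibilityNode("helper", 4)])
    placements = [
        fabric.install("ingress", 1, {"dport": 443}, "tls-tool"),
        fabric.install("ingress", 1, {"dport": 22}, "ssh-tool"),
        fabric.install("ingress", 1, {"dport": 53}, "dns-tool"),   # overflow -> migrate
        fabric.install("ingress", 2, {"dport": 443}, "web-tool"),  # fits locally again
    ]
    results = [
        fabric.process("ingress", 1, {"dport": 53}),
        fabric.process("ingress", 1, {"dport": 443}),
        fabric.process("ingress", 2, {"dport": 443}),
        fabric.process("ingress", 2, {"dport": 53}),     # port 2 has no dns rule
    ]
    return placements, results, fabric


if __name__ == "__main__":
    print(run_demo()[:2])
```

Because the tag is part of every rule's match, a port-2 packet never hits a port-1 rule even when both ports' rules sit in the same TCAM; and because a port's rules move together, the first-match ordering among them is unchanged by the migration.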
A fabric manager includes: a processing unit having a service chain creation module configured to create a service chain by connecting some of a plurality of nodes via virtual links; wherein those nodes represent respective network components of an auxiliary network configured to obtain packets from a traffic production network; and wherein the service chain is configured to control the order in which packets are to traverse the network components represented by those nodes.
A method of monitoring a virtualized network includes receiving information regarding the virtualized network, wherein the information is received at a port of a network switch appliance, receiving a packet at a network port of the network switch appliance, and using the received information to determine whether to process the packet according to a first packet processing scheme or a second packet processing scheme, wherein the first packet processing scheme involves performing header stripping, and performing packet transmission to one of a plurality of instrument ports at the network switch appliance after the header stripping, each of the instrument ports configured for communicatively coupling to a network monitoring instrument, and wherein the second packet processing scheme involves performing packet transmission to one of the plurality of instrument ports at the network switch appliance without performing any header stripping.
A method performed by a network device includes: receiving a first packet by the network device, wherein the first packet is tapped from a network; identifying a session to which the first packet belongs when the first packet has one or more values that at least partially match one or more terms, wherein the act of identifying the session is performed by the network device; receiving a second packet by the network device; determining whether the second packet belongs to the session; and performing a packet processing action by the network device based on the identified session; wherein the session is identified based on a first criterion, and the act of determining whether the second packet belongs to the session is performed based on a second criterion that is different from the first criterion.
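The following is an added example, not code from the patent above or from any product, and it serves two abstracts in this listing: the control-signaling-driven sampling described earlier (session dialog information extracted from signaling, a flow selected for sampling, its packets forwarded to a tool) and the two-criteria session identification of this abstract. The first criterion here is a content match on signaling terms in the packet; the second is a match of later packets against the media endpoints learned from that signaling. The SIP/SDP messages, the sampling policy (dialogs whose From header is in a watched domain) and the RTP packets are constructed, and the message text carries only the headers the tracker needs.

```python
import re


class SessionTracker:
    """Identifies sessions from control signaling (first criterion: content
    terms in the packet) and then assigns later packets to a session by the
    media endpoints learned from that signaling (second criterion)."""

    TERMS = ("INVITE", "Call-ID:", "m=audio")

    def __init__(self, sample_dialog):
        self.sample_dialog = sample_dialog   # policy: which dialogs to sample
        self.sessions = {}                   # call_id -> {"endpoints", "sampled"}
        self.endpoint_index = {}             # (ip, port) -> call_id

    def classify(self, pkt):
        """Returns (call_id or None, "forward" | "drop")."""
        payload = pkt.get("payload", "")
        if all(t in payload for t in self.TERMS):                     # first criterion
            call_id = re.search(r"^Call-ID:\s*(\S+)", payload, re.M).group(1)
            ip = re.search(r"^c=IN IP4 (\S+)", payload, re.M).group(1)
            port = int(re.search(r"^m=audio (\d+)", payload, re.M).group(1))
            sess = self.sessions.setdefault(call_id, {"endpoints": set(), "sampled": False})
            sess["endpoints"].add((ip, port))
            sess["sampled"] = sess["sampled"] or self.sample_dialog(payload)
            self.endpoint_index[(ip, port)] = call_id
            return call_id, "forward" if sess["sampled"] else "drop"
        for ep in ((pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])):   # second criterion
            call_id = self.endpoint_index.get(ep)
            if call_id is not None:
                return call_id, "forward" if self.sessions[call_id]["sampled"] else "drop"
        return None, "drop"


def sip_message(start_line, from_uri, call_id, media_ip, media_port):
    """Constructed SIP/SDP text; only the headers the tracker needs."""
    return (f"{start_line}\r\nFrom: <{from_uri}>;tag=1\r\nCall-ID: {call_id}\r\n"
            f"CSeq: 1 INVITE\r\nContent-Type: application/sdp\r\n\r\n"
            f"v=0\r\nc=IN IP4 {media_ip}\r\nm=audio {media_port} RTP/AVP 0\r\n")


def build_packets():
    """Constructed capture: two calls, then RTP for each, then unrelated UDP."""
    sig = lambda src, dst, text: {"src": src, "sport": 5060, "dst": dst, "dport": 5060, "payload": text}
    udp = lambda src, sport, dst, dport: {"src": src, "sport": sport, "dst": dst, "dport": dport}
    return [
        sig("10.0.0.1", "192.0.2.7", sip_message("INVITE sip:bob@example.net SIP/2.0",
            "sip:alice@watch.example", "call-1", "10.0.0.1", 49170)),
        sig("192.0.2.7", "10.0.0.1", sip_message("SIP/2.0 200 OK",
            "sip:alice@watch.example", "call-1", "192.0.2.7", 6000)),
        sig("10.0.0.2", "192.0.2.8", sip_message("INVITE sip:dan@example.net SIP/2.0",
            "sip:carol@other.example", "call-2", "10.0.0.2", 40000)),
        udp("10.0.0.1", 49170, "192.0.2.7", 6000),        # RTP, call-1
        udp("192.0.2.7", 6000, "10.0.0.1", 49170),        # RTP, call-1, reverse direction
        udp("10.0.0.2", 40000, "192.0.2.8", 7000),        # RTP, call-2
        udp("10.0.0.9", 5555, "198.51.100.3", 9999),      # unrelated traffic
    ]


def run_demo():
    watch = lambda payload: re.search(r"^From:.*@watch\.example", payload, re.M) is not None
    tracker = SessionTracker(watch)
    return [tracker.classify(p) for p in build_packets()]


if __name__ == "__main__":
    for call_id, action in run_demo():
        print(call_id, action)
```

The RTP packets carry nothing that matches the signaling terms, so the first criterion can never assign them; they are assigned only because the second criterion uses the endpoints learned from the INVITE and the 200 OK. Note that the forward direction and the reverse direction of the media are both caught, while the unrelated UDP flow is not.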
A method of identifying targets for monitoring includes: obtaining a user-defined filter map, the user-defined filter map having one or more filter rules for matching against network traffic when the user-defined filter map is used by a network system to process the network traffic; and determining a set of one or more targets by a processing unit based at least in part on the user-defined filter map, wherein the processing unit comprises a target selection module configured to access a list of available targets from a database, and select the one or more targets from the list of available targets based at least in part on the user-defined filter map.
A method for providing user access to a network switch appliance includes: receiving from a user a request to access a configuration item for the network switch appliance, the network switch appliance configured to pass packets received from a network to network monitoring instruments; and determining, using a processing unit, whether to allow the user to access the configuration item for the network switch appliance based on information regarding the user.
A network appliance may be coupled to a network tool configured to monitor the traffic within a computer network. Often, the network tool is operable in two modes (i.e., an inline mode and an out-of-band mode). Before the network tool is deployed as an inline device, however, it is desirable to verify that the network tool is secure. Described herein are systems and techniques for verifying network tools prior to deployment as inline devices. More specifically, the network appliance may be configured to modify the content of a data packet (e.g., by altering a bit) and transmit the modified data packet downstream to a network tool. The network appliance can monitor the network tool to make sure the network tool drops or returns the modified data packet. These techniques allow the network appliance to controllably simulate the receipt of malicious traffic by the network tool.
Systems of redundant in-line network switch appliances are described. In an embodiment, a system includes a primary network switch appliance and a secondary network switch appliance communicatively coupled in-line between nodes on a computer network. A tool, for example for network monitoring, is communicatively coupled to the primary network switch appliance. In use, when the primary network switch appliance is in a first state, a bypass switch of the primary network switch appliance is configured to complete a communication path between the tool and a node on the computer network via a switching fabric of the primary network switch appliance. When the primary network switch appliance is in a second state, the bypass switch is configured to complete a communication path between the tool and the node on the computer network via the secondary network switch appliance, bypassing the switching fabric of the primary network switch appliance.
Embodiments are disclosed for monitoring the performance of an in-line tool without adding data to network traffic routed through the in-line tool. In some embodiments, performance of the in-line tool is based on a measured latency introduced by the processing of packets through the in-line tool. In some embodiments, network traffic is adaptively routed based on the measured latency at the in-line tool.
Introduced herein is a technology for a network switch device to route network packets through an inline tool without introducing additional information to the network packets. The technology records an association between an input network port and a signature (e.g., source MAC address) of the network packet before forwarding the packet to the inline tool. When receiving the packet back from the inline tool, the network device recognizes that the packet signature is associated with the input network port, and that the input network port is paired with a particular output network port. Thus, the network device identifies the output network port for sending the packet without modifying the contents of the packet.
Embodiments are disclosed for a network switch appliance with a traffic broker that facilitates routing of network traffic between pairs of end nodes on a computer network through a configurable sequence of in-line tools.
A method performed by a network device that taps a network having a routing device includes: receiving a first packet tapped from the network; determining first information regarding an input interface of the routing device based on a destination address of the first packet; receiving a second packet tapped from the network; determining second information regarding an output interface of the routing device based on a source address of the second packet; determining a first CRC for the first packet; determining a second CRC for the second packet; and comparing the first CRC with the second CRC at the network device to determine whether the first packet and the second packet are the same.
Ternary content-addressable memory (TCAM) of an ingress appliance in a visibility fabric may include rules for filtering traffic received by the ingress appliance. But the TCAM has limited space for rules and can become easily exhausted. By migrating rules to other visibility nodes in the visibility fabric, the techniques introduced here allow the TCAM to be virtually extended across multiple visibility nodes. More specifically, upon receiving a data packet at an ingress port, the ingress visibility node can tag the data packet with an identifier based on which ingress port received the data packet. The ingress visibility node can then determine, based on the identifier, whether the data packet should be filtered using a rule stored in the TCAM of the ingress visibility node or a rule stored in the TCAM of some visibility node in the visibility fabric.
A switch appliance includes a first network port for communication with a first node, where the first network port is configured to receive a packet, and a second network port for communication with a second node. The switch appliance further includes a first instrument port for communication with a first inline tool, a buffer, and a processing unit coupled to the first network port, the second network port, the first instrument port and the buffer. The processing unit is configured to determine whether a packet processing state has been set as an inline-tool processing state or a bypass state, and is configured to pass the packet to the second network port for transmission to the second node, and to store a copy of the packet in the buffer, if the packet processing state has been set as neither the inline-tool processing state nor the bypass state.
An inline-bypass switch system includes: a first inline-bypass switch appliance having a first bypass component, a first switch coupled to the first bypass component, and a first controller; and a second inline-bypass switch appliance having a second bypass component, a second switch coupled to the second bypass component, and a second controller; wherein the first controller in the first inline-bypass switch appliance is configured to provide a state signal that is associated with a state of the first inline-bypass switch appliance; and wherein the second controller in the second inline-bypass switch appliance is configured to control the second bypass component based at least in part on the state signal.
An inline-bypass switch system includes: a first inline-bypass switch appliance having a first bypass component, a second bypass component, a first switch coupled to the first bypass component and the second bypass component, and a first controller; and a second inline-bypass switch appliance having a third bypass component, a fourth bypass component, a second switch coupled to the third bypass component and the fourth bypass component, and a second controller; wherein the first controller in the first inline-bypass switch appliance is configured to provide one or more state signals that are associated with a state of the first inline-bypass switch appliance; and wherein the second controller in the second inline-bypass switch appliance is configured to control the second bypass component based at least in part on the one or more state signals.
A network switch apparatus includes: a network port configured to receive a packet; instrument ports configured to communicate with respective network monitoring instruments; a packet duplication module configured to copy the packet to provide multiple packets that are identical to each other; a tagging module configured to tag the multiple packets with different respective identifiers to obtain tagged packets; and a processing unit coupled to the instrument ports; wherein the processing unit is configured to determine whether a first one of the tagged packets satisfies a first criterion, whether a second one of the tagged packets satisfies a second criterion, process the first one of the tagged packets in a first manner if the first one of the tagged packets satisfies the first criterion, and process the second one of the tagged packets in a second manner if the second one of the tagged packets satisfies the second criterion.
An apparatus for a network includes: a processing unit having a filter generation module configured for: receiving an indication that a packet matches a user-defined filter; and creating one or more derivative filters based at least in part on the received indication, wherein a first derivative filter of the one or more derivative filters provides a finer grade of filtration compared to the user-defined filter; and a non-transitory medium configured for storing the one or more derivative filters.