Field of the Invention
The embodiments described herein generally relate to processing traffic captured on a data connection, and more particularly to inferring an order for collected packets of data captured by a tap on a network connection between two endpoints.
Description of the Related Art
Structured database technology has become a critical component in many corporate technology initiatives. With the success of the Internet, the use of database technology has exploded in consumer and business-to-business applications. However, with the popularity of database architectures, risks and challenges have arisen, such as complex and difficult-to-identify performance issues and subtle gaps in security that can allow confidential data to be accessed by unauthorized users.
A large fraction of database applications use a database server that stores and indexes structured data. Clients access the database server to store, update, and query the structured data. The clients may communicate with the database server using standard networking technology, such as Transmission Control Protocol (TCP), Internet Protocol (IP), Ethernet, and/or the like, using various physical or virtual media, and via one or more intervening servers (e.g., a web server and/or application server).
Below the application and/or database layer, a sequenced byte protocol, such as TCP or Sequenced Packet Exchange (SPX), is generally used to ensure delivery of messages between client and server systems in the face of potentially unreliable lower-level transport mechanisms. These protocols may exchange multiple packets to deliver a single byte of data. The transmission and/or reception of such packets may be asynchronous, such that the order of the packets is not necessarily the same as the order of the byte stream required by the application or database layer. These protocols are designed to work when packets are lost or corrupted between two network agents, such as a client system and server system.
Many network sessions may be established between a server (e.g., database server) and one or more client systems. Generally, each session operates asynchronously with respect to the other sessions, and the data and control information from a plurality of sessions may overlap temporally. In addition, multiple encapsulation technologies and physical layer technologies may be used between a server and its clients.
There are a number of network-tapping technologies that can be used to extract a copy of the packet stream flowing between two or more network agents (also referred to herein as “endpoints” or “hosts”). However, a network tap attempting to observe an exchange will not witness an exact copy of the traffic as seen by either network agent. Rather, the network tap will receive a unique third-party view of the packets, which may comprise a subset or superset of the packets seen by the network agents.
While many uncertainties as to the order of request data may be resolved using data embedded in underlying protocols and transports, these mechanisms are designed to operate at either end of a network conversation (i.e., at the network agents). What is needed is a mechanism that allows such data to be ordered from the third-party perspective of a network tap.
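As an added illustration (not part of the original text and not the mechanism this document goes on to describe), the sketch below orders one direction of one TCP session from a tap's capture using only the sequence numbers embedded in the protocol, and reports where the tap's view was a superset (bytes seen twice) or a subset (bytes never seen) of the stream. The names `rel`, `reassemble`, `BASE` and `CAPTURE`, and the sample payload, are constructed for this example.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def rel(seq, base):
    """Byte offset of seq from base (sequence number of the first payload byte)."""
    return (seq - base) % MOD

def reassemble(segments, base):
    """Order one direction of one session as captured by a tap.

    segments: (seq, payload) pairs in capture order.
    Returns (runs, gaps, dup): contiguous (offset, bytes) runs, (offset, length)
    ranges the tap never saw, and the count of bytes seen more than once.
    Assumes the stream is shorter than 4 GiB and no segment precedes base.
    """
    # Stable sort: for equal offsets the copy captured first wins.
    ordered = sorted(((rel(s, base), p) for s, p in segments if p),
                     key=lambda item: item[0])
    runs, gaps, dup, nxt = [], [], 0, 0
    for off, payload in ordered:
        if off > nxt:                      # subset view: bytes missing at the tap
            gaps.append((nxt, off - nxt))
        if off > nxt or not runs:          # start a new contiguous run
            runs.append((off, bytearray()))
            nxt = off
        skip = nxt - off                   # superset view: bytes already covered
        if skip >= len(payload):
            dup += len(payload)            # pure retransmission, nothing new
            continue
        dup += skip
        runs[-1][1].extend(payload[skip:])
        nxt = off + len(payload)
    return [(o, bytes(b)) for o, b in runs], gaps, dup

# Constructed capture: out of order, one retransmission, one segment
# ("WHERE ", offsets 23-28) never seen by the tap, sequence space wrapping.
BASE = 0xFFFFFFF8
CAPTURE = [
    (0x00000004, b"FROM users "),    # offset 12, captured before offset 0
    (0xFFFFFFF8, b"SELECT name "),   # offset 0
    (0xFFFFFFF8, b"SELECT name "),   # retransmission of offset 0
    (0x00000015, b"id=7;"),          # offset 29
]

if __name__ == "__main__":
    print(reassemble(CAPTURE, BASE))
```

A consumer that parses the reassembled request should treat each reported gap as unknown content rather than joining the runs on either side of it.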