1. Technical Field
The present disclosure relates to the storage and retrieval of computer network packet traffic using summary information commonly referred to as network flow information. In this disclosure, bidirectional flow information, commonly referred to as connection information, is represented in a single flow record similar to RFC 5103.
2. Background Information
A network flow is a collection, e.g., sequence, of packets transmitted over a computer network from a port on a source computer to a port on a destination computer utilizing a protocol. Conceptually, network flow information is a summary of a communication between two computer endpoints. Many manufacturers include network monitoring and flow information export capabilities in their network switches and routers, resulting in many accepted representation formats. Common to all formats are data fields identifying the endpoints of the communication and summary information for the packets included in the flow.
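To make the single-record bidirectional representation concrete, here is a small aggregator written as an added example (it is not the disclosure's own implementation and does not parse any export format). It assumes a constructed packet list, treats the first packet seen for a connection as the initiator's direction, and keeps forward and reverse counters in one record, in the spirit of RFC 5103's reverse-direction elements.

```python
from dataclasses import dataclass


@dataclass
class BiflowRecord:
    """One record per connection: forward counters (initiator -> responder)
    plus reverse counters, mirroring RFC 5103's reverse* information elements."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    packets: int = 0      # forward direction
    octets: int = 0
    rev_packets: int = 0  # reverse direction
    rev_octets: int = 0


# Constructed sample packets, not taken from any capture:
# (src_ip, src_port, dst_ip, dst_port, ip_proto, payload_bytes)
PACKETS = [
    ("10.0.0.5", 40000, "192.0.2.10", 443, 6, 120),   # client -> server
    ("192.0.2.10", 443, "10.0.0.5", 40000, 6, 80),    # server -> client
    ("10.0.0.5", 40000, "192.0.2.10", 443, 6, 1500),
    ("192.0.2.10", 443, "10.0.0.5", 40000, 6, 4000),
    ("10.0.0.7", 5353, "224.0.0.251", 5353, 17, 90),  # one-way UDP
]


def flow_key(pkt):
    """Canonical key so both directions of a connection map to the same record.
    Only consistency matters here, so plain tuple ordering is enough."""
    s, sp, d, dp, proto, _ = pkt
    a, b = (s, sp), (d, dp)
    return (min(a, b), max(a, b), proto)


def aggregate(packets):
    """Fold a packet sequence into bidirectional flow records.
    Assumption: the first packet seen for a key defines the forward direction."""
    records = {}
    for pkt in packets:
        s, sp, d, dp, proto, nbytes = pkt
        rec = records.get(flow_key(pkt))
        if rec is None:
            rec = records[flow_key(pkt)] = BiflowRecord(s, sp, d, dp, proto)
        if (s, sp) == (rec.src_ip, rec.src_port):
            rec.packets += 1
            rec.octets += nbytes
        else:
            rec.rev_packets += 1
            rec.rev_octets += nbytes
    return list(records.values())
```

A collector storing such records can index a whole connection once, rather than once per direction, and a search for a (client, server, port) triple returns both halves of the exchange.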
Exported network flow records may be collected and stored by a network flow collector program. Techniques for record storage are dependent on the requirements of the collector and the anticipated use of the data. Each collector is associated with a search and retrieval mechanism designed to take advantage of its storage facilities.
The Berkeley Packet Filter (BPF) mechanism was developed at Lawrence Berkeley Laboratory and is a known filtering mechanism used for processing packets. The mechanism includes a language and virtual machine used for creating simple programs that filter packets. The instruction set includes primitives for fetching, comparing, and performing arithmetic operations on data from the packet. A packet is filtered, i.e., accepted or rejected, based on the results of the program.
One of the first implementations to incorporate BPF is tcpdump, a tool widely used for monitoring computer communication networks. Like BPF, tcpdump was developed at Lawrence Berkeley Laboratory. The command-line program implements a low-level application programming interface (API) for sniffing packets from a network interface and for performing file I/O operations.
The software source code for the packet capture interface and BPF is available as a standalone library, commonly referred to as libpcap. The library is available to the public under the Berkeley System Distribution (BSD) license. Because of its portability, flexibility, and simple implementation, libpcap is considered the de facto mechanism for packet capture and filtering.