The present invention relates to network analyzers, and more particularly to capture file formats.
Network assessment tools referred to as “analyzers” are often relied upon to analyze network communications at a plurality of layers. One example of such analyzers is the Sniffer® device manufactured by Network Associates®, Inc. Analyzers have similar objectives such as determining why network performance is slow, understanding the specifics of excessive traffic, and/or gaining visibility into various parts of the network.
In use, network analyzers often take the form of a program that monitors and analyzes network traffic, detecting bottlenecks and problems. Using this information, a network manager can keep traffic flowing efficiently. A network analyzer can also be used legitimately or illegitimately to capture data being transmitted on a network. For example, a network router reads every packet of data passed to it, determining whether it is intended for a destination within the router's network or whether it should be passed further along the Internet. A router with a network analyzer, however, may be able to read the data in the packet as well as the source and destination addresses. It should be noted that network analyzers may also analyze data other than network traffic. For example, a database could be analyzed for certain kinds of duplication, etc.
One problem with prior art network analyzers is that such products currently employ “import” and “export” filters to allow such network analyzers to read and write the capture file formats of other existing and legacy network analyzers. In particular, import filters convert network traffic information into the latest network analyzer-compatible capture file format, the CAP file format. The CAP file format is used by the current versions of the network analyzers. Export filters, on the other hand, create legacy capture file formats by converting the CAP file format to formats compatible with older network analyzers. The legacy formats include extensions such as .ATC, .ENC, .TRC, .SYC, etc. Third party vendors may then use these legacy formats to exchange data between their products and the network analyzers that handle only the CAP file format.
These import and export filters thus allow third party network analyzers to utilize captured information without relying on the proprietary network analyzer that collected and stored the captured information in a specified file format (i.e. CAP file format). This results in an economic disadvantage for those that manufacture and sell such proprietary network analyzers. Further, security issues arise as a result of this easily read information being readily available to any network analyzer.
There is thus a need for a solution which provides controlled exchange of data between proprietary network analyzers and other third party tools.
A system, method and computer program product are provided for analyzing a network. Initially, network traffic information relating to network traffic is collected. Next, the network traffic information is encrypted. In use, the network traffic information is capable of being analyzed by a network analyzer adapted for decrypting the network traffic information.
In one embodiment, the network traffic information may include total packet information relating to a total number of packets associated with the network traffic, total byte information relating to a total number of bytes associated with the network traffic, and/or network utilization information relating to network utilization associated with the network traffic.
In another embodiment, the network traffic information may be compressed. Further, such network traffic information may be compressed before being encrypted. As an option, the network traffic information may be stored in a format that includes a compression header having a compression algorithm field identifying the compression algorithm used for compressing the network traffic information. Such compression header may further include a compression parameter field, a pre-compression buffer size field, a post-compression buffer size field, a compression time field, and/or a reserved field.
In still another embodiment, the encrypted network traffic information may be written to memory. When analysis is to occur, the encrypted network traffic information may be read from the memory and decrypted utilizing the network analyzer capable of decrypting the network traffic information.
As an option, the network traffic information may be encrypted utilizing one of a plurality of keys. Further, the network traffic information may be stored in a format that includes an encryption header having an encryption algorithm field identifying the encryption algorithm used for encrypting the network traffic information. Such encryption header may further include a key number field, a key length field, a block size field, a pre-encryption buffer length field, a post-encryption buffer length field, a compressed indicator field, a buffer encryption field, an encryption time field, and/or a reserved field.
Optionally, an indication may be received from a user as to whether the network traffic information is to be compressed. Upon receiving the indication from the user to compress the network traffic information, the network traffic information may be compressed.
From the perspective of a network analyzer used to analyze the encrypted network traffic information, the encrypted network traffic information is initially read from memory. Thereafter, the network traffic information is decrypted and then optionally decompressed, reversing the order in which it was written. Finally, the network traffic information is analyzed.
To accomplish this, a data structure may be stored in a computer readable medium. Such data structure may include a data object for containing encrypted network traffic information relating to network traffic. Associated therewith is an encryption object for describing the encryption of the network traffic information in the data object.
The present techniques thus prevent unauthorized interchange of files of network traffic information between proprietary network analyzers and third party network analyzers. This is accomplished by optionally compressing and always encrypting such files before writing them to memory. When the file is read from memory, it is decrypted and optionally decompressed before being used. A software module in the form of a DLL or the like may be used to accomplish this. Such software module may be incorporated into designated network analyzer products, and may also provide read and/or write access to the network traffic information to authorized third party tools.
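The write and read paths summarized above, carried through as a worked example. This is added illustration code, not the patent's or Network Associates' implementation: the field widths, the byte layout, the algorithm identifiers, the demo key table, the per-file nonce and the authentication tag are all assumptions made here (the text names the header fields but fixes neither their encoding nor the cipher, and says nothing about integrity), and HMAC-SHA256 in counter mode stands in for whatever cipher a shipping analyzer would use. The sample traffic is constructed.

```python
"""Capture image = [encryption header][ciphertext][tag].
Plaintext = [compression header][compressed data], or the raw capture bytes
when compression is declined.  Compress-then-encrypt on write,
verify-then-decrypt-then-decompress on read."""
import hashlib
import hmac
import os
import struct
import time
import zlib

# Constructed demo key table: the "plurality of keys" selected by key number.
# In a shipped analyzer these would live inside the decrypting module.
KEYS = {
    1: bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"),
    2: bytes.fromhex("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"),
}

# Assumed encodings (the text names the fields, not their widths).
# Compression header: algorithm, parameter, pre-size, post-size, time, reserved.
COMP_HDR = struct.Struct("<4sIIIQ8s")
# Encryption header: algorithm, key number, key length, block size, pre-length,
# post-length, compressed flag, buffer-encrypted flag, time, nonce, reserved.
# The 16-byte nonce is an addition so keystreams never repeat under one key.
ENC_HDR = struct.Struct("<4sIIIIIBBQ16s8s")
BLOCK = 32      # keystream block = one SHA-256 output
TAG_LEN = 32
ALG_ZLIB = b"ZLIB"
ALG_CTR = b"HCTR"  # assumed identifier: HMAC-SHA256 counter mode

# Constructed sample: 50 fake fixed-size packet records (highly compressible).
SAMPLE_TRAFFIC = b"".join(struct.pack("<IH", i, 60) + b"\x00" * 60 for i in range(50))


def _subkeys(master):
    """Derive separate encryption and MAC keys from one key-table entry."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _xor_keystream(enc_key, nonce, data):
    """Counter mode: block i = HMAC(enc_key, nonce || i).  XOR is its own
    inverse, so the same routine encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def write_capture(traffic, key_number, compress=True, nonce=None):
    """Optionally compress, then encrypt under the selected key; the tag covers
    header and ciphertext so a swapped key number or edited field is caught."""
    if compress:
        level = 6
        comp = zlib.compress(traffic, level)
        plain = COMP_HDR.pack(ALG_ZLIB, level, len(traffic), len(comp),
                              int(time.time()), b"\0" * 8) + comp
    else:
        plain = traffic
    nonce = os.urandom(16) if nonce is None else nonce
    enc_key, mac_key = _subkeys(KEYS[key_number])
    cipher = _xor_keystream(enc_key, nonce, plain)
    hdr = ENC_HDR.pack(ALG_CTR, key_number, len(KEYS[key_number]), BLOCK,
                       len(plain), len(cipher), int(compress), 1,
                       int(time.time()), nonce, b"\0" * 8)
    return hdr + cipher + hmac.new(mac_key, hdr + cipher, hashlib.sha256).digest()


def header_fields(image):
    """Decode the encryption header; it is plaintext, so any tool can read it."""
    names = ("algorithm", "key_number", "key_length", "block_size",
             "pre_encryption_len", "post_encryption_len", "compressed",
             "buffer_encrypted", "encryption_time", "nonce", "reserved")
    return dict(zip(names, ENC_HDR.unpack(image[:ENC_HDR.size])))


def read_capture(image):
    """Verify, decrypt, then decompress if flagged.  Raises ValueError rather
    than returning partially decoded data on any check failure."""
    if len(image) < ENC_HDR.size + TAG_LEN:
        raise ValueError("truncated image")
    hdr, body, tag = image[:ENC_HDR.size], image[ENC_HDR.size:-TAG_LEN], image[-TAG_LEN:]
    f = header_fields(image)
    if f["algorithm"] != ALG_CTR or f["key_number"] not in KEYS or f["buffer_encrypted"] != 1:
        raise ValueError("unsupported encryption header")
    enc_key, mac_key = _subkeys(KEYS[f["key_number"]])
    if not hmac.compare_digest(tag, hmac.new(mac_key, hdr + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: file altered or wrong key")
    if len(body) != f["post_encryption_len"]:
        raise ValueError("ciphertext length mismatch")
    plain = _xor_keystream(enc_key, f["nonce"], body)
    if not f["compressed"]:
        return plain
    calg, _lvl, pre_size, post_size, _ct, _r = COMP_HDR.unpack(plain[:COMP_HDR.size])
    comp = plain[COMP_HDR.size:]
    if calg != ALG_ZLIB or len(comp) != post_size:
        raise ValueError("bad compression header")
    out = zlib.decompress(comp)
    if len(out) != pre_size:
        raise ValueError("decompressed size mismatch")
    return out


def is_rejected(image):
    """True when read_capture refuses the image (exercises the checks)."""
    try:
        read_capture(image)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    img = write_capture(SAMPLE_TRAFFIC, 1)
    assert read_capture(img) == SAMPLE_TRAFFIC
    print(header_fields(img))
```

Two points the summary leaves implicit. First, the encryption header itself is not encrypted: key number, buffer lengths, and timestamps are visible to any tool, which is why `header_fields` needs no key. Second, any analyzer that can decrypt the file must carry the key table, so whoever has that analyzer's binary can recover the keys; the scheme controls interchange among cooperating products rather than protecting the captures from a determined third party, and a real deployment would also want the authentication tag shown here, which the text does not describe.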