Communication networks are widely used today; the variety of networks includes the Internet, wide-area networks (WANs), local-area networks (LANs), telephony networks, and wireless networks. The networks operate by sending small blocks of bytes in the form of packets, which can range in size from 64 bytes up to over 1.5 thousand bytes. Often a plurality of ordered packets is required to communicate a message or data. A variety of protocols allow sequences of packets to be chained together into extended messages and/or data feeds; such flows can be separated from other messages and data feeds.
The importance of network monitoring and testing is growing, as are the requirements for related methods and equipment. Monitoring devices may be implemented within a network for monitoring communications along the network. The monitoring devices are referred to as “eavesdropping devices” or “passive probes” because they are generally not a party to the communication but are instead monitoring such communication for some reason, such as for performance monitoring of the network, or testing.
A network monitoring system may include a packet store, a specific node in the network which stores at least some of the packets that pass through the network. This approach allows data mining at a later date using a packet analyzing tool. In conventional storage systems, packets are stored in the order they are received. When a user requests a specific flow, the bulk of the stored packets are searched for the packets that belong to the requested flow. This is inefficient because the user has to deal with massive amounts of extraneous and irrelevant data, and each packet in the store is individually evaluated to determine whether it belongs to the flow of interest. Furthermore, there is no a priori way to verify the existence of a specific flow. Instead, the information store must be searched to determine the existence of the flow, which can take hours.
Accordingly, there is a need for a method for storing packets which enables easy retrieval of packets which belong to a desired flow, and for a system which implements the storing and retrieval methods.