This application relates to the following group of applications. Each application in the group relates to, and incorporates by reference, each other application in the group. The invention of each application is assigned to the assignee of this invention. The group of applications includes the following.
1. Field of the Invention
This invention relates to the field of network management. In particular, the invention relates to session reconstruction in a network environment.
2. Description of the Related Art
The Internet protocol (IP) that is widely used on the Internet does not provide a committed quality of service. Several protocols have been developed to compliment standard implementations of IP to provide varying degrees of support for committed quality of service networks.
One set of extensions is the Differentiated Services (diffserv) specified by RFC 2474 and RFC 2475, that provides for using portions of the IP header information to store information about the types of service (TOS). Another approach is the resource reservation protocol (RSVP) specified by RFCs 2205-2210. In some instances, where appropriate, the two can be used together to provide a committed quality of service over an IP network.
The provision of a committed quality of service network is distinct from the monitoring the network and billing for usage of the network. Existing network monitoring processes such as RMON2, and RMON, specified by RFC 2074 and RFC 2021 are designed to report statistics based on information available in the packet headers, e.g. source and destination address. With RMON2, this can be broken down on a per port basis. The granularity of the reports depends on the sampling of the RMON trace. The returned statistics are basic measures of number of bytes and number of packets.
Netflow((trademark)), from Cisco Corporation, San Jose, Calif., adds to these abilities by providing measures based on the terms of service, e.g. diffserv style flag, and the IP port used. Similarly, Firewall-1((trademark)) and Floodgate-1((trademark)) from Check Point Software Technologies, Ramat Gan, Israel, offers a similar set of features to Netflow((trademark)). Both Netflow((trademark)) and Firewall-1 ((trademark))/Floodgate-1((trademark)) focus on reporting per flow statistics.
Previous techniques do not support quality of service related evaluation of network usage. Previous systems do not allow for reconstructing sessions, where each session may be comprised of multiple flows. Previous systems do not provide for application specific event monitoring. Previous systems to not handle large volumes of data received over different network devices well. Accordingly, what is needed is a session reconstruction system that supports measuring quality of service, reconstruction of sessions that include multiple flows, application specific event monitoring within flows, and distributed session reconstruction.
A system, method and computer program product are provided for gathering statistics associated with a network session. Initially, a plurality of packets is received at a plurality of analyzers. Such packets are analyzed to identify a plurality of flows. Further identified are a session associated with the plurality of flows and at least one application associated with the session. The session is then reconstructed utilizing the identified application for analysis purposes. A plurality of statistics associated with the session is then gathered based on the analysis.