1. Field of the Invention
The present invention relates generally to computer networks, and more particularly but not exclusively to monitoring of computer network traffic.
2. Description of the Background Art
Computer viruses, worms, Trojans, and spyware are examples of malicious codes that have plagued computer systems throughout the world. Although there are technical differences between each type of malicious code, malicious codes are commonly collectively referred to as “viruses.”
Various antivirus products for protecting a computer network from viruses are commercially available. These antivirus products may be implemented in software, hardware, or combination of both. When an antivirus product finds a virus in data transmitted over the network, the antivirus product needs to identify the computer that originally transmitted the data. This way, the network administrator or some alerting mechanism may be notified of the possibly infected computer for virus scanning and removal or other remedial step.
If the infected computer is behind a Network Address Translation (NAT) server, identification of the infected computer is problematic because the NAT server does not use the infected computer's IP address when communicating with computers on the other side of the NAT server. Therefore, a traffic monitor working with an antivirus product on the other side of the NAT server will not be able to particularly identify the infected computer. Moving the traffic monitor on the same side of the NAT server as the infected computer does not really address the issue because there may be more than one NAT server in the network. That is, this approach will require multiple traffic monitors when employed in computer networks with multiple NAT servers.
A NAT server maintains a NAT table for keeping track of computer communication sessions. A traffic monitor may get a copy of the NAT table to identify the infected computer. A problem with this approach is that some NAT tables are maintained using a dynamic mechanism, making it difficult to trace the source of virus infected network data.