
A Method And System For Network Transaction Analysis

Abstract: An agent-based approach for network transaction analysis. The application provides a method and system for monitoring and analyzing network transactions in active mode using lightweight agents, wherein the agents are configured and implemented on each of the servers where the applications are hosted.


Patent Information

Application #:
Filing Date: 30 June 2011
Publication Number: 01-2013
Publication Type: INA
Invention Field: COMMUNICATION
Status:
Parent Application:

Applicants

TATA CONSULTANCY SERVICES LIMITED
NIRMAL BUILDING, 9TH FLOOR, NARIMAN POINT, MUMBAI 400021, MAHARASHTRA, INDIA.

Inventors

1. DEY, SURATH
TATA CONSULTANCY SERVICES BENGAL INTELLIGENT PARK, BUILDING - D PLOT NO. - A2 M2 & N2, BLOCK -EP, SALT LAKE ELECTRONICS COMPLEX, SECTOR -V, KOLKATA - 700091, WEST BENGAL, INDIA
2. TEWARI, TANMAYA
TATA CONSULTANCY SERVICES BENGAL INTELLIGENT PARK,BUILDING - D PLOT NO. -A2 M2 & N2, BLOCK -EP, SALT LAKE ELECTRONICS COMPLEX, SECTOR -V, KOLKATA - 700091, WEST BENGAL, INDIA

Specification

FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION
(See Section 10 and Rule 13)
Title of application: A METHOD AND SYSTEM FOR NETWORK TRANSACTION ANALYSIS
Applicant
TATA Consultancy Services
A company Incorporated in India under The Companies Act, 1956
Having address:
Nirmal Building, 9th Floor,
Nariman Point, Mumbai 400021,
Maharashtra, India
The following specification particularly describes the application and the manner in which it is to be performed.

FIELD OF THE APPLICATION
The present application relates to an agent-based approach for network transaction analysis. In particular, it relates to monitoring and analyzing network transactions in active mode using lightweight agents, wherein the agents are configured and implemented on each of the servers where the applications are hosted.
The present application is a modification of the application described and claimed in an earlier Indian Patent Application no. 1574/MUM/2005.
DEFINITIONS
As used in this specification, the following words are generally intended to have the meanings set forth below, except to the extent that the context in which they are used indicates otherwise.
Data Packet: Format in which data is transmitted over a network. A packet contains the data itself as well as addresses, error checking, and other information necessary to ensure the packet arrives intact at its intended destination.
TCP/IP: The Internet protocol suite is the set of communications protocols that implement the protocol stack on which the Internet and most commercial networks run. It is sometimes called the TCP/IP protocol suite, after the two most important protocols in it: the Transmission Control Protocol (TCP) and the Internet Protocol (IP).
Agent Server: the agent server is the component of the agent which binds to a predetermined, user-configurable port on the server and listens for the capture, data-pull and health-check signals sent by the monitoring server.
Agent Client: the agent client is the application-specific thread which is started for each application to be monitored on the host machine. The main function of this thread is to maintain the application-specific instance of Windump/Tcpdump and to transfer the files, as and when they are completed, to the monitoring server, which is listening on a user-configurable port.

Windump/Tcpdump: Windump/Tcpdump is the third-party utility used for packet data capture. The capture is filtered according to the parameters passed to it by the Agent Client.
BACKGROUND OF THE APPLICATION
Management of complex computing systems is one of the major challenges of the modern computing world. Efficient management requires precise network analysis and monitoring of application transactions occurring across the network. Network analysis refers to the method of monitoring the network, which can be broadly classified into two categories, active and passive monitoring. An active network analyzer is located in the node (server / desktop) itself and so affects the performance of the application being monitored, whereas a passive network analyzer is located in a separate, dedicated node and does not affect the performance of the application being monitored.
A non-intrusive method and system for monitoring on-line transactions, established at the server end, is shown in detail and claimed in the earlier Indian Patent Application no. 1574/MUM/2005 (the Main Application).
In the current scenario, passive monitoring is done using network/in-line taps and port mirroring to capture the network data. Network/in-line taps have certain drawbacks: they are extra hardware and thus incur a cost at deployment, and full-duplex communication is one of the major problems associated with them; to avoid it, two monitoring ports are needed along with channel bonding in the monitoring tool. Monitoring a larger application requires many monitoring devices/taps, as each tap provides the data of only one server. A security risk always exists in the case of shared hosting on the server. Additionally, network taps may introduce new points of failure in the network, and the network may have to be brought down temporarily while the taps are being set up.
Security risk is the major drawback associated with port mirroring. In many cases it is considered a security risk because all the network traffic to a particular machine is mirrored; this is significant in the case of a single server hosting more than one application. The switch needs to be configured and rules need to be established for each server to be monitored, and most enterprise switches do not mirror error packets, which leads to a loss of valuable diagnostic data. A switch generally has a few restricted ports which cannot be mirrored. The mirrored network traffic in some cases is unidirectional, i.e. only incoming data is available for diagnosis. Multiple ports mirrored to one port can cause buffer overflow and dropped packets.
With the objective of overcoming the problems associated with the prior art and of achieving efficient and optimized management of interconnected computing systems, it is evident that there is a need for an agent-based approach to network transaction analysis, wherein the agents can be implemented on each of the servers where the applications are hosted. There is also a need for a solution that can configure lightweight agents to capture the network data relevant to a particular application and further transfer the captured network data for monitoring and analysis, improving overall system performance and reducing the security risk.
OBJECTIVES OF THE APPLICATION
In accordance with the present application, the primary objective is to provide an agent-based approach for network transaction analysis in active mode.
Another objective of the present application is to enable a method and system for monitoring and analyzing network transactions in active mode using lightweight agents, wherein the agents are deployed on each of the servers where the applications are hosted.
Another objective of the present application is to enable a method and system for configuring lightweight agents to capture the network data relevant to a particular application.
Yet another objective of the present application is to enable a method and system for transferring the captured network data for monitoring and analysis.
Still another objective of the present application is to enable a method and system for improving overall system performance and reducing the security risk.

SUMMARY OF THE APPLICATION
Before the present methods, systems, and hardware enablement are described, it is to be understood that this application is not limited to the particular systems and methodologies described, as there can be multiple possible embodiments of the present application which are not expressly illustrated in the present disclosure. It is also to be understood that the terminology used in the description is for the purpose of describing the particular versions or embodiments only, and is not intended to limit the scope of the present application, which will be limited only by the appended claims.
The present application provides an agent-based approach for network transaction analysis in active mode.
In one aspect of the application, a method and system is provided for monitoring and analyzing network transactions in active mode using lightweight agents, wherein the agents are implemented on each of the servers where the applications are hosted. The present application also enables a method and system for configuring lightweight agents to capture the network data relevant to a particular application and further transferring the captured network data for monitoring and analysis, thus improving overall system performance and reducing the security risk.
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing summary, as well as the following detailed description of preferred embodiments, are better understood when read in conjunction with the appended drawings. For the purpose of illustrating the application, there is shown in the drawings exemplary constructions of the application; however, the application is not limited to the specific methods and system disclosed. In the drawings:
Figure 1 is a block diagram showing implementation of the agent of the present application
Figure 2 is a block diagram showing technical architecture of the present application
Figure 3 is a block diagram showing the communication path of the agent

DETAILED DESCRIPTION OF THE APPLICATION
Some embodiments of this application, illustrating all its features, will now be discussed in detail.
The words "comprising," "having," "containing," and "including," and other forms thereof, are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items.
It must also be noted that as used herein and in the appended claims, the singular forms "a," "an," and "the" include plural references unless the context clearly dictates otherwise. Although any systems and methods similar or equivalent to those described herein can be used in the practice or testing of embodiments of the present application, the preferred systems and methods are now described.
The disclosed embodiments are merely exemplary of the application, which may be embodied in various forms.
The present application provides an intrusive method according to any claim of our patent application 1574/MUM/2005 additionally characterized to analyze at least one network transaction using at least one agent (100), the said method comprising capturing network transaction data relevant to at least one application using a packet sniffer (308) and transferring the captured network transaction data to an enterprise monitoring server (108) for monitoring and analysis.
The present application provides an intrusive system to perform the method of claim 1 additionally characterized to analyze at least one network transaction using at least one agent (100), wherein the said system comprises a packet sniffer (308) for capturing and transferring the network transaction data relevant to at least one application and the enterprise monitoring server (108) for monitoring and analysis of the captured network transaction data.

Figure 1 is a block diagram showing the implementation of the agent of the present application.
In one embodiment of the application, monitoring and analysis of network transactions is done in active mode using a lightweight agent (100). The agents (100) are deployed on each of the servers where the applications are hosted. The agents (100) may be implemented on a web server (102), an application server (104) or a database server (106). The agents (100) are configured to capture the network data relevant to a particular application and to transfer the captured network data to the enterprise monitoring server (108) for monitoring and analysis, thus improving overall system performance and reducing the security risk.
The agent (100), once created, is further refined to make it lightweight so that it leaves a smaller footprint on the server on which it is deployed. Several techniques are used to make the agent (100) lightweight: a dynamic polling frequency with predefined minimum and maximum time intervals; a dedicated communication link for signals and another for file transfer, both non-blocking in nature; and an asynchronous design in which signals are responded to immediately even if the requested procedure takes time. A health-check signal is implemented to support this asynchronous behaviour, especially while stopping the data capture, as the transmission of any backlogged files can take some time. The agent (100) allows the size of the files generated by Windump/Tcpdump to be configured, because under heavy traffic the default size of 1 MB per file is too small and leads to buffer overruns and data loss.
Figure 2 is a block diagram showing the technical architecture of the present application.
In an embodiment of the application, the agent (100) is in essence a client which controls a packet sniffer (308) (shown in Figure 3) to collect the network data, stores it locally and, when needed, transfers the captured network data to the enterprise monitoring server (108) for monitoring and analysis.
Tcpdump is used on Unix and Linux, and on the Windows operating system Windump is used for data capture, as they provide a comprehensive filtering mechanism and a pre-existing program was available to convert the raw files of these utilities to the format used by the present application.
In an embodiment of the application, the TCP packet dump engine (202) dumps the TCP packets in raw format; the engine leverages the tcpdump/windump library to dump the packets. The packet filtering engine (204) filters the dumped packets according to the user inputs and dumps only the required packets in a specific file. The binary encoding engine (206) encodes the dumped file using the Unicode standard before sending the file over the network. The data compression engine (208) compresses the raw encoded TCP dump packet file before it is sent over the network, to minimize the network traffic; up to 50% compression is achieved through the algorithm used. Finally, this raw encoded compressed TCP dump file is sent periodically to the enterprise monitoring server (108) through the socket (210). The sending period can be configured by the user.
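The per-file pipeline described above (dump, filter, encode, compress, send) can be followed end to end in the added example below. It is not the patent's or TCS's code: the packet record format, the Python-side filter (the real agent delegates filtering to Windump/Tcpdump via a capture filter expression) and the frame layout are assumptions. The one thing it adds beyond the description is an explicit integrity header, since a text-safe encoding on its own does not detect corruption; the receiving side verifies the length and a SHA-256 digest before analysis.

```python
"""Agent-side pipeline for one dump file, plus the monitoring-server side that
undoes it. Added illustration, not the patent's implementation."""
import base64
import binascii
import hashlib
import json
import struct
import zlib

# Constructed packet records: (src_port, dst_port, payload). The third record
# belongs to a different application and must be filtered out.
SAMPLE_PACKETS = [
    (51000, 8080, b"GET /orders HTTP/1.1\r\nHost: app\r\n\r\n"),
    (8080, 51000, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    (51001, 5432, b"Q\x00\x00\x00\x1aSELECT 1;\x00"),
    (51002, 8080, b"POST /login HTTP/1.1\r\n\r\nuser=a&pass=b"),
]


def bpf_filter_for_app(port: int) -> str:
    """Capture filter an agent client would hand to tcpdump/windump for one application."""
    return f"tcp port {port}"


def filter_packets(packets, app_port):
    """Packet filtering engine (204), modelled in Python so the stage runs offline."""
    return [p for p in packets if app_port in (p[0], p[1])]


def dump_raw(packets) -> bytes:
    """TCP packet dump engine (202): records as length-prefixed raw bytes (assumed format)."""
    out = bytearray()
    for src, dst, payload in packets:
        out += struct.pack("!HHI", src, dst, len(payload)) + payload
    return bytes(out)


def build_frame(raw: bytes) -> bytes:
    """Compression engine (208) then encoding engine (206), prefixed by an integrity
    header (assumption added here). Compress first so the text-safe encoding covers
    the smaller compressed bytes."""
    compressed = zlib.compress(raw, 9)
    header = {"raw_len": len(raw), "sha256": hashlib.sha256(raw).hexdigest()}
    return json.dumps(header).encode() + b"\n" + base64.b64encode(compressed) + b"\n"


def parse_frame(frame: bytes) -> bytes:
    """Monitoring-server side: decode, decompress and verify before any analysis."""
    header_line, body, _ = frame.split(b"\n", 2)
    header = json.loads(header_line)
    try:
        raw = zlib.decompress(base64.b64decode(body))
    except (zlib.error, binascii.Error) as exc:
        raise ValueError("dump file corrupted in transit") from exc
    if len(raw) != header["raw_len"] or hashlib.sha256(raw).hexdigest() != header["sha256"]:
        raise ValueError("dump file corrupted in transit")
    return raw


def verify_frame(frame: bytes) -> bool:
    """True when the frame decodes and its integrity header matches."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def parse_dump(raw: bytes):
    """Inverse of dump_raw, so the server can iterate the records again."""
    packets, off = [], 0
    while off < len(raw):
        src, dst, n = struct.unpack_from("!HHI", raw, off)
        off += 8
        packets.append((src, dst, raw[off:off + n]))
        off += n
    return packets


if __name__ == "__main__":
    kept = filter_packets(SAMPLE_PACKETS, 8080)
    frame = build_frame(dump_raw(kept))
    print(bpf_filter_for_app(8080), "->", len(kept), "packets,", len(frame), "bytes on the wire")
    print("round trip ok:", parse_dump(parse_frame(frame)) == kept)
```

On very small inputs such as the sample here the compressed-then-encoded frame is larger than the raw dump; the 50% figure in the text applies to real capture files of the configured size, where repetitive headers compress well.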
Figure 3 is a block diagram showing the communication path of the agent.
The agent (100) is configured to monitor more than one application per server using a multithreaded approach. The agent is divided into three parts. First, the agent server (304) is the component of the agent that binds to a predetermined, user-configurable port on the server and listens for the capture, data-pull and health-check signals sent by the monitoring server. Second, the agent client (306) is the application-specific thread which is started for each application to be monitored on the host machine; the main function of this thread is to maintain the application-specific instance of Windump/Tcpdump and to transfer the files, as and when they are completed, to the monitoring server, which is listening on a user-configurable port. Third, Windump/Tcpdump (not shown in the figure) is the third-party utility used for packet data capture; the capture is filtered according to the parameters passed to it by the agent client (306). The windump/tcpdump utilities are third-party packages and do not provide any method of signalling that a new file has been generated; they simply append an incrementing numerical index to the original file name provided to them, and the next file is generated only when the previous file has been completely written. This feature is used to determine which file to transmit: each time the next file is found, the previous file is transmitted.

This approach allows one instance of the agent server (304) to be maintained, while new instances of the agent client (306) are started, as per the monitoring requirements, for each new application to be monitored. The agent server (304) is communicatively coupled with the network analysis tool (302) in both directions. The agent client (306) is communicatively coupled with the network analysis tool (302) in one direction. A packet sniffer (308) is communicatively coupled with the agent client (306).
To minimize disk utilization on the application server, the default setting of the agent (100) is to transmit the files to the enterprise monitoring server (108) as and when they are generated. The agent client (306) keeps polling the working directory of the agent for new files generated by the Windump/Tcpdump utility. The polling has a defined maximum and minimum time period, and the polling frequency changes dynamically depending on how frequently files are found. Once transmitted, the local copy of the file is deleted, thus conserving local disk space. This is a trade-off the user has to consider: lower local disk space usage or lower network usage during the data capture. A certain amount of data loss and corruption was noticed in some of the files transmitted from the application server (104) to the enterprise monitoring server (108), due to loss during the transmission of binary data. To overcome the problem, the file transfer logic was enhanced to use Base64 encoding and decoding to ensure data integrity during transfer.
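The two behaviours of the agent just described, the control signals handled by the agent server (304) and the rotation-driven file shipping done by the agent client (306), are worked through in the added example below. It is not the patent's or TCS's code. Assumptions: a one-line signal protocol (CAPTURE, STOP, PULL, HEALTH) whose lines carry an HMAC tag under a shared secret, so that an unauthenticated host cannot start or stop captures through a port that is open on every application server; a simulated backlog of three files on STOP; tcpdump-style rotated names (base, base1, base2, ...); and a `transfer` callback that returns only once the monitoring server holds the bytes.

```python
"""Agent server signal handling and agent client rotation polling (added example)."""
import hashlib
import hmac
import re
import tempfile
import threading
import time
from pathlib import Path


def sign(secret: bytes, cmd: str, *args: str) -> str:
    """Signal line: '<hmac-sha256 tag> <cmd> <args...>' (authentication is an assumption)."""
    msg = " ".join((cmd,) + args)
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest() + " " + msg


class SignalHandler:
    """Agent server (304): every signal is answered at once; a STOP with files still
    queued is drained by a background thread and HEALTH reports its progress."""

    def __init__(self, secret: bytes, drain_seconds: float = 0.01):
        self.secret, self.drain_seconds = secret, drain_seconds
        self.apps = {}            # app -> {"status": str, "backlog": int}
        self.lock = threading.Lock()
        self.drains = {}          # app -> Thread

    def handle(self, line: str) -> str:
        parts = line.split()
        if len(parts) < 2:
            return "ERR malformed"
        tag, cmd, args = parts[0], parts[1], parts[2:]
        expected = hmac.new(self.secret, " ".join([cmd] + args).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return "ERR unauthenticated"
        if cmd == "HEALTH":
            with self.lock:
                report = ";".join(f"{a}={s['status']}/backlog={s['backlog']}"
                                  for a, s in sorted(self.apps.items()))
            return "OK " + (report or "idle")
        if not args:
            return "ERR missing app"
        app = args[0]
        if cmd == "CAPTURE":
            with self.lock:
                self.apps[app] = {"status": "capturing", "backlog": 0}
            return f"OK capturing {app}"
        if cmd == "STOP":
            with self.lock:
                if app not in self.apps:
                    return f"ERR unknown app {app}"
                self.apps[app] = {"status": "stopping", "backlog": 3}   # constructed backlog
            t = threading.Thread(target=self._drain, args=(app,), daemon=True)
            self.drains[app] = t
            t.start()
            return f"OK stopping {app} backlog=3"      # reply now, transfer continues
        if cmd == "PULL":
            with self.lock:
                return f"OK pull {app} queued={self.apps.get(app, {}).get('backlog', 0)}"
        return f"ERR unknown signal {cmd}"

    def _drain(self, app: str) -> None:
        while True:
            time.sleep(self.drain_seconds)        # stands in for shipping one file
            with self.lock:
                self.apps[app]["backlog"] -= 1
                if self.apps[app]["backlog"] <= 0:
                    self.apps[app]["status"] = "stopped"
                    return

    def wait_drained(self, app: str, timeout: float = 5.0) -> bool:
        t = self.drains.get(app)
        if t:
            t.join(timeout)
        return t is not None and not t.is_alive()


class RotationPoller:
    """Agent client (306): a rotated file is complete once a higher-indexed one exists."""

    def __init__(self, workdir, base, transfer, min_interval=1.0, max_interval=30.0):
        self.workdir, self.base, self.transfer = Path(workdir), base, transfer
        self.min_interval, self.max_interval = min_interval, max_interval
        self.interval = max_interval                    # start slow, speed up on activity
        self._pattern = re.compile(re.escape(base) + r"(\d*)$")

    def _indexed_files(self):
        found = {}
        for p in self.workdir.iterdir():
            m = self._pattern.fullmatch(p.name)
            if m:
                found[int(m.group(1) or 0)] = p     # unsuffixed first file is index 0
        return found

    def _ship(self, index, path):
        self.transfer(index, path.read_bytes())
        path.unlink()                               # delete only after the transfer returned

    def poll(self):
        files, shipped = self._indexed_files(), []
        if files:
            newest = max(files)
            for i in sorted(i for i in files if i < newest):
                self._ship(i, files[i])
                shipped.append(i)
        # Dynamic polling frequency within the configured bounds.
        self.interval = (max(self.min_interval, self.interval / 2) if shipped
                         else min(self.max_interval, self.interval * 2))
        return shipped

    def flush(self):
        """On capture stop the newest file is complete as well; ship everything left."""
        files = self._indexed_files()
        return [i for i in sorted(files) if self._ship(i, files[i]) is None]


def demo_poller() -> dict:
    """Drive the poller against constructed files in a temporary working directory."""
    received = {}
    with tempfile.TemporaryDirectory() as d:
        poller = RotationPoller(d, "app.pcap", lambda i, b: received.__setitem__(i, b), 1.0, 8.0)
        Path(d, "app.pcap").write_bytes(b"file0")
        r1 = poller.poll()                          # only the file being written: nothing shipped
        Path(d, "app.pcap1").write_bytes(b"file1")
        r2 = poller.poll()                          # file 0 is now complete
        Path(d, "app.pcap2").write_bytes(b"file2")
        Path(d, "app.pcap3").write_bytes(b"file3")
        r3, r4 = poller.poll(), poller.flush()
        left = sorted(p.name for p in Path(d).iterdir())
    return {"rounds": [r1, r2, r3, r4], "received": received, "interval": poller.interval, "left": left}


if __name__ == "__main__":
    h = SignalHandler(b"secret-from-properties-file")   # constructed secret
    for msg in (sign(h.secret, "CAPTURE", "orders"), sign(h.secret, "STOP", "orders"),
                sign(h.secret, "HEALTH")):
        print(h.handle(msg))
    h.wait_drained("orders")
    print(h.handle(sign(h.secret, "HEALTH")), demo_poller())
```

The server side here is the pure signal logic; a real agent server would read one such line per connection on its configured port, and binding that port to a management interface rather than all interfaces keeps the control surface off the application network.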
The methodology and techniques described with respect to the exemplary embodiments can be performed using a machine or other computing device within which a set of instructions, when executed, may cause the machine to perform any one or more of the methodologies discussed above. In some embodiments, the machine operates as a standalone device. In some embodiments, the machine may be connected (e.g., using a network) to other machines. In a networked deployment, the machine may operate in the capacity of a server or a client user-machine in a server-client user network environment, or as a peer machine in a peer-to-peer (or distributed) network environment.
The machine may comprise a server computer, a client user computer, a personal computer (PC), a tablet PC, a laptop computer, a desktop computer, a control system, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while a single machine is illustrated, the term "machine" shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
The machine may include a processor (e.g., a central processing unit (CPU), a graphics processing unit (GPU), or both), a main memory and a static memory, which communicate with each other via a bus. The machine may further include a video display unit (e.g., a liquid crystal display (LCD), a flat panel, a solid state display, or a cathode ray tube (CRT)). The machine may include an input device (e.g., a keyboard) or touch-sensitive screen, a cursor control device (e.g., a mouse), a disk drive unit, a signal generation device (e.g., a speaker or remote control) and a network interface device.
The disk drive unit may include a machine-readable medium on which is stored one or more sets of instructions (e.g., software) embodying any one or more of the methodologies or functions described herein, including those methods illustrated above. The instructions may also reside, completely or at least partially, within the main memory, the static memory, and/or within the processor during execution thereof by the machine. The main memory and the processor also may constitute machine-readable media.
Dedicated hardware implementations including, but not limited to, application specific integrated circuits, programmable logic arrays and other hardware devices can likewise be constructed to implement the methods described herein. Applications that may include the apparatus and systems of various embodiments broadly include a variety of electronic and computer systems. Some embodiments implement functions in two or more specific interconnected hardware modules or devices with related control and data signals communicated between and through the modules, or as portions of an application-specific integrated circuit. Thus, the example system is applicable to software, firmware, and hardware implementations.
In accordance with various embodiments of the present disclosure, the methods described herein are intended for operation as software programs running on a computer processor. Furthermore, software implementations, including but not limited to distributed processing or component/object distributed processing, parallel processing, or virtual machine processing, can also be constructed to implement the methods described herein.

The present disclosure contemplates a machine readable medium containing instructions, or that which receives and executes instructions from a propagated signal so that a device connected to a network environment can send or receive voice, video or data, and to communicate over the network using the instructions. The instructions may further be transmitted or received over a network via the network interface device.
While the machine-readable medium can be a single medium, the term "machine-readable medium" should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term "machine-readable medium" shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present disclosure.
The term "machine-readable medium" shall accordingly be taken to include, but not be limited to: tangible media; solid-state memories such as a memory card or other package that houses one or more read-only (non-volatile) memories, random access memories, or other re-writable (volatile) memories; magneto-optical or optical medium such as a disk or tape; non-transitory mediums or other self-contained information archive or set of archives is considered a distribution medium equivalent to a tangible storage medium. Accordingly, the disclosure is considered to include any one or more of a machine-readable medium or a distribution medium, as listed herein and including art-recognized equivalents and successor media, in which the software implementations herein are stored.
The illustrations of arrangements described herein are intended to provide a general understanding of the structure of various embodiments, and they are not intended to serve as a complete description of all the elements and features of apparatus and systems that might make use of the structures described herein. Many other arrangements will be apparent to those of skill in the art upon reviewing the above description. Other arrangements may be utilized and derived therefrom, such that structural and logical substitutions and changes may be made without departing from the scope of this disclosure. Figures are also merely representational and may not be drawn to scale. Certain proportions thereof may be exaggerated, while others may be minimized. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.

The preceding description has been presented with reference to various embodiments. Persons skilled in the art and technology to which this application pertains will appreciate that alterations and changes in the described structures and methods of operation can be practiced without meaningfully departing from the principle, spirit and scope.
ADVANTAGES OF THE INVENTION
• Lightweight, with a negligible footprint, allowing active analysis.
• Filtering option to capture the data of a particular application.
• Only the executable needs to be placed on the server and the properties file updated to start data capture and analysis.
• Once started, it does not need any maintenance or monitoring; it can be controlled from the remote monitoring server.

WE CLAIM
1. An intrusive method according to any claim of our patent application 1574/MUM/2005 additionally characterized to analyze at least one network transaction using at least one agent (100), the said method comprising capturing network transaction data relevant to at least one application using a packet sniffer (308) and transferring the captured network transaction data to an enterprise monitoring server (108) for monitoring and analysis.
2. The method as claimed in claim 1, wherein capturing the said network transaction data relevant to at least one application using a said packet sniffer (308) comprising:
a. dumping the TCP packet in raw format TCP using a packet dump engine (202);
b. filtering the dumped packets according to the user preferences using a packet filtering engine (204);
c. encoding the dumped and filtered file standard using a binary encoding engine (206);
d. compressing the encoded file using a data compression engine (208); and
e. sending the compressed file to the enterprise monitoring server (108) through socket (210).
3. The method as claimed in claim 1, wherein the said agent (100) is a light weight agent.
4. The method as claimed in claim 1, wherein the said agent (100) is implemented on each of the location in the network where the said transaction application is hosted.
5. An intrusive system to perform the method of claim 1 additionally characterized to analyze at least one network transaction using at least one agent (100), wherein the said system comprises a packet sniffer (308) for capturing and transferring the network transaction data relevant to at least one application and an enterprise monitoring server (108) for monitoring and analysis of the captured network transaction data.

6. The system as claimed in claim 5, wherein capturing the said network transaction data relevant to at least one application using a said packet sniffer (308) comprising of:
a. a packet dump engine (202) adapted to dump the TCP packet in raw format TCP;
b. a packet filtering engine (204) adapted to filter the dumped packets according to the user preferences;
c. a binary encoding engine (206) adapted to encode the dumped and filtered file standard;
d. a data compression engine (208) adapted to compress the encoded file; and
e. a socket (210) adapted to send through the compressed file to the enterprise monitoring server (108).

Documents

Application Documents

# Name Date
1 1893-MUM-2011-RELEVANT DOCUMENTS [28-09-2023(online)].pdf 2023-09-28
2 1893-MUM-2011-RELEVANT DOCUMENTS [30-09-2022(online)].pdf 2022-09-30
3 1893-MUM-2011-RELEVANT DOCUMENTS [25-09-2021(online)].pdf 2021-09-25
4 1893-MUM-2011-IntimationOfGrant16-03-2020.pdf 2020-03-16
5 1893-MUM-2011-PatentCertificate16-03-2020.pdf 2020-03-16
6 1893-MUM-2011-Written submissions and relevant documents [04-03-2020(online)].pdf 2020-03-04
7 1893-MUM-2011-Response to office action [18-02-2020(online)].pdf 2020-02-18
8 1893-MUM-2011-Correspondence to notify the Controller [14-02-2020(online)].pdf 2020-02-14
9 1893-MUM-2011-FORM-26 [14-02-2020(online)].pdf 2020-02-14
10 1893-MUM-2011-HearingNoticeLetter-(DateOfHearing-18-02-2020).pdf 2020-01-24
11 1893-MUM-2011-CLAIMS [25-04-2019(online)].pdf 2019-04-25
12 1893-MUM-2011-COMPLETE SPECIFICATION [25-04-2019(online)].pdf 2019-04-25
13 1893-MUM-2011-FER_SER_REPLY [25-04-2019(online)].pdf 2019-04-25
14 1893-MUM-2011-OTHERS [25-04-2019(online)].pdf 2019-04-25
15 1893-MUM-2011-FER.pdf 2018-10-29
16 1893-mum-2011-abstract.pdf 2018-08-10
17 1893-mum-2011-claims.pdf 2018-08-10
18 1893-MUM-2011-CORRESPONDENCE(26-7-2011).pdf 2018-08-10
19 1893-mum-2011-correspondence.pdf 2018-08-10
20 1893-mum-2011-description(complete).pdf 2018-08-10
21 1893-mum-2011-drawing.pdf 2018-08-10
22 1893-MUM-2011-FORM 1(26-7-2011).pdf 2018-08-10
23 1893-mum-2011-form 1.pdf 2018-08-10
24 1893-mum-2011-form 18.pdf 2018-08-10
25 1893-mum-2011-form 2(title page).pdf 2018-08-10
26 1893-mum-2011-form 2.pdf 2018-08-10
27 1893-mum-2011-form 3.pdf 2018-08-10
28 ABSTRACT1.jpg 2018-08-10

Search Strategy

1 Untitleddocument-GoogleDocs_11-10-2018.pdf