FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION
(See Section 10 and Rule 13)
Title of invention: A Non Intrusive Method and System to Monitor On-Line Application Transaction
Applicant
TATA Consultancy Services
A company Incorporated in India under The Companies Act, 1956
Having address:
Nirmal Building, 9th Floor,
Nariman Point, Mumbai 400021,
Maharashtra, India
The following specification particularly describes the invention and the manner in which it is to be performed.

FIELD OF THE INVENTION
The present invention relates to monitor on-line application transaction occurring on user's computer. More particularly the invention relates to monitor on-line application transaction occurring on user's computer without an intrusion.
The present invention is an improvement in or a modification of the invention described and claimed in an earlier Indian Patent Application no. 1574/MUM/2005.
DEFINITIONS
As used in this specification the following words are generally intended to have a meaning as set forth below, except to the extent that the context in which they are used indicate otherwise.
Data Packet: Format in which data is transmitted over a network. A packet contains the data itself as well as addresses, error checking, and other information necessary to ensure the packet arrives intact at its intended destination.
TCP/IP: The Internet protocol suite is the set of communications protocols that implement the protocol stack on which the Internet and most commercial networks run. It is sometimes called the TCP/IP protocol suite, after the two most important protocols in it: the Transmission Control Protocol (TCP) and the Internet Protocol (IP).
Non-intrusive Application: In the process of measurement, there is no overhead whatsoever to the application whose performance is being monitored by Present invention. In traditional hub based Ethernet Systems a packet on the network is received by all hosts on the same network. The packet is accepted by the host it is destined to and other hosts discard it. However any "other" host can enable the promiscuous mode in its network card, so that it can also read packets that are not destined to it. System of the present invention enables the promiscuous mode on the network card. So if system of the present invention and the application server reside on the same Ethernet hub network, system of the present invention can see any packet destined to and originating from the server. In a switched Ethernet Network port mirroring needs to be enabled to allow system of the present invention to capture packets destined to and originating from the application server. System of the present invention does not do any active communication over the network - i.e. it does not send any packets on the network. It also does not have any component or agent running on any of the application servers. That is why system of the present invention is non-intrusive.

BACKGROUND OF THE INVENTION
Management of interconnected intelligent computing systems has become the one of the core functions of the modern computing world. Efficient management postulate precise monitoring of transaction occurring over the network. Further, it is required to monitor on-line application transaction occurring on user's computer without an intrusion.
A non intrusive method and system to monitor on-line transaction, which is established at the server end is shown in detail and claimed in an earlier Indian Patent Application no. 1574/MUM/2005 of common ownership.
Though the non intrusive method and system to monitor on-line transaction established at the server end records request-response transactions that are visible from the server end, but such server end monitoring is unable to determine the unique user transactions because it is possible that the server side perceive the same internet protocol address for more than one user. Another disadvantage of using server end monitoring of on-line transaction is that the response time computation is an approximation, because the round trip time which is used to calculate response time is measured as an average of the round trip time samples of packets from server to client. It is also difficult to deduce which transactions are part of a web page using the non intrusive method and system to monitor on-line transaction established at the server, only the client or a user has this information.
To achieve efficient and optimized management of interconnected computing systems it is evident that there is a need to have the non intrusive method and system to monitor on-line transaction, which can be established at the user's end and which can characterize end user behavior accurately, including transaction patterns and think times. There is also a need for a solution that can provide a method and system that can measure the end user experience including response time and page response time accurately.
OBJECTIVES OF THE INVENTION
In accordance with the present invention, the primary objective is to provide an improved non-intrusive method and system for monitoring on-line application transaction occurring on user's computer.
Another objective of the present invention is to provide an improved non-intrusive method and system for monitoring on-line application transaction that can characterize end user behavior by measuring transaction patterns and time taken by the user.

Another objective of the present invention is to provide an improved non-intrusive method and system for monitoring on-line application transaction that can determine user experience by measuring transaction response time and the web page response time.
SUMMARY OF THE INVENTION
Before the present methods, systems, and hardware enablement are described, it is to be understood that this invention in not limited to the particular systems, and methodologies described, as there can be multiple possible embodiments of the present invention which are not expressly illustrated in the present disclosure. It is also to be understood that the terminology used in the description is for the purpose of describing the particular versions or embodiments only, and is not intended to limit the scope of the present invention which will be limited only by the appended claims.
The present invention provides a non intrusive method and system implemented at the user's computer to monitor application transaction occurring on user's computer.
In one aspect of the invention the end user behavior is characterized by measuring the transaction patterns and time taken by the user.
In another aspect of the invention the user experience is determined by measuring transaction response time and web page response time.
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing summary, as well as the following detailed description of preferred embodiments, are better understood when read in conjunction with the appended drawings. For the purpose of illustrating the invention, there is shown in the drawings exemplary constructions of the invention; however, the invention is not limited to the specific methods and system disclosed. In the drawings:
Figure 1 is a block diagram showing architecture of the present Invention.
DETAILED DESCRIPTION OF THE INVENTION
Some embodiments of this invention, illustrating all its features, will now be discussed in detail.
The words "comprising," "having," "containing," and "including," and other forms thereof, are intended to
be equivalent in meaning and be open ended in that an item or items following any one of these words is

not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items.
It must also be noted that as used herein and in the appended claims, the singular forms "a," "an," and
"the" include plural references unless the context clearly dictates otherwise. Although any systems and
methods similar or equivalent to those described herein can be used in the practice or testing of
embodiments of the present invention, the preferred, systems and methods are now described.
The disclosed embodiments are merely exemplary of the invention, which may be embodied in various
forms.
Referring to Figure 1 is a block diagram showing architecture of the present Invention. In order to ensure that the performance of critical systems, applications and websites are monitored to precision, it is necessary to have a method and system at the user's end, to collect application packets from the network, non-intrusively. The application monitoring tool captures packets at a high rate for further analysis of the data and provides a detailed view of application performance.
In one embodiment of the invention, a Packet Dumper (1) passively listens to the network interface. The Packet Dumper (1) takes the application details namely the IP address and port, as inputs. Every incoming packet is then matched to see whether it belongs to the application based on this input. Every matching packet is then dumped into a file. A new such file is created & the current file is closed every two minutes or whenever the file size exceeds a certain specified limit whichever is earlier. The location of the current file is then pushed into a Queue (3).
In another embodiment of the invention, a binary packet files (2) store the all the application related packets that have been captured by the Packet dumper (1) thread. These binary packet files (2) then serve as input for a Packet Analyzer (4). They can also be saved by a user who has captured packet data from a remote environment.
In another embodiment of the invention, an In Memory First in First out (FIFO) Queue (3) queue is used to hold information regarding packet dump files read for analysis but not yet processed by the Packet Analyzer (4). When the Packet Dumper (1) thread closes a packet dump file, the information regarding its location is en-queued at the head of this queue. The Packet Analyzer (4) de queues information from the queue and reads the location of the next packet dump file to be processed.
In another embodiment of the invention, the Packet Analyzer (4) determines the next packet dump file to be processed from the in memory FIFO Queue (3). The Packet Analyzer (4) maintains state variables for every open TCP connection in the form of a connection data structure. The Packet Analyzer (4) then

opens the packet dump file. For each packet encountered the Packet Analyzer (4) will try to match it to an existing connection. If no connection structure exists for the connection a new connection structure is allocated and the current packet is then processed against that connection. The state variables of that connection are updated accordingly. Based on the current state of the connection and the packet type it is classified as a request packet or a reply packet. A transaction data structure is created when the first request packet is encountered after making a new connection or after reply packet of a previous transaction. The transaction is printed after it is determined that the last reply packet belonging to the transaction has been sent. This happens when the TCP connection is torn down or a request packet belonging to the same connection is encountered. The transactions encountered in every packet dump file are then written into a corresponding output file.
In another embodiment of the invention, the Packet Analyzer (4) prints an Output & Statistics File (5), which is the analyzed information per transaction in the transaction data output files. There is one output file (5) per packet dump file. Each row in the packet dump file corresponds to performance details like response time of a single transaction. The Statistics File (5) is also printed by the Packet Analyzer (4). Each row in the Statistics file (5) contains aggregate application statistics like active connections, requests, replies, bytes in and bytes out. Consecutive rows in the Statistics file (5) correspond to consecutive time intervals of a given duration.
In another embodiment of the invention, an Application (9) is a user's computer which is being monitored by system of the present invention. As requests are serviced by the application (9) the packets belonging to each transaction are captured by the Packet Dumper (1), which is then stored to a packet dump file.
In another embodiment of the invention, a web browser has to execute multiple HTTP transactions to construct a web page. A Page Signature File (6) will have the URL of the first HTTP request that is fired for every page. This can be used for identifying all the HTTP transactions that are part of a page.
In yet another embodiment of the invention, the Page signature file (6) is provided as input to a Page Response Time calculator (7). The Page Response Time Calculator (7) continuously reads the output files. It takes as input the location of the Page Signature File (6) on startup and reads all the contents. Using information from the page signature file it groups all the HTTP transactions in the output files into web pages and calculates the page response times based on the start times and the response times of all the HTTP transactions within the group.
In still another embodiment of the invention, output of the Page Response Time calculator (7) is sent to an External Database (8) that is preconfigured.

The preceding description has been presented with reference to various embodiments of the invention. Persons skilled in the art and technology to which this invention pertains will appreciate that alterations and changes in the described structures and methods of operation can be practiced without meaningfully departing from the principle, spirit and scope of this invention.

WE CLAIM
1. A non intrusive method according to any claim of our patent application 1574/MUM/2G05
additionally characterized to monitor on-line application transaction occurring on user's computer,
wherein the said method is implemented at the user's computer, the said method comprising:
a. identifying application transactions based on packet data captured on the network for any
online TCP/IP based application running on the user's desktop;
b. determining the application transaction response time;
c. segregating the said transaction response time into processing time and network
response time;
d. determining the time spent by the client in sending a request message to the server;
e. segregating the said time into client and network time and server delay;
f. reporting the transaction request and its performance details; and
g. storing the application transaction details.
2. A method as claimed in claim 1, wherein the end user behavior is characterized by measuring transaction patterns and time taken by the user.
3. A method as claimed in claim 1, wherein the user experience is determined by measuring transaction response time and web page response time.
4. A non intrusive system to perform the method of claim 1 additionally characterized to monitor online application transaction occurring on user's computer, wherein the said system is implemented at the user's computer by:
a. packet dumper identifying application transactions based on packet data captured on the
network for any online TCP/IP based application running on the user's desktop;
b. packet analyzer determining the application transaction response time;
c. packet analyzer segregating the said transaction response time into processing time and
network response time;
d. packet analyzer determining the time spent by the client in sending a request message to
the server;
e. packet analyzer segregating the said time into client and network time and server delay;
f. packet analyzer reporting the transaction request and its performance details; and
g. preconfigured external database storing the application transaction details.