,
`
`. -
`a
`a a
`
`.
`
`.
`
`.
`
`
`
`W
`J
`t I-
`
`US. DEPT. OF COMMJPAT. & -
`
`PARTS OF APPLICATION
`FILED SEPARATELY
`NOTICE OF ALLOWANCE MAI-.ED
`
`ISSUE FEE
`Amount Due
`
`I Date Paid ,. I I,
`
`Label
`Area
`
`PTO-436A
`Rev. 8/92)
`
`Assistant Examiner
`
`I
`
`WARNING: The information disclosed herein may be restricted. Unauthorized dlscli
`-
`by the United States Code Title 35, Sections 122, 181 and 3C-
`Patent & Trademark Office is restricted to authorized employs!
`
`Petitioners' EX1018 Page 1
`
`

`
`riign priority claimed
`USC 119 conditions met
`
`yes
`yes
`/ Z t q & >
`rllied and Acknowledged Examiner's initials
`
`-
`
`'S OF APPLICATION
`1 SEPARATELY
`
`~
`
`I
`
`US. DEPT. Of COMMrPat. I TM Office- PT0436L (rev. 10-76
`I
`I
`1
`Microfiche
`AppeTldix
`6 E m i c r o f i c h e
`IC1 Dag=
`
`~
`
`1 -
`
`I
`
`r
`
`.
`
`
`
`CE OF ALLOWANCE MAILED
`
`PREPARED FOR ISSUE B
`I Docket Clerk
`
`CLAIMS ALLOWED
`Total Claims
`Print Claim
`
`Assistant Examiner
`
`Date Paid I
`
`ISSUE FEE
`
`it Due
`
`Sheets Drwg.
`
`DRAWING
`Figs. Drwg.
`
`Print Fig.
`
`Class
`
`Prlmarv Examine1
`ISSUE CLASSIFICATION
`Subclass
`
`ISSUE
`BATCH
`YUMBER
`
`Label
`Area
`
`WARNING: The information disclosed herein may be restricted. Unauthorized disclosure may be
`prohibited by the United States Code Title 35, Sections 122, 181 and 368.
`Possession outside the U.S. Patent & Trademark Office is restricted to authorized employees
`and contractors only.
`
`Petitioners' EX1018 Page 2
`
`

`
`B A R CODE L ABEL
`
`I llllll llllll Ill1 lllll lllll lllll lllll lllll11111111
`
`IAL NUMBtR
`
`07/76 1 , 269
`
`L
`
`U.S. PATENT APPLICATION
`
`09/ 1719 1
`
`395
`
`2306
`
`F O R E I G N F I L I N G L I C E N S E GRANTED 1 2 / 0 7 / 9 1
`
`-ATE OR
`COUNTRY
`
`SHEETS
`DRAW I NG
`
`TOTAL
`CLAIMS
`
`INDEPENDENT
`CLAIMS
`
`8
`
`MA
`
`38
`
`I
`I 30
`D A V I D L. F E I G E N B A U M
`F I S H & R I C H A R D S O N
`225 F R A N K L I N S T .
`BOSTON, MA 02110-2804
`
`NETWORK M O N I T O R I N G
`
`1
`2
`
`W
`
`W 6
`H I-
`
`This is to certify that annexed hereto is a true copy from the records of the United States
`Patent and Trademark Office of the application as originally filed which is identified above.
`By authority of the
`COMMISSIONER OF PATENTS AND TRADEMARKS
`
`Date
`
`Certifvina Officer
`
`Petitioners' EX1018 Page 3
`
`

`
`- _
`
`Entered
`or
`Counted
`
`CONTENTS
`
`Reoeiwd
`or
`MBiIed
`
`6.
`7.
`
`8.
`
`l?. -
`18. -
`
`Y
`
`C " " '
`
`
`
`Y
`
`" " "
`
`j
`
`'
`
`,
`
`l m
`
`-
`27. -
`
`.w
`
`30.
`i 1 --- 31. --
`
`' , I " '
`
`' ' I '
`
`"
`
`I "
`
`I
`
`.
`
`
`
`yr
`
`Petitioners' EX1018 Page 4
`
`

`
`PATENT AfV'LlCATloN
`
`3
`
`I
`
`'
`
`08505083.
`
`\ CONTENTS
`
`~
`
`APPROVED FOR LICENSE
`/ .
`IN1lIAI.S
`
`~
`
`Dafe
`Received
`'qr Mailed
`
`Petitioners' EX1018 Page 5
`
`

`
`1
`
`BOSTON
`(1916-1969)
`
`FREDERICK P. FISH
`(1855-1930)
`W.K. RICHARDSON
`(1858- 1951)
`
`F I S H & R I C H A R D S O N
`2 2 5 F R A N K L I N S T R E E T
`B O S T O N , M A S S A C H U S E T T S 0 2 I I O - 2 8 0 4
`
`TELEPHONE 6 I 7 / 5 4 2 - 5 0 7 0
`T E L E C O P I E R : 6 1 7 / 5 4 2 - 8 9 0 6
`CABLE: FISHRICH. BOSTON
`T E L E X : 2 0 0 1 5 4
`September 17, 1991
`
`Commissioner of Patents and Trademarks
`Washington, DC 20231
`
`SMALL ENTITY APPLICANT
`
`Dear Commissioner:
`
`WASHINOTON. D.C. OFFICE:
`601 THIRTEENTH STREET, N.W.
`WASHINOTON. D.C. 20005
`2 0 2 / 7 8 3 - 5 0 7 0
`
`Please find enclosed a patent application (including formal
`papers) as follows:
`
`Applicant: Ferdinand Engel, Kendall S. Jones, Kary Robertson, David M.
`Thompson and Gerard White
`: NETWORK MONITORING
`
`Title
`
`116 Pages of Specification; 1 Pages of Abstract; 10 Pages of Claims; 38 Sheets
`of Drawings; Appendix I (2 pages); Appendix I1 (25 pages); Appendix I11 (17
`pages); Appendix IV (2 pages); Appendix V (34 pages); Appendix VI (14
`microfiche containing 655 frames..
`
`Basic Filing Fee
`Total number of claims in excess of 20 times $10
`Number of independent claims in excess of 3 times $30
`Multiple dependent claims fee $100
`Total Filing Fee
`
`315
`100
`150
`
`$ 565
`
`If this application is found to be INCOMPLETE, or if it appears
`that a telephone conference would helpfully advance prosecution, please
`telephone the undersigned at (617) 542-5070.
`
`Kindly acknowledge receipt of the foregoing application by
`returning the enclosed self-addressed, stamped postcard.
`
`Respectful1 submitted,
`
`Z.&PL@
`
`I
`
`Eric L. Prahl
`Reg. No. 32,590
`'kxpress Mai c' rnai l i n g label number FB48718394XUS
`Date o f Deposit September 17, 1991
`hereby c e r t i f y under 37 CFR 1.10
`I
`t h i s
`t h a t
`Postal S,ervice as % xpress Mail Post O f f i c e
`correspondence i s b e i n deposited with the United States
`t o
`Addressee w i t h s u f f i c i e n t postage on the date indicated
`above and i s addressed t o the Comnissioner o f Patents
`and Trademarks, Washington, D.C.
`20231.
`
`Petitioners' EX1018 Page 6
`
`

`
`_-
`
`APPLICATION
`
`FOR
`
`UNITED STATES LETTERS PATENT
`
`TITLE.
`
`APPLICANT
`
`NETWORK MONITORING
`
`FERDINAND ENGEL, KENDALL S. JONES, KARY
`ROBERTSON, DAVID M. THOMPSON AND GERARD WHITE
`
`'kxpress Mai I" mai 1 ing label number FB487 l8394xUs
`Date of Deposit September 17, 1991
`hereby c e r t i f y under 37 CFR 1.10
`this
`that
`I
`Postal Service as % xpress Mail Post Office
`correspondence i s bein deposited with the United States
`t o
`Addresse;' with sufficient postage on the date indicated
`above and i s addressed t o the Comnissioner of Patents
`and Trademarks. Washington. D.C.
`20231.
`
`1
`
`I -
`
`-
`
`Petitioners' EX1018 Page 7
`
`

`
`q L
`r b
`
`f
`
`I ,'*(
`
`,-
`
`,.
`
`,
`
`I
`
`
`
`' /
`, '> __-
`Bl/761269
`
`A / /
`
`4
`
`\
`
`NETWORK MONITORING &-iq?(
`
`ATTORNEY'S DOCKET NO.: 00124/010002
`
`Cross Reference to Related Application
`
`------.-*.cI--/
`
`0
`5
`
`Reference to Microfiche Appendix
`A Microfiche Appendix containing fourteen microfiche
`accompanies this patent application pursuant to 37 CFR
`§1.96(b) and is designated as Appendix VI. The first
`thirteen microfiche each contain 4 9 frames and the
`10 fourteenth microfiche contains 18 frames.
`Backqround of the Invention
`
`The invention relates to monitoring and managing
`
`communication networks for computers.
`Today's computer networks are large complex systems
`15 with many components from a large variety of vendors. These
`networks often span large geographic areas ranging from a
`
`campus-like setting to world wide networks. While the
`
`network itself can be used by many different types of
`organizations, the purpose of these networks is to move
`
`20 information between computers. Typical applications are
`electronic mail, transaction processing, remote database,
`
`query, and simple file transfer. Usually, the organization
`that has installed and is running the network needs the
`network to be running properly in order to operate its
`
`,*.-
`
`i
`
`...
`
`'I
`
`Petitioners' EX1018 Page 8
`
`

`
`.I
`
`- 2 -
`;are' various controls provided by the different equipment to
`control and manage the network. Network management is the
`task of planning, engineering, securing and operating a
`network.
`
`5
`
`To manage the network properly, the Network Manager
`
`has sqme obvious needs. First, the Network Manager must
`
`trouble shoot problems.
`As the errors develop in a running
`network, the Network Manager must have some tools that
`notify him of the errors and allow him to diagnose and
`10 repair these errors. Second, the Network Manager needs to
`configure the network in such a manner that the network
`loading characteristics provide the best service possible
`for the network users.
`To do this the Network Manager must
`have tools that allow him visibility into access patterns,
`
`15 bottlenecks and general loading. With such data, the
`Network Manager can reconfigure the network components for
`better service.
`
`There are many different components that need to be
`managed in the network. These elements can be, but are not
`20 limited to: routers, bridges, PCIs, workstations,
`minicomputers, supercomputers, printers, file servers,
`switches and pbxls.
`
`Each component provides a protocol for
`reading and writing the management variables in the machine.
`These variables are usually defined by the component vendor
`
`and are usually referred to as a Management Information Base
`
`25
`4
`
`' '1
`
`Petitioners' EX1018 Page 9
`
`

`
`
`- 3 -
`(MIB). There are some standard MIB's, such as the IETF
`(Internet Engineering Task Force) MIB I and MIB I1 standard
`definitions. Through the reading and writing of MIB
`
`variables, software in other computers can manage or control
`
`10
`
`5 the component. The software in the component that provides
`remote access to the MIB variables is usually called an
`agent. Thus, an individual charged with the responsibility
`of managing a large network often will use various tools to
`manipulate the MIB's of various agents on the network.
`Unfortunately, the standards for accessing M I B s are
`not yet uniformly provided nor are the MIB definitions
`complete enough to manage an entire network. The Network
`Manager must therefore use several different types of
`computers to access the agents in the network. This poses a
`15 problem, since the errors occurring on the network will tend
`to show up in different computers and the Network Manager
`
`must therefore monitor several different screens to
`
`determine if the network is running properly. Even when the
`
`Network Manager is able to accomplish this task, the tools
`20 available are not sufficient for the Network Manager to
`function properly.
`
`Furthermore, there are many errors and loadings on
`
`the network that are not reported by agents. Flow control
`
`problems, retransmissions, on-off segment loading, network
`
`25
`
`capacities and utilizations are some of the types of data
`
`'
`
`Petitioners' EX1018 Page 10
`
`

`
`
`- 4 -
`that are not provided by the agents. Simple needs like
`charging each user for actual network usage are impossible.
`
`Summarv of the Invention
`In general, in one aspect, the invention features
`monitoring communications which occur in a network of nodes,
`
`5
`
`10
`
`each communication being effected by a transmission of one
`or more packets among two or more communicating nodes, each
`communication complying with a predefined communication
`protocol selected from among protocols available in the
`network. The contents of packets are detected passively and
`in real time, communication information associated with
`multiple protocols is derived from the packet contents.
`
`Preferred embodiments of the invention include the
`following features. The communication information derived
`
`15
`
`from the packet contents is associated with multiple layers
`
`of at least one of the protocols.
`In general, in another aspect, the invention
`features monitoring communication dialogs which occur in a
`
`network of nodes, each dialog being effected by a
`
`20
`
`transmission of one or more packets among two or more
`
`communicating nodes, each dialog complying with a predefined
`
`communication protocol selected from among protocols
`available in the network. Information about the states of
`
`dialogs occurring in the network and which comply with
`
`Petitioners' EX1018 Page 11
`
`

`
`
`- 5 -
`different selected protocols available in the network is
`derived from the packet contents.
`Preferred embodiments of the invention include the
`following features. A current state is maintained for each
`5 dialog, and the current state is updated in response to the
`detected contents of transmitted packets. For each dialog,
`a history of events is maintained based on information
`derived from the contents of packets, and the history of
`
`events is analyzed to derive information about the dialog.
`10 The analysis of the history includes counting events and
`gathering statistics about events. The history is monitored
`for dialogs which are inactive, and dialogs which have been
`
`inactive for a predetermined period of time are purged.
`example, the current state is updated to data state in
`15 response to observing the transmission of at least two data
`related packets from each node. Sequence numbers of data
`related packets stored in the history of events are analyzed
`
`For
`
`and retransmissions are detected based on the sequence
`numbers. The current state is updated based on each new
`20 packet associated with the dialog; if an updated current
`state cannot be determined, information about prior packets
`associated with the dialog is consulted as an aid in
`updating the state. The history of events may be searched
`
`to identify the initiator of a dialog.
`
`t
`
`Petitioners' EX1018 Page 12
`
`

`
`- 6 -
`The full set of packets associated with a dialog up
`to a point in time completely define a true state of the
`dialog at that point in time, and the step of updating the
`current state in response to the detected contents of
`
`5
`
`transmitted packets includes generating a current state
`(e.g., "unknownI1) which may not conform to the true state.
`
`The current state may be updated to the true state based on
`
`information about prior packets transmitted in the dialog.
`Each communication may involve multiple dialogs
`
`10
`
`corresponding to a specific protocol. Each protocol layer
`of the communication may be parsed and analyzed to isolate
`each dialog and statistics may be kept for each dialog. The
`protocols may include a connectionless-type protocol in
`
`which the state of a dialog is implicit in transmitted
`packets, and the step of deriving information about the
`
`15
`
`states of dialogs includes inferring the states of the
`
`dialogs from the packets. Keeping statistics for protocol
`
`layers may be temporarily suspended when parsing and
`
`statistics gathering is not rapid enough to match the rate
`
`of packets to be parsed.
`In general, in another aspect, the invention
`features monitoring the operation of the network with
`respect to specific items of performance during normal
`operation, generating a model of the network based on the
`monitoring, and setting acceptable threshold levels for the
`
`20
`
`25
`
`. " '
`
`, 9
`
`Petitioners' EX1018 Page 13
`
`

`
`- 7 -
`
`specific items of performance based on the model. In
`preferred embodiments, the operation of the network is
`monitored with respect to the specific items of performance
`during periods which may include abnormal operation.
`In general, in another aspect, the invention
`features the combination of a monitor connected to the
`network medium for passively, and in real time, monitoring
`
`5
`
`transmitted packets and storing information about dialogs
`associated with the packets, and a workstation for receiving
`10 the information about dialogs from the monitor and providing
`an interface to a user. In preferred embodiments, the
`workstation includes means for enabling a user to observe
`events of active dialogs.
`In general, in another aspect, the invention
`15 features apparatus for monitoring packet communications in a
`
`network of nodes in which communications may be in
`accordance with multiple protocols. The apparatus includes
`
`a monitor connected to a communication medium of the network
`
`for passively, and in real time, monitoring transmitted
`2 0 packets of different protocols and storing information about
`communications associated with the packets, the
`
`communications being in accordance with different protocols,
`
`and a workstation for receiving the information about the
`
`communications from the monitor and providing an interface
`25 to a user. The monitor and the workstation include means
`
`Petitioners' EX1018 Page 14
`
`

`
`- 8 -
`for relaying the information about multiple protocols with
`
`5
`
`respect to communication in the different protocols from the
`monitor to the workstation in accordance with a single
`common network management protocol.
`In general, in another aspect, the invention
`features diagnosing communication problems between two nodes
`in a network of nodes interconnected by links. The
`operation of the network is monitored with respect to
`specific items of performance during normal operation. A
`10 model of normal operation of the network is generated based
`on the monitoring. Acceptable threshold levels are set for
`the specific items of performance based on the model. The
`
`operation of the network is monitored with respect to the
`specific items of performance during periods which may
`15 include abnormal operation. When abnormal operation of the
`network with respect to communication between the two nodes
`
`is detected, the problem is diagnosed by separately
`
`analyzing the performance of each of the nodes and each of
`the links connecting the two nodes to isolate the abnormal
`20 operation.
`In general, in another aspect, the invention
`
`features a method of timing the duration of a transaction of
`interest occurring in the course of communication between
`nodes of a network, the beginning of the transaction being
`defined by the sending of a first packet of a particular
`
`25
`
`!
`
`1
`
`1 -
`
`" .-
`
`Petitioners' EX1018 Page 15
`
`

`
`- 9 -
`kind from one node to the other, and the end of the
`transaction being defined by the sending of another packet
`In the method,
`of a particular kind between the nodes.
`packets transmitted in the network are monitored passively
`
`5
`
`10
`
`and in real time. The beginning time of the transaction is
`determined based on the appearance of the first packet.
`determination is made of when the other packet has been
`transmitted. The timing of the duration of the transaction
`is ended upon the appearance of the other packet.
`In general, in another aspect, the invention
`features, tracking node address to node name mappings in a
`
`A
`
`network of nodes of the kind in which each node has a
`possibly nonunique node name and a unique node address
`
`within the network and in which node addresses can be
`
`15
`
`assigned and reassigned to node names dynamically using a
`
`name binding protocol message incorporated within a packet.
`
`In the method, packets transmitted in the network are
`
`20
`
`monitored, and a table linking node names to node addresses
`is updated based on information contained in the name
`binding protocol messages in the packets.
`One advantage of the invention is that it enables a
`network manager to passively monitor multi-protocol networks
`
`at multiple layers of the communications. In addition, it
`
`organizes and presents network performance statistics in
`terms of dialogs which are occurring at any desired level of
`
`25
`
`Petitioners' EX1018 Page 16
`
`

`
`:?
`
`- 10 -
`the communication. This technique of organizing and
`displaying network performance statistics provides an
`
`effective and useful view of network performance and
`
`facilitates a quick diagnosis of network problems.
`Other advantages and features will become apparent
`
`5
`
`from the following description of the preferred embodiment
`and from the claims.
`
`Description of the Preferred Embodiments
`Fig. 1 is a block diagram of a network;
`Fig. 2 s9owCthe layered structure of a network
`communication and a protocol tree within that layered
`
`-/”’
`
`I
`
`10
`
`environment;
`
`Fig.,S/illustrates the structure of an
`
`#**W
`
`/@
`
`/ ‘
`
`15
`
`ethernet/IP/TCP pasS;ket;
`Fig. 4 illustrates the different layers of a
`communication between two nodes;
`Fig. 5-SGWs the software modules within the
`Monitor;
`Fig. 6 shows the structure of the Monitor software
`20 in terms of tasks and intertask communication mechanisms;
`Figs. 7a-c show the STATS data structures which
`store performance statistics relating to the data link
`layer;
`
`1
`
`.1
`
`R
`
`’ ’
`
`I
`
`Petitioners' EX1018 Page 17
`
`

`
`Y
`
`- 11 -
`a event/state table describing the
`
`Fig.
`
`/,r''
`
`operation of the state machine for a TCP connection;
`Fig. 9a is a history data structure that is
`identified by a pointer found in the appropriate dialog
`5 statistics data wishin STATS;
`/ *"
`Fig. 9b is a record from the history table;
`Fig. 10 $SF/;' flow diagram of the Look - for - Data - State
`< ".
`routine;
`Fig. l14.ridfla flow diagram of the Look - for - Initiator
`10 routine that is called by the Look - for - Data - State routine;
`Fig. 12 is a flow diagram of the
`Look - for - Retransmission routine which is called by the
`Look - -
`at History routine;
`Fig. 1+is a diagram of the major steps in
`15 processing a frame through the Real Time Parser (RTP);
`Fig. 14 is a diagram of the major steps in the
`processing a statistics threshold event;
`Fig. 15 is a diagram of the major steps in the
`processing of a database update;
`Fig. 16 is a diagram of the major steps in the
`processing of a monitor control request;
`Fig. 1 7 ~ i s a logical map of the network as displayed
`by the Management Workstation;
`
`20
`
`Fig. lp',is a basic summary tool display screen;
`
`I
`
`Petitioners' EX1018 Page 18
`
`

`
`- 12 -
`Fig. 1 6 s a protocol selection menu that may be
`invoked through the summary tool display screen;
`/”--
`Figs. 20a-g are examples of the statistical
`
`//”-
`
`/*-
`
`5
`
`10
`
`15
`
`20
`
`#*+-
`
`variables which are displayed for different protocols;
`Fig. 21..*is an example of information that is
`displayed in the dialogs panel of the summary tool display
`screen ;
`
`Fig. 22 is+%”’kasic data screen presenting a rate
`-
`values panel, a count values panel and a protocols seen
`panel ;
`
`/e*
`
`I * a traffic matrix screen;
`.’
`Fig. 2 4 is..a flow diagram of the algorithm for
`adaptively establishing network thresholds based upon actual
`
`”e
`d-
`
`network performance;
`Fig. 25 yis,‘’a simple multi-segment network;
`I *‘
`Fig. 26 iF-+a flow diagram of the operation of the
`.( ‘
`diagnostic analyzer algorithm;
`
`@‘
`
`Fig. 27.-i’s a flow diagram of the source node
`analyzer algorithm;
`Fig. 28 4 s a flow diagram of the sink node analyzer
`algorithm;
`Fig. 29,-is a flow diagram of the link analysis
`
`’
`
`logic;
`
`Fig. 39&fs a flow diagram of the DLL problem
`checking routine;
`
`ri*
`
`25
`
`Petitioners' EX1018 Page 19
`
`

`
`5
`
`I ”
`
`Fig. 31 is a flow diagram of the IP problem checking
`routine;
`Fig. 32 *is” a flow diagram of the IP link component
`problem checking roytine;
`Fig. 33”%s a flow diagram of the DLL link component
`problem checking routine;
`Fig. p f l ’ g h o w s the structure of the event timing
`database;
`Fig. 35yi.k a flow diagram of the operation of the
`10 event timing module (ETM) in the Network Monitor;
`Fig. 36‘+is a network which includes an Appletalk@
`segment ;
`Fig. 37“is a Name Table that is maintained by the
`Address Tracking Module (ATM);
`w*d “
`Fig. 3% is a flow diagram of the operation of the
`ATM; and
`Fig. 39#‘*fS a flow diagram of the operation of the
`
`15
`
`ATM .
`
`v
`
`b&
`Also attached hereto
`20 following appendices:
`Appendix I identifies the SNMP MIB subset that is
`
`the claims are the
`
`supported by the Monitor and the Management Workstation (2
`pages) ;
`
`Petitioners' EX1018 Page 20
`
`

`
`- 14 -
`Appendix I1 defines the extension to the standard
`MIB that are supported by the Monitor and the Management
`Workstation ( 2 5 pages);
`Appendix I11 is a summary of the protocol variables
`5 for which the Monitor gathers statistics and a brief
`description of the variables, where appropriate (17 pages);
`Appendix IV is a list of the Summary Tool Values
`Display Fields with brief descriptions ( 2 pages); and
`Appendix V is a description of the actual screens
`10 for the Values Tool (34 pages).
`Appendix VI is a microfiche appendix presenting
`source code for the real time parser, the statistics data
`
`structures and the statistics modules.
`
`Structure and Operation
`
`c
`
`15 The Network:
`A typical network, such as the one shown in Fig. 1,
`includes at least three major components, namely, network
`nodes 2, network elements 4 and communication lines 6.
`Network nodes 2 are the individual computers on the network.
`20 They are the very reason the network exists. They include
`but are not limited to workstations (WS), personal computers
`(PC), file servers (FS), compute servers (CS) and host
`computers (e+, a VAX), to name but a few. The term server
`
`Petitioners' EX1018 Page 21
`
`

`
`- 15 -
`is often used as though it was different from a node, but it
`is, in fact, just a node providing special services.
`In general, network elements 4 are anything that
`
`5
`
`10
`
`participate in the service of providing data movement in a
`network, i.e., providing the basic communications. They
`include, but are not limited to, LAN's, routers, bridges,
`gateways, multiplexors, switches and connectors. Bridges
`serve as connections between different network segments.
`They keep track of the nodes which are connected to each of
`When they see a
`the segments to which they are connected.
`packet on one segment that is addressed to a node on another
`
`of their segments, they grab the packet from the one segment
`
`and transfer it to the proper segment. Gateways generally
`provide connections between different network segments that
`are operating under different protocols and serve to convert
`
`15
`
`communications from one protocol to the other. Nodes send
`
`packets to routers so that they may be directed over the
`
`20
`
`appropriate segments to the intended destination node.
`Finally, network or communication lines 6 are the
`components of the network which connect nodes 2 and elements
`4 together so that communications between nodes 2 may take
`place. They can be private lines, satellite lines or Public
`
`.
`
`Carrier lines. They are expensive resources and are usually
`
`managed as separate entities. Often networks are organized
`
`25
`
`into segments 8 that are connected by network elements 4 . A
`
`Petitioners' EX1018 Page 22
`
`

`
`- 16 -
`segment 8 is a section of a LAN connected at a physical
`level (this may include repeaters). Within a segment, no
`
`protocols at layers above the physical layer are needed to
`enable signals from two stations on the same segment to
`5 reach each other (i.e., there are no routers, bridges,
`
`gateways. . . ) .
`
`The Network Monitor and the Manaqement Workstation:
`In the described embodiment, there are two basic
`elements to the monitoring system which is to be described,
`10 namely, a Network Monitor 10 and a Management Workstation
`12. Both elements interact with each other over the local
`area network (LAN).
`
`Network Monitor 10 (referred to hereinafter simply
`as Monitor 10) is the data collection module which is
`15 attached to the LAN. It is a high performance real time
`front end processor which collects packets on the network
`
`and performs some degree of analysis to search for actual or
`
`potential problems and to maintain statistical information
`
`for use in later analysis. In general, it performs the
`
`20 following functions. It operates in a promiscuous mode to
`capture and analyze all packets on the segment and it
`extracts all items of interest from the frames. It
`generates alarms to notify the Management Workstation of the
`
`.
`
`occurrence of significant events. It receives commands from
`
`Petitioners' EX1018 Page 23
`
`

`
`- 17 -
`the Management Workstation, processes them appropriately and
`
`returns responses.
`Management Workstation 12 is the operator interface.
`It collects and presents troubleshooting and performance
`5 information to the user.
`It is based on the SunNet Manager
`(SNM) product and provides a graphical network-map-based
`interface and sophisticated data presentation and analysis
`tools. It receives information from Monitor 10, stores it
`and displays the information in various ways. It also
`10 instructs Monitor 10 to perform certain actions. Monitor
`10, in turn, sends responses and alarms to Management
`Workstation 12 over either the primary LAN or a backup
`serial link 14 using SNMP with the MIB extensions defined
`later.
`
`15
`
`These devices can be connected to each other over
`
`various types of networks and are not limited to connections
`
`over a local area network. As indicated in Fig. 1, there
`can be multiple Workstations 12 as well as multiple Monitors
`
`10.
`
`20
`
`Before describing these components in greater
`detail, background information will first be reviewed
`
`regarding communication protocols which specify how
`
`communications are conducted over the network and regarding
`the structure of the packets.
`
`Petitioners' EX1018 Page 24
`
`

`
`- 18 -
`
`The Protocol Tree:
`As shown in Fig. 2, communication over the network
`is organized as a series of layers or levels, each one built
`upon the next lower one, and each one specified by one or
`5 more protocols (represented by the boxes). Each layer is
`responsible for handling a different phase of the
`
`communication between nodes on the network. The protocols
`
`for each layer are defined so that the services offered by
`any layer are relatively independent of the services offered
`
`10 by the neighbors above and below. Although the identities
`and number of layers may differ depending on the network
`(i.e., the protocol set defining communication over the
`
`network), in general, most of them share a similar structure
`and have features in common.
`For purposes of the present description, the Open
`
`15
`
`Systems Interconnection (OSI) model will be presented as
`representative of structured protocol architectures. The
`OS1 model, developed by the International Organization for
`Standardization, includes seven layers. As indicated in
`Fig. 2, there is a physical layer, a data link layer (DLL),
`a network layer, a transport layer, a session layer, a
`
`20
`
`presentation layer and an application layer, in that order.
`As background for what is to follow, the function of each of
`these layers will be briefly described.
`
`Petitioners' EX1018 Page 25
`
`

`
`- 19 -
`The physical layer provides the physical medium for
`the data transmission. It specifies the electrical and
`
`5
`
`mechanical interfaces of the network and deals with bit
`level detail. The data link layer is responsible for
`ensuring an error-free physical link between the
`communicating nodes.
`It is responsible for creating and
`recognizing frame boundaries (i.e., the boundaries of the
`
`packets of data that are sent over the network.) The
`
`10
`
`network layer determines how packets are routed within the
`network. The transport layer accepts data from the layer
`above it (i.e., the session layer), breaks the packets up
`
`into smaller units, if required, and passes these to the
`
`network layer for transmission over the network. It may
`
`insure that the smaller pieces all arrive properly at the
`other end. The session layer is the user's interface into
`
`15
`
`the network. The user must interface with the session layer
`in order to negotiate a connection with a process in another
`machine. The presentation layer provides code conversion
`and data reformatting for the user's application. Finally,
`
`2 0
`
`the application layer selects the overall network service
`for the user's application.
`
`Fig. 2 also shows the protocol tree which is
`A protocol tree
`implemented by the described embodiment.
`shows the protocols that apply to each layer and it
`identifies by the tree structure which protocols at each
`
`25
`
`\
`
`'\
`
`Petitioners' EX1018 Page 26
`
`

`
`- 20 -
`layer can run "on top of" the protocols of the next lower
`layer. Though standard abbreviations are used to identify
`
`the protocols, for the convenience of the reader, the
`
`I -
`
`meaning of the abbreviations are as follows:
`----
`'i
`-\ ;:L\,(L ' !">
`5
`
`ARP
`ETHERNET
`
`Address Resolution Protocol
`Ethernet Data Link Control
`
`10
`
`15
`
`FTP
`
`ICMP
`
`IP
`LLC
`
`MAC
`NFS
`NSP
`
`RARP
`
`SMTP
`
`SNMP
`
`TCP
`TFTP
`UDP
`
`File Transfer Protocol
`
`Internet Control Message Protocol
`
`Internet Protocol
`802.2 Logical Link Control
`802.3 CSMA/CD Media Access Control
`Network File System
`Name Server Protocol
`Reverse Address Resolution Protocol
`
`Simple Mail Transfer Protocol
`
`Simple Network Management Protocol
`
`Transmission Control Protocol
`Trivial File Transfer Protocol
`User Datagram Protocol
`
`Two terms are commonly used to describe the protocol tree,
`namely, a protocol stack and a protocol family (or suite).
`A protocol stack generally refers to the underlying
`protocols that are used when sending a message over a
`
`Petitioners' EX1018 Page 27
`
`

`
`- 21 -
`network. For example, FTP/TCP/IP/LLC is a protocol stack.
`A protocol family is a loose association of protocols which
`tend to be used on the same network (or derive from a common
`
`source). Thus, for example, the TCP/IP family includes IP,
`
`5
`
`TCP, UDP, ARP, TELNET and FTP. The Decnet family includes
`the protocols from Digital Equipment Corporation. And the
`SNA family includes the protocols from IBM.
`
`The Packet:
`
`10
`
`The relevant protocol stack defines the structure of
`each packet that is sent over the network. Fig. 3 , which
`shows an TCP/IP packet, illustrates the typical structure of
`
`a packet. In general, e