Methods are provided to categorize and filter node metadata by adding a priority field to the node metadata, obtained as part of in-band network telemetry data collection. The methods involve obtaining, by a first network device, a packet having a header and a payload and adding, by the first network device, to the header of the packet, metadata which includes first telemetry data and a metadata priority level that indicates a priority of the first telemetry data added to the header of the packet by the first network device. The methods further involve providing the packet to a second network device in a path of a network.

A service process control method includes selecting, according to an execution policy of at least one service deployed on a network device, M data processors for processing a packet received by the network device, determining a processing sequence for the selected M data processors to process the packet, and invoking the selected M data processors to sequentially process, according to the processing sequence, the packet. An execution sequence for a data processor to process the packet is dynamically generated according to a policy set corresponding to the service.

A service process control method includes selecting, according to an execution policy of at least one service deployed on a network device, M data processors for processing a packet received by the network device, determining a processing sequence for the selected M data processors to process the packet, and invoking the selected M data processors to sequentially process, according to the processing sequence, the packet. An execution sequence for a data processor to process the packet is dynamically generated according to a policy set corresponding to the service.

A method of controlling a packet stream generated by an application installed in a mobile terminal, the stream being intended to be sent by the terminal over a communications network managed by an operator. The method includes the following acts implemented in the terminal, for at least one packet generated by the application: obtaining a first packet having a first header and payload data; transmitting a request message to a security module installed in the terminal, the message including a parameter of the first header; receiving a response from the security module, which includes an instruction relating to transmission of a second packet, the response being based on the parameter and established according to a processing rule; preparing the second packet by modifying the first header into a second header, based on the instruction, the second packet including the second header and the payload data; and transmitting the second packet.

A method of controlling a packet stream generated by an application installed in a mobile terminal, the stream being intended to be sent by the terminal over a communications network managed by an operator. The method includes the following acts implemented in the terminal, for at least one packet generated by the application: obtaining a first packet having a first header and payload data; transmitting a request message to a security module installed in the terminal, the message including a parameter of the first header; receiving a response from the security module, which includes an instruction relating to transmission of a second packet, the response being based on the parameter and established according to a processing rule; preparing the second packet by modifying the first header into a second header, based on the instruction, the second packet including the second header and the payload data; and transmitting the second packet.

A transmitting apparatus is provided. The transmitting apparatus includes: a packet generator generating a packet including a header and a payload from an input stream including a plurality of input packets; and a signal processor signal-processing the packet, wherein the header includes a base header which includes: a first field indicating a packet type of the input packets; wherein when the first field is set to a value indicating that the packet type of the input packets is a TS packet, the base header comprises a second field indicating a number of TS packets included in the payload and a third field set to a first value indicating that the header of the packet does not comprises an additional header or a second value indicating that the header of the packet further comprises the additional header, and wherein the third field is set to the second value when TS header compression to remove at least one header of the TS packets is applied to generate the packet.

A transmitting apparatus is provided. The transmitting apparatus includes: a packet generator generating a packet including a header and a payload from an input stream including a plurality of input packets; and a signal processor signal-processing the packet, wherein the header includes a base header which includes: a first field indicating a packet type of the input packets; wherein when the first field is set to a value indicating that the packet type of the input packets is a TS packet, the base header comprises a second field indicating a number of TS packets included in the payload and a third field set to a first value indicating that the header of the packet does not comprises an additional header or a second value indicating that the header of the packet further comprises the additional header, and wherein the third field is set to the second value when TS header compression to remove at least one header of the TS packets is applied to generate the packet.

Provided is an intrusion detection technique configured to: obtain kernel-filter criteria indicative of which network traffic is to be deemed potentially malicious, determine that a network packet is resident in a networking stack, access at least part of the network packet, apply the kernel-filter criteria to the at least part of the network packet and, based on applying the kernel-filter criteria, determining that the network packet is potentially malicious, associate the network packet with an identifier of an application executing in userspace of the operating system and to which or from which the network packet is sent, and report the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system of the host computing device, the intrusion-detection agent being different from the application to which or from which the network packet is sent.

Some embodiments provide a network forwarding IC with packet processing pipelines, at least one of which includes a parser, a set of match-action stages, and a deparser. The parser is configured to receive a packet and generate a PHV including a first number of data containers storing data for the packet. A first match-action stage is configured to receive the PHV from the parser and expand the PHV to a second, larger number of data containers storing data for the packet. Each of a set of intermediate match-action stage is configured to receive the expanded PHV from a previous stage and provide the expanded PHV to a subsequent stage. A final match-action stage is configured to receive the expanded PHV and reduce the PHV to the first number of data containers. The deparser is configured to receive the reduced PHV from the final match-action stage and reconstruct the packet.

Some embodiments provide a network forwarding IC with packet processing pipelines, at least one of which includes a parser, a set of match-action stages, and a deparser. The parser is configured to receive a packet and generate a PHV including a first number of data containers storing data for the packet. A first match-action stage is configured to receive the PHV from the parser and expand the PHV to a second, larger number of data containers storing data for the packet. Each of a set of intermediate match-action stage is configured to receive the expanded PHV from a previous stage and provide the expanded PHV to a subsequent stage. A final match-action stage is configured to receive the expanded PHV and reduce the PHV to the first number of data containers. The deparser is configured to receive the reduced PHV from the final match-action stage and reconstruct the packet.