H04L43/026

Analysis system and analysis method

A collection device (10) collects traffic from a core network (10N) connected to a plurality of operator networks (20N). Further, an analysis device has a plurality of functions of analyzing traffic. Further, a setting device sets a scenario that designates at least one of the plurality of functions. Further, a pre-processing device converts the traffic collected by the collection device (10) to traffic of a format suitable for the function designated by the scenario. Further, a distribution device distributes the traffic converted by the pre-processing device to a designated function.

Network traffic monitoring or storage using a signed uniform resource locator
11716263 · 2023-08-01

A network monitoring device may receive flow-tap information that identifies a traffic flow characteristic and a signed URL associated with a signed URL platform from a mediation device. The network device may map the traffic flow characteristic to the signed URL in an entry of a flow-tap filter that is maintained within a data structure of the network device. The network device may analyze, using the flow-tap filter, network traffic of the network to detect a traffic flow that is associated with the traffic flow characteristic. The network device may generate, based on detecting the traffic flow in the network traffic, a traffic flow copy that is associated with the traffic flow. The network device may provide, based on the signed URL, the traffic flow copy to the signed URL platform, wherein the traffic flow copy is to be accessible to an authorized user device via the signed URL.

Collecting and analyzing data regarding flows associated with DPI parameters

Some embodiments provide a method for performing deep packet inspection (DPI) for an SD-WAN (software defined, wide area network) established for an entity by a plurality of edge nodes and a set of one or more cloud gateways. At a particular edge node, the method uses local and remote deep packet inspectors to perform DPI for a packet flow. Specifically, the method initially uses the local deep packet inspector to perform a first DPI operation on a set of packets of a first packet flow to generate a set of DPI parameters for the first packet flow. The method then forwards a copy of the set of packets to the remote deep packet inspector to perform a second DPI operation to generate a second set of DPI parameters. In some embodiments, the remote deep packet inspector is accessible by a controller cluster that configures the edge nodes and the gateways. In some such embodiments, the method forwards the copy of the set of packets to the controller cluster, which then uses the remote deep packet inspector to perform the remote DPI operation. The method receives the result of the second DPI operation, and when the generated first and second DPI parameters are different, generates a record regarding the difference.

SERVICE DETECTION METHOD AND APPARATUS, DEVICE, AND STORAGE MEDIUM
20230023154 · 2023-01-26

Disclosed are a service detection method and apparatus, a device, and a non-transitory computer-readable storage medium. The service detection method may include: determining a service time interval between service data; determining a matching result of the service time interval according to a set period value and a set jitter value in a preset periodicity judgment parameter; and determining that the service data is periodic service data in response to determining that the matching result of the current service time interval meets a periodicity condition according to a minimum number of matching time intervals and a maximum number of matching time intervals in the periodicity judgment parameter.

LATENCY EVALUATION AND MANAGEMENT RESOLUTION

One or more computing devices, systems, and/or methods for latency evaluation and management resolution are provided. A fingerprint for traffic flow over a communication network from an application executing on a device to a multi-access edge (MEC) server instance hosted by a MEC platform may be identified. The fingerprint may be used to track the traffic flow between the application and the MEC server in order to measure round trip time latencies of the traffic flow. In response to a round trip time latency violating a latency management policy, segment latencies along segments of a communication travel path of the traffic flow from the device to the MEC platform may be measured. A management resolution function may be performed based upon one or more of the segment latencies exceeding a threshold.

VISUALIZATION OF FLOW TRACE OPERATION ACROSS MULTIPLE SITES

Some embodiments provide a method for presenting a visualization of a data message flow within a logical network that is implemented across multiple sites. The method receives flow tracing data regarding the data message flow from a source endpoint in a first site to a second endpoint in a second site. The data message flow is processed according to logical forwarding elements (LFEs) implemented in at least the first and second sites. For each of the sites through which the data message flow passes, the method identifies the LFEs that process the data message flow in the site. The method presents a visualization for the data message flow. The visualization includes a separate section for each site through which the data message flow passes. Each section indicates at least a subset of the LFEs that process the data message flow in the corresponding site for the section.

SYSTEM AND METHOD FOR AUTOMATIC DETECTION OF THIRD PARTY PROXY NETWORK TRAFFIC

Automatically detecting whether sessions are routed through proxy servers is provided. The system identifies a log with session information generated by a device for a session established between a client and a server traversing the device. The system compares a source internet protocol (“IP”) address for the session identified from the log with IP addresses of proxy servers. The system updates, responsive to a match based on the comparison, the log with an indication that the session was routed through a proxy server.