Title of invention: Automated passive discovery of applications
Abstract: Embodiments are directed to monitoring communication over a network using a network monitoring device (NMD) to discover devices, roles, applications, and application dependencies present on the monitored networks. A NMD may monitor network packets that may be flowing on monitored networks. Using OSI L2-to-L3 data the NMD may determine the devices that may be on the monitored networks. Also, the NMD may determine the network protocols that may be in use on the monitored networks. Further, the NMD may reassemble monitored network packets into transactions based on knowledge regarding the network protocols that are in use on the monitored networks. The NMD may perform various tests to determine the applications that may be running on the discovered devices. Some of the tests used by the NMD may examine OSI L4-L7 data that may be included in the transactions.
Publication number: US9054952(B2) Publication date: 2015.06.09
Application number: US201314107580 Filing date: 2013.12.16
Applicant: ExtraHop Networks, Inc. Inventors: Rothstein Jesse Abraham;Mukerji Arindum;Khanal Bhushan Prasad
Classification: G06F15/173;H04L12/26;H04L29/08 Main classification: G06F15/173
Agency: Lowe Graham Jones PLLC Agent: Branch John W.;Lowe Graham Jones PLLC
Principal claim: 1. A method for monitoring communication over a network with a network device that is operative to perform actions, comprising: passively monitoring a plurality of packets on the network, wherein the monitored packets include at least a portion of data associated with layers four through seven (L4-L7 data) of the Open Systems Interconnection (OSI) model; and discovering one or more other network devices on the network based on examining the L2-L3 data associated with the at least one or more other network device, wherein one or more determined roles for the one or more other network devices corresponds to a confidence score; and discovering at least one application that is operating on the network based on testing the L4-L7 data that is included in each transaction, wherein at least a portion of the L4-L7 data is scanned to identify at least one pattern of at least one application transaction that is associated with the at least one application, and wherein each pattern is at least one of previously provided or determined from payload data for at least one network packet.
Address: Seattle WA US