This subsystem allows collection and storage of information on data transmission (mobile Internet, broadband access) and telematics services usage. The following activity information is collected:

  • Data transfer (IP, TCP/UDP);
  • Internet access (HTTP, WAP);
  • E-mails (SMTP, IMAP, POP3, web mail for services without encription);
  • Instant messages (ICQ, MSN, Yahoo messenger, Jabber, Agent);
  • Files transfer (FTP);
  • Audio transfer (SIP, H323, IAX2);

Several AAA protocols are supported (GTP-C, RADIUS etc.) as well as encapsulation (GTP, GRE, IEEE 802.1Q etc.), which allows the solution to be used on different types of networks.

Traffic is transferred for analyses via 1/10/100 Gigabit Ethernet interfaces. Traffic analyzers are available in the following configurations: 1*1GbE, 2*1GbE, 1*10GbE, 2*10GbE, 4*10GbE, 8*10GbE, 1*100GbE.

Traffic analyzers use data from Netflow protocol or similar to get information about NAT/PAT addresses translation. Traffic and translation events correlation is done in the memory, also separate packets are correlated “on the fly” to transport sessions. This allows preparation of the data with optimal structure for loading into the storage.

Also traffic analyzer is able to receive commands from Spectr application to start or to stop control, thus implementing full traffic interception for particular subscribers. For the collected traffic detailed analyses is done – streams classification, re-assembling of fragmented data, statistics collection. This allows conveniently visualize collected data, including web pages, e-mails and instant messages.

Subscribers’ traffic copied at concentration points is used as data source. Copying can be done via SPAN ports, TAPs or specialized network appliances (Gigamon, NetOptics). These methods do not require network topology change and do not create additional load for the network.

Another source of data are internetwork screen logs, transferred via Netflow, Syslog or similar. Logs are pre-processed in real time by a specialized collector to receive information about translated IP addresses and ports, this data is then correlated with traffic. A broad range of log formats is supported, e.g. from networking equipment of such vendor, as Cisco, Huawei, Juniper.

Provided below is list of data, collected and stored for mobile Internet. For broadband internet different users’ identifiers are collected. The exact list of fields in this case depends on network architecture and authentication protocols used.

User session level:

  • Start time;
  • Duration;
  • IMSI
  • IMEI
  • Access Point Name
  • Location Area Code
  • Cell ID

Network (transport) session level:

  • Time of establishing;
  • Duration;
  • Internal IP address;
  • Internal port;
  • Translated (external) IP-address;
  • Translated (external) port;
  • Destination IP-address;
  • Destination port;

Application protocols events level:

  • Time of event;
  • HTTP Method, Version, Host, URI, Referer, Content-Type, User-Agent
  • Receiver’s and sender’s E-mail (for SMTP, IMAP, POP);
  • Receiver’s and sender’s UIN (for ICQ, MSN, AIM, Yahoo);
  • VoIP identifiers;
  • FTP commands and logins;

Queries are possible against:

  • Subscribers’ identifiers (MSISDN, IMSI or IMEI for mobile network, login for BB);
  • Internal IP address;
  • Translated IP address;
  • Destination IP address;
  • HTTP Host;
  • E-Mail address;
  • VoIP identifier;
  • UIN;
  • FTP login;