DETAILED ACTION
	This application has been examined. Claims 1,3-21 are pending. Claim 2 is cancelled. Claim 21 is submitted as a new claim.
 
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/29/2020 has been entered.
 
Response to Arguments
Applicant's arguments filed 11/29/2020 have been fully considered but they are moot in view of the new grounds for rejection. 
Zhang-Tian-Jadhav disclosed (re. Claim 1) decapsulating a plurality of header fields (Tian-Paragraph 65, The SDN controller 420 may decapsulate the VXLAN encapsulation, Paragraph 81, process for the SDN switch 412 to decapsulate the VXLAN-encapsulated Ethernet data packet may include: the SDN switch 412, based on the offset pop action [offset type: L1, offset length: 0 byte, pop length: 50 bytes], pops 50 bytes starting from the first byte of the outermost packet header of the VXLAN-encapsulated Ethernet data packet.)  of the first packet, the plurality of header fields including the tunnel identifier field (Tian- VXLAN tunnel which is indicated by the VNI 100 )   and the source port identifier field. (Tian-Paragraph 71, match fields may include: an ingress port field  )    and at least one additional field; (Tian-Paragraph 30,Paragraph 93, The SDN controller 420 may determine use an ingress port 412-3 field, an User Networks interface (UNI ) field 100 and an inner destination MAC address field to search flow table searching for VXLAN packets sent from the switch 413 to the switch 411, Zhang-Paragraph 67, layer 3 and layer 4 packet header fields (e.g., source and destination IP addresses, source and destination transport layer port numbers, transport protocol type ) 
determining, by the processing system, a first tunnel identifier from the tunnel identifier fields a first source port identifier from the source port identifier field, and a first value from the at least one additional field (Tian-Paragraph 30,Paragraph 93, The SDN controller 420 may determine use an ingress port 412-3 field, an User Networks interface (UNI ) field 100 and an inner destination MAC address field to search flow table searching for VXLAN packets sent from the switch 413 to the switch 411 )
assigning, by the processing system, the first packet to a first flow based on the first tunnel identifier, the first source port identifier, and the first value. (Jadhav-Paragraph 43 ,any subsequent network packet determined to match a previously identified traffic flow is assigned the flow ID of that traffic flow )   



Zhang-Tian-Jadhav disclosed (re. Claim 1) obtaining, by the processing system, a second packet including a second header; (Zhang-Paragraph 123,create a new flow entry or set of flow entries such that future packets sent to the particular destination can be forwarded directly to their destination )
 	extracting, by the processing system, (Tian- Figure 3, Paragraph 49, it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field )  a first second value from a tunnel identifier field of  the second header (Tian-Paragraph 75, learns a MAC address entry based on the inner source MAC address 00-00-00-00-00-02 and the VXLAN tunnel which is indicated by the VNI 100 )   and a third value from a source port identifier field of the second header (Tian-Paragraph 71, match fields may include: an ingress port field  )   without decapsulating the second packet; (Tian- Figure 3, Paragraph 49, it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field )  
determining, by the processing system, that the first second value matches the first tunnel identifier (Zhang-Paragraph 66, packet header data structure 700 includes fields for the VLAN ID, source MAC address, destination MAC address, eight registers, and a tunnel ID (sometimes referred to as register 0). )   and that the third value matches the first source port identifier; (Zhang-Paragraph 41, When a packet meets the match conditions for a particular flow entry, the MFE 300 applies the set of actions specified by the flow entry to the packet , Paragraph 85, Paragraph 100, When the packet processing is complete (i.e., the packet has matched a flow entry specifying to drop the packet or deliver the packet to its destination) )  and
assigning, by the processing system, the second packet to the first flow in response to the determining that the first second value matches the first tunnel identifier and that the value matches the first source port identifier,   (Jadhav-Paragraph 43 ,any subsequent network packet determined to match a previously identified traffic flow is assigned the flow ID of that traffic flow )    wherein the assigning is performed without determining whether any  values associated with any additional fields of the second header in addition to the tunnel identifier field and the source port identifier field match any identifiers of the plurality of fields in addition to the first tunnel identifier field and the first source port identifier field of the first packet.
Regarding packet inspection and matching, the Examiner notes where Zhang is not limited to analyzing and matching packets using every data field in the header space.  Zhang Paragraph 60 disclosed wherein analysis application(s) can use as input a flow region that spans the entire flow space (i.e., with every packet header field fully wildcarded), while other embodiments set certain fields (e.g., input ports). Furthermore Zhang Paragraph 92-93 disclosed the flow entries are organized in stages (e.g., ingress port mapping, one or more ACL stages, logical forwarding stages, tunneling stages, 
The Examiner notes wherein Zhang does not explicitly disclose using just two header field values: tunnel identifier (ID) and source port.
The  Supreme Court in KSR International Co. v. Teleflex Inc.,   identified a number of rationales to support a conclusion of obviousness which are consistent with the proper "functional approach" to the determination of obviousness as laid down in Graham.  An exemplary rationale that may support a conclusion of obviousness is that of:  (G) Some teaching, suggestion, or motivation in the prior art that would have led one of ordinary skill to modify the prior art reference or to combine prior art reference teachings to arrive at the claimed invention. 
  	The Examiner notes that at the time of the effective filing date of the claimed invention it would have been obvious to a person of ordinary skill in the networking art to use only certain fields (and not all fields) for analysis of the flow space as indicated by Zhang Paragraph 60.  Furthermore it would have been obvious to use the Zhang tunnel identifier (ID) field and source port field in the analysis wherein the context register is indicating the tunneling stage.  The motivation for the said implementation would have been to enable identifying flow entries that can be removed from the system at the earliest possible/relevant stage that may provide significant benefit in terms of memory usage.

Jadhav disclosed (re. Claim 1) assigning, by the processing system, (Jadhav-Paragraph 43 ,any subsequent network packet determined to match a previously identified traffic flow is assigned the flow ID of that traffic flow )   the second packet to the first flow in response to the determining that the first value matches the first tunnel identifier and that the second value matches the first source port identifier.
The Examiner notes that Jadhav Paragraph 43 disclosed wherein the generation of a flow ID to assign to a network packet may only take place when a network packet associated with a traffic flow is observed/received for the first time.  Any subsequent network packet determined to match a previously identified traffic flow is assigned the flow ID of that traffic flow.  Thus Jadhav disclosed (re. Claim 1) ‘wherein the assigning is performed without determining any additional values associated with the second packet’.

 
The Applicant presents the following argument(s) [in italics]:
 	…the Applicant’s claims specifically recite that the assigning is performed without determining values associated with additional fields of a header in addition to a tunnel identifier field and a source port identifier field. Thus, assigning a packet to a flow using a value associated with any header field that is not the tunnel identifier field or the source port identifier field would be contrary to the claims. As discussed above, Jadhav discloses using several types of packet information that are associated with header fields that are not the tunnel identifier field or the source port identifier field…Moreover, although Zhang discloses that some analysis applications may use as input flow regions that span certain header fields rather than the entire flow space (See Zhang, paragraph 0060), Zhang does not disclose specifically which analysis applications may use only certain header fields, or which header fields would be used by such applications… Examples of the Applicant’s disclosure determine flow membership of subsequent packets belonging to the same flow by extracting just two header field values: tunnel identifier (ID) and source port. …
The Examiner respectfully disagrees with the Applicant.
Zhang is not relied upon to disclose assigning a packet to a flow using  the tunnel identifier field or the source port identifier field.
Tian disclosed (re. Claim 1) assigning a packet to a flow using  the tunnel identifier field or the source port identifier field. (Tian-Paragraph 71, match fields may include: an ingress port field  )   

Zhang-Tian-Jadhav disclosed (re. Claim 1) ‘wherein the assigning is performed without determining whether any additional values associated with any fields of the header of the second packet in addition to the tunnel identifier field and the source port identifier field match any identifiers of the header of the first packet in addition to the first tunnel identifier and the first source port identifier of the first packet’.
 

The Examiner notes wherein Zhang does not explicitly disclose using just two header field values: tunnel identifier (ID) and source port.
The  Supreme Court in KSR International Co. v. Teleflex Inc.,   identified a number of rationales to support a conclusion of obviousness which are consistent with the proper "functional approach" to the determination of obviousness as laid down in Graham.  An exemplary rationale that may support a conclusion of obviousness is that of:  (G) Some teaching, suggestion, or motivation in the prior art that would have led one of ordinary skill to modify the prior art reference or to combine prior art reference teachings to arrive at the claimed invention. 
  	The Examiner notes that at the time of the effective filing date of the claimed invention it would have been obvious to a person of ordinary skill in the networking art to use only certain fields (and not all fields) for analysis of the flow space as indicated by 
Regarding flow matching, the Examiner notes where Zhang is not relied upon to disclose (re. Claim 1) assigning, by the processing system, the second packet to the first flow in response to the determining that the first value matches the first tunnel identifier and that the second value matches the first source port identifier.
Jadhav disclosed (re. Claim 1) assigning, by the processing system, (Jadhav-Paragraph 43 ,any subsequent network packet determined to match a previously identified traffic flow is assigned the flow ID of that traffic flow )   the second packet to the first flow in response to the determining that the first value matches the first tunnel identifier and that the second value matches the first source port identifier.
The Examiner notes that Jadhav Paragraph 43 disclosed wherein the generation of a flow ID to assign to a network packet may only take place when a network packet associated with a traffic flow is observed/received for the first time.  Any subsequent network packet determined to match a previously identified traffic flow is assigned the flow ID of that traffic flow.  Thus Jadhav disclosed (re. Claim 1) ‘wherein the assigning is performed without determining any additional values associated with the second packet’.

in italics]:
 	…Notably, the packet analyzer does not necessarily have to decapsulate subsequent packets through various protocol layer headers. Rather, the packet analyzer may skip to the bit positions, byte positions, etc. where the tunnel ID and source port ID fields…
The Examiner respectfully disagrees with the Applicant.
Tian disclosed wherein the packet analyzer ‘may skip to the bit positions, byte positions, etc. where the tunnel ID and source port ID fields’ and thus does not necessarily have to decapsulate subsequent packets because Tian extracts the field from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field.
The Examiner notes wherein the Tian extraction process does not require a decapsulation process because Tian does not require matching packet fields with a predetermined protocol data structure and can extract the field values without having to process the packet knowing and/or using the protocol with which it has been encoded. 
Tian disclosed (re. Claim 1) extracting, by the processing system, (Tian- Figure 3, Paragraph 49, it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field )  a first second value from a tunnel identifier field of  the second header (Tian-Paragraph 75, learns a MAC address entry based on the inner source MAC address 00-00-00-00-00-02 and the VXLAN tunnel which is indicated by the VNI 100 )   and a third value from a source port identifier field of second header (Tian-Paragraph 71, match fields may include: an ingress port field  )   without decapsulating the second packet; (Tian- Figure 3, Paragraph 49, it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field )  

Priority
	 The effective date of the claims described in this application is 3/18/2019.


Information Disclosure Statement
 The Applicant is respectfully reminded that each individual associated with the filing and prosecution of a patent application has a duty of candor and good faith in dealing with the Office, which includes a duty to disclose to the Office all information known to that individual to be material to patentability as defined in 37 CFR  1.56.

There were no information disclosure statements filed with this application.
 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 

Claims 1-10,12-13,17,19-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (USPGPUB 2015/0016279) further in view of Tian (USPGPUB 2018/0048593) further in view of Jadhav (USPGPUB 2018/0063178).
In regard to Claim 1
Zhang Paragraph 44-Paragraph 45 disclosed the MFE sends the packet to a service node, which is a specific type of MFE that handles broadcast, unknown, and multicast (BUM) packets, possibly among other features. The service node, in addition to forwarding the packet to its destination, returns information to the MFE, allowing the MFE to create a new flow entry or set of flow entries such that future packets sent to the particular destination can be forwarded directly to their destination. The creation of new flow entries through such learning actions may cause future packets to be processed by flow entries the use of which would not be detected on a first pass of the flow reachability analysis. Accordingly, some embodiments perform a first iteration of the flow reachability analysis to determine the flow entries that would be created by the learning actions, then perform a second iteration of the analysis with these new flow entries, to determine all of the flow entries that could be used in the network.
Zhang Paragraph 47 disclosed using headerspace analysis to identify a set of flow entries that eventually cause a packet to be processed by a particular flow entry. That is, the analysis of the paths can determine all of the different flow entries that are matched by packets which eventually match a particular flow entry as well as identifying all of the different flow entries matched by packets after matching the particular flow entry.

obtaining, by a processing system including at least one processor, a first packet;
determining, by the processing system, a first tunnel identifier from a tunnel identifier field of a header of the first packet (Zhang-Paragraph 66, packet header data structure 700 includes fields for the VLAN ID, source MAC address, destination MAC address, eight registers, and a tunnel ID (sometimes referred to as register 0). )   and a first source port identifier from a source port identifier field of the header of the first packet; (Zhang-Paragraph 67, layer 3 and layer 4 packet header fields (e.g., source and destination IP addresses, source and destination transport layer port numbers, transport protocol type ) 
assigning, by the processing system, the first packet to a first flow; (Zhang-Paragraph 41, When a packet meets the match conditions for a particular flow entry, the MFE 300 applies the set of actions specified by the flow entry to the packet , Paragraph 85, Paragraph 100, When the packet processing is complete (i.e., the packet has matched a flow entry specifying to drop the packet or deliver the packet to its destination) ) 
obtaining, by the processing system, a second packet; (Zhang-Paragraph 123,create a new flow entry or set of flow entries such that future packets sent to the particular destination can be forwarded directly to their destination )

The Examiner notes wherein Zhang does not explicitly disclose using just two header field values: tunnel identifier (ID) and source port.
wherein the assigning is performed without determining whether any additional values associated with any fields of the header of the second packet in addition to the tunnel identifier field and the source port identifier field match any identifiers of the header of the first packet in addition to the first tunnel identifier and the first source port identifier of the first packet’.
While Zhang substantially disclosed the claimed invention Zhang does not disclose (re. Claim 1) extracting, by the processing system, a first value from a tunnel identifier field of a header of the second packet and a second value from a source port identifier field of the header of the second packet;
determining, by the processing system, that the first value matches the first tunnel identifier and that the second value matches the first source port identifier; and
assigning, by the processing system, the second packet to the first flow in response to the determining that the first value matches the first tunnel identifier and that the second value matches the first source port identifier.
Tian Paragraph 15, Paragraph 20 disclosed a flexible approach to matching which uses a match offset field. A flow entry is generated for the flow and an offset match field is generated in match fields of the flow entry based on an offset matching operation that needs to be performed. The offset match field may include a match position, a match length, a match mask and a match value.
Tian Figure 3, Paragraph 49 disclosed wherein it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received 
Tian disclosed (re. Claim 1) extracting, by the processing system, (Tian- Figure 3, Paragraph 49, it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field )  a first second value from a tunnel identifier field of  the second header (Tian-Paragraph 75, learns a MAC address entry based on the inner source MAC address 00-00-00-00-00-02 and the VXLAN tunnel which is indicated by the VNI 100 )   and a third value from a source port identifier field of the second header (Tian-Paragraph 71, match fields may include: an ingress port field  )   without decapsulating the second packet; (Tian- Figure 3, Paragraph 49, it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field )  
Tian disclosed wherein the packet analyzer ‘may skip to the bit positions, byte positions, etc. where the tunnel ID and source port ID fields’ and thus does not necessarily have to decapsulate subsequent packets because Tian extracts the field from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field.
The Examiner notes wherein the Tian extraction process does not require a decapsulation process because Tian does not require matching packet fields with a predetermined protocol data structure and can extract the field values without having to process the packet knowing and/or using the protocol with which it has been encoded. 

Zhang and Tian are analogous art because they present concepts and practices regarding packet flow management.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Tian into Zhang.  The motivation for the said combination would have been to enable an SDN switch to correctly match an flow entry for an unsupported protocol packet, such as a VXLAN packet, an EVI packet, or the like, wherein the said packets are to be sent via a tunnel and encapsulated and/or decapsulated. (Tian-Paragraph 15)

Zhang-Tian disclosed (re. Claim 1) determining, by the processing system, that the first value (Tian- VXLAN tunnel which is indicated by the VNI 100 )   matches the first tunnel identifier (Zhang- Paragraph 66, packet header data structure 700 includes   a tunnel ID (sometimes referred to as register 0) )  and that the second value (Tian-Paragraph 71, match fields may include: an ingress port field  )    matches the first source port identifier; (Zhang-Paragraph 67, layer 3 and layer 4 packet header fields (e.g., source and destination IP addresses, source and destination transport layer port numbers, transport protocol type ) and
While Zhang-Tian substantially disclosed the claimed invention Zhang-Tian does not disclose (re. Claim 1) assigning, by the processing system,   the second packet to the first flow in response to the determining that the first value matches the first tunnel identifier and that the second value matches the first source port identifier.
Jadhav Paragraph 30 disclosed wherein a segment enforcer (112X, 112Y, 112Z) may be deployed (adjacent to or on) include, but are not limited to, a network device with a switch port analyzer (SPAN) port, a network device with a test access point (TAP) port.
Jadhav Paragraph 43 disclosed wherein any subsequent network packet determined to match a previously identified traffic flow is assigned the flow ID of that traffic flow.
Jadhav disclosed (re. Claim 1) assigning, by the processing system, (Jadhav-Paragraph 43 ,any subsequent network packet determined to match a previously identified traffic flow is assigned the flow ID of that traffic flow )   the second packet to the first flow in response to the determining that the first value matches the first tunnel identifier and that the second value matches the first source port identifier.
Zhang,Tian and Jadhav are analogous art because they present concepts and practices regarding packet flow management.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Jadhav into Zhang-Tian.  The motivation for the said combination would have been to enable monitoring a strategic position within the internal network (104) that provides a segment enforcer visibility to the east-west traffic flowing within a segment of the internal network (104) and enable identifying IoT devices within the internal network as prime targets for the execution of network threats.(Jadhav-Paragraph 2)
Zhang-Tian-Jadhav disclosed (re. Claim 1) decapsulating a plurality of header fields (Tian-Paragraph 65, The SDN controller 420 may decapsulate the VXLAN encapsulation, Paragraph 81, process for the SDN switch 412 to decapsulate the VXLAN-encapsulated Ethernet data packet may include: the SDN switch 412, based on the offset pop action [offset type: L1, offset length: 0 byte, pop length: 50 bytes], pops 50 bytes starting from the first byte of the outermost packet header of the VXLAN-encapsulated Ethernet data packet.)  of the first packet, the plurality of header fields including the tunnel identifier field (Tian- VXLAN tunnel which is indicated by the VNI 100 )   and the source port identifier field. (Tian-Paragraph 71, match fields may include: an ingress port field  )    and at least one additional field; (Tian-Paragraph 30,Paragraph 93, The SDN controller 420 may determine use an ingress port 412-3 field, an User Networks interface (UNI ) field 100 and an inner destination MAC address field to search flow table searching for VXLAN packets sent from the switch 413 to the switch 411, Zhang-Paragraph 67, layer 3 and layer 4 packet header fields (e.g., source and destination IP addresses, source and destination transport layer port numbers, transport protocol type ) 
determining, by the processing system, a first tunnel identifier from the tunnel identifier fields a first source port identifier from the source port identifier field, and a first value from the at least one additional field (Tian-Paragraph 30,Paragraph 93, The SDN controller 420 may determine use an ingress port 412-3 field, an User Networks interface (UNI ) field 100 and an inner destination MAC address field to search flow table searching for VXLAN packets sent from the switch 413 to the switch 411 )
assigning, by the processing system, the first packet to a first flow based on the first tunnel identifier, the first source port identifier, and the first value. (Jadhav-Paragraph 43 ,any subsequent network packet determined to match a previously identified traffic flow is assigned the flow ID of that traffic flow )   



Zhang-Tian-Jadhav disclosed (re. Claim 1) obtaining, by the processing system, a second packet including a second header; (Zhang-Paragraph 123,create a new flow entry or set of flow entries such that future packets sent to the particular destination can be forwarded directly to their destination )
it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field )  a first second value from a tunnel identifier field of  the second header (Tian-Paragraph 75, learns a MAC address entry based on the inner source MAC address 00-00-00-00-00-02 and the VXLAN tunnel which is indicated by the VNI 100 )   and a third value from a source port identifier field of the second header (Tian-Paragraph 71, match fields may include: an ingress port field  )   without decapsulating the second packet; (Tian- Figure 3, Paragraph 49, it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field )  
determining, by the processing system, that the first second value matches the first tunnel identifier (Zhang-Paragraph 66, packet header data structure 700 includes fields for the VLAN ID, source MAC address, destination MAC address, eight registers, and a tunnel ID (sometimes referred to as register 0). )   and that the third value matches the first source port identifier; (Zhang-Paragraph 41, When a packet meets the match conditions for a particular flow entry, the MFE 300 applies the set of actions specified by the flow entry to the packet , Paragraph 85, Paragraph 100, When the packet processing is complete (i.e., the packet has matched a flow entry specifying to drop the packet or deliver the packet to its destination) )  and
assigning, by the processing system, the second packet to the first flow in response to the determining that the first second value matches the first tunnel identifier and that the value matches the first source port identifier,   (Jadhav-Paragraph 43 ,any subsequent network packet determined to match a previously identified traffic flow is assigned the flow ID of that traffic flow )    wherein the assigning is performed without determining whether any  values associated with any additional fields of the second header in addition to the tunnel identifier field and the source port identifier field match any identifiers of the plurality of fields in addition to the first tunnel identifier field and the first source port identifier field of the first packet.
Regarding packet inspection and matching, the Examiner notes where Zhang is not limited to analyzing and matching packets using every data field in the header space.  Zhang Paragraph 60 disclosed wherein analysis application(s) can use as input a flow region that spans the entire flow space (i.e., with every packet header field fully wildcarded), while other embodiments set certain fields (e.g., input ports). Furthermore Zhang Paragraph 92-93 disclosed the flow entries are organized in stages (e.g., ingress port mapping, one or more ACL stages, logical forwarding stages, tunneling stages, etc.), and the context register that identifies the stage is set to the value corresponding to the first stage upon input. Zhang Paragraph 95 disclosed wherein packet might be defined in the packet header representation (e.g., the input port and the context register).
just two header field values: tunnel identifier (ID) and source port.
The  Supreme Court in KSR International Co. v. Teleflex Inc.,   identified a number of rationales to support a conclusion of obviousness which are consistent with the proper "functional approach" to the determination of obviousness as laid down in Graham.  An exemplary rationale that may support a conclusion of obviousness is that of:  (G) Some teaching, suggestion, or motivation in the prior art that would have led one of ordinary skill to modify the prior art reference or to combine prior art reference teachings to arrive at the claimed invention. 
  	The Examiner notes that at the time of the effective filing date of the claimed invention it would have been obvious to a person of ordinary skill in the networking art to use only certain fields (and not all fields) for analysis of the flow space as indicated by Zhang Paragraph 60.  Furthermore it would have been obvious to use the Zhang tunnel identifier (ID) field and source port field in the analysis wherein the context register is indicating the tunneling stage.  The motivation for the said implementation would have been to enable identifying flow entries that can be removed from the system at the earliest possible/relevant stage that may provide significant benefit in terms of memory usage.
Regarding flow matching, the Examiner notes where Zhang is not relied upon to disclose (re. Claim 1) assigning, by the processing system, the second packet to the first flow in response to the determining that the first value matches the first tunnel identifier and that the second value matches the first source port identifier.
any subsequent network packet determined to match a previously identified traffic flow is assigned the flow ID of that traffic flow )   the second packet to the first flow in response to the determining that the first value matches the first tunnel identifier and that the second value matches the first source port identifier.
The Examiner notes that Jadhav Paragraph 43 disclosed wherein the generation of a flow ID to assign to a network packet may only take place when a network packet associated with a traffic flow is observed/received for the first time.  Any subsequent network packet determined to match a previously identified traffic flow is assigned the flow ID of that traffic flow.  Thus Jadhav disclosed (re. Claim 1) ‘wherein the assigning is performed without determining any additional values associated with the second packet’.


In regard to Claim 19
  Claim 19 (re. non-transitory computer-readable medium) recites substantially similar limitations as Claim 1.  Claim 19 is rejected on the same basis as Claim 1.
 In regard to Claim 20
  Claim 20 (re. device) recites substantially similar limitations as Claim 1.  Claim 20 is rejected on the same basis as Claim 1.
In regard to Claim 3
Zhang-Tian-Jadhav disclosed (re. Claim 3) wherein the first flow is characterized by the first tunnel identifier (Zhang- Paragraph 66, packet header data structure 700 includes   a tunnel ID (sometimes referred to as register 0) )   and the first source port identifier. (Zhang-Paragraph 67, layer 3 and layer 4 packet header fields (e.g., source and destination IP addresses, source and destination transport layer port numbers, transport protocol type ) 
In regard to Claim 4,21
Zhang-Tian-Jadhav disclosed (re. Claim 4,21) determining an offset (Tian- Figure 3, Paragraph 49, it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field ) of the tunnel identifier field of the header of the first packet (Zhang- Paragraph 66, packet header data structure 700 includes   a tunnel ID (sometimes referred to as register 0) )   and an offset of the source port identifier field of the header of the first packet. (Zhang-Paragraph 67, layer 3 and layer 4 packet header fields (e.g., source and destination IP addresses, source and destination transport layer port numbers, transport protocol type ) 
In regard to Claim 5
Zhang-Tian-Jadhav disclosed (re. Claim 5) wherein the offset of the tunnel identifier field comprises a number of data units from a start of the first packet to a start of the tunnel identifier field. (Zhang-Paragraph 53, bit range for analysis includes the first L bits of a packet that make up the packet header and M bits of metadata (e.g., register values, etc.) stored for the packet ) 
In regard to Claim 6
 bit range for analysis includes the first L bits of a packet that make up the packet header and M bits of metadata (e.g., register values, etc.) stored for the packet )
In regard to Claim 7
Zhang-Tian-Jadhav disclosed (re. Claim 7) wherein the first value is extracted from the second packet using the offset of the tunnel identifier field, (Tian- Figure 3, Paragraph 49, it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field ) and wherein the second value is extracted from the second packet using the offset of the source port identifier field. (Tian- Figure 3, Paragraph 49, it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field )
In regard to Claim 8
Zhang-Tian-Jadhav disclosed (re. Claim 8) obtaining a third packet;
extracting at least one value from the third packet in accordance with at least one of the offset of the tunnel identifier field or the offset of the source port identifier field; (Tian- Figure 3, Paragraph 49, it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field )  
determining that the at least one value does not match the at least one of the first tunnel identifier or the first source port identifier; (Tian- Paragraph 18, When failing to find a matching flow entry, the SDN switch may send the packet as the first packet of a flow, Figure 3, Paragraph 49, it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field )  and
determining that the third packet does not belong to the first flow in response to the determining that the at least one value does not match the at least one of the first tunnel identifier or the first source port identifier.(Jadhav-Paragraph 45, if it is determined that the network packet flow ID cannot be found within the flow ID table (e.g., the network packet flow ID does not match the flow ID included in any of the table entries of the flow ID table).. in determining that the flow ID for the network packet could not be found within the flow ID table, a new table entry is generated ) 
In regard to Claim 9
Zhang-Tian-Jadhav disclosed (re. Claim 9) assigning the third packet to a second flow in response to the determining that the third packet does not belong to the first flow. (Jadhav-Paragraph 45, if it is determined that the network packet flow ID cannot be found within the flow ID table (e.g., the network packet flow ID does not match the flow ID included in any of the table entries of the flow ID table).. in determining that the flow ID for the network packet could not be found within the flow ID table, a new table entry is generated )
In regard to Claim 10
Zhang-Tian-Jadhav disclosed (re. Claim 10) determining a second tunnel identifier (Zhang-Paragraph 66, packet header data structure 700 includes fields for the VLAN ID, source MAC address, destination MAC address, eight registers, and a tunnel ID (sometimes referred to as register 0). )    and a second source port identifier from a plurality of header fields of the third packet, (Zhang-Paragraph 67, layer 3 and layer 4 packet header fields (e.g., source and destination IP addresses, source and destination transport layer port numbers, transport protocol type ) wherein the second flow is characterized by the second tunnel identifier and the second source port identifier.

In regard to Claim 12
Zhang-Tian-Jadhav disclosed (re. Claim 12) wherein the source port identifier field comprises a transport layer protocol header field. (Zhang-Paragraph 67, layer 3 and layer 4 packet header fields (e.g., source and destination IP addresses, source and destination transport layer port numbers, transport protocol type ) 
In regard to Claim 13
Zhang-Tian-Jadhav disclosed (re. Claim 13) wherein the transport layer protocol header field comprises: a uniform datagram protocol header field; or a transmission control protocol header field.(Zhang-Paragraph 24, Ethernet frames, TCP segments, UDP datagrams, IP packets ) 
In regard to Claim 17
 Zhang-Tian-Jadhav disclosed (re. Claim 17) wherein the first packet and the second packet are obtained from a network tap deployed on at least one link of a telecommunication network. (Jadhav-Paragraph 30,a segment enforcer (112X, 112Y, 112Z) may be deployed  on  a network device with a switch port analyzer (SPAN) port, a network device with a test access point (TAP) port) ) 
 


Claims 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (USPGPUB 2015/0016279) further in view of Tian (USPGPUB 2018/0048593) further in view of Jadhav (USPGPUB 2018/0063178) further in view of Hsu (USPGPUB 2015/0215841)
In regard to Claim 11
While Zhang-Tian-Jadhav substantially disclosed the claimed invention Zhang-Tian-Jadhav does not disclose (re. Claim 11) wherein the first tunnel identifier comprises a general packet radio service tunnel identifier.
Hsu Paragraph 37 disclosed wherein the communication sessions to which different subsets of traffic entering network switch 118 belong can be identified using GTP correlation cluster (GCC) 120.
Hsu disclosed (re. Claim 11) wherein the first tunnel identifier comprises a general packet radio service tunnel identifier.(Hsu-Paragraph 4, GPRS Tunneling Protocol (GTP) is a group of Internet Protocol (IP)-based communications protocols used to carry packets conforming to the GPRS standard within GSM, UMTS and LTE networks. , Paragraph 71, GCC 120 can create session map 204 to map the particular GTP-C packet's IMSI to designated attributes such as a source IP address, a destination IP address, a transmission control protocol (TCP) port, and a tunnel identifier (TEID) specified in the particular GTP-C packet.) 
Zhang,Tian,Jadhav and Hsu are analogous art because they present concepts and practices regarding packet flow management.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Hsu into Zhang-Tian-Jadhav.  The motivation for the said combination would have been to enable ensuring a network switch will forward copies of non-control packets belonging to a particular communication session to the same analytic server even if address pairs of non-control packets within that particular communication session differ due to mobile device movement. (Hsu-Paragraph 47)

Claims 14-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (USPGPUB 2015/0016279) further in view of Tian (USPGPUB 2018/0048593) further in view of Jadhav (USPGPUB 2018/0063178) further in view of Whiteside (US Patent 10033613).
In regard to Claim 14
Zhang-Tian-Jadhav disclosed (re. Claim   14)   extracting the first value and the second value from the second packet.  (Tian- Figure 3, Paragraph 49, it is determined that match fields of the flow entry include an offset match field, then a field is extracted from a received packet according to a match position of the offset match field and the number of bytes indicated by a match length of the offset match field )  

While Zhang-Tian-Jadhav substantially disclosed the claimed invention Zhang-Tian-Jadhav does not disclose (re. Claim 14) wherein the performed within a defined time window from the assigning of the first packet to the first flow.
Whiteside disclosed wherein flow caching involves storing information about packet flows, which can be derived from the packets seen at a network node. The information stored for the packet flows may include information identifying the packet flow, and/or statistics about the packet flow.
Whiteside Column 14 Lines 25-40 disclosed data collection interval may initially be set to an initial value that is estimated to be reasonable. The interval may then be adjusted each time the large flow data memory 364 is read. In some implementations, the interval may be increased or decreased in one second increments or increments of a fraction of a second, or in gradually decreasing increments (e.g., one second, one half second, one quarter second, one eight second, etc.). In some cases, the increment may be increased when it is found that the interval has needed to be adjusted in the same direction more than once in a row. Ideally, the interval should be adjusted until there are no overflows or collision errors.
Whiteside disclosed (re. Claim 14) wherein the performed within a defined time window from the assigning of the first packet to the first flow. (Whiteside-Column 14 Lines 25-40, data collection interval may initially be set to an initial value that is estimated to be reasonable ) 


In regard to Claim 15
Zhang-Tian-Jadhav-Whiteside disclosed (re. Claim 15) reducing the defined time window (Whiteside- Column 14 Lines 25-40,  the interval may be increased or decreased in one second increments or increments of a fraction of a second, or in gradually decreasing increments )  when a collision probability between the first flow and at least a second flow exceeds a collision probability threshold.(Whiteside-Column 15 Lines 10-20, When there were too many collision errors… the threshold may be reduced, Column 19 Lines 5-15, error statistics may keep track of  the number of times a collision was seen for this data entry, and/or an approximation of how many individual flows collided on this data entry )
Claims 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (USPGPUB 2015/0016279) further in view of Tian (USPGPUB 2018/0048593) further in view of Jadhav (USPGPUB 2018/0063178) further in view of Whiteside (US Patent 10033613) further in view of Padiyar (US Patent 8160089).
In regard to Claim 16

Padiyar Column 7 Lines 20-35 disclosed obtaining the number of collisions over a predetermined period of time, also referred to as a collision rate. The driver 204 adjusts the current IPG value by a step size and sets the device 202 to a new IPG value. The driver 204 waits a select period of time and again retrieves the number of collisions over a the period of time from the network device 202. If the number of collisions or the new collision rate is reduced, the newer IPG value is maintained, otherwise, the previous IPG value is re-written to the device. The driver 204 can make additional adjustments until a range of possible IPG values are employed and tested and can then select one that is suitable (e.g., the IPG value that provided the lowest number of collisions). Alternately, the driver 204 can make additional adjustments until an IPG value is obtained that yields a suitable collision rate.
Padiyar disclosed  (re. Claim 16) wherein the collision probability comprises a rate (Padiyar- Column 7 Lines 20-35,obtaining the number of collisions over a predetermined period of time, also referred to as a collision rate )  at which packets from the at least the second flow comprising the first tunnel identifier and the first source port identifier are detected within the defined time window.
 Zhang,Tian,Jadhav and Padiyar are analogous art because they present concepts and practices regarding packet flow management.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Padiyar into .
Claims 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (USPGPUB 2015/0016279) further in view of Tian (USPGPUB 2018/0048593) further in view of Jadhav (USPGPUB 2018/0063178) further in view of Ishikawa (USPGPUB 2017/0353478)
In regard to Claim 18
While Zhang-Tian-Jadhav substantially disclosed the claimed invention Zhang-Tian-Jadhav does not disclose (re. Claim 18) wherein the first packet and the second packet are hashed to a destination queue of a plurality of destination queues, wherein the destination queue is assigned to a single thread of the processing system.
Ishikawa Paragraph 161 disclosed wherein network tap 110 is configured to detect packets that are possibly an attack or an attack sign, and to output the detected packets to mirror ports 132U-1 to 132U-n.

Ishikawa disclosed (re. Claim 18) wherein the first packet and the second packet are hashed  (Ishikawa- Paragraph 147, packet transmitting module 109 outputting mirror packets to each mirror port 132 based on a round-robin method or a hash method for each attack type) to a destination queue of a plurality of destination queues, (Ishikawa- Paragraph 130, queue accumulation judgment module 10931 is configured to judge in which queue the packet information 260 is to be accumulated. The queue 10932 includes four queues for each mirror port 132  )  wherein the destination queue is assigned to a single thread of the processing system.
Zhang,Tian,Jadhav and Ishikawa are analogous art because they present concepts and practices regarding packet flow management.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Ishikawa into Zhang-Tian-Jadhav.  The motivation for the said combination would have been to enable handling different attack types, refining the attack types to a certain extent based on primary screening by the packet relay apparatus, and dividing packets after the screening among the analyzers based on the attack type to be handled by each analyzer.(Ishikawa-Paragraph 8)



Conclusion

Examiner’s Note: In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Please refer to the enclosed PTO-892 form.
 


 Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREG C BENGZON whose telephone number is (571)272-3944.  The examiner can normally be reached on Monday - Friday 8 AM - 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on (571) 272-3964.  The fax phone 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


	/GREG C BENGZON/           Primary Examiner, Art Unit 2444