DETAILED ACTION
Office Action Summary
Claims 1-20 are pending in the instant application.
Claims 1-20 are rejected under 35 USC § 103.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Jing (CN 110113349) (ART furnished in IDS 5/11/2021), hereinafter referred to as Jing, in view of Harrell (US Pre-Grant Publication No: 2019/349403), hereinafter referred to as Harrell, and further in view of Mcgrew et al. (EP 3 382 960) (ART furnished in IDS 5/11/2021), hereinafter referred to as Mcgrew.

As per claim 1, Jing teaches A method comprising: establishing, by a telemetry exporter in a network, a 
obtaining, by the telemetry exporter, packet copies of a plurality of packets sent between devices via the network; (Jing, [0006], [0013] and [0016])
forming, by the telemetry exporter, a set of traffic telemetry data by discarding at least a portion of one or more of the packet copies, based on a filter policy; (Jing, [0006], [0009], [0010] and [0013])

But Jing does not teach using a tunnel for communication, or applying, by the telemetry exporter, compression to the formed set of traffic telemetry data.
However, Harrell [0046] and [0066] teaches using a tunnel for communication between sender and receiver.
It would have been obvious to one having ordinary skill in the art, before the effective filing date of the claimed invention, to modify the invention of Jing with the method of Harrell, which uses a tunnel for communication, as using tunnels is a known secure way to transmit data.
And Mcgrew [0031] teaches using compression in order to transmit data.
It would have been obvious to one having ordinary skill in the art, before the effective filing date of the claimed invention, to modify the invention of Jing with the method of Mcgrew, which uses compression, as sending compressed data helps save bandwidth and is a known way to modify data.

As per claim 2, Jing in view of Harrell and Mcgrew teaches The method as in claim 1, wherein the plurality of packets are encrypted, and wherein the traffic analysis service uses a machine learning-based classifier to classify the set of traffic telemetry data. (Jing, [0001], [0003])

As per claim 3, Jing in view of Harrell and Mcgrew teaches The method as in claim 1, wherein the discarded portion of the one or more packet copies comprises a payload of that packet copy. (Jing, [0003], [0006] and [0013])

As per claim 4, Jing in view of Harrell and Mcgrew teaches The method as in claim 1, wherein the filter policy specifies one or more packet headers of the packet copies to be included in the set of traffic telemetry data. (Jing, [0003], [0006] and [0013])

As per claim 5, Jing in view of Harrell and Mcgrew teaches The method as in claim 5, wherein the filter policy further specifies that Transport Layer Security (TLS) handshake records in the packet copies should be included in the set of traffic telemetry data. (Jing, [0003], [0006] and [0013])

As per claim 6, Jing in view of Harrell and Mcgrew teaches The method as in claim 5, wherein the filter policy further specifies that Domain Name System (DNS) responses in the packet copies should be included in the set of traffic telemetry data. (Jing, [0003], [0006] and [0013]; DNS information is well-known information used in network communication)

As per claim 7, Jing in view of Harrell and Mcgrew teaches The method as in claim 1, wherein applying compression to the formed set of traffic telemetry data comprises: applying header 

As per claim 8, Jing in view of Harrell and Mcgrew teaches The method as in claim 1, wherein the filter policy further specifies that packet copies of initial Transmission Control Protocol (TCP) packets from the plurality of packets that were sent prior to an acknowledgement should be included in the set of traffic telemetry data. (Jing, [0003], [0006] and [0013]; TCP packets are well known and used in network communication)

As per claim 9, Jing in view of Harrell and Mcgrew teaches The method as in claim 1, further comprising: dynamically adjusting, by the telemetry exporter, the filter policy, based on an instruction received from the traffic analysis service. (Jing, claim 5)

Claims 11-19 teach the apparatus claims that correspond to the method claims 1-9 and are rejected using the same rationale.
Claim 20 teaches the non-transitory, computer-readable medium that corresponds to the method claims 1-9 and is rejected using the same rationale.

Other Related Art
Sood (US 20180341494) teaches “Generally discussed herein are systems, devices, and methods for network security monitoring (NSM). A hardware queue manager (HQM) may include an input interface to receive first data from at least a first worker thread, queue duplication circuitry to generate a copy of at least a portion of the first data to create first copied data, and an output interface to (a) 
Janakiraman (US 20150372910) teaches “A network sensor that features a data store and a packet processing engine. In communication with the data store, the packet processing engine comprises (1) a cache management logic and (2) deduplication logic. The cache management logic is configured to analyze packets to determine whether (a) a packet under analysis include duplicated data and (b) content of the packet is targeted for storage in a same continuous logical storage area as the duplicated data. The deduplication logic, when activated by the cache management logic, is configured to generate a deduplication reference for insertion into the packet prior to storage.”
Nanda (US 20160191545 A1) teaches “The disclosed computer-implemented method for monitoring virtual networks may include (1) identifying a virtual network containing at least one virtualized switching device that routes network traffic from a source port within the virtual network to a destination port, (2) providing, within the virtualized switching device, a set of software-defined network rules containing criteria for identifying packets having at least one predetermined property associated with a security policy, (3) intercepting, at the source port, a packet destined for the destination port, (4) determining that at least one characteristic of the packet satisfies at least one of the rules, and (5) in response to determining that the characteristic of the packet satisfies at least one of the rules, forwarding a copy of the packet to a virtual tap port that analyzes the packet for security threats. Various other methods, systems, and computer-readable media are also disclosed.”
Knapp (US 20100050256 A1) teaches “A computer-based method for providing information about a potential security incident ascertained from received internet protocol (IP) packets is described. The method includes capturing IP packets from a computer network, stripping packet header data from the captured IP packets, reviewing the stripped packet header data for multiple occurrences of matching 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIMON P KANAAN whose telephone number is (571)270-3906.  The examiner can normally be reached on M-F (7AM-4PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SIMON P KANAAN/Primary Examiner, Art Unit 2492