DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1 and 3-20 are pending.
The claim objections have been withdrawn in view of the claim amendments.
The 101 rejection has been withdrawn upon further consideration.
The nonstatutory double patenting rejection has been withdrawn in view of the approval of the Terminal Disclaimer filed on 06/30/22.

Terminal Disclaimer
The terminal disclaimer filed on 06/30/22 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of US Patent No. 10505828 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Examiner’s Amendment
An Examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicants, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner’s amendment was given in a discussion with Scott Watkins on 06/29/22.
The application has been amended as follows:
1. 	(Currently Amended) A method comprising: 
receiving, from a plurality of capturing agents deployed in a plurality of devices, data generated based on traffic at the plurality of devices, the data being captured at a virtualization layer that includes a hypervisor, a first one of the plurality of devices including a leaf switch in a spine-leaf network fabric, and a second one of the plurality of devices includes a host of [[a]] the hypervisor coupled with the spine-leaf network fabric via the leaf switch; 
comparing characteristics of the data to determine a difference in the characteristics; and 
based on the difference, determining a state of at least one of the plurality of capturing agents, 
wherein, 
the data is generated based on observed data, statistics, and/or metadata about one or more packets, flows, communications, processes, events, and/or activities at the plurality of devices.

3. 	(Currently Amended) The method of claim [[2]] 1, wherein, the state includes unauthorized activity, and the characteristics includes amounts of traffic captured at the virtualization layer.

7. 	(Currently Amended) The method of claim 1, wherein the determining the state includes: 
determining a first traffic pattern for 
determining a second traffic pattern for 
determining a third traffic pattern for 
determining a fourth traffic pattern for 
comparing the first traffic pattern with the third traffic pattern to identify a first traffic pattern delta between the first traffic pattern and the third traffic pattern; 
comparing the second traffic pattern with the fourth traffic pattern to identify a second traffic pattern delta between the second traffic pattern and the fourth traffic pattern; 
determining whether the first traffic pattern delta or the second traffic pattern delta exceed a delta threshold; 
when the first traffic pattern delta exceeds the delta threshold, determining a first one of the plurality of capturing agents is in the state; and 
when the second traffic pattern delta exceeds the delta threshold, determining a second one of the plurality of capturing agents is in the state.

8. 	(Currently Amended) The method of claim 7, wherein: 
the first traffic pattern delta comprises a first delta in at least one of:  
a first amount of traffic captured during the first period of time and the second period of time; or 
a first frequency of 
the second traffic pattern delta comprises a second delta in at least one of:
a second amount of traffic captured during the first period of time and the second period of time; or 
a second frequency of 

15. 	(Currently Amended) A system comprising: 
one or more processors; and 
one or more computer-readable storage devices having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising: 
receiving, from a plurality of capturing agents deployed in a plurality of devices, data generated based on traffic at the plurality of devices, the data being captured at a virtualization layer that includes a hypervisor, a first one of the plurality of devices including a leaf switch in a spine-leaf network fabric, and a second one of the plurality of devices includes a host of [[a]] the hypervisor coupled with the spine-leaf network fabric via the leaf switch; 
comparing characteristics of the data to determine a difference in the characteristics; and 
based on the difference, determining a state of at least one of the plurality of capturing agents, 
wherein, 
the data is generated based on observed data, statistics, and/or metadata about one or more packets, flows, communications, processes, events, and/or activities at the plurality of devices.

16. 	(Currently Amended) The system of claim 15, 
wherein, 
the characteristics includes amounts of traffic captured at the virtualization layer; and 
the determining of the state includes: 
determining an indication of a threshold discrepancy between a first amount of traffic captured at the host and a second amount of traffic captured at a leaf switch; and 
determining that the threshold discrepancy is at least partially a result of unauthorized activity at 

20. 	(Currently Amended) A computer-readable storage device storing instructions which, when executed by a processor, cause the processor to perform operations comprising: 
receiving, from a plurality of capturing agents deployed in a plurality of devices, data generated based on traffic at the plurality of devices, the data being captured at a virtualization layer that includes a hypervisor, a first one of the plurality of devices including a leaf switch in a spine-leaf network fabric, and a second one of the plurality of devices includes a host of [[a]] the hypervisor coupled with the spine-leaf network fabric via the leaf switch; 
comparing characteristics of the data to determine a difference in the characteristics; and 
based on the difference, determining a state of at least one of the plurality of capturing agents, 
wherein, 
the data is generated based on observed data, statistics, and/or metadata about one or more packets, flows, communications, processes, events, and/or activities at the plurality of devices.

Allowance
Claims 1 and 3-20 are allowed.

Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in independent claims 1, 15, and 20: “receiving, from a plurality of capturing agents deployed in a plurality of devices, data generated based on traffic at the plurality of devices, the data being captured at a virtualization layer that includes a hypervisor, a first one of the plurality of devices including a leaf switch in a spine-leaf network fabric, and a second one of the plurality of devices includes a host of the hypervisor coupled with the spine-leaf network fabric via the leaf switch”, “comparing characteristics of the data to determine a difference in the characteristics”, and “based on the difference, determining a state of at least one of the plurality of capturing agents” in combination with other limitations as a whole and in the context recited in the claims.
	Dependent claims are allowed as they depend from allowable independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:00 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436