1. Field of the Invention
The present invention relates generally to tools for network performance and protocol analysis, and more specifically to a user interface and method for visually displaying information about packet traces in a network environment, using thread diagrams.
2. Description of Background Art
Conventional network protocol analysis tools, such as Sniffer Basic by Network Associates, Inc. (www.nai.com), evaluate network performance with respect to the transfer of individual packets across network connections. For example, packet transfer times can be measured and aggregated into a performance metric. Such analysis is generally able to provide detailed information regarding a network protocol at the packet level.
However, in many situations, analysis of application-level behavior is desired. For example, one may wish to analyze the behavior of an application such as a web browser, which makes use of a network protocol, in order to determine whether the performance of the application is satisfactory, and to diagnose problems in application-level behavior.
Application-level behavior can be extracted from packet-level analysis by pruning a protocol analyzer trace to determine the application level information that is of interest. Information relevant to a particular transaction or communication must be extracted and synthesized from the packet-level data. Such a technique is time-consuming and often yields inaccurate results.
In addition, such a technique fails to provide any easy-to-use graphical user interface for viewing application-level protocol analysis data. Thus, the technique fails to provide the viewer of the output with the necessary information, presented in a coherent manner, for diagnosing and solving network protocol deficiencies and problems.
What is needed is a method and user interface for displaying network performance and protocol analysis results in a coherent and visually understandable manner. What is further needed is a method and user interface for accurately providing application-level protocol analysis without requiring time-consuming analysis of packet-level trace information.
The present invention overcomes the limitations of conventional network analyzer software products by providing a user interface and computer-implemented method that employs graphical techniques to enable the user to quickly identify performance problems in network traffic and application behavior, including parallelism faults, timing gaps, and the like.
The user interface of the present invention operates as part of a network analyzer software product coupled to a network having a plurality of nodes. The nodes transmit packets of data between them, which packets are monitored by the network analyzer. The user interface comprises a time axis listing a plurality of times. These times may be listed in any useful time format, whether absolute or relative time (with respect to some arbitrary starting time). The user interface further includes a plurality of thread names listed along a second axis that is perpendicular to the time axis. Each thread name is associated with a thread, which includes at least one sequence of packets transmitted between two or more nodes and forming a discrete transaction between the nodes. The present invention determines which packets belong in a particular thread by analyzing the stream of packets and making a protocol-specific determination of the packets that should be grouped together.
In general, a transaction consists of an application-level communication between two nodes. Thus, a request by one node for a file stored at a second node, and the subsequent delivery of the requested file, can be considered a single transaction, and can therefore be represented as a single thread. More specifically, in the Hypertext Transfer Protocol (HTTP), a GET request by a client browser and the delivery of the requested web page together form a single thread, even though there are at least two discrete sequences of packets. The sequence of packets that makes up a thread need not be contiguous, as a single node may participate in several different threads at the same time. For example, a server node may be serving numerous different client nodes at the same time, and thus have a distinct thread occurring with each of the clients, with the packets being serially transmitted and received by the server node belonging to these many different threads.
The plurality of thread names are listed according to a sequence of threads between the nodes of the network. Each thread name is further associated with a thread graphic in the user interface. Each thread graphic begins at the time of a first packet in the associated thread and extends parallel to the time axis to the time of a last packet in the associated thread. The thread graphic thus shows the overall duration of the associated thread, along with its starting and ending times. A thread graphic may be color-coded with respect to various quantitative measures, such as its total size, average packet size, number of packets, number of bytes, and so forth, or qualitative aspects, such as protocol type. Color-coding, or other distinctive visual features, may also be provided for other relevant quantitative values or qualitative characteristics of the thread.
Since several thread names are listed, and each one has its associated thread graphic showing its duration and its beginning and end, the user can readily see when one thread ends or begins with respect to any other thread. This makes it very simple to identify parallelism faults, where multiple different threads are occurring concurrently between the same two nodes, or gaps between the end of one thread and the beginning of another (indicating a loss of optimum bandwidth utilization). These types of problems degrade network or application performance, and their diagnosis can be vital to improving application operation.
In addition, the user interface of the present invention makes clear the interdependence among different parts of a networked application, and facilitates thread grouping in an interactive, dynamic manner. The user is also able to quickly narrow down an area of interest by zooming.
The present invention thus facilitates analysis of packet-level operational characteristics in a packet trace that groups packets into a coherent, application-level structure.
A method in accordance with the present invention includes receiving a plurality of packets on a network, identifying in the packets a plurality of threads between pairs of nodes on the network, displaying a time axis including a plurality of times, listing the names of the threads perpendicular to the time axis, and then, for each thread name, displaying a thread graphic beginning, with respect to the time axis, at a time of a first packet in the sequence of packets of the thread, and ending at the time of a last packet in the sequence of packets. The method may also implement thread grouping as specified by the user.
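The following is an added illustration of the method summarized above and of the parallelism and gap checks described earlier; it is not code from the patent. It assumes a simplified HTTP-like trace in which each transaction uses its own client port, so the grouping rule, the packet tuple layout, and the function names are all hypothetical.

```python
from collections import defaultdict

# Constructed sample trace: (time_s, src, dst, client_port, summary)
PACKETS = [
    (0.00, "client", "server", 1025, "GET /index.html"),
    (0.05, "server", "client", 1025, "200 OK"),
    (0.10, "client", "server", 1026, "GET /logo.gif"),
    (0.12, "server", "client", 1025, "data"),
    (0.20, "server", "client", 1026, "200 OK"),
    (0.80, "client", "server", 1027, "GET /style.css"),
    (0.90, "server", "client", 1027, "200 OK"),
]

def build_threads(packets):
    """Group packets into threads. Assumed rule: same node pair + client port."""
    threads = {}
    for t, src, dst, port, summary in sorted(packets):
        key = (frozenset((src, dst)), port)
        th = threads.setdefault(key, {"name": summary, "nodes": key[0],
                                      "start": t, "end": t})
        th["end"] = t  # last packet seen so far closes the thread graphic
    return sorted(threads.values(), key=lambda th: th["start"])

def find_faults(threads):
    """Per node pair, report concurrent threads and idle gaps between threads."""
    overlaps, gaps, by_pair = [], [], defaultdict(list)
    for th in threads:
        by_pair[th["nodes"]].append(th)
    for group in by_pair.values():
        latest = group[0]  # thread with the latest end time so far
        for cur in group[1:]:
            if cur["start"] < latest["end"]:
                overlaps.append((latest["name"], cur["name"]))
            elif cur["start"] > latest["end"]:
                gaps.append((latest["name"], cur["name"],
                             round(cur["start"] - latest["end"], 3)))
            if cur["end"] > latest["end"]:
                latest = cur
    return overlaps, gaps

def render(threads, width=40):
    """One text row per thread name; the bar spans first to last packet time."""
    t0 = threads[0]["start"]
    span = (max(th["end"] for th in threads) - t0) or 1.0
    rows = []
    for th in threads:
        a = int((th["start"] - t0) / span * width)
        b = max(a + 1, int((th["end"] - t0) / span * width))
        rows.append(f'{th["name"]:<18}|{" " * a}{"#" * (b - a)}')
    return rows
```

Printing "\n".join(render(build_threads(PACKETS))) gives a text-mode thread diagram in which the overlap of the first two requests and the idle period before the third are visible at a glance.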