This invention relates to packet oriented multi-port bridges and routers and, in particular, to the monitoring of packet traffic arriving at the bridges and routers or generated internally.
Multi-port bridges and routers allow the connection of two or more packet-based networks of possibly different types. Information in such networks is transmitted by means of packets, each containing data and appropriate addressing information. The purpose of the bridge or router is to relay packets between network segments (a process called forwarding) so that stations connected to different network segments may communicate. An example of a packet-based network protocol is that implemented by the IEEE 802.3 Ethernet standard.
Larger networks can be built by using multiple bridges, routers, or combinations thereof, and the extent and topology of a multi-bridge or multi-router network can be quite complex. Even small single-bridge networks can exhibit complex behavior which may affect performance, security or other aspects of network operations. Analysis of such issues and their correction is usually the responsibility of a network manager, who must examine transmissions on the network and make adjustments to network parameters.
Monitoring of packet networks can be carried out with monitoring devices such as Sniffer(trademark) from Network General of Menlo Park, Calif. or LANalyzer(trademark) from Novell, Inc. of Provo, Utah. These devices are connected to the network medium, such as coaxial cable, and examine each network transmission regardless of the actual destination of the packets. Typically, network monitors provide the capability of filtering the examined transmission so that only packets with properties of interest to the network manager are captured or displayed. Facilities are usually provided to gather statistics, such as error rates, traffic between stations or groups of stations and so forth, as well as the packets themselves. Because of the need to capture and analyze large amounts of data, and the potential complexity of filtering, network monitors are expensive relative to other network components such as stations or bridges.
A serious limitation of prior-art network monitors is that the monitor must be connected physically to the network segment to be monitored. In a multi-port bridge where several network segments are connected by a bridge, it is only possible to examine one of the attached network segments at a time since the bridge isolates the physical media of the network segments. A further limitation is that the network monitor is not able to easily differentiate packets originating on the attached network segment and those originating on other network segments attached to the bridge and forwarded to the monitored network segment, especially if the packets have wrong addresses due to malfunction or sabotage. A router, moreover, replaces the source address of the packet by the router address, which makes it even more difficult for the network monitor to determine where the packet originated. In particular, it may be difficult or impossible for the monitor to isolate, for example, all the packets originating on a selected network segment.
One prior art approach to overcoming the limitation of connecting the monitor to only one network segment is the Distributed Sniffer(trademark) from Network General. Each Sniffer is a network monitor coupled to a processing element that can be controlled over the network. If several network segments attached to a bridge are to be monitored, then one Distributed Sniffer must be attached to each physical network segment. Operation of each Distributed Sniffer can be controlled over the network from a network-attached station using an upper level protocol such as TELNET. With this approach, one station located on any attached network segment can view results obtained from each Distributed Sniffer. The clear disadvantage of this approach is the cost of multiple Sniffers. A further shortcoming is a limited ability to correlate information gathered on different Sniffers. In particular, a Sniffer detecting a packet may be unable to determine the network segment on which the packet originated even if that network segment is connected to another Sniffer which has detected the packet, because the two Sniffers may be unable to determine whether the packet they have detected is the same packet or two different packets.
Additionally, each Distributed Sniffer must use some portion of the bandwidth of the monitored network to send information to the monitoring station, and thus the performance of the monitored network is affected.
According to the invention, monitoring of any or all network segments on a multi-port bridge or router may be carried out from a network segment on one port, referred to as a monitoring port. Packets of a selected network segment attached to a port designated as the monitored port are forwarded to their normal destination ports, if any, and also to the monitoring port. Monitored ports and monitoring ports may be specified in any number, thus allowing, for example, packet traffic from several ports to be simultaneously monitored at one port. To carry out monitoring, a network monitor of conventional design may be connected to the monitoring port and will thus be able to view traffic just as if it were connected directly to a monitored port.
Port monitoring is enabled, disabled and specified via a supervisory access terminal attached to the bridge or router. Alternately, these supervisory functions are carried out from any network-attached terminal using well-known protocols. Using the supervisory access terminal, the network manager is able to define the type of traffic to be copied to the monitoring port. Several traffic types are allowed, for example, monitoring of all packets incoming to a selected port, all packets forwarded to a selected port or all packets generated within the bridge or router and then transmitted on a selected port. In particular, the packets originating on a selected network segment can be isolated for viewing on the network monitor. Further, the monitoring of traffic forwarded between selected pairs of ports is allowed.
Forwarding of a packet from a monitored port to a monitoring port does not require the packet to be copied from one place to another in the bridge's internal buffer memory. Instead, an indirect scheme is specified that allows a packet to be sent to one or more destination ports without moving the packet. Internal data structures are defined to support efficient packet forwarding and to define the ports to which a packet should be forwarded under various circumstances. The data structures are intended to promote efficient forwarding and also to support simple and regular modification when a port monitoring command is issued from the supervisory access terminal.
Efficiency is also promoted through the use of a Bridging Cache that stores recent forwarding decisions for possible use in the near future.
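The following Python model is an added illustration of the scheme described in the preceding paragraphs; it is not code from the patent, and the port numbers, rule names, MAC addresses and frames in it are assumptions constructed for the example. It shows the four traffic types named above (all packets incoming on a port, all packets forwarded to a port, bridge-generated packets transmitted on a port, and packets forwarded between a selected pair of ports), the indirect forwarding in which a frame is buffered once and described by a port bitmask rather than copied per port, and a bridging cache keyed on the forwarding inputs that is invalidated whenever learning or a monitoring command changes the result.

```python
"""Toy model of port monitoring in a multi-port bridge (added example,
not the patent's implementation; all ports, MACs and frames are assumed)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Frame:
    src: str        # source MAC (constructed sample values below)
    dst: str        # destination MAC
    payload: bytes


class Bridge:
    def __init__(self, nports: int):
        self.nports = nports
        self.fdb: Dict[str, int] = {}          # learned MAC -> port
        self.buffers: List[Frame] = []         # every frame is stored exactly once
        # Monitoring rules: monitored key -> set of monitoring ports.
        self.mon_in: Dict[int, Set[int]] = {}        # all packets incoming on port
        self.mon_out: Dict[int, Set[int]] = {}       # all packets forwarded to port
        self.mon_internal: Dict[int, Set[int]] = {}  # bridge-generated packets sent on port
        self.mon_pair: Dict[Tuple[int, int], Set[int]] = {}  # forwarded from a to b
        # Bridging cache: (in_port, src, dst) -> output port bitmask.
        self.cache: Dict[Tuple[int, str, str], int] = {}
        self.cache_hits = 0

    def monitor(self, kind: str, monitored, monitoring: int) -> None:
        """Supervisory command: copy traffic of the given kind to `monitoring`."""
        table = {"in": self.mon_in, "out": self.mon_out,
                 "internal": self.mon_internal, "pair": self.mon_pair}[kind]
        table.setdefault(monitored, set()).add(monitoring)
        self.cache.clear()   # cached decisions no longer include the new monitoring port

    @staticmethod
    def ports(mask: int) -> FrozenSet[int]:
        """Expand a port bitmask into the set of port numbers."""
        return frozenset(p for p in range(mask.bit_length()) if (mask >> p) & 1)

    def _decide(self, in_port: int, frame: Frame) -> int:
        """Normal destinations (lookup or flood) plus all applicable monitoring ports."""
        if frame.dst in self.fdb:
            dests = {self.fdb[frame.dst]}
        else:
            dests = set(range(self.nports))        # unknown destination: flood
        dests.discard(in_port)                     # never send back out the arrival port
        monitors: Set[int] = set(self.mon_in.get(in_port, ()))
        for d in dests:
            monitors |= self.mon_out.get(d, set())
            monitors |= self.mon_pair.get((in_port, d), set())
        monitors.discard(in_port)                  # a monitor on the arrival segment already saw it
        mask = 0
        for p in dests | monitors:
            mask |= 1 << p
        return mask

    def receive(self, in_port: int, frame: Frame) -> Tuple[int, FrozenSet[int]]:
        """Buffer the frame once; return (buffer index, ports that must transmit it)."""
        if self.fdb.get(frame.src) != in_port:
            self.fdb[frame.src] = in_port          # learn or relocate the source
            self.cache.clear()                     # earlier flood decisions may now be wrong
        key = (in_port, frame.src, frame.dst)
        if key in self.cache:
            self.cache_hits += 1
            mask = self.cache[key]
        else:
            mask = self._decide(in_port, frame)
            self.cache[key] = mask
        self.buffers.append(frame)
        return len(self.buffers) - 1, self.ports(mask)

    def transmit_internal(self, out_port: int, frame: Frame) -> Tuple[int, FrozenSet[int]]:
        """Bridge-generated packet sent on out_port, copied to its internal monitors."""
        mask = 1 << out_port
        for p in self.mon_internal.get(out_port, ()):
            mask |= 1 << p
        self.buffers.append(frame)
        return len(self.buffers) - 1, self.ports(mask)


if __name__ == "__main__":
    # Constructed scenario: host aa on port 0, host bb on port 1, monitor on port 3.
    b = Bridge(4)
    b.monitor("in", 0, 3)
    print(b.receive(0, Frame("aa", "bb", b"x")))   # flood {1,2,3}, port 3 is also the monitor
    print(b.receive(1, Frame("bb", "aa", b"y")))   # {0}: no rule covers traffic arriving on port 1
    print(b.receive(0, Frame("aa", "bb", b"z")))   # {1,3}: learned destination plus monitor
```

The model ignores link rate: mirroring several monitored ports, or both directions of a pair, onto one monitoring port can offer that port more traffic than it can carry, and a real implementation must decide whether mirror copies or normal forwarding are dropped in that case. Invalidating the whole cache on any learning or monitoring change is the simplest way to keep cached results correct; a finer scheme would drop only entries whose inputs the change affects.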
It is therefore an object of this invention to allow a port monitoring device located on one port to monitor traffic on any other port or ports of the bridge or router.
A further object is to allow selection of the type of packet traffic to be monitored.
It is another object of the invention to controllably restrict monitoring to those packets forwarded from one selected port to another selected port.
Another object of the invention is to "transmit" a single packet to multiple ports in an efficient manner and without the need to make multiple copies of the packet itself.
Yet another object of the invention is to promote an efficient way to carry out the forwarding computations.
It is also an object of the invention to improve the performance of the forwarding computation by caching recent forwarding results in anticipation that they will be used in the near future.
Other objects and features of the invention are described below.