The present invention relates generally to the field of diagnostic equipment for computer networks. More specifically, the present invention relates to an indexing system for protocol analyzers that provides a more efficient and effective interface to display and manipulate large amounts of trace data from computer data and storage networks.
As the capacity and complexity of computer networks continues to increase, there is an ever-increasing need for diagnostic equipment that can efficiently monitor and diagnose problems with these networks. In a computer network, data is communicated across the network according to a particular interface language or xe2x80x9cprotocol.xe2x80x9d A protocol analyzer is a diagnostic device that can be connected to a computer network in order to record or xe2x80x9ctracexe2x80x9d data communicated across that network in an effort to capture information about performance and/or potential problems on the network.
The requirements and capacity of a protocol analyzer will depend upon the protocol and configuration of the network to which it is to be attached. In computer networks, protocol analyzers traditionally have been designed for a given communication interface protocol that will be used either in a computer data network involving communications among computer systems (these networks transmitted relatively smaller amounts of data sent over longer distances at relatively slower speeds), or in a storage channel network involving communications between a computer and an associated storage system (these networks transmitted relatively larger amounts of data sent over shorter distances at relatively faster speeds). Examples of protocol analyzers for computer data networks include the Domino(trademark) analyzer from Wavetek, Wandel and Goltermann that is the subject of U.S. Pat. No. 5,850,388, the LAN900 expert protocol analyzer from Digitech and the AX/4000 broadband test system from Adtech. Generally, protocol analyzers for computer data networks have been more concerned with capturing statistical trend and occurrence information as, for example, described in U.S. Pat. Nos. 5,434,845 and 5,740,355. Examples of protocol analyzers for storage channel networks include the IFC-20 Fibre Channel analyzer from I-TECH Corp., the assignee of the present invention, the FCAccess analyzer from Ancot and the GT and GLA analyzers from Finisar. Protocol analyzers for storage channel networks are more often concerned with capturing actual trace data information as, for example, described in U.S. Pat. Nos. 4,949,252 and 5,649,085.
With the advent of higher speed network protocols such as Fibre Channel for storage channel networks and Gigbit Ethernet and ATM/OC3 for computer data networks, the amount of information that must be monitored by a protocol analyzer has increased dramatically. For the capture of statistical trend and occurrence information, this increase has not affected the performance of the protocol analyzers because the only operational limitation is the speed at which trend and occurrence information can be collected in counters or the like. More complicated analysis of these networks is usually done in the form of reports that are generated after the fact and not in real time. For the capture and analysis of trace data, however, the increase in network speed has had a significant impact on the performance of protocol analyzers. Prior to the advent of these high speed network protocols, the amount of high speed memory required by a protocol analyzer to capture data for a trace rarely exceeded 1 Mbyte. Downloading and analysis of this amount of trace data was easily handled by the processor systems that would then display this information such that access to the information was usually in near real time. Delays of more than a second to view the results of traces were rare. With higher speed computer networks, it is not uncommon for the amount of trace data being captured to be larger than 100 Mbytes and even up to 1 Gbyte or more. Moreover, with more complex networks, it is also typical that such trace data will be collected simultaneously from a number of channels, rather than only from a single channel, thereby further increasing the amount of trace data that must be analyzed. It is also common for there to be large segments of time in which relatively little data of interest is being communicated across the computer network, as well as small segments of time in which very large amounts of data are being communicated across the computer network. The result has been either lengthy delays from several seconds to several minutes in order to view trace data of interest or the need to severely limit the total trace depth of the protocol analyzer when the analysis and presentation of trace information needs to be done on more of a near real time basis.
One solution to this problem is to provide a hardware search engine for the protocol analyzer that can avoid the need to download the entire trace data file from the protocol analyzer to a user""s computer in order to locate specific patterns in the trace data. Such a hardware search engine is the subject of the previously referenced co-pending application entitled Deep Trace Memory System For A Protocol Analyzer. While the use of a hardware search engine can work well to identify particular patterns in the trace data, it has not afforded a solution to the challenge presented when overall statistics are desired such as a histograms or graphs of activity or incident levels across the entire range of trace data.
Various innovations have been made with respect to the graphic display of data outside the field of protocol analyzers and computer networks. U.S. Pat. No. 5,917,499 describes the display of at least two superimposed levels of detail for an element on a graph in response to a user input. U.S. Pat. No. 5,485,564 describes forming a graphical display of data in which a range of value along one of the axis of the graph is omitted. U.S. Pat. No. 5,874,950 describes a technique for creating a set of samples of digitized audio data from which a graph is generated, where each of the set of samples is generated as a representative sample of the entire data set by using a high, low, first and last data value from each of multiple subsets of the audio data. U.S. Pat. No. 5,371,842 describes a technique for reducing the data flow rate from which a graph will be generated in the context of digitized measurement data. In this patent, the objective is to reduce the rate of a continuous stream of digital from a first bandwidth that cannot be plotted in real time to a second bandwidth that can be plotted in real time.
U.S. Pat. No. 6,057,839 describes a visualization tool for graphically displaying trace data produced by a parallel processing computer system. The object of the invention is to create a visualization tool that allows a user to easily digest statistical trace information from a large number of parallel processing computers at the same time. This is preferably done by creating multiple strip traces and an average utilization trace strip that are graphically displayed on the same screen. The trace data used to generate these traces strips is retrieved from data stored in trace files in time sequential order, one datum at a time using conventional logic for trace retrieval.
Although existing protocol analyzers for computer networks can provide valuable information about performance and problems on such networks, the advent of higher speed computer networks has presented a problem in making trace information captured by a protocol analyzer available on a near real time basis due to the massive amounts of trace data that may be involved in analyzing a problem. Accordingly, it would be desirable to provide a solution to this problem that did not involve restricting the amount of trace data that could be obtained or significantly increasing the cost or complexity of the protocol analyzer.
The present invention is an indexing system that provides a more efficient and effective interface to display and manipulate large amounts of trace data from computer data and storage networks that is captured and stored in the trace memory of a protocol analyzer. An index of the trace data in the trace memory is generated by reading a selected granularity percentage of the trace data in the trace memory. A host processor connected to the protocol analyzer generates at least two graphic representations on a computer display device of the trace data in response to and based on the index. A first graphic representation is generated by setting the selected granularity percentage at a first percentage and a second graphic representation similar to the first graphic representation is generated while the first graphic representation is being displayed by setting the selected percentage at a second percentage that is greater than the first percentage to regenerate the index. In this way, the first graphic representation is generated in near real time and the second graphic representation is generated at a later time and improves the granularity of the second graphic representation as compared to the first graphic representation. Preferably, the graphic representation is a histogram representative of activity levels within the trace data.
A method and computer-readable storage medium containing programming instructions for generating graphical representations of large volumes of trace data captured from a computer network using a protocol analyzer operably connected to the computer network is also disclosed. The method includes the steps of generating a first index of the trace data by accessing only a first granularity percentage of the trace data. A graphic representation is then displayed on a computer display device of the trace data in response to and based on the first index. While the graphic representation is being displayed, at least a second index of the trace data is generated by accessing a second granularity percentage of the trace data, where the second percentage is greater than the first percentage. Once the second index is completed, the graphic representation of the trace data on the computer display device is updated in response to and based on the second index.
Preferably, each index is generated using a hardware search engine and software executing on the protocol analyzer that calculates an estimated page location in the trace memory based on the selected percentage and requests the hardware search engine to return a next data value from the trace memory in response to the estimated page location. In the case where the computer network is a storage channel network and the trace data comprises frames of packetized data having a header portion and a data portion, the first and second index are generated by analyzing the header portion to determine an activity associated with the frame.
In the preferred embodiment for use with a Fibre Channel network, a histogram representative of levels of activity in the frames of trace data used to create the first and second index is displayed to a user. Preferably, a user can selectively identify frame data to be displayed on the computer display device by using a pointing device to identify locations within the histogram that are of interest. In this embodiment, the trace memory is at least 100 Mbytes of storage. The first histogram is generated in near real time or less than about two seconds from a completion of storing the trace data in the trace memory. The first histogram is based on a coarse index in which the first percentage is less than about 5% and the second histogram is based on a fine index in which the second percentage is greater than the first percentage and less than or equal to 100%. Preferably, the system further includes at least a third percentage used to generate a rough index and an associated third histogram in which the third percentage is greater than the first percentage and less than the second percentage. Preferably, the first percentage is less than about 2.5%, the second percentage is greater than about 25% and the third percentage is greater than about 5% and less than about 25%. Additional passes to generate additional levels of index granularity may also be added and the fine index for the second percentage does not need to be created at a 100% granularity level.
The preferred embodiment affords significant improvement in the amount of time required to generate histograms for trace data from a Fibre Channel computer network. In the case of a full two channel trace of 512 Mbytes per channel worth of trace data, a coarse histogram at a 1% granularity level can be generated by the present invention in about 1 second, as compared to the nearly 1 minute required for the same protocol analyzer and host processor to generate a histogram based on analysis of 100% of the trace data for each channel trace. In the context where the histogram is used as a mechanism to identify portions of the trace data for further review, this time savings allows the user to begin identifying and accessing desired trace data almost immediately, instead of having to wait for a minute or more to even begin looking at the trace data. The further refinements in granularity of the histogram that are provided by the rough index and fine index are filled in as available to increase the resolution at which the user can view the histogram; however, the critical ability of the user to begin utilizing the histogram to identify and access trace data does not need to wait for these more detailed indexes to be completed. Thus, a user can view a graphic representation of the complete trace and begin to identify and access trace data of interest in near real time almost immediately upon completion of the trace.