1. Field of the Invention
The present invention relates to a protocol analyzer for monitoring a selected communication between two entities on a data network in accordance with a predetermined protocol.
2. Description of the Prior Art
A data network is a network (with or without nodes performing switching functions) interconnecting a plurality of data processing devices. Such networks are often used to interconnect a number of computers, but can also be used for other data communication purposes, such as telephone-type networks.
Information is generally transmitted in the form of messages, and an individual message will often be divided into a number of discrete packets. In such a network, the routing of the packets may be at least partially controlled or determined by the various nodes in the network. In some cases, the route taken by the packets of a message is fixed for a connection, and all packets follow that route. In others, the various packets for a connection may follow different routes through the network. Usually, a number of packets of different connections will be interleaved on any particular link between two adjacent nodes in the network.
Such networks tend to suffer from faults. Both cause and effect of a fault may be immediately evident. For example, the physical linkage between two nodes may be interrupted; or no packets may be received from a particular node. However, network faults are often subtle in both their causes and effects, and it may even not be clear whether there is a fault or not. For example, a poor response time of the network may be due to a fault or an unusual and extreme workload imposed on it.
A variety of instruments are available for network fault diagnosis (using the term "diagnosis" in a broad sense). At the lowest level, there are voltage level testers, continuity testers, etc. At a slightly higher level, there are signal presence testers such as LED instruments.
However, many network faults occur at a higher level and take the form of a violation of the operating procedure or protocol, which the communicating entities have generally implicitly agreed. Matters are further complicated by the fact that when, for example, two computers communicate over a network, they generally do so using a multi-layered protocol stack to format and control the communication process. In such cases, at least conceptually, a protocol entity of each layer of the protocol stack of one computer communicates with a corresponding protocol entity of the same layer of the other computer, this communication being by the exchange of so-called "protocol data units" that carry control information relevant to the protocol layer concerned as well as user data. Thus, several protocols, each at a different level, are concurrently in use, any one of which could give rise to a communication fault.
Because a protocol is describable in terms of a set of states with transitions between the determined states, at least in part, by the type of protocol data unit received (this type being set by the control information of the protocol data unit), it is possible to identify protocol violations by examining the sequence of protocol data units passing over the network between the relevant pair of communicating entities. A protocol analyzer is an instrument designed to carry out such a task.
In using a protocol analyzer, the analyzer is attached to a suitable point in the network. It detects and analyses packets to produce a listing of the protocol data units relevant to the protocol being monitored (generally a low-level, e.g., link level protocol). By inspecting this listing, the operator can see the nature of the traffic at the point and recognize various kinds of errors.
The simplest form of listing is a listing of all protocol data units associated with the protocol being monitored. However, analysis of such a "raw" listing is an onerous task. There will usually be a large variety of sets of such protocol data units passing any given point in the network, each set having a different source and/or destination entity. Further, both the number and the complexity of the protocols used in a typical large system are not easy to manage.
It has therefore been known to make the data collection by protocol analyzers "programmable." That is, the analyzer can be programmed by the user to respond only to conditions determined by the user. These conditions can be regarded as a filter which operates on the input data stream, and can be described as "mask" filtering.
The user can thereby select only protocol data units passing between two selected protocol entities. The user can also set the analyzer to respond only to certain sequences of protocol data units; obviously, the chosen sequences will usually be those indicative of errors or abnormal conditions. As just noted, however, the complexity of a protocol can often be high, and the number of protocols or variations thereof is also liable to be large. Thus programming the analyzer is an arduous task, and the user is quite likely to program it so as to detect only a limited number of "likely" abnormal conditions, and to rely on a continuous scrolling display of all protocol data units to detect other abnormal conditions.
It is an object of the present invention to provide a protocol analyzer that facilitates the task of detecting protocol violations.