Security researchers sometimes study the execution and propagation of software that they did not write, such as computer viruses. One method of studying software execution and propagation involves purposefully introducing the software into a testbed of networked computers. The researchers then observe how the software executes and spreads within the testbed.
There is sometimes concern that malicious software may be able to detect the researchers' monitoring efforts and change its behavior in response. Consequently, some researchers study the execution of software using logic analyzers, which passively read the data traveling over a wire or a bus.
Logic analyzers typically reside outside the case of the monitored computer and connect via wires to electrical circuits inside that case. When many computers are monitored at once, the added bulk of physically separate logic analyzer units can become costly and cumbersome.
In cases where only the functional result of a virus infection is of interest, e.g. unwanted transmission of information from the host to the virus operator or a third party, it may be sufficient to use a protocol analyzer or “sniffer” on the network interface to track the network inputs and outputs of the machine under attack. However, where the goal is to analyze the structure and function of the attack code, it is desirable to discover the instruction flow that leads to the result.