The present invention relates generally to methods and apparatus for providing network troubleshooting tools for detecting, diagnosing, and repairing network failures, and more particularly relates to a method and apparatus for dynamically optimizing the central processor unit (CPU) cycles for analyzing data retrieved from the network in a manner for eliminating system freeze (inability to move a cursor with a mouse, for example) under high network load, and for allocating CPU cycles available for USER MODE processing in an Expert Analysis configuration, and KERNEL MODE processing, when monitoring networks such as high-speed connection-oriented multiplexing and switching networks (COMSN), including Asynchronous Transfer Mode (ATM) networks, 100 mbps Full Duplex Ethernet and Gigabit Ethernet networks.
Many different types of networks have been developed for permitting computers to communicate with each other in an organized manner. One such network for use within the same building by a plurality of computer users is known as a local area network (LAN). After the development of LAN networks, network systems were further developed for it, permitting computer users over a campus environment, such as those located in a large industrial site, to communicate with one another. To further extend to communicate across wider areas of the country or world, wide area networks (WAN) and/or ATM networks were developed. As these networks have grown in size and complexity, it became increasingly difficult to troubleshoot, maintain, and optimize the performance of such networks, particularly wide area networks.
With the invention of the World Wide Web (WWW), and the associated Internet, the complexities of maintaining such world wide advanced data communications far exceed the complexities of the largest WAN systems or networks. To improve communication over the Web or Internet, the ATM system was developed for providing technology for simultaneously transmitting data, voice and video traffic, and information over high band-width circuits. An ATM system network is one example of a high-speed connection-oriented multiplexing and switching network developed for the WWW. In the prior art, hardware has been developed for ATM systems, in conjunction with associated software platforms, to form a communications architecture based on the switching and relaying of small units of data, typically called xe2x80x9ccellsxe2x80x9d. These xe2x80x9ccellsxe2x80x9d may also be grouped into frames or xe2x80x9cpacketsxe2x80x9d. ATM systems or networks incorporate technology that advances the state-of-the-art to include a protocol structure for effectively integrating voice, data, and video over the same communications channel at virtually any speed. Other known services for providing data communication, such as the Internet, Internet protocol (IP), frame relay, Switched loci Multimegabit Data Service (SMDS), and Ethernet, cannot provide the aforesaid integration of voice, data, and video over the same communications channels, as provided by ATM-based services.
In other words, an ATM network consists of configurable networks between source devices and destination devices, with the network being formed by switches interconnected by links. Typically, cells of data which are 53 bytes in length, also grouped as packets, are routed by the switches. A virtual circuit (VC) is established between source devices and destination devices, and the cells or packets are routed across these virtual circuits. One or a plurality of links and switches typically comprise a virtual circuit. Note that a plurality of virtual circuits can be routed across a single link, the latter not being dedicated to any single virtual circuit.
Network Associates. Inc., of Santa Clara, Calif., has been in the forefront of technology for many years in developing and providing software for managing and troubleshooting computer networks. The software is known as Sniffer Software. The most recent Sniffer systems or Aft software readily permit LAN and WAN networks to be rapidly trouble-shooted for resolving problems in the associated network that are interfering with user communication within the network. Network Associates, Inc. (hereinafter NAI), has developed a Sniffer Enterprise Expert System that provides a probe for the rapid detection, diagnosis, and repair of network failures. NAI regularly publishes technical white papers on its public web site. Once accessed, the site can be searched for a listing of associated papers. Certain of these papers may be of interest relative to the present invention, and are incorporated herein as of the date of filing this Application, to the extent they do not conflict herewith.
For the purposes of this invention, a frame is a known data stream that contains a header, a trailer, and data of some type in between the header and the trailer. The combination of the header and the trailer, per frame, specifies the overall length of the frame, including the contents made up of the header and the trailer, as well as the type of data that resides between the header and the trailer within the frame. An ATM Sniffer is a newly introduced product of Network Associates, Inc. that permits a user to extract full duplex or bidirectional individual and successive frames that are being communicated between an ATM host device or switch, and an ATM network to which a number of user devices may be connected. Note that the Sniffer product simply is connected to a subsection of an ATM network, and it is not necessarily extracting frames that are being outputted by a host device(s), but frames that are being communicated over a given network path between a number of devices. Note that for the purposes of this Application, connection to an ATM network means connection to a subsection of the network. These devices are ATM devices. Note that an ATM host device can be an individual personal computer (PC) that has a special card installed in it to permit it to interface with an ATM network for the purposes of communicating data. Also, an ATM edge device is a type of server device that permits an ATM network to be connected through the device to a number of work stations, for example, or other computer devices connected into a network that is connected to the server or edge device. Note that there are a plurality of different types of ATM frames, and the present invention can be utilized with any particular type of frame through appropriate design of the software. However, the present invention is not limited to use in ATM Sniffer products, and can be applied for use in other Sniffer LAN (Ethernet, Token Ring, Gigabit Ethernet, etc.) network analyzers to optimize the allocation of CPU cycles.
In the realm of network analysis, there usually exists a passive station somewhere in the network connection that is able to see all traffic on the portion of the network to which it is connected. This is known as promiscuous mode analysis. Typically a network probe is connected to this network such that it is capable of analyzing each data event on the network. As the capacity of corporate and internet networks increase, there exists a point at which the time required to analyze a single network data event (typically a received packet) exceeds the amount of time between such network data events. Therefore, the network analysis probe must employ some method of throttling the CPU to insure that the probe does not spend all of its CPU cycles analyzing data. For this type of probe, it is usually important for it to respond to the particular user interface employed to view the data objects that are created by the network analysis component of the probe. From experiments with a 400 MHz Pentium II computer, it has been determined that 90% of the CPU cycles can be allocated to network analysis. This leaves 10% of the CPU cycles for all user interface software processes.
As previously mentioned, network analyzers are employed for use for monitoring and troubleshooting many different types of networks. Examples of such networks with analyzer probes shown installed for such monitoring and troubleshooting purposes are shown in FIGS. 1 through 3. Note that these Probes can be other than an NAI Sniffer Expert System.
In FIG. 1, an Ethernet shared media LAN (local area network) is shown to include an xe2x80x9cEthernet 10/100xe2x80x9d, for providing bidirectional communication between two user stations 102 and 104, a server station 106, and a printer 108, in this example. Also, an analyzer probe 110 is connected to the Ethernet 100 for monitoring and analyzing data flowing through the network 100. Note that personal computers are one example of the user stations 102 and 104, and the server 106.
In FIG. 2, two Ethernet shared media LAN networks, in this example each include three users 102, 104, and 105, and a printer 108, communicating over an Ethernet 10/100 network 100, are each connected to a common 10/100/1000 Ethernet switch 112, that in turn provides bidirectional communication with the latter via an FDX Uplink 114 (Full Duplex), to a server 116, and via a Gigabit uplink 118 bidirectional communication with a second server 120. Also as shown, in this example, an analyzer probe 122 is connected between the Ethernet switch 112 via two FDX Uplinks 114 for monitoring data flowing between Ethernet switch 112 and server 116. Similarly, another analyzer probe 124 is connected via two Gigabit Uplinks 118, as shown, for monitoring data or communication between Ethernet switch 112 and server 120.
In FIG. 3, an example is shown of use of analyzer probes 300, 302, and 303 for monitoring data communications or traffic associated with an ATM network 304. A router 306 is connected via a DS3 North American Standard Physical Transmission Interface for digital transmission using TDM (Time Division Multiplexing) operating at 44.736-Mbps to probe 300. Another DS3 physical transmission interface is used to connect probe 300 to an ATM switch 308. The ATM switch 308 is connected via an optical carrier level OC-12 having a transmission speed of 622.8 Mbps to an ATM Network 304. The network 304 is also connected via an optical carrier level signal OC3 having a transmission speed of 155.2 Mbps to probe 302, the latter also being connected by another OC-3 carrier level signal link to an ATM switch 310. The switch 310 is also connected via another standard physical transmission interface DS3 to a router 312, and via a DS1 standard physical transmission interface operating at 1.544 Mbps to another router 314. The ATM network 304 is also connected via yet another DS3 digital transmission physical interface to another ATM switch 316, the latter also being connected via a DS1 standard physical transmission interface to the analyzer probe 303. The probe 303 is connected by another DS1 digital transmission interface to yet another router 318. In the example of FIG. 3, router 312 is associated with New York City, router 314 with Baltimore Maryland, router 318 with Dallas Texas, and so forth. Note as previously mentioned that the present invention is not limited for use with ATM networks, but can be used with many different networks, for example such as other high-speed connection-oriented multiplexing and switching networks.
In summary, the network examples of FIGS. 1 through 3 are shown as examples of typical connection types that are supported by network analyzers or analyzer probes, as indicated. FIG. 1 shows a typical shared media LAN, in an Ethernet configuration. FIG. 2 is an example of the typical switched Ethernet network with a full-duplex uplink or Ethernet trunking uplink to a shared server. Lastly, FIG. 3 shows a typical ATM network carrying data between multiple WAN sites. As shown in FIG. 3, three analyzer probes 300, 302, and 303 are inserted at various points in the network to analyze full-duplex ATM links between ATM switches 308, 310, and 316, routers 306, 312, 314, and 318, and the ATM network 304.
With further reference to FIG. 3, the following table identifies the types of connections shown therein, in relation to their expected maximum event rates, respectively:
As shown in Table 1, the per-packet time is very short for many of the networks or network connection types. For example, for a personal computer or CPU that includes a 400 MHz microprocessor, a single instruction can be executed in 2.5 nanoseconds. Accordingly, for the fastest link or connection shown, approximately 140 CPU instructions can occur between packets, which is insufficient to permit analysis of a single packet. Accordingly, in order to provide sufficient CPU instructions to user interface components, it is necessary to provide CPU throttling of the analysis subsystem.
An object of the present invention is to provide a method and apparatus for throttling CPU cycles, when required for providing more efficient use of and a greater number of CPU cycles during times of heavy traffic on a network, for permitting an analyzer probe to monitor and analyze a greater number of data packets retrieved from the network being monitored during such times of heavy traffic or data transfer in the network. This is accomplished, in a first embodiment of the invention, through use of a method and apparatus that includes two modes of operation. The first mode of operation provides a device driver in an analyzer probe connected in a network to respond to every receive interrupt generated by a network interface adapter card buffer during times of low traffic or data transfers in the monitored network, for transferring data packets received from a receive buffer of the network interface adapter to a RAM buffer for analysis. In the second mode of operation, when the rate of traffic is greater than a preset threshold, the receive interrupts from the network interface adapter card are ignored, and replaced by polling at regular intervals of the receive buffer of the network interface adapter for transferring packets to the RAM buffer of the analyzer. Accordingly, under heavy traffic conditions, through use of the present invention, fewer packets are lost by the analyzer. In this manner, more CPU time is made available for performing processing not associated with the analyzer probe.
In a second embodiment of the invention, when the time spent by the CPU in processing received data packets, in the first or second modes of operation, exceeds a predetermined percentage of the total CPU time available between operating systems ticks, data packet processing is terminated, to free the CPU to perform other processing. In a Windows NT operating system, for example, the first and second modes of operation are operated in a Kernel mode, and when data packet processing is terminated as indicated, the CPU transfers to a User mode.
In a third embodiment of the invention operating concurrently with the first and second embodiments of the invention, whenever an Expert Analyzer Software process is activated, the percentage of CPU available time allocated to Kernel Mode processing is made dependent upon the percentage of unanalyzed data in a frame capture memory operable in a User Mode. As the percentage of unanalyzed data in the frame capture memory increases from one range to a next range, the percentage of CPU time allocated to Kernel Mode Frame Processing is progressively decreased.