The present invention relates to network analyzers, and more particularly to filtering and analyzing network communications utilizing a network analyzer.
Open Systems Interconnection (OSI) (a.k.a. ISO) is a standard description for how messages are transmitted between any two points on a network. The purpose of the description is to guide designers of products so that such products will consistently work with other products. The reference model defines seven layers of functions that take place at each end of a communication. Although OSI is not always strictly adhered to in terms of keeping related functions together in a well-defined layer, many if not most products involved in telecommunications use the OSI model.
By this design, the process of communication between two end points in a telecommunication network can be divided into layers, with each layer adding its own set of related functions. Each communicating user is at a computer equipped with these seven layers of function. In a given message between users, there is a flow of data through each layer in a transmitting computer at one end and, at the other end, when the message arrives, another flow of data through the layers in a receiving computer. The actual programming and hardware that furnishes these seven layers of function is usually a combination of the computer operating system, applications (such as a Web browser), TCP/IP or alternative transport and network protocols, and the software and hardware that enable one to put a signal on one of the lines attached to a computer.
Prior art FIG. 1 illustrates the seven OSI standard layers 10. As shown, the OSI reference model defines seven layers of functions that take place at each end of a communication.
The layers may be categorized in two groups. The upper four layers are used whenever a message passes from or to a user. The lower three layers (up to the "network layer", i.e. Layer 3) are used when any message passes through the host computer. Messages intended for the host computer pass to the upper layers. Messages destined for some other host are not passed up to the upper layers, but rather forwarded to another host. Table 1 sets forth the seven layers, and a short description thereof.
Network assessment tools referred to as "analyzers" are often relied upon to analyze network communications at each of the foregoing layers. One example of such analyzers is the SNIFFER ANALYZER™ device manufactured by NETWORK ASSOCIATES, INC™. All analyzers have similar objectives such as determining why network performance is slow, understanding the specifics about excessive traffic, and/or gaining visibility into various parts of the network.
The SNIFFER ANALYZER™ device analyzes many layers of network protocols. Although the user can provide some amount of filtering to focus in on a particular problem at hand, the creation of such filters is complicated and does not adapt to the problems detected in the network. This causes more analysis to be provided than needed to detect and solve the network problems, which translates into a greater need for memory and CPU cycles (bandwidth) to provide such processing. Moreover, since the analyzer system processes network communications from the bottom layers to the top layers, the analysis must traverse many layers and encounter an enormous amount of processing.
The end result is that the analysis system may not be able to keep up with the analysis, and is forced to ignore what could be relevant network conversations due to bandwidth starvation. In addition, due to the lack of precision filtering capability, more conversations than required result in unneeded analysis, which in turn starves the analysis system of resources.
There is thus a need for a technique of more efficiently analyzing network communications, while still focusing on the correct network communications.
A system, method and computer program product are provided for filtering communications over a network. Initially, a user is allowed to select from a plurality of network communication protocol layers associated with communications over a network. This may be accomplished in any manner such as allowing the user to select from the layers themselves, various faults that are inherent to certain layers, etc. An adaptive filter is then generated which is capable of collecting communications only involving the selected network communication protocol layers based on the user selection. Such adaptive filter is then used to collect the communications involving the selected network communication protocol layers. Further, an analysis process is executed for analyzing information at the selected network communication protocol layers of the collected communications for the detection of faults therein.
In one embodiment, the user may be allowed to select from a plurality of faults associated with the communications over the network. Further, a probe may be generated for analyzing the collected communications for the selected faults. It should be noted that the collected communications are then analyzed only for the selected faults utilizing a plurality of the probes which are capable of being utilized by the analysis process. Moreover, the adaptive filter may be stored for use at a later time.
As an option, the user may be allowed to select the network communication protocol layers and the faults utilizing a graphical user interface. Such graphical user interface may be adapted for allowing a user to select from a plurality of network communication protocol layers associated with the communications over the network. Further, the graphical user interface may be adapted for allowing the user to select from a plurality of faults associated with the communications over the network. In use, the adaptive filter and the probe are capable of being constructed based on the user selections.
During the analysis process, it may be determined that a problem exists at a lower one of the network communication protocol layers. If such problem exists, an additional analysis process may be initiated for analyzing information at the lower network communication protocol layer of the collected communications for the detection of faults.
Still yet, an additional adaptive filter may be generated. Such additional adaptive filter may be used to collect the communications associated with the lower network communication protocol layer for analysis by the additional analysis process. In a similar manner, an additional probe may be generated for analyzing the collected communications for faults associated with the lower network communication protocol layer. By this feature, the communications filtered by the additional adaptive filter may be analyzed for faults utilizing the additional probe during the additional analysis process.
In another embodiment, the analysis process(es) may involve matching bit patterns with the collected communications. Further, an alarm event may be executed based on the analysis process.
Also provided is a system, method and computer program product for top-down analysis of communications over a network. Initially, a plurality of predetermined network communication protocol layers of collected communications are analyzed. Further, it is determined whether a problem exists at a lower one of the network communication protocol layers. If it is determined that a problem exists at the lower network communication protocol layer, an additional analysis process may then be executed for analyzing the lower network communication protocol layer of the collected communications. An efficiency of the analysis is thus improved by avoiding the additional analysis process when it is unnecessary.
By this design, a user is given several options on which to focus an analysis. First, a user may select a given network layer and, more specifically, a given network protocol at which to start analysis. The user can then monitor a complete set of possible issues at a given layer, focus on a given protocol on the layer, and/or narrow the analysis down to a set of one or more problems detectable in a given protocol on a given layer. Having defined the focus of the analysis, the present embodiment then analyzes the network data stream and if any selected issues are detected, a warning is issued to the user. If the detected problem is a symptom of an underlying cause at a lower layer, the analysis expands automatically via the use of adaptive filters to detect such underlying causes in the other layers. This process may be continued until the root cause of the fault is detected.
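The following is an added illustration of the top-down adaptive analysis described above, not code from the patent or from any analyzer product. The Frame records, the FAULTS catalogue (which fault is detected at which layer and which lower-layer cause it may indicate), and the five-frame capture are all constructed for the example; a real decoder would populate the layer and symptom fields from the wire.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

@dataclass
class Frame:
    """One captured frame: OSI layer -> protocol pairs the decoder found, plus symptom flags."""
    layers: Dict[int, str]
    flags: FrozenSet[str] = frozenset()

# Hypothetical fault catalogue: fault -> (layer where it is detected, lower-layer cause it may indicate).
FAULTS: Dict[str, Tuple[int, Optional[str]]] = {
    "http_slow_response": (7, "tcp_retransmission"),
    "tcp_retransmission": (4, "ip_fragment_loss"),
    "ip_fragment_loss": (3, "ethernet_crc_error"),
    "ethernet_crc_error": (2, None),  # nothing below it to examine: treated as the root cause
}

def make_filter(layer: int, protocol: Optional[str] = None) -> Callable[[Frame], bool]:
    """Adaptive filter: collect only frames involving the selected layer (and protocol, if given)."""
    def keep(frame: Frame) -> bool:
        proto = frame.layers.get(layer)
        return proto is not None and (protocol is None or proto == protocol)
    return keep

def make_probe(faults: Set[str]) -> Callable[[List[Frame]], Set[str]]:
    """Probe: report which of the selected faults occur in the collected frames, and nothing else."""
    def probe(frames: List[Frame]) -> Set[str]:
        return {f for f in faults if any(f in frame.flags for frame in frames)}
    return probe

def top_down_analysis(traffic: List[Frame], layer: int, faults: Set[str], protocol: Optional[str] = None) -> List[Tuple[int, str, int]]:
    """Analyze the selected layer; descend only when a fault points at a lower-layer cause.
    Returns (layer, fault, frames_collected) in detection order so the narrowing is visible."""
    collected = [f for f in traffic if make_filter(layer, protocol)(f)]
    findings = []
    for fault in sorted(make_probe(faults)(collected)):
        findings.append((layer, fault, len(collected)))
        cause = FAULTS[fault][1]
        if cause is not None:  # symptom of a lower layer: generate an additional filter and probe
            findings.extend(top_down_analysis(traffic, FAULTS[cause][0], {cause}))
    return findings

# Constructed capture: one slow HTTP exchange whose root cause is a corrupted Ethernet frame.
TRAFFIC = [
    Frame({7: "HTTP", 4: "TCP", 3: "IPv4", 2: "Ethernet"}, frozenset({"http_slow_response", "tcp_retransmission"})),
    Frame({7: "DNS", 4: "UDP", 3: "IPv4", 2: "Ethernet"}),
    Frame({3: "IPv4", 2: "Ethernet"}, frozenset({"ip_fragment_loss"})),
    Frame({2: "Ethernet"}, frozenset({"ethernet_crc_error"})),
    Frame({2: "Ethernet"}),
]
```

Calling `top_down_analysis(TRAFFIC, 7, {"http_slow_response"}, "HTTP")` examines a single frame at layer 7 and only widens the filter to 2, 3 and then all 5 frames as each detected fault points one layer down; selecting DNS instead yields no findings and never triggers the lower-layer passes.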