This invention relates to protocol analysis of signal networks, and more particularly to knowledge based systems for performing such analysis.
As known, networks represent shared access arrangements in which several network devices, such as computers or workstations (collectively "stations"), are interconnected by a common communications medium to allow users to share computing resources, such as file servers and printers, as well as application software and user work product. The communication medium may be wireline, such as by coaxial, twisted pair, or fiber optic cable, or wireless, such as cellular or radio frequency (RF) transmission. The networks may range from bridged segments of local area networks (LANs) located in a department or single floor of a building, to a wide area network (WAN) of LANs which are geographically distributed and interconnected through switching devices, such as routers or bridges.
Depending on performance requirements, the different LANs within a WAN may have different physical connection configurations (or "topologies"), such as Ethernet or Token Ring. They may also have different vendor proprietary LAN hardware and software with different signal protocols that govern the exchange of information between the stations in the LAN. When these different topology and different protocol LANs are interconnected, which is referred to as "internetworking", there must be an exchange of signal protocols. The Open Standards Interconnect (OSI) seven layer interconnect model developed by the International Organization for Standardization, and which is incorporated by reference herein, describes how information is exchanged between software applications on workstations in different networks by passing the information through a hierarchy of protocol layers.
Networks must be managed to ensure their performance. This includes monitoring signal traffic for trends related to signal volume, routing, and transmission speed to pro-actively plan for network growth and to avoid signal congestion and network downtime. This also includes detecting and diagnosing network operational problems which affect performance to both prevent problems and to restore network operation with minimum downtime following the detection of a problem. These are the responsibilities of a network administrator, whose network duties require both anticipation of performance changes and diagnosis of performance failures. This requires the availability of network statistics related to performance, and network administrators commonly collect an archive of network management statistics that indicate network utilization, growth and reliability, to facilitate near-term problem isolation and longer-term network planning.
The general categories of statistics monitored include those related to: utilization, performance, availability, and stability within a monitoring period. These may be defined as follows:
Utilization statistics relate to network traffic-versus-capacity (i.e. efficiency), and include frame count, frames-per-second (FPS), the frequency of occurrence of certain protocols, and certain application level statistics;
Performance statistics relate to quality of service issues, such as traffic delays, the number of packet collisions, and the number of message packets dropped;
Availability statistics gauge the accessibility of different OSI protocol layers within the network, and include line availability as percentage of uptime, root availability, and application availability; and
Stability statistics describe short term fluctuations in the network which degrade service, including: number of fast line status transitions, number of fast root changes (root flapping, next hop count stability, and short term ICM behavior).
Some of these statistics are empirical ("measured statistics") and obtained by counting the occurrence of the selected metric, and others require analysis of actual frame content ("analysis-derived statistics"). Protocol analyzers are the known instruments for providing these measured and analysis-derived statistics.
To be of analytical value the acquired statistical values must be capable of being correlated in a real time composite which quantitatively measures real time network performance. Measured statistics are readily acquired in real time with hardware counters and time stamped counts, which acquire and report the data in real-time. With analysis-derived statistics, however, the network frames are captured in real time but the analysis must necessarily occur in machine time. User selected ("filtered") network frames are real time captured, time-stamped, serially numbered, and stored in a queue for analysis. The frames are then analyzed in machine time and the analysis-derived statistics are reported with their associated frame time-stamp, thereby allowing them to be correlated with the measured statistics.
In the event of "bursty" traffic patterns, the sequenced capture, storage, and analysis is prone to experiencing a back-up resulting from the inability of the process time to keep pace with the rate of frame capture. When this occurs, the capture is halted and network frames are lost until the back-up clears. The lost frames represent lost analytical data. In addition, however, the analyzer has no quantitative measure of the number of frames lost. The result is a loss in data integrity and a corresponding loss in the accuracy of the resulting statistical composite.
Even with accurate performance statistics, the ability to diagnose network failures quickly, or at all, relies on the education and practical experience of the network administrator in general, and their experience with a network in particular. So much of a network's cyclic performance is the result of cyclic user demand, or of user custom, or of the manner of doing business, that "institutional memory" is an important asset in diagnosing failures. Similarly, so many network failures are the result of human error that the "familial" experience of the administrator with the user group is also important. Unfortunately, the continued rapid growth in network installations and expansions often requires that less experienced personnel be made responsible for administration. There is a demand, therefore, for network tools in the form of knowledge based systems which may assist in the diagnosis of network performance by less experienced personnel as well as increasing the speed and accuracy of failure diagnosis even by experienced administrators.
An object of the present invention is to provide an improved method for performing expert analysis of network performance based on the review of acquired network statistical data, including either one or both of measured statistics and analysis-derived statistics, related to network events and to signal frame transmissions between network addressed stations.
According to the present invention, the method incorporates the use of a programmed expert knowledge base in the form of a rules-based inference engine, in combination with a structured interview of a network user, to focus the analysis of the statistical data to more accurately diagnose network performance. In further accord with the present invention the method steps include interviewing the user to determine the purpose of the analysis and the existence of any user known network performance conditions, identifying a source of network performance data, obtaining the network performance data, analyzing the network performance data, and reporting the results of the review to the user. In further accord with the present invention the rules-based inference engine includes inference rules grouped in one or more categories, each category being associated with the occurrence or absence of one or more network performance conditions, wherein the rules are capable of inferring the existence of network performance conditions in response to the satisfaction and, alternately, the non-satisfaction of one or more rules in dependence on the presence and, alternately, the absence of one or more detected network events or one or more signal frame transmissions, as manifested in the network performance data.
In still further accord with the present invention, the method includes displaying a first user interactive interface which presents the user with a series of statements identifying different network conditions, each statement having accompanying user elected optioned responses which prompt the user in a structured dialog to provide information related to pretest network conditions known to the user; and enabling and, alternatively disabling, categories of the inference rules in dependence on the elected user optioned responses to the displayed statements. In yet still further accord with the present invention, the method includes displaying a second user interactive interface presenting a user optioned election to select a source of the network performance data from among one or more network connected protocol analyzers and, alternately, from one or more captured files of network performance data; and specifying, in response to the user electing a protocol analyzer as the source of the network performance data, and in dependence on the user optioned responses to the statements of the first user interactive interface, the boundary conditions for the network performance data to be obtained, including the station addresses of the signal frame data to be acquired.
In yet still further accord with the present invention, the method defines the interdependencies among the inference rules in each category; and prioritizes the interdependencies, from a high priority to a low priority, in dependence on the user elected responses to either one, and to both, of the first and the second user interactive interfaces, thereby increasing and, alternately, decreasing the inferential importance of the satisfaction and, alternately, the non-satisfaction of each rule in dependence on the user identified network conditions.
In yet still further accord with the present invention, the method ranks the reported inferences by the priority of the interdependency established among the rules, and lists the ranked inferences for review by the user in a manner which distinguishes major network conditions from minor network conditions, and it permits the user to electively view the supporting information for each listed inference.
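A minimal sketch of the method summarized above, as an added example that is not code from the patent: interview answers enable rule categories and raise their priority, and satisfied rules are reported ranked, major conditions before minor ones. The rules, thresholds, interview statements, boost values and the major/minor cut-off are all assumptions, and only rule satisfaction (not non-satisfaction) is modelled.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    category: str                    # rules are grouped by category
    priority: int                    # base inferential weight of the rule
    test: Callable[[dict], bool]     # evaluated against the statistics
    inference: str                   # condition inferred when satisfied

# Constructed rules; every threshold is an illustrative assumption.
RULES = [
    Rule("performance", 2, lambda s: s["collisions"] / s["frames"] > 0.05,
         "excessive collisions"),
    Rule("performance", 1, lambda s: s["dropped"] > 0, "packets dropped"),
    Rule("utilization", 1, lambda s: s["fps"] > 0.8 * s["capacity_fps"],
         "segment near capacity"),
    Rule("stability", 2, lambda s: s["line_transitions"] > 3,
         "fast line status transitions"),
]

# Hypothetical interview statements -> (categories enabled, priority boost).
INTERVIEW = {
    "users_report_slow_response": ({"performance", "utilization"}, 2),
    "links_drop_intermittently": ({"stability"}, 3),
}

MAJOR = 4  # assumed cut-off between major and minor conditions

def diagnose(answers: dict, stats: dict) -> list:
    """Return (severity, priority, inference) tuples, highest priority first."""
    boost = {}
    for statement, (categories, extra) in INTERVIEW.items():
        if answers.get(statement):            # a "yes" enables the categories
            for c in categories:
                boost[c] = max(boost.get(c, 0), extra)
    findings = []
    for rule in RULES:
        if rule.category not in boost:        # category disabled by interview
            continue
        if rule.test(stats):
            p = rule.priority + boost[rule.category]
            severity = "major" if p >= MAJOR else "minor"
            findings.append((severity, p, rule.inference))
    return sorted(findings, key=lambda f: -f[1])

# Constructed statistics for one monitoring period.
SAMPLE = {"frames": 10000, "collisions": 900, "dropped": 12,
          "fps": 500, "capacity_fps": 1000, "line_transitions": 7}
```

With the same statistics, changing only the interview answers changes both which inferences are reported and how they rank.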
These and other objects, features, and advantages of the present invention will become more apparent in light of the following detailed description of a best mode embodiment thereof, as illustrated in the accompanying Drawing.