Digital communication systems where information is transmitted in data packages between a header and trailer are generally known as packet networks. Packets sent over a packet network are defined by a set of rules called protocols. A packet or frame typically includes some type of data or information in between a header and a trailer. Protocols analyzers connect to the communications bus of a packet network and collect and store information relating to the packets that are traveling on the bus. Typical types of information include the origin and type of packet, the number of bits in the frame, a timestamp, the destination address of the packet, and other information. This information is useful for network engineers in determining equipment requirements, the source of network problems, and in supervision and maintenance of a network.
Computer networks, such as local area networks (LANs), can use different protocols to send and receive data. Switched-packet networks use individual packets or frames of data that are routed individually through a network from a source to a destination. Each packet is comprised a number of layers of protocol headers and data, for one or more network protocols. Packets conforming to the network protocol must have elements that satisfy the defined data values at their respective offsets.
Network protocol analyzers, referred to colloquially as network “sniffers,” are helpful for network operations to capture and inspect packets as they travel through a particular location on the network. Packet inspections are performed in order to determine the quantities, distributions, and other parameters and protocols for packets. Analyzers capture and decode packets traveling between network hardware components. Packet details can be viewed to help isolate network problems and provide information on network traffic flow and monitoring. Some examples of network monitoring include traffic congestion, runaway traffic, traffic from each station or server, percent of bandwidth for a particular protocol, and isolation of traffic patterns. Protocol analyzers can capture packets in real time for immediate evaluation or save packets for a buffered analysis time, such as a first-in first-out buffer.
A network protocol must deterministically define the structure of packets formed according to the protocol. A protocol will define precisely the contents of a packet typically using a number of fields. Each field has a known offset from either the start of the packet or the start of the previous field. Offsets may be in bytes, bits, octets, or other units. For example, the specific order of the fields is defined, each field being followed by a specifically defined set of possible fields, each field have a specifically defined value or set of possible values.
Conventional protocol analyzers use microprocessors programmed by software to collect and store the packet information. However, systems cannot keep pace with high-speed network and data systems, therefore many systems resort to sampling data streams instead of analyzing each element of data. For example, the analyzer in U.S. Pat. No. 6,304,903 uses an input buffer, lookup table, and counter memory running in content addressable memory and random access memory for analyzing at least a portion of packets in a state machine. Some network analyzers use pattern matching to compare stored data for network protocols defining an FTP packet including an Internet Protocol (“IP”) address with the capered data from the network. Patterns of matching criteria are applied to a captured packet wherein the packet is scanned a number of times, equaling the number of matching criteria patterns. This process is resource intensive and typically cannot track every packet in network traffic. The protocol analyzers in U.S. Pat. No. 5,916,301 process data communications packets to determine whether they match network protocols using a parser table and a predictive parser.
The protocol analyzers in the prior art are based on comparing packet information with some type of lookup table or protocol database where the rules for packets are pre-defined for protocols or network management statistics, for example comparing whether a data element is a “match” to a particular network protocol. The rules are not dynamically changed to compare information, including protocols, between incoming packets in a transmission. Current analyzers only display message components and do not look at relationships across multiple packets. Therefore, there is a need for a network protocol analyzer that analyzes relationships across multiple packets and within individual packets to determine errors in a protocol-based transmission.