Modern computer networks comprise interconnected collections of computers. A primary function of such networks is the enablement of information exchange between member computers. As the member computers typically operate autonomously, without control as to when the other computers attempt to transmit information via the network, data is commonly divided into a number of smaller pieces which are then individually transmitted within packets or frames of data. This practice provides more uniform access to the network, as well as the opportunity to retransmit packets in case of interference between the packets of the various computers connected to the network. A given packet comprises that part of the data assigned to it, information defining the format of the packet, as well as other information such as the packet number and the addresses of the sender and receiver of the packet. The format of the data packet is specified via predefined protocols. Data packet formatting is complicated by the fact that networks are structured in layers. Typically data packets are sequentially encapsulated by one network layer after another with each having its own protocol. The composed data packet is often referred to as a protocol data unit (PDU). As a further complication, numerous different protocols are in common use at various layers of the network. While the bit pattern added to any given protocol data unit specifying that a particular encapsulation protocol was used has a length selected from a set of pre-specified lengths, a different protocol may have a length selected from a different set of pre-specified lengths. In addition, unrelated groups of computers using unknown protocols may also be connected to and use the same network.
Network environments are both complicated and dynamic. Thus, a very important activity in managing a network is to analyze the traffic that it carries. For this purpose a protocol analyzer is used. A protocol analyzer typically attempts to identify those protocol data units that have been encapsulated with various preselected protocols. Previous solutions for such identification have relied upon using filters, or pattern comparators, which identify predefined combinations of protocols of interest. Any given combination of protocols forms a bit pattern which comprises sub-patterns of those protocols used to encapsulate the packet, with each of these sub-patterns beginning at specified fixed offsets within the protocol data unit. Only those protocol data units matching the anticipated pattern combination are identified as fulfilling the match criteria by any given filter. Such a filter is referred to as a “flat filter”. A salient feature of this technique is that one filter is required for each combination of protocols of interest.
Thus, this approach has the disadvantage that a large number of filters, in reality bit pattern comparators, may need to be employed. As an example, if the user is looking for protocol data units that contain voice traffic over the protocol xGCP, currently 13 flat filters would be needed. In addition, if the user does not know which of three different local area network (LAN) encapsulations is used, three sets of 13 filters or a total of 39 flat filters would be needed. Further, if the user does not know which of six different wide area network (WAN) encapsulations is used to carry the LAN traffic, he would need to set up six sets of 39 filters for a total of 234 filters. In such situations, hardware resources become prohibitively expensive and complicated. As such, providing them becomes impractical.
Also, in a typical network situation, there could be data flowing between literally hundreds of different nodes, of which the user may be interested in capturing data from only two. Due to the speed of modern networks and the limited memory space of typical modern network analyzers, the buffer space allocated for protocol data unit capture can be overrun quickly. The majority of the protocol data units captured could be from nodes in which the user has no interest. As an example, if the user knows the internet protocol (IP) address of two nodes of interest and would like to capture only data between these two nodes, then without detailed knowledge of the network it would be impossible for him to identify the IP addresses in the protocol data units unless he has at his disposal the numerous flat filters mentioned above.
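The following sketch is an added illustration, not part of the original text: it models a flat filter as a list of byte sub-patterns at fixed offsets and shows why capturing traffic between two known IP addresses needs a separate filter for each encapsulation and direction. The two encapsulations (Ethernet II and 802.1Q-tagged Ethernet), the addresses, and all function names are constructed for the example.

```python
import socket
import struct

MAC = bytes(12)  # constructed: zeroed destination + source MAC addresses

# Constructed encapsulations: name -> (link header, type sub-patterns as (offset, bytes))
ENCAPS = {
    "ethernet2": (MAC + b"\x08\x00", [(12, b"\x08\x00")]),
    "vlan_8021q": (MAC + b"\x81\x00\x00\x64\x08\x00",
                   [(12, b"\x81\x00"), (16, b"\x08\x00")]),
}

def ipv4_packet(src, dst, payload=b"data"):
    """Minimal 20-byte IPv4 header (checksum left at zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def frame(encap, src, dst):
    """Build a constructed sample PDU for the given encapsulation."""
    return ENCAPS[encap][0] + ipv4_packet(src, dst)

def flat_filter(encap, src, dst):
    """One flat filter: sub-patterns pinned to the offsets of one encapsulation."""
    link, type_fields = ENCAPS[encap]
    ip_off = len(link)  # where the IPv4 header starts for this encapsulation only
    return type_fields + [(ip_off + 12, socket.inet_aton(src)),   # IPv4 source
                          (ip_off + 16, socket.inet_aton(dst))]   # IPv4 destination

def matches(flt, pdu):
    """A PDU matches only if every sub-pattern is found at its fixed offset."""
    return all(pdu[off:off + len(val)] == val for off, val in flt)

def filters_for_pair(a, b):
    """Every encapsulation and both directions each need their own flat filter."""
    return [flat_filter(e, s, d) for e in ENCAPS for s, d in ((a, b), (b, a))]

def captured(filters, pdu):
    """True if any flat filter in the set matches the PDU."""
    return any(matches(f, pdu) for f in filters)

if __name__ == "__main__":
    eth_only = flat_filter("ethernet2", "10.0.0.1", "10.0.0.2")
    tagged = frame("vlan_8021q", "10.0.0.1", "10.0.0.2")
    print("Ethernet II filter sees tagged frame:", matches(eth_only, tagged))
    print("filters needed for one pair:", len(filters_for_pair("10.0.0.1", "10.0.0.2")))
```

Inserting the 4-byte VLAN tag moves the IP addresses from offsets 26 and 30 to 30 and 34, so the Ethernet II filter silently misses the same conversation; each further encapsulation option multiplies the filter set in the same way.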
Thus there is a need for better techniques for identifying combinations of multiple protocols used to encapsulate protocol data units. In particular, there is a need for a system capable of such identification, with related packet filtering, that does not require the large numbers of filters that present systems do.