A protocol analyzer (also known as a network analyzer, packet analyzer, protocol analyzer, or sniffer) is computer software or hardware that can intercept and log traffic passing over a digital communications network or part of a network. As data streams flow across the network, the protocol analyzer monitors and records select data from the data stream, and, if needed, decodes and analyzes its content according to an appropriate protocol or specification, particular to determine the presence of any events of interest, including but not limited to errors in data transmission.
Protocol analyzers often capture very large traces. Searching for errors or other events can be very slow, taking many minutes or even hours to accomplish. To solve this problem, some analyzers traditionally use hardware search engines, but these methods can only operate on the trace while it is in the analyzer's trace buffer, and are of no help when the trace is saved to a disk drive or other storage device. An example of this is found in U.S. Pat. No. 6,266,789 (“Bucher et al.”). The problem is further compounded because storage devices generally have much slower access times and transfer rates than protocol analyzers. To solve the problem of slow searches and slow analysis, some analyzers process the entire trace after the capture has completed in order to gather information that is subsequently used to speed up the search and analysis while the user is viewing the trace. The gathered information is used to speed up searches, create histograms, generate statistics, and aid in analysis of the protocol. Unfortunately, post-capture information gathering can be very time consuming, causing the user to wait many minutes (or even hours, in the case of very large traces) before a user can fully view and navigate the trace. An example of post-capture indexing in order to speed up the creation of a histogram is found in U.S. Pat. No. 6,745,351 (“Mastro”). The present invention significantly reduces the time to search and analyze trace data, whether in the trace buffer or saved to storage elsewhere, without incurring the typical delays of post-capture gathering and processing as disclosed in the prior art.