1. Field of the Invention
The present invention relates, in general, to protocol analyzer systems, and, more particularly, to software, systems and methods for remotely managing protocol analyzer data buffers.
2. Relevant Background
Protocol analyzers are tools used to monitor, troubleshoot, and manage data networks. Data networks are used to conduct data traffic, usually in the form of data packets, between network connected devices. A protocol analyzer, also called a "sniffer", is coupled to the data network and monitors all network data traffic. Protocol analyzers typically include filters that specify selection criteria for packets such as type, size, source node identification, destination node identification, and the like. Network packets that meet specified criteria are identified and logged for later analysis.
Businesses and individuals are increasingly reliant on data networks to improve productivity and add value to the computing devices that use the data network. The devices coupled to networks are increasingly heterogeneous and may use a variety of protocols over a single physical network. Further, businesses increasingly employ multiple networks of different types. These factors increase the difficulty and importance of network management.
A complex network comprises a plurality of segments where each segment is roughly equivalent to a local area network (LAN). Segments are coupled together by internetwork technologies such as wide area network (WAN) systems using, for example, the public switched telephone network (PSTN) to internetwork segments. The quantity of data transported across a typical network and the rate at which that data is transported create a formidable data management problem for protocol analysis systems. Data packets must be captured from the network traffic, filtered, and logged by dedicated hardware physically coupled to the network segment under study. Logs taken over even a short period of time can result in megabytes or gigabytes of data stored in the protocol analyzer's buffer.
As networks become more complex, it is desirable to perform many network management functions remotely in a centralized fashion. In a complex network, effective protocol analysis at the segment level requires a distributed solution in which a protocol analyzer is coupled to each network segment to be analyzed. However, the analysis operations are most efficiently implemented in a centralized manner so that a single host can access data from any given segment for analysis. Remote management may be performed over long distances, or may simply involve managing a first network from a management console attached to a second network. Remote management avoids the difficulty and inefficiency associated with a requirement that the management tool be physically connected to the network to be managed.
In a distributed analyzer, a remote probe is coupled to the network to be managed while the analysis and display software are executed in a host computer. The host computer includes network connection mechanisms to couple to the remote probe and download data from the remote probe using, for example, remote monitor (RMON) standard protocols. The remote probe includes high-speed hardware for capturing packets and storing them in a buffer or data file within the analyzer. The remote probe also includes large amounts of physical storage for holding the captured packets.
However, the massive quantity of data captured in a typical environment creates a significant obstacle in remote management. The captured data must be transported from the remote probe to the host machine. In the past this transport has been performed by out-of-band communication links or by slowly transporting the data over the networks and internetwork(s) connecting the probe and the host. However, the time required to transport this data is unacceptable and the transport adversely affects network performance while the captured data is moving through the networks. A need exists for systems, methods and software to more efficiently transport probe data gathered by a remote protocol analyzer probe.
Moreover, the amount of working memory (e.g., random access memory or "RAM") in a typical host analysis computer is a fraction of the size of the data captured in the remote buffer. Even if the entire probe buffer contents could be efficiently transported to the host, the host tends to struggle in manipulating and analyzing files larger than its available working memory. A need exists for a mechanism that enables a user to specify only a portion of a probe buffer that can be efficiently manipulated by the host computer.
Briefly stated, the present invention involves a method and system for gathering data by monitoring data packets on a network. At least some of the packets are captured in a data buffer. Preferably, each captured packet is classified according to a preselected classification system and each captured packet is marked with an indicia of its classification. An analysis program is executed on a network coupled computer. The analysis program displays data about the buffer contents, including the indicia when available, before transferring the buffer contents to the analysis program. A user of the analysis program can select portions of the buffer contents for transfer as an alternative to transferring the entire buffer contents.
In another aspect, the present invention involves a probe buffer for capturing data packets from a network. Filter routines executing in the probe operate to receive packets from the network and select packets meeting predefined criteria. Classification routines are operable in cooperation with the filter routines to associate a class code with each of the selected packets. A packet buffer has a plurality of entries where each entry is sized to hold a captured packet. A class tracking buffer has a plurality of entries where each entry corresponds with an entry in the packet buffer and holds the class code associated with the packet held in the corresponding packet buffer.
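The arrangement described in the two paragraphs above (a packet buffer, a parallel class tracking buffer, a summary the host views before transfer, and a selective transfer) can be sketched as follows. This is an added example, not code from the patent; the EtherType-based class codes, the length filter, the byte budget and all names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical class codes keyed by EtherType; the page names no scheme.
OTHER, ARP, IPV4, IPV6 = 0, 1, 2, 3
ETHERTYPE_CLASS = {0x0806: ARP, 0x0800: IPV4, 0x86DD: IPV6}

def classify(frame: bytes) -> int:
    """Classification routine: class code from the Ethernet EtherType."""
    ethertype = int.from_bytes(frame[12:14], "big") if len(frame) >= 14 else -1
    return ETHERTYPE_CLASS.get(ethertype, OTHER)

@dataclass
class ProbeBuffer:
    packets: list = field(default_factory=list)  # packet buffer
    classes: list = field(default_factory=list)  # class tracking buffer

    def capture(self, frame: bytes, min_len: int = 14) -> bool:
        """Filter routine (assumed length criterion), then classify and store."""
        if len(frame) >= min_len:
            self.packets.append(frame)
            self.classes.append(classify(frame))  # same index as the packet
        return len(frame) >= min_len

    def summary(self) -> dict:
        """Per-class (count, bytes): what the host views before any transfer."""
        out = {}
        for code, pkt in zip(self.classes, self.packets):
            count, size = out.get(code, (0, 0))
            out[code] = (count + 1, size + len(pkt))
        return out

    def select(self, wanted: set, max_bytes: int) -> list:
        """Entries of the wanted classes, in capture order, within a byte budget."""
        chosen, total = [], 0
        for idx, code in enumerate(self.classes):
            if code not in wanted:
                continue
            if total + len(self.packets[idx]) > max_bytes:
                break  # budget models the host's working memory
            chosen.append((idx, self.packets[idx]))
            total += len(self.packets[idx])
        return chosen

def demo_probe() -> ProbeBuffer:
    """Constructed sample traffic: (EtherType, payload length) pairs."""
    probe = ProbeBuffer()
    for etype, n in [(0x0800, 100), (0x0806, 28), (0x0800, 500), (0x86DD, 60), (0x0800, 50)]:
        probe.capture(bytes(12) + etype.to_bytes(2, "big") + bytes(n))
    probe.capture(bytes(6))  # runt frame, rejected by the filter
    return probe
```

Because the summary is computed from the class tracking buffer and packet lengths alone, the host can decide what to pull before any packet payload crosses the network.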