Numerous tools have been developed to aid in network management. One example of such tools is a “network analyzer.” In general, a network analyzer is a program that monitors and analyzes network traffic, detecting bottlenecks and problems. Using this information, a network manager can keep traffic flowing efficiently and securely. A network analyzer may also be used to capture data being transmitted on a network. The term “network analyzer” may further describe a program that analyzes data other than network traffic, or one that classifies packets into flows. For example, a database can be analyzed for certain kinds of duplication. Network analyzers may also carry out various security operations (e.g., intrusion detection). One example of a network analyzer is the SNIFFER® product manufactured by NETWORK ASSOCIATES, INC®.
Network analyzers are often capable of analyzing network traffic across a plurality of protocol layers. Such networking protocols exist at different layers in a stack based on the Open Systems Interconnection (OSI) model for networking.
Network analysis architecture is often loosely based on the OSI model for layering. Protocols are classified by where they occur in the OSI stack. See, for example, Table 1.
TABLE 1
Service (OSI Application)
Application (OSI Application)
Session (OSI Session)
Connection (OSI Transport)
Station (OSI Network)
DLC (OSI Data Link)
GlobalSubnet (OSI Network)
Network analyzers often employ a set of expert protocol interpreters (EPIs), each written to parse protocol header information in real time, or in post-analysis mode, in order to carry out network analysis. EPIs parse header data to perform functions such as those set forth in Table 2.
TABLE 2
Identify and graphically depict network objects such as stations, TCP connections, HTTP applications, etc.
Count frames and bytes per protocol and object
Track state information
Diagnose problems based on state information and timing conditions
Traditionally, network analyzers have successfully analyzed a wide variety of protocols and identified a large number of network objects and associated faults, based on the single-dimensional OSI model of networks.
FIG. 1A illustrates an example 10 of network analyzer objects resulting from analysis of a HTTP session, in accordance with the prior art. In this example, the resultant frame 15 is similar to that shown in the present figure.
In the context of the present figure, the following EPIs of Table 3 are called, and analysis progresses up the stack through the frame. Table 3 further indicates the order in which such EPIs are called.
TABLE 3
HTTP Service: 5th
HTTP App: 4th
TCP: 3rd
IP: 2nd
ETHER: 1st
An exemplary decode of the foregoing scenario is shown in Table 4.
TABLE 4
ETHER DLC  SA = DLC1  DA = DLC2
IP         SA = IP1   DA = IP2
TCP
HTTP
With recent innovations in mobile wireless phone systems, data communications from cell phones or other similar portable devices have become common. It is now possible to attach a laptop computer to a cell phone and surf the Internet, or use a single-unit device to accomplish the same. This may be accomplished using various types of tunneling protocols such as IP tunneling, Generic Routing Encapsulation (GRE) and General Packet Radio Service (GPRS) tunneling protocols.
FIG. 1B illustrates an example of a communication 20 involving tunneling, in accordance with the prior art. As shown, IP3 and IP4 represent IP tunnel endpoints that are carrying an HTTP session in a TCP connection between IP1 and IP2 (dashed line). In this scenario, IP1 is issuing an “HTTP Get” to IP2 through an IP tunnel connected by IP3 and IP4 (solid line). In this example, the resultant frame 25 is similar to that shown in the present figure.
The addition of the second IP header shown in FIG. 1B thus adds a new dimension to the object model. There is thus a need for a network analyzer capable of analyzing traffic inside a tunnel.
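The following is an added example, not part of the patent text or of any product it names. It implements a minimal layered decoder in Python that calls protocol interpreters in the order Table 3 gives (ETHER, then IP, then TCP, then the HTTP layers) and records a decode like Table 4. It then shows the FIG. 1B situation: when the IP payload is a GRE or IP-in-IP tunnel, the decoder re-enters the IP interpreter, so the inner IP1/IP2 session objects are reported alongside the outer IP3/IP4 tunnel endpoints instead of being lost at the first IP header. The MAC addresses, IP addresses and HTTP request are constructed sample values; the GRE and IP-in-IP protocol numbers (47 and 4) and EtherType 0x0800 are the standard assignments.

```python
"""Added example: layered frame decoding with tunnel re-entry.

Walks a constructed Ethernet frame ETHER -> IP -> TCP -> HTTP and, when the
IP payload is GRE (proto 47) or IP-in-IP (proto 4), recurses into the inner
IP header so objects inside the tunnel are decoded too. All addresses and
payloads are constructed sample values.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_IPIP = 4      # IP-in-IP encapsulation
IPPROTO_TCP = 6
IPPROTO_GRE = 47      # Generic Routing Encapsulation


def build_ipv4(src, dst, proto, payload):
    """Build a 20-byte IPv4 header (no options, checksum left zero) plus payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_tcp(sport, dport, payload):
    """Build a minimal 20-byte TCP header (PSH|ACK, data offset 5) plus payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return hdr + payload


def build_ether(src_mac, dst_mac, payload):
    """Ethernet II: destination MAC first, then source MAC, then EtherType."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload


def decode_frame(frame):
    """Return the ordered list of (layer, detail) objects found in the frame."""
    objects = []
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    objects.append(("ETHER", {"SA": src.hex(":"), "DA": dst.hex(":")}))
    if etype == ETHERTYPE_IPV4:
        _decode_ip(frame[14:], objects, depth=0)
    return objects


def _decode_ip(data, objects, depth):
    """IP interpreter; depth > 0 means this header was found inside a tunnel."""
    ihl = (data[0] & 0x0F) * 4
    proto = data[9]
    src = ".".join(map(str, data[12:16]))
    dst = ".".join(map(str, data[16:20]))
    label = "IP" if depth == 0 else f"IP (tunnel depth {depth})"
    objects.append((label, {"SA": src, "DA": dst, "proto": proto}))
    payload = data[ihl:]
    if proto == IPPROTO_TCP:
        _decode_tcp(payload, objects)
    elif proto == IPPROTO_IPIP:
        _decode_ip(payload, objects, depth + 1)
    elif proto == IPPROTO_GRE:
        flags_ver, gre_proto = struct.unpack("!HH", payload[:4])
        objects.append(("GRE", {"protocol_type": hex(gre_proto)}))
        # Optional checksum (C, bit 15), key (K, bit 13) and sequence (S, bit 12)
        # fields each add 4 bytes to the 4-byte base header.
        flags = flags_ver >> 12
        hdr_len = 4 + 4 * bin(flags & 0xB).count("1")
        if gre_proto == ETHERTYPE_IPV4:
            _decode_ip(payload[hdr_len:], objects, depth + 1)


def _decode_tcp(data, objects):
    sport, dport = struct.unpack("!HH", data[:4])
    data_off = (data[12] >> 4) * 4
    objects.append(("TCP", {"sport": sport, "dport": dport}))
    if 80 in (sport, dport):
        _decode_http(data[data_off:], objects)


def _decode_http(data, objects):
    """Request-line parse: yields the HTTP App and HTTP Service objects of Table 3."""
    try:
        line = data.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return
    parts = line.split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        objects.append(("HTTP App", {"method": parts[0], "uri": parts[1]}))
        objects.append(("HTTP Service", {"version": parts[2]}))


# Constructed sample values (not from the patent).
MAC1 = bytes.fromhex("020000000001")
MAC2 = bytes.fromhex("020000000002")
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: ip2.example\r\n\r\n"


def plain_frame():
    """FIG. 1A scenario: IP1 issues an HTTP Get to IP2 with no tunnel."""
    tcp = build_tcp(40000, 80, HTTP_GET)
    return build_ether(MAC1, MAC2, build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP, tcp))


def tunneled_frame():
    """FIG. 1B scenario: the same session carried in a GRE tunnel between IP3 and IP4."""
    tcp = build_tcp(40000, 80, HTTP_GET)
    inner = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP, tcp)
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner   # no C/K/S flags set
    return build_ether(MAC1, MAC2, build_ipv4("192.0.2.3", "192.0.2.4", IPPROTO_GRE, gre))


def layer_names(frame):
    return [layer for layer, _ in decode_frame(frame)]


if __name__ == "__main__":
    for name, frame in (("plain", plain_frame()), ("tunneled", tunneled_frame())):
        print(name)
        for layer, detail in decode_frame(frame):
            print(f"  {layer}: {detail}")
```

Run as a script, the plain frame decodes to the five layers of Table 3; the tunneled frame additionally shows the outer IP3/IP4 header and the GRE object before the inner IP1/IP2, TCP and HTTP objects, which is the second dimension the text refers to. A decoder that stopped at the first IP header would report only an opaque GRE flow between the tunnel endpoints.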