The present invention relates to a system and method for automatically analyzing the flow of traffic through a network, and in particular, for such a system and method in which software agents are distributed throughout the network according to a physical topology map in order to gather the traffic information.
Networks, including local area networks (LAN) and wide area networks (WAN), are becoming increasingly prevalent as the number of computers in organizations grows. Networks enable information to be shared between computers, and as such are important for the ease and convenience of storing and accessing data throughout an organization. Networks are implemented with a physical connection between at least two computers or other network hardware devices. This physical connection can be implemented through various types of physical connection media, including but not limited to, a cable or wireless communication, including optical, infra-red and radiowave based signals. Data is passed through this physical connection according to various protocols at different layers of the network. These protocols include but are not limited to, transmission control protocol (TCP), Internet protocol (IP), Internet packet exchange (IPX), systems network architecture (SNA), datagram delivery protocol (DDP) and so forth. At the data link layer, such protocols include, but are not limited to, Ethernet, token ring, fiber distributed data interface (FDDI) and so forth.
The traffic which passes through such a network must be monitored in order to maintain an efficient network. The flow of packets through the network is analyzed by detecting packets as they are transported from point to point on the network. Although there are known methods in the background art for detecting the flow of these packets, these methods have various limitations and disadvantages. For example, the standard for SNMP (Simple Network Management Protocol) includes a MIB (Management Information Base) about packet flow at a very high level, such that the number of packets being transmitted according to the TCP, UDP or ICMP protocols is detected, but not the source or destination network elements for these packets (see RFC 1156). Clearly, this information is not sufficient in order to provide a detailed analysis of the packet flows through the network.
More information is gathered according to a new version of this standard in the RMON standard (RFC 1213). The RMON standard is the basis for a number of hardware products, including OpenView.TM. (Hewlett-Packard, USA). In addition, software products based on RMON are also available. Products which are based on RMON suffer from a number of disadvantages. First, many individual hardware devices and/or software packages must be purchased and installed in order to effectively gather traffic information. Second, information is gathered according to user-configured thresholds, which must be separately configured for each hardware device at the device itself, such that central control is not possible. Third, the information is gathered in a manner which can overload the network, since the information is collected from the hardware devices and/or software packages through polling. Not only are large amounts of data collected each time, but additional polling can be triggered if a particular environmental condition is detected by an RMON-based hardware or software product, further overloading the network. Fourth, although this product is able to gather more information than previous versions of SNMP, data is collected separately for the source and destination addresses of packets and the network protocols according to which the packets were sent, such that the two types of data are difficult to correlate. Thus, RMON-based hardware and software products clearly cannot provide the detailed information required for a full analysis of the traffic flow through the network.
Other currently available products include "sniffer" software products, which are proprietary traffic flow detection software programs. These "sniffer" products suffer from the disadvantage of gathering too much information in an unfiltered manner, such that the useful information is hidden in a great deal of useless information. Furthermore, the excessive amount of gathered data can overload the network, while obscuring the important information for traffic analysis.
Other background art methods are disclosed in U.S. Pat. No. 5,430,709 and in U.S. Pat. No. 5,568,471. U.S. Pat. No. 5,430,709 discloses a method for monitoring communication over a network according to a particular protocol, such as the TCP/IP protocol. However, the disclosed method is limited to processing datagrams, as required for TCP/IP, and hence is not suitable for other types of traffic on a network. In addition, the method is particularly directed to monitoring sessions, rather than to collecting continuous information about traffic flow.
U.S. Pat. No. 5,568,471 also teaches a system and method with limited functionality. The disclosed invention is limited to operation with a single network element. The concept of collecting traffic data from a plurality of network elements is neither taught nor suggested. Certainly, the correlation of such data with a physical topology map is neither taught nor suggested. Thus, the disclosed system and method are quite limited and have a number of drawbacks.
One additional disadvantage of all of these background art methods for traffic analysis is that they do not adequately exploit information obtained from physical topology mapping. Various methods for determining the physical topology of a network are known in the art. One such method is disclosed in U.S. patent application Ser. No. 09/285,099, filed on Apr. 2, 1999, incorporated by reference as if fully set forth herein. An accurate picture of the physical topology is an important prerequisite for determining the traffic flow or "traffic topology map" of a network. Thus, the background art methods are also deficient for failing to directly incorporate physical topology information into the analysis of traffic flow through the network.
There is thus a need for, and it would be useful to have, a system and a method for automatic detection of the flow of traffic through a network without requiring specialized hardware devices, which is sufficiently flexible to permit mapping through substantially the entirety of all nodes in the network and which is able to analyze the flow of traffic through the network according to the physical topology map.