It is necessary to monitor the packets travelling on a local area network in order to manage the network. A network manager is a person who keeps track of network usage, the type of packets travelling on the network, the number of packets on the network, and so forth. The network manager must have information from the network as to the packet traffic. A network monitor is a station on the network which records packet traffic information, and makes the information available to the network manager.
Filtering is the term used for reading, decoding, and sorting MAC level fields, LLC level fields, and other fields of a packet. The network monitor must filter the fields of a packet at the speed at which bits of the packet arrive at the interface to the network. The full content of the MAC level, LLC level, and other fields, both header fields and trailer fields, must be filtered at the speed at which packets travel on the network.
For example, the following fields may need to be filtered: the MAC level fields, the LLC header fields, and also the PID field of SNAP SAP packets, for the purpose of monitoring packet types, where the monitoring must be performed "on the fly" as the packet arrives at the monitor station. Additionally, any packet having an error may be monitored.
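The field decoding described above can be illustrated with a small software filter. This is an added example, not part of the original text, and it shows only which fields are read and sorted, not a way to do so at wire speed. The byte offsets assume an FDDI frame with 48-bit addresses carrying an 802.2 LLC header followed by a SNAP header; the names `filter_frame`, `pkt_fields` and `sample_snap` are hypothetical, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (FDDI frame, 48-bit addresses, 802.2 LLC + SNAP):
 * FC(1) DA(6) SA(6) | DSAP(1) SSAP(1) CTRL(1) | OUI(3) PID(2)          */
enum { FC_OFF = 0, DA_OFF = 1, SA_OFF = 7, LLC_OFF = 13, SNAP_OFF = 16, SNAP_END = 21 };
enum pkt_class { PKT_TRUNCATED, PKT_NON_LLC, PKT_LLC_OTHER, PKT_SNAP };

struct pkt_fields {
    uint8_t  fc, da[6], sa[6];
    uint8_t  dsap, ssap, ctrl;
    uint32_t oui;   /* valid only for PKT_SNAP */
    uint16_t pid;   /* valid only for PKT_SNAP */
};

/* Decode the header fields and return the class a monitor would count the
 * packet under. Each offset is bounds-checked before it is read, so a short
 * (errored) frame is reported as PKT_TRUNCATED rather than read past its end. */
enum pkt_class filter_frame(const uint8_t *p, size_t len, struct pkt_fields *out)
{
    memset(out, 0, sizeof *out);
    if (len < LLC_OFF) return PKT_TRUNCATED;
    out->fc = p[FC_OFF];
    memcpy(out->da, p + DA_OFF, 6);
    memcpy(out->sa, p + SA_OFF, 6);
    /* FC bits CLFFZZZZ: L=1 (48-bit addresses), FF=01 (LLC frame); all else is non-LLC here. */
    if ((out->fc & 0x70) != 0x50) return PKT_NON_LLC;
    if (len < SNAP_OFF) return PKT_TRUNCATED;
    out->dsap = p[LLC_OFF]; out->ssap = p[LLC_OFF + 1]; out->ctrl = p[LLC_OFF + 2];
    /* SNAP SAP: DSAP = SSAP = 0xAA with an unnumbered-information control byte. */
    if (out->dsap != 0xAA || out->ssap != 0xAA || out->ctrl != 0x03) return PKT_LLC_OTHER;
    if (len < SNAP_END) return PKT_TRUNCATED;
    out->oui = (uint32_t)p[16] << 16 | (uint32_t)p[17] << 8 | p[18];
    out->pid = (uint16_t)(p[19] << 8 | p[20]);
    return PKT_SNAP;
}

/* Constructed sample: broadcast DA, made-up SA, SNAP header with PID 0x0800. */
const uint8_t sample_snap[] = {
    0x50, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x02,0x00,0x00,0x00,0x00,0x01,
    0xAA, 0xAA, 0x03, 0x00,0x00,0x00, 0x08,0x00, 0x64,0x61,0x74,0x61 };

int main(void) {
    struct pkt_fields f;
    enum pkt_class c = filter_frame(sample_snap, sizeof sample_snap, &f);
    printf("class=%d pid=0x%04x\n", (int)c, (unsigned)f.pid);
    return 0;
}
```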
A technique employed in the past for analyzing the bytes of the packet, both MAC and LLC fields, has been to read the packets into memory and then to read the packets out of memory so that software can analyze the header bytes. However, the software is slow in two respects: first, in transferring the bytes to memory; and second, in analyzing the header bytes of the packet by reading the packets out of packet buffer memory.
A further technique employed in the past is to use a CAM match scheme to decode the FC field and the DA field of a packet, where the FC field is the frame control field according to the FDDI ANSI Standard, and the DA field is the destination address of the packet. A limitation of a straight CAM match scheme is that an ordinary CAM is too small to hold the combinations of bits needed for filtering the variety of types of packets normally travelling on a local area network, and a monitor must report on a large variety of packet types.
The problem of analyzing the full content of the MAC fields, the LLC header fields, and other fields remains unsolved as a task which can be accomplished at the rate at which packets may arrive at the host computer in a modern local area network. For example, the standard IEEE 802.2 MAC and LLC packets contain approximately twenty-two bytes. Each byte has 8 bits, and so there are a possible two to the 176th power unique combinations of bits. This is approximately 10**53 combinations. A CAM match scheme is unable to provide the required number of combinations.
In a modern local area network such as the FDDI optical fiber network, bits arrive at the rate of 100 megabits per second; that is, approximately 450,000 packets per second may arrive at the host computer. This arrival rate of bits is, in some cases, faster than the CPU of the host computer can execute software to read the packets into memory, much less filter the field contents.
It is desirable to filter the MAC fields, the LLC fields and other fields of a packet for monitoring purposes at the speed at which the bits of the packet travel on the local area network.