Not applicable.
Not applicable.
A protocol analyzer (also known as a network analyzer, packet analyzer, protocol analyzer, or sniffer) is computer software or hardware that can intercept and log traffic passing over a digital communications network or part of a network. As data streams flow across the network, the protocol analyzer monitors and records select data from the data stream, and, if needed, decodes and analyzes its content according to an appropriate protocol or specification, particular to determine the presence of any events of interest, including but not limited to errors in data transmission.
Protocol analyzers often capture very large traces. Searching for errors or other events can be very slow, taking many minutes or even hours to accomplish. To solve this problem, some analyzers traditionally use hardware search engines, but these methods can only operate on the trace while it is in the analyzer's trace buffer, and are of no help when the trace is saved to a disk drive or other storage device. An example of this is found in U.S. Pat. No. 6,266,789 (“Bucher et al.”). The problem is further compounded because storage devices generally have much slower access times and transfer rates than protocol analyzers. To solve the problem of slow searches and slow analysis, some analyzers process the entire trace after the capture has completed in order to gather information that is subsequently used to speed up the search and analysis while the user is viewing the trace. The gathered information is used to speed up searches, create histograms, generate statistics, and aid in analysis of the protocol. Unfortunately, post-capture information gathering can be very time consuming, causing the user to wait many minutes (or even hours, in the case of very large traces) before a user can fully view and navigate the trace. An example of post-capture indexing in order to speed up the creation of a histogram is found in U.S. Pat. No. 6,745,351 (“Mastro”). The present invention significantly reduces the time to search and analyze trace data, whether in the trace buffer or saved to storage elsewhere, without incurring the typical delays of post-capture gathering and processing as disclosed in the prior art.
The present invention discloses a method and apparatus for recording trace data in a way that significantly reduces the time required to search for specific events, to create an index, to create a histogram, or to analyze the protocol. During capture, the analyzer recognizes infrequent events and sets an Event-Present Flag (“EP Flag”) indicating that a specific event has occurred. The trace is divided into pages, with a separate set of Event-Present Flags for each page indicating whether an event occurred in that page of the trace. This division of a trace into separate pages results in significant efficiencies.
For instance, when searching the trace for an infrequent event, only the pages identified as containing the infrequent event need be searched, thus reducing both the overall percentage and number of pages of the trace that need to be searched. The overall improvement in search performance may be measured by a number of ways. For instance, overall improvement in search performance may be measured as a multiplier determined by dividing the number of pages in the trace by the number of pages containing the event. This method is more effective for events that occur rarely, and is most effective for events that do not occur in the trace. Thus the method provides the greatest speed improvement for events that take the longest time to search. The method has the unique advantage of providing fast searches without special search hardware or the need for post-capture processing of the entire trace, and with a minimal increase in trace size.
To clarify the advantages and features of the present invention, a brief description of the drawings is provided. These drawings depict only typical embodiments of the invention and should not be considered limiting of its scope.
The process of capturing trace data into a trace memory is well known in the art. See for example, U.S. Pat. No. 5,457,694 (“Smith”) for a detailed description. The present invention may thus be applied to almost any prior art method for capturing trace data, e.g., by being inserted into the data path of the captured data before the trace memory controller writes the trace data into trace memory. The invention can be optimized for a specific bus to produce the fastest searching and analysis while minimizing the additional memory required to store the Event Present Flags (“EP Flags”). This optimization requires an understanding of the bus protocol and the relative frequency of the various events occurring on the bus. Since it is desirable to use the available memory efficiently, tradeoffs can be made, including but not limited to, which events should be grouped together into a single flag, which events should have their own flag, and which events should not be represented by a flag at all. One of skill in the art will recognize additional permutations and the examples provided here are not meant to be exhaustive.
Additionally, it is important to avoid creating too many EP Flags, or the time required to save a trace to a mass storage device will increase too much. For example, increasing the size of the trace by 20% will result in a 20% increase in the time required, to save the trace. Also, since additional logic is required to recognize each event, the diminishing performance returns that result from adding more EP Flags will no longer be worth the cost at some point. In order to minimize the number of EP Flags required, extremely rare events can be grouped together into a single EP Flag rather than each having its own separate EP Flag. One example of events that can be grouped together is the various types of errors that occur on the bus, such as encoding/decoding errors, disparity errors, and framing errors. These errors normally occur very infrequently. Accordingly, it may be advantageous to group all of these different kinds of errors into a single EP Flag called “Any Error.” Additional examples of rarely occurring events that can be grouped together are rare messages, such as messages used for error recovery or messages used for initial configuration. By grouping multiple rare events into a single EP Flag, it is possible to both save memory space and significantly improve search speed for certain events. Although adding EP Flags may actually increase the trace size by a few percent, it can reduce search and analysis performance time by orders of magnitude. This is particularly true in the case of EP Flags representing events that occur rarely.
The size of a trace page should be chosen to be within a reasonable range. It is desirable for a page to be at least as large as the largest packet or frame that will be captured during the trace. Much larger pages than this result in a higher percentage of pages that have an asserted EP Flag, thus resulting in longer average search times. Much smaller pages result in lower memory efficiency since a higher percentage of memory is being used to store the asserted EP Flags. In general, it has been found that a useful page size is equal to approximately twice the size of the largest packet or frame captured. Since most protocol analyzers give the user various filtering options which filter unwanted data during capture, the optimum page size may be different depending on the filtering options chosen. For example, users can choose to truncate longer packets, which may result in a smaller optimum page size.
There are two methods for storing the Event Present flags (EP flags) described. One method is to store the EP flags in memory that is separate from the main trace data. The other method is to embed the EP flags with the main trace data so that the trace data and EP Flags are stored in the same memory by the memory controller.
Below is a detailed description of the preferred embodiments of the invention. The descriptions serve to illustrate only typical embodiments of the invention and should not be read as limiting in any way the scope of the invention.
Referring to
Referring to
Referring to
Referring to
Referring to
Referring to
Referring to
An additional element that may be incorporated is a timeout counter that calculates the time elapsed before or between recognition of events of interest, e.g., Events A, B, or C. A timeout counter can be set to “restart” upon too little time having elapsed before recognition of an event of interest or too much time having elapsed since the recognition of the last event of interest. Upon determination of either too little or too much time having elapsed, State 1 is entered and the sequence starts over again.
Another element is an event counter which may be employed to calculate the number of events that have elapsed before or between recognition of events of interest, e.g., Events A, B, or C. An event counter can be set to “restart” upon too few events counted before recognition of an event of interest or too many events counted since the recognition of the last event of interest. Upon determination of either too few or too many events counted, State 1 is entered and the sequence starts over again.
The definition of the Event Present Flags may be predefined, or they may be dynamically defined, such as where the first occurrence of an event of interest assigns the event to the next available Event Present Flag, and from that point forward that Event Present Flag in each page represents that event. By dynamically assigning the meaning of the Event-Present Flags, the flags are utilized more efficiently because flags are only used for those events that occurred in the trace. Events that would have been assigned a flag if they had occurred are known to have not occurred if no flag is assigned to them.
Referring to
This application claims priority to U.S. Provisional Application No. 61/277,634 (“Smith”), filed Sep. 28, 2009, which is incorporated herein by reference.
Number | Name | Date | Kind |
---|---|---|---|
3925780 | Van Voorhis | Dec 1975 | A |
4430702 | Schiebe et al. | Feb 1984 | A |
4598364 | Gum et al. | Jul 1986 | A |
5457694 | Smith | Oct 1995 | A |
6134676 | VanHuben et al. | Oct 2000 | A |
6230313 | Callahan et al. | May 2001 | B1 |
6266789 | Bucher et al. | Jul 2001 | B1 |
6393587 | Bucher et al. | May 2002 | B2 |
6526044 | Cookmeyer et al. | Feb 2003 | B1 |
6738083 | Allen | May 2004 | B2 |
6745351 | Mastro | Jun 2004 | B1 |
6915466 | Mastro et al. | Jul 2005 | B2 |
6931574 | Coupal et al. | Aug 2005 | B1 |
6961925 | Callahan et al. | Nov 2005 | B2 |
7298746 | De La Iglesia et al. | Nov 2007 | B1 |
7669177 | Gerber et al. | Feb 2010 | B2 |
7739667 | Callahan et al. | Jun 2010 | B2 |
20020129339 | Callahan et al. | Sep 2002 | A1 |
20020177878 | Poore et al. | Nov 2002 | A1 |
20040024995 | Swaine | Feb 2004 | A1 |
20040268314 | Kollman et al. | Dec 2004 | A1 |
20050091269 | Gerber et al. | Apr 2005 | A1 |
20050105769 | Sloan et al. | May 2005 | A1 |
20050154838 | DeWitt et al. | Jul 2005 | A1 |
20060101416 | Callahan et al. | May 2006 | A1 |
20060268732 | Smith | Nov 2006 | A1 |
20060268859 | Smith | Nov 2006 | A1 |
20060268860 | Smith | Nov 2006 | A1 |
20060268914 | Smith | Nov 2006 | A1 |
20060271823 | Smith | Nov 2006 | A1 |
20060271853 | Marcos et al. | Nov 2006 | A1 |
20060288037 | Sundararajan et al. | Dec 2006 | A1 |
20070255847 | Smith | Nov 2007 | A1 |
20090271434 | George | Oct 2009 | A1 |
20110119469 | Ohmacht | May 2011 | A1 |
20110246836 | Walker et al. | Oct 2011 | A1 |
Number | Date | Country | |
---|---|---|---|
61277634 | Sep 2009 | US |