Method and apparatus for real-time protocol analysis using an auto-throttling front end process
First Claim
Patent Images
1. A method for monitoring and analyzing data flow at a point in a network to which a plurality of devices are connected, said method comprising:
- connecting a probe to a point in said network selected for monitoring, said probe including a central processor unit (CPU) responsive in Kernel mode for receiving an interrupt each time a data packet is received by a network interface card (NIC) of said probe, said NIC generating said interrupt for terminating present processing of said CPU for transferring data packets for processing in the Kernel mode;
programming said CPU such that said CPU itself operates in one mode to respond to said interrupts for data packet processing at times when said NIC is receiving data packets below a predetermined traffic rate;
programming said CPU such that said CPU itself operates in another mode to both terminate responding to said interrupts whenever the data packet traffic rate is equal to or above said predetermined traffic rate, and to respond to a polling pulse at a predetermined polling rate while maintaining Kernel mode processing until such time that the traffic rate reduces to below said predetermined traffic rate, whereafter normal NIC interrupts are then responded to by said CPU;
terminating CPU processing of data packets whenever the time spent by said CPU in such processing exceeds a predetermined percentage of the total CPU time available, wherein the predetermined percentage is 90%;
wherein said programming said CPU includes calibrating said CPU to determine how many processor ticks are available for each system tick by;
determining the number of processor ticks per second, determining the number of system ticks per second, and dividing the number of processor ticks per second by the number of system ticks per second;
wherein said data packets are processed to perform network analysis by filtering said data packets in real-time;
analyzing said data packets to gather statistics;
performing triggering operations; and
identifying problems with said network where the statistics include;
a host table, a matrix table, and a protocol distribution.
6 Assignments
0 Petitions
Accused Products
Abstract
In a probe system for monitoring and analyzing data flow and associated activities between devices connected in common to a point in a network, the probe'"'"'s driver runs in a “Kernel mode” on Windows NT for analyzing packets of data retrieved from the network, whereby programming is provided for operating the Kernel mode driver to monitor the rate of traffic or data packets entering an NIC card buffer, for causing the CPU to respond to an interrupt issued by the NIC everytime a data packet is received at a traffic rate below a predetermined threshold to access data packets entering the NIC card buffer, and to cause the CPU to respond to polling pulses at regular predetermined intervals to access data packets, when the traffic rate exceeds the predetermined threshold, for providing more CPU cycles to analyze the data packets. Processing by the CPU of data packets is terminated if more than a predetermined percentage of the available CPU time between system ticks has been expended, such that the entire CPU time is not consumed by processing received data packets.
-
Citations
10 Claims
-
1. A method for monitoring and analyzing data flow at a point in a network to which a plurality of devices are connected, said method comprising:
-
connecting a probe to a point in said network selected for monitoring, said probe including a central processor unit (CPU) responsive in Kernel mode for receiving an interrupt each time a data packet is received by a network interface card (NIC) of said probe, said NIC generating said interrupt for terminating present processing of said CPU for transferring data packets for processing in the Kernel mode;
programming said CPU such that said CPU itself operates in one mode to respond to said interrupts for data packet processing at times when said NIC is receiving data packets below a predetermined traffic rate;
programming said CPU such that said CPU itself operates in another mode to both terminate responding to said interrupts whenever the data packet traffic rate is equal to or above said predetermined traffic rate, and to respond to a polling pulse at a predetermined polling rate while maintaining Kernel mode processing until such time that the traffic rate reduces to below said predetermined traffic rate, whereafter normal NIC interrupts are then responded to by said CPU;
terminating CPU processing of data packets whenever the time spent by said CPU in such processing exceeds a predetermined percentage of the total CPU time available, wherein the predetermined percentage is 90%;
wherein said programming said CPU includes calibrating said CPU to determine how many processor ticks are available for each system tick by;
determining the number of processor ticks per second, determining the number of system ticks per second, and dividing the number of processor ticks per second by the number of system ticks per second;
wherein said data packets are processed to perform network analysis by filtering said data packets in real-time;
analyzing said data packets to gather statistics;
performing triggering operations; and
identifying problems with said network where the statistics include;
a host table, a matrix table, and a protocol distribution. - View Dependent Claims (2, 3, 4)
storing temporarily in a card receive buffer each data packet received by said NIC.
-
-
3. The method of claim 2, further including the step of:
transferring at the initiation of a Kernel mode of operation a data packet from said card receive buffer to a Kernel process driver, for processing by said CPU.
-
4. The method of claim 3, further including the step of:
transferring to a statistics buffer memory statistical data obtained from said CPU processing a data packet.
-
5. An apparatus for analyzing network data packets, comprising:
-
a network interface card for receiving data packets from the network, said network interface card comprising a card receive buffer memory for temporary storage of said data packets, said network interface card being adapted to generate a receive interrupt upon receiving a data packet; and
a central processor for running a first process, and a second process for other than analyzing network data packets, said first process being for accessing the data packets in said card receive buffer memory, and transporting them to a secondary buffer for access and processing by said second process;
wherein said first process is run in a Kernel mode, and said second process is run in a User mode, said central processor granting a higher running priority to said Kernel mode than to said User mode;
wherein, when the rate of data packets entering said card receive buffer is less than a predetermined traffic rate, said first process transports packet data from said card receive buffer to said secondary buffer responsive to each receive interrupt generated by said network interface card; and
wherein when the rate of data packets entering said card receive buffer exceeds said predetermined traffic rate, said first process transports data packets from said card receive buffer to said secondary buffer at regular predetermined intervals independent of any receive interrupts generated by said network interface card;
said central processor (CPU) being programmed for terminating CPU processing of data packets whenever the time spent by said CPU in such processing exceeds a predetermined percentage of the total CPU time available, wherein the predetermined percentage is 90%;
wherein said programming said CPU further includes calibrating said CPU to determine how many processor ticks are available for each system tick by;
determining the number of processor ticks per second, determining the number of system ticks per second, and dividing the number of processor ticks per second by the number of system ticks per second;
wherein said data packets are processed to perform network analysis by filtering said data packets in real-time;
analyzing said data packets to gather statistics;
performing triggering operations; and
identifying problems with said network, where the statistics include;
a host table, a matrix table, and a protocol distribution. - View Dependent Claims (6)
a statistics buffer memory for receiving from said secondary buffer statistics obtained from processing a data packet.
-
-
7. In a method for monitoring and analyzing the flow data packets at a point in a network to which a plurality of objects and/or devices are connected, a probe includes a network interface card (NIC) having an input for connection to said point in said network for receiving said data packets, and an interrupt generator for generating an interrupt at the time of receipt of each data packet, said probe further including a central processor unit (CPU) programmed to run in a high priority first mode for an associated operating system, for application programs for analyzing said data packets, said CPU normally being responsive to each interrupt for accessing a data packet analysis, said CPU being programmed to run in a relatively low priority second mode for other applications, wherein the improvement to said method comprises the steps of:
-
programming said CPU such that said CPU itself operates in said first mode of operation to respond to said interrupts at times when said NIC is receiving data packets below a predetermined traffic rate for the flow of data packets at said point in said network; and
programming said CPU such that said CPU itself operates in a said first mode of operation to both terminate responding to said interrupts whenever the data packet traffic rate is equal to or above said predetermined traffic rate, and to respond to a polling pulse at a predetermined polling rate, until such time that the traffic rate reduces to below said predetermined traffic rate, whereafter normal NIC interrupts are then responded to by said CPU;
terminating CPU processing of data packets whenever the time spent by said CPU in such processing exceeds a predetermined percentage of the total CPU time available, wherein the predetermined percentage is 90%;
wherein said programming said CPU includes calibrating said CPU to determine how many processor ticks are available for each system tick by;
determining the number of processor ticks per second, determining the number of system ticks per second, and dividing the number of processor ticks per second by the number of system ticks per second;
wherein said data packets are processed to perform network analysis by filtering said data packets in real-time;
analyzing said data packets to gather statistics;
performing triggering operations; and
identifying problems with said network, where the statistics include;
a host table, a matrix table, and a protocol distribution. - View Dependent Claims (8, 9)
temporarily storing in said card receive memory to said Kernel process driver for processing by said CPU in response to either an interrupt or a polling signal.
-
-
9. The method of claim 8, further the steps of:
transferring from said Kernel process driver statistics obtained from said CPU processing a data packet to said statistics buffer memory.
-
10. A method for monitoring and analyzing data flow at a point in a network to which a plurality of devices are connected, said method comprising:
-
connecting a probe to a point in said network selected for monitoring, said probe including a central processor unit (CPU) responsive in Kernel mode for receiving an interrupt each time a data packet is received by a network interface card (NIC) of said probe, said NIC generating said interrupt for terminating present processing of said CPU for transferring data packets for processing in the Kernel mode;
programming said CPU such that said CPU itself operates to respond to said interrupts for data packet processing at times when said NIC is receiving data packets below a predetermined traffic rate;
programming said CPU such that said CPU itself operates to both terminate responding to said interrupts whenever the data packet traffic rate is equal to or above said predetermined traffic rate, and to respond to a polling pulse at a predetermined polling rate while maintaining Kernel mode processing until such time that the traffic rate reduces to below said predetermined traffic rate, whereafter normal NIC interrupts are then responded to by said CPU;
storing temporarily in a card receive buffer each data packet received by said NIC;
transferring at the initiation of a Kernel mode of operation a data packet from said card receive buffer to a Kernel process driver, for processing by said CPU; and
terminating CPU processing of data packets whenever the time spent by said CPU in such processing exceeds a predetermined percentage of the total CPU time available, wherein the predetermined percentage is 90%;
wherein said programming said,CPU includes calibrating said CPU to determine bow many processor ticks are available for each system tick by;
determining, the number of processor ticks per second, determining the number of system ticks per second, and dividing the number of processor ticks per second by the number of system ticks per second;
wherein a total number of processor ticks between system ticks is limited by a ullProcessorTicksLimnit value calculated by the following equation;
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeNetwork General Technology
-
Original AssigneeNetworks Associates Technology, Inc. (McAfee, LLC)
-
InventorsHansen, Daniel, Cafarelli, Dominick Anthony III
-
Primary Examiner(s)Kincaid, Kristine
-
Assistant Examiner(s)Narayanaswamy, Sindya
-
Application NumberUS09/493,918Time in Patent Office1,488 DaysField of Search709/224, 709/233, 709/229, 709/201, 709/202, 600/300, 445/427, 340/172.5, 395/740US Class Current709/233CPC Class CodesH04L 43/026 using flow identificationH04L 43/0894 Packet rateH04L 43/12 Network monitoring probesH04L 43/16 Threshold monitoringH04L 43/18 Protocol analysers
