Method and apparatus for real-time protocol analysis using an active and adaptive auto-throtting CPU allocation front end process

US 6,735,629 B1
Filed: 05/04/2000
Issued: 05/11/2004
Est. Priority Date: 05/04/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for monitoring and analyzing data flow at a point in a network to which a plurality of devices are connected, said method comprising the steps of:

connecting a probe to a point in said network selected for monitoring, said probe including a control processor unit (CPU) responsive in Kernel Mode for receiving an interrupt each time a data packet is received by a network interface card (NIC) of said probe, said NIC generating said interrupt for terminating present processing of said CPU for transferring data packets to either a buffer memory for access for low detail processing by said CPU programmed to operate in the Kernel Mode, or to a frame capture memory for high detail processing by said CPU programmed via Expert Analyzer software to operate in a User Mode, said User Mode normally having lower priority than said Kernel Mode; and

allocating CPU time via programming said CPU, responsive to said Expert Analyzer software being enabled, to increase the allocation of percentage of available CPU time to User Mode processing as the amount of unanalyzed data in said frame capture memory increases.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a probe system for monitoring and analyzing data flow and associated activities between devices connected in common to a point in a network, in the mode of operation, the probe'"'"'s driver runs in a “Kernel mode” on Windows NT for analyzing in relatively low detail packets of data retrieved from the network, whereby programming is provided for operating the Kernel mode driver to monitor the rate of traffic or data packets entering an NIC card buffer, for causing the CPU to respond to an interrupt issued by the NIC everytime a data packet is received at a traffic rate below a predetermined threshold to access data packets entering the NIC card buffer, and to cause the CPU to respond to polling pulses at regular predetermined intervals to access data packets, when the traffic rate exceeds the predetermined threshold, for providing more CPU cycles to analyze the data packets. In another mode of operation, unanalyzed data packets are transferred to a frame memory for relatively detailed analysis via Expert Analyzer software operating the CPU in a User mode, whereby the amount of unanalyzed data in the frame memory is monitored for allocating the percent of CPU time available for Kernel mode processing in inverse relationship thereto.

50 Citations

View as Search Results

30 Claims

1. A method for monitoring and analyzing data flow at a point in a network to which a plurality of devices are connected, said method comprising the steps of:
- connecting a probe to a point in said network selected for monitoring, said probe including a control processor unit (CPU) responsive in Kernel Mode for receiving an interrupt each time a data packet is received by a network interface card (NIC) of said probe, said NIC generating said interrupt for terminating present processing of said CPU for transferring data packets to either a buffer memory for access for low detail processing by said CPU programmed to operate in the Kernel Mode, or to a frame capture memory for high detail processing by said CPU programmed via Expert Analyzer software to operate in a User Mode, said User Mode normally having lower priority than said Kernel Mode; and
  
  allocating CPU time via programming said CPU, responsive to said Expert Analyzer software being enabled, to increase the allocation of percentage of available CPU time to User Mode processing as the amount of unanalyzed data in said frame capture memory increases.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein said step of allocating CPU time is performed in the Kernel Mode.
  - 3. The method of claim 1, wherein said step of allocating CPU time includes the steps of:
4. The method of claim 3, wherein the allocation basing uses a percentage of unanalyzed data in the frame capture memory of 0-10%, 10-50%, 50-75%, 75-90% and 90-100%;
- with a CPU percentage allocated to kernel mode frame processing of 85%, 50%, 30%, 15% and 10%;
  
  respectively.
5. The method of claim 1, wherein said CPU is initialized to have a 90% allocation of its time to Kernel Mode processing of data.
6. The method of claim 4, wherein said CPU is initialized to have a 90% allocation of its time to Kernel Mode processing of data.
7. The method of claim 1, further including the step of calculating the maximum number of processor ticks consumed for each system tick by Kernel Mode processing.
8. The method of claim 5, further including the steps of:
- monitoring the enablement of the Expert Analyzer Software; and
  
  returning the allocation of CPU time for the Kernel Mode to 90%.
9. The method of claim 6, further including the steps of:
- monitoring the enablement of the Expert Analyzer Software; and
  
  returning the allocation of CPU time for the Kernel Mode to 90%.
10. The method of claim 1, further including the step of:
- programming said CPU to both terminate responding to said interrupts whenever the data packet traffic rate is equal to or above said predetermined traffic rate, and to respond to a polling pulse at a predetermined polling rate while maintaining Kernel mode processing until such time that the traffic rate reduces to below said predetermined traffic rate, whereafter normal NIC interrupts are then responded to by said CPU.
11. The method of claim 10, further including the step of:
- storing temporarily in a card receive buffer each data packet received by said NIC.
12. The method of claim 11, further including the step of:
- transferring at the initiation of a Kernel mode of operation a data packet from said card receive buffer to a Kernel process driver, for processing by said CPU.
13. The method of claim 10, further including the step of:
- terminating CPU processing of data packets whenever the time spent by said CPU in such processing exceeds a predetermined percentage of the total CPU time available between system ticks.
14. The method of claim 13, wherein the predetermined percentage value is 90%.
15. The method of claim 10, wherein said step of programming said CPU in a first mode of operation includes the initial step of:
- calibrating said CPU to determine how many processor ticks are available for each system tick.
16. The method of claim 15, further including the step of:
- terminating the processing of received data packets if said CPU uses greater than a predetermined percentage of the processor ticks available for each system tick.
17. The method of claim 15, further including the step of:
- terminating the processing of received data packets if said CPU while processing received data packets uses greater than 90% of the processor ticks available for each system tick.
18. The method of claim 1, further including the step of:
- transferring to a statistics buffer memory statistical data obtained from said CPU processing a data packet.

19. A method for monitoring and analyzing data flow at a point in a network to which a plurality of devices are connected, said method comprising the steps of:
- connecting a probe to a point in said network selected for monitoring, said probe including a central processor unit (CPU) responsive in Kernel mode for receiving an interrupt each time a data packet is received by a network interface card (NIC) of said probe, said NIC generating said interrupt for terminating present processing of said CPU for transferring data packets for processing in the Kernel mode;
  
  programming said CPU to respond to said interrupts for data packet processing at times when said NIC is receiving data packets below a predetermined traffic rate;
  
  programming said CPU to both terminate responding to said interrupts whenever the data packet traffic rate is equal to or above said predetermined traffic rate, and to respond to a polling pulse at a predetermined polling rate while maintaining Kernel mode processing until such time that the traffic rate reduces to below said predetermined traffic rate, whereafter normal NIC interrupts are then responded to by said CPU;
  
  transferring unanalyzed data from said NIC to a frame capture memory;
  
  enabling software in a User mode for progressively analyzing data in said frame capture memory;
  
  monitoring the percentage of unanalyzed data in said frame capture memory relative to the total storage capacity thereof at any given time; and
  
  allocating the percentage of CPU (central processing unit) time for Kernel mode frame processing as a function of the percentage of unanalyzed data in said frame capture memory.
- View Dependent Claims (20, 21, 22)
- - 20. The method of claim 19, wherein said allocating step is made with a percentage of unanalyzed data in the frame capture memory of 0-10%, 10-50%, 50-75%, 75-90% and 90-100%;
    - with a CPU percentage allocated to kernel mode frame processing of 85%, 50%, 30%, 15% and 10%;
      
      respectively.
  - 21. The method of claim 19, further including the steps of:
22. The method of claim 19, further including after said probe connecting step, the steps of initializing said CPU to allocate 90% of its time to Kernel mode processing of data.

23. An apparatus for analyzing network data packets, comprising:
- a network interface card for receiving data packets from the network, said network interface card comprising a card receive buffer memory for temporary storage of said data packets, said network interface card being adapted to generate a receive interrupt upon receiving a data packet;
  
  a central processor (CPU) for running a first process for analyzing network data packets, and a second process for other than analyzing network data packets in one mode of operation, said first process being for accessing the data packets in said card receive buffer memory, and transporting the data packets to a secondary buffer for access and processing by said second process;
  
  a frame capture memory for receiving unanalyzed data from said secondary buffer via said first process; and
  
  expert analyzer software for, when enabled, programming said CPU for analyzing data in said frame capture memory using said second process in a second mode of operation;
  
  wherein said first process is run in a Kernel mode, and said second process is run in a User mode, said central processor granting a higher running priority to said Kernel mode than to said User mode;
  
  wherein, when the rate of data packets entering said card receive buffer is less than a predetermined traffic rate, said first process transports packet data from said receive buffer to said secondary buffer responsive to each receive interrupt generated by said network interface card;
  
  wherein, when die rate of data packets entering said card receive buffer exceeds said predetermined traffic rate, said first process transports data packets from said card receive buffer to said secondary buffer at regular predetermined intervals independent of any receive interrupts generated by said network interface card; and
  
  wherein, when the percentage of unanalyzed data in said frame capture memory relative to the total storage capacity thereof is within a predetermined range, said first process determines the percent allocation of CPU time available for Kernel mode processing in accordance with the percentage of said unanalyzed data, whenever said expert analyzer software is enabled.
- View Dependent Claims (24, 25, 26)
- - 24. The apparatus of claim 23, further including said central processor being programmed to terminate said first process and transfer to said second process whenever the time spent in said first process exceeds a predetermined percentage of the time available between system ticks.
  - 25. The apparatus of claim 23, further including said central processor being programmed to terminate said first process and transfer to said second process whenever the time spent in said first process exceeds 90% of the time available between system ticks.
  - 26. The apparatus of claim 23, wherein said first process allocates with a percentage of unanalyzed data in the frame capture memory of 0-10%, 10-50%, 50-75%, 75-90% and 90-100%;
    - with a CPU percentage allocated to kernel mode frame processing of 85%, 50%, 30%, 15% and 10%;
      
      respectively.

27. In a method for monitoring and analyzing the flow data packets at a point in a network to which a plurality of objects and/or devices are connected, a probe includes a network interface card (NIC) having an input for connection to said point in said network for receiving said data packets, and an interrupt generator for generating an interrupt at the time of receipt of each data packet, said probe further including a central processor unit (CPU) programmed to run in a high priority first mode for an associated operating system, for applications programs for analyzing said data packets, said CPU normally being responsive to each interrupt for accessing a data packet for low detail analysis, said CPU being programmed to run in a relatively low priority second mode for other applications, and for detailed analysis of said data packets, wherein the improvement to said method comprises the steps of:
- programming said CPU in said first mode of operation to respond to said interrupts at times when said NIC is receiving data packets below a predetermined traffic rate for the flow of data packets at said point in said network;
  
  programming said CPU in a said first mode of operation to both terminate responding to said interrupts whenever the data packet traffic rate is equal to or above said predetermined traffic rate, and to respond to a polling pulse at a predetermined traffic rate, whereafter normal NIC interrupts are then responded to by said CPU;
  
  transferring data packets upon receipt for detailed analysis to a frame capture memory; and
  
  allocating a greater percentage of CPU time to said second mode as a function of the amount of unanalyzed data in said frame capture memory increasing from one level to a higher level.
- View Dependent Claims (28, 29, 30)
- - 28. The method of claim 27, further including the step of:
29. The method of claim 27, further including the step of:
- terminating the processing of a received data packet if the time spent by said CPU performing such processing exceeds 90% of the CPU time available between operating system ticks.
30. The method of claim 27, wherein said allocating step makes allocations with a percentage of unanalyzed data in the frame capture memory of 0-10%, 10-50%, 50-75%, 75-90% and 90-100%;
- with a CPU percentage allocated to kernel mode frame processing of 85%, 50%, 30%, 15% and 10%;
  
  respectively.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Network General Technology
Original Assignee
Networks Associates Technology, Inc. (McAfee, LLC)
Inventors
Hansen, Daniel, Cafarelli, Dominick Anthony III
Primary Examiner(s)
Etienne, Ario
Assistant Examiner(s)
EL CHANTI, HUSSEIN A

Application Number

US09/565,021
Time in Patent Office

1,468 Days
Field of Search

709/220, 709/223, 709/234-236, 709/249, 709/201, 709/209, 709/225, 709/233
US Class Current

709/224
CPC Class Codes

H04L 43/10   Active monitoring, e.g. hea...

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

Method and apparatus for real-time protocol analysis using an active and adaptive auto-throtting CPU allocation front end process

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for real-time protocol analysis using an active and adaptive auto-throtting CPU allocation front end process

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links