
Protocol analyzers rise to net challenges

Izhar Matzkevich

10/17/2003 12:22 PM EDT

Driven by the increasing volume of data traffic on Internet Protocol (IP) networks and the dynamic, inherent unpredictability of protocol communications, new challenges are surfacing that make thorough and accurate testing of protocol communications both crucial and problematic. An effective high-speed network protocol analysis solution requires dedicated real-time protocol-processing logic and efficient management of processing and memory resources.

One of the more vexing problems that arises while testing live high-speed networks or device clusters is the networking equivalent of the Heisenberg Uncertainty Principle of quantum mechanics. In its most common form the principle states that it is not possible to simultaneously determine the position and momentum of a particle. Moreover, the better known the position, the less well known the momentum and vice versa.

In networking, the more we prod a network and thereby interfere with normal IP traffic flow, the less accurate our test results will be. Simply put, haphazard probing into a network to capture packet traces risks degrading the network's performance along with skewing the test results.

In addition, the enormous amount of data transferred on high-speed networks could overwhelm traditional protocol analyzers and make them a performance bottleneck. However, a new generation of protocol analyzers is now emerging that offers a solution to this problem through the incorporation of sophisticated, real-time, hardware-assisted filters and triggers, combined with efficient data spooling and memory management.

How they work

To explain how these latest tools can assist network managers and equipment makers, it is helpful to understand how typical IP-networking protocol analyzers function.

First, incoming TCP/IP traffic is processed and predefined filters are applied to the packet stream. Relevant data traces are then stored into a memory buffer based on predefined triggering conditions. If necessary, the memory buffer then downloads the data into a built-in or attached hard drive for further massaging, indexing and postprocessing. Finally, trace data is displayed in a logical and comprehensible layered format for the user to explore and use.

To be able to process TCP/IP traffic at line speeds of 1 Gbit per second and higher, each step in this four-stage process must be optimized. In today's advanced analyzers, optimization is made possible using high-speed programmable logic and bus architectures.

In the first stage of this process, the analyzer must process and filter TCP/IP packets. However, with TCP/IP networking speeds today reaching 10 Gbits/s, the computational load of TCP/IP packet processing has outstripped advances in processor speeds.

The industry rule of thumb suggests that a modern processor must operate at 1 MHz for every 1 Mbit/s of TCP/IP data that it handles. This means that 1 Gbit/s of TCP/IP packet processing could consume over 75 percent of available compute cycles in even the fastest CPUs of desktop and notebook computers on which the typical software-centric protocol analyzers are running. If the data is further encrypted, the amount of compute cycles needed for TCP/IP packet processing may double or even triple.

Computational requirements are further complicated since TCP/IP standards allow many application protocols to simultaneously run on top of TCP/IP. As a consequence, many of the packets entered may be redundant or "promiscuous" and must be dealt with as exceptions or filtered out, or both.

An effective method of facilitating protocol analysis at these high processing speeds is the placement of real-time protocol processors in front of the traditional software-based protocol analyzer to offload packet processing from the analyzer's CPU. These front-end protocol processors are a combination of hardware and software in which certain filtering and analysis functions for the protocol may even be hardwired into programmable logic.

Such hardware-assisted filtering enables simultaneous application of a few dozen filtering conditions. These may include filtering out all packets of a specific application or filtering in all packets coming from the initiator host.

In the next stage of the process, relevant data traces are stored into a memory buffer based on predefined triggering conditions and, if needed, downloaded from the buffer into a built-in or attached hard-disk drive for further postprocessing.

Given the speed of TCP/IP traffic, even the large memory buffers of 2 Gbytes to 4 Gbytes currently used in dedicated protocol analyzers can be filled in a short time, even when filtering rules are applied.

To optimize memory use, in applications such as performance analysis, once packets are filtered out, the remaining IP packets can be stripped of their payload, leaving only the relevant packet headers or identifiers. Since some original packets can be very large, stripping packets may yield as much as an 80 percent reduction in memory space.

In other applications, such as conformance analysis, it is possible to extract and maintain in memory only the payload, the protocol data units, and remove any overhead transport packet information.
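The filter-then-strip sequence described above can be sketched in software. This is an added example, not code from the article or from any analyzer vendor; the frame builder, the sample addresses and ports, and the function names are all constructed for illustration, and a hardware analyzer would apply the same conditions in programmable logic rather than in Python.

```python
import socket
import struct

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def parse(frame):
    """Return (src_ip, sport, dport, header_len), or None if not valid TCP/IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    if ihl < 20 or frame[23] != 6 or len(frame) < tcp_off + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    if data_off < 20 or len(frame) < tcp_off + data_off:
        return None
    return socket.inet_ntoa(frame[26:30]), sport, dport, tcp_off + data_off

def capture(frames, initiator, drop_port, mode="headers"):
    """Filter in `initiator`, filter out `drop_port`, then slice each frame."""
    kept = []
    for frame in frames:
        parsed = parse(frame)
        if parsed is None:
            continue  # malformed or non-TCP: an exception, not stored
        src, sport, dport, hdr_len = parsed
        if src != initiator or drop_port in (sport, dport):
            continue
        # "headers" suits performance analysis; "payload" suits conformance analysis
        kept.append(frame[:hdr_len] if mode == "headers" else frame[hdr_len:])
    return kept

# Constructed sample traffic; addresses are from the RFC 5737 documentation range.
FRAMES = [
    build_frame("192.0.2.10", "192.0.2.20", 40000, 3260, b"A" * 1400),
    build_frame("192.0.2.10", "192.0.2.20", 40001, 80, b"B" * 500),
    build_frame("192.0.2.99", "192.0.2.20", 40002, 3260, b"C" * 1400),
    b"\x00" * 20,  # truncated frame
]
HEADERS = capture(FRAMES, "192.0.2.10", 80)
PAYLOADS = capture(FRAMES, "192.0.2.10", 80, mode="payload")
SAVED = 1 - len(HEADERS[0]) / len(FRAMES[0])  # fraction of buffer space saved
```

Only the first sample frame survives both filter conditions; storing its headers alone takes 54 bytes instead of 1,454.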

In the third step of this process, data is indexed to enable search and then displayed on the protocol analyzer's monitor for the user to explore. To capture even larger data traces, the data may dynamically be spooled into a dedicated hard drive of sufficient size (40 Gbytes or more).

Viewing options

As data is uploaded, sophisticated indexing mechanisms are applied to enable multiple levels of viewing options that meet the needs of the end user, be it a design or test engineer or a network administrator. Some protocol analyzer architectures even allow hardware-assisted search on the trace data stored at the memory buffer itself, thus avoiding slow uploads and allowing instantaneous trace data display.

Finally, the choice of user interface is extremely important for efficient viewing of captured trace data. Information overload is avoided through the use of layered, high-level drill-down formatting that enables intuitive horizontal and vertical navigation between applications and within protocol layers on the captured data and a quick focus on the segment in question.

Izhar Matzkevich is director of networking solutions at Computer Access Technology Corp. (Santa Clara, Calif.).

See related chart
