Network data gap is determined and reported to enable a user to validate that all the traffic that was intended to be monitored is being monitored in monitoring and/or troubleshooting tools for observation of network traffic and network installation and maintenance. Span port oversubscription, incomplete span configuration, incorrectly placed network taps and monitoring device packet drop may thereby be detected and reported as data gap.
3. A method of analyzing network traffic data to determine data gap, comprising:
selecting a packet of network traffic;
determining if said selected packet is an ack;
if said packet is an ack, then determining whether a sequence number of a packet corresponding to said ack had been noted, and if not noted, indicating a data gap.
1. A network analysis device, comprising:
a network traffic observing unit for observing network traffic data and compiling transaction details data; and
a data gap analysis device for determining existence of data gap in the compiled network traffic transaction details data,
wherein said data gap analysis device includes packet processing for processing the observed network packet data to determine for any ack packet, whether a corresponding packet sequence number was noted, and if not, indicating data gap.
4. A method of analyzing network traffic data to determine data gap, comprising:
observing network traffic data and determining transaction details therefrom;
storing said determined transaction details;
analyzing said stored determined transaction details to determine existence of data gap,
wherein said analyzing comprises:
selecting a transaction detail for a packet of network traffic;
determining if said selected transaction detail represents an ack packet;
if said transaction detail represents an ack packet, then determining whether a sequence number of a packet corresponding to said ack packet had been noted, and if not noted, indicating existence of a data gap.
10. A network test instrument, comprising:
network interface for receiving network traffic;
a network traffic observing unit for observing received network traffic data and compiling transaction details data;
a data gap analysis device for determining existence of data gap in the compiled network traffic transaction details data, wherein said data gap analysis device includes packet processing for processing the observed network packet data to determine for any ack packet, whether a corresponding packet sequence number was noted, and if not, indicating data gap;
a user interface for interacting with a user for receiving operating instructions for the network test instrument and reporting determination results from the data gap analysis device.
2. The network analysis device according to
5. The method according to
6. The method according to
7. The method according to
8. The method according to
9. The method according to
11. The network test instrument according to
12. The network test instrument according to
13. The network test instrument according to
This application is a continuation in part of U.S. patent application Ser. No. 12/128,503, filed Apr. 28, 2008, now abandoned.
This invention relates to networking, and more particularly to monitoring and analysis of network traffic.
In a computer networking environment, users may install and deploy monitoring and/or troubleshooting tools for observation of network traffic and network installation and maintenance. It is common to configure a set of network span or mirror ports on a switch/router/etc., install network taps, install devices inline, etc. A network span or mirror combines the data from multiple (one or more) network interfaces on a switch/router/etc. such that the data can be exported on a single port. The network monitoring and analysis devices can then get extended visibility across numerous network segments from a single interface. A network tap allows the user to install a device inline between points on a network and gain similar extended visibility into the network segments.
In many cases, the network environment is complex enough that, with the best intentions, a user will install taps or spans incorrectly. Typical configuration issues include but are not limited to:
1. Oversubscription of the span (including too many high-bandwidth data flows such that the amount of data aggregated across the spanned ports can exceed available throughput capacity of the span port).
2. Incorrectly placed taps (placement such that part of the data is missing due to the route the data takes across the network).
3. Incomplete configuration (span or tap configuration such that part of the data is missing).
4. Monitoring device dropping data (the device receiving the data is unable to process all of the data).
These issues can result in false determination that network problems exist, leading to wasted time and resources trying to track non-existent network problems.
In accordance with the invention, measurement and reporting of when a network monitoring device is missing data is provided.
Accordingly, it is an object of the present invention to provide an improved network analysis that reports when network data is missing from the analysis data.
It is a further object of the present invention to provide an improved network monitoring device that measures and reports that data is missing.
It is yet another object of the present invention to provide improved methods of network monitoring and analysis to measure and report missing data.
Another object of the invention is to provide an improved way for a user to validate that all the traffic that was intended to be monitored is being monitored.
A further object of the invention is to provide a monitoring device and method to accurately determine when a transaction has completed and a new transaction should be denoted.
The subject matter of the present invention is particularly pointed out and distinctly claimed in the concluding portion of this specification. However, both the organization and method of operation, together with further advantages and objects thereof, may best be understood by reference to the following description taken in connection with accompanying drawings wherein like reference characters refer to like elements.
The system according to a preferred embodiment of the present invention comprises a monitoring system and method and an analysis system and method for determining and reporting data gap.
Referring to
A network analysis product 14 is also connected to the network, and may include a user interface 16 that enables a user to interact with the network analysis product to operate the analysis product and obtain data therefrom, whether at the location of installation or remotely from the physical location of the analysis product network attachment.
The network analysis product comprises hardware and software, CPU, memory, interfaces and the like to operate to connect to and monitor traffic on the network, as well as performing various testing and measurement operations, transmitting and receiving data and the like. When remote, the network analysis product typically is operated by running on a computer or workstation interfaced with the network.
The analysis product comprises an analysis engine 18 which receives the packet network data and interfaces with application transaction details data store 21.
In operation, the network test instrument is attached to the network, and observes transmissions on the network to collect statistics thereon.
As sufficient data has been collected and stored in applications transaction details data store 21, analysis may be performed thereon to measure and report data gap.
Pkt11, an ack from the client of pkt10, is next sent, followed by pkt12 and pkt13 from the client, pkt13 not being observed by the monitor.
Pkt14 is an ack of pkt13 and the monitor, observing the pkt14 but not having seen pkt13, notes a client data gap 42. Pkt15 is then sent from the server to the client, pkt12-pkt15 being transaction #2, 44.
The client sends pkt16 and pkt17 which are both acks of pkt15, and pkt18 which is a rst. On timeout, a period of time without any traffic between client and server, flow 38 is determined to have terminated in the illustrated example. Flow may be determined to have terminated on timeout as in the example, or on a TCP fin packet.
In accordance with the above description, data gap measurement, measured at the flow and transaction, is taken as an instance count where the analysis tool (mon 40) detects an acknowledgment from either the client or server where the analysis tool has not seen that sequence number from the other side (server or client side). In the above example, in transaction #1, the server sent packets that were not visible to the analysis tool. The client did receive those packets and sent acknowledgment. When the analysis tool got the acknowledgment it was able to make a determination that a server side data gap exists.
In transaction #2 above, the client sent a packet that was not visible to the analysis tool. The server did receive the packet and sent an acknowledgment. When the analysis tool got the acknowledgment it was able to make a determination that a client side data gap exists.
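The ack-based check described above can be sketched as follows. This is an added example, not code from the patent: the tuple layout `(sender, seq, seqlen, ack)`, the function names and the trace are assumptions constructed for illustration, and 32-bit sequence wraparound and SACK are not handled.

```python
def uncovered(ranges, lo, hi):
    """Return the parts of [lo, hi) not covered by any observed (start, end)."""
    gaps = []
    for start, end in sorted(ranges):
        if lo >= hi:
            break
        if start > lo:
            gaps.append((lo, min(start, hi)))
        lo = max(lo, end)
    if lo < hi:
        gaps.append((lo, hi))
    return gaps

def find_data_gaps(packets):
    """packets: (sender, seq, seqlen, ack) in capture order for one flow.
    seqlen is sequence space consumed (payload bytes, +1 for SYN/FIN).
    Returns (packet_no, side_with_gap, first_missing_seq, end_seq) tuples."""
    seen = {"client": [], "server": []}         # sequence ranges the monitor noted
    checked = {"client": None, "server": None}  # highest ack already evaluated
    gaps = []
    for n, (sender, seq, seqlen, ack) in enumerate(packets, 1):
        if seqlen:
            seen[sender].append((seq, seq + seqlen))
        if ack is None:
            continue
        peer = "server" if sender == "client" else "client"
        base = checked[peer]
        if base is None:
            if not seen[peer]:  # ack for a side the monitor never saw at all
                gaps.append((n, peer, None, ack))
                checked[peer] = ack
                continue
            base = min(start for start, _ in seen[peer])
        gaps.extend((n, peer, lo, hi) for lo, hi in uncovered(seen[peer], base, ack))
        checked[peer] = max(base, ack)
    return gaps

# Constructed trace: the monitor misses server bytes 5501-6000 and client bytes 1201-1300.
TRACE = [
    ("client", 1000, 1, None),    # SYN
    ("server", 5000, 1, 1001),    # SYN-ACK
    ("client", 1001, 0, 5001),    # ACK
    ("client", 1001, 100, 5001),  # request 1
    ("server", 5001, 500, 1101),  # response, first segment (second never captured)
    ("server", 6001, 500, 1101),  # response, third segment
    ("client", 1101, 0, 6501),    # ack covers unseen server data -> server gap
    ("client", 1101, 100, 6501),  # request 2, first segment (second never captured)
    ("server", 6501, 0, 1301),    # ack covers unseen client data -> client gap
    ("server", 6501, 200, 1301),  # response 2
    ("client", 1301, 0, 6701),    # ack of fully observed data
    ("client", 1301, 0, 6701),    # duplicate ack, nothing new to evaluate
]
```

Tracking observed ranges rather than only the highest sequence number seen lets the check find a hole that sits between two captured segments, as in the server-side gap of the trace.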
The analysis of the data may be made based on the data stored in application transactions details 21 in near real time or later as a post processing analysis of data collected over a period of time.
The noted data gap information may then be stored and reported with information regarding which client and which server was involved, whether it was a client or server data gap, and further information that may be of assistance to the user to help determine the mis-placement or mis-configuration of the monitoring equipment, taps or spans or other issues that are resulting in the data gap.
The data gap analysis may be implemented as a part of a network test instrument, or may be separately provided to process data gathered by a network test instrument.
Further, the monitoring device can make use of the location of the data gap to be able to determine when one transaction should be complete and another transaction started. This can be determined based on the existence of a data gap between subsequent client or server packets which allows the analysis to recognize that a new request or response occurred between the client and server.
In accordance with the above, the invention provides an intuitive and easy-to-use way for a user to validate that all the traffic that was intended to be monitored is being monitored. In addition, the invention allows the monitoring device to accurately determine when a transaction has completed and a new transaction should be created. In the event that the monitoring device is only seeing one side of a conversation, the invention allows the user to quickly see the root cause and therefore allows the user to correct the issue without wasting time trying to track non-existent network problems.
While a preferred embodiment of the present invention has been shown and described, it will be apparent to those skilled in the art that many changes and modifications may be made without departing from the invention in its broader aspects. The appended claims are therefore intended to cover all such changes and modifications as fall within the true spirit and scope of the invention.
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
May 29 2008 | Airmagnet, Inc. | (assignment on the face of the patent) | / | |||
Oct 23 2008 | PRESCOTT, DAN | Fluke Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 021742 | /0813 | |
Jul 14 2015 | NetScout Systems, Inc | JPMORGAN CHASE BANK, N A | SECURITY INTEREST SEE DOCUMENT FOR DETAILS | 036355 | /0586 | |
Aug 13 2015 | Fluke Corporation | AIRMAGNET, INC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 036355 | /0553 | |
Sep 13 2021 | AIRMAGNET, INC | NetScout Systems, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 057595 | /0428 |
Date | Maintenance Fee Events |
Aug 23 2019 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Aug 23 2023 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |