PROGRAMMABLE PACKET SAMPLING FOR NETWORK MANAGEMENT
CROSS-REFERENCE TO RELATED
This application is a continuation of "Programmable Packet Sampling for Network Management," U.S. patent application Ser. No. 08/376,153 filed Jan. 20, 1995, now abandoned. This application is related to "Address Tracking Over Repeater Based Networks," U.S. Pat. No. 5,353,353 issued on Oct. 10, 1994, "Repeater Security System," U.S. patent application Ser. No. 08/053,797 filed Apr. 26, 1993, "Apparatus and Method for Selectively Storing Error Statistics" now U.S. Pat. No. 5,353,353, U.S. patent application Ser. No. 08/337,634 filed Nov. 10, 1994, "Programmable Address Mapping Matrix for Secure Networks," U.S. patent application Ser. No. 08/366,809 filed Dec. 30, 1994, and "Programmable Delay of Disrupt for Secure Networks," U.S. patent application Ser. No. 08/366,808 filed Dec. 30, 1994, all hereby expressly incorporated by reference for all purposes.
BACKGROUND OF THE INVENTION
The present invention relates generally to data packet sampling within a local area network and more specifically to improved sampling in a secure computer network.
Networks of computers are commonly used in today's business environment. One common network system structure uses one or more repeaters. The repeater typically includes several ports. A particular data packet received at one port is retransmitted from the other ports of the repeater. Each repeater restores timing and amplitude degradation of data packets received on one port and retransmits them to all other ports, and hence over the network. For networks employing a CSMA/CD-type of network, such as an Ethernet network, every data packet passes through every repeater. Network administrators are thereby able to conveniently use each repeater as a device on the network from which to gather information concerning the operation of the network.
In traditional Ethernet (802.3 10BASE5) and Cheapernet (802.3 10BASE2), a coaxial cable provides a linear bus to which all nodes of a local area network are connected. A standard promulgated by the IEEE (IEEE Standard 802.3) defines various functionality for computer networks. This standard is expressly incorporated by reference for all purposes. Signaling is accomplished using a current synch technique wherein a center conductor of the coaxial cable is used for a signal and a shield conductor of the coaxial cable is used for a reference voltage (typically ground). Twisted pair Ethernet (802.3 10BASE-T) uses a standard voice grade telephone cable rather than the coaxial cable. The telephone cable uses separate pairs of conductive wires for transmission and reception.
When using twisted pair Ethernet, the network configuration is a star topology. The star topology provides for several end stations or data terminal equipment (DTE) devices all coupled to a multiport repeater located at a center of the star. The repeater performs signal amplitude and timing restoration. The repeater receives a bitstream at one of its ports and restores signal amplitude levels and timing requirements. The repeater repeats the reshaped and retimed input bitstream to all of its other ports. In one sense, the repeater acts as a logical coaxial cable, permitting every node connected to the twisted pair network to receive each transmission from any other node, just as when a coaxial cable is used. The pairs of conductors use differential signaling, one pair for transmission and another pair for reception.
While a repeater is used in a traditionally wired coaxial Ethernet network as a mechanism to extend the physical distance limit of the network, in IEEE 802.3 10BASE-T the standard mandates the use of a repeater to provide connectivity between nodes whenever more than two nodes are present. Although physical signaling on the cabling differs between the traditional Ethernet-type of repeater and the twisted pair-type of repeater, the functionality of the repeaters is identical, as is the frame or packet format that is used to pass messages between the participating nodes on the network.
The frame commences with a preamble sequence which is an alternating ("1" and "0") pattern. The preamble sequence provides a single frequency on the network, in this case five megahertz (MHz) at the start of each frame, allowing a receiver to acquire and lock onto the associated bitstream. The preamble sequence is followed by a start of packet identifier that immediately precedes the data portion of the transmission. Either a start of frame delimiter (802.3) or synch sequence (Ethernet) delineates the start of the data portion of the message. Following the start of packet identifier are two address fields: a destination address (DA) and a source address (SA). These addresses are both forty-eight bit values and are transmitted least significant bit (LSB) first.
A media access controller (MAC) associated with each DTE uses the destination address to determine whether an incoming packet is addressed to the node it is associated with. When a receiving node detects a match between its own node address and an address transmitted in the destination address field, it attempts to receive the packet. Nodes having a MAC that does not detect a matching address typically ignore a remainder of the packet.
There are three types of destination addressing supported by the 802.3 standards:
1. Individual. The DA field contains an individual and unique address assigned to a single node on the network.
2. Multicast. When the first bit (LSB) of the DA is set, the remainder of the DA includes a group address. The group of nodes that are actually addressed is determined by a higher layer function. In general, use of a group address is designed to transmit a message to a logically similar subset of nodes on the network.
3. Broadcast. The broadcast is a special form of multicast address wherein the DA field is set to all "1's." This address is reserved, and all nodes on the network must be capable of receiving a broadcast message.
The MAC that transmits a data packet writes its own address into the SA field. This allows the transmitting MAC to identify those packets which it originates. The 802.3 standards do not require that a receiving MAC take any action based upon the SA field. In some applications, such as management, security or configuration, the SA field may be tracked and monitored.
A two-byte length/type field follows the SA field. The choice of length or type is dependent upon whether the frame is compatible with the IEEE 802.3 or the Ethernet standard. A higher order byte of the length/type field is transmitted first, with the LSB of each byte transmitted first.
A data field contains actual packet data that is transferred between end stations and is between forty-six to fifteen hundred bytes in length. A logical link control (LLC) function is responsible for fragmenting data into block sizes suitable for transmission over the network. Data bytes are transmitted sequentially with the LSB of each byte transmitted first.
A frame check sequence (FCS) is a four-byte field that contains a cyclic redundancy check (CRC) for the entire frame. The transmitting station computes the CRC throughout the DA, the SA, the length/type field, and data field. The transmitting station appends the FCS as the last four bytes of the frame. A receiving station uses the same CRC algorithm to compute the CRC for a received frame. The receiving station compares the CRC value it computes with the CRC value in the transmitted FCS. A mismatch indicates an error, such as a corrupted data frame. CRC bits of the FCS are transmitted in order: most significant bit (MSB) to LSB.
FIG. 1 and FIG. 2 are diagrams illustrating frame formats for an IEEE 802.3 Standard compliant frame and an Ethernet frame, respectively. Comparing the frame formats illustrates that a primary difference between the frame types is that the start of frame delimiter (SFD) for 802.3 is defined as a byte that has a "10101011" pattern whereas the start frame (synch) of Ethernet is a "11" sequence. Even so, in both cases, a total number of bits for the preamble plus the start of frame indication is sixty-four bits long.
The 802.3 and Ethernet standards both specify that a frame must be in the range of sixty-four to fifteen hundred eighteen bytes (excluding preamble/SFD). However, the actual data field in the 802.3 system is permitted to be smaller than the forty-six byte value that is necessary to ensure this minimum size. To handle a smaller size data field, the MAC of a transmitting station appends pad characters to the LLC data field before sending data over the network. The Ethernet standard assumes that an upper layer ensures that the minimum data field is forty-six bytes before passing data to the MAC, therefore the existence of appended pad characters is unknown to the MAC implementing an Ethernet format.
The 802.3 standard also uses a length field that indicates the number of data bytes that are in the data field only. Ethernet, on the other hand, uses a type field in the same two bytes to identify the message protocol type. Since valid Ethernet type fields are always assigned outside of the valid maximum 802.3 packet length size, both 802.3 and Ethernet packets can coexist on the same network. Hence, it has been found that it is important to be able to track and monitor the addresses for a variety of reasons. For example, for secure networks it may be important that authentication is required to ensure that the appropriate nodes on the network receive the information. In addition, as networks change in the number of nodes attached thereto, it becomes important to be able to associate an address with a particular port or the like within the network.
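The frame layout described above (DA, SA, length/type, data, FCS), as an added illustration that is not code from the patent: it distinguishes 802.3 from Ethernet by the length/type value using the rule stated above, strips 802.3 padding, classifies the destination address, and verifies the FCS. Assumptions: the FCS is the standard CRC-32 as computed by zlib, appended in little-endian byte order (the order seen in packet captures), and the station addresses and frames are constructed samples.

```python
import struct
import zlib

MIN_DATA = 46           # minimum data field length in bytes
MAX_DATA = 1500         # maximum data field length; also the 802.3 length limit
HEADER_LEN = 6 + 6 + 2  # DA + SA + length/type
FCS_LEN = 4


def fcs_for(body: bytes) -> bytes:
    """CRC-32 over DA, SA, length/type and data, as the transmitting MAC computes it.
    Assumption: zlib's CRC-32, stored little-endian as captures show it."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(da: bytes, sa: bytes, length_or_type: int, payload: bytes) -> bytes:
    """Assemble a frame, padding the data field to 46 bytes as an 802.3 MAC does."""
    if len(payload) > MAX_DATA:
        raise ValueError("data field longer than 1500 bytes")
    body = da + sa + struct.pack(">H", length_or_type) + payload.ljust(MIN_DATA, b"\x00")
    return body + fcs_for(body)


def address_kind(da: bytes) -> str:
    """Individual, multicast or broadcast, decided by the DA as described above."""
    if da == b"\xff" * 6:
        return "broadcast"
    if da[0] & 0x01:          # first bit on the wire (LSB of the first byte) set
        return "multicast"
    return "individual"


def parse_frame(frame: bytes) -> dict:
    """Split a received frame into its fields, tell 802.3 from Ethernet by the
    length/type value, strip 802.3 padding and verify the FCS."""
    if not HEADER_LEN + MIN_DATA + FCS_LEN <= len(frame) <= HEADER_LEN + MAX_DATA + FCS_LEN:
        raise ValueError("frame outside the 64..1518 byte range")
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    da, sa = body[0:6], body[6:12]
    (length_or_type,) = struct.unpack(">H", body[12:14])  # high-order byte first
    data = body[HEADER_LEN:]
    info = {"da": da, "sa": sa, "da_kind": address_kind(da), "fcs_ok": fcs == fcs_for(body)}
    if length_or_type <= MAX_DATA:
        # 802.3: the field is a byte count, so anything beyond it is MAC padding
        if length_or_type > len(data):
            raise ValueError("802.3 length field exceeds the data field")
        info.update(kind="802.3", length=length_or_type, data=data[:length_or_type])
    else:
        # Ethernet: type values lie above the 802.3 length range, so both coexist
        info.update(kind="ethernet", type=length_or_type, data=data)
    return info


# Constructed sample addresses (not from the page)
STATION_A = bytes.fromhex("020000000001")
STATION_B = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6
```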
It is also important in secure networks to selectively prevent a node from receiving such address information unless the node requires the information. If a data packet is not destined for a particular node, the particular node generally does not have a need for information within the data packet.
Further, it is important to provide a mechanism to associate the addresses of each port of a repeater with the actual port number or identity of the device. Typically, unsecured repeaters are devices that are just used for signal amplitude and timing restoration. In all of the above-mentioned modes, the secure repeater must also be provided with the capability to detect and interpret the various fields within data packets that are transmitted on the network.
As described above, every data packet transmitted in the computer network includes a destination address to identify the recipient of the data packet. A secure repeater in a secure network may have one or more end stations attached to each port. Each end station has one unique address assigned, and possibly one or more multicast addresses. The secure repeater maintains a list of associated end stations for each output port. The security systems identified in the incorporated references use the destination address field from each data packet to route a data packet to only those output ports associated with the destination address. Output ports of the repeater associated with a destination address not matching the destination address receive a modified, or disrupted, data packet.
Managed repeaters include a management unit attached to an output port of the repeater. Since all data frames transmitted between end stations must pass through the repeater, the management unit may conveniently monitor and accumulate statistics about the operation and performance of the network.
A conventional managed repeater processes received data packets as follows. A data packet is received at an input port of the repeater. The repeater retransmits the data packet to a MAC of a management unit attached to an output port of the repeater. The MAC strips preamble information and the SFD from the retransmitted data packet and performs error checking on the remainder of the data packet. The MAC writes the data packet into a memory, such as a RAM. A microprocessor of the management unit reads the contents of the memory and processes it to extract statistics about the data packet. The MAC either writes an entire frame or no part of the frame. The decision to write is based upon whether an error was detected, or whether there was a match between the MAC address and the destination address field of the data packet.
In some instances, there may be thousands of data packets passing through the repeater every second. Based upon the procedure outlined above, a very large memory, a high performance microprocessor, and a high bandwidth bus are required for the management unit to adequately process all the traffic on the network.
While processing every packet to gather statistics about the network provides a good picture of how the network is performing, providing the management unit with resources to adequately process every packet is often too costly of a solution.
A network administrator is able to develop an acceptably accurate profile of the network performance by extracting statistics from a subset of all the data packets, provided that the subset is properly selected. Depending upon the packet selection criteria, the network statistics developed from the subset of packets reflects the network performance as a whole.
SUMMARY OF THE INVENTION
The present invention provides apparatus and method for simply and efficiently implementing a sampling process to sample a subset of data packets transmitted over a computer network. The present invention provides for selectively passing fewer data packets to a management unit than are transmitted over the network. The management unit using the preferred embodiment can be implemented with a smaller RAM, a slower microprocessor, and a lower bandwidth bus. For example, with the repeater passing one packet per thousand and with the network transmitting 3,000-4,000 data packets per second, the management unit may process only 3-4 packets per second, rather than all of the packets.
According to one aspect of the invention, the data packet sampling system includes a sampling repeater for receiving an input data packet, having a destination address field, at an input port. The sampling repeater retransmits the input data packet as an output data packet, disrupts the output data packet, and inhibits, responsive to a plurality of disrupt control signals, disruption of the output data packet when one of the plurality of disrupt control signals is asserted. The sampling system additionally includes a sampler for periodically asserting a particular one of the plurality of disrupt control signals.
Further, in the preferred embodiment, the sampler of the data packet sampling system includes a sampling queue controlled by a queue controller. The sampler has a microprocessor interface, allowing the microprocessor to write selected values into the sampling queue. These values each represent a sampling interval. When each sampling interval expires, the data packet sampling system transmits a packet to the management unit.
In operation, a microprocessor loads the sampling queue with various values representing sampling intervals selected according to some selection algorithm. The particular selection algorithm chosen is dependent upon many factors and plays no particularly relevant part in the present invention, other than providing the actual sampling interval values.
The sampling queue is loaded with these values and the traffic on the network is monitored. Every time that a valid data packet is received, the value corresponding to the least recently added position of the sampling queue is decremented. When this value equals zero, a sampling signal is asserted. The sampling signal controls retransmission of the data packet to a management unit. When the sampling signal is asserted, the repeater sends the data packet to the management unit. When the sampling signal is deasserted, the repeater transmits a disrupted packet to the management unit. The disrupted packet is discarded by the management unit, with undisrupted packets processed.
After asserting the sample signal, the sampler uses the next least recently added value. The process continues as long as sampling is desired.
Various alternatives and modifications are possible. In the preferred embodiment, the invention is implemented as part of a secure repeater wherein data packet retransmission is controlled based upon a destination address within the data packet. It is not necessary however, as the present invention could be implemented within conventional repeaters.
Additionally, the present invention includes features for resetting the sampling queue, and providing for various default operational modes. In one embodiment, a single value stored in the sampling queue results in continued sampling at the specified interval. This mode is desirable when a user does not require variation in the sampling interval. This mode has an advantage in not requiring continuous attention from the management unit to update the sampling intervals.
One implementation of the reset function in the preferred embodiment provides for changing the sampling intervals written into the sampling queue. In some instances, network traffic may be too light when compared to sampling intervals written into the sampling queue. In these instances, too few sampling packets will be processed. Therefore, the preferred embodiment provides for resetting the relatively large sampling intervals with smaller values by overflowing the sampling queue with the newer values. When full, values written into the sampling queue replace existing values. By writing a sufficient number of new values, the actual number required depending upon the size of the sampling queue and values stored in the queue, new sampling intervals are established.
One feature of the preferred embodiment is to not only pass selected sample packets, but also to pass undisrupted data packets specifically addressed to the MAC of the management unit.
In still another feature of the present invention, there are times when data packets addressed to the management unit are also selected to be sample packets. The present invention identifies such data packets so that they may be properly handled by the management unit.
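A behavioural model of the sampler described in the summary above (the sampling queue with its per-packet countdown, single-value repeat mode, reset by overflowing the queue, and the pass-through of packets addressed to the management MAC together with the flag for packets that are both), as an added example that is not the patent's own logic. The queue depth, the method names and the MAC values are assumptions made for this illustration.

```python
from collections import deque


class Sampler:
    def __init__(self, depth: int) -> None:
        self.depth = depth          # number of queue positions (assumed hardware size)
        self.queue = deque()        # leftmost entry = least recently added value
        self.count = None           # packets still to go in the active interval

    def write_interval(self, interval: int) -> None:
        """Microprocessor interface: append an interval. When the queue is full
        the new value replaces the oldest one, which is how a sufficient run of
        writes overrides intervals that turned out too large for the traffic."""
        if interval <= 0:
            raise ValueError("sampling interval must be a positive packet count")
        if len(self.queue) >= self.depth:
            self.queue.popleft()
            self.count = None       # the active interval was replaced; restart it
        self.queue.append(interval)

    def reset(self) -> None:
        """Clear the queue; nothing is sampled until new intervals are written."""
        self.queue.clear()
        self.count = None

    def on_valid_packet(self) -> bool:
        """Called once per valid received packet. Returns True when the sampling
        signal is asserted, i.e. this packet is passed undisrupted."""
        if not self.queue:
            return False
        if self.count is None:
            self.count = self.queue[0]
        self.count -= 1
        if self.count > 0:
            return False
        # Interval expired: advance to the next least recently added value, or
        # keep repeating the only value left (single-value mode).
        if len(self.queue) > 1:
            self.queue.popleft()
        self.count = self.queue[0]
        return True

    def route_packet(self, da: bytes, mgmt_mac: bytes) -> dict:
        """What the management port sees: an undisrupted packet if it is a sample
        or is addressed to the management MAC, otherwise a disrupted one. Both
        flags are reported so a packet that is both can be told apart."""
        sampled = self.on_valid_packet()
        to_mgmt = da == mgmt_mac
        return {"pass": sampled or to_mgmt, "sample": sampled, "to_mgmt": to_mgmt}
```

With one queue entry of 1000 and 3,000-4,000 packets per second, `on_valid_packet` asserts 3-4 times per second, which is the ratio given in the summary.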
Reference to the remaining portions of the specification, including the drawing and claims, will realize other features and advantages of the present invention. Further features and advantages of the present invention, as well as the structure and operation of various embodiments of the present invention, are described in detail below with respect to accompanying drawing. In the drawing, like reference numbers indicate identical or functionally similar elements.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram illustrating an IEEE 802.3 compliant frame format;
FIG. 2 is a diagram illustrating an Ethernet compliant frame format;
FIG. 3 is a block schematic diagram of a network of a plurality of personal computers implementing a star topology, the network including a managed repeater at each hub;
FIG. 4 is a block diagram schematically illustrating a preferred embodiment of a managed repeater;
FIG. 5 is a schematic block diagram of a sampling repeater;
FIG. 6 is a detailed block diagram of a sampler used in the sampling repeater shown in FIG. 5; and
FIG. 7 is a detailed schematic diagram of the transmitter shown in FIG. 5.
DESCRIPTION OF THE PREFERRED
FIG. 3 is a block schematic diagram of a network 10 of a plurality of end stations 15 (e.g. personal computers) implementing a star topology; network 10 includes a secure repeater 20 at each hub, and a managed repeater 25 at one hub. The preferred embodiment is implemented using a carrier sense multiple access with collision detection (CSMA/CD) compliant network. Secure repeaters 20 and managed repeater 25 each conform to the incorporated IEEE Standard 802.3.
In operation, network 10 passes a data packet from one end station 15, through one or more secure repeaters 20 and/or managed repeater 25, to another end station 15. Secure repeater 20 receives the data packet at one port, and retransmits the data packet from other ports. Secure repeater 20 implements security features, such as data packet data masking, as described in the incorporated references. Managed repeater 25 periodically samples a data packet from the network and processes it to establish a statistic or management information base. Managed repeater 25 optionally includes security features similar to those of secure repeater 20.
FIG. 4 is a block diagram schematically illustrating a preferred embodiment of managed repeater 25 shown in FIG. 3 implementing selective sampling. Managed repeater