WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(51) International Patent Classification 5: H04J 3/14, 3/24, H04L 12/56
(11) International Publication Number: WO 92/19054
(43) International Publication Date: 29 October 1992 (29.10.92)
(21) International Application Number: PCT/US92/02995
(22) International Filing Date: 10 April 1992 (10.04.92)
(30) Priority data: 684,695; 12 April 1991 (12.04.91); US
(71) Applicant: CONCORD COMMUNICATIONS, INC. [US/US]; 753 Forest Street, Marlboro, MA 01752 (US).
(72) Inventors: FERDINAND, Engel; 21 Joseph Road, Northborough, MA 01532 (US). JONES, Kendall, S.; 90 Boulder Road, Newton Center, MA 02159 (US). ROBERTSON, Kary; 398 North Road, Bedford, MA 01739 (US). THOMPSON, David, M.; 5127 243rd Road, Redmond, WA 98053 (US). WHITE, Gerard; 133 Massapoag Road, Tyngsborough, MA 01879 (US).
(74) Agent: PRAHL, Eric, L.; Fish & Richardson, 225 Franklin Street, Boston, MA 02110-2804 (US).
(81) Designated States: AT (European patent), BE (European patent), CA, CH (European patent), DE (European patent), DK (European patent), ES (European patent), FR (European patent), GB (European patent), GR (European patent), IT (European patent), JP, LU (European patent), MC (European patent), NL (European patent), SE (European patent).

Published: With international search report.

(54) Title: NETWORK MONITORING

[Front-page drawing: network diagram with components labelled MONITOR, BRIDGE, ROUTER and FILE SERVER]

(57) Abstract

Monitoring is done of communications which occur in a network of nodes (2), each communication being effected by a transmission of one or more packets among two or more communicating nodes (2), each communication complying with a predefined communication protocol selected from among protocols available in the network. The contents of packets are detected passively and in real time, communication information (130, 152, 178) associated with multiple protocols is derived from the packet contents.
`
`EX 1009 Page 1

NETWORK MONITORING

Background of the Invention

The invention relates to monitoring and managing communication networks for computers.

Today's computer networks are large complex systems with many components from a large variety of vendors. These networks often span large geographic areas ranging from a campus-like setting to world wide networks. While the network itself can be used by many different types of organizations, the purpose of these networks is to move information between computers. Typical applications are electronic mail, transaction processing, remote database, query, and simple file transfer. Usually, the organization that has installed and is running the network needs the network to be running properly in order to operate its business. Since these networks are complex systems, there are various controls provided by the different equipment to control and manage the network. Network management is the task of planning, engineering, securing and operating a network.

To manage the network properly, the Network Manager has some obvious needs. First, the Network Manager must troubleshoot problems. As the errors develop in a running network, the Network Manager must have some tools that notify him of the errors and allow him to diagnose and repair these errors. Second, the Network Manager needs to configure the network in such a manner that the network loading characteristics provide the best service possible for the network users. To do this the Network Manager must have tools that allow him visibility into access patterns, bottlenecks and general loading. With such data, the Network Manager can reconfigure the network components for better service.

There are many different components that need to be managed in the network. These elements can be, but are not limited to: routers, bridges, PC's, workstations, minicomputers, supercomputers, printers, file servers, switches and pbx's. Each component provides a protocol for reading and writing the management variables in the machine. These variables are usually defined by the component vendor and are usually referred to as a Management Information Base (MIB). There are some standard MIB's, such as the IETF (Internet Engineering Task Force) MIB I and MIB II standard definitions. Through the reading and writing of MIB variables, software in other computers can manage or control the component. The software in the component that provides remote access to the MIB variables is usually called an agent. Thus, an individual charged with the responsibility of managing a large network often will use various tools to manipulate the MIB's of various agents on the network.

Unfortunately, the standards for accessing MIBs are not yet uniformly provided nor are the MIB definitions complete enough to manage an entire network. The Network Manager must therefore use several different types of computers to access the agents in the network. This poses a problem, since the errors occurring on the network will tend to show up in different computers and the Network Manager must therefore monitor several different screens to determine if the network is running properly.

Even when the Network Manager is able to

sufficient for the Network Manager to function properly. Furthermore, there are many errors and loadings on the network that are not reported by agents. Flow control problems, retransmissions, on-off segment loading, network capacities and utilizations are some of the types of data that are not provided by the agents. Simple needs like charging each user for actual network usage are impossible.

Summary of the Invention

In general, in one aspect, the invention features monitoring communications which occur in a network of nodes, each communication being effected by a transmission of one or more packets among two or more communicating nodes, each communication complying with a predefined communication protocol selected from among protocols available in the network. The contents of packets are detected passively and in real time, communication information associated with multiple protocols is derived from the packet contents.

Preferred embodiments of the invention include the following features. The communication information derived from the packet contents is associated with multiple layers of at least one of the protocols.

In general, in another aspect, the invention features monitoring communication dialogs which occur in a network of nodes, each dialog being effected by a transmission of one or more packets among two or more communicating nodes, each dialog complying with a predefined communication protocol selected from among protocols available in the network. Information about the states of dialogs occurring in the network and which comply with different selected protocols available in the network is derived from the packet contents.

Preferred embodiments of the invention include the following features. A current state is maintained for each dialog, and the current state is updated in response to the detected contents of transmitted packets. For each dialog, a history of events is maintained based on information derived from the contents of packets, and the history of events is analyzed to derive information about the dialog. The analysis of the history includes counting events and gathering statistics about events. The history is monitored for dialogs which are inactive, and dialogs which have been inactive for a predetermined period of time are purged. For example, the current state is updated to data state in response to observing the transmission of at least two data related packets from each node. Sequence numbers of data related packets stored in the history of events are analyzed and retransmissions are detected based on the sequence numbers. The current state is updated based on each new packet associated with the dialog; if an updated current state cannot be determined, information about prior packets associated with the dialog is consulted as an aid in updating the state. The history of events may be searched to identify the initiator of a dialog.

The full set of packets associated with a dialog up to a point in time completely define a true state of the dialog at that point in time, and the step of updating the current state in response to the detected contents of transmitted packets includes generating a current state (e.g., "unknown") which may not conform to the true state. The current state may be updated to the true state based on information about prior packets transmitted in the dialog.
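
An added illustration of the dialog tracking summarized above (not code from the application): each dialog keeps a current state, a bounded history of events and counters; retransmissions are found by a repeated sequence number, the data state is entered once two data packets from each node are in the history, and idle dialogs are purged. The class names, the state names other than "unknown" and "data", the endpoint labels and the event list are assumptions constructed for this example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Record:
    """One entry in a dialog's history of events."""
    ts: float
    src: str
    seq: int
    length: int            # bytes of data carried; 0 for a pure acknowledgment
    flags: frozenset


@dataclass
class Dialog:
    state: str = "unknown"  # current state; may not yet match the true state
    history: deque = field(default_factory=lambda: deque(maxlen=32))
    last_seen: float = 0.0
    packets: int = 0
    retransmissions: int = 0
    initiator: Optional[str] = None


class DialogTracker:
    """Passive tracker: it only observes packets, it never sends any."""

    def __init__(self):
        self.dialogs = {}

    def observe(self, ts, src, dst, seq, length, flags=()):
        key = tuple(sorted((src, dst)))   # both directions belong to one dialog
        d = self.dialogs.setdefault(key, Dialog())
        # Retransmission: the same sender repeats a sequence number that is
        # already stored in the history for a data-carrying packet.
        if length and any(r.src == src and r.seq == seq and r.length
                          for r in d.history):
            d.retransmissions += 1
        d.history.append(Record(ts, src, seq, length, frozenset(flags)))
        d.packets += 1
        d.last_seen = ts
        self._update_state(d)
        return d

    def _update_state(self, d):
        newest = d.history[-1]
        if "SYN" in newest.flags and "ACK" not in newest.flags:
            d.state = "connecting"        # assumed state name
        elif newest.flags & {"FIN", "RST"}:
            d.state = "closing"           # assumed state name
        elif d.state in ("unknown", "connecting") and self._history_shows_data(d):
            # The newest packet alone cannot decide the state, so the prior
            # packets in the history are consulted.
            d.state = "data"
        if d.initiator is None:
            d.initiator = self._find_initiator(d)

    @staticmethod
    def _history_shows_data(d):
        """True once each of the two nodes has sent two distinct data packets."""
        seen = {}
        for r in d.history:
            if r.length:
                seen.setdefault(r.src, set()).add(r.seq)
        return len(seen) == 2 and all(len(s) >= 2 for s in seen.values())

    @staticmethod
    def _find_initiator(d):
        """Search the history for the node that opened the dialog."""
        for r in d.history:
            if "SYN" in r.flags and "ACK" not in r.flags:
                return r.src
        return None                       # monitor joined after the opening

    def purge(self, now, idle_limit):
        """Drop dialogs that have been inactive for longer than idle_limit."""
        stale = [k for k, d in self.dialogs.items()
                 if now - d.last_seen > idle_limit]
        for k in stale:
            del self.dialogs[k]
        return stale


# Constructed events: (time, sender, receiver, sequence number, data bytes, flags).
# The monitor starts listening after the A/B dialog was opened, so no SYN is seen.
CONSTRUCTED_EVENTS = [
    (1.0,  "C:1030", "D:25",   7000, 30, ()),
    (10.0, "A:1025", "B:21",   100,  50, ("ACK",)),
    (11.0, "B:21",   "A:1025", 900,  20, ("ACK",)),
    (12.0, "A:1025", "B:21",   150,  50, ("ACK",)),
    (13.0, "A:1025", "B:21",   150,  50, ("ACK",)),   # repeated sequence number
    (14.0, "B:21",   "A:1025", 920,  20, ("ACK",)),
]


def run_demo():
    tracker = DialogTracker()
    states = [tracker.observe(*event).state for event in CONSTRUCTED_EVENTS]
    purged = tracker.purge(now=65.0, idle_limit=60.0)
    return tracker, states, purged


if __name__ == "__main__":
    tracker, states, purged = run_demo()
    print(states, purged, tracker.dialogs[("A:1025", "B:21")].retransmissions)
```
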

Each communication may involve multiple dialogs corresponding to a specific protocol. Each protocol layer of the communication may be parsed and analyzed to isolate each dialog and statistics may be kept for each dialog. The protocols may include a connectionless-type protocol in which the state of a dialog is implicit in transmitted packets, and the step of deriving information about the states of dialogs includes inferring the states of the dialogs from the packets. Keeping statistics for protocol layers may be temporarily suspended when parsing and statistics gathering is not rapid enough to match the rate of packets to be parsed.

In general, in another aspect, the invention features monitoring the operation of the network with respect to specific items of performance during normal operation, generating a model of the network based on the monitoring, and setting acceptable threshold levels for the specific items of performance based on the model. In preferred embodiments, the operation of the network is monitored with respect to the specific items of performance during periods which may include abnormal operation.

In general, in another aspect, the invention features the combination of a monitor connected to the network medium for passively, and in real time, monitoring transmitted packets and storing information about dialogs associated with the packets, and a workstation for receiving the information about dialogs from the monitor and providing an interface to a user. In preferred embodiments, the workstation includes means for enabling a user to observe events of active dialogs.

In general, in another aspect, the invention features apparatus for monitoring packet communications in a network of nodes in which communications may be in accordance with multiple protocols. The apparatus includes a monitor connected to a communication medium of the network for passively, and in real time, monitoring transmitted packets of different protocols and storing information about communications associated with the packets, the communications being in accordance with different protocols, and a workstation for receiving the information about the communications from the monitor and providing an interface to a user. The monitor and the workstation include means for relaying the information about multiple protocols with respect to communication in the different protocols from the monitor to the workstation in accordance with a single common network management protocol.

In general, in another aspect, the invention features diagnosing communication problems between two nodes in a network of nodes interconnected by links. The operation of the network is monitored with respect to specific items of performance during normal operation. A model of normal operation of the network is generated based on the monitoring. Acceptable threshold levels are set for the specific items of performance based on the model. The operation of the network is monitored with respect to the specific items of performance during periods which may include abnormal operation. When abnormal operation of the network with respect to communication between the two nodes is detected, the problem is diagnosed by separately analyzing the performance of each of the nodes and each of the links connecting the two nodes to isolate the abnormal operation.

In general, in another aspect, the invention features a method of timing the duration of a transaction of interest occurring in the course of communication between nodes of a network, the beginning of the transaction being defined by the sending of a first packet of a particular kind from one node to the other, and the end of the transaction being defined by the sending of another packet of a particular kind between the nodes. In the method, packets transmitted in the network are monitored passively and in real time. The beginning time of the transaction is determined based on the appearance of the first packet. A determination is made of when the other packet has been transmitted. The timing of the duration of the transaction is ended upon the appearance of the other packet.

In general, in another aspect, the invention features tracking node address to node name mappings in a network of nodes of the kind in which each node has a possibly nonunique node name and a unique node address within the network and in which node addresses can be assigned and reassigned to node names dynamically using a name binding protocol message incorporated within a packet. In the method, packets transmitted in the network are monitored, and a table linking node names to node addresses is updated based on information contained in the name binding protocol messages in the packets.

One advantage of the invention is that it enables a network manager to passively monitor multi-protocol networks at multiple layers of the communications. In addition, it organizes and presents network performance statistics in terms of dialogs which are occurring at any desired level of the communication. This technique of organizing and displaying network performance statistics provides an effective and useful view of network performance and facilitates a quick diagnosis of network problems.

Other advantages and features will become apparent from the following description of the preferred embodiment and from the claims.

Description of the Preferred Embodiments

Fig. 1 is a block diagram of a network;
Fig. 2 shows the layered structure of a network communication and a protocol tree within that layered environment;
Fig. 3 illustrates the structure of an ethernet/IP/TCP packet;
Fig. 4 illustrates the different layers of a communication between two nodes;
Fig. 5 shows the software modules within the Monitor;
Fig. 6 shows the structure of the Monitor software in terms of tasks and intertask communication mechanisms;
Figs. 7a-c show the STATS data structures which store performance statistics relating to the data link layer;
Fig. 8 is an event/state table describing the operation of the state machine for a TCP connection;
Fig. 9a is a history data structure that is identified by a pointer found in the appropriate dialog statistics data within STATS;
Fig. 9b is a record from the history table;
Fig. 10 is a flow diagram of the Look_for_Data_State routine;
Fig. 11 is a flow diagram of the Look_for_Initiator routine that is called by the Look_for_Data_State routine;
Fig. 12 is a flow diagram of the Look_for_Retransmission routine which is called by the Look_at_History routine;
Fig. 13 is a diagram of the major steps in processing a frame through the Real Time Parser (RTP);
Fig. 14 is a diagram of the major steps in the processing of a statistics threshold event;
Fig. 15 is a diagram of the major steps in the processing of a database update;
Fig. 16 is a diagram of the major steps in the processing of a monitor control request;
Fig. 17 is a logical map of the network as displayed by the Management Workstation;
Fig. 18 is a basic summary tool display screen;
Fig. 19 is a protocol selection menu that may be invoked through the summary tool display screen;
Figs. 20a-g are examples of the statistical variables which are displayed for different protocols;
Fig. 21 is an example of information that is displayed in the dialogs panel of the summary tool display screen;
Fig. 22 is a basic data screen presenting a rate values panel, a count values panel and a protocols seen panel;
Fig. 23 is a traffic matrix screen;
Fig. 24 is a flow diagram of the algorithm for adaptively establishing network thresholds based upon actual network performance;
Fig. 25 is a simple multi-segment network;
Fig. 26 is a flow diagram of the operation of the diagnostic analyzer algorithm;
Fig. 27 is a flow diagram of the source node analyzer algorithm;
Fig. 28 is a flow diagram of the sink node analyzer algorithm;
Fig. 29 is a flow diagram of the link analysis logic;
Fig. 30 is a flow diagram of the DLL problem checking routine;
Fig. 31 is a flow diagram of the IP problem checking routine;
Fig. 32 is a flow diagram of the IP link component problem checking routine;
Fig. 33 is a flow diagram of the DLL link component problem checking routine;
Fig. 34 shows the structure of the event timing database;
Fig. 35 is a flow diagram of the operation of the event timing module (ETM) in the Network Monitor;
Fig. 36 is a network which includes an Appletalk® segment;
Fig. 37 is a Name Table that is maintained by the Address Tracking Module (ATM);
Fig. 38 is a flow diagram of the operation of the ATM; and
Fig. 39 is a flow diagram of the operation of the ATM.

Also attached hereto before the claims are the following appendices:
Appendix I identifies the SNMP MIB subset that is supported by the Monitor and the Management Workstation (2 pages);
Appendix II defines the extensions to the standard MIB that are supported by the Monitor and the Management Workstation (25 pages);
Appendix III is a summary of the protocol variables for which the Monitor gathers statistics and a brief description of the variables, where appropriate (17 pages);
Appendix IV is a list of the Summary Tool Values Display Fields with brief descriptions (2 pages); and
Appendix V is a description of the actual screens for the Values Tool (34 pages).

Structure and Operation

A typical network, such as the one shown in Fig. 1, includes at least three major components, namely, network nodes 2, network elements 4 and communication lines 6. Network nodes 2 are the individual computers on the network. They are the very reason the network exists. They include but are not limited to workstations (WS), personal computers (PC), file servers (FS), compute servers (CS) and host computers (e.g., a VAX), to name but a few. The term server is often used as though it was different from a node, but it is, in fact, just a node providing special services.

In general, network elements 4 are anything that participate in the service of providing data movement in a network, i.e., providing the basic communications. They include, but are not limited to, LAN's, routers, bridges, gateways, multiplexers, switches and connectors. Bridges serve as connections between different network segments. They keep track of the nodes which are connected to each of the segments to which they are connected. When they see a packet on one segment that is addressed to a node on another of their segments, they grab the packet from the one segment and transfer it to the proper segment. Gateways generally provide connections between different network segments that are operating under different protocols and serve to convert communications from one protocol to the other. Nodes send packets to routers so that they may be directed over the appropriate segments to the intended destination node.

Finally, network or communication lines 6 are the components of the network which connect nodes 2 and elements 4 together so that communications between nodes 2 may take place. They can be private lines, satellite lines or Public Carrier lines. They are expensive resources and are usually managed as separate entities. Often networks are organized into segments 8 that are connected by network elements 4. A segment 8 is a section of a LAN connected at a physical level (this may include repeaters). Within a segment, no protocols at layers above the physical layer are needed to enable signals from two stations on the same segment to reach each other (i.e., there are no routers, bridges, gateways...).

The Network Monitor and the Management Workstation:

In the described embodiment, there are two basic elements to the monitoring system which is to be described, namely, a Network Monitor 10 and a Management Workstation 12. Both elements interact with each other over the local area network (LAN).

Network Monitor 10 (referred to hereinafter simply as Monitor 10) is the data collection module which is attached to the LAN. It is a high performance real time front end processor which collects packets on the network and performs some degree of analysis to search for actual or potential problems and to maintain statistical information for use in later analysis. In general, it performs the following functions. It operates in a promiscuous mode to capture and analyze all packets on the segment and it extracts all items of interest from the frames. It generates alarms to notify the Management Workstation of the occurrence of significant events. It receives commands from the Management Workstation, processes them appropriately and returns responses.

Management Workstation 12 is the operator interface. It collects and presents troubleshooting and performance information to the user. It is based on the SunNet Manager (SNM) product and provides a graphical network-map-based interface and sophisticated data presentation and analysis tools. It receives information from Monitor 10, stores it and displays the information in various ways. It also instructs Monitor 10 to perform certain actions. Monitor 10, in turn, sends responses and alarms to Management Workstation 12 over either the primary LAN or a backup serial link 14 using SNMP with the MIB extensions defined later.

These devices can be connected to each other over various types of networks and are not limited to connections over a local area network. As indicated in Fig. 1, there can be multiple Workstations 12 as well as multiple Monitors 10.

Before describing these components in greater detail, background information will first be reviewed regarding communication protocols which specify how communications are conducted over the network and regarding the structure of the packets.

The Protocol Tree:

As shown in Fig. 2, communication over the network is organized as a series of layers or levels, each one built upon the next lower one, and each one specified by one or more protocols (represented by the boxes). Each layer is responsible for handling a different phase of the communication between nodes on the network. The protocols for each layer are defined so that the services offered by any layer are relatively independent of the services offered by the neighbors above and below. Although the identities and number of layers may differ depending on the network (i.e., the protocol set defining communication over the network), in general, most of them share a similar structure and have features in common.

For purposes of the present description, the Open Systems Interconnection (OSI) model will be presented as representative of structured protocol architectures. The OSI model, developed by the International Organization for Standardization, includes seven layers. As indicated in Fig. 2, there is a physical layer, a data link layer (DLL), a network layer, a transport layer, a session layer, a presentation layer and an application layer, in that order. As background for what is to follow, the function of each of these layers will be briefly described.

The physical layer provides the physical medium for the data transmission. It specifies the electrical and mechanical interfaces of the network and deals with bit level detail. The data link layer is responsible for ensuring an error-free physical link between the communicating nodes. It is responsible for creating and recognizing frame boundaries (i.e., the boundaries of the packets of data that are sent over the network.) The network layer determines how packets are routed within the network. The transport layer accepts data from the layer above it (i.e., the session layer), breaks the packets up into smaller units, if required, and passes these to the network layer for transmission over the network. It may insure that the smaller pieces all arrive properly at the other end. The session layer is the user's interface into the network. The user must interface with the session layer in order to negotiate a connection with a process in another machine. The presentation layer provides code conversion and data reformatting for the user's application. Finally, the application layer selects the overall network service for the user's application.

Fig. 2 also shows the protocol tree which is implemented by the described embodiment. A protocol tree shows the protocols that apply to each layer and it identifies by the tree structure which protocols at each layer can run "on top of" the protocols of the next lower layer. Though standard abbreviations are used to identify the protocols, for the convenience of the reader, the meanings of the abbreviations are as follows:

ARP        Address Resolution Protocol
ETHERNET   Ethernet Data Link Control
FTP        File Transfer Protocol
ICMP       Internet Control Message Protocol
IP         Internet Protocol
LLC        802.2 Logical Link Control
MAC        802.3 CSMA/CD Media Access Control
NFS        Network File System
NSP        Name Server Protocol
RARP       Reverse Address Resolution Protocol
SMTP       Simple Mail Transfer Protocol
SNMP       Simple Network Management Protocol
TCP        Transmission Control Protocol
TFTP       Trivial File Transfer Protocol
UDP        User Datagram Protocol

Two terms are commonly used to describe the protocol tree, namely, a protocol stack and a protocol family (or suite). A protocol stack generally refers to the underlying protocols that are used when sending a message over a network. For example, FTP/TCP/IP/LLC is a protocol stack. A protocol family is a loose association of protocols which tend to be used on the same network (or derive from a common source). Thus, for example, the TCP/IP family includes IP, TCP, UDP, ARP, TELNET and FTP. The Decnet family includes the protocols from Digital Equipment Corporation. And the SNA family includes the protocols from IBM.

`W:

The relevant protocol stack defines the structure of each packet that is sent over the network. Fig. 3, which shows a TCP/IP packet, illustrates the typical structure of a packet. In general, each level of the protocol stack takes the data from the next higher level and adds header information to form a protocol data unit (PDU) which it passes to the next lower level. That is, as the data from the application is passed down through the protocol layers in preparation for transmission over the network, each layer adds its own information to the data passed down from above until the complete packet is assembled. Thus, the structure of a packet resembles that of an onion, with each PDU of a given layer wrapped within the PDU of the adjacent lower level.

At the ethernet level, the PDU includes a destination address (DEST MAC ADDR), a source address (SRC MAC ADDR), a type (TYPE) identifying the protocol which is running on top of this layer, and a DATA field for the PDU from the IP layer.

Like the ethernet packet, the PDU for the IP layer includes an IP header plus a DATA field. The IP header includes a type field (TYPE) for indicating the type of service, a length field (LGTH) for specifying the total length of the PDU, an identification field (ID), a protocol field (PROT) for identifying the protocol which is running on top of the IP layer (in this case, TCP), a source address field (SRC ADDR) for specifying the IP address of the sender, a destination address field (DEST ADDR) for specifying the IP address of the destination node, and a DATA field.

The PDU built by the TCP protocol also consists of a header and the data passed down from the next higher layer. In this case the header includes a source port field (SRC PORT) for specifying the port number of the sender, a destination port field (DEST PORT) for specifying the port number of the destination, a sequence number field (SEQ NO.) for specifying the sequence number of the data that is being sent in this packet, and an acknowledgment number field (ACK NO.) for specifying the number of the acknowledgment being returned. It also includes bits which identify the packet type, namely, an acknowledgment bit (ACK), a reset connection bit (RST), a synchronize bit (SYN), and a no more data from sender bit (FIN). There is also a window size field (WINDOW) for specifying the size of the window being used.
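
An added illustration of the layering just described (not code from the application): a passive parser that peels an ethernet/IP/TCP frame one PDU at a time and returns the fields the text names, using each layer's type or protocol field to decide what runs on top of it. The function names, addresses, port numbers and the sample frame are constructed for this example, and checksums are left at zero and not verified.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IP = 0x0800   # ethernet TYPE value: IP runs on top of this layer
IPPROTO_TCP = 6         # IP PROT value: TCP runs on top of the IP layer
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "ACK": 0x10}


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Return a dict with one entry per layer that could be decoded."""
    layers = {}
    if len(frame) < 14:
        raise ValueError("truncated ethernet header")
    dest, src, eth_type = struct.unpack("!6s6sH", frame[:14])
    layers["ethernet"] = {"dest_mac": _mac(dest), "src_mac": _mac(src),
                          "type": eth_type}
    if eth_type != ETHERTYPE_IP:
        return layers                      # some other branch of the protocol tree

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, tos, lgth, ident, _frag, _ttl, prot, _csum,
     saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    hdr_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or hdr_len < 20 or not hdr_len <= lgth <= len(ip):
        raise ValueError("malformed IP header")
    layers["ip"] = {"type_of_service": tos, "lgth": lgth, "id": ident,
                    "prot": prot,
                    "src_addr": str(IPv4Address(saddr)),
                    "dest_addr": str(IPv4Address(daddr))}
    if prot != IPPROTO_TCP:
        return layers

    # LGTH, not the frame size, bounds the IP PDU: short frames carry padding.
    tcp = ip[hdr_len:lgth]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    if not 20 <= data_off <= len(tcp):
        raise ValueError("malformed TCP header")
    layers["tcp"] = {"src_port": sport, "dest_port": dport,
                     "seq_no": seq, "ack_no": ack,
                     "flags": sorted(n for n, bit in TCP_FLAG_BITS.items()
                                     if off_flags & bit),
                     "window": window, "data": tcp[data_off:]}
    return layers


def build_sample_frame():
    """Constructed frame: 5 data bytes to port 21, padded to 60 bytes."""
    data = b"hello"
    tcp = struct.pack("!HHIIHHHH", 1025, 21, 1000, 500,
                      (5 << 12) | TCP_FLAG_BITS["ACK"], 4096, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64,
                     IPPROTO_TCP, 0,
                     IPv4Address("192.0.2.10").packed,
                     IPv4Address("192.0.2.20").packed) + tcp
    eth = struct.pack("!6s6sH", bytes.fromhex("020000000002"),
                      bytes.fromhex("020000000001"), ETHERTYPE_IP)
    return (eth + ip).ljust(60, b"\x00")


if __name__ == "__main__":
    for name, fields in parse_frame(build_sample_frame()).items():
        print(name, fields)
```
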

The Concept of a Dialog:

The concept of a dialog is used throughout the following description. As will become apparent, it is a concept which provides a useful way of conceptualizing, organizing and displaying information about the performance of a network - for any protocol and for any layer of the multi-level protocol stack.

As noted above, the basic unit of information in communication is a packet. A packet conveys meaning between the sender and the receiver and is part of a larger framework of packet exchanges. The larger exchange is called a dialog within the context of this document. That is, a dialog is a communication between a sender and a receiver, which is composed of one or more packets being transmitted between the two. There can be multiple senders and receivers which can change roles. In fact, most dialogs involve exchanges in both directions.

Stated another way, a dialog is the exchange of messages and the associated meaning and state that is inherent in any particular exchange at any lay