Browse Prior Art Database

Method for network traffic capturing on enterprise servers with multiple NICs

IP.com Disclosure Number: IPCOM000028053D
Publication Date: 2004-Apr-21
Document File: 5 page(s) / 266K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a method for network traffic capturing on enterprise servers with multiple network interface cards (NICs). Benefits include improved performance.

This text was extracted from a Microsoft Word document.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 54% of the total text.

Method for network traffic capturing on enterprise servers with multiple NICs

Disclosed is a method for network traffic capturing on enterprise servers with multiple network interface cards (NICs). Benefits include improved performance.

Background

The capturing of network traffic is widely used for network traffic monitoring and analysis. Enterprise analyzer products evaluate the performance issues of multi-tier enterprise applications, such as Web applications and services by capturing and analysis of the inter-tier network traffic.

In reflection-based distributed network monitoring, a reflector agent captures the network traffic destined to or originating from the monitored machine and forwards the data (after filtering/compression) to the central collection server.

         Each NIC has a reflector agent for monitoring network traffic. The reflector agent adds a time stamp to each captured network packet. These time stamps are used by the collection server to compute the times of inter-tier activities (such as HTTP requests and COM+ invocations). For simplicity, each reflector agent sends the packets in order by time stamp. The delay in sending the packets must be minimized to provide real-time feedback on the Web application performance.

The generation of time stamps is performed by dedicated NDIS protocol driver (see Figure 1). The protocol driver creates a virtual device for each connected network adapter. The reflector agent reads the packets from the virtual devices, performs the processing, and sends them to the central collection server. When no packets are available to read, the ReadPacket() request returns after a predefined timeout expires.

While this method guarantees accurate time stamping, it requires the reflector agent to merge streams of the packets read from all virtual devices. In the resulting stream, the network packets should be ordered according to the time stamps regardless from which NIC they originated.

A straightforward merging algorithm works well when network traffic through all NICs is intensive (see Figure 2). It guarantees that blocking ReadPacket() immediately returns with the next packet. However, the algorithm does not work if network traffic is not intensive on one or more NICs. The algorithm can be improved by implementing ReadPacket() with timeout (see Figure 3).

The improved algorithm with timeout includes two rounds of reading from NICs. If d...