Bioptic destiny: The rising use of switches, ATM and internetworking requires a new technique-watching two points in the network at the same time

Bioptic vision-observing two related points of a network simultaneously-has been available in protocol analyzers for some time. But recent networking trends have changed this from an occasionally useful feature to an essential tool for network analysis.

These trends include the increasing use of switches in network architectures, the need to provide internetworking functions between traditional wide and local area network systems, and new technologies such as asynchronous transfer mode.

Testing network systems and components is a classic black box problem. The person testing the network has access to the input and output data flows and must determine how well the network is performing based on this information.

Traditional WAN/LAN systems often can be tested by monitoring only half the data flow-network input or output-or in the worst case, monitoring the two halves sequentially. This is because the packet can take a limited number of paths through the network, and these paths generally are fixed. A LAN packet destined for another station on the same segment is seen by all other stations on that segment.

An analyzer connected to this segment also will see all this traffic. If the packet is destined for an address served by a different, directly connected segment, a bridge will forward the packet based on its Layer 2 destination address and information it develops regarding the addresses connected to all its attached segments.

If the intended destination is outside the local network environment, a router will modify the Layer 2 address information, then forward the packet across one of its connected external links. Both the Layer 2 address inserted and the external link selected will be determined based upon routing tables that the system administrator submits.

The forwarding decisions made in all these cases are both deterministic and static. Because of this, most problems can be resolved by observing either the input or the output of the network components.

Direct connections shift However, as switching technology penetrates further into the network, this is no longer true. The switch directs data directly from the source station to the destination station by creating a connection between the two. This complicates the relationship between the input and output data flows and leads to the need for bioptic testing.

In a switched network, the LAN packet confined to a single segment no longer is broadcast to everyone connected to that segment, but only to the intended recipient. Therefore it is necessary to monitor the network in two places-the link to the source address and the link to the destination address-to obtain the same information that can be seen with a single connection in a traditional shared-access LAN.

Diagnosing problems involving multiple switches, which is analogous to the bridge and router configurations, further complicates the monitoring process by adding additional potential monitor points.

The second trend driving the requirement for bioptic analysis is the need to integrate new technologies into existing networks.

Technologies such as ATM promise networks greater connectivity and capabilities. Because it is impractical to replace a large existing network, the transition to a new technology is usually an evolutionary process.

The new technology is first installed in areas where its capabilities will provide the greatest benefit. Later, if the technology is successful, it will migrate throughout the rest of the enterprise.

The interim period must provide interoperability functions to allow seamless communication between the old and new network components. When the new technology is dramatically different, as is the case with ATM, the devices providing interoperability significantly alter the data flows passing through them.

Verifying that these alterations are occurring correctly requires a comparison of the original and altered data packets. This can only be accomplished with a bioptic analyzer. Bioptic vision can be used to solve some typical network problems. It has been said that all network difficulties can be viewed as reflections of two basic problems: "I can't connect to X" and "the connection to X is too slow."

Bioptic in action Bioptic vision also can be used to solve complex internetworking problems.

Station A has complained of intermittent connection problems to Station B. A technician is dispatched to diagnose and correct the problem.

One of the most common mechanisms for testing connectivity across a network is the ping, a packet that requests that the destination acknowledge reception by immediately returning a reply (Figure 1).

The successful reception of a response indicates that the two stations can communicate across the network. The failure of some or all of the pings to elicit a response indicates a problem on the network.

The technician initiates a series of 100 pings from Station A to Station B, about half of which fail. This indicates that a problem exists in this network. The next step is to isolate which of the four involved network devices is causing the problem.

The technician connects a bioptic analyzer to points 1 and 3 and repeats the series of 100 pings. A message type analysis performed at these two points reveals that Station A transmitted 100 pings Station A, but Station B received only 83. The same analysis shows that Station B generated 83 replies, but Station A received only 53. Because Station A generated the requests, and Station B responded to all the requests it received, the problem is in one or both switches.

The third step is to isolate each switch to determine if it is contributing to the packet loss. The technician disconnects the analyzer from point 1, connects this lead to point 2 and repeats the ping test.

This time, the message type analysis reveals that 79 echo requests and echo replies were received at both points 2 and 3. This strongly indicates that the problem is caused by Switch A. The technician then conducts additional tests to determine why this switch is failing to deliver some of the packets it receives.

Bioptic vision is even more important for solving problems relating to the response time or performance of a network. This problem may result from network devices with a high latency or from excessive packet losses resulting in continual retransmissions.

Latency and loss only can be measured by comparing the input and output data flows though a network or network component. Latency is obtained by identifying matching packets and measuring the delay between the input and output packets. The number of packets lost can be determined by counting the number of packets captured on the input side that do not appear on the output.

The technician is dispatched to determine why users are reporting sluggish performance between Station A and Station B.

One way to measure the performance of a network is to transfer a file between the two stations and measure the time required. Because the time required to transferfiles seems excessive, the technician again connects the bioptic analyzer to points 1 and 3.

The analyzer is configured to capture all the file transfer data crossing between the two stations at each of these points, and the file transfer is repeated. The resulting capture files are analyzed using a latency and loss application to determine the average delay through the network and the number of dropped packets. The analysis shows limited loss, but the latency seems high (Figure 2).

The technician then repeats the test with the analyzer connected first to points 1 and 2, and then to points 2 and 3. This provides a complete characterization of where the network delay is inserted. Again, the technician would have to conduct additional tests to determine why the offending switch is inserting so much delay.

Mixed messages The final example involves interoperability between an Ethernet network and an ATM switch.

Communication between a LAN and an ATM environment is complicated by the fact that Ethernet is a connectionless technology while ATM is connection-oriented.

A connectionless network assumes that the network will know how to deliver a packet that is properly addressed. A connection-oriented network requires that the two communicating stations explicitly create a connection before exchanging data.

If Station A needs to send a packet to Station B, it places the correct source and destination addresses into an Ethernet packet and forwards this packet to the network (Figure 3).

The ATM switch, upon receiving this packet, must start establishing a connection to the intended station-this occurs by a process defined in the LAN Emulation protocol. The connection process results in the exchange of at least five packets, in addition to the original data packet.

Because this process happens dynamically in response to the packets received, the correct operation can be demonstrated only by observing both the Ethernet and ATM links simultaneously. The need for this type of analysis will continue to grow as networks become more complex and interconnected.