Technical Note - Classification of Packets into Flows

Maxwell, the intelligent network emulator, imposes impairments on "flows" of packets.

But what is a "flow", and how are flows defined?

What is a "Flow"?

Imagine that you are sitting at the side of a highway watching the traffic pass by.

The first thing you will most likely notice is that traffic goes in two directions.

You will also notice that there are automobiles, motorcycles, small trucks, large trucks, etc.

You might mentally start to classify what you see into some sort of groups.  You might classify all red passenger automobiles moving into the city center into one group while putting red passenger automobiles moving out of the city center into another.  And you might classify large trucks that are carrying loads of sand into one group and all hybrid vehicles into another.  You might group noisy motorcycles apart from quiet ones.  And you might put everything else into a catch-all group.

What you are doing is classifying the traffic on the highway into flows.  You are applying criteria of your choosing to define these flows.

Now imagine that you are sitting at the side of a network link and that you somehow have the means of seeing each packet.

Perhaps you want to put all domain name packets into one group, all SIP packets into another, all HTTP packets into yet another group, and put everything else into a catch-all category.

That is what you do with Maxwell: you define criteria that divide the traffic flowing in either direction into groups of your choosing.  Those groups are "Flows".

Pattern matching of packet fields using the mask and compare method.

Maxwell provides the user with a wide variety of pattern matching tools so that the fields in packet headers and even packet data can be examined and used to decide whether a given packet belongs to a particular flow or not.

Thus, for example, a user may use fields from IEEE 802 headers, IPv4 or IPv6 headers, UDP or TCP headers, or even UDP or TCP data as a means of selecting packets for inclusion into a given flow.

Most of Maxwell's flow pattern matching tools use a simple technique called "mask and compare".

The mask and compare technique considers every header field of a packet to be a binary number.  Depending on the particular field, that number may range from a few bits to as many as 48 bits.  For example, the IEEE 802.1q VLAN Priority field is only 3 bits wide while an IEEE 802 MAC address is 48 bits wide.

Masks and values are expressed in network byte order.  In other words the numbers that the user provides for mask and value will be converted into "Big Endian" format and then applied to the packet data.

Note: IEEE MAC addresses are expressed by the user in the conventional format consisting of 12 hexadecimal digits, with optional colons or spaces as separators.  However, unlike IETF-defined packets, each byte of the Ethernet/IEEE MAC address is transmitted low-order bit first.  This means that for MAC addresses the Group address bits are the low order bits of the first octet rather than the high order bits.  (See "Mac Address Bit Ordering" for more information.)

In mask and compare expressions the ones bits in the mask indicate the bits in the packet field that are of interest; the zeros bits in the mask indicate that the corresponding bits in the packet field are of no concern and play no part in the calculation.

When evaluating a mask and compare expression, Maxwell logically "AND"s the bits of the mask against the bits of the packet field.  The result is then compared with the value that the user has provided.  If there is an exact match then the expression is considered "true", otherwise it is considered "false".

Suppose you want to define a mask and compare expression that will pick up packets with a source IP address of 192.168.1.xx where xx is any value.  (This should feel similar to the way in which IP subnets are defined; the principles are similar.)

In hexadecimal the IP address 192.168.1.00 is 0xC0.0xA8.0x01.0x00 (in binary this is 11000000.10101000.00000001.00000000.)

So you would define a Mask of 0xFFFFFF00 (i.e. a binary value consisting of 24 ones followed by 8 zeros) - meaning that you are interested in the first 24 bits of the IP address.  And you would define the comparison value to be 0xC0A80100.

For another discussion of masking and comparing bits see Mask (computing).


In Maxwell there are many possible mask and compare expressions.  Typically a user will enable only a few of these and leave the remaining expressions inactive.

Different mask and compare expressions may be defined for each separate flow.  In this way a user can, for example, select DNS (UDP port 53) packets into one flow and HTTP (TCP port 80) packets into another.

Stateful Matching

Maxwell can go further than simple pattern matching.  If a user wants to classify packets based on some relationship, for example the first TCP connection after a DNS response, or the first RTP packet after an RTP packet with an "M" bit in its header, then the user can do so through a user-written software "plug-in".  Plug-in code, however, operates after packets are classified into flows by the mask and compare expressions.

How are incoming packets classified into a flow?

Maxwell supports multiple flows.  The number of flows is always an even number.  Half of the flows are for packets flowing in one direction and the other half of the flows are for packets flowing in the reverse direction.  Maxwell infers the direction of a packet's flow from the interface on which that packet was received.

Incoming packets are sorted, using the mask and compare expressions, into flows using a waterfall technique.

If the packet arrives on interface 0 then it is considered to be flowing in the interface 0 to interface 1 direction.  If the packet arrives on interface 1 then it is considered to be flowing in the other (interface 1 to interface 0) direction.  Based on the direction, the list of flows appropriate for that direction is selected and used in the following steps.

  1. The first flow is selected as a candidate.

  2. The packet is evaluated against the active mask and compare expressions that are defined for the candidate flow.

  3. If all of the active expressions return a "true" answer the packet will be accepted into the candidate flow and the flow selection process will end.

  4. If the packet is not accepted into the candidate flow the next flow will be selected as the new candidate and the process will continue from step #2, above.  If there are no more flows, then the packet is simply discarded.
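
The mask and compare test and the waterfall steps above, combined in one sketch.  This is an added example, not InterWorking Labs code; the field offsets (IPv4 header without options), the flow names and the helper names are assumptions made for illustration.  It also shows two points that are easy to miss when writing rules: flow order decides which flow wins, and a comparison value with bits set outside the mask can never match.

```python
import socket
import struct

# Byte offset and width of each field, assuming an IPv4 header without
# options followed directly by UDP or TCP ports (assumption for this sketch).
FIELDS = {"ip_proto": (9, 1), "ip_src": (12, 4), "ip_dst": (16, 4), "dst_port": (22, 2)}

def mask_compare(packet, field, mask, value):
    """True when (field AND mask) == value; the field is read big-endian."""
    offset, width = FIELDS[field]
    if len(packet) < offset + width:
        return False  # truncated packet: the field is absent, so no match
    return (int.from_bytes(packet[offset:offset + width], "big") & mask) == value

def unsatisfiable(mask, value):
    """A value with bits set outside the mask can never match any packet."""
    return (value & ~mask) != 0

def classify(packet, in_interface, flows):
    """Waterfall: the first flow whose expressions are all true wins; None = discard."""
    for name, expressions in flows[in_interface]:
        if all(mask_compare(packet, *expr) for expr in expressions):
            return name
    return None

def build_packet(src, dst, proto, dst_port):
    """Constructed sample packet: 20-byte IPv4 header plus source/destination ports."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + struct.pack("!HH", 40000, dst_port)

# Flow lists per receiving interface; order matters because the first match wins.
FLOWS = {
    0: [("dns", [("ip_proto", 0xFF, 17), ("dst_port", 0xFFFF, 53)]),
        ("http", [("ip_proto", 0xFF, 6), ("dst_port", 0xFFFF, 80)]),
        ("lan-src", [("ip_src", 0xFFFFFF00, 0xC0A80100)]),
        ("catch-all", [("ip_proto", 0x00, 0x00)])],  # all-zero mask matches anything
    1: [("lan-dst", [("ip_dst", 0xFFFFFF00, 0xC0A80100)])],  # no catch-all: rest is discarded
}

if __name__ == "__main__":
    for args, iface in [(("192.168.1.7", "10.0.0.1", 17, 53), 0),
                        (("192.168.1.7", "10.0.0.1", 6, 443), 0),
                        (("10.0.0.1", "172.16.0.9", 6, 443), 1)]:
        print(args, "->", classify(build_packet(*args), iface, FLOWS))
```

A DNS packet from 192.168.1.7 lands in "dns" rather than "lan-src" only because "dns" is listed first; reordering the list changes the result.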

Impairment processing begins when a packet is accepted into a flow.  That impairment processing is described elsewhere.  However it should be noted that just as distinct and different packet acceptance criteria may be defined for each flow, distinct and separate impairment criteria may be defined for each flow.

 

©2001 - 2009 InterWorking Labs, Inc. ALL RIGHTS RESERVED.