JP4950312B2 - Packet sampling device - Google Patents

Description

  The present invention relates to a device that performs traffic monitoring using a sampling technique, and more particularly to a device that performs traffic monitoring at low cost using random packet sampling or time sampling.

  As a device that performs traffic monitoring at low cost using a sampling technique, a device equipped with nProbe (Non-Patent Document 1) is known.

  The nProbe can operate sampling functions such as NetFlow and IPFIX on a general-purpose PC, and can realize traffic monitoring without using a dedicated traffic capture device.

“NProbe”, [online], [searched on January 21, 2010], Internet <http://www.ntop.org/nProbe.html>

  Since the method of Non-Patent Document 1, that is, the packet sampling apparatus equipped with nProbe is realized on a general-purpose PC, traffic monitoring can be realized at low cost. On the other hand, since a general-purpose PC is used instead of a dedicated traffic capture device, there are the following problems. In other words, when discarding packets at the network interface, device driver, and kernel, there are problems such as measuring the packet flow rate on the network to be less than the actual one, and erroneously detecting packet discard on the network.

  SUMMARY OF THE INVENTION Accordingly, an object of the present invention is to accurately acquire traffic information in a network such as packet flow rate and packet discard in a network in an apparatus for realizing traffic monitoring.

  In order to solve the above-mentioned problems, the present invention is characterized in that sampling processing and other processing are performed in consideration of packet discard occurring in the apparatus.

  Of the inventions disclosed in this specification, the outline of typical ones will be briefly described as follows.

  According to a first aspect of the present invention, there is provided a packet sampling apparatus that includes a network interface and randomly selects a part of packets received from the network interface at a preset ratio, from the network interface to the sampling unit. The packet discarding unit that monitors packet discarding at one or a plurality of sites and detects the number of discarded packets when the packet discarding is detected, and counts the number of packets that arrived and counts the number of packets that have arrived. Using the value and the random number, a second number of packets (1 ≦ second number <first number) set in advance in the first set number of packet cycles is selected, and the in-device discard detection unit The number of discarded packets notified from the above is added to the counter value and discarded within the device. When it is determined that the received packet matches the packet selected using the random number, the sampling unit that determines the proxy selection packet from the packet after the determination and the information on the packet selected by the sampling unit are notified to the external device And an export unit.

  According to a second aspect of the present invention, there is provided a packet sampling apparatus that includes a network interface and randomly selects a part of packets received from the network interface at a preset ratio, from the network interface to the sampling unit. The packet discarding unit that monitors packet discarding at one or a plurality of sites and detects the number of discarded packets when the packet discarding is detected, and counts the number of packets that arrived and counts the number of packets that have arrived. Using a value and a random number, a second number of packets (1 ≦ second number <first number) set in advance in the first set number of packet cycles is selected, and packets not selected Store some or all in the buffer and notify from the device discard detection unit The number of discarded packets is added to the counter value, and when it is determined that the packet discarded in the apparatus matches the packet selected using the random number, the proxy selection packet is determined from the packet stored in the buffer. And an export unit for notifying an external device of information on a packet selected by the sampling unit.

  According to a third aspect of the present invention, there is provided a packet sampling apparatus that includes a network interface and randomly selects a part of packets received from the network interface at a preset ratio, from the network interface to the sampling unit. The device discard detection unit that monitors packet discard at one or more parts of the device and notifies the export unit of the number of discarded packets when packet discard is detected, and counts the number of arrived packets, and the counted counter value And a random number are used to select a second preset number of packets (1 ≦ second number <first number) in a preset first number of packet cycles, and the first number of packets The number of in-device discard packets notified from the in-device discard detector during reception A sampling unit that notifies the sport unit, and the first number used in the packet selection is rewritten to a value obtained by adding the original number of discarded packets in the apparatus notified from the sampling unit to the original number, and the sampling And an export unit that associates the information of the packet selected by the unit and notifies the external device of the information.

  A fourth invention is a packet sampling device comprising a network interface, and randomly selecting a part of the packets received from the network interface at a preset ratio, from the network interface to the sampling unit In-device discard detection unit that monitors packet discard at one or a plurality of parts and notifies the sampling unit of the number of discarded packets when packet discard is detected, and counts the number of packets that have arrived, and the counted counter value And a random number are used to select a second number (1 ≦ second number <first number) of packets set in advance in the first number of packet cycles, and from the in-device discard detection unit Depending on the notified number of discarded packets in the device, packet selection is performed in the next cycle. Selected by the sampling unit for changing the parameter {second number, first number} and the changed parameter {second number, first number} used for packet selection in the next period and the sampling unit And an export unit that associates the information of the packet and notifies the external device.

  According to a fifth aspect of the present invention, there is provided a packet sampling apparatus that includes a network interface and extracts a part of packets from packets received from the network interface for a preset time. Alternatively, the packet discarding at a plurality of parts is monitored, and when the packet discarding is detected, the in-device discarding detection unit for notifying the fact to the sampling unit and the packet arrived at a preset time period Packet extraction is performed only for the first time, and packet extraction is not performed for the remaining second time. When the in-device discard is notified from the in-device discard detection unit, a packet extraction time zone (first from the extraction start time) The packet extraction immediately stops and the extraction start time The sampling unit that notifies the elapsed time Δt to the export unit, and the parameters used for packet extraction {first time, second time} were actually used for packet extraction based on Δt notified from the sampling unit. And an export unit that rewrites the parameters {first time−Δt, second time + Δt} and notifies the external device in association with information about the packet extracted by the sampling unit.

  According to a sixth aspect of the present invention, there is provided a packet sampling apparatus that includes a network interface and extracts a part of the packets received from the network interface for a preset time. Alternatively, it monitors the packet discards at multiple sites, and if it detects packet discards, it immediately notifies the network discard detection unit of the number of discarded packets, and from the arriving packets at a preset time period. The packet extraction is performed for the first time set in advance, and the sampling number is not extracted for the remaining second time, and the sequence number of the packet extracted in the sampling unit is monitored. Detect discards, Network discard detection unit that counts the number of discarded packets and does not detect as packet discard in the network when there is a missing sequence number in the packet that was extracted when the in-device discard was notified from the in-device discard detection unit And an export unit for notifying an external device of information related to packet discard detected by the network discard detection unit.

  According to the present invention, it is possible to accurately acquire the flow rate and packet discard on the network at a low cost by performing the sampling process in consideration of the packet discard generated in the apparatus.

It is a block diagram of the packet sampling apparatus which concerns on Example 1 of this invention. It is a figure which shows the processing content of the packet sampling apparatus which concerns on Example 1 of this invention. It is a block diagram of the packet sampling apparatus which concerns on Example 2 of this invention. It is a figure which shows the processing content of the packet sampling apparatus which concerns on Example 2 of this invention. It is a block diagram of the packet sampling apparatus which concerns on Example 3 of this invention. It is a figure which shows the processing content of the packet sampling apparatus which concerns on Example 3 of this invention. It is a block diagram of the packet sampling apparatus which concerns on Example 4 of this invention. It is a figure which shows the processing content of the packet sampling apparatus which concerns on Example 4 of this invention. It is a block diagram of the packet sampling apparatus which concerns on Example 5 of this invention. It is a figure which shows the processing content of the packet sampling apparatus which concerns on Example 5 of this invention. It is a block diagram of the packet sampling apparatus which concerns on Example 6 of this invention. It is a figure which shows the processing content of the packet sampling apparatus which concerns on Example 6 of this invention.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a configuration diagram of a packet sampling apparatus according to Embodiment 1 of the present invention.

  In FIG. 1, 110 is UserLand, 120 is Kernel, 130 is NIC, 111 is an export unit, 112 is a sampling unit, and 113 is an in-device discard detection unit.

  The export unit 111, the sampling unit 112, and the in-device discard detection unit 113 are arranged in the UserLand 110. A packet received at a network interface (not shown) passes through the NIC 130 and the kernel 120 and reaches the sampling unit 112.

  FIG. 2 is a diagram illustrating processing contents of the packet sampling device according to the first embodiment of the present invention.

  In FIG. 2, 201 is a packet arriving at the network interface, 202 is a packet arriving at the sampling unit, and 203 is a counter value of the sampling unit. 211 is a notification of the discard of three packets from the in-device discard detection unit 113 to the sampling unit 112, and 212 is a notification of the discard of the two packets.

  The in-device discard detection unit 113 constantly monitors the NIC 130 and the kernel 120 and confirms whether or not the packet is discarded. When packet discard occurs, the fact is immediately notified to the sampling unit 112 together with the number of discarded packets innerDroppedPackets.

  The sampling unit 112 counts the number of received packets. This counter is added not only when a packet is received, but also when an in-device discard is notified from the in-device discard detection unit 113. When in-device discard is notified from the in-device discard detection unit 113, the notified number of discarded packets, inner Dropped Packets, is added. In the example of FIG. 2, the counter value 203 of the sampling unit is incremented by 3 when a 3 packet discard notification 211 is received, and is added by 2 when a 2 packet discard notification 212 is received.

  The sampling unit 112 randomly selects samplingSize (1 ≦ samplingSize << samplingPopulation) (second number) of packets preset in each sampling period (first number) of packet periods of the counter. To do. Specifically, samplingSize integers (N1, N2,..., NsamplingSize) having different sampling ranges of 1 to SamplingPopulation are obtained using random numbers for samplingPopulation packet periods. In the period, the acquired integer (N1, N2,..., NsamplingSize) -th received packet is determined as a selection packet. This is done at each cycle.

  Since the sampling unit 112 includes the number of in-device discarded packets as the increment of the counter, packets can be selected at a sampling size ratio of samplingPopulation. However, since the packet indicated by the integers (N1, N2,..., NsamplingSize) obtained from the random number may be included in the in-device discard packet, by determining the proxy selection packet, the samplingSizing of the samplingPopulations It is possible to perform packet selection while observing the above ratio. The proxy selection packet is selected from non-selected packets after it is determined that the packet to be selected has been discarded in the apparatus. The proxy selection packet is determined as a packet immediately after it is found, or is determined again using a random number from the packet after it is found.

  For example, as shown in FIG. 2, when {samplingSize, samplingPopulation} = {1, 20}, it is decided to select the 14th with a random number, but the 14th packet to be selected is discarded in the apparatus. Therefore, the proxy selection packet is determined from 16 to 20 or subsequent cycles, and this packet is sampled with the final selection packet as the 18th packet.

  The parameters {samplingSize, samplingPopulation} used in the sampling unit 112 are desirably determined in advance in consideration of the performance of hardware, software, and the like of the device. For example, the parameter may be determined from the worst value of in-device packet discard that can occur continuously. If the continuous packet discard is 1000, for example, {samplingSize, samplingPopulation} = {1,1001 or more} is desirably employed as a parameter. The purpose of this is to avoid a case in which the number of packets discarded in the apparatus in one cycle is too large to determine a selected packet. However, the present invention is not limited to this, and may be 1 ≦ samplingSize (second number) <samplingPopulation (first number).

  The export unit 111 notifies the external device of the packet information acquired by the sampling unit 112 using a protocol such as NetFlow, sFLow, or IPFIX. Here, the parameter used for packet selection may be associated and notified.

  As described above, in this embodiment, in a sampling device that performs random sampling, when a selected packet is discarded in the device, the sampling rate is protected by selecting a proxy selection packet from future non-selected packets. .

  According to the present embodiment, for example, in a device that realizes traffic monitoring on a general-purpose PC, it is possible to accurately acquire traffic information in the network such as the packet flow rate and packet discard in the network at a low cost.

  FIG. 3 is a configuration diagram of a packet sampling apparatus according to the second embodiment of the present invention.

  In FIG. 3, 310 is UserLand, 320 is Kernel, 330 is NIC, 311 is an export unit, 312 is a sampling unit, and 313 is an in-device discard detection unit.

  The export unit 311, the sampling unit 312, and the in-device discard detection unit 313 are arranged in the UserLand 310. A packet received at a network interface (not shown) passes through the NIC 330 and the kernel 320 and reaches the sampling unit 312.

  FIG. 4 is a diagram illustrating processing contents of the packet sampling device according to the second embodiment of the present invention.

  In FIG. 4, 401 is a packet arriving at the network interface, 402 is a packet arriving at the sampling unit, and 403 is a counter value of the sampling unit. Reference numeral 411 denotes a notification of three-packet discard from the in-device discard detection unit 313 to the sampling unit 312. Reference numeral 412 denotes a notification of the two-packet discard.

  The in-device discard detection unit 313 constantly monitors the NIC 330 and the kernel 320 and confirms whether or not the packet is discarded. When packet discard occurs, the fact is immediately notified to the sampling unit 312 together with the number of discarded packets innerDroppedPackets.

  The sampling unit 312 counts the number of received packets. This counter is added not only when a packet is received, but also when an in-device discard is notified from the in-device discard detection unit 313. When in-device discard is notified from the in-device discard detection unit 313, the number of discarded packets notified by innerDroppedPackets is added. In the example of FIG. 4, 3 is added to the counter value 403 of the sampling unit when the 3 packet discard notification 411 is received, and 2 is added when the 2 packet discard notification 412 is received.

  The sampling unit 312 randomly selects samplingSize (1 ≦ samplingSize << samplingPopulation) (second number) packets preset for each period in the samplingPopulation (first number) packet period of the counter. To do. Specifically, samplingSize integers (N1, N2,..., NsamplingSize) having different sampling ranges of 1 to SamplingPopulation are obtained using random numbers for samplingPopulation packet periods. In the period, the acquired integer (N1, N2,..., NsamplingSize) -th received packet is determined as a selection packet. This is done at each cycle.

  Since the sampling unit 312 includes the number of in-device discarded packets as the increment of the counter, it is possible to select packets at a sampling size ratio of sampling population. However, since the packet indicated by the integers (N1, N2,..., NsamplingSize) obtained from the random number may be included in the in-device discard packet, by determining the proxy selection packet, the samplingSizing of this number of samplingPopulation Packet selection can be performed while keeping the ratio. In determining the proxy selection packet, past unselected packets are buffered and selected from them. The buffer of the non-selected packet is a buffer having a preset length, and the buffer capacity can be reduced by storing only the latest non-selected packet. In that case, the first or last packet of the buffer can be determined as a proxy selection packet. Alternatively, the proxy selection packet can be determined using a random number from the buffer.

  For example, as shown in FIG. 4, when {samplingSize, samplingPopulation} = {1, 20}, it is decided to select the 14th with a random number, but the 14th packet to be selected is discarded in the apparatus Therefore, the proxy selection packet is determined from the buffered 1 to 4 and 8 to 13, and this packet is sampled with the final selection packet as the 12th packet.

  The parameters {samplingSize, samplingPopulation} used in the sampling unit 312 are preferably determined in advance in consideration of the performance of the hardware, software, etc. of the device. For example, the parameter may be determined from the worst value of in-device packet discard that can occur continuously. If the continuous packet discard is 1000, for example, {samplingSize, samplingPopulation} = {1,1001 or more} is desirably employed as a parameter. The purpose of this is to avoid a case in which the number of packets discarded in the apparatus in one cycle is too large to determine a selected packet. However, the present invention is not limited to this, and may be 1 ≦ samplingSize (second number) <samplingPopulation (first number).

  The export unit 311 notifies the external device of the packet information acquired by the sampling unit 312 using a protocol such as NetFlow, sFLow, or IPFIX. Here, the parameter used for packet selection may be associated and notified.

  As described above, in this embodiment, in a sampling device that performs random sampling, when a selected packet is discarded in the device, the sampling rate is protected by selecting a proxy selection packet from past non-selected packets. .

  According to the present embodiment, for example, in a device that realizes traffic monitoring on a general-purpose PC, it is possible to accurately acquire traffic information in the network such as the packet flow rate and packet discard in the network at a low cost.

  FIG. 5 is a configuration diagram of a packet sampling apparatus according to the third embodiment of the present invention.

  In FIG. 5, 510 is UserLand, 520 is Kernel, 530 is NIC, 511 is an export unit, 512 is a sampling unit, and 513 is an in-device discard detection unit.

  The export unit 511, the sampling unit 512, and the in-device discard detection unit 513 are arranged in the UserLand 510. A packet received at a network interface (not shown) passes through the NIC 530 and the kernel 520 and reaches the sampling unit 512.

  FIG. 6 is a diagram illustrating processing contents of the packet sampling device according to the third embodiment of the present invention.

  In FIG. 6, 601 is a packet arriving at the network interface, 602 is a packet arriving at the sampling unit, 603 is a counter value of the sampling unit, and 604 is a total value of discard in the apparatus. Reference numeral 611 denotes a three-packet discard notification from the in-device discard detection unit 513 to the export unit 511, and reference numeral 612 denotes a two-packet discard notification.

  The in-device discard detection unit 513 constantly monitors the NIC 530 and the kernel 520 and confirms whether or not a packet is discarded. When the packet discard occurs, the fact is immediately notified to the export unit 511 together with the number of discarded packets innerDroppedPackets.

  The sampling unit 512 counts the number of received packets. This counter is only added when a packet is received.

  The sampling unit 512 randomly selects samplingSize (1 ≦ samplingSize << samplingPopulation) (second number) packets preset for each period in the samplingPopulation (first number) packet period of the counter. To do. Specifically, samplingSize integers (N1, N2,..., NsamplingSize) having different sampling ranges of 1 to SamplingPopulation are obtained using random numbers for samplingPopulation packet periods. In the period, the acquired integer (N1, N2,..., NsamplingSize) -th received packet is determined as a selection packet. This is done at each cycle.

  The parameters {samplingSize, samplingPopulation} used in the sampling unit 512 are preferably determined in advance in consideration of the performance of hardware, software, and the like of the device. For example, the parameter may be determined from the worst value of in-device packet discard that can occur continuously. If the continuous packet discard is 1000, for example, {samplingSize, samplingPopulation} = {1,1001 or more} is desirably employed as a parameter. The purpose of this is to avoid a case in which a selection packet cannot be determined because there are too many packets discarded in the apparatus within one period. However, the present invention is not limited to this, and may be 1 ≦ samplingSize (second number) <samplingPopulation (first number).

  The export unit 511 uses the in-device discard packet number innerDroppedPackets notified from the in-device discard detection unit 513, and uses the parameters {samplingSize, samplingPopulation} used for packet selection in {samplingSize, samplingPopulation + innerDropped} rewritten sampler In association with the information of the packet selected in 512, the external device is notified using a protocol such as NetFlow, sFlow, and IPFIX. As a result, since the external device can know the parameters used for packet selection as a result, it can acquire traffic information at a correct rate.

  For example, as shown in FIG. 6, when the parameter of the sampling unit 512 is {samplingSize, samplingPopulation} = {1, 15}, the parameters used for packet selection when the number of in-device discarded packets innerDroppedPackets = 5 Is notified to the external device as {samplingSize, samplingPopulation} = {1,15 + 5} instead of {samplingSize, samplingPopulation} = {1,15}.

  As described above, in the present embodiment, in the sampling device that performs random sampling, the denominator of the sampling rate is increased by the number of in-device discarded packets, and the external device is notified.

  According to the present embodiment, for example, in a device that realizes traffic monitoring on a general-purpose PC, it is possible to accurately acquire traffic information in the network such as the packet flow rate and packet discard in the network at a low cost.

  FIG. 7 is a configuration diagram of a packet sampling apparatus according to Embodiment 4 of the present invention.

  In FIG. 7, 710 is a UserLand, 720 is a kernel, 730 is a NIC, 711 is an export unit, 712 is a sampling unit, and 713 is an in-device discard detection unit.

  The export unit 711, the sampling unit 712, and the in-device discard detection unit 713 are arranged in the UserLand 710. A packet received at a network interface (not shown) passes through the NIC 730 and the kernel 720 and reaches the sampling unit 712.

  FIG. 8 is a diagram illustrating processing contents of the packet sampling device according to the fourth embodiment of the present invention.

  In FIG. 8, 801 is a packet arriving at the network interface, 802 is a packet arriving at the sampling unit, 803 is a counter value of the sampling unit, and 804 is a total value of discard in the apparatus. 811 is a notification of the discard of three packets from the in-device discard detection unit 713 to the sampling unit 712, and 812 is a notification of the discard of the two packets.

  The in-device discard detection unit 713 constantly monitors the NIC 730 and the kernel 720 and confirms whether or not a packet is discarded. When the packet discard occurs, the fact is immediately notified to the export unit 711 together with the number of discarded packets inner DroppedPackets.

  The sampling unit 712 counts the number of received packets. This counter is only added when a packet is received.

  The sampling unit 712 randomly selects samplingSize (1 ≦ samplingSize << samplingPopulation) (second number) packets preset for each period in the samplingPopulation packet number (first number) of the counter. To do. Specifically, samplingSize integers (N1, N2,..., NsamplingSize) having different sampling ranges of 1 to SamplingPopulation are obtained using random numbers for samplingPopulation packet periods. In the period, the acquired integer (N1, N2,..., NsamplingSize) -th received packet is determined as a selection packet. In addition, the sampling unit 712 uses the in-device discard packet number innerDroppedPackets notified from the in-device discard detection unit 713 to set the parameter {samplingSize, samplingPopulation} in the next cycle to {samplingSize, samplingPopulation} ederDropp + innerDrops}. This is done at each cycle.

  For example, as shown in FIG. 8, when the parameter of the sampling unit 712 is {samplingSize, samplingPopulation} = {1, 15}, and the total value 804 of in-device discard is 5, it is used for packet selection in the next period. Change the parameter to {samplingSize, samplingPopulation} = {1,15 + 5} instead of {samplingSize, samplingPopulation} = {1,15}.

  The parameters {samplingSize, samplingPopulation} used in the sampling unit 712 are preferably determined in advance in consideration of the performance of hardware, software, etc. of the device. For example, the parameter may be determined from the worst value of in-device packet discard that can occur continuously. If the continuous packet discard is 1000, for example, {samplingSize, samplingPopulation} = {1,1001 or more} is desirably employed as a parameter. The purpose of this is to avoid a case in which a selection packet cannot be determined because there are too many packets discarded in the apparatus within one period. However, the present invention is not limited to this, and may be 1 ≦ samplingSize (second number) <samplingPopulation (first number).

  The export unit 711 associates the changed parameter {samplingSize, samplingPopulation} changed by the sampling unit 712 with the information of the packet selected by the sampling unit 712, and uses the protocol such as NetFlow, sFlow, IPFIX, etc. Notice. As a result, since the external device can know the parameters used for packet selection as a result, it can acquire traffic information at a correct rate.

  As described above, the present embodiment changes the sampling rate by the number of in-device discarded packets in a sampling device that performs random sampling.

  According to the present embodiment, for example, in a device that realizes traffic monitoring on a general-purpose PC, it is possible to accurately acquire traffic information in the network such as the packet flow rate and packet discard in the network at a low cost.

  FIG. 9 is a configuration diagram of a packet sampling apparatus according to the fifth embodiment of the present invention.

  In FIG. 9, 910 is UserLand, 920 is Kernel, 930 is NIC, 911 is an export unit, 912 is a sampling unit, and 913 is an in-device discard detection unit.

  The export unit 911, the sampling unit 912, and the in-device discard detection unit 913 are arranged in the UserLand 910. A packet received at a network interface (not shown) passes through the NIC 930 and the kernel 920 and reaches the sampling unit 912.

  FIG. 10 is a diagram illustrating processing contents of the packet sampling device according to the fifth embodiment of the present invention.

  In FIG. 10, 1001 is a packet arriving at the network interface, and 1002 is a packet arriving at the sampling unit. Reference numeral 1011 is a notification when the three packets are discarded from the in-device discard detection unit 913 to the sampling unit 912, and 1012 is a notification when the two packets are discarded.

  The in-device discard detection unit 913 constantly monitors the NIC 930 and the kernel 920 to check whether there is a packet discard. When packet discard occurs, the fact is immediately notified to the sampling unit 912.

  The sampling unit 912 performs packet extraction from a packet received from the network interface for a preset samplingTimeInterval time (first time) in a preset time period, and performs packet extraction for the remaining samplingTimeSpace time (second time). If the discard within the apparatus is notified from the in-apparatus discard detection unit 913, the packet extraction is immediately stopped if the packet is extracted (within samplingTimeInterval time from the extraction start time), and the elapsed time from the extraction start time Informs the export unit of Δt. This is done at each cycle.

  For example, as shown in FIG. 10, when {samplingTimeInterval, samplingTimeSpace} = {500 ms, 500 ms}, packet extraction is performed only for samplingTimeInterval time (500 ms), and packet sampling is not performed for the remaining samplingTimeSpace time (500 ms). Although it is set, since the notification 1011 at the time of discarding three packets is notified from the in-device discard detection unit 913 during the time period for extracting the packet, the packet extraction is immediately stopped and the elapsed time Δt (230 ms) from the extraction start time Is notified to the export unit 911.

  The parameters {samplingTimeInterval, samplingTimeSpace} used in the sampling unit 912 are desirably determined in advance in consideration of the performance of hardware, software, and the like of the device.

  The export unit 911 rewrites the parameters {samplingTimeInterval, samplingTimeSpace} used for packet extraction into the parameters {samplingTimeInterva-Δt, samplingTimeSpace + Δt} actually used for packet extraction based on Δt notified from the sampling unit 912. In association with the information about the packet extracted in 912, the external device is notified using a protocol such as NetFlow, sFlow, and IPFIX.

  In the example of FIG. 10, the export unit 911 notifies {sampling TimeInterval, samplingTimeSpace} to {230 ms, 670 ms} to the external device.

  As described above, in the present embodiment, in the sampling device that performs time sampling, the time after the occurrence of the in-device discarding is set as the non-extraction time.

  According to the present embodiment, for example, in a device that realizes traffic monitoring on a general-purpose PC, it is possible to accurately acquire traffic information in the network such as the packet flow rate and packet discard in the network at a low cost.

  FIG. 11 is a configuration diagram of a packet sampling apparatus according to Embodiment 6 of the present invention.

  In FIG. 11, 1110 is UserLand, 1120 is Kernel, 1130 is NIC, 1111 is an export unit, 1112 is a sampling unit, 1113 is an in-device discard detection unit, and 1114 is a network discard detection unit.

  The export unit 1111, the sampling unit 1112, the in-device discard detection unit 1113, and the network discard detection unit 114 are arranged in the UserLand 1110. A packet received at a network interface (not shown) passes through the NIC 1130 and the kernel 1120 and reaches the sampling unit 1112.

  FIG. 12 is a diagram illustrating processing contents of the packet sampling device according to the sixth embodiment of the present invention.

  In FIG. 12, 1201 is a packet arriving at the network interface, 1202 is a packet arriving at the sampling unit, and 1203 is a sequence number of the packet extracted at the sampling unit. Reference numeral 1211 denotes a notification of three-packet discard from the in-device discard detection unit 1113 to the network discard detection unit 1114, and 1212 denotes a notification of the two-packet discard.

  The in-device discard detection unit 1113 constantly monitors the NIC 1130 and the kernel 1120 to check whether there is any packet discard. When packet discard occurs, the fact is immediately notified to the network discard detection unit 1114 together with the number of discarded packets inner DroppedPackets.

  The sampling unit 1112 performs packet extraction for a preset samplingTimeInterval time (first time) in a preset time period from a packet received from the network interface, and performs packet extraction for the remaining samplingTimeSpace time (second time). Not performed. This is done at each cycle.

  For example, as shown in FIG. 12, when {samplingTimeInterval, samplingTimeSpace} = {500 ms, 500 ms}, packet extraction is performed only for samplingTimeInterval time (500 ms), and packet extraction is not performed for the remaining samplingTimeSpace time (500 ms).

  The parameters {samplingTimeInterval, samplingTimeSpace} used in the sampling unit 1112 are desirably determined in advance in consideration of the performance of the hardware, software, and the like of the device.

  The network discard detection unit 1114 monitors the sequence number 1203 of the packet extracted by the sampling unit 1112, detects the packet discard in the network from the omission, counts the number of discarded packets, and the in-device discard detection unit 1113 If there is a missing sequence number in the packet extracted when notified of discard, it is not detected as packet discard in the network. The network discard detection unit 1114 notifies the export unit 1111 of information related to packet discard (packet loss) in the detected network.

  In the example of FIG. 12, the discard of 4 packets is detected when the sequence number 1203 is 1007, but the discard of the network is detected as 1 packet because the in-device discard detection unit 1113 is notified of the discard of 3 packets 1211. .

  The export unit 1111 associates the information about the packet discard (packet loss) detected by the network discard detection unit 1114 with the information about the packet extracted by the sampling unit 1112, and uses an external protocol such as NetFlow, sFlow, or IPFIX. Notify the device.

  In the example of FIG. 12, the export unit 1111 notifies the external device that the number of discarded network packets = 1.

  As described above, the present embodiment distinguishes between discards generated in the network and discards generated in the apparatus in the sampling apparatus that performs time sampling.

  According to the present embodiment, for example, in a device that realizes traffic monitoring on a general-purpose PC, it is possible to accurately acquire traffic information in the network such as the packet flow rate and packet discard in the network at a low cost.

  As mentioned above, the invention made by the present inventor has been specifically described based on the above embodiments. However, the present invention is not limited to the above embodiments, and various modifications can be made without departing from the scope of the invention. Of course.

110, 310, 510, 710, 910, 1110 ... UserLand, 120, 320, 520, 720, 920, 1120 ... Kernel, 130, 330, 530, 730, 930, 1130 ... NIC, 111, 311, 511, 711, 911, 1111, ... Export unit, 112, 312, 512, 712, 912, 1112 ... Sampling unit, 113, 313, 513, 713, 913, 1113 ... are in-device discard detection units, 1114 ... network discard detection unit, 201, 401, 601, 801, 1001, 1201... Packet arriving at the network interface, 202, 402, 602, 802, 1002, 1202... Arriving at the sampling unit, 203, 403, 603, 803. , 604, 804... Sum of discards within the device, 1203... Sequence number, 211, 411, 811... Notification of discard of 3 packets from the discard unit within the device to the sampling unit, 212, 412, 812. Notification, 611... Notification from the in-device discard detection unit to the export unit, 612... Notification of discard of the two packets. 1011... Notification of discard of three packets from the in-device discard detection to the sampling unit. 1211 ... Notification of 3 packet discard from the in-device discard detection unit to the network discard detection unit, 1212 ... Notification of 2 packet discard

Claims (10)

In a packet sampling device comprising a network interface and randomly selecting a part of the packets received from the network interface at a preset rate,
An in-device discard detection unit that monitors packet discard at one or a plurality of parts from the network interface to the sampling unit, and notifies the sampling unit of the number of discarded packets when packet discard is detected;
The number of packets that arrived is counted, and a second number (1 ≦ second number <first number) that is preset in a first number of packet cycles that is preset using the counted counter value and a random number. When a packet is selected, the number of discarded packets notified from the in-device discard detection unit is added to the counter value, and it is found that the packet discarded in the device matches the packet selected using the random number A sampling unit for determining a proxy selection packet from the packets after the discovery,
A packet sampling device, comprising: an export unit that notifies an external device of information on the packet selected by the sampling unit. In a packet sampling device comprising a network interface and randomly selecting a part of the packets received from the network interface at a preset rate,
An in-device discard detection unit that monitors packet discard at one or a plurality of parts from the network interface to the sampling unit, and notifies the sampling unit of the number of discarded packets when packet discard is detected;
The number of packets that arrived is counted, and a second number (1 ≦ second number <first number) that is preset in a first number of packet cycles that is preset using the counted counter value and a random number. Select a packet, store some or all of the unselected packets in the buffer, add the number of discarded packets notified from the in-device discard detection unit to the counter value, and A sampling unit that determines a proxy selection packet from the packet stored in the buffer when it is found to match the packet selected using the random number;
A packet sampling device, comprising: an export unit that notifies an external device of information on the packet selected by the sampling unit. In a packet sampling device comprising a network interface and randomly selecting a part of the packets received from the network interface at a preset rate,
An in-device discard detection unit that monitors packet discard at one or a plurality of parts from the network interface to the sampling unit, and notifies the export unit of the number of discarded packets when packet discard is detected;
The number of packets that arrived is counted, and a second number (1 ≦ second number <first number) that is preset in a preset first number of packet cycles using the counted counter value and a random number. A sampling unit that selects a packet and notifies the export unit of the number of in-device discarded packets notified from the in-device discard detection unit while receiving the first number of packets;
The first number used for the packet selection is changed to a value obtained by adding the number of discarded packets in the apparatus notified from the sampling unit to the original number, and information on the packet selected by the sampling unit A packet sampling device comprising: an export unit that associates and notifies an external device. In a packet sampling device comprising a network interface and randomly selecting a part of the packets received from the network interface at a preset rate,
An in-device discard detection unit that monitors packet discard in one or more parts from the network interface to the sampling unit, and notifies the sampling unit of the number of discarded packets when packet discard is detected,
The number of packets that arrived is counted, and a second number (1 ≦ second number <first number) that is preset in a preset first number of packet cycles using the counted counter value and a random number. A sampling unit that selects a packet and changes a parameter {second number, first number} used for packet selection in the next period in accordance with the number of in-device discarded packets notified from the in-device discard detection unit;
An export unit for associating the changed parameter {second number, first number} used for packet selection in the next period with the information of the packet selected by the sampling unit, and notifying the external device; Packet sampling device. In a packet sampling apparatus comprising a network interface and extracting a part of packets from packets received from the network interface for a preset time,
An in-device discard detection unit that monitors packet discard at one or more parts from the network interface to the sampling unit and notifies the sampling unit of the fact when packet discard is detected,
The packet is extracted from the arriving packet for a preset first time in the preset time period, and the packet is not extracted for the remaining second time, and the in-device discard is notified from the in-device discard detection unit. A sampling unit that immediately stops packet extraction if it is a time zone for packet extraction (within a first time from the extraction start time), and notifies the export unit of an elapsed time Δt from the extraction start time;
Parameters {first time−Δt, second time + Δt} actually used for packet extraction based on Δt notified from the sampling unit of parameters used for packet extraction {first time, second time} A packet sampling device comprising: an export unit that rewrites the information to the external device in association with information about the packet extracted by the sampling unit. In a packet sampling apparatus comprising a network interface and extracting a part of packets from packets received from the network interface for a preset time,
An in-device discard detection unit that monitors packet discard in one or more parts from the network interface to the sampling unit, and immediately notifies the network discard detection unit of the number of discarded packets when packet discard is detected;
A sampling unit that performs packet extraction for a first time set in advance in a preset time period and does not perform packet extraction for the remaining second time;
The sequence number of the packet extracted in the sampling unit is monitored, the packet discard in the network is detected from the omission, the number of discarded packets is counted, and the in-device discard is notified from the in-device discard detection unit If there is a missing sequence number in the extracted packet, a network discard detection unit that does not detect packet discard in the network,
A packet sampling device comprising: an export unit that notifies an external device of information related to packet discard detected by the network discard detection unit. The packet sampling device according to claim 1,
The packet sampling apparatus, wherein the sampling unit determines a proxy selection packet from a packet after the determination to determine a packet received immediately after the determination as a proxy selection packet. The packet sampling device according to claim 1,
The packet sampling apparatus, wherein the sampling unit determines the proxy selection packet by using a random number from a packet after the determination. The packet sampling device according to claim 2, wherein
The sampling unit stores only the preset number from the latest non-selected packet in the buffer of the unselected packet, and deletes the packet exceeding the preset number from the old packet. The selection packet is determined by determining the latest packet or the oldest packet among the packets stored in the buffer as a proxy selection packet. The packet sampling device according to claim 2, wherein
The sampling unit determines a proxy selection packet by determining, as a proxy selection packet, a packet selected using a random number from the packets stored in the buffer.

Images