JP2003143226A - Probe apparatus for ip network and traffic statistic method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a probe apparatus for an IP network that can freely and flexibly set intensive statistic to an intensive range of sub network address spaces being objects of statistics. SOLUTION: The probe apparatus for the IP network connected to a transmission line of the IP network being a supervisory object and applying intensive statistic to a received IP datagram comprises, an IP address extract means 11 that extracts an IP address from the IP datagram, a network use storage means 12 that stores identification data to distinguish an IP address space denoting an optional sub network area from all the IP address spaces, and a statistic count use storage means 17 that collectively records addresses denoting optional sub network areas or traffic by all IP addresses each.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention I of each IP datagram is connected to an IP backbone network that carries out communication according to the Internet protocol and exchanges data on an IP network transmission line.
IP that performs traffic statistics for P address values
The present invention relates to a network probe device.

[0002]

2. Description of the Related Art A communication protocol IP version4 (Internet Protocol, version 4) generally used in an IP backbone network uses an address space having a length of 32 bits. The IP address value in the header of the IP datagram is the Sour that identifies the source host.
ceIP address and Destin to identify the destination host
There are two types of IP address. IETF RFC
According to the place defined in 791, a 32-bit length source IP address and destination IP address are stored in the range up to 160 bits at the beginning of the IP datagram as the header structure of IPver4.

The IP probe device is an IP to be monitored.
IP datagrams on the transmission path are acquired and statistical analysis is performed on network traffic without affecting the transmission content of the backbone network. When grasping the traffic situation on an IP backbone network that uses IPver4, which is a type of connectionless communication mode for the data link layer protocol, pay attention to the IP address stored in the header part of the IP datagram, The traffic volume distribution data is acquired for each IP address at a constant sampling time period.

The above-mentioned operation is called IP address statistics,
Traffic statistical data can be obtained for the computer / host device that is the actual transmission source or transmission destination regarding the operating status of the IP backbone network and the tendency of traffic components. In addition, the IP address statistics are relayed because the traffic components can be analyzed by tracking the changes over time in the composition ratio of the IP addresses that appear between the specific nodes of the IP backbone network that is being implemented. It is possible to verify whether the network design and operation status are appropriate with respect to the tendency of route selection and the load status by time of day.

For the reasons described above, the IP address statistics function is useful for network management, and therefore some IP addresses are not available.
It is implemented and used in network probe equipment. By the way, in the conventional IP address statistical function, for example, up to n first IP addresses acquired from the start of the IP address statistics are accumulated in the IP probe device, and only the accumulated IP addresses are targeted. I was running statistics.

Next, a configuration example of the IP address statistical function adopted in the conventional IP probe device will be described with reference to FIG. FIG. 1 shows a CAM (Content Address).
(Able Memory) is used to register the IP address of the statistical object, that is, to store while receiving. In this configuration example, the capacity of the number of samples that can be simultaneously executed as the IP address statistics is uniquely determined by the installed CAM capacity.

In FIG. 1, reference numeral 1 is an IP address extraction unit. The IP address extraction unit has a function of extracting an IP address value from the IP datagram acquired from the monitored IP network transmission line, and outputs the extracted IP address value to the IP address bus.

At this time, the IP address value to be extracted is I
Either the source IP address or the destination IP address included in the P datagram, or both. At the same time, the IP address extraction unit outputs a reception notification signal at the timing of outputting a valid value to the IP address bus.

In FIG. 1, 2 is a CAM (Content Add
ressable memory). The CAM has a function of comparing all the recorded data values with the input data value and outputting the storage position of the recorded data to the CAM address bus only when they match.

That is, the CAM sets the corresponding storage address to the CAM only when it matches any of the internally recorded data values, specifically, any of the registered IP address values.
At the same time as showing on the address bus, the coincidence detection signal is also output together. The read / write mode control operation for the CAM is performed by the write control unit described below.

In FIG. 1, reference numeral 3 is a write controller. In the write control unit, the reception notification signal output from the IP address extraction unit 1 and the CA output from the CAM 2
The M read address bus signal and the match detection signal are respectively connected. The write control unit generates a statistical value update signal for updating the statistical data value for each IP address. Further, the write control unit is an R / W for controlling writing and reading with respect to the CAM.
CAM read / write control is executed by generating a signal and supplying it to the CAM.

In the embodiment shown in FIG. 1, the simultaneous comparison operation with all registered internal data of the CAM is utilized as a means for detecting the IP address value which is a statistical object. Also,
Registration of the IP address value to the CAM is performed by monitoring the I
It is carried out on a first-come-first-served basis upon reception from the P network.

For example, all addresses of the CAM have IP
When the address is registered, the CAM is used only in the read mode. That is, the input IP address is compared with all registered stored IP address values, and if there is the same IP address value, a match detection signal is output. In this case, the write control unit can generate the statistical value update signal based on the match detection signal.

On the other hand, immediately after the start of the IP address statistics, since the IP address value of the statistical object is not registered, the IP address
Along with the datagram reception, a write operation to the CAM, which is registration as a new IP address, is performed. In this case, C
AM is a coincidence detection signal as a CAM read operation,
The CAM read address indicating the storage location obtained at the same time is not generated.

Therefore, the write control unit outputs the write address value used for registration to the CAM to the CAM write address bus instead of the CAM read address that is not generated, and also outputs the statistical value update signal from the CAM to detect the coincidence. It is generated without a signal.

The statistical value update signal generated by the write controller has the function of counting up the update location of the statistical count RAM, which will be described later, and the CAM read address value or C
The AM write address value is used as a write address as an update location.

In FIG. 1, reference numeral 4 is an address selector having a function of generating a CAM address bus.
When the IP address is newly registered, the CAM write address value indicating the new registration position by the write control unit is selected, and if the CAM write address value matches the CAM registered IP address value, the CAM read address value associated with the match detection is selected. select. Therefore, since the CAM match detection signal is used as the selection control signal, the CAM read address is selected only when the CAM match detection signal is output.

In FIG. 1, reference numeral 5 is an address selector having a function of generating an INDEX bus. The address selector 5 receives as input the CAM address value that is the selection result of the address selector 4 and the read address value that is the output of the read control unit.

While receiving the write control signal output from the write control unit, the CAM address value is selected and output to the INDEX bus output. While the write control signal output from the write control unit is not received, the read address value is selected and output to the INDEX bus output.

In FIG. 1, 6 is an IP address RAM.
Is. The INDEX bus signal generated by the address selector 5 is used as the RAM address input, and the IP address value generated by the IP address extraction unit 1 via the IP address bus signal is used as the RAM data input.

The write operation to the IP address RAM is executed by the statistical value update signal generated by the write controller. The write operation is executed at the timing when the statistical value update signal is input, and is used in the read operation state while the statistical value update signal is not input.

As the write address of the IP address RAM, the CAM address value of the CAM registered IP address value indicating the CAM storage address is given via the INDEX bus. At the same time, I as write data
An IP address value is input via the P address bus.
As a result, a copy of the same IP address group is created in the IP address RAM for all IP address values registered in the CAM. Therefore, R for IP address
The depth used by the AM is equal to the number of IP addresses registered in the CAM.

In FIG. 1, 7 is a statistic counting RAM.
Is. The INDEX bus signal generated by the address selector 5 is used as an address input of the RAM, and the statistical count operation 8 is executed by the statistical value update signal generated by the write controller.

The statistic count operation mechanism 8 reads the data of the current address input value supplied via the INDEX bus, adds 1 to the value, and then overwrites it at the same address, thereby corresponding data in the statistic count RAM. Perform an operation to update the value to +1.

As the write address of the RAM for statistical counting, the CAM address value indicating the CAM storage address of the CAM registered IP address value is given via the INDEX bus. At the same time, the data value of the corresponding address is incremented by 1 by the input of the statistical value update signal and the operation of the statistical counting operation mechanism 8.

As a result, the statistical count RAM is C
Each time the IP address value registered in the AM is received, the number of received IP datagrams is counted at the same address as the CAM. Further, the depth used by the statistical count RAM is equal to the number of IP addresses registered in the CAM. In the statistical count RAM, it is necessary to set all contents data to 0 in advance as an initial state.

In FIG. 1, 9 is a CPU. CPU
Is used to read the IP address statistics. The IP address statistical value is read from the CPU at a time when the statistical data contents are not updated, that is, when the statistical value update signal is not output. The CPU data bus is connected to each data bus of the IP address RAM and the statistical count RAM.

In FIG. 1, reference numeral 10 is a read controller. The read control unit receives the read request signal output from the CPU and the statistical value update signal output from the write control unit in order to generate the read address. The read address is connected to the address selector 5, and when the statistical value update signal is not output, it is simultaneously supplied to the IP address RAM and statistical count RAM.

The read controller freezes the generation of the read address while the statistical value update signal is being input. Therefore, with respect to the access to the RAM for IP address and the RAM for statistical count, the write operation for updating the statistical value based on the CAM address output timing is given higher priority than the read operation by the CPU. However,
In the configuration example of FIG. 1, when the access time of the read operation by the CPU overlaps with the statistical value update signal, the CPU
The description of weight control for is omitted.

As described above, the configuration example shown in FIG.
Every time when the registered IP address detected by the CAM is received (from the monitored IP network transmission line), the statistic count RAM adds +1 to the data at the position indicated by the INDEX bus, and as a result, the statistics by IP address are obtained. Has been realized. Statistical data is statistical count RA
In addition to M, the IP address RAM is read simultaneously with the common INDEX bus value, so the I registered in the CAM
The P address value and the corresponding statistical value can be collected in pairs.

Next, the operation algorithm of the write controller 3 of FIG. 1 will be described with reference to the flowchart of FIG. The write control unit internally has a CAM write pointer for registering a new IP address value in the CAM, and
Immediately after the start of the P address statistics, the CAM address is initialized so as to indicate 0. (Step S1)

When the reception notification signal is input from the IP address extraction unit 1 of FIG. 1 (YES in step S3), if the CAM coincidence detection signal is not obtained (NO in step S3),
The unregistered IP address value shown in is received.

At this time, if the CAM write pointer value provided inside is less than the CAM maximum capacity or the rated registration number (NO in step S4), the writing to the CAM by the current CAM write pointer shown in is executed. (Step S6)

In parallel with this, the write control unit issues a statistical value update signal together with the current CAM write pointer value so that the statistical registration is also performed for the newly registered IP address. (Step S5) Next, CAM
Set the write pointer value to +1. (Step S7)

However, if the internal CAM write pointer value has reached the maximum capacity of the CAM or the number of registered CAMs (TES in step S4), the current unregistered IP address is newly registered as shown in. Ignore without doing.

On the other hand, if the CAM coincidence detection signal is obtained at the time when the reception notification signal is input from the IP address extraction unit (YES in step S3), it is the IP address value registered in the CAM. As shown in
A statistical value update signal is issued based on the match detection signal output by M. (Step S8)

As described above, the conventional IP network probe device of FIG. 1 utilizes the simultaneous comparison function with all registered data that the CAM internally has to utilize the IP address value that is the statistical object. It is used as a detection means. And
A write control unit is used as a registration unit for the CAM of the IP address value to be the statistical object and a control unit for the CAM. Therefore, when the received IP address value is the statistical object, the CAM or the write control unit provides the statistical value update signal and the CAM address indicating the update location of the statistical count value.

[0038]

However, the conventional IP network probe apparatus shown in FIG. 1 has the following problems. First, when the IP probe device executes the IP address statistics, there is a problem that the IP address aggregation statistics for aggregating the IP address values for each arbitrary sub-network cannot be applied.

On the Internet, there are cases where it is desired to aggregate the traffic statistics counts carried out for individual IP addresses for the corresponding sub-networks and carry out statistics. In the case of grasping the traffic amount for each route regarding the communication between providers, in the conventional method illustrated in FIG. 1, only the IP address values belonging to the relevant sub-network are obtained from the statistical results of the individual IP address values registered in the CAM. You have to find and collect all of them.

Further, unless it takes time to add them one by one to make a total value, the traffic aggregation result in the corresponding sub-network unit cannot be obtained. That is, in the traffic statistical method of the IP address value that monitors the individual host IP address values registered in the CAM, the traffic of a plurality of IP network addresses may be mixed. It was difficult to aggregate the network addresses by classifying them and bundling them together.

For example, in the configuration example shown in FIG. 1, for the purpose of transmitting only a certain range of IP address values, a filter of IP address values is used to register only a single network address range in CAM. Even if you try to
In order to finally consolidate, it was necessary to add all the IP address statistical values manually.

Second, IPs that can be registered as statistical objects
There is a problem that the number of addresses is limited to the capacity of the mounted CAM. The number of IP addresses that can be registered and monitored at one time corresponds to the number of words in the CAM. Therefore, if an IP address with a registered number up to 64K is to be dealt with, a CAM with a depth of 64K words is required. is there.

Generally, it is difficult to obtain a device having a large capacity in the CAM as compared with the RAM, and as shown in the write control unit 3 in FIG. 1, a registration control unit or the like is required as a dedicated peripheral circuit. In addition, if it is attempted to effectively utilize a small capacity device for CAM resources, it may be automatically or manually depending on the status of the monitored IP network transmission line.
It has been necessary to provide a means for deleting an IP address value that has already been registered in the CAM and is determined to be unnecessary so that a new IP address value can be additionally registered.

However, the addition of the function of adding / deleting the registered IP address value to the CAM has a problem that the peripheral circuit is further enlarged in addition to the registration control unit of the CAM.
Further, when implementing the selection work by software for the IP address value to be deleted, the burden on both the software and the hardware increases and the function becomes complicated, such as the construction of an algorithm for the deletion decision and the operation verification. was there.

An object (object) of the present invention is to provide a mechanism capable of arbitrarily designating a spatial range in which a sub-network address value can be taken without limitation, so that the traffic volume of an IP address value can be aggregated for each sub-network. In statistics, it is an object of the present invention to provide an IP network probe device capable of freely and flexibly setting the aggregation range of a sub-network address space which is a statistical object. Another object of the present invention is to provide a statistical method capable of performing traffic statistics for simultaneously monitoring the individual IP address values of all the hosts that make up a traffic component within a range belonging to an arbitrarily designated subnetwork address.

[0046]

In order to solve the above-mentioned problems, in the probe device for an IP network, which is connected to a transmission path of an IP network to be monitored and performs aggregate statistics of traffic from a received IP datagram,
IP address extraction means for extracting an IP address value from the P datagram, and I indicating an arbitrary sub-network area
A network storage unit that stores identification data for distinguishing the P address space from the entire IP address space, an address indicating the arbitrary sub-network area, or traffic is aggregated and recorded for each IP address. An IP network probe device is configured with the statistical count storage means. (Claim 1) With this configuration, it is possible to switch between the setting of the traffic aggregation statistics for each sub-network and the setting of the statistics for each individual host IP address that constitutes the traffic component of the specific sub-network according to the situation.

The address of the network storage means has at least one predetermined area recognized as a common IP address by masking the predetermined bits of the IP address. (Claim 2) Further, the data value 1 is written in the IP address section in the range in which the sub-network exists in the network storage means and in the bit width of the prefix size of the corresponding sub-network, with the most significant bit justified. Bit pattern. (Claim 3)

Further, the IP address is separated into upper bits and lower bits including a common part, and the separated upper bits and lower bits are read by the read data of the network storage means addressed by the upper bits. , And two AND gate groups applied for each bit, and the output of any one of the two AND gate groups is used to address the statistic counting memory. (Claim 4) In addition, a part of the AND gate elements included in the two AND gate groups can be short-circuited. (Claim 5) Further, the access to the statistic count storage means is configured such that the write operation relating to the aggregate record has priority. (Claim 6)

Further, by using the IP network probe device according to any one of claims 1 to 6, all hosts constituting a traffic component are included in a range belonging to an arbitrarily designated subnetwork address. Individual I
The P-address value is monitored at the same time to collect traffic statistics. (Claim 7) Further, a plurality of sub-networks are simultaneously monitored. (Claim 8)

[0050]

BEST MODE FOR CARRYING OUT THE INVENTION An embodiment of the present invention will be described with reference to FIG. In FIG. 3, 11 is an IP address extraction unit. IP from monitored IP network transmission line
While the address is extracted and output to the IP address bus, a data valid signal indicating that a valid value is being output to the IP address bus is output.

As an example of the output specifications of the IP address extraction unit 11, the IP address bus and the timing of the data valid signal are shown in (1) and (3) of FIG. 4, respectively. As shown in FIG. 4 (3), the output of the data valid signal is delayed from the output of the valid value to the IP address bus. At this time, the IP address bus simultaneously outputs the entire 32-bit IP address value when IP ver-4.

Further, the IP address bus uses 32 bits as a whole divided into two systems as shown in FIG. In the first system, among the address bits 31 to 0 having a 32-bit structure, the continuous bit 31 including the MSB side is included.
To upper 2 to supply IP address signal from 1 to 8
It is a 4-bit bus. The upper 24 bit bus, which is the first system for receiving the IP address bus, is shown in FIG.

The second system is a lower 24 bit bus for supplying a continuous IP address signal from bit 23 to bit 0, including the LSB side, among the address bits 31 to 0 having a 32-bit structure. The lower 24 bit bus, which is the second system for receiving the IP address bus, is shown in FIG. 3 (B).

In FIG. 3, reference numeral 12 is a network memory having a depth of 16 M words and a width of 24 bits. The network memory is used in the constant read mode during the execution of the IP address statistics. The above high-order 24-bit bus
The 24-bit data supplied and read as the network memory address is output to the network data bus.

As an example of the output specifications of the network memory, (2) of FIG. 4 shows a period during which valid read data is output to the IP address bus input from the IP address extraction unit. That is, in the IP address extraction unit, the data valid signal of FIG. 4C is generated from the IP address extraction unit at the timing after the read data value of the network memory becomes valid. Therefore, during the output period of the data valid signal, both the IP address value supplied from the IP address extraction unit and the network data bus value read from the network memory are valid.

In FIG. 3, 13 is an AND gate group 2. The AND gate group 2 is composed of 24 2-input AND gates. It has a function of ANDing the respective bits of the network data bus output from the above-mentioned upper 24-bit bus and the network memory 12.
The 24-bit output result of the AND gate group 2 is output to the upper address bus.

In FIG. 3, 14 is an AND gate group 1. The AND gate group 1 is composed of 24 2-input AND gates. It has a function of ANDing the bits of the network data bus output from the lower 24-bit bus and the network memory 12 described above.
The 24-bit output result of the AND gate group 1 is output to the lower address bus.

In FIG. 3, reference numeral 15 is a write address selector. The write address selector generates a 24-bit width write address signal and outputs it to the write address bus. When the operation mode is the network address, the write address selector outputs the upper address bus from the AND gate group 1 to the write address bus. When the operation mode is the host address, the address selector outputs the lower address bus from the AND gate group 2 to the write address bus.

In FIG. 3, reference numeral 16 is an address selector. The data valid signal supplied from the IP address extraction unit 11 is used as a switching control signal to select an address value output on the INDEX bus. While the data valid signal is being input, the write address value that is the selection result of the write address selector 15 is output to the INDEX bus. When no data valid signal is input, the read address value is output on the INDEX bus.

In FIG. 3, reference numeral 17 is a statistical count memory. A 24-bit wide input address value corresponding to a depth of 16 M words is supplied via the INDEX bus, and IP is set according to the timing of the data valid signal input at the same time.
A counting operation 18 for address statistics is executed. For this reason, each data value of the memory for statistical count indicates the traffic amount indicating the number of times the corresponding IP address value is received.

Upon receiving the data valid signal, the statistic counting operation mechanism 18 receives the current IN on the statistic counting memory.
This is an operation of updating the data value pointed to by the DEX bus, which is read once from the data value in the memory for statistical counting, then added to +1 and then written to the same address. This series of operations as the statistic counting operation is shown in (4) of FIG.

In FIG. 3, reference numeral 19 denotes a CPU, which is used for the purpose of reading traffic statistical data for each received IP address from the statistical counting memory. The read data from the statistics counting memory is read via the CPU data bus.

In FIG. 3, reference numeral 20 is a read address generator. It has a function of connecting a CPU address bus from the CPU 19 and generating a read address value for collecting traffic statistical data from the IP address statistical section based on the CPU address value.

In the statistic count memory, the statistics value updating operation is prioritized in order to avoid a conflict between the statistic counting operation associated with the reception of the IP address value and the reading operation of the statistic result by the CPU. Therefore, the address generation unit monitors the reception notification signal from the address extraction unit, and while the reception notification signal is being output, that is, while the IP address statistical unit is updating the statistical value. Holds the value of the read address that is being generated, and makes the CPU wait for the read operation.

However, in the embodiment of FIG. 3, the weight controller for the CPU is omitted. Next, the operation of the embodiment shown in FIG. 3 will be described with a specific example. The IP address system used on the Internet is IPve
Taking rsion4 as an example, the concept of a network address sharing a certain range of upper bits is applied to the entire 32-bit IP address space.

The Internet has a structure in which an autonomous space in which one or a plurality of such network units are bundled is interconnected, and is convenient for reducing the burden of setting management and control of communication paths. In the Internet address system, class A uses the upper 8 bits as a common network address, class B uses the upper 16 bits as a shared network address, and class C uses a range up to the upper 24 bits as a common network address. Has been defined.

On the other hand, on the Internet, the network prefix range is defined as IP address classes A, B,
Besides applying to the three types of C, the classless internal domain routing (CIDR) network address allocation in which the class boundary is removed and the shared fixed address range is changed is also generalized.

In this way, the upper-order IP address bit value having a constant width and the address bits in a fixed range are
It is called the network prefix. The bit length that becomes a fixed range by the network prefix is
It is called a network mask. The Internet address is composed of a network address part corresponding to the bit width of the network mask on the upper side and a host address part on the lower side.

In some cases, the network area assigned with a certain network prefix may be further divided into smaller sub-networks of different sizes for IP address assignment. For example, within the area of a network prefix of 8-bit length, one sub-network has a 14-bit network prefix, and another sub-network has a 19-bit network prefix.

In general, the network prefix is
If the prefix size of up to 24 bits corresponding to class C can be handled, practically all sub-network values existing on the Internet can be expressed.

The embodiment of FIG. 3 is provided with a 16 M word deep network memory having a 24-bit address input and a statistical memory. Therefore, it is possible to execute aggregate statistics of IP address values for all networks and sub-networks up to class C having a 24-bit network prefix.

FIG. 5 shows the network memory 12 and the statistics counting memory 17 when the operation mode of the write address selector 15 in the embodiment shown in FIG. 3 is fixed to the network address side for executing aggregate statistics. Shows a usage example.

In FIG. 5, the subnetwork address 202.22 having a 16-bit prefix is used as an example.
For all traffic belonging to 5.0.0 / 16,
It is each bit setting pattern of a network memory and a statistics memory when bundling statistical values.

In the network memory 12 of FIG. 3, the upper 16-bit address value common as the sub-network address value is a bit pattern corresponding to "202.225". Address prefix 202.225.0.0/16 of the subnetwork to be statistically targeted
Indicates that since the network mask size is 16 bits long, the corresponding base address value in the network memory is represented in binary as "110010.10.111000."
It is 01.00000000 ".

A space in which only the upper 16 bits of the data bits are filled with 1 is set to 256 words in succession with the above-mentioned base address as the head. That is, the data value FFFF00h is written over the section from the CAE100h number value to CAE1FFh of the network memory. At this time, the data value 0 is set in all the remaining space of the network memory.

From the IP address extraction unit 11 of FIG.
When the bit IP address value is provided, the address selector 16 selects the write address bus side, and the write address selector 15 is fixed to the network address side.

Therefore, the higher 24 bits of the received IP address are set in the INDEX bus corresponding to the 24-bit address input of the statistics counting memory. However, as shown in FIG. 3, the high-order bit bus supplied from the IP address extraction unit performs AND processing for each bit with the data value 1 or 0 output from the network memory 12 by the operation of the AND gate group 213 in FIG. Be seen.

For this reason, the IND is stored in the statistical count memory.
The IP address value that can be reached via the EX bus is only the IP address setting range of the data value 1 preset in the network memory. Further, the IP address value that can be reached is a mask in which the bit width of the data value 1 is set to the upper 16 bits only, which is set as a bit pattern as shown in FIG. , But all become base address positions.

That is, the continuous data 1 setting address area of the network memory exerts a filtering action for limiting the input range with respect to the input IP address value of the statistics counting memory. In addition, by setting the continuous data 1 setting data width of the network memory to match the network mask size, the aggregation operation for the base address of the statistics counting memory corresponding to the network IP address value that is the common value of the mask range is performed. Exert.

As a result, in writing, the IP address value input from the address extracting unit is 202.22.
For all IP datagrams belonging to the range of 5.0.0 to 202.2225.255.255, all are the base address “202.225.0” of the statistical memory.
Are summarized in the address corresponding to. As a result, each traffic having 64K host IP address values belonging to the network address 202.225.0.0/16 is aggregated and statistically collected at one address.

In the example of FIG. 5, the method of aggregating the total traffic volume for one network address of 16-bit prefix has been described. When the operation mode of the write address selector 15 is set to the network address side in the embodiment shown in FIG. 3, the traffic aggregation statistics can be simultaneously executed for the networks of all prefixes in the range from Class A to C. Ie 2
If the network has a prefix of 4 bits or less, it is possible to execute address statistics on a network-by-network basis simultaneously in parallel for all existing address spaces in the Internet. Also in this case, as shown in FIG. 5, the IP address range to be aggregated as a statistical object is designated by the bit pattern of the network memory, and the aggregated portion becomes the corresponding base address of the statistical count memory.

For example, when further adding traffic aggregation statistics of a network having 8-bit network pre-hooks to the setting state of FIG. 5, if the target IP network address is “32.0.0.0/8”, The additional settings for network memory and statistics memory are as follows. "32.0.0.0" for network memory
Corresponding to the data value "FF0" over continuous 64K words from address 200000h to address 20FFFFh.
000h "is written. In the memory 17 for statistics counting, about 16M I's common in the address 320000 as the base address and the network address" 32 "are common.
P-address value All traffic is aggregated and statistics are collected.

Further, when the traffic aggregation statistics function of the network having the 22-bit network pre-hooks is added to the setting state of FIG. 5, the target IP network address value is temporarily set to "210.231.220.0".
/ 22 ", the additional setting of the bit pattern of the network memory is as follows. In the network memory 12, the base address is “11010010.11.
100111.110111100 ", and therefore, the data value" FFFFFCh "over four consecutive words from D2E7DCh to D2E7DFh.
Write. In the statistics counting memory, the network address is “210.231.220”, which is common to the D2E7DCh address of the base address to be aggregated 1024
Street IP address values All traffic is aggregated and statistics are collected.

FIG. 6 shows the aggregated base address of the statistics memory in which the bit pattern setting range of the network memory and the traffic count value are aggregated when the aggregated statistics are simultaneously executed for each of the above-mentioned networks. In the setting of the bitmap in the network memory, the area other than the data 1 set in the above-described processing is the area in which the data value 0 is set.

In this way, the load status and traffic distribution for each network can be analyzed by aggregating the traffic volume for each network. Therefore, it is possible to make effective use of equipment such as a server, a hub, and a router, and to make a diagnosis when a failure occurs. Also, if there is a change in the network configuration or sub network address value,
The bit pattern setting of the network memory can be changed at any time following the changed IP address range.

As described above, I which is the range to be aggregated
The P network address space is made to correspond to the address section of the network memory, and the net mask (prefix) size of the IP network address to be aggregated is made to correspond to the bit width of the data value 1 of the network memory. Due to the effect of the bit pattern of placing the data value 1 in a specific range of the network memory set in this way, in the statistical memory performing the traffic count, the aggregation target range is compared with the base address corresponding to the IP network address. Traffic counts are aggregated.

Since the capacity of the network memory of the embodiment shown in FIG. 3 is 16 M words deep and 24 bits wide, the network mask size of 24 bits or less existing for the entire IP version 4 address space is used. All networks and all CIDR areas can be accommodated as bit patterns at the same time. That is,
The IP address range to be aggregated can be set for the entire Internet address space. On the contrary, if the bit pattern is not placed in the specific address section of the network memory, it also functions as a removal filter that excludes the network or sub-network of the corresponding IP address range from the traffic statistical object.

Next, the operation of the network memory 12 and the statistical count memory 17 when the operation mode of the write address selector 15 is fixed to the host address side in the embodiment shown in FIG. 3 will be described with reference to FIG. .

When the operation mode of the write address selector 15 is fixed to the host address side, statistics can be executed for each host IP address value which is a traffic component, instead of aggregating IP addresses as traffic on a subnetwork basis. .

In the example of FIG. 7, a network address 202.225.0.0 having a 16-bit prefix is used.
17 shows bit setting patterns of the network memory and the statistics memory in the case of executing individual statistics of all host IP addresses belonging to / 16.

In the network memory corresponding to 12 in FIG. 3, the common upper 16-bit address value "202.2
25 "corresponding to the CAE100h value to CAE1FF
FFFFFFh is written in continuous 256-word data up to h. Since it is necessary to identify the least significant bit of the IP address value, the data value 1 is always set for the entire 24-bit width regardless of the prefix range of the network address.

When the 32-bit address value is provided from the statistical address extracting unit 11 of FIG. 3, the address selector 16 selects the write address bus side, and the write address selector 15 fixes it to the host address side. ing. Therefore, the reception IP is connected to the INDEX bus corresponding to the 24-bit address input of the statistical memory.
The lower 24 bits of the address are set.

However, as shown in FIG. 3, the lower bit bus supplied from the statistical address extracting unit is ANDed bit by bit with the data value output from the network memory 12 by the operation of the AND gate group 1 in FIG. Done. Therefore, the IP address value that can reach the statistical memory via the INDEX bus is only the setting range of the data value 1 preset in the network memory.

When the 32-bit IP address is input from the statistical address extracting unit 11 of FIG. 3, only when the upper 16-bit address value “202.225”, which is limited by the network memory in advance, is input to the statistical counting memory. The 24-bit address input of is transparent. The 24-bit address input value that is input to the statistical count memory is
It corresponds to the lower side of the received IP address value.

At this time, E1000 corresponding to the base address value "225.0.0" in the statistical count memory.
Traffic statistics can be monitored for all host IP address values belonging to the relevant IP network by mobilizing all the individual addresses in the range corresponding to the 0h value to the continuous 64K words. Thus, in FIG. 7, the sub-network address value 2 with the 16-bit prefix is
64K IP limited to 02.225.0.0/16
An example of executing address-based statistics is shown.

Also, for example, a host I belonging to a class A subnetwork having an 8-bit prefix
When the statistics are executed for the P address value, if the target class A address is “32.0.0.0/8”, the settings of the network memory and the statistics memory are as follows.

In the network memory, 200,000
The data value "FFFFFFh" is written in the space covering continuous 64K words from the address h to the address 20FFFFh. On the other hand, the statistic count memory uses the entire space of the statistic count memory, and the start IP address is "32".
It is possible to monitor the distribution status of traffic components for all the host IP address values of about 16M in common.

By the way, in the embodiment shown in FIG. 3, the AND gate group 1 is simply used as a functional block that causes signals of the lower 24 bit address value and the network data bus value to act on each other. Therefore, in the case where the operation mode of the write address selector 15 is fixed to the host address side, the output of the network memory 12 fixes all 24 bits of data in the corresponding network address range to 1 as described above.

In the embodiment of FIG. 3, when the operation mode of the write address selector 15 is fixed to the host address side, when statistics for each host IP address are targeted for a plurality of network address ranges, FIG. The configuration of the AND gate group 1 may be changed as shown in FIG.

In FIG. 8, of the AND gates constituting the AND gate group 1 of FIG. 3, eight AND gates in the range corresponding to the upper 8 bits are deleted, and instead, for the upper 8 bits, In this embodiment, the network data bus value is directly transmitted to the write address bus side.

In FIG. 8, two different network address areas "210.130.0.0/16" and "21" are used.
1.130.0.0/16 ”is a usage example of the network memory when the statistics of the host IP address values that are the respective traffic components are simultaneously executed in parallel.

"D28200" corresponding to the upper 24 bit value "210.130.0" including the network address
Data of value "00FFFFh", for example, is stored in a network memory area of continuous 64K words starting from the address "h".

Next, the top two including the network address
"D38" corresponding to the 4-bit value "211.130.0"
For example, data of the value "01FFFFh" is stored in the range of the network memory of continuous 64K words starting from the address 200h ".

On the other hand, in the statistical count memory, the address 0 corresponds to the IP address “210.130.0.0” and the address 10000h value corresponds to the IP address “21”.
1.130.0.0 ". Statistics for individual host IP addresses belonging to both sub-networks are executed in parallel in a space of continuous 64K words from each base address.

That is, "2" which is the upper 8-bit side data value of the bit pattern set in the network memory.
00h for identifying "10.130.0" and "21
This is because 01h for identifying "1.130.0" is directly used as the upper 8 bits of the statistical memory write address. In this way, the component statistics of a plurality of networks can be implemented in parallel.

As described above, when the upper 24 bit bus corresponding to the upper side of the IP address is connected to the write address supplied to the statistical memory, the address range in which the data value 1 set in the network memory exists And the data width, the IP address range to be aggregated in the statistical memory can be set arbitrarily.

On the contrary, the write address supplied to the statistical memory is the lower 24 bits corresponding to the lower side of the IP address.
When the bit bus is connected, the data output value of the network memory corresponding to the input value of the high-order 24-bit side IP address enables only the continuous space of the statistical memory to enable the hosts belonging to the corresponding network. I
Statistics by P address can be executed. This makes it possible to grasp the traffic statistical distribution for clarifying the traffic component composition of the network.

Thus, if the upper 24 bits are targeted for a single 32-bit IP address bus,
Network oriented address value aggregation statistics that can grasp a wide range of traffic trends at a time can be executed. Conversely,
If the lower 24 bits are targeted, host-oriented address component statistics with higher resolution can be realized in order to clarify the traffic component of a specific segment or network.

That is, the range of traffic statistics by IP address can be switched depending on the situation or purpose to apply "widely and shallowly" to the entire IP address space or "deeply and narrowly" to the specific IP address space. Can be operated flexibly.

The system of the present invention can be made clearer and simpler than the conventional CAM system shown in FIG. 1 which requires a complicated peripheral control circuit. CA
Instead of M, a RAM that can be controlled more easily and a large-capacity device is easily available can be utilized, so that the performance and reliability of traffic statistics can be significantly improved.

Assuming that the conventional example shown in FIG. 1 has a CAM capacity of 1
With 6K words, only 16K host IP address values are subject to traffic statistics at the same time. On the other hand, in the embodiment of the present invention shown in FIG. 3, the host IP address value corresponding to a maximum of 16 M words can be simultaneously monitored. In addition, it is possible to have an aggregate statistics function for aggregating the traffic volume of the belonging host IP address value for an IP network range in which an arbitrary range can be designated.

In the present invention, in order to accommodate all existing network prefixes in IP version 4, the network memory capacity is set to 1 for the input address of 24 bits.
It has a 6M word structure. As described above, the network memory of the present invention is applicable to all networks having a prefix size of 24 bits or less for all IP address spaces when performing aggregate statistics in network units for the upper 24 bits. It can be defined and accommodated by bit patterns.

Of course, the network memory may be realized with a smaller size, for example, a 20-bit address of 4 M words, or conversely with a larger size. The same applies to the size of the statistical memory shown in FIG.

However, each bit width of the address and data of the network memory is the maximum number of bits of the network mask size to be aggregated, and the address bit width of the statistical memory is the maximum number of host IP addresses that can simultaneously trace traffic. Become. Further, although the present invention has been described by taking the IP version 4 network IP / host IP address statistical mode having a 32-bit IP address space as an example, the present invention can be similarly applied to a network of a 128-bit IP version 6 address system.

That is, in the IP probe apparatus implementing the present invention, by selecting the upper side of the IP address space, the IP network address aggregation statistical mode for the wide area is set, and conversely, the lower side of the IP address space is set. By selecting, both of the IP host address component statistical modes for targeting one or more limited spaces can be used according to purpose.

[0116]

According to the inventions described in claims 1 to 6, by having the configuration described in the claims, firstly, there is provided a mechanism capable of arbitrarily designating a space range of a network address value without limitation. With the provision, the aggregation statistics for aggregating the traffic volume of the IP address value for each network has an effect that the network address space range to be aggregated can be freely set for all the address spaces of the Internet. Secondly, it is possible to simultaneously monitor the traffic for all the individual host IP address values that make up the traffic component of the arbitrarily specified sub-network address for the entire address space of the Internet. . Thirdly, the IP address aggregation statistics per network, which is the first effect, and the IP address component statistics per network, which is the second effect,
The effect is that the same traffic statistical resource can be switched and shared depending on the situation and purpose.

According to the invention described in claims 7 and 8,
Traffic statistics can be obtained by simultaneously monitoring the individual IP address values of all the hosts that make up the traffic component within the range that belongs to the arbitrarily specified subnetwork address.

[Brief description of drawings]

FIG. 1 is a diagram showing a configuration of a conventional probe device for an IP network that registers an IP address of a statistical target by using a CAM (Content Addressable Memory).

FIG. 2 is a flowchart for explaining an operation algorithm of a write controller 3 in FIG.

FIG. 3 is a diagram showing a configuration of an IP network probe device of the present invention.

[Figure 4] IP address bus, network bus, INDEX
It is a figure which shows the timing of the signal of a bus, and a data valid signal.

FIG. 5 is a diagram illustrating a usage example of a network memory and a statistics counting memory.

FIG. 6 is a diagram showing an aggregate base address of a statistical memory in which a bit pattern setting range of a network memory and a traffic count value are aggregated.

FIG. 7 is a diagram showing an example of executing a 64K IP address-based statistic by limiting to a sub-network address value having a 16-bit prefix.

FIG. 8: Of the AND gates constituting the AND gate group 1 of the present invention, eight A's in a range corresponding to the upper 8 bits
FIG. 11 is a diagram showing an example in which the ND gate is deleted and instead, for the upper 8 bits, the network data bus value is directly transmitted to the write address bus side.

[Explanation of symbols]

11 IP address extractor 12 Network memory 13 AND gate group 2 14 AND gate group 1 15 Write address selector 16 address selector 17 Memory for statistics counting 18 counter mechanism 19 CPU 20 Read address generator

Claims (8)

[Claims] 1. A probe device for an IP network, which is connected to a transmission path of an IP network to be monitored and performs aggregate statistics of traffic from received IP datagrams, wherein an IP address value is extracted from the IP datagrams.
P address extracting means, network storage means in which identification data for distinguishing an IP address space indicating an arbitrary subnetwork area and the entire IP address space are stored, and an address indicating the arbitrary subnetwork area Or
A probe device for an IP network, comprising: a storage unit for statistical count in which traffic is aggregated and recorded for every IP address. 2. The address of the network storage means has at least one predetermined area recognized as a common IP address by masking the predetermined bits of the IP address. The probe device for an IP network according to claim 1. 3. A bit in which the data value 1 is written in the IP address section of the range in which the sub-network exists in the network storage means, and the bit width of the prefix size of the corresponding sub-network is filled with the most significant bit. The probe device for an IP network according to claim 5, which has a pattern. 4. The IP address is separated into upper bits and lower bits including a common part, and the separated upper bits and lower bits are read by the read data of the network storage means addressed by the upper bits. ,
And a group of two AND gates applied for each bit, wherein the output of any one of the two groups of AND gates addresses the statistic counting memory. The IP network probe device described. 5. A included in the two AND gate groups
The probe device for an IP network according to claim 4, wherein a part of the ND gate element is configured to be short-circuitable. 6. The I according to any one of claims 1 to 5, wherein the access to the statistic count storage means is prioritized for a write operation related to a tabulation record.
Probe device for P network. 7. The I according to any one of claims 1 to 6.
A traffic statistic method for simultaneously monitoring individual IP address values of all hosts constituting a traffic component within a range belonging to an arbitrarily designated subnetwork address using a P network probe device. 8. The traffic statistical method according to claim 7, wherein a plurality of sub-networks are simultaneously monitored.