JP2005286684A - Traffic flow measuring environment setting system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a traffic flow measuring environment setting system capable of collecting detailed traffic information related to a required flow using traffic information being obtained from a plurality of network apparatus without increasing managing traffics in sampling system. <P>SOLUTION: In the measuring system having a measuring server for grasping the performance of a network by collecting traffic information from network apparatus, the measuring server comprises a means for collecting flow information at a high sampling rate at such a position as the traffic concentrates, a means for judging an abnormal state based on the flow information, a means for identifying a network apparatus close to a flow source becoming abnormal based on the judgment results of abnormal state of flow, and a means for decreasing the sampling rate of an identified network apparatus. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to traffic measurement that collects traffic information output from a network device and analyzes the behavior of the network.

  For the purpose of grasping traffic flowing from the network device to the network, there is a means for outputting statistical information that flows to the network (for example, traffic flowing from the end host to the end host). Among them, there is a sampling method that creates flow information by focusing on any packet flowing in the network, instead of outputting flow information by focusing on all packets in order to improve operational management efficiency (Non-patented) Reference 1). In the method of collecting these pieces of information, sampling information collected from individual network devices can be displayed. However, although it has a function to change the sampling setting, there is no description of how to change it.

  On the other hand, collection of management information from a network device is generally performed using SNMP (Simple Network Management Protocol). In this case, periodic information request processing (ie, a network management device or network device) Polling) collects time-series management information. On the other hand, Patent Document 1 has means for changing the polling interval of information collection from the network load.

JP 2002-141921 IETF RFC 3176: “InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks” (September 2001)

  In the case of the sampling method, it is necessary to determine the sampling rate set in the network device. Here, the sampling rate is a value such as one of N packets flowing through the network, and N must be determined according to the situation. Since an error occurs depending on the sampling rate, it is difficult to grasp the actual traffic situation. When the sampling rate is increased, the amount of traffic output from the network device to the management device increases, and the load on the management device and the amount of traffic generated in the management network increase.

  On the other hand, if the setting limit of the overall sampling rate is determined in consideration of the network load in order to reduce the traffic volume, the network state cannot be grasped with the required number of samples.

  As for the network configuration, network traffic such as servers and clients close to the LAN is low speed, and the network device at the center of the network is configured to aggregate traffic and increase the transfer speed. Therefore, in order to solve this problem, in the network device constituting the network, means for collecting flow information at a high sampling rate at a location where traffic is concentrated, and judgment means for judging an abnormal state based on the flow information And a means for identifying a network device close to the flow source that becomes abnormal based on the determination result of the abnormal state of the flow, and a means for reducing the sampling rate with respect to the identified network device.

  By using traffic information obtained from a plurality of network devices, it is possible to collect detailed traffic information related to a required flow without increasing management traffic by a sampling method.

  Embodiments according to the present invention will be described with reference to FIGS.

  FIG. 1 shows a conceptual configuration of a flow measurement system according to the present invention. The host (202) transmits various traffics to the opposite host via the network device (201). Network devices (201, 203, 204, 205) such as routers and switches transfer packets to the opposite host based on the destination information of the packets sent from the host and the forwarding information held by themselves. At the same time, the network device (201, 203, 204, 205) extracts a sampling packet based on the sampling rate, transmits a packet of a copy of the sampling packet to the measurement server (10), or notifies the measurement server (10) of information related to the sampling packet. . One network device (205) is connected to another network (210) like an Internet connection. The measurement server (10) has a function of collecting and analyzing sampling information notified from the network device (201), and a function of setting a sampling port and a sampling rate for the network device. The network management server (20) collects network configuration information, failure information, and the like and monitors the network. In this configuration, the measurement server (10) and the network management server (20) are handled as different devices, but may be realized by one device. Further, the measurement server (10) has a function of setting sampling for the network device and a function of collecting sample packets, but each function may be implemented in a separate device.

  FIG. 2 shows an example of components of each server that implements the flow measurement system according to the present invention. The measurement server (10) is a communication control unit (11) for exchanging data with a device that outputs flow statistics information, such as a router or switch to be monitored, a calculation area for program processing, and a result storage area Work memory (12) used as a database, database (13) for storing various information such as sampling data and flow information, program memory (14) for storing programs related to management and measurement, and execution of programs stored in program memory A central processing unit (CPU) (15) for controlling access to the database, a CRT display (16) for displaying the configuration and setting information of the measurement system, a keyboard (17) and a mouse (for inputting initial conditions and various information) 18) and an input / output control device (19) for controlling the input / output device.

  The program memory (14) includes a network information collection program (141) for controlling configuration / state information collection by communicating with the network monitoring function, and a sampling setting program for setting a sampling rate and a measurement port for the network device. (142), a flow information collection program (143) for collecting and storing sampling packets notified from the network device, a flow analysis program (144) for analyzing flows based on the collected sampling packets, and based on the flow analysis results A sampling change program (145) for changing the sampling rate is included.

  The network management server (20) includes the same communication control device (21), program memory (22), work memory (23), CPU (24), and database (25) as the measurement server. Among them, there are a configuration / state information collection program (26) for collecting various management information from a network device and storing it in a database, and a management information providing program (27) for providing management information stored in the database. The database stores management information such as the configuration and status of network devices.

  When the network management server (20) and the measurement server (10) are mounted on the same device, the configuration / status information collection program (26) and the management information provision program (27) on the network management server are installed on the measurement server. It indicates that the database (25) that exists in the program memory (14) and stores the management information also exists in the database (13) on the measurement server. When the setting function and collection function of the measurement server (10) are implemented on separate devices, the sampling setting program (142) on the measurement server and the information necessary for measurement settings in the database are stored on separate devices. Will be.

  Next, the operation of the flow measurement system in the present embodiment will be described.

  In the flow measurement system, initial setting processing to set the flow of interest, change processing to actually monitor network traffic and change the sampling rate when abnormal flow is found, sampling rate when abnormal flow disappears The recovery process to return to the original will be shown respectively.

  First, an initial setting process for setting a flow of interest will be described.

  In the initial setting process, a flow of interest is set by the management operator. The flow can be set according to various conditions. FIG. 3 shows elements of flow conditions that can be set in this embodiment. For example, when the flow information (301) is “destination subnet flow”, the intended one (302) is “destination subnetwork address”, and its value (303) is “1”. In the case of “application flow”, “port number” is “4”. An actual flow type identifier is set by a combination of these elements. That is, if the value of the flow type identifier is “3 (= 1 + 2)”, it has both conditions of “destination subnet flow” and “source subnet flow”, and this flow is transmitted to a certain subnetwork and a certain subnetwork. Represents a combination of flowing flows. This table is stored in advance in the database (13) on the measurement server, and the management operator sets the flow type identifier based on this table. In addition, a network device to be measured may be specified at the time of setting, and a flow analysis time indicating a time interval for performing flow statistics from the initial sampling rate and collected data is also set. Further, if necessary, flow information to be focused on when changing the flow sampling can be designated as a flow type identifier. The set flow measurement conditions are stored in the database (13).

  FIG. 4 shows the stored initial condition table (400). The initial condition table identifier (401) uniquely specifies this data. The flow type identifier (402) represents a condition for flow analysis. The flow export list (403) indicates a group of devices such as routers that output sampling packets for calculating flows. This data includes not only the target network device but also the port number for monitoring packets on that device. Here, an export agent having a port number of 1 for a network device having an IP address of E.F.G.H, and an export agent having all port numbers (*) being set for a network device having an IP address of A.B.C.D. The changed flow type identifier (404) represents a flow type identifier for performing flow analysis after changing the sampling rate. Here, the post-change flow type identifier is set to 24, and the flow information (310) is changed to execute flow information collection regarding “destination host” and “source host” (value: 8 + 16). The default sampling rate (405) indicates a sampling rate set first. The flow analysis time (406) is a time interval for performing flow analysis. The threshold value (407) is a value for determining an abnormal state with respect to the flow. The threshold in this embodiment is determined to be abnormal when the flow analysis result is below a certain value, but in addition to this, when the value becomes above a certain value, As a flow distribution at the port, a case where an arbitrary flow is larger or smaller than a certain ratio (for example, 60% of all sample values) can be taken as a threshold value.

  This table may be set for each network device. In this case, a plurality of initial condition tables (400) exist in the database (13). The management operator stores the above information in a database using a mouse or a keyboard, and starts the sampling setting program (142).

  When the sampling setting program (142) is started, the sampling setting program (142) sets, based on the initial condition table (400) existing in the database (13), if the sampling condition is not set in the target network device.

  This completes the initial setting process.

  Next, the changing process will be described.

  FIG. 5 is an overview of the overall process flow in the change process.

  Here, it is assumed that the sampling setting program (142) is used in the initial setting process so that the central network device (203) is set to capture a packet at a rate of one in 10,000. . Further, in the flow analysis, based on the initial conditions set in FIG. 4, the flow analysis is performed in units of subnetwork (a pair of destination subnet and source subnet). Flow analysis is executed with the source address pair as one flow.

  In this state, the flow collection program (143) having a packet information collection function on the measurement server collects the sampling packets notified from the apparatus and stores them in the database. When a predetermined time has elapsed, the flow analysis program is notified (501).

  When receiving the notification, the flow analysis program (144) creates flow information obtained based on the flow type identifier in the initial condition table (400) and stores it in the database (13).

  FIG. 6 shows an embodiment of the data format of the flow information held. The flow identifier (601) is a value that uniquely identifies the flow information (600). The flow condition identifier (602) represents which flow is focused on. The export agent (603) indicates a network device that is a basis of flow data, that is, a network device from which sampling packets are extracted. Here, the IP address is E.F.G.H and the port number 1 is designated. The reference list (604) indicates an identifier of flow information created when an abnormality is identified. The flow history (605) represents the flow information, from the measurement time (606) representing the time for calculating the flow information to be stored, the sample value (607) by the sample data, and the network device set in the calculated flow information. Output data sampling rate (608). Finally, the attribute (609) indicates whether this table was created by sampling change or not, and in this embodiment, what was monitored in advance has a value of “M”, and at the time of sampling change If created, it has a value of “S”.

  FIG. 7 is a table showing the flow conditions to be analyzed. The flow condition identifier (602) is used to refer to this table. The flow condition table (700) includes a flow condition identifier (701) for uniquely specifying the table, a flow type identifier (702) for identifying a flow, and flow information definition data (703) set according to the flow identifier. . The flow type identifier (702) is the same as the flow type identifier (402) described in the initial setting process. The example of FIG. 7 is a flow condition for a flow table created according to the initial condition table (400), and “3” is set as the flow type identifier. The flow definition data (704) stores the actual IP address of the flow condition specified by the value of the flow type identifier (value 1 and value 2 in FIG. 4). Here, the destination subnet and the source subnet are stored. An IP address is stored.

  Flow information indicating how many packets have passed to the target flow group is calculated from the stored sampling packets based on the flow type in the flow table (502).

  When analyzing the flow, the flow analysis program (144) compares it with the flow data in the database, and if it is existing flow information, adds the calculated time and the calculated value to the flow history (605). If it is a new flow, a flow information table is created in the database, and a sampling value for the found flow is stored in the flow history (605). When the flow analysis process ends, the flow analysis process notifies the sampling change determination program (145) of the end of the process.

  The sampling change determination program (145) performs the sampling change process if the flow determination condition threshold is exceeded based on the flow result calculated this time (504). If the flow does not exceed the threshold value, the process is terminated, and the packet collection program waits for the elapse of time until the next flow analysis (505).

  FIG. 8 is a flowchart showing an outline of processing of the sampling change program.

  When there is an abnormality in the flow, the sampling change determination program (145) checks whether the source address information is included in the flow definition from the flow type identifier in the data table of the flow determined to be abnormal (801) ). If not, the sampling packet related to the abnormal flow is collected from the sampling packets stored in the database. Then, the address information of the packet that must be extracted from the sampling packet is collected (802). When the address information becomes clear, the sampling change program identifies the edge network device including the target address information using the configuration information collection program (803).

  When requested, the configuration information collection program first collects a network device having a destination network address from a network device at the edge of the network with respect to the configuration / state collection program (26) on the network management server (20). In the case of traffic from the external network (205), the source address may be different from the address of the network device. Thus, if it does not exist, the route that reaches the destination address via the network device that output the capture packet is selected based on the connection relationship between the network device and the routing table of the network device, and the measurement target Narrow down the route to solve the network device, and identify the network device as the entrance.

  When the sampling change determination program (145) identifies the target network device, the sampling change determination program (145) collects information on the entire packet passage to the interface of the network device that monitors the flow via the network monitoring server, and sends it to the target network device. A sampling rate is determined (804).

  FIG. 9 shows the relationship between the sampling rate and the packet passing number. The packet passing number (901) is the total number of packets flowing through the interface that performs sampling. The sampling rate (902) is the maximum value of the sampling rate that can be set in the network device, and may be set to be equal to or less than a specified value. For example, if the packet passing number is 100,000 pps, the packet sampling rate may be set between a value of 1 in 10 and a rate of 1 in 1,000. Here, considering the load of the network device, the maximum sampling rate is taken in each range.

  As described above, when the network device is identified and the sampling rate is determined, it is determined whether the same data as the changed condition exists in the flow data in the database. If it exists, the table identifier is set in the reference list (604). If it does not exist, a flow data table (600) of the corresponding flow is newly created, and the attribute (609) of the created table is set to “ S ”, and the table identifier is set in the reference list (604) (805).

  As described above, the sampling change program identifies the sampling rate to be changed and the network device to be changed, and notifies the sampling setting program and the flow analysis program (806).

  The sampling setting program sets the sampling rate for the network device that specifies the specified sampling rate.

  The flow analysis program checks the collection of sampling packets from the network device notified from the sampling setting program and the flow analysis conditions. If the flow conditions to be analyzed are different, the flow analysis program performs calculation based on them. At this time, if the sampling rate of the sampling packet within the analysis time has changed from before, the sampling value is stored in the flow data at the time interval up to that point, and the sample value at the remaining time is further added. .

  The above is the change process.

  Finally, the recovery process to restore the final flow analysis will be described.

  FIG. 10 is a flowchart showing an overall outline of the recovery process. The flowchart representing the overall processing outline also includes the changing process outline described with reference to FIG. In FIG. 5, only the process focused on the change process is described, and the program group in this embodiment performs the operation described below including the change process and the recovery process.

  First, the flow collection program collects the sampling packets, stores them in the database, and notifies the flow analysis program when the flow analysis time interval is reached (501). Then, the flow analysis process calculates each flow statistical information based on the sampling packet (502). Thereafter, the flow analysis program (144) notifies the sampling change determination program (145) of the end of the process.

  The sampling change determination program (145) searches for flow data having flow information to be analyzed, and creates new flow data if it does not exist. When the flow data exists, it is determined whether the recovery condition is satisfied (1001). The recovery condition is when the flow data exists, the current flow analysis result does not exceed the threshold value, and the previous sample value is taken using the data history (605), and this value exceeds the threshold value. Indicates the case. In other cases, that is, when the current flow analysis result exceeds the threshold value, or when the previous flow data does not exceed the threshold value, it is determined whether the sampling change condition is satisfied (1002).

  Sampling change conditions refer to the case where the previous flow analysis result does not exceed the threshold and the current flow analysis result exceeds the threshold. In this case, a new sampling change process is performed (1003). In this sampling change process, processes (504) to (507) after detecting an abnormal flow from the flow information of FIG. 5 are executed.

  If the sampling change processing condition is not satisfied, the subsequent processing is not performed and the process waits for the next flow analysis.

  When the recovery condition is satisfied, the flow analysis process extracts the reference list (604) in the flow data (600), and extracts the target flow data based on the table identifier contained therein (1004). . Then, the flow data table in which the export agent information in the extracted flow data has the same value is searched (1005). At this time, it is determined whether or not the extracted flow data is only data extracted from the reference list, and the attribute of each flow data is “S” (that is, created at the time of sampling) (1006). . If all the attributes are “S”, it is not necessary to sample from the target network device, so a request to delete the sampling value set in the target network device is made to the sampling setting program (1007 ). If at least one “M” exists, it is determined that the flow analysis using the data from the network device has been performed before the sampling change, and a request is made to return the original sampling to the sampling change program. Output.

  The sampling setting program changes the sampling setting from the target network device according to the request of the sampling change program.

  The above is the recovery process.

  Through the above processing, when it is determined that an arbitrary flow is abnormal, the sampling rate is changed and added from the network device on the edge side of the managed network, thereby making the data of the entire sampling packet unnecessary. It is possible to automatically grasp the flow trend related to the target flow without increasing it.

  Finally, the flow distribution display will be described with reference to FIGS.

  FIG. 11 shows an embodiment in which the flow statistical information displayed on the CRT (16) is displayed as a graph. The flow statistical information graph (1101) has information (1102) of the network device (EFGH-1) to be monitored. The actual traffic (1103) estimated by the sampling value is plotted on the vertical axis and the measurement time ( 1104) is displayed. At this time, (1105) shows the trend of the flow exceeding the threshold. The analogy value (1103) is calculated by displaying a value obtained by integrating the sampling rate from the sampling value.

  In this graph, all the flows that pass through the boat number 1 of the network device (EFGH) are displayed. However, for example, only the upper flow may be displayed with a large number of packets including the target flow. . In this graph, the flow information for the network device (identified network device) after the sampling rate change processing according to the present invention is executed can be seen for the flow (1105) exceeding the threshold. For this screen transition, the target flow (1105) may be selected, or transition may be made from a menu.

  FIG. 12 shows the graph after the screen transition displayed on the CRT (16). In this graph (1201), the monitoring target is changed to port number 1 of the identified network device (G.H.I.K), and the flow of port number 1 of the network device is displayed. According to FIG. 12, it can be inferred that the reason for the decrease in the flow (1105) in FIG. 11 is the decrease in the flows (1202) and (1203).

  FIG. 13 shows a display example when the flow information displayed on the CRT (16) is collected at the initial sampling rate before the sampling rate is changed. In this case, this is an example relating to a graph display of flow information having different sampling rates. In this case, since the sampling rates are different, the background color is changed for sections with different sampling rates. Thereby, it can be visually determined that the sampling rate of the analogy value has changed.

  In the present embodiment, the background color is changed in order to visually show the changed part of the sampling rate. However, the line color of the graph may be changed or the color of the time axis may be changed. .

  As another display method, the vertical axis (1102) may be displayed as a ratio, or the actual sample value may be displayed. In the case of an actual sampling value, when a plurality of sampling rates are included as shown in FIG. 13, they are displayed in accordance with either sampling rate. For example, if the value is adjusted to the value after the sampling change, the display value of the sampling value before the change is corrected by the following expression.

(Display value) = ((sample value) / (original sampling rate))
× (Sampling rate after change)

  It is used when you have your own network, such as a carrier or Internet service provider, and you want to analyze traffic problems using flow information for operational management.

It is a figure showing one structure of the network and management system of the monitoring object in this invention. It is a figure showing the detailed structure of the measurement system in this invention. It is one structure of the table showing the flow conditions which can be set in this invention. It is one structure of the initial condition table which stored the conditions for traffic analysis in this invention. It is a flowchart showing the whole process outline | summary of the change process in this invention. It is one structure of the flow data which stores the flow information in this invention. It is one structure of the table which stored the flow conditions for identifying a flow in the flow data in this invention. It is a flowchart showing the process outline | summary of the sampling change determination in this invention. It is one structure of the table showing the relationship between the sampling rate in this invention, and the total packet passage number from a network apparatus. It is the flowchart which showed the change and recovery processing outline in this invention. It is one structure of the graph showing the trend of the flow in the initial sampling environment in this invention. It is one structure of the graph showing the trend of a flow based on the data collected after the sampling change in this invention. It is one structure of the graph showing the trend of the flow when the data collected after the sampling change in the present invention and before the change are mixed.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Management communication network, 10 ... Network management apparatus, 11 ... Communication control apparatus, 12 ... Program memory, 13 ... Management information database, 14 ... Central processing unit, 15 ... Work memory, 16 ... Display, 17 ... Keyboard, 18 ... mouse, 19 ... input / output device, 20 ... managed device, 21 ... communication device on managed device, 22 ... configuration information provision processing device

Claims (6)

It consists of a network device that outputs traffic information that flows through the network and a measurement server that collects traffic information from any network device and grasps network performance in order to grasp traffic information in a network consisting of multiple network devices. In the measurement system, the measurement server
Means for calculating statistical information of a flow that is a collection of packets output from an arbitrary network device based on traffic information collected from the network device;
Means for identifying another network device through which a packet constituting the flow passes when the statistical information of the flow satisfies a condition requiring further monitoring;
A measurement system comprising: means for requesting traffic monitoring in order to monitor the flow information requesting further monitoring from the identified network device. A network device that outputs a part of traffic information flowing through the network to grasp traffic information in a network composed of a plurality of network devices, a measurement server that collects traffic information from any network device, and grasps network performance In a measurement system composed of:
Means for calculating statistical information of a flow that is a collection of packets output from an arbitrary network device based on traffic information collected from the network device;
Means for identifying another network device through which a packet constituting the flow passes when the statistical information of the flow satisfies a condition requiring further monitoring;
A measurement system comprising: means for requesting an increase in a ratio of traffic information to be output from the identified network device to monitor the flow information requesting further monitoring. 2. The measurement system according to claim 1, wherein the measurement server further stops the traffic monitoring for the network device that has requested the traffic monitoring when the statistical information of the flow no longer satisfies the condition for requesting further monitoring. Measuring system characterized by providing means for requesting 3. The measurement system according to claim 2, wherein the measurement server further calculates a ratio of traffic information output by the network device that has requested the traffic monitoring when the flow statistical information no longer satisfies the condition for requesting further monitoring. Measuring system characterized by providing means for returning to In the measurement system according to claim 1 or 2, the network device for the measurement server to identify is:
It is a network device having an interface through which packets constituting a flow enter a network to be managed. In the measurement system according to claim 1 or 2, the measurement server includes:
First of all, monitor the traffic for the network device where the traffic is concentrated.
A measurement system characterized by identifying a network device that has an interface through which a packet constituting the flow enters the managed network when the flow statistical information satisfies a condition that requires further monitoring.

Images