JP2009290436A - Communication data statistic device, and communication data statistic method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a technology by which the statistics of communication data can be efficiently taken even in a high-speed communication line. <P>SOLUTION: A communication data statistic device has a subordinate data update portion recording the statistics of a first flow in a first memory, and a superior data update portion recording the statistics of a second flow in a second memory. The subordinate data update portion takes the statistics of values of different type identifiers which are flow identifiers included in a second flow identifying condition but not included in a first flow identifying condition based on control information received from the superior data update portion at the time of recording the statistics of the first flow in the first memory, and registers the statistics of the different type identifiers associated with the statistics of the first flow in the first memory. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a technique for collecting statistics of communication data flowing through a network.

  The Internet has become established as an important social infrastructure, and not only conventional best-effort data communication, but also communication of data that requires communication quality assurance such as voice, video, and transaction data for core business is being performed. is there. In addition, access lines have become broadband due to the spread of ADSL (Asymmetric Digital Subscriber Line) and FTTH (Fiber To The Home) technologies, and the amount of data to be communicated has increased accordingly.

  From such a background, telecommunications carriers and ISPs (Internet service providers) need a technique for collecting statistics of communication data flowing through the network in order to grasp the state of communication in the network. In particular, there is a high demand for a technique for collecting communication data statistics for each flow classified according to the transmission source and destination of communication data, the application used, the quality level, and the like.

  As a technique for collecting communication data statistics for each flow, for example, Patent Document 1 describes a cache-type flow statistics technique. In this technique, a predetermined combination of flow identifiers (for example, a source address, a destination address, a source port number, a destination port number, etc.) is acquired from the header information of the received packet, and the value of each flow identifier in the combination By counting the number of packets that are all the same, the traffic for each flow is counted.

Japanese Patent Laid-Open No. 2006-5402 JP 2006-352831 A

  Such a cache-type flow statistical technique is characterized by extremely high flow analysis capability because header information is analyzed every time a packet is received. However, since it is necessary to analyze header information for all received packets and to record the analysis results in the memory, the access speed to the memory becomes a bottleneck as the line speed increases to 40 Gbps and 100 Gbps. It may be difficult to record the necessary statistical information in the memory.

  In consideration of such problems, the problem to be solved by the present invention is to provide a technique capable of efficiently collecting statistics of communication data even in a high-speed communication line.

  SUMMARY An advantage of some aspects of the invention is to solve at least a part of the problems described above, and the invention can be implemented as the following forms or application examples.

[Application Example 1] A communication data statistics device that takes statistics of communication data flowing through a network, and includes a receiving unit that receives a packet in which a plurality of types of flow identifier values are recorded and one or more types of the flow identifiers. A subordinate that identifies the first flow of the packet based on the first flow identification condition and the value of the flow identifier of the received packet, and records the statistical information of the first flow in the first memory Based on the data update unit, the second flow identification condition including more types of flow identifiers than the first flow identification condition, and the value of the flow identifier of the received packet. And a higher-level data update unit that records statistical information of the second flow in the second memory, and is recorded in the first memory based on a predetermined statistical condition. An output unit for outputting the statistical information of the first flow or the statistical information of the second flow recorded in the second memory, and the upper data update unit includes the second flow identification The control information for taking statistics of the value of the heterogeneous identifier that is a flow identifier that is included in the condition but not included in the first flow identification condition is transmitted to the lower data update unit, and the lower data update is performed. The unit takes statistics of the value of the heterogeneous identifier based on the control information received from the higher-level data update unit when recording the statistics of the first flow in the first memory. A communication data statistics device that records statistical information of identifier values in the first memory in association with statistical information of the first flow.

  With such a communication data statistics device, the statistics of flows counted based on different flow identification conditions can be recorded in parallel in the first memory and the second memory. Therefore, even if the network is a high-speed communication line, statistics of communication data can be efficiently recorded in the memory. Furthermore, in the communication data statistics device of the above aspect, the lower data updating unit can take statistics of the values of the different identifiers based on the control information received from the upper flow identification unit. Since the heterogeneous identifier is included in the second flow identification condition but is not included in the first flow identification condition, the statistic of the value of such a heterogeneous identifier is referred to as the first flow statistic. By associating and recording in the first memory, various analyzes of the flow can be performed. Note that the statistics of the values of the different identifiers can be referred to as “different numbers”.

Application Example 2 In the communication data statistics device according to Application Example 1, the upper data update unit determines whether or not the identified second flow is a new flow as the control information. Is transmitted to the lower data update unit, and the lower data update unit indicates that the flag information received from the upper data update unit indicates that a new flow has been identified. A communication data statistics device that counts up the number of identifier values.

  With such a communication data statistics device, the lower data updating unit can easily take statistics of the values of the different identifiers based on the flag information received from the upper data updating unit.

Application Example 3 In the communication data statistics device according to Application Example 1, the lower data update unit transmits statistical period information indicating a statistical period of the first flow to the upper data update unit. The upper data update unit holds the statistical period information received from the lower data update unit as the control information transmitted next time, and the lower data update unit includes the upper data update unit. A communication data statistics device that counts up the number of values of the heterogeneous identifier when a statistical period represented by control information received from a current statistical period is different.

  In such a communication data statistical device, the statistical period represented by the control information transmitted from the upper data update unit to the lower data update unit is compared with the current statistical period, so that the heterogeneous identifier It is possible to take statistics of values.

Application Example 4 In the communication data statistics device according to Application Example 3, in the case where the lower data update unit identifies a new flow or the statistical information is output by the output unit A communication data statistics device for changing the statistics period.

  With such a communication data statistics device, it is possible to take statistics on the value of a heterogeneous identifier based on a statistical period that changes when a new flow is identified or when statistical information is output by an output unit become.

  The present invention can be configured as a communication data statistics method or a computer program in addition to the configuration as the communication data statistics device described above. Such a computer program may be recorded on a computer-readable recording medium. As the recording medium, for example, various media such as a flexible disk, a CD-ROM, a DVD-ROM, a magneto-optical disk, a memory card, and a hard disk can be used.

Hereinafter, embodiments of the present invention will be described based on several examples.
A. First embodiment:
FIG. 1 is a diagram showing an example of a network configuration including a communication data statistics device 104 as the first embodiment. As shown in the figure, the network configuration of this embodiment includes routers 101a to 101c that are connected to each other and relay packets, server 102a connected to router 101b, server 102b connected to router 101c, router The communication data statistics device 104 connected to the terminal 101a and the terminal devices 103a to 103c connected to the router 101a are included. The router 101a transmits a copy of the relayed packet (traffic) to the communication data statistics device 104 by using the mirroring technique or the sFlow technique defined in RFC3176.

  FIG. 2 is a block diagram illustrating a schematic configuration of the communication data statistics device 104 of the present embodiment. The communication data statistics device 104 is a device that takes statistics of communication data flowing through the network. As shown in the figure, the communication data statistics device 104 of the present embodiment includes a packet receiving unit 201 that receives a packet transmitted from the router 101a, a packet analysis unit 202 that analyzes a packet received by the packet receiving unit 201, A statistical processing unit 204 that performs statistical processing on the packet analyzed by the packet analysis unit 202, and a flow table (SIP-DIP-DPT table 221a, SIP-DIP table 221b, DIP table 221c, SIP) that records the result of statistical processing The memory 222a-222d which hold | maintains the table 221d), the statistical information output part 203 which outputs the result of a statistical process, and the control part 212 which controls the statistical processing part 204 and the statistical information output part 203 are provided. As the memories 222a to 222d, for example, generally distributed SDRAM or RLDRAM with reduced access latency can be used. In the present embodiment, the packet receiving unit 201 receives a packet transmitted from the router 101a, but the packet receiving unit 201 may intercept (capture) a packet flowing through the network.

  The packet receiving unit 201, the packet analyzing unit 202, the statistical processing unit 204, the statistical information output unit 203, and the control unit 212 are each configured by an FPGA (Field Programmable Gate Array). As for these, all the functions may be comprised by one FPGA, and may be comprised by separate FPGA. Further, not an FPGA but an ASIC (Application Specific Integrated Circuit) may be used.

  The packet analysis unit 202 extracts the value of the flow identifier, the packet reception time, the number of bytes, the TCP flag information, and the like from the packet received by the packet reception unit 201, and the statistical processing unit 204 extracts these extracted information. Send to. The flow identifier is information recorded in the header of the packet. Examples of the flow identifier include a VLAN ID (VID), a source MAC address, a destination MAC address, a source IP address (SIP), a destination IP address (DIP), a higher level protocol (PRT), and a source port number (SPT). ), Destination port number (DPT).

  The statistical processing unit 204 analyzes the flow of the packet based on the value of the flow identifier received from the packet analysis unit 202 and aggregates the packets for each analyzed flow. The result of the aggregation is recorded in the flow tables 221a to 221d included in the memories 222a to 222d connected to the statistical processing unit 204. The detailed configuration of the statistical processing unit 204 will be described later.

  A management terminal 211 is connected to the control unit 212. The control unit 212 performs various settings for the statistical processing unit 204 and the statistical information output unit 203 in accordance with instructions from the management terminal 211. The management terminal 211 and the control unit 212 may be connected by a network or may be connected by an interface such as RS-232C or USB.

  The statistical information output unit 203 outputs the statistical information received from the statistical processing unit 204 to an external device. The statistical information is output via an arbitrary interface set in advance, such as a network interface or a PCI bus. When outputting via the network interface, a transmission packet is generated using the destination IP address and the source IP address set by the administrator via the control unit 212. Note that the statistical information output unit 203 may output statistical information to a display device or printing device connected to the communication data statistical device 104 in addition to outputting statistical information to a predetermined interface. Good.

  FIG. 3 is a diagram showing the configuration of each flow table. The flow tables shown in FIGS. 3A to 3D are prepared for each flow identification condition including one or more combinations of flow identifiers. The flow identification condition is set by the administrator via the control unit 212, for example. The SIP-DIP-DPT table 221a is a table in which a combination of a source IP address (SIP), a destination IP address (DIP), and a destination port number (DPT) is used as a flow identification condition. The SIP-DIP table 221b is a table that uses a combination of SIP and DIP as a flow identification condition. The DIP table 221c is a table that uses DIP as a flow identification condition. The SIP table 221d is a table that uses SIP as a flow identification condition.

  In each flow table, “entry number”, “flow identification condition”, “statistical information”, and “generation identifier” are recorded. In “entry number”, a unique number uniquely indicating the type of flow is recorded. In the “flow identification condition”, the value of the flow identifier included in the flow identification condition is recorded. For example, the SIP value is recorded in the flow identification condition of the SIP table 221d, and the SIP and DIP values are recorded in the flow identification condition of the SIP-DIP table 221b. In “statistical information”, the number of packets counted for each flow is recorded. In the flow tables other than the SIP-DIP-DPT table 221a, “difference number” is recorded as statistical information. The “difference number” is the number of packets having the same flow identifier value included in the flow identification condition but different values of the flow identifier (heterogeneous identifier) other than the flow identification condition. For example, in the SIP-SIP table 221b, the numbers of packets having the same SIP and DIP values but different DPT values are recorded as different numbers. The “generation identifier” records the generation (counting period) of the statistical information being counted. This generation identifier is incremented by one when an entry is overwritten or statistical information is output by the statistical information output unit 203. In addition to the information shown in FIG. 3, the statistical information includes information such as the number of accumulated bytes, the flow generation start time, the last update time, and the number of packets with the SYN flag set among the TCP flags. May be. Further, as the statistical information, various statistical values such as an average value, variance, deviation value, and median value of the number of packets calculated based on the number of packets of each flow may be recorded.

  The statistical processing unit 204 determines that the packets whose flow identifier values included in the flow identification conditions all match are the same flow, and obtains flow statistics by counting the number of packets for each determined flow. Then, the statistical result is recorded as statistical information in the flow table corresponding to the flow identification condition. For example, if the flow identification conditions are SIP and DIP, the packets whose values match are determined as the same flow, and the packets are counted for each flow. Then, the counted number of packets is recorded in the SIP-DIP table 221b corresponding to the flow identification condition. In the present embodiment, an example is shown in which four types of flow tables are prepared, but the number of flow tables increases or decreases according to the number of flow identification conditions.

  FIG. 4 is a diagram illustrating a detailed configuration of the statistical processing unit 204. The statistical processing unit 204 includes a plurality of data update units 401a to 401d (hereinafter collectively referred to as “data update unit 401”). The data update unit 401 receives the value of the flow identifier of the received packet, the reception time of the packet, the number of bytes, the TCP flag information, and the like from the packet analysis unit 202, and based on these information, each flow table Update. In addition, when the number of packets of each flow recorded in the flow table is equal to or greater than a predetermined threshold, the data update unit 401 transmits the statistical information of the flow to the statistical information output unit 203.

  The data update unit 401 is a processing block having the same function, and is associated with each of the flow tables 221a to 221d in a one-to-one relationship. Specifically, the data update unit 401a is connected to a memory 222a that stores a SIP-DIP-DPT table 221a, and the data update unit 401b is connected to a memory 222b that stores a SIP-DIP table 221b. The data update unit 401c is connected to a memory 222c that stores the DIP table 221c, and the data update unit 401d is connected to a memory 222d that stores the SIP table 221d. Note that the number of data update units 401 increases or decreases according to the number of flow tables.

  Each data updating unit 401 has a function of transmitting information for counting the “different number” shown in FIG. 3 (hereinafter referred to as “different number control information”) to the other data updating unit 401. . In the present embodiment, the different number control information is flag information indicating a new / existing flow. In this embodiment, the different number control information output from the data update unit 401a is transmitted to the data update unit 401b, and the different number control information output from the data update unit 401b is transmitted to the data update unit 401c and the data update unit 401d. Sent. In other words, in this embodiment, the data update unit 401 with a large number of flow identifiers included in the flow identification condition (hereinafter referred to as “upper data update unit 401”) has a flow identification condition with one less flow identifier. Different number control information is transmitted to the data updating unit 401 (hereinafter referred to as “lower data updating unit 401”).

  FIG. 5 is a diagram illustrating a detailed configuration of the data update unit 401. The data update unit 401 includes an analysis result reception unit 501, a combination extraction unit 502, an entry determination unit 503, a data comparison unit 504, a statistics update unit 505, a threshold determination unit 506, a data writing unit 507, and a flow data output unit 508. The

  The analysis result receiving unit 501 receives a flow identifier value (SIP, DIP, PRT, SPT, DPT, etc.), packet reception time, number of bytes, TCP flag information, and the like from the packet analysis unit 202. Of these, the value of the flow identifier is transferred to the combination extraction unit 502, and other information is transferred to the statistics update unit 505.

  The combination extraction unit 502 extracts a combination of flow identifiers included in its own flow identification condition from the values of the flow identifiers received from the analysis result reception unit 501. For example, in the case of the combination extraction unit 502 included in the data update unit 401b, a combination of SIP and DIP is extracted from the value of the flow identifier. When the combination extraction unit 502 extracts the value of the flow identifier, the combination extraction unit 502 transmits the extracted value of the flow identifier to the entry determination unit 503 and the data comparison unit 504. A combination of flow identifiers included in the flow identification condition is set in advance by the administrator via the control unit 212 for each data update unit 401.

  Based on the value of the flow identifier received from the combination extraction unit 502, the entry determination unit 503 determines the entry number of the flow table that records the statistical information of the received packet. Specifically, the entry number is determined by associating (mapping) the hash value of the value of the flow identifier received from the combination extraction unit 502 with the entry number. At this time, the entry determination unit 503 uses a plurality of (four in this embodiment) hash functions to avoid the determined entry numbers from being duplicated between different flow identifier values. A plurality of (four in this embodiment) entry numbers are determined. When the entry determination unit 503 determines a plurality of entry numbers, the entry determination unit 503 transmits the determined plurality of entry numbers to the data comparison unit 504 and transmits a signal for reading data from the determined plurality of entry numbers to the memory. In response to this read signal, data of a plurality of corresponding entries is transmitted from the flow table in the memory to the data comparison unit 504. At this time, the data transmitted to the data comparison unit 504 is hereinafter referred to as “flow data”. This flow data includes a flow identifier value, statistical information, and a generation identifier.

  For each of the four flow data received from the flow table 221, the data comparison unit 504 compares the value of the flow identifier included in the flow data with the value of the flow identifier received from the combination extraction unit 502. As a result of this comparison, if there is flow data in which all the flow identifier values included in the flow data match the flow identifier values received from the combination extraction unit 502 (in other words, the flow of the received packet Data comparison unit 504 transmits the flow data to the statistics update unit 505, and further transmits the entry number of the entry in which the flow data is recorded to the data writing unit 507. To do.

  For all four flow data received from the flow table 221, if the flow identifier included in the flow data does not match the flow identifier received from the combination extraction unit 502 (in other words, the flow of the received packet In the case of a new flow), the data comparison unit 504 selects one entry to be overwritten from the four entries from which the flow data has been read. Selection of an entry to be overwritten is determined based on a predetermined criterion such as an entry having the smallest number of packets in the entry or an entry having the oldest last update time. When the entry to be overwritten is selected, the data comparison unit 504 substitutes new data for the flow data of the selected entry. Specifically, the value of the flow identifier received from the combination extraction unit 502 is substituted for the flow identifier, and “0” is substituted for the number of statistical information packets and the number of differences. Also, a value obtained by adding “1” to the generation identifier before overwriting (that is, the generation identifier +1 of the entry to be overwritten) is substituted for the generation identifier 341. When new flow data is created in this way, the data comparison unit 504 transmits the created flow data to the statistics update unit 505 and transmits the entry number of the entry to the data writing unit 507.

  The statistics updating unit 505 receives the flow data from the data comparison unit 504 and receives the packet reception time, the number of bytes, and TCP flag information from the analysis result receiving unit 501. Further, the number control information is received from the upper data update unit 401. When receiving the data, the statistical update unit 505 first counts up the number of packets in the statistical information by one from the flow data.

  Further, when the statistical update unit 505 receives a flag (new flag) indicating that a new flow has been detected as the different number control information from the higher-level data update unit 401, the statistical update unit 505 sets the difference number in the statistical information to 1. Count up. For example, when the data updating unit 401b counts the number of different DPTs, when the new flag is received from the data updating unit 401a that updates the SIP-DIP-DPT table, the difference number of DPTs is “1”. Is added.

  Further, when the statistical information includes the accumulated number of bytes, the flow start time, the last update time, and the number of packets for which the SYN flag is set, the statistical update unit 505 converts these values into the analysis result reception unit. Update based on the information received from 501.

  The statistics update unit 505 transmits the flow data updated in this way to the threshold determination unit 506. Further, when the number of packets of the flow data received from the data comparison unit 504 is “0”, the statistics update unit 505 determines that the flow data is new flow data and is a new flag. Is transmitted to the flow data output unit 508.

  The threshold determination unit 506 compares the number of packets in the flow data received from the statistics update unit 505 with a predetermined threshold. As a result of this comparison, when the number of packets exceeds the threshold, the threshold determination unit 506 outputs the flow data updated by the statistics update unit 505 to the flow data output unit 508. Then, the threshold determination unit 506 resets the statistical information of the flow data to be output to zero, and counts up one generation identifier. Then, the flow data updated in this way is transmitted to the data writing unit 507. When the number of packets does not exceed the threshold, the threshold determination unit 506 transmits the flow data received from the statistics update unit 505 to the data writing unit 507 as it is. The above-described threshold is appropriately set by the administrator via the control unit 212.

  The data writing unit 507 writes the flow data received from the threshold determination unit 506 to the entry corresponding to the entry number received from the data comparison unit 504 in the flow table.

  When the flow data output unit 508 receives different number control information from the statistical update unit 505, the flow data output unit 508 transmits the different number control information to the lower data update unit 401. In addition, the flow data output unit 508 transmits the flow data received from the threshold determination unit 506 to the statistical information output unit 203.

  The detailed configuration of the data update unit 401 has been described together with the processing content. Hereinafter, for reference, the contents of the process executed by the data update unit 401 will be described in a confirming manner using a flowchart.

  FIG. 6 is a flowchart illustrating a flow table update process executed by the data update units 401a to 401d. As shown in the figure, first, each data updating unit 401 receives the packet analysis result from the packet analysis unit 202 (steps S10a to S10d), and from the analysis result, the flow identifier of the flow identifier included in its own flow identification condition. A combination is extracted (steps S12a to S12d).

  The data updating units 401a to 401d search the flow table for an entry in which the corresponding flow is recorded based on the value of the flow identifier extracted in steps S12a to S12d (steps S14a to S14d), and statistical information. Is updated (steps S20a to S20d). At this time, if the value of the flow identifier extracted in step S12b is new (step S16b), the data update unit 401b sends the different number control information indicating the new flag to the data update unit that is the lower data update unit 401. It transmits to 401c and the data update part 401d. The data update unit 401c and the data update unit 401d that have received the new flag add different numbers in steps S20c and S20d. Further, if the value of the flow identifier extracted in step S12a is new (step S16a), the data update unit 401a transmits the different number control information indicating the new flag to the data update unit 401b that is the lower data update unit 401. (Step S18a). The data updating unit 401b that has received this new flag adds a different number in step S20b. Although not shown in the figure, if it is determined in step S16b or step S18b that the value of the flow identifier has already been issued, a flag indicating that the flow has already occurred (present flag) is displayed in the lower data update unit 401. Sent.

  When the statistical information is updated, the data update units 401a to 401d respectively compare the number of packets of the update target entry with a predetermined threshold (steps S22a to S22d). If the number of packets is equal to or greater than the threshold value as a result of the comparison, the data updating units 401a to 401d output statistical information (steps S24a to S24d) and reset the statistical information after output (steps S26a to S26d). Furthermore, each of the data update units 401a to 401d increments the generation identifier of the entry to be updated by one (steps S30 and S32).

  According to the communication data statistical apparatus 104 of the first embodiment described above, the flow tables prepared for each flow identification condition are stored in different memories, and the data update unit 401 that updates the flow table further includes , Each memory is connected. Therefore, the four flow tables can be updated simultaneously. As a result, even when the line speed of the network is high, it is possible to prevent the access speed to the memory from becoming a bottleneck and reducing the statistical processing speed.

  In this embodiment, if a new flow is detected when updating the flow table, different number control information is transmitted to the lower data update unit 401. The data updating unit 401 that has received the transmission of the different number control information can update the different number in its own flow table with reference to the different number control information. Therefore, the data updating unit 401 can update different numbers at the same time as updating the number of packets, so it is not necessary to update only the different numbers independently. As a result, the number of memory updates does not increase, and as a result, it is possible to update statistical information including different numbers at high speed.

  Also, according to the communication data statistics device 104 of the present embodiment, the number of packets, the number of different packets, and the generation identifier are aggregated for each received packet flow. If the total number of packets reaches a predetermined threshold or more, these pieces of information are output as statistical information to an external device. By using the statistical information for each flow output in this way, the carrier or ISP can check the status of the transmission quality of the data at the time of providing the service. In addition, by using such information, traffic engineering for effectively utilizing network resources becomes possible. In addition, network resources can be prepared systematically by predicting customer demand, and provisioning to quickly provide network resources in response to user requests (bandwidth, service), attack detection / analysis, billing, etc. Can be done. Also, in this embodiment, since a different number of aggregation results are also output, for the flows aggregated according to the flow identification conditions, it is grasped how diffused and transmitted those flows are with respect to other flow identifiers. Can do. Therefore, it becomes possible to monitor the proliferation activity of the network worm accompanied by the port scan. Furthermore, in this embodiment, since the generation identifier is counted for each entry, it is possible to determine that there is an abnormality in access to the memory when an entry having a locally large generation identifier value occurs. become.

B. Second embodiment:
Next, a second embodiment of the present invention will be described. In the second embodiment, different numbers are aggregated by using generation identifiers.

  The communication data statistics device 104 according to the present embodiment is different from the communication data statistics device 104 according to the first embodiment in the configuration of the flow table 221, the connection state between the data update units 401, the content of the number control information, and the statistics update The operation of the unit 505 differs from the information output by the flow data output unit 508. Hereinafter, these differences will be described.

FIG. 7 is a diagram showing the configuration of each flow table in the second embodiment. In this embodiment, the SIP-DIP-DPT table 221a is different from the flow table of the first embodiment shown in FIG.
In the SIP-DIP table 221b, “different generation information” is recorded. “Different number generation information” indicates the value of the generation identifier of another flow table that counts the number of differences based on the update result of the flow table. For example, the SIP-DIP table 221b of this embodiment is used for counting the number of different DIPs when updating the SIP table 221d, and is also used for counting the number of different SIPs when updating the DIP table 221. The generation identifier values of the SIP table 221d and the DIP table 221c are recorded as different generation information in the SIP-DIP table 221b.

  FIG. 8 is a diagram showing a detailed configuration of the statistical processing unit 204 in the second embodiment. In this embodiment, each data update unit 401 transmits and receives different generation information and generation identifier values to each other. Therefore, in the statistical processing section of the first embodiment shown in FIG. 4 and the statistical processing section of the second embodiment shown in FIG. 8, the signal line connecting each data updating section 401 is one in the first embodiment. In contrast to the direction, the second embodiment is different in that it is bidirectional. In this embodiment, different generation information is transmitted and received as different number control information between the data update units 401. In the present embodiment, the generation identifier value counted by the lower data update unit 401 is transmitted from the lower data update unit 401 to the higher data update unit 401. The generation identifier value of the lower data update unit 401 transmitted in this way is recorded as several generation information different from the upper data update unit 401.

Next, the operation of the statistics update unit 505 in the second embodiment will be described based on a flowchart.
FIG. 9 is a flowchart showing the operation of the statistical update unit 505 in the second embodiment. The statistical update unit 505 of the present embodiment receives different generation information from the upper data update unit 401, and further receives a generation identifier value from the lower data update unit 401 (step S100). Upon receiving these pieces of information, the statistical updating unit 505 receives the value of the received different generation information and the value of its own generation identifier in the flow data received from the data comparison unit 504 (the value of the generation identifier received in step S100). Is not matched (step S110). If the value of the received different generation information does not match the value of its own generation identifier (step S110: No), it is determined that the flow is a new flow (step S120), and the different number is counted up by one. (Step S130). On the other hand, if the value of the received different generation information matches the value of its own generation identifier (step S110: Yes), it can be determined that the flow has already been issued (step S140). Do not count up different numbers.

  As described in the first embodiment, the value of the generation identifier is a value that is counted up when an entry is overwritten when a new flow is detected or when statistical information is output and the entry is cleared to zero. is there. That is, it can be said that the generation identifier represents a period in which the number of packets is counted in the corresponding entry. Therefore, the lower data update unit 401 compares the value of the different generation information received from the upper data update unit 401 (= the value of the latest generation identifier of itself) with the value of the current generation identifier of itself. Thus, it can be accurately determined whether the flow of the received packet has already appeared or is new. As a result, the data update unit 401 can accurately add different numbers.

  For example, the data update unit 401d that manages the SIP table 221d compares the value of the different generation information received from the data update unit 401b that manages the SIP-DIP table 221b with the value of its own generation identifier. If the values do not match, it is determined that the flow is a new flow, and the number of different DIPs is incremented by one. On the other hand, if the values match, it is determined that the flow has already been issued, and the number is not counted up. Similarly, in the data update unit 401b that manages the SIP-DIP table 221b, the value of the different generation information received from the data update unit 401a that manages the SIP-DIP-DPT table 221a and the value of its own generation identifier are obtained. If they do not match, the number of different DPTs is incremented by one. On the other hand, if the values match, it is determined that the flow has already been issued, and the number is not counted up.

  The statistical update unit 505 determines that the flow is a new flow in step S120, counts up a different number in step S130, and then performs different generation information in the flow data received from the data comparison unit 504. The current generation identifier value is transmitted to the flow data output unit 508 (step S150). That is, in the first embodiment, different number control information indicating a new flag is transmitted to the flow data output unit 508, but in the second embodiment, different generation information and a generation identifier are output as flow data. The data is transmitted to the unit 508. When the flow data output unit 508 receives the different generation information and the generation identifier from the statistical update unit 505, the flow data output unit 508 transmits the different generation information to the lower data update unit 401 and transmits the generation identifier to the upper data update unit 401. To do.

  Finally, the statistical update unit 505 holds the value of the current generation identifier of the lower data update unit 401 in the different generation information in its own flow table. The value of the generation identifier received from 401 is stored in the different generation information of itself, and the flow data is transmitted to the threshold determination unit 506 (step S160). For example, the data update unit 401a that manages the SIP-DIP-DPT table 221a stores the generation identifier value received from the data update unit 401b that manages the SIP-DIP table 221b as different generation information. Similarly, the data update unit 401b that manages the SIP-DIP table 221b stores the value of the generation identifier received from the data update unit 401c that manages the DIP table 221c as different generation information of the DIP, and manages the SIP table 221d. The value of the generation identifier received from the data update unit 401d to be stored is stored as several generation information different from the SIP.

  According to the communication data statistics device 104 of the second embodiment described above, each data updating unit 401 can accurately count the number of different data by transmitting and receiving several generations of information unlike the generation identifier. Become. In the present embodiment, the data updating unit 401 can update different numbers and different generation information at the same time as updating the number of packets, so that the different numbers and different generation information can be separated from the number of packets. There is no need to update. As a result, the number of memory updates does not increase, and as a result, it is possible to update statistical information including different numbers at high speed.

  Note that the data update unit 401 of this embodiment transmits different generation information to the lower data update unit 401 as described above. At this time, the upper data updating unit 401 may select and transmit different generation information required by the receiving side (lower data updating unit 401). For example, the data update unit 401 b that manages the SIP-DIP table 221 b selects and transmits different generation information about DIP to the data update unit 401 c that manages the DIP table 302, and manages the SIP table 302. For the data updating unit 401d to be selected, different generation information about SIP is selected and transmitted.

  In the present embodiment, the flow data output unit 508 transmits the generation identifier to the upper data update unit 401 based on the connection shown in FIG. That is, the data update unit 401d and the data update unit 401c transmit a generation identifier to the data update unit 401b, and the data update unit 401b transmits a generation identifier to the data update unit 401a. That is, in this embodiment, the generation identifier is transmitted only to the data update unit 401 related to the different number count. On the other hand, the data update unit 401d is in the data update units 401a to 401c, the data update unit 401c is in the data update units 401a and 401b, the data update unit 401b is in the data update unit 401a, and all the upper data update units. A generation identifier may be transmitted to 401. This is because even in such a case, the upper data update unit 401 counts the number of differences using a generation identifier that is related to the counting of the number of differences.

C. Third embodiment:
Finally, a third embodiment of the present invention will be described. In the first and second embodiments described above, the communication data statistics device 104 takes the form of an independent device. On the other hand, in the third embodiment, the function of the communication data statistics device 104 (hereinafter referred to as “communication data statistics function”) is implemented in the router 101 shown in FIG.

  FIG. 10 is a functional block diagram of the router 101 incorporating the communication data statistical function. The router 101 includes a reception packet processing unit 701 connected to the input line, a transmission packet processing unit 702 connected to the output line, a search processing unit 703 connected to the reception packet processing unit 701, and a traffic statistics acquisition unit 705. A routing table 704 associated with the search processing unit 703, and a router control unit 711. The router control unit 711 is connected to the management terminal 712, and performs various settings for the reception packet processing unit 701, the transmission packet processing unit 702, and the search processing unit 703 in accordance with instructions from the management terminal 712. The management terminal 211 and the router control unit 711 may be connected by a network or may be connected by an interface such as RS-232C or USB.

  The received packet processing unit 701 temporarily accumulates packets received from the input line in a buffer, and transmits the header information of the accumulated packets to the search processing unit 703 and the traffic statistics acquisition unit 705.

  When the search processing unit 703 receives the header information from the received packet processing unit 701, the search processing unit 703 refers to the routing table 704 to search for an output line as an output destination of the packet, and the search result is sent to the received packet processing unit 701. Notice.

  When receiving the search result from the search processing unit 703, the reception packet processing unit 701 transfers the packet stored in the buffer and the search result to the transmission packet processing unit 702 including the output line included in the search result.

  The transmission packet processing unit receives the packet information and the search result by the search processing unit 703 from the reception packet processing unit, and outputs the packet to the output line included in the search result.

  The traffic statistics acquisition unit 705 has all the functional blocks of the communication data statistics device 104 shown in FIG. However, in the first embodiment, the packet receiving unit in FIG. 2 receives a packet from the router 101a, whereas in this embodiment, the packet header information from the received packet processing unit 701 shown in FIG. Receive. In the first embodiment, the statistical information output unit 203 outputs statistical information to a predetermined interface, whereas in this embodiment, the statistical information is stored in the received packet processing unit 701 shown in FIG. Is output. The received packet processing unit 701 that acquired the statistical information transfers the statistical information to a predetermined network device (for example, the terminals 103a to 103c). Further, the control unit 212 in the traffic statistics acquisition unit 705 is connected to the router control unit 711, and can control the traffic statistics acquisition unit 705 via the router control unit 711.

  According to the third embodiment described above, it becomes possible for the router 101 to take statistics of communication data including different numbers.

    Although various embodiments of the present invention have been described above, the present invention is not limited to these embodiments, and it goes without saying that various configurations can be adopted without departing from the spirit of the present invention. For example, a function realized by hardware may be realized by software by a CPU executing a predetermined program. In the above-described embodiment, each flow table 221 is individually stored in the memory. However, when the amount of memory is insufficient, a configuration in which a plurality of flow tables 221 are arranged in one memory is also possible. Is possible. In the above-described embodiment, the statistical processing unit 204 includes four data update units. However, the number is not limited to the number as long as two or more data update units are included.

2 is a diagram illustrating an example of a network configuration including a communication data statistics device 104. FIG. 2 is a block diagram showing a schematic configuration of a communication data statistics device 104. FIG. It is a figure which shows the structure of each flow table. 3 is a diagram illustrating a detailed configuration of a statistical processing unit 204. FIG. 3 is a diagram illustrating a detailed configuration of a data update unit 401. FIG. It is a flowchart which shows the flow of the update process of the flow table which each data update part 401a-401d performs. It is a figure which shows the structure of each flow table in 2nd Example. It is a figure which shows the detailed structure of the statistics process part 204 in 2nd Example. It is a flowchart which shows operation | movement of the statistics update part 505 in 2nd Example. It is a functional block diagram of the router 101 incorporating the communication data statistical function.

Explanation of symbols

101a to 101c ... routers 102a and 102b ... servers 103a to 103c ... terminal devices 104 ... communication data statistics device 201 ... packet reception unit 202 ... packet analysis unit 203 ... statistical information output unit 204 ... statistical processing unit 211 ... management terminal 212 ... control Unit 221a to 221d ... flow table 222a to 222d ... memory 401a to 401d ... data update unit 501 ... analysis result reception unit 502 ... combination extraction unit 503 ... entry determination unit 504 ... data comparison unit 505 ... statistic update unit 506 ... threshold determination unit 507 ... Data writing unit 508 ... Flow data output unit 701 ... Reception packet processing unit 702 ... Transmission packet processing unit 703 ... Search processing unit 704 ... Routing table 705 ... Traffic statistics acquisition unit 711 ... Router control unit 712 ... Management terminal

Claims (5)

A communication data statistics device that takes statistics of communication data flowing through a network,
A receiving unit for receiving a packet in which values of a plurality of types of flow identifiers are recorded;
Based on a first flow identification condition composed of one or more types of the flow identifiers and the value of the flow identifier of the received packet, the first flow of the packet is identified, and the statistical information of the first flow A lower-order data update unit for recording the data in the first memory;
Identifying a second flow of the packet based on a second flow identification condition including more types of flow identifiers than the first flow identification condition and a value of the flow identifier of the received packet; An upper data update unit for recording the statistical information of the second flow in the second memory;
Based on a predetermined statistical condition, the statistical information of the first flow recorded in the first memory or the statistical information of the second flow recorded in the second memory is output. An output unit,
The upper data update unit includes control information for taking statistics of the value of a heterogeneous identifier that is a flow identifier that is included in the second flow identification condition but is not included in the first flow identification condition. Send it to the lower data update section,
The lower-level data update unit, when recording the statistics of the first flow in the first memory, based on the control information received from the higher-level data update unit, The communication data statistical device records the statistical information of the value of the heterogeneous identifier in the first memory in association with the statistical information of the first flow. The communication data statistics device according to claim 1,
The upper data update unit transmits flag information indicating whether or not the identified second flow is a new flow to the lower data update unit as the control information,
The lower data updating unit counts up the number of values of the heterogeneous identifier when the flag information received from the upper data updating unit indicates that a new flow has been identified. The communication data statistics device according to claim 1,
The lower data update unit transmits statistical period information indicating a statistical period of the first flow to the upper data update unit,
The upper data update unit holds the statistical period information received from the lower data update unit as the control information transmitted next time,
The lower data update unit counts up the number of values of the different identifiers when the statistical period represented by the control information received from the upper data update unit is different from the current statistical period Statistical device. The communication data statistics device according to claim 3,
The communication data statistics device, wherein the lower data update unit changes the statistical period when a new flow is identified or when the statistical information is output by the output unit. A communication data statistics method for taking statistics of communication data flowing through a network,
A reception step of receiving a packet in which values of a plurality of types of flow identifiers are recorded;
Based on a first flow identification condition composed of one or more types of the flow identifiers and the value of the flow identifier of the received packet, the first flow of the packet is identified, and the statistical information of the first flow A first data update step for recording the data in the first memory;
Identifying a second flow of the packet based on a second flow identification condition including more types of flow identifiers than the first flow identification condition and a value of the flow identifier of the received packet; A second data update step of recording statistical information of the second flow in a second memory;
Based on a predetermined statistical condition, the statistical information of the first flow recorded in the first memory or the statistical information of the second flow recorded in the second memory is output. An output process,
The second data update step obtains control information for taking statistics of the value of a heterogeneous identifier that is a flow identifier that is included in the second flow identification condition but is not included in the first flow identification condition. Including the steps of:
In the first data update step, when the statistics of the first flow are recorded in the first memory, based on the control information acquired in the second data update step, the heterogeneous identifier A communication data statistics method comprising: taking statistics of values, and recording the statistics of the heterogeneous identifier in association with the statistical information of the first flow in the first memory.

Images