JP2010011382A - Communication device and communication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To suppress the load on a device to be monitored and to monitor traffic while gathering all packets to be monitored. <P>SOLUTION: An input control means 1a controls input of packets received by a communication device 1. A temporary storage means 1b temporarily stores the received packets. An output control means 1c controls output of the received packets. A mirror output control means 1d controls output of mirror packets based upon the received packets. The input control means 1a performs control to write the received packets to the temporary storage means 1b. The mirror output control means 1d performs control to extract only some of the packets written to the temporary storage means 1b and to output mirror packets having some of the extracted packets. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a communication device and a communication method, and more particularly to a communication device and a communication method for monitoring network traffic.

2. Description of the Related Art Conventionally, as a technique for monitoring network traffic by a communication device such as a network switch or a router, a method for collecting packets flowing in the network such as sFlow and port mirroring is known. Such a monitoring method samples a packet from a port to be monitored, converts the specified area information of the sample, statistical information about the port, etc. into a packet, and transfers the packet to a device that monitors traffic. is there.
JP 2004-304752 A JP 2005-286684 A

  However, in sFlow, it is possible to monitor the network with a drastic traffic collection function while suppressing the load on the device that monitors traffic by sampling. On the other hand, there is a case where it is desired to obtain information of all packets in order to perform detailed network monitoring. In such a case, since it is not assumed in sFlow, when monitoring the details of network traffic, Not suitable.

  Therefore, when detailed network monitoring is desired, port mirroring is generally performed. In port mirroring, packets are not sampled, and all packets on the monitoring port are transferred to the port of the device that monitors the traffic.

However, port mirroring has the problem that privacy can be compromised by monitoring all traffic.
In addition, port mirroring has a problem in that a device capable of receiving all traffic must be prepared as a device for monitoring traffic.

  The present case has been made in view of the above points, and provides a communication device and a communication method capable of monitoring traffic with a reduced load on the device while collecting all packets to be monitored. Objective.

  A communication device that monitors the traffic of the disclosed network includes an input control unit that controls input of a packet received by the communication device, a temporary storage unit that temporarily stores the received packet, and the received Output control means for controlling the output of the packet, and mirror output control means for controlling the output of the mirror packet based on the received packet, the input control means storing the received packet in the temporary storage The mirror output control means extracts only part of the packet written in the temporary storage means and outputs the mirror packet having the part of the extracted packet. Do.

  According to the disclosed communication apparatus, input of the received packet is controlled by the input control unit, the received packet is temporarily stored by the temporary storage unit, and the output of the received packet is output by the output control unit. The mirror packet output is controlled by the mirror output control means. Here, the input control unit performs control to write the received packet to the temporary storage unit, and the mirror output control unit extracts only a part of the packet written to the temporary storage unit and extracts the extracted packet. Control is performed to output a mirror packet having a part of

  According to the disclosed communication apparatus and communication method, it is possible to reduce the load on the apparatus when collecting packets.

Hereinafter, embodiments will be described with reference to the drawings.
FIG. 1 is a diagram showing an outline of the present embodiment. A communication device 1 shown in FIG. 1 is a communication device that monitors network traffic.

The communication device 1 includes an input control unit 1a, a temporary storage unit 1b, an output control unit 1c, and a mirror output control unit 1d in order to monitor network traffic.
The input control unit 1 a controls input of the input packet 2 received by the communication device 1. At this time, the input control means 1a performs control to write the received input packet 2 in the temporary storage means 1b. As a result, the input packet 2 input to the communication device 1 is written to the temporary storage unit 1b by the input control unit 1a. Here, the input packet 2 includes, for example, a header portion 2a indicating a destination and a payload portion 2b indicating data to be transferred such as user data.

  The temporary storage unit 1b temporarily stores the received input packet 2. As a result, the packet written in the temporary storage means 1b is read out under the control of the output control means 1c and is read out under the control of the mirror output control means 1d.

  The output control means 1c controls the output of the received input packet 2. The input packet 2 is output as the output packet 3 from the communication device 1 under the control of the output control means 1c. As a result, the input packet 2 written in the temporary storage unit 1b is read from the output control unit 1c, and is output to the outside of the communication apparatus 1 from an output unit (not shown) such as an appropriate destination port. Here, the output packet 3 includes, for example, a header portion 3a and a payload portion 3b as in the case of the input packet 2.

  The mirror output control means 1d controls the output of the mirror packet 4 based on the received input packet 2. At this time, the mirror output control means 1d extracts only the header part 2a which is a part of the input packet 2 written in the temporary storage means 1b. Next, the mirror output control unit 1d performs control to copy the header part 2a, which is a part of the extracted input packet 2, into the header part 4a and output the mirror packet 4 having the header part 4a.

  According to such a communication apparatus 1, the input control unit 1a controls the input of the received input packet 2, the temporary storage unit 1b temporarily stores the received input packet 2, and the output control unit The output of the output packet 3 which is a copy of the received input packet 2 is controlled by 1c, and the output of the mirror packet 4 is controlled by the mirror output control means 1d. Here, the input control means 1a controls the received input packet 2 to be written in the temporary storage means 1b, and the mirror output control means 1d uses a part of the input packet 2 written in the temporary storage means 1b. Only a certain header part 2a is extracted, and control is performed so that the mirror packet 4 having the header part 2a which is a part of the extracted packet is output.

  Thereby, when performing mirroring, the mirror output control means 1d connected to the observation device (not shown) that collects the mirror packet 4 and monitors the traffic is output from the output control means 1c from the temporary storage means 1b. The same packet data as the output packet 3 is read and output.

  That is, the data of the input packet 2 read from the temporary storage unit 1b by the mirror output control unit 1d is not the data of the entire packet but the data of a part of the packet (for example, the header part 2a). Further, a part of the data of the packet is read with a specific size designated by the user or determined in advance as an upper limit.

  Thereby, the mirror output control means 1d performs control to extract only the header part 2a which is a part of the input packet 2 written in the temporary storage means 1b and output the mirror packet 4 having the extracted header part. As a result, it is possible to reduce the load on the apparatus during packet collection.

  Next, a more specific embodiment of the above communication device will be described. In the following embodiments, description will be made with the communication device as a switch, particularly a layer 2 switch in mind, but the present invention is not limited to this. In addition, the unit of layer 2 data in the OSI (Open Systems Interconnection) reference model is sometimes referred to as a frame. However, in the following embodiments, all are unified and expressed as a packet for convenience of explanation.

[First Embodiment]
FIG. 2 is a diagram illustrating the overall configuration of the communication system. In the communication system according to the present embodiment, a plurality of layer 2 switches relay data link layer packets so that data can be transmitted and received between terminal devices.

  The communication system shown in FIG. 2 includes switches 100, 100a, 100b, 100c, 100d and terminal devices 40, 61, 62, 63, 64, 65, 66. The switches 100, 100a, 100b, 100c, and 100d are layer 2 switches. The terminal devices 61, 62, 63, 64, 65, 66 are terminal devices used by the user. The terminal device 40 is a terminal device used by an administrator of the switch 100. The switches 100a, 100b, 100c, and 100d are configured in the same manner as the switch 100, and have equivalent functions.

  The switch 100 is connected to the switches 100a and 100b. The switch 100b is connected to the switches 100c and 100d. The terminal devices 61 and 62 are connected to the switch 100a. The terminal devices 63 and 64 are connected to the switch 100c. The terminal devices 65 and 66 are connected to the switch 100d. The terminal device 40 is connected to the switch 100. The two switches or the switch and the terminal device are connected by one or more physical links (network cables).

  The switches 100, 100a, 100b, 100c, and 100d relay the packet from the source terminal device to the destination terminal device according to the address included in the packet. For example, when the terminal device 61 transmits a packet to the terminal device 63, the packet is relayed in the order of the switch 100a, the switch 100, the switch 100b, and the switch 100c.

  FIG. 3 is a diagram illustrating a hardware configuration of the switch. FIG. 3 shows the internal configuration of the switch 100, but the switches 100a, 100b, 100c, and 100d can be realized with the same configuration. The switch 100 includes a CPU (Central Processing Unit) 101, interface cards 102a, 102b, 102c, and 102d, a switch card 103, a table storage memory 104, a port monitoring unit 105, and a bus 106.

  The CPU 101 controls the entire switch 100. The CPU 101 executes processing by a program. The CPU 101 executes a program similarly held in the memory using data held in a memory (not shown). The CPU 101 receives a command transmitted from the terminal device 40 used by the administrator via a communication interface (not shown), and returns an execution result for the command to the terminal device 40.

  The table storage memory 104 stores a plurality of tables. The table stored in the table storage memory 104 includes a table for managing the configuration of the logical link, a table for determining a packet transfer destination within the logical link, and a table for storing information indicating the packet transfer destination. It is.

  A CPU 101, interface cards 102a, 102b, 102c, and 102d, a switch card 103, a table storage memory 104, and a port monitoring unit 105 are connected to the bus 106.

  Each of the interface cards 102a, 102b, 102c, and 102d has a plurality of (for example, eight) communication ports. One physical link can be connected to each communication port. The interface cards 102a, 102b, 102c, and 102d monitor the respective communication ports and acquire packets. The interface cards 102a, 102b, 102c, and 102d have a buffer that temporarily holds packets in preparation for a case where packets arrive at a plurality of communication ports at the same time. Then, the interface cards 102a, 102b, 102c, and 102d send the acquired packets to the switch card 103.

  The switch card 103 has a learning table (not shown). The switch card 103 stores the transmission source address of the packet received in the past and the identification information of the communication port or logical link from which the packet has arrived in association with each other in the learning table. This learning table is updated by the switch card 103 as needed.

  When the switch card 103 receives a packet from any one of the interface cards 102a, 102b, 102c, and 102d, the switch card 103 refers to the learning table and determines the transfer destination of the packet. Here, when the determined transfer destination is a logical link, the switch card 103 refers to the table stored in the table storage memory 104, and the specific interface cards 102a, 102b, 102c, 102d used for transfer and Determine the communication port. Thereafter, the switch card 103 sends the packet to the determined interface cards 102a, 102b, 102c, and 102d.

The interface cards 102a, 102b, 102c, and 102d that have received the packet send the received packet to the transmission destination from the determined communication port.
The port monitoring unit 105 monitors the communication ports of the interface cards 102a, 102b, 102c, and 102d. When the port monitoring unit 105 detects a failure or recovery of the physical link connected to the communication ports of the interface cards 102a, 102b, 102c, and 102d, the port monitoring unit 105 notifies the CPU 101 accordingly.

  FIG. 4 is a diagram illustrating an example of a data structure of a packet. The packet 30 shown in FIG. 4 is transmitted / received to / from the switches 100a, 100b, etc. via the communication ports of the interface cards 102a, 102b, 102c, 102d.

  The packet 30 includes a preamble, a destination MAC address (MAC DA: Media Access Control address Destination Address), a source MAC address, a TPID (Tag Protocol Identifier), and a VLAN (Virtual Local Area Network) tag. , Type, payload and FCS (Frame Check Sequence). The packet 30 can also be divided into a preamble part having a preamble, a destination MAC address, a source MAC address, a TPID, a VLAN tag, a header part having a type, a payload part having a payload, and an FCS part having an FCS.

  The preamble is a bit string for notifying the start of packet transmission and giving timing for synchronization. The destination MAC address is an address that uniquely identifies the communication interface of the destination terminal device. The transmission source MAC address is an address that uniquely identifies a communication interface of the transmission source terminal device. The TPID is a value indicating the type of the packet (for example, whether it is a VLAN packet or a normal packet). The VLAN tag is a uniquely determined value assigned to each logical network when one network is divided into a plurality of logical networks for operation. The type is a field that specifies a protocol to be used. The payload is a data body to be transmitted / received. For example, the payload is obtained by dividing an IP packet into a predetermined data length. FCS is a value used to detect an error in a received packet.

  It should be noted that various modifications of the data structure of the packet are conceivable depending on the network operation mode and the like. For example, the VLAN tag may be omitted. In addition, information other than that shown in FIG. 4 may be added.

  FIG. 5 is a block diagram illustrating a configuration of the switch according to the first embodiment. The switch 100 shown in FIG. 5 is a layer 2 switch having a function of outputting a mirror packet having a header portion of an input packet in order to monitor network traffic.

The switch 100 includes an input control unit 110, a shared memory 120, an output control unit 130, and a mirror output control unit 140 in order to monitor network traffic.
The input control unit 110 controls input of input packets received by the switch 100. At this time, the input control unit 110 performs control to write the received input packet into the shared memory 120. As a result, the input packet input to the switch 100 is written into the shared memory 120 by the input control unit 110. Here, the input packet has, for example, a header portion indicating a destination and a payload portion indicating data to be transferred such as user data.

  The shared memory 120 temporarily stores the received input packet. Thereby, the packet written in the shared memory 120 is read out under the control of the output control unit 130 and is read out under the control of the mirror output control unit 140.

  The output control unit 130 controls the output of the received input packet. Under the control of the output control unit 130, an input packet is output from the switch 100 as an output packet. As a result, the input packet written in the shared memory 120 is read from the output control unit 130 and output to the outside of the switch 100 from an output unit (not shown) such as an output port of an appropriate destination. Here, the output packet has a header part and a payload part, for example, like the input packet.

  The mirror output control unit 140 controls the output of the mirror packet based on the received input packet. At this time, the mirror output control unit 140 extracts only the header part that is a part of the input packet from the input packet written in the shared memory 120. Next, the mirror output control unit 140 performs control to copy a header part that is a part of the extracted input packet and output a mirror packet having this header part.

  According to such a switch 100, input of the received packet is controlled by the input control unit 110, and the received packet is temporarily stored by the shared memory 120 and received by the output control unit 130. The output of the packet is controlled, and the output of the mirror packet is controlled by the mirror output control unit 140. Here, the input control unit 110 performs control to write the received packet to the shared memory 120, and the mirror output control unit 140 extracts and extracts only a part of the packet written to the shared memory 120. Control is performed so that a mirror packet having a part of the packet is output.

  As a result, when mirroring is performed, the mirror output control unit 140 connected to an observation device (not shown) that collects mirror packets and monitors traffic is output from the shared memory 120 to the output control unit 130. Read and output the same packet data.

  That is, the data of the packet read from the shared memory 120 by the mirror output control unit 140 is not the data of the whole packet but the data of a part of the packet. Further, it is read out with an upper limit of a specific size designated by the user or predetermined.

The switch 100 is a layer 2 switch, but is not limited thereto, and may be a communication device having a data relay function such as a router.
FIG. 6 is a block diagram showing the configuration of the input control unit in the first embodiment.

The input control unit 110 includes a packet writing unit 111 and a control data writing unit 112 in order to control input of input packets received by the switch 100.
The packet writing unit 111 performs control to write packet data such as header and payload data in the input packet input to the switch 100 to the shared memory 120.

  The control data writing unit 112 determines the input port number indicating the input port to which the input packet input to the switch 100 is input, the data size when the input packet is written to the shared memory 120, the input packet from the input packet, for example, Control is performed to write control data for controlling transfer and mirroring of the input packet, such as information on the position of the packet (for example, the size from the beginning) when performing cutout for cutting out a part of the packet, to the shared memory 120.

  In this way, the input packet input to the switch 100 is written to the shared memory 120 by the packet writing unit 111, and control data such as the data size and input port number at the time of writing is also controlled by the control data writing unit 112. It is written in the shared memory 120.

FIG. 7 is a block diagram illustrating a configuration of the mirror output control unit according to the first embodiment.
The mirror output control unit 140 includes a shared memory read control unit 141 that reads data from the shared memory 120. The shared memory read control unit 141 includes a control data processing unit 141a, a packet data processing unit 141b, a size counter unit 141c, and an FCS calculation unit 141d.

The control data processing unit 141a reads the control data of the input packet from the shared memory 120, and performs output control of the mirror packet based on this.
The packet data processing unit 141b reads out the header part of the packet from the shared memory 120 based on the size count result by the size counter unit 141c and makes it a mirror packet. Is added. Next, the packet data processing unit 141b outputs the mirror packet to which the FCS is added.

  The size counter unit 141c counts the size of the read data and recognizes the size from the top. Thereby, the size counter unit 141c controls the extraction of the header part from the packet read from the shared memory 120 by the packet data processing unit 141b.

  The FCS calculator 141d calculates an FCS for detecting a mirror packet error. In the FCS calculation by the FCS calculation unit 141d, a copy of the header part of the packet read from the shared memory 120 by the packet data processing unit 141b is used as a mirror packet, and the FCS of the mirror packet is calculated by the FCS calculation unit 141d. The

  FIG. 8 is a diagram illustrating the operation of the switch according to the first embodiment. In FIG. 8, the operation of the switch 100 when a packet is input to the switch 100 will be described. Here, it is assumed that the packets 31 and 32 are already input after being input to the switch 100, and the packet 33 is input from now on. The mirror packets 51 and 52 are mirrored packets based on the packets 31 and 32, respectively.

  The packets 31, 32, and 33 have preamble portions 31a, 32a, and 33a, header portions 31b, 32b, and 33b, payload portions 31c, 32c, and 33c, and an FCS (not shown), respectively.

  As shown in FIG. 8, when the packets 31 and 32 are sequentially input to the switch 100, the corresponding mirror packets 51 and 52 are sequentially output accordingly. At this time, the header part 51b of the mirror packet 51 corresponding to the packet 31 is a copy of the header part 31b of the packet 31. Similarly, the header part 52b of the mirror packet 52 corresponding to the packet 32 is a copy of the header part 32b of the packet 32.

  That is, the mirror packet 51 is output by adding the preamble part 51a and the FCS of the mirror packet 51 to the header part 51b which is a copy of the header part from which the payload part 31c and FCS of the packet 31 are removed by the switch 100. . Similarly, the mirror packet 52 is output with the preamble portion 52a and the FCS of the mirror packet 52 added to the header portion 52b which is a copy of the header portion from which the payload portion 32c and FCS of the packet 32 are removed.

  FIG. 9 is a flowchart illustrating a procedure of input control processing according to the first embodiment. This input control process is a process in which the switch 100 receives an input of a packet and writes the received packet in the shared memory 120 (see FIG. 5). The input control process is executed by the CPU 101 (see FIG. 3) when the switch 100 is activated.

  [Step S <b> 111] The CPU 101 determines whether a packet is input to the switch 100. If a packet has been input, the CPU 101 advances the process to step S112. On the other hand, if no packet is input, the CPU 101 advances the process to step S111.

  [Step S112] The CPU 101 determines whether or not the shared memory 120 has a free space. If there is free space in the shared memory 120, the CPU 101 advances the process to step S113. On the other hand, if there is no free space in the shared memory 120, the CPU 101 advances the process to step S114.

[Step S113] The CPU 101 writes the packet and packet control data in the shared memory 120. Thereafter, the CPU 101 advances the process to step S111.
[Step S114] The CPU 101 discards the packet input to the switch 100 without writing it to the shared memory 120. Thereafter, the CPU 101 advances the process to step S111.

  FIG. 10 is a flowchart illustrating a procedure of mirror output control processing according to the first embodiment. This mirror output control process is a process in which the switch 100 receives an input, reads the header portion of the packet written in the shared memory 120 (see FIG. 5), and outputs the read header portion as a mirror packet. The mirror output control process is executed by the CPU 101 (see FIG. 3) when the switch 100 is activated.

  [Step S121] The CPU 101 sets whether or not to output a mirror packet and a cutout size that is the size of the header portion of the cutout packet. In the first embodiment, the switch 100 extracts the header portion of the packet based on this cut-out size.

  [Step S122] The CPU 101 determines whether there is a packet written in the shared memory 120 or not. If there is a packet, the CPU 101 advances the process to step S123. On the other hand, if there is no packet, the CPU 101 advances the process to step S122.

[Step S123] The CPU 101 initializes an FCS register (not shown) included in the FCS calculation unit 141d (see FIG. 7) that calculates the FCS.
[Step S124] The CPU 101 determines whether or not to perform header mirroring that cuts out and outputs the header portion of the packet written in the shared memory 120. In the case of performing header mirroring, the CPU 101 advances the process to step S125. On the other hand, when header mirroring is not performed, the CPU 101 advances the process to step S127.

[Step S125] The CPU 101 reads the header part of the packet written in the shared memory 120, and calculates the FCS of the header part of the read packet.
[Step S126] The CPU 101 adds the FCS calculated in step S125 to the header read in step S125, and outputs the packet as a packet. Further, the CPU 101 discards unnecessary portions other than the header portion of the packet read at this time. Thereafter, the CPU 101 advances the process to step S122.

[Step S127] The CPU 101 reads the entire packet written in the shared memory 120, and calculates the FCS of the entire read packet.
[Step S128] The CPU 101 adds the FCS calculated in step S127 to the entire packet read in step S127, and outputs it as a mirror packet. Thereafter, the CPU 101 advances the process to step S122.

  As described above, in the first embodiment, the mirror output control unit 140 extracts only the header part that is a part of the input packet written in the shared memory 120, and includes the extracted header part. By performing control to output packets, it is possible to reduce the load on the apparatus during packet collection.

  Further, when the mirror output control unit 140 discards the payload portion, it is possible to perform detailed monitoring of network traffic while considering privacy protection and communication secret.

[Second Embodiment]
Next, a second embodiment will be described. Differences from the first embodiment will be mainly described, and the same reference numerals are used for the same matters, and descriptions thereof are omitted.

  In the second embodiment, the mirror output control unit 240 of the switch 200 combines the header portions of the extracted packets, and outputs the header portions of a plurality of packets at the same time. And different.

Hereinafter, the switch 200 in the present embodiment will be described.
FIG. 11 is a block diagram illustrating a configuration of a mirror output control unit according to the second embodiment.

  The mirror output control unit 240 controls the output of the mirror packet based on the received input packet. At this time, the mirror output control unit 240 extracts only the header part that is a part of the input packet from the input packet written in the shared memory 220. Next, the mirror output control unit 240 copies the header part, which is a part of the extracted input packet, and writes it in the accumulation buffer 243. Next, the mirror output control unit 240 reads the header part of the packet written in the accumulation buffer 243, combines a plurality of read packet header parts into the mirror packet, and outputs the mirror packet in which the header parts are combined. Control.

  The mirror output control unit 240 includes a shared memory read control unit 241 that reads data from the shared memory 220, a storage buffer write control unit 242, a storage buffer 243, and a storage buffer read control unit 244.

  The shared memory read control unit 241 reads the packet stored in the shared memory 220 based on the size count result by the size counter unit 241c, extracts the header part from the read packet, and extracts the header part of the extracted packet. Control to write to the accumulation buffer 243 is performed. The shared memory read control unit 241 includes a control data processing unit 241a, a packet data processing unit 241b, a size counter unit 241c, an FCS calculation unit 241d, a timer unit 241e, an accumulation number counter unit 241f, and an accumulation size counter unit 241g.

The control data processing unit 241a reads the control data of the input packet from the shared memory 220, and performs output control of the mirror packet based on this.
The packet data processing unit 241b reads the packet header from the shared memory 220. The header portion of the packet read by the packet data processing unit 241b is written into the accumulation buffer 243 by the accumulation buffer write control unit 242.

  The size counter unit 241c measures the size of the header part of the packet read from the shared memory 220 and written to the accumulation buffer 243, and recognizes the size from the beginning of the packet. Accordingly, the size counter unit 241c controls the extraction of the header portion from the packet read from the shared memory 220 by the packet data processing unit 241b.

  The FCS calculation unit 241d calculates an FCS for detecting a mirror packet error. In the FCS calculation by the FCS calculation unit 241d, the FCS of the mirror packet having a copy of the header portion of the packet read from the accumulation buffer 243 by the accumulation buffer read control unit 244 is calculated by the FCS calculation unit 241d.

  Specifically, when the accumulation buffer read control unit 244 determines that the header portion is to be read from the accumulation buffer 243, the FCS calculation unit 241d generates the header portion of the packet stored in the accumulation buffer 243. The FCS of the mirror packet is calculated. The FCS calculation result by the FCS calculation unit 241d is subsequently controlled to be written into the storage buffer 243 by the storage buffer write control unit 242.

  The timer unit 241e measures the elapsed time. The accumulation number counter unit 241f counts the number of header parts of the packets written in the accumulation buffer 243. The accumulation size counter unit 241g adds up the sizes of the header portions of the packets written in the accumulation buffer 243.

  Although details will be described later, based on the measurement result of the elapsed time by the timer unit 241e, the counting result of the number of header parts of the packet by the accumulation number counter unit 241f, and the total size of the header part of the packet by the accumulation number counter unit 241f. Thus, the output of the mirror packet is controlled by the storage buffer read control unit 244.

  The accumulation buffer write control unit 242 controls the writing of the header part extracted from the packet by the packet data processing unit 241b and the FCS calculated by the FCS calculation unit 241d to the accumulation buffer 243. Further, when the size of the header portion of the packet measured by the size counter unit 241c is smaller than a predetermined amount, the accumulation buffer write control unit 242 performs control to align the size of the header portion of the packet with the predetermined amount by padding. .

  The accumulation buffer 243 is a buffer for storing the header portion extracted from the packet by the packet data processing unit 241b and the FCS calculated by the FCS calculation unit 241d.

  The storage buffer read control unit 244 reads the header part of the packet written in the storage buffer 243, combines a plurality of read packet header parts into a mirror packet, and outputs a mirror packet having the combined header part Control.

  At this time, the accumulation buffer read control unit 244 combines and combines a plurality of header parts extracted from the packet every time the number of header parts of the packet reaches a predetermined number as a result of counting by the accumulation number counter unit 241f. Control to output a mirror packet having a header part is performed.

  Further, the accumulation buffer read control unit 244 determines that, as a result of counting by the accumulation number counter unit 241f, the timer unit 241e counts as a result of counting by the timer unit 241e even if the number of packet header units does not reach the predetermined number. When a predetermined time has elapsed since the first header portion of the message was accumulated, a plurality of header portions extracted from the packets accumulated up to that time are combined, and a mirror packet having the combined header portions is output. Take control.

  Further, the accumulation buffer read control unit 244 determines the header extracted from the packet every time the total size of the header part of the packet stored in the accumulation buffer 243 reaches a predetermined amount as a result of the summation by the accumulation size counter unit 241g. It is also possible to perform control for combining a plurality of sections and outputting a mirror packet having a combined header section.

  Also in this case, the accumulation buffer read control unit 244 determines that a plurality of headers as a result of timing by the timer unit 241e even if the total size of the header portions of the packets stored in the accumulation buffer 243 has not reached a predetermined amount. When a predetermined time has elapsed since the first header portion of the packets was accumulated, a plurality of header portions extracted from the packets accumulated up to that time are combined, and a mirror packet having the combined header portions Is controlled.

  When performing the control to output the mirror packet, the accumulation buffer read control unit 244 reads the header part of the packet stored in the accumulation buffer 243 and combines it into a mirror packet, and the FCS calculation unit 241d transmits the mirror packet. Control to calculate FCS. Next, the storage buffer read control unit 244 reads the FCS calculated by the FCS calculation unit 241d from the storage buffer 243, and adds the FCS of the mirror packet calculated by the FCS calculation unit 241d to the mirror packet. Next, the packet data processing unit 241b outputs the mirror packet with the FCS added.

  The accumulation buffer read control unit 244 may use only the measurement of the elapsed time by the timer unit 241e as a reference for mirror packet output. In this case, as a result of measurement by the timer unit 241e, the accumulation buffer read control unit 244 combines a plurality of header portions extracted from the packet every time a predetermined time elapses, and outputs a mirror packet having the combined header portions. Control.

  FIG. 12 is a diagram illustrating the operation of the switch according to the second embodiment. In FIG. 12, the operation of the switch 200 when a packet is input to the switch 200 will be described. Here, the packets 31 and 32 are assumed to have been output after being input to the switch 200 as in the first embodiment, and the packet 33 will be input from now on. The mirror packet 250 is a packet in which the header portions 31b and 32b of the packets 31 and 32 are combined.

  The packets 31, 32, and 33 have preamble portions 31a, 32a, and 33a, header portions 31b, 32b, and 33b, payload portions 31c, 32c, and 33c, and an FCS (not shown), respectively.

  As shown in FIG. 12, when packets 31 and 32 are sequentially input to the switch 200, a corresponding mirror packet 250 is output accordingly. At this time, the header portion 251b of the mirror packet 250 is a copy of the header portion 31b of the packet 31. Similarly, the header part 252b of the mirror packet 250 is a copy of the header part 32b of the packet 32.

  That is, the mirror packet 250 includes a header portion 251b that is a copy of the header portion 31b from which the payload portion 31c of the packet 31 is removed by the switch 200, and a copy of the header portion 32b from which the payload portion 32c and FCS of the packet 32 are removed. Are combined with the header portion 251b, and the preamble portion 250a and the FCS of the mirror packet are added and output.

  FIG. 13 and FIG. 14 are diagrams illustrating an example of a data structure of a mirror packet in the second embodiment. FIG. 13 shows a mirror packet 250 when no padding is performed in the second embodiment. FIG. 14 shows a mirror packet 260 when padding is performed in the second embodiment.

First, the mirror packet 250 when no padding is performed will be described with reference to FIG.
When a packet 31 having a preamble part 31a, a header part 31b, a payload part 31c, and an FCS 31d is input to the switch 200, only the header part 31b of the packet 31 is copied and stored in the switch 200.

  Subsequently, when the packet 32 having the preamble part 32a, the header part 32b, the payload part 32c, and the FCS 32d is input to the switch 200, only the header part 32b of the packet 32 is copied and accumulated in the switch 200.

  Thereafter, the switch 200 outputs a mirror packet 250 in which the headers of the packet 31 and the packet 32 are combined. The mirror packet 250 includes a header part 251b which is a copy of the header part 31b of the packet 31, a header part 252b which is a copy of the header part 32b of the packet 32, a newly added preamble part 250a, and a newly calculated FCS 250d. Have.

  Next, the mirror packet 260 when padding is performed according to FIG. 14 will be described. The switch 200 according to the present embodiment will be described in detail later with reference to FIGS. 15 and 16, but when the header portion of the input packet is shorter than a predetermined cutout size, padding is performed to adjust the size of the header portion. To do. This padding will be described below. Here, the packet 31 is different from FIG. 13 in that the size of the header part 31b is shorter than a predetermined cut-out size.

  When a packet 31 having a preamble part 31a, a header part 31b, a payload part 31c, and an FCS 31d is input to the switch 200, only the header part 31b of the packet 31 is copied and stored in the switch 200. At this time, since the size of the header portion 31b is shorter than the cut-out size as described above, a padding portion (not shown) is added and accumulated in the header portion copied by the switch 200.

  Subsequently, as in FIG. 13, when the packet 32 having the preamble part 32a, the header part 32b, the payload part 32c, and the FCS 32d is input to the switch 200, only the header part 32b of the packet 32 is copied and stored in the switch 200. The

  Thereafter, the switch 200 outputs a mirror packet 260 in which the headers of the packet 31 and the packet 32 are combined. The mirror packet 260 includes a header part 261b that is a copy of the header part 31b of the packet 31, a padding part 261e added to the header part 261b to adjust the size, and a header part 262b that is a copy of the header part 32b of the packet 32. , A newly added preamble section 260a and a newly calculated FCS 260d.

  In this way, by adding a padding portion when the size of the header portion is short, the positions of the header portion and the like included in the packet can be aligned at a constant interval even when the sizes of the header portion and the like are uneven. .

  FIG. 15 and FIG. 16 are flowcharts illustrating the procedure of the mirror output control process in the second embodiment. This mirror output control process is a process in which the switch 200 receives an input, reads the header portion of the packet written in the shared memory 220 (see FIG. 11), and outputs the read header portion as a mirror packet. The mirror output control process is executed by the CPU 101 (see FIG. 3) when the switch 200 is activated.

  [Step S221] The CPU 101 sets whether or not to output a mirror packet and a cutout size indicating the size of the header portion of the cutout packet. In the second embodiment, the size of the header part included in the mirror packet is determined based on this cut-out size. When the size of the header part is shorter than the cut-out size, the size of the header part is adjusted by padding.

[Step S222] The CPU 101 initializes an FCS register (not shown) included in the FCS calculation unit 241d (see FIG. 11) that calculates the FCS.
[Step S223] The CPU 101 determines whether there is a packet written in the shared memory 220 or not. If there is a packet, the CPU 101 advances the process to step S224. On the other hand, if there is no packet, the CPU 101 advances the process to step S222.

  [Step S224] The CPU 101 initializes a size counter (not shown) included in the size counter unit 241c (see FIG. 11) that measures the size of the header portion of the input packet.

  [Step S225] The CPU 101 determines whether or not to perform header mirroring that cuts out and outputs the header portion of the packet written in the shared memory 220. When performing header mirroring, the CPU 101 advances the process to step S231 (see FIG. 16). On the other hand, when header mirroring is not performed, the CPU 101 advances the process to step S226.

[Step S226] The CPU 101 reads the entire packet written in the shared memory 220, and calculates the FCS of the entire read packet.
[Step S227] The CPU 101 adds the FCS calculated in step S226 to the entire packet read in step S226, and outputs it as a mirror packet. Thereafter, the CPU 101 advances the process to step S222.

  [Step S231] The CPU 101 determines whether or not the number of header portions of the packet written in the accumulation buffer 243 (see FIG. 11) is zero. If it is 0, the CPU 101 advances the process to step S233. On the other hand, if not 0, the CPU 101 advances the process to step S232.

  [Step S232] The CPU 101 has a timer (not shown) included in the timer unit 241e (see FIG. 11) that measures the elapsed time since the oldest header part of the packet stored in the storage buffer 243 is stored. Is initialized. At this time, a set value indicating a set time for completing the timer is set in the timer.

  [Step S233] The CPU 101 reads the header part of the packet written in the shared memory 220, and writes the header part of the read packet in the accumulation buffer 243. At this time, the CPU 101 acquires the size of the header portion of the packet from the size counter unit 241c initialized in step S224. When the size of the header portion of the packet is shorter than a predetermined cutout size, the CPU 101 adjusts the size of the header portion by adding a padding portion so that the header portion size is the same as the cutout size. Further, the CPU 101 discards unnecessary portions other than the header portion of the packet read at this time.

  [Step S234] The CPU 101 stores, based on the header portion of the read packet, an accumulation number counter (not shown) included in the accumulation number counter unit 241f (see FIG. 11) and an accumulation size counter unit 241g (see FIG. 11). The value of the size counter (not shown) is updated.

  Here, the accumulated number counter is incremented by 1 by updating based on writing to the accumulation buffer 243 in the header portion of this packet. The accumulation size counter is added with a value indicating the size of the header portion of this packet by updating the header portion of this packet based on writing to the accumulation buffer 243.

  [Step S235] The CPU 101 determines whether or not the value of the counter to be determined has reached the scheduled value. If the planned value has been reached, the CPU 101 advances the process to step S237. On the other hand, if the planned value has not been reached, the CPU 101 advances the process to step S236.

  Here, the counter to be determined is a counter for determining whether or not the accumulated header parts are combined and output as a mirror packet, and either the accumulation number counter or the accumulation size counter is It is determined in advance by the design stage of the switch 200, user settings, and the like.

  For example, when the counter to be determined is an accumulation number counter, when the value of the accumulation number counter reaches a predetermined value, that is, the header portion of a predetermined number of packets is written in the accumulation buffer 243. In step S237, the mirror packet is output.

  In addition, when the counter to be determined is an accumulation size counter, when the value of the accumulation size counter reaches a predetermined value, that is, the total size of the header portion of the packet written in the accumulation buffer 243 is estimated. When the amount reached is reached, a mirror packet is output in step S237.

  [Step S236] The CPU 101 determines whether or not the timer has been completed, that is, whether or not the timer initialized in step S232 has reached the set value and the set time has elapsed. If the timer has been completed, the CPU 101 advances the process to step S237. On the other hand, if the timer has not been completed, the CPU 101 advances the process to step S223 (see FIG. 15).

  [Step S237] The CPU 101 reads all the header parts written in the accumulation buffer 243 in step S233, combines the header parts of the read packets, and calculates the FCS of the combined header parts. Further, the CPU 101 adds the calculated FCS to the read header part and outputs it as a packet. Thereafter, the CPU 101 advances the process to step S222 (see FIG. 15).

  As described above, in the second embodiment, in addition to the first embodiment, the mirror output control unit 240 combines a plurality of header parts and outputs the combined packet as one mirror packet. It is possible to further reduce the load on the device that collects the mirror packet output from the switch 100 and the switch 100 at the time of collection and monitoring of network traffic.

[Third Embodiment]
Next, a third embodiment will be described. Differences from the first embodiment and the second embodiment will be mainly described, and the same reference numerals are used for the same matters, and descriptions thereof are omitted.

  In the third embodiment, the input control unit 310 of the switch 300 writes the control data of the packet input to the shared memory 320, and the mirror output control unit 340 includes a part of the control data written to the shared memory 320. Is read out as additional information to be included in the mirror packet, and the read additional information is included in the mirror packet and output, which is different from the first embodiment and the second embodiment.

Hereinafter, the switch 300 in the present embodiment will be described.
FIG. 17 is a block diagram illustrating a configuration of the input control unit according to the third embodiment.
The input control unit 310 according to the third embodiment includes a packet writing unit 311 and a control data writing unit 312 in order to control input of an input packet received by the switch 300.

  The packet writing unit 311 performs control to write packet data such as header and payload data in the input packet input to the switch 300 to the shared memory 320.

  The control data writing unit 312 determines the input port number indicating the input port to which the input packet input to the switch 300 is input, the data size when the input packet is written to the shared memory 320, the input packet from the input packet, for example, Control is performed to write control data for controlling transfer and mirroring of the input packet, such as information on the position of the packet (for example, the size from the top) when performing cutout for cutting out a part of the packet, to the shared memory 320. Here, a part of the control data written in the shared memory 320 is output from the switch 300 as additional information included in the mirror packet.

  In this way, the input packet input to the switch 300 is written to the shared memory 320 by the packet writing unit 311, and control data such as the data size and input port number at the time of writing also includes additional information in part. While being included, the data is written to the shared memory 320 by the control data writing unit 312.

FIG. 18 is a block diagram illustrating a configuration of a mirror output control unit according to the third embodiment.
The mirror output control unit 340 controls the output of the mirror packet based on the received input packet. At this time, the mirror output control unit 340 extracts only the header part which is a part of the input packet from the input packet written in the shared memory 320. Next, the mirror output control unit 340 copies the header part, which is a part of the extracted input packet, and writes it in the accumulation buffer 343. Next, the mirror output control unit 340 reads the header part of the packet written in the accumulation buffer 343, combines a plurality of header parts of the read packet into the mirror packet, and outputs the mirror packet in which the header part is combined. Control.

  The mirror output control unit 340 includes a shared memory read control unit 341 that reads data from the shared memory 320, an accumulation buffer write control unit 342, an accumulation buffer 343, and an accumulation buffer read control unit 344.

  The shared memory read control unit 341 reads the packet stored in the shared memory 320 based on the size count result by the size counter unit 341c, extracts the header portion from the read packet, and extracts the header portion of the extracted packet. Control to write to the accumulation buffer 343 is performed. The shared memory read control unit 341 includes a control data processing unit 341a, a packet data processing unit 341b, a size counter unit 341c, an FCS calculation unit 341d, a timer unit 341e, an accumulation number counter unit 341f, and an accumulation size counter unit 341g.

  The control data processing unit 341a reads the control data of the input packet from the shared memory 320, and performs output control of the mirror packet based on this. In addition, the control data processing unit 341 a reads additional information from the shared memory 320. The additional information read by the control data processing unit 341a is written into the storage buffer 343 by the storage buffer write control unit 342.

  The packet data processing unit 341b reads the header portion of the packet from the shared memory 320. The header portion of the packet read by the packet data processing unit 341b is written into the accumulation buffer 343 by the accumulation buffer write control unit 342.

  The size counter unit 341c measures the size of the header portion of the packet that is read from the shared memory 320 and written to the accumulation buffer 343, and recognizes the size from the beginning of the packet. Accordingly, the size counter unit 341c controls the extraction of the header portion from the packet read from the shared memory 320 by the packet data processing unit 341b.

  The FCS calculation unit 341d calculates an FCS for detecting a mirror packet error. In the FCS calculation by the FCS calculation unit 341d, the FCS calculation unit 341d calculates the FCS of the mirror packet having a copy of the header part of the packet read from the storage buffer 343 by the storage buffer read control unit 344.

  Specifically, when the accumulation buffer read control unit 344 determines to read the header portion from the accumulation buffer 343, the FCS calculation unit 341d generates the packet from the header portion stored in the accumulation buffer 343. The FCS of the mirror packet is calculated. The FCS calculation result by the FCS calculation unit 341d is subsequently controlled to be written into the storage buffer 343 by the storage buffer write control unit 342.

  The timer unit 341e measures the elapsed time. The accumulation number counter unit 341f counts the number of header parts of the packets written in the accumulation buffer 343. The accumulation size counter unit 341g adds up the sizes of the header portions of the packets written in the accumulation buffer 343.

  Although details will be described later, based on the measurement result of the elapsed time by the timer unit 341e, the counting result of the number of header parts of the packet by the accumulation number counter unit 341f, and the total size of the header part of the packet by the accumulation number counter unit 341f. Thus, the output of the mirror packet is controlled by the storage buffer read control unit 344.

  The storage buffer write control unit 342 is information included in the header part extracted from the packet by the packet data processing unit 341b, the FCS calculated by the FCS calculation unit 341d, and the mirror packet with respect to the storage buffer 343. Control writing of some additional information. Here, the additional information includes, for example, information indicating the packet size, an input port number indicating the input port to which the input packet input to the switch 300 is input, and an output port from which an output packet that is not a mirror packet is output. There are output port numbers.

  In addition, when the size of the header portion of the packet measured by the size counter unit 341c is smaller than a predetermined amount, the accumulation buffer write control unit 342 performs control to align the size of the header portion of the packet with the predetermined amount by padding. .

  The accumulation buffer 343 is a buffer for storing the header extracted from the packet by the packet data processing unit 341b, the additional information read from the shared memory 320 by the control data processing unit 341a, and the FCS calculated by the FCS calculation unit 341d. is there.

  The accumulation buffer read control unit 344 reads the header portion and additional information of the packet written in the accumulation buffer 343, combines a plurality of read packet header portions and additional information into a mirror packet, and combines the header portions. And control to output a mirror packet having additional information. The accumulation buffer read control unit 344 provides an additional information storage area as an area for storing additional information between the header parts included in the mirror packet, and stores the additional information in the additional information storage area to mirror the additional information. Generate a packet.

  Here, when this additional information storage area is provided between the header parts included in the mirror packet, the number of additional information storage areas is one less than the number of header parts included in the mirror packet. Therefore, the size of additional information for one input packet is equal to or less than “size of additional information storage area” × “number of header parts included in mirror packet−1” ÷ “number of header parts included in mirror packet”. .

  Further, the accumulation buffer read control unit 344 combines a plurality of header parts and additional information extracted from the packet every time the number of header parts of the packet reaches a predetermined number as a result of counting by the accumulation number counter unit 341f, Control is performed to output a mirror packet having a combined header part and additional information.

  Further, as a result of the counting by the accumulation number counter unit 341f, the accumulation buffer read control unit 344 does not reach the predetermined number of header portions of the packet. As a result of counting by the timer unit 341e, When a predetermined time has elapsed since the first header part of the message was accumulated, a plurality of header parts and additional information extracted from packets accumulated up to that time are combined, and the combined header part and additional information are The control which outputs the mirror packet which has is performed.

  Further, the accumulation buffer read control unit 344 extracts the packet from the packet every time the total size of the header part and additional information stored in the accumulation buffer 343 reaches a predetermined amount as a result of the summation by the accumulation size counter unit 341g. It is also possible to perform control for combining a plurality of header parts and additional information, and outputting a mirror packet having the combined header part and additional information.

  Also in this case, the accumulation buffer read control unit 344 determines the result of the time measurement by the timer unit 341e even if the total size of the header part and the additional information of the packet stored in the accumulation buffer 343 has not reached the predetermined amount, When a predetermined time has elapsed since the first header part of a plurality of header parts was accumulated, a plurality of header parts and additional information extracted from the packets accumulated up to that time were combined and combined. Control is performed to output a mirror packet having a header part and additional information.

  When performing control to output a mirror packet, the accumulation buffer read control unit 344 reads out and combines the header and additional information of the packet stored in the accumulation buffer 343 to form a mirror packet, and this is sent to the FCS calculation unit 341d. Control to calculate the FCS of the mirror packet is performed. Next, the storage buffer read control unit 344 reads the FCS calculated by the FCS calculation unit 341d from the storage buffer 343, and adds the FCS of the mirror packet calculated by the FCS calculation unit 341d to the mirror packet. Next, the packet data processing unit 341b outputs the mirror packet with the FCS added.

  Note that the storage buffer read control unit 344 may use only the measurement of the elapsed time by the timer unit 341e as a reference for mirror packet output. In this case, as a result of measurement by the timer unit 341e, the accumulation buffer read control unit 344 combines a plurality of header units and additional information extracted from the packet every time a predetermined time elapses, and combines the combined header unit and additional information. Control to output a mirror packet having

  FIG. 19 is a diagram illustrating a data structure example of a mirror packet according to the third embodiment. The mirror packet 350 shown in FIG. 19 is attached with the additional information of the packet so that the additional information is sandwiched between the header portions of the packet.

  When the packet 31 having the preamble part 31a, the header part 31b, the payload part 31c, and the FCS 31d is input to the switch 300, only the header part 31b of the packet 31 is copied and stored in the switch 300.

  Subsequently, when the packet 32 having the preamble portion 32a, the header portion 32b, the payload portion 32c, and the FCS 32d is input to the switch 300, only the header portion 32b of the packet 32 is copied and accumulated in the switch 300.

  Thereafter, the switch 200 outputs a mirror packet 350 in which the headers of the packet 31 and the packet 32 are combined. This mirror packet 350 includes a header part 351b which is a copy of the header part 31b of the packet 31, a header part 352b which is a copy of the header part 32b of the packet 32, a newly added preamble part 350a, a newly calculated FCS 350d, It has an additional information part 351f indicating additional information of the packet 31 and an additional information part 352f indicating additional information of the packet 32.

  Here, the additional information part 351f is arranged between the preamble part 350a and the header part 351b. Similarly, the additional information part 352f is disposed between the header part 351b and the header part 352b.

  In this manner, by arranging the additional information of the original packet in the vicinity of the mirrored header part and outputting it by the mirror packet together with the header part, it is possible to notify the accompanying information regarding the collected packets at the same time. More detailed and advanced monitoring of traffic.

  20 to 22 are flowcharts illustrating the procedure of the mirror output control process according to the third embodiment. This mirror output control process is a process in which the switch 300 receives an input, reads the header part and additional information of the packet written in the shared memory 320 (see FIG. 17), and outputs the read header part and additional information as a mirror packet. is there. The mirror output control process is executed by the CPU 101 (see FIG. 3) when the switch 300 is activated.

  [Step S321] The CPU 101 sets whether to output a mirror packet, a cut-out size indicating the size of the header part of the cut-out packet, and additional information items. In the third embodiment, the size of the header part included in the mirror packet is determined based on this cut-out size. When the size of the header part is shorter than the cut-out size, the size of the header part is adjusted by padding. Further, based on the setting of the additional information item, additional information corresponding to the set item is included in the mirror packet and output.

[Step S322] The CPU 101 initializes an FCS register (not shown) included in the FCS calculation unit 341d (see FIG. 18) that calculates the FCS.
[Step S323] The CPU 101 determines whether there is a packet written in the shared memory 220 or not. If there is a packet, the CPU 101 advances the process to step S324. On the other hand, if there is no packet, the CPU 101 advances the process to step S322.

  [Step S324] The CPU 101 initializes a size counter (not shown) included in the size counter unit 341c (see FIG. 18) that measures the size of the header portion of the input packet.

  [Step S325] The CPU 101 determines whether or not to perform header mirroring that cuts out and outputs the header portion of the packet written in the shared memory 220. When performing header mirroring, the CPU 101 advances the process to step S331 (see FIG. 21). On the other hand, when header mirroring is not performed, the CPU 101 advances the process to step S326.

[Step S326] The CPU 101 reads the entire packet written in the shared memory 220, and calculates the FCS of the entire read packet.
[Step S327] The CPU 101 adds the FCS calculated in step S326 to the entire packet read in step S326, and outputs the result as a mirror packet. Thereafter, the CPU 101 advances the process to step S322.

  [Step S331] The CPU 101 determines whether or not the number of header portions of the packet written in the accumulation buffer 343 (see FIG. 18) is zero. If it is 0, the CPU 101 advances the process to step S333. On the other hand, if not 0, the CPU 101 advances the process to step S332.

  [Step S332] The CPU 101 has a timer (not shown) included in the timer unit 341e (see FIG. 18) that measures the elapsed time since the oldest header part of the packet stored in the storage buffer 343 is stored. Is initialized. At this time, a set value indicating a set time for completing the timer is set in the timer.

  [Step S333] The CPU 101 reads the header portion of the packet written in the shared memory 320, and writes the header portion of the read packet in the accumulation buffer 343. At this time, the CPU 101 acquires the size of the header portion of the packet from the size counter unit 341c initialized in step S324. When the size of the header portion of the packet is shorter than a predetermined cutout size, the CPU 101 adjusts the size of the header portion by adding a padding portion so that the header portion size is the same as the cutout size. Further, the CPU 101 discards unnecessary portions other than the header portion of the packet read at this time.

  [Step S334] The CPU 101 generates additional information based on the additional information extracted by the control data processing unit 341a (see FIG. 18), and writes the additional information in the accumulation buffer 343. Thereafter, the CPU 101 advances the process to step S341 (see FIG. 22).

  [Step S341] The CPU 101 stores, based on the header portion of the read packet, an accumulation number counter (not shown) included in the accumulation number counter unit 341f (see FIG. 18) and an accumulation size counter unit 341g (see FIG. 18). The value of the size counter (not shown) is updated.

  Here, as in the second embodiment, the accumulation number counter is incremented by 1 by updating based on writing to the accumulation buffer 343 in the header portion of this packet. The accumulation size counter is added with a value indicating the size of the header portion of this packet by updating based on the writing of the header portion of this packet to the accumulation buffer 343.

  [Step S342] The CPU 101 determines whether or not the value of the counter to be determined has reached the scheduled value. If the planned value has been reached, the CPU 101 advances the process to step S344. On the other hand, if the planned value has not been reached, the CPU 101 advances the process to step S343.

  Here, the determination target counter is a counter for determining whether or not the accumulated header parts are combined and output as a mirror packet, as in the second embodiment. Alternatively, one of the storage size counters is determined in advance by the design stage of the switch 300, the user setting, and the like.

  For example, when the counter to be determined is an accumulation number counter, when the value of the accumulation number counter reaches a predetermined value, that is, the header portion of a predetermined number of packets is written in the accumulation buffer 343. In step S344, a mirror packet is output.

  When the counter to be determined is an accumulation size counter, when the value of the accumulation size counter reaches a predetermined value, that is, the total size of the header portion of the packet written in the accumulation buffer 343 is estimated. When the amount reached is reached, a mirror packet is output in step S344.

  [Step S343] The CPU 101 determines whether or not the timer has been completed, that is, whether or not the timer initialized in step S332 has reached the set value and the set time has elapsed. If the timer has been completed, the CPU 101 advances the process to step S344. On the other hand, if the timer has not been completed, the CPU 101 advances the process to step S323 (see FIG. 20).

  [Step S344] The CPU 101 reads all the header parts written in the storage buffer 343 in step S333 (see FIG. 21), combines the header parts of the read packets, and calculates the FCS of the combined header parts. Further, the CPU 101 adds the calculated FCS to the read header part and outputs it as a packet. Thereafter, the CPU 101 advances the process to step S322 (see FIG. 20).

  As described above, in the third embodiment, in addition to the first embodiment and the second embodiment, the mirror output control unit 340 outputs additional information included in the mirror packet. It becomes possible to perform more detailed monitoring of network traffic using the additional information.

[Fourth Embodiment]
Next, a fourth embodiment will be described. Differences from the first embodiment, the second embodiment, and the third embodiment will be mainly described, and the same reference numerals are used for the same matters and the description is omitted.

  The fourth embodiment is the first embodiment in that it collects packets that use a port determined as a monitoring target among the input ports and output ports of the switch 400 and outputs the collected results as mirror packets. This is different from the second embodiment and the third embodiment.

Hereinafter, the switch 400 in the present embodiment will be described.
FIG. 23 is a block diagram illustrating a configuration of a switch according to the fourth embodiment. A switch 400 shown in FIG. 23 is a layer 2 switch having a function of outputting a mirror packet having a header portion of an input packet in order to monitor network traffic.

The switch 400 includes an input control unit 410, a shared memory 420, an output control unit 430, and a mirror output control unit 440 in order to monitor network traffic.
The input control unit 410 controls input of input packets received by the switch 400. At this time, the input control unit 410 performs control to write the received input packet into the shared memory 420. As a result, the input packet input to the switch 400 is written into the shared memory 420 by the input control unit 410. Here, the input packet has, for example, a header portion indicating a destination and a payload portion indicating data to be transferred such as user data.

  The shared memory 420 temporarily stores the received input packet. Thereby, the packet written in the shared memory 420 is read out under the control of the output control unit 430 and is read out under the control of the mirror output control unit 440.

  The output control unit 430 controls the output of the received input packet. Under the control of the output control unit 430, an input packet is output from the switch 400 as an output packet. As a result, the input packet written in the shared memory 420 is read from the output control unit 430 and output to the outside of the switch 400 from an output unit (not shown) such as an output port of an appropriate destination. Here, the output packet has a header part and a payload part, for example, like the input packet.

  The mirror output control unit 440 controls the output of the mirror packet based on the received input packet. At this time, the mirror output control unit 440 extracts only the header part which is a part of the input packet from the input packet written in the shared memory 420. Next, the mirror output control unit 440 performs control to copy a header part which is a part of the extracted input packet and output a mirror packet having this header part.

  According to such a switch 400, input of the received packet is controlled by the input control unit 410, and the received packet is temporarily stored by the shared memory 420 and received by the output control unit 430. The output of the packet is controlled, and the mirror output control unit 440 controls the output of the mirror packet. Here, the input control unit 410 controls the received packet to be written to the shared memory 420, and the mirror output control unit 440 extracts and extracts only a part of the packet written to the shared memory 420. Control is performed so that a mirror packet having a part of the packet is output.

  As a result, when mirroring is performed, the mirror output control unit 440 connected to an observation device (not shown) that collects mirror packets and monitors traffic is output from the shared memory 420 to the output control unit 430. Read and output the same packet data.

  In other words, the packet data read from the shared memory 420 by the mirror output control unit 440 is not part of the entire packet data, but part of the packet data. Further, it is read out with an upper limit of a specific size designated by the user or predetermined.

The switch 400 is a layer 2 switch, but is not limited thereto, and may be a communication device having a data relay function such as a router.
Further, the switch 400 has a plurality of input ports to which packets are input, such as input ports a, b,. The mirror output control unit 440 performs control to output a mirror packet of a packet input to a predetermined input port among the plurality of input ports.

  The additional information includes information indicating a location where the packet is mirrored. The switch 400 has a plurality of input ports through which packets are input. The additional information includes information indicating an input port into which a packet for which a mirror packet is output by the mirror output control unit 440 is input.

  Further, when the switch 400 has a plurality of output ports from which packets are output, the mirror output control unit 440 performs control to output a mirror packet of a packet output from the output port that outputs the packet. In this case, the additional information may include information indicating an output port to which a packet for which a mirror packet is output by the mirror output control unit 440 is output.

  24 and 25 are diagrams illustrating the operation of the switch according to the fourth embodiment. FIG. 24 shows the operation of the switch 400 when an input port is set as a monitoring target in the fourth embodiment. FIG. 25 shows the operation of the switch 400 when the output port is set as a monitoring target.

  FIG. 24 describes the operation of the switch 400 when the input port a is the monitoring target. Here, the packet 31 is a packet input to the switch 400 by the input port a. The packet 32 is a packet input to the switch 400 by the input port b. The mirror packet 450 is a packet mirrored based on the packet 31 input from the input port a to be monitored.

The packets 31 and 32 have preamble portions 31a and 32a, header portions 31b and 32b, payload portions 31c and 32c, and an FCS (not shown), respectively.
As shown in FIG. 24, when packets 31 and 32 are sequentially input to the switch 400, a mirror packet 450 corresponding to the packet 31 input from the input port a to be monitored is output accordingly. At this time, the header portion 451b of the mirror packet 450 is a copy of the header portion 31b of the packet 31.

  That is, the mirror packet 450 is output by adding the preamble part 450a and the FCS of the mirror packet to the header part 451b which is a copy of the header part from which the payload part 31c and the FCS of the packet 31 are removed by the switch 400. On the other hand, the mirror packet corresponding to the packet 32 input from the input port b that is not the monitoring target is not output.

  FIG. 25 describes the operation of the switch 400 when the output port a is the monitoring target. Here, the packet 31 is a packet that is input to the switch 400 by the input port a and output from the output port a. The packet 32 is a packet that is input to the switch 400 by the input port b and output from the output port a. The mirror packet 460 is a packet that is mirrored based on the packets 31 and 32 output from the output port a to be monitored.

The packets 31 and 32 have preamble portions 31a and 32a, header portions 31b and 32b, payload portions 31c and 32c, and an FCS (not shown), respectively.
As shown in FIG. 25, when packets 31 and 32 are sequentially input to the switch 400, a mirror packet 460 corresponding to the packets 31 and 32 output from the output port a to be monitored is output accordingly. . At this time, the header portion 461b of the mirror packet 460 is a copy of the header portion 31b of the packet 31.

  That is, the mirror packet 460 includes a payload portion 31c of the packet 31 output from the output port a to be monitored by the switch 400, a header portion 461b that is a copy of the header portion from which the FCS is removed, and a payload portion 32c of the packet 32. The header part 462b, which is a copy of the header part from which the FCS has been removed, is added with the preamble part 460a and the FCS of the mirror packet and output.

  As described above, in the fourth embodiment, in addition to the first embodiment, the second embodiment, and the third embodiment, the mirror output control unit 440 includes the input port to be monitored and By outputting the mirror packet that collects the header part of the packet that has passed through the output port, the input / output status of the packet for each port can be collected, and more detailed traffic monitoring can be performed.

  Although the disclosed communication apparatus and communication method have been described based on the illustrated embodiment, the above description merely shows the principle of the present invention. Further, the present invention is not limited to the exact configurations and application examples described above, and many variations and modifications are possible to those skilled in the art, and all corresponding variations and equivalents are claimed in the appended claims. Further, the configuration of each part can be replaced with any configuration having a similar function. Moreover, other arbitrary structures and processes may be added. Further, any two or more configurations of the above-described embodiments may be combined.

(Appendix 1) In a communication device that monitors network traffic,
Input control means for controlling input of a packet received by the communication device;
Temporary storage means for temporarily storing the received packet;
Output control means for controlling the output of the received packet;
Mirror output control means for controlling the output of a mirror packet based on the received packet;
Have
The input control means performs control to write the received packet to the temporary storage means,
The communication is characterized in that the mirror output control means extracts only a part of the packet written in the temporary storage means and outputs the mirror packet having the part of the extracted packet. apparatus.

(Additional remark 2) The said mirror output control means performs control which extracts a header part as the said part from the said packet, The communication apparatus of Additional remark 1 characterized by the above-mentioned.
(Supplementary Note 3) The mirror output control means includes:
Accumulation storage means for storing the part extracted from the packet;
Temporary storage read control means for reading out the packet stored in the temporary storage means, extracting the part from the read packet, and writing the extracted part of the packet into the accumulation storage means; ,
Reading the part of the packet written in the storage and storage means, combining a plurality of the part of the read packet into the mirror packet, and outputting the mirror packet having the combined part Storage storage read control means for performing control,
The communication apparatus according to appendix 1, characterized by comprising:

(Additional remark 4) The said mirror output control means has a timer means to measure elapsed time,
The accumulated storage read control unit combines the plurality of parts extracted from the packet every time a predetermined time has passed as a result of the measurement by the timer unit, and the mirror packet having the combined part The communication apparatus according to appendix 3, wherein control is performed to output.

(Additional remark 5) The said mirror output control means has the accumulation number count means which counts the said part of the said packet written in the said accumulation memory means,
The accumulated storage read control unit combines a plurality of the parts extracted from the packet every time the number of the part of the packet reaches a predetermined number as a result of counting by the accumulated number counting unit, 4. The communication apparatus according to appendix 3, wherein control is performed to output the mirror packet having the part combined.

(Additional remark 6) The said mirror output control means has a timer means to measure elapsed time,
The accumulation storage read control unit is configured to obtain a plurality of the ones as a result of counting by the timer unit even if the number of the part of the packets does not reach the predetermined number as a result of counting by the accumulation number counting unit. When a predetermined time has elapsed since the first part of the unit was accumulated, a plurality of the parts extracted from the packets accumulated up to that time are combined, and the combined one 6. The communication device according to appendix 5, wherein control is performed to output the mirror packet having a unit.

(Additional remark 7) The said mirror output control means has the accumulation | storage size count means which totals the said one part size of the said packet written in the said accumulation | storage storage means,
The accumulation storage read control unit combines a plurality of the parts extracted from the packet every time the sum of the sizes of the part of the packet reaches a predetermined amount as a result of the summation by the accumulation size counting unit. The communication apparatus according to appendix 3, wherein control is performed to output the mirror packet having the combined part.

(Supplementary Note 8) The mirror output control means includes timer means for measuring elapsed time,
As a result of the summation by the accumulation size count means, the accumulated storage read control means has a plurality of results of timing by the timer means, even if the sum of the sizes of the part of the packet has not reached the predetermined amount. When a predetermined time has elapsed since the first part of the part was accumulated, a plurality of the parts extracted from the packets accumulated up to that time are combined, and the combined The communication apparatus according to appendix 7, wherein control is performed to output the mirror packet having the part.

(Supplementary Note 9) The mirror output control means has size counting means for measuring the size of the part of the packet written to the accumulation storage means,
When the size of the part of the packet measured by the size counting unit is smaller than a predetermined amount, the storage / storage write control unit aligns the size of the part of the packet to a predetermined amount by padding. The communication apparatus according to appendix 3, wherein control is performed.

(Additional remark 10) The said mirror packet has additional information regarding the said packet, The communication apparatus of Additional remark 1 characterized by the above-mentioned.
(Additional remark 11) The said additional information has the information which shows the size of the said packet, The communication apparatus of Additional remark 10 characterized by the above-mentioned.

(Additional remark 12) The said communication apparatus has two or more input means into which the said packet is input,
11. The communication apparatus according to appendix 10, wherein the additional information includes information indicating the input unit to which the packet for which the mirror packet is output by the mirror output control unit is input.

(Additional remark 13) The said communication apparatus has multiple output means to which the said packet is output,
11. The communication apparatus according to appendix 10, wherein the additional information includes information indicating the output unit that outputs the packet on which the mirror packet is output by the mirror output control unit.

(Additional remark 14) The said communication apparatus has two or more input means into which the said packet is input,
The communication apparatus according to claim 1, wherein the mirror output control unit performs control to output the mirror packet of the packet input to the predetermined input unit among the plurality of input units.

  (Additional remark 15) The said mirror output control means performs control which outputs the said mirror packet of the said packet output from the output means which outputs the said packet, The communication apparatus of Additional remark 1 characterized by the above-mentioned.

  (Supplementary note 16) The communication apparatus according to supplementary note 1, wherein the mirror output control means includes error information addition means for adding error detection information for detecting an error of the mirror packet to the mirror packet.

(Additional remark 17) The said communication apparatus is a layer 2 switch, The communication apparatus of Additional remark 1 characterized by the above-mentioned.
(Supplementary note 18) The communication device according to supplementary note 1, wherein the communication device is a router.

(Supplementary note 19) In a communication method for monitoring network traffic,
An input control step in which an input control means controls input of a packet received by the communication device;
A mirror output control means for controlling output of a mirror packet based on the received packet;
Have
In the input control step, the input control unit performs control to write the received packet in a temporary storage unit that temporarily stores the packet,
In the mirror output control step, the mirror output control means extracts only a part of the packet written in the temporary storage means, and outputs the mirror packet having the part of the extracted packet. The communication method characterized by performing.

It is a figure which shows the outline | summary of this Embodiment. It is a figure which shows the whole structure of a communication system. It is a figure which shows the hardware constitutions of a switch. It is a figure which shows the data structure example of a packet. It is a block diagram which shows the structure of the switch in 1st Embodiment. It is a block diagram which shows the structure of the input control part in 1st Embodiment. It is a block diagram which shows the structure of the mirror output control part in 1st Embodiment. It is a figure which shows the operation | movement of the switch in 1st Embodiment. It is a flowchart which shows the procedure of the input control process in 1st Embodiment. It is a flowchart which shows the procedure of the mirror output control process in 1st Embodiment. It is a block diagram which shows the structure of the mirror output control part in 2nd Embodiment. It is a figure which shows operation | movement of the switch in 2nd Embodiment. It is a figure which shows the example of a data structure of the mirror packet in 2nd Embodiment. It is a figure which shows the example of a data structure of the mirror packet in 2nd Embodiment. It is a flowchart which shows the procedure of the mirror output control process in 2nd Embodiment. It is a flowchart which shows the procedure of the mirror output control process in 2nd Embodiment. It is a block diagram which shows the structure of the input control process in 3rd Embodiment. It is a block diagram which shows the structure of the mirror output control part in 3rd Embodiment. It is a figure which shows the data structure example of the mirror packet in 3rd Embodiment. It is a flowchart which shows the procedure of the mirror output control process in 3rd Embodiment. It is a flowchart which shows the procedure of the mirror output control process in 3rd Embodiment. It is a flowchart which shows the procedure of the mirror output control process in 3rd Embodiment. It is a block diagram which shows the structure of the switch in 4th Embodiment. It is a figure which shows the operation | movement of the switch in 4th Embodiment. It is a figure which shows the operation | movement of the switch in 4th Embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Communication apparatus 1a Input control means 1b Primary storage means 1c Output control means 1d Mirror output control means

Claims (6)

In a communication device that monitors network traffic,
Input control means for controlling input of a packet received by the communication device;
Temporary storage means for temporarily storing the received packet;
Output control means for controlling the output of the received packet;
Mirror output control means for controlling output of a mirror packet based on the received packet;
Have
The input control means performs control to write the received packet to the temporary storage means,
The communication is characterized in that the mirror output control means extracts only a part of the packet written in the temporary storage means and outputs the mirror packet having the part of the extracted packet. apparatus.   The communication apparatus according to claim 1, wherein the mirror output control unit performs control to extract a header part as the part from the packet. The mirror output control means includes
Accumulation storage means for storing the part extracted from the packet;
Temporary storage read control means for reading out the packet stored in the temporary storage means, extracting the part from the read packet, and writing the extracted part of the packet into the accumulation storage means; ,
Read out the part of the packet written in the storage and storage means, combine a plurality of the part of the read out packet into the mirror packet, and output the mirror packet having the combined part Storage storage read control means for performing control,
The communication apparatus according to claim 1, further comprising: The mirror output control means has timer means for measuring elapsed time,
The accumulated storage read control unit combines the plurality of parts extracted from the packet every time a predetermined time has passed as a result of the measurement by the timer unit, and the mirror packet having the combined part The communication apparatus according to claim 3, wherein control for outputting is performed. The mirror output control means has accumulation number counting means for counting the part of the packets written in the accumulation storage means,
The accumulation storage read control unit combines a plurality of the parts extracted from the packet every time the number of the part of the packet reaches a predetermined number as a result of counting by the accumulation number counting unit, The communication apparatus according to claim 3, wherein control is performed to output the mirror packet having the part combined. In a communication method for monitoring network traffic,
An input control step in which an input control means controls input of a packet received by the communication device;
A mirror output control means for controlling output of a mirror packet based on the received packet;
Have
In the input control step, the input control unit performs control to write the received packet in a temporary storage unit that temporarily stores the packet,
In the mirror output control step, the mirror output control means extracts only a part of the packet written in the temporary storage means, and outputs the mirror packet having the part of the extracted packet. The communication method characterized by performing.

Images