JP2010041644A - Flow determination method, communication device, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a flow determination method that can simplify a process needed for flow determination, in flow determination using a template definition system; a communication device; and a program. <P>SOLUTION: In this flow determination method, respective data of a plurality of predetermined designated fields in an existing flow are stored in a storage part; an order is set on a designation field basis based on data in a header of an observed packet and held in a holding part; the data in the storage part and data in a header of a new packet are compared with each other on a designation field basis in accordance with the order; when the comparison result shows disaccord during the comparison, the new packet is determined not to belong to the existing flow to suspend the comparison of the new packet with the existing flow; when data of an existing flow without being compared with the new packet are present in the storage part at that point, the comparison object of the new packet is changed to the data of the existing flow without being compared to continue the comparison; and, when all the comparison results in a plurality of designation fields shows accord, the new packet is determined to belong to the existing flow. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a method for measuring a plurality of communications between a plurality of bases on a network that connects a plurality of terminals such as the Internet and an IP network, in particular, a newly generated traffic is a flow that has already occurred. The present invention relates to a flow determination method, a communication apparatus, and a program for determining whether to belong.

  The IP used on the Internet includes information on a protocol, a source IP address, and a destination IP address, and the transport protocol includes information on a source port and a destination port.

  Among traffic measurement techniques, a method of classifying communication types based on information held by these packets is flow measurement (flow determination).

  In flow measurement, packets having information such as the same protocol, the same source IP address, the same destination IP address, the same source port, and the same destination port are regarded as packets belonging to the same communication. A set of packets belonging to the same communication is called a flow. By measuring the flow data amount and packet amount, a plurality of communication services can be monitored between a plurality of points.

  In Internet communication, route control is performed by a router. A packet transmitted from the transmission source reaches the transmission destination via a plurality of routers. Since the router refers to the IP header of the packet and, in some cases, the header of the transport layer, it is suitable as a device for classifying the flows described above.

  As a method for notifying other devices of the flow information of a packet that has passed through a router, NetFlow (see Non-Patent Document 1) and IPFIX (IP Flow Information Export) (see Non-Patent Document 2) are known.

  In these methods, a router is assumed as one of the flow information transmission apparatuses. Flow information transmitted from the transmission device is received by a reception device having network connectivity with the transmission device.

  The flow information includes information such as a source IP address, a destination IP address, a source port, a destination port, a protocol, a flow start time, a flow end time, and a byte counter. These items of information are called field types in NetFlow and Information Elenent in IPFIX. Hereinafter, field types in NetFlow and Information Elements in IPFIX are collectively referred to as element information.

  There are two methods for packetizing flow information: a fixed format method and a template definition method. In the fixed format method, the same element information is always arranged in a fixed manner in the flow information.

  In the template definition method, the flow information definition information and the flow information data information are separated, and the field of the flow information data information is determined from the element information number and the size information included in the definition information. In the definition information, one or more combinations of element information numbers and information of their sizes are listed in succession, whereby a plurality of fields of data information are determined. The order of the fields in the data information is determined based on the order of enumeration of the element information in the definition information, and the format is determined.

  It is NetFlow version 9 and IPFIX that adopt the template definition method in the existing protocol. On the other hand, NetFlow versions 1, 5, and 8 adopt a fixed format method.

  In the template definition method, first, the transmission device transmits information listing the number of element information called a template and the size of the element information to the reception device.

  After the template is received on the receiving side, the transmitting apparatus packetizes the flow data in the order of the element information defined in the template, and transmits the packet data to the receiving apparatus.

  In the template definition method, the element information included in the flow information can be changed by the template definition, so that it is possible to transmit / receive flow information suitable for each network configuration and each purpose of collecting flow information.

  In the flow transmission device, the function unit that determines the flow and the function unit that packetizes and transmits the flow information that is determined can be separated, so even if a protocol that uses a template definition method for packetization is used, the user The function part that performs flow determination always makes a determination on only a specific field and sends definition information in addition to data information according to the protocol rules, but does not have the flexibility of changing the template by input from There may also be implementations where the packet uses a substantially fixed format. On the other hand, when an input from a user is accepted for determination of a template, element information included in the flow and element information serving as a condition constituting the flow are determined by the input.

  Information (data) is extracted from the corresponding field of the observed packet based on element information which is a condition constituting the flow. The extracted information is compared with information in the corresponding field of the existing flow in order to determine whether the new observation packet is a new flow or an existing flow.

In the case of a flexible implementation of the template, since the template can be freely defined by input from the user or the like, the fields to be compared are changed by the input.
[Search May 30, 2008], Internet <http://www.ietf.org/rfc/rfc3954.txt> [Search May 30, 2008], Internet <http://www.ietf.org/rfc/rfc5101.txt>

   The template definition method can have information flexibility as compared with the fixed format method. On the other hand, the required processing increases, and the processing efficiency and the computer resource amount utilization efficiency may be inferior.

  The flow information transmission device has a function of creating flow information from the observed packet and holding it inside, and a function of transmitting the flow information inside according to the protocol.

  In the function of creating and holding the flow information, in the fixed format method, the field of the packet header to be compared is determined in advance, so that a plurality of pieces of element information can be compared by a unique comparison process. The same applies to the case where the flow information is transmitted by packetizing into a substantially fixed format by comparing only the fixed fields while using the protocol adopting the template definition method.

  On the other hand, when element information that is a condition for configuring a flow can be freely changed (designated) in a protocol that adopts a template definition method, it cannot be realized by comparison of fixed fields, and a packet header corresponding to each element information It is necessary to make a comparison for each field. As a method with no possibility of erroneous determination, there is a method of comparing each field individually.

  The comparison method for each field increases the number of processing compared to the comparison processing in the fixed format or the comparison processing in the implementation in which the field for comparison processing is fixed, which is the template definition method.

  An object of the present invention is to provide a flow determination method, a communication apparatus, and a program that can reduce the number of searches required for flow determination in flow determination using a template definition method.

  The flow determination method of the present invention is a flow determination method in a communication device that determines whether a newly observed new packet belongs to an existing flow, and is arbitrarily specified to define the existing flow Each of the designated fields based on the accumulation step of accumulating the data registered in each of the plurality of designated fields in the existing flow in the accumulation means and the data in the header information of the observed packets that have already been observed. A setting step for holding the rank for each designated field in the holding means, the data in the storage means, and the data in the header information of the new packet for each of the designated fields. The comparison step for comparing according to the rank in the holding means, and the comparison result indicating a mismatch when performing the comparison according to the rank, It is determined that the new packet does not belong to the existing flow, the subsequent comparison of the new packet and the existing flow is stopped, and the data of the existing flow that has not been compared with the new packet at that time is accumulated. If it exists in the means, the comparison target of the new packet is changed to the data of the uncompared existing flow and the comparison is continued, and if all the comparison results in the plurality of designated fields indicate a match, Determining that a new packet belongs to the existing flow.

  The communication apparatus according to the present invention is a communication apparatus that determines whether a newly observed new packet belongs to an existing flow, and is included in the existing flow arbitrarily designated to define the existing flow. Storage means for storing data registered in each of the plurality of designated fields, and holding means for holding the order set for each of the designated fields based on the data in the header information of the observed packets that have already been observed. The data in the storage means and the data in the header information of the new packet are compared for each designated field according to the rank in the holding means, and the comparison is performed when the comparison is performed according to the rank. If the result indicates a mismatch, it is determined that the new packet does not belong to the existing flow, and the new packet and the existing flow are further determined. If the data of the existing flow that has not been compared with the new packet exists in the storage means at that time, the comparison target of the new packet is changed to the data of the existing flow that has not been compared. And comparing means for continuing the comparison and determining that the new packet belongs to the existing flow when all the comparison results in the plurality of designated fields indicate a match.

  According to the present invention, the data in the storage means and the data in the header information of the new packet have already been observed when comparing each of a plurality of designated fields arbitrarily designated to define the existing flow. The data is compared according to the order set based on the data in the header information of the packets.

  For this reason, it becomes possible to compare the data of the designated field in an order suitable for the data in the header information of the already observed packet, and it is possible to reduce the number of data comparisons and data searches.

  For example, if a comparison is made in order from a specified field having a large number of different specified fields among a plurality of specified fields, the number of data comparisons and data searches can be reduced.

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 1 is a block diagram illustrating a communication apparatus that classifies network traffic for each flow, performs measurement, and transmits measured flow information according to an embodiment of the present invention. FIG. 1 shows the configuration of a part related to packet processing.

  In FIG. 1, the transmitting apparatus 100 compares a packet observed from a network or the like with an accumulated flow according to a template definition method, and based on the comparison result, the observation packet is stored as a new flow. It is determined whether it is an existing flow.

  The transmission apparatus 100 includes a network interface (hereinafter referred to as “NIC”) 1, a packet observation unit (hereinafter referred to as “observation unit”) 2, and a flow information creation unit (hereinafter referred to as “creation unit”) 3. And a flow information sending part (hereinafter referred to as “sending part”) 4. The creation unit 3 includes a flow information storage unit (hereinafter referred to as “storage unit”) 3a and a new observation packet / existing flow comparison unit (hereinafter referred to as “packet / flow comparison unit”) 3b. The packet flow comparison unit 3b includes a different number holding unit (hereinafter referred to as “holding unit”) 3b1, a comparison unit 3b2, and a change detection unit (hereinafter referred to as “detection unit”) 3b3.

  A NIC (accepting means) 1 accepts a packet from a network such as the Internet and provides it to the observation unit 2.

  The observation unit (observation means) 2 accepts a packet from the NIC 1 or a packet that is scheduled to be output after some processing. The observation unit 2 performs packet sampling and filtering on the received packet as necessary, and extracts a newly observed packet (hereinafter referred to as “new packet”). The observation unit 2 provides the new packet to the creation unit 3.

  The creation unit (creation unit) 3 creates flow information based on the new packet.

  The accumulation unit (accumulation means) 3a accumulates flow information. For example, the accumulation unit 3a accumulates, as flow information, at least data registered in each of a plurality of designated fields in the existing flow that is arbitrarily designated to define the existing flow.

  The flow information creation process is performed by the comparison unit (comparison means) 3b2.

  The holding unit (holding unit) 3b1 holds the order set for each designated field based on the data in the header information of the already observed packets.

  The comparison unit 3b2 compares the data of the existing flow already observed in the storage unit 3a and the data in the header information of the new packet transmitted from the observation unit 2 for each designated field in the rank in the holding unit 3b1. To determine whether the new packet is a new flow or an existing flow.

  When the comparison unit 3b2 performs the comparison according to the order in the holding unit 3b1, and the comparison result indicates a mismatch, the comparison unit 3b2 determines that the new packet does not belong to the existing flow, and the new packet and the If the subsequent comparison of the existing flow is canceled and the existing flow that is not compared with the new packet still exists in the storage unit 3a, the comparison target of the new packet is the existing flow that is not compared. Change to to continue the comparison. The comparison unit 3b2 determines that the new packet belongs to the existing flow when all the comparison results in the plurality of designated fields indicate coincidence.

  The comparison unit 3b2 sets the rank for each designated field based on the data in the header information of the already observed packet, and holds the rank for each designated field in the holding unit 3b1.

  Further, the comparison unit 3b2 newly sets the rank for each designated field based on the data in the header information of the observed packet different from the observed packet used for setting the rank in the holding unit 3b1, and holds it. The order in the part 3b1 is updated to the newly set order.

  In this embodiment, the comparison unit 3b2 sets or updates the order as follows.

  First, the comparison unit 3b2 measures and obtains a different number for each designated field based on data in the header information of the observed packet used for setting or updating the rank in the holding unit 3b1.

  Note that the number of different designated fields indicates the number of occurrences of different values in the designated field. For this reason, the larger the number of differences, the higher the possibility that the data in the designated field corresponding to the number of differences will be different for each flow.

  Subsequently, the comparison unit 3b2 sets the rank so that the higher the number of the designated fields among the plurality of designated fields, the higher the rank.

  Further, the comparison unit 3b2 compares the data in the storage unit 3a and the data in the header information of the new packet for each designated field in descending order of rank in the holding unit 3b1.

  Further, the comparison unit 3b2 updates the rank in the holding unit 3b1 at the time of updating the data in the storage unit 3a.

  For example, the comparison unit 3b2 updates the rank in the holding unit 3b1 as follows.

  The comparison unit 3b2 causes the flow information (data) in the storage unit 3a to be transmitted from the sending unit 4 to an external device at a certain timing, and deletes the flow information in the storage unit 3a. If the flow information is not stored in the storage unit 3a, the comparison unit 3b2 always determines that the new packet is a new flow, creates flow information for the new flow based on the new packet, and stores the flow information in the storage unit 3a. To accumulate. The comparison unit 3b2 newly sets the rank for each designated field based on the data in the header information of the packet observed in a certain period after the time when all the data in the storage unit 3a is transmitted to the external device. The rank in the holding unit 3b1 is updated to the newly set rank.

  The comparison unit 3b2 compares the updated data in the storage unit 3a with the data in the header information of the new packet for each designated field in the descending order of the update in the holding unit 3b1.

  If the comparison unit 3b2 determines that the new packet does not belong to the existing flow, the comparison unit 3b2 determines that the new packet belongs to the new flow, and uses the sum of the number of existing flows and the number of new flows as the flow recognition number. recognize.

  The detection unit (change detection unit) 3b3 determines whether a change in traffic related to a new packet satisfies a predetermined condition.

  As the predetermined condition, for example, a condition that a change amount or a change rate of the number of flow recognitions in a predetermined period exceeds a predetermined threshold value is used.

  In addition, when the detection unit 3b3 determines that the traffic change relating to the new packet satisfies a predetermined condition, the comparison unit 3b2 sets a new rank and sets the rank in the holding unit 3b1. Update to the ranking.

  When a new packet is assigned to a new flow, the comparison unit 3b2 newly registers new flow information in the storage unit 3a.

  On the other hand, when a new packet is allocated to an existing flow, the comparison unit 3b2 displays time information (flow start / end time), data amount information (byte amount / packet amount), etc. of the existing flow in the storage unit 3a. Update.

  The creation unit 3 sets the flow information in the storage unit 3a at regular time intervals, in accordance with some user instruction, or the remaining amount of the storage buffer constituting the storage unit 3a is less than a predetermined value. Provided to the sending unit 4 autonomously due to internal reasons such as fewer functions.

  The transmitting unit 4 appropriately packetizes the flow information in a format conforming to the protocol and transmits the packet.

  Although not shown in FIG. 1, as a functional unit indirectly related to packet processing, parameters used for template setting, setting of element information of flow configuration conditions, and the like are received from the user, and necessary information is received. , There is a functional unit (for example, an input unit) that transmits to each unit illustrated in FIG. 1.

  1 may be realized by a computer that operates according to a program recorded on a CD-ROM, a hard disk, or a memory. A CD-ROM, hard disk, or memory can generally be called a computer-readable recording medium. In this case, the computer equipped with the NIC 1 functions as the observation unit 2, the creation unit 3, and the transmission unit 4 by reading and executing the program from the recording medium, and the transmission device 100 can be realized.

  Here, an outline of the operation of the transmission apparatus 100 will be described.

  The transmission apparatus 100 employs a template definition method. In addition, the designation field that defines the flow is not constant, and the transmission apparatus 100 has a function of freely changing the designation field by external input or the like.

  The comparison unit 3b2 determines whether the new packet observed by the observation unit 2 is an existing flow already accumulated in the accumulation unit 3a or a new flow to be newly registered.

  Specifically, the comparison unit 3b2 compares whether the data of each designated field in the new packet is the same as the data of each designated field of the existing flow accumulated in the accumulation unit 3a.

  If the field data in the new packet is different from the field data of the existing flow by even one field, the comparison unit 3b2 determines that the new packet is a flow different from the existing flow, and stores it in the storage unit 3a. Compare with the next existing flow. When iterative processing is performed and it is found that the new packet is different from all existing flows, the comparison unit 3b2 determines that the new packet is a new flow.

  When comparing the data of the specified field individually, if it is determined whether the flow is a new flow or not by comparing fewer fields, the existing flow search and the flow determination for determining whether the flow is an existing flow or a new flow. Accordingly, the number of comparisons of data in each field can be reduced.

  In the storage unit 3a, the storable number N of flows is determined according to the amount of memory that can be used by the processing system.

  In this embodiment, in addition, the packet flow comparison unit 3b has a memory space that holds a different number for each designated field that is a component of the flow, that is, a holding unit 3b1.

  This space depends on the algorithm that calculates the different numbers.

  Different algorithms for calculating the number are famous, such as Liner Counting, LogLog Counting, and ACC (Adaptive Cardinality Counting) that combines them, but any algorithm can be used.

  In this embodiment, regardless of which algorithm is used, the maximum number of memory spaces (bit strings in the case of Liner Counting) required to obtain the different numbers that can be held by these algorithms is the same as the number of flow accumulations possible. .

  The comparison unit 3b2 makes the comparison order earlier for a designated field having a larger number of differences calculated and estimated. Specifically, the comparison unit 3b2 sets the designated field to be compared first as the designated field having the largest number of differences calculated and estimated, and sets the designated field to be compared last as the designated field having the smallest number of differences. And

  Since the number of comparisons of each designated field is the same as the number of packets, the designated field having a different number is placed higher in the comparison order, so that the packet is different in the designated field in which the first comparison is performed. The probability that this can be determined increases.

  At the start of creation of flow information, the comparison unit 3b2 calculates the number of M packets observed in the observation unit 2 for each field.

  For example, when the source address, the destination address, the protocol, the source port, and the destination port are designated fields that use flow creation conditions, the comparison unit 3b2 uses the five designation fields in the holding unit 3b1 as illustrated in FIG. , For each of the observed M packets, a different number for each field is counted.

  Next, the comparison unit 3b2 arranges the five designated fields in descending order, sets the rank according to the order, and sets the rank as the designated field comparison order.

  For example, when the five designated fields are arranged in the order of different numbers, the destination address, the source address, the destination port, the source port, and the protocol are in the order, and the comparison unit 3b2 displays the destination address, the source address, and the destination port. Search (comparison) in the order of source port and protocol.

  If the newly determined order is different from the order that has been used so far, the comparison condition (order) is different from the existing flow that is stored using a different order from the newly determined order. It becomes impossible to compare the existing flow information in the updated order.

  In order to continue the comparison, the comparison unit 3b2 provides all the flow information accumulated in the accumulation unit 3a to the transmission unit 4, and deletes all accumulated flow information from the accumulation unit 3a.

  After that, the comparison unit 3b2 only needs to newly accumulate flow information in the accumulation unit 3a from the packets observed thereafter using the updated order.

  The timing at which the flow information is provided from the storage unit 3a to the sending unit 4 is considered to be the same as the timing at which the sending unit 4 sends the flow information to a receiving device (not shown). Is depleted of resources, or some forced time, and these timings are timings for switching the order in the holding unit 3b1 to the updated order.

  Generally, at some of these transmission timings, not all flow information stored in the storage unit 3a is transmitted. For example, in the transmission based on the regular transmission interval, information on a flow that is not determined to be completed remains in the storage unit 3a.

  The comparison unit 3b2 determines whether the flow exceeds a predetermined time (active timeout time), the packet interval of the observed flow exceeds a predetermined time (idle timeout time), and TCP It is determined that the flow has ended in each of the cases where there is an explicit flow end in the above.

  In the present embodiment, when the comparison unit 3b2 updates the order, the flow information that does not satisfy the flow end condition is also provided from the accumulation unit 3a to the sending unit 4 for the reason of forced termination of the flow, and from the accumulation unit 3a. By deleting, the storage unit 3a is set to an initial state in which nothing is stored.

  Similarly, when the flow information is sent to the receiving device when the resource of the transmitting device 100 is exhausted, the comparison unit 3b2 similarly provides all the flow information stored in the storage unit 3a to the transmission unit 4 and deletes it from the storage unit 3a. Thus, the storage unit 3a is set to an initial state in which nothing is stored.

  The comparison unit 3b2 updates the order held in the holding unit 3a1 to a new order when the storage unit 3a is in the initial state.

  In IPFIX, there is an Information Element (No. 136: flowEndReason) that indicates the reason for the end of the flow, and it is possible to transmit the end of the flow from the transmitting device 100 to a receiving device (not shown).

  Here, when flow information is transmitted at a regular transmission interval, the flow has already been explicitly passed to the active timeout (0x01: activetimeout), idle timeout (0x02: idletimeout), TCP, etc. (0x03: end of Flow) If it is detected), those reasons are used, and if not, forced end (0x04: forced end) is used as the reason. Further, when the cause of the flow information transmission is resource depletion, resource depletion (0x05: rack of resources) may be used.

  As described above, since a search is performed from a designated field having a large number of differences, when a new packet and an existing flow are different, a determination can be made by comparing a small number of fields, and the total number of searches can be reduced.

  In this embodiment, as long as the traffic trend does not change significantly, the order obtained by the above method may be used. When traffic trends change, different numbers need to be observed and the order recalculated.

  The method for detecting the traffic change is not particularly limited. As an example, the detection unit 3b3 holds the number of flows per a certain time transmitted last time and the number of flows per a certain time transmitted this time regarding the total number of flows created and transmitted within a certain time (within a regular transmission interval). A threshold determination may be made to detect that the difference has changed when the difference is constant or greater than a specified change amount, or when the quotient is equal to or greater than a specified change rate.

  FIG. 3 is a flowchart for explaining an example of the operation of the transmission apparatus 100.

  Hereinafter, an example of the operation of the transmission apparatus 100 will be described with reference to FIG.

  In step 301, the comparison unit 3b2 compares the data of the existing flow in the storage unit 3a with the data in the header information of the new packet from the observation unit 2 according to the order in the holding unit 3b1 for each designated field. However, if the comparison results show a mismatch during the comparison, it is determined that the new packet does not belong to the existing flow, and the subsequent comparison for the new packet and the existing flow is stopped. When the data of the existing flow that has not been compared with the new packet exists in the storage unit 3a at that time, the comparison target of the new packet is changed to the data of the existing flow that has not been compared, If all the comparison results in the designated field indicate a match, it is determined that the new packet belongs to the existing flow.

  Note that the processing of step 301 is executed when the detection unit 3b3 determines that the traffic change related to the new packet does not satisfy the predetermined condition, or until the periodic transmission interval of the flow information elapses or the resource of the storage unit 3a This is done until the state is just before depletion.

  When the process of step 301 ends, step 302 is executed.

  In step 302, the comparison unit 3b2 provides the end flow information to the transmission unit 4, and the transmission unit 4 transmits the end flow information. Note that the process of step 302 is a normal process.

  Subsequently, in step 303, the comparison unit 3b2 calculates the total number of transmission flows per hour based on the flow information in the storage unit 3a, and records the calculation result in the detection unit 3b3. The detection unit 3b3 compares the current total number of transmission flows with the previous number of transmission flows, and determines whether there is a change in traffic.

  Subsequently, in step 304, when the detection unit 3b3 does not detect a change in traffic (when there is no change in traffic), the comparison unit 3b2 executes step 301.

  In step 304, when the detection unit 3b3 detects a change in traffic (when there is a change in traffic), the comparison unit 3b2 executes step 305.

  In step 305, the comparison unit 3b2 performs the same operation as in step 301.

  Subsequently, in step 306, the comparison unit 3 b 2 measures the number of M packets observed in the observation unit 2 that are different for each field.

  Note that the processing in steps 305 and 306 is executed when the detection unit 3b3 determines that the change in traffic related to the new packet does not satisfy the predetermined condition, or until the regular transmission interval of the flow information elapses or the storage unit 3a. This is done until the resource is exhausted.

  When the processing of steps 305 and 306 is completed, step 307 is executed.

  In step 307, the comparison unit 3b2 arranges the designated fields in which the different numbers are measured, in order from the largest different numbers, sets a new rank according to the order, and sets the new rank in the holding unit 3b1. Update the ranking.

  Subsequently, in step 308, if the storage unit 3a is in a resource depletion state, the comparison unit 3b2 executes step 309.

  In step 309, the comparison unit 3b2 causes the sending unit 4 to transmit all the flow information in the storage unit 3a as a resource exhaustion state, and deletes the flow information in the storage unit 3a. Thereafter, step 303 is executed.

  On the other hand, if the regular transmission interval has elapsed in step 308, the comparison unit 3b2 causes the sending unit 4 to forcibly transmit the untransmitted flow information in the storage unit 3a and deletes the flow information in the storage unit 3a. To do. Thereafter, step 302 is executed.

  According to the present embodiment, the holding unit 3b1 holds the order set for each designated field based on the data in the header information of the already observed packet.

  The comparison unit 3b2 compares the data of the existing flow in the storage unit 3a and the data in the header information of the new packet from the observation unit 2 according to the order in the holding unit 3b1 for each designated field. When the comparison shows that the result of the comparison is inconsistent, it is determined that the new packet does not belong to the existing flow, the subsequent comparison of the new packet and the existing flow is stopped, and the If data of an existing flow that has not been compared with the new packet still exists in the storage unit 3a at that time, the comparison target of the new packet is changed to the existing flow that has not been compared, and the comparison is continued. The comparison unit 3b2 determines that the new packet belongs to the existing flow when all the comparison results in the plurality of designated fields indicate coincidence.

  For this reason, it is possible to compare the data in the specified field in the order appropriate for the data in the header information of the observed packet, and search for the existing flow in the flow determination for determining whether the flow is an existing flow or a new flow. Accordingly, the number of comparisons of data in each field can be reduced.

  In the present embodiment, the comparison unit 3b2 sets a rank for each designated field based on data in the header information of the observed packet, and holds the rank for each designated field in the holding unit 3b1. Further, the comparison unit 3b2 newly sets the rank for each designated field based on the data in the header information of the packet observed during a certain period after the time when all the data in the storage unit 3a is transmitted to the external device. Then, the rank in the holding unit 3b1 is updated to the newly set rank.

  In this case, the rank can be updated based on the data in the header information of the observed packet. For this reason, it becomes possible to update an order | rank appropriately.

  In the present embodiment, the comparison unit 3b2 measures a different number for each designated field based on data in the header information of the observed packet used for setting or updating the rank in the holding unit 3b1, The ranking is set so that the ranking of the designated fields having a larger number among the designated fields becomes higher.

  Then, the comparison unit 3b2 compares the data in the storage unit 3a with the data in the header information of the new packet for each designated field in descending order of the order in the holding unit 3b1.

  In this case, it is possible to reduce the number of data comparisons and data searches.

  In this embodiment, the comparison unit 3b2 updates the rank in the holding unit 3b1 at the time of updating the data in the storage unit 3a, and updates the data in the storage unit 3a and the header information of the new packet. The data is compared for each designated field in the descending order of rank in the holding unit 3b1.

  In this case, since the order in the holding unit 3b1 is updated when the data in the storage unit 3a is updated, for example, the data structure in the storage unit 3a can be changed to a structure that allows easy comparison of data. It becomes possible. Therefore, it becomes possible to prevent the comparison of data from becoming difficult according to the update of the order for comparison.

  In the present embodiment, when the detection unit 3b3 detects that a change in traffic related to a new packet satisfies a predetermined condition, the comparison unit 3b2 newly sets a rank for comparison and sets the rank in the holding unit 3b1. , Update to the newly set rank.

  In this case, the order for comparison can be appropriately updated in accordance with the change in traffic.

  When the new packet does not belong to an existing flow, the comparison unit 3b2 determines that the new packet belongs to a new flow, and recognizes the sum of the number of existing flows and the number of new flows as the number of flow recognition As the predetermined condition, it is possible to use a condition that the change amount or change rate of the number of flow recognitions in a predetermined period exceeds a predetermined threshold value.

  In this case, the order for comparison can be appropriately updated according to the change in the number of flow recognitions.

  In the embodiment described above, the illustrated configuration is merely an example, and the present invention is not limited to the configuration.

It is the block diagram which showed the communication apparatus which is one Example of this invention. It is explanatory drawing which showed an example of the information hold | maintained at the holding | maintenance part 3b1. It is a flowchart for demonstrating operation | movement of a present Example.

Explanation of symbols

1 NIC
2 packet observation unit 3 flow information creation unit 3a flow information accumulation unit 3b new observation packet / existing flow comparison unit 3b1 different number holding unit 3b2 comparison unit 3b3 change detection unit 4 flow information transmission unit 100 transmission device

Claims (13)

A flow determination method in a communication device that determines whether a newly observed new packet belongs to an existing flow,
An accumulation step of accumulating data registered in each of a plurality of designated fields in the existing flow arbitrarily designated to define the existing flow in an accumulation unit;
A setting step for setting a rank for each of the designated fields based on data in header information of observed packets that have already been observed, and holding the rank for the designated fields in a holding unit;
A comparison step of comparing the data in the storage means and the data in the header information of the new packet according to the order in the holding means for each designated field;
If the comparison result indicates a mismatch when performing the comparison according to the rank, it is determined that the new packet does not belong to the existing flow, and the subsequent comparison of the new packet and the existing flow is performed. If the data of the existing flow that is not compared with the new packet exists in the storage means at that time, the comparison target of the new packet is changed to the data of the existing flow that is not compared, and the comparison is continued And a determination step of determining that the new packet belongs to the existing flow when all the comparison results in the plurality of designated fields indicate a match.   In the setting step, the rank is newly set for each of the designated fields based on the data in the header information of the packet observed in a certain period after the time when all the data in the storage unit is transmitted to the external device. The flow determination method according to claim 1, wherein the flow determination method is set and the rank in the holding unit is updated to the newly set rank. In the setting step, for each specified field, the number of different values appearing in the specified field is determined based on data in the header information of the observed packet used for setting or updating the rank in the holding unit. Measuring the number of different indications, and setting the rank so that the higher the rank of the specified field of the plurality of specified fields, the higher the rank,
3. The flow according to claim 2, wherein in the comparison step, the data in the storage unit and the data in the header information of the new packet are compared for each designated field in descending order of rank in the holding unit. Judgment method. In the setting step, the rank in the holding unit is updated at the time of updating the data in the storage unit,
In the comparing step, the updated data in the storage means and the data in the header information of the new packet are compared for each designated field in the descending order of the updated order in the holding means. Item 4. The flow determination method according to Item 2 or 3. A change detecting step for determining whether a change in traffic related to the new packet satisfies a predetermined condition;
In the setting step, when a change in traffic related to the new packet satisfies the predetermined condition, the rank is newly set, and the rank in the holding unit is updated to the newly set rank. The flow determination method according to any one of claims 2 to 4. In the determination step, if it is determined that the new packet does not belong to the existing flow, it is determined that the new packet belongs to a new flow, and the sum of the number of the existing flows and the number of the new flows is determined as flow recognition. As a number,
The flow determination method according to claim 5, wherein the predetermined condition is that a change amount or a change rate of the flow recognition number in a predetermined period exceeds a predetermined threshold. A communication device for determining whether a newly observed new packet belongs to an existing flow,
Storage means for storing data registered in each of a plurality of designated fields in the existing flow, arbitrarily specified to define the existing flow;
Holding means for holding the order set for each of the designated fields based on data in header information of observed packets that have already been observed;
The data in the storage means and the data in the header information of the new packet are compared according to the order in the holding means for each designated field, and the result of the comparison when the comparison is made in accordance with the order Indicates a mismatch, the new packet is determined not to belong to the existing flow, and the subsequent comparison of the new packet and the existing flow is stopped. If the data of the flow is present in the storage means, the comparison target of the new packet is changed to the data of the uncompared existing flow, and the comparison is continued. Comparing means for determining that the new packet belongs to the existing flow when the packet matches.   The comparing means sets the rank for each of the designated fields based on data in the header information of the observed packet, holds the rank for each designated field in the holding means, Based on the data in the header information of the packet observed during a certain period after all data is transmitted to an external device, a new rank is set for each of the designated fields, and the rank in the holding unit is The communication device according to claim 7, wherein the communication device is updated to a newly set order.   The comparison means calculates the number of occurrences of different values in the designated field for each designated field based on the data in the header information of the observed packet used for setting or updating the rank in the holding means. The number of different indications is measured, the rank is set so that the rank of the designated field having the larger number of different ones among the plurality of designated fields is higher, the data in the storage means, and the header information of the new packet The communication apparatus according to claim 8, wherein the data in each of the designated fields is compared in descending order of rank in the holding unit.   The comparison unit updates the rank in the holding unit at the time of updating the data in the storage unit, and the updated data in the storage unit and the data in the header information of the new packet, The communication device according to claim 8 or 9, wherein, for each of the designated fields, comparison is performed in descending order after updating in the holding unit. Change detection means for determining whether a change in traffic related to the new packet satisfies a predetermined condition;
The comparison unit newly sets the rank when the change in traffic related to the new packet satisfies the predetermined condition, and updates the rank in the holding unit to the newly set rank. The communication device according to any one of claims 8 to 10. If the comparing means determines that the new packet does not belong to the existing flow, the comparing means determines that the new packet belongs to the new flow, and determines the sum of the number of the existing flows and the number of the new flows as a flow recognition As a number,
The communication device according to claim 11, wherein the predetermined condition is that a change amount or a change rate of the flow recognition number in a predetermined period exceeds a predetermined threshold. A program for realizing the communication device according to any one of claims 7 to 12 by a computer,
The computer,
A program that functions as all means of the communication device.

Images