JP2011176586A - Packet sampling apparatus and method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To avoid such a problem that a specified flow only is continuously sampled in the packet sampling of an IP network. <P>SOLUTION: A packet sampling apparatus 1 includes: a hash value calculating unit 1b for obtaining a hash value with respect to information (a flow key) to specify the flow including at least the transmission source IP and transmission destination IP address of each packet, by each arrival packet; a sampling unit 1c for sampling the packets when the hash value obtained by the hash value calculating unit 1b is within a predetermined range (a sample section), thus detecting traffic which generates a large amount of small flows; and a sample section determining unit 1f for changing the sample section with a predetermined fixed period. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a technique for managing communication traffic in an IP (Internet Protocol) network, and more particularly to a technique suitable for efficiently monitoring the entire flow flowing through the entire network.

  With the increase in traffic on the Internet, which is an IP network, and the diversification of Internet usage patterns and applications, traffic measurement that supports the efficient operation of the network (NW) has become important.

  In particular, the importance of a mechanism that can detect the waste of NW resources that cause quality degradation and the traffic that causes security problems is increasing.

  For this purpose, attention has been paid to flow level traffic measurement, and application to abnormal traffic detection, heavy user identification, traffic engineering, etc. is being studied.

  Here, the flow is a “source IP address (srcIP), destination IP address (dstIP), source port number (srcPort), destination port number (dstPort), protocol number” as header information in the packet. It refers to a group of packets having the same set of five.

  However, in order to measure the communication quality of the flow from the user terminal (user flow communication quality), it is necessary to capture all the packets flowing through the line, analyze the packet header information, and analyze the flow information. As the speed increases, it has become difficult to capture and process all packets.

  Therefore, in recent years, attention has been paid to a technology that reduces the processing required for flow management by performing “packet sampling” that captures some packets instead of capturing all packets flowing through the line. . For example, Non-Patent Document 1 describes a technique for periodically referring (sampling) 1 packet to N packets and estimating the original flow statistical information from the flow analysis result of the sampled packets.

  Non-Patent Document 2 proposes a technique for specifying a long flow (a flow sending a lot of traffic) using packet sampling.

  Non-Patent Document 3 proposes a technique for accurately obtaining statistics of a flow having a large flow size.

  In these technologies, when packet sampling is performed, the majority of flows composed of a small number of packets are ignored, but long flows are used because the probability of being sampled is high. Packet sampling is suitable.

  However, as described in Non-Patent Documents 4 and 5, for example, abnormal traffic such as scanning is difficult to detect by packet sampling. This is because these abnormal traffic generates a large amount of small flows (flows composed of a small number of packets), so that individual flows are not easily sampled.

  As a technique for solving such a problem, for example, “flow sampling” described in Non-Patent Document 6 has attracted attention. Flow sampling is a set of five flows (source IP address (srcIP), destination IP address (dstIP), source port number (srcPort), destination port number (dstPort)) for each incoming packet. Protocol number) is input to the hash function as a key (flow key), and the packet is sampled only when the hash value is less than the threshold value, so that all flows are equal regardless of the flow size (number of packets). To be sampled. In this way, for example, it is possible to detect a host (communication device) that generates a large amount of small flows.

  However, in this flow sampling, only flows that match a specific condition such as when the hash value is less than the threshold value are sampled, so that a flow that does not match the condition continues to be unsampled.

  That is, there is a problem in that the flow that flows through the network cannot be monitored as a whole, and as a result, the flow that would otherwise need to be monitored may continue to be monitored without being sampled.

IETF Packet Sampling (psamp) Working Group, [Search February 10, 2010], Internet <URL: http://www.ietf.org/html.charters/psamp-charter.html>. T. Mori, T. Takine, J. Pan, R. Kawahara, M. Uchida, and S. Goto, "Identifying heavy-hitter flows from sampled flow statistics," IEICE Trans. Commun., Vol.E90-B, no .11, pp.3061-3072, Nov. 2007. C. Estan and G. Varghese, "New Directions in Traffic Measurement and Accounting," ACM SIGCOMM2002, Aug. 2002. R. Kawahara, K. Ishibashi, T. Mori, N. Kamiyama, S. Harada, and S. Asano, "Detection accuracy of network anomalies using sampled flow statistics," IEEE Globecom 2007, Nov. 2007. D. Brauckhoff, B. Tellenbach, A. Wagner, M. May, and A. Lakhina, "Impact of packet sampling on anomaly detection metrics," ACM SIGCOMM IMC, 2006. K. Keys, D. Moore, C. Estan, "A Robust System for Accurate Real-time Summaries of Internet Traffic," SIGMETRICS2005.

  The problem to be solved is that, with the conventional packet sampling technique, statistics of a flow with a large flow size (long flow) can be obtained with high accuracy, but a flow with a small flow size generated by abnormal traffic such as port scan ( (Small flows) are difficult to sample, and with the conventional flow sampling technology, it is possible to sample small flows, but only flows that match a specific condition, so flows that do not match that condition. Is the point that the state that is not sampled continues.

  An object of the present invention is to solve these problems of the prior art and to make it possible to efficiently monitor a flow that flows through the entire network by setting both a long flow and a small flow as sampling targets.

  In order to achieve the above object, in the present invention, for each packet, information (flow key) for identifying the flow including at least the transmission source IP and the transmission destination IP address of the packet, for example, the transmission source IP address ( srcIP), destination IP address (dstIP), source port number (srcPort), destination port number (dstPort), a hash value for a flow key consisting of five pairs of protocol numbers is obtained, and the obtained hash value is determined in advance. By sampling the packet within a given range (sample interval), it is possible to detect traffic that generates a large amount of small flows, and by changing the sample interval at a predetermined period T, Avoid problems where only certain flows continue to be sampled.

  According to the present invention, it is possible to detect anomalous traffic that generates a large amount of small flows by sampling a hash value for a flow key for each packet, and to change a sample interval periodically, or to perform random sampling By using together, it becomes possible to monitor the entire flow flowing through the entire network without sampling biased to only a part of the specified flows.

It is a block diagram which shows the structural example of the network which provided the packet sampling apparatus which concerns on this invention. It is a block diagram which shows the structural example of the packet sampling apparatus in FIG. It is a flowchart which shows the processing operation example which concerns on this invention of the packet sampling apparatus in FIG.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings. In FIG. 1, reference numeral 1 denotes a packet sampling apparatus according to the present invention, and reference numerals 2 and 3 denote communication nodes (denoted as “nodes” in the figure) constituting an IP network.

  The packet sampling device 1 has a computer configuration including a CPU (Central Processing Unit), a main memory, a display device, an input device, an external storage device, and the like, and is recorded on a storage medium such as a CD-ROM via an optical disk drive device or the like. After the installed program and data are installed in the external storage device, they are read from the external storage device into the main memory and processed by the CPU, thereby executing the functions of the respective processing units.

  That is, as shown in FIG. 2, the packet sampling device 1 has a packet counting unit 1a, a hash value calculation unit 1b, a sampling unit 1c, a packet storage unit 1d, and a specific flow management unit as means for executing programmed computer processing. 1e and a sample interval determination unit 1f.

  With such a computer configuration, the packet sampling apparatus 1 of this example obtains a hash value for information (flow key) that identifies the flow including at least the transmission source IP and the transmission destination IP address of the packet for each packet, If the obtained hash value is in a predetermined range (sample interval), the packet is sampled, and the traffic is detected in large quantities by generating a small flow by changing the sample interval at a predetermined constant period T. And avoiding the problem that only certain flows continue to be sampled.

  Details of the sampling processing operation by the packet sampling apparatus 1 will be described below as first to fifth embodiments. In this example, the flow key includes five source IP addresses (srcIP), destination IP address (dstIP), source port number (srcPort), destination port number (dstPort), and protocol number. Is used.

  <First embodiment>

  With the computer configuration shown in FIG. 2, the packet sampling apparatus 1 of this example first counts up a counter C (not shown) every time a packet arrives in the packet counting unit 1a.

  Then, in the hash value calculation unit 1b, for each packet x that arrives, “source IP address (srcIP), destination IP address (dstIP), source port number (srcPort), destination port number (dstPort) of the packet. ), Protocol (Protocol) ", and the read flow key x is input to the hash function. It is assumed that the hash function returns a hash value within the range of size b.

  Then, the hash value calculation unit 1b calculates a value “h (x) / b” obtained by dividing the hash value h (x) returned by the hash function by the size b, and the sampling unit calculates the calculated value and the packet. Transfer to 1c.

  The sampling unit 1c determines whether or not the value calculated by the hash value calculation unit 1b is within a range (sample interval) determined in advance by the sample interval determination unit 1f. The packet is simply transferred to the subsequent node, and if it is within the sample period, the packet is transferred to the subsequent node, and the packet is sampled and transferred to the packet storage unit 1d.

  The packet accumulating unit 1d stores the packet in a storage device (not shown).

  In this way, by sampling packets based on the hash value of the flow key (flow sampling) and collecting the sampled packets, it becomes possible to detect traffic that generates a large amount of small flows.

  However, the technique so far is similar to the technique described in Non-Patent Document 6 described above, and there is a problem that only a specific flow continues to be sampled.

  In order to cope with this problem, in the packet sampling apparatus 1 of the present example, the sample interval determined by the sample interval determination unit 1f is changed every predetermined constant period T measured by a timer function (not shown).

  In this example, the sample interval determination unit 1f determines the sample interval as [t, t + W], where t and W are “0 <= t <= 1, 0 <= t + W”. <= 1, W> 0 ”. Note that t is a parameter that is updated every certain period T as will be described later, and the initial value is 0. W is set to W = p using a predetermined target packet sampling rate p.

  Then, the sample interval determination unit 1f updates the value of t as “t ← t + δ” after the elapse of a certain period T. δ is a predetermined parameter, and “0 <δ <= W” is assumed.

  However, if “t + W” exceeds 1, the sample interval determination unit 1f sets the sample interval to “[t, 1] ∨ [0, t + W-1]”, and at the next update, Update “t ← t + W-1 + δ” and update the sample interval to [t, t + W].

  In this way, the sample interval determination unit 1f has a problem that only a specific flow continues to be sampled by changing the range of hash values to be sampled by the sampling unit 1c, that is, the sample interval, every fixed period T. It can be avoided.

  Next, a second embodiment of the sampling processing operation by the packet sampling apparatus 1 of the present example having the computer configuration shown in FIG. 2 will be described.

  <Second embodiment>

  In this example, when the packet sampling in the first embodiment described above is performed every fixed period T, and there is a flow that satisfies a predetermined specific condition for the flows sampled during the period T. Changes / sets the packet sample interval in the next period so as to include the hash value h (x) for the flow key x.

  That is, the packet sampling apparatus 1 having a computer configuration shown in FIG. 2 counts up the number of packets associated with the flow ID in the specific flow management unit 1e in association with the flow ID for the sampled by the sampling unit 1c. A flow in which the counted number of packets exceeds a predetermined threshold is specified, and the flow ID of the specific flow is notified to the sample section determination unit 1f.

  In this way, when there is a notification of the flow exceeding the threshold value from the specific flow management unit 1e, the sample interval determination unit 1f checks the hash value for the flow ID, and the hash is included in the current sample interval. Whether the value is included is checked (discriminated), and if not included, the sample interval is changed so that the hash value is included.

  For example, when there are M specific flows (M> 1), a plurality of sample sections are included so that the sample section includes the hash value of the key “x_i (i = 1,..., M)” of the specific flow. Set separately.

  Specifically, assuming that the current sample interval is [0.1, 0.2], m hash values of M specific flows are not included in [0.1, 0.2], and those hash values are [0.5, 0.55]. Is included, the sample interval is changed from [0.1, 0.2] to {[0.1, 0.15], [0.5, 0.55]}.

  In this way, the specific flow is continuously sampled as a flow to be continuously monitored.

  As described above, other techniques for continuously monitoring a specific flow together with the packet sampling in the first embodiment will be described as third to fifth embodiments.

  <Third embodiment>

  In this example, the packet sampling in the first embodiment described above is performed every fixed period T, and there is a flow that satisfies a predetermined specific condition for a flow sampled during a predetermined period. In this case, the packet sampling section is changed / set in the next cycle so as to include the hash value h (x) for the flow key x. The packet sampling apparatus 1 in FIG. Perform the process.

  The sampling unit 1c is in parallel with the sampling based on the hash value in the first embodiment described above, every time the value of the counter C counted up by the packet counting unit 1a is a multiple of a predetermined value N. The packet is transferred to the subsequent node, and sampled and transferred to the packet storage unit 1d and the specific flow management unit 1e.

  Thereafter, in the same manner as in the second embodiment described above, the specific flow management unit 1e counts up the number of packets associated with the flow ID with respect to the packets sampled by the sampling unit 1c, and counts up every period T. The flow whose number of packets exceeds a predetermined threshold is specified, the flow ID of the specific flow is notified to the sample section determination unit 1f, and the sample section determination unit 1f includes a hash value for the flow ID. Change the sample interval.

  <Fourth embodiment>

  In this example, the packet sampling in the first embodiment described above is performed every fixed period T, and there is a flow that satisfies a predetermined specific condition for a flow sampled during a predetermined period. In this case, the packet sampling section is changed / set in the next cycle so as to include the hash value h (x) for the flow key x. The packet sampling apparatus 1 in FIG. Perform the process.

  In parallel with the sampling based on the hash value in the first embodiment, the sampling unit 1c generates a random number in the range of 0 to 1 for each packet arrival, and the result is the reciprocal of a predetermined value N. If it is (1 / N) or less, the packet is transferred to the packet storage unit 1d and the specific flow management unit 1e together with the subsequent node.

  Thereafter, as in the second and third embodiments described above, the specific flow management unit 1e counts up the number of packets associated with the flow ID with respect to the packets sampled by the sampling unit 1c. The flow in which the number of counted up packets exceeds a predetermined threshold is specified, the flow ID of the specific flow is notified to the sample section determining unit 1f, and the sample section determining unit 1f includes a hash value for the flow ID. Thus, the sample interval is changed.

  <Fifth embodiment>

  In this example, instead of setting a flow whose number of sample packets exceeds a threshold value as a flow to be specified, a sampling interval is set as a flow whose quality is deteriorated.

  Specifically, using the packets accumulated in the packet accumulating unit 1d, the values representing the quality state of each flow are set to the above-mentioned Non-Patent Document 6 or the publicly known document 1 (Kawahara, Ishibashi, Mori, Kamiyama, Hasegawa, “Flow Quality Estimation Method Using Flow Sampling,” Society of Society Society Conference, September 2009) and Public Reference 2 (Kobayashi, Ishibashi, Nishida, “Proposal of Large-scale VoIP Traffic Quality Measurement Method Using Selective sFlow” , ”IEICE Technical Report, vol. 107, no. 311, NS2007-95, pp. 7-12, November 2007), etc. If the quality degradation condition is checked (determined) and a flow in the quality degradation state is detected, the flow ID is notified to the sample section determination unit 1f.

  Thereafter, in the same manner as in the second to fourth embodiments described above, the sample interval determination unit 1f changes the sample interval so as to include the hash value for the flow ID.

  Note that the above-described known documents 1 and 2 describe a technique for estimating the flow round-trip propagation delay time and the packet loss rate as a technique for grasping the flow quality from the sample information.

  In this technology, the SYN-SYNACK response time is extracted from the sampled packets by extracting the SYNACK for the SYN packet of the TCP flow of interest and the ACK for the SYNACK response and calculating it using the observation time information of each packet. And the SYNACK-ACK response time, and the sum of them is calculated as the round-trip propagation delay time.

  Also, in the above-mentioned publicly known document 2, VoIP traffic is extracted, and the VoIP quality is estimated by analyzing the arrival interval of RTP packets for each session. Specifically, the fact that there is a correlation between the dispersion of arrival intervals and voice quality is used.

  Further, as a technique for detecting quality degradation using TCP throughput as a quality, for example, publicly known document 3 (R. Kawahara, T. Mori, K. Ishibashi, N. Kamiyama, and H. Yoshino, “Packet sampling TCP flow rate estimation and performance degradation detection method, "IEICE Trans. Commun., Vol.E91-B, No.5, pp.1309-1319, May 2008.). In this technique, among packets sampled from the same flow, the sequence number SN_l of the last sampled packet and its time T_l, the sequence number SN_f of the first packet and its time T_f are used to calculate the throughput (SN_l-SN_f ) / (T_l-T_f).

  By using these techniques, the flow to be sampled is specified in the next period while grasping the quality of each flow. In other words, a flow whose quality estimated from the sample packet information is deteriorated from a predetermined target value is regarded as a specific flow, and sampling for the flow is continued.

  Next, the processing operation of the packet sampling apparatus in FIG. 2 will be described with reference to FIG.

  First, every time a packet arrives (step S301), the packet counter 1a counts up a counter C (not shown) (step S302).

  Next, in the hash value calculation unit 1b, for each packet x that arrives, “source IP address (srcIP), destination IP address (dstIP), source port number (srcPort), destination port number ( dstPort), protocol (Protocol) "is read, the read flow key x is input to the hash function, and the hash value h (x) returned by this hash function is divided by the size b" h ( x) / b ", and the calculated value and the packet are transferred to the sampling unit 1c (step S303).

  The sampling unit 1c determines whether or not the value calculated by the hash value calculation unit 1b is within a range (sample interval) determined in advance by the sample interval determination unit 1f (step S304). Otherwise, the packet is simply transferred to the subsequent node, and if it is within the sample interval, the packet is transferred to the subsequent node, and the packet is sampled and transferred to the packet storage unit 1d (step S306). The packet storage unit 1d stores the packet in a storage device.

  In the sampling unit 1c, in parallel with the sampling based on the hash value, every time the value of the counter C counted up by the packet counting unit 1a is a multiple of a predetermined value N (step S305). The packet is sampled and transferred to the packet accumulating unit 1d and the specific flow management unit 1e (step S306), and the specific flow management unit 1e counts the number of packets sampled for each flow (step S307). If this count value exceeds a predetermined threshold value, the sample interval is notified so that the flow ID of the flow is notified to the sample interval determination unit 1f, and the flow is also sampled by sampling based on the hash value. To change.

  As described above with reference to FIGS. 1 to 3, the packet sampling apparatus 1 of the present example includes the hash value calculation unit 1b, the sampling unit 1c, and the sample interval determination 1f as functions for executing programmed computer processing. In the hash value calculation unit 1b, for each arrived packet, the source IP address (srcIP), destination IP address (dstIP), source port number (srcPort), destination port number (dstPort) of the packet , A hash value for a flow key consisting of five sets of protocol numbers is obtained, and the sampling unit 1c samples the packet if the hash value obtained by the hash value calculation unit 1b is within a predetermined range (sample interval). In the sample section determination unit 1f, the sample section is changed at a predetermined constant period.

  In particular, the hash value calculation unit 1b inputs the flow key to the hash function h (x), acquires the hash value within the range of the size b, and divides the acquired value of the hash function h (x) by the size b. Value h (x) / b, and the calculated value is the sample interval [t, t + W] (where t is 0 <= t <= 1 and initial value 0, W is a predetermined target packet sampling If the rate p is set as W = p> 0 and 0 <= t + W <= 1), the packet is sampled, and the sampling unit 1c samples for a predetermined period T. Packet sampling is performed in the interval [t, t + W], and the sample interval determination unit 1f sets the value of t to “t ← t + δ” (δ is a predetermined parameter, and 0 <δ < = W), and with this update, if “t + W” exceeds 1, the sample interval is set to “[t, 1] ∨ [0, t + W-1]” and the next update Occasionally t is updated to “t ← t + W-1 + δ” Te, to update the sample interval in [t, t + W].

  In this way, by performing flow sampling, it becomes possible to detect traffic that generates a large amount of small flows, and by changing the range (sample interval) of hash values to be sampled at specific intervals, The problem that only the flow continues to be sampled can be avoided.

  Further, the specific flow management unit 1e is provided as a function for executing programmed computer processing. In the specific flow management unit 1e, this sampling unit 1c is performed in parallel with the packet sampling for every fixed period T by the sampling unit 1c. The flow that satisfies a predetermined condition among the flows sampled during a certain period T is specified, and the sample section determination unit 1f includes a hash value for the flow key of the flow specified by the specific flow management unit 1e. In this way, the sample interval is set at the next period.

  For example, when there are M flows identified by the specific flow management unit 1e (M> 1), the sample section determination unit 1f selects the sample section as a flow key x_i (i = 1,..., M) of the specific flow. The sample interval is divided and set so as to include the hash value.

  Further, the specific flow management unit 1e specifies a flow in which the number of packets sampled by the sampling unit 1c exceeds a predetermined threshold as a specific flow.

  By doing so, the flow to be continuously monitored is continuously sampled.

  In addition, as a function of executing programmed computer processing, a packet counting unit 1a is provided. The packet counting unit 1a counts up each time a packet arrives, and the sampling unit 1c Each time the count-up value becomes a predetermined value, the flow key of the packet is notified to the specific flow management unit 1e, and the specific flow management unit 1e determines that the number of packets of the flow key notified from the sampling unit 1c is When a predetermined threshold value is exceeded, the flow is specified as a specific flow.

  In this way, by using a technique that randomly samples one packet per N, it becomes easier to sample flows that send many packets, so identify flows that have a large impact on such networks. can do.

  In addition, the specific flow management unit 1e measures the quality of the packet sampled by the sampling unit 1c, and identifies a flow whose measured quality is deteriorated from a predetermined target value as a specific flow. Thereby, it is possible to identify the flow to be sampled even in the next period while grasping the quality.

  As described above, in the packet sampling apparatus 1 of this example, by detecting the hash value for the flow key for each packet, it is possible to detect abnormal traffic that generates a large amount of small flows and to change the sample period periodically. By doing so, it is possible to monitor the flow flowing through the entire network without sampling biased to only a part of the specified flows.

  In addition, this invention is not limited to the example demonstrated using FIGS. 1-3, In the range which does not deviate from the summary, various changes are possible. For example, in the present example, the first to fifth examples have been described as individual techniques, but a configuration in which the techniques of the examples are arbitrarily combined may be employed. For example, a configuration in which the technique for specifying the flow in the third embodiment and the technique for specifying the flow in the fourth embodiment are both implemented may be employed.

  Further, in this example, as shown in FIG. 1, the packet sampling device 1 is provided between the nodes 2 and 3, and the packet on the link between the nodes 2 and 3 is sampled. For example, a configuration may be adopted in which a packet transferred on the link via the node 2 is captured.

  Further, in this example, the flow key includes five source IP addresses (srcIP), destination IP address (dstIP), source port number (srcPort), destination port number (dstPort), and protocol number. Is used, but the source IP address (srcIP) and destination IP address (dstIP), or the source IP address (srcIP) and destination IP address (dstIP) and protocol number Information including at least the transmission source IP address (srcIP) and the transmission destination IP address (dstIP), such as a set of three, may be used as a flow key for specifying the flow.

  The computer configuration of this example may be a computer configuration without a keyboard or optical disk drive. In this example, a CD is exemplified as the recording medium, but a DVD, an FD, or the like may be used as the recording medium. As for the program installation, the program may be downloaded and installed via a network via a communication device.

  1: packet sampling device, 1a: packet count unit, 1b: hash value calculation unit, 1c: sampling unit, 1d: packet storage unit, 1e: specific flow management unit, 1f: sample interval determination unit, 2, 3: communication node ("node").

Claims (17)

A packet sampling device for sampling packets passing through a link in an IP network by programmed computer processing,
A hash value calculation means for obtaining a hash value for information (flow key) for identifying the flow including at least the transmission source IP address and the transmission destination IP address of the packet for each arrived packet;
Sampling means for sampling the packet if the hash value obtained by the hash value calculation means is in a predetermined range (sample interval);
A packet sampling apparatus comprising: a sample interval determining means for changing the sample interval at a predetermined fixed period. The packet sampling device according to claim 1,
The hash value calculation means
Input the above flow key into the hash function, get the hash value within the range of the array size, calculate the value obtained by dividing the value of the acquired hash function by the array size,
The sampling means is
If the value calculated by the hash value calculation means is within the sample interval for a predetermined period, the packet is sampled,
The sample interval determining means is
After the fixed period has elapsed, the value of t in the sample interval [t, t + W] is updated to “t ← t + δ” (δ is a predetermined parameter, 0 <δ <= W). When “t + W” exceeds 1, the sample interval is “[t, 1] ∨ [0, (t + W) -1]”, and the value of t is changed to “t ←” at the next update. A packet sampling apparatus, wherein the sampling interval is updated to [t, t + W] by updating to “t + W−1 + δ”. The packet sampling device according to claim 1 or 2, wherein
In parallel with the packet sampling at regular intervals by the sampling means,
A specific flow management means for specifying a flow satisfying a predetermined condition among the flows sampled during the predetermined period by the sampling means;
The sample interval determining means is
The packet flow sampling apparatus, wherein the sample interval is set in the next cycle so as to include a hash value for the flow key of the flow specified by the specific flow management means. The packet sampling device according to claim 3, wherein
If there are multiple flows specified by the specified flow management means,
The packet sampling apparatus, wherein the sample section determining means sets the sample section in a plurality of sections so that the sample sections include hash values of flow keys of the plurality of specific flows. The packet sampling device according to claim 3 or 4, wherein:
The specific flow management means is
A packet sampling apparatus, wherein a flow in which the number of packets sampled by the sampling means exceeds a predetermined threshold is specified as the specific flow. The packet sampling device according to any one of claims 3 to 5,
A packet counting means for counting up each time a packet arrives;
The sampling means is
Each time the count-up value of the packet count means becomes a predetermined value, the flow key of the packet is notified to the specific flow management means,
The specific flow management means is:
A packet sampling device, wherein when the number of flow key packets notified from the sampling means exceeds a predetermined threshold, the flow is specified as the specific flow. The packet sampling device according to any one of claims 3 to 6,
The specific flow management means is
The sampling means comprises means for measuring the quality of the sampled packet;
A packet sampling apparatus characterized in that a flow in which the measured quality is deteriorated from a predetermined target value is specified as the specific flow. The packet sampling device according to any one of claims 1 to 7,
2. The packet sampling apparatus according to claim 1, wherein the flow key includes five sets of a transmission source IP address, a transmission destination IP address, a transmission source port number, a transmission destination port number, and a protocol number of the packet.   The program for functioning a computer as each means in the packet sampling apparatus in any one of Claims 1-8. A packet sampling method for sampling a packet passing through a link in an IP network by a computer device,
The computer apparatus includes a hash value calculation means, a sampling means, and a sample section determination means as means for executing programmed computer processing,
The hash value calculation means obtains a hash value for information (flow key) specifying the flow including at least the transmission source IP and the transmission destination IP address of the packet for each packet that arrives,
The sampling means samples the packet if the hash value obtained by the hash value calculation means is a predetermined range (sample interval),
The packet sampling method, wherein the sample interval determining means changes the sample interval at a predetermined fixed period. The packet sampling method according to claim 10, comprising:
The hash value calculation means
Input the above flow key into the hash function, get the hash value within the range of the array size, calculate the value obtained by dividing the value of the acquired hash function by the array size,
The sampling means is
If the value calculated by the hash value calculation means is within the sample interval for a predetermined period, the packet is sampled,
The sample interval determining means is
After the fixed period has elapsed, the value of t in the sample interval [t, t + W] is updated to “t ← t + δ” (δ is a predetermined parameter, 0 <δ <= W). If “t + W” exceeds 1, the sample interval is “[t, 1] ∨ [0, t + W-1]”, and the value of t is changed to “t ← t + A packet sampling method, wherein the sampling interval is updated to [t, t + W] by updating to “W-1 + δ”. A packet sampling method according to claim 10 or claim 11, comprising:
The computer apparatus includes specific flow management means as means for executing programmed computer processing,
The specific flow management means is:
In parallel with the packet sampling at regular intervals by the sampling means,
Among the flows sampled during the fixed period by the sampling means, a flow that satisfies a predetermined condition is specified,
The sample interval determining means is
A packet flow sampling method, wherein the sample interval is set in the next cycle so as to include a hash value for a flow key of a flow specified by the specific flow management means. The packet sampling method according to claim 12, comprising:
If there are multiple flows specified by the specified flow management means,
The packet sampling method characterized in that the sample interval determining means sets the sample interval in a plurality of divisions so as to include the hash values of the flow keys of the plurality of specific flows. A packet sampling method according to claim 12 or claim 13, comprising:
The specific flow management means is
A packet sampling method characterized in that a flow in which the number of packets sampled by the sampling means exceeds a predetermined threshold is specified as the specific flow. The packet sampling method according to any one of claims 12 to 14,
The computer apparatus comprises a packet counting means as means for executing programmed computer processing,
The packet counting means includes:
Every time a packet arrives, it counts up,
The sampling means is
Each time the count-up value of the packet count means becomes a predetermined value, the flow key of the packet is notified to the specific flow management means,
The specific flow management means is:
A packet sampling method characterized in that, when the number of flow key packets notified from the sampling means exceeds a predetermined threshold, the flow is specified as the specific flow. The packet sampling method according to any one of claims 12 to 15,
The specific flow management means is
Measure the quality of the packet sampled by the sampling means,
A packet sampling method, wherein a flow in which the measured quality is deteriorated from a predetermined target value is specified as the specific flow. The packet sampling method according to any one of claims 10 to 16, comprising:
2. The packet sampling method according to claim 1, wherein the flow key is composed of five sets of a transmission source IP address, a transmission destination IP address, a transmission source port number, a transmission destination port number, and a protocol number of the packet.

Images