JP2014187534A - Information processing device, information processing method, information processing program and information processing system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To identify an application of a tunnel establishment factor.SOLUTION: In an information processing device, having a processor and a memory and capturing a packet flowing a network at a predetermined position in the network, the processor decides whether or not the captured packet is a user packet that first flows through a tunnel by a predetermined tunneling protocol. In the captured packet is a user packet that first flows through the tunnel, the processor identifies the application of the tunnel establishment factor from the captured packet.

Description

  The present invention relates to an information processing apparatus, an information processing method, an information processing program, and an information processing system for performing network monitoring.

  FIG. 1 is a diagram illustrating a configuration example of a wireless communication network system. A wireless communication network system 500 shown in FIG. 1 is a network for communication of mobile terminals. The wireless communication network system 500 includes a wireless network 510, a wireless access network 520, and a packet switched core network 530. A mobile terminal (User Equipment) 10 exists in the wireless network 510. A radio base station (Base Transceiver Station) 20 exists at the boundary between the radio network 510 and the radio access network 520. A radio network controller (Radio Network Controller) 30 exists above the radio base station 20. A packet switching core network 530 exists above the radio access network 520, and a plurality of subscriber packet switches 40 and a plurality of relay packet switches 50 exist in the packet switching core network 530. The Internet and an application server 80 are connected to the packet switching core network.

When the mobile terminal 10 connects to the Internet or the application server 80, the mobile terminal 10 passes through the radio base station 20, the radio network controller 30, the subscriber packet switch 40, and the relay packet switch 50. At this time, a tunnel is formed between the radio network controller 30 and the relay packet switch 50, and the tunnel is used for data transfer between the mobile terminal 10 and the Internet and the application server 80. An example of a tunneling protocol that forms the tunnel is GTP (General Packet Radio Service (GPRS) Tunneling Protocol). Further, the wireless network control device 30 and the relay packet switch 5
For example, a GTP-U (GTP for User Plane) tunnel is a tunnel formed with zero. A GTP-U tunnel is formed for each user.

  FIG. 2 is a diagram illustrating an example of a control plane and user plane packet in a wireless communication network. In FIG. 2, a portion between the wireless network control device 30 and the Web service gateway 70 is extracted from the wireless communication network system 500 illustrated in FIG. 1. In FIG. 2, the control plane is represented as C-Plane, and the user plane is represented as U-Plane.

The GTP control plane control protocol is the GTP-C (GTP for Control plane) protocol, and the user plane control protocol is the GTP-U protocol. In a network in which GTP is used, a control signal for tunnel establishment by GTP-C is exchanged between the subscriber packet switch 40 and the relay packet switch 50 in the control plane. As a result, a GTP-U tunnel is established in the user plane.

In the control plane, GTP-C control packets are exchanged between the subscriber packet switch 40 and the relay packet switch 50, and information for establishing a GTP-U tunnel is exchanged. Further, between the subscriber packet switch 40 of the control plane and the radio network controller 30, for example, RANAP (Radio Access Network Application Part)
Control packets are exchanged, and information for opening a GTP-U tunnel is exchanged.

Within the GTP-U tunnel of the data plane, that is, between the radio network controller 30 and the relay packet switch 50, user data of various applications such as HTTP (Hypertext Transfer Protocol) is encapsulated by GTP-U. Transferred. User data of one mobile terminal 10 flows through one GTP-U tunnel. Further, data of a plurality of applications of one mobile terminal 10 flows in one GTP-U tunnel. User data is also called a user packet.

  The network devices located at both ends of the tunnel are burdened with preparation processing for tunnel establishment, control packet waiting, message timeout monitoring processing, and encapsulation processing. When a tunnel is established, control packets are exchanged between network devices in the control plane for tunnel maintenance and management, and bandwidth is consumed even when there is no user data communication for tunnel maintenance. Therefore, the process of opening and maintaining the tunnel is one of the processes with a high load on the network device.

  In order to save bandwidth, the GTP-U tunnel is often set by a network administrator so that it is deleted when user data communication times out without being performed for a predetermined time. On the other hand, an application used in a smartphone that is an example of the mobile terminal 10 includes an application that starts in the background and performs communication at a predetermined cycle. For example, if the communication interval of the application is shorter than the tunnel deletion timer, the tunnel will continue to be maintained while the application is activated. Further, for example, when the communication interval of the application is longer than the tunnel deletion timer, the tunnel is established at the communication interval of the application, and there is a possibility that the tunnel is frequently established.

  Therefore, communication by an application that performs communication at a predetermined cycle may be one of the load factors of the network. For stable network maintenance, it is desirable to identify an application that causes a tunnel opening and to grasp the load status for each application.

JP-A-7-231317 JP 2002-261799 A

  However, in order to grasp the load status for each application, there are the following problems.

In the carrier network, network monitoring is performed for stable network maintenance. Network monitoring is performed, for example, by placing a signal branching device called TAP (Test Access Point) at a predetermined position where traffic is to be monitored, and analyzing the branch signal with a network probe.

  When grasping the load related to the establishment and maintenance of the tunnel, for example, the TAP is placed at any position on the tunnel path between the subscriber packet switch 40 and the relay packet switch 50 (point P1 in FIG. 1). Is placed.

FIG. 3 is a diagram showing fields included in the header part of GTP-C and information arranged in each field. FIG. 4 is a diagram showing fields included in the payload part of GTP-C at the time of a line connection request and information arranged in each field. FIG. 5 is a diagram showing fields included in the payload portion of GTP-C at the time of line connection response and information arranged in each field. FIG. 6 is a diagram showing fields included in the header part of GTP-U and information arranged in each field.

  For example, the GTP packet captured at the point P1 shown in FIG. 1 has the information shown in any of FIGS. As shown in FIG. 3 to FIG. 6, the information of the GTP-C protocol and the GTP-U protocol does not include information that can identify the application. On the other hand, it is possible to specify an application from user data encapsulated by the GTP-U protocol by performing decapsulation. However, since the GTP-U tunnel is shared by a plurality of applications of the same mobile terminal 10, it is impossible to specify which application has caused the tunnel opening. Therefore, it is not possible to specify an application that becomes a tunnel opening factor from GTP-C and GTP-U packets passing through the GTP-U tunnel.

  Further, for example, when the packet is captured outside the GTP-U tunnel as in the point P2 shown in FIG. 2, the GTP information is not given to the packet. Therefore, even if an application can be specified from the captured packet, it cannot be determined whether or not the application is an application that causes a tunnel to be established.

  Therefore, the application of the control signal for each application, which becomes a load factor of the network, cannot be properly predicted because the application that becomes the cause of opening the tunnel cannot be specified. As a result, a communication failure may occur when a load exceeding the load assumed at the time of design occurs.

  An object of one embodiment of the present invention is to provide an information processing apparatus, an information processing method, an information processing program, and an information processing system that can identify an application that causes a tunnel to be established.

One aspect of the present invention is:
A processor and memory;
An information processing apparatus that captures a packet flowing through the network at a predetermined position in the network,
The processor is
Determining whether the captured packet is a user packet that first flows in a tunnel according to a predetermined tunneling protocol;
When the captured packet is a user packet that first flows in the tunnel, an application that is a factor for opening the tunnel is identified from the captured packet.
Information processing apparatus.

  Another aspect of the present invention is an information processing method in which the above-described information processing apparatus executes the above-described processing. Another aspect of the present invention can include a program that causes a computer to function as the information processing apparatus described above, and a computer-readable recording medium that records the program. The computer-readable recording medium refers to a recording medium in which information such as data and programs is accumulated by electrical, magnetic, optical, mechanical, or chemical action and can be read from the computer or the like.

  According to the information processing apparatus, the information processing method, the information processing program, and the information processing system of the disclosure, it is possible to specify an application that is a factor for opening a tunnel.

It is a figure which shows the structural example of a radio | wireless communication network system. It is a figure which shows an example of the packet of the control plane and user plane in a radio | wireless communication network. It is a figure which shows the field contained in the header part of GTP-C, and the information distribute | arranged to each field. It is a figure which shows the field contained in the payload part of GTP-C at the time of a line connection request | requirement, and the information distribute | arranged to each field. It is a figure which shows the field contained in the payload part of GTP-C at the time of a line connection response, and the information distribute | arranged to each field. It is a figure which shows the field contained in the header part of GTP-U, and the information distribute | arranged to each field. It is a figure for demonstrating the method of specifying the application used as the tunnel opening factor in 1st Embodiment. It is a figure which shows an example of the sequence until GTP-U tunnel establishment. It is a figure which shows the structural example of a quality monitoring system. It is a figure which shows an example of the hardware constitutions of a probe apparatus. It is a figure which shows an example of the functional block of the probe apparatus in 1st Embodiment. It is a figure which shows the identification means of an application identification non-target packet, and a specific example. It is a figure which shows the initial state of an example of an internal holding table. It is an example of an internal holding table in which information is stored after the probe apparatus captures a CREATE PDP CONTEXT REQUEST message that is a tunnel opening request addressed from the originating apparatus A to the terminating apparatus B. It is an example of an internal holding table in which information is stored after the probe device captures a CREATE PDP CONTEXT RESPONSE message that is a response to a request for opening a tunnel addressed from a receiving device B to a calling device A . It is an example of the internal holding table after the packet which flows through a tunnel is detected. It is a figure which shows an example of application identification information. It is a figure which shows an example of the information produced | generated by the application identification part. It is a figure which shows an example of the quality data produced | generated by the period totaling part. It is an example of the flowchart of the packet analysis process of the probe apparatus in 1st Embodiment. It is an example of the flowchart of the packet analysis process of the probe apparatus in 1st Embodiment. It is an example of the flowchart of the totaling process of the information of the packet performed periodically. It is a figure which shows an example of the functional block of a manager apparatus. It is an example of the flowchart of the information total process of a manager apparatus. It is a figure which shows an example of the flowchart of a display process of quality information or alarm information. It is one of the display examples of quality information. It is one of the display examples of quality information. It is one of the display examples of quality information. It is one of the display examples of quality information. It is a figure for demonstrating the method of specifying the application used as the tunnel opening factor of 2nd Embodiment. It is an example of the flowchart of the packet analysis process of the probe apparatus in 2nd Embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. The configuration of the following embodiment is an exemplification, and the present invention is not limited to the configuration of the embodiment.

<First Embodiment>
FIG. 7 is a diagram for explaining a method of identifying an application that becomes a tunnel opening factor in the first embodiment. There is a high possibility that the packet group that flows through the GTP-U tunnel immediately after the GTP-U tunnel is established is a packet group that is transmitted by an application that is a cause of establishment of the GTP-U tunnel. For example, in the example shown in FIG. 7, if a packet group flows through the GTP-U tunnel in the order of application 1 and application 2 after the GTP-U tunnel is opened, Is considered to be an application.

  Therefore, in the first embodiment, an application that transmits a packet group that flows through the GTP-U tunnel immediately after the establishment of the GTP-U tunnel is specified as an application that causes the establishment of the GTP-U tunnel. In order to identify the application that is the cause of opening the GTP-U tunnel, first, the opening of the GTP-U tunnel is detected in the first embodiment.

  FIG. 8 is a diagram illustrating an example of a sequence until the GTP-U tunnel is established. In FIG. 8, the mobile terminal 10, the subscriber packet switch 40, and the relay packet switch 50 are extracted from the wireless communication network system 500 shown in FIG.

  In OP1, the mobile terminal 10 transmits a line connection request. In OP2, the subscriber packet switch 40 receives the line connection request from the mobile terminal 10, and in order to open a GTP-U tunnel according to the line connection request, the subscriber packet switch 40 sends a relay packet switch 50 to the end of the tunnel. A GTP-C message requesting tunnel establishment is transmitted. The GTP-C message transmitted at this time is “CREATE PDP CONTEXT REQUEST”.

  In OP3, the relay packet switch 50 serving as the end of the GTP-U tunnel receives the GTP-C message requesting the tunnel opening, and transmits a GTP-C message in response to this request to the subscriber packet switch 40. By exchanging GTP-C messages between OP2 and OP3, TEID (Tunnel Endpoint IDentifier) that is identification information of the tunnel is determined, and the tunnel is established.

  In OP4, since the tunnel is established, the subscriber packet switch 40 transmits a line connection response to the mobile terminal 10. Thereafter, the mobile terminal 10 can communicate through the GTP-U tunnel.

  In the first embodiment, a packet capture point is assumed on the route of the GTP-U tunnel between the subscriber packet switch 40 and the relay packet switch 50. Since the GTP-U tunnel is established in OP3 of FIG. 8, in the first embodiment, the establishment of the GTP-U tunnel is detected by detecting the CREATE PDP COMTEXT RESPOPNSE message of the GTP-C protocol.

<Configuration of quality monitoring system>
FIG. 9 is a diagram illustrating a configuration example of the quality monitoring system. In the first embodiment, the TAP 3 connects the edge router of the IP (Internet Protocol) router network included in the packet switching core network 530 and the subscriber packet switch 40 or the relay packet switch 50 on the route of the GTP-U tunnel. Arranged in between.

  The quality monitoring system 100 is, for example, a system for monitoring the traffic in the packet-switched core network 530 shown in FIG. 1 and collecting statistical information to manage the quality of the network. The quality monitoring system 100 includes a plurality of probe devices 1 and a manager device 2. Each probe apparatus 1 and manager apparatus 2 are connected via a network such as a LAN (Local Area Network).

  Each of the plurality of probe devices 1 is connected to each of a plurality of TAPs 3 arranged at predetermined positions in the packet switching core network 530 and captures a packet branched by the TAP 3. The probe device 1 analyzes the captured packet and transmits the total of analysis results to the manager device 2 at a predetermined cycle.

  The manager device 2 collects packet analysis results from each probe device 1 and performs statistical processing on the entire packet-switched core network 530. As a result of the statistical processing, the manager device 2 outputs alarms and statistical results through a display device or the like.

<Configuration of probe device>
FIG. 10 is a diagram illustrating an example of a hardware configuration of the probe apparatus 1. The probe device 1 is, for example, a dedicated computer as a probe device or a general-purpose computer. The probe device 1 includes a processor 101, a main storage device 102, an input device 103, an output device 104, an auxiliary storage device 105, a portable recording medium drive device 106, and a network interface 107. These are connected to each other by a bus 109.

  The input device 103 is, for example, a pointing device such as a keyboard and a mouse. Data input from the input device 103 is output to the processor 101.

  The portable recording medium driving device 106 reads out programs and various data recorded on the portable recording medium 110 and outputs them to the processor 101. The portable recording medium 110 is, for example, an SD card, a miniSD card, a microSD card, a USB (Universal Serial Bus) flash memory, a CD (Compact Disc), a DVD (Digital Versatile Disc), a Blu-ray disc, or a flash memory card. Such a recording medium.

  The network interface 107 is an interface for inputting / outputting information to / from the network. The network interface 107 is connected to a wired network and a wireless network. The probe device 1 communicates with the manager device 2 through the network interface 107, for example. The network interface 107 is, for example, a NIC (Network Interface Card), a wireless LAN card, or the like. Data received by the network interface 107 is output to the processor 101. In the first embodiment, a plurality of network interfaces 107 are provided, and one or more of them are also used as an interface for connection with the TAP 3.

The auxiliary storage device 105 stores various programs and data used by the processor 101 when executing each program. The auxiliary storage device 105 is a non-volatile memory such as an EPROM (Erasable Programmable ROM) or a hard disk drive. The auxiliary storage device 105 holds, for example, an operating system (OS), a network monitoring program, and various other application programs.

  The main storage device 102 provides the processor 101 with a storage area and a work area for loading a program stored in the auxiliary storage device 105, and is used as a buffer. The main storage device 102 is a semiconductor memory such as a RAM (Random Access Memory) and a ROM (Read Only Memory).

The processor 101 is, for example, a CPU (Central Processing Unit). The processor 101 executes various processes by loading the OS and various application programs held in the auxiliary storage device 105 or the portable recording medium 110 into the main storage device 102 and executing them. The number of processors 101 is not limited to one, and a plurality of processors 101 may be provided.

  The output device 104 outputs the processing result of the processor 101. The output device 104 includes, for example, an audio output device such as a speaker, a display, and a printer.

  For example, in the probe apparatus 1, the processor 101 loads a network monitoring program held in the auxiliary storage device 105 to the main storage device 102 and executes it. The probe device 1 detects the opening of the GTP-U tunnel by analyzing the packet branched by the TAP 3 through the execution of the network monitoring program, and sends a packet group that flows immediately after the opening of the GTP-U tunnel. Identify the application. Note that the hardware configuration of the probe device 1 is an example, and is not limited to the above, and components may be omitted, replaced, or added as appropriate according to the embodiment. The network monitoring program may be recorded on the portable recording medium 110, for example. The probe device 1 is an example of an “information processing device”. The network monitoring program is an example of an “information processing program”. The hardware configuration of the manager device 2 is the same as that shown in FIG.

  FIG. 11 is a diagram illustrating an example of functional blocks of the probe device 1 according to the first embodiment. In the probe apparatus 1, for example, when the processor 101 executes a network monitoring program stored in the auxiliary storage device 105, the protocol analysis unit 11, the IP tabulation unit 12, the application identification unit 13, the period tabulation unit 14, and the manager interface 15 Works as. Each functional block of the probe device 1 is not limited to being realized by software processing of the processor 101, and may be realized by hardware. For example, hardware that implements each functional block of the probe apparatus 1 includes a large scale integration (LSI) and a field-programmable gate array (FPGA).

  The protocol analysis unit 11 analyzes the header of the packet branched by TAP 3, determines which protocol the packet is, collects the packets for each protocol, and acquires protocol information. More specifically, the protocol analysis unit 11 detects a GTP packet from the packets branched by the TAP 3. The protocol analysis unit 11 determines the protocol based on, for example, the protocol number in the IP header, the port number in the UDP or TCP header, and information in each field in the GTP header. The GTP protocol is determined by, for example, the protocol number in the IP header being 17 (UDP (User Datagram Protocol)) and the destination or source port number in the UDP header being 3386. Further, the discrimination between the GTP-C protocol and the GTP-U protocol is identified by the value of the Protocol Type field in the GTP header (see FIGS. 3 and 6). The GTP-C protocol message is identified by the Message Type field in the GTP header.

The protocol analysis unit 11 is a GTP-C CREATE PDP CONTEXT RE.
When a QUEST message or a CREATE PDP CONTEXT RESPONSE message is detected, GTP-U tunnel information established by the message is recorded in the internal holding table 17. Information recording on the internal holding table 17 will be described later.

When the protocol analysis unit 11 detects a GTP-U packet, the protocol analysis unit 11 uses the information in the internal holding table 17 to identify the GTP-U tunnel through which the GTP-U packet flows. For each GTP-U tunnel, the protocol analysis unit 11 counts the order of GTP-U packets flowing through the tunnel after the tunnel is opened, and assigns each GTP-U packet as an arrival order count. Note that the arrival order count may not be a consecutive number in each tunnel, and may not be consecutive as long as a larger number is given in the arrival order. For example, the arrival order count may be a serial number of a packet input to the probe apparatus 1.

  The IP totalization unit 12 extracts IP information from the information analyzed by the protocol analysis unit 11 and performs totalization based on the IP information. More specifically, for example, the IP aggregating unit 12 aggregates the packets as the IP information regarding the destination IP address, the source IP address, the combination of the destination IP address and the source IP address, and the like of each packet.

  The application identification unit 13 identifies an application that is a cause of establishment of the GTP-C tunnel from the GTP-U packet detected by the protocol analysis unit 11. The application identification unit 13 refers to the arrival order count in the tunnel assigned to each GTP-U packet by the protocol analysis unit 11, and identifies the application for the GTP-U packet with the smallest arrival order count. This is because the application identification unit 13 treats the GTP-U packet with the smallest arrival order count as a packet that flows immediately after the establishment of the GTP-U tunnel.

  For example, the application identification unit 13 decapsulates a GTP-U packet with the smallest arrival order count and extracts a user packet. The application identification unit 13 compares the extracted user packet information with the information defined in the application identification information 16, and identifies the application that transmitted the GTP-U packet with the smallest arrival order count. In addition, the application identification unit 13 notifies the period counting unit 14 of information on the GTP-U packet with the smallest arrival order count including the identified application.

However, there are some GTP-U packets that flow immediately after the establishment of the GTP-U tunnel, making it difficult to identify the application. For example, HTTP (Hypertext Transfer Protocol)
There is a name resolution packet for a DNS server that is commonly used in a plurality of applications when name resolution is performed prior to application communication in order for the application to acquire the IP address of the communication destination. In addition, for example, there is a packet such as user authentication performed prior to an application when a plurality of applications provided by the same application vendor use the same communication destination IP address for purposes such as user authentication. The application identifying unit 13 excludes the packet that is difficult to identify the application as described above from the application identification target.

  FIG. 12 is a diagram showing identification means for non-application identification target packets and a specific example. The non-application identification target packet shown in FIG. 12 is an example, and the present invention is not limited to this.

For example, there are 1) protocol or port number, 2) pre-held IP address, subnet address, URL (Uniform)
Resource Locator), 3) elapsed time since tunnel establishment, 4) APN (Access Pont Name) identification information, bearer type identification information, and 5) packet size. In any of the identification means, the condition of the non-application identification target packet is held in advance in the storage area of the main storage device 102, for example. The application identification unit 13 compares the information of the GTP-U packet having the smallest arrival order count with the condition, and if the condition is met, excludes the GTP-U packet from the application identification target. . In this case, the application identification unit 13 determines whether or not a packet having the next smallest arrival order count flowing through the same GTP-U tunnel is an application identification target. Application identification is performed for the packet.

  The period totaling unit 14 aggregates information from the IP totaling unit 12 and the application identifying unit 13 at a predetermined period, and generates quality data. The predetermined cycle for generating the quality data is, for example, 1 minute. The quality data generated by the period totaling unit 14 is, for example, information regarding the use status of the tunnel for one period for each application, and includes the number of times the tunnel has been opened for each application during one period. The manager IF 15 is an interface with the manager device 2. The period totaling unit 14 transmits the generated quality data to the manager device 2 through the manager IF 15.

<Information handled by the probe device>
(Internal holding table)
13A, 13B, 13C, and 13D are diagrams each showing an example of the internal holding table 17. FIG. The GTP-U tunnel has different devices located at both ends of the tunnel depending on the connection destination and application. The GTP-U tunnel is identified by TEID in each device located at both ends of the tunnel. Therefore, in order to identify the GTP-U tunnel from the GTP-U packet, the TEID used by each device at both ends of the GTP-U tunnel and the IP address of each device are used. The internal holding table 17 stores these pieces of information for specifying the GTP-U tunnel from the GTP-U packet. The internal holding table 17 is generated in a storage area of the main storage device 102, for example.

  FIG. 13A is a diagram illustrating an initial state of an example of the internal holding table. In the first embodiment, the internal holding table 17 includes an internal management ID, a bearer identification information part, and a bearer state information part. The bearer refers to a GTP-U tunnel in the first embodiment. The internal management ID is information for identifying the GTP-U tunnel in the probe apparatus 1.

  The bearer identification information section holds information used for tunnel identification. Information held in the bearer identification information part is divided into TEID and IP address. For both the TEID and the IP address, the transmission side and the reception side are stored for each of the GTP-C protocol and the GTP-U protocol. 13A to 13D show the same internal holding table 17, in which the information on the GTP-C protocol is described as “C side” and the information on the GTP-U protocol is described as “U side”. Further, the information on the calling side is written as “(calling)”, and the information on the receiving side is written as “(arrival)”. That is, the internal holding table 17 shown in FIGS. 13A to 13D includes “C side TEID (originating)”, “C side TEID (arriving)”, “U side TEID (originating)”, “ “U-side TEID (arrival)”, “C-side IP address (outbound)”, “C-side IP address (inbound)”, “U-side IP address (outbound)”, “U-side IP address (inbound)” Including.

  The bearer status information section holds information related to the tunnel status. In the example shown in FIG. 13A, the bearer state information part includes the opening time and the bearer state. In the internal holding table 17, all items are empty in the initial state.

Hereinafter, the acquisition of information in the internal holding table 17 will be described with reference to FIGS. 13B to 13D. 13B to 13D, a case where a tunnel is established between the transmission side device A and the reception side device B will be described. For example, the device A on the transmission side is the subscriber packet switch 40 in FIG. For example, the receiving-side apparatus B is the relay packet switch 50 in FIG.

  FIG. 13B shows an internal holding table in which information is stored after the probe apparatus 1 captures a CREATE PDP CONTEXT REQUEST message that is a tunnel opening request addressed from the originating apparatus A to the terminating apparatus B. An example of is shown. The CREATE PDP CONTEXT REQUEST message is detected by the protocol analysis unit 11. The protocol analysis unit 11 handles the information on the transmission source of this CREATE PDP CONTEXT REQUEST message as the information on the transmission side device in the internal holding table 17.

  The protocol analysis unit 11 reads “C side TEID (originating)”, “U side TEID (originating)”, “C side IPID” of the internal holding table 17 from the information (see FIG. 4) of the payload part of the CREATE PDP CONTEXT REQUEST message. Address (source) ”and“ U-side IP address (source) ”are acquired. “C-side TEID (originating)”, “U-side TEID (originating)”, “C-side IP address (originating)”, and “U-side IP address (originating)” are respectively in the payload part of the CREATE PDP CONTEXT REQUEST message. , TEID control plane, TEID Data I, SGSN Address for signaling, SGSN Address for user traffic (see FIG. 4).

  Further, the protocol analysis unit 11 stores the time when the CREATE PDP CONTEXT REQUEST message is received in the “opening time” of the internal holding table 17. The time stored in the “opening time” is, for example, the value of the internal clock of the probe apparatus 1 and is given when the network interface 107 receives a packet branched from the TAP 3. Further, the protocol analysis unit 11 stores “opening request” in the “bearer state” of the internal holding table 17.

  The internal management IDs of the internal holding table 17 are given by the protocol analysis unit 11 in the order stored in the internal holding table 17, for example, in order from 1. However, the present invention is not limited to this, and the internal management ID may be given in any way as long as it does not overlap with other entries.

  In FIG. 13C, the probe device 1 stores information after capturing a CREATE PDP CONTEXT RESPONSE message that is a response to the tunnel opening request addressed from the receiving device B to the calling device A. An example of a holding table is shown. The CREATE PDP CONTEXT RESPONSE message is detected by the protocol analysis unit 11.

  Note that the CREATE PDP CONTEXT RESPONSE message is a response to the CREATE PDP CONTEXT REQUEST message in FIG. 13B. For example, the protocol analysis unit 11 stores the destination IP address of the IP header and the TEID in the GTP-C header. It is determined by matching “C-side IP address” (source) and “C-side TEID (source)” in the table 17. In this determination, it is also determined by the fact that the Sequence Number in the GTP-C header of the CREATE PDP CONTEXT RESPONSE message and the CREATE PDP CONTEXT REQUEST message is common (see FIG. 3).

The protocol analysis unit 11 uses the CREATE PDP CONTEXT RESPONSE
From the information of the payload part of the message, “C-side TEID (arrival)”, “U-side TEID (arrival)”, “C-side IP address (arrival)”, “U-side IP address (arrival)” in the internal holding table 17 To get. “C-side TEID (incoming)”, “U-side TEID (incoming)”, “C-side IP address (incoming)”, and “U-side IP address (incoming)” are respectively in the payload part of the CREATE PDP CONTEXT RESPONSE message. , TEID control plane, TEID Data I, SGSN Address for signaling, SGSN Address for user traffic (see FIG. 5).

  Further, the protocol analysis unit 11 rewrites “bearer state” in the internal holding table 17 from “opening request” to “opened”.

  As described above, when the probe apparatus 1 detects the CREATE PDP CONTEXT RESPONSE message, it is detected that the corresponding GTP-U tunnel has been established. Further, when the CREATE PDP CONTEXT RESPONSE message is detected, information corresponding to the corresponding GTP-U tunnel in the internal holding table 17 is arranged. Thereafter, the protocol analysis unit 11 can detect the GTP-U packet flowing through the established GTP-U tunnel using the internal holding table 17.

  FIG. 13D is a diagram illustrating an example of the internal holding table 17 after a packet flowing through the tunnel is detected. When the protocol analysis unit 11 detects a packet of the GTP-U protocol, the protocol analysis unit 11 compares the header information of the GTP-U packet with the entry of the internal holding table 17 and identifies the tunnel through which the GTP-U packet flows. The TEID of the GTP-U header part of the GTP-U packet and the destination IP address in the IP header are respectively “U-side TEID (arrival)”, “U-side IP address (arrival)”, or , “U-side TEID (originating)” and “U-side IP address (originating)” are matched to identify the tunnel through which the packet flows.

  When the protocol analysis unit 11 detects that a packet has flown through the tunnel held in the internal holding table 17, the “bearer state” of the entry of the corresponding tunnel in the internal holding table 17 is rewritten to “opened: U detected”. , The arrival order counting of the packets flowing through the tunnel is started. While the “bearer state” in the internal holding table 17 is “opened: U detected”, the protocol analysis unit 11 counts the arrival order count of packets flowing through the tunnel.

  The entry of the tunnel in the internal holding table 17 is deleted when the protocol analysis unit 11 detects a message related to deletion of the tunnel of the GTP-C protocol. The GTP-C protocol messages related to tunnel deletion are a DELETE PDP CONTEXT REQUEST message and a DELETE PDP CONTEXT RESPONSE message.

(Application identification information)
FIG. 14 is a diagram illustrating an example of the application identification information 16. The application identification information 16 is information used by the application identification unit 13 to identify the application of the GTP-U packet, and is information that defines the application. The application identification information 16 is stored in the auxiliary storage device 105, for example.

The application identification information 16 shown in FIG. 14 stores a definition type, a definition value corresponding to the definition type, and a corresponding application identifier. The definition type includes, for example, a destination IP address, a destination port number, a combination of a destination IP address and a destination port number, H
There are means capable of identifying an application such as URL in TTP, DNS resolution request name, and the like. In the corresponding application identifier, an identifier of an application corresponding to the definition value is stored. Although the application name is not stored in the application identification information 16 shown in FIG. 14, the association between the application identifier and the application name is defined by the quality monitoring system 100 and held in at least the manager device 2. It only has to be done. An application name may be stored in the application identification information 16 instead of the application identifier.

  For example, when the destination IP address of the user packet extracted from the GTP-U packet having the smallest arrival order count is “10.20.30.10”, the application identification unit 13 determines that the application identification unit 13 from FIG. It is determined that the application identifier of the packet is 100. If the information of the user packet extracted from the GTP-U packet having the smallest arrival order count does not match any of the application identification information 16, the application identification unit 13 sets the application identifier of the packet to 0. Judge as (unknown).

(Quality data)
FIG. 15 is a diagram illustrating an example of information generated by the application identification unit 13. The application identification unit 13 identifies an application that is a tunnel opening factor for the GTP-U packet with the smallest arrival order count that has flowed through the tunnel. Therefore, the information generated by the application identification unit 13 is information on the GTP-U packet that first flows through the tunnel generated by the application that is the tunnel opening factor.

  For example, in the example shown in FIG. 15, the information generated by the application identification unit 13 includes the acquisition time of the smallest arrival order count GTP-U packet that has flowed through the tunnel, the application identifier, and the tunnel through which the packet has flowed. And the information of the control signal generation nodes at both ends of the tunnel. For example, the top information shown in FIG. 15 is the GTP-U packet that first flows through the GTP-U tunnel of user 090XXX between SGSN # 1 and GGSN # 2 at 10: 10: 1. Indicates that the packet is an application with the application identifier 100.

  FIG. 16 is a diagram illustrating an example of quality data generated by the period totaling unit 14. The period totaling unit 14 generates quality data based on information notified from the IP totaling unit 12 and the application identifying unit 13 at a predetermined period. Therefore, the quality data includes information on the usage status of the tunnel for each application in one cycle.

  For example, in the example shown in FIG. 16, the quality data includes an aggregation time, an application identifier, the number of times of opening a tunnel, a control signal generation node, the number of user signal packets, a user signal use band, and the like. For example, the top entry shown in FIG. 16 indicates that GTP-U is applied by the application with the application identifier 100 between SGSN # 1 and GGSN # 2 during one period counted at 10:10. Indicates that the tunnel has been opened five times.

<Process flow>
17A and 17B are examples of a flowchart of packet analysis processing of the probe device 1 in the first embodiment. The flowchart illustrated in FIGS. 17A and 17B is started when a packet branched from TAP 3 is input to the probe apparatus 1.

  In OP11, the protocol analysis unit 11 analyzes the protocol of the input packet, and the IP totalization unit 12 analyzes the IP information of the input packet.

In OP12, when the input packet is a GTP-C protocol message (OP12: YES), the process proceeds to OP13. If the input packet is not a GTP-C protocol message (OP12: NO), the process proceeds to OP14. The GTP-C protocol message includes, for example, a CREATE PDP CONTEXT REQUEST message, a CREATE PDP CONTEXT RESPONSE message related to tunnel establishment, and a DELETE PDP CONTEXT related to tunnel deletion.
REQUEST message, DELETE PDP CONTEXT RESPONSE message.

  In OP13, the protocol analysis unit 11 records the information acquired from the input packet in the internal holding table 17. In this case, the input packet is a GTP-C protocol message. Thereafter, the processing illustrated in FIGS. 17A and 17B ends. For example, in OP2 and OP3 in the tunnel opening process shown in FIG. 8, every time a GTP-C message related to tunnel opening is input to the probe apparatus 1, the process of OP11-OP13 is executed. As described, information is recorded in the internal holding table 17. For example, when a GTP-C message related to tunnel deletion is input, the corresponding information in the internal holding table 17 is deleted in OP13.

  In OP14, when the input packet is a packet of the GTP-U protocol (OP14: YES), the process proceeds to OP15. In OP14, when the input packet is not a message related to the GTP-C protocol tunnel establishment (OP12: NO) and is not a GTP-U protocol packet (OP14: NO), the process proceeds to OP22. .

  In OP15, the protocol analysis unit 11 compares the information of the input packet with the information of the internal holding table 17, and determines whether or not the internal holding table 17 has a record of the tunnel corresponding to the information of the input packet. The input packet in this case is a GTP-U protocol packet. If there is a tunnel record that matches the information of the input packet in the internal holding table 17 (OP15: YES), the process proceeds to OP16. If there is no tunnel record that matches the information of the input packet in the internal holding table 17 (OP15: NO), the process proceeds to OP22.

  In OP16, the protocol analysis unit 11 adds 1 to the arrival order count of the corresponding tunnel, and gives the arrival order count of the corresponding tunnel to the input packet. The input packet is passed to the application identification unit 13. Next, the process proceeds to OP17.

  OP17 and OP18 are processes for determining whether or not application identification is performed for an input packet. In OP17, the application identifying unit 13 determines whether the input packet is an analysis target of application identification or whether the application that causes the establishment of the tunnel is unidentified. If the input packet is an application identification analysis target and the application of the tunnel establishment factor is unidentified (OP17: YES), the process proceeds to OP18. If the input packet is an application identification exclusion target, or if the application of the opening factor has already been identified for the corresponding tunnel (OP17: NO), the process proceeds to OP22.

As described above, the analysis target of the application identification is determined by determining whether or not a predetermined condition (see FIG. 12) is met. Whether or not the application of the corresponding tunnel is unidentified is determined by, for example, buffering the information (see FIG. 6) notified by the application identifying unit 13 to the period counting unit 14 in the main storage device 102 for a predetermined time. This is done by determining whether the information is in the buffer. Alternatively, whether the application of the corresponding tunnel is unidentified, for example, by setting an application identification item in the internal holding table 17 and setting a flag, record the identified tunnel of the application of the opening factor, It may be determined by the recording.

  In OP18, the application identifying unit 13 determines whether the arrival order count of the input packet which is the application analysis target in OP17 and has determined that the application that causes the establishment of the tunnel is unidentified is the minimum count in the corresponding tunnel. Determine whether or not. When the arrival order count of the input packet is the minimum count in the corresponding tunnel (OP18: YES), the process proceeds to OP19. If the arrival order count of the input packet is not the minimum count in the corresponding tunnel (OP18: NO), application identification is not performed for the input packet, and the process proceeds to OP22.

  For example, in this determination, the application identification unit 13 has a memory that records the minimum arrival order count for each existing tunnel in the main storage device 102, and the arrival order count of the input packet is recorded in the memory. Judgment is made based on whether the count is smaller than the forward count. When the minimum arrival order count of the tunnel corresponding to the input packet is not recorded in the memory, the application identification unit 13 sets the arrival order count given to the input packet to the GTP of the minimum arrival order count. -Judge as U packet and write the arrival order count into memory. If the arrival order count of the input packet is smaller than the arrival order count recorded in the memory, the application identification unit 13 uses the arrival order count of the input packet and arrives in the main storage device 102 of the corresponding tunnel. Rewrite the order count.

  In OP19, the application identification unit 13 compares the information of the input packet with the application identification information 16, and determines whether there is an application that matches the information of the input packet. If there is an application that matches the information of the input packet (OP19: YES), the process proceeds to OP20, and the application identification unit 13 gives the corresponding application identifier to the input packet. If there is no application that matches the information of the input packet (OP19: NO), the process proceeds to OP21, and the application identifying unit 13 uses, for example, 0 indicating that there is no corresponding application in the input packet as an application identifier. Give. Next, the process proceeds to OP22.

  In OP22, the application identifying unit 13 or the IP totaling unit 12 analyzes the IP information by counting the amount of input packets. The application identification unit 13 and the IP totaling unit 12 transmit the analyzed information to the periodic totaling unit 14. Thereafter, the processing illustrated in FIGS. 17A and 17B ends.

  Note that the processing illustrated in FIGS. 17A and 17B is an example, and the presence / absence, order, and the like of execution may be changed as appropriate. For example, the order of execution of OP17 and OP18 for determining whether or not to perform application identification for an input packet may be reversed.

  FIG. 18 is an example of a flowchart of packet information aggregation processing performed periodically. The process shown in FIG. 18 is started at the timing of a predetermined cycle of quality data generation by the cycle counting unit 14.

  In OP31, the period totaling unit 14 totals information for one period notified from the IP totaling unit 12 and the application identifying unit 13, and generates quality data. At this time, the period totaling unit 14 counts the number of times the tunnel has been opened for each application. For example, information is aggregated in units of applications.

In OP <b> 32, the period counting unit 14 transmits the generated quality data to the manager device 2 through the manager IF 15. Thereafter, the process shown in FIG. 18 ends.

<Manager device>
FIG. 19 is a diagram illustrating an example of functional blocks of the manager device 2. The hardware configuration of the manager device 2 is almost the same as that of the probe device 1 shown in FIG. The manager device 2 stores a quality tabulation program in the auxiliary storage device 105, and the CPU 101 operates as the information collection unit 21, the quality value statistics unit 22, and the alarm determination unit 23 when the quality tabulation program is executed. Further, the configuration information storage unit 24, the quality information storage unit 25, and the alarm information storage unit 26 are generated in the auxiliary storage device 105 by loading the quality tabulation program.

  The information collecting unit 21 receives quality data from a plurality of probe devices 1 in the quality monitoring system 100. Quality data is received from each probe device 1 at a predetermined cycle.

  The quality value statistics unit 22 uses the information stored in the configuration information storage unit 24 for the quality data received by the information collection unit 21 to narrow down the quality data used for statistics for the devices to be monitored. The device to be monitored is determined in advance. The quality value statistics unit 22 aggregates the refined quality data, generates quality information for each application, quality information for each device, etc. in the entire packet switching core network 530, accumulates it in the quality information storage unit 25, and generates an alarm. The determination unit 23 is notified. For example, the quality statistics unit 22 totals the number of times the tunnel is opened for each time zone and each application and accumulates it in the quality information storage unit 25.

  The alarm determination unit 23 detects quality degradation by comparing and evaluating a threshold value stored in advance and a value included in the quality information notified from the quality value statistics unit 22. The alarm determination unit 23 accumulates information in which the quality deterioration is detected in the alarm information storage unit 26. Moreover, the alarm determination part 26 may alert | report an alarm from the output device 104, when deterioration of quality is detected. Note that the deterioration of quality means an increase in load, for example, an increase in the number of occurrences of tunnel opening. The threshold is set for each quality value included in the quality information. One of the quality values included in the quality information is, for example, the number of times of tunnel opening occurrence, and the threshold value in this case is a threshold value of a ratio of unidentified applications in the number of times of tunnel opening occurrence in the entire network, a predetermined application For example, a threshold value of the number of times of opening a tunnel at a predetermined time. Other quality values included in the quality information include the number and occurrence rate of packet loss, the maximum instantaneous traffic flow (burst traffic), and the like.

  When an instruction is input from the operator of the quality monitoring system 100, the display processing unit 27 reads information from the quality information storage unit 25 or the alarm information storage unit 26 according to the instruction, and outputs an output device 104 such as a display or a speaker. Output to.

  The configuration information storage unit 24 stores the IP addresses and names of devices included in the packet switching core network 530, the connection relationship between the devices, and the like. In the quality information storage unit 25, the quality information generated by the quality value statistics unit 22 is stored. In the alarm information storage unit 26, alarm information generated by the alarm determination unit 23 is stored.

  FIG. 20 is an example of a flowchart of the information totaling process of the manager device 2. The flowchart shown in FIG. 20 is started at a predetermined cycle, for example. Alternatively, the flowchart shown in FIG. 20 is started upon reception of quality data from any of the probe devices 1 in the quality monitoring system 100, for example.

  In OP41, the quality value statistics unit 22 uses the information stored in the configuration information storage unit 24 to narrow down the quality data to devices to be monitored.

  In OP42, the quality value statistics unit 22 adds up the quality values from all the probe devices 1 for the device to be monitored and generates quality information. For example, the quality value statistics unit 22 generates quality information by counting the number of times the tunnel is opened for each time zone and / or for each application. In OP43, the quality value statistics unit 22 accumulates the generated quality information in the quality information storage unit 25. The quality value statistics unit 22 notifies the alarm determination unit 23 of the generated quality information.

  In OP44, the alarm determination unit 23 compares the threshold value with the quality value included in the quality information, and determines whether there is quality degradation. For example, when the quality value included in the quality information is the number of times the tunnel is opened for each time zone and application, the alarm determination unit 23 determines deterioration in quality when the quality value is larger than the threshold value. If there is quality degradation (OP44: YES), the process proceeds to OP45, and the alarm determination unit 23 stores the quality information in which quality degradation is detected in the alarm information storage unit 26 as alarm information. Thereafter, the process ends. If there is no quality degradation (OP44: NO), the processing shown in FIG.

  FIG. 21 is a diagram illustrating an example of a flowchart of a display process of quality information or alarm information. The flowchart shown in FIG. 21 is started, for example, when a display request is input from the system operator. The display request from the system operator includes a condition for information confirmed by the system operator. The conditions include, for example, designation of a time zone and designation of a device.

  In OP51 and OP52, the display processing unit 27 searches the alarm information storage unit 26 and the quality information storage unit 25 for information that matches the conditions specified by the system operator. In OP53, the display processing unit 27 displays information obtained as a result of the search on the display. Thereafter, the processing shown in FIG. 21 ends.

(Example of quality information display)
FIG. 22 is one example of quality information display. In the example shown in FIG. 22, the ratio of each application to the number of user signal packets and the number of occurrences of tunnel opening in a predetermined period is shown as a pie chart.

  In the example shown in FIG. 22, the application 1 has a large proportion of the number of user signal packets, but the application 3 has a large proportion of the number of occurrences of tunnel establishment. That is, from the example shown in FIG. 22, the application 3 indicates that the amount of data transmitted and received in one communication is small, but the frequency of tunnel establishment is high, and the application 3 is an application that places a load on the network. Is shown. In this way, by displaying the ratio of each application to the number of user signal packets and the number of occurrences of tunnel establishment, it is possible to identify the application that is placing a load on the network.

  Further, by comparing the proportion of each application occupying the number of occurrences of tunnel opening as shown in FIG. 22 in time series, when the proportion of unknown applications increases, the rise of unknown applications can be detected. it can. At this time, it is also possible to determine whether or not the unknown application is a threat to the network by referring to the ratio of the unknown application to the number of user signal packets.

  FIG. 23 is one example of quality information display. In the example shown in FIG. 23, the load status of each device during a predetermined period is shown as a bar graph. From the example shown in FIG. 23, it is possible to detect a device having a concentrated load and to confirm a target value for improving the performance of the device. In each device, it is possible to detect a loaded application.

  24A and 24B are examples of display of quality information. In the example shown in FIGS. 24A and 24B, a bar graph in which the number of control signal generations of all users at each time is accumulated for one application is shown. Display example 31 in FIG. 24A and display example 32 in FIG. 24B show the number of control signal generations for all users at the same time on different days (display example 32 is newer) for the same application 1.

  In the display example 31, at the time A-G, the number of control signal generations is uniform and averaged. That is, the system operator can determine from the display example 31 that the application 1 is an application that performs communication at a predetermined interval.

  On the other hand, in the display example 32, the generation of control signals is concentrated at time A and time E. That is, the system operator can determine from the display example 32 that the application 1 is an application that performs communication at a predetermined time.

  From the display example 31 and the display example 32, the system operator can detect that the operation of the application 1 has changed between the display example 31 and the display example 32, for example, due to an update or the like.

  In an application that performs communication at a predetermined time, the load tends to concentrate at the predetermined time, and there is a concern about the load on the network. As in the example shown in FIG. 24A and FIG. 24B, for each application, the number of control signal generations of all users is accumulated at each time, thereby identifying an application that places a load on the network and performs communication at a predetermined time. be able to.

<Operational effects of the first embodiment>
In the first embodiment, by identifying the application of the GTP-U packet that flows through the tunnel immediately after opening the GTP-U tunnel, it is possible to identify the application that causes the tunnel to be opened. This makes it possible to design the traffic processing performance of the devices in the network from the load status of each device in application units.

  In addition, by monitoring the load status of each application using the application information that is the cause of opening a tunnel, it is possible to detect, for example, behavioral changes due to application updates and load increases due to unidentified applications. it can. In addition, when these are detected, the manager device 2 notifies an alarm, so that the timing at which a detailed behavior investigation is necessary can be taken into operation as an operation trigger. This eliminates the need for periodic monitoring, and enables the operation cost to be reduced by conducting an investigation when an alarm occurs.

  In addition, by measuring the load of the control signal in units of applications, it is possible to identify an application that is applying a load to the network and to request improvement from the application vendor. As a result, it is possible to expect an application method change that reduces the network load by the application vendor, and it is possible to reduce the investment in the devices in the network.

In addition, although 1st Embodiment demonstrated GTP as an example, application of the technique demonstrated by 1st Embodiment is not restricted to GTP. The technique described in the first embodiment can be applied to a tunneling protocol using a tunnel identifier such as PMIP (Proxy Mobile IPv6).

Second Embodiment
In the second embodiment, a case will be described in which the probe device 1 specifies an application that becomes a tunnel opening factor outside a tunnel between devices on a route including a GTP-U tunnel. In the second embodiment, the description common to the first embodiment is omitted.

  For example, the GTP packet does not flow at the point P2 between the relay packet switch 50 and the Web service gateway 70 in the wireless communication network system 500 shown in FIG. That is, when the probe device 1 is arranged at the point P2, the probe device 1 cannot obtain a GTP-C packet or a GTP-U packet. It cannot be specified.

  FIG. 25 is a diagram for explaining a method for specifying an application that is a factor for opening a tunnel according to the second embodiment. FIG. 25 shows the number of packets at each time of one user detected at a capture point outside the route of the GTP-U tunnel. In the GTP-U tunnel, user data of one mobile terminal 10 flows per tunnel. Therefore, the GTP-U tunnel is often set so that the deletion timer set by the network administrator is deleted when the user packet of the mobile terminal 10 corresponding to the tunnel times out without flowing. That is, at the capture point outside the route of the GTP-U tunnel, when the reception interval of the user packet of one mobile terminal 10 is equal to or longer than the time of the deletion timer of the GTP-U tunnel (“N seconds” in FIG. 25). It can be considered that one GTP-U tunnel included in the route has been released.

  Therefore, in the second embodiment, the probe apparatus 1 monitors the packet reception interval for one mobile terminal 10 at a capture point outside the route of the GTP-U tunnel, and the packet reception interval is N seconds or longer. The first packet is regarded as the first user packet that flows through the tunnel. N seconds is, for example, the value of the GTP-U tunnel deletion timer, which is 60 seconds.

  In the second embodiment, the hardware configuration and functional blocks of the probe device 1 are the same as those in the first embodiment.

  In the second embodiment, the IP counting unit 12 identifies packets having the same transmission source IP address as the same session. The IP totalization unit 12 assigns an internal session ID for internally identifying the session to the packet and notifies the application identification unit 13 of the internal session ID.

  For each session, the application identification unit 13 holds the reception time of the last received packet as, for example, the main storage device 102 as the last reception time. When receiving a packet of the same session next time, the application identification unit 13 calculates a packet reception interval from the reception time given to the packet and the last reception time held. If the reception interval exceeds N seconds, the application identifying unit 13 identifies the application for the received packet, as in the first embodiment.

<Process flow>
FIG. 26 is an example of a flowchart of packet analysis processing of the probe device 1 in the second embodiment. The flowchart shown in FIG. 26 is started when the probe apparatus 1 receives a packet branched from the TAP 3.

In OP61, the protocol analysis unit 11 analyzes the protocol of the input packet, and the IP totalization unit 12 analyzes the IP information of the input packet. The IP totalization unit 12 determines a session based on the source IP address of the input packet, and assigns an internal session ID to the input packet.

  In OP62, the application identification unit 13 determines whether or not the input packet is a packet for a new session. If the input packet is a packet for a new session (OP62: YES), the process proceeds to OP63, and the application identification unit 13 updates the final reception time of the session with the reception time given to the input packet. Thereafter, the process proceeds to OP22 in FIG. 17B, and when the input packets are aggregated, the process ends. When the input packet is a packet of an existing session (OP62: NO), the process proceeds to OP64.

  In OP64, the application identification unit 13 calculates a reception interval from the reception time given to the input packet and the last reception time of the corresponding session to be held.

  In OP65, the application identification unit 13 determines whether or not the calculated reception interval is N seconds or longer. When the reception interval is N seconds or longer (OP65: YES), the application identification unit 13 determines to perform application identification for the input packet. The process proceeds to OP66, and the application identification unit 13 updates the last reception time of the session with the reception time given to the input packet. Thereafter, the processing proceeds to OP17 in FIG. 17B, and application identification processing is performed on the input packet.

  When the reception interval is less than N seconds (OP65: NO), the application identification unit 13 determines not to perform application identification for the input packet. Thereafter, the process proceeds to OP63, and the application identification unit 13 updates the last reception time of the session with the reception time given to the input packet. Thereafter, the process proceeds to OP22 in FIG. 17B, and when the input packets are aggregated, the process ends.

<Effects of Second Embodiment>
In the second embodiment, the probe device 1 regards the first packet received after a packet reception interval of N seconds or more for one user as the packet of the application that becomes the tunnel opening factor, and identifies the application. Do. As a result, the load of the control signal can be measured even at a capture point where the tunneling protocol cannot be directly referred to. For example, it is possible to reduce the introduction cost of the quality monitoring system by arranging the probe device 1 only for communication destinations that are desired to be monitored.

  In the second embodiment, the application identification process that becomes a tunnel opening factor has been described under a design in which a user packet of one mobile terminal 10 flows per GTP-U tunnel. However, the application of the technology described in the second embodiment is not limited to a tunnel that is opened one per mobile terminal 10. For example, the present invention can be applied to a tunnel established for each QCI (QoS Class Identifier) in LTE. The QCI is a parameter for pointing out the QoS type. When a tunnel is opened for each QCI, the probe device 1 considers packets having the same transmission source IP address and QCI as the same session, and measures the packet reception interval of each session.

<Others>
In the first and second embodiments, the manager device 2 has been described as an independent device different from the probe device 1, but the manager device 2 may be the same device as the probe device 1.

1 Probe device 2 Manager device 3 TAP
11 Protocol Analysis Unit 12 IP Counting Unit 13 Application Identification Unit 14 Periodic Counting Unit 15 Manager IF
16 Application identification information 17 Internal holding table

Claims (9)

A processor and memory;
An information processing apparatus that captures a packet flowing through the network at a predetermined position in the network,
The processor is
Determining whether the captured packet is a user packet that first flows in a tunnel according to a predetermined tunneling protocol;
When the captured packet is a user packet that first flows in the tunnel, an application that is a factor for opening the tunnel is identified from the captured packet.
Information processing device. The information processing device captures a packet flowing between devices located on the tunnel path,
The processor is
Detecting the opening of the tunnel by detecting a control packet of the predetermined tunneling protocol;
A number indicating the arrival order from the establishment of the tunnel is given to the user packet flowing through the tunnel,
When the number given to the user packet flowing through the tunnel is the smallest in the tunnel, it is determined that the packet flowing through the tunnel is the packet that first flows through the predetermined tunnel;
The information processing apparatus according to claim 1. The processor is
Obtain identification information of the tunnel established from the control packet, store in the memory,
When detecting a user packet of the predetermined tunneling protocol, using the identification information of the tunnel stored in the memory, it is determined that the user packet is a packet flowing through the tunnel;
The information processing apparatus according to claim 2. The processor is
In the identification of the application, when the captured packet is a packet whose application is difficult to identify, the application is not identified for the captured packet.
The information processing apparatus according to any one of claims 1 to 3. The information processing device captures a packet between devices located on a route including the tunnel outside the tunnel,
The processor is
Measure the reception interval of the captured packet,
When the reception interval is equal to or longer than a predetermined time at which the tunnel is deleted, it is determined that a packet first captured after the predetermined time or longer is a user packet that first flows into the tunnel.
The information processing apparatus according to claim 1. The processor is
Measure the packet reception interval for each source address of the captured packet,
The information processing apparatus according to claim 5. A processor and memory;
In an information processing apparatus that captures packets flowing through the network at a predetermined position in the network,
The processor is
Determining whether the captured packet is a user packet that first flows in a tunnel according to a predetermined tunneling protocol;
When the captured packet is a user packet that first flows in the tunnel, an application that is a factor for opening the tunnel is identified from the captured packet.
Information processing method. A processor and memory;
In an information processing apparatus that captures packets flowing through the network at a predetermined position in the network,
In the processor,
Determining whether the captured packet is a user packet that first flows in a tunnel according to a predetermined tunneling protocol;
When the captured packet is a user packet that first flows into the tunnel, the application that is the opening factor of the tunnel is identified from the captured packet.
Information processing program. A capture unit that captures packets flowing through the network at a predetermined position in the network;
It is determined whether the captured packet is a user packet that first flows in a tunnel according to a predetermined tunneling protocol. If the captured packet is a user packet that first flows in the tunnel, the captured packet is determined. An identification unit for identifying an application that is a cause of establishment of the tunnel from the packet;
A counting unit that counts the number of times the tunnel is opened for each application at a predetermined cycle;
An information processing system comprising:

Images