JP2017054341A - Packet search apparatus, packet search system, and packet search method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a packet search apparatus configured to reduce processing time of a processor.SOLUTION: A packet search apparatus includes a file storage unit, an index unit, a determination unit, an addition unit, and a search unit. The file storage unit stores a packet to be transferred, as a file. The index unit stores correspondence between an attribute of a packet and a packet having the attribute. On receipt of a search request including an attribute of a packet, the determination unit determines whether the attribute included in the search request is stored in the index unit or not. When the attribute of the packet included in the search request is not stored in the index unit, the addition unit searches for a packet stored in the file regarding the attribute not stored in the index unit, and adds correspondence between the attribute not stored in the index unit and a corresponding packet, to the index unit. The search unit searches for a packet associated with the attribute included in the search request, in reference to the index unit.SELECTED DRAWING: Figure 13

Description

  The present invention relates to a packet search device, a packet search system, and a packet search method.

In recent years, a collaborative model that provides services to customers by connecting networks of a plurality of companies has appeared. A virtual mobile communication operator (Mobile Virtual Network Operator, MVNO) that provides a service to a customer using a network of a mobile communication operator (Mobile Network Operator, MNO) is an example of a collaboration model. Each company in the collaboration model can monitor its own network, but it is difficult to monitor the networks of other companies connected to its network. Therefore, when a failure or the like occurs in the collaboration model network, it is difficult to grasp the cause of the failure. Therefore, each company in the collaboration model captures the packets flowing through its network and accumulates the captured packets. Each company in the collaborative model analyzes the accumulated packets to investigate failures that occurred in the network.

JP-A-9-167167 JP-A-10-55302

  Here, it takes a lot of time and work to search for a packet related to a failure or the like from the accumulated packets. Therefore, it is conceivable to add index information as a search key to the accumulated packet. By adding the index information, it becomes easy to search for packets. However, of the accumulated packets, the referenced packets are some of the packets related to failures and the like. Therefore, there is a possibility that the processing time of the processor used for the process of adding index information for all the accumulated packets including the unreferenced packet may not be allowed.

  Therefore, an object of one aspect of the disclosed technology is to provide a packet search device that can reduce the processing time of a processor.

  One aspect of the disclosed technique is exemplified by a packet search device as follows. The packet search device includes a file storage unit, an index unit, a determination unit, an additional recording unit, and a search unit. The file storage unit stores the transferred packet as a file. The index part stores a correspondence between a packet attribute and a packet having the attribute. When receiving a search request including a packet attribute, the determination unit determines whether the attribute included in the search request is stored in the index unit. When the attribute of the packet included in the search request is not stored in the index part, the appending part searches the packet stored in the file for the attribute that is not stored in the index part, and the attribute that is not stored in the index part The correspondence with the corresponding packet is added to the index part. The search unit searches the packet associated with the attribute included in the search request with reference to the index unit.

  This packet search apparatus can reduce the processing time of the processor.

FIG. 1 is a diagram illustrating an example of a network using MNO and MVNO. FIG. 2 is a diagram illustrating an example of a DIAMETER message structure. FIG. 3 is a diagram illustrating an example of a hardware configuration of the information processing apparatus. FIG. 4 is a diagram illustrating an example of processing blocks of the capture file storage device. FIG. 5 is a diagram illustrating an example of a table of the capture file management unit. FIG. 6 is a diagram illustrating an example of processing blocks of the message search apparatus. FIG. 7 is a diagram illustrating an example of a table managed by the index management unit. FIG. 8 is a diagram illustrating an example of a table managed by the AVP attribute management unit. FIG. 9 is a diagram illustrating an example of a table managed by the AVP attribute management unit. FIG. 10 is a diagram illustrating an example of a flow of processing for capturing a packet. FIG. 11 is a diagram illustrating an example of the flow of a search request process for a capture file to which no index is added. FIG. 12 is a diagram illustrating an example of a processing flow of a search request for a capture file to which an index is added. FIG. 13 is a diagram illustrating an example of a processing flow of the message search apparatus that receives a search request.

  Hereinafter, a message search system according to an embodiment will be described with reference to the drawings. The configuration of the embodiment described below is an exemplification, and the disclosed technology is not limited to the configuration of the embodiment.

<First Embodiment>
FIG. 1 is a diagram illustrating an example of a network 500 based on MNO and MVNO. In the network 500, an MNO MNO network 300 and an MVNO MVNO network 200 are connected via a Packet Data Network Gateway (PGW) 210. The user terminal 310 is connected to the MNO network 300 by wireless communication.

The MNO network 300 is managed by an MNO that is a mobile communication carrier. The MNO network 300 is, for example, a mobile phone or a personal handy-phone system (P
This is a mobile network exemplified by HS). The MNO owns a mobile network such as a mobile phone or PHS and provides a communication service.

  The user terminal 310 is an information processing apparatus capable of wireless communication. The user terminal 310 is connected to the MNO network 300 by wireless communication, and is connected to, for example, the Internet 400 via the MVNO network 200. The user terminal 310 is a smart device exemplified by a smartphone, a tablet terminal, a smart watch, and the like. The user terminal 310 is, for example, a mobile phone, a PHS, a notebook personal computer, a desktop personal computer, or a mobile router.

The MVNO network 200 is managed by an MVNO that is a virtual mobile communication carrier. The MVNO provides a communication service using the MNO network 300 provided by the MNO. MVNO, for example, communicates from MNO network 300 to MN
A service for connecting to an external network such as the Internet 400 via the O network 200 is provided. The MVNO network 200 can add various restrictions to the communication of the user terminal 310 that uses the MVNO service via the MNO network 300.

  The MVNO network 200 includes a PGW 210, a Policy and Charging Rules Function (PCRF) 220, a message search system 201, and a client 250. The message search system 201 includes a capture file storage device 230 and a message search device 240. The capture file storage device 230, the message search device 240, and the client 250 are connected to each other via a computer network. The PGW 210, the PCRF 220, and the capture file storage device 230 are connected to each other by a computer network. The message search system 201 is an example of a “packet search system”.

  The PGW 210 is an information processing apparatus that connects the MNO network 300 and the Internet 400 to the MVNO network 200. That is, the PGW 210 is a gateway of the MNO network 300. In addition, the PGW 210 sends a packet for communication via the PGW 210 to the packet capture point 260. Transmission to the packet capture point 260 is realized by, for example, port mirroring or a network tap.

  The PCRF 220 is an information processing apparatus that controls communication quality for communication connecting from the MNO network 300 to the Internet 400 via the MVNO network 200. The PCRF 220 performs various controls including communication speed limitation for communication performed from the user terminal 310 via the PGW 210. For example, the PCRF 220 controls communication from the user terminal 310 using DIAMETER, which is a protocol used for communication control including user authentication and communication speed limitation.

  FIG. 2 is a diagram illustrating an example of a DIAMETER message structure. The message includes one or more packets. The DIAMETER message includes one or more attribute / attribute value pairs called attribute value pairs (AVP). The attribute indicates the type of information notified by the packet, and the attribute value is a value set in the attribute. In DIAMETER, communication is controlled by a combination of attribute value pairs. In DIAMETER, for example, a communication speed of a specific user is limited by a combination of a plurality of attribute value pairs.

  The message search system 201 captures packets on the capture point 260 and accumulates the captured packets. The message search system 201 searches for a requested packet in response to a search request from the client 250.

  The capture file storage device 230 is an information processing device that captures a packet on a computer network in the message search system 201 and stores the captured packet as a capture file. For example, the capture file storage device 230 captures a packet on the packet capture point 260 of FIG. The capture file storage device 230 is an example of a “file storage unit”. A capture file is an example of a “file”.

The message search device 240 is an information processing device that searches for a packet stored in the capture file storage device 230 in response to a request from the client 250 in the message search system 201. Furthermore, when the index information that is the search key is not added to the search target packet, the message search device 240 adds the index information to the packet and a packet having a predetermined relationship with the packet. The message search device 240 is an example of a “packet search device”.

  The client 250 is an information processing apparatus that is used by an administrator of the MVNO network 200, for example. For example, the client 250 instructs the message search device 240 to search for a packet.

  FIG. 3 is a diagram illustrating an example of a hardware configuration of the information processing apparatus 100. The information processing apparatus 100 includes a CPU 101, a memory 102, a storage device 103, a line interface 104, and a connection bus B1. The CPU 101, the memory 102, the storage device 103, and the line interface 104 are connected to each other via a connection bus B1. The information processing apparatus 100 can be used as, for example, the PGW 210, the PCRF 220, the capture file storage apparatus 230, the message search apparatus 240, the client 250, and the user terminal 310.

  In the information processing apparatus 100, the CPU 101 expands the program stored in the storage device 103 in the work area of the memory 102, and controls peripheral devices through execution of the program. Thereby, the information processing apparatus 100 can execute a process that matches a predetermined purpose. The memory 102 and the storage device 103 are recording media that can be read by the information processing apparatus 100.

  The memory 102 is exemplified as a storage unit that is directly accessed from the CPU 101. The memory 102 includes a random access memory (RAM) and a read only memory (ROM).

  The storage device 103 stores various programs and various data in a recording medium in a readable and writable manner. The storage device 103 is also called an external storage device. The storage device 103 stores an operating system (OS), various programs, various tables, and the like. The OS includes a communication interface program that exchanges data with an external device or the like connected via the line interface 104. Examples of the external device include other information processing devices and external storage devices connected via a computer network or the like. The storage device 103 may be a part of a cloud system that is a group of computers on a network, for example.

The storage device 103 is, for example, an Erasable Programmable ROM (EPROM), a solid state drive (SSD), a hard disk drive (Hard Disk Drive, HDD), or the like. The storage device 103 is, for example, a Compact Disc (CD) drive device, a Digital Versatile Disc (DVD) drive device, a Blu-ray (registered trademark) Disc (BD) drive device, or the like. Further, the storage device 103 may be provided by Network Attached Storage (NAS) or Storage Area Network (SAN).

  A recording medium that can be read by the information processing apparatus 100 is a recording medium that stores information such as data and programs by electrical, magnetic, optical, mechanical, or chemical action and can be read from the information processing apparatus 100. Say medium. Examples of such a recording medium that can be removed from the information processing apparatus 100 include a flexible disk, a magneto-optical disk, a CD-ROM, a CD-R / W, a DVD, a Blu-ray disk, a DAT, an 8 mm tape, a flash memory, and the like. There are memory cards. In addition, as a recording medium fixed to the information processing apparatus 100, there are a hard disk, an SSD, a ROM, and the like.

  The line interface 104 is an interface with a computer network, for example. The line interface 104 communicates with an external device via a computer network.

  The information processing apparatus 100 may further include, for example, an input unit that receives an operation instruction from a user or the like. Examples of such an input unit include an input device such as a keyboard, a pointing device, a touch panel, an acceleration sensor, or a voice input device.

The information processing apparatus 100 may include an output unit that outputs data processed by the CPU 101 or data stored in the memory 102, for example. Examples of such an output unit include output devices such as a Cathode Ray Tube (CRT) display, a Liquid Crystal Display (LCD), a Plasma Display Panel (PDP), an Electroluminescence (EL) panel, an organic EL panel, or a printer.

<Processing block>
4 and 6 are diagrams illustrating examples of processing blocks of the capture file storage device 230 and the message search device 240, respectively. For example, the CPU 101 in FIG. 3 executes a computer program loaded in the memory 102 as each block in FIGS. 4 and 6. However, at least a part of any of the blocks in FIGS. 4 and 6 may include a hardware circuit, a dedicated processor, or a digital signal processor (DSP). Hereinafter, processing blocks of the capture file storage device 230 and the message search device 240 will be described with reference to FIGS. 4 and 6.

<Processing Block of Capture File Storage Device 230>
FIG. 4 is a diagram illustrating an example of processing blocks of the capture file storage device 230. In FIG. 4, a capture unit 231 is shown as an example of a processing block of the capture file storage device 230. In FIG. 4, a capture file management unit 232 is illustrated as an example of a storage unit of the capture file storage device 230. Further, a communication interface 233 is shown as an example of the line interface 104 used by the capture file storage device 230 for communication with the outside. The other device described in FIG. 4 is a device that communicates with the capture file storage device 230 via the communication interface 233, and is, for example, the message search device 240 or the client 250.

  The CPU 101 of the capture file storage device 230 receives the packet flowing through the packet capture point 260 as the capture unit 231 and captures the received packet. The capture unit 231 stores the captured packet in the storage device 103 as a capture file. For example, the capture unit 231 stores the captured packet in a capture file for each predetermined time range of the time stamp, and causes the storage unit 103 to store the capture file. That is, the capture file can include a plurality of packets captured within a predetermined time range. When the total value of the data size of the packets captured in the predetermined time range of the time stamp exceeds the predetermined size, the capture unit 231 may divide the captured file so as to fit within the predetermined size and store the divided capture file in the storage device 103. . Further, the capture unit 231 stores the correspondence between the file name of the capture file and the time stamp of the packet stored in the capture file in the capture file management unit 232.

The capture file management unit 232 is a table for managing the correspondence between the capture file stored in the storage device 103 and the time stamp of the packet stored in the capture file. FIG. 5 is a diagram illustrating an example of a table of the capture file management unit 232. The first line of FIG. 5 illustrates the type of information to be recorded. That is, the time stamp is recorded in the first column of FIG. 5, and the file name of the capture file is recorded in the second column. The time stamp is expressed by, for example, four digits for the year, two digits for the month, two digits for the day, two digits for the hour, two digits for the minute, and two digits for the second. For example, the capture file with the file name “packet1.cap”
Packets in the range from 20:00:00 on month 1 to 20: 9: 59 on August 1, 2015 are recorded. The capture file management unit 232 is constructed on the memory 102 or the storage device 103 of the capture file storage device 230, for example.

  Returning to FIG. 4, the communication interface 233 connects the capture file storage device 230 to another device through a computer network. The communication interface 233 is an example of the line interface 104 in FIG. Other devices include message search device 240, client 250, PCRF 220 and PGW 210. Further, the capture file storage device 230 captures a packet flowing through the packet capture point 260 via the communication interface 233.

<Processing Block of Message Search Device 240>
FIG. 6 is a diagram illustrating an example of processing blocks of the message search device 240. FIG. 6 illustrates processing blocks of the message search unit 241, the index addition unit 242, and the capture file reading unit 243. Further, in FIG. 6, the storage units of the index management unit 244 and the AVP attribute management unit 245 are illustrated. Further, a communication interface 246 is shown as an example of the line interface 104 used by the message search device 240 for communication with the outside. The other device described in FIG. 6 is a device that communicates with the message search device 240 via the communication interface 246, for example, the capture file storage device 230 or the client 250.

  The CPU 101 of the message search device 240 reads a capture file stored in the storage device 103 of the capture file storage device 230 as a capture file reading unit 243 in response to a search request from the client 250. For example, the capture file reading unit 243 specifies a capture file based on a time stamp included in the search request, and reads the specified capture file. The capture file reading unit 243 is an example of a “reading unit”.

  The CPU 101 of the message search device 240 searches the capture file in response to a search request from the client 250 as the message search unit 241. The message search unit 241 searches for the packet that is the target of the search request from the capture file read by the capture file reading unit 243 using the attribute value pair included in the search request as a search key. When an index is not added to the capture file, the message search unit 241 instructs the index addition unit 242 to add an index to the capture file. The message search unit 241 is an example of a “determination unit”, “specification unit”, “additional writing unit”, and “search unit”.

  The CPU 101 of the message search device 240 adds an index to the capture file as the index adding unit 242. The index addition unit 242 executes index addition in response to an instruction from the message search unit 241. The index adding unit 242 may add an index in response to an instruction from the client 250.

The index management unit 244 is a table that manages an index added to the capture file. FIG. 7 is a diagram illustrating an example of a table managed by the index management unit 244. As illustrated in FIG. 7, the index management unit 244 includes an attribute list table 244a that manages a list of attributes included in the capture file, and an attribute value and a packet number that identifies the packet in which the attribute value is recorded. And a correspondence management table 244b for managing correspondence. The packet number is a number that uniquely identifies each packet stored in the capture file. For example, the packet number is assigned to each packet in the capture file by a serial number. That is, the number of the packet in the capture file is specified by the packet number. In the example of FIG. 7, a packet in which “A” is set as the value of the attribute “Imsi” is a packet specified by the packet numbers 1, 4, 7, and 50. That is, the message search unit 241 of the message search device 240 can identify a packet having the attribute value pair specified at the time of the search request by referring to the index management unit 244. The attribute list table 244a and the correspondence management table 244b are created for each capture file. The index list table 244a and the correspondence management table 244b are empty in the initial state of the message management search device 240.

The AVP attribute management unit 245 is a table that manages attribute value pairs. 8 and 9 are diagrams illustrating an example of a table managed by the AVP attribute management unit 245. FIG. 8 shows the attribute of DIAMETER (denoted as Index key in the figure) and AV used in the first embodiment.
It is an example of an AVP code table 245a indicating correspondence of P codes (denoted as AVP Code in the figure). In the AVP code table 245a, various attributes used in DIAMETER are stored as a list. In the AVP code table 245a, an attribute used in DIAMETER is associated with an AVP code that is a code for identifying the attribute. That is, in the DIAMETER packet illustrated in FIG. 2, the AVP code is described as an attribute, and what attribute is specified by the AVP code is identified. The AVP code table 245a is determined at the time of factory shipment or initial setting, for example.

FIG. 9 is a diagram illustrating an example of the inclusion relationship table 245b that manages the inclusion relationship between attributes. In DIAMETER used in the first embodiment, an inclusion relationship exists between attributes. In DIAMETER, for example, there may be a plurality of attributes used for the same application. These attributes are referred to as “equal” to each other in an inclusive relationship. For example, in DIAMETER, there may be other attributes that make a certain attribute more specific. In this case, an attribute is referred to as “includes” another attribute in the inclusion relationship. Hereinafter, in the present specification, a relationship in which “a certain attribute is equal to another attribute” or “a certain attribute includes another attribute” is referred to as “a certain attribute includes another attribute”. In the inclusion relationship table 245b, the inclusion relationship of attributes is exemplified. The first line of the inclusion relationship table 245b illustrates the type of information managed by the inclusion relationship table 245b. That is, the attributes are exemplified in the first and second columns of the inclusion relationship table 245b, and the inclusion relationship between the attributes in the first and second columns is exemplified in the third column. For example, in the second line of the inclusion relationship table 245b, the relationship between the attribute “Imsi” and the attribute “MSISDN” is “equal (=)”. Further, referring to the third and fourth lines of the inclusion relationship table 245b, it can be seen that the attributes “Imsi” “include” the attributes “Call ID” and “Session ID”. The inclusion relation table 245b is determined, for example, at the time of factory shipment or initial setting. The AVP attribute management unit 245 is an example of a “relation storage unit”.

  The communication interface 246 connects the message search device 240 and other devices through a computer network. The communication interface 246 is an example of the line interface 104 in FIG. Other devices include a capture file storage device 230, a client 250, a PCRF 220 and a PGW 210.

<Processing flow>
FIG. 10 is a diagram illustrating an example of a flow of processing for capturing a packet. The process of FIG. 10 is started simultaneously with the activation of the capture file storage device 230, for example. Hereinafter, the flow of processing for capturing a packet will be described with reference to FIG.

  At T <b> 1, the communication interface 233 of the capture file storage device 230 receives a packet flowing through the packet capture point 260. The capture unit 231 of the capture file storage device 230 captures the received packet.

  At T2, the capture unit 231 stores the captured packet in the capture file for each predetermined time range of the time stamp as described above. In addition, when the size of the capture file exceeds a predetermined size, the capture unit 231 divides the capture file so as to fit within the predetermined size. The capture file is stored in the storage device 103 of the capture file storage device 230. As illustrated in FIG. 5, the capture unit 231 causes the capture file management unit 232 to store the correspondence between the file name of the capture file and the time stamp of the packet stored in the capture file. The capture file storage device 230 stores the packet flowing through the packet capture point 260 as a capture file by repeatedly executing the processing of T1 and T2.

  FIG. 11 is a diagram illustrating an example of the flow of a search request process for a capture file to which no index is added. Hereinafter, the flow of processing for a search request for a capture file to which no index is added will be described with reference to FIG.

  At T11, a packet search request is made from the client 250 to the message search device 240. The search request includes information for specifying a packet to be searched. The information specifying the packet is, for example, a time stamp, an attribute, and an attribute value set in the attribute. Here, the time stamp “August 1, 2015 20: 3: 0” to August 1, 2015 20: 5: 3 is designated as the search request, and “Imsi = 990001111111111” is designated as the attribute value pair. Shall. That is, in the search request, “Imsi” is specified as the attribute and “990001111111111” is specified as the attribute value.

  In T12, the message search unit 241 of the message search device 240 that has received the packet search request refers to the capture file management unit 232, and identifies a capture file that includes a packet with the time stamp specified in the search request. Further, the message search unit 241 refers to the index management unit 244 to determine whether or not an index is added to the identified capture file. In the process illustrated in FIG. 11, as described above, no index is added to the capture file.

  At T <b> 13, the capture file reading unit 243 of the message search device 240 acquires a capture file from the capture file storage device 230 via the communication interface 246. At this time, the capture file reading unit 243 notifies the capture file storage device 230 of the time stamp included in the search request from the client 250. The capture unit 231 of the capture file storage device 230 refers to the capture file management unit 232 and identifies a capture file including the notified packet with the time stamp. The capture unit 231 reads the identified capture file from the storage device 103 and transmits it to the message search device 240. The capture file reading unit 243 of the message search device 240 receives the capture file transmitted from the capture unit 231 of the capture file storage device 230.

At T14, the index adding unit 242 of the message search device 240 adds an index to the acquired capture file. First, the index adding unit 242 adds the search-requested attribute to the captured file index list table 244a. Further, the index adding unit 242 analyzes the acquired capture file and searches for a packet including the attribute to be searched. The attribute value set in the retrieved packet is acquired, and the packet number and attribute value pair of the packet is added to the acquired capture file correspondence management table 244b. Further, the index adding unit 242 performs the same processing for the attribute requested for search and the included attribute. In this search, the index adding unit 242 does not consider attributes other than the attribute requested for the search and the attribute included in the attribute requested for the search. Therefore, the index adding unit 242 can shorten the processing time of the CPU 101 used for creating an index, compared to a case where all attribute value pairs included in the capture file are analyzed. As a result of such processing, the index list table 244a and the correspondence management table 244b are in the state illustrated in FIG. 7, for example. Referring to FIG. 7, it can be seen that packets having “A” as the value of the attribute “Imsi” are packets having packet numbers 1, 4, 7, and 50.

  At T <b> 15, the message search unit 241 of the message search device 240 returns the search result to the client 250. The search result may be a searched packet or a packet number that identifies the searched packet.

  FIG. 12 is a diagram illustrating an example of a processing flow of a search request for a capture file to which an index is added. Hereinafter, the flow of processing for a search request for a capture file to which an index is added will be described with reference to FIG. In addition, the same code | symbol is attached | subjected about the process similar to FIG. 11, and the detailed description is abbreviate | omitted.

  The process at T11 is the same as the process at T11 in FIG. Therefore, the description is omitted. In T21, the message search unit 241 of the message search device 240 that has received the packet search request refers to the capture file management unit 232, and specifies a capture file including a packet with the time stamp specified in the search request. Further, the message search unit 241 refers to the index management unit 244 to determine whether or not an index is added to the capture file including the packet with the specified time stamp. In the process illustrated in FIG. 12, as described above, an index is added to the capture file. Therefore, the message search unit 241 refers to the index management unit 244 and acquires a packet number that identifies a packet corresponding to the search request.

  At T22, the message search unit 241 transmits the packet number acquired at T21 to the client 250. At this time, the message search unit 241 may acquire the capture file from the capture file storage device 230 by the capture file reading unit 243 and transmit the packet specified by the packet number from the acquired capture file.

  FIG. 13 is a diagram illustrating an example of a processing flow of the message search apparatus 240 that has received a search request. Hereinafter, the processing flow of the message search apparatus 240 that has received a search request will be described with reference to FIG.

  At T <b> 31, the client 250 transmits a search request to the message search device 240. In the search request at T31, it is assumed that a search request having the same contents as T11 in FIG. 11 is transmitted. The message search unit 241 of the message search device 240 that has received the search request from the client 250 uses the attribute-attribute value pair included in the search request as a key by the process illustrated in T12 of FIG. 11 or T22 of FIG. The index management unit 244 is searched. When the attribute management unit 244 includes an attribute / attribute value pair included in the search request (Y in T32), the process proceeds to T33. If the attribute and attribute value pair included in the search request is not included in the index management unit 244 (N in T32), the process proceeds to T35. The message search unit 241 that executes the process of T32 is an example of a “determination unit”.

  In T33, the message search unit 241 refers to the index management unit 244, and acquires a packet number that identifies a packet including an attribute-attribute value pair included in the search request. Further, the message search unit 241 may acquire a capture file including a packet specified by the packet number by the capture file reading unit 243.

  At T <b> 34, the message search unit 241 transmits a packet number for specifying a search result packet to the client 250. The message search unit 241 may transmit the packet specified by the packet number from the capture file acquired by the capture file reading unit 243 to the client 250. The message search unit 241 that executes the processes of T33 and T34 is an example of a “search unit”.

In T35 to T310, processing in the case where the attribute management unit 244 does not include the attribute-attribute value pair included in the search request will be described. The process at T35 is the same as the process at T14 in FIG. Therefore, the description is omitted. In T36, the index adding unit 242 refers to the AVP attribute management unit 245 to check the attribute inclusion relationship. Referring to FIG. 9, the search requested attribute “Imsi” and the attribute “MSISDN” are equal in inclusion relation. The attributes “Call ID” and “Session ID” are included in the attribute “Imsi” in the inclusion relationship. Therefore, it is determined that there is an inclusion relationship (Y in T37), and the process proceeds to T38. The index adding unit 242 that executes the process of T36 is an example of a “specifying unit”.

In T38, the message search unit 241 creates an index for the attribute requested for the search and the attribute included in the attribute requested for the search. The message search unit 241 refers to the inclusion relation table 245b and identifies an attribute included in the attribute requested to be searched. Here, referring to FIG. 9, as attributes included in the attribute “Imsi”, “MSISDN”, “Call”
“ID” and “Session ID” are specified. The message search unit 241 also creates an index for the attribute “Imsi” requested for the search and the attributes “MSISDN”, “Call ID”, and “Session ID” included in the attribute “Imsi”. First, the capture file reading unit 243 reads from the capture file storage device 230 a capture file including a packet with a time stamp designated by the search request. Next, the message search unit 241 determines whether the attribute “Imsi”, the attributes “Imsi”, “MSISDN”, “Call ID”, and “Session ID” are included in the read capture file. Subsequently, the message search unit 241 creates an index by executing the process of T35 for the attribute determined to be included in the capture file. The message search unit 241 that executes the process of T38 is an example of an “additional writing unit”.

  In T310, a process when the attribute requested for search does not have an inclusion relationship is described. In this case, the message search unit 241 extracts the attributes included in the packets for all the packets included in the capture file, and the process of T35 is performed on the extracted attributes.

  In T39, the message search unit 241 specifies the packet requested to be searched by the process exemplified in T33. The message search unit 241 that executes the process of T39 is an example of a “search unit”.

<Effects of First Embodiment>
The message search system 201 of the first embodiment does not create an index at the stage of packet capture, but creates an index when a search request is made. Therefore, the message search system 201 can omit the index creation process when no packet search occurs.

  In the first embodiment, when creating an index of a capture file, an index is created not only for an attribute requested for search but also for an attribute included in the attribute. For this reason, the message search system 201 according to the first embodiment performs a search result at high speed by referring to an index for a search request by another attribute included in the certain attribute after the search is performed with the certain attribute. Can respond.

  In the first embodiment, the capture file is divided according to a predetermined time range. Therefore, newly captured data is not added to the divided capture file. As a result, according to the first embodiment, it is possible to suppress index re-creation processing due to a change in the capture file. Further, by dividing the capture file in a predetermined time range, it is easy to specify the capture file including the search target packet by specifying the time. Therefore, for example, a capture file including packets before and after the occurrence of a failure can be easily specified. Further, the message search system 201 creates an index for the capture file specified by the time specified in the search request. Therefore, the processing time of the CPU 101 used for index creation can be shortened compared to the case of creating indexes for all capture files.

  In the first embodiment, the attributes to be indexed for the capture file are limited by using the inclusion relation of attributes. Therefore, according to the first embodiment, the processing time of the CPU 101 used for index creation can be shortened as compared with the case where indexes are created for all attributes of packets included in a capture file.

<Modification of First Embodiment>
In the message search system 201 of the first embodiment, DIAMETER is exemplified as a protocol to be a packet capture target. However, the protocol to be captured and searched by the message search system 201 is not limited to DIAMETER. The message search system 201 can be applied to various protocols having an inclusion relationship between attributes. The message search system 201 can be applied to, for example, RADIUS, General packet radio service. Tunneling Protocol (GTP), GPRS Tunneling. Protocol version 2 (GTPv2), Proxy Mobile IP (PMIP), and Session Initiation Protocol (SIP). It is.

  In the first embodiment, as an inclusion relationship between attributes in the inclusion relationship table 245b, a relationship in which an attribute and another attribute are “equal” and a certain attribute “includes” another attribute is exemplified. However, the information stored in the inclusion relationship table 245b is not limited to these. For example, the inclusion relationship table 245b may store the presence or absence of an inclusion relationship between a certain attribute and another attribute. In this case, for example, the inclusion relationship table 245b stores “1” when there is an inclusion relationship between a certain attribute and another attribute, and “no” when there is no inclusion relationship between a certain attribute and another attribute. "0" can be memorized.

  The message search system 201 of the first embodiment is realized by two information processing devices, a capture file storage device 230 and a message search device 240. However, the message search system 201 may be realized by a single information processing apparatus.

In the first embodiment, the message search system 201 captures a packet at the packet capture point 260. However, the location where the message search system 201 captures a packet is not limited to the packet capture point 260. For example, the message search system 201 may capture a packet between the PGW 210 and the MNO network 300. In this case, the message search system 201 can also capture a packet that establishes a session between the PGW 210 and the MNO network 300, for example.

<Others>
The following additional notes are further disclosed with respect to the embodiment including the above modification.
(Appendix 1)
A file storage unit for storing the transferred packet as a file;
An index part for storing the correspondence between the attribute of the packet and the packet having the attribute;
When receiving a search request including an attribute of a packet, a determination unit that determines whether or not the attribute included in the search request is stored in the index unit;
When the attribute of the packet included in the search request is not stored in the index part, the packet stored in the file is searched for the attribute not stored in the index part, and stored in the index part. An appending unit that appends a correspondence between the attribute and the corresponding packet that is not added to the index unit;
A search unit that searches for a packet associated with the attribute included in the search request with reference to the index unit,
Packet search device.
(Appendix 2)
A relationship storage unit for storing presence or absence of a predetermined relationship between the attributes;
When the attribute included in the search request is not stored in the index unit, a specifying unit that identifies the attribute that is in the predetermined relationship with the attribute included in the search request with reference to the relationship storage unit; Further comprising
The additional recording unit searches the packet stored in the file for the attribute specified by the specifying unit, and further executes a process of adding a correspondence between the specified attribute and the corresponding packet to the index unit To
The packet search apparatus according to claim 1.
(Appendix 3)
The predetermined relationship is an inclusion relationship between the attributes,
The attribute having the predetermined relationship with the attribute of the attribute included in the search request is an attribute included in the inclusion relationship in the attribute specified in the search request.
The packet search device according to claim 2.
(Appendix 4)
The file is created every predetermined time range,
The search request further includes a designated time for designating a time when the packet to be searched is stored as a file,
A reading unit that reads the file specified by the specified time.
The packet search device according to any one of claims 1 to 3.
(Appendix 5)
A packet search system comprising a capture file storage device and a packet search device,
The capture file storage device
A storage unit that stores the transferred packet as a file,
The packet search device includes:
An index part for storing the correspondence between the attribute of the packet and the packet having the attribute;
When receiving a search request including an attribute of a packet, a determination unit that determines whether or not the attribute included in the search request is stored in the index unit;
When the attribute included in the search request is not stored in the index part, the packet stored in the file is searched for the attribute not stored in the index part, and is not stored in the index part. An appending unit that appends a correspondence between the attribute and the corresponding packet to the index unit;
A search unit that searches for a packet associated with the attribute included in the search request with reference to the index unit,
Packet search system.
(Appendix 6)
The packet search device includes:
A relationship storage unit for storing presence or absence of a predetermined relationship between the attributes;
When the attribute included in the search request is not stored in the index unit, a specifying unit that identifies the attribute that is in the predetermined relationship with the attribute included in the search request with reference to the relationship storage unit; Further comprising
The additional recording unit searches the packet stored in the file for the attribute specified by the specifying unit, and further executes a process of adding a correspondence between the specified attribute and the corresponding packet to the index unit To
The packet search device according to appendix 5.
(Appendix 7)
The predetermined relationship is an inclusion relationship between the attributes,
The attribute having the predetermined relationship with the attribute of the attribute included in the search request is an attribute included in the inclusion relationship in the attribute specified in the search request.
The packet search system according to appendix 6.
(Appendix 8)
The file is created every predetermined time range,
The search request further includes a designated time for designating a time when the packet to be searched is stored as a file,
The packet search device further includes a reading unit that reads the file specified by the specified time.
The packet search device according to any one of appendices 5 to 7.
(Appendix 9)
Computer
Save the forwarded packet as a file,
Storing an index that is a correspondence between a packet attribute and a packet having the attribute;
When receiving a search request including a packet attribute, it is determined whether or not the attribute included in the search request is stored in the index;
If the attribute of the packet included in the search request is not stored in the index, the packet stored in the file is searched for the attribute not stored in the index, and the packet is not stored in the index Add the correspondence between the attribute and the corresponding packet in the index,
Searching for a packet associated with the attribute included in the search request with reference to the index;
Packet search method.
(Appendix 10)
The computer
Storing the presence or absence of a predetermined relationship between the attributes;
If the attribute included in the search request is not stored in the index, the attribute that is in the predetermined relationship with the attribute included in the search request is identified with reference to the stored predetermined relationship;
The appending further searches the packet stored in the file for the identified attribute, and further executes a process of appending the correspondence between the identified attribute and the corresponding packet to the index.
The packet search method according to claim 9.
(Appendix 11)
The predetermined relationship is an inclusion relationship between the attributes,
The attribute having the predetermined relationship with the attribute of the attribute included in the search request is an attribute included in the inclusion relationship in the attribute specified in the search request.
The packet search method according to attachment 10.
(Appendix 12)
The file is created every predetermined time range,
The search request further includes a designated time for designating a time when the packet to be searched is stored as a file,
Further executing a process of reading the file specified by the specified time;
The packet search method according to any one of appendices 9 to 11.

DESCRIPTION OF SYMBOLS 100 ... Information processing apparatus 101 ... CPU
DESCRIPTION OF SYMBOLS 102 ... Memory 103 ... Memory | storage device 200 ... MVNO network 201 ... Message search system 210 ... PGW
220 ... PCRF
230 ... Capture file storage device 231 ... Capture unit 232 ... Capture file management unit 233 ... Communication interface 240 ... Message search device 241 ... Message search unit 242 ... Index addition unit 243 ... Capture file reading unit 244 ... Index management unit 245 ... AVP attribute management unit 246 ... Communication interface 250 ... Client 260 ... Packet capture point 300 ... MNO network 310 ... User terminal 400 ... Internet

Claims (6)

A file storage unit for storing the transferred packet as a file;
An index part for storing the correspondence between the attribute of the packet and the packet having the attribute;
When receiving a search request including an attribute of a packet, a determination unit that determines whether or not the attribute included in the search request is stored in the index unit;
When the attribute of the packet included in the search request is not stored in the index part, the packet stored in the file is searched for the attribute not stored in the index part, and stored in the index part. An appending unit that appends a correspondence between the attribute and the corresponding packet that is not added to the index unit;
A search unit that searches for a packet associated with the attribute included in the search request with reference to the index unit,
Packet search device. A relationship storage unit for storing presence or absence of a predetermined relationship between the attributes;
When the attribute included in the search request is not stored in the index unit, a specifying unit that identifies the attribute that is in the predetermined relationship with the attribute included in the search request with reference to the relationship storage unit; Further comprising
The additional recording unit searches the packet stored in the file for the attribute specified by the specifying unit, and further executes a process of adding a correspondence between the specified attribute and the corresponding packet to the index unit To
The packet search apparatus according to claim 1. The predetermined relationship is an inclusion relationship between the attributes,
The attribute having the predetermined relationship with the attribute of the attribute included in the search request is an attribute included in the inclusion relationship in the attribute specified in the search request.
The packet search device according to claim 2. The file is created every predetermined time range,
The search request further includes a designated time for designating a time when the packet to be searched is stored as a file,
A reading unit that reads the file specified by the specified time.
The packet search device according to any one of claims 1 and 3. A packet search system comprising a capture file storage device and a packet search device,
The capture file storage device
A storage unit that stores the transferred packet as a file,
The packet search device includes:
An index part for storing the correspondence between the attribute of the packet and the packet having the attribute;
When receiving a search request including an attribute of a packet, a determination unit that determines whether or not the attribute included in the search request is stored in the index unit;
When the attribute included in the search request is not stored in the index part, the packet stored in the file is searched for the attribute not stored in the index part, and is not stored in the index part. An appending unit that appends a correspondence between the attribute and the corresponding packet to the index unit;
A search unit that searches for a packet associated with the attribute included in the search request with reference to the index unit,
Packet search system. Computer
Save the forwarded packet as a file,
Storing an index that is a correspondence between a packet attribute and a packet having the attribute;
When receiving a search request including a packet attribute, it is determined whether or not the attribute included in the search request is stored in the index;
If the attribute of the packet included in the search request is not stored in the index, the packet stored in the file is searched for the attribute not stored in the index, and the packet is not stored in the index Add the correspondence between the attribute and the corresponding packet in the index,
Searching for a packet associated with the attribute included in the search request with reference to the index;
Packet search method.

Images