JP2021150826A - Packet comparison program - Google Patents

Abstract

To obtain the easy analysis of capture data acquired at a plurality of points.SOLUTION: A packet comparison program causes a computer to execute the processing so as to operate as: an input unit 11 which inputs capture data A, B on packets acquired at respective different points on a communication path; an extraction unit 12 which selects packets from the capture data A and extract, from the capture data B, a packet group which has time information in a predetermined range based on the time information on the selected packets; and a determination unit 13 which prioritizes in advance each component of the packets, and determines identity between the selected packet and the packet included in the packet group for each packet included in the packet group, using the prioritized components.SELECTED DRAWING: Figure 1

Description

The present invention relates to a packet comparison program.

With the spread of high-speed and wideband network services, the number of reports of delays and malfunctions in home networks and in-house networks is increasing. In order to solve the problem, it is effective to analyze the packets captured on the communication path. For example, in the inventions described in Patent Document 1 and Patent Document 2, test traffic is applied between bases connected via VPN, and the test traffic is captured to determine a bottleneck point or between bases. Measure the band.

Japanese Patent No. 6603770 Japanese Patent No. 6603771

In order to identify the communication device causing the problem, it is necessary to acquire and compare the captured data at multiple locations.

However, there is a problem that the analysis of the captured data requires a high skill and it takes an enormous amount of time to compare the captured data. The time information of the captured data captured at different points on the communication path is often out of sync. In addition, various packets are transmitted depending on the location where the packet is acquired. Since the analysis depends on the skill of the individual, the accuracy cannot be guaranteed, and it takes a huge amount of time to extract the same packet between the captured data.

The present invention has been made in view of the above, and an object of the present invention is to facilitate analysis of captured data acquired at a plurality of locations.

In the packet comparison program of one aspect of the present invention, the process of inputting the first captured data and the second captured data obtained by acquiring packets at different points on the communication path, and selecting the first packet from the first captured data. Processing, processing to extract a group of packets having time information within a predetermined range based on the time information of the first packet from the second capture data, and prioritizing the components of the packet. For each of the second packets included in the packet group, the computer is made to execute a process of determining the identity of the first packet and the second packet by using the component.

According to the present invention, it is possible to easily analyze the captured data acquired at a plurality of locations.

FIG. 1 is a functional block diagram showing a configuration example of the packet comparison device of the present embodiment. FIG. 2 is a diagram showing an example of a communication path for acquiring a packet. FIG. 3 is a diagram showing an example of a communication path for acquiring a packet. FIG. 4 is a diagram showing an example in which the determination result is output. FIG. 5 is a flowchart showing a processing flow of the packet comparison device of the present embodiment.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.

A configuration example of the packet comparison device 1 of the present embodiment will be described with reference to FIG. The packet comparison device 1 shown in FIG. 1 includes an input unit 11, an extraction unit 12, a determination unit 13, and an output unit 14. Each part included in the packet comparison device 1 may be configured by a computer provided with an arithmetic processing unit, a storage device, and the like, and the processing of each part may be executed by a program. This program is stored in a storage device included in the packet comparison device 1, and can be recorded on a recording medium such as a magnetic disk, an optical disk, or a semiconductor memory, or can be provided through a network.

The input unit 11 inputs the capture data A and B that record the packets acquired at the different points on the communication path.

For example, as shown in FIG. 2, packets are acquired at points P1 to P4 on a communication path between bases connected via VPN (Virtual Private Network), and points P1 and P4, points P2 and points P3, The capture data acquired at the points P1 and P2 or the points P3 and P4 are input. Points P1 and P4 are measurement points in the local network of each site. Points P2 and P3 are measurement points between the line terminator and the router, and can acquire packets encapsulated by the router so that they are correctly forwarded to the destination site within the VPN. For example, the router encapsulates the IPv4 packet in the IPv6 packet and sends it to the VPN, or extracts the IPv4 packet from the IPv6 packet received from the VPN and sends it to the local network of the base. By comparing the captured data of each point P1 to P4, the defective part can be identified.

Alternatively, as shown in FIG. 3, packets are acquired at points P5 and P6 before and after UTM (Unified Threat Management) on the communication path connecting the local network and the Internet, and the captured data acquired at points P5 and P6 is acquired. You may enter it. UTM is a device that implements security measures in an integrated manner, inspects communications to counter threats from the outside or inside, and discards threatening packets. By comparing the captured data at points P5 and P6, it can be confirmed whether the UTM is functioning correctly as set.

The measurement points for acquiring packets are not limited to the above.

The extraction unit 12 selects a packet from the capture data A of the comparison source, and extracts a packet group having time information within a predetermined range from the capture data B of the comparison destination based on the time information of the selected packet. Hereinafter, the packet selected from the capture data A will be referred to as a selected packet. A packet may be selected using the capture data B as a comparison source, and a packet group may be extracted from the capture data A.

The determination unit 13 determines the identity of the selected packet and the packet included in the packet group by using the prioritized components. For example, the selected packet and the component of each packet of the packet group are compared in the order of the component having the highest priority, and the packets included in the packet group are filtered. Alternatively, the selected packet and each packet of the packet group are compared and scored for each prioritized component, and the packet having the highest total score among the packets included in the packet group is determined to be the same packet as the selected packet. ..

When comparing the captured data of the point P1 and the point P2 or the point P3 and the point P4 in FIG. 2, since the captured data of the points 2 and 3 are encapsulated, the determination unit 13 releases the encapsulation. Judge the identity of the packet from.

The output unit 14 outputs the comparison result of the capture data A and B based on the determination result of the determination unit 13. For example, as shown in FIG. 4, the information of the packets determined to be the same in each of the comparison source and the comparison destination is displayed side by side. When there is no packet determined to be the same due to packet loss or the like, the packet loss side is left blank as indicated by reference numeral 100. FIG. 4 is an example of output, and the present invention is not limited to this. Any aspect may be used as long as the same packet and packet loss can be easily grasped.

The output unit 14 may be able to output only the column in which the packet loss is detected, or may be able to output only the packet of a specific protocol. Further, when a packet is selected from the displayed output result, the corresponding part of the captured data may be displayed.

The processing flow of the packet comparison device 1 of the present embodiment will be described with reference to the flowchart of FIG.

In step S11, the input unit 11 inputs each of the capture data A and B. The captured data A and B are, for example, PCAP format files. In the PCAP format file, a packet header including a time stamp, a packet length, and the like is added to each captured packet. When the capture data of the time zone to be analyzed is divided into a plurality of files, the user performs preprocessing such as merging the files. For example, when the capture data for 6 hours is recorded separately in a plurality of files every 2 hours, the plurality of files for 2 hours are merged into one file. The input unit 11 may input a plurality of files and merge them.

Further, the input unit 11 may accept the input of the time zone to be analyzed and input only the capture data of the time zone to be analyzed from the file. For example, when the capture data for 12 hours is recorded in the file and the analysis is performed for 6 hours at night, only the capture data in the time zone to be analyzed is read from the file.

In step S12, the extraction unit 12 selects one packet from the capture data A. For example, the extraction unit 12 selects packets in order from the beginning of the capture data A, and executes the following steps S13 and S14 for each packet.

In step S13, the extraction unit 12 extracts packets within a predetermined range from the capture data B based on the time information of the selected packets, and obtains a packet group of the same packet candidates. For example, the extraction unit 12 extracts a packet having time information within ± T seconds from the time information of the selected packet from the capture data B. The predetermined range may be arbitrarily set by the user.

In step S14, the determination unit 13 identifies a packet having a high identity with the selected packet based on the prioritized packet components for the packet group extracted in step S13, or the same packet does not exist. To judge. Table 1 shows an example of prioritized components.

In the example of Table 1, the IP address and port number of the packet source and destination are specified as the components in the item having the first priority. In the item with the second priority, the components are specified for each protocol. The payload itself is specified for the item having the third priority. Table 1 is an example and does not limit the number of priorities or components. For example, when a test packet is sent, the priority of the component for determining whether or not it is a test packet may be set high. The priority may be set for each layer. For example, the priority is set in the order of the IP header component, the TCP or UDP component, and the protocol component above TCP / UDP.

The following methods can be considered as a method of determining identity using the components of the prioritized packets.

The first method is a method of filtering packets included in a packet group by using components in descending order of priority. For example, for the source and destination IP addresses and port numbers set with the highest priority in Table 1, the selected packets and the packets included in the packet group are compared, and the source and destination IP addresses are compared. Remove packets whose port number is different from the selected packet from the packet group. When the packets included in the packet group are narrowed down to one, it is determined that the packets are the same as the selected packets. When there are no more packets included in the packet group, it is determined that the selected packet has lost the packet. When a packet group contains a plurality of packets, the packet is narrowed down by using the component having the next highest priority.

The second method is a method in which the selected packet and the packet included in the packet group are compared and scored for each prioritized component, and the same packet as the selected packet is determined from the total score. Specifically, for each of the prioritized components, the selected packet and the packet included in the packet group are compared and scored. As the score calculation method, a method is adopted in which a high score can be obtained when the packets are the same. For example, when the item with the highest priority in Table 1 is used, the source IP address, the destination IP address, the source port number, and the destination port number are compared between the packets to be compared, and the matching components are matched. Give a high score to those with many. Scores are also calculated for each item with the second or higher priority. Among the packet groups, the packet having the highest total score, which is the sum of the obtained scores, is determined to be the same packet as the selected packet. When there is no packet whose total score is equal to or higher than a predetermined value, it is determined that the selected packet has lost the packet. Scores may be weighted based on priority. A negative score may be given when it is clear that the packets are not the same, for example, when the protocols differ between the packets.

In the second method, the identity can be determined even for packets whose IP addresses and port numbers have been translated by NAT or NAPT.

In step S15, the extraction unit 12 determines whether or not all the packets of the capture data A have been processed. When not all packets have been processed, the process returns to step S12, and the next packet is selected from the captured data A.

After processing all the packets of the capture data A, the capture data A and B of the comparison source and the comparison destination may be exchanged, and the processes from step S12 to step S15 may be repeated. Specifically, the extraction unit 12 selects a packet from the capture data B in step S12, and extracts a packet group from the capture data A in step S13. The determination unit 13 compares the packet selected from the capture data B in step S14 with the packet group extracted from the capture data A. As a result, packets transmitted from the measurement point of the capture data B to the measurement point of the capture data A can be extracted with packet loss.

As described above, in the packet comparison device 1 of the present embodiment, the input unit 11 inputs the captured data A and B obtained by acquiring packets at different points on the communication path, and the extraction unit 12 inputs the captured data. A packet is selected from A, a group of packets having time information within a predetermined range is extracted from the capture data B based on the time information of the selected packet, and the determination unit 13 prioritizes the components of the packet. Then, for each of the packets included in the packet group, the identity of the selected packet and the packet included in the packet group is determined by using the prioritized components. As a result, even if the time information of the capture data A and the capture data B are not synchronized, the same packet and packet loss can be easily grasped between the capture data A and B.

1 ... Packet comparison device 11 ... Input unit 12 ... Extraction unit 13 ... Judgment unit 14 ... Output unit

In the packet comparison program of one aspect of the present invention, the process of inputting the first captured data and the second captured data obtained by acquiring packets at different points on the communication path, and selecting the first packet from the first captured data. Processing, processing to extract a group of packets having time information within a predetermined range based on the time information of the first packet from the second capture data, and prioritizing the components of the packet. for each of the second packets in the packet group, said component with said to execute processing for determining the computer as the first packet identity of the second packet, the first packet and the second packet In the process of determining the identity of the above, the first packet and the second packet are compared for each of the prioritized components, and the one with many matching components is given a high score, and the priority is given. The second packet having the highest total score, which is the sum of the obtained scores, is determined to be the same packet as the first packet by repeating in order from the highest component .

Claims (4)

The process of inputting the first capture data and the second capture data that acquired packets at different points on the communication path,
The process of selecting the first packet from the first capture data and
A process of extracting a packet group having time information within a predetermined range from the second capture data based on the time information of the first packet, and
A computer performs a process of prioritizing packet components and determining the identity of the first packet and the second packet for each of the second packets included in the packet group by using the components. Packet comparison program to be executed by. The packet comparison program according to claim 1, wherein the determination process uses the components in descending order of priority to filter the second packet included in the packet group. In the determination process, the first packet and the second packet are compared and scored for each of the prioritized components, and the identity of the first packet and the second packet is determined from the total score. The packet comparison program according to claim 1. The packet comparison program according to any one of claims 1 to 3, wherein a computer executes a process of arranging and outputting packets determined to be the same.

Images