JP4793580B2 - Protocol type determination method, system and program thereof - Google Patents

Description

  The present invention relates to a technique for measuring the quality of a network, and more particularly to a protocol type determination method for determining the type of packet protocol under a predetermined sampling measurement, its system, and program.

  Various protocols exist in the current network system. For example, even if you take TCP, which is a representative protocol, if you look further, TCP Tahoe, TCP Reno, TCP New Reno, TCP Vegas, High-Speed TCP, BIC-TCP, TCP-Areno, TCP-Westwood, etc. There are many types (TCP version here).

  In such a network in which packets of many kinds of protocols flow, it is obvious on the End host side what protocol is used for communication.

  However, it is difficult to determine the type of protocol only by observing the contents of packets flowing in the network. For example, when the protocol is TCP, the congestion control algorithm is different, but the header format of the packet is the same, and the TCP version is unknown only by checking the header format.

  On the other hand, when the protocol type is used for network quality management, the protocol type is important.

  Accordingly, the present invention has been invented in view of the above problems, and provides a protocol type determination method, system and program for determining a packet protocol by measuring packets flowing in a network. It is to provide.

  The present invention for solving the above problems is a protocol type determination method for determining the protocol type of a packet flowing in a network, measuring a packet flowing in the network with a predetermined sampling probability, and obtaining window width information of a transmission terminal. An index to be expressed is calculated, and a packet protocol type is determined based on statistical information of the index.

  The present invention for solving the above problems is a protocol type discrimination system for discriminating the type of a protocol of a packet flowing in a network, measuring a packet flowing in the network with a predetermined sampling probability, and obtaining window width information of a transmission terminal. And calculating means for calculating an index to be expressed, and determining means for determining the type of packet protocol based on statistical information of the index.

  The present invention for solving the above-mentioned problems is a program for determining the protocol type of a packet flowing in the network, measuring a packet flowing in the network with a predetermined sampling probability, and indicating an index representing window width information of the transmitting terminal. The information processing apparatus is configured to cause the information processing apparatus to execute a calculation process and a process of determining a packet protocol type based on statistical information of the index.

  According to the present invention, the ACK duplication degree obtained by measuring the packet flowing through the network or the sequence number inversion even if the protocol type cannot be determined only by analyzing the packet. By using the degree, it is possible to determine the protocol of the packet flowing through the network. This is because the present invention focuses on the fact that the histogram of the ACK duplication degree or sequence number inversion degree has a distribution specific to each type of protocol, and is configured to make a protocol determination by using this distribution. Because.

<First Embodiment>
A first embodiment of the present invention will be described.

  A feature of the present invention is that the statistical information of the index representing the window width information of the transmitting terminal has a characteristic characteristic for each protocol type, and packets flowing through the network have a predetermined sampling probability (including full sampling). ) To calculate the statistical information of the index representing the window width information of the transmitting terminal, and to determine the type of packet protocol based on the statistical information of this index.

  Here, the window width of the transmitting terminal is a range of the number of packets and the amount of data that can be transmitted without the transmitting terminal receiving an acknowledgment from the receiving terminal. The index indicating the window width information of the transmitting terminal is information for estimating the window width of the transmitting terminal obtained by measuring a packet flowing through the network with a predetermined sampling probability (including full sampling), for example, As a representative index, there is an ACK duplication degree indicating the number of consecutive identical ACK numbers, or a sequence number inversion degree indicating a sampling number of sequence numbers equal to or greater than a sequence number when the transmission sequence number is inverted.

  Here, the ACK duplication degree indicates how many identical ACK numbers continue. For example, FIG. 1 shows a transmission packet with a square, an ACK packet with a circle, each numerical value in each figure shows a sequence value and an ACK number, and transmission packets with sequence values 1, 2, and 3 are transmitted. It shows a state in which the ACK numbers of the ACK packets responding to it are observed as 2, 3, and 4. Then, the transmission packet with the sequence value 4 is lost, and then the transmission packet with the sequence value 5 and 6 is transmitted, and then the transmission packet with the sequence value 4 is retransmitted. At this time, the observed ACK number is an ACK packet of ACK number 7 that responds to a retransmission packet of sequence number 4 after three ACK numbers 4 continue. Therefore, since three ACK numbers 4 are consecutive, the ACK duplication degree is 3.

  The sequence number inversion degree is a count of the number of SNs that have been observed so far when the sequence value (hereinafter referred to as SN) is inverted. The inversion of SN means that the sequence numbers of the observed packets are not in ascending order, and the observed sequence numbers decrease due to retransmission of the packets.

  For example, FIG. 2 shows a transmission packet as a square, an observation packet as a circle, each numerical value in each figure indicates a sequence value, and the sequence numbers of the packets are ascending as 1, 2, and 3 At this time, the sequence number of the packet to be observed next becomes 5 instead of 4, and the sequence number becomes 4 after ascending order, such as 5, 6, 7, and the sequence number decreases. In this case, when SN reversal occurs, the SNs at the time of reversal (here, SN is 3) are four SNs of 4, 5, 6, and 7, so the sequence number reversal degree is 4. .

  In this way, as a map of the window width of the transmitting terminal, an index obtained by observing a packet flowing through the network, such as an ACK duplication degree or a sequence number inversion degree, is calculated.

  Next, statistical information is the histogram, the sum of the histogram (sum of squares), the extreme value (maximum, minimum), the average value (arithmetic mean, square mean, geometric mean, harmonic mean), Moment (skewness, kurtosis), variance (standard deviation, variance, mean method error, mean absolute deviation from median, mean absolute deviation from mean), median, mode, sum of squares of deviation, covariance Information on the correlation and the ratio of the specific area of the histogram as described later may be used.

  Such statistical information such as a histogram of ACK duplication degree or sequence number inversion degree has a distribution that is unique to each protocol and packet loss rate. For example, FIG. 3 is a histogram in which the horizontal axis represents the ACK duplication degree and the vertical axis represents the frequency. When the protocol is TCP Reno and BIC TCP, each sampling probability (100 %, 50%, 25%, 12.5%, 6.25%). As shown in FIG. 3, it can be seen that even if the packet loss rate is the same, if the protocol type and the sampling probability are different, the histogram of the ACK redundancy is different.

  Accordingly, statistical information (histogram or histogram statistical information) of the ACK duplication degree or sequence number inversion degree is stored in a database for each protocol for each predetermined sampling probability and packet loss rate. Then, ACK duplication degree or sequence number inversion degree is measured with a predetermined sampling probability for packets flowing on the network, and statistical information approximate to the measured ACK duplication degree or sequence number inversion degree statistical information can be found from the database. If possible, it can be determined that the protocol corresponding to the statistical information is the protocol of the packet being measured. Further, since the statistical information is stored in a database for each packet loss rate, the packet loss rate of the packet under measurement can be obtained at the same time.

  Note that this is a method for searching for statistical information matching. The statistical information of the ACK duplication degree or sequence number inversion degree for each protocol, which is stored in advance in a database, for each protocol, for each packet loss rate, and the observed ACK Statistical information on the degree of redundancy or sequence number inversion, sum of histogram (sum of squares), extreme value (maximum, minimum), average value (arithmetic mean, square average, geometric mean, harmonic mean), moment (distortion degree) , Kurtosis), variance (standard deviation, variance, mean method error, mean absolute deviation from median, mean absolute deviation from mean), median, mode, sum of squares of deviation, covariance, correlation, etc. Can be compared. Then, statistical information that approximates the statistical information of the observed ACK duplication degree or sequence number inversion degree is selected. It is also possible to search for matching by combining a plurality of the above statistics.

  Next, an embodiment in which the present invention is applied to a specific system will be described. In the following description, a case where the ACK redundancy is used will be described. In order to explain using specific examples, the type of protocol in the present embodiment refers to a TCP version, for example, TCP-Reno, BIC-TCP, or the like.

  FIG. 4 is a diagram showing an outline of a network to which the present invention is applied.

  In FIG. 4, 1 is a determination device for determining the type of protocol, 2 and 3 are communication terminals, and 4 and 5 are branch devices. Although the branching devices 4 and 5 are provided so as to acquire bidirectional packets, only one of them may be used as necessary. Further, the communication terminal 2 or 3 does not necessarily need to terminate communication, and may relay communication.

  FIG. 5 is a block diagram illustrating the configuration of the determination apparatus 1.

  The determination device 1 includes a data reception unit 111 and a data reception unit 112 that are data inputs from the branching devices 4 and 5, and a probability that one of N packets is input by the data reception units 111 and 112 (sampling probability s = 1 / N), a sampling processing unit 113 that acquires packet information, a flow identification unit 114 that classifies a flow using information in the acquired packet, and a flow information storage unit 115 that stores the result. A data preprocessing unit 100 is provided. The data receiver 111 and the branching device 4 are provided for observing the transmission SN of data communication from the communication terminal 2 to the communication terminal 3 and observing the ACK number from the communication terminal 3 to the communication terminal 2. . Similarly, the data receiving unit 112 and the branching device 5 are provided for observing the transmission SN of data communication from the communication terminal 3 to the communication terminal 2 and observing the ACK number from the communication terminal 2 to the communication terminal 3. Yes. Therefore, both sets of the data receiving unit 111 and the branching device 4 and the data receiving unit 112 and the branching device 5 are not necessarily required, and only one set may be used as necessary.

  Further, the determination apparatus 1 extracts information from the flow information storage unit 115, identifies the ACK number and stores it in the end-to-end information storage unit 205, and the flow information storage unit 115. The information is extracted, the ACK duplication degree is detected and stored in the end-to-end information storage unit 205, and the information is extracted from the end-to-end information storage unit 205, and the ACK duplication degree is obtained. Is calculated by the histogram calculation unit 203 for calculating the histogram of the ACK, the histogram database 206 storing the histogram of the ACK redundancy for each protocol for each predetermined sampling probability and packet loss rate, and the histogram calculation unit 203. A matching unit 204 that searches a histogram approximated to the histogram and compares the protocol and the packet loss rate corresponding to the histogram. It comprises a configured protocol determining section 200 from. In the histogram database 206, as described above, the statistical information of the ACK redundancy (histogram or statistical information of the histogram) is databased for each protocol for each predetermined sampling probability and packet loss rate. Assume that it is stored.

  Moreover, the determination apparatus 1 includes a result storage unit 300 that stores a result determined by the protocol determination unit 200.

  In the present embodiment, processing is started by first capturing a packet flowing on the network by the measuring apparatus 1 and entering the data preprocessing unit 100. Data input from the branch device 4 is received by the data receiving unit 111, and data input from the branch device 5 is received by the data receiving unit 112. After receiving data by the data receiving unit 111 and the data receiving unit 112, the receiving unit passes the data to the sampling processing unit 113.

  The sampling processing unit 113 acquires packet information with a probability of one in N. As a sampling processing method at this time, a random number is generated and compared with the sampling probability s (1 / N), and a random counter is used for determining whether to discard the random number, or one counter is used for each packet, each protocol, or each flow. A method of comparing the sampling value with the sampling value that is retained, comparing the sampling value with the sampling probability, and comparing the sampling probability with a part of packet header information such as the ACK number can be considered.

  After the acquisition packet is determined by the sampling processing unit 113, the flow identification unit 114 classifies the packet (flow identification) using a part of the information of the acquisition packet, information such as an IP address and a port number, and flows the result. The information is stored in the information storage unit 115.

  Here, the data preprocessing unit 100 performs the processing of the flow identification unit 114 after performing the sampling processing unit 113. After the flow identification processing unit 114 performs flow identification, the sampling processing unit 113 determines an acquisition packet. It doesn't matter. In the present embodiment, the sampling processing unit 113 is provided. However, this may be omitted, and the function of sampling processing may be added to the branches 4 and 5.

  Next, the protocol determination unit 200 will be described.

  First, generation of a histogram stored in the histogram database 206 will be described. Note that the histogram stored in the histogram database 206 may be generated by the protocol determination unit 200, or histogram data acquired in advance by another method may be stored in the histogram database 206.

  First, the relationship between the packet loss rate and the ACK redundancy is investigated with a predetermined sampling probability s. The sampling probability s is ideally 1 (full sampling), but is not limited to this. The survey can be performed by setting representative survey points from a packet loss rate of 0.001% (small value) to about 10% (large value) and creating a histogram at each point. .

  When the actually measured sampling rate is different from the sampling rate measured in the survey stage, the result of the actually measured sampling rate s is predicted from the survey result of the sampling rate s measured in the survey stage. For example, as a prediction method, the case where the measurement target is the ACK duplication degree will be described. When the frequency of ACK duplication degree = n at the time of full sampling (sampling probability s = 1) is m, the actual sampling probability s1 is , N × s1 is calculated. This result (n × s1) is between ACK duplication degree = k (integer) and ACK duplication degree = k + 1. Then, the frequency m is weighted and distributed to k and k + 1 based on n × s1. For example, if the frequency of ACK duplication degree 5 at the time of full sampling (sampling probability s0 = 1) is 16, the sampling probability s1 (= 0.25) is n × s1 = 5 × 0.25 = 1.25. Become. Therefore, the frequency 16 is distributed to the duplication degree 1 and the duplication degree 2. That is, 16 × 0.75 = 12 is added to ACK duplication degree 1, and 16 × 0.25 = 4 is added to ACK duplication degree 2. Such a process is performed for each ACK redundancy, and a histogram at the sampling probability s1 is predicted. The above-described example is an example, and other correction methods may be used without departing from the spirit of the invention.

  In this way, the histogram for each sampling probability s and packet loss rate is stored in the histogram database 206 for a protocol whose measurement is predicted in the network.

  The ACK number identifying unit 201 sequentially retrieves ACK packets to be analyzed and analyzed (packets corresponding to the designated flow in the designated period) from the flow information storage unit 115 and identifies the ACK number. Then, the result is recorded in the end-to-end information storage unit 205.

  The ACK duplication degree detection unit 202 reads information from the end-to-end information storage unit 205, counts up duplicate ACK numbers, and detects the ACK duplication degree.

  The histogram calculation unit 203 reads out the ACK duplication degree detected by the ACK duplication degree detection unit 202 from the end-to-end information storage unit 205 and creates a histogram of the ACK duplication degree.

  The collation unit 204 collates the histogram of the ACK overlap created by the frequency distribution calculation unit 203 with the histogram of the sampling probability s stored in the histogram database 206, and detects an approximate histogram. Then, the protocol and packet loss rate corresponding to the histogram are determined as the protocol and packet loss rate of the packet to be measured, and the result is stored in the result storage unit 300.

  According to the first embodiment, the protocol of the measured packet can be determined by measuring the ACK duplication degree or the sequence number inversion degree.

  In the first embodiment described above, the ACK duplication degree has been described as an example. However, a histogram is created by measuring the degree of sequence number inversion, and a predetermined sampling probability is set for this histogram and each protocol. The protocol of the measured packet can be discriminated in the same manner as the ACK duplication degree by collating with the sequence number inversion degree histogram stored in the database for each packet loss rate.

（RTTはラウンドトリップ時間、ｐはパケットロス率、ｂはdelay ACKパラメタ（送信端末がＡＣＫを受け取るごとに１／ｂウインドサイズを大きくする））
であらわせられるTCP-Renoのうち、ｂ＝１及びｂ＝２、サンプリング率１００％、ロス率１％の場合のＡＣＫ重複度のヒストグラムがデータベースに格納されているものとし、ｂ＝１のヒストグラムの平均値＝１６．３３、ｂ＝２のヒストグラムの平均値＝１１．５５とする。尚、上記スループット推定式は、文献“Jitendra Padhye, Victor Firoiu, Don towsley, Jim Kurose, “Modeling TCP Throughput: A Simple Model and its Empirical Validation”, In ACM SIGCOMM’98”に記載されているものを用いた。 In the first embodiment, a specific example of matching of histograms of ACK duplication degrees will be described. In the following description, the throughput estimation formula is

(RTT is the round trip time, p is the packet loss rate, b is the delay ACK parameter (the 1 / b window size is increased each time the transmitting terminal receives ACK))
, The histogram of ACK duplication in the case of b = 1 and b = 2, sampling rate 100%, loss rate 1% is stored in the database, and the histogram of b = 1 It is assumed that the average value of the histogram of the average value = 16.33 and b = 2 = 11.55. The above throughput estimation formula uses the one described in the literature “Jitendra Padhye, Victor Firoiu, Don towsley, Jim Kurose,“ Modeling TCP Throughput: A Simple Model and its Empirical Validation ”, In ACM SIGCOMM '98”. It was.

  Here, as a result of measuring the flow A at the sampling rate of 100%, in the flow A, 173205 pakcets passed and the packet loss amount was 1732 packets. Then, the packet loss rate is 1%. Moreover, the average value of the histogram of the ACK duplication degree was 11.55.

  Similarly, as a result of measuring the flow B at a sampling rate of 100%, in the flow B, 244949 pakcets passed and the packet loss amount was 2449 packets. Then, the packet loss rate is 1%. Moreover, the average value of the histogram of the ACK duplication degree was 16.33.

  Here, when the average value of the histogram of the ACK duplication degree in the case of b = 1, sampling rate 100%, loss rate 1% of TCP-Reno is read from the database, the average value is 16.33.

  Since the average value of the histogram of the ACK overlap of flow A is 11.55, it is different from the average value 16.33 of the read histogram. Therefore, Flow A is not TCP = 1 Reno with b = 1. On the other hand, since the average value of the histogram of the ACK overlap degree of flow B is 16.33, it matches the average value 16.33 of the read histogram. Therefore, the flow A is TCP-Reno with b = 1.

  Subsequently, when the average value of the histogram of the ACK duplication degree in the case of b = 2, sampling rate 100%, loss rate 1% in TCP-Reno is read from the database, the average value is 11.55.

  Since the average value of the histogram of the ACK overlap of flow A is 11.55, it matches the average value of 11.55 of the read histogram. Therefore, flow A is TCP = 2 Reno with b = 2. On the other hand, since the average value of the histogram of the ACK overlap of flow B is 16.33, it is different from the average value of 11.55 of the read histogram. Therefore, the flow B is not b = 2 TCP-Reno.

To summarize these results, it is determined that the protocol of the flow A is TCP = 2 Reno with b = 2 and the flow B is TCP-Reno with b = 1.
<Second Embodiment>
A second embodiment will be described.

  In the first embodiment, when determining the protocol of the sampled packet, a histogram of the measured ACK duplication degree is created, and this histogram is compared with the histogram corresponding to the measured sampling probability among the histograms made in the database. In the above description, the protocol corresponding to the most approximate histogram is determined as the protocol of the measured packet.

  In the second embodiment, an example will be described in which, in order to omit the process of creating a histogram, the “observation probability” that is the ratio of a specific area of the histogram is used as statistical information to perform arithmetic matching. In the following description, a case where the ACK redundancy is used will be described.

  First, the observation probability will be described.

  The observation probability is also called the detection probability, the literature “Yasuhiro Yamazaki, Hideyuki Shimonishi, Tsutomu Murase,“ Proposal of packet loss rate estimation method by sampling measurement ”, IEICE Technical Report (NS2004-159, TM2004-62) ), November, 2004 ”and the like, the details necessary for understanding the present invention will be described.

  In FIG. 6, the horizontal axis is ACK redundancy j, the ratio P of the number of predetermined ACK redundancy to the total number of ACK redundancy is vertical, and the histogram when sampling probability = 1 (full capture) FIG. 6 is a diagram showing a sampling probability predicted from this histogram = histogram at the time of s. In FIG. 6, a dotted line indicates a histogram when sampling probability = 1 (full capture), and a solid line indicates a histogram when sampling probability = s.

しかしながら、サンプリング確率ｓのヒストグラムはｊが１以下は観測することができないので、ｊ＝２以上の閾値ｋ_ACKでＡＣＫ重複度を計測することとなる。この閾値ｋ_ACKは計測対象となるＡＣＫ重複度の値を決定する値であり、例えば、閾値ｋ_ACK＝２とした場合には２以上のＡＣＫ重複度を計測対象とすることを意味する。 The ratio P can be defined as a function having the packet loss rate p, the sampling probability s, and the ACK redundancy j as variables, and can be expressed as P (p, s, j). The total number of P (p, s, j) when the sampling probability = s and the total number of P (p, 1, j) when the sampling probability = 1 are both 1 as shown in the following equation 1. It is.

However, since the histogram of the sampling probability s cannot be observed when j is 1 or less, the ACK duplication degree is measured with a threshold k _ACK of j = 2 or more. This threshold value k _ACK is a value that determines the value of the ACK duplication degree to be measured. For example, when the threshold value k _ACK = 2, it means that two or more ACK duplication degrees are to be measured.

この割合Ｑ_ACK（ｐ，ｓ，ｋ_ACK）は、サンプリング確率ｓ時において、閾値ｋ_ACK以上のＡＣＫ重複度を観測できる確率であり、この確率を観測確率と呼ぶ。 Accordingly, the total number of P (p, s, j) at the sampling probability s includes a portion below the threshold k _ACK that cannot be actually observed, and the actually observable ratio Q _ACK ( p, s, k _ACK ) is expressed by the following formula 2.

This ratio Q _ACK (p, s, k _ACK ) is a probability that an ACK duplication degree equal to or higher than the threshold value k _ACK can be observed at the sampling probability s, and this probability is called an observation probability.

  This observation probability is obtained for each sampling probability s and packet loss rate for the protocol using the histogram described in the first embodiment, and is stored in a database.

Next, the determination of the protocol type using the above observation probability will be described.
Step 1
In the case of observation of ACK duplication degree, when k or more of the same ACK numbers are observed as the threshold k _ACK , the count is incremented by 1, and the count number _Ak is measured. For example, if the k = 2, to measure the A ₂ which is a count number by one count when the same ACK number is observed continuously two or more. Similarly, when a k = 3, to measure the A ₃ which is a count number by one count when the same ACK numbers are observed continuously for three or more. At least two A _k having different combinations of the sampling probability s and the threshold k _ACK are observed.
Step 2
Subsequently, the number of packet losses is set to X _i (a temporary estimated value before convergence), and the packet loss rate is set to p _i = X _i / TH. Here, TH is the amount of communication (number of packets, size, etc.) generated during the measurement target period. Then, an arbitrary number of packet losses is selected as an initial value X ₀ (> 0), which is converted into an initial value packet loss rate p ₀ . Here, the initial packet loss rate p ₀ is p ₀ = X ₀ / TH. Note that the recommended value of the initial value X ₀ is the number packets lost just before the period, and the like.
Step 3
Then, corresponding to the value of the packet loss rate p _i found, observation probability of any protocol sampling probability _{s Q ACK (p i, s} , k ACK) , and searches the database, and the observed value A _k Observation probability _{Q ACK (p i, s,} k ACK) packet loss count _{X i + 1} from the, estimated based on the following equation 3.
X _{i + 1} = A _k / Q _ACK ( _pi , s, k _ACK )
Formula 3
And it converts into a packet loss rate based on a following formula.
p _{i + 1} = X _{i + 1} / TH
Step 4
Step 3 described above is iteratively calculated. Ideally, X _∞ is the true number of packet losses, but in practice, the rate of change = {(X _{i + 1} −X _i ) / X _i } or {(p _{i + 1} −p _i ) / p _i } Iterative calculation is performed until it is within a certain range, or iterative calculation is performed until i reaches a certain number.

In this way, the packet loss rate p _{i + 1} and the packet loss count X _{i + 1} of Ak under the measurement of the sampling probability s are _obtained .
Step 5
Then, by using the packet loss rate _{p i + 1} in _{A k,} determine packet loss count _{X l} of _A l (k ≠ l). The packet loss count X of A _l is _obtained by searching an observation probability Q _ACK (p _{i + 1} , s, k _ACK ) corresponding to the packet loss rate p _{i + 1} of A _k under the measurement of the sampling probability s from the database. _{Using ACK} (p _{i + 1} , s, k _ACK ), it is obtained from Equation 4.

X ₁ = A ₁ / Q _ACK ( _{pi + 1} , s, k _ACK ) Equation 4
At this time, packet loss count X _l of A _l are, if used the observation probability of the correct protocol, and an approximation packet loss count X _{i + 1} in the A _k. A packet loss count X _l of A _l, if a packet loss count X _{i + 1} at A _k is an approximation, observation probability of the protocol used for the calculation is the measure the packet protocol.

On the other hand, a packet loss count X of A _l, as long as the packet loss count X _{i + 1} at A _k is deviated, it is possible to not select the observation probability of the correct protocol, using the observation probability of the other protocols Redo from Step 2.

In this way, the protocol can be estimated using the observation probability.
In the above description, for ease of explanation, an example in which two observation probabilities with different thresholds are used from the same sampling probability has been described. However, in order to improve accuracy, three or more observation probabilities are used. May be.

  Further, observation probabilities with the same threshold may be used from different sampling probabilities. That is, the protocol may be determined using a plurality of observation probabilities with different combinations of sampling probabilities and thresholds. In this case, the calculation of the number of packet losses using each observation probability is the same as described above.

  Next, an embodiment in which the present invention is applied to a specific system will be described.

  FIG. 7 is a block diagram illustrating a configuration of the determination apparatus 1 according to the second embodiment.

  The difference from the first embodiment is that a packet loss count calculator 1203, a packet loss count collator 1204, and an observation probability database 1206 are provided instead of the histogram calculator 203, the collator 204, and the histogram database 206. .

  The observation probability database 1206 stores the above-described observation probabilities for each protocol, packet loss rate, and sampling probability.

The packet loss number calculation unit 1203 reads the count number (A _k ) of a certain threshold k from the end-to-end information storage unit 205, calculates Step 1 to Step 5 described above, and then calculates a different threshold j (≠ k). The number of counts (A _j ) is read out, the above Step 1 to Step 5 are calculated, and the packet loss count is obtained again.

  The packet loss number collation unit 1204 receives the result from the packet loss number calculation unit 1203, collates the packet loss number obtained from different threshold values k and j, and uses the two packet loss times if they are approximated. The observation probability protocol is determined as the packet protocol. On the other hand, if the packet loss times calculated from the different threshold values k and j are different, the packet loss number calculation unit 1203 is instructed to perform the calculation again.

（ＲＴＴはラウンドトリップ時間、ｐはパケットロス率、ｂはｄｅｌａｙ ＡＣＫパラメタ（送信端末がＡＣＫを受け取るごとに１／ｂウインドサイズを大きくする））
であらわせられるTCP-Renoのうちｂ＝１及びｂ＝２のプロトコルを用い、フローＡはｂ＝２のプロトコルのパケットが流れるフローであり、フローＢはｂ＝１のプロトコルのパケットが流れるフローであり、ＲＴＴが２０ｍｓ、パケットロス率が１％、ｓ＝０．２５で５分間の観測した場合の実験結果を説明する。尚、上記スループット推定式は、文献“Jitendra Padhye, Victor Firoiu, Don towsley, Jim Kurose, “Modeling TCP Throughput: A Simple Model and its Empirical Validation”, In ACM SIGCOMM’98”に記載されているものを用いた。 As Example 2, the throughput estimation formula is

(RTT is the round trip time, p is the packet loss rate, b is the delay ACK parameter (the 1 / b window size is increased each time the transmitting terminal receives ACK))
In the TCP-Reno, the protocol of b = 1 and b = 2 is used, the flow A is a flow in which a packet of protocol b = 2 flows, and the flow B is a flow in which a packet of protocol b = 1 flows. A description will be given of the experimental results when the RTT is 20 ms, the packet loss rate is 1%, and s = 0.25 for 5 minutes. The throughput estimation formula described in the literature “Jitendra Padhye, Victor Firoiu, Don towsley, Jim Kurose,“ Modeling TCP Throughput: A Simple Model and its Empirical Validation ”, In ACM SIGCOMM '98” is used. It was.

  In the following experiment, it is assumed that both the flow A and the flow B are determined as protocols with the b being unknown.

  Under this environment, flow A has 173205 pakcets, k = 2 (ACK duplication degree is 2 or more), 1357 times, k = 3 (ACK duplication degree is 3 or more). The number of times was 955. Flow B passes 244949 pakcets, k = 2 (ACK duplication degree is 2 or more), 2240 times, k = 3 (ACK duplication degree is 3 or more), 1896 times did it.

First, in flow A, the number of times of the threshold k = 2 is 1357 and the traffic amount Th is 173205. Therefore, if the initial value of the bucket loss count X ₀ is 1357, the initial value of the bucket loss rate is p ₀ = X _{With 0} / Th, approximately p0 = 0.00783. Therefore, when the value of the observation probability Q _ACK (0.00783, 0.25, 2) of b = 2 is retrieved from the database, Q _ACK (0.00783, 0.25, 2) is about 0.8371.

When Q _ACK (0.00783, 0.25, 2) = 0.8371 is used and the packet loss count X1 is calculated, X ₁ = 1357 / 0.8371 = 1621.

Subsequently, when the packet loss times X ₂ , X ₃ , and X ₄ are calculated, X ₁ = 1621, X ₂ = 699, X ₃ = 1722, X ₄ = 1729, X ₅ = 729, X ₆ = 1731 X ₇ = 1732 and X ₈ = 1733, which converged at X ₈ . The packet loss rate at ₈ o'clock is 1733/173205 = 0.0100054≈0.01, and when the value of the observation probability Q _ACK (0.01, 0.25, 3) of the threshold k = 3 at b = 2 is searched from the database, it is 0.550965. .

  Since the number of thresholds k = 3 is 955, the number of packet losses when the threshold k = 3 is 955 / 0.550965 = 1733, which matches 1733 which is the number of packet losses when k = 2. It is correct to choose from = 2. Therefore, the protocol of flow A is TCP-Reno with b = 2.

Similarly, in flow B, the number of thresholds k = 2 is 2240, and the traffic amount Th is 244949. Therefore, if the initial value of the bucket loss count X ₀ is 2240, the initial value of the bucket loss rate is p ₀ = From X ₀ / Th, approximately p ₀ = 0.00914. Therefore, when the value of the observation probability Q _ACK (0.00914, 0.25, 2) of b = 2 is retrieved from the database, Q _ACK (0.00914, 0.25, 2) is about 0.8037.

with b = 2 the Q _ACK (0.00914,0.25,2) = 0.8037, when calculating the packet loss count _{X 1, X 1 = 2240 /} 0.8037 = 2787 becomes.

Subsequently, when calculating the number of packet losses X ₂ , X ₃ , X ₄ , X ₂ = 2976, X ₃ = 3043, X ₄ = 3066, X ₅ = 3073, X ₆ = 3076, X ₇ = 3077 next, they converged in the _{X 7.} Packet loss rate o'clock X ₇ is, searching 3077/244949 = 0.01233315 ≒ 0.0123, and the threshold in the b = 2 k = 3 of the observation probability Q _ACK value of (0.0123,0.25,3) from the database, was 0.482297 .

  Since the number of thresholds k = 3 is 1896, the number of packet losses with threshold k = 3 is 1896 / 0.482297 = 3931, which is different from 3077 which is the number of packet losses when k = 2. The choice from 2 is wrong. Therefore, the protocol of flow B is not TCP-Reno with b = 2.

Next, the same calculation is performed for the flow B using the observation probability of b = 1. In the flow B, the number of thresholds k = 2 is 1357, and the traffic amount Th is 244949. When calculating the number of packet losses X ₀ , X ₁ , X ₂ , X ₃ , X ₀ = 2240, X ₁ = 2418, X ₂ = 2445, X ₃ = 2449, and convergence was achieved at X ₃ . X Packet loss rate at _3, 2449/244949 = 0.0099979 ≒ 0.01 next, searching the value of the threshold k = 2 of the observation probability Q _ACK (0.01,0.25,2) from the database, was 0.613509.

Since the number of thresholds k = 3 is 1896, the number of packet losses when the threshold value k = 3 is 1896 / 0.773735 = 2450, which is almost the same as the number of packet losses 2449 when k = 2, and b The observation probability selected from = 1 is correct. Therefore, the protocol of flow B is TCP-Reno with b = 1.
<Third Embodiment>
In the third embodiment, the determination of the protocol type using the observation probability of the sequence value will be described.

  8 to 10 are diagrams for explaining the concept of estimating the number of SN value reversal phenomena using a statistical technique.

  First, as shown in FIG. 8, a histogram at the time of full sampling (full capture) in which the degree of inversion j is on the horizontal axis and the ratio N of the number of predetermined inversions to the total number of inversions is on the vertical axis. Predict. This histogram may be obtained statistically or measured. The ratio N can be defined as a function having the packet loss rate p, the sampling probability s, and the degree of inversion j as variables.

ここで、図１０に示されるヒストグラムは、予測したサンプリング確率ｓのヒストグラムであるけれども、サンプリング計測を行っているので、ｊが０以下は観測することができない。例えば、サンプリングされたパケットのＳＮが、５，６，４となれば、ＳＮの逆転現象を観測するができるが、例え、ＳＮが逆転していても、ＳＮが逆転した前又は後のパケットのＳＮがサンプリングできなければ、観測することができないからである。 Next, as shown in FIG. 9, a histogram observed under a predetermined sampling probability s is predicted. The total number of ratios N (p, 1, j) when the sampling probability is 1 is expressed by Expression 4, and the total number of ratios N _SN (p, s, j) when the sampling probability is s is expressed by Expression 5. .

Here, although the histogram shown in FIG. 10 is a histogram of the predicted sampling probability s, since sampling measurement is performed, j cannot be observed to be 0 or less. For example, if the SN of the sampled packet is 5, 6, or 4, the SN reversal phenomenon can be observed. However, even if the SN is reversed, the SN of the packet before or after the SN is reversed can be observed. This is because if the SN cannot be sampled, it cannot be observed.

  Therefore, the degree of inversion is measured with a threshold of j = 1 or more. That is, this threshold is a value that determines the value of the degree of inversion to be measured. For example, when the threshold is k = 1, the degree of inversion of 1 or more is the object to be measured, and the threshold is k = 2. Means that the degree of reversal of 2 or more is to be measured, and normally k = 1. Therefore, the total number of ratios N (p, s, j) at the sampling probability s shown in Expression 2 includes a portion below the threshold k that cannot be actually observed.

  Therefore, the observation probability, which is the probability that the SN value inversion phenomenon at the sampling probability s can be observed, is expressed by Equation 6.

この観測確率は、本来の発生した逆転現象（ｓ＝１のヒストグラム）のなかで、観測した逆転度の事象（ｓ＝０．５の斜線面積部分)の割合でもある。そして、この観測確率を求めることにより、観測することができない閾値ｋ以下の逆転現象も含めたＳＮ値の逆転度やパケットロス率を求めことができるのである。 Equation 6

This observation probability is also the ratio of the event of the degree of reversal observed (shatched area portion of s = 0.5) in the originally generated reversal phenomenon (histogram of s = 1). Then, by obtaining this observation probability, the degree of inversion of the SN value and the packet loss rate including the inversion phenomenon below the threshold value k that cannot be observed can be obtained.

但し、ｋの採りうる値は１以上であり、ｊは逆転度である。尚、ｋを１に設定した場合、観測確率Ｑ_ＳＮ（ｐ_ｉ，ｓ，ｋ）は、

となる。 Hereinafter, a specific calculation method will be described.
Step 1
First, the degree of inversion of the SN value is observed under a predetermined sampling measurement. Here, the count value (observed value) when the threshold value is k is A _k . Normally, k = 1, and the count value in this case is equal to the number of SN value inversions, that is, the number of packet losses (number of SN value inversion phenomena), so that the number of SN value inversions is counted. Also good.
Step 2
Subsequently, the number of packet losses (number of SN value reversal phenomenon) is X _i (temporary estimated value before convergence), and the packet loss rate is p _{i + 1} = X _{i + 1} / Th. Here, Th is the amount of communication (number of packets, size, etc.) generated during the measurement target period. Then, an initial value X ₀ (> 0) of an arbitrary number of packet losses is selected and converted to an initial value packet loss rate p ₀ . Here, the initial packet loss rate p ₀ is p ₀ = X ₀ / Th. Note that the recommended value of the initial value X _0, the packet loss count immediately preceding period, and the like A _k.
Step 3
Then, _{p i} of observation from the value probability _{Q SN (p i, s,} k) is determined. Note that s is the sampling probability at the time of the predetermined sampling measurement, but the observation probability Q _SN (p _i , s, k) ≠ sampling probability s. Here, the observation probability Q _SN ( _pi , s, k) when the SN value is observed is expressed by Equation 7.
Equation 7

However, the value that k can take is 1 or more, and j is the degree of inversion. When k is set to 1, the observation probability Q _SN ( _pi , s, k) is

It becomes.

但し、ｂは定数である。 Here, the ratio N (p, s, j) at the time of the sampling probability s is defined as a function of the variables p, s, j. In the case of TCP-Reno, the function N has a Poisson distribution based on the probability distribution model. It is possible to decide on a base. In this case, N (p, s, j) is expressed by Equation 8.
Equation 8

However, b is a constant.

  Note that the distribution of N (p, s, j) is not limited to Expression 8, and may be another expression.

After defining the function N (p, s, j) in this way, the observation probability Q _SN (p _i , s, k) is obtained.
Step 4
Further, X _{i + 1} (the number of packet loss) is estimated based on Expression 9 from the observed value A _k and the observation probability Q _SN ( _pi , s, k), and converted into a packet loss rate based on Expression 10.
Equation 9
X _{i + 1} = A _k / Q _SN ( _pi , s, k)
Equation 10
p _{i + 1} = X _{i + 1} / Th
Step 5
Step 3 and Step 4 described above are iteratively calculated. Ideally, X _∞ is the true number of packet losses, but in practice, the rate of change = {(X _{i + 1} −X _i ) / X _i } or {(p _{i + 1} −p _i ) / p _i } Iterative calculation is performed until it is within a certain range, or iterative calculation is performed until i reaches a certain number of times.

In this way, the packet loss rate p _{i + 1} and the packet loss count X _{i + 1} are obtained.

In the above calculation method, the method of obtaining the packet loss rate p _{i + 1} and the number of packet loss X _{i + 1} using a statistical method has been described. However, a database is constructed based on the distribution of the experimental results, and the function N is calculated from the result. It is also possible to determine this.

  The database construction method is described below.

First, as shown in step 1 of FIG. 11, a sampling probability s ₀ (= 1), that is, a plurality of predetermined packet loss rates under full sampling measurement, for example, a packet loss rate of 0.001% (small value) to about 10%. To the extent of (large value), as shown in FIG. 10, the inversion phenomenon of the SN value is shown with the degree of inversion at the sampling probability s as the horizontal axis and the ratio N (p, s, j) at the sampling probability s as the vertical axis. A histogram is created for each packet loss rate.

但し、ｐはパケットロス率、ｓはサンプリング確率、ｊはＳＮ値の逆転度である。 Next, as shown in step 2 of FIG. 11, a histogram having a predetermined sampling probability s is predicted based on the created histogram (sampling probability s ₀ = 1). The histogram N (p, s, j) of this sampling probability s is known as N (p, 1, j) because it is full sampling, and is given by Equation 11.
Equation 11

Here, p is the packet loss rate, s is the sampling probability, and j is the degree of inversion of the SN value.

  The histogram N (p, s, j) of each sampling probability s obtained in this way is substituted into Equation 6, and the observation probability of each sampling probability s is obtained as shown in step 3 of FIG. Since the obtained observation probabilities are discrete, continuous values are obtained by linear interpolation or log interpolation, and the results of observation probabilities are recorded in a database as shown in step 4 of FIG. FIG. 12 shows an example of such a database.

  In the database shown in FIG. 12, the search key is a combination of the packet loss rate and the sampling probability, and this combination and the observation probability of the combination are stored in association with each other.

  In the above description, the database is created based on the histogram obtained under full sampling measurement, but it is not always necessary to create it based on the histogram obtained under full sampling measurement. For example, the database may be created based on a histogram obtained under sampling measurement with a sampling probability of about 0.9, although the accuracy is somewhat reduced.

  Then, the observation probability corresponding to the combination of the packet loss rate obtained by Equation 10 and the sampling probability at that time is retrieved from the database, and the retrieved observation probability is substituted into Equation 9 again, so that the above Step 4 Process.

By processing in this way, it is possible to obtain the packet loss rate p _{i + 1} and the number of packet losses X _{i + 1} as in the statistical method described above.

Next, determination of the protocol type will be described using the observation probability described above. Note that the above-described SN value observation probabilities are obtained for each sampling probability s and packet loss rate for the protocol and stored in a database.
Step 1
First, the degree of inversion of the SN value is observed under a predetermined sampling measurement. Here, the count value (observed value) when the threshold value is k is A _k . Note that the count value in the case of k = 1 is equal to the number of SN value inversions, that is, the number of packet losses (the number of SN value inversion phenomena), so the number of SN value inversions may be counted. Such threshold k are different A _k, to observe at least two under measurement sampling probability s.
Step 2
Subsequently, the number of packet losses (number of SN value reversal phenomena) is set to X _i (temporary estimated value before convergence), and the packet loss rate is set to p _{i + 1} = X _{i + 1} / Th. Here, Th is the amount of communication (number of packets, size, etc.) generated during the measurement target period. Then, an initial value X ₀ (> 0) of an arbitrary number of packet losses is selected and converted to an initial value packet loss rate p ₀ . Here, the initial packet loss rate p ₀ is p ₀ = X ₀ / Th. Note that the recommended value of the initial value X _0, the packet loss count immediately preceding period, is A _k and the like.
Step 3
Next, an observation probability Q _SN (p _i , s, k) corresponding to the values of p _i and k at the sampling probability s in an arbitrary protocol is obtained from the database. In addition, although s is a sampling probability at the time of predetermined sampling measurement, it is observation probability _QSN ( _pi , s, k) ≠ sampling probability s.

Next, the packet loss frequency X _{i + 1} is estimated from the observation value A _k and the observation probability Q _SN (p _i , s, k) based on the following equation.

X _{i + 1} = A _k / Q _SN (p _i , s, k)
And it converts into a packet loss rate based on a following formula.
p _{i + 1} = X _{i + 1} / Th
Step 4
Step 3 described above is iteratively calculated. Ideally, X _∞ is the true number of packet losses, but in practice, the rate of change = {(X _{i + 1} −X _i ) / X _i } or {(p _{i + 1} −p _i ) / p _i } Iterative calculation is performed until it is within a certain range, or iterative calculation is performed until i reaches a certain number.

In this way, the packet loss rate p _{i + 1} and the packet loss count X _{i + 1} of Ak under the measurement of the sampling probability s are _obtained .
Step 5
Then, by using the packet loss rate _{p i + 1} in _{A k,} determine packet loss count _{X l} of _A l (k ≠ l). Packet loss count _{X l} of A _l searches corresponding to the packet loss rate _{p i + 1} of _{A k} in the measurement of a sampling probability s observation probability _{Q SN (p i + 1,} s, k) from the database, the observation probability Q _{Using SN} (pi _{+ 1} , s, k), the following equation is used.

_{X l = A l / Q SN} (p i + 1, s, k)
At this time, the packet loss count X of A _l approximates the packet loss count X _{i + 1 at} A _k if the observation probability of the correct protocol is used. A packet loss count X of A _l, if a packet loss count X _{i + 1} at A _k is an approximation, observation probability of the protocol used for the calculation is the measure the packet protocol.

On the other hand, a packet loss count X of A _l, as long as the packet loss count X _{i + 1} at A _k is deviated, it is possible to not select the observation probability of the correct protocol, using the observation probability of the other protocols Redo from Step 2.

In this way, the protocol can be estimated using the observation probability.
In the above description, for ease of explanation, an example in which two observation probabilities with different thresholds are used from the same sampling probability has been described. However, in order to improve accuracy, three or more observation probabilities are used. May be.
Further, observation probabilities with the same threshold may be used from different sampling probabilities. That is, the protocol may be determined using a plurality of observation probabilities with different combinations of sampling probabilities and thresholds. In this case, the calculation of the number of packet losses using each observation probability is the same as described above.

  Next, an embodiment in which the present invention is applied to a specific system will be described.

  The network system to which the present invention is applied is the same as that in FIG. 4 in the second embodiment described above.

  FIG. 13 is a block diagram illustrating a configuration of the determination apparatus 1 according to the third embodiment. Note that the differences from the second embodiment will be described.

  The observation probability database 1306 stores the observation probability of the degree of inversion of the SN value described above for each protocol, packet loss rate, and sampling probability.

  The SN identification unit 301 measures the SN value of the received packet. The SN inversion degree detection unit 302 measures the degree of inversion from the measured SN value.

The packet loss number calculation unit 1303 reads the count number (A _k ) of a certain threshold k from the end-to-end information storage unit 205, calculates Step 1 to Step 5 described above, and then calculates a different threshold j (≠ k). The number of counts (A _j ) is read out, the above Step 1 to Step 5 are calculated, and the packet loss count is obtained again.

  The packet loss count collation unit 1204 receives the result from the packet loss count calculation unit 1303, collates the packet loss counts obtained from different thresholds k and j, and uses the two packet loss counts if they are approximate. The observation probability protocol is determined as the packet protocol. On the other hand, if the packet loss times calculated from the different threshold values k and j are different, the packet loss frequency calculation unit 1303 is instructed to perform the calculation again.

（ＲＴＴはラウンドトリップ時間、ｐはパケットロス率、ｂはｄｅｌａｙ ＡＣＫパラメタ（送信端末がＡＣＫを受け取るごとに１／ｂウインドサイズを大きくする））
であらわせられるTCP-Renoのうちｂ＝１及びｂ＝２のプロトコルを用い、フローＡはｂ＝２のプロトコルのパケットが流れるフローであり、フローＢはｂ＝１のプロトコルのパケットが流れるフローであり、ＲＴＴが20ms、パケットロス率が１％、ｓ＝0.25で５分間の観測した場合の実験結果を説明する。尚、上記スループット推定式は、文献“Jitendra Padhye, Victor Firoiu, Don towsley, Jim Kurose, “Modeling TCP Throughput: A Simple Model and its Empirical Validation”, In ACM SIGCOMM’98”に記載されているものを用いた。 As Example 3, the throughput estimation formula is the following formula:

(RTT is the round trip time, p is the packet loss rate, b is the delay ACK parameter (the 1 / b window size is increased each time the transmitting terminal receives ACK))
In the TCP-Reno, the protocol of b = 1 and b = 2 is used, the flow A is a flow in which a packet of protocol b = 2 flows, and the flow B is a flow in which a packet of protocol b = 1 flows. There will be described experimental results when observation is performed for 5 minutes with an RTT of 20 ms, a packet loss rate of 1%, and s = 0.25. The throughput estimation formula described in the literature “Jitendra Padhye, Victor Firoiu, Don towsley, Jim Kurose,“ Modeling TCP Throughput: A Simple Model and its Empirical Validation ”, In ACM SIGCOMM '98” is used. It was.

  In the following experiment, it is assumed that both the flow A and the flow B are determined as protocols with the b being unknown.

  Under this environment, the flow A is 173205 pakcets, the number of k = 1 (the SN inversion degree is 1 or more) is 409, and k = 2 (the SN inversion degree is 2 or more). 340 pieces could be measured. Further, in flow B, 244949 pakcets pass, the number of k = 1 (SN inversion degree is 1 or more) is 602, and the number of k = 2 (SN inversion degree is 2 or more) is 560. I was able to measure.

First, in flow A, the reverse number of the threshold k = 1 is 409, and the traffic amount Th is 173205. Therefore, if the initial value of the bucket loss count X ₀ is 409, the initial value of the bucket loss rate is p ₀ = From X ₀ / Th, p ₀ = 0.00236. Therefore, when the value of the observation probability Q _SN (0.00236, 0.25, 1) of b = 2 is retrieved from the database, Q _SN (0.00236, 0.25, 1) is 0.24939.

When Q _SN (0.00236, 0.25, 1) = 0.24939 is used and the packet loss count X ₁ is calculated, X ₁ = 409 / 0.24939 = 1640.

Subsequently, when the packet loss times X ₂ , X ₃ , and X ₄ were calculated, X ₂ = 1724, X ₃ = 1731, and X ₄ = 1732, which converged at X ₄ . Packet loss rate o'clock X ₄ is, searching 1732/173205 = 0.0099997 ≒ 0.01, and the threshold in the b = 2 k = 2 of the observation probability Q _SN value of (0.01,0.25,2) from the database, was 0.1963048 .

  Since the number of threshold values k = 2 is 340, the number of packet losses when threshold value k = 2 is 340 / 0.1963048 = 1732, which matches 1732 which is the number of packet losses when k = 1. It is correct to choose from = 2. Therefore, the protocol of flow A is TCP-Reno with b = 2.

Similarly, in flow B, since the number of threshold values k = 1 is 602 and the traffic amount Th is 244949, if the initial value of the bucket loss count X ₀ is 602, the initial value of the bucket loss rate is p ₀ = From X ₀ / Th, p ₀ = 0.00245. Therefore, when the value of the observation probability Q _SN (0.00245, 0.25, 1) of b = 2 is searched from the database, Q _SN (0.00245, 0.25, 1) is 0.24927.

with b = 2 the Q _SN (0.00245,0.25,1) = 0.24927, is calculated packet loss count _{X 1,} the _{X 1 = 602 / 0.24927 = 2415} .

Subsequently, when the packet loss times X ₂ , X ₃ , and X ₄ were calculated, X ₂ = 2547, X ₃ = 2558, and X ₄ = 2599, which converged at X ₄ . X packet loss rate of _4:00, when searching 2559/244949 = 0.010447 ≒ 0.0105, and the threshold in the b = 2 k = 2 of the observation probability Q _SN value of (0.0105,0.25,2) from the database, was 0.19314 .

  Since the number of threshold values k = 2 is 560, the number of packet losses when the threshold value k = 2 is 560 / 0.19314 = 2899, which is different from 2599 which is the number of packet losses when k = 1. The choice from 2 is wrong. Therefore, the protocol of flow B is not TCP-Reno with b = 2.

Next, the same calculation is performed for the flow B using the observation probability of b = 1. In the flow B, the number of inversions of the threshold value k = 1 is 602, the communication amount Th is 244949, and when calculating the packet loss times X ₀ , X ₁ , X ₂ , X ₃ , X ₀ = 602, X ₁ = 2408, X ₂ = 2447, X ₃ = 2449, and convergence was achieved at X ₃ . X Packet loss rate at _3, 2449/244949 = 0.0099979 ≒ 0.01 next, searching the value of the threshold k = 2 of the observation probability Q _SN (0.01,0.25,2) from the database, was 0.2286649.

  Since the number of threshold values k = 2 is 560, the number of packet losses when the threshold value k = 2 is 560 / 0.2286649 = 2449, which matches 2449, which is the number of packet losses when k = 1, and b = 1. The observation probability selected from is correct. Therefore, the protocol of flow B is TCP-Reno with b = 1.

  As described above, the protocol is determined by using the observation probability of the ACK duplication degree and the SN inversion degree. However, the present invention is not limited to using the observation probability of only one of the ACK duplication degree and the SN inversion degree. It is also possible to determine the protocol using the observation probabilities of both the ACK duplication degree and the SN inversion degree. In other words, the protocol determination may be performed by comparing the number of packet losses obtained from the observation probability of the ACK duplication degree and the number of packet losses obtained from the observation probability of the SN inversion degree as described above. .

  In the above-described embodiment, each unit is configured by hardware, but can be realized by a program that causes the information processing apparatus to perform the above-described operation.

FIG. 1 is a diagram for explaining the ACK duplication degree. FIG. 2 is a diagram for explaining the sequence number inversion degree. FIG. 3 is a diagram for explaining the present invention. FIG. 4 is a diagram showing an outline of a network to which the present invention is applied. FIG. 5 is a block diagram illustrating the configuration of the determination apparatus 1. FIG. 6 is a diagram for obtaining the observation probability in the ACK redundancy. FIG. 7 is a block diagram illustrating a configuration of the determination apparatus 1 according to the second embodiment. FIG. 8 is a diagram for explaining the concept of estimating the number of SN value reversal phenomena using a statistical method. FIG. 9 is a diagram for explaining the concept of estimating the number of SN value reversal phenomena using a statistical method. FIG. 10 is a diagram for explaining the concept of estimating the number of SN value reversal phenomena using a statistical method. FIG. 11 is a diagram for explaining a database construction method. FIG. 12 is a diagram showing an example of a database. FIG. 13 is a block diagram illustrating a configuration of the determination apparatus 1 according to the third embodiment.

Explanation of symbols

1 Measuring device 2, 3 Communication terminal 4, 5 Branching device

Claims (23)

A protocol type determination method for determining a protocol type of a packet flowing in a network,
Measure the packet flowing in the network with a predetermined sampling probability, calculate the index representing the window width information of the sending terminal,
A protocol type determining method, wherein the type of packet protocol is determined based on statistical information of the index.   2. The protocol type determination method according to claim 1, wherein the index is an ACK duplication degree indicating the number of consecutive identical ACK numbers.   2. The protocol type discriminating method according to claim 1, wherein the index is a sequence number inversion degree indicating the number of sequence numbers sampled equal to or greater than a sequence number at the time of inversion of a transmission sequence number.   4. The protocol type determination method according to claim 1, wherein the statistical information of the index is a histogram.   2. The statistical information of the index is any one of histogram sum of squares, extreme value, average value, moment, variance, median, mode, deviation sum of squares, covariance, and correlation. The method of determining a protocol type according to claim 3. For each protocol type, create a database of index statistical information for a given packet loss rate,
The statistical information obtained from the calculated index is compared with the statistical information of the index stored in the database, and the protocol type that the statistical information approximates is determined as the protocol of the packet being observed. The protocol type determination method according to any one of claims 1 to 5.   The protocol type determination method according to claim 1, wherein the statistical information of the index is an observation probability that is a probability that an ACK duplication degree equal to or higher than a predetermined threshold in a predetermined sampling probability can be observed.   The method according to claim 1, wherein the statistical information of the index is an observation probability that is a probability that a degree of sequence number inversion greater than or equal to a predetermined threshold value at a predetermined sampling probability can be observed.   9. The protocol of the packet being observed is determined using two types of observation probabilities: an observation probability of the ACK duplication degree and an observation probability of the sequence number inversion degree. Protocol type identification method described in 1. Select multiple observation probabilities with different combinations of sampling probability and threshold from the same protocol, and calculate the number of packet losses using each observation probability.
10. The protocol according to any one of claims 7 to 9, wherein, when the number of packet losses of each observation probability is approximate, the protocol corresponding to the observation probability used is determined as the protocol of the packet being observed. The protocol type determination method described. Database of observation probabilities for each protocol, sampling probability, and threshold,
A plurality of observation probabilities of thresholds having different combinations of sampling probabilities and thresholds are read out from the same protocol in the database, and a plurality of packet loss times are calculated using the read out observation probabilities. Item 11. The protocol type determination method according to Item 10. A protocol type discrimination system that discriminates the protocol type of a packet flowing through a network,
A calculation means for measuring a packet flowing through the network with a predetermined sampling probability, and calculating an index representing information on a window width of the transmission terminal;
A protocol type discrimination system comprising: discrimination means for discriminating a packet protocol type based on the statistical information of the index.   The protocol type discrimination system according to claim 12, wherein the index is an ACK duplication degree indicating a number of consecutive identical ACK numbers.   13. The protocol type discriminating system according to claim 12, wherein the index is a sequence number inversion degree indicating the number of sequence numbers sampled equal to or greater than a sequence number at the time of inversion of a transmission sequence number. Protocol type discrimination system according to any one of claims 12 to 14, wherein the statistics of the index is a histogram.   12. The statistical information of the index is any one of histogram sum of squares, extreme value, average value, moment, variance, median, mode, deviation sum of squares, covariance, and correlation. The protocol type discrimination system according to claim 14. The discrimination means includes
For each protocol type, a database storing statistical information of an index at a predetermined packet loss rate;
Means for collating the statistical information obtained from the calculated index with the statistical information of the index stored in the database and determining the protocol type corresponding to the most similar statistical information as the protocol of the packet being observed; 17. The protocol type discrimination system according to claim 12, further comprising:   13. The protocol type discrimination system according to claim 12, wherein the statistical information of the index is an observation probability that is a probability that an ACK duplication degree equal to or higher than a predetermined threshold in a predetermined sampling probability can be observed.   13. The protocol type discrimination system according to claim 12, wherein the statistical information of the index is an observation probability that is a probability that a sequence number inversion degree equal to or greater than a predetermined threshold in a predetermined sampling probability can be observed.   The determination means determines a protocol of an observed packet by using two types of observation probabilities: an observation probability of the ACK duplication degree and an observation probability of the sequence number inversion degree. The protocol type discrimination system according to claim 18 and claim 19. The discriminating means selects a plurality of observation probabilities with different combinations of sampling probabilities and thresholds from the same protocol, calculates the number of packet losses using each observation probability,
21. The protocol according to any one of claims 18 to 20 , wherein when the number of packet losses of each observation probability is approximate, the protocol corresponding to the observation probability used is determined as the protocol of the packet being observed. The described protocol type discrimination system. It has a database that stores protocols, sampling probabilities, and observation probabilities for each threshold,
The discriminating means reads out a plurality of observation probabilities with different combinations of sampling probabilities and thresholds from the same protocol in the database, and calculates a plurality of packet loss times using the read out observation probabilities. The protocol type discrimination system according to claim 21, A program for determining the protocol type of a packet flowing through a network,
A process of measuring a packet flowing in the network with a predetermined sampling probability and calculating an index representing information on a window width of the transmission terminal;
A protocol type determination program that causes an information processing apparatus to execute a process of determining a packet protocol type based on statistical information of the index.

Images