JP4823156B2 - Remote traffic monitoring method - Google Patents

Description

    The present invention relates to a network system, and more particularly to a technique related to measurement of traffic flowing on a network.

  Conventionally, a network management technique using flow statistics in a network has been proposed in order to realize a stable network. As such a network management technique, techniques such as NetFlow statistics and sFlow statistics are generally popular. In these technologies, an agent included in a network device such as a router or a switch in a network extracts a packet from traffic to be monitored, and processes the extracted packet and transmits it to a collector. On the other hand, as disclosed in Patent Document 1, a technique for mirroring a preset copy of a target packet to a monitoring device has also been proposed.

JP 2006-050433 A

  However, instead of simple mirroring, the method of processing packets by an agent provided in a network device has a problem of increasing the load on the network device such as a router or switch or limiting the number of flows that can be extracted and the accuracy (granularity). It was.

  SUMMARY An advantage of some aspects of the invention is that it provides a technique for reducing a load on a network device such as a router or a switch in a network system.

The present invention provides a traffic monitoring system for monitoring network traffic. This traffic monitoring system
A transfer device having a sampling device and a transfer processing unit;
An offload processing device;
A traffic analyzer,
With
The sampling device comprises:
An extraction unit that extracts transfer data from the traffic based on a preset criterion, and generates sampling data by replicating the extracted transfer data;
An encapsulation processing unit that generates an encapsulated data by executing an encapsulation process for adding a header addressed to the offload processing device to the sampling data;
With
The transfer processing unit transfers the transfer data and the encapsulated data,
The offload processing device generates flow data for analyzing the traffic according to the transferred encapsulated data, transfers the flow data to the traffic analysis device,
The traffic analysis device analyzes the traffic based on the transferred flow data.

  In the traffic monitoring system of the present invention, the generation processing of flow data with a heavy processing load is processed by an offload processing device separate from the transfer device, and the processing that the transfer device is in charge of is the original function of extraction, duplication, and encapsulation. Since there is only a certain transfer, the burden is significantly reduced. Furthermore, the inventor of the present application also pays attention to the demand for scalability that the contents of network monitoring differ from one network to another, vary from detailed analysis to simple analysis, and that the monitoring contents may vary with time. did. In response to such a request, the present inventor can flexibly deal with only the selection and replacement of an offload processing device and can realize high scalability by offloading the generation processing of flow data with a large processing burden. I came up with it.

  Here, the sampling device in charge of the extraction / duplication / encapsulation processing can be implemented in hardware in an ASIC or other manner within the transfer device, or can be implemented in software. It is. The present invention has an advantage that the burden on the CPU is small even when implemented in software because the processing burden is small. In addition, among the extraction / duplication / encapsulation processes handled by the transfer apparatus, duplication / encapsulation is a process executed by the transfer apparatus in the transfer process, so that the function can be used as it is. Further, the extraction process can be dealt with as an extension of the sorting process performed in the transfer process. For this reason, the software implementation of the sampling process also has a feature that consumption of resources is small.

  As described above, the inventor of the present application has a large processing load and may become a bottleneck, and offloads processing that is essentially different from the original processing of the transfer device, and the original function of the transfer device. We have succeeded in creating a very rational system that can be handled by diversion and expansion and that the transfer device executes processes such as extraction, duplication, and encapsulation that can only be performed by the transfer device. Furthermore, since the present invention is practically implemented in software on the transfer device, the present invention is realized as a system that is extremely mountable and applicable to a wide range of uses.

In the above traffic monitoring system,
The encapsulating process may include a process of storing information for specifying a transfer apparatus that has transferred the encapsulated data in the encapsulated data.

  In this way, the offload processing apparatus can perform statistical / analysis processing after identifying which transfer apparatus the data is extracted from.

In the above traffic monitoring system,
The network has a plurality of transfer devices,
The traffic monitoring system includes a plurality of offload processing devices,
Each of the plurality of transfer devices may be assigned to transfer the encapsulated data to any of the plurality of offload processing devices.

  In this way, it is possible to flexibly cope with load fluctuations caused by changes in monitoring contents and monitoring targets (for example, the number of transfer devices) by adding or reducing offload processing devices. In addition, for example, as the number of switches and routers to be monitored increases, the number of offload processing devices can be increased, reducing power consumption compared to a system that can sufficiently handle the offload processing burden from the beginning. There is also an advantage that the initial investment can be reduced.

The present invention further provides an offload processing device for generating flow data used for analysis of network traffic by the traffic analysis device.
This offload processing device
An encapsulated data receiving unit that receives the encapsulated data that is extracted from the traffic based on a preset criterion and is duplicated and then appended with a header destined for the offload processing device by encapsulation processing;
A flow data generation unit that generates flow data for analyzing the traffic in accordance with the received encapsulated data;
An output unit for transmitting the flow data to the traffic analysis device in order to cause the traffic analysis device to analyze the traffic according to the flow data;
Is provided.

The present invention further provides a sampling device for extracting transfer data from the traffic and transferring it to an offload processing device in order to monitor network traffic.
This sampling device
An extraction unit that extracts transfer data from the traffic based on a preset criterion, and generates sampling data by replicating the extracted transfer data;
An encapsulation processing unit that generates an encapsulated data by executing an encapsulation process for adding a header addressed to the offload processing device to the sampling data;
An output unit for transmitting the encapsulated data to the offload processing device in order to cause the offload processing device to generate flow data for analyzing the traffic according to the transferred encapsulated data; ,
Is provided.

The present invention further provides a transfer device for transferring data in a network.
This transfer device
The sampling device;
A transfer processing unit for transferring the transfer data and the encapsulated data;
Is provided.

The present invention further provides a traffic monitoring method for monitoring network traffic.
This traffic monitoring method
A transfer device having a sampling device and a transfer processing unit;
An offload processing device;
A traffic analyzer,
The process of preparing
An extraction step in which the sampling device extracts transfer data from the traffic based on a preset criterion, and generates sampling data by duplicating the extracted transfer data;
An encapsulation processing step in which the sampling device executes encapsulation processing for adding a header addressed to the offload processing device to the sampling data to generate encapsulated data;
The transfer processing unit transferring the transfer data and the encapsulated data;
The offload processing device generating flow data for analyzing the traffic according to the transferred encapsulated data, and transferring the flow data to the traffic analyzing device;
The traffic analyzing device analyzing the traffic based on the transferred flow data;
Is provided.

  Note that the present invention is not limited to the above-described mode, and can also be realized in a mode as a network monitoring control method. Furthermore, the present invention can be realized in various modes such as a mode as a computer program for constructing these methods and apparatuses and a mode as a recording medium on which such a computer program is recorded.

Hereinafter, embodiments of the present invention will be described in the following order based on examples.
A. Traffic monitoring system in the first embodiment of the present invention:
B. Traffic monitoring system in the second embodiment of the present invention:
C. Variations:

A. Traffic monitoring system in the first embodiment of the present invention:
FIG. 1 is a block diagram showing an outline of a traffic monitoring system 10 in the first embodiment of the present invention. In this embodiment, the traffic monitoring system includes two client systems T1 and T2, five switches SW1 to SW5, and lines Ct_1, C1_2, and C2_3 that connect devices including each switch for easy understanding. , C3_4, C4_t, C2_5, C3_5, C3_a, and C5_o, the traffic of the network 10 shall be monitored. In this embodiment, the network 10 is configured as a layer 2 local area network.

  In this embodiment, the traffic monitoring system uses sFlow statistics as an example to monitor traffic. The sFlow statistics is a function of monitoring traffic flowing on the network with a relay device (router or switch) in order to analyze traffic (flow) characteristics between terminals and traffic characteristics of adjacent networks. For the sFlow statistics, statistical information from layer 2 to layer 3 is supported by the published flow statistics protocol (RFC3176).

  The traffic monitoring system includes an sFlow agent 310 (enlarged view EV1) provided in the switch SW2, an offload processing unit 100, and an analysis processing unit 200 in order to monitor traffic using sFlow statistics. . The SFlow agent 310 includes an extraction unit 311 and an encapsulation processing unit 312. The sFlow agent 310 may be configured as hardware, for example, as an ASIC, or may be configured as software. The switch SW2 further includes a transfer processing unit 350 for transferring data (packets) similarly to the other switches SW1, SW3 to SW5. In this example, the traffic to be monitored is transfer traffic TRt1_t2 (FIG. 1) between the two client systems T1 and T2. However, the traffic to be monitored is not limited to this example, and can be arbitrarily set as will be described later.

  FIG. 1 further shows a switch SW2a including the sFlow agent 310a in the prior art (enlarged view EV2). The sFlow agent 310a is different from the sFlow agent 310 of the first embodiment that does not include the sample generation unit 313 in that the sFlow agent 310a includes the sample generation unit 313. In the first embodiment, the processing of the sample generation unit 313 is offloaded to the offload processing unit 100 that exists outside the switch SW2.

  FIG. 2 is a flowchart showing the contents of the traffic monitoring process of the first embodiment. In step S100, the extraction unit 311 included in the sFlow agent 310 extracts a packet based on a preset extraction criterion from the transfer traffic TRt1_t2 (FIG. 1). As an extraction criterion, for example, an access control list (ACL), specific input / output port designation, sampling at a certain rate, or a combination thereof can be realized.

  In step S200, the encapsulation processing unit 312 included in the sFlow agent 310 performs an encapsulation process on the extracted packet. In this embodiment, the encapsulation process is a process of generating a copy of the extracted packet and adding a specific header and additional information using the copied packet as a payload.

  FIG. 3 is an explanatory diagram showing the contents of the encapsulation processing of the first embodiment configured as a layer 2 local area network. FIG. 3 shows an encapsulated packet D1c (Ethernet frame) encapsulated by adding a header and additional information to the extracted packet D1 (Ethernet frame). The header of the encapsulated packet D1c includes the MAC address of the offload processing unit 100 as the destination MAC address DMAC, the MAC address of the switch SW2 as the source MAC address SMAC, and the Ether type TYPE representing the protocol type. It is out. The additional information of the encapsulated packet D1c includes information related to packet processing such as the device ID of the switch SW2, transmission / reception interface information, Nextop information, and QoS information.

  In this way, in the encapsulation process, the packet D1 as an Ethernet frame is duplicated to become a part of the payload, the additional information is added to the payload, and the destination MAC address DMAC is changed from the client system T1 to the offload processing unit 100. It is processing. Such processing can be realized not only in the layer 2 local area network but also in other types of communication such as communication of other layers such as the Internet layer of layer 3 described later and MPLS communication.

  FIG. 4 is an explanatory diagram showing the contents of the encapsulation process of the network configured in the Internet layer of layer 3 as a modification. FIG. 4 shows an encapsulated packet D2c (IP packet) encapsulated by adding an IP header and additional information to the extracted packet D2 (IP packet). The IP header of the encapsulated packet D2c includes the IP address of the offload processing unit 100 as the destination IP address DIP, the IP address of the switch SW2 as the source IP address SIP, the service type, and other information. . The additional information of the encapsulated packet D2c can be the same as the additional information of the encapsulated packet D1c. When the encapsulation process is completed in this way, the process proceeds to step S300 (FIG. 2).

  In step S300, the transfer processing unit 350 (FIG. 1) included in the switch SW2 transfers the encapsulated packet D1c received from the encapsulation processing unit 312 following the transfer of the packet D1 (FIG. 3). However, the transfer destinations are different from each other. That is, the packet D1 includes the destination MAC address DMAC of the client system T1 in the header, so that it is output to a port (not shown) connected to the line C2_3 and transferred to the switch SW3. On the other hand, since the destination MAC address DMAC of the offload processing unit 100 is included in the header, the encapsulated packet D1c is output to a port (not shown) connected to the line C3_5 and transferred to the switch SW5. become.

  In this way, when the processing in the switch SW1 is completed and the encapsulated packet D1c reaches the offload processing unit 100 via the switch SW5, the processing proceeds to step S400.

  In step S400, the offload processing unit 100 executes a sample generation process. The sample generation process is a process for generating sample data to be used for traffic analysis in the analysis processing unit 200. The sample data includes a flow sample (flow statistic) representing a traffic flow and a counter sample (interface statistic) representing a transmission / reception counter error and other events occurring in the interface.

  FIG. 5 is an explanatory diagram showing the contents of the sFlow packet F1 generated by the offload processing unit 100. The sFlow packet F1 is configured as a packet in which an sFlow header is added to n flow samples and m counter samples. The sFlow header stores data such as the number of samples included in the sFlow packet F1, the generation time of the sFlow packet F1, the IP address of the SFlow agent 310 and the sequence number of the sFlow packet, and the destination MAC address DMAC of the analysis processing unit 200 It is included.

  Each of the n flow samples has a configuration in which a flow sample header is added to data in the basic data format and the extended data format. The flow sample header stores information such as the sampling interval of the flow sample and the total number of packets arriving at the interface. The data in the basic data format stores flow samples representing traffic flows such as the original packet length and sampled packet contents. Extended data format data stores information such as switch information (VLAN information, etc.), router information (L3 NextHop, etc.), gateway information (L3 AS number, etc.), user information (TACACS / RADIUS information, etc.) and URL information. is doing.

  Each of the m counter samples has a configuration in which a counter sample header is added to the counter sample type and the counter sample information. The counter sample header stores data representing information such as SNMP representing the counter sample generation source (specific port) and the transmission interval of the counter sample. The counter sample type data stores data representing types such as Ethernet statistics and token ring statistics. The counter sample information stores data representing statistical information for each type.

  In step S500, the offload processing unit 100 transfers the sFlow packet F1 generated in this way to the switch SW5 via the line C5_o. Since the sFlow packet F1 transferred to the switch SW5 includes the destination MAC address DMAC of the analysis processing unit 200, it is transferred to the analysis processing unit 200 via the switch SW3.

  In step S600, the analysis processing unit 200 collects sFlow packets, performs traffic analysis based on the collected sFlow packets, and transmits, for example, an analysis result to the client system T1. The analysis processing unit 200 may be configured to graphically display the traffic status on a display (not shown).

  As described above, in the first embodiment, since the generation process of the sFlow packet with a large load is offloaded from the switch SW2, the processes handled by the switch SW2 are only extraction, duplication, encapsulation, and transfer that is the original function. Therefore, the burden is remarkably reduced. In addition, the network monitoring contents differ from network to network, and vary from detailed analysis to simple analysis depending on the application. Further, it is sufficient to meet the scalability requirement that the monitoring contents may change over time. It is configured.

B. Traffic monitoring system in the second embodiment of the present invention:
FIG. 6 is a block diagram showing an outline of the traffic monitoring system 10a according to the second embodiment of the present invention. The traffic monitoring system 10a of the second embodiment is different from the traffic monitoring system of the first embodiment in that it includes two offload processing units 100 and 100a.

  In the traffic monitoring system 10a of the second embodiment, the offload processing unit 100 is in charge of receiving encapsulated data from the three switches SW1, SW2, and SW5, and the offload processing unit 100a is from the two switches SW3 and SW4. It is set to be responsible for receiving encapsulated data.

  As described above, in the second embodiment, each of the five switches SW1 to SW5 is assigned to transfer the encapsulated data to one of the two preset offload processing units 100 and 100a. Therefore, it is possible to respond flexibly by adding or reducing offload processing devices according to fluctuations in the burden of offload processing. In this way, as the number of switches and routers to be monitored increases, the number of offload processing devices can be increased, reducing power consumption compared to a system that can sufficiently handle the offload processing burden from the beginning. There is also an advantage that the initial investment can be reduced.

C. Variations:
As mentioned above, although several embodiment of this invention was described, this invention is not limited to such embodiment at all, and implementation in various aspects is possible within the range which does not deviate from the summary. It is. For example, the following modifications are possible.

C-1. In each of the above-described embodiments, the analysis processing unit 200 performs both the collector and analyzer processes, but may be configured as a separate device, for example.

C-2. In each of the above-described embodiments, the sampling device is implemented in hardware in an ASIC or other manner inside the transfer device, but can also be implemented in software. In the present invention, since the processing load of the sampling process is small in the present invention, there is an advantage that the load on the CPU is small even if implemented in software. In addition, among the extraction / duplication / encapsulation processes handled by the transfer apparatus, duplication / encapsulation is a process executed by the transfer apparatus in the transfer process, and the function can be used. Further, the extraction process can be dealt with as an extension of the sorting process performed in the transfer process. As described above, the software implementation of the sampling process has a feature of low resource consumption.

  As described above, the present invention has a large processing load and may become a bottleneck, offloads processing that is essentially different from the original processing of the transfer device, and diverts the original function of the transfer device. It is configured as an extremely rational system in which processing such as extraction, duplication, and encapsulation that can be handled only by the transfer device is executed by the transfer device. Furthermore, since the present invention is practically implemented in software on the transfer device, the present invention is realized as a system that is extremely mountable and applicable to a wide range of uses.

C-3. In each of the above-described embodiments, sFlow statistics are used for traffic analysis, but the present invention can also be applied to traffic analysis using netFlow statistics, for example. The present invention can be widely applied to a traffic monitoring system that collects transfer data (packets) and performs traffic analysis.

The block diagram which shows the outline | summary of the traffic monitoring system in 1st Example of this invention. The flowchart which shows the content of the traffic monitoring process of 1st Example. Explanatory drawing which shows the content of the encapsulation process of 1st Example comprised as a local area network of a layer 2. FIG. Explanatory drawing which shows the content of the encapsulation process of the network comprised by the internet layer of the layer 3 as a modification. Explanatory drawing which shows the content of the sFlow packet F1 which the offload process part 100 produces | generates. The block diagram which shows the outline | summary of the traffic monitoring system in 2nd Example of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Network 100, 100a ... Offload processing part 200 ... Analysis processing part 311 ... Extraction part 312 ... Encapsulation processing part 313 ... Sample generation part 350 ... Transfer processing part T1, T2 ... Client system

Claims (6)

A traffic monitoring system for monitoring network traffic,
A transfer device having a sampling device and a transfer processing unit;
An offload processing device;
A traffic analyzer,
With
The sampling device comprises:
An extraction unit that extracts transfer data from the traffic based on a preset criterion, and generates sampling data by replicating the extracted transfer data;
An encapsulation processing unit that generates an encapsulated data by executing an encapsulation process for adding a header addressed to the offload processing device to the sampling data;
With
The transfer processing unit transfers the transfer data and the encapsulated data,
The offload processing device generates flow data for analyzing the traffic according to the transferred encapsulated data, transfers the flow data to the traffic analysis device,
The traffic analysis device is a traffic monitoring system that analyzes the traffic based on the transferred flow data. The traffic monitoring system according to claim 1,
The encapsulating process is a traffic monitoring system including a process of storing information for specifying a transfer apparatus that has transferred the encapsulated data in the encapsulated data. The traffic monitoring system according to claim 1 or 2,
The network has a plurality of transfer devices,
The traffic monitoring system includes a plurality of offload processing devices,
Each of the plurality of transfer devices is a traffic monitoring system assigned to transfer the encapsulated data to any of the plurality of offload processing devices. A sampling device that extracts transfer data from the traffic and transfers it to an offload processing device to monitor network traffic,
An extraction unit that extracts transfer data from the traffic based on a preset criterion, and generates sampling data by replicating the extracted transfer data;
An encapsulation processing unit that generates an encapsulated data by executing an encapsulation process for adding a header addressed to the offload processing device to the sampling data;
An output unit for transmitting the encapsulated data to the offload processing device to cause the offload processing device to generate flow data for analyzing the traffic according to the transferred encapsulated data; ,
A sampling device comprising: A transfer device for transferring data in a network,
A sampling device according to claim 4 ;
A transfer processing unit for transferring the transfer data and the encapsulated data;
A transfer device comprising: A traffic monitoring method for monitoring network traffic,
A transfer device having a sampling device and a transfer processing unit;
An offload processing device;
A traffic analyzer,
The process of preparing
An extraction step in which the sampling device extracts transfer data from the traffic based on a preset criterion, and generates sampling data by duplicating the extracted transfer data;
An encapsulation processing step in which the sampling device executes encapsulation processing for adding a header addressed to the offload processing device to the sampling data to generate encapsulated data;
The transfer processing unit transferring the transfer data and the encapsulated data;
The offload processing device generating flow data for analyzing the traffic according to the transferred encapsulated data, and transferring the flow data to the traffic analyzing device;
The traffic analyzing device analyzing the traffic based on the transferred flow data;
A traffic monitoring method comprising:

Images