JP4988632B2 - Packet relay device and traffic monitoring system - Google Patents

Description

  The present invention relates to a packet relay apparatus and a traffic monitoring system for transmitting statistical information collected from a packet header or a mirror packet copied from a packet to an analyzer for analyzing a communication state.

  On the Internet, not only conventional best-effort data communication, but also data that requires communication quality assurance, such as voice / video and transaction data for core business, has come to be communicated. In addition, the amount of data to be communicated is increasing along with the broadband access lines such as ADSL (Asymmetric Digital Subscriber Line) and FTTH (Fiber To The Home). And as the importance of the Internet as a social infrastructure rises, DoS (Denial of Service) attacks and network bandwidth occupancy by peer-to-peer (P2P) traffic do not bring about a decline or stop of the quality of communication services on the Internet. It is a big social problem.

  Against this background, communication service providers such as carriers and ISPs (Internet Service Providers) collect statistical data such as communication data volume and packet header information in order to understand the communication status on the network. In addition, a traffic monitoring function such as mirroring for transmitting a mirroring packet copied from a packet during communication to an analyzer for analysis is required.

  The purpose of grasping the communication status on the network is, for example, confirmation of the quality assurance status when the communication quality assurance service is provided. In addition, in order to cope with an increase in the amount of data with limited network resources, there is a collection of traffic information reflected in traffic engineering that effectively utilizes network resources. There are also detection / analysis of DoS attacks and detection / analysis of network bandwidth occupancy by P2P traffic. Further, there are provisioning for charging network resources in response to user requests for bandwidth and communication services, billing, and the like, in which network resources are systematically prepared by predicting customer demand.

  To realize these, packet relay devices such as routers and switches used in carriers and ISPs include statistical functions such as sFlow described in Non-Patent Document 1, NetFlow described in Non-Patent Document 2, and the like. A port mirroring function for copying and analyzing the packet described in Document 3 is provided.

  Regardless of which traffic monitoring function is used, an analyzer for analyzing the communication state is connected to one of the lines of the packet relay apparatus. In the packet relay apparatus, a statistical packet including statistical information collected from the packet header as data or a mirror packet copied from the packet is transmitted to an analyzer for traffic analysis to analyze and monitor traffic.

  In the case of sFlow, the packet relay device samples a part of the input packet at a sampling rate set by the operation manager of the packet relay device, and collects header information of the packet to be sampled and statistical information for each interface. Then, an sFlow statistical packet including the header information and the statistical information as data is generated, and the generated sFlow statistical packet is transmitted to the analyzer.

  In the case of NetFlow, the packet relay apparatus collects packet header information for each flow and statistical information for each flow classified according to the source terminal, destination terminal, application, quality level, etc. of the input packet. And a NetFlow statistical packet including data and statistical information as data, and the generated NetFlow statistical packet is transmitted to the analyzer.

  Hereinafter, the monitoring target line or logical interface through which the mirror packet replication source packet or sFlow and NetFlow statistics collection target packets flow is referred to as a monitor port. An output line that transmits an sFlow statistical packet or a NetFlow statistical packet is called an analyzer port. An output line that transmits a mirror packet is called a mirror port.

  Non-Patent Document 4 shows that Japanese Internet traffic is growing exponentially. The abstract of Non-Patent Document 5 explains that DoS attacks can be broadly classified into logic attacks and flooding attacks. Non-Patent Document 6 describes load balancing by multipath, which is a load balancing technique. Non-Patent Document 7 describes a leaky bucket (leak bucket) algorithm as a bandwidth monitoring algorithm.

  Patent Document 1 describes a communication statistical processing device that transfers a sample packet to a collector device (analyzer in the present specification). Patent Document 2 also discloses a packet communication device that transfers a sampled packet to an analyzer (analyzer in the present specification). Patent Document 3 discloses a flow detection apparatus called a CAM (Content Addressable Memory) that uses a high-speed search-only device that outputs an address including an entry that matches input data when data is input.

  First, a system configuration in the case of mirroring by a conventional packet relay device will be described with reference to FIG. 1 and FIG. Here, FIG. 1 and FIG. 2 are hardware block diagrams of the mirroring system. In FIG. 1, a packet relay device (S0) 101 receives packets P0, P1, P2, and P3 from an input line 102, and transmits these packets P0, P1, P2, and P3 from an output line 103.

  When mirroring a packet received from the input line 102, the mirroring system sets the input line 102 as a monitor port and connects the mirror port 110. In the mirroring system, an analyzer (A0) 120 for analyzing mirror packets is connected to the mirror port 110. The packet relay device (S0) 101 generates mirror packets C0, C1, C2, and C3 obtained by copying the packets P0, P1, P2, and P3 received from the monitor port 102. The mirror packets C0, C1, C2, and C3 are generated. Transmit from the mirror port 110. The mirror packets C0, C1, C2, and C3 transmitted from the mirror port 110 are input to the analyzer 120 connected to the mirror port 110. The analyzer 120 analyzes packet header information and bandwidth information.

  With reference to FIG. 2, a system configuration in a case where the conventional packet relay apparatus expands the mirror port to a plurality will be described. In FIG. 2, a packet relay device (S0) 101 connects a mirror port 111, a mirror port 112, and a mirror port 113 in addition to the mirror port 110 of FIG. In the mirroring system, an analyzer (A0) 120 for analyzing mirror packets is connected to the mirror port 110, an analyzer (A1) 121 is connected to the mirror port 111, and an analyzer (A2) 122 is connected to the mirror port 112. The analyzer (A3) 123 is connected to the mirror port 113.

  The packet relay device (S0) 101 generates mirror packets for the number of mirror ports, transmits mirror packets C0, C1, C2, and C3 from the mirror port 110, and also receives mirror packets C0, C1, and C3 from the mirror port 111. C2 and C3 are transmitted, mirror packets C0, C1, C2, and C3 are transmitted from the mirror port 112, and mirror packets C0, C1, C2, and C3 are also transmitted from the mirror port 113.

  The mirror packets C0, C1, C2, and C3 transmitted from the mirror port 110 are input to the analyzer 120 connected to the mirror port 110, and the analyzer 120 analyzes packet header information and band information. Similarly, the mirror packets C0, C1, C2, and C3 transmitted from the mirror port 111 are input to the analyzer 121 connected to the mirror port 111. The mirror packets C0, C1, C2, and C3 transmitted from the mirror port 112 are input to the analyzer 122 connected to the mirror port 112. The mirror packets C0, C1, C2, and C3 transmitted from the mirror port 113 are input to the analyzer 123 connected to the mirror port 113. The analyzers 121 to 123 analyze packet header information and bandwidth information.

  Next, a system configuration in the case where statistical information is collected by a conventional packet relay device will be described with reference to FIG. FIG. 3 is a hardware block diagram of the statistical information collection system. In FIG. 3, a conventional packet relay apparatus (S0) 1701 receives packets P0, P1, P2, and P3 from an input line 1702, and transmits these packets P0, P1, P2, and P3 from an output line 1703. In order to analyze the statistical information of the packet received from the input line 1702, the statistical information collection system is connected to the analyzer port 1710 with an analyzer (A0) 120 for totaling, editing, and displaying statistical information. The packet relay apparatus (S0) 101 generates statistical packets S0, S1, S2, and S3 including header information and statistical information of the packets P0, P1, P2, and P3 received from the monitor port 1702, and the statistical packets S0, S1 , S2 and S3 are transmitted from the analyzer port 1710. The statistical packets S0, S1, S2, and S3 transmitted from the analyzer port 1710 are input to the analyzer 1720 connected to the analyzer port 1710, and the header information and statistical information of the packet are analyzed by the analyzer 1720.

  However, there is a limit to the analysis performance of the analyzer. In FIG. 3, only S0 can be analyzed, and subsequent S1, S2, and S3 are missed from the analysis target (x mark). In this case, by using the sampling function provided in the packet relay device (S0) 1701, only the statistical packet using a part of all the packets P0, P1, P2, and P3 received from the input line 1702 as a sample is analyzed port. 1710 can be transmitted. In the case of FIG. 3, by transmitting only the statistical packet S0 using P0 as a sample from the analyzer port 1710, the statistical packet load on the analyzer 1720 is suppressed within the performance limit of the analyzer 1720, and the statistical packet is dropped. Can be prevented. However, since only the statistical information of some of the packets P0, P1, P2, and P3 received from the input line 1702 can be collected, the accuracy of statistics decreases.

  In addition, the statistical packet load on the analyzer is suppressed by collecting only the flow composed of packets having a specific source IP address, destination IP address, L4 protocol, source port, and destination port. You can also. In the case of FIG. 3, let P0, P1, P2, and P3 be packets belonging to different flows. Here, even if only the flow to which P0 belongs is selected as a statistical information collection target, the statistical information collection system can suppress the statistical packet load on the analyzer 1720 within the performance limit of the analyzer 1720 and prevent the statistical packet from being dropped. . However, since only the statistical information of packets belonging to some of the packets P0, P1, P2, and P3 belonging to all flows received from the input line 1702 can be collected, the statistical information of the entire flow cannot be obtained. Even if the flow outside the information collection target shows an abnormal behavior, it cannot be detected and analyzed.

  The bit rate bandwidth monitoring algorithm will be described with reference to FIG. FIG. 4 is a flowchart for explaining a bit rate band monitoring algorithm. A leaky bucket algorithm will be described as a bandwidth monitoring algorithm.

  The leaky bucket algorithm is a model of a leaky bucket with a hole with a certain depth. While the bucket is filled with water, water continues to leak in the monitoring band (hole size). The length of water is poured. The bucket has a depth to allow the arrival fluctuation of the packet, and the input packet is observed as long as the bucket does not overflow. In detail, the flowchart of FIG. 4 is followed.

  In FIG. 4, the flow starts when a packet is input to the packet relay apparatus. Here, TNOW: current time, TLST: previous packet input time, R: monitoring bandwidth (bit rate / packet rate), CNT: bucket water amount, THR: bucket threshold, LEN: frame length of packet. The packet relay apparatus calculates an elapsed time ΔT from the previous packet input time (S1401). The packet relay apparatus calculates the amount of water (ΔDEC = ΔT × R) leaked from the bucket during ΔT (S1402). The packet relay apparatus determines whether water remains in the bucket at present (S1403). If YES, the packet relay apparatus calculates the current bucket water amount (NOWCNT) (S1404), and determines whether NOWCNT exceeds the bucket threshold (S1406).

  If NO in step 1403, the packet relay apparatus sets NOWCNT = 0 (S1405), and proceeds to step 1406. If YES in step 1406, the packet relay device is in compliance with the bandwidth, so the packet relay device adds water corresponding to the frame length of the input packet to the bucket (S1408), and updates the amount of water in the bucket (S1411). If NO in step 1406, the packet relay device discards the input packet, sets NOWCNT in CNT2 meaning after addition (S1410), and transitions to step 1411. After updating the amount of water in the bucket in step 1411, the packet relay device updates TLST (S1412) and ends.

JP 2006-005402 A JP 2007-184799 A JP 2003-304278 A RFC3176 “InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks” RFC3954 “Cisco Systems NetFlow Services Export Version 9” AX7800S, AX5400S Software Manual Description Vol. 2 12. Port mirroring, [online], ALAXALA Networks, [March 4, 2008 search], Internet <URL: http://www.alaxala.com/jp/support/manual/AX7800S/HTML/10_6/APGUIDE2/ 0179.HTM> Ministry of Internal Affairs and Communications, "Understanding the total amount of traffic on the Internet in Japan", [online], August 22, 2007, Data Communication Section, Electronic Communication Division, Communications Bureau, Ministry of Internal Affairs and Communications, [March 4, 2008 search] , Internet <URL: http://www.soumu.go.jp/s-news/2007/pdf/070822_2_bt1.pdf> Ryo Kaizaki, et al. "Detection of Denial of Service attacks using AGURI", ICT2002, June 2002. AX7800R Software Manual Manual Vol. 1 7.7 Load balance, [online], ALAXALA Networks, [March 4, 2008 search], Internet <URL: http://www.alaxala.com/jp/support/manual/AX7800R/HTML/ 10_6 / APGUIDE / 0093.HTM> The ATM Forum Technical Committee Traffic Management Specification Version 4.1 Normative Annex B: Traffic Contract Related Algorithms and Procedures

  Due to a functional increase in Internet traffic, the amount of traffic that must be accommodated by the packet relay apparatus is increasing, and the accommodated lines of the packet relay apparatus are expected to increase in the future. With regard to the rate of increase in traffic volume, Gilder's law is known as an empirical rule, which is about twice in a half year to a year, whereas the increase in traffic volume depends on the improvement in CPU performance. According to Moore's Law, the rule of thumb is about a year and a half. Actually, high-speed lines of 10 Gbps and 40 Gbps are used in the backbone of the network, and practical use of a high-speed line of 100 Gbps is being studied. On the other hand, the performance of the analyzer is limited to about 1 Gbps. Thus, the improvement in analyzer performance is not expected to catch up with the increase in line speed, and this difference in performance is expected to increase further in the future. Then, the following problems arise in the conventional traffic monitoring function.

  In the case of sFlow, by setting the sampling rate in accordance with the performance of the analyzer, it is avoided that the traffic volume to be analyzed exceeds the analysis capability of the analyzer. However, if the performance of the analyzer cannot keep up with the increase in the traffic volume of the network, the sampling rate must be reduced to avoid the traffic volume being analyzed exceeding the analysis capacity of the analyzer. . Therefore, since the ratio of the traffic volume that can be analyzed with respect to the traffic volume of the network decreases, there is a problem that the statistical accuracy of the analysis decreases.

  In the case of NetFlow, statistical information for each flow is collected and transmitted to the analyzer, but the number of flows that can be collected is limited for each apparatus, and the number of flows may be limited by the performance of the analyzer. Therefore, when the amount of traffic in the network increases and the number of flows increases, there is a problem that the ratio of the number of flows that can be analyzed to the number of flows that flow through the network decreases. For example, in order to check the communication quality for each flow, it is necessary to investigate the total number of packets for each flow, so NetFlow is more suitable than sFlow. There is a problem that it is limited by performance.

  In the case of port mirroring, when the monitor port is a high-speed line, there is a problem that mirror packets exceeding the analysis capability of the analyzer cannot be analyzed.

  For example, a case where a DoS attack is analyzed by port mirroring will be described. The DoS attack is roughly classified into a logic attack and a flooding attack. A logic attack is a general term for attacks that cause degradation and stoppage of the quality of communication services provided by a server using system security holes. As an example known so far, Land (source and destination IP addresses) Attacks by SYN packets having the same address), Tiny Fragment (attack that causes a TCP header to be fragmented and the first fragment packet does not include a TCP flag, and passes through a filter) are known. A flooding attack is an attack in which an attacker sends a large number of packets to the server, making it difficult for a legitimate client to connect to the server, or occupying the server's computational resources to make it impossible to provide communication services. It is a generic name. Examples include SYN flooding (an attack that exhausts the memory resources of the attack target server by sending a large number of SYN packets), Smurf (the source IP address is spoofed to the attack target server, and the destination IP address is broadcast) An attack that sends a large amount of ICMP echo replies to an attack target server by sending a ping (ICMP echo request) packet is known.

  In the case of a flooding attack, a large number of attack packets flow, so even if some of the mirror packets copied from the attack packet cannot be analyzed due to insufficient analysis capabilities of the analyzer, it is possible to understand and analyze the overall trend. It is. However, in the case of a logic attack, even one attack packet is established as an attack. Therefore, if a mirror packet of the packet cannot be analyzed due to insufficient analysis capability of the analyzer, it is difficult to analyze the logic attack.

  Similarly, when investigating the spread of leaked files and viruses due to P2P, even if some of the packets containing the leaked files and viruses cannot be analyzed due to insufficient analysis capabilities of the analyzer, the leaked files and viruses will spread It is possible to grasp statistically. However, in order to identify and analyze an outflow / diffusion source packet such as a packet from which a file was initially leaked or a virus-triggered packet, it is necessary that the mirror packet of the packet does not leak from the analysis target. If the mirror packet of the packet leaks from the analysis target due to insufficient analysis capability of the analyzer, it is difficult to identify and analyze the outflow / diffusion source packet.

  SUMMARY An advantage of some aspects of the invention is to solve at least a part of the problems described above, and the invention can be implemented as the following forms or application examples.

[Application Example 1]
The packet relay apparatus of Application Example 1 is connected to a plurality of input lines and output lines, and transmits a packet received from each input line from any output line specified by the header information. Consists of multiple mirror ports that transmit mirror packets copied from received packets or transmitted packets for each output line or output flow identified by header information of transmitted packets or output packets identified by header information of received packets A mirror port group designating unit for designating a mirror port group to be set, and a mirror port selecting unit for selecting one of the plurality of mirror ports designated by the mirror port group designating unit for each mirror packet Selected by the mirror port selector. To send a mirror packet from Poto.

  When the packet relay device of Application Example 1 is used, even if the monitor port becomes a high-speed line, the analyzer can be connected to multiple mirror ports to distribute the load of mirror packets, thereby exceeding the analysis capability of the analyzer alone. It is possible to solve the problem of the port mirror that the mirror packet cannot be analyzed.

[Application Example 2]
The packet relay device of Application Example 2 is connected to a plurality of input lines and output lines, and transmits a packet received from each input line from any output line specified by the header information. Identified by some or all values of input flow or transmitted packet header information identified by some or all values of the output line, logical input interface, logical output interface or received packet header information For each output flow, an analyzer port that generates a statistical packet including header information and / or statistical information of a received packet or transmitted packet as data, and specifies an analyzer port group composed of a plurality of analyzer ports that transmit the statistical packet Group specification part and each statistical packet Wherein comprising an analyzer port selecting unit for selecting any one of the analyzer port of the analyzer port groups plurality of analyzers port specified by the specifying unit, for transmitting the statistical packet from the analyzer port selected in the analyzer port selection unit.

  If the packet relay device of Application Example 2 is used, even if the monitor port becomes a high-speed line, connecting the analyzer to multiple analyzer ports and distributing the statistical packet load will exceed the analysis capability of the analyzer alone Can solve the problem of sFlow and NetFlow that cannot be analyzed.

  In the case of sFlow, as described above, in order to avoid that the traffic volume to be analyzed exceeds the analysis capability of the analyzer, the sampling rate must be changed to a low level, and analysis is performed on the network traffic volume. The ratio of traffic volume that can be targeted decreases. As a result, there is a problem that the statistical accuracy of the analysis is lowered. Here, if the packet relay device of application example 2 is used, the statistical packet load is distributed to a plurality of analyzers. Therefore, if the number of analyzer ports and the number of analyzers are increased without changing the sampling rate, the analysis capability of the analyzer alone Can be avoided. Therefore, it is possible to solve the problem that the statistical accuracy of the analysis is lowered.

  In the case of NetFlow, as described above, when the number of flows is limited by the performance of the analyzer, when the traffic amount of the network increases and the number of flows increases, the number of flows flowing through the network can be analyzed. There is a problem that the ratio of the number of flows decreases. Here, if the packet relay device of application example 2 is used, the statistics packet load for each flow can be distributed by a plurality of analyzers to collect and analyze statistics. Therefore, if the number of analyzer ports and analyzers is increased, It is not necessary to reduce the ratio of the number of flows to be performed.

  Patent Document 1 is similar to the present invention in that the sample packet is transferred to a “collector device” (corresponding to “analyzer” in the present embodiment), but “for each mirror packet” which is a feature of Application Example 1 of the present invention. There is no description regarding a processing unit corresponding to a “mirror port selection unit that selects any one mirror port among a plurality of mirror ports specified by the mirror port group specification unit”, and is outside the scope of Patent Document 1. The point is different from the present invention. Similarly, it corresponds to “analyzer port selection unit for selecting one of a plurality of analyzer ports designated by the analyzer port group designation unit for each statistical packet”, which is a feature of Application Example 2 of the present invention. There is no description regarding the processing unit to be performed, and the point that is not covered by Patent Document 1 is different from the present invention.

  Next, the condition of claim 1 of Patent Document 1 “a flow table comprising a plurality of flow entries defining flow identification conditions for identifying packet flows” “packets to be statistically associated with the flow identification conditions” A statistical control table including at least one statistical control entry that defines statistical control information for limiting, ”the condition“ part or all of header information of a received packet ”according to claim 5 of the present invention, Alternatively, a mirror port is selected by an operation based on a function having a part or all of header information of a transmission packet as an input value and a value identifying a mirror port as an output value. Enter part or all of the header information or part or all of the header information of the transmitted packet. By calculation based on the function that the value describing the differences between selecting an analyzer port. " Note that the flow identification condition of Patent Document 1 is considered to be the same concept as the condition specified as “a part or all of the header information of a received packet or a transmitted packet” of the present invention.

  As a difference in configuration between Patent Document 1 and the present invention, Patent Document 1 restricts the packets to be statistically defined from “flow identification conditions”, while in claim 5 or claim 10 of the present invention. The condition is that “mirror port” or “analyzer port” is selected from “flow identification condition”. In addition, as a difference in effect, in Patent Document 1, the packets to be statistically limited are limited. However, in the present invention, even when the load on the monitor port increases, all packets received or transmitted from the monitor port can be mirrored. The difference is that statistics of all packets received or transmitted from a monitor port can be collected. A specific configuration example when selecting “mirror port” or “analyzer port” from “flow identification conditions” in the present invention will be described in the fourth and eighth embodiments.

  In addition, as shown in FIG. 10 of Patent Document 1, in the method of setting a flow by a flow table including a plurality of flow entries in which flow identification conditions are defined, the flow table capacity becomes a bottleneck when the number of flows increases. Limits on the number of flows that can be made. On the other hand, in the case of the method of calculating the mirror port or the analyzer port by inputting the value of the header information as the flow identification condition into the function as in claim 5 or claim 10 of the present invention, You only need to have combinatorial logic. Therefore, since an additional flow table is not required, there is an effect that the number of flows that can be collected is not limited by the added flow table.

  Next, differences from Patent Document 2 will be described. Also in Patent Document 2, the point that the sampled packet is transferred to the analyzer (equivalent to the analyzer) is the same as that of the present invention. However, the feature of the application example 1 of the present invention is “the mirror port group designating unit for each mirror packet. There is no description regarding the processing unit corresponding to the “mirror port selection unit that selects any one mirror port among a plurality of designated mirror ports”, and it is different from the present invention in that it is outside the scope of Patent Document 2. ing. Similarly, a processing unit corresponding to “analyzer port selection unit that selects any one analyzer port among a plurality of analyzer ports designated by the analyzer port group designation unit for each statistical packet”, which is a feature of application example 2. There is no description about this, and it is different from the present invention in that it is outside the scope of Patent Document 2.

  Next, the condition of claim 1 of Patent Document 2 “a means for generating a condition for performing packet copy according to information in the stream start packet, and a plurality of network interfaces by copying packets that match the conditions of the sampling target stream” Output from any one of the above "and the condition" a part or all of the header information of the received packet or the transmitted packet is an input value, and a value that identifies a mirror port is an output value. The mirror port is selected by the above-mentioned calculation "or the condition of claim 10" based on a function having a part or all of the header information of the received packet or the transmitted packet as an input value and a value identifying an analyzer port as an output value The difference from “select analyzer port by calculation” will be described. In Patent Document 2, it is considered that “information in a packet” corresponds to “flow identification condition”.

  As a structural difference between Patent Document 2 and the present invention, Patent Document 2 uses “flow identification condition” as a means for designating a sampling target stream condition and a sampling probability, while claim 5 of the present invention. Alternatively, the condition of claim 10 is different in that “mirror port” or “analyzer port” is selected. Further, as a difference in effect, in Patent Document 2, it is assumed that sampling is performed for collecting statistics. When the load on the monitor port increases, the load on the statistical packet does not exceed the performance of the analyzer. In addition, it is necessary to more strictly limit the conditions of the sampling target stream or lower the sampling probability. Therefore, when the load on the monitor port increases, the ratio of packets that can collect statistics decreases. On the other hand, in the present invention, sampling is not premised, and when the load on the monitor port increases, a plurality of analyzers are connected to a plurality of analyzer ports to collect statistics in a distributed manner, thereby receiving from the monitor port. Another difference is that statistics of all transmitted packets can be collected.

  According to the present invention, it is possible to provide a packet relay device and a traffic monitoring system that can reliably grasp a communication state on a network.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings using examples. The same reference numerals are assigned to substantially the same parts, and the description will not be repeated.

  Example 1 will be described with reference to FIGS. Here, FIG. 5 is a hardware block diagram of the mirroring system (traffic monitor system). FIG. 6 is a block diagram of the packet relay apparatus. FIG. 7 is a diagram for explaining header information transmitted from the packet receiving circuit. FIG. 8 is a functional block diagram of the mirror determination unit. FIG. 9 is a diagram illustrating the configuration of the mirror port table. FIG. 10 is a diagram illustrating the configuration of the mirroring determination result. FIG. 11 is a functional block diagram of the mirror port selection unit. FIG. 12 is a diagram for explaining the configuration of the counter table. In FIG. 5, the packet relay apparatus (S1) 301 does not generate mirror packets for the number of mirror ports as shown in FIG. 2, but generates mirror packets one by one. Further, the packet relay apparatus (S1) 301 does not transmit all the mirror packets C0, C1, C2, and C3 from all the mirror ports 110 to 113 as shown in FIG. Select one. The packet relay device (S1) 301 transmits the mirror packet C0 from the mirror port 110 and inputs it to the analyzer 120 connected to the mirror port 110, and the analyzer 120 analyzes the header information and bandwidth information of the packet. Similarly, the mirror packet C1 is transmitted from the mirror port 111 and input to the analyzer 121 connected to the mirror port 111, and the header information and bandwidth information of the packet are analyzed by the analyzer 121. The mirror packet C2 is transmitted from the mirror port 112 and input to the analyzer 122 connected to the mirror port 112, and the analyzer 122 analyzes packet header information and band information. The mirror packet C3 is transmitted from the mirror port 113 and input to the analyzer 123 connected to the mirror port 113, and the analyzer 123 analyzes packet header information and band information.

  By transmitting the mirror packets so as to be distributed to a plurality of analyzers in this way, it is possible to reduce the load on the analyzer while keeping all the mirror packets as mirroring targets.

  Note that multi-path load balancing (Non-Patent Document 6) is known as a prior art of load distribution. Multipath and this embodiment have the following differences. First, the multipath is intended for load distribution of normal communication packets, but this embodiment is different in that load distribution of mirror packets is targeted. Next, in multipath, since communication packets are load-balanced, it is necessary to prevent sequence reversal between packets having the same flow, that is, the same IP address and port number. Accordingly, there is a restriction that the same flow must be transmitted from the same output line. On the other hand, in this embodiment, since the load distribution of mirror packets is targeted, there is no need to restrict this order reversal, and even the same flow can be transmitted from different mirror ports. Different. However, in this case, in order to analyze the mirror packet for each flow, it is necessary to analyze the mirror packet information of the same flow accumulated in a plurality of analyzers after being aggregated later.

  Next, the configuration of the packet relay apparatus 301 will be described with reference to FIG. The configuration of the packet relay device 301 can be applied to a router that routes and forwards packets or a switch that forwards and forwards packets.

  In FIG. 6, a packet relay apparatus 301 outputs an input line 102 into which a packet is input, a packet receiving circuit 410 that performs packet reception processing, a packet search unit 420 that performs determination processing on the reception side regarding the packet, and a packet. Packet relay processing means 430 that performs switching based on the line number, packet search unit 440 that performs determination processing on the transmission side regarding the packet, and packet transmission processing by reading the packet from the transmission buffer 450 in which the switched packet is accumulated A packet transmission circuit 460 for performing the processing, an output line 103 for outputting a packet, and a mirror port 110 for outputting a mirror packet are provided. The packet receiving circuit 410 determines the input line number 601 and the frame length LEN 602 of the packet, and adds them to the header information 600 (described later with reference to FIG. 7) transmitted from the packet receiving circuit 410.

  The packet search unit 420 includes a route search unit 422 for determining an output line number and a mirror determination unit 421 that performs determination related to mirroring. In order for the packet search unit 420 to perform route search and mirror determination, header information and input line information are transmitted from the packet receiving circuit 410 to the packet search unit 420. When mirroring is performed for each output line, the mirror determination unit (not shown for simplicity in the figure) included in the packet search unit 440 on the transmission side can also perform determination related to mirroring.

  The output line number obtained by the route search unit 422, the mirroring instruction obtained by the mirror determination unit 421, and the mirroring determination result of the mirror port number are transmitted to the packet receiving circuit 410 as search result information in the packet search unit 420. . The search result information transmitted to the packet reception circuit 410 is transmitted to the packet transmission circuit 460 via the packet relay processing unit 430 together with the information of the packet body. In the packet transmission circuit 460, the copy source packet body is stored in the transmission buffer 450-1 connected to the output line 103 and transmitted from the output line 103.

  For a packet for which a mirroring instruction is given as a result of the mirroring determination, a packet copy is generated in the packet transmission circuit 460. A copy of the generated packet is accumulated as a mirror packet in the transmission buffer 450-2 connected to the mirror port 110 and transmitted from the mirror port 110.

  A management terminal 480 is connected to the packet relay apparatus 301 in order to enable user settings for the packet search unit 420, and setting information from the management terminal 480 is temporarily stored in the register 470. In accordance with the information read from the register 470, various table control units shown later perform table setting.

  With reference to FIG. 7, the header information transmitted from the packet receiving circuit will be described. In FIG. 7, the header information 600 includes an input line number 601, an LEN 602, an L2 (layer 2) header 610, an L3 (layer 3) header 620, and an L4 (layer 4) header 630. Further, the L2 header 610 includes a destination MAC address 611, a transmission source MAC address 612, an ether type 613, and a VLAN tag 614. The L3 header 620 is described here for IPv4, and includes an IP version 621, a TOS (Type of Service) 622, an L4 protocol 623, a source IP address 624, and a destination IP address 625. The L4 header 630 includes a transmission source port 631 and a destination port 632.

  The header information 600 includes packet header information received by the packet relay apparatus 301 and information not included in the packet header. The former is an L2 header part 610, an L3 header part (when IPv4) 620, and an L4 header part 630. The latter is the input line number 601 determined by the packet receiving circuit 410 and the packet frame length LEN 602.

  Next, the configuration of the mirror determination unit provided in the packet relay device will be described with reference to FIG. In FIG. 8, the mirror determination unit 421 includes a header information extraction unit 504, a monitor port number extraction unit 500, a mirror port table control unit 501, a mirror port table 502, and a mirror port selection unit 503. The header information extraction unit 504 extracts header information necessary for mirroring determination from the header information transmitted from the packet reception circuit 410. The header information extraction unit 504 transmits the extracted header information to the monitor port extraction unit 500 and the mirror port selection unit 503.

  Further, the monitor port number extraction unit 500 extracts the input line number 601 from the header information and transmits it to the mirror port table control unit 501. The mirror port table control unit 501 sets the mirror port table 502 according to the information read from the register 470. The mirror port table control unit 501 generates a read address for reading the mirror port table 502 based on the input line number 601 and reads the mirror port table 502.

  Here, the description of FIG. 8 is interrupted and the mirror port table will be described. In FIG. 9, the mirror port 502 is composed of a plurality of mirror port entries 502-i (i = 0, 1,... N) defined for each monitor port. In the mirror port entry 502-i, a mirroring EN (enable) indicating necessity of mirroring for each monitor port and a plurality of mirror port numbers belonging to the mirror port group for each monitor port are set. For example, in the mirror port entry 502-0 defined for the monitor port 0, the mirroring EN0 indicating the necessity of mirroring at the monitor port 0, the mirror port 0-0, the mirror port 0-1, and the mirror port 0-2. , Four mirror ports are defined as mirror ports 0-3.

  Returning to FIG. 8, the mirror port table control unit 501 transmits the information of the mirror port entry 502-i read from the mirror port table 502 to the mirror port selection unit 503. When the mirroring EN set in the mirror port entry 502-i transmitted from the table control unit 501 indicates mirroring, the mirror port selection unit 503 transmits mirror packets from a plurality of mirror ports. Select one mirror port dynamically. A method for selecting a mirror port will be described later. When the mirror port selection unit 503 selects a mirror port, the mirroring instruction by the mirroring EN is reflected in the mirroring determination result.

  Again, the description of FIG. 8 is interrupted, and the mirroring determination result will be described. In FIG. 10, the mirroring determination result 700 includes a mirroring instruction flag 701 and a mirror port number 702. The mirroring instruction flag 701 indicates mirroring when “1”, and does not indicate mirroring when “0”. The mirror port number 702 describes the mirror port number when the mirroring instruction flag 701 is “1”, and is invalid when the mirroring instruction flag 701 is “0”.

  Returning to FIG. 8, the mirror port selection unit 503 transmits the selected mirror port number to the packet reception circuit 410 as the mirror port number 702 of the mirroring determination result 700. When the mirroring EN set in the mirror port entry 502-i transmitted from the table control unit 501 does not instruct mirroring, the mirroring instruction flag of the mirroring determination result 700 is set to “0” to the packet receiving circuit 410. Send.

  The configuration of the mirror port selection unit will be described with reference to FIG. In FIG. 11, in the first embodiment, mirror port selection is determined based on a round robin algorithm based on the arrival order of packets. The mirror port selection unit 503 includes a mirror port selection circuit 901, a counter table control unit 902, and a counter table 903. When a packet arrives at the mirror determination unit 421, first, the input port number 601 extracted by the monitor port number extraction unit 500 and the information of the mirror port entry 502-i obtained by the mirror port table control 501 are the mirror port selection circuit. 901 is transmitted. Of these, the mirror port selection circuit 901 transmits the input line number 601 to the counter table control unit 902. The counter table control unit 902 sets the counter table 903 according to the information read from the register 470.

  When the mirroring EN of the mirror port entry 502-i does not instruct mirroring, the mirroring instruction flag 701 of the mirroring determination result 700 is transmitted to the packet receiving circuit 410 as “0”. At this time, the mirror port number 702 becomes invalid. When the mirroring EN of the mirror port entry 502-i indicates mirroring, the counter table control unit 902 generates a read address for reading the counter table 903 based on the input line number 601 and reads the counter table 903. .

  Here, the counter table will be described with reference to FIG. In FIG. 12, the counter table 903 includes counters 903-i (i = 0 to n) for each monitor port. The counter value needs to have an information amount that can uniquely represent each of a plurality of mirror ports belonging to the same mirror port group defined in the mirror port entry 502-i. Specifically, since the mirror port entry 502-i defines four mirror ports, mirror port i-0, mirror port i-1, mirror port i-2, and mirror port i-3, the counter is mirrored. It is necessary to take "0" corresponding to port i-0, "1" corresponding to mirror port i-1, "2" corresponding to mirror port i-2, and "3" corresponding to mirror port i-3. is there. Therefore, the counter needs to have an information amount of at least 2 bits.

  Returning to FIG. 11, the counter table control unit 902 transmits the read counter 903-i to the mirror port selection circuit 901, and adds 1 to the value of the read counter 903-i, and after the addition The value of the counter 903-i is written into the counter table 903. When the read value of the counter 903-i is “3” which is the maximum value, “0” is written in the counter table 903 as the value of the counter 903-i. The mirror port selection circuit 901 selects a mirror port corresponding to the value of the counter 903-i transmitted from the counter table control unit 902, and sets the selected mirror port number as the mirror port number 702 of the mirroring determination result 700. The mirroring instruction flag is set to “1” and transmitted to the packet receiving circuit 410.

  According to this embodiment, by transmitting the mirror packet so as to be distributed to a plurality of analyzers, it is possible to reduce the load on the analyzer while keeping all the mirror packets as mirroring targets.

  A second embodiment will be described with reference to FIGS. FIG. 13 is a functional block diagram of the mirror port selection unit. FIG. 14 is a functional block diagram of the bandwidth monitoring unit. FIG. 15 is a diagram for explaining a bandwidth monitoring table.

  The block diagram of the packet relay apparatus of the second embodiment is as shown in FIG. 6 and is the same as that of the first embodiment. With reference to FIG. 13, the configuration of the mirror port selection unit in the second embodiment will be described. In FIG. 13, in the second embodiment, the bit rate of the mirror packet transmitted for each of the plurality of mirror ports belonging to the same mirror port group is monitored, and the bit rate of the mirror packet transmitted for each mirror port is mirrored. A mirror port that does not reach the predetermined maximum bit rate for each port is selected. Here, the maximum bit rate is less than the maximum performance of the analyzer.

  In FIG. 13, the mirror port selection unit 503A includes a mirror port selection circuit 901 and a bandwidth monitoring unit 1101. When a packet arrives at the mirror judgment unit 421 in FIG. 8, first, the input line number 601 extracted by the monitor port number extraction unit 500 and the information of the mirror port entry 502-i obtained by the mirror port table control 501 are mirrored. It is transmitted to the port selection circuit 901.

  When the mirroring EN of the mirror port entry 502-i does not instruct mirroring, the mirror port selection circuit 901 transmits the mirroring instruction flag of the mirroring determination result 700 as “0” to the packet reception circuit 410. At this time, the mirror port number 702 becomes invalid.

  When the mirroring EN of the mirror port entry 502-i indicates mirroring, the mirror port selection circuit 901 is a mirror port configuring a plurality of mirror ports belonging to the same mirror port group defined in the mirror port entry 502-i. Four mirror port numbers i-0, mirror port i-1, mirror port i-2, and mirror port i-3 are transmitted to the bandwidth monitoring unit 1101. The bandwidth monitoring unit 1101 monitors the bit rate of the mirror packet transmitted in each of the mirror port i-0, the mirror port i-1, the mirror port i-2, and the mirror port i-3, and transmits it for each mirror port. A mirror port is selected in which the bit rate of the mirror packet thus set does not reach a predetermined maximum bit rate for each mirror port.

  When there are a plurality of mirror ports in which the bit rate of the mirror packet transmitted for each mirror port does not reach the predetermined maximum bit rate for each mirror port, the mirror port having the smallest mirror port number is selected. Shall. In addition, a mirror port with the smallest bit rate of the mirror packet transmitted for each mirror port can be selected.

  The configuration of the bandwidth monitoring unit that implements the bandwidth monitoring algorithm of FIG. 4 will be described with reference to FIG. In FIG. 14, the bandwidth monitoring unit 1101 includes a current water amount determination unit 1210, a monitoring result determination unit 1220, a bandwidth monitoring table 1202, and a bandwidth monitoring table control unit 1201. The current water amount determination unit 1210 further includes a CNT holding unit 1211, a TLST holding unit 1212, an R holding unit 1213, a timer 1214, and a current water amount calculation circuit 1215. The monitoring result determination unit 1220 includes a THR holding unit 1221, an LEN holding unit 1222, a NOWCNT holding unit 1223, a monitoring result determination circuit 1224, a CNT2 holding unit 1225, and a TLST holding unit 1226.

  The bandwidth monitoring table control unit 1201 controls the bandwidth monitoring table 1202. Here, the bandwidth monitoring table will be described with reference to FIG. In FIG. 15, the bandwidth monitoring table 1202 includes a plurality of maximum bit rates Rj (j = 0 to m), bucket threshold values THRj, bucket water amount CNTj, and previous packet input time TLSTj set for each mirror port. The bandwidth monitoring entry 1202-j (j = 0 to m) is configured.

  When all packets received from the monitor port are to be mirrored, the sum of the maximum bit rates R0 to Rm for each mirror port is equal to or greater than the line bandwidth of the monitor port.

  Returning to FIG. 14, when a packet arrives, the bandwidth monitoring table control unit 1201 generates a read address for reading the bandwidth monitoring table 1202 based on the mirror port i-0 transmitted from the mirror port selection circuit 901, and performs bandwidth monitoring. Read table 1202. Similarly, for mirror port i-1, mirror port i-2, and mirror port i-3, a read address for reading the bandwidth monitoring table 1202 is generated based on these port numbers, and the bandwidth monitoring table 1202 is read. . Hereinafter, the bandwidth monitoring process for the mirror port i-0 will be described as an example, but the same process is performed for the mirror port i-1, the mirror port i-2, and the mirror port i-3. The process of selecting the mirror port based on the monitoring band result for the four mirror ports is performed in the mirror port selection circuit 901 after the band monitoring for the four ports is performed. The bandwidth monitoring table control unit 1201 can set the bandwidth monitoring table 1202 according to the information read from the register 470.

  Rj of the bandwidth monitoring entry 1202-j read from the bandwidth monitoring table 1202 is accumulated in the R holding unit 1213 of the current water amount determination unit 1210, TLSTj is accumulated in the TLST holding unit 1212, and CNTj is accumulated in the CNT holding unit 1211. Based on these values and the value of the timer 1214 indicating the current time, calculations and determinations 1401 to 1405 in the flowchart of FIG. 4 are performed, and the obtained NOWCNT is stored in the NOWCNT holding unit 1223 of the monitoring result determination unit 1220. Accumulated. Next, the LEN 602 transmitted from the header information extraction unit 504 of the mirror determination unit 421 is accumulated in the LEN holding unit 1222, and the THRj of the bandwidth monitoring entry 1202-j read from the bandwidth monitoring table 1202 is stored in the THR holding unit 1221. Based on these values, the monitoring result determination circuit 1224 determines the bandwidth monitoring result 1406 in the flowchart of FIG. The mirror port number whose band monitoring result is band compliance is transmitted to the mirror port selection circuit 901.

  If there is only one mirror port number whose band monitoring result is band compliance, the mirror port number is transmitted to the packet receiving circuit 410 as the mirror port number 702 of the mirroring determination result 700. If there are a plurality of mirror port numbers whose band monitoring results are band compliance, the smallest mirror port number is transmitted to the packet receiving circuit 410 as the mirror port number 702 of the mirroring determination result 700. The mirror port number specified in the mirror port number 702 of the mirroring determination result 700 is transmitted from the mirror port selection circuit 901 to the bandwidth monitoring unit 1101, and the operations 1408 to 1412 in the flowchart of FIG. The monitoring result determination circuit 1224 stores the calculated CNT2 in the CNT2 holding unit 1225 and the calculated TLST in the TLST holding unit 1226. The CNT2 stored in the CNT2 holding unit 1225 and the TLST stored in the TLST holding unit 1226 are transmitted to the bandwidth monitoring table control unit 1201, and the field values of the CNT and TLST in the bandwidth monitoring entry 1202-j of the bandwidth monitoring table 1202, respectively. As updated.

  In the third embodiment, the packet rate of the mirror packet transmitted for each of the plurality of mirror ports belonging to the same mirror port group is monitored, and the packet rate of the mirror packet transmitted for each mirror port is previously determined for each mirror port. Select a mirror port that does not reach the defined maximum packet rate.

The configuration of the packet relay apparatus of the third embodiment is as shown in FIG. 6 and is the same as that of the first embodiment. The configuration of the mirror port selection unit is the same as that of FIG. 13 of the second embodiment.
The third embodiment is different from the second embodiment as follows. (1) The maximum packet rate is less than the maximum performance of the analyzer. (2) The bandwidth monitoring unit 1101 monitors the packet rate of the mirror packet transmitted in each of the mirror port i-0, the mirror port i-1, the mirror port i-2, and the mirror port i-3, and the mirror port A mirror port in which the packet rate of the mirror packet transmitted every time does not reach the maximum packet rate predetermined for each mirror port is selected.

The flowchart of the packet rate bandwidth monitoring algorithm corresponds to a case where LEN = 1 is fixed regardless of the frame length of the packet in the second embodiment.
The configuration of the bandwidth monitoring unit 1101 that implements the bandwidth monitoring algorithm of FIG. 4 is the same as that of FIG. 14 of the second embodiment. However, the bandwidth monitoring unit 1101 has a plurality of bandwidth monitoring entries 1202-j (j = 0 to m) shown in FIG. 15 in which the maximum packet rate Rj (j = 0 to m) and the bucket threshold value THRj for each mirror port are set. Is provided with a bandwidth monitoring table 1202. When all packets received from the monitor port are to be mirrored, the sum of the maximum packet rates R0 to Rm for each mirror port is equal to or greater than the line bandwidth of the monitor port. In FIG. 14, the LEN 602 transmitted from the header information extraction unit 504 of the mirror determination unit 421 is ignored, and a fixed value of LEN = 1 is stored in the LEN holding unit 1222.

  In the fourth embodiment, in the mirror port selection unit, the mirror port is calculated by a calculation based on the HASH function in which the value of part or all of the header information of the received packet or the transmitted packet is an input value and the value for identifying the mirror port is an output value Select. Thereby, mirror packets belonging to the same flow are not distributed to a plurality of mirror ports, and can be transmitted to a unique mirror port for each flow. According to the fourth embodiment, mirror packets belonging to the same flow are not distributed to a plurality of mirror ports, and can be transmitted to a unique mirror port for each flow.

  The configuration of the packet relay apparatus of the fourth embodiment is as shown in FIG. 6 and is the same as that of the first embodiment. The configuration of the mirror port selection unit will be described with reference to FIG. FIG. 16 is a functional block diagram of the mirror port selection unit. In FIG. 16, the mirror port selection circuit 901 of the mirror port selection unit 503B includes a mirror port i-0, a mirror port i-1, a mirror port i-2, and a mirror port that constitute a plurality of mirror ports belonging to the same mirror port group. The i-3 information is received from the mirror port table control unit 501. Further, the mirror port selection circuit 901 receives header information necessary for identifying a flow from the header information extraction unit 504. Here, the header information as a condition for identifying the flow is a destination MAC address 611, a source MAC address 612, a source IP address 624, a destination IP address 625, a source port 631, and a destination port 632. The mirror port selection circuit 901 transmits the header information to the HASH function calculation unit 1501.

  The configuration of the HASH function calculation unit will be described with reference to FIG. Here, FIG. 17 is a functional block diagram of the HASH function calculation unit. In FIG. 17, the HASH function calculation unit 1501 includes a destination MAC address holding unit 1602, a source MAC address holding unit 1603, a source IP address holding unit 1604, a destination IP address holding unit 1605, and a source port holding unit. 1606, a destination port holding unit 1607, and a HASH function calculation unit 1601.

  The HASH function calculation unit 1501 holds the destination MAC address 611 in the destination MAC address holding unit 1602 among the header information transmitted from the mirror port selection circuit 901 to the HASH function calculation unit 1501. The HASH function calculation unit 1501 holds the source MAC address 612 in the source MAC address holding unit 1603. The HASH function calculation unit 1501 holds the source IP address 624 in the source IP address holding unit 1604. The HASH function calculation unit 1501 holds the destination IP address 625 in the destination IP address holding unit 1605. The HASH function calculation unit 1501 holds the source port 631 in the source port holding unit 1606. The HASH function calculation unit 1501 holds the destination port 632 in the destination port holding unit 1607.

  The header information temporarily held in the holding units 1602 to 1607 is subjected to the HASH calculation in the HASH function calculation circuit 1601 to output the HASH value. The HASH function calculation unit 1501 selects one mirror port that transmits a mirror packet in the mirror port selection circuit 901 based on the HASH value. The HASH value needs to have an information amount that can uniquely represent each of a plurality of mirror ports belonging to the same mirror port group defined in the mirror port entry 502-i. That is, since the mirror port entry 502-i defines four mirror ports, mirror port i-0, mirror port i-1, mirror port i-2, and mirror port i-3, the HASH value is the mirror port i. It is necessary to take “0” corresponding to −0, “1” corresponding to the mirror port i−1, “2” corresponding to the mirror port i-2, and “3” corresponding to the mirror port i-3. Therefore, the HASH value needs to have an information amount of 2 bits at a minimum.

  The HASH calculation in the HASH function calculation circuit 1601 is obtained by the following bit operation. The header information temporarily held in the holding units 1602 to 1607 is divided into 8-bit information, and all the divided 8 bits are added for each header information. The HASH value is obtained by adding the bit values after the addition to the next different header information and extracting the lower 2 bits. The obtained HASH value is transmitted to the mirror port selection circuit 901, and one mirror port for transmitting a mirror packet is selected based on this HASH value.

  Next, a system (traffic monitor system) that collects statistical information by the packet relay device will be described with reference to FIGS. Here, FIG. 18 is a hardware block diagram of the statistical information collection system. FIG. 19 is a functional block diagram of the packet relay apparatus. FIG. 20 is a diagram for explaining a statistical packet determination result. FIG. 21 is a functional block diagram of the flow statistics collection unit. FIG. 22 is a diagram for explaining the CAM. FIG. 23 is a diagram for explaining the flow statistics table. FIG. 24 is a diagram for explaining the analyzer port register. FIG. 25 is a functional block diagram of the analyzer port selector.

  18, the statistical information collection system includes a packet relay device (S1) 1801 and four analyzers 1720 to 1723 connected to the packet relay device (S1) 1801. The packet relay device (S1) 1801 transmits the statistical packet C0 from the analyzer port 1710 and inputs it to the analyzer 1720 connected to the analyzer port 1710. The analyzer 1720 analyzes packet header information and statistical information. The statistical packet C1 is transmitted from the analyzer port 1711 and input to the analyzer 1721 connected to the analyzer port 1711. The analyzer 1721 analyzes packet header information and statistical information. The statistical packet C2 is transmitted from the analyzer port 1712 and input to the analyzer 1722 connected to the analyzer port 1712. The analyzer 1722 analyzes packet header information and statistical information. The statistical packet C3 is transmitted from the analyzer port 1713 and input to the analyzer 1723 connected to the analyzer port 1713. The analyzer 1723 analyzes packet header information and header information.

  When the statistical packets are transmitted so as to be distributed to a plurality of analyzers in this way, all packets belonging to all flows received from the input line 1702 while the statistical packet load on the single analyzer is kept within the limit of the analysis performance of the analyzer. P0, P1, P2, and P3 can be collection targets of statistical information. On the other hand, the sampling rate, which is the ratio of the number of packets subject to flow sampling to the total number of packets received from the input line, is not reduced, and the higher-speed input line is used as the monitor port while maintaining statistical accuracy. Can do. Alternatively, a high-speed input line accommodating a larger number of flows can be used as a monitor port, and statistical information of a larger number of flows can be collected in a distributed manner by a plurality of analyzers. The difference between the fifth embodiment and the multipath is as described in the first embodiment.

  Next, the configuration of the packet relay device will be described with reference to FIG. The configuration of the packet relay apparatus in FIG. 19 can be applied to a router that routes and forwards packets or a switch that switches and forwards packets.

  In FIG. 19, a packet relay device 1801 outputs an input line 1702 to which a packet is input, a packet reception circuit 410 that performs packet reception processing, a packet search unit 1910 that performs determination processing on the reception side regarding the packet, and a packet. Packet relay processing means 430 that switches based on the line number, packet search unit 1920 that performs determination processing on the transmission side regarding the packet, and packet transmission processing by reading the packet from the transmission buffer 450 in which the switched packet is accumulated A packet transmission circuit 460 for performing the processing, an output line 1703 for outputting a packet, and an analyzer port 1710 for outputting a statistical packet are provided. The packet receiving circuit 410 determines the input line number 601 and the packet frame length LEN 602 and adds them to the header information 600 transmitted from the packet receiving circuit 410 shown in FIG. The packet search unit 1910 includes a route search unit 422 for determining an output line number, a flow statistics collection unit 1911 that collects flow statistics, and a register 470 to which a management terminal 480 is connected. In order for the packet search unit 1910 to perform route search and flow statistics collection, the packet search unit 1910 includes a route search unit 422 and a flow statistics collection unit 1911 and receives header information and input line information from the packet receiving circuit 410. . When collecting the flow information for each output line, the flow statistics collecting unit provided in the packet search unit 1920 on the transmission side can also make a determination related to the flow statistics.

In FIG. 20, the statistical packet determination result 2400 includes a statistical packet generation instruction flag 2401 and an analyzer port number 2402.
Returning to FIG. 19, the packet search unit 1910 outputs the output line number obtained by the route search unit 422, the statistical packet generation instruction flag 2401 obtained by the flow statistics collection unit 1911, and the analyzer port number that transmits the statistical packet. A statistical packet determination result 2400 composed of 2402 is transmitted to the packet receiving circuit 410 as search result information. The search result information transmitted to the packet reception circuit 410 is transmitted to the packet transmission circuit 460 via the packet relay processing unit 430 together with the information of the packet body.

  In the packet transmission circuit 460, the packet body is stored in the transmission buffer 450-1 connected to the output line 1703 and transmitted from the output line 1703. For the packet instructed to generate the statistical packet, the packet transmission circuit 460 generates a statistical packet including header information and statistical information. The generated statistical packet is accumulated in a transmission buffer 450-2 connected to the analyzer port 1710 and transmitted from the analyzer port 1710.

  A management terminal 480 is connected to the packet relay apparatus 1801 in order to enable user settings for the packet search unit 1810, and setting information from the management terminal 480 is temporarily held in the register 470. In accordance with the information read from the register 470, various table control units shown later perform table setting.

  Next, the configuration of the flow statistics collection unit provided in the packet relay device will be described with reference to FIG. In FIG. 21, a flow statistics collection unit 1911 includes a header information extraction unit 2001, a CAM control unit 2002, a flow statistics calculation unit 2004, a flow statistics table control unit 2005, an analyzer port register 2008, and an analyzer port register control unit. 2007 and an analyzer port selection unit 2009. In addition, a CAM 2003 is connected to the CAM control unit 2002. Furthermore, the flow statistics table control unit 2005 refers to the flow statistics table 2006 and updates it.

  The header information extraction unit 2001 extracts information necessary for the collection of flow statistics from the header information transmitted from the packet reception circuit 410. The header information 600 transmitted from the packet receiving circuit 410 is the same as that in the first embodiment. Here, conditions for identifying a flow when collecting flow statistics are a transmission source IP address, a destination IP address, an L4 protocol, a transmission source port number, and a destination port number. The header information extraction unit 2001 extracts header information necessary for the flow identification and transmits the header information to the CAM control unit 2002. When data is input, the CAM outputs an address including an entry that matches the input data.

  In FIG. 22, the CAM 2003 identifies a flow specified by a set of a source IP address value, a destination IP address value, an L4 protocol value, a source port value, and a destination port value. It consists of a plurality of flow entries 2003-i (i = 0 to n) as conditions.

  Returning to FIG. 21, the CAM control unit 2002 sets the CAM 2003 according to the information read from the register 470. When the CAM control unit 2002 transmits header information necessary for flow identification to the CAM 2003, the CAM 2003 determines a flow entry 2003-i that matches the header information, and sets the address of the flow entry 2003-i to the CAM control unit 2002. Send to. If there is no flow entry that matches the header information, no flow statistics are collected, and no statistical packet is transmitted from the analyzer port to the analyzer.

  The CAM control unit 2002 that has received the address of the flow entry 2003-i that matches the header information transmits this address to the flow statistics table control unit 2005. The flow statistics table control unit 2005 sets the flow statistics table 2006 according to the information read from the register 470. The flow statistics table control unit 2005 that has received the address reads the flow statistics table 2006 based on this address.

  23, the flow statistics table 2006 includes flow statistics entries 2006-i corresponding to the flow entries 2003-i. The flow statistics entry 2006-i includes the number of received packets and the number of received bytes (for each flow). The flow statistics entry of the packet search unit 1820 on the transmission side holds statistical information on the number of packets transmitted and the number of transmitted bytes) for each flow.

  Returning to FIG. 21, the flow statistics table control unit 2005 transmits the statistical information of the number of packets and the number of bytes read from the flow statistics table 2006 to the flow statistics calculation unit 2004.

  The flow statistics calculation unit 2004 adds 1 to the number of packets in the received statistical information, and adds LEN 602 that is the frame length of the packet to the number of bytes. The flow statistics calculation unit 2004 transmits the calculated packet number and the statistical information of the number of bytes to the flow statistics table control unit 2005.

  The flow statistics table control unit 2005 writes the received statistical information on the number of packets and the number of bytes into the flow statistics table 2006 based on the address of the flow entry 2003-i.

  Next, the analyzer port register control unit 2007 reads the analyzer port register 2008. The analyzer port register control unit 2007 sets the analyzer port register 2008 according to the information read from the register 470.

  In FIG. 24, the analyzer port register 2008 is set with port numbers of a plurality of analyzer ports 0, analyzer ports 1, analyzer ports 2, and analyzer ports 3 included in the same analyzer port group.

  Returning to FIG. 21, the analyzer port register control unit 2007 transmits information on the analyzer port 0, analyzer port 1, analyzer port 2, and analyzer port 3 of the analyzer port group to the analyzer port selection unit 2009. The analyzer port selection unit 2009 selects one analyzer port from the analyzer port group, sets the selected analyzer port as the analyzer port number 2402 of the statistical packet determination result 2400, and transmits the statistical packet determination result 2400 to the packet reception circuit 410. Send.

  The configuration of the analyzer port selection unit will be described with reference to FIG. In FIG. 25, the analyzer port selection unit 2009 includes an analyzer port selection circuit 2501, a counter control unit 2502, and a counter 2503. Here, the analyzer port selection unit 2009 determines analyzer port selection based on a round-robin algorithm based on the arrival order of packets.

  The analyzer port register control unit 2007 transmits information on the analyzer port 0, the analyzer port 1, the analyzer port 2, and the analyzer port 3 of the analyzer port group to the analyzer port selection unit 2009. When the analyzer port selection circuit 2501 receives the analyzer port group information, the analyzer port selection circuit 2501 transmits a signal indicating packet arrival to the counter control unit 2502.

  The counter control unit 2502 sets the counter 2503 in accordance with the information read from the register 470. When the counter control unit 2502 receives a packet arrival signal, the counter table control unit 2502 reads the counter 2503. The value of the counter 2503 needs to have an information amount that can uniquely represent each of a plurality of analyzer ports belonging to the analyzer port group defined in the analyzer port register 2008. In the analyzer port register 2008 shown in FIG. 24, four analyzer ports, analyzer port 0, analyzer port 1, analyzer port 2, and analyzer port 3, are defined, so that the counter is “0” corresponding to analyzer port 0. It is necessary to take “1” corresponding to the analyzer port 1, “2” corresponding to the analyzer port 2, and “3” corresponding to the analyzer port 3. Therefore, the counter needs to have an information amount of at least 2 bits.

  The counter table control unit 2502 transmits the value of the read counter 2503 to the analyzer port selection circuit 2501, adds 1 to the value of the read counter 2503, and writes the value after the addition to the counter 2503. If the read value of the counter 2503 is the maximum value “3”, “0” is written as the value of the counter 2503.

  The analyzer port selection circuit 2501 selects an analyzer port corresponding to the value of the counter 2503 transmitted from the counter table control unit 2502, and sets the selected analyzer port number as the analyzer port number 2402 of the statistical packet determination result 2400. The packet generation instruction flag 2401 is transmitted to the packet receiving circuit 410 as “1”.

  According to this embodiment, the statistical packet is transmitted so as to be distributed to a plurality of analyzers, thereby reducing the load on the analyzer.

  Example 6 will be described with reference to FIGS. 26 to 28. FIG. FIG. 26 is a functional block diagram of the analyzer port selection unit. FIG. 27 is a functional block diagram of the bandwidth monitoring unit 2601. FIG. 28 is a diagram for explaining a bandwidth monitoring table.

  The configuration of the packet relay apparatus of the sixth embodiment is as shown in FIG. 19 and is the same as that of the fifth embodiment. The configuration of the analyzer port selection unit in the sixth embodiment will be described with reference to FIG. In FIG. 26, the analyzer port selection unit 2009A includes an analyzer port selection circuit 2501 and a band monitoring unit 2601.

  In the sixth embodiment, the bit rate of the statistical packet transmitted for each of a plurality of analyzer ports belonging to the same analyzer port group is monitored, and the bit rate of the statistical packet transmitted for each analyzer port is predetermined for each analyzer port. Select an analyzer port that does not reach the maximum bit rate. The maximum bit rate should be less than the maximum performance of the analyzer.

  The analyzer port register control unit 2007 transmits information of the analyzer port 0, analyzer port 1, analyzer port 2, and analyzer port 3 of the analyzer port group to the analyzer port selection unit 2009A. When the analyzer port selection unit 2009A receives the analyzer port group information, the analyzer port selection unit 2009A receives four analyzer ports, analyzer port 0, analyzer port 1, analyzer port 2, and analyzer port 3, which constitute a plurality of analyzer ports belonging to the received analyzer port group. The number is transmitted to the bandwidth monitoring unit 2601.

  The bandwidth monitoring unit 2601 monitors the bit rate of the statistical packet transmitted in each of the analyzer port 0, the analyzer port 1, the analyzer port 2, and the analyzer port 3, and the bit rate of the statistical packet transmitted for each analyzer port is the analyzer. An analyzer port that does not reach a predetermined maximum bit rate for each port is selected. When there are multiple analyzer ports where the bit rate of the statistical packet transmitted for each analyzer port does not reach the maximum bit rate predetermined for each analyzer port, the analyzer port with the smallest analyzer port number is selected. And

The flowchart of the bit rate bandwidth monitoring algorithm is the same as in FIG.
FIG. 27 shows the configuration of the bandwidth monitoring unit that implements the bandwidth monitoring algorithm of FIG. FIG. 28 shows the configuration of the bandwidth monitoring table described in FIG. As is clear from the comparison between FIG. 27 and FIG. 14 and the comparison between FIG. 28 and FIG. 15, FIG. 27 differs from FIG. Also, FIG. 28 is different from FIG.

  In the seventh embodiment, the packet rate of the statistical packet transmitted for each of the plurality of analyzer ports belonging to the same analyzer port group is monitored, and the packet rate of the statistical packet transmitted for each analyzer port is predetermined for each analyzer port. Select an analyzer port that does not reach the maximum packet rate.

The configuration of the packet relay apparatus of the seventh embodiment is as shown in FIG. 19 and is the same as that of the fifth embodiment. In the seventh embodiment, the configuration of the analyzer port selection unit is the same as that of FIG.
The difference between the seventh embodiment and the sixth embodiment is as follows. (1) The maximum packet rate is less than the maximum performance of the analyzer. (2) The bandwidth monitoring unit 2601 monitors the packet rate of the statistical packet transmitted at each of the analyzer port 0, the analyzer port 1, the analyzer port 2, and the analyzer port 3, and the packet of the statistical packet transmitted for each analyzer port. Select an analyzer port whose rate does not reach the predetermined maximum packet rate for each analyzer port.

The flow chart of the packet rate bandwidth monitoring algorithm corresponds to the case where LEN = 1 is fixed in FIG. 4 regardless of the frame length of the packet.
The configuration of the bandwidth monitoring unit 2601 that implements the bandwidth monitoring algorithm of FIG. 4 is the same as that of FIG. However, the bandwidth monitoring unit 2601 has a plurality of bandwidth monitoring entries 2702-j (j = 0 to m) shown in FIG. 28 in which the maximum packet rate Rj (j = 0 to m) and the bucket threshold THRj for each analyzer port are set. The bandwidth monitoring table 2702 is provided. When all packets received from the monitor port are targeted for statistical packet generation, the sum of the maximum packet rates R0 to Rm for each analyzer port is equal to or greater than the line bandwidth of the monitor port. In FIG. 27, the LEN 602 transmitted from the header information extraction unit 2001 of the flow statistics collection unit 1911 is ignored, and a fixed value of LEN = 1 is accumulated in the LEN holding unit 2722.

  Example 8 will be described with reference to FIGS. 29 and 30. FIG. Here, FIG. 29 is a functional block diagram of the analyzer port selector. FIG. 30 is a functional block diagram of the HASH function calculation unit. The configuration of the packet relay apparatus according to the eighth embodiment is as shown in FIGS. 19 and 21 and is the same as that of the fifth embodiment.

  In the eighth embodiment, the analyzer port selection unit performs an analysis based on the HASH function using a part or all of the header information of the received packet or the transmission packet as an input value and a value for identifying the analyzer port as an output value. Select. As a result, statistical packets belonging to the same flow are not distributed to a plurality of analyzer ports, and are transmitted to a unique analyzer port for each flow. According to the eighth embodiment, statistical packets belonging to the same flow are not distributed to a plurality of analyzer ports, and are transmitted to a unique analyzer port for each flow. Therefore, it is not necessary to analyze after aggregation.

  The configuration of the analyzer port selector will be described with reference to FIG. In FIG. 29, the analyzer port selection unit 2009B includes an analyzer port selection circuit 2501 and a HASH function calculation unit 2901. Information on the analyzer port 0, analyzer port 1, analyzer port 2, and analyzer port 3 constituting a plurality of analyzer ports belonging to the same analyzer port group is transmitted from the analyzer port register control unit 2007 to the analyzer port selection circuit 2501. Also, the header information extraction unit 2001 transmits the header information necessary for identifying the flow to the analyzer port selection circuit 2501. Here, the header information as a condition for identifying the flow is a destination MAC address 611, a source MAC address 612, a source IP address 624, a destination IP address 625, a source port 631, and a destination port 632. The analyzer port selection circuit 2501 transmits the header information 600 to the HASH function calculation unit 2901.

  The configuration of the HASH function calculation unit is shown in FIG. The configuration of FIG. 30 is the same as that of FIG. The HASH function calculation unit 3001 transmits the obtained HASH value to the analyzer port selection circuit 2501. The analyzer port selection circuit 2501 selects one analyzer port that transmits a statistical packet based on the HASH value.

  As mentioned above, although the various Example of this invention was described, this invention is not limited to these Examples, A various structure can be taken in the range which does not deviate from the meaning.

It is a hardware block diagram of a mirroring system. It is a hardware block diagram of a mirroring system. It is a hardware block diagram of a statistical information collection system. It is a flowchart explaining the bandwidth monitoring algorithm of a bit rate. It is a hardware block diagram of a mirroring system. It is a block diagram of a packet relay apparatus. It is a figure explaining the header information transmitted from a packet receiving circuit. It is a functional block diagram of a mirror determination part. It is a figure explaining the structure of a mirror port table. It is a figure explaining the structure of a mirroring determination result. It is a functional block diagram of a mirror port selection part. It is a figure explaining the structure of a counter table. It is a functional block diagram of a mirror port selection part. It is a functional block diagram of a bandwidth monitoring unit. It is a figure explaining a bandwidth monitoring table. It is a functional block diagram of a mirror port selection part. It is a functional block diagram of a HASH function calculating part. System configuration for collecting statistical information in a packet relay device comprising the present invention It is a functional block diagram of a packet relay apparatus. It is a figure explaining a statistical packet determination result. It is a functional block diagram of a flow statistics collection part. It is a figure explaining CAM. It is a figure explaining a flow statistics table. It is a figure explaining an analyzer port register. It is a functional block diagram of an analyzer port selection part. It is a functional block diagram of an analyzer port selection part. 6 is a functional block diagram of a bandwidth monitoring unit 2601. FIG. It is a figure explaining a bandwidth monitoring table. It is a functional block diagram of an analyzer port selection part. It is a functional block diagram of a HASH function calculating part.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 101 ... Packet relay apparatus (S0), 102 ... Input line, 103 ... Output line, 110 ... Mirror port, 111 ... Mirror port, 112 ... Mirror port, 113 ... Mirror port, 120 ... Analyzer (A0), 121 ... Analyzer (A1), 122 ... Analyzer (A2), 123 ... Analyzer (A3), 301 ... Packet relay device (S1), 410 ... Packet receiving circuit, 420 ... Packet search unit, 421 ... Mirror determination unit, 422 ... Path search unit 430 ... Packet relay processing means, 440 ... Packet search unit, 450 ... Transmission buffer, 460 ... Packet transmission circuit, 470 ... Register, 480 ... Management terminal, 500 ... Monitor port number extraction unit, 501 ... Mirror port table control unit, 502 ... Mirror port table, 502-i ... Mirror port entry 503: Mirror port selection unit, 504: Header information extraction unit, 600 ... Header information, 601 ... Input line number, 602 ... Frame length of packet, 610 ... L2 header unit, 611 ... Destination MAC address, 612 ... Source MAC address 613 ... Ether type, 614 ... VLAN tag, 620 ... L3 header (IPv4), 621 ... IP version, 622 ... TOS (Type of Service), 623 ... L4 protocol, 624 ... Source IP address, 625 ... Destination IP address, 630 ... L4 header, 631 ... source port number, 632 ... destination port number, 700 ... mirroring determination result, 701 ... mirroring instruction flag, 702 ... mirror port number, 901 ... mirror port selection circuit, 902 ... counter Table control unit, 903... Counter table 903-i ... Counter for each monitor port, 1101 ... Band monitoring unit, 1201 ... Band monitoring table control unit, 1202 ... Band monitoring table, 1202-j ... Band monitoring entry, 1210 ... Current water amount determination unit, 1211 ... CNT holding unit , 1212 ... TLST holding unit, 1213 ... R holding unit, 1214 ... timer, 1215 ... current water amount calculation circuit, 1220 ... monitoring result determination unit, 1221 ... THR holding unit, 1222 ... LEN holding unit, 1223 ... NOWCNT storage means, 1224 ... monitoring result determination circuit, 1225 ... CNT2 holding unit, 1226 ... TLST holding unit, 1501 ... HASH function computing unit, 1601 ... HASH function computing circuit, 1602 ... destination MAC address holding unit, 1603 ... source MAC address holding unit, 1604 ... Source IP address holding unit, 1605 Destination IP address holding unit, 1606 ... Transmission source port holding unit, 1607 ... Destination port holding unit, 1701 ... Packet relay device (S0), 1702 ... Input line, 1703 ... Output line, 1710 ... Analyzer port, 1711 ... Analyzer port, 1712 ... Analyzer port, 1713 ... Analyzer port, 1720 ... Analyzer (A0), 1721 ... Analyzer (A1), 1722 ... Analyzer (A2), 1723 ... Analyzer (A3), 1801 ... Packet relay device (S1), 1910 ... Packet Search unit, 1911 ... Flow statistics collection unit, 1920 ... Packet search unit, 2001 ... Header information extraction unit, 2002 ... CAM control unit, 2003 ... CAM, 2003-i ... Flow entry, 2004 ... Flow statistics calculation unit, 2005 ... Flow Statistical table control unit 2006 ... Flow statistics table, 2006-i ... Flow statistics entry, 2007 ... Analyzer port register control unit, 2008 ... Analyzer port register, 2009 ... Analyzer port selection unit, 2400 ... Statistic packet determination result, 2401 ... Static packet generation instruction flag, 2402: Analyzer port number, 2501 ... Analyzer port selection circuit, 2502 ... Counter control unit, 2503 ... Counter, 2601 ... Bandwidth monitoring unit, 2701 ... Bandwidth monitoring table control unit, 2702 ... Bandwidth monitoring table, 2702-j ... Bandwidth monitoring entry 2710 ... Current water amount determination unit, 2711 ... CNT holding unit, 2712 ... TLST holding unit, 2713 ... R holding unit, 2714 ... Timer, 2715 ... Current water amount calculation circuit, 2720 ... Monitoring result determination unit, 2721 ... THR holding Holding unit, 2722... LEN holding unit, 2723... NOWCNT storage means, 2724... Monitoring result judgment circuit, 2725... CNT2 holding unit, 2726... TLST holding unit, 2901 .. HASH function calculating unit, 3001. Destination MAC address holding unit, 3003 ... Transmission source MAC address holding unit, 3004 ... Transmission source IP address holding unit, 3005 ... Destination IP address holding unit, 3006 ... Transmission source port holding unit, 3007 ... Destination port holding unit.

Claims (8)

In a packet relay device that is connected to a plurality of input lines and a plurality of output lines, and that transmits a packet received from one of the input lines from one of the output lines specified by header information,
A mirror port group designating unit for designating a mirror port group composed of a plurality of mirror ports for transmitting mirror packets copied from received packets or transmitted packets for each input flow or output flow;
A mirror port selection unit that selects any one of the plurality of mirror ports designated by the mirror port group designation unit for each mirror packet,
The mirror port selection unit selects a mirror port by a round robin algorithm based on the arrival order of received packets or transmitted packets ,
The packet relay device, wherein the mirror packet is transmitted from a mirror port selected by the mirror port selection unit. In a packet relay device that is connected to a plurality of input lines and a plurality of output lines, and that transmits a packet received from one of the input lines from one of the output lines specified by header information,
A mirror port group designating unit for designating a mirror port group composed of a plurality of mirror ports for transmitting mirror packets copied from received packets or transmitted packets for each input flow or output flow;
A mirror port selection unit that selects any one of the plurality of mirror ports designated by the mirror port group designation unit for each mirror packet,
The mirror port selection unit monitors a bit rate of a mirror packet transmitted for each of a plurality of mirror ports constituting the mirror port group, and selects a mirror port whose bit rate does not reach a predetermined bit rate. And
The packet relay device, wherein the mirror packet is transmitted from a mirror port selected by the mirror port selection unit. In a packet relay device that is connected to a plurality of input lines and a plurality of output lines, and that transmits a packet received from one of the input lines from one of the output lines specified by header information,
A mirror port group designating unit for designating a mirror port group composed of a plurality of mirror ports for transmitting mirror packets copied from received packets or transmitted packets for each input flow or output flow;
A mirror port selection unit that selects any one of the plurality of mirror ports designated by the mirror port group designation unit for each mirror packet,
The mirror port selection unit monitors a packet rate of a mirror packet transmitted for each of a plurality of mirror ports constituting the mirror port group, and selects a mirror port whose packet rate does not reach a predetermined packet rate. And
The packet relay device, wherein the mirror packet is transmitted from a mirror port selected by the mirror port selection unit. In a packet relay device that is connected to a plurality of input lines and a plurality of output lines, and that transmits a packet received from one of the input lines from one of the output lines specified by header information,
An analyzer port group designating unit for designating an analyzer port group composed of a plurality of analyzer ports that transmit statistical packets having header information and / or statistical information of received packets or transmitted packets as data for each input flow or output flow; ,
An analyzer port selection unit that selects one of the plurality of analyzer ports designated by the analyzer port group designation unit for each statistical packet;
The analyzer port selection unit selects an analyzer port by a round-robin algorithm based on the arrival order of received packets or transmitted packets ,
A packet relay apparatus, wherein the statistical packet is transmitted from an analyzer port selected by the analyzer port selector. In a packet relay device that is connected to a plurality of input lines and a plurality of output lines, and that transmits a packet received from one of the input lines from one of the output lines specified by header information,
An analyzer port group designating unit for designating an analyzer port group composed of a plurality of analyzer ports that transmit statistical packets having header information and / or statistical information of received packets or transmitted packets as data for each input flow or output flow; ,
An analyzer port selection unit that selects one of the plurality of analyzer ports designated by the analyzer port group designation unit for each statistical packet;
The analyzer port selection unit monitors a bit rate of a statistical packet transmitted for each of a plurality of analyzer ports constituting the analyzer port group, and selects an analyzer port whose bit rate does not reach a predetermined bit rate. ,
A packet relay apparatus, wherein the statistical packet is transmitted from an analyzer port selected by the analyzer port selector. In a packet relay device that is connected to a plurality of input lines and a plurality of output lines, and that transmits a packet received from one of the input lines from one of the output lines specified by header information,
An analyzer port group designating unit for designating an analyzer port group composed of a plurality of analyzer ports that transmit statistical packets having header information and / or statistical information of received packets or transmitted packets as data for each input flow or output flow; ,
An analyzer port selection unit that selects one of the plurality of analyzer ports designated by the analyzer port group designation unit for each statistical packet;
The analyzer port selection unit monitors a packet rate of a statistical packet transmitted for each of a plurality of analyzer ports constituting the analyzer port group, and an analyzer port in which the packet rate of the statistical packet does not reach a predetermined packet rate select,
A packet relay apparatus, wherein the statistical packet is transmitted from an analyzer port selected by the analyzer port selector. 4. A traffic monitoring system, wherein an analyzer for analyzing a mirror packet is connected to a plurality of mirror ports belonging to the mirror port group of the packet relay device according to any one of claims 1 to 3 . 7. A traffic monitoring system, wherein an analyzer for analyzing a statistical packet is connected to a plurality of analyzer ports belonging to the analyzer port group of the packet relay device according to claim 4 .

Images