JP5610482B2 - Packet capture system and packet capture method - Google Patents

Description

  The present invention relates to a packet capture system and a packet capture method for capturing a packet flowing on a communication network.

  In proportion to the rapid increase in the number of smartphone users, the traffic flowing over the communication network has also increased rapidly. Operators are interested in the quality of mobile services, such as what applications smartphone users use and what services they receive, and how satisfied they are when using those services.

  In a conventional mobile network, an operator has set up a server and provided services as represented by i-mode (registered trademark) and EzWeb (registered trademark). Therefore, the operator can grasp the user trend.

  However, the rapid increase in smartphones has begun to provide mobile users with services using a general Internet network server, rather than services such as i-mode and EzWeb closed within the operator. Therefore, the operator has to judge the quality of service using a packet capture device or the like.

  Conventionally, a packet capture device captures all traffic flowing on a communication network, writes it to a database (DB) such as a hard disk, and the analyst analyzes the written data to determine how it affects the service. I was judging. There are also devices such as sFlow and NetFlow that write packets to a DB after filtering packets flowing on a communication network based on pre-determined filter rules without capturing all packets. These methods could be used without any problem with the conventional 1 Gbit / s line capacity. However, as described above, a high-speed line with a backbone line capacity of 10 Gbit / s is required due to the rapid increase in traffic. As a result, it has become difficult to capture all packets.

  In recent smartphones, there are many applications that use a plurality of sessions in one terminal. Therefore, it frequently occurs that a single terminal uses a plurality of IP addresses. Furthermore, depending on the application, the port number to be used may be changed depending on the version number of the application as well as the IP address. Therefore, even if packets are filtered and captured by the IP address or port number of the terminal, it has become very difficult to capture the packets required by the operator.

Although it is difficult to capture the packet requested by the operator, the operator wants to grasp the usage status of the user.
Patent Document 1 and Patent Document 2 disclose a system that determines a specific packet pattern in advance and analyzes data matched with the pattern for the needs of the operator.

JP 2010-0747444 A JP 2010-045704 A

  When acquiring or discarding a packet with a conventional apparatus, it is necessary to know a packet pattern in advance and pattern it. For this reason, the packet cannot be obtained or discarded unless the packet contents are exactly the same as the patterned contents. If the packet contents could not be matched in this way, a new pattern had to be input to the capture device each time, which was very complicated. That is, when filtering packets, an analyst needs to analyze traffic in advance to determine what kind of filter is applied.

  In the conventional mobile network, the server itself is managed by the operator, so it is possible to easily know parameters for identifying services such as the IP address and port number of the server and mobile terminal, and filter based on the IP address. It was possible to generate a pattern. However, it is difficult for an operator to know the above parameters for a server in a general Internet network. In such a situation, it is very difficult for an analyst to generate a filter to capture a packet.

The summary of the invention disclosed in this specification is as follows. Captures packets flowing on the network for a certain period of time, analyzes the packet analysis DB for storing those packets and the inside of the packets stored in the packet analysis DB, and extracts the trends of the most frequently appearing packets and the pre-packet capture function of the packet capture system based on the trend of the extracted packet with a packet capture device only packets corresponding to the condition can be captured and performed by these devices and functions Packet capture method.

  By using the packet capture system of the present invention in a mobile service network in which a large number of base stations are connected to a mobile network device, the packet type and data amount that the mobile network administrator has not assumed are increased. Can be collected.

1 is a block diagram of a mobile network system. It is a block diagram of a packet capture system. It is a flowchart explaining operation | movement of a packet analysis apparatus. It is a flowchart explaining operation | movement of a packet capture apparatus. It is a flowchart which searches a most frequent set with a packet analysis apparatus. It is a figure explaining the sample packet for searching a most frequent set with a packet analysis apparatus. It is a figure explaining the creation process (1st step) of a filter pattern from the pre-captured packet. It is a figure explaining the creation process (2nd step) of a filter pattern from the pre-captured packet. It is a figure explaining the creation process (final form) of a filter pattern from the pre-captured packet.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings using examples. The same reference numerals are assigned to substantially the same parts, and the description will not be repeated.
First, a mobile network system for realizing a capture system will be described with reference to FIG. In FIG. 1, the mobile network system 500 includes a communication terminal 100, a base station 150, a packet capture system 200, a communication device 250, and the Internet 300. The packet capture system 200-1 is disposed between the base station 150-1 and the communication device 250-1. The packet capture system 200-2 is disposed between the base station 150-2 and the communication device 250-1. The packet capture system 200-3 is disposed between the communication device 250-1 and the communication device 250-2.

  The communication device 250 performs call processing, header conversion, and the like. The communication device 250 includes devices such as L2SW, L3SW, and a router. Communication transmitted from the wireless terminal 100 can be performed by these devices.

  The configuration of the packet capture system 200 will be described with reference to FIG. In FIG. 2, the packet capture system 200 includes a packet analysis device 210, a packet capture device 220, and a display device 230. The packet analysis device 210 includes a pre-packet capture unit 211 and a packet analysis database (DB) 212.

Packets transferred from the base station 150 and the communication device 250 are captured by the packet analysis device 210 to sample an arbitrary number of packets at an arbitrary time. The packet analysis DB 212 collects and stores acquired packets. The pre-packet capture unit 211 analyzes the sampled packet.
The configuration of FIG. 2 can be realized by dividing the apparatus for each apparatus, or can be realized by a single apparatus such as a server.

  With reference to FIG. 3, the processing of the packet analysis device 210 will be described. In FIG. 3, the packet analysis device 210 captures a packet (S301). The packets captured at this stage are not all the packets that flow on the network, but packets that flow on the network for a certain fixed time such as 30 seconds and 1 minute. In addition, the capture cycle is set every 24 hours and every week. The packet analysis device 210 extracts the most frequent packet pattern (S302). The packet analysis device 210 stores the extracted packet pattern in the packet analysis database (S303).

  With reference to FIG. 4, the process of the packet capture device will be described. In FIG. 4, the packet capture device 220 reads a packet filter pattern from the packet analysis DB (S304). The packet capture device 220 captures the packet (S305). The packet capture device 220 captures a packet that matches the filter according to the packet filter pattern (S306). The packet capture device 220 displays the captured packet on the display device (S307), and proceeds to step 305.

  With reference to FIG. 5, a process for extracting a packet to be captured by the capture device 220 from a packet captured by the packet analysis device 210 will be described. In FIG. 5, the packet acquired by the packet analysis device 210 includes information such as a terminal identifier, a transmission source address, a destination address, a port number, a packet length, and a packet arrival interval time. Based on such information, the packet analysis device 210 extracts what type of packet pattern appears most frequently.

  First, the packet analysis device 210 determines a frequency threshold value S (S401). The threshold value S is a threshold value for extracting an element that appears S or more times in the acquired packet element. That is, if the value of S is large, the number of packets captured by the packet capture device 220 can be reduced. On the other hand, if the value of S is small, more packets are captured by the packet capture device 220. S is a value that determines how much packets to be captured by the packet capture device 220 are narrowed down.

The packet analysis device 210 sets K = 1 and Y (0) as the total set (Ω) (S402). The packet analysis device 210 sets X (K) as a set of elements that have appeared S or more times in Y (K−1) (S403). The packet analysis device 210 determines whether X (K) is an empty set (Φ) (S404). If YES, the packet analysis device 210 sets X (K−1) as the most frequent set (S407) and ends.

  When NO in step 404, the packet analysis device 210 creates Y (K) = {set consisting of only elements of X (K) and a set of the number of elements K + 1} (S405). The packet analysis device 210 increments K (S406) and returns to step 403.

  The specific processing of FIG. 5 will be described with reference to FIGS. In FIG. 6, consider {wireless terminal identification ID, source address, destination address, port number, packet length} 500 as information included in the pre-capture unit 211. Assume that the packet analysis device 210 captures packets 501 to 510 including these pieces of information. Among these, the most frequent combination is specified by the method shown in FIG. The threshold value S is 4 here. That is, if it appears four times or more in each category, it is determined that the frequency is high.

In FIG. 6, the set X1 that appears four times or more is
X1 = {101, A, B, C, 10, 200}
It is. The elements selected here are extracted from all the elements included in FIG. 6 regardless of the category to which they originally belong (wireless terminal identification ID, transmission source address, destination address, etc.).

  Consider a set Y1 composed of only X1 elements and having 2 elements.

Y1
= {{101, A}, {101, B}, {101, C}, {101, 10}, {101, 200}, {A, B}, {A, C}, {A, 10}, {A, 200}, {B, C}, {B, 10}, {B, 200}, {C, 10}, {C, 200}, {10, 200}}
It is.

  In FIG. 7, if a set of X1 elements that appears four times or more as a threshold value is X2, eight of 601, 603, 604, 605, 606, 607, 608, and 609 are marked with a circle in the X2 candidate field. Is applicable.

And X2 is X2
= {{101, A}, {101, B}, {101, 10}, {101, 200}, {A, B}, {A, 10}, {A, 200}, {B, 10}, {B, 200}, {10, 200}}
It becomes.

  Consider a set Y2 composed of only elements X2 and having 3 elements.

Y2
= {{101, A, B}, {101, A, 10}, {101, A, 200}, {101, B, 10}, {101, B, 200}, {A, B, 10}, {A, B, 200}, {A, 10, 200}, {B, 10, 200}}
It is.

  In FIG. 8, if a set of elements Y2 that appears four times or more, which is the threshold value, is X3, four of 701, 703, 706, and 709 with a circle in the candidate column for X3 correspond.

And X3 is X3
= {{101, A, B}, {101, A, 10}, {101, A, 200}, {101, B, 10}, {101, B, 200}, {A, B, 10}, {A, B, 200}, {A, 10, 200}, {B, 10, 200}}
It becomes. In this case, X3 = Y2, but X3 = Y2 is not always satisfied.

  Further, consider a set Y3 composed of only elements X3 and having 4 elements.

Y3
= {{101, A, B, 10}, {101, A, B, 200}, {101, A, 10, 200}, {101, B, 10, 200}}
It is.

  In FIG. 9, if X4 is a set that appears four times or more as the threshold value in the element of Y3, there are four sets of 801, 803, 806, and 809.

And X4 is X4
= Y3
= {{101, A, B, 10}, {101, A, B, 200}, {101, A, 10, 200}, {101, B, 10, 200}}
It becomes.

Finally, consider a set Y4 composed of only elements X4 and having 5 elements.
Y4 = {{101, A, B, 10, 200}}
Let X5 be the set of Y4 elements that appear at least four times the threshold. X5
= Y4
= {{101, A, B, 10, 200}}
It becomes.

  A set Y5 composed of only elements X5 and having 6 elements is considered, but there is no set having 6 elements. Therefore, it can be seen that the element of X5 is a combination of header information that appears most frequently in the captured packet.

Here, if there is no set satisfying X5, the element included in X4 is a combination of header information that appears most frequently in the captured packet. In this case, although the combination of the most frequently occurring header information is presence of a plurality, in which case, the most frequently appeared candidates among them is the combination of the most frequently used.

  In the above-described embodiment, the first category is five, that is, the wireless terminal ID, the transmission source address, the destination address, the port number, and the packet length, but it does not depend on the number of categories.

  The packets captured in accordance with the flow of FIG. 3 are a set of packets that have flowed most frequently on the network based on packets captured for a certain period of time in a category requested in advance by the operator. These packets are not packets that are filtered according to the subjectivity of the operator, but are packets that are extracted based on characteristics on the network. Further, by filtering the packets, it is possible to drastically reduce the traffic volume, and it is possible to reduce the probability that the capture packet is lost.

  The result is the most frequently used terminal type (for example, the terminal XXX of company A), the service or application that the user uses most frequently (for example, writing to VoIP or SNS), the most It is a user who uses the network frequently.

  As a result of displaying the captured packet, if a certain terminal type appears frequently as in the first example, it can be compared with the sales performance of that terminal type to the user using that terminal. You can predict that there will be some impact on the data. Specifically, if a terminal whose sales volume is not extremely large appears frequently due to captured packets, it is considered that a process of repeating retransmission is performed due to a bug in the terminal or the like.

  Further, when the type of application is specified as shown in the second example as a result of displaying the captured packet, it is possible to improve the service quality of the application or to restrict it. Specifically, if a large number of VoIP packets flow as a result of the captured packets, the operator can obtain statistical data of delay and fluctuation of those packets, which can be used to improve the quality of the actual service. . Also, in the event of a disaster, it is possible to restrict these packets and operate the entire network stably.

If the packet by a group that the user or the user belongs is large, there is a possibility that a small number of individuals occupies the network, it is also possible to increase the rates for rejecting the user. Conversely, it is possible to create a plan that encloses users in a specific group and preferentially provides high-quality services.

  In the packet capture system of the present embodiment, it is not necessary to set a packet pattern in advance, and it is possible to flexibly change and correct the pattern of data to be captured. In addition, since statistical analysis is performed based on the information in the header part of the packet arbitrarily captured in advance, an objective analysis result can be obtained. In order to identify the application in the conventional capture device, However, in this embodiment, a necessary packet can be captured without fixing a specific application or a specific user.

  In a mobile network, a very large number of terminals communicate while moving through a plurality of sessions. Therefore, the quality of the usage area varies as the terminal moves. Many terminals exist in fixed network communications such as an optical network at home, but since the terminals do not move, it is relatively easy to manage the quality of the network without the quality of the area changing extremely. is there. However, unlike fixed network communication, it is very difficult to grasp and manage the quality of an area in a mobile network. Therefore, an index for managing the quality of the mobile network that changes from moment to moment based on the packets captured by this embodiment, specifically, the delay, response time, fluctuation of the terminal used and the application used. It is possible to grasp statistical information such as the position of a specific user, average throughput, and the like.

  It is possible to understand the application usage status, usage time zone, and usage location for each communication terminal based on various collected capture information, and it can be used to improve application services depending on time and location, and to adjust the contents of communication terminal contracts according to usage mode It becomes possible to do.

  Further, even when the network device is in a congestion state, it is possible to instantly identify the packet type that causes the congestion from the collected capture information, and it can be used for quick network restoration work.

  DESCRIPTION OF SYMBOLS 100 ... Communication terminal, 150 ... Base station, 200 ... Packet capture system, 210 ... Packet analysis apparatus, 211 ... Pre-packet capture part, 212 ... Packet analysis DB, 220 ... Packet capture apparatus, 230 ... Display apparatus, 250 ... Communication apparatus , 300 ... Internet network, 500 ... Mobile network system.

Claims (2)

A packet capture system comprising a packet analysis device and a packet capture device,
The packet analysis device
(A) Capture a packet flowing over the network for a certain period of time, accumulate the packet,
(B) creating a set Y (0) of all elements of a plurality of categories included in the header information of the packet captured and accumulated for a certain period of time;
(C) Create a set X (1) of elements that appear more than a predetermined threshold number of times in the elements of the set Y (0) ,
(D) determining whether the set X (1) is an empty set;
(E) If it is not an empty set in (d), create a set Y (1) consisting of only elements of the set X (1) and having two elements,
As K = 1,
(F) creating a set X (K + 1) of elements in which the number of times included in each of the plurality of packets is equal to or more than the predetermined threshold among the elements of the set Y (K);
(G) determining whether the set X (K + 1) is an empty set;
(H) If the set is not an empty set in (g), create a set Y (K + 1) composed of only elements of the set X (K + 1) and having K + 2 elements,
(I) by adding 1 to the previous Symbol K to create a new K,
(J) the repeating said using the new K created in (i) (f) ~ (i) above was performed,
(K) if in the (g) is empty stores elements included in the set X (K) to the packet analysis database,
The packet capture device includes:
A packet capture system for capturing a packet including an element stored in the packet analysis database. A packet capture method in a packet capture system comprising a packet analysis device and a packet capture device,
In the packet analysis device,
(A) capturing a packet flowing on the network for a certain period of time and storing the packet;
(B) creating a set Y (0) of all elements of a plurality of categories included in the header information of the packet captured and accumulated for a certain period of time;
(C) creating a set X (1) of elements appearing more than a predetermined threshold number of times in the elements of the set Y (0) ;
(D) determining whether the set X (1) is an empty set;
(E) if it is not an empty set in (d), creating a set Y (1) consisting of only elements of the set X (1) and having two elements;
As K = 1,
(F) creating a set X (K + 1) of elements in which the number of times included in each of the plurality of packets among the elements of the set Y (K) is equal to or greater than the predetermined threshold;
(G) determining whether the set X (K + 1) is an empty set;
(H) If the set is not an empty set in (g), creating a set Y (K + 1) having only K + 2 elements and including only elements of the set X (K + 1);
A step of adding 1 to create a new K to (i) before Symbol K,
(J) a step of repeatedly performing said (f) ~ (i) above using the new K created in (i) above,
(K) if in the (g) is empty, the storing the elements included in the set X (K) to the packet analysis database,
In the packet capture device,
Capturing a packet including an element stored in the packet analysis database.

Images