JP5742549B2 - Packet capture processing method and apparatus - Google Patents

Description

  The present invention relates to a packet capture processing method and apparatus. If the packet data that flows into the network increases due to some reason for the various packet data that flows through the network and exceeds the allowable amount of the network, the packet data is queued at the relay router. Waiting for processing.

  However, the capacity of the queue of the relay router is limited, and when packets cannot be stored in the queue, delay or discard due to packet data transfer waiting occurs. This situation is congestion. In the present invention, in order to investigate and analyze the quality of a network in which such a situation occurs in normal or congested state, a packet for collecting packet data flowing in the network and measuring the quality of the network is collected. The present invention relates to a capture processing method and apparatus.

  In the packet capture processing device that measures the quality of the network, as shown in FIG. 5A, the packet data amount (traffic amount) of the network may flow in excess of the processing capability of the packet capture processing device. For packet data that has flowed in beyond the processing capacity, the measurement is missed, and the packet capture processing device processes the packet discard as it occurs, so there is a tendency to excessively measure the packet discard rate.

  In order to prevent the above problems, the packet capture processing device performs sampling measurement within the range of processing capability, for example, as shown in FIG. 5B, and performs statistical processing based on the result of the sampling measurement. Techniques such as performing quality measurements were used.

  In addition, there exists a technique of the following patent documents 1 thru | or 3 as a related technique.

JP 2003-204358 A JP 2001-103090 A JP 2010-34721 A

  As described above, in the conventional processing apparatus, as shown in FIG. 5 (a), when the processing capacity is exceeded, the packet between them is not measured and the measurement is omitted, or FIG. As shown in (b), a method of performing sampling measurement at the time of high load has been used. Alternatively, methods such as narrowing down analysis items, collecting only specific information, and collecting only specific packets at the time of high load have been proposed.

  However, these methods do not collect all the packet data that flows through the network, but omit some packet data to analyze, so it is not possible to strictly analyze the packet data that flows through the network. Accurate measurement results could not be obtained. The present invention provides a packet capture processing method and apparatus that can collect and analyze all packet data flowing in a network even under high load and can obtain a precise measurement result.

A packet capture processing method that solves the above problem includes a step of determining whether or not packet data whose processing capability exceeds a predetermined threshold is received, and a packet whose processing capability exceeds a predetermined threshold. When the data is received, it is determined whether the received packet data is the subsequent packet data of the session already processed by the own device, and if the received packet data is the subsequent packet data of the session processed by the own device, the received packet data is treated with the own device, if not the packet data of the session processing in the own device, the received packet data, for each session, see containing and transferring to other packet capture processor, a For the received packet data to be transferred to the other packet capture processing device, the payload part is discarded, and a plurality of Edit the long packet combining the header portion of the received packet data, and comprising transferring the long packet to the other packet capture processor.

In addition, the packet capture processing device that solves the above-mentioned problem has a flow rate monitoring unit that determines whether or not packet data whose processing capability exceeds a predetermined threshold is received, and the processing capability of the own device is predetermined. When packet data exceeding the threshold is received, it is determined whether the received packet data is subsequent packet data of the session already processed by the own device, and subsequent packet data of the session processed by the own device. If it is, the received packet data is treated with the own device, if not the packet data of the session processing in the own device, the received packet data, for each session, a session dispersion to be transferred to other packet capture processor and means for receiving data to be transferred to the other packet capture processor discards the payload section, Those having a packet optimization means for editing a long packets combining the header portion of the received packet data number.

  It is possible to collect and analyze all packet data by performing distributed processing with other processing devices without performing sampling measurement for packet data flowing through the network even under high load. Measurement results can be obtained.

It is a figure which shows the Example of the distributed process of the disclosed packet capture processing apparatus. It is a figure which shows an example of the flow of packet data of each session, and the example of an operation | movement flow of the dispersion | distribution process of packet data. It is a figure which shows the specific example of optimization of a transfer packet. It is a figure which shows the structural example of the functional block of a 1st, 2nd and 3rd processing apparatus. It is a figure which shows the example of the conventional process when the traffic amount exceeding a processing capacity is inflowed.

  The disclosed packet capture processing device is connected to, for example, a router or a switch constituting the packet communication network. And the packet transmitted / received by the transmission path between routers or between switches is captured. For example, a router or switch duplicates a packet to be sent to the transmission path and transfers it to the packet capture processing device. And / or the router or the switch duplicates the packet received from the transmission path and transfers it to the packet capture processing device.

  As another capture method, the disclosed packet capture processing device is placed on the transmission path between routers or switches, duplicates the received packet, transmits one to the transmission path, and holds the other in its own device. To do.

  FIG. 1 shows an example of distributed processing by the disclosed packet capture processing apparatus. The packet capture processing devices 10, 10 ′, 10 ″, for example, collect (capture) packet data of each session a to f flowing in a local area network (LAN) as an example of the packet communication network and perform analysis. In the following description, “packet capture processing device” is simply abbreviated as “processing device”. The session referred to here is a series of communications from the same transmission source device to the same reception destination device.

  Here, it is assumed that the processing load of packet analysis in the first processing device 10 is increased and the processing load is expected to exceed the processing capability threshold of the first processing device 10. Then, the first processing device 10 identifies a session of packet data received thereafter, sorts each packet data in units of sessions, transfers it to the second processing device 20 for other proxy processing, The second processing device 20 analyzes the packet data distributed in session units.

  The first processing device 10 and the second processing device 20 respectively transfer the analysis results obtained by analyzing the packet data to the third processing device 30, and the third processing device 30 Then, the analysis results transferred from the second processing device 20 are aggregated, statistical processing is performed, and network quality or the like is measured. The management result is referred to by the management management terminal 40 when the management management terminal 40 accesses the third processing device 30.

  Similarly, when the other processing apparatuses 10 ′ and 10 ″ are in a state where the processing load increases and the processing capacity threshold is expected to be exceeded, the packet data received thereafter is distributed in session units and used for proxy processing. The data is transferred to the second processing device 20, and the packet data is distributed in session units by the second processing device 20. That is, the packet data of the same session is processed by the same processing device, and the packet data of the same session is processed. The packet data is distributed so as not to be transferred to different processing devices.

  FIG. 2A shows an example of the flow of packet data for each session on the network to be captured by the first processing apparatus 10. In FIG. 2A, a1 and a2 indicate the first and second received packet data of session a, respectively. B1 and b2 indicate the first and second received packet data of the session b, respectively.

  c1 and c2 indicate the first and second received packet data of the session c. d1 and d2 indicate the first and second received packet data of the session d. e1, e2, and e3 indicate the first, second, and third received packet data of the session e. f1 indicates the first received packet data of the session f.

  Each packet data is received by the first processing device 10 in order from the left side as shown in FIG. 2A, where a high load occurs after the reception of the first packet data c1 of the session c. Assume that the high load is released after receiving the second packet data d2 of the session d.

  FIG. 2B shows an example of an operation flow for performing distributed processing on the packet data. When receiving the packet data (2-1), the first processing device 10 determines whether or not a high load is generated in the first processing device 10 (2-2). Whether or not a high load is occurring can be determined based on, for example, the CPU usage rate of the first processing apparatus 10 or the amount of transferred packets (PPS: Packet Per Second). .

  When the high load is not generated, the first processing device 10 identifies the session of the received packet data and determines whether the packet data of the session has already been transferred to the second processing device 20. (2-3). Specifically, the session is identified by extracting a destination address (Destination Address: DA), a source address (Source Address: SA), a session identifier, and the like included in the packet, and combining or all of these packets. Identifies the session.

  If the received packet data is not subsequent packet data of a session that has already been transferred to the second processing device 20, the received packet data is stored in the queue (queue) Q1 of the first processing device 10 (2- 4). Specifically, when there is a session that has been determined to be transferred, information for identifying the session is retained, the session of the packet based on the information extracted from the received packet, the retained session information, To determine whether the session is already transferred.

  When the received packet data is subsequent packet data of the session of the received packet that has already been transferred to the second processing device 20, the received packet data is transferred to the second processing device 20, and the packet data is transferred to the second processing device 20. The data is stored in the queue (queue) Q2 of the second processing device 20 (2-6).

  On the other hand, when a high load occurs, the first processing device 10 identifies the session of the received packet data, and determines whether or not the packet data of the session has already been received by the first processing device 10. Determine (2-5). The determination as to whether or not it has already been received can use the method described in the case where the above-described high load has not occurred.

  When the received packet data is not subsequent packet data of a session that has already been received by the first processing device 10, the received packet data is transferred to the second processing device 20 and the second processing device 20 waits. Store in the queue (queue) Q2 (2-6).

  When the received packet data is subsequent packet data of a session that has already been received by the first processing device 10, the received packet data is stored in a queue (queue) Q1 of the first processing device 10 ( 2-4).

  A specific description will be given of how the packet data shown in FIG. 2A is distributed by the above-described flow example of distributed processing. The packet data a1, a2, b1, c1 received before the high load is generated are sequentially stored in a queue (queue) Q1 of the first processing device 10.

  Next, since the packet data c2 received after the occurrence of high load has already been received by the first processing device 10 in the packet c1 of the session c, the packet data c2 It is stored in the matrix (queue) Q1.

  Since the packet data d1 received next is not yet received by the first processing device 10 in the session d, the packet data d1 is stored in the queue (queue) Q2 of the second processing device 20. Stored in

  Since the packet data b2 received next has already received the packet data b1 of the session b from the first processing device 10, the packet data b2 is stored in the queue (queue) Q1 of the first processing device 10. Stored in

  Since the packet data e1 received next is not yet received by the first processing device 10 in the session e, the packet data e1 is stored in the queue (queue) Q2 of the second processing device 20. Stored in

  Since the packet data d2 received next is not received by the first processing device 10 in the session d, the packet data d2 is stored in the queue (queue) Q2 of the second processing device 20. Stored.

  Since the packet data e2 received next has already been transferred to the second processing device 20 even after the high load is released, the packet data e2 Are stored in a queue (queue) Q2 of the processing device 20.

  The packet data f1 received next is after the release of the high load, and since the packet data of the session f has not been transferred to the second processing device 20, the packet data f1 is stored in the first processing device 10. Stored in the queue Q1.

  Since the packet data e3 received next has been transferred to the second processing device 20 even after the high load is released, the packet data e3 It is stored in the queue (queue) Q2 of the second processing device 20.

  In the packet capture processing method described above, the packet data received by the first processing device 10 is transferred to the second processing device 20 for proxy processing as it is for distributed processing. When the second processing device 20 to which the packet data is transferred receives the packet, it passes the packet to the operating system (OS). The operating system (OS) identifies the type of the packet, activates application software corresponding to each type, and processes the received packet on the application software.

  For this reason, in the method of transferring the packet data of the distributed processing as it is to the second processing device 20 for the proxy processing, there is a load of overhead processing due to transfer processing for each packet and activation of an operating system (OS) for each packet. As a result, the processing load on the first and second processing apparatuses 10 and 20 increases.

  Therefore, only the data part used for analysis and measurement is extracted from the packet data distributed in the above-mentioned session unit, the data unnecessary for analysis and measurement is discarded, and only the data part used for the analysis and measurement is discarded. Combined to optimize forwarding packets. By doing so, it is possible to reduce the overhead of overhead processing such as transfer processing for each packet and operating system (OS) activation for each packet.

  For optimization of the transfer packet, specifically, for example, the data in the payload portion of each packet data distributed in session units is discarded and the data in the header portion of each packet data is combined. The combined data is converted into a long packet and transferred to the second processing device 20 for proxy processing.

  By doing so, it is possible to improve the transfer efficiency by using a long packet with a high data ratio of the overhead part such as header information. In the first processing device 10, rather than processing all the packets, The processing load can be reduced by distributed processing.

  FIG. 3 shows a specific example of transfer packet optimization. FIG. 3A shows an example of packet data transferred from the first processing device 10 to the second processing device 20. Assume that packet data d1, e1, d2, e2, and e3 are transferred as shown in FIG.

  The first processing device 10 deletes the data in the payload section 3-2 from the packet data, and stores only the data in the header section 3-1 as shown in FIG. 3 is stored. The first processing device 10 combines the data of only the header part stored in the storage unit 3-3 and converts it into a long packet.

  FIG. 3B shows an embodiment in which packet data of each session transferred to the second processing device 20 is mixed and converted into a long packet. On the other hand, as shown in FIG. 3 (c), the packet data of each session transferred to the second processing device 20 is classified in session units, distributed in session units, and stored in the storage unit. can do.

That is, as shown in FIG. 3C, only the data packets d1, d2 of the session d are stored in the first storage unit 3-4, and only the data packets e1, e2, e3 of the session e are stored in the second storage unit 3-4. Store in the storage unit 3-5. Then, the data packet of session d stored in the first storage unit 3-4 is combined and converted into a long packet, and the data packet of session e stored in the second storage unit 3-5 is combined. Convert to long packet. By doing so, in the second processing device 20, the received long packet corresponds to the session unit, and it is possible to efficiently perform processing such as analysis in the session unit.

  FIG. 4 shows a configuration example of functional blocks of the first, second, and third processing apparatuses. The first processing apparatus 10 includes a reception control unit (capture engine) 11, a session management unit 12, a flow rate monitoring unit 13, a session distribution unit 14, a packet analysis unit 15, an analysis result editing unit 16, a transmission control unit 17, and a packet optimization The conversion unit 18 is provided.

  The reception control unit (capture engine) 11 controls collection of packet data flowing through the network. The session management unit 12 identifies a session based on the transmission source IP address and the destination IP address of the received packet data, and manages the received packet data on a session basis.

  The flow rate monitoring unit 13 monitors the flow rate of packet data, determines the occurrence of high load based on a preset threshold value, and notifies the session management unit 12 of the determination result. The determination of the occurrence of a high load is made when a preset threshold value (for example, 90% of the limit value of the processing capability) or a preset transfer packet amount (PPS) threshold value is exceeded for the processing capability of the processing device. It can be set as the structure determined with high load generation | occurrence | production.

  Under the management of the session management unit 12, the session distribution unit 14 sends the received packet data to the packet analysis unit 15 of its own device or transfers it to another second or third processing device. , Decentralize the analysis process. The packet analysis unit 15 analyzes the received packet data for each session. The analysis result editing unit 16 edits the analysis result analyzed by the packet analysis unit 15 and passes it to the transmission control unit 17.

  The packet optimization unit 18 discards the data in the payload portion of each packet data distributed in session units, combines the data in the header portion of each packet data, converts the combined data into a long packet, and transmits the data in the transmission control unit 17. To pass.

  The transmission control unit 17 transmits the analysis result edited by the analysis result editing unit 16 to the quality data aggregation statistical processing unit 38 of the third processing device 30. Further, the transmission control unit 17 distributes the packet data distributed by the session distribution unit 14 and converted into a long packet by the packet optimization unit 18 to the second processing device 20 or the third processing device 30 that is the transfer destination. Send.

  The second processing device 20 includes a reception control unit (capture engine) 21, a packet analysis unit 25, an analysis result editing unit 26, and a transmission as functional blocks for distributed processing of packet data received by the first processing device 10. A control unit 27 is provided.

  In the second processing device 20, the packet data transmitted from the transmission control unit 18 of the first processing device 10 is received by the reception control unit (capture engine) 21, and the packet analysis unit 25 receives the received packet data for each session. Perform the analysis process. The analysis result of the packet analysis unit 25 is edited by the analysis result editing unit 26 and passed to the transmission control unit 27. The transmission control unit 27 transmits the analysis result edited by the analysis result editing unit 26 to the quality data aggregation statistical processing unit 38 of the third processing device 30.

  As described above, the analysis results are aggregated in addition to the configuration in which the functional blocks for performing the distributed processing on the packet data received by the first processing device 10 are provided in the independent second processing device 20. It can be set as the structure which provides those functional blocks in the 3rd processing apparatus 30 which performs a statistical process.

  When the third processing device 30 performs distributed processing of packet data analysis, the third processing device 30 includes a reception control unit (capture engine) 31, a packet analysis unit 35, an analysis result editing unit 36, and a transmission. A control unit 37 is provided. Since these functions are the same as those of the reception control unit (capture engine) 21, the packet analysis unit 25, the analysis result editing unit 26, and the transmission control unit 27 in the second processing device 20, redundant description is omitted.

DESCRIPTION OF SYMBOLS 10 1st processing apparatus 20 2nd processing apparatus for proxy processing 30 3rd processing apparatus which collects and performs statistical processing 10 ', 10 "Other processing apparatus

Claims (3)

In a packet capture processing method for receiving and analyzing packet data on a network,
Determining whether or not packet data whose processing capability of the device exceeds a predetermined threshold is received;
When packet data whose processing capability exceeds a predetermined threshold is received, it is determined whether the received packet data is subsequent packet data of a session already processed by the device, and processed by the device. If the received packet data is not the packet data of the session being processed by the own device, the received packet data is changed to another packet data for each session. Transferring to a packet capture processing device;
Only including,
For the received packet data transferred to the other packet capture processing device, the payload part is discarded, a long packet obtained by combining the header parts of a plurality of received packet data is edited, and the long packet is processed by the other packet capture process. A packet capture processing method comprising a step of transferring to a device . The packet capture processing method according to claim 1 , further comprising a step of editing a long packet in which a header part of the received packet data is combined in a session unit when editing the long packet. In a packet capture processing device that receives and analyzes packet data on the network,
Flow rate monitoring means for determining whether or not packet data whose processing capability exceeds a predetermined threshold value has been received;
When packet data whose processing capability exceeds a predetermined threshold is received, it is determined whether the received packet data is subsequent packet data of a session already processed by the own device. If a subsequent packet data of the session processing, the received packet data is treated with the own device, if not the packet data of the session processing in the own device, the received packet data, for each session, other Session distribution means for transferring to a packet capture processing device of
A packet optimizing unit is provided that edits a long packet in which a payload portion is discarded and a header portion of a plurality of received packet data is combined with respect to received data transferred to the other packet capture processing device. Packet capture processing device.

Images