JP6167625B2 - Packet recording device - Google Patents

Description

  Embodiments described herein relate generally to a packet recording apparatus.

  Various communication errors occur in a packet communication network in which data is transmitted by packets. For example, a communication error is reported when data cannot be transmitted to a specific device connected to the network. The administrator of the packet network that has received the report identifies the cause of the communication error and performs work for quickly recovering the packet communication network.

  In general, when a communication error occurs, a packet related to the communication error is captured. The administrator can identify the cause of the communication error by analyzing the data in the captured packet.

  As a conventional technique, for example, a data receiving unit that receives traffic data, a dump file recording unit that is a non-volatile recording area, and a cache that divides the received traffic data every predetermined time and temporarily holds it as cache data A traffic recording device that records traffic data. When this traffic recording device receives a detection notification for notifying that a predetermined event has occurred in the traffic data, a cache that records traffic data from the cache data of the cache unit up to a predetermined time before the detection notification is received. A cache management unit is provided that identifies data and records the identified cache data in a dump file recording unit in association with the detection notification (for example, Patent Document 1).

  Also, a plurality of collecting means for associating packet information of all communication packets on the monitoring line with the reception time information and holding a packet information holding unit to obtain traffic flow information of a predetermined collecting condition, and traffic from each collecting means A new monitoring setting condition is set based on monitoring target specifying information having at least a monitoring time condition from a management unit that manages aggregate information of a predetermined monitoring target based on flow information and an external monitoring target notification unit, and the monitoring setting condition There is a network monitoring system comprising monitoring target setting management means for setting each collection means as a new collection condition, and each collection means has packet information if the monitoring time condition of the new collection condition is in the past time range. By referring to the holding unit, traffic flow information of a new collection condition is obtained (for example, Patent Document 2).

JP 2010-213143 A JP 2008-244635 A

  However, in the technique described in Patent Document 1, the specified cache data is recorded in the dump file recording unit in association with the detection notification. For this reason, when detection notifications occur simultaneously, cache data recording processing occurs intensively, and there is a possibility that a recording processing error may occur due to an increase in processing resource load or resource shortage. In addition, since cache data corresponding to the detection notification is recorded, there is a problem in that redundant cache data is recorded and the storage capacity is wasted when the detection notification occurs intensively.

In the technique described in Patent Document 1, cache data is recorded in the dump file recording unit in response to the detection notification. For this reason, depending on the reception timing of the detection notification, the cache data to be recorded in the dump file recording unit may be erased from the cache unit. In this case, the cache data cannot be recorded in the dump file recording unit.

  On the other hand, in the technique described in Patent Document 2, packet information held in the packet information holding unit is not deleted. Therefore, if a large-capacity recording medium is not prepared, packet information may not be held due to insufficient free space. It was.

  An embodiment of the present invention aims to provide a packet recording apparatus capable of avoiding a recording processing error due to an increase in processing resource load or a resource shortage and capable of suppressing the capacity of a packet data recording area. .

An embodiment of the present invention includes a recording area in which a file in which packet information relating to a packet flowing on a network is collected in unit time is periodically recorded;
A storage area for storing information identifying a file included in a packet detection period determined based on an event that occurs on the network, and a recording time indicating a time at which the file is recorded in the recording area;
A process of determining a file to be deleted from the remaining files excluding the file specified by the information from the files recorded in the recording area, and periodically deleting the determined file from the recording area A packet recording device including a control device to be executed.

  According to the embodiment of the present invention, it is possible to avoid a recording processing error due to an increase in processing resource load or a resource shortage, and to suppress the capacity of a packet data recording area.

FIG. 1 shows a configuration example of a network system including a packet network device according to an embodiment. FIG. 2 shows a state of information transmission when a failure occurs in the network system shown in FIG. FIG. 3 is a diagram in which the NW device, the monitoring server, and the packet capture device illustrated in FIG. 2 are extracted. FIG. 4 schematically shows a configuration for sending the failure notification and the detection notification shown in FIG. FIG. 5 shows a hardware configuration example of the information processing apparatus. FIG. 6 schematically shows a configuration example of the packet capture device. FIG. 7 shows an example of the data structure of the detection notification information area. FIG. 8 shows an example of the data structure of the packet storage time information table. FIG. 9 shows an example of the data structure of the detection time condition information table. FIG. 10 is a sequence diagram relating to packet data management processing. FIG. 11 schematically illustrates packet data storage processing (operation example 1) in a normal state. FIG. 12 schematically shows packet data storage processing (operation example 1) in a normal state. FIG. 13 schematically shows a packet data storage process (operation example 2) when the packet data (dump file) in which the save flag is set becomes the oldest data. FIG. 14 schematically shows a packet data storage process (operation example 2) when the packet data (dump file) in which the save flag is set becomes the oldest data. FIG. 15 schematically shows packet data collection confirmation and post-collection processing (operation example 3) when packet data (dump file) being saved is collected (first pattern). FIG. 16 schematically shows packet data collection confirmation and post-collection processing (operation example 3) when the packet data (dump file) being collected is collected (first pattern). FIG. 17 schematically shows packet data collection confirmation and post-collection processing (operation example 4) when the packet data (dump file) being collected is collected (second pattern). FIG. 18 schematically shows packet data collection confirmation and post-collection processing (operation example 4) when packet data (dump file) being collected is collected (second pattern). FIG. 19 is a flowchart illustrating a packet data management process (an example of a CPU process according to operation examples 1 to 4). FIG. 20 is a flowchart illustrating packet data management processing (an example of processing by the CPU according to operation examples 1 to 4). FIG. 21 is a sequence diagram illustrating the detection notification management process. FIG. 22 schematically illustrates the detection notification management process (operation example 5). FIG. 23 schematically illustrates the detection notification management process (operation example 5). FIG. 24 is a flowchart illustrating an example of CPU processing in the detection notification management processing. FIG. 25 is a flowchart illustrating an example of CPU processing in the detection notification management processing.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. The configuration of the embodiment is an exemplification, and the embodiment of the present invention is not limited to the configuration of the following embodiment.

<Network work configuration>
FIG. 1 shows a configuration example of a network system including a packet recording apparatus according to an embodiment. In FIG. 1, the network system includes a service network N1 and a management network N2.

  The service network N1 is a network (packet communication network) in which a packet communication service for a user is executed, and includes, for example, a plurality of network devices (NW devices) 11 connected to the Internet IN. The NW device 11 is a packet relay device such as a layer 3 switch (L3 switch) or a router.

  The management network N2 is, for example, a network for a service provider or network administrator to maintain and manage the network system, and includes a plurality of NW devices 21. Each NW device 21 is connected to a monitoring server (detection device) 22. The NW device 21 is also a packet relay device such as a layer 3 switch (L3 switch) or a router.

  The service network N1 and the management network work N2 are connected by one or more servers S such as the servers S1 and S2 illustrated in FIG. Each server S is connected to the NW device 11 and the NW device 21. The NW device 11 and the NW device 21 are connected as necessary.

  The packet capture device 30 is an example of a packet recording device. The packet capture device 30 is connected to the monitoring server 22 via the NW device 21 in the management network N2. Further, the packet capture device 30 is connected to a predetermined NW device 11 in the service network N1 via a communication line L for packet capture. In the example illustrated in FIG. 1, the packet capture device 30 is connected to the NW device 11A via a communication line (link) L.

  When a predetermined event (for example, a communication error) is detected with respect to a packet transmitted through the packet communication network (that is, the service network N1), the packet capture device 30 performs data related to the packet before and after the occurrence of the predetermined event. (Packet data) is recorded.

  FIG. 2 shows a state of information transmission when a failure occurs in the network system shown in FIG. As shown in FIG. 2, for example, it is assumed that the link (communication line) connecting the NW device 11A and the server S1 is disconnected (link down occurs). In this case, a failure notification is sent to the monitoring server 22 from the NW device 11A and the server S1. The monitoring server 22 sends a failure detection notification corresponding to the failure notification received from the network device 11A and the server S1 to the packet capture device 30.

  3 is a diagram in which the NW device 11 (11A), the monitoring server 22, and the packet capture device 30 illustrated in FIG. 2 are extracted. FIG. 4 is a configuration for sending the failure notification and the detection notification illustrated in FIG. Is shown schematically.

  In FIG. 4, the NW device 11 has a service packet communication port P1 (hereinafter referred to as packet communication port P1), a management port P3, and a mirroring port P2 as communication ports.

  The packet communication port P1 is a communication port used for providing a packet communication service, and is used for transferring a packet (user packet). A packet transmitted from the packet communication port P1 (packet P in FIG. 4) flows on traffic (traffic flow) passing through the packet communication port P1.

  The management port P3 is used for the NW device 11 to communicate with the monitoring server 22 via the management network N2. The NW device 11 has a function for detecting a predetermined event such as a link down, and information indicating the detected predetermined event is transmitted from the management port P3 to the monitoring server 22 as a failure notification. The server S also has the management port P3 described above.

  The mirroring port P2 is a port for transmitting a copy of the packet transmitted from the packet communication port P1 (the copy packet CP in FIG. 4) to the packet capture device 30. The mirroring port P2 captures the mirroring packet (copy packet) by selecting the packet communication port P1 of the network device 11 that the packet capture device 30 desires to capture in advance or the virtual local area network (VLAN). Can be sent to the device 30. Note that the packet capture device 30 may acquire a copy of the packet using Simple Network Management Protocol (SNMP) instead of using the mirror port. The mirroring packet is an example of “a copy of a packet flowing on the network”.

The monitoring server 22 is an example of a detection device. The monitoring server 22 sends a failure notification (failure log) from each device connected to the service network N1 such as the NW device 11 or the server S.
Can be monitored in real time. The monitoring server 22 can detect the occurrence of a characteristic event that may be an incident from the failure notification.

  As shown in FIG. 4, the monitoring server 22 can include a detection information reception unit 221, a detection unit 222, and a detection information transmission unit 223. The detection information reception unit 221 receives the occurrence of a characteristic event from the NW device 11 or the server S as a failure notification (failure log), and provides the detection unit 222 with it.

  The detection unit 222 determines whether or not the event indicated by the failure notification received from the detection information reception unit 221 is an event that requires detection of packet data. When the failure notification indicates an event that requires detection of packet data, the detection information transmission unit 223 is instructed to output a detection notification.

  In response to the output instruction from the detection unit 222, the detection information transmission unit 223 generates a packet including a detection notification (detection notification signal) and transmits the packet to the packet capture device 30. The detection notification signal includes notification content and detection time. The notification content includes the content of the failure notification, and the detection time is, for example, the occurrence time of the failure notification.

  The detection notification (detection notification signal) may be input to the packet capture device 30 from a device other than the monitoring server 22. Alternatively, an administrator or an operator may directly input a detection notification (detection notification signal) to the packet capture device 30 using a user interface provided in the packet capture device 30.

  The monitoring server 22 can request the packet capture device to provide a dump file stored in the packet capture device 30. For obtaining the dump file from the packet capture device 30, for example, an existing method such as File Transfer Protocol (FTP) can be applied. Note that the dump file stored in the packet capture device 30 can be directly taken out from the packet capture device 30 by an operator (operator) using, for example, a user interface connected to the packet capture device 30.

  The packet capture device 30 temporarily records the mirroring packet (packet copy) transmitted from the mirroring port P2. The copy of the packet is an example of “information relating to the packet”. The packet capture device 30 generates a file (dump file) in which mirroring packets are collected in unit time. The dump file is recorded (saved) in a predetermined recording area. The dump file is used for analysis of an event occurring in the network (an event notified to the packet capture device 30 as a detection notification).

  Recording of the dump file in the recording area is periodically executed regardless of reception of the detection notification. Accordingly, the dump file recording process does not occur intensively by receiving the detection notifications intensively. As a result, it is possible to prevent the dump file from being recorded in the recording area due to an increase in the load of resources for recording processing or a shortage of resources.

The dump file recording area has a predetermined capacity, and if there is no free area to record a new dump file, it is deleted from the multiple dump files (dump file group) recorded in the recording area. A dump file to be determined is determined, and the dump file is deleted from the recording area. For example, the dump file with the oldest time recorded in the recording area is determined as a deletion target and deleted. As a result, it is avoided that dump files that are not used for analysis (irrelevant to the detection notification) are stored without limitation. Accordingly, the capacity of the recording area can be suppressed. In other words, the capacity of the recording medium included in the packet capture device 30 can be suppressed.

  Note that the capacity of the recording area of the dump file is based on experiments and empirical rules, even if reception of the detection notification is delayed, the capacity of the dump file related to the detection notification can exist in the recording area. Is set.

  In the present embodiment, each dump file recorded in the recording area is associated with a recording time during which each dump file is recorded in the recording area. In the packet capture device 30, information for specifying a dump file whose recording time is included in a packet detection period (hereinafter simply referred to as a detection period) associated with an event specified by the received detection notification is stored in a storage area. Is remembered. The packet detection period includes a predetermined time that goes backward (in the past) from a certain time (time) specified by the detection notification and a predetermined time that travels forward (in the future) from a certain time. A dump file whose recording time is included in the packet detection period indicates a dump file that is desired to be detected for event analysis.

  The process for determining the dump file to be deleted from the recording area is periodically executed by the control device provided in the packet capture device 30. In the periodic determination process, the control device excludes the dump file specified by the information stored in the storage area from the target to be deleted. Therefore, a dump file that is desired to be detected for event analysis is not deleted by mere passage of time.

  Therefore, an operator who desires event analysis can obtain a desired dump file through access to the recording area at a convenient timing. At this time, since the dump file to be acquired can be determined by using the above information as a clue, it is easy to obtain the desired dump file.

<Hardware configuration of information processing device>
Next, a hardware configuration example of an information processing apparatus (computer) applicable as the packet capture apparatus 30 will be described. As a hardware configuration of the packet capture device 30, an existing hardware architecture possessed by a personal computer (PC), a workstation, a dedicated or general-purpose server machine can be applied.

  FIG. 5 is a diagram illustrating a hardware configuration example of the information processing apparatus. In FIG. 5, the information processing apparatus 50 includes, as an example, a CPU 51, a memory 52, a storage device 53, and an input / output (I / O) device 54. The CPU 51, the memory 52, the storage device 53, and the I / O device 54 are connected to each other via the bus B.

  The memory 52 functions as a main memory used as a work area for the CPU 51. The main memory is formed by, for example, a RAM (Random Access Memory) and a ROM (Read Only Memory).

The storage device 53 stores various programs executed by the CPU 51 and data used when each program is executed. The storage device 53 is, for example, a non-volatile recording medium, and can be formed using, for example, at least one of a hard disk, a flash memory, and an EEPROM (Electrically Erasable Programmable Read-Only Memory). Each of the memory 52 and the storage device 53 is an example of a recording medium.

The I / O device 54 includes a communication interface circuit (communication interface (communication IF)). As the communication IF, for example, an existing network card or a network interface card (NIC) interface device for local area network (LAN) connection can be applied. The I / O device 54 can be connected to an input device such as a keyboard, a button, a pointing device, and a touch panel, and an output device such as a display device. The output device and the input device provide a user interface (UI) for an administrator and a worker (operator) to input information or acquire information.

  For example, the CPU 51 can exhibit the function as the packet capture device 30 by loading a program installed in the storage device 53 into the memory 52 and executing the program. The CPU 51 is an example of a processor (microprocessor) or a control device. A digital signal processor (DSP) can be used instead of the CPU 51.

  The hardware configuration of the information processing apparatus 50 illustrated in FIG. 5 can be applied to the hardware configuration of the monitoring server 22. That is, the I / O device 54 (communication IF) illustrated in FIG. 5 can function as the detection information reception unit 221 and the detection information transmission unit 223 illustrated in FIG. In addition, the CPU 51 can function as the detection unit 222 by executing a program stored in the storage device 53 of the monitoring server 22 on the memory 52. In other words, the monitoring server 22 can be realized using a computer such as a PC or a dedicated or general-purpose server machine.

  Further, the hardware configuration of the information processing apparatus 50 shown in FIG. 5 can also be applied to the NW device 11, the NW device 21, and the server S.

  The functions realized by the program execution using the CPU 51, the memory 52, and the storage device 53 described above may be realized by hardware logic (wired logic) using a dedicated or general-purpose hardware chip.

Functions realized by hardware logic or wired logic include, for example, electric circuits, electronic circuits, integrated circuits (ICs), and large scale integration.
(LSI), Application Specific Integrated Circuit (ASIC), etc.), Programmable Logic Device (PLD, for example, Field Programmable Gate Array (FPGA)), or two or more.

<Configuration example of packet capture device>
FIG. 6 schematically illustrates a configuration example of the packet capture device 30. In FIG. 6, the I / O device 54 (communication IF) receives a packet reception function 541 that receives a mirroring packet transmitted from the mirror port P2 (FIG. 4) of the NW device 11 and a detection notification from the monitoring server 22. It performs the detection notification receiving function 542.

  The memory 52 includes a cache area (cache area) 521, a detection notification information area (detection notification information area) 522, and a storage area for the packet storage time information table 523. The storage device 53 includes a packet data storage area 531 and a detection time condition information table 532. The packet data storage area 531 is an example of a “recording area”.

The detection notification information area 522 stores information (detection notification information) included in the detection notification received by the detection notification reception function 542. FIG. 7 shows an exemplary data structure of the detection notification information area 522. The detection notification information area 522 has a record of detection notification units. The record includes a record number (detection notification identification information (ID)), notification contents, and detection time. The notification content indicates the type of event notified by the failure notification. The event may include, for example, “link down”, “illegal access”, “application (application) error”, and “other”.

  The cache area 521 is an area that temporarily stores (caches) all mirroring packets (packet data) received by the I / O device 54 (packet reception function 541), and has a predetermined size.

  The packet data storage area 531 stores, as a rule, packet data (stored in the cache area 521) captured within a period retroactive for a predetermined time from the present as a dump file (log). For example, the packet data storage area 531 records packet data captured during a time one hour before the current time in principle.

  The packet data (cache data) stored in the cache area 521 is collected (blocked) every unit time (for example, 1 minute), and the packet data (packet data block) that is blocked is packet data as a dump file. Recorded in the storage area 531. The packet data storage area 531 can record a plurality of dump files (dump file group) for at least a predetermined time.

  The packet data storage area 531 has a predetermined storage capacity (predetermined size) capable of recording a dump file for a predetermined time (1 hour) as an initial capacity (initial size). When there is no free space in the packet data storage area 531 for recording a new dump file (new file), the oldest dump file is deleted and an area for recording a new file is created. In this way, the packet data storage area 531 keeps a predetermined capacity in principle.

  However, among the dump files recorded in the packet data storage area 531, the dump file related to the detection notification is treated as an exception and is not deleted simply by the passage of time. The dump file related to the detection notification is held in the packet data storage area 531 until it is intentionally extracted from the packet data storage area 531 by an administrator or operator (operator) who analyzes the event specified by the detection notification, for example. Is done.

  FIG. 8 shows an example of the data structure of the packet storage time information table 523. The packet storage time information table 523 is used to manage each dump file recorded in the packet data storage area 531. The packet storage time information table 523 is an example of a “storage area”.

  The packet storage time information table 523 stores a record corresponding to the dump file recorded in the packet data storage area 531. For example, as described above, when the predetermined time as the total time for recording the dump file is “1 hour” and the unit time is “1 minute”, as shown in FIG. The information table 523 has an area capable of storing 60 records as the initial number of records.

  However, the predetermined time “1 hour” and the unit time “1 minute” are examples, and the total length and unit time of recording the dump file and the number of initial records can be set as appropriate.

  Each record in the packet storage time information table 523 includes a record number (record identification information (ID)), a recording time, a write flag, and a file save flag (hereinafter, save flag). The recording time indicates the recording time (recording time) of the dump file for the packet data storage area 531.

  The write flag is a flag for confirming that the dump file is written in the packet data storage area 531. When the write flag is on (“1”) (set), it indicates that the corresponding dump file exists in the packet data storage area 531. The write flag is set when the dump file is recorded in the packet data storage area 531.

  The save flag is a flag for indicating a dump file that should be deleted from the packet data storage area 531. As described above, the dump file in which the save flag is set (set to ON (“1”)) is not deleted from the packet data storage area 531 as time passes. The save flag is set in a record corresponding to the detection period determined using the detection time condition information table 532 based on the detection time included in the detection notification.

  FIG. 9 shows a data structure example of the detection time condition information table 532. As shown in FIG. 9, the detection time condition information table 532 is a table that defines a time detection condition of a dump file to be detected as a dump file related to the detection notification. As a temporal detection condition, a predetermined time before and after the detection time of the detection notification is defined as a temporal detection condition of the dump file. A period between a time when the detection time has returned for a predetermined time in the past and a time when the detection time has advanced for a predetermined time in the future is a “detection period”.

  In the example illustrated in FIG. 9, the detection time condition information table 532 includes one or more records prepared for each notification content (event type) of the detection notification. Each record includes record identification information (ID), a notification content type, a pre-notification storage time (minutes), and a post-notification storage time.

  In this embodiment, “link down”, “illegal access”, “application error”, “other”, and the like are set as the types of notification contents. However, the number of types of notification contents can be set as appropriate. The pre-notification storage time indicates a predetermined time that goes back from the detection time to the past, and the post-notification storage time indicates a predetermined time that has advanced from the detection time to the future. For example, when the notification content is “link down”, 1 minute before and after the detection time is defined as the detection time condition.

  Returning to FIG. 6, various programs (meaning operating system, application program) executed by the CPU 51 are installed in the storage device 53, and data used in executing each program is stored. The memory 52 is used as a work area (main memory) for the CPU 51. The CPU 51 executes the packet data management process 511 and the detection notification management process 512 by loading the program stored in the storage device 53 into the memory 52 and executing it.

<Packet management processing>
Next, the packet data management process 511 executed by the CPU 51 will be described. FIG. 10 is a sequence diagram relating to the packet data management process 511. The packet data management processing 511 is roughly divided into packet data storage processing and packet data collection confirmation / post-collection processing.

<< Packet management processing sequence >>
In the sequence diagram of FIG. 10, the packet data storage process is roughly performed as follows. For example, a packet capture start instruction is input to the packet capture device 30 by an operator (operator) (<1> in FIG. 10). Then, temporary storage processing of the mirroring packet (packet data) to the cache area 521 is started (<2> in FIG. 10). The packet capture start instruction is given to the CPU 51 (<3> in FIG. 10), and the execution of the packet data management process 511 is started.

  In the packet data management process 511, the CPU 51 performs the following process for each unit time. First, the CPU 51 refers to the packet storage time information table 523 (<4> in FIG. 10). At this time, if there is a record to be deleted in the packet storage time information table 523, the CPU 51 performs an update process of the packet storage time information table 523. That is, the CPU 51 deletes the record with the oldest recording time in the packet storage time information table 523 (however, the save flag is off) (<5> in FIG. 10).

  Subsequently, the CPU 51 deletes the dump file (packet data) corresponding to the deleted record from the packet data storage area 531 (<6> in FIG. 10).

  Next, the CPU 51 updates the packet storage time information table 523 (<7> in FIG. 10). That is, the CPU 51 adds a new file record to the packet storage time information table 523.

  Subsequently, the CPU 51 acquires cache data for a unit time from the cache area 521 (<8> in FIG. 10), and stores it in the packet data storage area 531 as a dump file. As a result, the packet data storage area 531 is updated (<9> in FIG. 10). Up to this point is the packet data storage process, and subsequently, the packet data collection confirmation / post-collection process is executed.

  That is, the CPU 51 monitors each dump file recorded (saved) in the packet data saving area 531 (<10> in FIG. 10). Next, the CPU 51 refers to each record in the packet storage time information table 523 and determines whether or not there is a content difference between each dump file and each record (<11> in FIG. 10).

  At this time, if there is a difference, the difference indicates that the dump file recorded in the packet data storage area 531 has been retrieved by the operator (deleted from the packet data storage area 531). Therefore, the CPU 51 deletes the record corresponding to the dump file whose existence in the packet data storage area 531 cannot be confirmed from the packet storage time information table 523 (<12> in FIG. 10).

  The processes <4> to <12> described above are repeatedly executed (looped) every unit time until the packet capture is completed. Details of the packet data storage process, packet data collection confirmation and post-collection process will be described below.

<< Packet data storage process >>
[Operation example 1]
FIGS. 11 and 12 schematically show packet data storage processing in a normal time as Operation Example 1. FIG. However, in the example shown in FIGS. 11 and 12, the packet storage time information table 523 has 12 records (initial record number) for a predetermined time, and the packet storage time information table 523 shown in FIG. This is different from the initial number of records (60).

  When receiving the capture input (packet capture start instruction), the CPU 51 refers to the recording time, the write flag, and the file save flag in the packet storage time information table 523 to check whether there is a dump file to be deleted (FIG. 11). (1), FIG. 10 <4>).

  Here, whether or not there is a dump file to be deleted is whether or not “the number of write flags A−the number B of file save flags” is smaller than the initial record number C (12) (judgment formula: (A−B) <C ?)).

  That is, when the determination formula is satisfied ((A−B) <C), the CPU 51 determines that there is no dump file to be deleted. On the other hand, when the determination formula is not satisfied ((A−B) ≧ C), the CPU 51 determines that there is a dump file to be deleted.

  When there is a record to be deleted in the packet storage time information table 523, the CPU 51 deletes the record to be deleted from the packet storage time information table 523 (FIG. 11 (2), FIG. 10 <5>).

  At this time, among the records for which the save flag is not set (OFF), the record with the oldest recording time is determined as the record to be deleted (deletion target). In the example illustrated in FIG. 12, the record (ID = 1) with the oldest recording time (13:00) in the packet storage time information table 523 before update is the deletion target.

Subsequently, the CPU 51 deletes the dump file corresponding to the deleted record from the packet data storage area 531 (FIG. 11 (3), FIG. 10 <6>). The dump file includes recording time and packet data. The CPU 51 deletes the dump file having a recording time that matches the recording time in the deleted record. That is, as shown in the updated packet storage time information table 523 in FIG. 12, the dump file corresponding to the record with ID = 1 is deleted. When a record is deleted, each of the record immediately after that to the last record is incremented by one, and an area for storing a record related to a new dump file is generated.

  Next, the CPU 51 records the new dump file information (recording time and writing flag) in the packet storage time information table 523 (FIG. 11 (4), FIG. 10 <7>). That is, the CPU 51 generates a record of a new dump file record (recording time 13:12, write flag “1”) and stores it in a free area of the packet storage time information table 523. As a result, the recorded content of the packet storage time information table 523 becomes the updated state shown in FIG.

  As shown in FIG. 11, the received mirroring packet (packet data) is temporarily stored in the cache area 521 as cache data. The CPU 51 takes out cache data for a unit time (1 minute) from the cache data stored in the cache area 521 as a new dump file (new file). The CPU 51 stores the new file in the packet data storage area 531 (FIG. 11 (5), FIGS. 10 <8> and <9>).

  In this way, the dump file corresponding to the record having ID = 13 is stored (recorded) in the packet data storage area 531. At this time, the recording time (13:12) set in the record with ID = 13 is set in the dump file recorded in the packet data storage area 531. By this operation, the dump file in the packet data storage area 531 can be associated with the record in the packet storage time information table 523.

[Operation example 2]
13 and 14 schematically illustrate packet data storage processing in the case where the packet data (dump file) in which the save flag is set becomes the oldest data, as operation example 2.

In FIG. 14, the packet storage time information table 523 before the update adds 2 which is the number of records (each record having ID = 8 and ID = 9) in which the save flag is set to 12 initial records. It has 14 records. The process of adding a record storage area will be described later.

  In a state where the contents of the packet storage time information table 523 are the contents before the update shown in FIG. 14, the packet data management process 511 is performed as follows. That is, when the current time is a unit time period (start time of the packet data storage process), the CPU 51 refers to the packet storage time information table 523 and should delete it from the packet data storage area 531 using the above-described determination formula. Check if there is a dump file.

  In the example shown in FIG. 14, the write flag number A is 14, the save flag number is 2, and the initial record number C is 12. For this reason, since the relationship “(A−B) <C” is not established, the CPU 51 determines that the deletion target file exists.

According to the determination result, the CPU 51 detects the record with the oldest recording time among the records for which the save flag is not set (OFF) as a record to be deleted (FIG. 13 (1), FIG. 10 <1>). ). Here, the CPU 51 detects a record having ID = 10 in the pre-update packet storage time information table 523 in FIG. 14 as a deletion target and deletes it from the packet storage time information table 523 (FIG. 13 (2), FIG. 10). <5>).

  Subsequently, the CPU 51 deletes the dump file corresponding to the deleted record (ID = 10, recording time 13:09) from the packet data storage area 531 (FIG. 13 (3), FIG. 10 <6>).

  Next, the CPU 51 records the information (recording time and write flag) of the dump file (new dump file) of the next unit time in the packet storage time information table 523 (FIG. 13 (4), FIG. 10). <7>). That is, as the record having ID = 10 is deleted, the CPU 51 moves up the remaining records one by one, and stores the new dump file record (ID = 10) in the last record storage area (14th record storage area). 12, recording time 13:21, write flag “1”) is written (FIG. 13 (4)).

  Then, the CPU 51 acquires packet data (dump file) for a unit time corresponding to ID = 22 from the cache area 521 and records it in the packet data storage area 531 (FIG. 13 (5)). As described above, a record for which the save flag is set is executed every unit time (executed periodically), and is excluded from the deletion target in the determination process of the dump file to be deleted. Thereby, it is avoided that the dump file corresponding to the record is deleted from the packet data storage area 531.

<< Packet data collection confirmation and post-collection processing >>
[Operation example 3]
15 and 16 schematically show packet data collection confirmation and post-collection processing when the packet data (dump file) being saved is collected (first pattern) as Operation Example 3. FIG.

  Before the start of Operation Example 3, it is assumed that the stored contents of the packet storage time information table 523 are the contents shown in the packet storage time information table 523 before update in FIG. The operation example 3 is performed following the process <9> shown in FIG.

  As a premise of the operation example 3, as shown in FIG. 15, the dump file corresponding to each record with ID = 8 and ID = 9 among the plurality of dump files recorded in the packet data storage area 531 (with the save flag set) It is assumed that the dump file) has been collected by the operator (operator) and has already been deleted from the packet data storage area 531.

  The CPU 51 refers to the packet data storage area 531 and obtains a list (file list) in which the recording time of each dump file recorded in the packet data storage area 531 is described (FIG. 15 (1)).

  Next, the CPU 51 refers to the packet storage time information table 523 and checks whether there is a dump file collected and deleted from the packet data storage area 531 (FIG. 15 (2)). That is, the CPU 51 compares each recording time of the file list with each recording time recorded in the packet data storage time information table 523, and determines whether there is a difference.

  As described above, since the dump file corresponding to each record of ID = 8 and ID = 9 has already been deleted, the recording time of these records is not included in the file list. Therefore, each record with ID = 8 and ID = 9 is found as a difference. When the difference is found, the CPU 51 determines that the dump file related to the difference has been deleted.

  Then, the CPU 51 deletes the record related to the difference (each record with ID = 8 and ID = 9) from the packet storage time information table 523 ((3) in FIG. 15). At this time, the CPU 51 deletes not only the stored contents of the record but also the record recording area. As a result, the total number of records in the updated packet storage time information table 523 is reduced by the number of deleted records.

  In the operation example 3, as shown in FIG. 16, the total number of records that can be recorded in the packet storage time information table 523 is returned to the initial number of records by deleting the record area. As described above, when there is no record in which the save flag is set, the total number of records is the initial number of records. As a result, the number of dump files that can be recorded in the packet data storage area 531 is reduced. Thus, the capacity of the packet data storage area 531 is suppressed as much as possible.

[Operation Example 4]
17 and 18 schematically show packet data collection confirmation and post-collection processing when the packet data (dump file) being saved is collected (second pattern) as the operation example 4.

  Before the start of operation example 4, it is assumed that the stored content of the packet storage time information table 523 is the content shown in the packet storage time information table 523 before update in FIG. 18 (the same as the content before update in FIG. 14). ). Similar to the operation example 3, the operation example 4 is performed subsequent to the process <9> shown in FIG.

  However, in the operation example 4, as shown in FIG. 17, the dump file corresponding to each record of ID = 14, 15 and 16 (with the save flag set) among the plurality of dump files recorded in the packet data storage area 531. It is assumed that a dump file that has not been collected is collected by an operator (operator) and has already been deleted from the packet data storage area 531.

  The CPU 51 refers to the packet data storage area 531 and obtains a list (file list) in which the recording time of each dump file recorded in the packet data storage area 531 is described ((1) in FIG. 17).

  Next, the CPU 51 refers to the packet storage time information table 523, compares each recording time of the file list with each recording time recorded in the packet data storage time information table 523, and determines whether there is a difference. Determination is made (FIG. 17 (2)).

  As a result of the comparison, it is found that the file list does not include the recording time recorded in the records of ID = 14, 15, and 16. Therefore, the CPU 51 deletes these records from the packet storage time information table 523 (FIG. 17 (3)).

  As a result of the deletion, the contents of the packet storage time information table 523 become the updated contents shown in FIG. That is, when a dump file for which the save flag is not set is deleted, only the information of the corresponding record is deleted, and the recording area of the record is not deleted (reduced). Thereby, in the packet data storage area 531, in addition to the dump file related to the detection notification, a number of dump files corresponding to a predetermined time can be stored (recorded).

<< Flowchart >>
19 and 20 are flowcharts showing packet data management processing 511 (processing of the CPU 51 according to operation examples 1 to 4). The process shown in FIGS. 19 and 20 is executed as a loop process with a period of unit time.

  In the first 01, the CPU 51 determines whether or not a determination formula (number of write flags A−number of save flags B <initial record number C) is satisfied. If the determination formula is satisfied (01, Yes), the process proceeds to 04. If the determination formula is not satisfied (01, No), the process proceeds to 02.

  The fact that the determination formula is not satisfied means that there is no free space for adding a new record in the packet storage time information table 523. Therefore, in 02, the CPU 51 deletes the record with the oldest recording time from the packet storage time information table 523 among the records for which the save flag is not set. Subsequently, the CPU 51 deletes the dump file corresponding to the record deleted in 02 from the packet data storage area 531 (03).

  In 04, the CPU 51 records the current time as the recording time in the empty record of the packet storage time information table 523. Subsequently, the CPU 51 turns on the write flag of the record in which the current time is recorded (05). Then, the CPU 51 takes out packet data for a unit time from the cache area 521 and writes it into the packet data storage area 531 as a new dump file (06).

  Next, the CPU 51 obtains a file list from the packet data storage area 531 (07). Next, the CPU 51 determines whether or not there is a difference between the file list and the recorded contents of the packet storage time information table 523 (08). If there is no difference (08, Yes), the packet data management process 511 ends.

  On the other hand, if there is a difference (08, No), the CPU 51 determines whether a save flag is set in the record corresponding to the difference (09). At this time, if the save flag is set in the difference record (09, Yes), the CPU 51 deletes the target record together with the record area (10).

  On the other hand, when the save flag is not set (09, No), the CPU 51 deletes the information of the target record, and performs the update process of the recording time and the write flag to make the record forward. (11). When the process 10 or 11 ends, the packet data management process 111 ends. However, as described above, the packet data management process 111 is repeatedly executed in a unit time period while the packet capture is being performed.

<Detection notification management process>
Next, the detection notification management process 512 executed by the CPU 51 will be described. FIG. 21 is a sequence diagram showing the detection notification management process 512. In FIG. 21, upon receiving a packet capture start instruction (<21> in FIG. 21), the detection notification reception function 542 of the I / O device 54 enters a state for executing detection notification reception processing (FIG. 21 <2>). ). Further, the CPU 51 starts execution of the detection notification management process 512 (<3> in FIG. 21).

  When the CPU 51 starts the detection notification management process 512, the CPU 51 waits for a detection notification received by the detection notification reception function 542. The detection reception function 542 transmits a detection notification to the CPU 51 (<4> in FIG. 21). When the CPU 51 receives the detection notification, the CPU 51 displays detection notification information (that is, notification content and detection time) in the detection notification information area 522 (FIG. 7). Then, the detection time condition information table 532 (FIG. 9) is referred to (FIG. 21 <5>).

  The CPU 51 reads the pre-notification storage time and the post-notification storage time corresponding to the notification content included in the detection notification from the detection time condition information table 532. Subsequently, the CPU 51 obtains a time that goes back in the past from the detection time included in the detection notification before the pre-notification storage time and a time that has advanced from the detection time to the post-notification storage time in the future. Find the detection period to be the period.

  Next, the CPU 51 updates the packet storage time information table 523 using the detection period (<6> in FIG. 21). That is, one or more records whose recording time is included in the detection period among the records recorded in the packet storage time information table 523 are specified, and a save flag is set for each specified record. Then, the CPU 51 creates a record recording area for further recording the same number of records as the number of records for which the save flag is set.

  As described above, in the present embodiment, unless a record is stored in the packet storage time information table 523, the corresponding dump file is not recorded in the packet data storage area 531. On the other hand, the record in which the save flag is set is not deleted from the packet storage time information table 523 until it is confirmed that the corresponding dump file is deleted.

  For this reason, the record storage area for recording a new record (new dump file) decreases as the number of records in which the save flag is set (save record) increases. Therefore, the save flag is set in all records, and it may happen that a new record (that is, a new dump file) cannot be recorded.

  In order to eliminate the above inconvenience, when the save flag is set for the record, the number of records for which the save flag is set so that the storable number of records for which the save flag is not set maintains the initial number of records. The number of record storage areas is expanded.

[Operation Example 5]
22 and 23 schematically show a detection notification management process 512 as an operation example 5. FIG. As a premise of the operation example 5, as illustrated in the packet storage time information table 523 before update in FIG. 23, the packet storage time information table 523 stores records of the initial number of records (12). The save flag is not set for all records. Furthermore, the recording time of the latest record is “13:12”.

In FIG. 22, when the detection notification management process 512 (CPU 51) receives the detection notification (FIG. 22 (1)), the content of the detection notification (ID = 1, notification content “illegal access”, detection time “13:12”) ) Is stored in the detection notification information area 522 (FIG. 22 (2)). FIG. 22 illustrates a detection notification information area 522 in which a detection notification having the same content is received with a delay of one minute (detection time “13:13”) and the detection notification information is stored.

  The CPU 51 refers to the detection time condition information table 532 regarding the detection notification of ID = 1, and stores the pre-notification storage time “2 minutes” and the post-notification storage time “3 minutes” from the record that matches the notification content (illegal access). To get.

  Subsequently, the CPU 51 starts the detection period 13:10, which is two minutes after the detection time “13:12”, and ends the detection period 13:15, which is three minutes ahead of the detection time “13:12” (13:10). ~ 13: 15) is calculated.

  Next, the CPU 51 sets a save flag in a record whose recording time is included in the detection period. That is, as shown in the updated packet storage time information table 523 in FIG. 23, first, the CPU 51 sets a save flag in three records whose recording times are 13:10 to 13:12 (FIG. 23 ( 4-1)).

  Next, the CPU 51 adds three record storage areas (FIG. 23 (4-2)) in order to record a record in which the save flag is set for the remaining detection periods 13:13 to 13:15, A save flag is set in the record storage area (FIG. 23 (4-3)). As a result, records corresponding to the three dump files recorded in the packet data storage area 531 by future (future) packet data storage processing are stored in the packet storage time information table 523.

  Next, the CPU 51 adds the same number of record storage areas as the number of save flags newly set to the packet storage time information table 523. Here, six new record recording areas, which are the number of new save flags, are added. However, considering the initial number of records (12), three new record recording areas are added so that the total number of record storage areas is the number of initial records plus the number of save flags (12 + 6 = 18). You may be made to do. In this way, the number of record storage areas (that is, the number of dump files recorded in the packet data storage area 531) can be suppressed.

  As described above, the detection notification management process 512 related to the detection notification of ID = 1 is performed. At this time, when an unprocessed detection notification (for example, a detection notification of ID = 2) is stored in the detection notification information area 522, the CPU 51 performs processing for the detection notification.

  The processing for the detection notification with ID = 2 is almost the same as the processing for the detection notification with ID = 1. However, in the calculation of the detection period, the detection period “13:11 to 13:16” is calculated. Since the record storage area corresponding to the detection period has already been added, the CPU 51 sets a save flag for the recording time “13:16”.

  Subsequently, the CPU 51 adds the same number of record storage areas as the number of newly set evacuation flags (one) to the packet storage time information table 523. Of course, when the total number of record storage areas exceeds the number of initial records (12) plus the number of save flags, the CPU 51 can adopt a configuration in which no record storage area is added. In this way, the number of record storage areas (that is, the number of dump files recorded in the packet data storage area 531) can be suppressed.

<< Flowchart >>
24 and 25 are flowcharts illustrating an example of processing of the CPU 51 in the detection notification management processing 512. The detection notification management process 512 is started by receiving a detection notification from the detection notification receiving function 523 (FIG. 6).

  First, the CPU 51 stores the contents of the detection notification (notification contents and detection time) in the detection notification information area 522 (21). The processes after 21 are repeated for each detection notification.

  The CPU 51 refers to the detection time condition information table 532 (FIG. 9), reads the pre-notification storage time and the post-notification storage period included in the record corresponding to the notification content of the detection notification, and uses the detection notification detection time. The detection period (file save flag target time) is calculated (22).

  Next, the CPU 51 performs an update process for the packet storage time information table 523. That is, the CPU 51 refers to the packet storage time information table 523, and the detection period includes a time later than the current time, but a record recording area for storing a record corresponding to the time is a packet storage time information table. It is determined whether it is in 523 (23).

  At this time, if there is no record recording area (insufficient) (23, No), a record recording area (insufficient) of each recording time included in the detection period is added to the packet storage time information table 523 ( 24). On the other hand, if there is a record recording area (23, Yes), a save flag is recorded in the record recording area (record) corresponding to the detection period (25). However, the process 25 is performed on the record recording area in which the save flag is not recorded.

  Next, the CPU 51 adds the same number of record storage areas as the number of save flags newly set to the packet storage time information table 523 (26). When the process 26 is completed, if the next detection notification is stored in the detection notification information area 222, the processes 22 to 26 for the detection notification are executed. When the processing for all the detection notifications stored in the detection notification information area 222 is completed, the detection notification management processing 512 is temporarily ended, and a detection notification is waited until a new detection notification is received.

<Effect of embodiment>
According to the embodiment, a dump file in which information is stored in the packet storage time information table 523 is recorded in the packet data storage area 531. The dump file is recorded every unit time. As described above, since the dump file is periodically recorded, as a result of simultaneous occurrence of detection notifications as in the prior art (the technique described in Patent Document 1), a processing error occurs and the dump file is generated. It is possible to avoid the recording not being performed.

  Further, according to the embodiment, it is determined every unit time whether or not the stored contents of the packet data storage area 531 satisfy the above-described determination formula. If the determination formula is not satisfied, the oldest record is deleted, and the dump file corresponding to the deleted record is deleted. As a result, the number of dump files recorded in the packet data storage area 531 can be suppressed to a certain range. As a result, the recording capacity of the dump file can be suppressed.

  Further, according to the embodiment, when the detection notification is received, the detection period is calculated based on the detection time condition information, and the save flag is set in the record having the recording time included in the detection period. Records for which the save flag is set are excluded from the deletion target record determination process that is periodically executed.

That is, the record in which the save flag is set is not deleted from the packet storage time information table 523 until the dump file corresponding to the packet data storage area 531 is collected and deleted by the operator (operator). As a result, the dump file used for analysis of the event indicated by the detection notification can be continuously stored in the packet data storage area 531 until the operator obtains it.

  In the packet storage time information table 523, when a save flag is set, a new record storage area is added, and the total number of record recording areas is at least equal to the number of initial records plus the number of save flags. Thus, in addition to the dump file corresponding to the record for which the save flag is set, at least the same number of dump files as the initial number of records can be stored in the packet data storage area 531.

  Then, at each unit time (periodically), it is determined whether the dump file is collected / deleted from the packet data storage area 531 and the dump file corresponding to the record for which the save flag is set is collected / deleted. In this case, the corresponding record is deleted from the packet storage time information table 523 for each record recording area. As a result, it is possible to suppress an increase in the number of dump files recorded in the packet data storage area 531.

  As described above, according to the packet capture device 30 (packet recording device) according to the embodiment, the packet data (dump file) related to the detection notification can be efficiently saved (with less waste of storage capacity). Can do. The configurations of the above-described embodiments can be combined as appropriate.

S ... Servers 11, 21 ... Network device 22 ... Monitoring server 30 ... Packet capture device 51 ... CPU
52 ... Memory 53 ... Storage device 54 ... I / O device 511 ... Packet data management processing 512 ... Detection notification management processing 521 ... Cache area 522 ... Detection notification information area 523 ... Packet storage time information table 531 ... Packet data storage area 532 ... Detection time condition information table 541 ... Packet reception function 542 ... Detection notification reception function

Claims (6)

A recording area for periodically recording a file in which packet information relating to packets flowing on the network is collected in unit time;
Stores information for identifying a file included in a packet detection period determined based on an event that has occurred on the network, the recording time indicating the time recorded in the recording area among the files recorded in the recording area Storage area to
The recording to determine the file to be deleted region from the recorded said file from among the remaining files file specified is excluded by the information periodically the determined file processing for deleting from said recording area A control device to be executed
It includes,
Recording of the file to the recording area is performed regardless of the occurrence of an event on the network,
The packet detection period is a period between a time when a predetermined time is returned from the detection time of the event and a time which is a predetermined time after the detection time.
Packet recording device. A recording area for periodically recording a file in which packet information relating to packets flowing on the network is collected in unit time;
Stores information for identifying a file included in a packet detection period determined based on an event that has occurred on the network, the recording time indicating the time recorded in the recording area among the files recorded in the recording area Storage area to
A control device that periodically executes a process of deleting a file determined from the remaining files from which the file specified by the information is excluded from the files recorded in the recording area, from the recording area;
Including
The storage area includes a plurality of record storage areas for storing records corresponding to each file recorded in the storage area,
The record indicates the recording time, a first flag indicating that a file corresponding to the record is recorded in the recording area, and a recording time included in the record is included in the packet detection period. Storing a second flag as the information;
When the number obtained by subtracting the number of second flags from the number of first flags stored in the storage area is equal to or greater than a predetermined number of records, the control device stores the second flag stored in the storage area. A process of periodically deleting a record corresponding to the deleted record from the recording area and deleting the record having the oldest recording time from the recording area from among the records for which no flag is set. Ru
Packet recording device. When the control device receives a detection notification including the content of an event that has occurred on the network and the detection time of the event, information indicating the detection notification and a packet storage time corresponding to the detection notification Based on the above, the packet detection period is calculated, and the second flag is set for each record in the storage area included in the packet detection period, and at least the second flag is newly set. The packet recording apparatus according to claim 2, wherein processing for adding the same number of record storage areas as the set number is performed. The file recorded in the recording area includes a recording time included in a record corresponding to the file,
The control device compares each file recorded in the recording area with each record stored in the storage area, and a record corresponding to a file not recorded in the recording area is included in the storage area. 4. The packet recording apparatus according to claim 2, wherein the record is deleted from the storage area. 5. The packet recording apparatus according to claim 4, wherein when the second flag is set in a record corresponding to a file that is not recorded in the recording area, the control apparatus deletes the record together with the record storage area. . A recording area for periodically recording a file in which packet information relating to packets flowing on the network is collected in unit time;
Stores information for identifying a file included in a packet detection period determined based on an event that has occurred on the network, the recording time indicating the time recorded in the recording area among the files recorded in the recording area And a storage device that includes a control device included in the packet recording device,
The recording to determine the file to be deleted region from the recorded said file from among the remaining files file specified is excluded by the information periodically the determined file processing for deleting from said recording area To run,
It said method comprising,
Recording of the file to the recording area is performed regardless of the occurrence of an event on the network,
The packet detection period is a period between a time when a predetermined time is returned from the detection time of the event and a time which is a predetermined time after the detection time.
Packet recording method.

Images