KR100608541B1 - An apparatus for capturing Internet ProtocolIP packet with sampling and signature searching function, and a method thereof - Google Patents

Abstract

The present invention relates to an IP packet collection device and method for hardware-implementing a sampling function and a signature retrieval function which have been performed in analysis software to collect packets from a high-speed Internet circuit. According to the present invention, the field-programmable gate array (FPGA) hardware, which has been performed in analysis software so far, can be implemented with FPGA (Field Programmable Gate Array) hardware to reduce the amount of computing resources required for traffic collection on high-speed Internet circuits, and more precisely. A monitoring system capable of real time analysis can be efficiently constructed.

IP Packet Acquisition, Flow Sampling, Signature Search, Monitoring, FPGA

Description

An apparatus for capturing Internet Protocol (IP) packet with sampling and signature searching function, and a method

1 is a block diagram of an IP packet collection device having a sampling and signature search function according to an embodiment of the present invention.

2 is an operation flowchart of an IP packet collection method having a sampling and signature search function according to an embodiment of the present invention.

3 is a detailed operation flowchart illustrating a sampling method according to an embodiment of the present invention.

4 is a detailed operation flowchart illustrating a signature search method according to an embodiment of the present invention.

The present invention relates to an IP packet collecting device having a sampling and signature retrieval function and a method thereof. The present invention relates to an FPGA (Field Programmable) method for collecting a sampling function and a signature retrieval function that have been performed in analysis software to collect packets from a high-speed Internet circuit. Gate Array) The present invention relates to an IP packet collecting device implemented in hardware and a method thereof.

First, the sampling type can be divided into packet sampling and flow sampling. Among them, flow sampling defines packets having the same characteristics as one flow and samples packets using a predetermined calculation rule based on the flow. Way.

For example, for a flow on the Internet, a collection of packets with the same source internet protocol (IP) address, destination IP address, protocol, source port number, and destination port number can be defined as a flow.

It also checks whether a signature, such as a specific pattern or string, exists in the payload of an L4 PDU (Protocol Data Unit), such as TCP or UDP, for a collected IP packet. Just attach the payload and truncate it to a fixed fixed collection size, otherwise discard the payload and pass the collected packets up to the L4 header to the analysis software.

By doing so, the amount of data collected by the IP packet collector to the analysis server is reduced to a minimum, so that the traffic analysis system can analyze a larger number of packets quickly and accurately even on a high-speed Internet circuit.

Traffic measurement technology is needed to understand the operational status and traffic characteristics, design and plan, block harmful traffic, billing and quality of service (QoS) of the currently operating network.

Such traffic measurement can be divided into active measurement and passive measurement.

Active measurement is a method of measuring the result by sending packets for measurement directly to the network, which has the advantage of easily obtaining the metric desired to obtain such as one-way delay, but the best-effort of the Internet network. There are disadvantages of inaccurate measurement results due to service characteristics and current normal network traffic.

Passive measurement, on the other hand, is a method of tapping a physical link circuit or using a port mirroring function of a switch or a router to classify circuits and set one circuit separately for monitoring. This method has the advantage of not only collecting all the traffic flowing through the circuit but also having no effect on the current network. However, there is a problem that the network currently in operation must be temporarily stopped for physical tapping of the circuit.

However, because network operators want to know and manage the network situation in real time and operate the network efficiently without affecting the current network performance, manual measurement methods are more used.

Meanwhile, due to the increase in the number of Internet users and the emergence of various application services, the Internet network has become large in size, ranging from several 100Mbps to several 10Gbps. There are some problems when trying to measure such a high speed line using a general purpose network interface card (NIC) card.

The first problem is that as the traffic volume increases, the central processing unit (CPU) usage increases rapidly due to the increased interrupt processing for every packet, causing packet loss and even the system itself to stop.

The second problem is that since a regular NIC card does not have the ability to calculate time, it uses the system's current time as the time stamp of the time the packet arrived, which also differs from time to time for each system. There is a problem that is calculated later.

The third problem is that there is no storage fast enough to store large amounts of data collected from high speed lines in real time.

Therefore, in order to solve the above-mentioned problem, a time stamp for accurate packet arrival time is calculated using a Global Positioning System (GPS) or a Code Division Multiple Access (CDMA) in a collection card, and interrupt processing is performed for every packet. Instead, a dedicated collection device is needed that can collect a certain amount of collected data and process it all at once to reduce CPU usage.

However, in order to monitor a high-speed link, a collection-only device cannot solve the fundamental problem. Therefore, instead of measuring all packets flowing through a circuit, sampling is required.

Currently, packet sampling is performed by the router's interface card, but it is not frequently used due to the poor performance of the router. In particular, flow-based sampling only affects the performance of the monitoring system because it is performed only by analysis software.

Therefore, there is a need for a collection device in which such a sampling function is implemented in hardware. Collecting packets of a given length from a high-speed line generates a large amount of data, which is a fast enough hard disk storage device that can pass it from the acquisition unit to system memory and store it for analysis software again. Is needed. However, there is a problem that the speed of the storage device is not fast enough to store all of a large amount of data generated in a high speed Internet line.

Thus, there is a need to reduce the amount of collected data generated to a minimum, so that it can be collected at a storage speed and, on the other hand, to reduce the analysis software analysis time.

On the other hand, the analysis software needs to distinguish which application the collected packet belongs to in order to calculate application-specific statistics. This can be done by searching for a specific pattern or signature in the payload of the L4 packet.

However, these tasks are time-consuming and computer-intensive, which greatly affects the overall performance of the monitoring system.

Therefore, it is necessary to implement this function in hardware in the collection device to speed up the analysis software analysis and to minimize the amount of data generated from the device by discarding unnecessary data.

In addition, instead of invoking a DMA interrupt every time a packet is finally collected and processed, copying it to system memory over the PCI bus, wait until a certain amount of collected packet data is stored before invoking one DMA interrupt. By doing so, it is necessary to reduce CPU resource waste caused by many interrupt calls occurring on a high speed line.

An object of the present invention to solve the above problems is to implement a sampling function and a signature search function performed in the analysis software with FPGA (Field Programmable Gate Array) hardware to provide a sampling and signature search function that can collect packets faster and more accurately. The present invention provides an apparatus for collecting internet protocol packets and a method thereof.

As a means for achieving the above object, the IP packet collection device according to the present invention,

An L2 frame generation unit configured to generate a frame of an L2 link layer by receiving traffic from a network interface connection unit generating a bit stream from a physical circuit;

An input frame storage unit for storing frame data generated by the L2 frame generation unit;

Signature search for distinguishing L2 header, IP header, L4 header and payload by receiving one frame from the input frame storage unit, and performing signature search with reference to signature search rules defined according to each L4 protocol part; And

After receiving one frame from the input frame storage unit, the L2 header, the IP header, the L4 header, and the payload are classified, and the IP packet is sampled according to a sampling mode. If the signature search mode is turned on, the central packet processing unit discards the payload if the signature search fails according to the result of the signature search unit, and processes the packet according to a predetermined collection size if the signature search succeeds.

Characterized in that it comprises a.

In addition, as another means for achieving the above object, the IP packet collection method according to the present invention,

In the IP packet collection method that the data is transmitted through the PCI bus of the general-purpose PC or server, and has a sampling and signature search function,

a) generating one L2 frame from a physical circuit, and then dividing the L2 frame into an L2 header and an IP packet;

b) when the input packet is an IP packet, checking a sampling mode and performing sampling corresponding to a mode type if a sampling mode is turned on;

c) checking a signature mode when the sampling performance is successful, and performing a signature search process when the signature mode is turned on;

d) discarding the payload portion after the L4 header of TCP or UDP if the signature search result is unsuccessful, adding a time stamp using a time synchronization signal, and storing the processed acquisition data in a PCI output buffer;

e) If the signature mode is off or the signature search result is successful, discard the portion of the IP packet after a predetermined acquisition length, add a time stamp using a time synchronization signal, and then process the collected data into the PCI output buffer. Storing; And

f) invoking a direct memory access (DMA) interrupt to the system memory via the PCI bus when the last collected stored data reaches a predetermined amount;

Characterized in that it comprises a.

Hereinafter, an IP packet collecting device having a sampling and signature search function and a method thereof according to an embodiment of the present invention will be described in detail with reference to the accompanying drawings.

Embodiments of the present invention define a general configuration and method of a collection device including sampling and signature retrieval functions, and also define methods for packet sampling and flow sampling, in order to solve the technical problems of measuring high-speed lines. Then, a method of searching for a specific signature in the payload of the L4 packet is defined.

In addition, an embodiment of the present invention discloses an apparatus and method for monitoring collection dedicated to ensure various functions and optimal performance by implementing the above methods in hardware.

FIG. 1 is a block diagram illustrating an IP packet collection apparatus having a sampling and signature search function according to an exemplary embodiment of the present invention.

Referring to FIG. 1, the IP packet collecting apparatus 100 according to an exemplary embodiment of the present invention may include a (Booter) 110, a network interface connection unit 120, an L2 frame generation unit 130, and an input frame storage unit 140. ), The signature search unit 150, the central packet processing unit 160, the GPS / CDMA time signal access unit 170, the collection packet storage unit 180, and the PCI bus control unit 190, and the SDRAM ( Synchronous Dynamic Random Access Memory (151) memory 151 and TCAM (Ternary Content Addressable Memory) memory 152 may be further included.

First, the network interface connector 120 generates a bit stream from a physical circuit.

The GPS / CDMA visual signal access unit 170 may generate a precise time stamp by receiving GPS or CDMA time information through an RJ45 port.

The L2 frame generator 130 receives the traffic from the network access unit 120 to generate a frame of the L2 link layer.

The input frame storage unit 140 stores the frame data generated by the L2 frame generation unit 130 and is implemented as a FIFO (First In First Out) buffer.

The signature retrieval unit 150 receives one frame from the input frame storage unit 140, classifies the L2 header and the IP header, and the L4 header such as TCP or UDP and the payload, and then defines them according to each L4 protocol. The signature search is performed by referring to the signed signature search rule, and may be implemented in an FPGA.

Here, the SDRAM memory 151 stores a rule to be used for the signature search, and the TCAM memory 152 is a memory required for the signature search unit 150 to determine whether a specific pattern exists.

In addition, the central packet processing unit 160 receives one frame from the input frame storage unit 140 and classifies the L2 header and the IP header and the L4 header such as TCP or UDP and the payload, and then determines whether the packet is an IP packet. Inspects and performs the sampling process on the IP packet according to the sampling mode. At this time, if the signature retrieval mode is turned on only for the packet whose result is successful, the packet retrieval unit discards the payload in case of failure and processes the packet according to the predetermined collection size in case of success, according to the result of the signature retrieval unit 150. In addition, the time information is received from the GPS / CDMA time signal access unit 170 and finally, the collected data for the IP packet is generated together with the time stamp and stored in the PCI output buffer.

The collected packet storage unit 180 is for storing the final collected data generated by the central packet processing unit 160, and is implemented as a FIFO buffer.

The PCI bus controller 190 calls the DMA interrupt only once and delivers it to the system memory when the processed collection data stored in the collection packet storage unit 180 reaches a predetermined size.

From 110 serves to initialize all the set values of the collection device (100).

Specifically, in the IP packet collection apparatus 100 according to the embodiment of the present invention, the network interface connection unit 120 includes all kinds of physical links and signaling protocols capable of Internet high-speed lines.

For example, possible cable lines are in the form of Unshield Twisted Pair (UTP) cables, optical cables, and the physical signal protocols and speeds are Giga Ethernet, Asynchronous Transfer Mode (ATM), and Optical Carrier (OC) -12 /. 48/192/768, etc.

2 is a flowchart illustrating a method of collecting an IP packet having a sampling and signature search function according to an embodiment of the present invention.

1 and 2, an IP packet collection method having a sampling and signature retrieval function according to an embodiment of the present invention, first, initializes all setting values of a device by a booter 110 when power is supplied. S201), and then, if up by the device driver, the process moves to the packet waiting state S202.

Next, when the bit stream comes from the network interface connection unit 120 in the packet waiting state (S202), the L2 frame generation unit 130 generates an input frame and inserts it into the input frame storage unit 140 ( S203).

Next, when one frame enters the input frame storage unit 140, the L2 frame header and the IP header are classified according to the type of the interface of the Internet line (S204).

Next, it is checked whether the input frame is an IP packet (S205), and if the input frame is not an IP packet, the process moves to the packet waiting state (S202), and the algorithm continues for only the IP packet.

Next, when the input frame is an IP packet, it is checked whether a sampling mode is turned on (S206). When the sampling mode is turned on, if the sampling mode type is one of Cyclic, Random, and Hash, sampling is performed according to a corresponding type. It performs (S207).

In this case, it is checked whether the sampling performance is successful (S208). If the sampling performance is unsuccessful, the process moves to the aforementioned packet waiting state (S202), and if the sampling performance is successful, comparing the next signature search mode ( S209).

Next, when the sampling function is turned off in the above-described step S206 or the sampling execution result is successful in the above-described step S208, the signature search mode is checked (S209).

If the signature search mode is turned on, the signature search process is performed according to the L4 protocol such as TCP or UDP (S210). Thereafter, it is checked whether the signature search is successful (S211). If the signature search execution result is unsuccessful, the procedure proceeds to step S213 which will be described later. If the signature search execution result is successful, the process moves to the next step S212.

If the signature search execution fails in step S211 described above, all payload parts of the L4 protocol such as TCP or UDP are discarded, only the L4 header including the IP header is selected, and the GPS / CDMA visual signal access unit 170 is performed. After receiving the time information from the time stamp is added to create the final collection information for the IP packet, and stores it in the collection packet storage unit 180 output buffer (S213).

Otherwise, if the signature mode is turned off in step S209 or the signature search result is successful in step S211, the payload portion after the predetermined IP packet collection length is discarded and the GPS / CDMA visual signal access unit 170 is discarded. After receiving the time information from the time stamp is added to create the final collection information for the IP packet and stored in the output buffer of the collected packet storage unit 180 (S212).

As such, when the collected data stored in the above-described steps S212 and S213 are collected by the PCI bus controller 190, a predetermined amount of processed data is collected, and a packet is transferred to the kernel memory of the system by calling one DMA interrupt. (S214).

3 and 4, the above-described sampling method of step S207 and the signature search method of step S210 will be described in detail.

3 is a detailed operation flowchart illustrating a sampling method according to an embodiment of the present invention.

Referring to FIG. 3, the sampling method according to an embodiment of the present invention first compares sampling types (S207-1).

If the sampling mode type is cyclic, the InPktCnt internal variable representing the current number of input packets is increased by one (S207-2). Then, this InPktCnt value is compared with the value of Cyclic_N, which is a predetermined number of packets to be sampled (S207-5), and if the two values are different, the search result is determined to be failed (S207-10). The value is initialized to 0 (S207-8), and the sampling result is determined to be successful (S207-9).

If the sampling mode type is random, a random probability value between 0 and 1 along a uniform distribution is generated and stored in the internal variable p (S207-3). Thereafter, the generated probability value p is compared with a random_P value that is predefined and represents a probability of sampling (S207-6). If the p value is larger than the Random_P value, the sampling result is determined as a failure (S207-10). If the generated probability value p is less than or equal to the Random_P value, the sampling result is determined to be success (S207-9).

If the sampling mode type is Hash, a value of K = (k ₀ , k ₁ , ..., k _n-1 ) representing key values that can distinguish the flow is extracted from the header of the packet (S207-4). ). The extracted key values K are calculated by inputting them into hash (K), which is a predetermined hash function, and the result is divided by a Hahs_M value representing a predetermined number of hash values to be sampled, that is, hash (K). % Hash_M is compared with Hash_N indicating a result value to be input and sampled in advance (S207-7). If the comparison result of the previous two values is the same, the sampling search result is determined as success (S207-9). If the comparison result of the two values is different, the sampling search result is determined as failure (S207-10).

In the sampling method according to the embodiment of the present invention, when the sampling mode type is Cyclic or Random, it corresponds to packet sampling, and when Hash, it corresponds to flow sampling.

In particular, in flow sampling, the selection of K, the key values that distinguish flow attributes, and the uniform distribution of values are required to use the fast and simple hash (K) function in order for the flow to be uniformly applied during sampling.

Other K's and hash (K) 's in the embodiments of the present invention include the general case of most applicable K's and hash (K). For example, key values that distinguish flows can be extracted from the IP header and TCP or UDP header of an IP packet, for example, K = (source IP address, destination IP address, protocol number, source port number, destination port number. Can be defined as In addition, the hash function may be defined as H (k) = (source IP address + destination IP address + protocol number + source port number + (destination port number << 16)).

4 is a detailed flowchart illustrating a signature searching method according to an embodiment of the present invention.

Referring to FIG. 4, the signature search method according to an embodiment of the present invention first compares an L4 protocol type of an input packet (S210-1).

If the L4 protocol type is TCP or UDP, it is checked whether there is a specified signature search rule for the source port or the destination port (S210-2), and if the signature search rule exists, at the start position of the payload to be searched. A search is performed to see whether a signature exists between end positions (S210-4).

As a result of the previous search, it is checked whether the signature exists (S210-7). If the signature exists, the signature search result is determined to be successful (S210-10).

Otherwise, if the signature search rule for the source or destination port no longer exists in step S210-2, it is checked whether the signature search rule for any port exists (S210-3). If there is a signature search rule in step S210-3, a search is performed to see whether a signature exists between the start position and the end position of the payload to be searched (S210-5).

As a result of the previous search, it is checked whether the signature exists (S210-8). If the signature exists, the signature search result is determined to be successful (S210-10), otherwise, the process proceeds to S210-3 again. Otherwise, if the signature search rule for any port no longer exists in step S210-3, the signature search result is determined to fail (S210-11).

If the L4 protocol type is not TCP or UDP in step S210-1, a search is performed to see whether a signature exists according to a search rule defined for each corresponding protocol (S210-6). If the signature check result is present (S210-9), if the signature exists, the signature search result is determined as success (S210-10), otherwise the search result is determined as failure (S210-9). S210-11).

In the signature retrieval method according to an embodiment of the present invention, one example of the signature retrieval rule may be defined as <application protocol, port number, retrieval start position, retrieval end position, signature length, signature>.

In this case, the applied protocol can be classified into TCP source, TCP destination, UDP source, and UDP destination. If the port number is 0, it is an arbitrary port number. Otherwise, it means the corresponding port number. It can consist of the end position, the length of the signature to retrieve and the actual pattern. In addition, for L4 protocols other than TCP or UDP, signature search rules may be applied separately according to each protocol.

In the embodiment of the present invention, although the FIFO is used as a buffer for storing the input packet and the last processed acquisition packet, another buffer element may be used, and an SDRAM is used to store the signature search rule, but another storage memory may be used. have.

In addition, although the signature search unit FPGA uses TCAM as a memory type required to determine whether a specific pattern exists, other types of memory having similar functions may be used. In addition, a collection device may be manufactured using only one function, as needed, among the sampling function and the signature search function.

As a result, embodiments of the present invention reduce the amount of data collected through packet and flow sampling and collect L4, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), when attempting to collect IP packets from a high-speed Internet circuit. By retrieving a signature representing a specific application pattern from the payload of the packet and discarding the unnecessary payload part, the amount of data transmitted through the Peripheral Component Interconnect (PCI) is minimized. In particular, flow sampling enables the traffic analysis system to analyze application flows more accurately by allowing all packets corresponding to a given flow to be extracted.

Also, an embodiment of the present invention provides a method for executing all steps of the IP packet collection method including the sampling and signature retrieval functions, all the steps of the sampling retrieval method, and all the steps included in the signature retrieval method. A computer readable recording medium having recorded a program can be provided.

While the invention has been shown and described in connection with specific embodiments thereof, it will be appreciated that various modifications and changes can be made without departing from the spirit and scope of the invention as indicated by the claims. Anyone who owns it can easily find out.

According to the present invention, when manufacturing an IP packet collection device including sampling and signature retrieval functions from a high-speed Internet line, time synchronization can be performed using GPS or CDMA to generate precise time stamps, and existing analysis By implementing the packet sampling, flow sampling, and signature retrieval functions that require a lot of computer resources in software, the hardware can quickly provide the various functions needed to collect packets from high-speed lines using less CPU resources. have.

In addition, according to the present invention, since the flow sampling can collect all packets corresponding to the application flow, it is possible to solve the inaccuracy problem in the flow analysis in the existing packet sampling, and in particular, L4 protocol such as TCP or UDP. By applying signature search rules, the FPGA can implement the part dedicated to signature search only to improve the speed and minimize the amount of data finally processed and collected.

In addition, according to the present invention, CPU resources can be efficiently used because the DMA interrupt calls are transferred to the system memory only when the collected data reaches a predetermined amount.

In addition, according to the present invention, sampling and signature retrieval functions are possible from a high-speed line, so that a general-purpose PC or server can collect and analyze packets in real time, as well as detect virus intrusion alerts and distributed denial of service attacks. You can build a low-cost, high-speed Internet line monitoring system for real-time QoS assurance, Network Intrusion Detection System (NIDS), and traffic management.

Claims (14)

An L2 frame generation unit configured to generate a frame of an L2 link layer by receiving traffic from a network interface connection unit generating a bit stream from a physical circuit; An input frame storage unit for storing frame data generated by the L2 frame generation unit; Signature search for distinguishing L2 header, IP header, L4 header and payload by receiving one frame from the input frame storage unit, and performing signature search with reference to signature search rules defined according to each L4 protocol part; And After receiving one frame from the input frame storage unit, the L2 header, the IP header, the L4 header, and the payload are classified, and the IP packet is sampled according to a sampling mode. If the signature search mode is turned on, the central packet processing unit discards the payload if the signature search fails according to the result of the signature search unit, and processes the packet according to a predetermined collection size if the signature search succeeds. IP packet collection device comprising a. The method of claim 1, A GPS / CDMA visual signal connection for generating a precise time stamp; A memory storing a rule to be used for the signature search; A TCAM (Ternary Content Addressable Memory) memory device required for the signature search unit to determine the presence or absence of a specific pattern; A collection packet storage unit which is a PCI output buffer for storing final collection data generated by the central packet processing unit FPGA; And PCI bus controller which collects a certain amount of collected packets in the collected packet storage unit and delivers them using one DMA interrupt call Additionally contains The central packet processing unit receives the time information from the time signal access unit, and finally collects the collected data for the IP packet with a time stamp and stores in the PCI output buffer, IP packet collecting apparatus. The method of claim 1, And the input frame storage unit and the collection packet storage unit use a first in first out (FIFO) buffer. The method of claim 1, The signature retrieval unit and the central packet processor are implemented in a field programmable gate array (FPGA). In the IP packet collection method that the data is transmitted through the PCI bus of the general-purpose PC or server, and has a sampling and signature search function, a) generating one L2 frame from a physical circuit, and then dividing the L2 frame into an L2 header and an IP packet; b) when the input packet is an IP packet, checking a sampling mode and performing sampling corresponding to a mode type if a sampling mode is turned on; c) checking a signature mode when the sampling performance is successful, and performing a signature search process when the signature mode is turned on; d) discarding the payload portion after the L4 header of TCP or UDP if the signature search result is unsuccessful, adding a time stamp using a time synchronization signal, and storing the processed acquisition data in a PCI output buffer; e) If the signature mode is off or the signature search result is successful, discard the portion of the IP packet after a predetermined acquisition length, add a time stamp using a time synchronization signal, and then process the collected data into the PCI output buffer. Storing; And f) invoking a direct memory access (DMA) interrupt to the system memory via the PCI bus when the last collected stored data reaches a predetermined amount; IP packet collection method comprising a. The method of claim 5, In step b), the types of the sampling modes are compared, and the sampling mode type performs each sampling according to a cyclical, random, or hash mode. How to collect IP packets. The method of claim 6, b-1) increasing the number of cyclic input packets by the sampling mode type; b-2) comparing the current number of input packets with a predetermined number of input packets to be sampled each time and determining a search result as a failure if not equal; And b-3) if the number of input packets is equal to the number of packets to be sampled each time, initializing the current number of input packets to 0 and determining the sampling result as success. IP packet collection method comprising a. The method of claim 6, b-1) if the sampling mode type is Random, generating a random probability value between 0 and 1 along a uniform distribution; b-2) if the generated random probability value is greater than a predefined probability value to sample, determining a sampling result as a failure; And b-3) if the generated random probability value is less than or equal to a predefined probability value to sample, determining the sampling result as success. IP packet collection method comprising a. The method of claim 6, b-1) if the sampling mode type is Hash, extracting key values distinguishable from the IP header of the packet or L4 headers such as TCP and UDP; b-2) inputting the extracted key values into a predetermined hash function, calculating the result, and comparing the result value with a remainder obtained by dividing the number of hash values to be sampled with a predetermined sampled value; And b-3) determining the sampling result as a failure if the comparison result is different, and determining a success as the comparison result. IP packet collection method comprising a. The method of claim 9, Key values that can distinguish the flow of step b-1) use <source IP address, destination IP address, protocol number, source port number, destination port number>, the hash function (source IP IP packet collection method characterized in that the address + destination IP address + protocol number + source port number + (destination port number << 16)). The method of claim 5, In step c), the L4 protocol type of the input IP packet is compared, and the signature search is performed according to each signature search rule for the case where the L4 protocol type is TCP / UDP or other cases. IP packet collection method. The method of claim 11, c-1) checking if there is a specified signature search rule for a source port or a destination port if the L4 protocol type is TCP or UDP; c-2) if the signature search rule exists, searching for whether a signature exists between a start position and an end position of a payload to be searched; c-3) if the search result signature of step c-2 exists, determining the signature search result as success; c-4) checking whether a signature search rule exists for any port if the signature search rule of step c-1) no longer exists; c-5) if a signature search rule exists in step c-4), searching for whether a signature exists between a start position and an end position of a payload to be searched; c-6) if the search result signature of step c-5) exists, determining the signature search result as success; And c-7) if the search rule no longer exists in step c-4), determining the signature search result as a failure IP packet collection method comprising a. The method of claim 11, c-1) if the L4 protocol type is not TCP or UDP, performing a signature search according to a signature search rule defined for each protocol; And c-2) if the signature search result signature exists, determining a search result as a success, otherwise determining as a failure IP packet collection method comprising a. The method of claim 11, The signature search rule follows a format such as <application protocol, port number, search start location, search end location, signature length, signature>, and the application protocol has values of TCP source, TCP destination, UDP source, UDP destination, If the protocol number is 0, the IP packet collection method, characterized in that applied to any port number.

Images