KR100628479B1 - LAN PROTOCOL ANALYZER SYSTEM and EDUCATING METHOD - Google Patents

Abstract

       The present invention relates to an integrated network analysis system for comprehensive network management and an education and practice method using the same, which is an Internet communication protocol integrated analysis device based on TCP / IP (Transmission Control Protocol-Internet Protocol) in an Ethernet environment. The present invention relates to an integrated LAN (Local Area Network) protocol analysis system that not only provides management, protocol analysis, and packet blocking, but also supports educational packages for data communication practice.

       To this end, the present invention, the connection and line status inspection module for implementing the details and inspection of the connection and the line status, the network analysis module for supervising the overall network state by building and analyzing the overall database on the network, on the network Protocol analysis module that analyzes the protocol and details of packet composition protocol and details, and protocol characteristics to define and control the characteristics of protocol or packet using protocol characteristics. A protocol control module; A network interface card connected to the Internet is connected to the network analysis module, and the network analysis module is connected to a line analysis module and a protocol analysis module, and the protocol control module is connected to the network interface card.

       Educational practice using integrated network analyzer, LAN protocol analysis system, integrated network analysis system, network analysis system

Description

       Integrated Network Analysis System and Training Practice Method Using Them {LAN PROTOCOL ANALYZER SYSTEM and EDUCATING METHOD}             

      1 is a block diagram illustrating an integrated network analysis system according to an embodiment of the present invention;

      2a and 2b is a basic installation environment and overall performance flow diagram showing the integrated network analysis system of the present invention,

      3A-3S illustrate PC screens shown using a protocol analysis module;

      4A-4G illustrate PC screens shown using a protocol control module;

      5a to 5c is a conceptual diagram of the installation environment and principle of the TCP connection blocking in the protocol control module,

      5d is a flowchart illustrating an installation environment and principle packet filtering procedure of a TCP connection blocking in a protocol control module;

      Figures 6a to 6p are PC screens shown using the SNMP function of the network analysis module,

      7A to 7Z show PC screens shown using the NMS function of the network analysis module;

      8A to 8H show PC screens shown using the connection and track inspection module;

      9 is a flowchart illustrating a protocol analysis system;

      10 is a flowchart illustrating the overall flow of execution and educational package association for explaining the method of training practice using the integrated network analysis system of the present invention;

      11a to 11d is a block diagram and a flow chart of the educational program production practice process,

      12 is a block diagram of a network simulation training process,

      13 and 14 are block diagrams and flowcharts of a control training process of a network;

      15 is a conceptual diagram for explaining a concept of multiplexing and demultiplexing of a network basic theory practice;

      16 is a flowchart of a protocol analysis simulation for multiplexing and demultiplexing practice;

      17A to 17P illustrate a process for analyzing multiplexing and demultiplexing, a data link layer analysis process,

      18A to 18B are flowcharts and conceptual diagrams of byte order simulation in multiplexing / demultiplexing;

      19A and 19B are PC screens showing byte order simulation in multiplexing / demultiplexing;

      20 is a flowchart for explaining a protocol analysis training content;

      21A to 21M illustrate PC screens using a protocol analysis simulation program;

      22a to 22c are PC screens shown in the educational protocol analyzer,

      23A to 23B are conceptual diagrams and a flowchart for explaining an ARP simulation exercise;

      24a to 24d are PC screens using the ARP simulation training program,

      25a to 25z are PC screens using the IP simulation training program,

      26A to 26D show PC screens showing an ICMP program production practice;

      27a to 27g are PC screens showing the trace router manufacturing practice,

28a to 28c are PC screens showing the trace router manufacturing practice,
29A to 29C show PC screens showing a 3-way handshaking simulation exercise;
29D is a flowchart showing a 3-way handshaking simulation exercise;
29E-29G show PC screens showing a 3-way handshaking simulation exercise;
30a to 30d are PC screens showing training protocol control module creation practice,
31A is a flowchart illustrating a traffic generation exercise;
31B to 31E are PC screens showing a traffic generation exercise.

      Explanation of symbols on the main parts of the drawings

        10: connection and line status check module 20: network analysis module

        30: protocol analysis module 40: protocol control module

        50: Internet 60: Network Interface Card

       The present invention relates to an integrated network analysis system for comprehensive network management and a training method using the same. More specifically, the network management, protocol analysis and The present invention relates to a LAN protocol analysis system that not only provides a packet blocking function but also integrates an educational package for data communication practice.

       Currently, in the frenzy of the Internet / Intranet, much of the work depends on the network. Among them, e-mail and WWW (World Wide Web) are basic, groupware, and client / server. The importance of the situation is increasing day by day. In addition, the importance of network management is increasing due to the size and complexity of the network and the increase of work using the network. In this situation, if the processing is delayed due to network error or slowdown, this is a problem of social production base on information and communication. Therefore, quick response in case of network error is basic and it is important to eliminate the possibility in advance.

      Conventional protocols used for network management include Simple Network Management Protocol (SNMP), Common Management Information Protocol (CMIP), and Remote network MONitoring (RMON), which is used to observe and analyze traffic. And, by using the ping of the Internet Control Message Protocol (ICMP), it was possible to determine the connection state between end-to-end equipment. However, this has a limitation in that it merely provides a function such as measuring information or response time of the counterpart host's operation.

       Conventional network analysis and management programs utilizing these protocols are individual and therefore limited in function. Specifically, the product is classified into a product line that analyzes protocols, a product line that restricts and controls network flows, a product line that analyzes the overall network configuration and network status, and a product line that checks the line connection status. It was used individually.

       However, such a configuration operates independently according to each characteristic or role, and thus, in addition to the existing functions provided, such a configuration does not exist as a database for generating new data or existing as a database for operation of other products. Today, as the number of hosts connected to the Internet increases dramatically and the network configuration becomes complex, new complex data is required for management, and thus, integrated network analysis that overcomes the disadvantages mentioned in the linkage and interworking of these products. The product model was asked for.

       In addition, the integrated network analysis product model, in addition to the conventional fragmentary character-oriented network education method, enables analysis and experimentation on a real network, thereby realizing three-dimensional education and fostering core human resources required for advanced practice. This was necessary.

       The present invention has been invented a model of a new network analysis tool in view of the above circumstances, the data calculated from one product family is the basis for controlling the other product family or a plurality of product products based on each analysis result The purpose is to provide an integrated network analysis system for comprehensive network management, which produces data that cannot be produced independently.

       In addition, the teaching practice method using the integrated network analysis system of the present invention proposes an improved three-dimensional and practical network teaching method, and analyzes the protocol through such an integrated environment as well as the conventional theoretical learning and generates a packet corresponding thereto. It is possible to control and transmit various kinds of phenomena caused by transmitting these data to the actual network through the analysis of the network visually, providing a causal structure of composition and measurement of all control situations to foster more professional manpower The purpose is to reduce the cost of constructing a virtual network for experiments and experiments.

       The present invention for achieving the above object, by using the connection and line status inspection module, SNMP protocol to implement the details and inspection of the connection and the line status, the overall database state on the network network to build and analyze Network analysis module that supervises network protocol, protocol analysis module that analyzes the configuration protocol and details of packet by analyzing protocols implemented on network network, and protocol characteristics using protocol characteristics It consists of a protocol control module that defines the nature of the protocol or packet and controls it; A network interface card connected to the Internet is connected to the network analysis module, the network analysis module is connected to the line analysis module and the protocol analysis module, and the protocol control module is connected to the network interface card. It characterized in that the linking and interlocking operation was performed.

In the network analysis module, the network band is input to retrieve SNMP data, and the connection and line check module checks the connection status through ping, and recognizes the overall network configuration through the existence of subnets, and is recognized by the protocol analysis module. It analyzes the packet on the network, and determines whether to inhibit the network flow through the protocol control module characterized in that the flow of the packet is blocked.
The modules are characterized by further comprising an education package that can perform the operation of each characteristic of the independent execution, cross-linking and interlocking operation, using the training protocol analyzer design, simulation design using this.
The MIB data obtained by using SNMP may be corrected by comparing and reviewing values statistically calculated by the protocol analysis module.
Analysis result of the protocol analysis module In the training program for protocol analysis, the actual packet is analyzed, a virtual packet based on the learning is generated, and then transmitted to the real network through the integrated network analysis system;
Checking whether it is properly transmitted through the protocol analysis module of the pass-through network analysis system, writing and practicing through a virtual packet generator and an educational protocol analyzer, and then verifying it through an integrated network analysis system;
Network simulation and network control are created and then verified through an integrated network analysis system.
The educational program production practice is performed as an educational practice program through a program library module consisting of CRawPacketEdu, CPacketGen, and ICMPSocket libraries, and an educational protocol controller, educational protocol analyzer, and educational network analyzer.
Through the program library module and program source, input requirements for protocol analysis / control and network analysis, perform protocol analysis and control through educational training program, and verify through actual integrated network analysis system. do.
The network simulation practice is composed of a multiplexing / demultiplexing virtual training module, an internet protocol virtual design module, a byte order virtual training, and a protocol tester training module. An integrated network analysis system that provides a virtual network training environment for each individual module virtually. This is an educational practice method.
The network control practice consists of traffic generation creation practice, TCP / IP 3-way handshaking, ARP request / response creation practice, and ICMP-based trace router creation practice. It is done.
Linkage and interlocking operations are the integration of analysis systems that perform conventional individual functions, linking and linking each calculation result and function, and increasing the value of information with a third new analysis result generated through this. By providing a single unified interface, this can result in ease of use and cost savings.

      In addition, the teaching method using the integrated network analysis system of the present invention is a teaching method using such a device, which acts as a physical aid such as a virtual network configuration or other equipment configuration, and actually operates beyond the limit of the conventional fragmentary learning. Experiment with analysis and generation of existing protocols and observe the behavior of these in the network of reality.

       Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram showing an integrated network analysis system according to an embodiment of the present invention, the present invention detects and analyzes all packets generated during communication in the actual Ethernet network required for the actual packet prototype and network management All statistics and management functions are supported.
That is, as shown in FIG. 2A, packets generated during communication activities such as Internet, chat, and file transfer between Host A 3 and Host B 4 on one subnet connected to a router or hub 1, etc. 5) is detected and analyzed by the integrated network analyzer (2) of the present invention, a system that monitors and analyzes all packets of other nodes flowing on the same network using the broadcasting characteristics of the subnet.

       Figure 2b is the overall flow chart of the module shown in the figure, the network bandwidth is input from the network analysis module to retrieve the SNMP data and analyze it to recognize the overall network configuration through the presence of a subnet, in the connection and line check module After checking the connection state through the ping, it analyzes the packet on the network recognized by the protocol analysis module, and determines whether to inhibit the network flow through the protocol control module to block the flow of the packet.

       The integrated network analysis system of the present invention connected to the Internet 50 has a protocol analysis module 30, a protocol control module 40, a network analysis module 20, and a connection and line state through a network interface card 60. It consists of a check module 10, these modules can not only independently execute the task having each characteristic, but also can perform the mutual linkage and interlocking operation. In addition, it consists of educational packages that can be practiced using such protocol analysis design and simulation design.

        The present invention can support not only a method of analyzing traffic in a conventional LAN environment or a method of controlling traffic, but also a method of directly controlling a location of a gateway point or a local machine, as well as a port mirroring method. The network interface card 60 connected to the Internet 50 is connected to the network analysis module 20 and the protocol analysis module 30 through the line inspection module 10, and the protocol control module 40 is connected to the network interface card 60. It is connected to the network interface card 60.

The protocol analysis module 30 analyzes a protocol implemented on a network, and analyzes the configuration protocol and details of the packet and its details. (See Figures 3A-3S)
In Fig. 1, the protocol decoder 31 is a TCP stack that shows the TCP connection status after monitoring start, that is, monitoring time, memory usage rate, total number of received packets, total connection port and frame size between TCP, and the number of establishment / end / reset in real time. Decoder window that displays the transmission / reception IP and the nature of the packet by analyzing the window and the collected data, expresses the contents as HEX value, structured according to the type, and outputs the contents expressed in the tree structure. It consists of a TCP flow window that shows the flow of data (see Figure 3a).

       The decoder window is composed of SUMMARY, DATA, and DETAIL windows, and one to three windows can be viewed on one screen according to the user's selection, and color can be designated for each frame for clear visual expression of the packet. This is expressed in HEX and tree structure window. (Refer to FIGS. 3B and 3E.) In particular, if a specific value of the DATA window is specified, it moves in conjunction with the analysis value of the DETAIL window that analyzes the contents in detail. If you specify a specific value of, the underscore is linked to the value of the corresponding DATA window. In addition, by recombining the collected packets into units of data transmitted and received in communication, it also has a function to specify the contents of abstract packets into existing actual communication contents, making it difficult to judge data on a packet basis. Can be overcome (see FIGS. 3G-3K).

     The data in the packet summary window showing a brief representation of the packet supports a storage format that is compatible with the data format used in the conventional data program, thereby providing various representations and forms of data analysis and maximizing information efficiency. (See Figures 3E and 3F)

     In a real network, a lot of data is transmitted for a short time. In practice, the protocol analysis module 30 supports various filtering rules in order to inspect a desired protocol or packet. In filtering, there are IP address, MAC address, port number, 2/3 layer layer type classification, packet size, and some data matching. The IP address and the MAC address additionally support a directional recognition function, and determine the direction of transmission or reception for the IP address or MAC address and extract the corresponding one. (See Figures 3L-3S)

      The 2/3 layer layer type classification supports a protocol list operating in the 2/3 layer based on the reference model of the OSI 7 layer, and enables the user to select a filter for the protocol. The data matching filter can extract data by checking a partial match for an unknown packet that does not have this specific protocol model. Specifically, if the start point is set and afterwards, the size and data of the range for the duplicate check are inputted, it is checked and extracted for each modified packet. In total, such a filter may operate by dividing the application method of collecting content that matches the content set for the rule and the non-application method of collecting all content that does not match.

     When the protocol control module 40 transmits and receives data that does not meet the filtering conditions while monitoring communication between the hosts, the protocol control module 40 immediately disconnects the virtual packets by sending them to the corresponding host. With this configuration, hosts that notify and receive abnormal disconnections of the connection will terminate the connection.

     Therefore, the protocol control module 40 defines the characteristics of a protocol or packet of a specific character by using the protocol characteristic and controls it as shown in FIG. 4G. In particular, while general control tools perform operations locally or at the location of the gateway, which is the first transmission / reception part of communication, the protocol control module 40 is a protocol control method using mirroring, and the entire network is monitored by transmission / reception data for blocking. It prevents overload and prevents overload, and it proceeds separately from the conventional communication. Therefore, there is no effect other than control of a specific area or node according to the rules set for the current network. (See FIGS. 5A-5D)

       In the narrow, it can be set to block the entire protocol such as HTTP, FTP, and the related conditions such as DNS, MAC address and port can be set in complex. In addition, it supports setting by network application, which supports convenient setting because it selects data that has already been analyzed, even if the user lacks the specialized knowledge such as port and protocol characteristics needed to block the program. . (See FIGS. 4A-4E)

      Both of these filter descriptions support the internal and external scopes, in terms of the way in which the selected item is applied, the internal method of examining the corresponding matters of the described contents, and the external method of checking other matters. It is possible to set a specific band for the set blocking rule. By inputting the band of a specific IP, it supports the restriction on the applied node. The rules thus set may be stored in a unique format in consideration of future reuse, and then may be recalled and used in the protocol control module 40. (See Figure 4f)

      The network analysis module 20 builds and analyzes the overall database on the network using the Simple Network Management Protocol (SNMP) protocol to supervise the overall network status. In order to efficiently manage the network and easily identify problems, the network monitor records all the network requirements according to the RMON MIB configuration standard by using the packets monitored by the network without the help of routers or switches through the RMON (Remote network MONitoring) analysis function. . It is divided into an SNMP analyzer 21 and an RMON analyzer 22.

      Therefore, statistics on line utilization, traffic size, and network traffic can be shown without affecting the load on the server or network line. It acquires and analyzes MIB (Management Information Base) information provided by the switch, and calculates the total error and corrects the data to build and analyze the entire database on the network to supervise the overall network status.

      Although the SNMP analyzer 21 does not know the node into which the SNMP management is implanted, it sets the specific band and automatically detects the characteristics of each node when searching for the node, and automatically selects the node equipped with the SNMP management. MIB data is requested for these nodes, and the collected data is represented in a tree structure. (Refer to FIG. 6A to FIG. 6H) These operations are repeated in a certain time, and are shown in some tables. The protocol distribution details, protocol error details, traffic details, and traffic errors are expressed in hourly wave graphs or bar graphs. These log records are documented upon request and provided in the form of an ASCII code file.

      The network analysis module 20 is a flow board showing the total utilization rate and the number of received packets (MULTICAST / BROADCAST / UNCAST) and the number of errors (CHECKSUM / FRAGMENT ERRORS) in detail through the NMS data display 32 of the protocol analysis module 30. (33; see FIG. 7y and FIG. 7z), HOST TOP10 analyzing the top 10 hosts from the traffic generated in the subnet (38; see FIG. 7a to FIG. 7c), the network / transport / application layer which is the representative three layers on Ethernet Protocol distribution (34; see Figs. 7f to 7h) to indicate the use of each protocol; traffic matrix (37; see Figs. 7d to 7e) which outputs the connection status of traffic currently occurring on the network; A status stick (35 (see FIGS. 7I to 7K)) for providing statistics on the user, a user history (36 (FIGS. 7L to 7W) for providing various statistics for each time zone), and an error content when a network failure occurs. Seven analysis tables of alarms 39 (see FIG. 7x) that provide indications are provided.

      The connection and track state check module 10 implements details and checks on the connection and track state. It is a set of basic functions for managing and checking a network. It implements the functions of connection and existence of a specific node, RTT (ROUND TRIP TIME), DNS query, and routing path tracking. In detail, the ping tester 14 performs a ping according to a set number of repetition times, timeouts, packet sizes, and delay times on the inputted area through three input methods of single, continuous, and discontinuous. 8h), automatic scanning (15; see FIG. 8d) showing IP utilization, average RTT, and personal details of discovered nodes by scanning specific bands in a short time, router according to ICTL's TTL (TIME TO LIVE) value A tracer router (11; see FIGS. 8A and 8B) that visually refines the route on the Internet using the return value of < RTI ID = 0.0 > and < / RTI > DNS lookup / WHOIS (12, 13: FIG. 8C) indicating the connection IP address and registrant information for the domain. And FIG. 8E).

      As shown in Figure 2b and 9, the description of the inter-module interaction in the integrated network analysis system of the present invention requires a sketch that can look at the overall network configuration for the analysis of the network. By using the SNMP analyzer 21 of the network analysis module 20 to obtain the MIB data of the specified network, it is analyzed. After that, through the connection and the line state check module 10 to check the connection state, such as the speed of each node. In this case, the contents of the MIB data correspond to the subnetwork of the connection point that generated the MIB data. When the connection point that indicates another lower subnetwork of the node information of the MIB is found, the above process is repeated. Finally, the overall network configuration with the specified network as the top level is confirmed.

After recognizing a specific network as described above, the flow of data for all or part of the region is analyzed. The protocol analysis module 30 corresponds to this. In the case of the protocol analysis module 30, the range of nodes to be analyzed on the network is set according to the internal search method (port mirroring method) without direct access to the corresponding node. Afterwards, the contents of the data are displayed for each packet, which is a unit of data flowing on the chart or network. The former case is a flow board, a host top 10, a protocol distribution, a traffic matrix, a status stick, a user history, and an alarm. Decoder part.

       Statistics and recorded results of the protocol analysis module 30 is used as data of the analysis for the corresponding band. For example, when the actual transmission is slow compared to the bandwidth of the network, Host Top 10 can find hosts with a high occupancy rate, and use Packet Size Distribution to determine the size of packets distributed in the network. Report It can be found that the efficiency of network usage is the cause of poor communication. In addition, through protocol distribution, the application layer that consumes the most resources is identified to provide data for various judgments about the network, such as setting an appropriate coordination ratio such as a web or FTP service.

Through this analysis, the network manager performs the discovery of the node that causes the problem or the necessity of changing the network structure or expanding the facility. In this case, if the problem is based on facilities and periods, the related equipment is expanded to the most relevant deep subnet, or if the problem is related to data or a specific node on a network other than the protocol control module 40.

       The protocol control module 40 is a port mirroring method similar to the protocol analysis module 30 and proceeds separately from the existing communication. Therefore, the protocol control module 40 has any influence other than the control of a specific area or node according to the rules set for the current network. In addition, by terminating the connection by sending a combination of virtual packets to the host, the host that notifies and receives the abnormal disconnection of the connection through the setting of the RST bit, which occurs when a TCP connection fails, terminates the connection.

      In this way, a particular node that interrupts the flow of the network starts control of the designated band using application-level related program settings or protocol and port classification, which is reflected in the network and sets the band for the set contents. By reducing the overall communication.

       The overall operation of the present invention configured as described above, the network analysis module 20 acquires MIB (Management Information Base) data for the network using SNMP and analyzes it to abstract the basic configuration of the overall network, and The data connection and line status check module 10 checks each node and specifies the data.

       After that, all the protocols communicated on the confirmed network go through the protocol analysis module to analyze the contents of each packet and measure the statistics. At this time, due to the technical limitations of general packet monitoring, an error range of the amount of communication and the amount of measurement can be generated, which is measured based on the MIB database established in the network analysis module 20. You will be notified at the time of the final report.

       In addition, the protocols related to routing determined by the protocol analysis module 30 are transmitted to the network analysis control module 40 to be constructed as data for further configuration of the relevant network, and to expand the structure information of the network. In addition, through the connection and line status check module 10, it configures the data such as the expected reception path and the connection speed report with the current target for the packet, the analysis of these protocols and packets and their network distribution The analysis report determines whether or not to control according to a policy established in the protocol control module 40 or a pattern to be analyzed.

       If control is confirmed, the packet is forcibly blocked at the forwarding stage, and the related connection is blocked by using the ICMP protocol impossible message or TCP protocol characteristic for the subsequent contents.

       The present invention constituted as described above is tested / tested by communication equipment developers such as network analysis and management paths, NICs and hubs, and new protocol development companies in companies requiring security solutions such as network management or electronic commerce in various public institutions or schools. As a research and development tool, it can be used as educational equipment for information communication schools and communication equipment related industries.

       10 is a flow chart showing the overall flow of execution and educational package association for explaining the training practice method using the integrated network analysis system of the present invention, Figures 11a to 11d is a production practice and the flow chart and block diagram of the educational program. 12 is a network simulation exercise, and FIGS. 13 and 14 show a network control exercise and a block diagram and a flowchart thereof.

       The overall execution flow shown in FIG. 10 and the educational package are linked, and as a result of analyzing the protocol analysis module, the actual packet is analyzed by the protocol analysis training program, and a virtual packet based on the learning is generated, and then the integrated network analysis system. It transmits to the actual network of the network, and checks whether it is properly transmitted through the protocol analysis module of the network analysis system, writes and practices through the virtual packet generator and educational protocol analyzer, and then verifies through the integrated analysis system, network simulation and network control. It is designed to cultivate talents who can be applied to high-level practice by writing and then verifying it through protocol analysis system.

       The educational program production practice shown in FIG. 11A includes a program library module 70 of CRawPacketEdu, CPacketGen, and ICMPSocket libraries, an educational protocol controller (see FIG. 11C), an educational protocol analyzer (see FIG. 11B), and an educational network analyzer. The training program 72 may be performed through the source 71.

       As shown in FIG. 11D, requirements for protocol analysis / control and network analysis are input through the program library module 70 and the program source 71, and protocol analysis and control are performed through an educational training program. In fact, the verification is performed through an integrated network analysis system.

       The network simulation exercise shown in FIG. 12 is composed of a multiplexing / demultiplexing virtual training module, an internet protocol virtual design module, a byte order virtual training, and a protocol tester training module, which are executed in the order as guided by the program after execution. These simulation programs are based on scenarios that allow us to observe what is happening in the real network by providing a virtual environment for things that cannot be done in the real network due to the nature of the experiment. That is, the data or packet generated in the virtual network training environment is transmitted to the network actually used and verified by the device.

       The network control exercise shown in FIG. 13 is composed of traffic generation writing instruction, TCP / IP 3-way handshaking, ARP request / response writing practice, and ICMP based trace writing practice, which is a program library as shown in FIG. Through module and program source, input requirements for protocol analysis / control and network analysis, send packet to real network, and verify through real integrated network analysis system.

       In this way, it is possible to effectively train the analysis of the actual network by judging the result of each module fused and operating together. That is, a specific pattern belonging to the corresponding protocol through the connection and track inspection module 10 is generated through the conventional contents which are only conceptually described, and this is actually generated through the protocol analysis module 30 and the network analysis module 20. It analyzes the influence of data on network operation, traffic or control status between each connection to understand overall network configuration and flow.

       This result again affects the control policy establishment of the protocol control module 40, thereby acquiring knowledge of effective network management. In addition, macro processes as well as micro controls or methods can be simulated by allowing the simulation of virtual packets and simulation of what packets are actually fragmented, routed, and forwarded on the network. I can learn.

      The specific main training course consists of basic network training, training protocol analyzer writing training, simulation training, training protocol controller writing training and traffic generation writing training.

      The basic practice of network is to actualize the concept of actual packet and protocol with the aim of understanding the concept of communication protocol, and to prepare the basic preparation of communication for protocol design, analysis and simulation in educational practice program.

      In order to transmit data using a network divided by layers, the transmitting side includes data in a format according to each layer, and this process is called multiplexing, and the opposite side of applying the reverse side is called demultiplexing. As shown in Fig. 15, the simulation to facilitate an accurate understanding of the protocol multiplexing and demultiplexing schemes generated during communication in the host is a multiplexing / demultiplexing simulation. As illustrated in FIG. 16, the network protocol is configured to learn overall network education through a simulation in which a user can directly analyze and test a protocol of a packet generated in an actual network.

       Through the simulation program that provides the contents of the actual network in this way, you can go through each layer directly and visually practice the actual packet composition by adding or subtracting specific values to the header or data used in each layer. This gives you insight into the actual packet configuration. First, enter the data to be sent in the data input window and press the demultiplex button to express the multiplexed data through HEX and ASCII data window at the bottom. After confirming this, press the next button to move to the next multiplexing step. .

      In this way, each step through the Data-Transmission Layer (TCP)-Network Layer (IP)-Data Link Layer (MAC) results in a complete data packet. This allows you to understand errors and behaviors, and to experience the actual network of packet combinations.

       In addition, the process of demultiplexing the multiplexed data from the sender's point of view from the opposite receiver's point is performed in reverse order with respect to the completed packet. In the demultiplexed data link layer, the sender and receiver The MAC address of the network layer and the IP address of the network layer are inputted through the process of removing each value by inputting a port, sequence, and acknowledgment, which are components of the TCP header, and finally leaving only original data. (See FIGS. 17A-17P)

       In addition, byte order processing in heterogeneous communication according to various platforms existing on the network occurs as shown in FIG. 18B. When data is stored in a computer, the byte order processing (Big-Endian, Little-Endian) is performed. When transmitting to the network, Big-Endian method is used. In order to solve the problem caused by the difference in byte order, data is converted to network byte order before being transmitted to the network, and then used after changing to host byte order at the receiving computer.

       To provide a byte simulation in this regard (see FIGS. 18A and 18B), it is possible to directly check the order in which the multibyte data is actually stored in memory and the order in which it is transmitted over the network and use the byte order conversion function to check the order. This is a practice to check for changes. After entering the data into the simulation program, press the memory save button to see the memory window that simulates the state actually stored in the memory, check the storage type of the value, and then change the network order using the HTONS button. Observe the state of change (see FIG. 19A).

       By understanding the heterogeneous data processing method through simulation, we can distinguish the platform type of the platform through actual programming, and look at the contents applied to the real memory, not just the virtual scenario. It is configured to In other words, by inputting the contents of the provided source, and debugging the part to analyze the state of the memory to apply the contents learned in the simulation on the real computer (see Fig. 19b).

       In IP, packets do some work related to headers, routing, and reassembly to find their destinations on the Internet, all of which are handled by internally provided machine modules, which simulate and deliver packets. The purpose of this study is to examine the function of IP. As illustrated in FIGS. 25A to 25Z, the IP design training process tracks the contents of header processing, transmission processing, queue configuration, routing, fragmentation, and reassembly to be processed in the IP layer step by step. According to the flow control table showing the order of progress of the displayed buttons, the result of each module is observed through the result window.

       The practice of writing a module is written in Microsoft Visual C ++ through CRawPacketEdu, a wrapper class library designed to conveniently handle the provided NIC control driver and the exercise as shown in FIG. 11D. Follow the instructions in the manual. The provided library consists of packet monitoring module, packet generation module, ICMP socket module, etc., CRawPacketEdu and CPacketGen are modular C ++ based libraries that can easily use the services needed to capture actual packets and generate traffic to specific nodes. to be. (See FIG. 11A)

       In addition, ICMP socket library is a socket library that supports ping, tracerouter, autoscan, and WHOIS easily.The implementation of packet capture module using CRawPacketEdu is achieved by creating CRawPacketEdu object-NIC binding-Starting packet capture-Captured Packet analysis-You can design packet monitoring system in order of packet capture stop. (See Figure 11B)

       As shown in FIG. 20, the training for creating a packet analyzer for education cultivates protocol analysis capability by analyzing actual packets, and improves packet handling capability and Internet programming at a programming level, and packet processing according to the TCP stack structure. We aim at skill acquisition. For this purpose, monitoring and observing the core protocols of TCP / IP SUITE, ETERNET, SNAP, IP, ICMP, ARP, TCP, UDP, DNS, and HTTP, and obtaining them from the data link layer to analyze and judge the overall structure. Includes exercises that build on the sources provided. Protocol analysis may be performed by reading the packets collected using the integrated network analysis system of the present invention into a protocol analysis program or analyzing the provided textbook experimental example which is basically loaded (see FIGS. 21A to 21M).

       The modified packet information or example loaded through the protocol analysis program is displayed in HEX and ASCII by dividing it to the left and right of the upper side, and it is determined whether the correct analysis is filled by filling the lower fields according to the characteristics of each protocol. That is, in case of Ethernet frame analysis, fields that require the transmit / receive MAC address and upper frame type, which are the corresponding header structure, appear.In case of TCP packet, transmit / receive port, sequence, acknowledgment, data offset, flag (URG, RST, SYN, FIN, PSH) ACK), window size, and checksum are generated.

       Refer to the packet dump window at the top and enter the destination address, source address, and upper frame type and press the result button. If the result is displayed correctly, TRUE and FALSE are entered. Repeat this until you've typed it so that you can correctly analyze the packet. Accordingly, all packet structures of the TCP / IP family can be completely conquered through this new invention. The above analysis is a simplified representation of the decoder window of the integrated analysis tool, and the confirmation or analysis of other details can be completed using the integrated analysis tool.

       Based on this exercise, you can create a module that captures and analyzes using a library that provides packets sent and received on a real network. The example source is loaded using Microsoft Visual C ++. In the example source, most of the other items are completed except for the analysis module. The participant can write a module section for analyzing the packets obtained through the start and stop of the capture menu. This is to implement and practice the analysis contents practiced in the above-described protocol analysis program on the actual program, which is a part of TCP / IP protocol analyzer design and fabrication which is the basis of the protocol analysis module of the integrated network analysis system. The present invention has the additional effect of cultivating the deep understanding and utilization of computer language as well as the various protocol analysis capabilities of Ethernet through this whole curriculum.

      In making educational protocol analyzers like this, protocols such as SNAP and ARP, in addition to general protocols such as TCP / IP, have a small percentage of traffic. Therefore, in the method of collecting packets, filtering that can filter out the rest of the protocol other than the packet of the corresponding protocol is required. This can also be provided by the example program to concentrate only the relevant protocol in the program analysis. Parts other than the basic protocol teaching purpose are easily passed (see FIG. 22C).

       Network practice is to configure and practice the environment to understand the characteristics and contents of each step of communication by performing the operation of protocols actually performed on the Ethernet network, 3-way handshaking of TCP / IP, ARP This course is based on the simulation of IP, ICMP and ICMP, and the results of the exercise are used as the basis for producing basic analysis tools such as ping and trace router.

       The ARP protocol is a protocol for obtaining a physical address corresponding to an IP on a local network. The ARP protocol is involved in IP and MAC address translation together with RARP. The ARP simulation program assists in performing the conversion process step by step.

       As shown in FIG. 23A and FIG. 23B, in the process of obtaining the corresponding addresses, the ARP goes through two processes of request and response. The process is executed in stages and the effects and results of each stage are examined. The process of understanding the principle is the ARP simulation process. Where EH is the Ethernet header and AH is the ARP header. The ARP simulation is based on the Educational Protocol Analyzer, which combines the ARP request packet from the lowest Ethernet frame to the best ARP, outputs it on the real network, receives the ARP response packet in response, and requests / response pairs. Outputs the analysis result of the packet to the screen (refer to FIGS. 24A to 24D).

       In order to process errors and control messages on the Internet, ICMP is used to control the flow of the Internet such as diagnostics. By using this characteristic of ICMP, we can manufacture trace router that can track ping and packet transmission path that can check whether a specific host is connected. ICMP simulation is performed to understand the request / response relationship of necessary packets. Done. As shown in FIG. 26A, like the ARP packet combination, each field of the ICMP is filled from the Ethernet frame to the ICMP, and it is delivered to the actual network and observed for the response to be returned to correct the abnormality or value of the packet. You will practice the difference in response. In other words, it generates a random ICMP packet through the construction of educational protocol analyzer and analyzes the response to the sent message and outputs it to the screen. (See FIGS. 26B-26D)

       The trace router adjusts the TTL value in the contents of ping's ICMP, so that each router passing ICMP packets through the Internet reduces the TTL value by one. If 0, an error message is sent from the sending host. It is supposed to be. Accordingly, by increasing the value of the TTL by 1, it is possible to determine the path of the router through which the packet is processed. Based on this theory, the trace router is manufactured. The process is illustrated and the library of textbooks is presented in order.

To explain each step, first create a project by running Visual C ++ 6.0.
In FIG. 27A, when the [New] dialog box appears, select MFC AppWizard (exe) from the project tab, enter 'Trace Route' in the [Project name] item in FIG. 27B, and press the [OK] button. In FIG. 27C, 'Dialog based' is selected in the MFC AppWizard-step1 window and the [Finish] button is pressed instead of the [Next] button. In FIG. 27D, the Wizard input information is confirmed in the New Project information window and the [OK] button is pressed.

       Copy the DllPing.dll, DllPing.lib, and icmpSocket.h files from the provided source folder to the folder where the TraceRouter project was created, and run the TraceRouter Project and select [Project]-[Add to Project]-[File] menu. After selecting the Insert file Into Project dialog box, select the icmpSocket.h file and click the [OK] button (see Fig. 27E). With the Trace Router project running, select the [Project]-[Settings] menu. Click [Link] tab and enter DllPing.lib in [Object / library modules]. (See Fig. 27F)

      TraceRouteDig.h (to the header file of mainframe (dialog) among project generated files) Add #include icmpSocket.h. In the TraceRouteDig.h header file, declare "Cimpsocket m_icmpSocket:" publicly inside the CTraceRouteDig class (see Figure 27g).

      Configure the user interface for using the tracerouter. First select the Resource View tab on the workstation of the TraceRouter project. Configure the user interface in the dialog of the tracerouter resource, then select the dialog. Then, the user interface is constructed using the control in the selected dialog (see FIG. 28A).

       In FIG. 28B, [1] represents an edit control, [2] represents a radio button control, [3] represents a list control, [4] represents a radio button control, and [5] uses a textual control. Configure Assign object IDs to user interfaces and controls and associate DOX variables. The traceroute is completed by implementing the ICMP theory acquired through the learning process of 1: 1 following formula into a program (see FIG. 28C).

       In the TCP communication, before the data exchange takes place, the communication must be initiated on one side and the request for communication commencement must be approved on the other side. Such a step is called a 3-way handshake, and the 3-way handshake practice is a step by step process. Help with the exercises.

      Looking at the steps of each connection and release, in the case of a first connection, the client sends the SYN segment as the first segment. This segment contains the sender and destination port numbers. The destination port number explicitly specifies the server to which the client wants to connect.

       The segment also includes the client's initial sequence number (ISN), which is used to number the data bytes sent from the client to the server. If the client wants to specify an MSS to receive from the server, the client can add MSS options to this segment. Also, if the client wants to use a larger window, the client can specify the window extension with the appropriate options.

       This segment indicates that the client wants to establish a connection with certain parameters. This segment does not contain an acknowledgment number. Also, the window size is not defined in this segment. The definition of the window size is meaningful only if the segment contains an acknowledgment. The server sends a SYN + ACK segment, which is a combination of two segments into one as the second segment. There is a function of confirming reception of the first segment by using an acknowledgment number of the ACK flag and a function of being used as an initial segment of the server.

       The acknowledgment number is set to the value of the client's ISN + 1, and the server must set the client's window size. It also includes the Windows extension options that are intended to be used by the server and the MSS specified by the server. The client simply sends an ACK segment as the third segment. This segment acknowledges receipt of the second segment using the ACK flag and acknowledgment number. The acknowledgment number is the initial sequence number of the server plus one. This establishes a connection for data exchange.

       As shown in Fig. 29A (three-way handshaking; connection establishment) and Fig. 29B (three-way handshaking; connection termination), the process of releasing, like connection, has similar contents, and the TCP connection is bidirectional. Even if the connection in one direction is terminated, the other system can continue to transmit data in the other direction. The connection termination procedure starts from the client. The client program tells its TCP that the data transfer is complete and that it wants to terminate the connection. The client-server connection is terminated.

      However, the communication in the opposite direction is still open. When the server program finishes sending data in the server-client direction, the server requests its TCP to disconnect from the server-client direction. In the details of the protocol implementation, the system A attempting to terminate the connection sends a packet with FIN = 1, and the system B receives the packet with the FIN = 1 and sends an ACK in response to it and initiates the necessary operation upon disconnection. .

       When this operation is completed, System B sends an additional ACK for the FIN message sent from System A in packets with FIN = 1 and ACK = 1. System A sends an ACK to it and the connection is terminated. The simulation practice of 3-way handshaking is performed by the trainee by creating SYN and ACK segments corresponding to the first and third stages of the three-way handshaking method, the TCP protocol connection method. This experiment derives SYN + ACK difference segments. The MAC and IP addresses of the server and client computer, which are needed for the packet generation, are obtained using the integrated network analyzer (see FIG. 29C).

      By performing experiments and exercises step by step through the simulation (refer to FIG. 29D) on the parts that are difficult to actually perform, it helps to confirm and apply the theoretical part of each process. The process of practicing each simulation can be easily produced by providing the following library and the following schematic procedure.The process of acquiring and reconfirming the basic knowledge for protocol processing in the production process, cultivating the packet generation ability, To cultivate the packet recombination capacity that is the basis of the protocol control module. (See Figure 29E)

       The practice of writing an educational protocol controller is one of the practical applications based on the contents of learning such as the packet monitoring and packet recombination techniques of the previous process, and the packet blocking using the control function of ICMP and TCP-Hijacking of TCP. It is to design a. Specifically, TCP blocking has a function called REST for abnormal conditions in which a connection is disconnected from a related host, unlike a normal termination of a TCP connection. Based on this, a packet is virtually combined and delivered to connecting hosts to terminate the connection. will be. In order to release the connection, one side transmits a segment in which the RST bit is set in the control field of TCP, and the connection is immediately stopped by the receiving side of the packet.

       The practice of writing an educational protocol controller using three-way handshaking is an experiment for implementing a packet blocking program that can be used for harmful site blocking based on this theory, as shown in FIG. 5B. In the implementation of the program, the composition of the RST packet is a key issue.It is analyzed based on the source provided by analyzing the components and obtaining related information through the integrated network analyzer and delivering the combined packet for blocking. Its contents are to implement and execute the combination contents.

       However, packet blocking is not the only one. By using the ICMP Unreachable message, the connection can be disconnected (see Fig. 5c), and the connection clients can be controlled by manipulating the inability to send and receive packets using the control function for the IP that operates based on the TCP control function. Report to it, and through this, the TCP will no longer send or receive at the bottom, such as TCP disconnection.

       Both educational protocol blockers using TCP and ICMP are designed to be based on the provided sources and libraries. The procedure is the same as mentioned in the previous simulation exercise. In this way, students learn how to use the characteristics of the protocol for the control of the packet, thereby laying the foundation for understanding and utilizing the actual operating principle used in the above-described protocol control module, the role of the protocol and the method of using Improves ability (see FIGS. 30A-30D).

       The traffic generation writing practice is a process of creating a virtual packet for guiding various situations occurring in a network as shown in FIG. 31A and circulating it in a real network to verify various network performances and functions of equipment constituting the network. The purpose of this article is to create a traffic generation program that is used as a basic tool. The actual packet production was practiced through the above process, but the traffic generation practice does not write a specific protocol or a specific packet, but freely configures a general packet according to a desired format and distributes it on Ethernet. The main difference is to monitor the Ethernet network by adjusting the speed.

       Through the produced program, we measure throughput, delay and transmission efficiency, and consider efficient network configuration based on this information. Detailed experiments confirm packet transmission and reception using the traffic monitor and generator created as shown in FIGS. 31B to 31E. In particular, experiment to confirm the best effect function. To do this, first, the traffic generator is generated by adjusting the transmission speed and the packet size to monitor the IP and port of the monitor host. The monitor host measures the number and speed of packets transmitted through the traffic monitor. .

       Through this, it is possible to measure the size and speed combination of the packet with the best reception rate. For example, through the experimental results, if the packet size is set to 500 bytes and the transmission rate is set to 64Kbps, the packet is transmitted at a reception rate of about 400Kbps-500Kbps. BEST EFFORT transmission is the transmission of unreliable packets on a network, which means that the packets are transmitted as maximum as the bandwidth of the network allows. Using this best effect function, the maximum bandwidth of the network can be checked by setting the best effect in the packet generator.

      Specifically, the Internet protocol is practically constructed to understand the basics of the Internet communication and the communication system, and the prepared scenarios of the three-way handshaking simulation and ping simulation of TCP or ICMP are performed with the packets thus prepared. This is a practical process of creating Ethernet frame including Ethernet, IP, TCP, ICMP header as a whole, and performing creation and recombination according to the scenario. It includes actual packet generation, recombination of recombination capability, and accurate conception of scenario. It is done.

      As such, each module can be effectively trained in the analysis of the actual network by judging the result of fusion and operation. Generates a packet of a specific pattern belonging to the corresponding protocol through the connection and track inspection module, which is only conceptually explained, and the effect of this data on the operation of the network through the protocol analysis module and the network analysis module. Analyze the overall network configuration and flow by analyzing traffic or control conditions between each connection.

      This result affects the control policy establishment of the control module again, thereby acquiring the knowledge of effective network management. In addition, the process of writing virtual packets and simulation of what packets are actually fragmented, routed, and forwarded on the network can be used to learn not only macroscopic details but also microscopic controls and methods. Configured to do so.

       The network integrated analysis system can realize a more efficient network analysis and management system by expressing a new data format that has not existed before under the system of linkage and interworking, and constructing it as performance data for each component module. In addition, the integrated system provides a single interface for ease of use and a reduction in the cost of purchasing individual equipment.

       By constructing such an analysis and management system, we can build the foundation for experimenting and practicing the actual network contents, not the experimental configuration such as the virtual network, and perform the relevant knowledge directly to implement the principles and details of actual network configuration. It will be the basis for the development of advanced network related personnel who acquire the knowledge of control, and save the additional cost for the virtual network implementation or management.

       As described above, according to the present invention, through the integrated network analysis system for comprehensive network management, not only individual data generated in each module, but also new third data based on the analysis data for various network environments In addition to reducing the cost of multiple facilities, it can be expected to have advantages such as ease of use based on a single interface.

In addition, the present invention is tested and researched in a network analysis and management pathway, communication equipment developer such as NIC or hub, and a new protocol development company in a company that requires a security solution such as network management or electronic commerce in various public institutions or schools, etc. As a development tool, it can be used as educational equipment for information and communication schools and industries related to communication equipment.

Claims (10)

The ping tester 14 sets the repetition count, timeout, packet size, and delay time for the input IP band through three input methods of single / continuous / discontinuous, and performs a ping according to the set numerical value. Check the return value of the router according to ATUO SCAN (15), which shows IP utilization rate, average round trip time (RTT), personal details of discovered nodes, etc., and TTL (TIME TO LIVE) value of ICMP. Connection and line consisting of a tracer 11 for visually specifying a path on the Internet using a DNS LOOKUP / WHOIS 12 and 13 for indicating a connection IP address and registrant information for a domain. State check module 10; Even if you don't know the node where SNMP management is ported, if you set specific band and search, it automatically grasps the characteristics of each node, requests MIB data for the identified node, and displays the collected data in a tree structure. SNMP analyzer 21, and RMON analyzer 22 for recording network requirements according to the RMON MIB configuration standard using packets monitored by the network without the help of routers or switches. A network analysis module 20 for constructing a comprehensive database of the; It analyzes the collected packets that represent the TCP connection status after monitoring in real time and shows the transmission / reception IP and the nature of the packet, expresses the contents as HEX value, structured according to the type, and expresses it as a tree structure. It shows the flow of the packet per connection, and reconstructs the collected packet into data units that are transmitted and received in communication to actualize the abstract packet contents into actual communication contents, and does not have a specific protocol model. The protocol decoder 31 extracts a data matching filter by checking a partial match for unknown packets, and displays the network utilization rate, the number of received packets, and the number of errors. Network / transport / Protocol analysis module that displays the protocol usage by application layer, provides statistics by packet size, and analyzes the constituent protocol of the packet implemented on the network by providing NMS data display 32 which displays error contents when a network failure occurs. 30); And, In the case of transmitting and receiving data that does not meet the filtering conditions, the integrated network analysis system comprising a protocol control module (40) for performing protocol control by disconnecting the connection by sending a virtual packet to the host immediately. The method according to claim 1, wherein the protocol decoder 31, TCP stack window showing the monitoring time, memory usage rate, total number of received packets, total connection port and frame size between TCP, and number of establishment / end / reset; It analyzes the collected data and shows the transmission / reception IP and the nature of the packet, expresses the contents as HEX value, structure it according to the type and outputs the contents expressed in the tree structure. A decoder window configured to send and receive data units to materialize abstract packet contents into existing actual communication contents; And, TCP An integrated network analysis system comprising a TCP flow window that shows the flow of a packet for each connection. The method according to claim 2, NMS data display 32, A flow board 33 indicating the total utilization rate and the number of received packets (MULTICAST / BROADCAST / UNCAST) and the number of errors (CHECKSUM / FRAGMENT ERRORS); 'HOST TOP 10' 38 which analyzes the top 10 hosts among the traffic occurring in the subnet; A protocol distribution 34 indicating the use of the protocol per network / transport / application layer, which is a representative three layer on Ethernet; A traffic matrix 37 for outputting a connection state in which traffic is currently generated on the network; A status stick 35 which provides statistics on the packet size; A user history 36 which provides various statistics by time zone; And, Integrated network analysis system, characterized in that consisting of an alarm 39 for displaying the error content in the event of a network failure delete Analyze the actual packet with the training program for protocol analysis, generate the virtual packet based on the learning, and then transmit it to the real network using the integrated network analysis system according to claim 1, After checking whether the packet is correctly transmitted using the protocol analysis module of the integrated network analysis system, writing and practicing through the virtual packet generator and the educational protocol analyzer, and verifying the result through the integrated network analysis system, After performing the network simulation practice and network control practice, characterized in that verified through the integrated network analysis system, The network simulation practice consists of a multiplexing / demultiplexing virtual training module, an internet protocol virtual design module, a byte order virtual training, and a protocol tester training module to provide a virtual network training environment for each individual module. The network control practice consists of traffic generation creation practice, TCP / IP 3-way handshaking, ARP request / response creation practice, and ICMP-based trace router creation practice. Training method using integrated network analysis system. The method according to claim 5, The educational program production practice is an integrated network analysis system comprising a program library module consisting of CRawPacketEdu, CPacketGen, and ICMPSocket libraries, and a program source consisting of an educational protocol controller, an educational protocol analyzer, and an educational network analyzer. Training method using delete delete delete delete

Images