KR102027759B1 - Network-related new device registration method and apparatus - Google Patents

Abstract

One aspect of the present invention discloses a new device registration method associated with a network in a network new object registration device. The method includes maintaining network entity information including Internet Protocol (IP) information for at least one entity associated with the network, information on at least one packet transmitted and received between a first entity and a second entity. Acquiring the information, comparing the acquired information about the at least one packet with IP information in the retained network entity information, and registering a new device with the network entity information based on the comparison result. do.

Description

New device registration method and device associated with a network {NETWORK-RELATED NEW DEVICE REGISTRATION METHOD AND APPARATUS}

The present invention relates to a device registration method associated with a network service, and more particularly, to a method for registering a new device in a list associated with a network.

The network generally includes a communication link and various devices having communication capabilities connected to the communication link. Here, devices associated with a network include computers, peripherals, routers, storage devices, and various electrical appliances having a communication interface with a processor. Here, the term "device" typically includes logical devices or other devices having functionality and the ability to process and exchange data, and may include general purpose computers as well as home devices.

Traditional network systems include a variety of server devices associated with a web site and client devices used by a user. In general, a client device requests a connection to a server having a specific IP address in order to use a web site, and connects through a waiting time. At this time, when a plurality of client devices are gathered at a specific time by a plurality of users to access the server, a bottleneck may reduce the performance of the network service associated with the server. When a service performance or quality problem occurs, the user delays, causing a decrease in the utilization rate of the service by increasing the waiting time, which leads to a decrease in productivity and sales. In addition, an increase in IT operating costs may occur, and server operators and / or managers of related businesses may face the unfavorable consequences of reduced corporate competitiveness.

Therefore, the cause of performance degradation should be identified quickly and the response should be made as soon as possible. However, there is no suitable service to clearly identify where the cause of such performance degradation is, so that proper response is not achieved.

1 is a conceptual diagram illustrating a process of performing a conventional network service management.

Referring to FIG. 1, for IT management, an IT team leader commands commands related to quality management to a network operation part, a server operation part, a database development part, and an application development part, respectively.

When a particular service problem occurs, the personnel in each part individually determine the problem of the IT device they manage and report it. In other words, an independent approach to a problem with a particular service, such as "not an application problem," "not a network problem," and / or "no problem on the server," may not quickly identify the cause of the problem, Does not respond properly to problems That is, there is a problem in that the golden time of performance improvement is missed.

SUMMARY OF THE INVENTION An object of one aspect of the present invention for solving the above problems is to provide a new device registration method and apparatus associated with a network that can automatically register a new device associated with a network for network service management.

A new device registration method associated with a network in a network new object registration device according to an aspect of the present invention for achieving the above object comprises Internet Protocol (IP) information for at least one entity associated with the network. Retaining network entity information, acquiring information about at least one packet transmitted and received between a first entity and a second entity, and storing information about the obtained at least one packet in the retained network entity information. Comparing with IP information and registering a new device in the network entity information based on the comparison result.

The registering of the new device in the network entity information based on the comparison result may include: when there is first IP information not present in the retained network entity information, based on the first IP information; 1 may include registering the device associated with the IP information as the new device to the network entity information.

Registering the device associated with the first IP information as a new device in the network entity information based on the first IP information may include whether an IP associated with the first IP information exists in an IP area that can be processed in association with the network. When there is an IP associated with the first IP information in the comparing step and the processable IP area, the device associated with the first IP information may be registered as the new device in the network entity information.

Comparing the information on the obtained at least one packet with the IP information in the retained network entity information, the destination IP information included in the information on the obtained at least one packet is compared to the retained network entity. And comparing with IP information in the information.

The network entity information includes information associated with a link between a plurality of entities, wherein the device registration method associated with the network extracts a source IP of a packet having a device associated with the first IP information as a destination IP. Comparing the extracted source IP with IP information present in the network entity information; and if the extracted source IP does not exist in the network entity information, the device and the extracted device associated with the first IP information. The method may further include registering a link of the device associated with the source IP as the new link to the network entity information.

Registering a link of the device associated with the first IP information and the device associated with the extracted source IP as a new link in the network entity information includes both an IP associated with the first IP information and the extracted source IP being the network. Comparing the first IP information and the IP associated with the first IP information with the first IP information in the network IP information; Registering a link of an associated device with a device associated with the extracted source IP as a new link to the network entity information.

Registering a device associated with the first IP information as a new link to the network entity information based on the first IP information may include a flow map representing traffic flow of the network based on the retained network entity information. The method may further include visualizing a device associated with the new link in the flow map.

The registering of the new device in the network entity information based on the comparison result may include: when there is first IP information not present in the retained network entity information, based on the first IP information; Registering a device associated with IP information as a new device candidate and determining whether to register the device associated with the first IP information registered as the new device candidate as the new device in the network entity information.

Determining whether to register the device associated with the first IP information registered as the new device candidate as the new device in the network entity information comprises: displaying the device associated with the first IP information as the new device candidate; Receiving a user input for the displayed new device candidate, determining whether to register a new device based on the user input, and if it is determined to register as a new device, the device associated with the first IP as the new device as the network; And registering with the entity information.

Registering the device associated with the first IP information as the new device candidate based on the first IP information as a new device candidate in the IP region in which an IP associated with the first IP information is processable in association with the network. Comparing whether there exists and if there is an IP associated with the first IP information in the processable IP region, the device associated with the first IP information may be registered as a new device candidate.

Comparing the information on the obtained at least one packet with the IP information in the retained network entity information, the destination IP information included in the information on the obtained at least one packet is compared to the retained network entity. And comparing with IP information in the information.

The network entity information includes information associated with a link between a plurality of entities, wherein the network device registration method comprises: extracting a source IP of a packet having a device associated with the first IP information as a destination IP; Comparing the extracted source IP with the IP information present in the network entity information; and if the extracted source IP does not exist in the network entity information, the device associated with the first IP information and the extracted source IP; Registering a link of the associated device as a new link candidate and registering the link of the device associated with the first IP information registered as the new link candidate and the device associated with the extracted source IP as the new link in the network entity information. The method may further include determining.

If the extracted source IP does not exist in the network entity information, registering a link between the device associated with the first IP information and the device associated with the extracted source IP as a new link candidate, wherein the first IP information is included. Comparing both the IP associated with the extracted source IP with the network in the processable IP area and the IP associated with the first IP information and the extracted source IP in the processable IP area In this case, the method may include registering a link between the device associated with the first IP information and the device associated with the extracted source IP as the new link candidate in the network entity information.

Determining whether to register a link of a device associated with the first IP information registered as the new link candidate and a device associated with the extracted source IP to the network entity information as a new link includes: a device associated with the first IP information; Displaying a link with a device associated with the extracted source IP as the new link candidate, receiving a user input for the displayed new link candidate, determining whether to register a new link based on the user input; If it is determined to register as a new link, registering the link with the device associated with the first IP information and the device associated with the extracted source IP to the network entity information as a new link.

Registering a link between the device associated with the first IP information and the device associated with the extracted source IP to the network entity information as a new link, indicating traffic flow of the network based on the retained network entity information. Further visualizing the device associated with the new link in the flow map.

The information on at least one packet transmitted or received between the first entity and the second entity may be information obtained by performing mirroring from a switching device provided between the first entity and the second entity.

In accordance with another aspect of the present invention, there is provided a apparatus for registering a new object associated with a network, comprising: a database holding network entity information including Internet Protocol (IP) information for at least one entity associated with the network; A port for obtaining information on at least one packet transmitted and received between a first entity and a second entity, and comparing the information on the obtained at least one packet with IP information in the retained network entity information. A packet analysis module and a service module for registering a new device in the network entity information based on the comparison result.

According to the new device registration method associated with the network of the present invention, there is an effect of easily registering a new device without the user's cumbersome work.

1 is a conceptual diagram illustrating a process of performing a conventional network service management;
2 is a conceptual diagram illustrating a system including a packet mirroring apparatus according to an embodiment of the present invention;
3 is a block diagram showing a connection configuration between a packet mirroring device and another device in a network according to an embodiment of the present invention;
4 is a conceptual diagram illustrating an operation of each section of a packet mirroring apparatus according to an embodiment of the present invention;
5 is a block diagram specifically illustrating a packet mirroring apparatus according to an embodiment of the present invention;
6 is a flowchart schematically illustrating a method for diagnosing network performance of a packet mirroring apparatus according to an embodiment of the present invention;
7A and 7B are conceptual diagrams illustrating network round trip time (RTT) indicators between a user and a server calculated by a packet mirroring apparatus according to an embodiment of the present invention;
8 is a conceptual diagram illustrating a delay index calculated in a packet mirroring apparatus according to an embodiment of the present invention;
9 is a conceptual diagram illustrating a server response wait session number index calculated in a packet mirroring apparatus according to an embodiment of the present invention;
10 is a conceptual diagram illustrating a CPS / TPS (Connection Per Second / Transaction Per Second) index calculated by a packet mirroring apparatus according to an embodiment of the present invention;
FIG. 11 is a diagram illustrating a flow map generated based on performance indicators calculated by a packet mirroring apparatus according to an embodiment of the present invention; FIG.
12 is a table illustrating an example of a setting value for determining whether an alert associated with network performance occurs in a packet mirroring apparatus according to an embodiment of the present invention;
13A and 13B are views illustrating an exemplary state of response speed analysis for each section according to a flow map;
FIG. 14 is a view showing a dashboard for visualizing performance indicators between a user and a server. FIG.
15 is a diagram showing monitored pages of detailed traffic by server, user, URL, and session;
FIG. 16 is a diagram illustrating a page for identifying contents of detailed session information and an error of an application; FIG.
17 is a view showing a page for performing correlation check associated with a problem element by a drill-down method;
18 is a diagram illustrating a process of checking real time service status and detailed information of each service by server;
19 is a diagram showing a diagnostic analysis page for a detailed log of an application;
20 is a diagram illustrating a process of tracking a user by estimating abnormal access;
FIG. 21 is a diagram illustrating a page visualizing the haptic speed up to the user's access for each main page.
FIG. 22 is a diagram illustrating a page visualizing the response speed of the main page target user according to the warning; FIG.
FIG. 23 is a diagram illustrating a page of analyzing a user's haptic speed according to a response delay analysis screen for a specific website; FIG.
24 is a view showing a screen visualizing the loading time of each web page and the analysis page of the transition and delay components of haptic velocity accordingly;
25 shows a page for diagnosing and analyzing details of a delayed web page;
FIG. 26 illustrates a page for checking a funnel using HTTP referrer information. FIG.
27 is a diagram illustrating a page for comparing and analyzing server and network indices;
28A is a flowchart illustrating a process of determining a service delay and a failure event alarm;
28B illustrates a threshold setting page;
29A and 29B show pages related to 40X error analysis,
30 shows a page visualizing service performance in a global map in conjunction with geographic data;
FIG. 31 illustrates a page visualizing service performance in a local map in association with geographical data; FIG.
32 is a diagram illustrating a page analyzed by monitoring performance of each server;
33 is a diagram showing a page showing a distribution of connections of users by environment;
34A and 34B illustrate a page for registering a new device and a link;
35 is a block diagram illustrating a configuration of an operation of automatically registering a new device in a packet mirroring device according to another embodiment of the present invention;
36A to 36C are flowcharts illustrating a process for registering a new device and a new link in a packet mirroring device according to another embodiment of the present invention;
37A to 37C are flowcharts illustrating a process for selectively registering a new device and a new link in a packet mirroring device according to another embodiment of the present invention;
38 is a view showing an optional device automatic registration page;
FIG. 39 is a view of a flow map visualizing newly created links and devices by automatic device registration; FIG.
40 is a view for explaining a system connection relationship of a plurality of packet mirroring apparatus according to another embodiment of the present invention;
41 is a diagram illustrating a configuration of performing different functions according to a connection relationship of a plurality of packet mirroring devices according to another embodiment of the present invention;
42 is a block diagram specifically illustrating a packet mirroring apparatus or a service module of FIG. 5 according to an embodiment of the present invention.

As the present invention allows for various changes and numerous embodiments, particular embodiments will be illustrated in the drawings and described in detail in the written description.

However, this is not intended to limit the present invention to specific embodiments, it should be understood to include all modifications, equivalents, and substitutes included in the spirit and scope of the present invention.

Terms such as first and second may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as the second component, and similarly, the second component may also be referred to as the first component. The term and / or includes a combination of a plurality of related items or any item of a plurality of related items.

When a component is referred to as being "connected" or "connected" to another component, it may be directly connected to or connected to that other component, but it may be understood that other components may be present in between. Should be. On the other hand, when a component is said to be "directly connected" or "directly connected" to another component, it should be understood that there is no other component in between.

The terminology used herein is for the purpose of describing particular example embodiments only and is not intended to be limiting of the present invention. Singular expressions include plural expressions unless the context clearly indicates otherwise. In this application, the terms "comprise" or "have" are intended to indicate that there is a feature, number, step, operation, component, part, or combination thereof described in the specification, and one or more other features. It is to be understood that the present invention does not exclude the possibility of the presence or the addition of numbers, steps, operations, components, components, or a combination thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art. Terms such as those defined in the commonly used dictionaries should be construed as having meanings consistent with the meanings in the context of the related art, and shall not be construed in ideal or excessively formal meanings unless expressly defined in this application. Do not.

Hereinafter, with reference to the accompanying drawings, it will be described in detail a preferred embodiment of the present invention. In the following description of the present invention, the same reference numerals are used for the same elements in the drawings and redundant descriptions of the same elements will be omitted.

Throughout this specification, entity includes various devices associated with a network, which is a term that includes a client terminal and / or a server device.

A user basically means a user of a client terminal. However, in some cases it may also mean a user of the packet mirroring apparatus according to an embodiment of the present invention. The network operator and / or network administrator is a person who manages a network related to the packet mirroring device, and may mean a user of the packet mirroring device.

A network performance diagnosis apparatus that calculates performance related indicators related to network performance may be called a packet mirroring apparatus. In addition, since it can be implemented as a device for visualizing the performance-related indicators of the network service, it can be called a network performance indicator visualization device. In addition, since it may be implemented as a device for registering an object newly linked to the network, it may be called a network new object registration device. Hereinafter, despite the above various embodiments, it is called a packet mirroring apparatus.

In addition, the term network performance may be used generically with respect to communication performance in servers, networks and clients.

2 is a conceptual diagram illustrating a system including a packet mirroring apparatus according to an embodiment of the present invention. As shown in FIG. 2, a packet mirroring system according to an embodiment of the present invention includes a client terminal 210-1 to 210-3, a network 220, a server side 230 to 250, and a packet mirroring apparatus 200. ) May be included.

Referring to FIG. 2, the client terminals 210-1 to 210-3 access a specific web site and / or web application through the network 220. At this time, the connection is performed at the server end 230 to 250 associated with the web site and / or the web application. The client terminals 210-1 to 210-3 access a specific web page through a web browser and request execution of a desired page or application. The request may include the execution of not only static content such as html documents, but also multimedia content such as video, audio, and / or other applications.

According to an embodiment of the present invention, the client terminals 210 to 210-3 operate by a user, and may include any device including a communication function (including an Internet connection and a web browser execution function) and a data processing function. Can be. The client terminals 210-210-3 are mobile stations (MS), user equipment (UE), user terminals (UT), wireless terminals, access terminals (AT), terminals, fixed or mobile subscriber units. Subscriber Unit (SS), Subscriber Station (SS), Cellular Phone, Wireless Device, Wireless Communication Device, Wireless Transmit / Receive Unit (WTRU), Mobile Node, Mobile, Mobile Station, Personal It may be referred to as a personal digital assistant (PDA), smartphone, laptop, netbook, personal computer, wireless sensor, consumer electronics (CE) or other terms. Various embodiments of the client terminals 210-1 to 210-3 include a cellular telephone, a smart phone having a wireless communication function, a personal digital assistant (PDA) having a wireless communication function, a wireless modem, a portable computer having a wireless communication function, Shooting devices such as digital cameras with wireless communication capabilities, gaming devices with wireless communication capabilities, music storage and playback appliances with wireless communication capabilities, Internet appliances with wireless Internet access and browsing, as well as combinations of such functions It may include a portable unit or terminals, but is not limited thereto.

Each client terminal 210-1-210-3 includes input devices such as a mouse and keyboard for receiving user input and a display for providing a control user interface for the user to interact with the networked devices. It may include a user communication interface. The user interface may include a graphical user interface (GUI) to provide information to the user.

Network 220 includes a wired and / or wireless network. Network 220 may include the Internet. The network 220 may include a serial bus that provides a physical layer (medium) for transmitting and receiving data between variously connected client terminals 210-1 to 210-3 and server terminals 230 to 250. . The serial bus may include a 1394 serial bus. It can support both, but is not necessarily limited to, time-multiplexed audio / video (A / V) streams and standard Internet Protocol (IP) communications (eg, IETF REC 2734). . Network 220 may also include a non-1394 network (eg, Ethernet, etc.). In addition, the network 220 may include a home network. Each client terminal 210-1 to 210-3 may communicate with one or more server devices 230 to 250 in the network 220.

The server-side 230-250 responds to the user's request by using the network 220 resources to provide services to the user. This includes the return of information (data). It also includes the performance of a function (eg, a mechanical function) and return of status, return of data streams and status, acceptance of data streams and return of status, or storage of status for various actions. The server stages 230 to 250 may include custom, embedded, and control programs to implement control of their own hardware.

The server end 230-250 may be associated with a specific web site and / or web application, and perform operations and management related to work performed in each web site and / or web application. The server terminals 230 to 250 may interact with the client terminals 210-1 to 210-3 and other servers 230 to 250. Example services may include MPEG sourcing / sinking, and display services.

Server-sides 230-250 may interface data (e.g., HTML, XML, Java, JavaScript, GIF, JPEG, MPEG, graphics burst or intended to provide an interface for command and control of the device via network 220). Information in any other format used for the purpose). In a particular embodiment, each of the servers 230-250 may process information such as one or more Hypertext Markup Languages (HTML) that provide command and control of the device. The server-side 230-250 uses an Internet standard for representing HTML pages using a browser technique.

According to an embodiment of the present invention, the server stages 230 to 250 may include a web server 230, an app server 240, and a database server 250. However, the server side is not necessarily composed of a combination of three servers. Only the web server 230 is present, the app server 240 and the database server 250 may be valid, or only one app server 240 may be configured, and other various forms and layers of server combinations It is possible.

The web server 230 is a server providing content requested to a web client. The web server 230 may provide static HTML, JPEG, GIF, or the like image to the web browser through the HTTP protocol. In some cases, the web server 230 may also include a container capable of operating an internal application.

App server 240 may also be referred to as a web application server (WAS) server, which represents a middleware software server that provides transaction processing and management and application execution environments in a client / server environment. Typically, server-side 230-250 may be implemented as a three-tier web computing environment of a web server, an application server, and a database, where the app server 240 serves as an application server in a client / server environment. . The app server 240 provides an application execution environment and a database connection function, manages a transaction, performs business logic for processing a task, and performs application interworking between different types of systems.

According to an embodiment of the present invention, effective distribution may be induced through functional classification of the web server 230 and the WAS 240. Static data may be structurally processed by the web server 230 that exists in the front, and dynamic data may be processed by the WAS 240 at the rear. For example, the service request is not passed to the WAS 240 by placing static data such as HTML and JavaScript files, CSS, images, and the like on the web server 230 in advance. In addition, by passing the web application service to the WAS 240 located behind, the WAS 240 can concentrate on the execution of the web application. The way of processing by the web server 230 and the handing over to the WAS 240 may be handled through the configuration of the web server 230. Whether to pass a specific extension or directory task to the WAS 240 is handled by the web server 230.

The database server 250 is a storage in which various data handled by the web server 230 and / or the app server 240 are stored. The database server 250 may store huge amounts of data associated with the web server 230 and / or the app server 240 according to the nature of the work, website, and web application. This may include personal information, institutional information, data associated with various content (eg, multimedia content), and the like.

The packet mirroring apparatus 200 may be disposed between at least one of the network 220 and the web server 230, between the web server 230 and the app server 240, and between the app server 240 and the database server 250. Can be. The packet mirroring apparatus 200 is disposed between at least one of the network 220 and the web server 230, between the web server 230 and the app server 240, and between the app server 240 and the database server 250. Diagnosing the performance of a network server based on a packet that is connected to a switching device (not shown) and mirrors packets transmitted and received between two entities. According to the above embodiment of the present invention, since the mirrored packet may be generated by copying based on the actual transmitted / received packet (user traffic actually used), a separate artificial test packet may be generated for diagnosing the performance of the network service. no need. In particular, the packet mirroring apparatus 200 may monitor all packets in real time.

The packet mirroring apparatus 200 may display various types of performances of network services based on various types of information (eg, source ID, destination ID, time, etc.) included in the mirrored packet. The indicators are calculated in real time. The calculation of the indicator may be performed in a transaction unit. The calculated index may exceed 120, which will be described in more detail with reference to FIG. 5 below. Based on the calculated indicators, the packet mirroring apparatus 200 determines whether there is a problem such as a speed delay, waiting delay, traffic excess, or error occurrence in each section, and allows the operator or administrator to check the determination result. Visualize. That is, the error section can be quickly identified, and the response to the error section can be made quickly. As the management of these network services is performed at one point, IT management, which has been previously shared among several persons in charge, can be efficiently carried out, and the status of network services in all sections can be checked at a glance, thereby identifying errors immediately. Support, and respond to them.

In addition, the packet mirroring apparatus 200 may analyze the mirrored packet to track access from a malicious user (related to security issues), and the response may be made in real time.

According to the embodiment of the present invention, since the packet mirroring apparatus 200 is connected to the switching apparatus, it may not require the installation of an agent that substantially loads the server terminals 230 to 250. That is, it does not impose a burden such as slowing down the work speed of the server 230 (230 ~ 250). However, the packet mirroring apparatus 200 of the present invention is not necessarily configured in hardware, and may be installed and operated in a switching apparatus or other apparatus in software.

3 is a block diagram illustrating a connection configuration between a packet mirroring device and another device in a network according to an embodiment of the present invention.

Referring to FIG. 3, a router 322 is connected to a network such as the Internet 320, and the router 322 is connected to a switch 324 to connect servers 330-related to a request of a client terminal (not shown). 1 to 330-3, and transmits the request, and information related to the response to the request from the servers (330-1 ~ 330-3) to the client terminal.

Router 322 or a router (not shown) having a routing function extracts a location and a destination of a packet transmitted from a client terminal through the Internet 320, and designates an optimal path to the location, and follows the path. The data packet is redirected to a switch 324. Router 322 identifies the IP address and forwards the data to switch 324.

The switch 324 remembers the unique MAC addresses of the servers 330-1 to 330-3, and determines which packet should be sent to which location through the address. Send to the server (330-1 ~ 330-3). The switch 324 includes a switch that serves as an OSI 2 layer, an OSI 3 layer, an OSI 4 layer, and / or another layer (eg, OSI 7 layer). For example, a function of setting a path may be performed. It may also perform functions such as load balancing, port forwarding, and QoS. The switch 324 may be called a network switch, a switching hub, a port switching hub, or the like.

The packet mirroring apparatus 300 is connected to the switch 324 and obtains by mirroring almost all packets provided to the servers 330-1 to 330-3 through the switch 324. Packet mirroring, ie, copying or capturing of packets, may be performed at switch 324. In some cases, the packet mirroring device 300 itself may be used. The switch 324 replicates the packets provided to the servers 330-1 ˜ 330-3, and then sets a port connected to the packet mirroring device 300 as a destination port to the packet mirroring device 300. Can provide. In this case, the corresponding port may be designated and provided for analysis purposes.

4 is a conceptual diagram illustrating an operation of each section of a packet mirroring apparatus according to an embodiment of the present invention.

Referring to FIG. 4, as described with reference to FIGS. 2 and 3, the client terminal 410 transmits packets to the server 430, 440, and 450 through the Internet 420. There is a router 422 and a switch 424 between the server 430, the packet mirroring device 400 is connected to the switch 424.

The packet mirroring apparatus 400 may analyze the mirrored packet to check the user haptic delay time at the client terminal 410. In addition, information related to traffic to the first server 430 may be identified through the Internet 420, and response latency at the server 430, 440, and 450 may also be checked. In particular, the response waiting time of the server 430, 440, 450 is determined for each section. Response waiting time between the Web server 430 and the WAS 440 section and the WAS 440 and the DB server 450 section are calculated and handled separately. Web latency and app latency can be calculated separately. Here, the web response waiting time represents the response delay time until the static URL (image (gif, png, jpg, etc.), css, js, text, etc.) receives data from the web server 430, and the app response waiting time The response delay time until receiving the first packet of the page generated from the dynamic URL or the POST URL. App response latency can be associated with dynamic content with query parameters, calls using dynamic content such as HTML, ASP, JSP, PHP, and / or HTTP POST methods. That is, it represents the response latency associated with the work returned via WAS server 440 and / or DB server 450.

First, the user's haptic speed in the client terminal 410 is determined by the page loading time. This is analyzed and visualized as the user's haptic speed for each major web page. That is, when there are a large number of users accessing a specific web page, the haptic time for each user environment and / or region may be determined. The user environment may be identified differently according to the region, the OS installed in the client terminal, the type of web browser, and the type of terminal. In addition, it is possible to provide a regional access status and distribution monitoring environment. In this case, the regional access status may be provided by being divided into a global regional status for the entire global region and a local regional status for the domestic region.

The actual traffic occurrence status for the user section (network section) to the server 430 may be expressed as a network round trip time (RTT). This can also be called network time. Here, in terms of usage, bit per second (BPS) information representing the data transfer rate per second, user per second (UPS) information representing the number of users connected per second, and CPS (connection) representing the number of new sessions connected per second It is also possible to grasp the status of Transaction Per Second (TPS) information indicating the number of transactions occurring per second and Per Second information. It can also monitor user applications and analyze and track abnormal behavior by users. These performance metrics can help you identify applications that are occupying network traffic and monitor the correlation of users, applications, and networks.

In addition, the packet mirroring apparatus 400 may determine the response delay time between the servers 430, 440, and 450. In other words, it is possible to grasp the response quality index for each server interval, which includes the response delay time for each server, the response wait session for each server (wait) and the index for each application URI and / or the index for each DB query. Can be.

5 is a block diagram specifically illustrating a packet mirroring apparatus according to an embodiment of the present invention. As shown in FIG. 5, the packet mirroring apparatus 500 according to an embodiment of the present invention may include a port 510, a packet analysis module 520, a service module 530, and a user interface 540. have. In addition, the packet analysis database 522 and the service database 532 may be further included.

Referring to FIG. 5, at least one port 510 may be provided, which is connected to the switch devices 524-1, 524-2,. One port may be connected to one switch device. The connected ports receive mirrored packet information from switch devices 524-1, 524-2,... And transmit the mirrored packet to packet analysis module 520.

The packet analysis module 520 collects the mirrored packets and substantially analyzes the packets. This may be called an analysis engine. The packet analysis module 520 primarily analyzes the header of the packet in the mirrored packet. Through this, it is distinguished whether it is HTTP packet, DB related packet or TCP related packet. That is, it identifies which protocol is associated with the packet. This allows you to see which server sent the request information, such as "GET / Web address / HTTP / 1.1". The packet analysis module 520 parses and parses the packet header information. "GET" becomes the request message and "Web address" indicates the web address associated with the request. In addition, "HTTP / 1.1" means that the HTTP 1.1 version, in addition to the language information (eg, ko-kr) associated with the packet can be checked and stored. In addition to the GET, the request method may transmit POST, HEAD, PUT, DELETE, etc. according to the situation, and the packet analysis module 520 stores this information along with time information and related IP.

The packet analysis module 520 assigns an index of each packet and checks whether the packet is an HTTP-based request packet or a response packet based on the index. At this time, the comparative analysis with the information obtained from the packets received in the past is also performed. That is, when there is a request packet obtained from the first entity, there may be a response packet therefrom from the second entity, and at this time, at least two or more packets in time series, packets transmitted and received from the first entity and the second entity Based on this, one session can be established and the flow of transactions can be analyzed.

In addition, the packet analysis module 520 may parse what browser the client terminal uses, information associated with the HOST, previous URL address information, and browser support language information. At this time, it is possible to analyze whether the header is a general header, a general header, a request header, or an entity header, and parse information indicating a boundary between the header and the payload.

Then, the packet analysis module 520 secondly analyzes the Uniform Resource Locator (URL) (or Uniform Resource Identifier), the Source IP (Source_ip), the Destination IP (Dest_ip), and time information of the mirrored packet. do. Here, if you check the URL value, you can see which address redirects to the address, such as "https://www.google.com/?gws_rd=ssl". In addition, the source IP may indicate the IP address of the client terminal and the destination IP may indicate the IP of the server associated with the final destination site of the request. The response packet may indicate the opposite information. The time information may be provided in a time stamp format. In addition, the length information of the entire packet can be checked.

The packet analysis module 520 includes packet analysis algorithms corresponding to various protocols, for example, HTTP, IP, UDP, TCP, DNS, and the like. Destination IP and time information can be extracted and used for analysis.

Based on the packet-related information extracted by the secondary analysis, performance index information of about 120 elements per transaction can be generated. Preferably, 6000 transactions are analyzed in one second. Then, the extracted packet related information and 120 performance index information generated per transaction are stored in the database 522. Hereinafter, performance related indicators generated based on packet related information of mirrored packets will be described in more detail.

The packet analysis module 520 calculates round trip arrival time information (RTT information) on a transaction basis. That is, round trip time information of the data signal is calculated. An algorithm related to the calculation of the RTT information will be described in more detail with reference to FIG. 7 below.

The packet analysis module 520 generates session information. This may indicate the number of sockets established per second, that is, the number of sockets connected without interruption. In addition, the packet analysis module 520 calculates response latency information before the client sends a request and receives a response from a specific server. This is the amount of time it takes to query the database, run the application, or do anything else.

The packet analysis module 520 may include BPS information indicating the size of bits transmitted or received per second, packet per second (PPS) information indicating the number of packets transmitted or received per second, and the number of users connected per second (IP). Calculate UPS information indicating a standard). This can be calculated based on the number of source IPs connected to a specific destination IP based on how many users are connected per second. In addition, CPS information indicating the number of new sessions connected per second (indicates how many sessions are newly connected in one second), and TPS information indicative of the number of transactions occurring per second (how many transactions occur in a second). Calculate The packet analysis module 520 calculates Hit Per Second (HPS) information indicating the number of URLs requested per second. In this case, the packet analysis module 520 calculates the HPS based on how many URLs are requested from the server in the case of the server HPS, and based on how many URLs are requested per second from the client in the case of the client HPS. Calculate the HPS. The packet analysis module 520 calculates server per second (SPS) information, which is information about the number of servers connected per second. This indicates how many servers a client is connected to in one second.

In addition, the packet analysis module 520 calculates wait information indicating the number of sessions waiting for response. This is the number of sessions in which the client sends a request and has not received a response. The server has 100 real-time sessions, of which 10 indicates that 10 out of 100 sessions have not yet received a response.

Further, the packet analysis module 520 generates client_ip, server_ip, client_port, and server_port information. These represent the client's IP information, the server's IP information, the client's port information, and the server's port information, respectively. In this case, the client_ip and server_ip information uses a string as a unit (for example, 222.103.141.187), and the client_port and server_port information uses a number as a unit (for example, 1254 or 80).

The packet analysis module 520 may calculate transaction_number information. transaction_number information is a transaction number generated after a session is established. 1 for the first transaction after a session is established. Usually, multiple transactions occur after a session is established, each time indexing by increasing the number by one. When viewing a page with a browser, when requesting each component in the page (js, css, image, etc.), when processing multiple transactions in one session, it can be distinguished by indexing by incrementing by 1 per transaction. For example, if it has transaction_number information of 8, it indicates that it was the 8th transaction after the session was established.

The packet analysis module 520 generates start_time information, start_usec information, end_time information, end_usec information, fin_time information, and fin_usec information in relation to the start and end of a transaction. This is based on the source ip, destination ip, and time information of the mirrored packet, and details of whether the same source (client) and the destination (eg, the server) give the request packet within a certain time interval and receive all related data. Can be obtained by analyzing

The start_time information represents a transaction start time (year, month, day, hour, minute, for example, 2012-07-18 22:33:06), and the start_usec information represents a transaction start time (million of second). The start_usec information may be a completed time in combination with the start_time (eg, 2012-07-18 22: 33: 06.288370).

end_time information indicates a transaction end time. That is, it indicates the end of data (the time of receiving the last response data of a transaction). For example, it may be represented as 2012-07-18 22:33:12.

The end_usec information represents the transaction end time in millionths of a second.

The fin_time information indicates the time when the transaction is completed, the next transaction comes to completion, the transaction is completed (receives Fin), or ends with a timeout (Timeout). For example, it may be represented as 2012-07-18 22:35:23.

fin_usec Info: Shows the transaction completion time in millions of seconds.

The packet analysis module 520 stores the transaction state under an information name of "state". This can be expressed as seven numbers and is as follows.

Transaction Status Code

1-session_finish: Initial state

2-3whs_syn_sent: Client sent syn during 3 handshake

3-3whs_syn_received: Client received syn / ack during 3 handshake

4-3whs_ack_received: Server receives ack during 3 handshake

5-session_connected: Session connected

6-session_request: The client has made a request

7-session_response: Server responded

Next, we save the transaction result under the name "result". This can be expressed as eleven numbers and is as follows.

Transaction result code

1-trans_finish: A transaction has been completed

2-client_finish: Session terminated by client (send Finish-FIN)

3-server_finish: Server terminated session (send Finish-FIN)

4-client_reset: Session terminated by client (send Reset-RST)

5-server_reset: Session terminated by server (send Reset-RST)

6-client_timeout: Client terminates because of timeout while sending request

7-server_timeout: Server terminated due to Timeout while sending response

9-session_error: HTTP session error

10-req_parser_error: HTTP Request Header error

11-rsp_parser_error: HTTP Response Header error

Next, the packet analysis module 520 calculates time information related to the response delay of the transaction. This includes tran_latency, tran_rsp_time, used_time, and fin_used_time information.

The tran_latency information indicates a transaction response wait time. This represents the wait time after the client sends a request to receive the first data from the server. This is in milliseconds. For example, it may have a value of 76328. tran_rsp_time is a transaction response time and represents a transmission time of response data. In other words, it indicates the time when the server transmits the response data. Again, one millionth of a second is used as a unit. The used_time information is a transaction total use time and may be calculated as "End Time-Start Time". This represents the time it takes for the session between the client and server to be established and both the client's request and the server's response are completed. The fin_used_time information is a usage time until the completion of a transaction and is calculated as "Fin Time-Start Time".

The packet analysis module 520 calculates session_req_pkts, session_req_bytes, session_rsp_pkts, session_rsp_bytes, session_bps, sess_max_bps, session_pps, and sess_max_pps information.

The session_req_pkts information represents the number of transaction request data packets, which are calculated based on the number of packets sent by the specific client as request data. This is in number units. The session_req_bytes information indicates bytes of request data of a transaction and is calculated based on the amount of bytes sent by the specific client as request data. The unit is byte. The session_rsp_pkts information indicates the number of transaction response packets and is calculated based on the number of packets of response data sent from a specific server to the client. The number is a unit. The session_rsp_bytes information indicates bytes of response data of a transaction and is calculated based on the amount of bytes sent by the specific server as response data. The unit is byte. The session_bps information represents the real time BPS of the session and is calculated based on the BPS of the currently established session. The unit is a number. The session_pps information represents a real-time PPS of a session and is calculated based on the PPS of the currently established session. The unit is a number. The sess_max_pps information indicates the maximum PPS of the session and is calculated based on the maximum PPS during the period in which the session is to be used. The unit is a number.

Next, the packet analysis module 520 generates domain, url, method, and response_code_number information.

The domain information indicates information related to the domain among URLs requested by the client. This is in strings. For example, information such as "www.lgmobile.co.kr" is shown.

The url information is a Url requested by the client and indicates information such as "/jsp/front/search/include/akc.jsp". The unit is a string.

method information is a type of request method (POST, GET, HEAD, PUT ...), and indicates the type of request method requested by the client. The unit is a string.

The response_code_number information is a response result and is represented by an HTTP status code. For example, it may be expressed as one of "200, 304, 404, 500 ..." as a Response Status Code responded by the server. The unit is a string.

The packet analysis module 520 calculates users, max_users, sessions, max_sessions, wait, max_wait, ups, max_ups, cps, max_cps, tps, max_tps, latency, max_latency, and idle information.

The users information may indicate the number of real-time users (based on Client IP) of the corresponding Url and may indicate, for example, "the number of real-time users of /jsp/front/search/include/akc.jsp". The unit is a number.

The max_users information indicates the maximum number of users of the corresponding Url during the time when the Url is being used, for example, "the maximum number of users of /jsp/front/search/include/akc.jsp". The unit is a number.

The sessions information indicates the number of real time sessions of the corresponding Url and may indicate, for example, "the number of real time sessions of /jsp/front/search/include/akc.jsp". The unit is a number.

The max_sessions information may indicate the maximum number of sessions of the corresponding Url during the time when the Url is in use, and may indicate, for example, "the maximum number of sessions of /jsp/front/search/include/akc.jsp". The unit is a number.

The wait information may indicate, for example, the number of real-time response wait sessions of jsp / front / search / include / akc.jsp as the number of real-time waits of the corresponding Url. The unit is a number.

The max_wait information may indicate, for example, "maximum number of response waiting sessions of /jsp/front/search/include/akc.jsp" as the maximum number of response waiting sessions of the corresponding Url during the time when the Url is being used. The unit is a number.

The ups information indicates a real time UPS of the corresponding Url, and may indicate, for example, "a real time UPS of /jsp/front/search/include/akc.jsp". This means "the number of users connected per second to /jsp/front/search/include/akc.jsp". The unit is a number.

The max_ups information indicates a Max UPS of the corresponding Url, and may indicate, for example, "maximum UPS of /jsp/front/search/include/akc.jsp". The unit is a number.

The cps information represents the real time CPS of the corresponding Url, and may represent, for example, "real time CPS of /jsp/front/search/include/akc.jsp". This means "number of sessions connected per second to /jsp/front/search/include/akc.jsp". The unit is a number.

max_cps This indicates the Max CPS of the corresponding Url, for example, "Max CPS of /jsp/front/search/include/akc.jsp". The unit is a number.

The tps information may indicate a real time TPS of the corresponding Url and may indicate, for example, "a real time TPS of /jsp/front/search/include/akc.jsp". This means "the number of transactions occurring per second in /jsp/front/search/include/akc.jsp". The unit is a number.

The max_tps information indicates the Max TPS of the corresponding Url, and may indicate, for example, "maximum TPS of /jsp/front/search/include/akc.jsp". The unit is a number.

The latency information may indicate, for example, "real-time latency of response (jsp / front / search / include / akc.jsp)" as a latency of the corresponding Url. The unit is a number.

The max_latency information may indicate Max Latency of the corresponding Url, and may indicate, for example, "Max Latency (Response Wait Time) of /jsp/front/search/include/akc.jsp". The unit is a number.

The idle information may indicate the idle of the corresponding Url and may indicate, for example, "the time when there was no request of /jsp/front/search/include/akc.jsp." If the Url is used a lot, Idle is shortened. On the contrary, if the Url is not used much, the idle is long. The unit is a number.

The packet analysis module 520 may generate content_len, mime, referrers, agent, and cookie information by analyzing the header of the request packet of the client and the response packet from the server.

content_len, the information, indicates the content length of the response header, and indicates the length of the content included in the response HTTP header sent by the server. For example, it may mean "byte of /jsp/front/search/include/akc.jsp". The unit is a string.

The mime information indicates the response header content type. For example, it may be one of text / html and the like. This is the content type information included in the response HTTP header sent by the server. The unit is a string.

The referrers information indicates the referrer of the request header and indicates the referrer included in the request HTTP header sent by the client. For example, "the referrer of /jsp/front/search/include/akc.jsp is http://www.lgmobile.com/jsp/front/search/include/miniAkc.html". have. The unit is a string.

The agent information indicates an agent of the request header, which indicates an agent included in the request HTTP header sent by the client. This information is often sent by the browser and may include information such as OS version, browser type, and version.

The cookie information indicates a cookie of the request header and contains information related to the cookie included in the request HTTP header sent by the client.

The packet analysis module 520 is information related to a network service of a specific server and includes server_countrys, server_max_countrys, server_error, server_user, server_max_user, server_sessions, server_max_sessions, server_bps, server_max_bps, server_pps, server_max_rts, server_cp, server_ups, server_ups, server_ups, server_ups The server_tps, server_max_tps, server_hps, server_max_hps, server_wait, server_max_wait, and server_idle information can be generated.

The server_countrys information represents the real time country count of the corresponding server. For example, it may mean "the number of real-time countries of users connected to the server 203.247.157.199". Based on this, we can analyze the fact that there are currently two countries connected to the 203.247.157.199 server.

The server_max_countrys information represents the maximum country count of the corresponding server. That is, in the case of a registered server, the Max criterion may represent one day. This can be changed by user settings. For example, it may mean "the maximum number of countries connected to the server 203.247.157.199". This allows us to analyze the fact that the 203.247.157.199 server has been connected simultaneously in up to 10 countries.

The server_error information indicates the number of real time errors (400, 500 response codes) of the corresponding server. For example, 203.247.157.199 may indicate the number of user errors and / or server errors of 400 to 599 among the response status codes responded by the server.

The server_user information indicates the number of real-time users (based on Client IP) of the server. For example, it may mean "the number of real-time users of the 203.247.157.199 server".

The server_max_user information indicates the maximum number of users of the server. Here, in the case of a registered server, the criterion of Max may be one day. This can be changed by user settings. For example, this may represent "maximum number of users of server 203.247.157.199".

server_sessions Shows the number of real-time sessions of the server. The server_max_sessions information indicates the maximum session number of the corresponding server. The server_bps information represents the real time BPS of the corresponding server. The server_max_bps information indicates Max BPS of the corresponding server. The server_pps information represents the real time PPS of the server. The server_max_pps information represents Max PPS of the corresponding server.

The server_rtt information represents a real time RTT of the corresponding server. The server_max_rtt information indicates the Max RTT of the corresponding server. For example, this may be solved by the "maximum average RTT of the server 203.247.157.199". The unit of server_rtt information and server_max_rtt information is micro sec.

The server_ups information represents a real time UPS of the corresponding server. This may represent a "real-time UPS of server 203.247.157.199", which means that about one user per second is connected to the 203.247.157.199 server.

The server_max_ups information represents the Max UPS of the corresponding server.

The server_cps information may indicate the real time CPS of the corresponding server, for example, “the real time CPS of the server 203.247.157.199”. This means that there are about 15 sessions per second connected to the 203.247.157.199 server.

The server_max_cps information indicates Max CPS of the corresponding server.

The server_tps information represents the real time TPS of the corresponding server, and may represent, for example, "real time TPS of the server 203.247.157.199". This indicates that there are about 79 transactions per second on the 203.247.157.199 server.

The server_max_tps information represents Max TPS of the corresponding server.

The server_hps information represents the real time HPS of the corresponding server. For example, "real-time HPS of server 203.247.157.199". This means that about 203.247.157.199 serverrs are requested about 79 URLs per second.

The server_max_hps information indicates Max HPS of the corresponding server.

The server_wait information represents the number of waits of the corresponding server. For example, the "real-time wait number of the 203.247.157.199 server" may be indicated. This may indicate that the server 203.247.157.199 is currently waiting for 46 out of 206 sessions.

The server_max_wait information represents the maximum wait number of the corresponding server.

The server_idle information represents the idle time of the corresponding server. For example, it may indicate "the time when there was no request to the server 203.247.157.199". If the server has many users, the idle will be shorter. If the server is small, the idle will be long. The unit is micro sec.

According to an embodiment of the present invention, server_countrys, server_max_countrys, server_error, server_user, server_max_user, server_sessions, server_max_sessions, server_bps, server_max_bps, server_pps, server_max_pps, server_ups, server_max_ups, server_cps, server_tps, server_tps server_max server The unit of information is a number.

The packet analysis module 520 is information related to a network service of a specific client. The client_max_tps, client_hps, client_max_hps, client_wait, client_max_wait, and client_idle information can be generated.

The client_country_code information indicates a country code (KR ..) of the client. For example, "222.103.141.187 The country of the client may represent KR".

The client_error information represents the real time error number of the client. For example, "222.103.141.187 may indicate the number of errors from 400 to 599 of the response status code among the transactions requested by the client."

The client_servers information represents the number of real-time server connections of the client, which is calculated based on the server that the packet analysis module 520 is currently monitoring. For example, "222.103.141.187 may indicate the number of servers currently connected to a client." The client_max_servers information indicates the maximum number of simultaneous servers of the client. The client_sessions information represents the number of real time sessions of the client. The client_max_sessions information represents the maximum number of sessions of the client.

The client_bps information indicates the client's real time BPS, the client_max_bps indicates the client's maximum BPS, the client_pps information indicates the client's real time PPS, and the client_max_pps information indicates the client's maximum PPS.

The client_rtt information indicates the real time RTT of the client, and the client_max_rtt information indicates the maximum RTT of the client. The unit of client_rtt information and client_max_rtt information is micro sec.

 The client_sps information represents the real time SPS of the client and indicates how many servers are currently connected per second. The client_max_sps information indicates the maximum SPS of the client. The client_cps information represents the real time CPS of the client, which indicates how many sessions are connected per second. The client_max_cps information indicates the maximum CPS of the client. The client_tps information represents the client's real-time TPS, which indicates how many transactions are occurring per second. The client_max_tps information represents the maximum TPS of the client. The client_hps information represents the real time HPS of the client, and the client_max_hps information represents the maximum HPS of the client.

The client_wait information indicates the real-time wait number of the client and indicates the number of sessions currently waiting for a response from a specific client. The client_max_wait information represents the maximum wait number of the client, and the client_idle information represents the real time idle time of the client, which represents a time when there was no request from a specific client. The unit of client_idle information is micro sec.

According to an embodiment of the invention, client_country_code, client_error, client_servers, client_max_servers, client_sessions, client_max_sessions, client_bps, client_max_bps, client_pps, client_max_pps, client_sps, client_max_sps, client_cps, client_max_cps, client_tps, client_tps, client_tps_client_ The unit is a number.

In addition, the packet analysis module 520 may generate org, city_id, isp_id, os_id, browser_id, mobile_id, and telcom_id information.

The org information represents the organization of the IP-based client. For example, "Organization of 222.103.141.187 Client" may represent Korea Telecom.

The city_id information may indicate the city code of the IP-based client. For example, "City of 222.103.141.187 Client" may represent Seoul.

The isp_id information represents an ISP code of an IP based client. For example, "ISP of 222.103.141.187 Client" may represent Korea Telecom.

The os_id information represents the OS code of the client of the client. This allows you to see information about whether the client uses Win XP, iOS, or Android as the OS.

browser_id represents the browser code of the client. This will give you information about whether the client is using a browser, explorer, chrome or MSIE9.

The mobile_id information represents a mobile code of a client. This is the device identification information of the client and indicates whether it is a Samsung, Pantech, or Apple device.

The telcom_id information represents the TelCom Code of the client. This indicates information on whether the client's carrier is SKT, KT, or LGT.

Network service performance related indicators associated with the above 120 packets are generated in real time and stored in a database 522.

The service module 530 generates statistics based on performance related indicators stored in the database 522. Statistics may be performed on a specific server basis, on a specific user basis, on a URL basis, on a session basis, on a server group located in a specific region, on a client group located in a specific region, and / or on a web page. The service module 530 appropriately visualizes the performance-related indicators so that the user may intuitively grasp the performance of the service according to the current network by using various preset visualization tools. Visualization is performed based on statistics. In other words, the indicators associated with a specific parameter may be collected to generate a graph or table in a meaningful form. For example, the server may generate a list of sessions generated at a specific time in association with a specific client or server, or generate a table for a database query generated at that time. That is, since the performance-related indicators associated with the network service are stored together with the time information (time stamp information) of the corresponding packet, a flow map for understanding the packet flow in a specific time zone in relation to the client terminal and the server side. You can also create Various statistics and corresponding visualization methods will be described in more detail with reference to the following drawings.

In order to generate a specific graph or a specific table / list in response to an input from a user, the service module 530 may include a desired time or a desired environment (for example, a specific web browser type or a specific user terminal type (mobile or PC)). You can search and search based on criteria variables such as The service module 530 may classify desired data based on the selected reference variable to generate visualization information of an appropriate type.

According to an embodiment of the present invention, the service module 530 may perform an alarm function for finding and displaying a problem part in the network service. For example, when the number of waits is greater than or equal to the threshold, it may be determined that there is a problem in the response speed of the corresponding section, and visually display that there is a problem in the corresponding section. Warning means according to the problem may be implemented in the form of sending a text message or e-mail to the contact person already stored in addition to expressing differently visually. This will be described in more detail with reference to FIG. 12.

Various statistical data generated by the service module 530, visualization information data, information related to the visualization tool, and various threshold information set by the user are stored in the service database 532, and the user may randomly select the user through the user interface 540. When requesting the processed information of, it can return the corresponding information.

The user interface 540 includes a device that receives various inputs from an operator and outputs visualized information such as a graph or a table generated by the service module 530. This may include input means such as a mouse, keyboard, touch pad, and output means such as a monitor or touch screen. The user is connected to the database (eg server name, server IP, associated URL, port, sort number, server location information, addressable IP area, etc.), and various server-side connections (links). UX / UI database information can be entered, including a flow database associated with the < RTI ID = 0.0 >) < / RTI > and visualization tools for output to the user and / or metadata associated with the visualization. In addition, a rule set for determining a problem may be input and various setting values associated with the rule set may be input.

6 is a flowchart schematically illustrating a method for diagnosing network performance of a packet mirroring apparatus according to an embodiment of the present invention.

Referring to FIG. 6, the packet mirroring apparatus obtains a mirrored packet from the switching apparatus (S610).

Then, after extracting the source IP, destination IP and time information from the mirrored packet, various performance-related indicators are calculated (S620). Some of the performance indicators may be calculated in transactional units, and certain performance indicators may be calculated in seconds.

In operation S630, the packet mirroring apparatus calculated performance-related index may be stored in a local storage and / or an external database. In addition, in order to visualize statistical information desired by a user and / or network administrator of the client terminal based on the calculated performance-related indicators, statistics for each indicator may be output and search and search results for desired information may be returned. . In addition, in the case of more than a specific value in connection with the service, it may be determined that the problem on the network, and it may be displayed for each section or for each website.

7A and 7B are conceptual diagrams illustrating a network round trip time (RTT) index between a user and a server calculated in a packet mirroring apparatus according to an embodiment of the present invention.

Referring to FIG. 7A, a packet mirroring apparatus calculates round trip arrival time (RTT) information of a packet on a network between a user and a server. In this case, it is assumed that the packet mirroring device is between the client and the server. Assuming a basic synchronization scenario, the first client sends a sync signal (SYN), the server receives it, the server sends a sync signal and an acknowledgment signal (ACK) in response to the received sync signal, and the client The response signal ACK may be transmitted in response to the signal from the. The transmission and reception of these three signals may be called 3-way handshake.

In this signal transmission scenario, since the packet mirroring device is between the client and the server, the mirrored packet arrives at the T1 time point earlier than the time when the synchronization signal SYN arrives from the client. The synchronization signal and response signal from the server arrive at the packet mirroring device at the time T2 earlier than the client arrival time. Finally, the response signal ACK at the client arrives at the packet mirroring device at time T3 earlier than the time of arrival at the server.

In this relationship, the packet mirroring apparatus can secure the T1 to T3 time information with respect to three packet transmission / reception points, and the " T3-T1 " It can calculate by using. This may be called network RTT.

Referring to FIG. 7B, the network RTT may be further subdivided to calculate and calculate the RTT in the server and the RTT in the client. The RTT (sRTT) at the server represents the time delayed at the server side for one packet, which can be calculated using "T2-T1".

In addition, the RTT (cRTT) in the client can be calculated using "T3-T2" as the RTT in the client.

The packet mirroring apparatus according to an embodiment of the present invention calculates and stores the three RTTs, the network RTT, the server RTT, and / or the client RTT for each transaction in real time.

8 is a conceptual diagram illustrating a delay index calculated in a packet mirroring apparatus according to an embodiment of the present invention.

Referring to FIG. 8, the packet mirroring apparatus may calculate various delay indicators. In this case, it is assumed that the packet mirroring apparatus exists between the client and the server, and the client transmits the plurality of request packets to the server, and the server transmits the plurality of response packets to the client in response to the plurality of requests.

The packet mirroring device has a T1 time when the first client request packet arrived, a T2 time when the last client request packet arrived, a T3 time when the first response packet arrived from the server, and a T4 time when the last response packet arrived from the server. Can be obtained through the arrival time of the mirrored packet.

In this case, the request time information of the delay indicators indicates a time when the request reaches the server from the time when the plurality of requests from the client to the server starts to be transmitted. In this regard, the packet mirroring apparatus may know the time at which the first request packet originated from the client based on the time point T1 through the cRTT divided in half. Also, sRTT divided in half shows the time when the last request packet actually reached the server. Through this arithmetic analysis, it can be calculated using "request time = cRTT / 2 + (T2-T1) + sRTT / 2". In general, sRTT value is very small, so cRTT / 2 + (T2- It is calculated to be close to T1) value.

Next, the response latency represents the response delay time until the server receives the content or data associated with the request from the URL associated with the client's request. In other words, as soon as the server receives the data, it sees that it performs a transfer to the client and indicates the time until the server receives the first data related to the request from the URL. This is ultimately calculated as (T2-T3) minus the sRTT value. Here, since the value may be small enough to ignore the sRTT value, "T2-T3" may be the response waiting time.

Next, the response data transmission time represents a time required for the server to transmit the content related to the request to the client. This is calculated using the equation "response time = sRTT / 2 + (T4-T3) + cRTT / 2". Considering that sRTT is a very small value, it almost matches the value of (T4-T3) + cRTT / 2.

Calculating the usable time from sending the request on the client side to receiving the entire response data related to the request, it is the sum of the request transmission time, the response waiting time and the response data transmission time. time = (T4-T1) + cRTT ".

9 is a conceptual diagram illustrating a server response waiting session number index calculated in a packet mirroring apparatus according to an embodiment of the present invention.

Referring to FIG. 9, since the server processes at least one request from a plurality of clients, even one server processes a plurality of sessions in connection with the requests. In this case, the longer the processing time in the server, the longer the waiting time in the client, which requires the user of the client device to be patient. Therefore, this response waiting session number information at the server has a significant meaning.

The number of sessions waiting for response is calculated as the number of remaining sessions minus the session in which the actual response data is transmitted to the client through processing by the server among a plurality of sessions associated with the request. For example, if only one response is made for three sessions, the response waiting session number is calculated as wait = 3-1 = 2. That is, the packet mirroring device can secure all the mirroring packets for the actual packets that are present between the client and the server and are transmitted and received between them, so that the number of response waiting sessions currently being processed in the server can be clearly understood.

According to an embodiment of the present invention, whether the processing of the specific request is completed in the server may be determined based on whether the response packet for the request for the specific URL is transmitted to the client based on the source ip and the destination ip. In the case of a response packet, it can be identified by checking whether the destination ip and the source ip are included as opposed to the request packet while being associated with the specific URL indicated in the request packet.

10 is a conceptual diagram illustrating a CPS / TPS (Connection Per Second / Transaction Per Second) index calculated by a packet mirroring apparatus according to an embodiment of the present invention.

Referring to FIG. 10, one transaction includes at least one request between a client and a server and at least one response data packet according to the at least one request. In the embodiment of FIG. 10, three response data packets constitute one transaction for one GET request, which does not necessarily have a relationship of 1: 3, and there are more request packets and corresponding responses to the corresponding request packets. It is acceptable for data packets to have fewer relationships.

Such transactions also have important implications with regard to the speed and delay of network services. Accordingly, the packet mirroring apparatus calculates the number of newly attempted transactions per second. This is called TPS. In addition, the number of connections between a specific client and a specific server, which may be called a connection, calculates the number of newly attempted connections per second. This is called CPS.

In addition, periodically calculates UPS (User Per Second) information indicating the number of users connected per second and BPS information indicating the amount of data transmitted and received per second through a specific client, a specific server, or a specific session. PPS information indicating the number of packets transmitted and received per second, HPS information indicating the number of URLs requested per second, and SPS information indicating the number of servers connected per second are also periodically calculated.

In the embodiment of FIGS. 7A to 10, the packet mirroring device is present between the client and the server to calculate various indicators associated with the network delay between the client and the server. It may be present between a plurality of servers to calculate the delay between the servers. For example, the delay indicator between the web server and the WAS server may be calculated to exist between the web server and the WAS server, and the delay indicator between the WAS server and the DB server may be calculated between the WAS server and the DB server. In addition, a plurality of packet mirroring devices are arranged in the server side including a plurality of servers to calculate the delay index for each section, and by sharing the calculated delay index with each other, the delay index for each section and server in the entire server network Can also be displayed.

According to another embodiment of the present invention, one packet mirroring device is connected to a switch between a client and a web server, a switch between a web server and a WAS server, and a switch between a WAS server and a DB server, respectively. The device may be configured to calculate a delay index for each section and / or server for a plurality of server sections.

FIG. 11 is a diagram illustrating a flow map generated based on a performance index calculated by a packet mirroring apparatus according to an embodiment of the present invention.

Referring to FIG. 11, a flow map consists of a user and at least one server and links between the user and the server (associated with the session). In this embodiment, a user is connected to three web servers, three web servers are connected to three WASs, and three WASs are connected to one DB.

According to an embodiment of the present invention, in relation to the part of visualizing the performance indicators of the packet mirroring apparatus, the packet mirroring apparatus is implemented as a network performance indicator visualization apparatus, wherein the performance related indicators are necessarily generated based on the mirrored packets. Indicators do not have to be used. After acquiring the packet in another manner, the performance-related indicators are calculated in the above-described manner based on the information in the obtained packet, and then the corresponding performance-related indicators are objectized to describe a flow map, a server list, a user list, and a URL list to be described later. You can create session lists, web page analysis pages, and more.

First, in the embodiment of FIG. 11, the packet mirroring apparatus may generate a flow map indicating a traffic flow of a network including each entity based on the calculated performance-related indicators. At the top of the flow map, there is a part for setting a time section to be viewed. When the real time setting is made, the flow map of the present time is reproduced. In order to find out the performance of the network service at a certain point in time in the past, the flow map of the point in time may be reproduced. For example, if you want to see the section from 11:11 January 2, 2017 to 01:33 January 3, 2017, the user sets the start time and the end time, respectively, and is generated based on the corresponding time point. Play the content associated with the flow map. At this time, a time bar is generated according to the set start time and end time, and a flow map of a desired time point is reproduced by controlling fast forward movement, fast backward movement, and play / stop on the generated time bar. Can be. In this case, the indicators to be displayed through each link, each user, and each server may be selected. For example, it may include at least one of response latency, response wait session number information, BPS, CPS, TPS, UPS, and the like. In addition, you can choose to display the IP address with each user and each server.

According to an embodiment of the present invention, in the flow map, the user and each server displays the performance related indicators calculated above. In this case, indicators related to delay and / or speed of the network may be used among the performance-related indicators. Each performance indicator is objectified and displayed on a specific visualization space. Here, the object is a data object, which is an object of the performance-related indicators to appear on the flow map. For example, it may include data such as response latency or BPS. Since each performance-related indicator includes time information, an object may also be implemented to include time information and mapped to the visualization space. The visualization space represents a display space for displaying an object, and a plurality of objects may be represented in the visualization space.

In generating the flow map, the packet mirroring apparatus determines whether a performance indicator is related to an entity (eg, a client, a server, a link between a client and a server), identifies which performance indicator, and then identifies the performance indicator. Based on the content of the performance indicators (BPS, response wait session, response latency, etc.) and the objects of the performance indicators, a flow map is generated according to predetermined metadata on the visualization space. do. In particular, one performance-related indicator corresponds to one object and is expressed in a visual form for each indicator, but highly relevant performance-related indicators (for example, indicators such as response latency and number of sessions waiting for the same user). Can be objectified with one visual form. That is, two data may be displayed together in a certain format on one client icon. The same applies to performance indicators associated with server-side and links.

For example, a delay indicator such as a response latency of a user of 0.63 ms is objectized and represented on the visualization space associated with the flow map. The link is objectified based on at least one of the performance related indicators between the plurality of entities. The server is objectified based on at least one of the performance related indicators associated with the server and represented on the visualization space. The delay indicator displayed on the flow map does not necessarily include only the response waiting speed, but may display another at least one indicator among about 120 performance-related indicators generated according to an embodiment of the present invention. In this case, the displayed response waiting speed may indicate a current response waiting speed, and when there are a plurality of response waiting speeds in a plurality of links, the fastest response waiting speed, average response waiting speed, and / or maximum depending on a user setting The slow response wait rate can be displayed.

In addition, in the flow map, with respect to the user and each server, the number information of the total sessions to which the current user is associated and the number of sessions waiting to be processed may be displayed in the form of "1/203".

According to an embodiment of the present invention, a user may be displayed as a user group of a specific region. For example, users in one company may be represented as a group user associated with one company, and the number of related users may be separately indicated. In addition, users may be classified into a group 1, a group 2, and the like in one group. In this case, the classification criteria may be directly set by the administrator, or may be automatically classified based on information related to a region, an organization, and / or an IP. In addition, performance indicators for the classified users may be separately processed. The separate processing may mean that the object is generated as a separate object when objectifying the flow map. That is, in the group of 50 employees, group 1 may be classified into 15 people and group 2 may be classified into 35 people. In this case, user 1 represents 15 performance indicators of group 1, and group 2 represents performance indicators of the remaining 35 people. It can be objectized based on and displayed in the flow map.

In the case of the server, the number of sessions currently being processed may be displayed as "1/122" without being processed, compared to the total number of sessions connected to the server. In this case, the information associated with the session may be changed into information associated with a transaction and / or information associated with a connection (or a link) according to a user setting. That is, about 120 performance related indicators previously calculated by the packet mirroring apparatus may be appropriately illustrated in the flow map.

In the embodiment of FIG. 11, each link is associated with sessions between packet transmission and reception. Information objectized and displayed in the form of a square box in the middle of the link may include delay rate indicators such as response wait rate, response wait session number information, and BPS. For example, in the case of the user and the homepage_WEB 1 at the top of FIG. 11, there is currently a response waiting rate of 0.03 s for a specific packet between two entities, and there are 122 sessions, most of which have been processed, and only one session is currently present. You can see at a glance that this response is waiting. In addition, it can be seen that the service is performed at a high speed with a BPS of 401.4k.

On the contrary, the portal administration _WEB 1 at the bottom of FIG. 11 and the user have a very slow speed with a response latency of 1.35 s. The ratio of the number of sessions waiting for response to the total sessions of 0/65 is currently 28.61k It shows a relatively low BPS. Therefore, due to the low response latency and BPS, the link has a warning indication regarding "segment delay". The warning display can be expressed by the method of classifying the color of the line representing the link, the thickness of the line, or the method of changing the shape of the line. For example, a threshold value associated with a plurality of response waiting speeds is set, and the state is distinguished by comparing the set threshold value with the current response waiting speed value. The state may be determined by a rule set to be described later, and may be divided into a plurality of sections through a plurality of thresholds. For example, it may be divided into states such as "normal", "warning", "problem", and the like, and the state may be determined based on a result of comparison with a threshold value. There is a visual representation corresponding to the determined state, and the state may be represented by the corresponding visual representation. For example, the worst state may be represented by a red color indicating "problem occurrence" and the next bad state by a yellow color indicating "warning". That is, different visual expressions may be achieved for each of the plurality of sections corresponding to the plurality of thresholds. The visual representation includes at least one change in the color, thickness, or shape of the object. In particular, in a link-related state, the "normal" state is black, the "delay" state is red, the "network problem" state is black, and the "network delay" state is red. It can be displayed for the operator to understand.

In addition, in the flow map, the web server is associated with at least one WAS server. In particular, the upper two web servers (homepage_WEB 1 and homepage_WEB 2) are connected to form two links with two WAS servers (homepage_WAS 1 and homepage_WAS 2). That is, the web server (homepage_WEB 1) is also connected to two WASs (homepage_WAS 1 and homepage_WAS 2), and the web server (homepage_WEB 2) is also connected to the two WASs (homepage_WAS 1 and homepage_). Connected to WAS 2). Thus, four links are generated, and the performance-related indicators are displayed for each of the four links.

In this way, not only the user-web server section, but also the web server-WAS section and the WAS-DB section can be represented, and this visual representation allows the user to intuitively select which section on the network server is present or past. Find out if there is a problem with the server.

According to another embodiment of the present invention, it is not necessary to represent three sections of a user-web server section, a web server-WAS section, and a WAS-DB section, and one section (eg, a user-server section) smaller than this. Alternatively, the DB server section may be hierarchized into a plurality of DB server sections, such as a DB slave, a DB master, and a DB end. The same is true of web servers and WAS. The configuration of this overall flow map may be created through user settings (which may be stored as metadata).

In relation to the generation of the flow map, the packet mirroring device configures the web server, WAS server, and DB server associated with the user's request based on the mirrored packet analysis based on the centralized user (ie, the client terminal's IP). can do. That is, the server side related to the destination ip and / or URL in the mirrored packet can be extracted as a component of the flow map, and the connection relationship of the flow map can be generated based on the extracted ip of each server and visualized. Alternatively, a specific server to be centrally set first, and a flow map may be generated by associating a user who sends a request to the server with other servers associated with the set server based on the set server.

Metadata associated with the configuration of the flow map may be stored in advance in the service database 532 of FIG. 5. The metadata may store colors, fonts, physical file locations, tile backgrounds, and the like, as well as information related to the shape and location coordinates of the target object (eg, user, server, and link) to be objectified. This is described in more detail below.

12 is a table illustrating an example of a setting value for determining whether an alert associated with network performance occurs in a packet mirroring apparatus according to an embodiment of the present invention.

Referring to FIG. 12, in a flow map or other visualized representation, a packet mirroring device may alert a user to performance-related indicators associated with the current network service against various thresholds, thereby preventing the user from having a large traffic problem in advance. To help. In connection with the alert determination, setting of various threshold values may be required.

In general, the judgment on the warning situation can be divided into server warning and interval warning. Each has a separate set of available rules. For server intervals, the portion of server state (Service Down, Server Down), number of sessions, number of sessions waiting for response, response waiting time, CPS, TPS, BPS, HTTP 40x or 50x errors It may be determined based on the. The interval warning may be determined based on the number of response waiting sessions and the response waiting time.

As shown in FIG. 12, the packet mirroring apparatus determines whether a problem of a network service occurs based on at least some of the performance related indicators. Latency information indicating a response delay time until the server receives the first data associated with the content from the URL associated with the request for the client's content, and the client has not received a response to the request. Based on the wait wait information indicating the number of sessions, web traffic delay, WAS traffic server delay, excessive WAS traffic wait, DB traffic delay, and web WAS interval delay may be determined. The packet mirroring apparatus may determine whether a problem occurs by comparing a performance related indicator with a threshold value and measuring a duration in which a value of the performance related indicator higher than the threshold value exists as a result of the comparison.

First, a web traffic delay may occur when all the web servers have a response waiting time of more than 5 seconds while the number of response waiting sessions is 70% or more. If the time is longer than 10 seconds according to user settings, it may be determined that there is a problem with web traffic delay.

In addition, the WAS traffic server delay may be determined that the problem occurs when the response waiting time for the WAS server lasts 5 seconds or more. The excessive WAS traffic wait is considered to be a problem when the number of sessions waiting for more than 70% for the WAS server lasts more than 5 seconds.

DB traffic delay may occur for all DB servers when the number of response waiting sessions is over 30% and the response waiting time exceeds 5 seconds. If the time is longer than 10 seconds according to the user setting, it may be determined that there is a problem with DB traffic delay.

Furthermore, in relation to the occurrence of the delay of the web WAS interval, it may be determined that there is a problem when all the web servers and the WAS server have a response waiting time of 5 seconds or more and continue for about 5 seconds or more.

In addition, the packet mirroring apparatus may determine whether a problem occurs by comparing a speed-related indicator such as BPS with a threshold value. The excessive BPS occurs for all servers, but if the BPS is over 50M for more than 5 seconds, it is considered a problem.

The excessive CPS occurs for all servers, and it is determined that a problem occurs when the CPS exceeds 150 for about 10 seconds.

In the case of 50X and / or 40X errors, it is determined that a problem has occurred for all web servers if the HTTP 50x error (or HTTP 40x error) exceeds 5 for about 5 seconds.

In case of excessive wait, if the total number of sessions is over 1000 for all servers and the percentage of sessions waiting for response exceeds 80%, it is determined that a problem has occurred.

The various thresholds, associated duration thresholds, destination server IPs, and thus alert levels associated with this problem occurrence are selected to be changeable by user settings.

According to an embodiment of the present invention, an alert level may be determined to match the problem situation as described above, and the alert state is represented in the flow map and various other visualization tools according to the alert level. In addition, as an action matching a problem situation, an operation of notifying an alert situation to an SMS text message, an e-mail, and / or a social network service (SNS) associated with a preset party account may be performed.

According to another embodiment of the present invention, since the packet mirroring device continuously stores data about an indicator related to network performance over time, the stored data constitutes big data. By applying a machine learning algorithm to the stored big data, it is possible to adaptively generate an appropriate rule set for an alert situation. For example, a packet mirroring device may have a lower or higher threshold for a WAS server where WAS traffic delays occur constantly, based on data on the average response latency and / or number of sessions waiting for past WAS servers. It can be set high.

In addition, the average response delay time and / or response waiting session number, BPS in the normal category, while storing response delay time and / or response waiting session number, BPS, or TPS values in the normal category are stored through historical big data. If the difference is greater than or equal to the threshold value compared to the TPS value, a problem may be determined.

Otherwise, when the service speed delay occurs intensively on only one server in the connection relationship between the web server and the WAS server, or the WAS server and the DB server, the speed delay above the threshold value compared to the average speed delay value with other servers occurs. It may be determined to express the warning.

13A and 13B illustrate exemplary response speed analysis for each section according to a flow map.

FIG. 13A shows a load balancing situation in a morning time zone for a specific network service, and it can be seen that the system operates in a normal situation. FIG. 13B illustrates a load balancing situation in an afternoon time zone associated with the specific network service. Here, the number of transactions of 601 is shown in the uppermost web server, and it indicates that an excessive transaction is processed.

In this way, it is possible to intuitively grasp the state of the service at a specific time in the present and the past through the flow map. Compared to the morning time zone, the WEB 1 server is handling more transactions than other servers during the busy afternoon time period, so the operator can be notified of this by warning indications such as number expansion or red display. In particular, such warning may be performed by comparison with other servers. That is, when the amount of transaction transactions in a specific server is significantly higher than the average transaction transaction volume of a plurality of servers existing at equal server intervals, the problem may be determined and a warning may be determined by comparing with a set threshold. have.

14 is a view showing a dashboard for visualizing performance indicators between a user and a server.

Referring to FIG. 14, the flow map identifies and visualizes problems by user, server, and communication section. It may be updated at a predetermined period (eg, 1 second unit). If you want to look at detailed performance-related indicators for a specific link in the flow map, you can click on the link to see detailed performance-related indicators.

When one of a plurality of links between the user and the web server section is clicked, performance related indexes such as URL information, response waiting time information, and packet method information list associated with the link may be output. In the case of the web server and WAS sections and the WAS and DB server sections, a list of relevant performance indicators may be output. In this way, when a specific analysis of a problem in a specific section is needed, the user can identify the details by looking at the details of related performance indicators. Performance-related indicators displayed in the list displayed for each section may be different.

In particular, when it is expressed that there is a problem with a particular link, the particular link is determined as a parameter and the details associated with the specific link as a parameter are called. Then, a list of details is displayed. In this case, the packet mirroring apparatus may display the performance-related indicators (for example, the performance-related indicators indicating higher than the threshold) causing the problem differently from the normal range indicators such as red in the corresponding list. Allows the user to identify the cause at a glance. That is, the problem occurrence part of the flow map and the related list / page may be expressed to match each other based on parameters.

According to an embodiment of the present invention, the settings related to the drill-down movement from a specific map to a specific page (or list) may be stored through a user setting, and may be changed to a template desired by a user. . That is, the page (or list) may have hierarchical information, and when a specific area in the list is clicked, the packet mirroring device uses the information associated with the corresponding area as a parameter and the page (or list) of the lower layer having the same parameter. Call)

15 is a diagram illustrating a monitored page of detailed traffic for each server, user, URL, and session.

Referring to FIG. 15, the packet mirroring apparatus may display a current state in a table form so as to recognize at a glance a server, a user, a URL, a session, and other performance related indicators associated with the packet mirroring apparatus. The packet mirroring apparatus may generate a list for each management server, a user associated with the server, a URL, and a session in association with a network. This is done by periodically monitoring and storing detailed traffic associated with the list (eg, in units of 1 second). Here, the Max part represents a maximum value associated with the corresponding server, such as server_max_xxxx information (eg, server_max_user information). That is, the maximum management target server, the maximum number of users, the number of URLs and the number of sessions, etc. of the server may be represented, and the Current part may represent the server, the number of users, the number of URLs, and the number of sessions currently used in real time.

In this case, when a server is clicked, a server list including information of servers currently managed by the packet mirroring apparatus is displayed, as in the drill-down method of FIG. 14. The server list includes the name of the managed server, server IP, country, number of users, number of sessions, number of transactions, number of sessions waiting for response (and rate), TPS, BPS, app latency, web latency, RTT, errors, and status. Information and the like can be displayed.

When the user portion is clicked, the packet mirroring apparatus displays a user list including information of users associated with all clients currently associated with the managed server. In the user list, the IP of the client terminal, the server, session, transaction, number of waiting sessions (and rate), SPS, CPS, TPS, HPS, BPS, PPS, RTT, error, agent, web browser, Information related to cities, institutions, and the like may be displayed.

Clicking on a session displays a list of sessions containing information about sessions currently managed by the packet mirroring device. In the session list, the IP of the client terminal of the user associated with the session, the IP of the server associated with the session, the associated URL, the method, the result code value, the number of transactions, the waiting time of the response, the agent, the city, the institution, and the status information may be displayed. have.

Clicking on the URL displays a list of URLs containing information of URLs currently managed by the packet mirroring device. The list of URLs includes the IP, URL address, method, result code value, number of sessions (or currently connected sessions in total), number of sessions waiting for response, UPS, CPS, HPS, BPS, and response waiting for the server associated with the URL. Information related to time, number of downloads, and length may be displayed.

At the far right of each list is an icon labeled Act. When you click on the action icon, you can see the specific server in the server list, the specific user in the user list, the specific session in the session list, and the packets associated with the specific URL in the URL list. Details are displayed. Here, a variable that is a parameter for switching between lists is called a parameter, and in this embodiment, a specific server (eg, WEB_administrative portal 1 server), a specific user, a specific session, a specific URL, and the like are parameters. . That is, in switching the list, in a detail request (also referred to as a list switching request) through a user's click or the like, a specific parameter by a click is determined, and then another type associated with the specific parameter is determined. A list is displayed. This list switching and drill-down movement of pages with upper and lower hierarchical relationships are described in more detail below.

FIG. 16 is a diagram illustrating a page for identifying contents of detailed session information and an error of an application.

Referring to FIG. 16, as described above, each list managed by the packet mirroring apparatus may be displayed with an association of parameters. That is, when a specific session of the session list is clicked, a specific session is determined as a parameter, and a user list, a server list, and the like related to the specific session can be checked. In this case, since the information included in the mirrored packet and the information related to the performance related indicators are stored with time information, the detailed information included in each list may also have time information, and the details of the point in time desired by the administrator. Can return

In the embodiment of FIG. 16, when a specific session is clicked on in the user list, information related to the parameter session is extracted using the session as a parameter, and a new session list is displayed (see the upper left list of FIG. 16). . Here, when a user clicks on a session of a particular user, the packet mirroring device determines, as a parameter, the session of the user associated with the clicked area, associated with the currently connected 155 sessions of up to 178 session data associated with the particular user. Extract data and display it in list form. That is, the user may check an application related to a specific session associated with the user while viewing the session list. The session list includes the IP of the client terminal of the user associated with the sessions of the specific user, the IP of the server associated with the session, the associated URL, the method, the result code value, the number of transactions, the response latency, the agent, the city, the institution, the status. Information can be displayed.

In addition, in the user list of the embodiment of FIG. 16, when looking at the session 70/143 of the user 172.18.220.14, the session list associated with the session is displayed as a list displayed at the right end of FIG. 16. Here you can see the user, server IP, and associated URL. And, in particular, you can check the DB query. To verify the DB query, the packet mirroring device extracts the contents of the packets associated with the DB query statement sent to a specific DB server and network performance indicators of the packets, and creates and visualizes them in a list form.

In addition, as described above, the user list may display information related to user-specific network usage such as CPS, TPS, HPS, BPS, and PPS. In addition, information on whether an agent, a web browser, or a mobile device, city, ISP, and institution information can be checked, and information related to an error occurrence is also displayed. In this case, when the error part is clicked, the stored information having the error code that the user wants to see is extracted, and a session list is generated and displayed based on the information of the sessions associated with the extracted information. In the embodiment of FIG. 16, a total of six errors are displayed in the user list, and when the error portion is clicked, six sessions related to six errors may be displayed in the form of a session list.

FIG. 17 is a diagram illustrating a page for confirming correlation associated with a problem element by a drill-down method.

Referring to FIG. 17, when a user list is output through a packet mirroring device and a user waits for a response wait session number part to check a service delay occurrence application, a response waits for a specific threshold value or a predetermined threshold ratio or more. A list of URLs and / or session lists indicating the number of sessions may be displayed. The user can look at the list of URLs and / or sessions and clearly see which applications are currently experiencing service delays. You can then react quickly and take action.

Also, in order to view the details of an error, in the session list, clicking on an error 400 and an error 500 outputs a session list including the sessions associated with the error, viewing the session list associated with the error occurrence and viewing the application associated with the error occurrence. You can check it.

18 is a diagram illustrating a process of confirming real-time service status for each server and detailed information for each alert.

Referring to FIG. 18, detailed information for each service state and alert may be checked for each server. The packet mirroring apparatus according to an embodiment of the present invention may generate a page displaying server state information. The page displays the server name, server IP, and the number of sessions currently connected, out of all allowable sessions. This can be expressed in a form where a certain part is filled in the form of an empty box. That is, 10% may be expressed in a form in which only one box of ten empty boxes is filled with color. In addition, such number and / or ratio related information may be represented in a box form. In addition, a graph of a change in response waiting time over time and a change in number of response waiting sessions over time may also be displayed. In this way, a plurality of server status information is arranged and displayed on one page in the packet mirroring apparatus, so that the user can recognize status information of at least some of the servers managed by the packet mirroring apparatus at a glance.

In this case, the server list may be displayed in a table form on the upper right side of the server status information, and may be displayed in a list form on the lower right side of the server status information with alerts associated with the management target server. Clicking on one of these (eg, the alert portion "too many sessions") displays the details related to the alert in the clicked area (see the top left window of FIG. 18). In response to the alert details request, the packet mirroring apparatus extracts performance related indicators at the corresponding time point of the server, and extracts indicators associated with an error therein. The information is then displayed in a list, including its associated information (eg, server IP, problem start time and end time associated with the alert). The number of warnings is also displayed. In addition, as status information, performance related indicators such as the number of users, sessions, response waiting sessions, UPS, CPS, TPS, BPS, RTT, response waiting time, 400 errors, and 500 errors are displayed.

When the play icon is clicked in the alert history portion, a flow map of the corresponding time zone is played by automatically setting a start time and an end time of the warning (refer to the bottom right flow map of FIG. 18). Here, you can detect anomalies in the link or server associated with a particular session.

At this time, if you click on the link related to the alarm situation, you can check the detailed alarm situation log of the sessions (especially transactions) associated with the two principals (client (Tokyo_office) and server (webSRV1) of the link at that time (left of FIG. See log data below), which contains logs for transactions in the corresponding time zone, including client IP, number of users, OS, ISP, RTT, etc., URL address, response Latency information, length, referrer, etc. The server information includes server name, response waiting time, user, session, TPS, response waiting session number, RTT and BPS information, and time information. Information indicating from what time the transaction was, and indicating whether the current state information, for example, a situation (session_response) waiting for a response from the server in the session, and And information (e.g., client_finish) is also displayed together.

19 is a diagram illustrating a diagnostic analysis page for a detailed log of an application.

Referring to FIG. 19, the packet mirroring apparatus may organize and display information related to an application into an application list (upper left list of FIG. 19). This includes the name and IP of the server associated with the application, the number of users, the number of sessions, the number of transactions, and the error information, the BPS, the amount of request data, the amount of response data, the number of response wait sessions, and the response latency information. Is displayed. At this time, if you want to see the part related to the error of the application, you can click the error part.

Then, the packet mirroring apparatus determines the part related to the clicked area as a parameter. Then find the transaction data associated with the application as a parameter. From there, data with an error indication is extracted, and log data related to an error of the application is output. This is transaction log data, which may be displayed in a form similar to the lower left log list of FIG. 18. Here, it is possible to determine which error occurred between which client and which server at which point an application error occurred.

In addition, the packet mirroring apparatus may display a response delay time of a specific application in a graph form according to time, and in particular, when a specific time point is clicked, the time point that is clicked is specified (for example, in a preset unit (1 minute unit)). Can be specified), and packets (or performance indicators based thereon) associated with the application at the specified time point are extracted. Here, the server may be expressed in chart form based on the location of the servers related to the application on the map in conjunction with a map representing geographic information. In this case, the server may be expressed in different forms based on response latency information generated during the request and response processing of the application. That is, the server having the first response waiting time is displayed in green, the server having the second response waiting time is shown in light green, and the server having the third response waiting time is displayed in yellow, so that the delay of the servers associated with the application is only displayed on the map color. Make sure you know what's going on. The status information can then be displayed at the bottom of the chart and response latency graphs. Status information includes country status, user status, URL status, where URL status is information related to the URL associated with the application, including URL address information, method information, transaction count information, error information, HPS, amount of response data, The average response waiting session number information, the average response waiting speed, and the download count information may be included.

20 is a diagram illustrating a process of tracking a user by estimating abnormal access.

Referring to FIG. 20, the packet mirroring apparatus may track an abnormal access user by using a specific user list. In the user list, when the action icon is clicked, the packet mirroring apparatus may extract all the access contents of a specific time zone of the accessor and display it in a list form.

In this case, the packet mirroring apparatus may display the session start time and the session end time side by side in the form of a time bar for each session based on the specific time zone. In this case, the information may not be displayed for each session but may be displayed for each transaction or for each accessed URL.

In this case, the time bar may be displayed through different visualization expressions. In particular, the client RTT, server RTT, request time, response waiting time and response data transmission time are each represented by different visualization representations (eg, different colors, different shapes, different thicknesses, etc.). Therefore, it can be intuitively understood through the time bar what kind of operation the specific session is performing in what specific time period in the specific time zone.

In addition, the packet mirroring apparatus may extract and display a usage time, a response waiting time, a method, a result value, type information associated with a URL, state information, and related URL information with respect to the session.

In addition, the packet mirroring apparatus extracts data related to the packet associated with the specific session in the corresponding time zone when detailed information related to the specific session is requested, and includes time information, cRTT information, sRTT information, request time, response waiting time, and response. The data transfer time can be displayed as a numerical value that is clearer than the time bar. URL information may also be displayed as related domain, URL address, type, method, result, BPS, PPS, number of users, number of sessions, and number of sessions waiting for response. In addition, related server information may be displayed as server IP, port, response data packet number, response data amount, user number, session number, and response waiting session number information.

Since the packet mirroring device can trace back the behavior of all users in a certain time period, it can track the users connected through the abnormal route, and induce abnormal behavior of the users (eg, excessive CPS, excessive TPS, and / or excessive error response). ) Can be traced back to which user.

FIG. 21 is a diagram illustrating a page visualizing a haptic speed up to a user's access for each main page.

Referring to FIG. 21, a packet mirroring apparatus may store information about sRTT, cRTT, request time, response waiting time, and response data transmission time information based on a web page associated with a user request in a mirrored packet, prior to the arrival time of the web page. Can be calculated on the basis of In addition, in relation to the flow map configuration, the time until the response data is received according to the request transmission is calculated based on the number of sessions according to the connection request to a specific server, response wait time according to the session, and response wait session number (wait) information. can do. In other words, it is possible to calculate the sensory response speed from a user's point of view to a specific web page and display it on one page. For example, the packet mirroring apparatus may utilize a used time as the haptic response speed.

The packet mirroring apparatus may convert the haptic response time of the plurality of web sites into a time value. In addition, when the threshold value is greater than the threshold value associated with the set haptic response time, it may be determined as a serious problem occurrence situation such as a warning or service down and server down.

The packet mirroring apparatus may express, in addition to the haptic response time, the number of response waiting sessions associated with the corresponding web site in comparison with the total allowable number of sessions as individual information about a plurality of web sites. In addition, the change in the response waiting time according to the passage of time can be summarized through a graph.

FIG. 22 is a diagram illustrating a page visualizing the response speed of the main page target user according to the warning.

Referring to FIG. 22, when a web site in a warning state is clicked, the packet mirroring device displays a performance analysis page according to the warning. For example, the performance analysis page may be a warning about a web-WAS delay, in which the analysis page organizes related actions into a list based on information in mirrored packets associated with the speed delay at that time. Display.

At this time, the sessions associated with a specific web site may be analyzed and the actions occurring at the corresponding time may be summarized. For example, the access behavior to the IP of the server associated with the web page may be extracted. In addition, the IP of the client, which is the subject of the access action (the country, the OS, and the mobile status may also be displayed together) and the time required for the access action may be calculated and displayed together. In particular, as described above, the time required may be expressed in a time bar form by dividing into cRTT, sRTT, request time, server response waiting time, and response data transmission time.

More specifically, you can display detailed information about a session or transaction (or connection) that occurred at a specific time for a particular web page. In this page, the client IP, page start time, page end time, OS, browser, mobile device presence information, carrier information, ISP information, and city information associated with the session (or transaction) are displayed.

In addition, the page load time information may be provided in the form of a time bar that divides cRTT, sRTT, request time, server response waiting time, and response data transmission time. Or it may be displayed in the form of a time bar divided into client time, network time, and server time. The client time, the network time, and the server time can be displayed respectively. Client time means time spent at the client end and includes page design time and the time spent on the client itself. The network time includes cRTT information, sRTT information, request time and download time. Server time includes response latency. At this time, the page design time represents the time required to play the data associated with the received web design in the client terminal, the client itself time is the client, such as the time to generate the request information associated with the web page, regardless of network conditions This may mean a time required for page loading internally in the device. This takes into account the time taken from the state of status code 5, which means that the session is established based on the transaction state code, from the performance related indicators generated by the packet mirroring device, to the state associated with the state code 6 in which the session request is performed. Can be calculated. Or it may be calculated based on the session result code.

In addition, in connection with the use of the web page, the usage component information, the amount of request packets, the amount of response data, user information, session information, response waiting session information, TPS information, and error related information are also displayed.

In addition, the details (analysis by component) are displayed by sorting in chronological order for a plurality of sessions included in the corresponding time, but in the form of a time bar that divides cRTT, sRTT, request time, server response waiting time and response data transmission time. URL information, used time information, response waiting time information, and the like may be expressed therein. Based on this, the delay component can be extracted.

FIG. 23 is a diagram illustrating a page of analyzing a user's haptic speed according to a response delay analysis screen for a specific website.

Referring to FIG. 23, the packet mirroring device generates and displays a response delay analysis screen for a web site. At this time, the packet mirroring apparatus generates an analysis page based on the extracted information by extracting information on generated packets and performance-related indicators generated from the packets in association with a specific web site at a specific time period.

The analysis page displays the set time information, and the page loading time information related to the response delay in the page is expressed in the form of a time bar that divides cRTT, sRTT, request time, server response waiting time and response data transmission time. do. As shown in the website analysis page at the bottom of FIG. 22, page loading time information, client time information, network time information, and server time information are displayed. In addition, usage information (including call count, request amount, response data amount information), current status information (including concurrent user information, concurrent session information, TPS information, and response waiting session information) and availability information (including error related information) Including information) can be organized and displayed. Here, the page loading time may be calculated based on the server response waiting time and / or the total use time. Alternatively, the time may be calculated by adding the use time to the client time. That is, it may be a time value measured from the time when the request is transmitted to the time when the entire data of the response data packet for the request-related packet is completed loading.

In addition, the response speed related information for each service (or component) associated with the web page is displayed in detail. According to the embodiment of Figure 23, the two service user haptic speed analysis is displayed. First, the page loading speed of the iinju-k service is slightly slower at 4.78 seconds, and the delayed page rate is 63.64%. The delay page may mean a page at which the page loading speed is higher than a specific speed, and the ratio may be calculated based on the number of delay pages compared to the number of calls from the user. Next, the page loading speed of the gne service is also slightly slower at 4.95 seconds.

Also, more specifically, the section in which the rate of delay is generated through analysis of the rate of delay delay may be identified as a client section (Page Design Time, Client Time).

FIG. 24 is a diagram illustrating a screen visualizing loading time of each web page and an analysis page of a trend and delay component of haptic velocity.

Referring to FIG. 24, the packet mirroring apparatus measures and shows a loading time for each web page in a web page analysis page. In this case, when the user requests a further trend analysis by clicking a trend icon, the packet mirroring apparatus provides a change over time of the haptic speed for the web page in the form of a graph. In the graph, the normal category is set based on the threshold for haptic velocity, so events in the normal category can be expressed in purple, and other events can be expressed in different colors. In addition, delays due to client time can be expressed in blue, delays due to network time, and delayed by server time in yellow, and delays due to multiple causes can be expressed in gray. Do. That is, the delay due to various causes can be expressed at a glance over time.

In addition, when an event representing a specific haptic velocity at a specific time is clicked in the graph, a delay component analysis page associated with the event is generated.

The analysis page shows a web page analysis screen of time and delay rate corresponding to the clicked event, and related URL access actions are provided in the form of a time bar.

25 is a diagram illustrating a page for diagnosing and analyzing details of a delayed web page.

Referring to FIG. 25, the packet mirroring apparatus may generate a detailed diagnostic analysis page for a slow web page having a tangible velocity of more than a specific value. One web page includes a plurality of components. At this time, if the delay web page shows a web page having a haptic speed equal to or greater than a specific value and displays client information, time information, and the like associated therewith, the time information indicates the total page loading time. The packet mirroring apparatus may extract the most significant delay cause based on the weight of client time, the weight of network time, and the weight of server time. This is visually represented by the time bar.

In this case, detailed analysis may be performed on a specific web page. In response to the detailed analysis request from the user, the packet mirroring apparatus performs component-specific analysis. That is, the URL information, time bar information, usage time, response waiting time, amount of data received, result code value, type, and status information are displayed for each component of the corresponding web page. In this case, the time bar information may be displayed by being divided into cRTT, sRTT, request time, server time, and response time.

FIG. 26 is a diagram illustrating a page for confirming a funnel using HTTP referrer information.

Referring to FIG. 26, the packet mirroring apparatus may generate an HTTP referrer information of packets of a specific time zone from the packets and arrange the same to generate a list. Referrers are the traces of each site visit via hyperlinks when surfing the World Wide Web (www) with a web browser. This allows you to see how the visitor to your website visited the site.

As shown in FIG. 26, the packet mirroring apparatus extracts and lists referrer information among packets and performance-related indicators of the time zone of the corresponding web site by returning it to the funnel confirmation request of the specific time zone for the specific web site. . Information about the number of transactions related to the referrer, information on the ratio of transactions related to the referrer among all transactions, error information, request data amount, response data amount, response waiting time and response waiting session information, and download time information are displayed together. Can be. In particular, with regard to transactions, you can sort in ascending or descending order.

In addition, referring to the graph at the bottom of FIG. 26, the packet mirroring apparatus may show each referrer in graph form according to a ratio associated with a transaction. As a result, it is possible to know at a glance which path the user connected to the web site.

27 is a diagram illustrating a page for comparing and analyzing server indicators and network indicators.

Referring to FIG. 27, the packet mirroring apparatus may generate a graph comparing a server index and a network related index. For example, a response latency value of a specific server and an RTT value associated with a network may be compared in a graph in chronological order. The packet mirroring device may compare other server related indicators and other network related indicators as well as response latency. For example, BPS, TPS, CPS, HPS, etc., but not RTT, can also be compared over time. In addition, the highest peak point among the server index and network-related index over a specific time period may be extracted to display a value of the corresponding portion.

28A is a flowchart illustrating a process of determining a service delay and a failure event alarm.

Referring to FIG. 28A, a packet mirroring apparatus has various rule sets related to a problem occurrence and a threshold for applying the rule set. To this end, threshold setting through a user interface may be required (S2810). In operation S2812, a configuration for interworking with a network service such as an email, an SMS text message, or an SNS is set. Then, the occurrence of the event is detected (S2814), and the preemptive response through the early warning can be performed (S2816).

According to an embodiment of the present invention, when an event occurs, not only visual measures but also audio measures may be accompanied. That is, it may be controlled to perform an operation such as ringing an alarm sound. In addition, when an event occurs, it can be automatically scrolled to the server associated with the event. For example, when a delay related problem associated with response latency occurs at the first server, the packet mirroring apparatus may identify the first server where the event occurs, and may include a flow map of the event occurrence time of the first server, a server status page, a session list, Automatically print user lists and / or related web site analysis pages.

28B is a diagram illustrating a threshold setting page.

Referring to FIG. 28B, the packet mirroring device generates a configuration window associated with an event occurrence and outputs it through a user interface. The user interface may receive user input and set an appropriate rule set and a threshold value associated with the rule set.

First, through the configuration window, the user can set the name of the alarm and enter the relevant server IP. Then, the duration threshold of the problem occurrence condition can be set, and the condition can also be selected to satisfy all of a plurality of conditions or a specific ratio.

You can also choose what form the server's state should be given when a particular event occurs. For example, you can choose whether to shut down the entire service or just the server. In addition, as described above with reference to FIG. 12, in relation to a problem occurrence, information related to the number of sessions, the number of response waiting sessions, response waiting time, CPS, TPS, BPS, and errors may be set. In addition to the performance-related metrics shown above, you can create events related to other metrics.

That is, the packet mirroring device can easily set the information related to the response speed, the number / rate of error of the application, the response waiting state of the server and the application, the network usage and / or the designated event notification by the receiver group through the configuration window. To help.

29A and 29B show pages associated with 40X error analysis.

Referring to FIG. 29A, in response to an error occurrence analysis request of a specific date, the packet mirroring apparatus may generate and display a graph of an hourly occurrence amount of a 40X error per day of a date associated with the request. In addition, by displaying the distribution of the user of the corresponding time, it is possible to visualize the occurrence of the 40X error according to the distribution of the user at a glance. It can be seen that a proportional relationship is established between the two.

Referring to FIG. 29B, the packet mirroring apparatus may collect 40X generation related information generated on a related date in response to an analysis request for a 40X generation application for a specific time zone, and display the collected contents in a table form. In this case, IP, URL, method, transaction information, error information, request and response data amount, response waiting session number and response waiting time information, and download time information of the related server may be displayed together. In the embodiment of Figure 29b, it can be seen that the application with the most 40X error is "www.gne.go.kr/main/photo_news.jsp". Not only the application but also a large number of applications can see the tendency associated with the same phenomenon, and the packet mirroring device can determine whether a link problem on a particular page exists based on the concentration of this phenomenon, You can control to periodically monitor the servers or clients associated with the.

The above error analysis is not necessarily performed only for a 40X error but may be performed for other errors such as a 50X error.

FIG. 30 illustrates a page visualizing service performance in a global map in association with geographical data.

Referring to FIG. 30, the packet mirroring apparatus may store geographical information. For example, it may store Geographic Information System (GIS) information. The GIS information may be linked with information (eg, country, city, etc.) associated with the location of the packet mirroring apparatus according to an embodiment of the present invention, and the GIS information and the packet information and / or performance related indicator information may be displayed in association. Can be.

According to the embodiment of FIG. 30, the packet mirroring apparatus visualizes the current state of a plurality of clients establishing a session with a server existing in Korea in consideration of the geographical location. That is, a visual representation corresponding to the number information of the corresponding client or the number of the clients may be implemented at the geographical location of the client on the world map based on the IP, country information, and city information of the client. The visual representation may be implemented as size or color information corresponding to the number of clients. Or it can be implemented by stating the number of clients actually in the area.

In addition, in response to a request for displaying information of all clients associated with the corresponding server, the packet mirroring apparatus may extract and display a user list including user information associated with the server. In this case, the line representing the connection between the client and the server may be expressed differently based on at least a portion (eg, RTT) of the network delay index. Differences in visual representation include varying colors, thicknesses, shapes, and the like.

According to another embodiment of the present invention, it is also possible to express the response based on the geographical information on the request for information to the user of the embodiment of FIG. 30 as information about the servers associated with the particular client and / or the servers selected by the operator. It is possible. In other words, the linkage with the geographical information is not limited to the user information, but is applicable to the server information, the session information, the URL information, and / or the website information.

FIG. 31 illustrates a page visualizing service performance in a local map in association with geographical data.

Referring to FIG. 31, when a specific country is clicked on a global map, information related to a local map of the clicked country may be displayed. That is, a global map, a country map (which may be called a local map), a city map at a lower level thereof, and the like are connected in a hierarchical relationship, and a user inputs a certain input (for example, click, zoom in, zoom out). Control inputs such as panning can be used to cross the geographical map of the upper and lower layers. The packet mirroring apparatus may display server information, user information, session information, URL information, and / or website information in association with geographical data on a local map.

That is, the packet mirroring apparatus acquires or pre-stores the client's ip, client port information, client's country information, organization information (org information), ISP information (isp_id), city information (city_id) and / or server ip. The data related to the geographic information may be mapped and represented on a real map such as a server port, a server country, a server city, and the like. At this time, it is possible to check at a glance the service speed in a specific region through the RTT or other delay-related indicators. For example, the packet mirroring apparatus compares an average value (or a maximum value and / or a minimum value) of RTT values of a client in a specific region with a predetermined threshold value (which may be a plurality), and then divides it into a specific interval, and then divides the divided interval. The area can be displayed in a visual representation corresponding to Alternatively, after mapping a location of a specific client of a corresponding region as a point, a visual expression corresponding to the divided section may be applied to the point. In this case, when an information request for a specific region or a corresponding point is input, the packet mirroring device may return session information, client information, server information, URL information, and / or web page information associated with the packet information.

32 is a diagram illustrating a page analyzed by monitoring performance of each server.

Referring to FIG. 32, the packet mirroring apparatus may display a server state based on servers associated with a specific service (eg, university authentication, course registration related service). In this regard, the packet mirroring device is a visual representation that indicates, in the session associated with a particular server, the percentage of currently available sessions that are connecting, and whether there is an error (a percentage of the filled portion in the empty box). And outputs it). In addition, the server status page may display a time bar displayed by dividing a client time, a network time, and a server time together, and speed-related indicators (BPS, TPS, etc.) from a current time point to a specific time zone in the past may also be displayed. Can be.

33 is a diagram illustrating a page showing a distribution of connections for each user's environment.

Referring to FIG. 33, the packet mirroring apparatus extracts information related to a user attribute from a mirrored packet and generates related information. Therefore, statistics can be generated for each environment of the user terminal associated with the current management target server, URL, and / or sessions at a specific time or in real time. At this time, org information, city_id information, isp_id information, os_id information, browser_id information, mobile_id information and / or telcom_id information may be utilized.

For example, the distribution of currently related users may be displayed in a graph based on the user ISP. Alternatively, the distribution of related users for each OS, for each web browser, for each device type, for each related communication company, and for each mobile device type may be displayed. In this case, when a specific distribution part in the graph (for example, chrome 39 in the web browser graph) is clicked, the user may be connected to display a list of users associated with the client using the specific distribution part. The connection between these analysis pages is stored through metadata and can be changed through user setting.

34A and 34B illustrate a page for registering a new device and a link.

Referring to FIG. 34A, in order to register a new device and a link in a packet mirroring apparatus, first, a user (or a network administrator / operator) may directly input server information. The server device input may require a server name, server IP, port, sort number, and the like.

In addition, when the device is registered, it is selected (source IP, destination IP) in the form of a link (source-destination) so that these links automatically configure the flow from the user to each step server by interconnection information. In other words, the final step-by-step flow map may be generated through the link configuration step after the input of the device information.

However, the packet mirroring apparatus according to an embodiment of the present invention monitors and diagnoses performance and security problems of the device by applying a packet mirroring technique to all IP-based devices connected to the network. At this time, it may be difficult to register hundreds or thousands of devices one by one, and when a new device is added, immediate registration processing may not be performed. Thus, with reference to Figures 35 to 39 will be described in detail a new object automatic registration method according to another embodiment of the present invention.

In this case, in relation to the automatic registration of the new object of the packet mirroring device, the packet mirroring device may be implemented as a new object auto registration device, and the device does not necessarily have to use the mirrored packet. Alternatively, after acquiring the information related to the packet, after acquiring information defining an address and a specific entity, such as a destination IP and a source IP, from among the obtained packet related information, the obtained information and the apparatus for automatically registering a new object are pre-configured. New objects can be registered in comparison with the network object information (including server list, etc.) held.

35 is a block diagram illustrating a configuration of an operation of automatically registering a new device in a packet mirroring device according to another embodiment of the present invention. As shown in FIG. 35, the packet mirroring apparatus 3500 according to another embodiment of the present invention may include a packet analysis module 3502 and a service module 3504. The packet mirroring apparatus 3500 may further include a database (not shown) that stores information related to a packet, and a database (not shown) that stores network entity information such as a server list.

Referring to FIG. 35, the packet analysis module 3502 may include packets between a service user and a web server 3510, packets between a web server 3510 and a WAS server 3520, and a WAS server 3520 and a DB server 3530. Collect the mirrored packets for the packets between and) and analyze the collected packets to generate about 120 performance indicators. Through this, real-time information for each section may be provided to the service module 3504. At this time, a list of servers not registered among the collected packets is also provided to the service module 3504. That is, by comparing the previously registered server list by the operator and the ip of the server described in the destination ip in the mirrored packet, the unregistered servers can be extracted and provided to the service module 3504.

As described above, the service module 3504 performs various statistical data, search, inquiry, and alarm functions based on the performance related indicators generated by the packet analysis module 3502. In addition, after performing automatic registration based on the unregistered server list received from the packet analysis module 3502, the monitoring server list is regenerated and provided to the packet analysis module 3502.

There may be two methods for registering a new device. There may be a method of automatically registering without a special input from an administrator and a new device to exist as a candidate, and a new device candidate to be a new device by the manager's decision. Through these methods, the new device may be automatically registered in the pre-stored server list and flow map, and the link may be automatically configured.

According to an embodiment of the present invention, not only the destination ip in the packet is used but also the source ip can be registered as a new device. In addition, registration with the client as well as the server side may be considered. At this time, a comparison with the user list may be required.

36A to 36C are flowcharts illustrating a procedure for registering a new device and a new link in a packet mirroring device according to another embodiment of the present invention.

Referring to FIG. 36A, in an overall process, the packet mirroring apparatus collects and analyzes mirrored packets (S3610). This can be done in the packet analysis module. In operation S3612, it is compared whether the destination in the packet is a new destination by comparing with the previously stored server list or server information. If it is a new destination, it is registered as a new device (S3614). In operation S3616, it is determined whether the source device associated with the registered new device is a new source. If it is a new source device, it registers as a new link (S3618). According to the embodiment of the present invention, even if the source device is not new, the link between the existing client and the new server device can also be registered as the new link. For example, a link between a source device existing in a pre-stored user list and a newly registered server device may also be considered as a new link.

Referring to FIG. 36B, in a process associated with registration of a new device, the packet mirroring device determines whether the device belongs to a registration category based on the information (eg, IP information) of the new device (S3630). Here, the registration category indicates the target device IP area to be processed by the packet mirroring device. This may be preset. For example, when 192.47.33.12 to 192.49.33.44 are registered categories, the IP of the new device is determined by comparing with the registered category IP range. As a result of the determination, if belonging to the registration category, the device is registered in the destination IP form (S3632).

Referring to FIG. 36C, in a process associated with registration of a new link, the packet mirroring device determines whether the device belongs to a registration category based on link information with a source device associated with the new device (S3640). As described above, the registration category may indicate an IP area of the target device. If it is determined that the link with the source device also belongs to the registration category, the new device and the source device are registered in the form of source IP and destination IP in the link list (S3642). At this time, the link is registered in association with links of an existing flow map. That is, the new device may display the connection with the existing or new source while being added as a new server to the existing flow map through the link related information (source IP-destination IP). According to another embodiment, it may be added as a client device to an existing flow map.

37A to 37C are flowcharts illustrating a process for selectively registering a new device and a new link in a packet mirroring device according to another embodiment of the present invention.

Referring to FIG. 37A, in an overall process, the packet mirroring apparatus collects and analyzes mirrored packets (S3710). In operation S3712, it is compared whether the destination in the packet is a new destination by comparing with the previously stored server list or server information. If it is a new destination, it is registered as a new device candidate (S3714). In operation S3716, it is determined whether the source device associated with the registered new device candidate is a new source. If it is a new source device, it registers as a new link candidate (S3718).

Referring to FIG. 37B, in a process associated with registering a new device candidate, the packet mirroring device determines whether the corresponding candidate belongs to the registration category based on the information (eg, IP information) of the new device candidate (S3730). As described above, the registration category may indicate a target device IP region to be processed by the packet mirroring apparatus. As a result of the determination, if belonging to the registration category, the candidate is registered in the device candidate list in the form of the destination IP (S3732). Then, the process proceeds to the optional device automatic registration process and automatically registers the device (S3734). The optional device automatic registration process is described below with reference to FIG. 38.

Referring to FIG. 37C, in a process associated with registration of a new link candidate, the packet mirroring device determines whether the candidate and the source device fall within the registration category based on link information with the source device associated with the new device candidate (S3740). . If it is determined that the link with the source device also belongs to the registration category, the new device candidate and the source device are registered in the form of source IP and destination IP in the link candidate list (S3742). Then, the process proceeds to the optional device automatic registration process and automatically registers the device (S3734).

38 is a diagram illustrating an optional device automatic registration page.

Referring to FIG. 38, the packet mirroring apparatus displays a monitoring server registration screen for a candidate device that is considered to be a new device candidate as a result of comparison with a pre-registered server list and determination of whether the packet mirroring device falls within a registration category. The administrator may confirm that a new device exists and determine whether to register the device through the screen. The monitoring server registration screen may include information input fields such as a server name, a server IP, a sort number, a dashboard view (which indicates whether a flow map is shown), a health check, and the like. The new server name defaults to the server IP and can be changed by user input. When a user registers the device, a link may be automatically configured using relationship information with an existing source.

FIG. 39 is a view illustrating a flow map visualizing links and devices newly generated by automatic device registration. FIG.

Referring to FIG. 39, when the packet mirroring device automatically registers a new device in the above-described manner, it can be confirmed that one link is added to existing links. At this time, a server-server link may be created by identifying a relationship with another server besides a client based on packets exchanged with other servers.

According to another embodiment of the present invention, the new device may include a device related to the Internet of Things (IoT). For example, the sensor may include various sensors such as a temperature sensor, an illuminance sensor, and an acceleration sensor, and may include an image processing device such as a CCTV or an IP camera. Through this, after registering the various devices in the packet mirroring device for network management according to an embodiment of the present invention, it can be used for alerting according to security, intrusion prevention and abnormal symptoms determination.

40 is a diagram illustrating a system connection relationship of a plurality of packet mirroring devices according to another embodiment of the present invention.

Referring to FIG. 40, the packet mirroring apparatus may be connected to an L2 / L3 switching and an L4 switch. The entire network system including a packet mirroring device includes a backborn switch connected to the Internet network, an L4 switch connected to the backbone switch, a firewall system (intrusion prevention system) and an intrusion prevention system connected to the L4 switch, and an intrusion prevention system. An L4 switch, and an L2 / L3 switch connected with the L4 switch. Here, two other L4 switches may be connected to the branch in the intrusion blocking system, and the two L4 switches may be connected to the L3 system. The packet mirroring apparatus 1 collects packets from the L2 / L3 switch and the L4 switch. At this time, the L2 / 3 switch receives the mirrored packet by performing packet mirroring according to the 1000base-T standard. From the L4 switch, the mirrored packet can be received by performing packet mirroring using the 10G Fiber NIC. In this case, a management interface of 1000Base-T may be connected to one of the two L4 switches to transmit and receive signals related to management of the switching operation and management of the packet mirroring operation.

According to the above embodiment of the present invention, the switches connected to the packet mirroring apparatus 1 may communicate with each other in different standards, and in particular, the connection media may include copper and fiber, and various types of media may have communication characteristics. Can be used to suit.

The packet mirroring device 1 may be configured to interwork with the packet mirroring device 2, and the packet mirroring device 1 may be configured to divide the operation to perform packet collection and analysis, and the packet mirroring device 2 to perform performance statistics and search operations. Can be. In this case, since the L2 / 3 switch is complexly connected with the web server, the WAS server, and the DB server, the network service performance index for each section may be calculated for the web server-WAS server section and the WAS server-DB server section.

FIG. 41 is a diagram illustrating a configuration of performing different functions according to a connection relationship of a plurality of packet mirroring devices according to another embodiment of the present invention. FIG.

Referring to FIG. 41, the packet mirroring apparatus 1 is connected to a switch to collect mirrored packets. The packet mirroring apparatus 1 collects packet information for each section such as a client-web server, web-WAS, and WAS-DB to analyze and monitor performance of the network service for each section in real time. It can work with packet mirroring device 2, which performs statistics and performs analysis related performance.

The packet mirroring device 2 communicates with the packet mirroring device 1 through short-range wireless or wired communication such as near field communication (NFC), packet-related raw data transmitted from the packet mirroring device 1, and analyzed performance-related indicators. Statistical data is generated periodically using the associated data. Certain statistics may be generated every hour. Then, a function of querying, searching, and storing the statistical data can be performed.

Although the drawing discloses that only the packet mirroring apparatus 1 is connected, the packet mirroring apparatus 1 and / or the packet mirroring apparatus 2 may be connected to the display means to display related data for the user to view.

42 is a block diagram specifically illustrating a packet mirroring apparatus or a service module of FIG. 5 according to an embodiment of the present invention. As illustrated in FIG. 42, a packet mirroring apparatus or a service module according to an embodiment of the present invention may include a receiver 4210 and a map / page generator 4220.

Referring to FIG. 42, the receiver 4210 may receive data associated with raw data information and performance related indicators of a mirrored packet from a packet mirroring device (not shown) or an analysis database (see 522 of FIG. 5). Then, the data received by the map / page generator 4220 is provided.

The map / page generator 4220 may receive packet data and / or performance based on the location template 4230, the tile information 4232, the project setting 4234, the rule script 4236, and the execution scheduler 4238 information. You can integrate relevant indicators to generate flow map or analysis page data.

The location template information 4230 may include layout information of various types of pages. For example, it may contain various types of information of the arrangement of a plurality of analysis pages (eg, server list, session list, user list, URL list, web page analysis page, etc.) in one entire display canvas. In addition, the template information may include connection relationship information between maps / pages. In conjunction with drill-down-based hierarchical page organization, you determine which analysis pages are placed in which hierarchy (the default type can be set and multiple types can be set), and the determined type of map / page layout and map / page A template having a linkage relationship therebetween can be defined. According to another embodiment of the present invention, if a specific type of template desired by the administrator is created, the same template / retrieval can be easily rearranged later by loading the same template.

The tile information 4232 stores background information of the user interface. For example, the background information used as the background of the flow map is stored so that when the map / page generator 4220 generates map / page data, the stored background information is visualized with the stored background.

The project setting 4234 information includes various setting information of a project for generating dynamic content in the map generator 4220.

The rule script 4236 may include basic layout information of various objects (eg, device objects, server objects, and / or link objects, etc.) displayed on the map / page, colors, fonts, etc. of visual representations to be displayed on the map / page. Is defined. The configuration information of the rule script 4236 may be managed by the rule system such as creation, storage, and deletion of an existing configuration.

In addition, since the period of the received data may be variable, the map / page generator 4230 has an execution scheduler 4238 and changes the data reception cycle and / or page generation cycle automatically or manually according to a defined schedule. Map / page creation. The execution scheduler 4238 may include time series work order information from extracting data required for analysis from the received data to generating a map and / or an analysis page.

The map and / or page data generated through the map / page generator 4230 may be output through a display means 4240 such as a monitor. Alternatively, the map and / or page data provided by another packet mirroring apparatus provided with the packet mirroring apparatus to cooperate with each other may be processed to generate other types of data. The display means 4240 may be included in the packet mirroring apparatus, or may exist separately, such as an external monitor.

The system or apparatus described above may be implemented with hardware components, software components, and / or combinations of hardware components and software components. For example, the systems, devices, and components described in the embodiments may include, for example, processors, controllers, arithmetic logic units (ALUs), digital signal processors, microcomputers, field programmable arrays (FPAs). ), A programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions, may be implemented using one or more general purpose or special purpose computers. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to the execution of the software. For the convenience of understanding, the processing apparatus may be described as one being used, but a person skilled in the art may recognize that the processing apparatus includes a plurality of processing elements and / or a plurality of types of processing elements. It can be seen that it may include. For example, the processing device may include a plurality of processors or one processor and one controller. In addition, other processing configurations are possible, such as parallel processors.

The software may include a computer program, code, instructions, or a combination of one or more of the above, and configure the processing device to operate as desired, or process it independently or collectively. You can command the device. Software and / or data may be any type of machine, component, physical device, virtual equipment, computer storage medium or device in order to be interpreted by or to provide instructions or data to the processing device. Or may be permanently or temporarily embodied in a signal wave to be transmitted. The software may be distributed over networked computer systems so that they may be stored or executed in a distributed manner. Software and data may be stored on one or more computer readable recording media.

The method according to the embodiments may be embodied in the form of program instructions that may be executed by various computer means and recorded on a computer readable medium. The computer readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the media may be those specially designed and constructed for the purposes of the embodiments, or they may be of the kind well-known and available to those having skill in the computer software arts. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tape, optical media such as CD-ROMs, DVDs, and magnetic disks such as floppy disks. Magneto-optical media, and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like. The hardware device described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

Although the embodiments have been described by the limited embodiments and the drawings as described above, various modifications and variations are possible to those skilled in the art from the above description. For example, the described techniques may be performed in a different order than the described method, and / or components of the described systems, structures, devices, circuits, etc. may be combined or combined in a different form than the described method, or other components. Or even if replaced or substituted by equivalents, an appropriate result can be achieved.

Therefore, other implementations, other embodiments, and equivalents to the claims are within the scope of the claims that follow.

Claims (17)

A method for registering a new device associated with a network in a network new object registering device,
Retaining network entity information including Internet Protocol (IP) information for at least one entity associated with the network, the network associated with a first entity and a second entity;
Obtaining information about at least one packet transmitted or received between the first entity and the second entity;
Comparing the information on the obtained at least one packets with IP information in the retained network entity information; And
Registering a new device with the network entity information based on the comparison result;
A plurality of objects included in the network object information, links between the plurality of objects, and performance-related indicators for the plurality of objects and the links are generated as objects, and the generated objects are implemented in a visualization space. Register the new device with a generated flow map, the flow map representing traffic flow of the network,
Extracts at least one of a destination IP and a source IP of a first packet of a device associated with first IP information not included in the retained network entity information, and the extracted IP is not present in the network entity information. And determining a link associated with the device associated with the first IP information as a new link based on at least one of a destination IP and a source IP of the first packet, and registering the link with the network. The method of claim 1, wherein registering the new device with the network entity information based on the comparison result comprises:
As a result of the comparison, when the first IP information exists, registering the device associated with the first IP information as the new device in the network entity information based on the first IP information. How to register. The method of claim 2, wherein registering the device associated with the first IP information as the new device to the network entity information based on the first IP information comprises:
Comparing whether the IP associated with the first IP information is within a processable IP region in association with the network;
And registering the device associated with the first IP information in the network entity information as a new device when there is an IP associated with the first IP information in the processable IP area. The method of claim 2,
Comparing the information on the obtained at least one packet with the IP information in the retained network entity information, the destination IP information included in the information on the obtained at least one packet is compared to the retained network entity. And comparing the IP information in the information to a device associated with the network. The method of claim 4, wherein
The network entity information includes information associated with a link between a plurality of entities,
Extracting a source IP of a packet having a device associated with the first IP information as a destination IP;
Comparing the extracted source IP with IP information present in the network entity information; And
If the extracted source IP is not present in the network entity information, further comprising registering a link between the device associated with the first IP information and the device associated with the extracted source IP as a new link in the network entity information. Device registration method associated with the network. 6. The method of claim 5, wherein registering a link between the device associated with the first IP information and the device associated with the extracted source IP as a new link to the network entity information:
Comparing whether both the IP associated with the first IP information and the extracted source IP exist within a processable IP region in association with the network; And
If there is an IP associated with the first IP information and the extracted source IP in the processable IP region, a link between the device associated with the first IP information and the device associated with the extracted source IP is included in the network entity information. Registering with the network entity information as a new link. delete The method of claim 1, wherein registering the new device with the network entity information based on the comparison result comprises:
As a result of the comparison, if the first IP information exists, registering a device associated with the first IP information as a new device candidate based on the first IP information; And
And determining whether to register a device associated with the first IP information registered as the new device candidate as the new device in the network entity information. 9. The method of claim 8, wherein determining whether to register the device associated with the first IP information registered as the new device candidate as the new device in the network entity information:
Marking a device associated with the first IP information as the new device candidate;
Receiving a user input for the displayed new device candidate;
Determining whether to register a new device based on the user input; And
If determined to register as a new device, registering the device associated with the first IP to the network entity information as a new device. 10. The method of claim 9, wherein registering the device associated with the first IP information as the new device candidate on the network entity information based on the first IP information comprises:
Comparing whether the IP associated with the first IP information is within a processable IP region in association with the network; And
Registering a device associated with the first IP information as a new device candidate when an IP associated with the first IP information exists in the processable IP region. The method of claim 9,
Comparing the information on the obtained at least one packet with the IP information in the retained network entity information, the destination IP information included in the information on the obtained at least one packet is compared to the retained network entity. And comparing the IP information in the information to a device associated with the network. The method of claim 9,
The network entity information includes information associated with a link between a plurality of entities,
Extracting a source IP of a packet having a device associated with the first IP information as a destination IP;
Comparing the extracted source IP with IP information present in the network entity information; And
If the extracted source IP does not exist in the network entity information, registering a link between a device associated with the first IP information and a device associated with the extracted source IP as a new link candidate; And
And determining whether to register a link of the device associated with the first IP information registered as the new link candidate and the device associated with the extracted source IP to the network entity information as a new link. . The method of claim 12, wherein if the extracted source IP does not exist in the network entity information, registering a link between the device associated with the first IP information and the device associated with the extracted source IP as a new link candidate. :
Comparing whether both the IP associated with the first IP information and the extracted source IP exist within a processable IP region in association with the network; And
If there is an IP associated with the first IP information and the extracted source IP in the processable IP region, a link between the device associated with the first IP information and the device associated with the extracted source IP is included in the network entity information. Registering as a new link candidate. 13. The method of claim 12, wherein determining whether to register a link of a device associated with the first IP information registered as the new link candidate and a device associated with the extracted source IP to the network entity information as a new link:
Marking a link with a device associated with the first IP information and a device associated with the extracted source IP as the new link candidate;
Receiving a user input for the displayed new link candidate;
Determining whether to register a new link based on the user input; And
If determined to register with a new link, registering a link with the device associated with the first IP information and the device associated with the extracted source IP to the network entity information with the new link. Way. delete The method of claim 1,
The information on at least one packet transmitted and received between the first entity and the second entity is information obtained by performing mirroring from a switching device provided between the first entity and the second entity. In the new object registration device associated with the network,
A database holding network entity information including Internet Protocol (IP) information for at least one entity associated with the network, the network associated with a first entity and a second entity;
A port for obtaining information on at least one packet transmitted or received between the first entity and the second entity;
A packet analysis module for comparing information on the obtained at least one packet with IP information in the retained network entity information; And
And a service module for registering a new device in the network entity information based on the comparison result.
The service module generates a plurality of entities included in the network entity information, links between the plurality of entities, and performance related indicators of the plurality of entities and the links as objects, and visualizes the generated objects. Register the new device with a flow map created by implementing in space, the flow map representing traffic flow of the network,
Extracting at least one of a destination IP and a source IP of a first packet associated with a device associated with first IP information not included in the retained network entity information, such that the extracted IP is not present in the network entity information; And registering the link associated with the device associated with the first IP information as a new link based on at least one of a destination IP and a source IP of the first packet.

Images