TW201206120A - Method for tracing processing procedure of network packet - Google Patents


Publication number: TW201206120A
Authority: TW (Taiwan)
Prior art keywords: function, network, packet, network packet, name
Application number: TW99125188A
Other languages: Chinese (zh)
Other versions: TWI425795B (en)
Inventors: Chien-Chao Tseng, Tsung-Hung Li, Hung-Hsin Chang
Original Assignee: Univ Nat Chiao Tung
Application filed by Univ Nat Chiao Tung
Priority to TW99125188A
Publication of TW201206120A
Application granted
Publication of TWI425795B


Abstract

This invention presents a new mechanism that traces the execution sequence of the kernel functions that process a network packet and records information of concern. With such a trace, one can analyze networking behavior, debug software and optimize the performance of networking devices. The underlying idea is that the execution sequence of the functions that process a network packet can be derived from the sequence in which those functions access the data structure of the packet. The proposed mechanism first uses a function analyzer to identify all functions that refer to or handle the data structure of network packets, and then patches instructions into each identified function. At run time, executing a patched function automatically triggers the patched instructions, which record the function's identity and other information of concern. Because the patched instructions execute in exactly the same sequence as the patched functions, they record the execution sequence of those functions.

Description

VI. Description of the Invention:

[Technical Field of the Invention]

The present invention is a method for tracing the processing procedure of a network packet, and in particular a method for tracing the processing procedure of network packets that relates to network communication devices and cloud computing.

[Prior Art]

For a network communication device, it is necessary to identify the causes of abnormal network behavior (for example, problems such as transmission delay, response time and packet loss), and this is very important for the development of increasingly widespread networked devices. Network packets are normally processed by the system kernel, and kernel analysis tools (Linux Kernel Profilers) help developers analyze the kernel's internal behavior. Existing tools fall roughly into three classes: Source Instrumentation, Binary Instrumentation and Statistical Sampling. The analysis tools in each class are shown in Table 1.

Table 1. Classification of existing kernel analysis tools

Source Instrumentation: LTTng, KTAU, LKST, KFT, Ftrace, Kernprof
Binary Instrumentation: Kprobe, Systemtap, KernInst, KLASY, Dtrace
Statistical Sampling: Oprofile

Source Instrumentation mainly modifies the system source code, inserting instructions that record the system's internal information in order to analyze the kernel's internal behavior. For example, Linux Trace Toolkit Next Generation (LTTng), Kernel Tuning and Analysis Utilities (KTAU) and Linux Kernel State Tracer (LKST) modify important kernel functions in the system. These three techniques insert code into the important kernel functions and record the times at which kernel events are triggered, in order to analyze how the kernel operates; the records usually include context switches, timer expirations, system calls and so on.

However, they still cannot trace in detail how a network packet is processed inside the kernel, and they cannot automatically find the kernel function sequence and embed trace instructions in it; that is, these records cannot help a developer trace how a network packet is processed through the kernel's network protocols. Kernel Function Trace (KFT), FTrace and Kernprof go further and modify all kernel functions, recording information such as the execution order and execution time of kernel functions. These three techniques insert code into every kernel function and capture the kernel's operation completely; the result is as shown in Fig. 1.

In Fig. 1, index is the number of the primary function, %time is the proportion of time used by the primary function, self is the running time of the primary function, children is the running time of the children called by the primary function, called is the total number of times it was called, and name is the name of the primary function. The primary functions inside the solid frames have index [20] and [21], and above and below each primary function are its parent and child routines (as indicated by the dashed arrows). However, developers still cannot use this information to correctly trace the order in which the kernel executes the functions that process a packet; that is, users still cannot use the analysis results to trace the packet-oriented kernel function sequence efficiently and correctly.

Binary Instrumentation mainly modifies the system's machine code (object code) directly, temporarily diverting the execution flow to a function that records the system's internal information, in order to analyze the system's internal behavior dynamically. Taking Kprobe as an example, the developer must first obtain the entry and exit addresses of the target kernel function with the help of a compiler or disassembler, and then use such a tool to help modify the system's machine code and obtain the required information.

Kprobe, KernInst and DTrace mainly modify the kernel's machine code (object code) to analyze the system's internal behavior dynamically. The user modifies the machine code with the help of a compiler or disassembler, but needs knowledge of how the kernel processes network packets; otherwise the packet-oriented kernel function sequence cannot be traced correctly. These techniques therefore still cannot automatically find the kernel function sequence and embed trace instructions in it, and they all share the shortcoming of having to run on a specific device and kernel version. Systemtap, also a binary instrumentation tool, mainly provides an interface that makes Kprobe easier to use: the user only supplies the name of the target kernel function, and Systemtap finds its entry address and sets up Kprobe. The user still needs knowledge of how the kernel processes network packets, otherwise the packet-oriented kernel function sequence cannot be traced correctly, so this tool still cannot automatically find the kernel function sequence and embed trace instructions in it.

Other tools, such as the Kernel Level Aspect-oriented System (KLASY), likewise provide an interface that makes KernInst easier to use. KLASY first processes the kernel program with a modified compiler (gcc), and the developer then traces and records particular functions. The user can supply the name of the target data structure; KLASY finds the addresses of the instructions that handle that data structure and sets up KernInst. However, the analysis data this technique produces is too large for the user to trace the packet-oriented kernel function sequence efficiently, and the technique needs a specific compiler, which is quite inconvenient for developers of embedded devices.

In other words, the developer must have knowledge of how the kernel processes network packets before the packet processing procedure can be traced by manual inspection. Manual inspection is not only time-consuming but also prone to omissions and mistakes, so it is hard to trace the order in which kernel functions handle a packet correctly and effectively, and the applicability of the Binary Instrumentation approach is poor.

Statistical Sampling mainly checks periodically which instruction the CPU is executing and presents the recorded results to the user statistically. Oprofile, for example, analyzes the kernel's behavior statistically: it checks instructions periodically and presents the recorded results as statistics. The packet-oriented function sequence therefore cannot be traced efficiently and correctly, and the functions that process network packets are not completely recorded, which does not help in analyzing and tracing the causes of problems such as response time and packet loss in network communication devices.

The drawbacks of applying these kernel analysis tools (Linux Kernel Profilers) to tracing the order in which a network communication device executes the functions that process a packet are as follows:

1. They cannot provide a trace record of the packet-oriented function sequence, which is quite inconvenient for users who want to analyze the execution order of the functions that process a packet;
2. They must run on a particular device or system version, which is quite inconvenient for the development of embedded devices; and
3. The user must already have knowledge of packet processing and of the system's implementation, and must plant the trace instructions by manual inspection, a process that is tedious and error-prone.

Therefore, with regard to remedying the shortcomings of being unable to provide a packet-oriented trace record of the function sequence, having to run on a particular device, and requiring manual inspection based on prior knowledge of packet processing and system implementation, a method for tracing the processing procedure of a network packet was finally obtained after testing and research. Besides effectively resolving the drawbacks of being unable to provide such a record, running only on a specific device and requiring prior implementation knowledge, it also benefits the development schedule and execution performance of network communication software. That is, the problems the present invention addresses are: how to deal with the functions that access a network packet so that the kernel's processing procedure can be followed; how to avoid relying only on the original type name of the specific data type sk_buff as the search reference; and how to record the executed functions and the packet content inside the kernel.

[Summary of the Invention]

A method for tracing a processing procedure of a network packet, wherein the network packet is stored in a data structure and undergoes the processing procedure inside a system kernel, the method comprising the following step: calling a function to pass the data structure, and tracing the processing procedure accordingly.

Preferably, the system of the method is Linux and the data structure is sk_buff; the method uses the system kernel to access the network packet, the method further includes using a specific function to access the network packet, and the processing procedure is an execution order of the data structure.

From the viewpoint of a main technique, the present invention also covers a method for tracing a processing procedure of a network packet, wherein the network packet undergoes the processing procedure inside a system kernel, the method comprising the following steps: providing a function to process the network packet, the function having a parameter; defining a data type name of the parameter; and tracing the processing procedure by searching for the data type name.

Preferably, the data type name of the method serves as a reference point for the search, and the data type name is the original type name sk_buff or a variant type name.

Of course, the variant type name may be an alias, a customized data type name or a nested data structure, and the variant type name is associated with a data type of the network packet.

The method may further include finding, in the source code of the system kernel, a function that accesses the network packet, where that function is either a function that accesses the network packet directly or a function that accesses it indirectly.

The function that accesses the network packet directly uses a global variable, a parameter type name, a return type name or a local definition to access the network packet directly.

The function that accesses the network packet indirectly is a function that calls a function accessing the network packet (indirect caller) or a function called by a function accessing the network packet (indirect callee), and it accesses the network packet through a pointer that indirectly points to the packet.

From another feasible angle, the present invention is a method for tracing a processing procedure of a network packet, wherein the network packet undergoes the processing procedure inside a system kernel, the method comprising the following steps: providing a function that accesses the network packet; embedding a trace instruction in the function; executing the function, which in turn triggers the trace instruction; and recording an identifier of the function so that the processing procedure can be traced.

Of course, the trace instruction may be instrument source code, and the identifier is a name or a code.

From the above explanation it can be seen that the method of the present invention for tracing the processing procedure of a network packet can call a function to pass the data structure and trace the processing procedure accordingly, and has the feature of defining the data type name of the parameter and then tracing the processing procedure by searching for that data type name. For ease of explanation, the invention will become clearer from the following preferred embodiments and drawings.

[Embodiments]

The present invention proposes a new mechanism, applied to network communication devices, for tracing the packet processing procedure: the kernel's processing procedure for a network packet is traced through the order in which kernel functions access the network packet data. The invention uses the data structure that holds network packets in a network communication device, together with a function analysis method, to find the functions that access network packet data, and embeds instructions in those functions. Following the order in which the program itself executes the functions, the embedded instructions record, in sequence, the names or codes of the executed functions and the packet content. The invention can use the data structure that the Linux kernel uses internally to manage and store network packets (sk_buff) to trace the behavior and timing of the kernel's internal processing of network packets, and these records assist in analyzing network communication (between network applications and kernel protocols or entities). That is, the invention can trace the execution of the functions that access network packets, and with it the behavior and timing of the system's internal processing of network packets. The industries to which this case can be applied include the communication industry, and the products to which it may be applied include wired and wireless network equipment, notebook computers, handsets, network access gateways, networked home appliances and any networked device.

Here we take the Linux kernel as an example. For the process by which a network packet is handled inside the Linux kernel, measurement data are recorded, such as the content changes made by each function or the starting time of each function, to illustrate a preferred embodiment of the proposed mechanism for tracing the network packet processing procedure; recorded information of this kind is of great value in developing network devices. The application of the invention is not limited to this environment, however: as long as the data type name of the network packet is known, the invention can be applied to trace how that system processes the network packet. Applied to the Linux kernel, the invention uses the data structure with which the Linux kernel manages network packets to trace the behavior and timing of the kernel's internal processing of network packets, helping developers analyze the network behavior inside the Linux kernel.

The embodiment of the invention on the Linux kernel comprises A. function analysis and B. embedding instructions. Taking part A first, the drawings show the data structure of a network packet, sk_buff, which comprises management data and packet data storage. The invention uses the data structure with which the Linux kernel manages and stores network packets as the reference point for finding the functions that access network packets; inside the Linux kernel, the data structure used to manage and store network packets is sk_buff. The drawings also show a method for tracing a processing procedure of a network packet, wherein the network packet is stored in the data structure and undergoes the processing procedure inside a system kernel, the method comprising the following step: calling a function to pass the data structure, and tracing the processing procedure accordingly. Functions that access the network packet pass sk_buff by function call (as shown inside the dashed frame in the figure), which lets the other functions access the network packet, so the invention can easily be implemented for network packets in the Linux kernel. The operating system of the method is Linux and the data structure is sk_buff; the method uses the system kernel to access the network packet, the method further includes using a specific function to access the network packet, and the processing procedure is an execution order of the data structure.

From the viewpoint of a main technique, and referring to the drawings, the invention covers a method for tracing the processing procedure of a network packet, wherein the network packet undergoes the processing procedure inside a system kernel, the method comprising the following steps: providing a function to process the network packet, the function having a parameter; defining a data type name of the parameter; and tracing the processing procedure by searching for the data type name. Here the data type name of the method serves as a reference point for the search, and the function analysis method of the invention includes a method of finding the type names of the specific data, which comprise the original type name and the various variant type names.

That is, when looking through the source code of the Linux kernel for functions that access network packets, one can use not only sk_buff, the original type name of this specific data, but also a variant type name. Referring to Fig. 4A, because the C language has rules such as aliases, customized data types and nested structures, the variant type name of the method may be an alias, a customized data type name or a nested data structure, and the variant type name is associated with a data type of the network packet.

A C function can access specific data in many ways, so the function analysis method of the invention includes a method of finding the functions that access network packets. This method includes finding, in the source code of the system kernel, a function that accesses the network packet, where that function is either a function that accesses the network packet directly or a function that accesses it indirectly. Referring to Fig. 4B, a function that accesses the network packet directly does so through a global variable 44, a parameter type name 45 of the function, a return type name 46 or a local definition 47.

A function that accesses the specific data without using any of these four ways is a function that accesses the network packet indirectly. It may be a function that calls a function accessing the network packet (indirect caller): taking function E as an example, E calls a function that accesses the network packet directly and thereby obtains a pointer to the network packet, so that it can access the packet. Or, as shown in Fig. 6, it may be a function called by a function accessing the network packet (indirect callee): taking function H as an example, H is called by a function that accesses the network packet directly and, through call by reference, indirectly obtains a pointer to the network packet, so that it can access the packet.
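As an added illustration (not code from the patent), the following example applies the function analysis described above, together with the embedding step from the summary, to a constructed toy C file: it resolves the variant type names of sk_buff, classifies direct and indirect accessors, and inserts a trace call at each selected function entry. The regex-based parsing, the sample source and the `trace_record()` hook are assumptions made for the example.

```python
import re

# Constructed sample input: a toy C file in the style of kernel networking code.
SAMPLE_C = r'''
typedef struct sk_buff pkt_t;              /* alias */
struct rx_ctx { int cpu; pkt_t *cur; };    /* nested data structure */
static struct sk_buff *pending;            /* global variable */

void log_len(unsigned int *len) { }
int ip_rcv(pkt_t *p) { log_len(&p->len); return 0; }
int eth_rx(struct sk_buff *skb) { return ip_rcv(skb); }
pkt_t *alloc_pkt(int n) { return 0; }
void flush(void) { if (pending) pending = 0; }
void poll(void) { struct rx_ctx c; c.cpu = 0; }
void irq(void) { eth_rx(0); }
int checksum(int a, int b) { return a + b; }
'''

C_KEYWORDS = {"if", "for", "while", "switch", "return", "sizeof"}
# Function definition starting at the beginning of a line: return type, name, params, "{".
FUNC_RE = re.compile(r"^([\w \t*]+?)\b(\w+)\s*\(([^()]*)\)\s*\{", re.M)

def _alt(names):
    return "|".join(map(re.escape, sorted(names)))

def packet_types(src, root="sk_buff"):
    """Root type name plus its variants: typedef aliases and structs that nest it."""
    names = {root}
    while True:  # iterate to a fixpoint so aliases of aliases are found too
        alt = _alt(names)
        found = set(re.findall(
            rf"typedef\s+(?:struct\s+)?(?:{alt})\b[\s*]*(\w+)\s*;", src))
        for m in re.finditer(r"struct\s+(\w+)\s*\{([^{}]*)\}", src):
            if re.search(rf"\b(?:{alt})\b", m.group(2)):
                found.add(m.group(1))
        if found <= names:
            return names
        names |= found

def packet_globals(src, types):
    """Names of file-scope variables declared with a packet type."""
    pat = (rf"^(?:static\s+|extern\s+)*(?:struct\s+)?(?:{_alt(types)})\b"
           r"[\s*]+(\w+)\s*(?:=[^;]*)?;")
    return set(re.findall(pat, src, re.M))

def functions(src):
    """Map function name -> return type, parameter list, body and body offset."""
    out = {}
    for m in FUNC_RE.finditer(src):
        if m.group(2) in C_KEYWORDS:
            continue
        depth, i = 1, m.end()
        while depth and i < len(src):  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        out[m.group(2)] = {"ret": m.group(1), "params": m.group(3),
                           "body": src[m.end():i - 1], "open": m.end()}
    return out

def analyze(src, root="sk_buff"):
    """Classify every function that reaches the packet, directly or indirectly."""
    types = packet_types(src, root)
    ty = re.compile(rf"\b(?:{_alt(types)})\b")
    globs = packet_globals(src, types)
    funcs = functions(src)
    report = {}
    for name, f in funcs.items():  # the four direct forms
        how = []
        if ty.search(f["params"]):
            how.append("parameter type")
        if ty.search(f["ret"]):
            how.append("return type")
        if ty.search(f["body"]):
            how.append("local definition")
        if any(re.search(rf"\b{re.escape(g)}\b", f["body"]) for g in globs):
            how.append("global variable")
        if how:
            report[name] = how
    direct = set(report)
    calls = {n: {c for c in re.findall(r"\b(\w+)\s*\(", f["body"]) if c in funcs}
             for n, f in funcs.items()}
    for name in funcs:  # indirect forms; callee detection is an over-approximation
        if name in direct:
            continue
        if calls[name] & direct:
            report[name] = ["indirect caller"]
        elif any(name in calls[d] for d in direct):
            report[name] = ["indirect callee"]
    return report

def instrument(src, names, stmt="trace_record(__func__);"):
    """Embed a trace statement at the entry of each named function.
    trace_record() is a hypothetical hook that logs the function identifier."""
    funcs = functions(src)
    for pos in sorted((funcs[n]["open"] for n in names), reverse=True):
        src = src[:pos] + " " + stmt + src[pos:]
    return src

if __name__ == "__main__":
    result = analyze(SAMPLE_C)
    for fn, how in result.items():
        print(f"{fn}: {', '.join(how)}")
    print(instrument(SAMPLE_C, result))
```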

As for part B, refer to Fig. 7. From another feasible angle, the present invention can use the function analysis method described above to find the functions in the kernel program that access network packets and embed instructions in those functions. That is, the invention is a method for tracing the processing procedure of a network packet, wherein the network packet undergoes the processing procedure inside a system kernel, the method comprising the following steps: providing a function that accesses the network packet; embedding a trace instruction in the function (for example, what is inside the large dashed frame in Fig. 7 is instrument source code, an instruction that inserts the tracing technique); starting execution of the function, which in turn triggers the trace instruction; and recording an identifier of the function so that the processing procedure can be traced.

The trace instruction may of course be instrument source code. Such instruction code can record the execution order of the functions as well as the internal system data or resource conditions of interest, letting developers trace and analyze the system's operating state; the identifier is a name, a code or any of various other symbols. The invention can be applied to the development of network devices. Networks have already been deployed on a large scale and networked devices are becoming ever more widespread; with the future development of the cloud computing industry, device networking will become even more common. The invention can improve the software development efficiency and communication performance of network communication devices and has great industrial value.

The keywords used for the search in this case were: packet processing sequence, packet processing procedure, packet trace, packet flow, packet data type and kernel function. When the database searched was the United States Patent and Trademark Office patent database search system (http://www.uspto.gov/), the results were as follows:

1. "packet processing sequence" AND "packet data type": 0 documents
2. "packet processing sequence" AND "kernel function": 0 documents
3. "packet processing procedure" AND "packet data type": 0 documents
4. "packet processing procedure" AND "kernel function": 0 documents
5. "packet flow" AND "packet data type": 9 documents
6. "packet flow" AND "kernel function": 7 documents
7. "packet trace" AND "packet data type": 0 documents
8. "packet trace" AND "kernel function": 0 documents

The patent documents retrieved by the 5th and 6th searches are listed below:

1. US 7,453,801: Admission control and resource allocation in a communication system supporting application flows having quality of service requirements
2. US 7,305,511: Providing both wireline and wireless connections to a wireline interface
3. US 7,164,657: Intelligent collaboration across network systems
4. US 7,136,904: Wireless cable replacement for computer peripherals using a master adapter
5. US 7,127,541: Automatically establishing a wireless connection between adapters
6. US 6,963,955: Scattering and gathering data for faster processing
7. US 6,950,859: Wireless cable replacement for computer peripherals
8. US 6,894,972: Intelligent collaboration across network system
9. US 6,665,495: Non-blocking, scalable optical router architecture and method for routing optical traffic
10. US 7,685,254: Runtime adaptable search processor
11. US 7,631,107: Runtime adaptable protocol processor
12. US 7,627,693: IP storage processor and engine using RDMA
13. US 7,536,462: Memory system for a high performance IP processor
14. US 7,487,264: High performance IP processor
15. US 7,415,723: Distributed network security system and a hardware processor
16. US 7,376,755: TCP/IP processor and engine using RDMA

When the database searched was the European Patent Office patent database search system (http://ep.espacenet.com/), the results were as follows:

1. "packet processing sequence" AND "packet data type": 0 articles
2. "packet processing sequence" AND "kernel function": 0 articles
3. "packet processing procedure" AND "packet data type": 0 articles
4. "packet processing procedure" AND "kernel function": 0 articles
5. "packet flow" AND "packet data type": 0 articles
6. "packet flow" AND "kernel function": 0 articles
7. "packet trace" AND "packet data type": 0 articles
8. "packet trace" AND "kernel function": 0 articles

Comparing the technical content of the above search results with the present case shows that all of them are unrelated to or different from the present invention; no patent similar to the present invention was found. The present invention, with a new design, traces the processing procedure by using function calls to pass the data structure, and, through the defined data type name of the parameter, substantially achieves the effect of tracing the processing procedure. The invention may be modified in various ways by those skilled in the art without departing from the scope of protection sought in the appended claims.

[Brief Description of the Drawings]

Figure 1: the kernel function trace of Kernprof, a conventional tool of the original tool class.
Figure 2: a structure diagram of the data structure used by the method of the present invention for tracing the processing procedure of a network packet.
Figure 3: a program listing of a preferred embodiment of the present invention that uses function calls to pass the data structure.
Figure 4A: a program listing of an embodiment of the present invention using the C language rules for aliases, customized data types and nested data structures.
Figure 4B: a program listing showing the global variable, the parameter type name, the return type name and the local definition of functions that directly access the network packet.
Figure 5: a program listing that uses a function calling a function that accesses the network packet.
Figure 6: a program listing that uses a function called by a function that accesses the network packet.
Figure 7: a program listing of a preferred embodiment showing the result of embedding instructions into the code of Figure 3.

[Description of Main Component Symbols]

41: alias
42: customized data type name
43: nested data structure
44: global variable
45: parameter type name
46: return type name
47: local definition
70: instrument source code

Claims (1)

VII. Scope of patent application:

1. A method for tracing a processing procedure of a network packet, wherein the network packet is stored in a data structure and undergoes the processing procedure within a system kernel, the method comprising the following step: […] passing the data structure, and tracing the processing procedure accordingly.

2. The method of claim 1, wherein […], the data structure is an sk_buff, the method further comprises using a specific function to access […], and the processing procedure is an execution sequence of the data structure.

3. A method for tracing a processing procedure of a network packet, wherein the network packet undergoes the processing procedure within a system kernel, the method comprising the following steps:
providing a function to process the network packet, wherein the function has a parameter;
defining a data type name of the parameter; and
searching for the data type name, thereby tracing the processing procedure.

4. The method of claim 3, wherein the data type name is the reference point of a search, and the data type name is an original type name or a variant type name.

5. The method of claim 4, wherein the variant type name is […] a customized data type name or a nested data structure, and the variant type name associates it with a data type of the network packet.

6. The method of claim 3, further comprising finding, in source code of the system kernel, a function that accesses the network packet, wherein the function that accesses the network packet is a function that directly accesses the network packet or a function that indirectly accesses the network packet.

7. The method of claim 6, wherein the function that directly accesses the network packet uses a declared variable (Global Variable), a parameter type name, a return type name or a local definition to directly access the network packet.

8. The method of claim 6, wherein the function that indirectly accesses the network packet uses a function that calls a packet-accessing function (Indirect Caller) or a function called by a packet-accessing function (Indirect Callee), and indirectly obtains a pointer to the network packet by pass-by-address in order to access the network packet.

9. A method for tracing a processing procedure of a network packet, wherein the network packet undergoes the processing procedure within a system kernel, the method comprising the following steps:
providing a function that accesses the network packet;
embedding a tracing instruction in the function;
starting execution of the function, thereby triggering the tracing instruction; and
recording an identifier of the function, so that the processing procedure can be traced.

10. The method of claim 9, wherein the tracing instruction is instrument source code (Instrument Source Code), and the identifier is a name or a code.
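The search described in claims 3 to 7 (start from the packet's data type name, follow its variant names, then pick out the functions that reach the packet through a parameter, return type, local definition or global variable) can be sketched as below. This is an added illustration, not code from the patent or its figures: it is a regex-based scan over a constructed C sample, and every function and type name in the sample other than sk_buff is hypothetical.

```python
import re

# Constructed sample source (not the patent's figures); sk_buff is the structure named in claim 2.
SAMPLE = """
typedef struct sk_buff pkt_t;                     /* alias */
typedef struct { int cpu; pkt_t *head; } rxq_t;   /* customized data type */
struct rx_ctx { rxq_t q; };                       /* nested data structure */
static struct sk_buff *pending;                   /* global variable */
struct sk_buff *pkt_clone(struct sk_buff *skb) { return skb; }
int my_filter(pkt_t *p) { if (p) { return 1; } return 0; }
int drain(struct rx_ctx *ctx) { return ctx->q.cpu; }
int requeue(void) { pkt_t *s = pending; return s != 0; }
int checksum(const char *buf, int len) { return len; }
"""

def uses(text, names):
    return any(re.search(rf"\b{re.escape(n)}\b", text) for n in names)

def packet_type_names(src, base="sk_buff"):
    # Original type name plus every variant name that leads back to it (fixpoint).
    decls = re.findall(r"typedef\s+struct\s*\{([^}]*)\}\s*(\w+)\s*;", src)
    decls += re.findall(r"typedef\s+([^;{}]+?)\b(\w+)\s*;", src)
    decls += [(b, n) for n, b in re.findall(r"struct\s+(\w+)\s*\{([^}]*)\}", src)]
    names, size = {base}, 0
    while len(names) != size:
        size = len(names)
        names |= {n for body, n in decls if uses(body, names)}
    return names

def functions(src):
    # Yield (name, return type, parameters, body); the body is found by brace matching.
    for m in re.finditer(r"^(\w[\w \*]*?)\b(\w+)\s*\(([^)]*)\)\s*\{", src, re.M):
        depth, i = 1, m.end()
        while depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(2), m.group(1), m.group(3), src[m.end():i - 1]

def direct_accessors(src):
    names = packet_type_names(src)
    # Assumption: file-scope declarations start in column 0 and are not typedefs.
    decl = re.findall(r"^(?!typedef)(\w[\w \*]*?)\b(\w+)\s*;", src, re.M)
    globs = {v for t, v in decl if uses(t, names)}
    found = {}
    for name, ret, params, body in functions(src):
        checks = (("return", ret, names), ("parameter", params, names),
                  ("local", body, names), ("global", body, globs))
        found[name] = [kind for kind, text, pool in checks if uses(text, pool)]
    return {f: why for f, why in found.items() if why}
```

The functions returned by `direct_accessors` are the candidates into which the tracing instruction of claim 9 would be embedded; a search for the bare string `sk_buff` alone would miss `my_filter`, `drain` and `requeue`.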
TW99125188A 2010-07-29 2010-07-29 Method for tracing processing procedure of network packet TWI425795B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW99125188A TWI425795B (en) 2010-07-29 2010-07-29 Method for tracing processing procedure of network packet

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW99125188A TWI425795B (en) 2010-07-29 2010-07-29 Method for tracing processing procedure of network packet

Publications (2)

Publication Number Publication Date
TW201206120A true TW201206120A (en) 2012-02-01
TWI425795B TWI425795B (en) 2014-02-01

Family

ID=46761848

Family Applications (1)

Application Number Title Priority Date Filing Date
TW99125188A TWI425795B (en) 2010-07-29 2010-07-29 Method for tracing processing procedure of network packet

Country Status (1)

Country Link
TW (1) TWI425795B (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002089426A1 (en) * 2001-04-27 2002-11-07 Ntt Data Corporation Packet tracing system
US7376950B2 (en) * 2002-05-08 2008-05-20 Intel Corporation Signal aggregation
US7742414B1 (en) * 2006-06-30 2010-06-22 Sprint Communications Company L.P. Lightweight indexing for fast retrieval of data from a flow-level compressed packet trace
CN1937544A (en) * 2006-11-13 2007-03-28 陈哲 IP phone monitoring system
US8695089B2 (en) * 2007-03-30 2014-04-08 International Business Machines Corporation Method and system for resilient packet traceback in wireless mesh and sensor networks
US7925940B2 (en) * 2007-10-17 2011-04-12 Synopsys, Inc. Enhancing speed of simulation of an IC design while testing scan circuitry

Also Published As

Publication number Publication date
TWI425795B (en) 2014-02-01

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees