US9270550B2 - Session-based traffic analysis system - Google Patents
Session-based traffic analysis system Download PDFInfo
- Publication number
- US9270550B2 US9270550B2 US13/882,724 US201113882724A US9270550B2 US 9270550 B2 US9270550 B2 US 9270550B2 US 201113882724 A US201113882724 A US 201113882724A US 9270550 B2 US9270550 B2 US 9270550B2
- Authority
- US
- United States
- Prior art keywords
- traffic
- sequence number
- acknowledgement
- value
- traffic analysis
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active, expires
Links
- 238000004458 analytical method Methods 0.000 title claims abstract description 81
- 230000005540 biological transmission Effects 0.000 claims abstract description 16
- 238000011144 upstream manufacturing Methods 0.000 claims description 10
- 239000000284 extract Substances 0.000 claims description 6
- 238000012544 monitoring process Methods 0.000 claims description 2
- 238000000034 method Methods 0.000 description 9
- 238000010586 diagram Methods 0.000 description 6
- 238000013500 data storage Methods 0.000 description 2
- 238000012423 maintenance Methods 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 238000012284 sample analysis method Methods 0.000 description 2
- 238000010276 construction Methods 0.000 description 1
- 230000003247 decreasing effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 238000005259 measurement Methods 0.000 description 1
- 238000003012 network analysis Methods 0.000 description 1
- 230000011218 segmentation Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/022—Capturing of monitoring data by sampling
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/028—Capturing of monitoring data by filtering
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/026—Capturing of monitoring data using flow identification
Definitions
- the present invention relates to a broadband traffic analysis system.
- the Internet may be easily used by anyone due to a drastic development and propagation of Internet technology.
- a broadband network for providing the Internet is complicated, and an Internet usage pattern is also diversified.
- a professional traffic analysis system is required to manage and operate a traffic network as an amount of traffic usage significantly increases due to the rapid increase and the drastic propagation of Internet users.
- the traffic analysis system refers to a system for analyzing a statistical amount of traffic, a current state of an Internet connection, a number of transmission control protocol (TCP) connection sessions, and a traffic usage for each service to analyze an increasing amount of traffic in the broadband network, and to analyze a factor causing interference against the network.
- TCP transmission control protocol
- a traffic sample analysis method installed in a partial section of the broadband network to analyze traffic is currently adopted as a method for analyzing rapidly increasing high-capacity traffic of the broadband network.
- the traffic sample analysis method may eliminate the above-described issues in terms of costs and maintenance, which may result from using a plurality of analytical systems.
- traffic analysis is possible using only an extracted traffic sample, in lieu of the entirety of traffic. Accordingly, a result of the analysis may differ from an actual amount of traffic analysis and as a result, numerous errors in measurement may occur.
- An aspect of the present invention provides a session-based traffic analysis system which may replace a plurality of high-cost and high-capacity traffic analysis systems with a low-cost and efficient traffic analysis system, and may measure a total amount of traffic by analyzing a portion of upstream traffic that occupies about 1 ⁇ 3 of the total traffic in a broadband network.
- Another aspect of the present invention provides a session-based traffic analysis system which may accurately analyze an amount of traffic for each transmission control protocol (TCP) connection using only some one-way packets based on TCP connection-oriented characteristics, that is, connection information of data storage for each TCP connection, and may accurately analyze an amount of two-way traffic using only some one-way connection information, as an amount of TCP data transmission to be transmitted is calculated based on a sequence number of the TCP connection information, and an amount of received TCP data transmission is calculated based on an acknowledgement number of the TCP connection information.
- TCP transmission control protocol
- a session-based traffic analysis system to analyze two-way traffic based on one-way traffic, with respect to broadband traffic using a transmission control protocol (TCP), the system including a traffic mirroring means to monitor the one-way traffic transmitted from a broadband network on the TCP, the one-way traffic corresponding to upstream traffic or downstream traffic, a session information extracting means to extract a sequence number and an acknowledgement number for each set of session information from the traffic monitored by the traffic mirroring means, a two-way traffic analyzing means to update an initial value and a final value for each of the sequence number and the acknowledgement number extracted by the session information extracting means, to determine an amount of traffic transmitted in a direction traffic is collected in based on the initial value and the final value of the sequence number, and to determine an amount of traffic transmitted in a direction opposite to the direction traffic is collected in based on the initial value and the final value of the acknowledgement number, and a storage medium to periodically log and store a traffic analysis result value obtained by the traffic analyzing means.
- TCP transmission control protocol
- the session information extracting means may extract, from TCP header information of the traffic, sequence information to be used as a sequence number value, acknowledgement information to be used as an acknowledgement number value, and source Internet protocol (IP)/destination IP/source port/destination port values of an IP header and a TCP header to be used as a session information value.
- IP Internet protocol
- the two-way traffic analyzing means may store a sequence number and an acknowledgement number of a session information value initially collected as initial values of the sequence number and the acknowledgement number, and may continuously store sequence numbers and acknowledgement numbers collected thereafter for the same session information value, as final values of the sequence number and the acknowledgement number.
- the two-way traffic analyzing means may calculate the initial values and the final values of the sequence number and the acknowledgement number, may determine an amount of data transmitted in the direction the traffic is collected in based on an equation “final value of sequence number ⁇ initial value of sequence number”, and may determine an amount of data received in the direction opposite to the direction the traffic is collected in based on an equation “final value of acknowledgment number ⁇ initial value of acknowledgment number”.
- the same analysis result value as a value obtained by analyzing total traffic may be induced by analyzing only a portion of upstream traffic that occupies about 1 ⁇ 3 of the total traffic, instead of analyzing the total traffic of a broadband network.
- a broadband network traffic analysis system using a low-capacity and general-purpose server capable of correcting a traffic analysis value, although a portion of TCP packets is missing while analyzing the traffic.
- FIG. 1 is a configuration diagram illustrating a state in which a session-based traffic analysis system according to an embodiment of the present invention is applied to a network.
- FIG. 2 is a diagram illustrating a configuration of an Internet protocol (IP) header of an IP packet for extracting values of a source IP and a destination IP from among session values.
- IP Internet protocol
- FIG. 3 is a diagram illustrating a configuration of a TCP header of an IP packet for extracting values of a source port, a destination port, a sequence number, and an acknowledgement number from among session values.
- FIG. 4 illustrates a session information storage table for managing a session value, and values of a sequence number and an acknowledgement number extracted from the IP packet as an initial value and a final value.
- FIG. 5 is a flowchart illustrating a session-based traffic analysis process according to an embodiment of the present invention.
- a session-based traffic analysis system to analyze two-way traffic based on one-way traffic, with respect to broadband traffic using a transmission control protocol (TCP).
- TCP transmission control protocol
- the system includes a traffic mirroring means to monitor the one-way traffic, more particularly, upstream traffic or downstream traffic transmitted from a broadband network to TCP.
- the system also includes a session information extracting means to extract a sequence number and an acknowledgement number for each set of session information from the traffic monitored by the traffic mirroring means.
- the system also includes a two-way traffic analyzing means.
- the two-way traffic analyzing means updates an initial value and a final value for each of the sequence number and the acknowledgement number extracted by the session information extracting means.
- the two-way traffic analyzing means determines an amount of traffic transmitted in a direction traffic is collected in based on the initial value and the final value of the sequence number.
- the two-way traffic analyzing means determines an amount of traffic transmitted in a direction opposite to the direction traffic is collected in based on the initial value and the final value of the acknowledgement number.
- the system also includes a storage medium to periodically log and store a traffic analysis result value obtained by the traffic analyzing means.
- FIG. 1 is a configuration diagram of a network system illustrating a state in which a corresponding system performing a session-based traffic analysis method according to an embodiment of the present invention is applied to a network.
- a session-based traffic analysis system includes a traffic mirroring means 11 to lead traffic into a traffic analysis device 12 using a tab, a switch device, and the like, and the traffic analysis device 12 to analyze the lead traffic based on a session.
- FIG. 2 is a diagram illustrating a configuration of an Internet protocol (IP) header of a packet which is analyzed when a source IP 21 and a destination IP 22 are extracted from among session information values.
- IP Internet protocol
- the source IP 21 of FIG. 2 indicates an IP address of a transmitter which transmits data
- the destination IP 22 indicates an IP address of a receiver which receives data.
- FIG. 3 is a diagram illustrating a configuration of a transmission control protocol (TCP) header of a packet which is analyzed when information of a source port 31 and a destination port 32 , and a sequence number 33 and an acknowledgement number 34 for the session-based traffic analysis are extracted from among session information values.
- TCP transmission control protocol
- the source port 31 indicates a connection number of a data transmitter
- the destination port 32 indicates a connection number of a data receiver.
- the sequence number 33 is a serial number which is assigned in an order when data to be transmitted through a network is divided into packets.
- the acknowledgement number 34 is a serial number of received data.
- sequence number is the serial number of data to be transmitted and thus, an increase in a value between an initially collected sequence number value and a finally collected sequence number value based on session information indicates an amount of data actually transmitted with respect to corresponding session information.
- the acknowledgement number is the serial number of received data and thus, an increase in a value between an initially collected acknowledgement number value and a finally collected acknowledgement number value based on session information indicates an amount of data actually received with respect to corresponding session information.
- FIG. 4 is a session information storage table storing an initial sequence number value, a final sequence number value, an initial acknowledgement number value, and a final acknowledgement value for each set of session information.
- an amount of data transmitted by a corresponding session is calculated based on an equation of “final value of sequence number ⁇ initial value of sequence number”, and an amount of data received by the corresponding session is calculated based on an equation “final value of acknowledgment number ⁇ initial value of acknowledgment number”.
- the initial sequence number value stores a sequence number value which is extracted when a minimum packet having a session value is collected.
- the final sequence number value is maintained by continuously updating, to be used as the final sequence number value, a sequence number value of a corresponding packet extracted when a packet having the same session value as an initial session value is collected because a packet having the initial session value is already collected.
- the initial acknowledgement number value stores the sequence number value extracted when a minimum packet having a session value is already collected.
- the final acknowledgement number value is maintained by continuously updating, to be used as the final acknowledgement number value, an acknowledgement number value of a corresponding packet extracted when a packet having the same session value as the initial session value is collected because the packet having an initial session value is already collected.
- FIG. 5 is a flowchart illustrating a session-based traffic analysis process.
- the session-based traffic analysis process in the broadband network generates a session value key by monitoring a packet transmitted on a network in operation S 51 , and by extracting a session value, more particularly, information about a source IP, a destination IP, a source port, and a destination port included in the monitored packet in operation S 52 .
- Whether the generated session value is a session value present in the session information storage table or a new session value may be determined in operation S 53 .
- the extracted new session value is stored in the session information storage table in operation S 54 .
- a sequence number and an acknowledgement number of the corresponding packet are extracted in operation S 55 .
- the extracted sequence number and acknowledge number are stored in the session information storage table to be used as an initial value of the stored new session value in operation S 56 .
- the session information storage table is searched for an existing session value in operation S 57 .
- the extracted sequence number and acknowledge number are stored in the session information storage table to be used as a final value of the previously stored session information.
- the initial value and the final value of the sequence number, and the initial value and the final value of the acknowledgement number are stored in the session information storage table for each session value of all packets by repeatedly performing operations S 56 and S 59 for each packet being monitored.
- a traffic analysis value for example, a data transmission amount and a data reception amount may be calculated according to the following equations.
- Data transmission amount final value of sequence number ⁇ initial value of sequence number
- Data reception amount final value of acknowledgement number ⁇ initial value of acknowledgement number
- the present invention is neither limited thereto nor restricted thereby.
- the present invention may be configured as a system which may perform predetermined processes as described above and is independent in terms of hardware.
- the present invention may be provided in a form of software, such as an application installed on a server side or a client side to operate in a broadband network analysis and to operate by requesting a traffic analysis.
- the present invention when the present invention is provided in the form of software as described above, the present invention may be provided in various forms based on necessity.
- the present invention may be provided in a form of a record medium in which a program executing the above-mentioned predetermined processes is stored, or in a form of a download program to be downloaded and installed through the Internet.
- a session-based traffic analysis system which may replace conventional high-cost and high-capacity traffic analysis systems and traffic sample analysis systems, and may measure a total amount of traffic by analyzing a portion of upstream traffic that occupies about 1 ⁇ 3 of the total traffic in a broadband network to manage an efficient high-capacity traffic analysis system at low costs.
- a session-based traffic analysis system which may accurately analyze an amount of traffic for each transmission control protocol (TCP) connection using only some one-way packets based on TCP connection-oriented characteristics, more particularly, connection information of data storage for each TCP connection, and may accurately analyze an amount of two-way traffic using only some one-way connection information, as an amount of TCP data transmission to be transmitted is calculated based on a sequence number of the TCP connection information, and an amount of received TCP data transmission is calculated based on an acknowledgement number of the TCP connection information.
- TCP transmission control protocol
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Environmental & Geological Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to a session-based traffic analysis system that may accurately analyze an amount of traffic for each transmission control protocol (TCP) connection using only one-way packets. The system may accurately analyze an amount of two-way traffic using only one-way connection information.
Description
The present invention relates to a broadband traffic analysis system.
In recent times, the Internet may be easily used by anyone due to a drastic development and propagation of Internet technology.
Accordingly, a number of Internet users is rapidly increasing, and methods for connecting to the Internet and usage patterns of the Internet have become complex and diversified.
In addition, a broadband network for providing the Internet is complicated, and an Internet usage pattern is also diversified. Thus, a professional traffic analysis system is required to manage and operate a traffic network as an amount of traffic usage significantly increases due to the rapid increase and the drastic propagation of Internet users.
Here, the traffic analysis system refers to a system for analyzing a statistical amount of traffic, a current state of an Internet connection, a number of transmission control protocol (TCP) connection sessions, and a traffic usage for each service to analyze an increasing amount of traffic in the broadband network, and to analyze a factor causing interference against the network.
However, hundreds or thousands of high-cost and high-capacity traffic analysis systems are required to professionally analyze an entirety of upstream traffic and downstream traffic in the broadband network through segmentation. Accordingly, not only construction costs but also high costs for maintaining and repairing are incurred as a traffic rate increases. Thus, introducing a system for analyzing an entirety of the upstream traffic and the downstream traffic in the broadband network is difficult, in terms of costs and maintenance.
To solve the aforementioned issue, a traffic sample analysis method installed in a partial section of the broadband network to analyze traffic is currently adopted as a method for analyzing rapidly increasing high-capacity traffic of the broadband network. The traffic sample analysis method may eliminate the above-described issues in terms of costs and maintenance, which may result from using a plurality of analytical systems. However, traffic analysis is possible using only an extracted traffic sample, in lieu of the entirety of traffic. Accordingly, a result of the analysis may differ from an actual amount of traffic analysis and as a result, numerous errors in measurement may occur.
Accordingly, to overcome issues found in conventional high-cost and high-capacity traffic analysis systems, traffic sample analysis systems, and the like, there is a need for a traffic analysis method that may construct an efficient high-capacity traffic analysis system at low costs. However, a method satisfying all the requirements has yet to be proposed.
An aspect of the present invention provides a session-based traffic analysis system which may replace a plurality of high-cost and high-capacity traffic analysis systems with a low-cost and efficient traffic analysis system, and may measure a total amount of traffic by analyzing a portion of upstream traffic that occupies about ⅓ of the total traffic in a broadband network.
Another aspect of the present invention provides a session-based traffic analysis system which may accurately analyze an amount of traffic for each transmission control protocol (TCP) connection using only some one-way packets based on TCP connection-oriented characteristics, that is, connection information of data storage for each TCP connection, and may accurately analyze an amount of two-way traffic using only some one-way connection information, as an amount of TCP data transmission to be transmitted is calculated based on a sequence number of the TCP connection information, and an amount of received TCP data transmission is calculated based on an acknowledgement number of the TCP connection information.
According to an aspect of the present invention, there is provided a session-based traffic analysis system to analyze two-way traffic based on one-way traffic, with respect to broadband traffic using a transmission control protocol (TCP), the system including a traffic mirroring means to monitor the one-way traffic transmitted from a broadband network on the TCP, the one-way traffic corresponding to upstream traffic or downstream traffic, a session information extracting means to extract a sequence number and an acknowledgement number for each set of session information from the traffic monitored by the traffic mirroring means, a two-way traffic analyzing means to update an initial value and a final value for each of the sequence number and the acknowledgement number extracted by the session information extracting means, to determine an amount of traffic transmitted in a direction traffic is collected in based on the initial value and the final value of the sequence number, and to determine an amount of traffic transmitted in a direction opposite to the direction traffic is collected in based on the initial value and the final value of the acknowledgement number, and a storage medium to periodically log and store a traffic analysis result value obtained by the traffic analyzing means.
The session information extracting means may extract, from TCP header information of the traffic, sequence information to be used as a sequence number value, acknowledgement information to be used as an acknowledgement number value, and source Internet protocol (IP)/destination IP/source port/destination port values of an IP header and a TCP header to be used as a session information value.
The two-way traffic analyzing means may store a sequence number and an acknowledgement number of a session information value initially collected as initial values of the sequence number and the acknowledgement number, and may continuously store sequence numbers and acknowledgement numbers collected thereafter for the same session information value, as final values of the sequence number and the acknowledgement number.
The two-way traffic analyzing means may calculate the initial values and the final values of the sequence number and the acknowledgement number, may determine an amount of data transmitted in the direction the traffic is collected in based on an equation “final value of sequence number−initial value of sequence number”, and may determine an amount of data received in the direction opposite to the direction the traffic is collected in based on an equation “final value of acknowledgment number−initial value of acknowledgment number”.
According to embodiments of the present invention, the same analysis result value as a value obtained by analyzing total traffic may be induced by analyzing only a portion of upstream traffic that occupies about ⅓ of the total traffic, instead of analyzing the total traffic of a broadband network.
Accordingly, more than ⅓ of the number of traffic analysis servers required in the related art may be decreased. According to the decrease in the number of traffic analysis servers, costs for purchasing a traffic analysis server, or additional costs and range of management may be reduced. Accordingly, there may be provided a broadband network management method which is efficient in terms of time and costs.
Further, according to embodiments of the present invention, there may be provided a broadband network traffic analysis system using a low-capacity and general-purpose server capable of correcting a traffic analysis value, although a portion of TCP packets is missing while analyzing the traffic.
Provided is a session-based traffic analysis system to analyze two-way traffic based on one-way traffic, with respect to broadband traffic using a transmission control protocol (TCP). The system includes a traffic mirroring means to monitor the one-way traffic, more particularly, upstream traffic or downstream traffic transmitted from a broadband network to TCP. The system also includes a session information extracting means to extract a sequence number and an acknowledgement number for each set of session information from the traffic monitored by the traffic mirroring means. The system also includes a two-way traffic analyzing means. The two-way traffic analyzing means updates an initial value and a final value for each of the sequence number and the acknowledgement number extracted by the session information extracting means. The two-way traffic analyzing means determines an amount of traffic transmitted in a direction traffic is collected in based on the initial value and the final value of the sequence number. The two-way traffic analyzing means determines an amount of traffic transmitted in a direction opposite to the direction traffic is collected in based on the initial value and the final value of the acknowledgement number. The system also includes a storage medium to periodically log and store a traffic analysis result value obtained by the traffic analyzing means.
Hereinafter, a session-based traffic analysis system according to embodiments of the present invention will be described in detail with reference to the accompany drawings.
Here, the following description is only an example of implementation of the present invention and thus, the present invention is neither limited thereto nor restricted thereby.
As illustrated in FIG. 1 , to analyze traffic occurring with respect to an Internet user 13, a session-based traffic analysis system according to an embodiment of the present invention includes a traffic mirroring means 11 to lead traffic into a traffic analysis device 12 using a tab, a switch device, and the like, and the traffic analysis device 12 to analyze the lead traffic based on a session.
The source IP 21 of FIG. 2 indicates an IP address of a transmitter which transmits data, and the destination IP 22 indicates an IP address of a receiver which receives data.
The source port 31 indicates a connection number of a data transmitter, and the destination port 32 indicates a connection number of a data receiver.
The sequence number 33 is a serial number which is assigned in an order when data to be transmitted through a network is divided into packets.
The acknowledgement number 34 is a serial number of received data.
Here, the sequence number is the serial number of data to be transmitted and thus, an increase in a value between an initially collected sequence number value and a finally collected sequence number value based on session information indicates an amount of data actually transmitted with respect to corresponding session information.
In addition, the acknowledgement number is the serial number of received data and thus, an increase in a value between an initially collected acknowledgement number value and a finally collected acknowledgement number value based on session information indicates an amount of data actually received with respect to corresponding session information.
Using values stored in the session information storage table, an amount of data transmitted by a corresponding session is calculated based on an equation of “final value of sequence number−initial value of sequence number”, and an amount of data received by the corresponding session is calculated based on an equation “final value of acknowledgment number−initial value of acknowledgment number”.
Here, the initial sequence number value stores a sequence number value which is extracted when a minimum packet having a session value is collected.
The final sequence number value is maintained by continuously updating, to be used as the final sequence number value, a sequence number value of a corresponding packet extracted when a packet having the same session value as an initial session value is collected because a packet having the initial session value is already collected.
Further, the initial acknowledgement number value stores the sequence number value extracted when a minimum packet having a session value is already collected.
The final acknowledgement number value is maintained by continuously updating, to be used as the final acknowledgement number value, an acknowledgement number value of a corresponding packet extracted when a packet having the same session value as the initial session value is collected because the packet having an initial session value is already collected.
As illustrated in FIG. 5 , the session-based traffic analysis process in the broadband network according to an embodiment of the present invention generates a session value key by monitoring a packet transmitted on a network in operation S51, and by extracting a session value, more particularly, information about a source IP, a destination IP, a source port, and a destination port included in the monitored packet in operation S52.
Whether the generated session value is a session value present in the session information storage table or a new session value may be determined in operation S53.
When the corresponding session value is determined to be the new session value absent in the session information storage table, the extracted new session value is stored in the session information storage table in operation S54. A sequence number and an acknowledgement number of the corresponding packet are extracted in operation S55. The extracted sequence number and acknowledge number are stored in the session information storage table to be used as an initial value of the stored new session value in operation S56.
Conversely, when the corresponding session value is determined to be present in the session information storage table, the session information storage table is searched for an existing session value in operation S57.
In operation S58, the sequence number and the acknowledgement number of the corresponding packet are extracted,
In operation S59, the extracted sequence number and acknowledge number are stored in the session information storage table to be used as a final value of the previously stored session information.
The initial value and the final value of the sequence number, and the initial value and the final value of the acknowledgement number are stored in the session information storage table for each session value of all packets by repeatedly performing operations S56 and S59 for each packet being monitored.
In addition, based on session values stored in the session information storage table through the aforementioned process, a traffic analysis value, for example, a data transmission amount and a data reception amount may be calculated according to the following equations.
Data transmission amount=final value of sequence number−initial value of sequence number
Data reception amount=final value of acknowledgement number−initial value of acknowledgement number
Data transmission amount=final value of sequence number−initial value of sequence number
Data reception amount=final value of acknowledgement number−initial value of acknowledgement number
As described above, although the session-based traffic analysis system in the broadband network according to embodiments of the present invention is described, the present invention is neither limited thereto nor restricted thereby.
Although an installation is described to be performed in the session-based analysis device 12 in the above-mentioned embodiment, the present invention may be configured as a system which may perform predetermined processes as described above and is independent in terms of hardware. For example, the present invention may be provided in a form of software, such as an application installed on a server side or a client side to operate in a broadband network analysis and to operate by requesting a traffic analysis.
Here, when the present invention is provided in the form of software as described above, the present invention may be provided in various forms based on necessity. For example, the present invention may be provided in a form of a record medium in which a program executing the above-mentioned predetermined processes is stored, or in a form of a download program to be downloaded and installed through the Internet.
Accordingly, the present invention is not limited to the above-described embodiments. Instead, it would be appreciated by those skilled in the art that changes may be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.
According to embodiments of the present invention, there may be provided a session-based traffic analysis system which may replace conventional high-cost and high-capacity traffic analysis systems and traffic sample analysis systems, and may measure a total amount of traffic by analyzing a portion of upstream traffic that occupies about ⅓ of the total traffic in a broadband network to manage an efficient high-capacity traffic analysis system at low costs.
According to other embodiments of the present invention, there may be also provided a session-based traffic analysis system which may accurately analyze an amount of traffic for each transmission control protocol (TCP) connection using only some one-way packets based on TCP connection-oriented characteristics, more particularly, connection information of data storage for each TCP connection, and may accurately analyze an amount of two-way traffic using only some one-way connection information, as an amount of TCP data transmission to be transmitted is calculated based on a sequence number of the TCP connection information, and an amount of received TCP data transmission is calculated based on an acknowledgement number of the TCP connection information.
Claims (15)
1. A session-based traffic analysis system to analyze two-way traffic based on one-way traffic, with respect to broadband traffic using a transmission control protocol (TCP), the session-based traffic analysis system comprising:
at least one processor which implements a traffic mirror operatively coupled to a broadband network which monitors the one-way traffic transmitted from the broadband network on the TCP, the one-way traffic corresponding to either upstream traffic or downstream traffic;
at least one processor which implements a traffic analysis subsystem operatively coupled to a nontransitory storage medium and operatively coupled to the traffic mirror to receive the traffic monitored thereby, the traffic analysis subsystem:
extracts a sequence number and an acknowledgement number for each set of session information from the traffic monitored by the traffic mirror;
updates an initial value and a final value for each of the extracted sequence number and the extracted acknowledgement number;
determines an amount of traffic transmitted in a direction in which traffic is collected based on the initial value and the final value of the sequence number;
determines an amount of traffic transmitted in a direction opposite to the direction in which traffic is collected based on the initial value and the final value of the acknowledgement number; and
stores a traffic analysis result value in the nontransitory storage medium based at least in part on at least one of the determined amount of traffic transmitted in a direction in which traffic is collected or the determined amount of traffic transmitted in a direction opposite to the direction in which traffic is collected.
2. The session-based traffic analysis system of claim 1 , wherein the traffic analysis subsystem extracts, from TCP header information of the traffic, sequence information to be used as a sequence number value, acknowledgement information to be used as an acknowledgement number value, and source Internet protocol (IP), destination IP, source port, and destination port values of an IP header and a TCP header to be used as a session information value.
3. The session-based traffic analysis system of claim 1 , wherein the traffic analysis subsystem stores a sequence number and an acknowledgement number of a session information value initially collected as initial values of the sequence number and the acknowledgement number, and continuously stores sequence numbers and acknowledgement numbers collected thereafter for the same session information value, as final values of the sequence number and the acknowledgement number.
4. The session-based traffic analysis system of claim 3 , wherein
the traffic analysis subsystem:
calculates the initial values and the final values of the sequence number and the acknowledgement number,
determines an amount of data transmitted in the direction the traffic is collected in based on an equation: “final value of sequence number−initial value of sequence number”, and
determines an amount of data received in the direction opposite to the direction the traffic is collected in based on an equation: “final value of acknowledgment number−initial value of acknowledgment number”.
5. A traffic analysis system, the traffic analysis system comprising:
at least one processor which implements a traffic mirror operatively coupled to a network which monitors one-way traffic on a transmission control protocol (TCP), the one-way traffic corresponding to either a first direction or a second direction, wherein traffic in the second direction is opposite to traffic in the first direction;
at least one processor which implements a traffic analysis subsystem operatively coupled to the traffic mirror to receive the traffic monitored thereby, the traffic analysis subsystem:
extracts a sequence number and an acknowledgement number for session information from the monitored one-way traffic;
determines an initial value of the sequence number and a final value of the sequence number;
determines an initial value of the acknowledgement number and a final value of the acknowledgement number;
determines an amount of traffic in the first direction based on a difference between the initial value of the sequence number and the final value of the sequence number; and
determines an amount of traffic in the second direction based on a difference between the initial value of the acknowledgement number and the final value of the acknowledgement number.
6. The traffic analysis system of claim 5 , wherein the traffic analysis subsystem:
extracts the sequence number from a TCP header of the one-way traffic,
extracts the acknowledgement number from the TCP header of the one-way traffic, and
obtains the session information from a source Internet Protocol (IP) address, a destination IP address, a source port, and a destination port of the TCP header of the one-way traffic.
7. The traffic analysis system of claim 5 , wherein the traffic analysis subsystem:
determines, to be the initial value of the sequence number, a sequence number initially collected for the session information, and
determines, to be the initial value of the acknowledgement number, an acknowledgement number initially collected for the session information.
8. The traffic analysis system of claim 7 , wherein the traffic analysis subsystem:
updates, to be the final value of the sequence number, a sequence number collected subsequently for the session information; and
updates, to be the final value of the acknowledgement number, an acknowledgement number collected subsequently for the session information.
9. The traffic analysis system of claim 5 , further comprising:
a nontransitory storage unit for periodically logging and storing a traffic analysis result.
10. The traffic analysis system of claim 5 , wherein
traffic in the second direction is downstream traffic when traffic in the first direction is upstream traffic, and
traffic in the second direction is upstream traffic when traffic in the first direction is downstream traffic.
11. A traffic analysis method, the traffic analysis method comprising:
monitoring, by a processor-based traffic mirror, one-way traffic on a transmission control protocol (TCP), the one-way traffic corresponding to either traffic in a first direction or traffic in a second direction;
extracting, by a processor-based traffic analysis subsystem, a sequence number and an acknowledgement number for session information from the monitored one-way traffic;
determining, by the processor-based traffic analysis subsystem, an initial value of the sequence number and a final value of the sequence number;
determining, by the processor-based traffic analysis subsystem, an initial value of the acknowledgement number and a final value of the acknowledgement number;
determining, by the processor-based traffic analysis subsystem, an amount of traffic in the first direction based on the initial value of the sequence number and the final value of the sequence number;
determining, by the processor-based traffic analysis subsystem, an amount of traffic in the second direction based on the initial value of the acknowledgement number and the final value of the acknowledgement number,
wherein traffic in the second direction is opposite to traffic in the first direction.
12. The traffic analysis method of claim 11 , wherein the extracting of the sequence number and the acknowledgement number comprises:
extracting the sequence number from a TCP header of the one-way traffic;
extracting the acknowledgement number from the TCP header of the one-way traffic; and
obtaining the session information from a source Internet Protocol (IP) address, a destination IP address, a source port, and a destination port of the TCP header of the one-way traffic.
13. The traffic analysis method of claim 11 , wherein the extracting of the sequence number and the acknowledgement number comprises:
determining, to be the initial value of the sequence number, a sequence number initially collected for the session information, and
determining, to be the initial value of the acknowledgement number, an acknowledgement number initially collected for the session information.
14. The traffic analysis method of claim 13 , wherein the extracting of the sequence number and the acknowledgement number further comprises:
updating, to be the final value of the sequence number, a sequence number collected subsequently for the session information as, and
updating, to be the final value of the acknowledgement number, an acknowledgement number collected subsequently for the session information.
15. The traffic analysis method of claim 11 , wherein
the determining of an amount of traffic in the first direction based on the initial value of the sequence number and the final value of the sequence number comprises:
determining an amount of traffic in the first direction based on a difference between the initial value of the sequence number and the final value of the sequence number, and
the determining an amount of traffic in a second direction based on the initial value of the acknowledgement number and the final value of the acknowledgement number comprises:
determining an amount of traffic in a second direction based on a difference between the initial value of the acknowledgement number and the final value of the acknowledgement number.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| KR10-2010-0111031 | 2010-11-09 | ||
| KR1020100111031A KR101136529B1 (en) | 2010-11-09 | 2010-11-09 | A system for traffic analysis based on session |
| PCT/KR2011/008413 WO2012064056A1 (en) | 2010-11-09 | 2011-11-07 | Session-based traffic analysis system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| US20130286872A1 US20130286872A1 (en) | 2013-10-31 |
| US9270550B2 true US9270550B2 (en) | 2016-02-23 |
Family
ID=46051135
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US13/882,724 Active 2032-09-04 US9270550B2 (en) | 2010-11-09 | 2011-11-07 | Session-based traffic analysis system |
Country Status (3)
| Country | Link |
|---|---|
| US (1) | US9270550B2 (en) |
| KR (1) | KR101136529B1 (en) |
| WO (1) | WO2012064056A1 (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104486340B (en) * | 2014-12-16 | 2018-02-06 | 上海斐讯数据通信技术有限公司 | Defend the method and system of data flow attack |
| CN105763391B (en) * | 2014-12-17 | 2019-06-25 | 中国移动通信集团公司 | A kind of session data stream processing system, method and relevant device |
| CN108600049B (en) * | 2018-04-16 | 2020-07-07 | 苏州云杉世纪网络科技有限公司 | Method and device for measuring performance of TCP connection of data center network and storage medium |
| CN112468373A (en) * | 2020-12-08 | 2021-03-09 | 武汉蜘易科技有限公司 | Accurate positioning analysis system and method for network flow of fingerprint equipment |
| CN113162820A (en) * | 2021-03-04 | 2021-07-23 | 睿石网云(杭州)科技有限公司 | Method for performing evidence-obtaining analysis on performance fault of application system |
| CN115994172B (en) * | 2022-12-09 | 2024-05-14 | 华青融天(北京)软件股份有限公司 | Method, device, equipment and medium for determining service access relation |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070070916A1 (en) * | 2005-09-23 | 2007-03-29 | Andrew Lehane | Real time monitoring of TCP flows |
| US20100014418A1 (en) * | 2008-07-17 | 2010-01-21 | Fujitsu Limited | Connection recovery device, method and computer-readable medium storing therein processing program |
| KR20100024723A (en) | 2008-08-26 | 2010-03-08 | 주식회사 케이티 | System and method for analyzing alternative internet traffic using routing based on policy |
| KR20100032655A (en) | 2008-09-18 | 2010-03-26 | 고려대학교 산학협력단 | Apparatus and method for managing application for traffic analysis |
| KR20100072975A (en) | 2008-12-22 | 2010-07-01 | 주식회사 케이티 | Apparatus and method for managing network traffic based on flow and session |
-
2010
- 2010-11-09 KR KR1020100111031A patent/KR101136529B1/en active Active
-
2011
- 2011-11-07 WO PCT/KR2011/008413 patent/WO2012064056A1/en not_active Ceased
- 2011-11-07 US US13/882,724 patent/US9270550B2/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070070916A1 (en) * | 2005-09-23 | 2007-03-29 | Andrew Lehane | Real time monitoring of TCP flows |
| US20100014418A1 (en) * | 2008-07-17 | 2010-01-21 | Fujitsu Limited | Connection recovery device, method and computer-readable medium storing therein processing program |
| KR20100024723A (en) | 2008-08-26 | 2010-03-08 | 주식회사 케이티 | System and method for analyzing alternative internet traffic using routing based on policy |
| KR20100032655A (en) | 2008-09-18 | 2010-03-26 | 고려대학교 산학협력단 | Apparatus and method for managing application for traffic analysis |
| KR20100072975A (en) | 2008-12-22 | 2010-07-01 | 주식회사 케이티 | Apparatus and method for managing network traffic based on flow and session |
Non-Patent Citations (1)
| Title |
|---|
| International Search Report, mailed Mar. 28, 2012, for PCT/KR2011/008413, 5 pages. |
Also Published As
| Publication number | Publication date |
|---|---|
| US20130286872A1 (en) | 2013-10-31 |
| WO2012064056A1 (en) | 2012-05-18 |
| KR101136529B1 (en) | 2012-04-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9270550B2 (en) | Session-based traffic analysis system | |
| US20150074258A1 (en) | Scalable performance monitoring using dynamic flow sampling | |
| EP2556632B1 (en) | Real-time adaptive processing of network data packets for analysis | |
| US8051207B2 (en) | Inferring server state in s stateless communication protocol | |
| CN108429701B (en) | Network acceleration system | |
| US9571373B2 (en) | System and method for combining server side and network side transaction tracing and measurement data at the granularity level of individual transactions | |
| EP3164965B1 (en) | Estimating bandwidth in a network | |
| CN108076019B (en) | Abnormal traffic detection method and device based on traffic mirroring | |
| US20120300628A1 (en) | Method and apparatus to passively determine the state of a flow including determining flow state in the event of missing data on one or both sides of the flow | |
| CN109981550B (en) | A method and device for evaluating game service quality | |
| JP2003249960A (en) | Peer-to-peer method of probing and analyzing service quality and infrastructure using this method | |
| WO2009118602A2 (en) | Available bandwidth estimation in a packet-switched communication network | |
| CN105264859A (en) | Method and apparatus for generating insights into customer experience of web-based applications | |
| EP1681799B1 (en) | System and method for measuring end-to-end network delay and user-perspective delay | |
| CN107026766A (en) | A kind of assessment detection method and device of network quality | |
| KR20110057529A (en) | System for measuring response time of server using dummy request tag and method | |
| US8619594B2 (en) | System and method for comparing packet traces for failed and successful communications | |
| CN114285791B (en) | Data transmission method, device, computer equipment and storage medium | |
| CN111294382A (en) | Real-time data pushing method and device | |
| CN104468771B (en) | The determination method and device in geographical location | |
| CN110838950A (en) | Method and device for determining network performance jitter value | |
| CN118764292B (en) | Electric power vulnerability positioning method, device, equipment and medium based on vulnerability fingerprint | |
| US20040044759A1 (en) | Method and system for identifying lossy links in a computer network | |
| CN106534046B (en) | Mimic data transmission server and data transmission method | |
| CN108259576B (en) | A software and hardware real-time information transmission system and method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| AS | Assignment |
Owner name: PLUSTECH INC., KOREA, REPUBLIC OF Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CHOI, KYU-MIN;REEL/FRAME:030382/0167 Effective date: 20130430 |
|
| STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
| AS | Assignment |
Owner name: SOOSAN INT CO., LTD., KOREA, REPUBLIC OF Free format text: CHANGE OF NAME;ASSIGNOR:PLUSTECH INC.;REEL/FRAME:040396/0361 Effective date: 20160229 |
|
| MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY Year of fee payment: 4 |
|
| MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY Year of fee payment: 8 |