WO2016143066A1 - Information processing device and port mirroring position selection method - Google Patents

Abstract

[Problem] To enable a quick selection of a communication device capable of executing port mirroring without discarding mirrored traffic. [Solution] At the time of selecting a communication device for conducting port mirroring of a traffic flowing through a network constituted by a plurality of communication devices, communication devices through which traffics flowing through the network pass are determined; a traffic that is to be port-mirrored is determined; all communication devices through which the determined traffic passes are determined; combinations of the communication devices for conducting port mirroring among the determined communication devices are listed; and, from among the listed combinations of the communication devices, a combination such that, in the communication devices constituting the combinations, no congestion will occur at the mirror port of the communication devices for conducting port mirroring is selected.

Description

Information processing apparatus and port mirroring position selection method

The present invention relates to an information processing apparatus and a port mirroring position selection method, and is suitable for application to, for example, a communication system of a cloud provider that provides IaaS (Infrastructure As Service).

An increasing number of companies use a service called IaaS that provides a customer with an environment in which a set of computer resources such as a server device, a storage device, and a network necessary for building a business computer system can be used. An IaaS customer constructs an IT (Internet Technology) system such as a web application using the provided computer resources.

In recent years, as customer applications on IaaS have also been required to be reliable, there is an increasing expectation that cloud service providers that provide IaaS will provide application performance monitoring services.

However, when the application performance is monitored, it is difficult for the cloud provider providing IaaS to uniformly apply the monitoring software to various application execution platforms by customers. Therefore, as a technique for performing application performance monitoring service on IaaS, passive performance monitoring that analyzes response time based on application traffic is suitable.

In order to perform passive performance monitoring, it is necessary to collect the application traffic to be monitored in the analyzer. This can be done by port mirroring (hereinafter referred to simply as mirroring) using a communication device such as a switch or router that constitutes an IaaS physical network, or by connecting a tap to each link on the network to branch the traffic signal. It is realized by doing.

In this case, since the tap duplicates the packet unconditionally, in a cloud environment where a large number of communications flow, a load is imposed on the network and the analysis device for delivering the duplicated packet to the analysis device. Therefore, when collecting packets in a cloud environment, it is desirable to use mirroring that can collect packets only for the traffic of the application whose performance is to be monitored.

However, in order to mirror specific traffic (hereinafter referred to as target traffic) in an environment including a large number of communication devices, a communication device that performs mirroring settings (hereinafter referred to as a mirror position as appropriate) is used. It is necessary to select quickly.

As a method for solving the above problems, Patent Document 1 and Patent Document 2 disclose a technique for selecting a mirror position based on communication path information. For example, Patent Document 1 discloses selecting a mirror position based on physical topology information, and Patent Document 2 discloses selecting a mirror position based on BGP (Border Gateway Protocol) information in a communication device. Is disclosed.

JP 2010-245710 A JP 2008-92520 A

By the way, in the technique used when selecting the mirror position in the above-mentioned patent, the mirror position is selected without considering the bandwidth of the output interface of the packet duplicated by mirroring (hereinafter referred to as the mirror port). Yes.

Normally, there are 1 to 2 interfaces that can be set as the mirror port of the communication device. Therefore, in an environment where there are many applications that require performance monitoring unless the mirror position is selected in consideration of the mirror port bandwidth, There is a possibility that the mirror port is congested and the traffic to be collected is discarded.

The present invention has been made in view of the above points, and will propose an information processing apparatus and a port mirroring position selection method capable of quickly selecting a communication apparatus capable of performing port mirroring without discarding mirrored traffic. It is what.

In order to solve this problem, the present invention relates to each of the traffic passing through the communication device in an information processing device for selecting the communication device to be subjected to port mirroring of traffic flowing through a network composed of a plurality of communication devices. A network information analyzing unit for acquiring the predetermined traffic information from each of the communication devices, and identifying each of the communication devices through which each of the traffic flowing through the network passes by analyzing each of the acquired traffic information; Based on the analysis result of the network information analysis unit, the traffic to be subjected to the port mirroring is specified, all the communication devices through which the specified traffic passes are specified, and the port of each specified communication device is specified. Said mirroring A mirror position candidate enumeration unit for enumerating combinations of communication devices; and the port mirroring of the communication device in the communication device constituting the combination among the combinations of the communication devices enumerated by the mirror position candidate enumeration unit And a satisfactory combination selection unit for selecting a combination that does not cause congestion in the mirror port.

Further, in the present invention, in the port mirroring position selection method executed by the information processing apparatus that selects the communication apparatus that should perform port mirroring of traffic flowing through a network composed of a plurality of communication apparatuses, the information processing apparatus includes: The communication device through which each of the traffic flowing through the network passes by acquiring predetermined traffic information regarding each of the traffic passing through the communication device from each of the communication devices, and analyzing each of the acquired traffic information. A first step of identifying the information, and the information processing device identifies the traffic to be subject to the port mirroring based on the analysis result, identifies all the communication devices through which the identified traffic passes, Port on each identified communication device A second step of enumerating the combinations of the communication devices that perform the error ringing, and the information processing apparatus includes the port mirroring of the communication device in the communication device that constitutes the combination among the enumerated combinations of the communication devices. And a third step of selecting a combination that does not cause congestion in the mirror port.

According to the present invention, it is possible to realize an information processing apparatus and a port mirroring position selection method that can quickly select a mirror position (communication apparatus) that can execute port mirroring without discarding mirrored traffic.

It is a block diagram which shows the whole structure of the communication system by 1st Embodiment. It is a block diagram which shows the structural example of a data network. It is a block diagram which shows the hardware constitutions of a management apparatus. It is a block diagram which shows the logical structure of a management apparatus. It is a conceptual diagram which shows the structure of a network topology information table. (A) is a conceptual diagram which shows the structure of a communication management table, (B) is a conceptual diagram which shows the structure of a path | route management table. It is a conceptual diagram which shows the structure of a mirror position request | requirement management table. (A) is a conceptual diagram which shows the structure of a candidate management table, (B) is a conceptual diagram which shows the structure of a candidate position management table. FIG. 11 is a sequence diagram showing a flow of a series of processes from when a mirror position request is transmitted from an operation source to a management apparatus until a mirror position response corresponding to the mirror position request is transmitted from the management apparatus to the operation source. It is a flowchart which shows the process sequence of a network information analysis process. It is a conceptual diagram which shows the data format of an IPFIX message. It is a flowchart which shows the process sequence of a mirror position candidate enumeration process. It is a flowchart which shows the process sequence of a candidate search process. (A) to (E) are diagrams for explaining candidate search processing. It is a flowchart which shows the process sequence of a candidate registration process. It is a flowchart which shows the process sequence of a satisfaction combination selection process. It is a figure which shows schematic structure of a mirroring condition display screen. It is a block diagram which shows the whole structure of the communication system by 2nd Embodiment. It is a conceptual diagram which shows the structure of the mirror position request | requirement management table by 2nd Embodiment.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.

(1) First Embodiment (1-1) Configuration of Communication System According to the Present Embodiment In FIG. 1, 1 indicates a communication system according to the present embodiment as a whole. The communication system 1 is connected to a plurality of computers 3 and a plurality of communication devices 4 connected to a data network 2, an aggregation communication device 5 connected to these communication devices 4, and an aggregation communication device 5. Analysis device 6, management device 8 connected to each communication device 4 via control network 7, and operation source 9 connected to management device 8.

The electronic computer 3 is composed of, for example, a server device or a personal computer, and communicates with each other via the data network 2.

The communication device 4 includes, for example, a LAN (Local Area Network) switch, a router, and the like, and includes one or a plurality of interfaces (not shown) connected to the data network 2, an interface connected to the control network 7, and aggregation. And one or a plurality of mirror ports MP connected to the communication device 5. Note that the communication device 4 of the present embodiment includes only one mirror port MP.

The communication device 4 is equipped with a transfer function 10, a mirroring function 11, and a communication information notification function 12. The transfer function 10 analyzes the traffic received via an arbitrary interface of the communication device 4, and based on information such as a 5-tuple obtained by the analysis, an interface to output the traffic according to a predetermined rule. This function determines and outputs traffic from the determined interface.

Here, the 5-tuple refers to a “source IP address” that is an IP (Internet Protocol) address of a communication device (electronic computer 3) that is a transmission source of the traffic, and transmission of traffic from a plurality of programs operated by the communication device. "Sender port number" that specifies the source program, "Destination IP address" that is the IP address of the communication device (electronic computer 3) that is the destination of the traffic, and a plurality of programs that the communication device operates Indicates a “destination port number” that specifies a destination program of traffic and “IP protocol” that indicates the type of IP protocol used when sending / receiving the traffic. Such information can be acquired from the header portion of each packet constituting the traffic.

Also, the mirroring function 11 is a function that duplicates traffic designated using information such as a 5-tuple out of traffic passing through the communication device 4 and outputs it from the mirror port MP. Further, the communication information notification function 12 uses predetermined traffic information related to traffic passing through the communication device 4 (information such as accumulated traffic for each traffic and 5 tuples) as the notification information 13, and a predetermined device (the present embodiment). Is a function of transmitting to the management apparatus 8) via the control network 7.

The transfer function 10, mirroring function 11, and communication information notification function 12 of the communication device 4 are all based on existing technology. For example, the transfer function 10 includes a LAN switch switching function, and the mirroring function 11 includes LAN switch access control. As the port mirroring function and the communication information notification function 12, IPFIX (IP Flow Information Export) can be applied. In the following, it is assumed that IPFIX is applied as the communication information notification function 12, and the notification information 13 is an IPFIX message.

The aggregation communication device 5 is composed of, for example, a network packet broker, and includes a plurality of reception ports RP and one or a plurality of transmission ports TP. Each reception port RP is connected to a mirror port MP of a different communication device 4, and one or more transmission ports TP are connected to an arbitrary analysis device 6. Then, the aggregation communication device 5 transfers the traffic copied (mirrored) by each communication device 4 received via the reception port RP to the corresponding analysis device 6 via the transmission port TP.

The analysis device 6 is composed of a passive type performance monitoring device. The analysis device 6 analyzes the traffic transferred from the aggregation communication device 5 to monitor the response performance of the application that transmits and receives the traffic, for example.

The management device 8 is, for example, a server device used by a system administrator to manage the communication system 1, and in response to a mirror position request 17 to be described later given from the operation source 9, in the mirror position request 17. Equipped with a function to select the communication device 4 to be the mirror position when analyzing the specified traffic and return the selection result to the operation source 9 as a mirror position response 18 (hereinafter referred to as a mirror position selection function) Has been.

The operation source 9 is assumed to be, for example, a client terminal 15 operated by the user 14 or an operation management apparatus 16 installed by a cloud operator who operates the communication system 1. When the operation source 9 is the client terminal 15, the client terminal 15 uses the traffic to be analyzed by the analysis device 6 (hereinafter referred to as target traffic) and, if necessary, the mirror position of the target traffic. GUI (Graphical User Interface) for the user to specify is displayed. Then, the client terminal 15 transmits a request for selecting the mirror position of the target traffic designated by the user 14 to the management apparatus 8 as the above-described mirror position request 17 by using this GUI. In addition, when a mirror position response 18 to the mirror position request 17 is given from the management apparatus 8, the client terminal 15 determines the mirror position of the target traffic selected by the management apparatus 8 that is recognized based on the mirror position response 18. Display in format.

In the present embodiment, the mirror position request 17 includes one or more combinations of communication requirements and mirror position communication device IDs. The communication requirement is a requirement for target traffic, and is composed of information on five tuples of the target traffic (hereinafter referred to as five-tuple information). In this case, the communication requirement does not need to include all of the 5-tuple information, and only a part thereof may be used. In addition to the 5-tuple information, a VLAN (Virtual LAN) identifier may be included. The mirror position communication device ID is an identifier (communication device ID) of the communication device 4 to be the mirror position of the target traffic designated by the operation source 9 as described above. The mirror position communication device ID may be empty (that is, the communication device 4 to be the mirror position of the target traffic may not be specified).

The mirror position response 18 should be the mirror position selected by the management apparatus 8 in addition to the information (combination of one or more communication requirements and the mirror position communication apparatus ID) included in the corresponding mirror position request 17. The identifier (communication device ID) of the communication device 4 is included. Normally, in order to perform port mirroring, interface information for executing port mirroring is required in addition to mirror position (communication device) information. However, when port mirroring with access control is used, mirroring can be performed even if only the communication device 4 is specified. Can be implemented. Specifically, port mirroring is activated in advance for all ports of the communication device 4, and any traffic is denied (deny) by access control. After the mirror position is specified, the communication that becomes the mirror position is performed. By permitting the mirroring of the traffic to be mirrored by the access control of the device 4, the interface information becomes unnecessary when performing the port mirroring.

The mirror position request 17 and the mirror position response 18 are described in XML (eXtensible Markup Language), for example, and are transmitted and received between the operation source 9 and the management device 8 by HTTP (Hyper Text Transfer Protocol).

FIG. 2 shows a configuration example of the data network 2. In FIG. 2, the configuration of the data network 2 and the traffic flowing through the data network 2 are simplified. However, in an actual environment, the data network is configured by a large number of communication devices, and a large number of traffics are generated on the data network. Flowing.

2, the data network 2 is composed of a plurality of communication devices 4A to 4D having the same functions and configurations as the communication device 4 described above with reference to FIG. 1, and a plurality of electronic computers 3S to 3W are connected to the data network 2. ing. Note that the communication devices 4A to 4D and the electronic computers 3S to 3W do not need to be devices having physical entities, but may be virtual switches or virtual machines implemented by software.

The communication devices 4A to 4D and the electronic computers 3S to 3W are connected to each other using a LAN cable. Specifically, the electronic computer 3S is connected to the communication device 4A, and the communication device 4A is connected to the communication device 4C and the communication device 4D, respectively. The electronic computer 3T is connected to a communication device 4B, and this communication device 4B is connected to the communication device 4C and the communication device 4D, respectively. Further, the communication device 4C is connected to the electronic computer 3U, and the communication device 4D is connected to the electronic computer 3V and the electronic computer 3W.

In FIG. 2, the traffic 19K flows from the electronic computer 3S to the electronic computer 3U via the communication device 4A and the communication device 4C, and the traffic 19M flows from the electronic computer 3T via the communication device 4B and the communication device 4D. In this example, traffic 19L flows from the computer 3V via the communication device 4D, the communication device 4B, and the communication device 4C.

In FIGS. 5 to 8 used in the following description, in the data network 2 having such a configuration, it is desired to mirror the traffic to the electronic computer 3U (the transmission source is not specified) and the traffic from the electronic computer 3T to the electronic computer 3W. An example in which the position request 17 is given from the operation source 9 to the management device 8 is shown. However, in FIG. 5 to FIG. 8, if all the information is written and the number of rows in the table increases, only a few representative rows are listed in the table. 5 to 8, for simplification of description, the traffic of each traffic is always 800 Mbps, and the bandwidth of the mirror port MP (FIG. 1) of the communication device 4 (hereinafter including 4A to 4D). Is set to 1024 [Mbps]. Under such a situation, when a plurality of traffics are mirrored by the same communication device 4, congestion occurs at the mirror port MP, so that the mirror position needs to be distributed to the plurality of communication devices 4.

FIG. 3 shows a simplified hardware configuration of the management device 8. As is apparent from FIG. 3, the management device 8 includes a processor 21, a main storage device 22, an external storage device 23, a communication control device 24, and an input / output device 26 connected to each other via an internal bus 20. Configured.

The processor 21 is hardware having a function for controlling operation of the entire management apparatus 8. The main storage device 22 is composed of, for example, a semiconductor memory and is used to temporarily hold various programs and control data. In the main storage device 22, in addition to a notification information stack 30 for temporarily storing notification information transmitted from each communication device 4, a management program 31, a network topology information table 32, and a communication analysis information table group to be described later 33, the mirror position request management table 34 and the mirror position candidate management table group 35 are also stored and held in the main storage device 22.

The external storage device 23 is a storage device having a large storage capacity, and is composed of, for example, a hard disk device or an SSD (Solid State Drive). The external storage device 23 is used for holding various programs and data for a long period of time. The communication control device 24 is hardware having a function of controlling communication with each communication device 4, and is connected to the control network 7 via the interface 27. The input / output device 26 includes an input device such as a keyboard and a mouse for a user to perform various operation inputs, and an output device such as a liquid crystal display for displaying various information.

FIG. 4 shows a simple logical configuration of the management device 8. As shown in FIG. 4, the management device 8 includes a network information analysis unit 40, a mirror position selection unit 41, a mirror position candidate listing unit 42, and a satisfaction combination selection unit 43. The network information analysis unit 40, the mirror position selection unit 41, the mirror position candidate listing unit 42, and the satisfaction combination selection unit 43 are stored in the main storage device 22 (FIG. 3) by the processor 21 (FIG. 3) of the management device 8. This is a function embodied by executing the management program 31 (FIG. 3).

The network information analysis unit 40 analyzes the above notification information 13 transmitted from each communication device 4 constituting the data network 2 via the control network 7, and includes 5-tuple information on each traffic flowing through the data network 2, The communication device 4 through which each of the traffic passes and information such as the traffic of the traffic in the communication device 4 are acquired, and processing for storing the acquired information in the communication analysis information table group 33 is executed.

Further, the mirror position selection unit 41 executes a process of receiving the mirror position request 17 transmitted from the operation source 9 and newly registering it in the mirror position request management table 34. However, the mirror position selection unit 41 is the case where the mirror position request 17 is given from the operation source 9 and the 5-tuple information of the target traffic specified in the mirror position request 17 in the mirror position request management table 34. If all the same records already exist, no records are added. In addition, when the mirror position selection result is given from the sufficiency combination selection unit 43 as described later, the mirror position selection unit 41 notifies the operation source 9 as a mirror position response 18.

The mirror position candidate enumeration unit 42 sequentially reads the mirror position request 17 registered in the mirror position request management table 34, and the network topology information table 32 and communication analysis described later for the target traffic specified in the read mirror position request 17. The information table group 33 is used to list one communication device 4 or a combination of a plurality of communication devices 4 that can be mirrored without omission or duplication as mirror position candidates (hereinafter referred to as mirror position candidates), and Is stored in the mirror position candidate management table group 35.

The sufficiency combination selecting unit 43 selects all the communication devices 4 constituting the mirror position candidate from the mirror position candidates of the target traffic enumerated by the mirror position candidate listing unit 42 and stored in the mirror position candidate management table group 35. 1, one mirror position candidate whose communication amount of the mirror port MP (FIG. 1) is equal to or less than a mirror port threshold value described later is selected, and this is notified to the mirror position selection unit 41 as a mirror position selection result.

On the other hand, as shown in FIG. 3, a network topology information table 32, a communication analysis information table group 33, a mirror position request management table 34, and a mirror position candidate management table group 35 are stored in the main storage device 22 of the management apparatus 8. ing.

The network topology information table 32 is a table used to hold device information of each communication device 4 configuring the data network 2, and as shown in FIG. 5, a communication device ID column 32A, an IP address column 32B, A mirror port bandwidth column 32C and a mirror port threshold column 32D are provided. In the network topology information table 32, one row (record) corresponds to one communication device 4.

In the communication device ID column 32A, identifiers (communication device IDs) assigned to the respective communication devices 4 constituting the data network 2 are stored, and in the IP address column 32B, the corresponding communication device 4 receives the above notification. An IP address used as a transmission source IP address when the information 13 (FIG. 1) is transmitted to the management device 8 is stored.

The mirror port bandwidth column 32C stores the maximum bandwidth of the mirror port MP (FIG. 1) of the corresponding communication device 4, and the mirror port threshold value column 32D stores the mirror port of the notification device by a system administrator or the like. A preset threshold value of communication traffic (hereinafter referred to as a mirror port threshold value) is stored.

These pieces of information in the network topology information table 32 are set in advance by the system administrator or the like using the input / output device 26 (FIG. 3). However, such information may be set by a system administrator or the like via the control network 7.

The communication analysis information table group 33 is a table group for managing information obtained based on the notification information 13 transmitted from each communication device 4 constituting the data network 2, and as shown in FIG. It consists of a communication management table 33A and a route management table 33B.

The communication management table 33A is a table used for managing traffic flowing on the data network 2, and as shown in FIG. 6A, a communication ID column 33AA, a transmission source IP address column 33AB, a transmission source port. A number field 33AC, a destination IP address field 33AD, a destination port number field 33AE, and an IP protocol field 33AF are provided. In the communication management table 33A, one row corresponds to one traffic flowing through the data network 2.

The communication ID column 33AA stores an identifier (communication ID) unique to the traffic assigned to the corresponding traffic, and includes a source IP address column 33AB, a source port number column 33AC, and a destination IP address column 33AD. In the destination port number column 33AE and the IP protocol column 33AF, corresponding information (source IP address, source port number, destination IP address, destination port number and IP protocol) of the 5-tuple information of the traffic is stored. Each is stored. These pieces of information stored in the communication management table 33 </ b> A are information included in the notification information 13.

The route management table 33B is a table used for managing various types of information regarding the route of each traffic flowing on the data network 2, and as shown in FIG. 6B, the communication ID column 33BA, the communication device ID. A column 33BB, a traffic column 33BC, a cumulative traffic column 33BD, a reception interface column 33BE, a transmission interface column 33BF, and an acquisition time column 33BG are configured. Also in the route management table 33B, one row corresponds to one traffic flowing through the data network 2.

The communication ID column 33BA stores the communication ID of the corresponding traffic, and the communication device ID column 33BB stores the communication device ID of one of the communication devices 4 through which the corresponding traffic passes. The The traffic volume column 33BC stores the data volume (communication volume) per second flowing through the communication device 4 to which the corresponding traffic corresponds, and the accumulated traffic volume column 33BD stores the corresponding traffic in the corresponding communication device 4. Is stored (hereinafter referred to as the accumulated communication amount).

Further, the reception interface column 33BE stores the identifier of the interface that has received the corresponding traffic by the corresponding communication device 4, and the transmission interface column 33BF has transmitted the corresponding traffic by the corresponding communication device 4 to another device. Stores the identifier of the interface. Further, in the acquisition time column 33BG, the time when the management device 8 received the corresponding notification information 13 (more precisely, the time when the corresponding communication device 4 generated the notification information 13 is referred to as the acquisition time. Stored) is stored.

Among these pieces of information stored in the path management table 33B, the information stored in the communication device ID column 33BB, the accumulated communication amount column 33BD, the reception interface column 33BE, the transmission interface column 33BF, and the acquisition time column 33BG is the corresponding notification. Information acquired from the information 13 and stored in the traffic column 33BC (that is, traffic) is stored in the acquisition time column 33BG and information stored in the cumulative traffic column 33BD (that is, cumulative traffic). It is calculated based on the information (that is, the acquisition time).

On the other hand, the mirror position request management table 34 is a table used for holding the mirror position request 17 given from the operation source 9 to the management apparatus 8, and as shown in FIG. A requirement column 34B and a mirror position communication device ID column 34C are provided. In the mirror position request management table 34, one row corresponds to one mirror position request 17.

In the request ID column 34A, an identifier (request ID) unique to the mirror position request 17 assigned to the mirror position request 17 when the management apparatus 8 receives the corresponding mirror position request 17 is stored. .

The communication requirement column 34B includes a source IP address column 34BA, a source IP port number column 34BB, a destination IP address column 34BC, a destination port number column 34BD, and an IP protocol column 34BE. These source IP address column 34BA, In the source IP port number column 34BB, the destination IP address column 34BC, the destination port number column 34BD, and the IP protocol column 34BE, corresponding information (source IP address, Source port number, destination IP address, destination port number or IP protocol) are stored.

Further, in the mirror position communication device ID column 34C, the communication device ID of the communication device 4 to be set as the mirror position for the corresponding target traffic specified in the corresponding mirror position request 17 is stored.

On the other hand, the mirror position candidate management table group 35 is a table group for holding the mirror position candidates listed by the mirror position candidate listing unit 42 (FIG. 4). As shown in FIG. The candidate position management table 35B is used.

The candidate management table 35A is a table used for managing the correspondence between the mirror position request 17 and a candidate ID described later, and as shown in FIG. 8A, the request ID column 35AA and the candidate ID column 35AB. It is configured with. The request ID column 35AA stores a request ID unique to the mirror position request 17 assigned to the mirror position request 17 received by the management apparatus 8, and the candidate ID column 35AB stores a candidate ID described later. Is done. In the candidate management table 35A, one row corresponds to one candidate ID.

The candidate position management table 35B is a table used for managing the mirror position candidates listed by the mirror position candidate listing unit 42. As shown in FIG. 8B, the candidate position management table 35B includes a candidate ID column 35BA, a communication device, and the like. An ID column 35BB and a traffic volume column 35BC are provided.

In the candidate ID column 35BA, identifiers (candidate IDs) assigned to the respective mirror position candidates enumerated by the mirror position candidate enumeration unit 42 with respect to one mirror position request 17 are stored. In addition, when there are a plurality of mirror position candidates listed by the mirror position candidate listing unit 42 for one mirror position request 17, different candidate IDs are assigned to these mirror position candidates.

Further, the communication device ID column 35BB stores the communication device ID of one communication device 4 constituting the mirror position candidate. Accordingly, when the mirror position candidate is configured by a combination of a plurality of communication devices 4, these communication devices 4 are registered in different rows of the candidate position management table 35B.

Further, in the traffic volume column 35BC, when the corresponding communication device 4 is set as the mirror position of the target traffic, the traffic volume of the target traffic flowing through the mirror port MP (FIG. 1) of the communication device 4 (the mirror port MP) Is stored).

(1-2) Various Processes Related to the Mirror Position Selection Function (1-2-1) Flow of Processes Related to the Mirror Position Selection Function FIG. 9 shows the state after the mirror position request 17 is transmitted from the operation source 9 to the management device 8 The flow of a series of processes until the mirror position response 18 corresponding to the mirror position request 17 is transmitted from the management apparatus 8 to the operation source 9 is shown.

When the mirror position request 17 designating the 5-tuple of the target traffic and the communication device 4 to be the mirror position as necessary is transmitted from the operation source 9 to the management device 8 (SP1), first, the management device 8 The mirror position selection unit 41 extracts the 5-tuple information of the target traffic included in the mirror position request 17 and the communication device ID of the communication device 4 to be the mirror position from the mirror position request 17, and obtains these pieces of information. It is registered in the mirror position request management table 34 (SP2).

Further, the mirror position selection unit 41 thereafter issues a request to enumerate mirror position candidates corresponding to the mirror position request 17 at a predetermined timing (hereinafter referred to as a mirror position candidate enumeration request). The position candidate enumeration unit 42 is given (SP3).

When the mirror position candidate enumeration unit 42 receives the above-described mirror position candidate enumeration request from the mirror position selection unit 41, the mirror position candidate enumeration unit 42 performs communication analysis information table group 33 for each mirror position request 17 registered in the mirror position request management table 34. Referring to the communication management table 33A (FIG. 6A) and the path management table 33B (FIG. 6B), all the mirror position candidates corresponding to the mirror position request 17 are listed (SP4).

Further, the mirror position candidate enumeration unit 42 obtains necessary information regarding the enumerated mirror position candidates from the candidate management table 35A (FIG. 8A) and the candidate position management table 35B (FIG. 8) of the mirror position candidate management table group 35. (B)) is registered (SP5). The mirror position candidate enumeration unit 42 then requests that one mirror position candidate should be selected as a mirror position from these mirror position candidates at a predetermined timing (hereinafter, this is referred to as a satisfaction combination selection request). To the satisfaction combination selection unit 43 (SP6).

When the above-mentioned satisfaction combination selection request is given from the mirror position candidate listing section 42, the satisfaction combination selection section 43 configures the mirror position candidates from the mirror position candidates registered in the mirror position candidate management table group 35. For all the communication devices 4 that perform this, one mirror position candidate is selected at which the traffic of the mirror port MP (FIG. 1) is equal to or less than the mirror port threshold (SP7). The sufficiency combination selection unit 43 selects one such mirror position candidate for each mirror position request 17. Then, the satisfaction combination selection unit 43 notifies the mirror position selection unit 41 of the mirror position selection result for each mirror position request 17 obtained in this way (SP8).

The mirror position selection unit 41 is notified from the satisfaction combination selection unit 43 of a mirror position selection result (a set of request ID 34A (FIG. 7) and a plurality of communication device IDs 32A (FIG. 5)) for each mirror position request 17 described above. Then, the communication requirement 34B corresponding to the request ID 34 included in the mirror position selection result is obtained by referring to the mirror position request management table 34, and the communication device ID 32A corresponding to the obtained communication requirement 34B and the mirror position selection result is obtained. Is created (SP9), and the created mirror position response 18 is transmitted to the operation source 9 (SP10).

(1-2-2) Specific Processing Contents Related to Mirror Position Selection Function (1-2-2-1) Network Information Analysis Processing FIG. 10 shows notification information transmitted from each communication device 4 constituting the data network 2 13 shows the specific processing contents of processing (hereinafter referred to as network information analysis processing) executed by the network information analysis unit 40 (FIG. 4) that has received 13 (FIG. 1). When receiving the notification information 13, the network information analysis unit 40 analyzes the notification information 13 in accordance with the processing procedure shown in FIG. 10 and stores necessary information in the communication analysis information table group 33.

In the following description, it is assumed that IPFIX is applied as the communication information notification function 12 (FIG. 1) of the communication device 4 as described above, and the description will be made on the assumption that the notification information 13 is an IPFIX message. Incidentally, the IPFIX message is a message having the data structure shown in FIG. That is, the IPFIX message 50 includes an IP header 50A, a UDP header 50B, an IPFIX header 50C, and a payload portion 50D. The payload portion 50D is associated with each traffic passing through the communication device that is the source of the IPFIX message 50. The 5-tuple information (source IP address, destination IP address, source port number, destination port number and IP protocol) of the traffic and the identifier (“input physical IF” and the physical interface for inputting / outputting the traffic) A data set 51 including information such as “output physical IF”) and cumulative communication amount (“cumulative communication amount”) is stored.

When the network information analysis unit 40 receives the notification information 13 as described above transmitted from any one of the communication devices 4 constituting the data network 2, the network information analysis unit 40 starts the network information analysis process shown in FIG. The source IP address included in the IP header 50A (FIG. 11) of the notification information 13 is compared with the IP address 32B of the network topology information table 32 (FIG. 5), and the communication device 4 that is the source of the notification information The communication device ID is acquired (SP20). Further, the network information analysis unit 40 acquires the Unix time (“Unix (registered trademark) Secs”) stored in the IPFIX header 50C (FIG. 11) of the notification information 13 as the acquisition time of the notification information 13 (SP21). .

Subsequently, the network information analysis unit 40 extracts one data set 51 (FIG. 11) from the payload portion 50D (FIG. 11) of the notification information 13 (SP22), and the 5-tuple information included in the acquired data set 51. It is determined whether or not a record having the same 5-tuple information exists in the communication management table 33A (FIG. 6A) of the communication analysis information table group 33 (SP23).

Obtaining a negative result in this determination means that the traffic corresponding to the data set 51 extracted in step SP22 is not yet registered in the communication analysis information table group 33. Thus, at this time, the network information analysis unit 40 assigns a unique communication ID to the traffic corresponding to the data set 51 extracted in step SP22, and includes the communication ID and 5 included in the data set 51. The tuple information is newly registered in the communication management table 33A (SP24).

Specifically, the network information analysis unit 40 stores the communication ID assigned to the traffic in the communication ID column 33AA of the new row in the communication management table 33A, and the source IP address column 33AB, source port of the row. In the number field 33AC, the destination IP address field 33AD, the destination port number field 33AE, and the IP protocol field 33AF, corresponding information of the 5-tuple information included in the data set 51 extracted in step SP22 is stored.

Further, the network information analysis unit 40 thereafter registers the traffic route corresponding to the data set 51 extracted in step SP22 in the route management table 33B (FIG. 6B) (SP25).

Specifically, the network information analysis unit 40 stores the communication ID assigned to the traffic at step SP24 in the communication ID column 33BA of the new line in the route management table 33B, and steps into the communication device ID column 33BB of the row. Stores the communication device ID acquired in SP20.

Further, the network information analyzing unit 40 adds corresponding information of the identifier of the reception physical interface and the identifier of the transmission physical interface included in the data set 51 extracted in step SP22 to the reception interface column 33BE and the transmission interface column 33BF of the row. And the acquisition time of the communication information acquired in step SP21 is stored in the acquisition time column 33BG of the row. Furthermore, the network information analysis unit 40 stores the accumulated communication amount included in the data set 51 extracted in step SP22 in the communication amount column 33BC and the accumulated communication amount column 33BD of the row.

Then, when the network information analyzing unit 40 ends the process of step SP25, the process proceeds to step SP29.

On the other hand, obtaining a negative result in the determination at step SP23 means that the traffic corresponding to the data set 51 extracted at step SP22 has already been registered in the communication analysis information table group 33. Thus, at this time, the network information analysis unit 40 acquires the communication ID of the traffic already registered in the communication analysis information table group 33 from the communication management table 33A (FIG. 6A) (SP26).

Further, the network information analysis unit 40 matches the communication ID stored in the communication ID column 33BA in the record of the route management table 33B (FIG. 6B) with the communication ID acquired in step SP26 and the communication device ID. It is determined whether there is a record in which the communication device ID stored in the column 33BB matches the communication device ID acquired in step SP20 (SP27).

Obtaining a negative result in this determination means that the traffic communication path already registered in the communication analysis information table group 33 has been changed. Thus, at this time, the network information analyzing unit 40 proceeds to step SP27, registers the new route of the traffic in the route management table as described above, and then proceeds to step SP29.

On the other hand, obtaining a positive result in the determination at step SP27 means that the traffic has already been registered in the communication analysis information table group 33 and there is no change in the route. Thus, at this time, the network information analysis unit 40 updates the traffic volume stored in the traffic volume column 33BC of the line corresponding to the traffic in the route management table 33B (SP28).

Specifically, the network information analysis unit 40 uses CCV1 as the cumulative communication amount included in the data set 51 extracted at step SP22, T1 as the generation time of the notification information 13 acquired at step SP21, and the corresponding record detected at step SP26. CCV2 is the cumulative communication amount stored in the cumulative communication amount column 33BD, and T2 is the time stored in the acquisition time column 33BG of the record, and the communication amount of the corresponding record detected in step SP26 in the route management table 33B. The traffic stored in the column 33BC is expressed as

Is updated to the communication amount CV calculated by.

Next, the network information analysis unit 40 determines whether or not the processing of step SP23 to step SP28 has been executed for all the data sets 51 stored in the payload portion 50D (FIG. 11) of the notification information 13 received at that time. (SP29). If the network information analysis unit 40 obtains a negative result in this determination, it returns to step SP22, and thereafter, the data set 51 selected in step SP22 is sequentially switched to another unprocessed data set 51 while step SP22 to step SP22. The processing of SP29 is repeated.

Then, the network information analysis unit 40 eventually obtains a positive result at step SP29 by completing the processing of step SP23 to step SP28 for all the data sets 51 stored in the payload portion 50D of the notification information 13 received at that time. And this network information analysis processing is complete | finished.

(1-2-2-2) Mirror position candidate enumeration process FIG. 12 is executed by the mirror position candidate enumeration unit 42 (FIG. 4) to which the mirror position candidate enumeration request is given from the mirror position selection unit 41 (FIG. 4). The specific processing content of the processing (the processing of step SP4 in FIG. 9 and hereinafter referred to as mirror position candidate enumeration processing) is shown. When receiving the mirror position candidate enumeration request 42, the mirror position candidate enumeration unit 42, for each mirror position request 17 registered in the mirror position request management table 34 (FIG. 7), in accordance with the processing procedure shown in FIG. All the position candidates are detected (enumerated), and each mirror position candidate for each detected mirror position request 17 is registered in the mirror position candidate management table group 35 (FIG. 4).

In practice, when receiving the mirror position candidate enumeration request 42, the mirror position candidate enumeration unit 42 starts the mirror position candidate enumeration process shown in FIG. One record (mirror position request 17) is selected, and its contents are stored as record R (SP30).

Subsequently, the mirror position candidate listing unit 42 obtains a traffic set T that satisfies the communication requirements of the record R (SP31). Specifically, the mirror position candidate listing unit 42 sets the communication requirement of the record R selected in step SP30 among the records of the communication management table 33A (FIG. 6B) of the communication analysis information table group 33 (FIG. 6). Each communication ID stored in the communication ID column 33AA (FIG. 6A) of each record to be satisfied is acquired, and these acquired communication IDs are stored as a set T.

For example, if the record R is a record corresponding to the mirror position request 17 “req2” in FIG. 7 (record on the second line from the top in FIG. 7), this is indicated in the communication management table 33A (FIG. 6A). Since the record satisfying the communication requirement of the record R is a record corresponding to the traffic of the communication ID “trM” (record on the third line from the top in FIG. 6A), the mirror position candidate enumeration unit 42 The communication ID “trM” is stored as a set T.

Further, the record R corresponds to the mirror position request 17 “req1” in FIG. 7 (this is a mirror position request for requesting the mirror position for all traffic input to the computer 3 whose IP address is “10.2.0.50”). If the record is a record, the record satisfying the communication requirement of the record R in the communication management table 33A is a record corresponding to the traffic with the communication ID “trK” (record on the first line from the top in FIG. 6A). , “TrL” is a record corresponding to the traffic of the communication ID “trL” (record on the second line from the top in FIG. 6A), the mirror position candidate enumeration unit 42 “trK” which is the communication ID of these traffics. And “trL” is stored as a set T.

Next, the mirror position candidate listing unit 42 selects a set P of records corresponding to each traffic obtained in step SP31 from the records in the route management table 33B (FIG. 6B) of the communication analysis information table group 33. Obtain (SP32). Specifically, the mirror position candidate enumeration unit 42 selects any one of the records in the path management table 33B whose communication ID stored in the communication ID column 33BA (FIG. 6B) belongs to the set T obtained in step SP31. A record matching the communication ID is detected, and a set of the records is set as a set P.

Thereafter, the mirror position candidate listing unit 42 determines whether or not the number of elements of the set P obtained in step SP32 is greater than 0 (SP33).

Obtaining a negative result in this determination means that there is no traffic that satisfies the communication request of the mirror position request 17 corresponding to the record R selected in step SP30 or there is no route of the traffic (for example, the record R is the first line in FIG. 7). In other words, the traffic having “10.2.0.50” as the destination IP address or the route of the traffic does not exist). Thus, at this time, the mirror position candidate listing unit 42 transmits an error notification to the mirror position selection unit 41 (SP38), and then proceeds to step SP44. Thus, at this time, the mirror position selection unit 41 receives the error notification from the mirror position candidate listing unit 42 and transmits the mirror position response 18 corresponding thereto to the operation source 9.

On the other hand, obtaining a positive result in the determination in step SP33 means that there is traffic or a route of the traffic that satisfies the communication request of the mirror position request 17 corresponding to the record R selected in step SP30. Thus, at this time, the mirror position candidate listing unit 42 determines whether the communication device ID of any communication device is stored in the mirror position communication device ID column 34C (FIG. 7) of the record R selected in step SP40 (step S40). It is determined whether or not the communication device 4 to be the mirror position is specified in the mirror position request 17 corresponding to the record R selected in SP30 (SP34).

If a positive result is obtained in this determination, the mirror position candidate listing unit 42 is stored in the mirror position communication device ID column 34C of the record R selected in step SP30 from the records belonging to the set P in the route management table 33B. All the records whose communication device IDs are stored in the communication device ID column 33BB (FIG. 6B) are extracted, and the extracted record group is stored as a set F (SP35).

Also, the mirror position candidate listing unit 42 determines whether or not the number of elements of the set F obtained in step SP35 is greater than 0 (SP36).

To obtain a negative result in this determination is that the target traffic specified in the mirror position request 17 corresponding to the record R selected in step SP30 passes through the communication device 4 specified as the mirror position in the mirror position request 17. Means no. Thus, at this time, the mirror position candidate listing unit 42 transmits an error notification to the mirror position selection unit 41 (SP38), and then proceeds to step SP44.

On the other hand, obtaining a positive result in the determination at step SP36 means that the traffic specified in the mirror position request 17 corresponding to the record R selected in step SP30 is the communication specified as the mirror position in the mirror position request 17. This means that the device 4 is being routed. Thus, at this time, the mirror position candidate listing unit 42 selects the communication device 4 specified in the mirror position request 17 as a mirror position candidate corresponding to the mirror position request 17 corresponding to the record R selected in step SP30. In order to register in the management table group 35 (FIG. 8), the candidate registration process mentioned later is performed (SP37). Further, after completing the candidate registration process, the mirror position candidate listing unit 42 proceeds to step SP44.

On the other hand, when the mirror position candidate listing unit 42 obtains a negative result in the determination at step SP34, the mirror position candidate listing unit 42 uses the record set P of the route management table 33B (FIG. 6B) obtained at step SP32 as the record set for each traffic. Classify into P1 to Pn (SP39). Specifically, the mirror position candidate enumeration unit 42 uses the records P having the same communication ID stored in the communication ID column 33BA (FIG. 6B) as the set P of the records in the route management table 33B obtained in step SP32. Into sets P1 to Pn.

Subsequently, the mirror position candidate enumeration unit 42 stores each set Pi (i = 1, 2,..., N) in the communication device ID column 33BB (FIG. 6B) of the records belonging to the set Pi. Each set of communication device IDs Si (i = 1, 2,..., N) is obtained (SP40). As a result, for each traffic satisfying the communication requirements of the mirror position request 17 corresponding to the record R selected in step SP30, the communication device IDs of all the communication devices 4 through which the traffic passes are obtained as a set Si. .

Next, the mirror position candidate listing unit 42 executes a candidate search process to be described later in order to search for a mirror position candidate corresponding to the mirror position request 17 corresponding to the record R selected in step SP30 (SP41). By this candidate search process, combinations of communication device IDs of communication devices 4 that can be mirror positions are obtained as candidates Ui (i = 1, 2,..., M), respectively. That is, in order to perform a desired analysis, not only the mirroring only needs to be performed in one communication device 4 but also the mirroring may be required in a plurality of communication devices 4. Therefore, the candidate Ui may include not only the communication device ID of one communication device 4 as an element but also the communication device IDs of a plurality of communication devices 4 as an element.

Thereafter, the mirror position candidate enumeration unit 42 performs the same communication as the element of the candidate Ui from the records of the route management table 33B (FIG. 6B) for each candidate Ui obtained by the above-described candidate search process. All records whose device IDs are stored in the communication device ID column 33BB (FIG. 6B) are extracted, and the sets of extracted records are stored as sets Vi (i = 1, 2,..., M), respectively. (SP42).

Further, the mirror position candidate listing unit 42 stores necessary information of all candidates Ui obtained by the candidate search process in step SP41 (more precisely, all sets Vi converted in step SP42) in the mirror position candidate management table group 35. A candidate registration process for registration is executed (SP43).

Then, the mirror position candidate listing unit 42 performs the processing of steps SP31 to SP43 for all the records in the mirror position request management table 34 (FIG. 7) (for all mirror position requests 17 registered in the mirror position request management table 34). It is determined whether or not the execution of the process has been completed (SP44).

When the mirror position candidate listing unit 42 obtains a negative result in this determination, it returns to step SP30, and then sequentially switches the record R selected in step SP30 to another record that has not been processed, and then performs the processing in steps SP30 to SP44. repeat.

Then, the mirror position candidate enumeration unit 42 executes the processing of steps SP31 to SP43 for all the records in the mirror position request management table 34 (for all the mirror position requests 17 registered in the mirror position request management table 34). If a positive result is obtained in step SP44 by finishing, this mirror position candidate enumeration process is terminated.

The specific contents of the candidate search process executed by the mirror position candidate enumeration unit 42 in step SP41 of the mirror position candidate enumeration process described above are shown in FIG.

When the mirror position candidate enumeration unit 42 proceeds to step SP41 of the mirror position candidate enumeration process, the mirror position candidate enumeration unit 42 starts the candidate search process shown in FIG. 13, and first selects one communication device ID included in each of the sets S1 to Sn. A set C1 including each of them is created (SP50).

For example, as set Si, as shown in FIG. 14A, set S1 having three communication device IDs A, B, and C as elements and three communication device IDs A, D, and C as elements. When there is a set S2, a set S3 having three communication device IDs C, F, and G as elements, and a set S4 having three communication device IDs B, E, and F as elements, mirror position candidate enumeration In step SP50, as shown in FIG. 14B, the unit 42 collects all kinds of elements of the sets S1 to S4 so as not to overlap, which is 7 A, B, C, D, E, F, G. A set C1 having one communication device ID as an element is created.

Subsequently, the mirror position candidate listing unit 42 creates a power set of the set C1 created in step SP50, and removes the remaining elements (excluding the empty set and two sets having the same value as C1 from the power set. That is, zero or more sets including the heel set) are set as sets C2 to Cp, respectively (SP51). As a result of this processing, as shown in FIG. 14C, sets C2 to Cp, which are two smaller than the number of elements in the set of sets C1, are created.

Next, the mirror position candidate enumeration unit 42 extracts from the sets C1 to Cp a set in which the number of elements in the common part with each set of the sets S1 to Sn is all 1, and sets these as candidates U1 to Uq. (SP52). For example, as shown in FIG. 14 (D), a set C9 having two communication device IDs A and B as elements has two common part elements in the set S1, and therefore may be a candidate Ui. However, the set C13 having two communication device IDs A and F as elements is extracted as a candidate because there is one common element in all of the sets S1 to S4. The purpose of the SP 42 is to calculate a combination of mirror positions for mirroring a plurality of traffics that are simultaneously mirrored to satisfy the mirror position request 17 without collection omission or duplication. Here, since each of the sets S1 to Sn represents a communication path as a communication device ID of the communication device 4 for each set of traffic, in order to mirror Si without collection omission or duplication, an element of the set Si is used. Of the one or more communication device IDs, exactly one communication device ID may be selected as the mirror position (when 0, traffic is not collected, and when there are 2 or more, one traffic is duplicated) And mirror it). For this reason, for all sets S1 to Sn, a set of communication device IDs that select exactly one communication device ID from each set as a mirror position is a set of communication devices ID for which all sets S1 to Sn represent communication paths. Represents a combination of mirror positions where collection omissions and duplication do not occur even when mirroring at the same time. In SP42, the number of elements in the common part is used to determine whether the set Ck has just selected one communication device ID among the elements of the set Si.

Then, the mirror position candidate listing unit 42 ends this candidate search process, and uses the candidates U1 to Uq as shown in FIG. 14E obtained in step SP52 of this candidate search process, as shown in FIG. Step SP41 of the mirror position candidate enumeration process described above is executed.

On the other hand, FIG. 15 shows specific contents of the candidate registration process executed by the mirror position candidate enumeration unit 42 in step SP37 or step SP43 of the mirror position candidate enumeration process (FIG. 12).

When the mirror position candidate enumeration unit 42 proceeds to step SP37 or step SP43 of the mirror position candidate enumeration process, the mirror position candidate enumeration unit 42 starts this candidate registration process. First, the unique candidate to be given to the mirror position candidate to be registered at that time An ID is generated, and the generated candidate ID is assigned to the request ID column 34A (in the record (record R) of the mirror position request management table 34 (FIG. 7) selected in step SP30 of the mirror position candidate enumeration process (FIG. 12) ( It is registered in the candidate management table 35A (FIG. 8A) of the mirror position candidate management table group 35 (FIG. 8) in association with the request ID stored in FIG. 7 (SP60).

Subsequently, the mirror position candidate listing unit 42, in the case of step SP37 of the mirror position candidate listing process, in the corresponding record in the route management table 33B (FIG. 6B) of the communication analysis information table group 33 (FIG. 6). Records belonging to the record set F, records belonging to the record set V1 to Vm in the case of step SP43), and those having the same communication device ID stored in the communication device ID column 33BB (FIG. 6B) The records are grouped together, and the record groups having the same communication device ID obtained by the classification are set as sets X1 to Xp, respectively (SP61).

Next, the mirror position candidate enumeration unit 42 selects one unprocessed set Xi (i = 1, 2,..., P) from the sets X1 to Xp obtained by the classification in step SP61 (SP62). Then, the total communication amount is calculated by adding the communication amounts stored in the communication amount column 33BC (FIG. 6B) of each record belonging to the selected set Xi (hereinafter referred to as the selected record group Xi). (SP63).

Further, the mirror position candidate listing unit 42 associates the total communication amount calculated in step SP63 and the communication device ID corresponding to the selected record group Xi with the candidate ID generated in step SP60, and the mirror position candidate management table group 35. The candidate position management table 35B (FIG. 8B) (FIG. 8B) of FIG. 8 is registered (SP64). Thereafter, the processing of steps SP63 to SP64 is performed for all sets X1 to Xp obtained by the classification of step SP61. It is determined whether or not the execution has been completed (SP65).

When the mirror position candidate listing unit 42 obtains a negative result in this determination, it returns to step SP62, and then sequentially switches the set Xi selected in step SP62 to another set Xi that has not been processed, and then proceeds from step SP62 to step SP65. Repeat the process.

When the mirror position candidate listing unit 42 finally registers all the sets X1 to Xp obtained by the classification in step SP61 in the mirror position candidate management table group 35 and obtains a positive result in step SP65, this candidate registration The process ends.

(1-2-2-3) Satisfaction Combination Selection Processing FIG. 16 shows processing executed by the satisfaction combination selection unit 43 that has received the combination search request from the mirror position candidate listing unit 42 (in the process of step SP7 in FIG. 9). Yes, this is hereinafter referred to as a satisfaction combination selection process). Upon receiving such a combination search request, the sufficiency combination selection unit 43 follows the processing procedure shown in FIG. 16 for each mirror position request 17 and selects one mirror from the mirror position candidates enumerated by the mirror position candidate enumeration unit 42. A position candidate is selected, and the selected mirror position candidate is notified to the mirror position selection unit 41 as a mirror position selection result.

In practice, when the satisfaction combination selection unit 43 receives such a combination search request, the satisfaction combination selection unit 43 starts the satisfaction combination selection process shown in FIG. 16, and first, a candidate management table 35A (FIG. 8) configuring the mirror position candidate management table group 35. A set of candidate IDs C1 to Cn is generated by classifying the candidate IDs stored in the candidate ID column 35AB (FIG. 8A) of each record of (A)) for each requirement ID (SP70). Accordingly, the sets C1 to Cn correspond to different requirement IDs.

Subsequently, the sufficiency combination selection unit 43 extracts candidate IDs one by one from the sets C1 to Cn generated in step SP70 and stores them as a set of candidate IDs Sk. As many sets Sk as the number of combinations of candidate IDs that are unique are created and stored as candidate ID sets S1 to Sp (SP71).

Next, the sufficiency combination selection unit 43 sets the variable k to 1 (SP72), and corresponds to each candidate ID included in the candidate ID group Sk among the records of the candidate position management table 35B (FIG. 8B). Each of the records (that is, each record in which any candidate ID included in the candidate ID group Sk is stored in the candidate ID column 35BA (FIG. 8B)) is stored in the communication amount column 35BC (FIG. 8B). The total value of the stored traffic is calculated for each communication device ID (SP73).

Thereafter, the sufficiency combination selection unit 43 refers to the network topology information table 32 (FIG. 5), and in all the communication devices 4 respectively corresponding to the respective communication device IDs for which the total value of the communication amount has been calculated in step SP73. Then, it is determined whether or not the total value is less than or equal to the mirror port threshold (SP74).

If the satisfaction combination selection unit 43 obtains a negative result in this determination, it determines whether or not the value of the variable k is equal to or greater than the number of candidate ID groups S1 to Sp described above (SP75). If the satisfaction combination selection unit 43 obtains a negative result in this determination, it increments (increases by 1) the value of the variable k (SP76), returns to step SP73, and thereafter gives a positive result in step SP74 or step SP75. Steps SP73 to SP76 are repeated until it is obtained.

Then, the sufficiency combination selecting unit 43 eventually selects a candidate ID group Sk in which the total amount of traffic in all the communication devices 4 from the candidate ID groups S1 to Sp enumerated in step SP71 is less than or equal to the mirror port threshold of the communication device 4. When a positive result is obtained in step SP74 by first detecting the ID, the requirement ID indicated by the candidate included in the candidate ID group Sk and the correspondence relationship between the communication device IDs are selected as mirror positions (SP78). Then, the satisfaction combination selection process is terminated.

Further, the sufficiency combination selecting unit 43 can detect a candidate ID group Sk in which the total value of the communication amount is less than or equal to the mirror port threshold value of the communication device 4 among the candidate ID groups Sk listed in step SP71. If a positive result is obtained in step SP75, a predetermined error notification is transmitted to the mirror position selection unit 41 (SP77), and then the satisfaction combination selection process is terminated.

(1-3) Mirroring Status Display Screen FIG. 17 shows a mirroring status display screen 60 that can be displayed on the client terminal 15 (FIG. 1) or the operation management apparatus 16 (FIG. 1) of the operation source 9 by a predetermined operation. The mirroring status display screen 60 displays the mirroring status of traffic that has a mirror position set in the traffic flowing through the data network 2, and the traffic on the mirror port MP of the traffic in each communication device 4 that is set to the mirror position. Is a screen for presenting to the user.

The mirroring status display screen 60 includes a mirror acquisition status display area 61 and a mirror port traffic display area 62. The mirror acquisition status display area 61 is an area for displaying the mirroring acquisition status in the data network 2, and the mirror port traffic display area 62 is a mirror of the communication device 4 set as the mirror position in the data network 2. This is an area for displaying the traffic of the port MP.

In the mirror acquisition status display area 61, one or more communication device icons 70, one or more target traffic lines 71, one or more mirror position icons 72, and a legend 73 are displayed. The communication device icons 70 are displayed in correspondence with the communication devices 4 constituting the data network 2. The target traffic line 71 represents a path of traffic (target traffic) that is mirrored, and the mirror position icon 72 corresponds to the communication device icon 70 of the communication device 4 that is mirroring the target traffic. Is displayed. The target traffic line 71 is displayed in a different color or line type (solid line or broken line) for each mirror position request 17 (request ID), and the correspondence between the target traffic and the target traffic line 71 is displayed in the legend 73.

In the mirror port traffic volume display area 62, two-dimensional coordinates 80 are displayed with the traffic volume on the vertical axis and the time on the horizontal axis. When the user selects a specific communication device icon 70 (communication device icon 70 corresponding to the communication device 4 set at the mirror position) in the mirror acquisition status display area 61, the communication device corresponding to the communication device icon 70 is displayed. One or a plurality of graphs 81 each representing the traffic amount of each target traffic in the four mirror ports MP are displayed in a two-dimensional coordinate 80 in a stacked graph format. On the two-dimensional coordinate 80, a threshold line 82 indicating the threshold of the traffic amount of the mirror port MP is also displayed.

The graph 81 for each target traffic in the two-dimensional coordinate 80 is a traffic volume column 33BC in the row corresponding to the communication device 4 of the target traffic in the path management table 33B described above with reference to FIG. 6B (FIG. 6B). The threshold line 82 is generated based on the mirror port threshold value of the communication device 4 registered in the network topology information table 32 described above with reference to FIG.

(1-4) Effects of the present embodiment In the management device 8 of the present embodiment having the above configuration, the mirror position candidate enumeration unit 42 identifies and identifies all the communication devices 4 through which the target traffic passes. All combinations of these communication devices 4 are listed as mirror position candidates, and thereafter, in the satisfaction combination selection unit 43, the mirror position candidates are configured from the mirror position candidates listed by the mirror position candidate listing unit 42. For all the communication devices 4, one mirror position candidate whose communication amount of the mirror port MP is equal to or less than a mirror port threshold value to be described later is selected, and this is notified to the mirror position selection unit 41 as a mirror position selection result.

Therefore, according to the present management device 8, the communication device 4 that does not cause congestion in the mirror port MP can be selected as the mirror position, and thus the mirror position (where the mirrored traffic can be executed without discarding the mirrored traffic) The communication device 4) can be selected quickly.

(2) Second Embodiment FIG. 18, which shows the same reference numerals corresponding to FIGS. 1 to 4, shows a logical configuration of a communication system 90 according to the second embodiment. This communication system 90 performs the reselection of the mirror position when the free bandwidth of the mirror port MP (FIG. 1) of the communication device 91 is below a certain amount, and when the reselection of the mirror position is unnecessary. It is characterized in that a user or the like can be set so as not to perform such reselection. Note that the hardware configuration and other functions of the communication system 90 according to the present embodiment are the same as those of the communication system 1 according to the first embodiment, and a description thereof will be omitted here.

Actually, in the communication system 90, in addition to the transfer function 10, the mirroring function 11, and the communication information notification function 12, a band information output function 92 is installed in the communication device 91. This band information output function 92 uses the current use band of the mirror port MP of the communication device 91 (hereinafter referred to as the mirror port use band) as mirror port band information 93 at a predetermined time interval set as a control network. 7 is a function of transmitting to the management apparatus 94 via 7. Such a function is publicly known, and for example, a function of an SNNP (Simple Network Management Protocol) agent provided in a general communication apparatus can be applied.

The management device 94 is the same as that of the first embodiment except that the mirror port bandwidth monitoring unit 100 is provided, the function of the mirror position selection unit 101 is different, and the configuration of the mirror position request management table 102 is different. The configuration is the same as that of the management device 8. The mirror port bandwidth monitoring unit 100 and the mirror position selection unit 101 according to the present embodiment execute the management program 103 (FIG. 3) of the present embodiment stored in the main storage device 22 by the processor of the management device 8. It is a function that is embodied.

The mirror port bandwidth monitoring unit 100 performs processing for monitoring the mirror port usage bandwidth of each communication device 91 based on the above-described mirror port bandwidth information 93 transmitted from each communication device 91 constituting the data network 2. Execute.

Specifically, when the management device 94 receives the mirror port bandwidth information 93 from the communication device 91, the mirror port bandwidth monitoring unit 100 refers to the network topology information table 32 (FIG. 5) and the mirror port bandwidth information 93. Is specified in the communication device ID column 32A (FIG. 5), and the mirror port threshold column 32D (FIG. 5) of the record is specified. From this, the mirror port threshold value of the communication device 91 is acquired.

The mirror port bandwidth monitoring unit 100 compares the acquired mirror port threshold value with the current mirror port usage bandwidth stored in the mirror port bandwidth information 93, and the mirror port usage bandwidth is greater than the mirror port threshold value. In this case, a mirror position reselection request is given to the mirror position selection unit 101.

On the other hand, in the communication system 90 according to the present embodiment, the mirror position request 103 transmitted from the operation source 9 to the management apparatus 94 is fixed to the mirror position in addition to one or more combinations of communication requirements and mirror position communication apparatus ID. It differs from the communication system 1 of the first embodiment in that a flag is included.

The mirror position fixing flag is a Boolean value indicating whether the mirror position of the target traffic can be changed from the communication apparatus 91 once set to another communication apparatus 91, and is “true (cannot be changed)” or “false (changeable). ) ”.

For this reason, as shown in FIG. 19, the mirror position request management table 102 of the present embodiment has a request ID column 34A and a communication requirement column 34B of the mirror position request management table 34 of the first embodiment described above with reference to FIG. In addition to the request ID column 102A, the communication requirement column 102B, and the mirror position communication device ID column 102C having the same function and configuration as the mirror position communication device ID column 34C, a mirror position fixing flag column 102D is provided. The mirror position fixing flag included in the mirror position request 103 received by the selection unit 101 is stored and managed in this mirror position fixing flag column 102D.

In addition to the same function as the mirror position selection unit 41 (FIG. 4) of the first embodiment, the mirror position selection unit 101 has a mirror position fixing flag included in the mirror position request 103 of “false”. If the mirror port bandwidth monitoring unit 100 gives the above-described mirror position reselection request, the function for re-selecting the mirror position is executed. It is equipped with functions.

In practice, when the mirror position request 103 is given from the operation source 9, the mirror position selection unit 101 registers this in the mirror position request management table 102 as in the case of the mirror position selection unit 41 of the first embodiment. At the same time, a mirror position candidate enumeration request is given to the mirror position candidate enumeration unit 42 at a predetermined timing. When the mirror position selection unit 101 is notified of the mirror position selection result from the satisfaction combination selection unit 43 as a result, the request included in this notification (mirror position selection result) on the mirror position request management table 102. A record in which the same request ID as the ID is stored in the request ID column 102A (FIG. 19) is searched, and the mirror position fixing flag stored in the mirror position fixing flag column 102D (FIG. 19) of the record detected by this search is acquired. To do.

When the mirror position fixing flag acquired at this time is “true”, the mirror position selection unit 101 stores the record of the candidate position management table 35B (FIG. 8B) in the mirror position candidate management table group 35. A record in which the same candidate ID as the candidate ID included in the mirror position selection result is stored in the candidate ID column 35BA (FIG. 8B) is detected, and the communication device ID column 35BB (FIG. 8) of the record is detected. The communication device ID stored in (B)) (hereinafter referred to as a candidate communication device ID) is acquired.

Thereafter, the mirror position selection unit 101 has the same request ID as the request ID included in the mirror position selection result given from the satisfaction combination selection unit 43 among the records in the mirror position request management table 102. The record stored in FIG. 19) is detected, and the candidate communication device ID acquired as described above is stored in the mirror position communication device ID column 102C (FIG. 19) of the record. However, when a value (communication device ID) is already stored in the mirror position communication device ID column 102C, the mirror position selection unit 101 does not update the value. The other processes are the same as the processes after step SP9 in FIG. 9 described above for the first embodiment.

Further, when the mirror position fixing flag acquired as described above is “false”, the mirror position selection unit 101 performs the same processing as the mirror position selection unit 41 (FIG. 4) of the first embodiment. I do.

Further, when the mirror position reselection request is given from the mirror port bandwidth monitoring unit 100, the mirror position selection unit 101 executes the same process as when the mirror position request 103 is given from the operation source 9 described above.

As a result, in the communication system 90 according to the present embodiment, the mirror position is automatically reselected when the mirror port bandwidth of the communication device 91 exceeds the threshold value (mirror port threshold value) set for the mirror port MP. The result is notified to the operation source 9 as a mirror position response 18.

In the communication system 1 of the present embodiment having the above configuration, when the mirror port use band of the communication device 91 exceeds a predetermined mirror port threshold (that is, the empty band of the mirror port MP is less than a certain amount). In this case, the mirror position is reselected, so that it is possible to prevent the occurrence of a situation in which the mirror port congestion occurs in the communication device 4 set at the mirror position and the mirrored traffic is discarded. it can.

Further, in the communication system 90 according to the present embodiment, the mirror position can be fixed by setting the mirror position fixing flag to “true” in the mirror position request. Therefore, the mirror position is changed for important traffic. It is possible to prevent a momentary interruption of traffic collection.

(3) Other Embodiments In the first and second embodiments described above, the network information analysis unit 40, the mirror position selection unit 41, the mirror position candidate listing unit 42, and the satisfaction combination of the management devices 8 and 94 are provided. Although the case where the selection unit 43 and the mirror port bandwidth monitoring unit 100 are configured as software has been described, the present invention is not limited to this, and some or all of these may be configured as hardware.

In the above-described first and second embodiments, the case where the data network 2 and the control network 7 are separate networks has been described. However, the present invention is not limited to this, and these are configured by the same network. You may do it.

Furthermore, in the first and second embodiments described above, in the satisfaction combination selection process (FIG. 16) executed by the satisfaction combination selection unit 43, one of the mirror position candidates listed by the mirror position candidate enumeration unit 42. As a method of selecting two mirror positions, the case of performing a simple exhaustive search has been described. However, the present invention is not limited to this, and a known metaheuristic algorithm such as a genetic algorithm may be used. .

Further, in the first and second embodiments described above, in the mirroring status display screen 60 described above with reference to FIG. 17, among the traffic flowing through the data network 2, the status of mirroring of the traffic whose mirror position is set, and the mirror Although the case where only the traffic amount at the mirror port MP of the traffic in each communication device 4 set at the position is presented to the user has been described, the present invention is not limited to this, for example, the mirroring status display screen 60 May be used to add traffic that is being mirrored, specify a mirror position, and perform access control for each user.

Further, in the first and second embodiments described above, the case where the table format is applied as the format for holding information such as communication analysis information and network topology information has been described, but the present invention is not limited to this. However, various other formats can be widely applied.

Furthermore, in the above-described first and second embodiments, the case where the system administrator installs the mirror position selection function of the present invention in the management devices 8 and 94 used for management of the data network 2 has been described. However, the present invention is not limited to this, and a dedicated device may be provided separately from the management device used by the system administrator for managing the data network 2, and such a mirror position selection function may be installed in the dedicated device.

The present invention can be widely applied to various communication systems.

DESCRIPTION OF SYMBOLS 1,90 ... Communication system, 2 ... Data network, 3, 3U-3W ... Electronic computer, 4, 4A-4D, 91 ... Communication apparatus, 7 ... Control network, 8, 94 ... Management apparatus, 9 …… Operator, 13 …… Notification information, 17, 103 …… Mirror position request, 18 …… Mirror position response, 21 …… Processor, 31, 103 …… Management program, 32 …… Network topology information table, 33 Communication analysis information table group 33A Communication management table 33B Route management table 34, 102 Mirror position request management table 35 Mirror position candidate management table group 35A Candidate management table 35B: Candidate position management table, 40: Network information analysis unit, 41, 101: Mirror position selection unit, 42: Mirror position candidate string Parts, 43 ...... sufficiency combination selecting unit, 60 ...... mirroring status display screen, 92 ...... band information output function, 93 ...... mirror port bandwidth information 100 ...... mirror port bandwidth monitor, MP ...... mirror port.

Claims (10)

1. In the information processing apparatus for selecting the communication apparatus that should perform port mirroring of traffic flowing through a network composed of a plurality of communication apparatuses,
   The communication through which each of the traffic flowing through the network passes by acquiring predetermined traffic information regarding each of the traffic passing through the communication device from each of the communication devices, and analyzing each of the acquired traffic information. A network information analysis unit for identifying a device;
   Based on the analysis result of the network information analysis unit, the traffic to be subjected to the port mirroring is specified, all the communication devices through which the specified traffic passes are specified, and the port of each specified communication device is specified. Mirror position candidate enumeration unit that enumerates combinations of the communication devices that perform mirroring;
   Satisfaction of selecting a combination that does not cause congestion in a mirror port that performs the port mirroring of the communication device, in the communication device that constitutes the combination, from the combinations of the communication devices listed by the mirror position candidate enumeration unit. An information processing apparatus comprising: a combination selection unit.
2. The mirror position candidate enumeration unit
   2. The information processing apparatus according to claim 1, wherein the traffic to be subjected to the port mirroring is specified based on a mirror position request given from outside.
3. In the mirror position request, a value of at least one item of the five tuples of the traffic to be subjected to the port mirroring is specified,
   Each of the traffic information stores a value of each item of the 5-tuple for each of the traffic passing through the corresponding communication device,
   The network information analysis unit
   From each of the traffic information, obtain the value of each item of 5 tuples of each of the traffic flowing through the network,
   The mirror position candidate enumeration unit
   The value of the item specified in the mirror position request among the five tuples is compared with the value of each item of the five tuples of the traffic acquired by the network information analysis unit, and the port The information processing apparatus according to claim 2, wherein the traffic to be mirrored is specified.
4. In the mirror position request,
   The communication device to perform the port mirroring is designated as necessary,
   The mirror position candidate enumeration unit
   Determining whether the traffic to be subject to port mirroring passes through the communication device specified in the mirror position request;
   The information processing apparatus according to claim 2, wherein error processing is executed when the traffic does not pass through the communication apparatus.
5. A mirror port bandwidth monitoring unit for monitoring a bandwidth used by the mirror port in each of the communication devices constituting the network;
   The mirror port bandwidth monitoring unit
   Processing for reselecting the communication device to be subjected to the port mirroring of the target traffic when the use band of the mirror port in any of the communication devices exceeds a preset threshold for the mirror port The information processing apparatus according to claim 1, wherein:
6. In the port mirroring position selection method executed by the information processing apparatus that selects the communication apparatus that should perform port mirroring of traffic flowing in a network composed of a plurality of communication apparatuses,
   The information processing device acquires predetermined traffic information related to each traffic passing through the communication device from each communication device, and analyzes each acquired traffic information so that each traffic flowing through the network is A first step of identifying the communication devices that respectively pass;
   The information processing device identifies the traffic to be subjected to the port mirroring based on the analysis result, identifies all the communication devices through which the identified traffic passes, and performs port mirroring on each identified communication device A second step of enumerating combinations of the communication devices that perform:
   A third step in which the information processing apparatus selects, from the enumerated combinations of the communication apparatuses, a combination that does not cause congestion in a mirror port that performs the port mirroring of the communication apparatus in the communication apparatuses that form the combination; A port mirroring position selection method comprising: and.
7. In the second step, the information processing apparatus
   The port mirroring position selection method according to claim 6, wherein the traffic to be subjected to the port mirroring is specified based on a mirror position request given from outside.
8. In the mirror position request, a value of at least one item of the five tuples of the traffic to be subjected to the port mirroring is specified,
   Each of the traffic information stores a value of each item of the 5-tuple for each of the traffic passing through the corresponding communication device,
   In the first step, the information processing apparatus
   From each of the traffic information, obtain the value of each item of 5 tuples of each of the traffic flowing through the network,
   In the second step, the information processing apparatus
   The value of the item specified in the mirror position request among the five tuples is compared with the value of each item of the five tuples of the traffic acquired by the network information analysis unit, and the port The port mirroring position selection method according to claim 7, wherein the traffic to be mirrored is specified.
9. In the mirror position request,
   The communication device to perform the port mirroring is designated as necessary,
   In the second step, the information processing apparatus
   Determining whether the traffic to be subject to port mirroring passes through the communication device specified in the mirror position request;
   The port mirroring position selection method according to claim 7, wherein error processing is executed when the traffic does not pass through the communication device.
10. The information processing apparatus includes:
    Monitoring the bandwidth of use of the mirror port in each of the communication devices constituting the network;
    Processing for reselecting the communication device to be subjected to the port mirroring of the target traffic when the use band of the mirror port in any of the communication devices exceeds a preset threshold for the mirror port The port mirroring position selection method according to claim 6, wherein:

Images