WO2022270766A1 - Device and method for automatic packet analysis-based intelligent network management - Google Patents

Info

Publication number: WO2022270766A1
Authority: WO, WIPO (PCT)
Prior art keywords: network, analysis, information, unit, network management
Application number: PCT/KR2022/007006
Other languages: French (fr), Korean (ko)
Inventor: 김신규
Original Assignee: (주)소울시스템즈
Application filed by: (주)소울시스템즈

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0681 Configuration of triggering conditions
    • H04L41/0695 Management of faults, events, alarms or notifications the faulty arrangement being the maintenance, administration or management system
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H04L41/22 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/06 Generation of reports
    • H04L43/12 Network monitoring probes

Definitions

  • the present invention relates to intelligent network management, and in particular to an automatic packet analysis-based intelligent network management device and method that provides a guide for accurately and quickly identifying and solving various and complex network issues (performance, failure, etc.), enables convenient network management, and is suitable for providing customized network management services tailored to user needs by linking with various systems with information collection and analysis functions.
  • intelligent network technology collectively refers to network and infrastructure technologies commonly used for the 4th industrial revolution and innovative growth based on intelligence, and in detail, software-defined networking (SDN), network functions virtualization (NFV), network intelligence technology, low-latency/time-deterministic network technology, quantum information communication technology, network structure technology, transport network technology, and wired/wireless access technology.
  • the network intelligence technology repeats a series of procedures such as automatic collection of data and feedback for autonomous decision-making using artificial intelligence technologies such as machine learning. technology that automatically performs the functions of
  • NMS (Network Management System), TMS (Traffic Management System), DPI (Data Packet Inspector), and Packet Analyzer are very complicated and difficult to use, and have problems in that they require a high level of expertise.
  • the present invention has been proposed to solve the above conventional problems, and its purpose is to provide an automatic packet analysis-based intelligent network management device and method that can accurately and quickly identify the cause of various and complex network issues (performance, failure, etc.) with one click through automatic packet analysis, and that can provide customized network management services tailored to user needs by linking with various systems through information collection and analysis functions.
  • the intelligent network management device 100 comprises:
  • a control unit 110 that controls the device to provide a guide for accurate and quick cause identification and resolution with one click for various and complex network issues through automatic packet analysis, to enable any network operator to manage the network easily and conveniently, and to provide customized network management services tailored to user needs by linking with various systems with information collection and analysis functions;
  • an application data measurement unit 120 that, under the control of the control unit 110, measures data including network packets, SNMP TRAP, and SYSLOG information from the network equipment 210 of the data center or the remote intelligent network management device 220;
  • a network performance analysis unit 130 that, under the control of the control unit 110, analyzes network performance using the data measured by the application data measurement unit 120;
  • an automatic diagnosis unit 140 that, under the control of the control unit 110, automatically diagnoses the network state using the result analyzed by the network performance analysis unit 130;
  • an event management unit 150 that, under the control of the control unit 110, manages events including packet analysis events, SNMP TRAP events, and SYSLOG events;
  • a one-click processing unit 160 processing to provide a single click
  • a report preparation unit 170 that, under the control of the control unit 110, generates a network diagnosis report based on packet analysis; and
  • a user interface unit 180 that, under the control of the control unit 110, provides a user interface so that the user can manage the network.
  • the application data measuring unit 120 is characterized in that the collected data types include network packets, SNMP TRAP, and SYSLOG; the collection method uses SPAN/Port Mirroring or Tap equipment; the collection time is instant or schedule-based; and the collected data is stored as metadata and original packets (PCAP).
  • the network performance analysis unit 130 is characterized in that it uses BPS, PPS, Latency or Timeout for network usage and performance analysis; uses TCP Session, UDP Session or HTTP Error for failure/event analysis; uses HTTP, DNS, SMTP, POP3, IMAP, FTP Server trace or Client trace for application service (L7) analysis; performs L2 to L4 analysis by MAC usage analysis, hop count analysis, UDP port analysis, TCP port analysis or payload analysis; and uses usage, performance indicators, failures, or events for statistical and trend analysis.
  • the automatic diagnosis unit 140 defines diagnosis items, measures the state of a diagnosis subject, provides symptoms of a diagnosis subject, provides expected causes, provides measures for each expected cause, and provides analysis results.
  • the automatic diagnosis target includes performance, usage, UDP, TCP, or HTTP errors.
  • when a packet analysis event occurs, the event management unit 150 generates and manages three-step events of Warning, Critical, and Info; it performs SNMP Trap event collection processing and supports SNMP v1, v2c or v3; and when a SYSLOG event occurs, it collects and searches SYSLOG events and performs classification by SYSLOG level.
  • when the user clicks one or more of BPS, PPS, Latencies, Timeout, HTTP Error, and TCP Flag, the one-click processing unit 160 provides the information needed to solve network problems, including detailed information about the clicked item, the meaning of the information, symptoms, expected causes, and countermeasures.
  • when the BPS item is clicked, network traffic status (Avg or Top) information is provided; when the PPS item is clicked, Unicast, Multicast, Broadcast, or Unknown status information is provided; when the Latencies item is clicked, network response delay status (by Avg, Top or IP) information is provided; when the Timeout item is clicked, network timeout status (by Avg, Top or IP) information is provided; when the HTTP Error item is clicked, HTTP Code state or URL comparison analysis status information is provided; and when the TCP Flag item is clicked, TCP Zero Windows, Duplicate ACK, Retransmission, or Reset occurrence status information is provided.
  • It provides user-specified time filter information, and is characterized in that it allows the user to manage the network by selecting a chart or graph.
  • the application data measuring unit 120 receives network packets, SNMP, and data from the network equipment 210 of the data center or the remote intelligent network management device 220.
  • the network performance analyzer 130 analyzes network performance using the data measured by the application data measurer 120 (ST2);
  • a third step (ST3) of the automatic diagnosis unit 140 automatically diagnosing the state of the network using the result analyzed by the network performance analysis unit 130;
  • a fourth step (ST4) in which the one-click processing unit 160 receives the result of the automatic diagnosis unit 140 and processes the information necessary for solving the network problem, including detailed information of the network diagnosis, meaning of the information, symptom, expected cause, and action plan, so that it is provided with one click;
  • a fifth step (ST5) in which, after the fourth step, the user interface unit 180 provides a user interface so that the user can perform network management;
  • the method is characterized in that, through automatic packet analysis in the intelligent network management device 100, it provides a guide for accurate and quick cause identification and resolution with one click for various and complex network issues, enables any network operator to easily and conveniently manage the network, and provides a customized network management service tailored to user needs by interlocking with various systems with information collection and analysis functions.
  • An automatic packet analysis-based intelligent network management device and method provides a guide for accurately and quickly identifying and solving causes with one click for various and complex network issues (performance, failure, etc.) through automatic packet analysis
  • the present invention has the effect of providing all information necessary for problem solving, such as detailed information, meaning of the information, symptoms, expected causes, and measures, with a single click.
  • the cause of the problem can be identified through an analysis process.
  • no action plan has been suggested.
  • the present invention makes it possible to clearly identify the cause of network problems with one click, to provide a troubleshooting guide (ADA: Automatic Diagnostics Analysis), and to approach problems without drilling down.
  • the present invention can be operated in one system (All-In-One) from information collection to analysis, diagnosis, and results; optimal system selection options suitable for the operating environment (Portable, Rack Mount, Rugged PC, Cloud, etc.) can be provided; and immediate use (Zero Configuration) is possible without pre-setting work.
  • the present invention uses a packet collection technology based on a general NIC (Network Interface Controller), which has the advantage of not depending on the vendor; it has the advantage of not being affected by the user environment because the L7 protocol automatic classification engine is built in; and it can interwork with EMS, SIEM, NMS, etc. (Rest API).
  • the present invention has the effect of reducing MTTR (Mean time to repair) by more than 1/5 while being about 1/4 cheaper than the price of a foreign solution for the same purpose.
  • it takes about 1 to 2 weeks to collect system setting information, analyze it, solve the problem, and write a report.
  • the present invention has the advantage of being able to process information collection, analysis, report writing, and problem solving within about 2 to 3 days.
  • the total time required to solve the problem is a general empirical value and may vary depending on the nature of the problem.
  • the present invention can shorten the pre-preparation (setup) time for collecting network information and reduce the time to identify the cause of the problem through analysis. It can also reduce action and recovery time for problem resolution. In addition, the time to prepare the final report can be shortened.
  • FIG. 1 is a conceptual diagram of an intelligent network management device based on automatic packet analysis according to an embodiment of the present invention.
  • FIG. 2 is a conceptual diagram showing detailed functions of each part in FIG. 1.
  • FIG. 3 is a conceptual diagram showing the connection between the intelligent network management device of FIG. 1 and an external device.
  • FIG. 4 is a conceptual diagram showing detailed functions of the automatic diagnosis unit in FIG. 1.
  • FIG. 5 is a conceptual diagram showing detailed functions of the one-click processing unit in FIG. 1.
  • FIG. 6 is a conceptual diagram showing detailed functions of the report preparation unit in FIG. 1.
  • FIG. 7 is a conceptual diagram showing detailed functions of the user interface unit in FIG. 1.
  • FIG. 8 is a flowchart illustrating an intelligent network management method based on automatic packet analysis according to an embodiment of the present invention.
  • FIG. 9 is a conceptual diagram showing an application example of the present invention.
  • FIG. 10 is a conceptual diagram showing an example of constant network control in FIG. 9.
  • FIG. 11 is a conceptual diagram showing an example of integrated CCTV control in FIG. 9.
  • FIG. 12 is a conceptual diagram showing an example of performance management after network separation in FIG. 9.
  • FIG. 13 is a conceptual diagram showing an example of network design in FIG. 9.
  • the present invention provides a guide for accurately and quickly identifying and solving various and complex network issues (performance, failure, etc.) with one click through automatic packet analysis, and allows any network operator to easily and conveniently manage the network. It is intended to provide customized network management services tailored to user needs by linking with various systems with information collection and analysis functions.
  • FIG. 1 is a conceptual diagram of an intelligent network management device based on automatic packet analysis according to an embodiment of the present invention.
  • the intelligent network management device 100 that performs network management may be configured to include a control unit 110, an application data measurement unit 120, a network performance analysis unit 130, an automatic diagnosis unit 140, an event management unit 150, a one-click processing unit 160, a report writing unit 170, and a user interface unit 180.
  • the control unit 110 controls the intelligent network management device 100 so that it provides a guide for accurately and quickly identifying and resolving various and complex network issues with one click through automatic packet analysis, so that any network operator can easily and conveniently manage the network, and so that customized network management services tailored to user needs are provided by linking with various systems with information collection and analysis functions.
  • the application data measurement unit 120 is controlled by the controller 110 and measures data including network packets, SNMP TRAP, and SYSLOG information from the network equipment 210 of the data center or the remote intelligent network management device 220.
  • the network performance analyzer 130 is controlled by the controller 110 and analyzes network performance using data measured by the application data measurer 120.
  • the automatic diagnosis unit 140 is controlled by the control unit 110 and automatically diagnoses the state of the network using the result analyzed by the network performance analysis unit 130.
  • the event management unit 150 is controlled by the control unit 110 and manages events including packet analysis events, SNMP TRAP events, and SYSLOG events.
  • the one-click processing unit 160 is controlled by the control unit 110, receives the results of the automatic diagnosis unit 140, and processes the information necessary for resolving network problems, including detailed information of network diagnosis, meaning of the information, symptoms, expected causes, and countermeasures, so that it is provided with a single click.
  • the report preparation unit 170 is controlled by the control unit 110 and creates a network diagnosis report based on packet analysis.
  • the user interface unit 180 is controlled by the control unit 110 and provides a user interface so that the user can manage the network.
  • FIG. 2 is a conceptual diagram showing detailed functions of each part in FIG. 1.
  • the types of data collected by the application data measuring unit 120 include network packets, SNMP TRAPs, and SYSLOGs.
  • the collection method uses SPAN/Port Mirroring or Tap equipment.
  • the point of collection is immediate or schedule-based.
  • Throughput can be 500Mbps, 1G, 5G, 10G, etc.
  • Collected data storage is metadata and packet origin (PCAP).
  • the maximum storage capacity may be 76TB (Portable 32TB).
  • the application data measurement unit 120 receives data center information in the form of packets and manages the packet data in the form of information bundles.
  • when packets are collected on the NIC, each packet is separately distributed and stored in individual queues (hardware buffers) inside the NIC to balance the load on the NIC. The process of taking data out of the hardware buffer and processing it is done in the application program.
  • the application data measurement unit 120 creates a pre-specified number of queues in the NIC hardware itself. Then, separate threads are allocated to read the data of the NIC, one thread per queue. In addition, a separate buffer is created in advance to move and store the raw packets held in the NIC internal queues. Whether or not packets have accumulated in a queue can be checked automatically or manually. With an automatic check, there is a delay between the system checking the queue and notifying the program of the result. This is the process of "checking the queue in the system → sending messages to the program → processing messages in the program → processing the queue". Here, the steps of 'sending messages to the program' and 'processing messages in the program' are the causes of delay. So, the delay is avoided by manual control based on an infinite loop. In other words, delay is avoided by performing the process of "checking the queue in the program → processing the queue → repeating".
  • the application data measuring unit 120 runs all threads at the same time to calculate and check the size of the data accumulated in each queue. Then, for each queue, the location at which its data will be stored in the buffer is selected. At this time, if the size of the data to be stored is larger than the remaining size of the buffer, the buffer is replaced with a new, empty buffer. After the storage locations have been specified in advance, each thread simultaneously writes data to the single buffer. In general, a problem may arise when multiple threads simultaneously write data to the same location in a single buffer, but in this case there is no problem because the areas where data are written do not overlap. Since the storage location is specified in advance, there is no room for memory waste.
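
The reserve-then-write scheme described above, as an added example (not code from the patent or its applicant): one polling round measures every queue, reserves back-to-back regions in a single buffer, swaps in an empty buffer when the round does not fit, and lets one thread per queue write without locks. The names `CaptureBuffer` and `drain_round` are hypothetical, and Python lists stand in for the NIC hardware queues.

```python
import threading


class CaptureBuffer:
    """Fixed-size buffer whose write regions are reserved before any thread writes."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.data = bytearray(capacity)
        self.used = 0
        self.retired = []  # filled buffers swapped out, ready to be stored

    def reserve(self, sizes):
        """Choose a start offset per queue; swap in an empty buffer if the round does not fit."""
        total = sum(sizes)
        if total > self.capacity:
            raise ValueError("one round is larger than a whole buffer")
        if total > self.capacity - self.used:
            self.retired.append(bytes(self.data[:self.used]))
            self.data, self.used = bytearray(self.capacity), 0
        offsets, pos = [], self.used
        for size in sizes:
            offsets.append(pos)  # regions are back to back, so they never overlap
            pos += size
        self.used = pos
        return memoryview(self.data), offsets


def drain_round(buf, queues):
    """One pass of the polling loop: measure every queue, reserve, then write in parallel."""
    # Joining the pending packets stands in for reading one NIC hardware queue.
    batches = [b"".join(q) for q in queues]
    for q in queues:
        q.clear()
    view, offsets = buf.reserve([len(b) for b in batches])

    def write(i):
        start, batch = offsets[i], batches[i]
        if batch:
            # A memoryview slice cannot grow: a length mismatch raises instead of
            # spilling into the neighbouring thread's region.
            view[start:start + len(batch)] = batch

    threads = [threading.Thread(target=write, args=(i,)) for i in range(len(batches))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    view.release()
    return offsets


def demo():
    """Two rounds over three constructed queues with a deliberately tiny 16-byte buffer."""
    buf = CaptureBuffer(16)
    first = drain_round(buf, [[b"AAAA"], [b"BB", b"CC"], []])
    second = drain_round(buf, [[b"DDDDDD"], [b"EEEE"], [b"F"]])
    return first, second, buf.retired, bytes(buf.data[:buf.used])


if __name__ == "__main__":
    print(demo())
```

The second round needs 11 bytes but only 8 remain, so the first buffer is retired and the offsets restart at 0 in the new one.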
  • the application data measuring unit 120 manages a buffer for storing a plurality of packets, and each packet includes an L2 header, an L3 header, an L4 header, and a packet body (body and payload).
  • the information bundle structure consists of 'the first time to be saved, the last time to be saved, information block 1, information block 2, information block 3, ..., information block n'.
  • the structure of the information block consists of 'compressed size, actual size, compressed binary information data'.
  • the fixed length consists of a structure such as 'fixed width data 1, fixed width data 2, fixed width data 3, fixed width data 4, ..., fixed width data n'.
  • variable length is 'fixed-width data 1 (including variable-length information), variable-length data 1, fixed-width data 2 (including variable-length information), variable-length data 2, fixed-width data 3 (including variable-length information), variable-length data 3, ..., fixed-width data n (including variable-length information), and variable-length data n'.
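
A parser for the information bundle and information block layout described above, as an added example rather than the patent's own format definition. The field widths (64-bit times, 32-bit sizes, little-endian), the zlib codec and the 1 MiB cap are assumptions; the parser checks both size fields against the data, so a block whose header understates its actual size is rejected instead of being inflated.

```python
import struct
import zlib

# Assumed field widths; the page names the fields but not their sizes or the codec.
BUNDLE_HEAD = struct.Struct("<QQ")  # first saved time, last saved time
BLOCK_HEAD = struct.Struct("<II")   # compressed size, actual size
MAX_ACTUAL = 1 << 20                # assumed cap on one block's decompressed size


def pack_bundle(first_time, last_time, blocks):
    """Serialize raw information blocks into one bundle (zlib is an assumed codec)."""
    parts = [BUNDLE_HEAD.pack(first_time, last_time)]
    for raw in blocks:
        comp = zlib.compress(raw)
        parts += [BLOCK_HEAD.pack(len(comp), len(raw)), comp]
    return b"".join(parts)


def parse_bundle(data):
    """Return (first_time, last_time, [raw blocks]); raise ValueError on any inconsistency."""
    if len(data) < BUNDLE_HEAD.size:
        raise ValueError("truncated bundle header")
    first_time, last_time = BUNDLE_HEAD.unpack_from(data, 0)
    if first_time > last_time:
        raise ValueError("first saved time is later than last saved time")
    pos, blocks = BUNDLE_HEAD.size, []
    while pos < len(data):
        if len(data) - pos < BLOCK_HEAD.size:
            raise ValueError("truncated block header")
        comp_size, actual = BLOCK_HEAD.unpack_from(data, pos)
        pos += BLOCK_HEAD.size
        if actual > MAX_ACTUAL:
            raise ValueError("declared actual size exceeds cap")
        if comp_size > len(data) - pos:
            raise ValueError("compressed size runs past end of bundle")
        inflater = zlib.decompressobj()
        try:
            # Ask for at most actual + 1 bytes so an oversized stream is caught
            # without inflating it fully.
            raw = inflater.decompress(data[pos:pos + comp_size], actual + 1)
        except zlib.error as exc:
            raise ValueError("corrupt compressed data") from exc
        if len(raw) != actual or not inflater.eof or inflater.unused_data:
            raise ValueError("actual size does not match decompressed data")
        blocks.append(raw)
        pos += comp_size
    return first_time, last_time, blocks


def rejection_reason(data):
    """Return the parser's error message for data, or None if it parses."""
    try:
        parse_bundle(data)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed samples: a valid two-block bundle, and a block whose header claims
# 16 bytes while the compressed stream expands to 500,000.
GOOD = pack_bundle(1_700_000_000, 1_700_000_060, [b"session-records", b"bps-records" * 4])
BOMB = zlib.compress(b"\x00" * 500_000)
LYING = BUNDLE_HEAD.pack(1, 2) + BLOCK_HEAD.pack(len(BOMB), 16) + BOMB

if __name__ == "__main__":
    print(parse_bundle(GOOD))
    print(rejection_reason(LYING))
```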
  • the application data measurement unit 120 generates metadata for individual packets. Metadata includes packet confirmation time, packet size, session ID, packet size, MAC address, and various types of TCP-specific information.
  • the information bundle includes session information bundle, BPS information bundle, PPS information bundle, RTT information bundle, timeout information bundle, TCP information bundle, Remarks information bundle, and event information bundle.
  • the session information bundle stores session ID, client IP/port, server IP/port, L4 protocol, and L7 protocol information.
  • the BPS information bundle stores session ID, transmission time (in seconds), data size transmitted per second from client to server, and data size information transmitted from server to client per second.
  • the PPS information bundle stores the session ID, transmission time (in seconds), the number of packets transmitted per second from the client to the server, and the number of packets transmitted per second from the server to the client.
  • the RTT (Round Trip Time) information bundle stores session ID, transmission delay time from client to server, and transmission delay time information from server to client. The entire session information and occurrence time information are stored in the timeout information bundle.
  • the TCP information bundle stores the time slot of occurrence and the session information for TCP SYN, for TCP RST, for TCP DUP ACK, and for TCP packet retransmission, and, for other TCP problems, the time slot of occurrence and the type of problem (TCP Zero Window, Port Reused, Out of Order).
  • the Remarks information bundle stores HTTP request/response headers, DNS query and response results, SMTP email sender ID, FTP/IMAP/POP3 error content information.
  • the event information bundle stores event information that occurs when the value is above or below a pre-defined threshold or above a variable rate.
  • the network performance analyzer 130 analyzes network usage and performance using BPS, PPS, Latency or Timeout. Failure/event analysis uses TCP Session, UDP Session or HTTP Error. Application service (L7) analysis uses HTTP, DNS, SMTP, POP3, IMAP, FTP Server trace or Client trace. L2 to L4 analysis is performed by Mac usage analysis, hop count analysis, UDP port analysis, TCP port analysis, or payload analysis. Statistics and trend analysis use usage, performance metrics, failures, or events.
  • the network performance analyzer 130 generates basic performance indicators, which include the performance indicators of BPS, PPS, latency, and timeout.
  • additional performance indicators include performance indicators of the number of flows generated by time and by IP, TCP performance indicators, performance indicators of IP lists that provide TCP-based services, IP lists that provide UDP-based services, performance indicators of MAC addresses for each IP, and data for each port number.
  • TCP performance indicators include TCP RST, TCP Zero Windows, TCP DUP ACKS, TCP retransmission, TCP port reuse, and TCP packet out-of-order performance indicators.
  • L7 performance indicators for each protocol may include analysis by DNS query result, HTTP connection status, and SMTP data transmission amount measured for each sender/receiver.
  • the network performance analyzer 130 determines which performance indicator analysis is to be used among BPS-based analysis, PPS-based analysis, Timeout-based analysis, TCP RST-based analysis, TCP Zero Windows analysis, TCP DUP ACK analysis, TCP retransmission analysis, TCP port reuse analysis, TCP packet order reversal analysis, HTTP error status analysis, and additional performance indicator analysis.
  • the network performance analyzer 130 analyzes the traffic as 'traffic surge' if the traffic is 85% or more of the total available bandwidth, and if the traffic surge condition lasts for more than 60 seconds, it is classified as 'traffic excessive state persistence'. If more than 50% of the total traffic is concentrated on a single IP, it is analyzed as 'concentration of traffic to a specific IP', and if the traffic in use is less than 2% of the total available bandwidth, it is analyzed as 'suspected network failure'.
  • if broadcast packets occupy more than 70% of all packets, it is analyzed as 'high bandwidth occupancy due to rapid increase in broadcast packets', and if non-IP packets occupy more than 50% of all packets, it is analyzed as 'unknown packets occupies a large amount of bandwidth'.
  • in timeout-based analysis, if timeouts occur for more than 20 IPs per second during the period specified by the user, it is analyzed as 'suspicion of unavailability of service due to network interface shutdown or equipment outage', and if timeouts occur simultaneously for more than 10 and fewer than 20 IPs per second during the period specified by the user, it is analyzed as 'suspicion of service interruption due to cable or GBIC (Giga Bitrate Interface Converter) failure'.
  • in TCP RST-based analysis, if the same server sends RST more than 10 times per second, it is analyzed as 'when a request comes in to a destination port that does not exist on the server side, or when a connection is attempted to a port that has already been disconnected'; if the same client sends RST 5 or more times per second, it is analyzed as 'if the application wants to terminate the connection using Reset instead of FIN'; and if the same client/server generates RST 3-4 times per second, it is analyzed as 'a case where either the server or the client terminates without notifying the termination'.
  • in TCP Zero Windows analysis, if the TCP Zero Window phenomenon occurs more than 10 times per second, it is analyzed as 'suspicion of zero window creation due to errors in security devices such as firewalls and IPS or WAN accelerators'.
  • in TCP DUP ACK analysis, if DUP ACK occurs more than 60 times per second in a specific IP, it is analyzed as 'Network Congestion'.
  • in TCP retransmission analysis, if TCP retransmission occurs more than 1000 times per second in a specific IP, it is analyzed as 'suspicion of loop occurrence in the duplication section'.
  • in TCP port reuse analysis, if TCP port reuse is confirmed more than 3 times per second, it is analyzed as 'client-side local port exhaustion and server time wait state maintenance suspicion'.
  • in TCP packet out-of-order analysis, if out-of-order occurs more than 3 times per second, it is analyzed as 'suspicion of TCP segment loss due to packet loss'.
  • in HTTP error status analysis, if the status code is HTTP 4XX and the same phenomenon is found in fewer than 10 IPs, it is recognized as a 'user input problem' and analyzed. If the same phenomenon is found, it is recognized as 'there is a problem in the server or client code' and analyzed. In additional performance indicator analysis, performance indicators are added and analyzed according to additions made by the system settings or by the user.
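
The threshold rules above, written as an added example (not code from the patent): a function that walks consecutive one-second counters and returns the findings the page names. The `Second` record, the shortened finding labels and the sample data are constructed for illustration, and the TCP RST and HTTP rules are left out.

```python
from dataclasses import dataclass, field

LINK_BPS = 1_000_000_000  # constructed: a 1 Gbit/s monitored link


@dataclass
class Second:
    """Counters for one capture second (a constructed shape, not the patent's storage format)."""
    t: int
    bytes_by_ip: dict = field(default_factory=dict)
    packets: int = 0
    broadcast: int = 0
    non_ip: int = 0
    timeout_ips: int = 0
    zero_window: int = 0
    port_reuse: int = 0
    out_of_order: int = 0
    dup_ack_by_ip: dict = field(default_factory=dict)
    retrans_by_ip: dict = field(default_factory=dict)


BROADCAST = "high bandwidth occupancy due to rapid increase in broadcast packets"
NON_IP = "unknown packets occupies a large amount of bandwidth"
OUTAGE = "suspicion of unavailability of service due to network interface shutdown or equipment outage"
CABLE = "suspicion of service interruption due to cable or GBIC failure"
# (attribute, limit, finding): fires when the per-second count is more than the limit.
# Some labels are shortened from the page's wording.
COUNTER_RULES = [
    ("zero_window", 10, "suspicion of zero window creation"),
    ("port_reuse", 3, "client-side local port exhaustion suspicion"),
    ("out_of_order", 3, "suspicion of TCP segment loss due to packet loss"),
]
# Same, but the count is kept per IP and the finding names the IP.
PER_IP_RULES = [
    ("dup_ack_by_ip", 60, "Network Congestion"),
    ("retrans_by_ip", 1000, "suspicion of loop occurrence in the duplication section"),
]


def diagnose(seconds, link_bps):
    """Return [(t, finding, ip_or_None)] for consecutive one-second samples."""
    found, surge_run = [], 0
    for s in seconds:
        bits = 8 * sum(s.bytes_by_ip.values())
        used = bits / link_bps
        # Bandwidth rules: 85% surge, persistence after more than 60 s, 2% floor.
        if used >= 0.85:
            surge_run += 1
            found.append((s.t, "traffic surge", None))
            if surge_run == 61:  # reported once per run, at the 61st consecutive second
                found.append((s.t, "traffic excessive state persistence", None))
        else:
            surge_run = 0
        if used < 0.02:
            found.append((s.t, "suspected network failure", None))
        if bits:
            ip, top = max(s.bytes_by_ip.items(), key=lambda kv: kv[1])
            if 8 * top / bits > 0.50:
                found.append((s.t, "concentration of traffic to a specific IP", ip))
        # Packet-share rules; an empty second has no shares to compute.
        if s.packets:
            if s.broadcast / s.packets > 0.70:
                found.append((s.t, BROADCAST, None))
            if s.non_ip / s.packets > 0.50:
                found.append((s.t, NON_IP, None))
        # Timeout rules. The page leaves exactly 20 IPs unclassified; so does this code.
        if s.timeout_ips > 20:
            found.append((s.t, OUTAGE, None))
        elif 10 < s.timeout_ips < 20:
            found.append((s.t, CABLE, None))
        for attr, limit, label in COUNTER_RULES:
            if getattr(s, attr) > limit:
                found.append((s.t, label, None))
        for attr, limit, label in PER_IP_RULES:
            for ip, count in sorted(getattr(s, attr).items()):
                if count > limit:
                    found.append((s.t, label, ip))
    return found


def sample_seconds():
    """Constructed input: 61 s of sustained load, then one nearly idle, faulty second."""
    busy = [Second(t, {"192.0.2.5": 70_000_000, "192.0.2.9": 40_000_000}, packets=90_000)
            for t in range(61)]
    odd = Second(61, {"192.0.2.5": 1_000_000, "192.0.2.9": 1_000_000}, packets=1_000,
                 broadcast=800, timeout_ips=15, retrans_by_ip={"192.0.2.9": 1500})
    return busy + [odd]


if __name__ == "__main__":
    for finding in diagnose(sample_seconds(), LINK_BPS)[-6:]:
        print(finding)
```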
  • Diagnosis items are defined, the condition of the diagnosis subject is measured, symptoms of the diagnosis subject are provided, expected causes are provided, measures for each expected cause are provided, and analysis results are provided.
  • Automatic diagnosis targets include performance, usage, UDP, TCP or HTTP errors.
  • Event management targets in the event management unit 150 include events by packet analysis, SNMP TRAP events, SYSLOG events, and the like.
  • When a packet analysis event occurs, it creates and manages the three-step events of Warning, Critical, and Info, performs SNMP Trap event collection processing, and supports SNMP v1, v2c or v3.
  • When a SYSLOG event occurs, SYSLOG event collection and search are performed, and classification by SYSLOG level is performed.
  • The report preparation unit 170 creates a packet analysis-based diagnosis report that includes performance and usage, UDP/TCP analysis, and application analysis. Its report creation function includes filtering by period, IP, port, and tag, and allows report items to be selected. For example, it can provide 16 selection options including network status, network usage and performance, failures/events, application services, automatic diagnosis, L2 to L7 analysis, statistics and trend analysis, and events. It also provides the ability to select the report title, date, and logo, an opinion input window for each report item, and a comprehensive opinion input window. It can provide, for example, four report templates, and it provides a report preview feature. It can create PDF and Tab Separated Values (TSV) files, and it provides a RAW Data download function for raw data storage and management.
  • FIG. 3 is a conceptual diagram showing the connection between the intelligent network management device of FIG. 1 and an external device.
  • The external device may be network equipment 210 of a data center, a remote intelligent network management device 220, or the like.
  • The network equipment 210 of the data center connects to the physical network (Physical NW) through tapping or port mirroring and measures data.
  • The network equipment 210 of the data center may be a virtualization environment including a virtual switch (vSwitch).
  • The remote intelligent network management device 220 may be a device installed in a remote office.
  • The application data measurement unit 120 measures raw data and generates meta information.
  • Raw data consists of network packets, SNMP Trap, Syslog, etc. This raw data is stored and parsed to generate meta information. Through meta information generation, extraction of network state, usage, performance, failure and event information, automatic service recognition, classification, etc. are performed and the results are stored.
  • FIG. 4 is a conceptual diagram showing detailed functions of the automatic diagnosis unit in FIG. 1 .
  • The automatic diagnosis unit 140 automatically diagnoses the network through network status, network use and performance, failure/event, application service, automatic diagnosis, L2 to L7 analysis, statistics and trend analysis, and event processing.
  • The status of network equipment is identified through SNMP Trap information analysis, and Syslog data analysis is performed.
  • BPS (Bits Per Second), PPS (Packets Per Second), Latencies, Timeout
  • Automatic diagnosis of failure/event performs automatic diagnosis on UDP Flag, TCP Resets, TCP Zero Windows, TCP Reuse, TCP Duplicate ACKs, and TCP Retransmission. It also performs automatic diagnosis for HTTP 4XX and HTTP 5XX.
  • Automatic diagnosis of application service performs automatic recognition of application services and detailed payload analysis. It thus performs automatic diagnosis for HTTP, DNS, SMTP, POP3, IMAP, and FTP.
  • L2 to L7 analysis performs Mac usage analysis as Layer 2 analysis, Hop Count analysis as Layer 3 analysis, analysis by port (by source and destination) as Layer 4 analysis, and automatic diagnosis of application services through Layer 7 analysis.
  • Automatic diagnosis of statistics and trend analysis performs automatic diagnosis of performance indicators (BPS, PPS, Latency, Timeout), TCP related, HTTP error, Layer 7 analysis, and flow trend.
  • Automatic diagnosis of events performs threshold setting and control by performance, alarm generation and level setting, search and inquiry by alarm level, and automatic diagnosis of Syslog Server (Remote) and SNMP Trap Server. Alarm/Event provides a real-time network status monitoring and notification service.
  • FIG. 5 is a conceptual diagram showing detailed functions of the one-click processing unit in FIG. 1 .
  • When a user clicks one or more of BPS, PPS, Latencies, Timeout, HTTP Error, and TCP Flag, the one-click processing unit 160 provides all information needed to solve network problems, including detailed information about the clicked item and the meaning, symptoms, expected causes, and action plan for that information.
  • The one-click processing unit 160 provides network traffic status (Avg or Top) information when the BPS item is clicked; Unicast, Multicast, Broadcast, or Unknown status information when the PPS item is clicked; network response delay status (by Avg, Top or IP) information when the Latencies item is clicked; network Timeout status (by Avg, Top or IP) information when the Timeout item is clicked; HTTP Code state or URL comparison analysis status information when the HTTP Error item is clicked; and TCP Zero Windows, Duplicate ACK, Retransmission, or Reset occurrence status information when the TCP Flag item is clicked. It also provides descriptions and causes of occurrence for each item, provides user-specified time filter information, and allows the user to manage the network by selecting a chart or graph.
  • FIG. 6 is a conceptual diagram showing detailed functions of the report preparation unit in FIG. 1 .
  • The report preparation unit 170 generates a diagnosis report with one click, without separate analysis or diagnosis work. It lets users designate a desired period and insert a user logo, and it provides a window for entering general opinions.
  • FIG. 7 is a conceptual diagram showing detailed functions of the user interface unit in FIG. 1 .
  • The user interface unit 180 provides a dashboard UI (User Interface), statistics UI, analysis tool UI, payload tracking UI, report UI, automatic diagnostic analysis UI, event UI, system setting UI, and the like.
  • FIG. 8 is a flowchart illustrating an intelligent network management method based on automatic packet analysis according to an embodiment of the present invention.
  • The application data measurement unit 120 measures data including network packets, SNMP TRAP and SYSLOG information from the network equipment 210 of the data center or the remote intelligent network management device 220.
  • After the first step, the network performance analysis unit 130 analyzes network performance using the data measured by the application data measurement unit 120.
  • The automatic diagnosis unit 140 automatically diagnoses the state of the network using the result analyzed by the network performance analysis unit 130.
  • The one-click processing unit 160 receives the result of the automatic diagnosis unit 140 and processes it so that the information needed to solve network problems, including detailed information of the network diagnosis and the meaning, symptoms, expected causes, and action plan for that information, is provided with a single click.
  • The user interface unit 180 provides a user interface so that the user can manage the network.
  • The intelligent network management device 100 provides, through automatic packet analysis, a guide for accurate and quick cause identification and resolution with one click for various and complex network issues, lets any network operator manage the network easily and conveniently, and provides customized network management services tailored to user needs by linking with various systems through its information collection and analysis functions.
  • FIG. 9 is a conceptual diagram showing an application example of the present invention.
  • The present invention makes it possible to perform constant control, performance management, and failure/event management of a business network through constant network control. Through integrated CCTV control, performance and failure management can be performed. Through performance management after network separation, it enables network performance improvement and diagnosis of network structure and configuration. Through network design, it also enables capacity optimization design.
  • FIG. 10 is a conceptual diagram showing an example of constant network control in FIG. 9 .
  • FIG. 11 is a conceptual diagram showing an example of integrated CCTV control in FIG. 9 .
  • FIG. 12 is a conceptual diagram showing an example of performance management after network separation in FIG. 9 .
  • Performance management can solve network performance problems. It can therefore contribute to VDI (Virtual Desktop Infrastructure) environments, physical network separation, and logical network separation.
  • FIG. 13 is a conceptual diagram showing an example of network design in FIG. 9 .
  • The present invention provides, through automatic packet analysis, a guide for accurately and quickly identifying and solving various and complex network issues (performance, failure, etc.) with one click, and enables network operators to manage the network easily and conveniently. It provides customized network management services tailored to user needs by linking with various systems through its information collection and analysis functions.
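
The per-second TCP thresholds listed above (RST, Zero Window, DUP ACK, retransmission, port reuse, out-of-order) can be applied to event data as in the following added example, which is not code from the patent or from the applicant's product. The event record layout, the function names, the constructed sample data, and counting per IP for the rules where the text names no key are assumptions.

```python
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional


class TcpEvent(NamedTuple):
    second: int  # capture time truncated to whole seconds
    ip: str      # host the symptom is attributed to
    role: str    # "server" or "client"
    kind: str    # "rst", "zero_window", "dup_ack", "retransmission", ...


class Finding(NamedTuple):
    second: int
    ip: str
    kind: str
    count: int
    diagnosis: str


RST_SERVER = "request to a non-existent server port, or to a port already disconnected"
RST_CLIENT = "application terminates connections with Reset instead of FIN"
RST_SILENT = "server or client terminated without notifying the termination"

# kind -> (count that must be EXCEEDED within one second, diagnosis text)
MORE_THAN = {
    "zero_window": (10, "suspected zero window caused by firewall/IPS/WAN accelerator errors"),
    "dup_ack": (60, "network congestion"),
    "retransmission": (1000, "suspected loop in the duplication section"),
    "port_reuse": (3, "suspected client local port exhaustion / server time-wait retention"),
    "out_of_order": (3, "suspected TCP segment loss due to packet loss"),
}


def classify_rst(role: str, count: int) -> Optional[str]:
    """Apply the three RST rules; note the mixed 'more than' / 'or more' wording."""
    if role == "server" and count > 10:
        return RST_SERVER
    if role == "client" and count >= 5:
        return RST_CLIENT
    if 3 <= count <= 4:
        return RST_SILENT
    # The text gives no rule for a server sending 5 to 10 RSTs per second.
    return None


def diagnose(events: Iterable[TcpEvent]) -> List[Finding]:
    """Count identical (second, ip, role, kind) events and apply the thresholds."""
    findings = []
    for (second, ip, role, kind), n in sorted(Counter(events).items()):
        if kind == "rst":
            text = classify_rst(role, n)
        else:
            limit, label = MORE_THAN.get(kind, (None, None))
            text = label if limit is not None and n > limit else None
        if text:
            findings.append(Finding(second, ip, kind, n, text))
    return findings


def burst(second: int, ip: str, role: str, kind: str, n: int) -> List[TcpEvent]:
    """Build n identical events (helper for the constructed sample only)."""
    return [TcpEvent(second, ip, role, kind)] * n


# Constructed sample: documentation-range addresses, three one-second buckets.
SAMPLE = (
    burst(0, "192.0.2.5", "server", "rst", 11)
    + burst(0, "192.0.2.9", "client", "rst", 5)
    + burst(0, "192.0.2.7", "server", "rst", 4)
    + burst(0, "192.0.2.8", "server", "rst", 7)       # falls between the rules
    + burst(1, "192.0.2.9", "client", "dup_ack", 60)  # exactly 60 is not "more than 60"
    + burst(2, "192.0.2.9", "client", "dup_ack", 61)
    + burst(2, "192.0.2.5", "server", "out_of_order", 4)
)

if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print(f"t={f.second}s {f.ip} {f.kind} x{f.count}: {f.diagnosis}")
```

The boundary cases in the sample show where the stated rules leave gaps: a server sending 5 to 10 RSTs per second matches no rule, and a count exactly at a "more than" threshold does not fire.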

Abstract

The present invention provides a device and method for automatic packet analysis-based intelligent network management, which can provide, by a single click, an accurate and fast troubleshooting guide for complex network issues (performance, failure, etc.) through automatic packet analysis, enable any network operator to manage a network easily and conveniently, and provide a network management service customized to user requirements by interworking with various systems through information collection and analysis functions.

Description

Intelligent network management device and method based on automatic packet analysis
The present invention relates to intelligent network management, and in particular to an automatic packet analysis-based intelligent network management device and method that uses automatic packet analysis to provide, with a single click, a guide for accurately and quickly identifying and resolving the causes of diverse and complex network issues (performance, failure, etc.), enables any network operator to manage a network easily and conveniently, and is suited to providing customized network management services tailored to user needs by interworking with various systems through its information collection and analysis functions.
In general, intelligent network technology collectively refers to the network and infrastructure technologies that will be commonly used for the intelligence-based Fourth Industrial Revolution and innovative growth. In detail, it comprehensively includes SDN (Software-Defined Networking), NFV (Network Functions Virtualization), network intelligence technology, low-latency/time-deterministic network technology, quantum information communication technology, network architecture technology, transport network technology, and wired/wireless access technology.
Network intelligence technology refers to technology that automatically performs functions such as end-to-end network (re)configuration, control, management and orchestration by repeating a series of procedures such as automatic data collection and feedback for autonomous decision-making using artificial intelligence technologies such as machine learning.
The meaning of such intelligent networks is evolving over time and is leading primarily to breakthroughs in computation and algorithms.
Prior art that has been disclosed includes Korean Patent Registration No. 10-1998863, 'System for Communication Failure Management and Maintenance of Network Equipment', and Korean Patent Registration No. 10-2133001, 'Network Management Apparatus, Network Management System and Network Management Method'.
When a network goes down, the business stops with it. Delays in work processing caused by degraded network performance also translate into direct losses for the organization. The average loss from a single network outage was reported to reach USD 402,542 in the United States. (Source: The Rise of AIOps: How Data, Machine Learning, and AI Will Transform Performance Monitoring, Appdynamics News, 2018.12.17.) Network outages therefore need to be minimized.
The Uptime Institute, which evaluates network performance, has studied publicly reported cases of network outages. According to this work, the share of network failures among IT failures rose sharply from 19% in 2017 to 32% in 2018. A technology that can quickly trace the cause and propose a solution when a network outage occurs is therefore required.
Conventional network management includes the NMS (Network Management System), TMS (Traffic Management System), DPI (Data Packet Inspector), and Packet Analyzer.
However, an NMS (Network Management System), which centers on equipment and line monitoring, is limited in resolving intricately entangled network issues. A TMS (Traffic Management System) for network traffic management is limited in that it cannot support in-depth analysis of the payload. DPI (Data Packet Inspector) and Packet Analyzer tools are very complex and difficult, which makes them inconvenient to use and demands a high level of expertise.
The present invention has been proposed to solve the conventional problems described above. Its object is to provide an automatic packet analysis-based intelligent network management device and method that uses automatic packet analysis to provide, with a single click, a guide for accurately and quickly identifying and resolving the causes of diverse and complex network issues (performance, failure, etc.), enables any network operator to manage a network easily and conveniently, and can provide customized network management services tailored to user needs by interworking with various systems through its information collection and analysis functions.
FIG. 1 is a conceptual diagram of an automatic packet analysis-based intelligent network management device according to an embodiment of the present invention, FIG. 2 is a conceptual diagram showing detailed functions of each part in FIG. 1, FIG. 3 is a conceptual diagram showing the connection between the intelligent network management device of FIG. 1 and an external device, FIG. 4 is a conceptual diagram showing detailed functions of the automatic diagnosis unit in FIG. 1, FIG. 5 is a conceptual diagram showing detailed functions of the one-click processing unit in FIG. 1, FIG. 6 is a conceptual diagram showing detailed functions of the report preparation unit in FIG. 1, and FIG. 7 is a conceptual diagram showing detailed functions of the user interface unit in FIG. 1.
As shown, the intelligent network management device 100, which performs network management, is characterized by comprising: a control unit 110 that controls the intelligent network management device 100 so that it provides, with a single click through automatic packet analysis, a guide for accurately and quickly identifying and resolving the causes of diverse and complex network issues, enables any network operator to manage the network easily and conveniently, and provides customized network management services tailored to user needs by interworking with various systems through its information collection and analysis functions; an application data measurement unit 120 that, under the control of the control unit 110, measures data including network packets, SNMP TRAP and SYSLOG information from the network equipment 210 of a data center or a remote intelligent network management device 220; a network performance analysis unit 130 that, under the control of the control unit 110, analyzes network performance using the data measured by the application data measurement unit 120; an automatic diagnosis unit 140 that, under the control of the control unit 110, automatically diagnoses the state of the network using the result analyzed by the network performance analysis unit 130; an event management unit 150 that, under the control of the control unit 110, manages events including events from packet analysis, SNMP TRAP events and SYSLOG events; a one-click processing unit 160 that, under the control of the control unit 110, receives the result of the automatic diagnosis unit 140 and processes it so that the information needed to solve network problems, including detailed information of the network diagnosis and the meaning, symptoms, expected causes and countermeasures for that information, is provided with a single click; a report preparation unit 170 that, under the control of the control unit 110, creates a packet analysis-based network diagnosis report; and a user interface unit 180 that, under the control of the control unit 110, provides a user interface so that the user can perform network management.
The application data measurement unit 120 is characterized in that the types of collected data include network packets, SNMP TRAP and SYSLOG; the collection method uses SPAN/Port Mirroring or Tap equipment; collection takes place immediately or on a schedule; and collected data is stored as metadata and original packets (PCAP).
The network performance analysis unit 130 is characterized in that network usage and performance analysis uses BPS, PPS, Latency or Timeout; failure/event analysis uses TCP Session, UDP Session or HTTP Error; application service (L7) analysis uses HTTP, DNS, SMTP, POP3, IMAP, FTP Server tracking or Client tracking; L2 to L4 analysis is performed as Mac usage analysis, hop count analysis, UDP port analysis, TCP port analysis or payload analysis; and statistics and trend analysis uses usage, performance indicators, failures, or events.
The automatic diagnosis unit 140 is characterized in that it defines diagnosis items, measures the state of the diagnosis subject, provides the symptoms of the diagnosis subject, provides expected causes, provides measures for each expected cause, and provides analysis results, and in that the automatic diagnosis targets include performance, usage, UDP, TCP or HTTP errors.
The event management unit 150 is characterized in that, when a packet analysis event occurs, it creates and manages three-step events of Warning, Critical, and Info, performs SNMP Trap event collection processing, and supports SNMP v1, v2c or v3, and in that, when a SYSLOG event occurs, it performs SYSLOG event collection and search and performs classification by SYSLOG level.
The one-click processing unit 160 is characterized in that, when the user clicks one or more of BPS, PPS, Latencies, Timeout, HTTP Error, and TCP Flag, it provides the information needed to solve network problems, including detailed information about the clicked item and the meaning, symptoms, expected causes, and countermeasures for that information; it provides network traffic status (Avg or Top) information when the BPS item is clicked, Unicast, Multicast, Broadcast, or Unknown status information when the PPS item is clicked, network response delay status (by Avg, Top or IP) information when the Latencies item is clicked, network Timeout status (by Avg, Top or IP) information when the Timeout item is clicked, HTTP Code state or URL comparison analysis status information when the HTTP Error item is clicked, and TCP Zero Windows, Duplicate ACK, Retransmission, or Reset occurrence status information when the TCP Flag item is clicked; and it provides a description and cause of occurrence for each item, provides user-specified time filter information, and allows the user to manage the network by selecting a chart or graph.
FIG. 8 is a flowchart illustrating an intelligent network management method based on automatic packet analysis according to an embodiment of the present invention.
As shown, when network management is performed by the intelligent network management device 100, the method is characterized by comprising: a first step (ST1) in which the application data measurement unit 120 measures data including network packets, SNMP TRAP and SYSLOG information from the network equipment 210 of the data center or the remote intelligent network management device 220; a second step (ST2) in which, after the first step, the network performance analysis unit 130 analyzes network performance using the data measured by the application data measurement unit 120; a third step (ST3) in which the automatic diagnosis unit 140 automatically diagnoses the state of the network using the result analyzed by the network performance analysis unit 130; a fourth step (ST4) in which, after the third step, the one-click processing unit 160 receives the result of the automatic diagnosis unit 140 and processes it so that the information needed to solve network problems, including detailed information of the network diagnosis and the meaning, symptoms, expected causes, and countermeasures for that information, is provided with a single click; and a fifth step (ST5) in which, after the fourth step, the user interface unit 180 provides a user interface so that the user can perform network management; whereby the intelligent network management device 100 provides, with a single click through automatic packet analysis, a guide for accurately and quickly identifying and resolving the causes of diverse and complex network issues, enables any network operator to manage the network easily and conveniently, and provides customized network management services tailored to user needs by interworking with various systems through its information collection and analysis functions.
The automatic packet analysis-based intelligent network management device and method according to the present invention have the effect of providing, with a single click through automatic packet analysis, a guide for accurately and quickly identifying and resolving the causes of diverse and complex network issues (performance, failure, etc.), enabling any network operator to manage the network easily and conveniently, and providing customized network management services tailored to user needs by interworking with various systems through the information collection and analysis functions.
The present invention also has the effect of providing, with a single click, all the information needed to solve a problem, such as detailed information, the meaning of that information, symptoms, expected causes, and countermeasures, whereas the prior art can identify the cause of a problem through an analysis process but is limited in that it cannot suggest countermeasures.
The present invention also makes it possible to clearly identify the cause of a network problem with a single click, to provide a troubleshooting guide (ADA: Automatic Diagnostics Analysis), and to operate by approaching problems without drill-down.
The present invention can also be operated in a single system from information collection through analysis, diagnosis, and results (All-In-One), can offer options for selecting the optimal system for the operating environment (Portable, Rack Mount, Rugged PC, Cloud, etc.), and can be used immediately without any pre-configuration work (Zero Configuration).
The present invention also has the advantage of being vendor-independent because its packet collection technology uses a general NIC (Network Interface Controller), the advantage of being unaffected by the user environment because the L7 protocol automatic classification engine is built in, the advantage of being able to interwork (Rest API) with EMS, SIEM, NMS and the like, and the effect of enabling customization services according to user requirements.
The present invention is also inexpensive, at about 1/4 of the price of foreign solutions for the same purpose, while at the same time reducing MTTR (Mean Time To Repair) by 1/5 or more. With the prior art, it takes about 1 to 2 weeks to go through system setting information collection, analysis, report writing, and problem resolution. In contrast, the present invention has the advantage that information collection, analysis, report writing, and problem resolution can be handled within about 2 to 3 days. (The total time required for problem resolution given here is a general empirical value and may vary depending on the nature of the problem.) The present invention can shorten the advance preparation (setup) time for collecting network information and the time needed to identify the cause of a problem through analysis. It can also shorten the action and recovery time for problem resolution, as well as the time needed to write the final report.
또한 종래 기술의 경우, 네트워크 관리를 위해서 네트워크 및 솔루션 운영 전문가가 반드시 필요함에 반해, 본 발명은 초급 네트워크 엔지니어에 의해서도 운영이 가능한 장점이 있다.In addition, in the case of the prior art, a network and solution operation expert is absolutely necessary for network management, whereas the present invention has the advantage that it can be operated even by a beginner network engineer.
FIG. 1 is a conceptual diagram of an intelligent network management device based on automatic packet analysis according to an embodiment of the present invention.
FIG. 2 is a conceptual diagram showing the detailed functions of each part in FIG. 1.
FIG. 3 is a conceptual diagram showing the connection between the intelligent network management device of FIG. 1 and external devices.
FIG. 4 is a conceptual diagram showing the detailed functions of the automatic diagnosis unit in FIG. 1.
FIG. 5 is a conceptual diagram showing the detailed functions of the one-click processing unit in FIG. 1.
FIG. 6 is a conceptual diagram showing the detailed functions of the report writing unit in FIG. 1.
FIG. 7 is a conceptual diagram showing the detailed functions of the user interface unit in FIG. 1.
FIG. 8 is a flowchart showing an intelligent network management method based on automatic packet analysis according to an embodiment of the present invention.
FIG. 9 is a conceptual diagram showing application examples of the present invention.
FIG. 10 is a conceptual diagram showing an example of always-on network monitoring in FIG. 9.
FIG. 11 is a conceptual diagram showing an example of integrated CCTV monitoring in FIG. 9.
FIG. 12 is a conceptual diagram showing an example of performance management after network separation in FIG. 9.
FIG. 13 is a conceptual diagram showing an example of network design in FIG. 9.
Preferred embodiments of the automatic packet analysis-based intelligent network management device and method according to the present invention, configured as described above, are described in detail below with reference to the accompanying drawings. In describing the present invention, detailed descriptions of related known functions or configurations are omitted where they could unnecessarily obscure the gist of the invention. The terms used below are defined in consideration of their functions in the present invention and may vary according to the intention of a user or operator or according to precedent; the meaning of each term should therefore be interpreted on the basis of the content of this specification as a whole.
First, the present invention is intended to provide, through automatic packet analysis, a guide for accurately and quickly identifying and resolving the causes of diverse and complex network issues (performance, failures, etc.) with a single click; to let any network operator manage the network easily and conveniently; and to provide a customized network management service tailored to user requirements by interworking with various systems through its information collection and analysis functions.
FIG. 1 is a conceptual diagram of an intelligent network management device based on automatic packet analysis according to an embodiment of the present invention.
The intelligent network management device 100, which performs network management, may include a control unit 110, an application data measurement unit 120, a network performance analysis unit 130, an automatic diagnosis unit 140, an event management unit 150, a one-click processing unit 160, a report writing unit 170, and a user interface unit 180.
The control unit 110 controls the intelligent network management device 100 so that it provides, through automatic packet analysis, a guide for accurately and quickly identifying and resolving the causes of diverse and complex network issues with a single click; lets any network operator manage the network easily and conveniently; and provides a customized network management service tailored to user requirements by interworking with various systems through its information collection and analysis functions.
The application data measurement unit 120, under the control of the control unit 110, measures data including network packets, SNMP TRAP, and SYSLOG information from the network equipment 210 of a data center or from a remote intelligent network management device 220.
The network performance analysis unit 130, under the control of the control unit 110, analyzes network performance using the data measured by the application data measurement unit 120.
The automatic diagnosis unit 140, under the control of the control unit 110, automatically diagnoses the state of the network using the results of the network performance analysis unit 130.
The event management unit 150, under the control of the control unit 110, manages events including events from packet analysis, SNMP TRAP events, and SYSLOG events.
The one-click processing unit 160, under the control of the control unit 110, receives the results of the automatic diagnosis unit 140 and provides, with a single click, the information needed to resolve a network problem, including the details of the network diagnosis, the meaning of that information, the symptoms, the expected causes, and the corrective actions.
The report writing unit 170, under the control of the control unit 110, writes a network diagnosis report based on packet analysis.
The user interface unit 180, under the control of the control unit 110, provides a user interface through which the user can manage the network.
FIG. 2 is a conceptual diagram showing the detailed functions of each part in FIG. 1.
The application data measurement unit 120 collects network packets, SNMP TRAPs, and SYSLOG. Collection uses SPAN/port mirroring or a tap device. Collection starts immediately or on a schedule. Throughput may be 500 Mbps, 1G, 5G, 10G, and so on. Collected data is stored as metadata and as the original packets (PCAP). The maximum storage capacity may be 76 TB (portable: 32 TB).
In addition, the application data measurement unit 120 receives data center information as packets and manages the packet data as information bundles. When packets arrive at the NIC, each packet is distributed to and stored in one of several separate queues (hardware buffers) inside the NIC to balance load on the NIC. Taking data out of the hardware buffers and processing it is done by the application program.
The application data measurement unit 120 has a pre-specified number of queues created in the NIC hardware itself. It then allocates separate threads for reading data from the NIC, one per queue. It also creates in advance a separate buffer into which the raw packets in the NIC's internal queues can be moved and stored. Whether packets have accumulated in a queue can be checked automatically or manually. With automatic checking, there is a delay between the system checking the queue and the program being notified of the result. The sequence is "system checks the queue → message is sent to the program → program handles the message → queue is processed", and the 'message is sent to the program' and 'program handles the message' steps are the source of the delay. This delay is therefore avoided by manual control based on an infinite loop: the program performs "check the queue → process the queue → repeat".
In addition, in the application data measurement unit 120 all threads run at the same time to calculate and check the size of the data accumulated in each queue. A storage position in the buffer is then chosen for each queue. If the size of the data to be stored is larger than the space remaining in the buffer, the buffer is replaced with a new, empty one. Once the storage positions have been assigned, the threads write their data into the single buffer simultaneously. In general, when several threads write to a single buffer at once, they may write to the same location at the same time; here that cannot happen, because the regions being written do not overlap. Because the storage positions are assigned in advance, no memory is wasted. The prior art either uses a single thread, which limits write speed (to around 10 Gbps at most), or solves the speed problem with separate FPGA-based hardware, whereas the present invention achieves high-speed processing by purely software means.
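The reserve-then-write scheme described above, modelled as an added example that is not code from the patent or the applicant's product. Python lists stand in for the NIC queues, and the class and function names, the single-threaded planning step, and the refusal of a round larger than one buffer are assumptions.

```python
from concurrent.futures import ThreadPoolExecutor
from itertools import accumulate


class Capture:
    """One shared buffer that several reader threads fill during a round."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.buf = bytearray(capacity)
        self.used = 0
        self.sealed = []  # filled buffers handed off for storage

    def plan(self, sizes):
        """Reserve one region per queue; the regions are disjoint by construction."""
        total = sum(sizes)
        if total > self.capacity:
            raise ValueError("round is larger than a whole buffer")
        if total > self.capacity - self.used:
            # Not enough room left: replace the buffer with a new, empty one.
            self.sealed.append(bytes(self.buf[:self.used]))
            self.buf, self.used = bytearray(self.capacity), 0
        # Prefix sums give each queue its start offset.
        starts = [self.used + s for s in list(accumulate(sizes, initial=0))[:-1]]
        self.used += total
        return starts


def drain_round(capture, queues, pool):
    """Move everything pending in the queues into the shared buffer.

    Returns the (start, end) region written for each queue.
    """
    # Step 1 (parallel): each thread measures what its own queue holds.
    sizes = list(pool.map(lambda q: sum(map(len, q)), queues))
    # Step 2 (single-threaded): assign storage positions before any write.
    starts = capture.plan(sizes)
    # A memoryview cannot resize the buffer, so a write can never spill over.
    view = memoryview(capture.buf)

    def write(i):
        # Step 3 (parallel): each thread writes only inside its own region.
        pos = starts[i]
        for pkt in queues[i]:
            view[pos:pos + len(pkt)] = pkt
            pos += len(pkt)
        queues[i].clear()
        return (starts[i], pos)

    regions = list(pool.map(write, range(len(queues))))
    view.release()
    return regions


if __name__ == "__main__":
    # Constructed packets: four queues, one of them empty.
    capture = Capture(capacity=16)
    with ThreadPoolExecutor(max_workers=4) as pool:
        print(drain_round(capture, [[b"aaaa", b"bb"], [], [b"cccccc"], [b"d"]], pool))
        print(bytes(capture.buf[:capture.used]))
```
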
In addition, the application data measurement unit 120 manages a buffer that stores many packets, and each packet includes an L2 header, an L3 header, an L4 header, and the packet body (body and payload). An information bundle has the structure 'first stored time, last stored time, information block 1, information block 2, information block 3, ..., information block n'. An information block has the structure 'compressed size, actual size, compressed binary information data'. Within that binary information data, fixed-length data has the structure 'fixed-width data 1, fixed-width data 2, fixed-width data 3, fixed-width data 4, ..., fixed-width data n'. Variable-length data has the structure 'fixed-width data 1 (including variable-length information), variable-length data 1, fixed-width data 2 (including variable-length information), variable-length data 2, fixed-width data 3 (including variable-length information), variable-length data 3, ..., fixed-width data n (including variable-length information), variable-length data n'.
The application data measurement unit 120 generates metadata for each individual packet. The metadata includes the time the packet was seen, packet size, session ID, MAC address, and various TCP-specific information. The information bundles include a session bundle, a BPS bundle, a PPS bundle, an RTT bundle, a timeout bundle, a TCP bundle, a Remarks bundle, and an event bundle. The session bundle stores the session ID, client IP/port, server IP/port, L4 protocol, and L7 protocol. The BPS bundle stores the session ID, the transmission time (in seconds), the amount of data sent per second from client to server, and the amount of data sent per second from server to client. The PPS bundle stores the session ID, the transmission time (in seconds), the number of packets sent per second from client to server, and the number of packets sent per second from server to client. The RTT (Round Trip Time) bundle stores the session ID, the transmission delay from client to server, and the transmission delay from server to client. The timeout bundle stores the full session information and the time of occurrence. The TCP bundle stores TCP SYN (the time period and session in which a TCP SYN occurred), TCP RST (the time period and session in which a TCP RST occurred), TCP DUP ACK (the time period and session in which a TCP DUP ACK occurred), TCP packet retransmission (the time period and session in which a TCP packet retransmission occurred), and other TCP problems (the time period of occurrence and the problem type: TCP Zero Window, Port Reused, Out of Order). The Remarks bundle stores HTTP request/response headers, DNS queries and their results, SMTP email sender and recipient IDs, and FTP/IMAP/POP3 error details. The event bundle stores information on events raised when a value is at or above, or at or below, a threshold defined in advance by the user, or at or above a defined rate of change.
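A reader for the bundle and block layout described above, as an added example that is not from the patent. The description gives only the field order, so the field widths, little-endian byte order, zlib as the compressor and the 1 MiB block cap are assumptions. The reader checks every declared size before trusting it, so a corrupted or hostile bundle cannot cause an over-read or unbounded inflation.

```python
import struct
import zlib

# Assumed encodings: the description names the fields, not their widths.
BUNDLE_HDR = struct.Struct("<QQ")   # first stored time, last stored time
BLOCK_HDR = struct.Struct("<II")    # compressed size, actual size
FIXED_REC = struct.Struct("<IIQQ")  # BPS record: session id, second, c2s bytes, s2c bytes
VAR_HDR = struct.Struct("<IH")      # fixed part of a Remarks record: session id, variable length
MAX_BLOCK = 1 << 20                 # assumed policy: refuse blocks that claim more than 1 MiB


class BundleError(ValueError):
    """Raised when a bundle's declared sizes do not match its contents."""


def pack_bundle(first_ts, last_ts, raw_blocks):
    """Serialize blocks as 'compressed size, actual size, compressed data'."""
    out = [BUNDLE_HDR.pack(first_ts, last_ts)]
    for raw in raw_blocks:
        comp = zlib.compress(raw)
        out.append(BLOCK_HDR.pack(len(comp), len(raw)) + comp)
    return b"".join(out)


def parse_bundle(buf):
    """Return (first_ts, last_ts, [decompressed block, ...]) or raise BundleError."""
    if len(buf) < BUNDLE_HDR.size:
        raise BundleError("truncated bundle header")
    first_ts, last_ts = BUNDLE_HDR.unpack_from(buf, 0)
    if first_ts > last_ts:
        raise BundleError("first stored time is after last stored time")
    pos, blocks = BUNDLE_HDR.size, []
    while pos < len(buf):
        if len(buf) - pos < BLOCK_HDR.size:
            raise BundleError("truncated block header")
        comp_size, actual = BLOCK_HDR.unpack_from(buf, pos)
        pos += BLOCK_HDR.size
        if comp_size > len(buf) - pos:
            raise BundleError("compressed size runs past the end of the bundle")
        if actual > MAX_BLOCK:
            raise BundleError("declared actual size exceeds the block cap")
        inflater = zlib.decompressobj()
        try:
            # Never inflate more than one byte beyond what the header promised.
            raw = inflater.decompress(buf[pos:pos + comp_size], actual + 1)
        except zlib.error as exc:
            raise BundleError("corrupt compressed data") from exc
        if len(raw) != actual or not inflater.eof or inflater.unused_data:
            raise BundleError("actual size does not match the decompressed data")
        blocks.append(raw)
        pos += comp_size
    return first_ts, last_ts, blocks


def parse_fixed(raw):
    """Fixed-width layout: records packed back to back."""
    if len(raw) % FIXED_REC.size:
        raise BundleError("partial fixed-width record")
    return [FIXED_REC.unpack_from(raw, off) for off in range(0, len(raw), FIXED_REC.size)]


def parse_variable(raw):
    """Variable layout: each fixed part carries the length of the data after it."""
    records, pos = [], 0
    while pos < len(raw):
        if len(raw) - pos < VAR_HDR.size:
            raise BundleError("truncated variable-record header")
        session_id, length = VAR_HDR.unpack_from(raw, pos)
        pos += VAR_HDR.size
        if length > len(raw) - pos:
            raise BundleError("variable part runs past the end of the block")
        records.append((session_id, raw[pos:pos + length]))
        pos += length
    return records


def sample_bundle():
    """Constructed sample: one fixed-width (BPS) block and one variable-length (Remarks) block."""
    bps = FIXED_REC.pack(7, 1700000000, 1500, 98000) + FIXED_REC.pack(7, 1700000001, 900, 64000)
    remarks = b"".join(VAR_HDR.pack(sid, len(v)) + v
                       for sid, v in [(7, b"GET /index.html"), (9, b"")])
    return pack_bundle(1700000000, 1700000059, [bps, remarks])


if __name__ == "__main__":
    first, last, blocks = parse_bundle(sample_bundle())
    print(first, last, parse_fixed(blocks[0]), parse_variable(blocks[1]))
```
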
In the network performance analysis unit 130, network usage and performance analysis uses BPS, PPS, latency, or timeout. Failure/event analysis uses TCP sessions, UDP sessions, or HTTP errors. Application service (L7) analysis uses HTTP, DNS, SMTP, POP3, IMAP, FTP, server tracing, or client tracing. L2 to L4 analysis is performed as MAC usage analysis, hop count analysis, UDP port analysis, TCP port analysis, or payload analysis. Statistics and trend analysis uses usage, performance indicators, failures, or events.
In addition, the network performance analysis unit 130 generates basic performance indicators, which include BPS, PPS, latency, and timeout. It also generates one or more additional performance indicators from among: the number of flows created per time period and per IP, TCP performance indicators, the list of IPs providing TCP-based services, the list of IPs providing UDP-based services, the MAC address of each IP, data usage per port number, and per-L7-protocol performance indicators. The TCP performance indicators include TCP RST, TCP Zero Windows, TCP DUP ACKs, TCP retransmission, TCP port reuse, and TCP packet reordering, and the per-L7-protocol performance indicators may include analysis by DNS query result, HTTP connection status, and measurement of data volume per SMTP sender/recipient.
The network performance analysis unit 130 determines which performance indicator analysis is to be performed from among BPS-based analysis, PPS-based analysis, timeout-based analysis, TCP RST-based analysis, TCP Zero Windows analysis, TCP DUP ACK analysis, TCP retransmission analysis, TCP port reuse analysis, TCP packet reordering analysis, HTTP error status analysis, and additional-indicator analysis.
For BPS-based analysis, the network performance analysis unit 130 reports 'traffic surge' if traffic is 85% or more of the total available bandwidth, 'sustained excessive traffic' if the traffic surge persists for 60 seconds or more, 'traffic concentrated on a specific IP' if 50% or more of total traffic is concentrated on a single IP, and 'suspected network failure' if the traffic in use is less than 2% of the total available bandwidth. For PPS-based analysis, it reports 'high bandwidth occupancy due to a sharp increase in broadcast packets' if broadcast packets make up 70% or more of all packets, and 'unknown packets occupying a large share of bandwidth' if non-IP packets make up 50% or more of all packets. For timeout-based analysis, it reports 'suspected service outage due to network interface shutdown or equipment power failure' if timeouts occur for 20 or more IPs per second during a user-specified period, and 'suspected service interruption due to a faulty cable or GBIC (Giga Bitrate Interface Converter)' if timeouts occur simultaneously for 10 or more but fewer than 20 IPs per second during a user-specified period. For TCP RST-based analysis, it reports 'a request arriving at a destination port that does not exist on the server side, or a connection attempt to a port whose connection has already been closed, or the like' if the same server sends RSTs 10 or more times per second; 'the application is closing connections with Reset instead of FIN' if the same client sends RSTs 5 or more times per second; and 'either the server or the client is terminating without notifying the other side' if the same client/server generates RSTs 3 to 4 times per second. For TCP Zero Windows analysis, it reports 'suspected zero window caused by a fault in a security device such as a firewall or IPS, or in a WAN accelerator or the like' for an IP on which the TCP Zero Window condition occurs 10 or more times per second. For TCP DUP ACK analysis, it reports 'network congestion (collision)' if DUP ACKs occur 60 or more times per second on a specific IP. For TCP retransmission analysis, it reports 'suspected loop in a redundant section' if TCP retransmissions occur 1000 or more times per second on a specific IP. For TCP port reuse analysis, it reports 'suspected client-side local port exhaustion and server held in the time wait state' if TCP port reuse is observed 3 or more times per second. For TCP packet reordering analysis, it reports 'suspected TCP segment loss due to packet loss or the like' if reordering occurs 3 or more times per second. For HTTP error status analysis, if the status code is HTTP 4XX and the same condition is found on fewer than 10 IPs, it is treated as a 'user input problem'; if the status code is HTTP 5XX, or is HTTP 4XX and the same condition is found on 10 or more IPs, it is treated as 'a problem in the server or client code'. For additional-indicator analysis, performance indicators are added and analyzed as they are added through the system settings or by the user.
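The threshold rules above, written out as an added example (not code from the patent or the applicant's product). The input shapes, function names and the choice to report a sustained surge once, at the 60th consecutive second, are assumptions; port reuse and reordering counts are taken as per-second totals because the text names no key for them.

```python
from collections import defaultdict

INF = float("inf")


def diagnose_bps(seconds, capacity_bps):
    """seconds: one {ip: bits} dict per second. Returns [(second, finding)]."""
    findings, surge_run = [], 0
    for t, bits_by_ip in enumerate(seconds):
        total = sum(bits_by_ip.values())
        if total >= 0.85 * capacity_bps:
            surge_run += 1
            findings.append((t, "traffic surge"))
            if surge_run == 60:  # reported once, when the surge has lasted 60 s
                findings.append((t, "sustained excessive traffic"))
        else:
            surge_run = 0
        if total and max(bits_by_ip.values()) >= 0.50 * total:
            findings.append((t, "traffic concentrated on a specific IP"))
        if total < 0.02 * capacity_bps:
            findings.append((t, "suspected network failure"))
    return findings


def diagnose_pps(seconds):
    """seconds: one {"total": n, "broadcast": n, "non_ip": n} dict per second."""
    findings = []
    for t, pkts in enumerate(seconds):
        if not pkts["total"]:
            continue
        if pkts["broadcast"] / pkts["total"] >= 0.70:
            findings.append((t, "broadcast packets occupying high bandwidth"))
        if pkts["non_ip"] / pkts["total"] >= 0.50:
            findings.append((t, "unknown packets occupying a large share of bandwidth"))
    return findings


def diagnose_timeouts(seconds):
    """seconds: one set per second holding the IPs that timed out in it."""
    findings = []
    for t, ips in enumerate(seconds):
        if len(ips) >= 20:
            findings.append((t, "suspected interface shutdown or power failure"))
        elif len(ips) >= 10:
            findings.append((t, "suspected faulty cable or GBIC"))
    return findings


# (counter, min per second, max per second, evaluated per key?, finding)
COUNT_RULES = [
    ("rst_by_server", 10, INF, True, "request to a nonexistent or already closed server port"),
    ("rst_by_client", 5, INF, True, "application closes with Reset instead of FIN"),
    ("rst_by_server", 3, 4, True, "one side terminated without notifying the other"),
    ("rst_by_client", 3, 4, True, "one side terminated without notifying the other"),
    ("zero_window_by_ip", 10, INF, True, "suspected security device or WAN accelerator fault"),
    ("dup_ack_by_ip", 60, INF, True, "network congestion"),
    ("retrans_by_ip", 1000, INF, True, "suspected loop in a redundant section"),
    ("port_reuse", 3, INF, False, "suspected client port exhaustion / server time wait"),
    ("out_of_order", 3, INF, False, "suspected TCP segment loss"),
]


def diagnose_tcp(seconds):
    """seconds: one {counter: {key: count}} dict per second. Returns [(second, key, finding)]."""
    findings = []
    for t, counters in enumerate(seconds):
        for name, low, high, per_key, label in COUNT_RULES:
            counts = counters.get(name, {})
            observed = counts.items() if per_key else [("*", sum(counts.values()))]
            findings += [(t, key, label) for key, n in observed if low <= n <= high]
    return findings


def diagnose_http(responses):
    """responses: iterable of (ip, status). Returns {status: finding} for 4XX and 5XX codes."""
    ips_by_status = defaultdict(set)
    for ip, status in responses:
        if 400 <= status <= 599:
            ips_by_status[status].add(ip)
    return {
        status: "user input problem" if status < 500 and len(ips) < 10
        else "problem in the server or client code"
        for status, ips in ips_by_status.items()
    }


if __name__ == "__main__":
    # Constructed counters for one second on an assumed 1 Gbit/s link.
    print(diagnose_bps([{"10.0.0.5": 900_000_000, "10.0.0.6": 40_000_000}], 1_000_000_000))
    print(diagnose_tcp([{"rst_by_server": {"10.0.0.9": 12}, "dup_ack_by_ip": {"10.0.0.5": 75}}]))
    print(diagnose_http([("10.0.1.1", 404), ("10.0.1.2", 500)]))
```
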
Automatic diagnosis in the automatic diagnosis unit 140 defines the diagnosis items, measures the state of the diagnosis target, and provides the target's symptoms, the expected causes, the corrective action for each expected cause, and the analysis results. Automatic diagnosis targets include performance, usage, UDP, TCP, or HTTP errors.
In the event management unit 150, the events to be managed include events from packet analysis, SNMP TRAP events, SYSLOG events, and the like. When a packet analysis event occurs, the unit creates and manages events at three levels (Warning, Critical, Info); it collects and processes SNMP Trap events and supports SNMP v1, v2c, or v3. When a SYSLOG event occurs, it collects and searches SYSLOG events and classifies them by SYSLOG level.
The report writing unit 170 writes a diagnosis report based on packet analysis, covering performance and usage, UDP/TCP analysis, and application analysis. Its report functions include filtering by period, IP, port, and tag. It also lets the user choose which report items to include; for example, it may offer 16 options including network status, network usage and performance, failures/events, application services, automatic diagnosis, L2 to L7 analysis, statistics and trend analysis, and events. It also provides selection of the report title, date, and logo, a comment field for each report item, and an overall comment field. It may also provide, for example, four report templates. It also provides a report preview and generation of PDF and TSV (Tab Separated Values) files. It also provides a raw data download function for archiving and managing raw data.
FIG. 3 is a conceptual diagram showing the connection between the intelligent network management device of FIG. 1 and external devices.
The external device may be the network equipment 210 of a data center, a remote intelligent network management device 220, or the like. The network equipment 210 of the data center connects to the physical network (Physical NW) by tapping or port mirroring to measure data. The network equipment 210 of the data center may also be a virtualized environment including a virtual switch (vSwitch). The remote intelligent network management device 220 may be a device installed in a remote office.
In the intelligent network management device 100, the application data measurement unit 120 measures raw data and generates meta information. The raw data consists of network packets, SNMP Traps, Syslog, and the like; this raw data is stored and parsed so that meta information can be generated. Through meta information generation, the unit extracts network status, usage, performance, failure, and event information, performs automatic service recognition and classification, and stores the results.
도 4는 도 1에서 자동 진단부의 세부 기능을 보인 개념도이다.FIG. 4 is a conceptual diagram showing detailed functions of the automatic diagnosis unit in FIG. 1 .
The automatic diagnosis unit (140) automatically diagnoses the network through network status, network usage and performance, failure/event, application service, automatic diagnosis, L2 to L7 analysis, statistics and trend analysis, and event processing.
In the automatic diagnosis of network status, the state of network equipment is identified by analyzing SNMP Trap information, and Syslog data is analyzed.
In the automatic diagnosis of network usage and performance, BPS (Bits Per Second), PPS (Packets Per Second), Latencies, and Timeout are automatically diagnosed.
In the automatic diagnosis of failures/events, UDP Flag, TCP Resets, TCP Zero Windows, TCP Reuse, TCP Duplicate ACKs, and TCP Retransmission are automatically diagnosed. HTTP 4XX and HTTP 5XX are also automatically diagnosed.
In the automatic diagnosis of application services, application services are automatically recognized and payloads are analyzed in detail. HTTP, DNS, SMTP, POP3, IMAP, and FTP are thus automatically diagnosed.
In the automatic diagnosis for presenting problem causes and solutions, TCP Retransmission, Hop Low, Microburst, RTT (Round Trip Time), TCP Reset, TCP Zero Windows, TCP DUP ACKs, and Timeout are automatically diagnosed.
In the automatic diagnosis of L2 to L7 analysis, Mac usage analysis is performed as Layer 2 analysis, Hop Account analysis as Layer 3 analysis, per-port analysis (by source and destination) as Layer 4 analysis, and automatic diagnosis of application services as Layer 7 analysis.
In the automatic diagnosis of statistics and trend analysis, performance indicators (BPS, PPS, Latency, Timeout), TCP-related items, HTTP errors, Layer 7 analysis, and flow trends are automatically diagnosed.
In the automatic diagnosis of events, automatic diagnosis is performed for per-performance threshold setting and control, alarm generation and level setting, search and lookup by alarm level, Syslog Server (Remote), and SNMP Trap Server. Alarms/events provide a real-time network status monitoring and notification service.
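The failure/event counters and the threshold-based alarm levels described above can be sketched as follows. This is an added example, not code from the patent: the packet records are constructed, the detection heuristics are simplified, the thresholds and the names analyze and raise_events are assumptions, and Warning/Critical/Info are the three levels named in claim 5.

```python
from collections import Counter, namedtuple

# One record per TCP segment, as capture metadata might store it.
# flags: S=SYN, A=ACK, P=PSH, F=FIN, R=RST; length = TCP payload bytes.
Pkt = namedtuple("Pkt", "ts src sport dst dport seq ack flags win length")

CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.9", 80)  # constructed hosts

def pkt(ts, a, b, seq, ack, flags, win, length):
    return Pkt(ts, a[0], a[1], b[0], b[1], seq, ack, flags, win, length)

# Constructed sample, seen at the server side: the segment with seq 6001 is
# lost downstream, the client repeats its ACK, the server retransmits, the
# client then advertises a zero window and the server resets the session.
SAMPLE = [
    pkt(0.000, CLIENT, SERVER, 1000, 0,    "S",  64240, 0),
    pkt(0.001, SERVER, CLIENT, 5000, 1001, "SA", 65160, 0),
    pkt(0.002, CLIENT, SERVER, 1001, 5001, "A",  64240, 0),
    pkt(0.003, CLIENT, SERVER, 1001, 5001, "PA", 64240, 100),
    pkt(0.010, SERVER, CLIENT, 5001, 1101, "A",  65160, 1000),
    pkt(0.011, SERVER, CLIENT, 6001, 1101, "A",  65160, 1000),
    pkt(0.012, SERVER, CLIENT, 7001, 1101, "A",  65160, 1000),
    pkt(0.013, CLIENT, SERVER, 1101, 6001, "A",  64240, 0),
    pkt(0.014, CLIENT, SERVER, 1101, 6001, "A",  64240, 0),     # duplicate ACK
    pkt(0.015, SERVER, CLIENT, 8001, 1101, "A",  65160, 1000),
    pkt(0.016, CLIENT, SERVER, 1101, 6001, "A",  64240, 0),     # duplicate ACK
    pkt(0.050, SERVER, CLIENT, 6001, 1101, "A",  65160, 1000),  # retransmission
    pkt(0.055, CLIENT, SERVER, 1101, 9001, "A",  0,     0),     # zero window
    pkt(0.060, SERVER, CLIENT, 9001, 1101, "RA", 0,     0),     # reset
]

def analyze(packets):
    """Count TCP fault indicators, tracking state per directional flow."""
    counts = Counter()
    state = {}  # flow -> highest sequence end seen, last pure ACK seen
    for p in packets:
        flow = (p.src, p.sport, p.dst, p.dport)
        st = state.setdefault(flow, {"next_seq": None, "last_ack": None})
        if "R" in p.flags:
            counts["tcp_reset"] += 1
            continue  # the window field of a RST is not a zero-window signal
        control = "S" in p.flags or "F" in p.flags
        if p.win == 0 and not control:
            counts["tcp_zero_window"] += 1
        if p.length > 0:
            # Data that starts below the highest byte already sent is a resend.
            if st["next_seq"] is not None and p.seq < st["next_seq"]:
                counts["tcp_retransmission"] += 1
            st["next_seq"] = max(st["next_seq"] or 0, p.seq + p.length)
            st["last_ack"] = None  # a data segment ends a duplicate-ACK run
        elif not control:
            key = (p.ack, p.win)  # same ACK number and same window = duplicate
            if st["last_ack"] == key:
                counts["tcp_dup_ack"] += 1
            st["last_ack"] = key
    return counts

# Assumed thresholds as a fraction of all packets: (warning, critical).
THRESHOLDS = {
    "tcp_retransmission": (0.05, 0.10),
    "tcp_dup_ack": (0.05, 0.10),
    "tcp_zero_window": (0.10, 0.20),
    "tcp_reset": (0.05, 0.20),
}

def raise_events(counts, total):
    """Turn non-zero counters into events graded Info, Warning or Critical."""
    events = []
    for metric, (warn, crit) in THRESHOLDS.items():
        n = counts.get(metric, 0)
        if n == 0:
            continue
        ratio = n / total
        level = "Critical" if ratio >= crit else "Warning" if ratio >= warn else "Info"
        events.append({"metric": metric, "count": n, "ratio": round(ratio, 3), "level": level})
    return events

if __name__ == "__main__":
    for event in raise_events(analyze(SAMPLE), len(SAMPLE)):
        print(event)
```

Production analyzers also handle sequence-number wraparound, keep-alives and out-of-order delivery, which this sketch leaves out.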
FIG. 5 is a conceptual diagram showing the detailed functions of the one-click processing unit in FIG. 1.
When the user one-clicks one or more of BPS, PPS, Latencies, Timeout, HTTP Error, and TCP Flag, the one-click processing unit (160) provides all the information needed to solve network problems, including detailed information about the clicked item, the meaning of that information, symptoms, expected causes, and countermeasures.
Conventional competing technologies can identify the cause of a problem through a complicated analysis process, but are limited in that they cannot suggest countermeasures.
Accordingly, when the BPS item is one-clicked, the one-click processing unit (160) provides network traffic status (Avg or Top) information; when the PPS item is one-clicked, it provides Unicast, Multicast, Broadcast, or Unknown status information; when the Latencies item is one-clicked, it provides network response delay status (Avg, Top, or per IP) information; when the Timeout item is one-clicked, it provides network Timeout status (Avg, Top, or per IP) information; when the HTTP Error item is one-clicked, it provides HTTP Code state or URL comparison analysis status information; and when the TCP Flag item is one-clicked, it provides TCP Zero Windows, Duplicate ACK, Retransmission, or Reset occurrence status information. It also provides a description and cause of occurrence for each item, provides user-specified time filter information, and allows the user to manage the network by selecting a chart or graph.
FIG. 6 is a conceptual diagram showing the detailed functions of the report preparation unit in FIG. 1.
The report preparation unit (170) generates a diagnosis report with a single click, without separate analysis or diagnosis work. The user can specify a desired period and insert a user logo, and a window for entering an overall opinion is provided.
FIG. 7 is a conceptual diagram showing the detailed functions of the user interface unit in FIG. 1.
The user interface unit (180) provides a dashboard UI (User Interface), a statistics UI, an analysis tool UI, a payload tracking UI, a report UI, an automatic diagnostic analysis UI, an event UI, a system setting UI, and the like.
FIG. 8 is a flowchart showing an intelligent network management method based on automatic packet analysis according to an embodiment of the present invention.
In the first step (ST1), when the intelligent network management device (100) performs network management, the application data measurement unit (120) measures data including network packets, SNMP TRAP, and SYSLOG information from the network equipment (210) of a data center or from a remote intelligent network management device (220).
In the second step (ST2), after the first step, the network performance analysis unit (130) analyzes the performance of the network using the data measured by the application data measurement unit (120).
In the third step (ST3), the automatic diagnosis unit (140) automatically diagnoses the state of the network using the results analyzed by the network performance analysis unit (130).
In the fourth step (ST4), after the third step, the one-click processing unit (160) receives the results of the automatic diagnosis unit (140) and processes them so that the information needed to solve network problems, including the detailed information of the network diagnosis, the meaning of that information, symptoms, expected causes, and countermeasures, is provided with a single click.
In the fifth step (ST5), after the fourth step, the user interface unit (180) provides a user interface so that the user can perform network management.
Accordingly, through automatic packet analysis, the intelligent network management device (100) provides a guide for identifying and resolving the causes of diverse and complex network issues accurately and quickly with a single click, enables any network operator to manage the network easily and conveniently, and, through its information collection and analysis functions, interworks with various systems to provide a network management service customized to user requirements.
FIG. 9 is a conceptual diagram showing application examples of the present invention.
The present invention thus makes it possible, through constant network monitoring, to perform constant monitoring, performance management, and failure event management of a business network. Through integrated CCTV control, it makes it possible to perform performance and failure management. Through performance management after network separation, it makes it possible to improve network performance and to diagnose network structure and configuration. Through network design, it makes it possible to perform capacity optimization design.
FIG. 10 is a conceptual diagram showing an example of the constant network monitoring in FIG. 9.
Constant network monitoring thus makes possible usage and health (network operating status) checks, performance monitoring, failure monitoring and resolution, abnormal behavior detection and warning, service optimization, and the provision of regular reports.
FIG. 11 is a conceptual diagram showing an example of the integrated CCTV control in FIG. 9.
Integrated CCTV control makes possible usage and health (network operating status) checks, performance monitoring, failure monitoring and resolution, abnormal behavior detection and warning, service optimization, and the provision of regular reports.
FIG. 12 is a conceptual diagram showing an example of the performance management after network separation in FIG. 9.
Performance management after network separation makes it possible to solve network performance problems. It can therefore contribute to VDI (Virtual Desktop Infrastructure, desktop virtualization) environments, physical network separation, and logical network separation.
FIG. 13 is a conceptual diagram showing an example of the network design in FIG. 9.
In network design, usage and health (network operating status) checks, performance monitoring, service optimization, and the provision of analysis reports thus become possible.
As described above, through automatic packet analysis, the present invention provides a guide for identifying and resolving the causes of diverse and complex network issues (performance, failures, and so on) accurately and quickly with a single click, enables any network operator to manage the network easily and conveniently, and, through its information collection and analysis functions, interworks with various systems to provide a network management service customized to user requirements.
Although the present invention has been described in more detail above by way of embodiments, the present invention is not necessarily limited to these embodiments and may be modified in various ways without departing from the technical spirit of the present invention. The embodiments disclosed herein are therefore intended to explain, not to limit, the technical spirit of the present invention, and the scope of that technical spirit is not limited by these embodiments. The scope of protection of the present invention should be interpreted according to the claims, and all technical ideas within a scope equivalent to them should be interpreted as falling within the scope of rights of the present invention.

Claims (7)

  1. An intelligent network management device that performs management of a network, comprising:
    a control unit that controls the intelligent network management device so that, through automatic packet analysis, it provides a guide for identifying and resolving the causes of diverse and complex network issues accurately and quickly with a single click, enables any network operator to manage the network easily and conveniently, and, through information collection and analysis functions, interworks with various systems to provide a network management service customized to user requirements;
    an application data measurement unit that, under the control of the control unit, measures data including network packets, SNMP TRAP, and SYSLOG information from network equipment of a data center or from a remote intelligent network management device;
    a network performance analysis unit that, under the control of the control unit, analyzes the performance of the network using the data measured by the application data measurement unit;
    an automatic diagnosis unit that, under the control of the control unit, automatically diagnoses the state of the network using the results analyzed by the network performance analysis unit;
    an event management unit that, under the control of the control unit, manages events including events from packet analysis, SNMP TRAP events, and SYSLOG events;
    a one-click processing unit that, under the control of the control unit, receives the results of the automatic diagnosis unit and processes them so that the information needed to solve network problems, including the detailed information of the network diagnosis, the meaning of that information, symptoms, expected causes, and countermeasures, is provided with a single click;
    a report preparation unit that, under the control of the control unit, prepares a network diagnosis report based on packet analysis; and
    a user interface unit that, under the control of the control unit, provides a user interface so that the user can perform network management,
    the device being an intelligent network management device based on automatic packet analysis.
  2. The device according to claim 1, wherein, in the application data measurement unit,
    the types of collected data include network packets, SNMP TRAP, and SYSLOG; the collection method uses SPAN/Port Mirroring or Tap equipment; the collection time is immediate or schedule-based; and the collected data is stored as metadata and original packets (PCAP), the device being an intelligent network management device based on automatic packet analysis.
  3. The device according to claim 1, wherein, in the network performance analysis unit,
    network usage and performance analysis uses BPS, PPS, Latency, or Timeout; failure/event analysis uses TCP Session, UDP Session, or HTTP Error; application service (L7) analysis uses HTTP, DNS, SMTP, POP3, IMAP, FTP Server tracking or Client tracking; L2 to L4 analysis is performed by Mac usage analysis, hop Count analysis, UDP Port analysis, TCP Port analysis, or Payload analysis; and statistics and trend analysis uses usage, performance indicators, failures, or events, the device being an intelligent network management device based on automatic packet analysis.
  4. The device according to claim 1, wherein the automatic diagnosis unit
    defines diagnosis items, measures the state of the diagnosis target, provides the symptoms of the diagnosis target, provides the expected causes, provides a countermeasure for each expected cause, and provides the analysis results, and the automatic diagnosis targets include performance, usage, UDP, TCP, or HTTP errors, the device being an intelligent network management device based on automatic packet analysis.
  5. The device according to claim 1, wherein the event management unit,
    when a packet analysis event occurs, generates and manages events at three levels, Warning, Critical, and Info; performs SNMP Trap event collection processing and supports SNMP v1, v2c, or v3; and, when a SYSLOG event occurs, performs SYSLOG event collection and search and performs classification by SYSLOG Level, the device being an intelligent network management device based on automatic packet analysis.
  6. The device according to claim 1, wherein the one-click processing unit,
    when the user one-clicks one or more of BPS, PPS, Latencies, Timeout, HTTP Error, and TCP Flag, provides the information needed to solve network problems, including detailed information about the clicked item, the meaning of that information, symptoms, expected causes, and countermeasures; provides network traffic status (Avg or Top) information when the BPS item is one-clicked; provides Unicast, Multicast, Broadcast, or Unknown status information when the PPS item is one-clicked; provides network response delay status (Avg, Top, or per IP) information when the Latencies item is one-clicked; provides network Timeout status (Avg, Top, or per IP) information when the Timeout item is one-clicked; provides HTTP Code state or URL comparison analysis status information when the HTTP Error item is one-clicked; provides TCP Zero Windows, Duplicate ACK, Retransmission, or Reset occurrence status information when the TCP Flag item is one-clicked; provides a description and cause of occurrence for each item; provides user-specified time filter information; and allows the user to manage the network by selecting a chart or graph, the device being an intelligent network management device based on automatic packet analysis.
  7. An intelligent network management method based on automatic packet analysis, comprising: a first step in which, when an intelligent network management device performs network management, an application data measurement unit measures data including network packets, SNMP TRAP, and SYSLOG information from network equipment of a data center or from a remote intelligent network management device;
    a second step in which, after the first step, a network performance analysis unit analyzes the performance of the network using the data measured by the application data measurement unit;
    a third step in which an automatic diagnosis unit automatically diagnoses the state of the network using the results analyzed by the network performance analysis unit;
    a fourth step in which, after the third step, a one-click processing unit receives the results of the automatic diagnosis unit and processes them so that the information needed to solve network problems, including the detailed information of the network diagnosis, the meaning of that information, symptoms, expected causes, and countermeasures, is provided with a single click; and
    a fifth step in which, after the fourth step, a user interface unit provides a user interface so that the user can perform network management,
    wherein the intelligent network management device, through automatic packet analysis, provides a guide for identifying and resolving the causes of diverse and complex network issues accurately and quickly with a single click, enables any network operator to manage the network easily and conveniently, and, through information collection and analysis functions, interworks with various systems to provide a network management service customized to user requirements.
PCT/KR2022/007006 2021-06-21 2022-05-17 Device and method for automatic packet analysis-based intelligent network management WO2022270766A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2021-0080079 2021-06-21
KR1020210080079A KR102370113B1 (en) 2021-06-21 2021-06-21 Apparatus and method for intelligent network management based on automatic packet analysis

Publications (1)

Publication Number Publication Date
WO2022270766A1 true WO2022270766A1 (en) 2022-12-29

Family

ID=80817461

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2022/007006 WO2022270766A1 (en) 2021-06-21 2022-05-17 Device and method for automatic packet analysis-based intelligent network management

Country Status (2)

Country Link
KR (1) KR102370113B1 (en)
WO (1) WO2022270766A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102370113B1 (en) * 2021-06-21 2022-03-07 (주)소울시스템즈 Apparatus and method for intelligent network management based on automatic packet analysis

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005101740A1 (en) * 2004-04-16 2005-10-27 Apparent Networks, Inc. Method and apparatus for automating and scaling active probing-based ip network performance monitoring and diagnosis
JP2005346331A (en) * 2004-06-02 2005-12-15 Nec Corp Failure recovery apparatus, method for restoring fault, manager apparatus, and program
JP2010218062A (en) * 2009-03-13 2010-09-30 Ricoh Co Ltd Information provision device, information provision system, information provision method, information provision program and recording medium recording the program
KR20170111944A (en) * 2016-03-30 2017-10-12 주식회사 코아아이티 Management system for remote monitoring and controling communication
KR20190088343A (en) * 2018-01-18 2019-07-26 주식회사맥데이타 Network performance indicator visualization method and apparatus, and system
KR102370113B1 (en) * 2021-06-21 2022-03-07 (주)소울시스템즈 Apparatus and method for intelligent network management based on automatic packet analysis

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101998863B1 (en) 2018-08-13 2019-10-01 주식회사 에이디엠 Communication failure management and maintenance management system of network facility
KR102133001B1 (en) 2019-04-10 2020-07-13 주식회사 케이티 Network management device, network management system and network management method

Also Published As

Publication number Publication date
KR102370113B1 (en) 2022-03-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 22828615; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 22828615; Country of ref document: EP; Kind code of ref document: A1)