The present invention relates to a broadband traffic analysis system, and more particularly, to a traffic analysis system which analyzes, in detail, an entirety of an amount of upstream traffic and an amount of downstream traffic by comparing and analyzing a sequence number value and an acknowledgement number value of one-way traffic of two-way traffic to solve an issue in that an entirety of upstream traffic and downstream traffic need to be collected and analyzed in order for upstream traffic and downstream traffic transmitted over a broadband network to be analyzed.
In recent times, the Internet may be easily used by anyone due to a drastic development and propagation of Internet technology.
Accordingly, a number of Internet users is rapidly increasing, and methods for connecting to the Internet and usage patterns of the Internet have become complex and diversified.
In addition, a broadband network for providing the Internet is complicated, and an Internet usage pattern is also diversified. Thus, a professional traffic analysis system is required to manage and operate a traffic network as an amount of traffic usage significantly increases due to the rapid increase and the drastic propagation of Internet users.
Here, the traffic analysis system refers to a system for analyzing a statistical amount of traffic, a current state of an Internet connection, a number of transmission control protocol (TCP) connection sessions, and a traffic usage for each service to analyze an increasing amount of traffic in the broadband network, and to analyze a factor causing interference against the network.
However, hundreds or thousands of high-cost and high-capacity traffic analysis systems are required to professionally analyze an entirety of upstream traffic and downstream traffic in the broadband network through segmentation. Accordingly, not only construction costs but also high costs for maintaining and repairing are incurred as a traffic rate increases. Thus, introducing a system for analyzing an entirety of the upstream traffic and the downstream traffic in the broadband network is difficult, in terms of costs and maintenance.
To solve the aforementioned issue, a traffic sample analysis method installed in a partial section of the broadband network to analyze traffic is currently adopted as a method for analyzing rapidly increasing high-capacity traffic of the broadband network. The traffic sample analysis method may eliminate the above-described issues in terms of costs and maintenance, which may result from using a plurality of analytical systems. However, traffic analysis is possible using only an extracted traffic sample, in lieu of the entirety of traffic. Accordingly, a result of the analysis may differ from an actual amount of traffic analysis and as a result, numerous errors in measurement may occur.
Accordingly, to overcome issues found in conventional high-cost and high-capacity traffic analysis systems, traffic sample analysis systems, and the like, there is a need for a traffic analysis method that may construct an efficient high-capacity traffic analysis system at low costs. However, a method satisfying all the requirements has yet to be proposed.
An aspect of the present invention provides a session-based traffic analysis system which may replace a plurality of high-cost and high-capacity traffic analysis systems with a low-cost and efficient traffic analysis system, and may measure a total amount of traffic by analyzing a portion of upstream traffic that occupies about ⅓ of the total traffic in a broadband network.
Another aspect of the present invention provides a session-based traffic analysis system which may accurately analyze an amount of traffic for each transmission control protocol (TCP) connection using only some one-way packets based on TCP connection-oriented characteristics, that is, connection information of data storage for each TCP connection, and may accurately analyze an amount of two-way traffic using only some one-way connection information, as an amount of TCP data transmission to be transmitted is calculated based on a sequence number of the TCP connection information, and an amount of received TCP data transmission is calculated based on an acknowledgement number of the TCP connection information.
According to an aspect of the present invention, there is provided a session-based traffic analysis system to analyze two-way traffic based on one-way traffic, with respect to broadband traffic using a transmission control protocol (TCP), the system including a traffic mirroring means to monitor the one-way traffic transmitted from a broadband network on the TCP, the one-way traffic corresponding to upstream traffic or downstream traffic, a session information extracting means to extract a sequence number and an acknowledgement number for each set of session information from the traffic monitored by the traffic mirroring means, a two-way traffic analyzing means to update an initial value and a final value for each of the sequence number and the acknowledgement number extracted by the session information extracting means, to determine an amount of traffic transmitted in a direction traffic is collected in based on the initial value and the final value of the sequence number, and to determine an amount of traffic transmitted in a direction opposite to the direction traffic is collected in based on the initial value and the final value of the acknowledgement number, and a storage medium to periodically log and store a traffic analysis result value obtained by the traffic analyzing means.
The session information extracting means may extract, from TCP header information of the traffic, sequence information to be used as a sequence number value, acknowledgement information to be used as an acknowledgement number value, and source Internet protocol (IP)/destination IP/source port/destination port values of an IP header and a TCP header to be used as a session information value.
The two-way traffic analyzing means may store a sequence number and an acknowledgement number of a session information value initially collected as initial values of the sequence number and the acknowledgement number, and may continuously store sequence numbers and acknowledgement numbers collected thereafter for the same session information value, as final values of the sequence number and the acknowledgement number.
The two-way traffic analyzing means may calculate the initial values and the final values of the sequence number and the acknowledgement number, may determine an amount of data transmitted in the direction the traffic is collected in based on an equation “final value of sequence number—initial value of sequence number”, and may determine an amount of data received in the direction opposite to the direction the traffic is collected in based on an equation “final value of acknowledgment number—initial value of acknowledgment number”.
According to embodiments of the present invention, the same analysis result value as a value obtained by analyzing total traffic may be induced by analyzing only a portion of upstream traffic that occupies about ⅓ of the total traffic, instead of analyzing the total traffic of a broadband network.
Accordingly, more than ⅓ of the number of traffic analysis servers required in the related art may be decreased. According to the decrease in the number of traffic analysis servers, costs for purchasing a traffic analysis server, or additional costs and range of management may be reduced. Accordingly, there may be provided a broadband network management method which is efficient in terms of time and costs.
Further, according to embodiments of the present invention, there may be provided a broadband network traffic analysis system using a low-capacity and general-purpose server capable of correcting a traffic analysis value, although a portion of TCP packets is missing while analyzing the traffic.
Provided is a session-based traffic analysis system to analyze two-way traffic based on one-way traffic, with respect to broadband traffic using a transmission control protocol (TCP). The system includes a traffic mirroring means to monitor the one-way traffic, more particularly, upstream traffic or downstream traffic transmitted from a broadband network to TCP. The system also includes a session information extracting means to extract a sequence number and an acknowledgement number for each set of session information from the traffic monitored by the traffic mirroring means. The system also includes a two-way traffic analyzing means. The two-way traffic analyzing means updates an initial value and a final value for each of the sequence number and the acknowledgement number extracted by the session information extracting means. The two-way traffic analyzing means determines an amount of traffic transmitted in a direction traffic is collected in based on the initial value and the final value of the sequence number. The two-way traffic analyzing means determines an amount of traffic transmitted in a direction opposite to the direction traffic is collected in based on the initial value and the final value of the acknowledgement number. The system also includes a storage medium to periodically log and store a traffic analysis result value obtained by the traffic analyzing means.
Hereinafter, a session-based traffic analysis system according to embodiments of the present invention will be described in detail with reference to the accompany drawings.
Here, the following description is only an example of implementation of the present invention and thus, the present invention is neither limited thereto nor restricted thereby.
As illustrated in
The source IP 21 of
The source port 31 indicates a connection number of a data transmitter, and the destination port 32 indicates a connection number of a data receiver.
The sequence number 33 is a serial number which is assigned in an order when data to be transmitted through a network is divided into packets.
The acknowledgement number 34 is a serial number of received data.
Here, the sequence number is the serial number of data to be transmitted and thus, an increase in a value between an initially collected sequence number value and a finally collected sequence number value based on session information indicates an amount of data actually transmitted with respect to corresponding session information.
In addition, the acknowledgement number is the serial number of received data and thus, an increase in a value between an initially collected acknowledgement number value and a finally collected acknowledgement number value based on session information indicates an amount of data actually received with respect to corresponding session information.
Using values stored in the session information storage table, an amount of data transmitted by a corresponding session is calculated based on an equation of “final value of sequence number—initial value of sequence number”, and an amount of data received by the corresponding session is calculated based on an equation “final value of acknowledgment number—initial value of acknowledgment number”.
Here, the initial sequence number value stores a sequence number value which is extracted when a minimum packet having a session value is collected.
The final sequence number value is maintained by continuously updating, to be used as the final sequence number value, a sequence number value of a corresponding packet extracted when a packet having the same session value as an initial session value is collected because a packet having the initial session value is already collected.
Further, the initial acknowledgement number value stores the sequence number value extracted when a minimum packet having a session value is already collected.
The final acknowledgement number value is maintained by continuously updating, to be used as the final acknowledgement number value, an acknowledgement number value of a corresponding packet extracted when a packet having the same session value as the initial session value is collected because the packet having an initial session value is already collected.
As illustrated in
Whether the generated session value is a session value present in the session information storage table or a new session value may be determined in operation S53.
When the corresponding session value is determined to be the new session value absent in the session information storage table, the extracted new session value is stored in the session information storage table in operation S54. A sequence number and an acknowledgement number of the corresponding packet are extracted in operation S55. The extracted sequence number and acknowledge number are stored in the session information storage table to be used as an initial value of the stored new session value in operation S56.
Conversely, when the corresponding session value is determined to be present in the session information storage table, the session information storage table is searched for an existing session value in operation S57.
In operation S58, the sequence number and the acknowledgement number of the corresponding packet are extracted,
In operation S59, the extracted sequence number and acknowledge number are stored in the session information storage table to be used as a final value of the previously stored session information.
The initial value and the final value of the sequence number, and the initial value and the final value of the acknowledgement number are stored in the session information storage table for each session value of all packets by repeatedly performing operations S56 and S59 for each packet being monitored.
In addition, based on session values stored in the session information storage table through the aforementioned process, a traffic analysis value, for example, a data transmission amount and a data reception amount may be calculated according to the following equations.
Data transmission amount=final value of sequence number−initial value of sequence number
Data reception amount=final value of acknowledgement number−initial value of acknowledgement number
As described above, although the session-based traffic analysis system in the broadband network according to embodiments of the present invention is described, the present invention is neither limited thereto nor restricted thereby.
Although an installation is described to be performed in the session-based analysis device 12 in the above-mentioned embodiment, the present invention may be configured as a system which may perform predetermined processes as described above and is independent in terms of hardware. For example, the present invention may be provided in a form of software, such as an application installed on a server side or a client side to operate in a broadband network analysis and to operate by requesting a traffic analysis.
Here, when the present invention is provided in the form of software as described above, the present invention may be provided in various forms based on necessity. For example, the present invention may be provided in a form of a record medium in which a program executing the above-mentioned predetermined processes is stored, or in a form of a download program to be downloaded and installed through the Internet.
Accordingly, the present invention is not limited to the above-described embodiments. Instead, it would be appreciated by those skilled in the art that changes may be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.
According to embodiments of the present invention, there may be provided a session-based traffic analysis system which may replace conventional high-cost and high-capacity traffic analysis systems and traffic sample analysis systems, and may measure a total amount of traffic by analyzing a portion of upstream traffic that occupies about ⅓ of the total traffic in a broadband network to manage an efficient high-capacity traffic analysis system at low costs.
According to other embodiments of the present invention, there may be also provided a session-based traffic analysis system which may accurately analyze an amount of traffic for each transmission control protocol (TCP) connection using only some one-way packets based on TCP connection-oriented characteristics, more particularly, connection information of data storage for each TCP connection, and may accurately analyze an amount of two-way traffic using only some one-way connection information, as an amount of TCP data transmission to be transmitted is calculated based on a sequence number of the TCP connection information, and an amount of received TCP data transmission is calculated based on an acknowledgement number of the TCP connection information.
Number | Date | Country | Kind |
---|---|---|---|
10-2010-0111031 | Nov 2010 | KR | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/KR2011/008413 | 11/7/2011 | WO | 00 | 7/15/2013 |