A communications provider needs to analyze the traffic in its own network in order to utilize network resources effectively. For example, by analyzing the distribution of services used by the traffic in its network, the provider can estimate in advance the amount of network resources to reserve for a specific service and can optimize its equipment investment. Wasteful traffic in the network is reduced by detecting and blocking Distributed Denial of Service (DDoS) attacks carried out via the network, which also protects the devices of users on that network.
Methods of analyzing traffic fall roughly into two categories: statistical analysis, and analysis of the contents of each packet.
Statistical analysis uses the statistics-collection function built into packet-forwarding equipment such as a router. The collected statistics include, for example, the total number of packets received on a given port of the router. Because even relatively simple hardware can collect such statistics, most routers support this function; it is described in non-patent document 1, Waldbusser S., “Remote Network Monitoring Management Information Base”, STD 59, RFC 2819, May 2000. Statistical analysis can analyze packet counts and traffic volume, but it cannot analyze the contents of the passing packets in detail.
For content analysis, therefore, a method is adopted in which part or all of each packet passing through the router is transferred to analyzing equipment, which analyzes the packet contents. For example, all packets received on a given port can be transferred to the analyzing equipment using the port mirroring function that many routers provide. Alternatively, packets can be sampled and the samples transferred to the analyzing equipment using sFlow (non-patent document 2, Phaal P. et al., “InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks”, RFC 3176, September 2001) or NetFlow (non-patent document 3, Claise B. (ed.), “Cisco Systems NetFlow Services Export Version 9”, RFC 3954, October 2004), which some routers support.
Patent document 1, JP-A No. 248185/2004, discloses a method in which, when traffic suspected of being a Distributed Denial of Service attack is detected, traffic matching a condition is transferred to analyzing equipment and analyzed there.
Each of the above analyzing methods has its own problems.
In the port mirroring method and in the method of patent document 1, every packet matching the condition is transmitted to the analyzing equipment. When traffic suspected of being a DDoS attack is detected, therefore, a very large number of packets must be examined, which may exceed the analyzing capacity of the analyzing equipment. The link between the router and the analyzing equipment may also become saturated.
In the sFlow and NetFlow methods, sampling packets allows the transfer rate to be matched to the throughput of the analyzing equipment and of the link. However, with random sampling in units of packets, a stream made up of a plurality of consecutive packets cannot be reconstructed, so analysis of the stream is difficult.
Many applications use a stream-oriented protocol such as TCP or SCTP as the means of exchanging information between applications. In a stream-oriented protocol, data expressed as a byte string is split into a plurality of packets that are exchanged between a client and a server. Before data is transmitted, packets are exchanged to establish a session between the client and the server. In TCP, for example, the client transmits a SYN packet to the server, the server responds with a SYN+ACK packet, and the session is established when the client transmits an ACK packet in response to the SYN+ACK packet. When the session is shut down, FIN and ACK packets are exchanged in a similar way. In the invention, the series of packets from session establishment through data exchange to session shutdown is defined as a stream. The details of TCP are described in non-patent document 4, Postel J. B., “Transmission Control Protocol”, RFC 793, September 1981, and the details of SCTP in non-patent document 5, Stewart R. et al., “Stream Control Transmission Protocol”, RFC 2960, October 2000.
As described above, in a stream-oriented protocol data is split into a plurality of packets before transmission. Consequently, even if some of the packets in a stream are sampled, the stream cannot be reconstructed from them, and the analyzing equipment cannot precisely analyze such things as the behavior of an application.
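To make the two points above concrete (the stream as defined from the handshake through data exchange to teardown, and the failure of per-packet sampling to preserve it), the following Python is an added example; it is not code from the patent, from sFlow or from NetFlow. The packets are constructed inline as plain tuples, the addresses and ports are invented, and the 1-in-n sampling is kept deterministic so that the run is reproducible. The contrasting selection of whole streams by hashing the 5-tuple is a generic illustration of what stream-level analysis needs, not the method claimed by the patent.

```python
"""Why per-packet sampling breaks stream analysis (added example, not the patent's code).

Constructed packet layout: (src_ip, src_port, dst_ip, dst_port, flags, seq, payload).
"""
import hashlib


def make_stream(client, cport, server, sport, chunks, isn=1000, server_isn=5000):
    """Packets of one TCP stream as the text defines it: handshake, data, teardown."""
    c2s = (client, cport, server, sport)
    s2c = (server, sport, client, cport)
    pkts = [
        (*c2s, "SYN", isn, b""),
        (*s2c, "SYN+ACK", server_isn, b""),
        (*c2s, "ACK", isn + 1, b""),
    ]
    seq = isn + 1
    for chunk in chunks:                      # client byte string split over segments
        pkts.append((*c2s, "PSH+ACK", seq, chunk))
        seq += len(chunk)
    pkts.append((*c2s, "FIN+ACK", seq, b""))  # FIN carries seq = ISN+1+len(data)
    pkts.append((*s2c, "ACK", server_isn + 1, b""))
    return pkts


def flow_key(pkt):
    """Direction-independent key so both halves of a stream map to one flow."""
    src, sport, dst, dport = pkt[:4]
    return tuple(sorted([(src, sport), (dst, dport)]))


def reassemble(packets):
    """Group packets by flow and rebuild the client->server byte string.

    Returns {flow_key: (complete, data)}. A flow is complete only when SYN, SYN+ACK
    and FIN were all seen and the data segments run gap-free from ISN+1 up to the
    FIN's sequence number; a single missing packet makes it incomplete.
    """
    flows = {}
    for pkt in packets:
        st = flows.setdefault(flow_key(pkt), {"syn": None, "synack": False, "fin": None, "segs": []})
        flags, seq, payload = pkt[4], pkt[5], pkt[6]
        if flags == "SYN":
            st["syn"] = seq
        elif flags == "SYN+ACK":
            st["synack"] = True
        elif flags.startswith("FIN"):
            st["fin"] = seq
        if payload:
            st["segs"].append((seq, payload))
    result = {}
    for key, st in flows.items():
        expect = None if st["syn"] is None else st["syn"] + 1
        contiguous, data = expect is not None, b""
        for seq, payload in sorted(st["segs"]):
            if seq != expect:                 # gap: a segment was not sampled
                contiguous = False
                break
            data += payload
            expect += len(payload)
        complete = contiguous and st["synack"] and st["fin"] is not None and st["fin"] == expect
        result[key] = (complete, data)
    return result


def sample_per_packet(packets, n):
    """1-in-n packet sampling (deterministic here for reproducibility)."""
    return [p for i, p in enumerate(packets) if i % n == 0]


def sample_per_stream(packets, n):
    """Keep a packet iff its flow hashes into bucket 0 of n: whole streams survive or vanish."""
    def bucket(key):
        h = hashlib.sha256(repr(key).encode()).digest()
        return int.from_bytes(h[:4], "big") % n
    return [p for p in packets if bucket(flow_key(p)) == 0]


def demo(n=2, streams=5):
    """Interleave several streams, sample both ways, count reassemblable streams.

    Five streams are used so the round-robin interleave does not line up with the
    sampling period; every stream then loses packets under per-packet sampling.
    """
    built = [
        make_stream("10.0.0.%d" % (i + 1), 40000 + i, "192.0.2.10", 80,   # invented addresses
                    [b"GET /%d " % i, b"HTTP/1.1\r\n", b"Host: example\r\n\r\n"])
        for i in range(streams)
    ]
    trace = [p for group in zip(*built) for p in group]  # round-robin interleave
    per_pkt = reassemble(sample_per_packet(trace, n))
    per_flow = reassemble(sample_per_stream(trace, n))
    return {
        "streams": streams,
        "per_packet_seen": len(per_pkt),
        "per_packet_complete": sum(c for c, _ in per_pkt.values()),
        "per_stream_seen": len(per_flow),
        "per_stream_complete": sum(c for c, _ in per_flow.values()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With 1-in-2 packet sampling every one of the five streams is seen, yet none can be reassembled; with selection by flow hash, fewer streams are seen but every one that is seen reassembles completely, which is what an analyzer that reconstructs application behavior needs.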