JP2018137687A - Packet analyzing program, packet analyzer, and packet analyzing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a packet analyzing program that analyzes a communication route of packet data on a network on which communication is carried out via a relay device that severs connection on the network.SOLUTION: A packet analyzing program causes a computer of a packet analyzer for analyzing a communication route of packet data communicated from a first device to a second device interposing, between them, a relay device for relaying a network to function as: comparison analyzing means for comparing a payload of first packet data passing at an upstream side of the relay device with a payload of second packet data passing at a downstream side of the relay device; and assembling means for assembling a transmission source IP address of the first packet data and a destination IP address of the second packet data if a comparison result of the payloads accords.SELECTED DRAWING: Figure 3

Description

  The present invention relates to a packet analysis program, a packet analysis device, and a packet analysis method for analyzing a communication path of packet data on a network.

  There are various techniques for visualizing the movement of packet data flowing on a client-server (END-END) network and analyzing the network. The visualization of packet data between the client and the server is performed by analyzing the source IP address (SA: source address) and the destination IP address (DA: destination address) included in the TCP / IP header of the packet data flowing between the client and the server. This is done by graphing.

  As a technique for analyzing packet data on a network, a first transmission source IP address is extracted from a packet transmitted by a device, a second transmission destination address is extracted from a packet received by the device, and a first transmission source IP There has been proposed a technique for analyzing whether the address and the second destination address match (for example, refer to Patent Document 1).

JP 2005-175755 A

  Communication may be performed via a relay device that divides a connection on the network, such as a proxy, FW (firewall), or LB (load balancer), for convenience of network configuration.

  For example, when communication is performed from a client device to a server device via a proxy, when packet data arrives from the client device to the proxy, the proxy rewrites the destination IP address of the arrived packet data with the IP address of the server device. The proxy also rewrites the source IP address of the packet data arriving at the proxy with the IP address of the proxy itself. Then, the proxy transfers the packet data with the rewritten IP address to the server.

  When analyzing the movement of packet data on the network via the proxy, it is determined that the packets before and after passing through the proxy are packets having different destination IP addresses (or source IP addresses).

  For this reason, when the movement of packet data is analyzed by the source IP address and the destination IP address according to the conventional technique, the connection on the network is apparently divided before and after the proxy. For this reason, the conventional packet analysis apparatus cannot determine whether or not the packet data flowing through the network between the client and the proxy and the network between the proxy and the server match. As a result, the packet data communication path between the client and the server via the proxy cannot be specified, and the movement of the packet data cannot be analyzed.

  An object according to one aspect of the present invention is to provide a packet analysis program for analyzing a communication path of packet data on a network in which communication is performed via a relay device that disconnects the connection on the network.

The present invention employs the following configuration in order to solve the above problems.
That is, according to one aspect of the present invention, a computer of a packet analysis device that analyzes a communication path of packet data that is communicated from a first device to a second device across a relay device that relays a network. Comparison analysis means for comparing the payload of the first packet data passing through the upstream side of the relay device and the payload of the second packet data passing through the downstream side of the relay device, the comparison results of the respective payloads matched A packet analysis program that functions as an assembling unit that assembles a source IP address of the first packet data and a destination IP address of the second packet data.

  According to the present invention, it is possible to analyze a communication path of packet data on a network in which communication is performed via a relay device that divides a connection on the network.

It is a figure which shows an example of the packet analysis system containing the packet analysis apparatus which concerns on embodiment of this invention. It is a figure which shows an example of the measurement server with which a packet analysis apparatus is equipped, and a web server It is a hardware block diagram of a packet analysis device It is a figure which shows the example which assembles packet data by the L4 assembly part. It is a flowchart which shows the example of the packet analysis process by a packet analysis program. It is a figure which shows the example of a packet information table. It is a figure which shows the graph of a packet analysis result It is a figure which shows the graph of a packet analysis result It is a figure which shows the graph of a packet analysis result

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 is a diagram illustrating an example of a packet analysis system including a packet analysis apparatus according to an embodiment of the present invention. The packet analysis system 1 shown in FIG. 1 is a LAN (Local Area Network) system, although not particularly limited. The packet analysis system 1 includes a PC (Personal Computer) device 10, a server device 20, a proxy 30, switches (SW) 40 a and 40 b, and a packet analysis device 100.

  In the present embodiment, an example in which communication is performed between the PC device 10 and the server device 20 with the proxy 30 interposed therebetween will be described. The PC device 10 corresponds to the first device of the present invention, the server device 20 corresponds to the second device of the present invention, and the proxy 30 corresponds to the relay device of the present invention.

  The PC device 10 is configured by an existing PC, and requests data from the server device 20 via the proxy 30.

  The proxy 30 is arranged on the network between the PC device 10 and the server device 20, and relays packet data transmitted from the PC device 10 to the server device 20 and packet data transmitted from the server device 20 to the PC device 10, respectively. To do. For example, the proxy 30 communicates with the server device 20 on behalf of a Web browser in the PC device 10.

  The server device 20 is configured by an existing Web server or the like, and sends a response of data requested from the PC device 10 via the proxy 30 to the PC device 10 via the proxy 30 again.

  Hereinafter, an example in which packet data is transmitted from the PC device 10 to the server device 20 via the proxy 30 will be described.

  On the network between the PC device 10 and the proxy 30 (hereinafter referred to as “upstream side” of the proxy 30), packet data (hereinafter referred to as “packet A”) whose destination IP address (DA: destination address) is the proxy 30. Called). On the network between the proxy 30 and the server device 20 (hereinafter referred to as “downstream side” of the proxy 30), packet data (hereinafter referred to as “packet B”) whose source IP address (SA) is the proxy 30. ").

  The switch 40 a is disposed on the upstream side of the proxy 30, and the switch 40 b is disposed on the downstream side of the proxy 30. The switch 40a and the switch 40b have a mirror port that duplicates a packet to be transferred and outputs the duplicated packet to an external device. For example, the mirror port of the switch 40 a copies the packet A passing through the upstream side of the proxy 30 and transmits the copied packet data to the packet analysis device 100. Similarly, the mirror port of the switch 40 b copies the packet B that passes through the downstream side of the proxy 30 and transmits the copied packet data to the packet analysis device 100.

  The packet analysis device 100 captures packet data (capture data) obtained by copying the packet A via the mirror port of the switch 40a. Similarly, the packet analysis device 100 captures packet data (capture data) obtained by copying the packet B via the mirror port of the switch 40b.

  In the above-described embodiment, an example in which communication is performed between the PC device 10 and the server device 20 via the proxy 30 has been described, but this is not a limitation. For example, the present invention can be applied to a relay device such as FW (firewall), LB (load balancer), etc., in which the connection on the network is disconnected by rewriting the IP address.

  In the present embodiment, the disconnection means that the destination IP address and the source IP address included in the packet are rewritten on the upstream side and the downstream side of the relay device such as the proxy 30 arranged on the network. Shows the state caused by. When the destination IP address and the source IP address are rewritten in the relay device, a state in which the destination IP address and the source IP address do not match occurs on the upstream side and the downstream side of the relay device such as the proxy 30. When the network is analyzed from the device determined from the above, the connection of the network is apparently divided.

  In the present embodiment, for convenience of explanation, packet reception before and after the connection is divided by the proxy 30 is assumed to be one port each, but this is not restrictive. For example, the connection may be divided at a plurality of ports.

  In the present embodiment, an example is described in which packet data is captured from the mirror ports of the two switches 40a and 40b, but this is not restrictive. For example, a plurality of switches can be arranged on a network passing through a relay device such as the proxy 30, and packet data can be captured and analyzed from the mirror port of each switch.

  FIG. 2A is a diagram illustrating an example of a measurement server and a Web server included in the packet analysis device 100. As shown in FIG. 2A, the measurement server 200 includes two packet analysis units 210a and 210b, an L7 comparison analysis unit 220, an L4 assembly unit 230, an L4 statistics unit 240, and a DB (database) 250.

  The packet analysis unit 210a captures the packet A passing through the upstream side of the proxy 30 via the mirror port of the switch 40a via communication I / O described later.

  Similarly, the packet analysis unit 210b captures the packet B passing through the downstream side of the proxy 30 via the mirror port of the switch 40b via communication I / O described later.

  The packet analysis unit 210a includes an L4 analysis unit 211a and an L7 analysis unit 212a. Similarly, the packet analysis unit 210b includes an L4 analysis unit 211b and an L7 analysis unit 212b.

  The L4 analysis unit 211a and the L4 analysis unit 211b perform analysis on the third layer and the fourth layer in an OSI (Open Systems Interconnection) reference model of ISO (International Organization for Standardization).

  The L4 analysis unit 211a analyzes the source IP address and the destination IP address included in the TCP / IP header of the packet A. Similarly, the L4 analysis unit 211b analyzes the source IP address and the destination IP address included in the TCP / IP header of the packet B.

  First, an example of upstream packet data in which communication is performed from the PC device 10 toward the server device 20 across the proxy 30 will be described. In this case, the PC device 10 side is upstream of the network, and the server device 20 side is downstream of the network.

  When analyzing the packet data on the upstream side of the proxy 30, the L4 analysis unit 211a analyzes the transmission source IP address of the packet A (in this case, the IP address indicating the PC device 10 that is the transmission source).

  On the other hand, when analyzing packet data on the downstream side of the proxy 30, the L4 analysis unit 211b analyzes the destination IP address of the packet B (in this case, the IP address indicating the server device 20 that is the destination). .

  Next, an example of downlink packet data in which communication is performed from the server device 20 toward the PC device 10 with the proxy 30 interposed therebetween will be described. In this case, the server device 20 side is upstream of the network, and the PC device 10 side is downstream of the network.

  When analyzing the packet data on the upstream side of the proxy 30, the L4 analysis unit 211b analyzes the transmission source IP address of the packet B (in this case, the IP address indicating the server device 20 that is the transmission source).

  On the other hand, when analyzing packet data on the downstream side of the proxy 30, the L4 analysis units 211a and 211b use the destination IP address of the packet A (in this case, the IP address indicating the PC device 10 that is the destination). To analyze.

  The L4 analysis unit 211a and the L4 analysis unit 211b notify the analysis results of the analyzed third layer and fourth layer to the L7 comparison analysis unit 220 and the L4 assembly unit 230.

  The L7 analysis unit 212a and the L7 analysis unit 212b perform analysis related to the seventh layer (hereinafter referred to as “L7”) in the ISO OSI reference model.

  Specifically, the L7 analysis unit 212a analyzes the payload included in the packet A. In the present embodiment, the payload refers to a data body obtained by removing, from packet data, a TCP / IP header or unique information such as personal information adopted only by the network. For example, when data corresponding to a URL (Uniform Resource Locator) is requested from the PC device 10 to the server device 20, the payload portion of the upstream packet A transmitted from the PC device 10 to the proxy 30 includes the URL Is stored. In this case, the L7 analysis unit 212a analyzes the information on the URL.

  The L7 analysis unit 212b analyzes the payload included in the packet B, similarly to the L7 analysis unit 212a. The L7 analysis units 212a and 212b notify the L7 comparison analysis unit 220 of the analyzed payload information.

  The L7 comparison analysis unit 220 performs L7 data analysis processing for comparing the payload of the packet A that passes through the upstream side of the proxy 30 and each payload of the packet B that passes through the downstream side of the proxy 30.

  For example, when the packet A is transmitted from the PC device 10 to the server device 20, the contents of the packet A are analyzed by the L7 analysis unit 212a, and the transmission time of the packet A, the type included in the payload of the packet data, etc. are determined. The

  For example, when a URL is requested from the PC device 10 to the server device 20, the URL information similar to the packet A described above is included in the payload portion of the upstream packet B transmitted from the proxy 30 to the server device 20. Is stored. In this case, the L7 analysis unit 212b analyzes the information on the URL. The L7 analysis unit 212a and the L7 analysis unit 212b notify the L7 comparison analysis unit 220 of the analysis result of L7. Since the technique of the well-known patent 4610240 can be employ | adopted about the technique of the analysis of a payload, it abbreviate | omits for details.

  In addition, the L7 analysis unit 212a and the L7 analysis unit 212b acquire time stamps that are times when the packets A and B are captured by the switch 40a and the switch 40b, respectively, and notify the L4 statistics unit 240 of the time stamp information. Regarding the method for obtaining the time stamp of the packet data, since the technique of the known Japanese Patent No. 4648181 can be adopted, the details are omitted.

  Further, when the number of objects such as URLs and SQL (Structured Query Language) included in the payload becomes enormous, the processing load of the L7 comparison analysis unit 220 performing analysis increases. Therefore, the L7 comparison / analysis unit 220 compares the payloads of the packets A and B with the variable part of the payloads included in the packets A and B analyzed by the L7 analysis unit 212a and the L7 analysis unit 212b. Is performed (hereinafter referred to as “name identification”).

  Since the name identification method can be performed using the technical contents of the known patent No. 4720213, the details will be omitted. For example, the L7 comparison analysis unit 220 stores various rules regarding name identification in the DB 250 in advance. Keep it. The L7 comparison analysis unit 220 cuts out payloads from the packet A and the packet B, respectively. The L7 comparison analysis unit 220 automatically generates an initial condition for name identification from the extracted payload and stores it in the DB 250. Then, the L7 comparison analysis unit 220 performs name identification processing of the extracted payload based on the rules stored in the DB 250. Note that the L7 comparison analysis unit 220 displays the result of the name identification process to the user through a display (not shown) of the client terminal 400 connected to the packet analysis device 100. And based on the request instruct | indicated from the user through the client terminal 400, the L7 comparison analysis part 220 edits the name collation rule memorize | stored in DB250. The L7 comparison analysis unit 220 notifies the L4 assembly unit 230 of the payload comparison result.

  As a rule of name identification, for example, among information included in a URL, information such as an ID or an account number that specifies an individual, a specific Web page that can be logged in by inputting an ID, a page unique to each ID With respect to information and information on variables (parameters) attached to the end of the URL, a rule that is not subject to comparison by the L7 comparison analysis unit 220 can be adopted by performing masking processing.

  If name identification is not performed, the number of objects such as URLs and SQL included in the payload may be enormous. However, when priority is given to accuracy, complete matching of the payload is desirable. For this reason, according to the accuracy of the analysis state of the network, it is possible to omit the name identification process of the present embodiment based on the user's instruction.

The L4 assembling unit 230 determines whether the comparison results of the payloads of the packet A and the packet B compared by the L7 comparison analysis unit 220 match. If the comparison results of the payloads match, the L4 assembly unit 230 performs a packet data combining process. In the packet data combining process, the L4 assembling unit 230 obtains the source IP address (SA) of the packet A passing through the upstream side of the proxy 30 and the destination IP address (DA) of the packet B passing through the downstream side of the proxy 30. Combining and assembling a TCP / IP header of one packet data. Then, the L4 assembling unit 230 attaches a payload to be compared to the assembled TCP / IP header and assembles it as one packet data (hereinafter referred to as “assembled packet”). In this way, it becomes clear which device the packet transmitted from a specific device is addressed to, so that the packet can be easily analyzed.
The process of assembling the assembly packet by the L4 assembly unit 230 will be described later. The L4 assembling unit 230 notifies the L4 statistical unit 240 of information on the assembled packet data.

  The L4 statistical unit 240 performs statistical processing related to L4. Specifically, the L4 statistics unit 240 is based on the packet between the END and the node (PC device 10 to the server device 20) assembled by the L4 assembling unit 230, and calculates the subnet unit or time (minute / hour / day / Monthly data such as the number of transmitted / received packets, the number of bytes, the number of packet losses, and RTT is statistically processed, and the statistical result data is stored in the DB 250 as a packet information table. The DB 250 stores data statistically processed by the L4 statistical unit 240. The packet information table data statistically processed by the L4 statistics unit 240 will be described later.

  The Web server 300 includes a Java (apple) applet 310 and a software group 320.

  The Java applet 310 is composed of small application components such as a servlet, and the packet information data statistically processed by the L4 statistical unit 240 and stored in the DB 250 is transmitted in HTML (HyperText) in response to a request from the client terminal 400. Response as Markup Language).

  The software group 320 includes Web server software and a servlet container. Web server software is software necessary to operate the Web server 300. The servlet container is software necessary for operating the servlets that make up the Java applet 310.

  The Web server 300 is realized by executing a Java applet 310 by a processor (not shown) of the packet analysis device 100. The Web server 300 responds to inquiries from various server software in response to requests such as the graph type, display period, and END-END designation specified by the client terminal 400.

  The client terminal 400 is configured by an existing PC. A web browser is installed in the client terminal 400.

  When the user instructs display of the packet analysis result via the Web browser 410, the client terminal 400 transmits a request to the Web server 300 of the packet analysis device 100. When the response corresponding to the request is returned from the Web server 300, the Web browser 410 of the client terminal 400 displays a graph of the packet analysis result that is the response result. A specific example of the packet analysis result graph displayed on the browser 410 of the client terminal 400 will be described later.

  FIG. 2B is a hardware block diagram of the packet analysis device 100. The packet analysis device 100 includes a CPU (Central Processing Unit) 512, a RAM (Random Access Memory) 514, a storage unit 516, a communication I / O 518, a DB 250, and a bus 520.

  The CPU 512 reads a program from the storage unit 516 and comprehensively controls the packet analysis device 100 according to the read program. The program includes a packet analysis program, an application, a module, and the like which will be described later.

  The RAM 514 is a working area for developing programs and various data read from the storage unit 516. The storage unit 516 is an HDD (Hard Disk Drive) or a flash memory. The storage unit 516 stores various programs including the above-described packet analysis program such as an application. The DB 250 stores a later-described packet information table in which packet information is stored.

  The communication I / O 518 is configured by a NIC (Network Interface Card) or the like, transmits / receives data and commands to / from the connected client terminal 400, and receives packet data from the switches 40a and 40b. Each part such as the CPU 512 and the RAM 514 is connected by a bus 520. The description of the NIC is omitted because the configuration of the existing interface can be adopted.

  An example of assembling packet data by the L4 assembling unit 230 will be described with reference to FIG. FIG. 3 is a diagram illustrating an example of assembling packet data by the L4 assembling unit 230. Here, for convenience of explanation, a case will be described in which uplink packet data in which communication is performed from the PC device 10 to the server device 20 with the proxy 30 interposed therebetween is assembled.

  In the present embodiment, the source IP address (SA) of the upstream packet A passing through the upstream side of the proxy 30 of the proxy 30 is “a”, and the upstream side of the upstream of the proxy 30 passing through the downstream side of the proxy 30 Assume that the destination IP address (DA) of packet B is “c”.

  In this case, the L4 assembling unit 230 transmits the packet IP that passes the transmission source IP address (SA) “a” of the packet A on the upstream side of the proxy 30 in the upstream direction between the END nodes (PC device 10 to the server device 20). Hereinafter, it is combined as a source IP address (SA) of “assembled packet”.

  The L4 assembling unit 230 assembles the destination IP address (DA) “c” of the packet B downstream of the proxy 30 as the destination IP address (DA) of the assembly packet.

  As a result, the source IP address (SA) included in the upstream packet data TCP / IP header in which communication is performed from the PC device 10 to the server device 20 across the proxy 30 is set to “a” and the destination IP address ( DA) is assembled into “c”. If the URL information “http://xxx.jp/” included in the payload of the packet A matches the URL information “http://xxx.jp/” included in the payload of the packet B, L4 The assembling unit 230 assembles one packet data using the matched payload information as the payload of the assembled packet.

  Next, packet analysis processing by the packet analysis apparatus 100 according to the present embodiment will be described. FIG. 4 is a flowchart illustrating an example of packet analysis processing by the packet analysis program.

  First, the L7 comparison analysis unit 220 performs name identification processing of L7 data (step S11). In this process, the variable part is excluded from the payload parts included in the packet A and the packet B analyzed by the L7 analysis unit 212a and the L7 analysis unit 212b.

  Next, the L7 comparison analysis unit 220 performs L7 data analysis processing (step S12). In this process, the L7 comparison analysis unit 220 uses the payload of the packet data passing through the upstream side of the proxy 30 captured via the mirror port of the switch 40a and the proxy 30 captured via the mirror port of the switch 40b. The payload of the packet data passing through the downstream side is compared.

  The L4 assembling unit 230 compares and determines whether or not the L7 data received from the two locations match (step S13). In this process, it is determined whether or not the payloads received from the two locations of the switch 40a disposed on the upstream side of the proxy 30 and the switch 40b disposed on the downstream side of the proxy 30 match. If the L7 data received from the two locations match (YES in step S13), the L4 assembling unit 230 performs a packet data combining process to assemble an assembled packet (step S14). The packet data combining process in step S14 is performed for both directions of packet data communicated in the upstream direction and packet data communicated in the downstream direction.

  First, packet data combination processing in the case of assembling upstream packet data in which communication is performed in the direction from the PC device 10 to the server device 20 across the proxy 30 will be described. In this case, the L4 assembly unit 230 combines the source IP address (SA) of the packet A that passes upstream of the proxy 30 and the destination IP address (DA) of the packet B that passes downstream of the proxy 30. Assemble the TCP / IP header of one packet data. Then, the L4 assembling unit 230 assembles one assembly packet by attaching the payload to be compared in step S13 to the assembled TCP / IP header.

  Next, packet data combination processing in the case of assembling downstream packet data in which communication is performed from the server device 20 to the PC device 10 with the proxy 30 interposed therebetween will be described. In this case, the L4 assembling unit 230 combines the source IP address (SA) of the packet B passing through the upstream side of the proxy 30 and the destination IP address (DA) of the packet A passing through the downstream side of the proxy 30. Assemble the TCP / IP header of one packet data. Then, the L4 assembling unit 230 assembles one assembly packet by attaching the payload to be compared in step S13 to the assembled TCP / IP header.

  The L4 assembling unit 230 stores information on the assembled packet (END-END node) assembled by the packet data combining process performed in step S14 in the DB 250 (step S15), and the process proceeds to step S16.

  Returning to step S13, if the L7 data received from the two locations do not match (NO in step S13), that is, a packet having the same payload only from one of the mirror ports of the switch 40a or the switch 40b. If not received, the process proceeds to step S17.

  The L7 comparison analysis unit 220 determines whether there is a packet received from between the PC device 10 and the proxy 30 (step S17). If there is a packet received from between the PC device 10 and the proxy 30 (YES in step S17), the L7 comparison analysis unit 220 determines that there is no packet addressed to the server device 20 due to the cache of the proxy 30 or access restriction. (Step S18). The L7 comparison analysis unit 220 determines that END-END is between the PC device 10 and the proxy 30 (step S19).

  The L4 assembling unit 230 stores the packet data information between the PC device 10 and the proxy 30 determined in step S19 in the DB 250 (step 15), and the process proceeds to step S16.

  Returning to step S17, when there is no packet received from the PC device 10 to the proxy 30 (NO in step S17), the L7 comparison analysis unit 220 determines whether there is a packet received from the proxy 30 to the server device 20. Determination is made (step S20).

  It is determined whether there is a packet received from between the proxy 30 and the server device 20 (step S20). When there is no packet received from between the proxy 30 and the server device 20 (NO in step S20), the L7 comparison analysis unit 220 determines that there is no received packet (step S21).

  Thus, depending on the function of the proxy 30, there may be no packet between the proxy 30 and the server device 20. For example, when the proxy 30 temporarily stores information such as a Web page, when using the cache of the proxy 30, there is no communication between the proxy 30 and the server device 20, that is, the proxy 30 is stored. When data is transmitted to the PC device 10, there may be no packet data between the proxy 30 and the server device 20.

  Also, when the proxy 30 prohibits access to the URL requested by the PC device 10 to the server device 20 or controls access by filtering inappropriate content, the proxy 30 has a function as a FW (firewall). Similarly, packet data between the proxy 30 and the server device 20 may not exist. In such a case, the L7 comparison analysis unit 220 determines that there is no packet addressed to the server device 20 due to the cache of the proxy 30 or access restriction. When this process ends, the packet analysis process ends.

  On the other hand, when there is a packet received from the proxy 30 to the server device 20 (YES in step S20), the L7 comparison analysis unit 220 determines that the proxy 30 blocks the response packet addressed to the PC device 10 from the server device 20. Judgment is made (step S22).

  Then, the L7 comparison analysis unit 220 determines that END-END is between the proxy 30 and the server device 20 (step S23).

  The L4 assembling unit 230 stores the packet information between the proxy 30 and the server device 20 determined in step S23 in the DB 250 (step 15).

  In step S <b> 16, the L4 statistics unit 240 performs aggregation processing such as subnetting and time aggregation based on the packet information stored in the DB 250. In this aggregation process, based on the assembly packet (END-END information) stored in the DB 250, the packet between the PC device 10 and the proxy 30, and the packet information between the proxy 30 and the server device 20, the L4 statistical unit The statistical processing 240 totalizes. The L4 statistics unit 240 performs a process of storing the aggregation result as packet information in a packet information table (see FIG. 5 described later) of the DB 250. When this process ends, the packet analysis process ends.

  A packet information table stored in the DB 250 by the L4 statistics unit 240 will be described with reference to FIG. FIG. 5 is a diagram illustrating an example of a packet information table. As shown in FIG. 5, the packet information table stores information on a plurality of packet data including transmission amount, NW delay, transmission loss, and number of transmissions for each address packet at a unit time.

  The time is the time at which a time stamp, which is the time when each packet passing through the network is captured via the mirror port of the switch 40a or the switch 40b, is acquired. This time is not limited to the captured time, and various times such as the time when the packet is transmitted from the PC device 10 or the server device 20 and the time when the assembly packet is assembled by the L4 assembly unit 230 are adopted. can do.

  The address stores information on the IP address included in the TCP / IP header of the packet data. The assembled packet assembled by the L4 assembling unit 230 is assembled based on the source IP address of the packet data passing through the upstream side of the proxy 30 and the destination IP address of the packet data passing through the downstream side of the proxy 30. The IP header information is stored as an address.

  In this embodiment, for convenience of explanation, address A, address B, address C,... And a simplified code (alphabet) are associated with each specific address, but this is not restrictive. It is also possible to store actual IP header information.

The transmission amount is the data size when transmitting the packet.
The NW delay is the difference between the time when the upstream packet is captured by the switch 40a and the time when the downstream packet corresponding to the upstream packet request is captured by the switch 40b.

  In the present embodiment, the difference between the time when the upstream packet is captured by the switch 40a and the time when the downstream packet is captured according to the upstream packet request by the switch 40b is used as the NW delay as described above. For example, various delays such as a difference between the time when the packet is transmitted to the server device 20 and the time when the packet is transmitted to the PC device 10 can be employed.

  The transmission loss is the number of lost packets during transmission of packet data over the network. Note that the transmission loss is excluded from the calculation of the transmission loss in consideration of the case where the packet does not exist due to cache or access restrictions.

  The number of transmissions is the number of packets transmitted from the PC device 10 to the server device 20 or the number of packets transmitted from the server device 20 to the PC device 10.

  Next, FIGS. 6A, 6B, and 6C describe an example of displaying a packet analysis result graph based on the packet information table. 6A, 6B, and 6C are graphs showing packet analysis results.

  Based on the user's operation, the object (location) on the network to be analyzed through the Web browser 410 displayed on the display (not shown) of the client terminal 400, the graph type of the packet analysis result, the period, the END-END designation, etc. When the instruction is performed, the client terminal 400 transmits a request corresponding to the instruction to the Web server 300 of the packet analysis apparatus 100.

  When receiving the request from the client terminal 400, the Web server 300 of the packet analysis apparatus 100 refers to the packet information table stored in the DB 250 and transmits a response corresponding to the request from the client terminal 400 to the client terminal 400. As a response result from the Web server 300 of the packet analysis apparatus 100, the client terminal 400 displays, for example, a graph of the packet analysis result as shown in FIGS. 6A, 6B, and 6C on the display through the Web browser 410.

  6A, FIG. 6B, and FIG. 6C, among the information displayed in the packet information table of FIG. 5, in particular, the units that include unit times “9: 00-9: 01” and “9: 0-01-9: 02”. The transition of the transmission amount, NW delay, and loss rate for the packet of IP address A, in which points for each time are plotted, is displayed.

  In FIG. 6A, the transition of the transmission amount of the packet at the IP address A transmitted every unit time is displayed. By viewing the graph in FIG. 6A, the user can easily analyze the packet data traffic on the network between the PC device 10 and the server device 20 (END-END) in which communication is performed via the proxy 30, and the network. Can be monitored.

  In FIG. 6B, the transition of the network delay at the IP address A transmitted every unit time is displayed. By viewing the graph in FIG. 6B, the user can easily analyze the network delay of packet data on the network between the PC device 10 and the server device 20 (END-END) that communicates via the proxy 30. The network can be monitored.

  In FIG. 6C, the transition of the packet loss rate at the IP address A transmitted every unit time is displayed. By viewing the graph of FIG. 6C, the user can easily analyze the packet loss rate on the network between the PC device 10 and the server device 20 (END-END) that communicates via the proxy 30, and the network. Can be monitored.

  In the present embodiment, only the display example of the graph of the IP address A in the graphs of FIGS. 6A to 6C has been described. However, the present invention is not limited to this, and a plurality of pieces of IP address information may be superimposed and displayed. Can be displayed side by side.

  In the present embodiment, it is possible to analyze packet data simply by changing a setting of an existing switch and capturing a packet obtained by copying packet data flowing on an existing network. Therefore, the packet analysis apparatus 100 according to the present embodiment can operate the network without changing the existing network configuration. In other words, it eliminates the risk of changing the configuration of a network that is currently operating stably by connecting a new device to the network, and the risk of introducing new software to a device that is currently operating stably. In addition, it is possible to operate the network while preventing an increase in cost caused by introducing new equipment.

  The present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, all the constituent elements shown in the embodiments may be appropriately combined. Furthermore, constituent elements over different embodiments may be appropriately combined. It goes without saying that various modifications and applications are possible without departing from the spirit of the invention.

1 packet analysis system 10 PC device 20 server device 30 proxy 40a switch 40b switch 100 packet analysis device 200 measurement server 210a packet analysis unit 210b packet analysis unit 211a L4 analysis unit 211b L4 analysis unit 212a L7 analysis unit 212b L7 analysis unit 220 L7 comparison Analysis unit 230 L4 assembly unit 240 L4 statistics unit 250 DB
300 Web server 310 Java applet 320 Software group 400 Client terminal 410 Web browser 512 CPU
514 RAM
516 Storage unit 518 Communication I / 0
520 bus

Claims (8)

A packet analysis device computer that analyzes a communication path of packet data that is communicated from the first device to the second device across a relay device that relays a network;
Comparison analysis means for comparing the payload of the first packet data passing through the upstream side of the relay device and the payload of the second packet data passing through the downstream side of the relay device;
Assembly means for assembling a source IP address of the first packet data and a destination IP address of the second packet data when the comparison results of the payloads match;
Packet analysis program characterized by functioning as The comparison analysis unit creates name identification data by eliminating variable parts according to predetermined conditions in the payload included in the packet data,
In comparing each payload,
The packet analysis program according to claim 1, wherein the name identification data of the first packet data is compared with the name identification data of the second packet data. The assembly means includes
A TCP / IP header of one packet data is assembled from the source IP address of the first packet data and the destination IP address of the second packet data, and the comparison / analysis unit compares the assembled TCP / IP header with the assembled TCP / IP header. The packet analysis program according to claim 1 or 2, wherein a target payload is attached and assembled as one packet data. The packet analysis program further includes:
The packet analysis program according to any one of claims 1 to 3, wherein data obtained by statistically processing packet information including the assembled packet is created. The packet analysis program according to any one of claims 1 to 4, wherein the relay device is a proxy that divides a connection on a network. A packet analysis device that analyzes a communication path of packet data that is communicated from a first device to a second device across a relay device that relays a network,
A comparison and analysis unit that compares the payload of the first packet data passing through the upstream side of the relay device and the payload of the second packet data passing through the downstream side of the relay device;
An assembly unit that assembles a source IP address of the first packet data and a destination IP address of the second packet data when the comparison results of the payloads match;
A packet analysis apparatus comprising: The comparative analysis unit
A payload of capture data obtained by copying the first packet data via a mirror port of a first switch arranged on the upstream side of the relay device, and a second switch arranged on the downstream side of the relay device The packet analysis apparatus according to claim 6, wherein the payload of the capture data copied from the second packet data is compared via a mirror port. A packet analysis method for analyzing a communication path of packet data for communication from a first device to a second device across a relay device that relays a network,
Comparing the payload of the first packet data passing through the upstream side of the relay device and the payload of the second packet data passing through the downstream side of the relay device;
A packet analysis method comprising assembling a source IP address of the first packet data and a destination IP address of the second packet data when the comparison results of the payloads match.

Images