JP2024000673A - Communication log analysis device and method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To facilitate the analysis of a communication log including machine codes of data of a data frame communicated between devices.

SOLUTION: A communication log accumulated on a mediation device mediating communication between devices includes a log entry per data frame. The log entry includes a machine code of data of a data frame. The machine code includes a machine code of data representing a data type. A communication log analysis device identifies matters including time, transmission or reception, a transmission destination device or a transmission source device, and a data type of data in a data frame corresponding to the log entry from each log entry of the communication log. The communication log analysis device identifies one or a plurality of subject matters, which is one or a plurality of matters related to the target data type, among the plurality of identified matters, identifies an analysis sequence, which is a communication sequence based on the one or the plurality of identified subject matters, and displays a figure of the analysis sequence.

SELECTED DRAWING: Figure 1

COPYRIGHT: (C)2024,JPO&INPIT

Description

The present invention generally relates to communication log analysis, and particularly relates to communication log analysis that acquires communication logs when a communication failure occurs and plays an auxiliary role in failure cause analysis.

When a communication failure occurs, it is generally necessary to analyze communication logs accumulated in devices involved in communication in order to identify the cause of the failure and perform failure recovery. Furthermore, it may be necessary to analyze communication logs for reasons other than the occurrence of a communication failure.

Patent Document 1 discloses a method for analyzing communication access logs. By converting encrypted logs into plaintext logs, it is possible to analyze what kind of data was exchanged and to visualize the access status to categorized sites.

Patent Document 2 discloses a method of collecting and analyzing communication logs related to a failure when a failure occurs. The monitoring logs of multiple devices are collected in a single device, and when a failure occurs, the location of the failure can be identified from the monitoring logs of the multiple devices.

Japanese Patent Application Publication No. 2020-197929 Japanese Patent Application Publication No. 2011-221703

Generally, communication logs to be analyzed are stored in an intermediary device that mediates communication between devices. The communication log accumulated in the mediation device has a log entry for each data frame received by the mediation device and for each data frame transmitted by the mediation device. For each data frame, the log entry includes machine language for the data of at least a portion of that data frame.

Even if you look at the machine language display of the log entry, it will be difficult to analyze unless the analyzer is an expert in analysis. Therefore, when a communication failure occurs, it is difficult to perform a quick analysis (for example, to quickly determine the cause for failure recovery).

Furthermore, the viewpoint of analysis differs depending on the data type of data in the data frame (for example, whether it is data that is communicated at regular intervals, whether there is a response, whether it is data that requires a reply, etc.). Data representing the data type is included in the data of the data frame, and the communication log includes machine language for the data representing the data type. For this reason, it is also difficult to specify the data type.

Such a problem and its solution are neither disclosed nor suggested in either Patent Documents 1 and 2.

A communication log analysis device acquires communication logs accumulated in an intermediary device. The communication log has a log entry for each data frame, and the log entry includes data representing the time when the intermediary device received the data frame from the device or the time when the intermediary device sent the data frame to the device, and machine language of at least part of the data (including data representing the data type) of the data frame. The communication log analysis device extracts information from each log entry in the acquired communication log, including the time, whether it is sent or received, the destination device or the source device, and the data type of the data in the data frame corresponding to the log entry. Identify what matters. The communication log analysis device identifies one or more target matters that are one or more matters related to the target data type among the multiple identified matters, and Identify an analysis sequence that is a communication sequence based on the subject matter of , and display a diagram of the analysis sequence.

It is possible to easily analyze a communication log containing machine language of data of data frames communicated between devices.

1 is a diagram illustrating a schematic configuration example of an entire system according to an embodiment of the present invention. It is a figure showing an example of composition of a data frame. It is a figure showing an example of condition input UI. It is a figure which shows the example of a structure of all data information. It is a figure which shows the example of a structure of extracted data information. FIG. 3 is a diagram illustrating a configuration example of special processing information. It is a flowchart of an example of analysis processing. FIG. 3 is a diagram illustrating an example of a correct communication sequence. FIG. 3 is a diagram illustrating an example of a correct communication sequence. FIG. 3 is a diagram showing an example of an analysis sequence diagram without special processing. FIG. 7 is a diagram showing an example of an analysis sequence diagram with special processing.

In the following description, an "interface device" may be one or more interface devices. The one or more interface devices may be at least one of the following:
- One or more I/O (Input/Output) interface devices. The I/O (Input/Output) interface device is an interface device for at least one of an I/O device and a remote display computer. The I/O interface device for the display computer may be a communication interface device. The at least one I/O device may be a user interface device, eg, an input device such as a keyboard and pointing device, or an output device such as a display device.
- One or more communication interface devices. The one or more communication interface devices may be one or more of the same type of communication interface device (for example, one or more NICs (Network Interface Cards)) or two or more different types of communication interface devices (for example, one or more NICs (Network Interface Cards)). It may also be an HBA (Host Bus Adapter).

Also, in the following description, "memory" refers to one or more memory devices, which may typically be a main storage device. At least one memory device in the memory may be a volatile memory device or a non-volatile memory device.

Also, in the following description, "persistent storage" refers to one or more persistent storage devices. The persistent storage device is typically a non-volatile storage device (eg, auxiliary storage device), and specifically, for example, a HDD (Hard Disk Drive) or an SSD (Solid State Drive).

Furthermore, in the following description, a "storage device" may be at least a memory and a persistent storage device.

Also, in the following description, a "processor" refers to one or more processor devices. The at least one processor device is typically a microprocessor device such as a CPU (Central Processing Unit), but may be another type of processor device such as a GPU (Graphics Processing Unit). At least one processor device may be single-core or multi-core. The at least one processor device may be a processor core. The at least one processor device may be a processor device in a broad sense such as a hardware circuit (eg, FPGA (Field-Programmable Gate Array) or ASIC (Application Specific Integrated Circuit)) that performs part or all of the processing.

In addition, in the following explanation, functions may be explained using the expression "yyy part", but functions may be realized by one or more computer programs being executed by a processor, or one or more computer programs may be executed by a processor. It may be realized by the above hardware circuit (for example, FPGA or ASIC), or a combination thereof. When a function is realized by a program being executed by a processor, the specified processing is performed using a storage device and/or an interface device as appropriate, so the function may be implemented as at least a part of the processor. good. A process described using a function as a subject may be a process performed by a processor or a device having the processor. Programs may be installed from program source. The program source may be, for example, a program distribution computer or a computer-readable recording medium (for example, a non-temporary recording medium). The description of each function is an example, and a plurality of functions may be combined into one function, or one function may be divided into a plurality of functions.

In addition, in the following explanation, when the same type of elements are explained without distinguishing, common reference numerals are used, and when the same type of elements are explained separately, the element ID (for example, identification number) is used. or reference signs may be used.

Embodiments of the present invention will be described in detail below with reference to the drawings.

FIG. 1 is a diagram showing a schematic configuration example of an entire system including a communication log analysis device (hereinafter referred to as analysis device) according to an embodiment.

A plurality of devices 101 (101A, 101B, 101C, . . . ) communicate via an intermediary device (communication intermediary device) 111. At least one set of devices 101 of the plurality of devices 101 may be a server-client system.

Mediation device 111 includes an interface device 51, a storage device 52, and a processor 53 connected thereto.

A plurality of devices 101, an NTP (Network Time Protocol) server 121, and an analysis device 130 are connected to the interface device 51, for example, via a communication network. A communication log 55 is recorded in the storage device 52.

When the processor 53 executes a computer program stored in the storage device 52, functions such as the intermediary section 114, the recording section 112, and the output section 113 are realized. The intermediary unit 114 mediates communication between the devices 101 (receives a data frame from the device 101 as the source, and transmits the data frame to the device 101 as the destination).

The recording unit 112 records a communication log 55 of communication between the devices 101 in the storage device 52. The communication log 55 has a log entry for each data frame received by the mediation device 111 and for each data frame transmitted by the mediation device 111. For each data frame, a log entry includes data representing the time when the intermediary device 111 received the data frame from the device 101 or the time when the intermediary device 111 sent the data frame to the device, and all (or a portion) of the data frame. ) and the machine language of the data. Specifically, for example, each time the intermediary device 111 receives or transmits a data frame, the recording unit 112 specifies the time through communication with the NTP server 121 (or specifies the time using a timer inside the intermediary device 111). ), data representing the specified time is included in the log entry, and the machine language of the data of the data frame received or transmitted by the intermediary device 111 is included in the log entry.

The output unit 113 transmits the communication log 55 to the analysis device 130.

The analysis device 130 includes an interface device 71, a storage device 72, and a processor 73 connected thereto.

The intermediary device 111 and the analyst terminal 140 are connected to the interface device 71, for example, via a communication network. The analyst terminal 140 is an example of an input/output device operated by an analyst, and is, for example, a computer equipped with a display device and an input device, such as a smartphone or a personal computer.

The communication log 55 from the intermediary device 111 is stored in the storage device 72 . Furthermore, data type rule information 156, analysis target condition information 157, special processing information 158, and sequence information 159 are stored in the storage device 72. The data type rule information 156 is information representing a rule for specifying a data type represented by data existing at a position depending on the configuration of a user area (described later). The extraction condition information 157 is information representing analysis target conditions (conditions regarding communication to be analyzed). The analysis target conditions are, for example, conditions specified by the analyst. Special processing information 158 is information representing the relationship between data types and special processing. Sequence information 159 is information representing the correct communication sequence for at least one data type (eg, a data type that requires special processing).

When the processor 73 executes a computer program stored in the storage device 72, functions such as the input section 131, the output section 132, and the analysis section 133 are realized.

The input unit 131 receives (obtains) the communication log 55 from the intermediary device 111 and stores the communication log 55 in the storage device 72 . In addition, the input unit 131 receives input of analysis target conditions from the analyst terminal 140 and stores analysis target condition information 157 representing the analysis target conditions in the storage device 72 .

The output unit 132 displays a diagram of the analysis sequence specified by the analysis unit 133 on the analyst terminal 140 (sends display information for the diagram of the analysis sequence to the analyst terminal 140). The analysis unit 133 analyzes the communication log 55 and identifies an analysis sequence.

The device 101 communicates with other devices via the intermediary device 111 using wired or wireless communication means. The intermediary device 111 records in the communication log 55 the time when the inter-device communication was performed and the content of the communication (for example, the machine language of the data in the data frame).

For example, when the occurrence of a failure is detected by the intermediary device 111 (for example, when a failure notification is received from at least one device 101 of the source and destination), the communication log 55 accumulated in the intermediary device 111 is sent to the output unit 113. The data is output from the analyzer 131 and stored in the storage device 72 of the analyzer 130 through the input section 131 of the analyzer 131. Note that the analysis device 131 does not necessarily need to be connected to the intermediary device 111; specifically, the communication log 55 may be copied from a portable storage medium to the storage device 72 via the interface device 71. .

FIG. 2 is a diagram illustrating a configuration example of a data frame used in inter-device communication.

The data frame illustrated in FIG. 2 is a general TCP/IP frame, and includes an Ethernet header 201 (Etherenet is a registered trademark), an IP header/TCP header 202, and user data 210. User data 210 is data that occupies user area 203. The data length and data format of the user data 210 are arbitrary. Although there are no restrictions on the data length and data format of the user area 203, it is assumed that data type data (data representing a data type) 211 is present at a specified location in the user area 203.

Here, "data type" is the type of data (eg, particularly user data 210) of the data frame. The data type means, for example, whether the user data is data that is communicated at regular intervals, data that requires a response, or data that requires a reply. It is desirable for analysts to analyze communication logs from a perspective appropriate to the data type.

The data type data 211 exists in the user area 203 at a position that depends on the configuration of the user area 203. In other words, the position of the data type data 211 (for example, the offset from the beginning of the data frame or the beginning of the user area) is not unique. Therefore, it is difficult to identify the data type from the communication log 55 in which the user data 210 is written. For example, some user data 210 includes a user data body and a user data header, and the position of data type data 211 differs depending on the type of user data header. Since the configuration of the user area 203 is determined by the user, it is difficult to specify the data type.

Further, in the communication log 55, user data (all data in the user area 203) is written in machine language. This point is also a factor that makes it difficult to identify data types.

Therefore, in this embodiment, data type rule information 156, that is, information representing a rule for specifying a data type represented by data existing at a position depending on the configuration of the user area 203 is prepared. Examples of one or more rules that can be registered and specific data types that follow the rules are as follows.
- The rule represents the relationship between the type of sending device and the type of user data header and/or position of data type data. When the analysis unit 133 identifies the type of the sending device from the log entry, the analysis unit 133 uses the identified device type as a key to identify the position of the data type data 211 from the rule, and determines the data type from the data 211. Identify.
- Rules specify the type of header (Etherenet header, IP header/TCP header, and/or user data header), the characteristics of the header (for example, the character string at the beginning of the header), and the position of the data type data 211. Represents a relationship. When the analysis unit 133 specifies the characteristics of the header from the log entry, the analysis unit 133 uses the specified characteristics as a key to specify the position of the data type data 211 from the rule, and specifies the data type from the data 211.
- A rule represents the relationship between a specific character string (for example, a string of alphabets or numbers) and the position of the data type data 211. If any specific character string is found in the log entry, the analysis unit 133 uses the specific character string as a key to specify the position of the data type data 211 from the rule, and determines the data type from the data 211. Identify.

FIG. 3 is a diagram illustrating an example of a condition input UI (User Interface).

The condition input UI 300 is a UI that accepts input of analysis target conditions, and is a UI provided to the analyst terminal 140 by the input unit 131. The condition input UI 300 includes a tool (for example, a GUI component) that accepts input of elements of conditions to be analyzed. Both tools are useful for narrowing down the log entries to be analyzed.

According to the condition input UI 300, the analyst can select the data type to be investigated from the pull-down menu 301.

Further, according to the condition input UI 300, by inputting the time to be analyzed after communication log acquisition into the text boxes 302 and 303, the start time and end time to be analyzed can be specified.

Further, according to the condition input UI 300, if you want to output an analysis sequence diagram of only data received by the intermediary device 111 or data sent by the intermediary device 111, you can select transmission or reception from the pull-down menu 304.

Furthermore, according to the condition input UI 300, if you want to output an analysis sequence diagram of communication between specific devices, you can select the source device from the pull-down menu 305 and select the destination device from the pull-down menu 306.

The AND of the above conditions becomes the analysis target condition, and information 157 representing the analysis target condition is stored in the storage device 72. An analysis sequence diagram to be output is created by the analysis unit 133 based on the log entry that satisfies the analysis target conditions.

In this way, the input unit 131 accepts manual input of analysis target conditions, which are conditions related to communication to be analyzed. Conditions to be analyzed include data type, communication time range (start time and end time, reference time and offset from reference time, etc.), transmission or reception, and communication between devices. consists of at least one condition. An analyst can limit the log entries to be analyzed by specifying conditions for analysis. Therefore, the time required for analysis processing can be shortened, and only the information necessary for investigating the cause can be output.

FIG. 4A is a diagram showing an example of the configuration of all data information 401.

The analysis unit 133 extracts information from each log entry in the communication log 55, including the time, whether it is sent or received, the destination device or the source device, and the data type of the data in the data frame corresponding to the log entry. The data information 401 including information representing the specified items is created. The total data information 401 has an entry for each log entry (for each data frame). The entry includes information such as time 411, data type 412, sending/receiving 413, communication partner 414, data A 415, and data B 416.

The time 411 is the time specified from the log entry, and specifically represents the time when the intermediary device 111 transmitted the data frame or received the data frame.

Data type 412 represents the data type identified from the log entry. To specify the data type, the analysis unit 133 refers to the data type rule information 156 described above.

Transmission/reception 413 represents transmission or reception identified from the log entry. The communication partner 414 represents the destination device or source device identified from the log entry, specifically, the ID of the source device (for example, the name of the device) or the ID of the destination device.

dataA 415 represents the data part (part of the data frame) identified from the log entry, and dataB 416 represents the data part (the remainder of the data frame) identified from the log entry. That is, all or part of a data frame identified from a log entry may be divided into multiple data parts, and the multiple data parts may be included in the entry. For example, user data identified from a log entry may be divided into a plurality of data parts and stored in the entry of the total data information 401. The number of data parts can be determined arbitrarily. For example, dataA 415 may be the Ethernet header 201 and IP header/TCP header 202, and dataB 416 may be the user data 210. Alternatively, for example, dataA 415 may be a user data header, and dataB 416 may be the user data body.

FIG. 4B is a diagram showing a configuration example of extracted data information 402.

Extracted data information 402 is information that is comprised only of entries that match the analysis target conditions out of all data information 401. Therefore, the information 421 to 426 that the entries of the extracted data information 402 have are the same as the information 411 to 416 that the entries of the total data information 401 have. The analysis unit 133 identifies entries that match the analysis target condition represented by the information 157 from among all the data information 401, and generates extracted data information 402, which is a set of the identified entries. One or more entries included in the extracted data information 402 correspond to an example of information representing one or more items related to the target data type (data type included in the analysis target condition).

FIG. 5 shows a configuration example of the special processing information 158.

Special processing information 158 represents the relationship between the data type and the presence or absence of special processing. For example, the special processing information 158 has an entry for each data type, and each entry includes information such as a data type 501, a special processing flag 502, and a special processing name 503.

Data type 501 represents a data type. The special processing flag 502 indicates the presence or absence of special processing (“1” means that there is, and “0” means that there is no special processing). The special process name 503 represents the name of the special process if there is a special process. The special process name 503 may be associated with a special process (for example, an algorithm).

"Special processing" refers to processing performed to generate an analysis sequence diagram to be displayed, other than identifying a communication sequence from the extracted data information 402 and generating a diagram of that communication sequence. .

FIG. 6 is a flowchart of an example of the analysis process.

The input unit 131 of the analysis device 130 inputs the communication log 55 accumulated in the intermediary device 111, and stores the communication log 55 in the storage device 72 (S601).

The analysis unit 133 extracts the time of communication, the data type, whether it is sent or received, the communication partner, and the data to be sent and received (all or part of the user frame) from the communication log 55, and extracts the information including the information. All data information 401 is created (S602). In S602, various information is as follows, for example.
- Time 411 represents the time specified from the data representing time in the log entry.
- Data type 412 represents a data type specified according to at least one rule represented by data type rule information 156.
- Sending/receiving 413 and communication partner 414 are information specified from the header of the data frame in the log entry.
- dataA 415 and dataB 416 are all or part of a data frame (for example, machine language) included in the log entry.

The input unit 131 displays a condition input UI on the analyst terminal 140, receives input of the analysis target condition via the condition input UI, and stores information 157 representing the input analysis target condition in the storage device 72 (S603 ). Note that S603 may be performed in advance.

The analysis unit 133 creates extracted data information 402 by extracting only entries that match the analysis target conditions from all data information 401 (S604).

The analysis unit 133 refers to the entry in the special processing information 158 that corresponds to the data type represented by the extracted data information 402 (or the data type included in the analysis target condition) and determines whether special processing is necessary. (S605).

If special processing is not required (S605: NO), the analysis unit 133 determines, from the extracted data information 402, the time, which data frame the intermediary device 111 received from which device, and which data frame the intermediary device 111 received. It specifies which data type of data frame was sent to the device, constructs an analysis sequence that is a communication sequence representing the specified items, and generates a diagram of the analysis sequence. The output unit 132 displays the analysis sequence diagram on the analyst terminal 140 (S606).

If special processing is necessary (S6005: YES), the analysis unit 133 identifies the special processing from the special processing information 158 (S607). The analysis unit 133 determines, from the extracted data information 402, the time, which data frame of which data type the intermediary apparatus 111 received from which device, and which data frame of which data type the intermediary apparatus 111 transmitted to which device. An analysis sequence that is a communication sequence representing the identified matter is specified, and the special processing of S607 is applied to the analysis sequence (S608). The analysis unit 133 generates a diagram of the analysis sequence that has been subjected to special processing. The output unit 132 displays the analysis sequence diagram on the analyst terminal 140 (S609).

Analysts have different analysis viewpoints (for example, data items they want to see) depending on the data type. The data type can be identified from communication logs containing machine language, and an analysis sequence diagram that follows the viewpoint according to the data type is automatically generated and displayed. This makes analysis easy for the analyst. In addition, if special processing is associated with the target data type (the data type represented by the extracted data information 402 (or the data type included in the analysis target condition)), the displayed analysis sequence diagram It is a diagram in which the special processing has been applied to a diagram of a communication sequence obtained from. This makes analysis easier for the analyst.

7A and 7B are diagrams illustrating an example of a correct communication sequence depending on the data type. For each data type, the correct communication sequence can be identified from sequence information 159.

The communication sequence illustrated in FIG. 7A is a correct communication sequence for data type 2. In relation to data type 2, data frames of data types 3 to 5 are transmitted and received.

The communication sequence illustrated in FIG. 7B is a correct communication sequence of data type 11. In relation to data type 11, data frames of data type 12 are transmitted and received. In addition, the threshold value for the time from when a data frame of data type 11 is transmitted from device 2 until device 2 receives a data frame of data type 12, and when a data frame of data type 11 is transmitted from device 2 and then when the data frame of data type 11 is A threshold value of time until a data frame is transmitted from device2 is defined.

FIG. 8 is a diagram showing an example of an analysis sequence diagram (the diagram displayed in S606) without special processing.

The elements in the analysis sequence diagram are, for example, the following.
- The time is the time specified from the time 421.
-device1 is the destination device, and device2 is the source device. The arrow indicates the data transmission direction. These are elements identified from send/receive 423 and communication partner 424.
- For each arrow (that is, for each transmission and each reception), the data type listed in the vicinity is the data type specified from the data type 422.

FIG. 9 is a diagram showing an example of an analysis sequence diagram (displayed in S609) with special processing.

An example of special processing includes:
- Identify the correct communication sequence for the target data type from the sequence information 159 representing the correct communication sequence for each data type.
- Performing a sequence comparison, which is a comparison between information representing the identified correct communication sequence and information representing the analysis sequence (communication sequence identified from the extracted data information 402).

The displayed analysis sequence diagram includes information based on the differences between sequences identified in the sequence comparison. According to the example shown in FIG. 9, the "information based on the difference" is as follows.
- The string "error" means that there is a time in the correct communication sequence but not in the analysis sequence.
- A combination of an arrow indicating reception of device2, which is present in the correct communication sequence but not in the analysis sequence, and the character string "No reception."
- A combination of an arrow indicating transmission of device2, which is present in the correct communication sequence but not in the analysis sequence, and the character string "No transmission."

In this way, by using the special processing, the difference between the correct communication sequence and the analysis sequence is specified, and information based on the specified difference is displayed on the analysis sequence diagram. Therefore, analysis becomes easier and the time required for analysis can be further reduced.

Although several embodiments of the present invention have been described above, these are illustrative examples for explaining the present invention, and are not intended to limit the scope of the present invention to these embodiments. The present invention can also be implemented in various other forms. For example, it is possible to combine any two or more embodiments among the plurality of embodiments described above.

For example, the communication log 55 may be directly input from the intermediary device 111 to the analysis device 130, or may be input from the intermediary device 111 to the analysis device 130 via a portable storage medium. Furthermore, the communication log 55 may be input to the analysis device 130 by the analysis device 130 reading the communication log displayed on the intermediary device 111 .

Further, the special processing flag 502 and special processing name 503 of the special processing information 158 may be changeable. This can be expected to easily deal with increases and decreases in data types or changes in the regular sequence.

130 Communication log analysis device

Claims (8)

Equipped with an analysis section and an output section,
The analysis unit acquires communication logs accumulated in an intermediary device that mediates communication between devices,
The communication log has a log entry for each data frame received by the intermediary device and for each data frame transmitted by the intermediary device,
For each data frame,
The log entry includes data representing the time when the intermediary device received the data frame from the device or the time when the intermediary device sent the data frame to the device, and machine language for at least part of the data in the data frame. including
The at least some data machine language includes a data machine language representing a data type;
The analysis section includes:
From each log entry in the acquired communication log, items including the time, whether it is sent or received, the destination device or the source device, and the data type of the data in the data frame corresponding to the log entry are identified. ,
Among the identified plurality of matters, specify one or more target matters that are one or more matters related to the target data type,
Identifying an analysis sequence that is a communication sequence based on the identified one or more target matters,
the output unit displays a diagram of the analysis sequence;
Communication log analysis device. It further includes an input section that accepts manual input of analysis target conditions, which are conditions related to communication to be analyzed,
The conditions to be analyzed include at least one of the following: data type, communication time range, transmission or reception, and communication between devices;
Each of the identified one or more target matters is a matter that satisfies the analysis target condition,
The communication log analysis device according to claim 1. The analysis unit determines whether information representing any one of the one or more special processes is associated with the target data type,
If the result of the determination is true, the diagram of the analysis sequence is a diagram obtained by applying the associated special processing to the diagram of the communication sequence obtained from the identified one or more target items. ,
The communication log analysis device according to claim 1. The special treatment is
Identifying the correct communication sequence for the target data type from sequence information that is information representing the correct communication sequence for each data type;
performing a sequence comparison that is a comparison between information representing the identified correct communication sequence and information representing the analysis sequence;
The diagram of the analysis sequence includes information based on the difference between the sequences identified in the sequence comparison.
The communication log analysis device according to claim 3. The machine language of at least some of the data is the machine language of user data,
For each data frame, the user data is the data in the user area of the data frame, including data representing the data type;
The communication log analysis device according to claim 1. The analysis section includes:
Refer to data type rule information, which is information representing rules for identifying the data type represented by data existing in a position depending on the configuration of the user area,
identifying a data type according to at least one rule represented by the data type rule information;
The communication log analysis device according to claim 5. A computer acquires communication logs accumulated in an intermediary device that mediates communication between devices,
The communication log has a log entry for each data frame received by the intermediary device and for each data frame transmitted by the intermediary device,
For each data frame,
The log entry includes data representing the time when the intermediary device received the data frame from the device or the time when the intermediary device sent the data frame to the device, and machine language for at least part of the data in the data frame. including
The at least some data machine language includes a data machine language representing a data type;
The computer obtains information from each log entry in the acquired communication log, including the time, whether it is sent or received, the destination device or the source device, and the data type of the data in the data frame corresponding to the log entry. identify,
The computer identifies one or more target matters that are one or more matters related to the target data type among the identified plurality of matters,
The computer identifies an analysis sequence that is a communication sequence based on the identified one or more target matters,
a computer displays a diagram of the analysis sequence;
Communication log analysis method. Obtain communication logs accumulated in an intermediary device that mediates communication between devices,
The communication log has a log entry for each data frame received by the intermediary device and for each data frame transmitted by the intermediary device,
For each data frame,
The log entry includes data representing the time when the intermediary device received the data frame from the device or the time when the intermediary device sent the data frame to the device, and machine language for at least part of the data in the data frame. including
The at least some data machine language includes a data machine language representing a data type;
From each log entry in the acquired communication log, items including the time, whether it is sent or received, the destination device or the source device, and the data type of the data in the data frame corresponding to the log entry are identified. ,
Among the identified plurality of matters, specify one or more target matters that are one or more matters related to the target data type,
Identifying an analysis sequence that is a communication sequence based on the identified one or more target matters,
displaying a diagram of the analysis sequence;
A computer program that causes a computer to do something.

Images