JP2007274282A - Network monitoring program, network monitoring method and network monitoring device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To highly accurately and automatically discriminate a fault generation part on a network regardless of the number of connections. <P>SOLUTION: An address storage means 14 stores the physical address of a router 30 relaying transmission/reception data between the network 21 to which an own device 1 is connected and an external network 22. A communication condition monitoring means 16 monitors communication conditions with other equipment. An abnormality detection means 17 detects the abnormality of communication from communication contents detected in the communication condition monitoring means 16. A fault part judgement means 18 refers to the address storage means 14, and when the physical address of communication opposite equipment for which the abnormality is detected in the abnormality detection means 17 does not match with the physical address of the router 30 stored in the address storage means 14, judges that the fault is generated in the communication with the equipment connected to the network 21 other than the router 30. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a network monitoring program, a network monitoring method, and a network monitoring apparatus for monitoring an operation state of a network, and more particularly to a network monitoring program, a network monitoring method, and a network monitoring apparatus that detect a failure occurring on the network. About.

  With the development of information technology, many companies are trying to improve the efficiency of operations using computer systems. In the computer system, a plurality of communication devices such as a plurality of computers and switches are connected via a network. And with the expansion of the scope of work that can be performed by computers, networks are becoming larger year by year.

  In addition, with the opening and standardization of the system architecture and the like, it is possible to construct a network by combining devices from different manufacturers. In addition, intelligent devices on the network are being promoted. As a result, the network configuration is complicated.

  As described above, when a trouble occurs in a large-scale and complicated network, the operation status of each device is confirmed. By the way, there are many cases where a failure in the network cannot be determined only by the operation status of each device. Therefore, it is a very difficult task to identify the fault location and cause on the network. If the location and cause of failure are not known for a long time, the business of the customer who uses the network will be stopped for a long time.

  Therefore, there is a demand for automatically detecting the location of failure on the network and its cause without the system administrator's judgment. For this reason, when a table that correlates elements that can cause failures on the network and events that indicate communication abnormalities is prepared and an event that indicates abnormalities is detected during communication with other devices, A technique for determining a cause of a failure corresponding to the event with reference to a table is considered (for example, see Patent Document 1).

In the technique described in Patent Document 1, communication is mainly monitored by the protocol of the network layer and the transport layer, so that the own apparatus side, the adjacent transmission path side, and the non-adjacent transmission path side (for example, via a router). It was possible to determine where the failure occurred on the previous transmission line side). Specifically, by monitoring the presence or absence of playback packets, the presence or absence of duplicate received packets, the presence or absence of data loss, the Ack (acknowledgment response) response time, the reset signal, etc., communication abnormalities are detected and which abnormal events are detected. The location of the failure is determined by checking which connection is occurring in the above table.
Japanese Patent Laying-Open No. 2005-167347 (paragraph numbers [0021] to [0031], FIG. 1)

  However, in the technique described in Patent Document 1, since the failure location is determined based on the difference between events detected in each connection and indicating an abnormality, the number of communication counterpart devices and connections is small. In such a case, there is a problem that it is impossible to accurately determine the location of the failure. For example, when a communication abnormality is detected at a specific IP (Internet Protocol) address and port, it can be determined that a failure has occurred in the communication partner device, but when there is only one monitored connection, It was not possible to determine whether the device was connected to an external network via a router or connected to a network in front of the router.

  The present invention has been made in view of such points, and a network monitoring program, a network monitoring method, and a network capable of automatically and accurately determining a failure occurrence location on a network regardless of the number of connections An object is to provide a monitoring device.

  In the first aspect of the present invention, a network monitoring program for causing a computer to execute the functions shown in FIG. 1 is provided in order to solve the above problems. This network monitoring program is for detecting a failure occurrence location on the network, and can cause a computer to execute the following functions.

  A computer that operates based on the network monitoring program has functions of an address storage unit 14, a communication status monitoring unit 16, an abnormality detection unit 17, and a failure location determination unit 18. The address storage unit 14 stores the physical address of the router 30 that relays transmission / reception data between the internal network to which the computer is connected and the external network. The communication status monitoring unit 16 monitors the communication status with other devices. The abnormality detection unit 17 detects a communication abnormality from the communication content detected by the communication status monitoring unit 16. The failure location determination unit 18 refers to the address storage unit 14, and the physical address of the communication counterpart device whose abnormality is detected by the abnormality detection unit 17 does not match the physical address of the router 30 stored in the address storage unit 14. It is determined that a failure has occurred in communication with a device connected to the internal network other than the router 30.

  When the computer executes such a network monitoring program, the address storage unit 14 stores the physical address of the router 30 that relays transmission / reception data between the internal network and the external network to which the computer is connected. In addition, the communication status monitoring unit 16 monitors the communication status with other devices, and the abnormality detection unit 17 detects a communication abnormality from the communication content detected by the communication status monitoring unit 16. Then, the failure location determination unit 18 refers to the address storage unit 14, and the physical address of the communication counterpart device whose abnormality is detected by the abnormality detection unit 17 matches the physical address of the router 30 stored in the address storage unit 14. If not, it is determined that a failure has occurred in communication with a device connected to the internal network other than the router 30.

  According to a second aspect of the present invention, there is provided a network monitoring method for detecting a fault occurrence location on a network connected to an information processing apparatus, in order to solve the above problem, wherein the address storage means includes the information processing apparatus. Stores the physical address of the router that relays transmission / reception data between the internal network and the external network to which the network is connected, the communication status monitoring means monitors the communication status with other devices, and the abnormality detection means A communication abnormality is detected from the communication content detected by the communication status monitoring means, the failure location determination means refers to the address storage means, and the physical address of the communication counterpart device where the abnormality is detected by the abnormality detection means is When the physical address of the router stored in the address storage means does not match, the device connected to the internal network other than the router Network monitoring method characterized by determining that a failure has occurred is provided in the communication between.

According to such a network monitoring program, the same processing as that of the computer executing the network monitoring program according to the first aspect is performed.
Furthermore, in the third aspect of the present invention, in order to solve the above-mentioned problem, in a network monitoring apparatus for detecting a fault occurrence location on a network, between the internal network and the external network to which the network monitoring apparatus is connected. The address storage means for storing the physical address of the router that relays the transmitted / received data in the communication, the communication status monitoring means for monitoring the communication status between other devices, and the communication contents detected by the communication status monitoring means An anomaly detection means for detecting an anomaly and an address storage means, and the physical address of the communication counterpart device in which the anomaly is detected by the anomaly detection means matches the physical address of the router stored in the address storage means Otherwise, a failure occurs in communication with devices connected to the internal network other than the router. Network monitoring apparatus is provided, characterized in that it comprises a fault location determining means for determining a.

  According to such a network monitoring apparatus, processing similar to that of a computer that executes the network monitoring program according to the first aspect is performed.

  According to the present invention, the address storage unit stores the physical address of the router between the internal network to which the device monitoring the network is connected and the external network, and also monitors the communication status with other devices. When a communication abnormality is detected from the communication content detected by the monitoring, the physical address of the communication partner device in which the abnormality is detected is referred to the address storage means, and the physical address of the router stored in the address storage means If it does not match, it is determined that a failure has occurred in communication with a device connected to the internal network other than the router. Therefore, when a failure occurs in communication with a device connected to an internal network other than the router, even when there are few communication partner devices, the location of the failure can be automatically and reliably determined. Automatic failure avoidance and early recovery are possible.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
First, the outline of the invention applied to the embodiment will be described with reference to FIG. 1, and then the specific contents of the embodiment will be described.

FIG. 1 is a diagram for explaining an overview of a network monitoring function according to the present invention.
In FIG. 1, as an example, an own device 1 in which the network monitoring function according to the present invention is implemented, and two other devices 2 and 3 that are communication partners of the own device 1 are shown. The own device 1 and the partner device 2 are both connected to the network 21. The network 21 is connected to another network 22 via the router 30, and the counterpart apparatus 3 is connected to the network 22.

  A network address (for example, an IP address) and a physical address (for example, a MAC (Media Access Control address) address) are assigned to the own device 1 and the counterpart devices 2 and 3, respectively. The router 30 relays the packet between the networks 21 and 22, and converts the network address on the transmission side network added to the header of the packet into the network address on the reception side network at the time of the relay. As such a relay device, a gateway or the like may be applied instead of the router 30.

  The own apparatus 1 includes an application 11, a communication unit 12, a communication interface 13, an address storage unit 14, a physical address acquisition unit 15, a communication status monitoring unit 16, an abnormality detection unit 17, a failure location determination unit 18, and a failure information output unit 19. I have.

  The application 11 is a processing function that operates in the device 1. For example, a server function such as a Web server function can be implemented as the application 11. The communication unit 12 controls data communication between the application 11 and the communication partner apparatus. The communication interface 13 performs communication via the connected transmission path.

  The address storage means 14 stores a network address in the network 21 of the counterpart device that communicated with the device 1 and a physical address of the device in association with each other. Therefore, the address storage unit 14 also stores the physical address of the router 30.

  Information stored in the address storage unit 14 is acquired by the physical address acquisition unit 15. The physical address acquisition unit 15 acquires a physical address from the communication partner device via the network 21 based on the network address of the communication partner device, for example. As a procedure for acquiring such a physical address, for example, a procedure defined by a protocol called ARP (Address Resolution Protocol) in TCP (Transmission Control Protocol) / IP can be used. An ARP table associated with the MAC address is stored.

  The communication status monitoring unit 16 monitors the communication status with other devices via the communication interface 13. For example, the communication status monitoring unit 16 acquires a packet passed between the communication unit 12 and the communication interface 13 and analyzes the content. The communication status can be monitored for each connection, for example. The communication status is monitored not only for abnormal communication but also for normal communication. For example, normal communication performed at the same time as abnormal communication is monitored, and the history is recorded. Such a normal communication history can also be effectively used to identify the cause of the failure.

  The abnormality detection unit 17 detects a communication abnormality from the communication content detected by the communication status monitoring unit 16. For example, an event indicating an abnormality such as a response delay, packet retransmission, or duplicate packet reception is detected. A normal event that occurs at the same time as the event may be detected at the same time as the event indicating the abnormality.

  The failure location determination unit 18 determines a location where a communication failure has occurred when a communication abnormality is detected by the abnormality detection unit 17. The failure location determination means 18 first determines the location where a failure has occurred based on the comparison result between the physical address of the communication counterpart device in which an abnormality has been detected and the physical address of the router 30 stored in the address storage means 14. .

  Here, the failure location determination means 18 can acquire, for example, the physical address of the counterpart device in which an abnormality has been detected from the information of the communication content detected by the communication status monitoring means 16. For example, the communication status monitoring unit 16 stores the communication content detection result together with address information such as the physical address of the communication counterpart device, and the failure location determination unit 18 uses the physical address from the storage information of the communication status monitoring unit 16. To get.

  When the physical address is acquired, the failure location determination unit 18 refers to the address storage unit 14 to extract the physical address of the router 30 and obtains the physical address of the router 30 and the physical address of the communication partner device in which the abnormality is detected. Compare. From this comparison, when the physical addresses do not match, it can be seen that a failure has not occurred in communication with the device (for example, the counterpart device 3) on the external network 22 via the router 30, The determination unit 18 determines that a failure has occurred in communication with devices on the network 21 excluding the router 30. In the example of FIG. 1, it can be determined that a failure has occurred in communication with the counterpart device 2.

  On the other hand, when the physical addresses match by the above comparison, the failure location determination means 18 further executes a process for confirming the connection with the router 30 with the matched physical address via the communication interface 13. For example, a command for requesting some response to the router 30 such as a ping (Packet Internet Groper) command is issued, and the presence or absence of connection is confirmed from the response status.

  When the connection with the router 30 is confirmed, it can be seen that the communication from the own device 1 to the router 30 is normal, so the failure location determination means 18 is connected to the external network 22 (for example, the partner device 3 or It is determined that a communication failure has occurred in the transmission path between the partner apparatus 3 and the router 30. If the connection with the router 30 is not confirmed, the failure location determination means 18 determines that a failure has occurred in the communication in the network 21 with the router 30.

  According to such a failure location determination procedure, by using the physical address, it is possible to identify whether or not the communication partner device in which an abnormality has been detected is the router 30, so that at least the communication partner device is connected to the network 21. When connected, it is possible to reliably detect a communication failure with the device. Further, even when an abnormality occurs in communication via the router 30, it is possible to surely determine whether the failure occurs in the network 21 or 22 by checking the connection with the router 30 as described above. Such a failure location can be reliably determined even when the number of connections monitored by the communication status monitoring unit 16 is small (for example, when there is only one communication partner device).

  The failure information output means 19 outputs failure information 19a indicating the failure location determination result by the failure location determination means 18. By referring to the failure information 19a, the location where the failure has occurred can be accurately identified, so that the failure can be automatically avoided or recovered early.

Next, a system to which the network monitoring function according to the present invention is applied will be described more specifically.
FIG. 2 is a diagram showing a configuration example of the network system according to the embodiment of the present invention.

  In FIG. 2, as an example, a system in which servers 100, 201, 202 and clients 301 to 304 are connected to each other via switches 401 to 403 and a router 500 is shown. The servers 100, 201 and 202 are each connected to the router 500 via the switch 401, and one segment is constituted by these devices. The clients 301 and 302 are connected to the router 500 via the switch 402, and the clients 303 and 304 are connected to the router 500 via the switch 403, and one segment is constituted by these devices.

  The switches 401 to 403 determine the packet transmission destination in the network layer of the OSI (Open Systems Interconnection) reference model and transfer the packet. The router 500 relays packets transmitted and received between segments, and at the time of relaying, converts the IP address on the transmission side segment added to the header of the packet into the IP address on the reception side segment.

  In this network system, the network monitoring function is implemented in the server 100. A similar network monitoring function can be implemented in other servers and clients.

FIG. 3 is a diagram illustrating a hardware configuration example of a server equipped with a network monitoring function.
The server 100 is entirely controlled by a CPU (Central Processing Unit) 101. A random access memory (RAM) 102, a hard disk drive (HDD) 103, a graphic processing device 104, an input interface 105, and a communication interface 106 are connected to the CPU 101 via a bus 107.

  The RAM 102 temporarily stores at least part of an OS (Operating System) program and application programs to be executed by the CPU 101. The RAM 102 stores various data necessary for processing by the CPU 101. The HDD 103 stores an OS and application programs.

  A monitor 104 a is connected to the graphic processing device 104. The graphic processing device 104 displays an image on the screen of the monitor 104a in accordance with a command from the CPU 101. Keyboards 105 a and 105 b are connected to the input interface 105. The input interface 105 transmits a signal sent from the keyboard 105 a or the mouse 105 b to the CPU 101 via the bus 107.

  The communication interface 106 is connected to the switch 401 via a network cable, and transmits / receives data to / from another computer via the switch 401.

  With the hardware configuration as described above, the processing functions of the present embodiment can be realized. Although FIG. 3 shows the hardware configuration of the server 100, other servers and clients can be realized with the same hardware configuration.

Next, the network monitoring function implemented in the server 100 will be specifically described. First, the configuration of software that realizes this network monitoring function will be described.
FIG. 4 is a diagram illustrating a software configuration example of a server in which the network monitoring function is implemented.

  The network monitoring function is divided into a function that operates in the kernel part of the OS and a function that operates in a user part higher than the kernel. In FIG. 4, the network monitoring unit 100a controls the former function, and the network monitoring unit 100b controls the latter function.

  The network monitoring unit 100a arranged in the kernel is provided in a driver portion between the communication interface 106 and the IP / ARP 100c. That is, a packet passed between the communication interface 106 and the IP / ARP 100c always passes through the network monitoring unit 100a. Further, the network monitoring unit 100a monitors information at a layer 3 level (network layer) such as the IP / ARP 100c, and also monitors communication using a protocol at a layer 4 level (transport layer) such as the TCP 100d.

  The network monitoring unit 100b arranged in the user part (part other than the kernel) is a daemon (background service) that performs a failure information collection function. Specifically, the network monitoring unit 100b receives an abnormality detection notification from the network monitoring unit 100a arranged in the kernel and accumulates it in the failure information 110. The failure information 110 is stored in a storage area in the HDD 103, for example. Further, when the abnormality detection notification is received, the abnormality detection notification can be accumulated in the failure information 110 and also notified to, for example, a management server provided outside.

Incidentally, the ARP table 100e and the routing table 100f are connected to the IP / ARP 100c.
FIG. 5 is a diagram illustrating an example of information stored in the ARP table.

  In the ARP table 100e, the IP address and MAC address of the other party that communicated in the same segment are stored in association with each other. The IP / ARP 100c broadcasts the ARP packet in which the IP address of the communication partner device is set to the network (same segment) through the communication interface 106 according to the ARP protocol, and acquires the MAC address of the communication partner device from the response packet. And stored in the ARP table 100e. As a result, the MAC address corresponding to the destination IP address can be extracted and stored in the packet header by referring to the ARP table 100e when transmitting the packet.

FIG. 6 is a diagram illustrating an example of information stored in the routing table.
The routing table 100f stores an IP address indicating a packet transmission route. The IP / ARP 100c can determine the transmission path of the packet corresponding to the destination IP address designated by the upper layer by referring to the routing table 100f when transmitting the packet. The routing table 100f is created by the IP / ARP 100c according to a procedure according to a predetermined routing protocol. In the routing table 100f, the IP address of the router 500 is set as “Default Gateway”.

FIG. 7 is a block diagram illustrating functions of the network monitoring unit.
The network monitoring units 100a and 100b have functions as shown in FIG. 7 in order to monitor the communication state. The network monitoring unit 100a on the kernel side includes a packet analysis unit 120 and a connection monitoring unit 130.

The packet analysis unit 120 analyzes the content of the communication packet. The analysis result is passed to the connection monitoring unit 130.
The connection monitoring unit 130 monitors the connection state based on the analysis result passed from the packet analysis unit 120 and detects a connection abnormality or the like. For connection monitoring, connection tables 140, 140a, 140b,... For each connection are used. In the connection tables 140, 140a, 140b,..., The current connection status and the occurrence status of errors are recorded.

  For example, the connection table 140 includes a connection management table 141, a transmission monitoring table 142, and a reception monitoring table 143. In the connection management table 141, information indicating a connection partner device of a connection, an occurrence state of an abnormality in the connection, and the like are registered. In the transmission monitoring table 142, information for monitoring whether there is an abnormality in a packet transmitted from the server 100 is sequentially registered. In the reception monitoring table 143, information for monitoring whether there is an abnormality in the packet received by the server 100 is sequentially registered.

  The connection monitoring unit 130 monitors layer 2 (data link layer) to layer 4 (transport layer) level information from the information from the packet analysis unit 120. Specifically, for example, its own communication interface, IP address, port number, counterpart communication interface, IP address, port number, MAC address, etc. are monitored. And the information of the presence or absence (establishment state) of a connection is acquired. Further, the presence / absence of a retransmission packet based on the layer 4 protocol (TCP), the presence / absence of a duplicate received packet, the presence / absence of data loss, the response time of Ack (acknowledgment response), and the reset signal are monitored and statistically processed.

  The network monitoring unit 100b arranged in the user part includes a failure determination unit 150. The failure determination unit 150 refers to the connection tables 140, 140a, 140b,... And detects an abnormality such as an error. The failure determination unit 150 refers to the ARP table 100e and the routing table 100f, issues a function for determining whether or not the communication partner device is the router 500, and issues a ping command to the communication partner device. It has a function to confirm the presence or absence of connection with equipment. Then, using these functions, the location where a communication failure has occurred is determined, and the determination result is set in the failure information 110 and output.

  The failure determination unit 150 detects an occurrence of an abnormality at the layer 4 level based on information stored in the connection tables 140, 140a, 140b,. Along with this, it is also possible to detect a sign of a stage before it is generally recognized as a failure. For example, since the network is autonomously controlled, even if a problem (retransmission or the like) occurs at the TCP level, it is automatically recovered and no failure is detected. However, as a sign of the occurrence of a failure, a problem (such as retransmission) often occurs at the TCP level. Conventionally, failure detection based on a problem (retransmission or the like) has not been performed at the TCP level, and thus an administrator usually cannot recognize that there is an abnormality in the system until a serious problem occurs.

  Therefore, the connection monitoring unit 130 according to the present embodiment monitors information that cannot be normally confirmed, such as automatic recovery (retransmission or the like) at the TCP level. Then, the failure determination unit 150 performs a trouble sign estimation based on the monitored information.

FIG. 8 is a diagram illustrating a trouble sign estimation example. Here, as an example, consider a case where a packet transmitted from the server 100 to the server 201 is retransmitted without reaching at once.
Normally, even if retransmission from the server 100 to the server 201 occurs, it is considered that no abnormality has occurred. However, retransmission of a packet from the server 100 to the server 201 means that the packet has been lost on the transmission path or the server. If this frequency becomes high, it will develop into a serious trouble. For example, if retransmitted packets are frequently sent from the server 100 to the server 201, it may be considered that the server 201 is starting to have insufficient capabilities such as a CPU. If such a sign of trouble is detected and notified to the administrator as failure information, it is possible to cope with it before a serious trouble occurs.

In the following, a processing procedure for detecting a failure and its precursor and determining the failure location will be described.
FIG. 9 is a flowchart showing a network monitoring process procedure. In the following, the process illustrated in FIG. 9 will be described in order of step number. The following processing is executed every time communication is performed with another device.

  [Step S11] The packet analysis unit 120 captures a connection. That is, a packet transmitted through the connection is acquired from the establishment of a connection with another device.

[Step S12] The packet analysis unit 120 extracts the TCP, IP, and data link layer header of the captured packet.
[Step S13] The packet analysis unit 120 analyzes the extracted header information. Details of this processing will be described later.

  [Step S14] The connection monitoring unit 130 determines whether the event is the first event. If the connection table being updated corresponding to the connection is not provided, it can be determined that this is the first event. In the case of the first event, the process proceeds to step S15. Otherwise, the process proceeds to step S16.

  [Step S15] The connection monitoring unit 130 sets the state of the corresponding connection table so that the failure information detected based on the contents of the connection table is merged (additionally integrated) into the failure information 110 after a predetermined time.

  [Step S16] The failure determination unit 150 detects a failure based on the connection table 140 and determines the location where the failure has occurred. Then, the failure information 110 is updated (merged) based on the determination result. Details of this processing will be described later.

Next, header information analysis processing will be described in detail.
FIG. 10 is a flowchart showing a procedure of header information analysis processing. In the following, the process illustrated in FIG. 10 will be described in order of step number.

  [Step S21] The connection monitoring unit 130 determines whether a connection table corresponding to the acquired packet exists. If the connection table exists, the process proceeds to step S23. If the connection table does not exist, the process proceeds to step S22.

  [Step S22] The connection monitoring unit 130 generates a connection table associated with a combination of an IP address and a port number. The generated connection table is stored in a storage area in the RAM 102, for example.

  [Step S23] The connection monitoring unit 130 detects retransmission, duplicate reception, delay, and packet lost based on the response (Ack) number, sequence number, and data length. The detected result is registered in the connection table. Thereafter, the process returns to the process shown in FIG. 9, and the process proceeds to step S14.

Next, an example of creating a connection table based on a packet transmitted / received by a specific connection will be specifically described.
FIG. 11 is a diagram illustrating an example of communication over a connection.

  FIG. 11 shows an example in which a connection established with the server 201 is monitored by a network monitoring function implemented in the server 100. In FIG. 11, as an example, the server 100 is a Web server and the server 201 is an application (AP) server. The IP address of the server 100 is “192.168.10.10”, and the port number of the application that provides the function as the Web server is “80”. The IP address of the server 201 is “192.168.10.20”, and the port number of the application that provides the processing function is “10000”.

  Here, attention is focused on the packets 40 to 45 passed between the server 100 and the server 201. Here, the contents of the packets 40 to 45 will be described with reference to FIG. It is assumed that the packet 44 has not been transmitted correctly due to some kind of failure.

FIG. 12 is a diagram showing the contents of the packet on the Web server side.
In FIG. 12, the communication state (normal or abnormal) recognized by the server 100 for the packets 40 to 45, the packet transmission / reception time (time from the start of monitoring), SRC-IP (transmission source IP) Address), SRC-Port (source port number), DST-IP (destination IP address), DST-Port (destination port number), Sequence no (sequence number), Ack no (response number), Data Len (Data length) is shown.

  The packet 40 is in a normal state, time is 0.5 seconds, SRC-IP is “192.168.10.20”, SRC-Port is “10000”, DST-IP is “192.168.10.10”, and DST-Port is “80”. , Sequence no is “1900”, Ack no is “1000”, and Data Len is 100 bytes.

  The packet 41 is in a normal state, time is 1.0 second, SRC-IP is “192.168.10.10”, SRC-Port is “80”, DST-IP is “192.168.10.20”, and DST-Port is “10000”. , Sequence no is “1000”, Ack no is “2000”, and Data Len is 10 bytes.

  The packet 42 is in the normal state, the time is 2.5 seconds, the SRC-IP is “192.168.10.20”, the SRC-Port is “10000”, the DST-IP is “192.168.10.10”, and the DST-Port is “80”. , Sequence no is “2000”, Ack no is “1010”, and Data Len is 0 byte.

  The packet 43 is in a normal state, time is 3.0 seconds, SRC-IP is “192.168.10.10”, SRC-Port is “80”, DST-IP is “192.168.10.20”, and DST-Port is “10000”. , Sequence no is “1010”, Ack no is “2000”, and Data Len is 20 bytes.

  The packet 44 is a packet that could not reach the server 100 for some reason. Therefore, in FIG. 12, the status and time fields are blank. The contents of the packet 44 are “192.168.10.20” for SRC-IP, “10000” for SRC-Port, “192.168.10.10” for DST-IP, “80” for DST-Port, “2000” for Sequence no, Ack no Is “1030” and Data Len is 100 bytes, but this packet 44 does not reach the server 100. Therefore, on the server 100 side, the packet 45 having the same content as the packet 43 is retransmitted by the function of the TCP protocol.

  The packet 45 has an abnormal state, a time of 6.0 seconds, SRC-IP “192.168.10.10”, SRC-Port “80”, DST-IP “192.168.10.20”, and DST-Port “10000”. , Sequence no is “1010”, Ack no is “2000”, and Data Len is 20 bytes.

  The packet analysis unit 120 of the server 100 analyzes header information of the packets 41 to 43 and 45 that are actually input / output, and passes the information (information shown in FIG. 12) to the connection monitoring unit 130. The connection monitoring unit 130 creates the connection table 140 based on the received information. As shown in FIG. 7, the connection table 140 includes a connection management table 141, a transmission monitoring table 142, and a reception monitoring table 143. Examples of the data structure of these tables are shown below.

FIG. 13 is a diagram illustrating an example of the data structure of the connection management table.
The connection management table 141 includes an interface name, a local IP, a local Port, a partner IP, a partner Port, a partner MAC, a retransmission counter, a duplicate reception counter, a packet lost counter, a response delay counter, a packet size counter, a packet A number counter, a counterpart response time criterion, and a local response time criterion are registered.

  The interface name is identification information of a communication interface that has established a connection. In the example of FIG. 13, the interface name is “hme0”. The local IP is its own IP address. In the example of FIG. 13, the IP address is “192.168.10.10”. The local port is the port number of the application that uses the connection. In the example of FIG. 13, the port number is “80”.

  The partner IP is the IP address of the communication partner device. In the example of FIG. 13, the IP address of the other party is “192.168.10.20”. The partner port is the port number of the partner application that communicates using the connection. In the example of FIG. 13, the port number of the partner application is “10000”. The partner MAC is the MAC address of the communication partner device. In the example of FIG. 13, the other party's MAC address is “00: 80: 91: a2: b3: c4”.

  The retransmission counter is the number of times the packet has been retransmitted. In the example of FIG. 13, the packet is retransmitted once. The duplicate reception counter is the number of times the same packet has been received twice. In the example of FIG. 13, duplicate reception of packets has not occurred. The packet lost counter is the number of times a packet is lost. In the example of FIG. 13, no packet loss has occurred.

  The response delay counter is the number of times that the time from when the packet is received by the own device until the response is returned to the communication partner exceeds the reference value. A response delay occurs when the processing load of the own apparatus is excessive. Therefore, by counting the number of response delay occurrences, it is possible to detect the occurrence of a failure due to an increase in the processing load of the own apparatus. In the example of FIG. 13, no response delay occurs.

  The packet size counter indicates the total received packet size. In the example of FIG. 13, the value of the packet size counter is “0”. The packet number counter is a counter indicating the total number of packets transmitted and received. In the example of FIG. 13, the value of the packet number counter is “0”.

  The counterpart response time reference is a response waiting time from the counterpart. If there is no response after waiting for this time, it is determined as a response delay, and the response delay counter is counted up. In the example of FIG. 13, the counterpart response time reference is “1.5 seconds”. The self-side response time reference is an allowable time when the self returns a response to the other party. If a response cannot be returned within this time, a response delay is detected. In the example of FIG. 13, the local response time reference is “0.5 seconds”.

FIG. 14 is a diagram illustrating an exemplary data structure of the transmission monitoring table.
The transmission monitoring table 142 has columns for sequence number prediction, time, and counterparty response time.

  In the sequence number prediction column, a predicted value of the sequence number of the next packet to be transmitted to the partner apparatus is set. A value obtained by adding the data length to the sequence number of the previously transmitted packet is the predicted value of the sequence number. If the sequence number of the next transmitted packet is smaller than the predicted sequence number value, it is known that the packet has been retransmitted.

  The time is the time when the packet is transmitted on the own side (elapsed time since the start of connection monitoring). The partner side response time is the elapsed time from the time when the packet is transmitted to the time when the response from the communication partner for the packet is received.

FIG. 15 is a diagram illustrating an example of the data structure of the reception monitoring table.
The reception monitoring table 143 has columns for sequence number prediction, time, and own side response time.

  In the sequence number prediction column, the predicted value of the sequence number of the next packet received from the partner apparatus is set. A value obtained by adding the data length to the sequence number of the packet received last time is the predicted value of the sequence number. Next, if the sequence number of the received packet is smaller than the predicted sequence number value, it is understood that the packet is duplicated.

  The time is the time when a packet is received from the other side (the elapsed time since the start of connection monitoring). The own side response time is an elapsed time from the time when the packet is received until the own device responds to the packet.

Next, state transition between the transmission monitoring table 142 and the reception monitoring table 143 when the communication shown in FIG. 11 (the contents of the packet are shown in FIG. 12) is performed will be described.
FIG. 16 is a first diagram illustrating state transition between the transmission monitoring table and the reception monitoring table.

  State ST1 is a state immediately after reception of packet 40 shown in FIG. 11 (time 0.5). When the server 100 receives the packet 40, the connection monitoring unit 130 predicts the sequence number on the receiving side and adds a record to the reception monitoring table 143.

  In the example of FIG. 16, “2000” (a value obtained by adding the data length “100” to the sequence number “1900” of the packet 40) is set in the sequence number prediction column, and “0.5” is set in the time column. Has been.

  State ST2 is a state immediately after transmission of packet 41 shown in FIG. 11 (time 1.0). When the server 100 transmits the packet 41, the connection monitoring unit 130 predicts the transmission-side sequence number and adds a record to the transmission monitoring table 142. At the same time, the connection monitoring unit 130 sets a value in the own response time field of the reception monitoring table 143.

  In the example of FIG. 16, “1010” (a value obtained by adding the data length “10” to the sequence number “1000” of the packet 41) is set in the sequence number prediction column of the transmission monitoring table 142, and “1” is set in the time column. .0 "is set. Also, “0.5” (the value obtained by subtracting the time “0.5” of the reception monitoring table 143 from the time “1.0” of the transmission monitoring table 142) is entered in the own response time column of the reception monitoring table 143. Is set.

  State ST3 is a state immediately after reception of packet 42 shown in FIG. 11 (time 2.5). When the server 100 receives the packet 42, the connection monitoring unit 130 predicts the receiving sequence number and updates the reception monitoring table 143. At the same time, the connection monitoring unit 130 sets a value in the other party response time column of the transmission monitoring table 142.

  In the example of FIG. 16, “2000” (a value obtained by adding the data length “0” to the sequence number “2000” of the packet 42) is set in the sequence number prediction column of the reception monitoring table 143, and “2” is set in the time column. .5 "is set. Further, “1.5” (a value obtained by subtracting the time “1.0” of the transmission monitoring table from the time “2.5” of the reception monitoring table 143) is set in the column of the other party response time of the transmission monitoring table 142. ing.

Since the sequence number of the packet 42 matches the sequence number predicted in advance, it is determined that no abnormality has occurred.
FIG. 17 is a second diagram illustrating state transition between the transmission monitoring table and the reception monitoring table.

  State ST4 is a state immediately after transmission of packet 43 shown in FIG. 11 (time 3.0). When the server 100 transmits the packet 43, the connection monitoring unit 130 predicts the transmission-side sequence number and updates the transmission monitoring table 142. At the same time, the connection monitoring unit 130 sets a value in the own response time field of the reception monitoring table 143.

  In the example of FIG. 17, “1030” (a value obtained by adding the data length “20” to the sequence number “1010” of the packet 43) is set in the sequence number prediction column as a new record in the transmission monitoring table 142. "3.0" is set in the column of. In addition, in the own response time column of the reception monitoring table 143, “0.5” (from the time “3.0” newly set in the transmission monitoring table 142 to the time “2.5” of the reception monitoring table 143). Subtracted value) is set.

Note that the sequence number of the packet 43 matches the sequence number predicted in advance, so it is determined that no abnormality has occurred.
State ST5 is a state immediately after transmission of packet 45 shown in FIG. 11 (time 6.0). When the server 100 transmits the packet 45, the connection monitoring unit 130 predicts the transmission-side sequence number and updates the transmission monitoring table 142.

  In the example of FIG. 17, “1030” (a value obtained by adding the data length “20” to the sequence number “1010” of the packet 45) is set in the sequence number prediction column of the transmission monitoring table 142, and “6” is set in the time column. .0 "is set.

  Here, the connection monitoring unit 130 that has detected the transmission of the packet 45 detects that the sequence number “1010” of the packet 45 is smaller than the sequence number prediction “1030” already set in the transmission monitoring table 142. Accordingly, the connection monitoring unit 130 determines that the packet 45 is a retransmission packet. Then, the connection monitoring unit 130 increments the value of the retransmission counter in the connection management table 141.

  In this way, the connection table 140 is updated. Then, the failure determination unit 150 determines whether or not a failure has occurred in each connection based on the information in the connection table 140. When the failure determination unit 150 detects a failure, the failure determination unit 150 determines a location where the failure has occurred and updates the failure information.

  Here, for reference, a conventional failure location determination method disclosed in Patent Document 1 (published patent publication of Japanese Patent Publication No. 2005-167347) will be described. In this conventional method, when an abnormality is detected based on the connection table 140 created as described above, a failure occurrence location is determined by applying the following determination condition to the event indicating the detected abnormality. Was.

  Determination condition 1: When the response time of Ack on the own device side (that is, the server 100) is longer than the reference value, a response delay is detected as an abnormal event, and it is determined that there is some problem in the own device.

  Judgment condition 2: When there is an abnormality (retransmission packet, duplicate received packet, missing data, or response delay) in all connections to the communication interface of the own device, the connection abnormality is detected as an abnormal event, and the adjacent transmission line ( That is, it is determined that the transmission path between the server 100 and the router 500 has failed.

  Judgment condition 3: When an abnormality occurs in an unspecified IP address or port in some connections, a connection abnormality is detected as an abnormal event, and the router 500 is not in the adjacent transmission path (that is, viewed from the server 100). It is determined that an error has occurred in the outer transmission line).

  Judgment condition 4: When a failure has occurred in a specific partner IP address and port at the time of establishing a connection, a connection abnormality is detected as an abnormal event, and it is determined that a communication partner device has failed.

  Based on the above determination conditions, it is determined where the communication failure occurs on the own apparatus side, adjacent transmission path, non-adjacent transmission path, or communication counterpart device. However, in a system capable of communicating via a router or gateway as in the present embodiment, when the number of connection partner devices is small, that is, when the number of connections monitored by the connection monitoring unit 130 is small, as described above When applying the judgment conditions, the location where the failure occurred could not be identified accurately.

  For example, in a situation where there is only one connection to be monitored, if an abnormal event that matches the determination condition 4 is detected, the communication partner device (for example, the server 201 or 202) in the same segment as the server 100 Both a case where a failure has occurred and a case where a failure has occurred in a network outside the router 500 (for example, in any of the clients 301 to 304) can be considered. That is, in the conventional failure location determination method, the hardware failure location is determined only at the level of layers 3 and 4, and therefore, if there is a router or gateway, the failure location is on the inner side. I couldn't tell whether it was outside or outside.

  Therefore, in this embodiment, by using the MAC address, it is determined whether or not the communication partner device in the same segment is a router, so that the location where a failure has occurred can be accurately identified regardless of the number of connections to be monitored. It can be so. Since the MAC address of the router can be acquired from information (ARP table) already held by the server 201 itself in the TCP / IP communication procedure, the determination method according to the present embodiment can be used for communication. Accurate fault location determination can be performed without significantly changing the program structure or the necessary information storage area.

FIG. 18 is a flowchart showing a procedure of failure location determination processing applied in the present embodiment. Hereinafter, the process illustrated in FIG. 18 will be described in order of step number.
[Step S31] The failure determination unit 150 refers to the connection table 140, analyzes the connection information, and totals the events of all the connections that have occurred.

  [Step S32] The failure determination unit 150 detects whether or not a failure has occurred based on the result of counting events. If a failure has occurred, the process proceeds to step S33. If no failure has occurred, the process is terminated.

  [Step S33] The failure determination unit 150 refers to the routing table 100f and acquires the IP address of the router. This process can be executed, for example, by executing the netstat command or the route command to acquire the contents of the routing table 100f and extracting the IP address of the gateway described therein.

[Step S34] The failure determination unit 150 refers to the ARP table 100e and acquires a MAC address corresponding to the IP address of the router acquired in Step S33.
[Step S35] The failure determination unit 150 acquires the IP address of the communication counterpart device in the connection in which the failure is detected in Step S32 from the connection table 140, and acquires the MAC address corresponding to the IP address from the ARP table 100e.

  [Step S36] The failure determination unit 150 determines whether or not the MAC address of the communication partner device acquired in step S35 matches the MAC address of any router acquired in step S34. If there is a matching router, the process proceeds to step S38. If there is no matching router, the process proceeds to step S37.

  [Step S37] In this step, it is understood that a failure has not occurred in communication with a device on the network outside the router as viewed from the server 100. Therefore, the failure determination unit 150 determines that a failure has occurred in a device other than the router connected to the network belonging to the same segment inside the router or a transmission path on the network. In the configuration of FIG. 2, for example, any of the servers 100, 201, 202, the switch 401, or a transmission path connected to these is determined as a failure occurrence location. Thereafter, the process proceeds to step S42.

[Step S38] The failure determination unit 150 issues a ping command to the router whose MAC address matches in step S36.
[Step S39] The failure determination unit 150 determines whether or not the response operation to the ping command has ended normally. Specifically, when the response from the router is within a predetermined time, it is determined that the process is normally completed. If the process has ended normally, the process proceeds to Step S40. If not completed normally, the process proceeds to step S41.

  [Step S40] In this step, it can be seen that a failure has occurred in communication with a device on the network outside the router as viewed from the server 100, and that the router is operating normally. For this reason, the failure determination unit 150 determines that a failure has occurred in a device connected to a network belonging to a segment outside the router as viewed from the server whose MAC address matches in step S36 or the transmission path of the segment. . In the configuration of FIG. 2, for example, any of the clients 301 to 304, the switches 402 and 403, the router 500, or a transmission path between these devices is determined as a failure occurrence location. Thereafter, the process proceeds to step S42.

  [Step S41] In this step, a failure has occurred in communication with a device on the network outside the router as viewed from the server 100, and the connection with the router cannot be confirmed. Therefore, the failure determination unit 150 determines that a failure has occurred in the communication between the router and the server 100 whose MAC addresses match in step S36. In the configuration of FIG. 2, for example, the transmission path between the server 100 or the switch 401 or between the server 100 and the router 500 is determined as a failure occurrence location. Thereafter, the process proceeds to step S42.

[Step S42] The failure determination unit 150 registers the failure estimation result in the failure information.
According to the above processing procedure, it is monitored whether the failure location is a device other than the router in the same segment, a device on the path between the server 100 and the router, or a network outside the router. Regardless of the number of target connections, it can always be determined reliably. In addition, the network administrator refers to the failure information 110 in which the determination result is registered, so that the network administrator can perform a quick and accurate operation for avoiding a communication failure in advance or for quick recovery. Will be able to run without relying on the experience of In addition, it is possible to automatically avoid a communication failure based on the failure information 110.

  Note that, by using the above-described conventional determination conditions 1 to 4 together with the determination procedure shown in FIG. For example, in the state of step S37 or S41, it is possible to determine whether or not the failure occurrence location is the server 100 itself by applying the determination condition 1.

Next, an example in which the failure location determination method used in the above embodiment is applied to a larger-scale network system will be described.
FIG. 19 is a configuration example of a network system according to another embodiment of the present invention.

  FIG. 19 shows an example of a network in which various functions and communication paths are duplicated. In this example, routers 621 and 622 are connected to the Internet 610. Firewalls 631 and 632 are connected to the routers 621 and 622. Web servers 701 and 702 are connected to the firewalls 631 and 632 via switches 641 and 642, respectively. Application (AP) servers 711 and 712 are connected to the Web servers 701 and 702 via switches (SW) 643 and 644. Database servers (DB) servers 721 and 722 are connected to the AP servers 711 and 712 via switches (SW) 645 and 646.

  A management server 730 is connected to the switches 641, 643, 645. In this network system, it is assumed that a conventional network monitoring function using the determination conditions 1 to 4 described above is implemented in each of the Web servers 701 and 702, the AP servers 711 and 712, and the DB servers 721 and 722. . The failure information detected by each network monitoring function is collected by the management server 730, and the failure location can be identified by analyzing the collected failure information in the management server 730.

  For example, consider a case where a failure occurs in the switch 643. In this case, the Web server 701 can detect an abnormality in the communication path via the switch 643. Similarly, the AP server 711 can detect an abnormality in the communication path via the switch 643. Further, the DB server 721 can detect an abnormality in a non-adjacent communication path via the switches 645 and 646. Fault information indicating an abnormality detected in each server is notified to the management server 730.

  The management server 730 identifies the failure location based on the failure information notified from each server. Specifically, it can be determined that there is a failure in the overlapping elements among the failure occurrence elements indicated by the failure information collected from each server. In this example, it is determined that a failure has occurred in the switch 643. Thus, by implementing the conventional network monitoring function in each server, it is possible to perform accurate failure analysis quickly and accurately.

  However, in a system including such a management server 730, even when the conventional network monitoring function is implemented, if a failure occurs in communication between the Web server 701 and the Internet 610, the number of connections to be monitored is reduced. When there were few, it was not possible to pinpoint the fault. For example, it may not be possible to determine whether the failure location is on the firewall 631 632 or on the Internet 610 outside the routers 621 622.

  Therefore, a network monitoring function to which the present invention is applied is installed in the Web server 701. When the Web server 701 detects an abnormality during communication through the switch 641 or 642 according to the procedure shown in FIG. 18, the Web server 701 refers to the ARP table held by itself and acquires the MAC addresses of the routers 621 and 622. Compare with the MAC address of the communication partner device in the connection where the abnormality is detected. Based on the comparison result with those MAC addresses and the presence / absence of connection to the router 621 or 622, the location of the failure is the network between the Web server 701 and the router 621 or 622, or the router 621 or 622. It is determined whether the Internet 610 is outside. By transmitting the determination result to the management server 730, the management server 730 can more accurately identify the location where the failure has occurred on the network.

  Note that the above processing functions can be realized on a computer by executing on the computer a program that describes the processing contents of the functions that the network monitoring unit and the management server should have. The program describing the processing contents can be recorded on a computer-readable recording medium. Examples of the computer-readable recording medium include a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory. Examples of the magnetic recording device include a hard disk device (HDD), a flexible disk (FD), and a magnetic tape. Examples of the optical disc include a DVD (Digital Versatile Disc), a DVD-RAM (Random Access Memory), a CD-ROM (Compact Disc Read Only Memory), and a CD-R (Recordable) / RW (ReWritable). Magneto-optical recording media include MO (Magneto-Optical disk).

  When distributing the program, for example, portable recording media such as a DVD and a CD-ROM in which the program is recorded are sold. It is also possible to store the program in a storage device of a server computer and transfer the program from the server computer to another computer via a network.

  The computer that executes the program stores, for example, the program recorded on the portable recording medium or the program transferred from the server computer in its own storage device. Then, the computer reads the program from its own storage device and executes processing according to the program. The computer can also read the program directly from the portable recording medium and execute processing according to the program. In addition, each time the program is transferred from the server computer, the computer can sequentially execute processing according to the received program.

(Supplementary note 1) In a network monitoring program for detecting a fault occurrence location on a network,
Computer
Address storage means for storing a physical address of a router that relays transmission / reception data between an internal network to which the computer is connected and an external network;
Communication status monitoring means for monitoring the communication status with other devices;
An anomaly detection means for detecting an anomaly in communication from the communication content detected by the communication status monitoring means;
When the physical address of the communication counterpart device in which the abnormality is detected by the abnormality detection unit does not match the physical address of the router stored in the address storage unit with reference to the address storage unit, the internal device other than the router Failure location determination means for determining that a failure has occurred in communication with a device connected to the network;
Network monitoring program characterized by functioning as

  (Additional remark 2) When the physical address of the communication counterpart device in which the abnormality is detected matches the physical address of the router stored in the address storage unit, the failure location determination unit confirms the connection with the router, When the connection is confirmed, it is determined that a communication failure has occurred in the external network connected to the router. When the connection is not confirmed, the communication with the router through the internal network is determined. The network monitoring program according to appendix 1, wherein it is determined that a failure has occurred in communication.

  (Additional remark 3) The said fault location determination means issues the command which requests | requires a response with respect to the said router, and confirms the connection confirmation with the said router, and determines whether there was a response with respect to the said command within predetermined time. The network monitoring program according to supplementary note 2, characterized by:

  (Additional remark 4) The said abnormality detection means detects communication abnormality from the content of the header of the transmission / reception packet corresponding to a transport layer among the communication contents detected by the said communication condition monitoring means. 1. The network monitoring program according to 1.

  (Additional remark 5) The said abnormality detection means is the presence or absence of a retransmission packet, the presence or absence of a duplicate received packet, the presence or absence of a lack of transmission data among the communication contents detected by the said communication condition monitoring means, and the own apparatus side or a partner apparatus The network monitoring program according to appendix 4, wherein a communication abnormality is detected from at least one of the presence or absence of a response delay on the side.

(Additional remark 6) The said communication condition monitoring means is the network address on the said internal network of the said communicating party apparatus, and the said information extracted from the header of the transmission / reception packet corresponding to a transport layer every time a new connection is established, and the said Store it as a connection management table together with the physical address of the communication partner device,
The network monitoring program according to appendix 4, wherein the abnormality detecting means detects a communication abnormality from the connection management table.

  (Additional remark 7) The said address memory | storage means memorize | stores the address table which matched the network address in the said internal network of the communicating party apparatus which communicated with the said computer, and the physical address of the said communicating party apparatus, It is characterized by the above-mentioned. The network monitoring program according to appendix 1.

  (Appendix 8) When the computer communicates through the internal network, an address request packet in which the network address of the communication partner device in the internal network is set is broadcast on the internal network, and the communication partner device is transmitted from the response packet. The network monitoring program according to claim 7, further comprising: an address acquisition unit that acquires the physical address of the address and stores the acquired physical address in the address table.

  (Supplementary Note 9) When an abnormality is detected by the abnormality detection unit, the failure location determination unit determines a network address in the internal network of the router from path information for the computer to communicate with another device through the internal network. The physical address corresponding to the network address is extracted from the address table, and the failure location is determined from the comparison result between the extracted physical address and the physical address of the communication counterpart device in which the abnormality is detected. The network monitoring program according to appendix 7, characterized by:

(Supplementary Note 10) In a network monitoring method for detecting a failure occurrence location on a network connected to an information processing device,
Address storage means stores a physical address of a router that relays transmission / reception data between an internal network to which the information processing apparatus is connected and an external network;
The communication status monitoring means monitors the communication status with other devices,
The abnormality detection means detects a communication abnormality from the communication content detected by the communication status monitoring means,
When the failure location determination means refers to the address storage means, and the physical address of the communication counterpart device whose abnormality is detected by the abnormality detection means does not match the physical address of the router stored in the address storage means, Determining that a failure has occurred in communication with a device connected to the internal network other than the router;
A network monitoring method characterized by the above.

(Additional remark 11) In the network monitoring apparatus for detecting the failure location on the network,
Address storage means for storing a physical address of a router that relays transmission / reception data between an internal network and an external network to which the network monitoring device is connected;
Communication status monitoring means for monitoring the communication status with other devices;
An anomaly detection means for detecting an anomaly in communication from the communication content detected by the communication status monitoring means;
When the physical address of the communication counterpart device in which the abnormality is detected by the abnormality detection unit does not match the physical address of the router stored in the address storage unit with reference to the address storage unit, the internal device other than the router A failure location determination means for determining that a failure has occurred in communication with a device connected to the network;
A network monitoring apparatus comprising:

It is a figure for demonstrating the outline | summary of the network monitoring function which concerns on this invention. It is a figure which shows the structural example of the network system which concerns on embodiment of this invention. It is a figure which shows the hardware structural example of the server by which the network monitoring function is mounted. It is a figure which shows the software structural example of the server by which the network monitoring function was mounted. It is a figure which shows the example of the information memorize | stored in the ARP table. It is a figure which shows the example of the information memorize | stored in the routing table. It is a block diagram which shows the function of a network monitoring part. It is a figure which shows the trouble sign estimation example. It is a flowchart which shows a network monitoring process procedure. It is a flowchart which shows the procedure of a header information analysis process. It is a figure which shows the example of communication on a connection. It is a figure which shows the content of the packet by the side of a Web server. It is a figure which shows the example of a data structure of a connection management table. It is a figure which shows the example of a data structure of a transmission monitoring table. It is a figure which shows the example of a data structure of a reception monitoring table. It is a 1st figure which shows the state transition of a transmission monitoring table and a reception monitoring table. It is a 2nd figure which shows the state transition of a transmission monitoring table and a reception monitoring table. It is a flowchart which shows the procedure of the fault location determination process applied in this Embodiment. It is a structural example of the network system which concerns on another embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Self-device 2, 3 Counterpart device 11 Application 12 Communication means 13 Communication interface 14 Address storage means 15 Physical address acquisition means 16 Communication status monitoring means 17 Abnormality detection means 18 Fault location judgment means 19 Fault information output means 19a Fault information 21, 22 Network 30 router

Claims (5)

In a network monitoring program for detecting fault locations on the network,
Computer
Address storage means for storing a physical address of a router that relays transmission / reception data between an internal network to which the computer is connected and an external network;
Communication status monitoring means for monitoring the communication status with other devices;
An anomaly detection means for detecting an anomaly in communication from the communication content detected by the communication status monitoring means;
When the physical address of the communication counterpart device in which the abnormality is detected by the abnormality detection unit does not match the physical address of the router stored in the address storage unit with reference to the address storage unit, the internal device other than the router Failure location determination means for determining that a failure has occurred in communication with a device connected to the network;
Network monitoring program characterized by functioning as   When the physical address of the communication partner device in which the abnormality is detected matches the physical address of the router stored in the address storage unit, the failure location determination unit confirms the connection with the router and the connection is confirmed. If a communication failure has occurred in the external network connected to the router and the connection has not been confirmed, a failure has occurred in communication with the router through the internal network. The network monitoring program according to claim 1, wherein the network monitoring program is determined to have occurred.   The abnormality detection unit detects a communication abnormality from the content of a header of a transmission / reception packet corresponding to a transport layer among communication contents detected by the communication status monitoring unit. Network monitoring program. In a network monitoring method for detecting a fault occurrence location on a network connected to an information processing device,
Address storage means stores a physical address of a router that relays transmission / reception data between an internal network to which the information processing apparatus is connected and an external network;
The communication status monitoring means monitors the communication status with other devices,
The abnormality detection means detects a communication abnormality from the communication content detected by the communication status monitoring means,
When the failure location determination means refers to the address storage means, and the physical address of the communication counterpart device whose abnormality is detected by the abnormality detection means does not match the physical address of the router stored in the address storage means, Determining that a failure has occurred in communication with a device connected to the internal network other than the router;
A network monitoring method characterized by the above. In a network monitoring device for detecting fault locations on the network,
Address storage means for storing a physical address of a router that relays transmission / reception data between an internal network and an external network to which the network monitoring device is connected;
Communication status monitoring means for monitoring the communication status with other devices;
An anomaly detection means for detecting an anomaly in communication from the communication content detected by the communication status monitoring means;
When the physical address of the communication counterpart device in which the abnormality is detected by the abnormality detection unit does not match the physical address of the router stored in the address storage unit with reference to the address storage unit, the internal device other than the router A failure location determination means for determining that a failure has occurred in communication with a device connected to the network;
A network monitoring apparatus comprising:

Images