JP2009207099A - Communication recording apparatus, communication data processing method and communication data processing program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To carry out application analysis, even if there is a packet that cannot be received, by receiving and assembling packets addressed to other hosts on a network. <P>SOLUTION: In a communication recording apparatus 1, a reception control unit 3 connects to a communication network over which application data are divided into a plurality of packets and communicated, and stores received packets in a memory. A TCP analysis unit 4 analyzes connection information of the packets received by the reception control unit 3, and a TCP order control unit 5 determines an order of packets received by the reception control unit 3. When some of the plurality of packets are stored in the memory by the reception control unit 3, an application analysis unit 6 then reads the partial packets from the memory and records part of application data contained in the read partial packets in a recording unit 9, which in turn is an auxiliary storage device, as part of communication history. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention, for example, receives a packet transmitted and received between an in-house network and the Internet, analyzes and records the received data, and stores the data exchanged on the network as evidence, and communication data The present invention relates to a processing method and a communication data processing program.

  There is a communication recording device (forensic server) that records packets transmitted and received on a network for use as evidence in the case of unauthorized access analysis and information leakage.

  The communication recording device is connected to a mirroring port of a switching hub connected to the internal network, and records packets transmitted and received between the internal network and the Internet.

In communication using TCP (Transmission Control Protocol), data is processed as a byte stream between a transmission application and a reception application.
When the communication recording device receives the TCP packet, it assembles the packet according to the sequence number of the received packet and then analyzes the application data. For example, when the data is an HTTP (Hyper Text Transfer Protocol) GET for Web access, the communication recording device is configured with a URL [Uniform Resource Locator] such as access destination information (www. ***. Co.jp). The response (image data, audio data) to this is restored and recorded.
JP 2006-295921 A JP 2006-340322 A JP 2003-163714 A JP 2000-244564 A JP 2001-251342 A JP 2003-163682 A Murayama Koho, Nishida Yoshifumi, Oie Yuji, “Iwanami Lecture Internet Volume 3 Transport Protocol”, Iwanami Shoten, April 6, 2001, P47

  However, the data recorded by the communication recording device is data transmitted / received between other hosts such as between the terminal and the proxy server or between the proxy server and the WWW server, and the destination of the packet in which the data is set is not the communication recording device. Further, since the TCP / IP (Internet Protocol) protocol stack of the OS does not target packets that are not addressed to itself, the communication recording device uses the OS TCP / IP protocol stack function to communicate between other hosts that are to be recorded. The data cannot be assembled.

  In addition, since the communication recording device has received a copy of the packet from the mirroring port, if the packet is discarded due to a communication error during transfer to the mirroring port, the data transmitted in the discarded packet Can not receive. Furthermore, transmission and reception of this packet between the internal network and the Internet is completed even if a communication error occurs during transfer to the mirroring port. For this reason, the packet is not retransmitted, and the communication recording apparatus does not receive the packet. In the communication recording device, the continuity of the sequence number is not maintained for the data after the sequence number of this packet, and the assembly of the application data including the data transmitted in this packet is not completed. Therefore, when a packet is discarded during transfer to the mirroring port, the communication recording apparatus cannot analyze application data including data transmitted in the discarded packet.

The present invention has been made to solve the above-described problems, for example, receives TCP / IP communication data between other hosts on a network, assembles packets addressed to other hosts, and The purpose is to be able to perform analysis.
In addition, for example, the present invention has an object to enable continuous application analysis to record a packet even when the packet is discarded due to a communication error while being transferred to a mirroring port.

  The communication recording device of the present invention is a communication recording device that records the history of communication between a plurality of other communication devices, and is connected to a communication network in which application data indicating specific data is divided into a plurality of packets and communicated Receiving a packet sent to the communication network out of the plurality of packets destined for at least one of the plurality of communication devices, and storing the received packet in a main storage device; When a part of the plurality of packets is stored in the main memory by the reception control unit, the part of the packets is read from the main memory, and the part of the read packets includes the packet A communication recording unit that records a part of application data in the auxiliary storage device as a part of the communication history of the communication network.

  According to the present invention, for example, even when a part of application data cannot be received, the received part can be recorded as a communication history of the communication network. Thereby, application data can be analyzed based on the recorded part.

Embodiment 1 FIG.
FIG. 1 is a diagram illustrating an example of a communication network system 100 according to the first embodiment.
In FIG. 1, a terminal 21 (an example of a communication terminal device) connected to an in-house network 22 (in-house LAN [LAN: local area network]) connects to the Internet 24 via an FW 25 (firewall device) and a proxy server 26. Data is acquired from the WWW server 23.
The FW 25 is provided to ensure the security of the in-house network 22 and restricts direct communication between the in-house network 22 and the Internet 24. The proxy server 26 acquires data from the WWW server 23 instead of the terminal 21 so that the terminal 21 of the in-house network 22 can acquire data from the WWW server 23 on the Internet 24, and transmits the acquired data to the terminal 21.

  The communication recording device 1 receives data transmitted / received between the proxy server 26 and the WWW server 23 via the SW 27 (switching hub device), and the received data is communicated between the in-house network 22 and the Internet 24. Data history (communication history 120, communication log). The terminal 21 is one of terminals connected to the internal network 22 and the WWW server 23 is one of terminals connected to the Internet 24. The communication recording apparatus 1 records a history of communication (via the proxy server 26) between a communication terminal of the in-house network 22 and a communication terminal connected to the Internet 24. By verifying the communication history 120 recorded by the communication recording device 1, it is possible to check whether there is an unauthorized access from the Internet 24 to the in-house network 22, information leakage from the in-house network 22 to the Internet 24, and the content thereof. In other words, the communication history 120 is used as forensic evidence to prove the presence or absence of unauthorized access, analysis of unauthorized access procedures, and the presence or absence of information loss.

  The SW 27 has a plurality of ports to which communication cables are connected. The communication cable connected to each port is connected to the FW 25, the proxy server 26, and the communication recording device 1. In particular, a port to which the communication recording apparatus 1 is connected is referred to as a “mirroring port”. The SW 27 relays (relays) data transmitted from the internal network 22 or transmitted to the internal network 22 between the ports, and transmits the data to the communication cable connected to the FW 25, the proxy server 26, and the communication recording apparatus 1 from each port. To do. In particular, the SW 27 relays all data relayed between the ports to the mirroring port to which the communication recording apparatus 1 is connected via the communication cable 29. This function of the SW 27 is called “port monitor function”. The communication recording apparatus 1 can receive all data relayed between the ports by the port monitor function of the SW 27.

FIG. 2 is a diagram showing the configuration of the IP packet 105.
TCP / IP communication is performed in the in-house network 22 and the Internet 24. In the TCP / IP communication, an IP packet 105 configured as shown in FIG. 2 is communicated.

  An IP packet 105 (also referred to as an IP datagram) has an IP header 101 in which control information is set, and encapsulates the TCP packet 104. The IP header 101 includes a “source IP address” for identifying a source terminal, a “destination IP address” for identifying a destination terminal, a “packet length” indicating the size of the IP packet 105, an IP header 101 “Header length” indicating the size is set. The size of the TCP packet 104 is a size obtained by subtracting the header length from the packet length.

  The TCP packet 104 (also referred to as a TCP segment) includes a TCP header 102 in which control information is set and TCP data 103 in which at least a part of application data is set. The TCP header 102 includes a “transmission source port number” that identifies a transmission source application program, a “transmission destination port number” that identifies a transmission destination application program, and an arrangement position of the TCP data 103 in the application data “ The “sequence number”, “acknowledgment number” indicating the arrangement position in the application data of the TCP data 103 transmitted next from the transmission destination (reception side), and the like are set.

Hereinafter, the IP packet 105 and the TCP packet 104 are collectively referred to as “packets”.
Further, the sequence number is written as “seq”, and the confirmation response number is written as “ack”.

FIG. 3 is a diagram illustrating a configuration of the GETm 107, and FIG. 4 is a diagram illustrating a configuration of the Resm 108.
The HTTP request message (denoted as GETm 107) shown in FIG. 3 and the HTTP response message (denoted as Resm 108) shown in FIG. 4 are examples of application data set in the TCP data 103.
Each of the GETm 107 and the Resm 108 has a message header 71 in which control information is set and a message body 72 that is data for communication. The message header 71 and the message body 72 are separated by a blank line 66.
The message header 71 of the GETm 107 includes a request line 61, a request header field 62, a general header field 63, a header field 64, and the other 65. The message header 71 of the Resm 108 includes a status line 68, a response header field 69, and a general header field. 63, a header field 64, and the other 65.
“GET” is set in the request line 61 of the GET m 107 to indicate that this HTTP message is GET 43. In the header field 64 of GETm 107 and Resm 108, “Content-Length” indicating the size of the message body 72 is set. Hereinafter, the size of the message body 72 is referred to as “content size”.

  Hereinafter, GETm 107 and Resm 108 are collectively referred to as “message 106”.

FIG. 5 is a diagram illustrating the divided Resm 108.
In FIG. 5, when the size of the message 106 (for example, Resm 108) is large, the message 106 is divided into a plurality of pieces and transmitted in a plurality of packets.
For example, a Resume 108 of 2000 bytes (bytes) is divided into two by 1000 bytes, a packet (Res44) including a message header 71 (the head of the Resm 108) and a part of the message body 72, and the remaining message body 72 (Resm108). And the packet (Data 45) including the end of the data.

  Hereinafter, the respective parts constituting the message 106 divided like the data set in Res 44 and the data set in Data 45 are collectively referred to as “divided data (or fragment)”.

FIG. 6 is a diagram illustrating an example of a communication sequence in the first embodiment.
The Res 108 shown in FIG. 5 is sent from the WWW server 23 to the proxy server 26 using Res 44 and Data 45 in the flow shown in FIG.
An arrow shown in FIG. 6 indicates that a packet is transmitted in the direction of the arrow.

  Here, it is assumed that some data is requested (HTTP request) from the terminal 21 of the in-house network 22 to the WWW server 23. The proxy server 26 receives a request from the terminal 21 to the WWW server 23. If the terminal 21 does not hold the requested data, the proxy server 26 issues a request to the WWW server 23 instead of the terminal 21 to acquire the data, and responds to the terminal 21 with the acquired data. FIG. 6 shows a flow of packet transmission / reception when the proxy server 26 sends a request to the WWW server 23 instead of the terminal 21 to acquire data.

  First, the proxy server 26 establishes a TCP connection with the WWW server 23 through transmission / reception of SYN 40, SYN / ACK 41 and ACK 42, and acquires data from the WWW server 23 through transmission / reception of GET 43, Res 44, Data 45 and ACK 47 using the established connection. The connection is disconnected by sending / receiving FIN / ACK 50, FIN / ACK 51 and ACK 52.

SYN 40 is a packet in which a flag indicating a connection establishment request is set in the TCP header 102.
SYN / ACK 41 is a packet in which an acknowledgment number (ack) indicating completion of reception of SYN 40 and a flag indicating establishment of a connection are set in the TCP header 102.
The ACK 42 is a packet in which an acknowledgment number indicating completion of reception of SYN / ACK 41 is set in the TCP header 102.
The GET 43 is a packet in which the GET m 107 is set in the TCP data 103.
Res 44 is a packet in which the first half of Res 108 is set in the TCP data 103.
Data 45 is a packet in which the latter half of Resm 108 is set in TCP data 103.
The ACK 47 is a packet in which an acknowledgment number indicating completion of the reception of Res 44 and Data 45 is set in the TCP header 102.
The FIN / ACK 50 is a packet in which a flag indicating a connection disconnection request is set in the TCP header 102.
The FIN / ACK 51 is a packet in which an acknowledgment number indicating completion of reception of the FIN / ACK 50 and a flag indicating disconnection are set in the TCP header 102.
The ACK 52 is a packet in which an acknowledgment number indicating completion of reception of the FIN / ACK 51 is set in the TCP header 102.
Hereinafter, the case where the TCP data 103 is not included in the SYN 40, the SYN / ACK 41, the ACK 42, the ACK 47, the FIN / ACK 50, the FIN / ACK 51, and the ACK 52 will be described as an example.

  A “sequence number (seq)” and an “acknowledgment response number (ack)” are set in the TCP header 102 of the transmitted / received packet.

  “Sequence number (seq)” indicates the arrangement order of the transmitted TCP data 103 in units of bytes, and is a message transmitted from the transmission source (transmission side) of the packet to the transmission destination (reception side) of the packet. An arrangement position of the TCP data 103 of the packet in 106 is shown. The initial value of “sequence number (seq)” is set to SYN 40 and SYN / ACK 41.

In FIG. 6, seq (99) set to SYN 40 means that the arrangement order of the TCP data 103 transmitted from the proxy server 26 to the WWW server 23 is indicated by a serial number that continues from “99”.
Further, seq (700) set in SYN / ACK 41 means that the arrangement order of the TCP data 103 transmitted from the WWW server 23 to the proxy server 26 is indicated by a serial number subsequent to “700”.

  The “acknowledgment response number (ack)” is a value obtained by adding “1” to the sequence number of the TCP data 103 that has been received, and the transmission source of the packet has received the TCP data 103 received in the past from the transmission destination of the packet. A value obtained by adding “1” to the sequence number is shown. Next, a packet including the data following the “acknowledgment response number (ack)” set in the packet as the TCP data 103 is transmitted from the transmission destination of the packet to the transmission source of the packet.

  The SYN 40, SYN / ACK 41, FIN / ACK 50, and FIN / ACK 51 treat the TCP data 103 as a 1-byte packet, and “1 (byte)” is added to the “sequence number (seq)”.

In FIG. 6, the proxy server 26 transmits SYN 40 in which “99” is set as an initial value of its own seq to the WWW server 23 in order to establish a connection with the WWW server 23. The WWW server 23 that has received the SYN 40 sets a value (100) obtained by adding “1” to the seq (99) of the SYN 40 as an ack, and proxies the SYN / ACK 41 in which “700” is set as an initial value of its own seq. Send to server 26. The proxy server 26 that has received the SYN / ACK 41 sets a value (701) obtained by adding “1” to the seq (700) of the SYN / ACK 41 as an ack, and an ACK 42 that sets the ack (100) of the SYN / ACK 41 to a seq. Is transmitted to the WWW server 23. Thereby, a connection is established between the proxy server 26 and the WWW server 23.
After establishing the connection, the proxy server 26 transmits the GET 43 in which the GET m 107 is set as the TCP data 103 to the WWW server 23. Seq and ack of GET 43 are the same as ACK 42. Here, the size of GETm 107 is assumed to be 100 bytes.

The WWW server 23 that has received the GET 43 divides the 2000 byte Resm 108 into two parts each having 1000 bytes. Then, the WWW server 23 transmits the Res 44 in which the first 1000 bytes including the head of the Resm 108 are set as the TCP data 103 to the proxy server 26, and the second 1000 bytes including the end of the Resm 108 is the TCP data 103. The set Data 45 is transmitted to the proxy server 26. The seq of Res44 is the same value as the ack of GET43, and the seq of Data45 is a value (1701) obtained by adding the size (1000) of the TCP data 103 of Res44 to the seq (701) of Res44.
The proxy server 26 that has received the Res 44 and the Data 45 sets the ACK 47 in which the value (2701) obtained by adding the total size (2000) of the TCP data 103 of the Res 44 and Data 45 to the ack (701) of the GET 43 is set as the ack. Send to. The seq of ACK 47 is the same as the ack of Res 44 and Data 45.

  The proxy server 26 that has received Resm 108 by Res 44 and Data 45 transmits FIN / ACK 50 in which the same seq (200) and ack (2701) as ACK 47 are set to the WWW server 23 in order to disconnect the connection. The WWW server 23 that has received the FIN / ACK 50 transmits to the proxy server 26 FIN / ACK 51 (seq: 2701) in which a value (201) obtained by adding “1” to the seq (200) of the FIN / ACK 50 is set as ack. The proxy server 26 that has received the FIN / ACK 51 transmits to the WWW server 23 ACK 52 (seq: 201) in which a value (2702) obtained by adding “1” to seq (2701) of the FIN / ACK 51 is set as ack. As a result, the connection between the proxy server 26 and the WWW server 23 is disconnected.

As shown in FIG. 6, the communication recording apparatus 1 receives each packet (SYN40 to ACK52) communicated between the WWW server 23 and the proxy server 26, and communicates the TCP data 103 set in each packet. Record as history 120. In FIG. 6, GETm 107 set in GET 43, Resm 108 set in Res 44 and Data 45 are recorded as communication history 120 by the communication recording device 1.
The communication recording device 1 records the TCP data 103 set in Res44 and the TCP data 103 set in Data45 in association with each other as Resm108, and records the GETm107 and Resm108 in association with each other.

FIG. 7 is a diagram illustrating the communication history 120 in which the GETm 107 and the Resm 108 are set according to the first embodiment.
For example, the communication recording apparatus 1 records GETm 107 and Resm 108 in association with each other as shown in FIG.
The request pointer 81 indicates the address of the storage area in which the GETm 107 set in the GET 43 is recorded.
The response pointer 82 includes the address of the storage area recorded in the first half of Resm 108 set in Res 44 and the address of the storage area recorded in the second half of Resm 108 set in Data 45 as the storage area in which Resm 108 is recorded. Is shown in the order of the data (start → end).
For example, the first half part of Resm 108 set in GETm 107 and Res 44 and the second half part set in Data 45 are stored in a continuous storage area.
Thereby, the communication recording device 1 can record the message 106 communicated between the proxy server 26 and the WWW server 23 as the communication history 120.
A set of request pointers 81 and response pointers 82 is generated for the number of messages 106 communicated between the proxy server 26 and the WWW server 23.
In addition, a set of request pointer 81 and response pointer 82 of each message 106 is managed for each connection.
The format of the communication history recorded by the communication recording device 1 is not limited to that shown in FIG.

FIG. 8 is a diagram illustrating an example of hardware resources of the communication recording device 1 according to the first embodiment.
In FIG. 8, the communication recording apparatus 1 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, or a processor) that executes a program. The CPU 911 includes a cache memory 907, a ROM 913, a RAM 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, an FDD 904 (Flexible Disk Drive), a CDD 905 (compact disk device), a printer device 906, via a bus 912. It is connected to a magnetic disk device 920 and controls these hardware devices. Instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card read / write device may be used.
The RAM 914 and the cache memory 907 are an example of a main storage device and an example of a volatile memory. The ROM 913 is an example of a nonvolatile memory. The storage medium of the FDD 904, the storage medium of the CDD 905, and the magnetic disk device 920 are an example of an auxiliary storage device and an example of a nonvolatile memory.
The communication board 915, the keyboard 902, the FDD 904, and the like are examples of an input device, an input device, or an input unit.
The communication board 915, the display device 901, the printer device 906, and the like are examples of output devices, output devices, or output units.

  The communication board 915 includes a plurality of ports. One end of the communication cable is connected to each port, and the other end of the communication cable is connected to the mirroring port of the SW 27.

  The magnetic disk device 920 stores an OS 921 (operating system), a window system 922, a program group 923, and a file group 924. The programs in the program group 923 are executed by the CPU 911, the OS 921, and the window system 922.

  The program group 923 stores a program for executing a function described as “˜unit” in the embodiment. The program is read and executed by the CPU 911.

In the file group 924, in the embodiment, result data such as “determination result”, “calculation result of”, “processing result of” when executing the function of “to part”, “to part” The data to be passed between programs that execute the function “,” other information, data, signal values, variable values, and parameters are stored as items “˜file” and “˜database”. The communication history 120 is an example of what is included in the file group 924.
The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, output, printing, and display. Information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory during the CPU operations of extraction, search, reference, comparison, operation, calculation, processing, output, printing, and display. Is remembered.
In addition, arrows in the flowcharts described in the embodiments mainly indicate input / output of data and signals. The data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic disk device 920 magnetic field. It is recorded on a recording medium such as a disc, other optical discs, mini discs, DVD (Digital Versatile Disc). Data and signal values are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In addition, what is described as “˜unit” in the embodiment may be “˜circuit”, “˜device”, “˜device”, and “˜step”, “˜procedure”, “˜”. Processing ". That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, only hardware such as elements, devices, substrates, wirings, etc., or a combination of software and hardware, and further a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part”. Alternatively, the procedure or method of “to part” is executed by a computer.

FIG. 9 is a functional configuration diagram of the communication recording apparatus 1 according to the first embodiment.
A functional configuration of the communication recording apparatus 1 according to the first embodiment will be described below with reference to FIG.

  The communication recording apparatus 1 includes a reception control unit 3, a TCP analysis unit 4, a TCP order control unit 5, an application analysis unit 6, a data display unit 7, an input port 2, and a recording unit 9.

  The input port 2 is connected to the communication cable 29, and the other end of the communication cable 29 is connected to the mirroring port of SW27. The input port 2 inputs a packet transferred by the port monitor function of the SW 27 via the communication cable 29 and outputs the input packet to the reception control unit 3.

  The recording unit 9 is an auxiliary storage device (nonvolatile memory) (for example, a magnetic disk device 920, flash memory, FD, CD, DVD) in which the message 106 is recorded as the communication history 120 by the application analysis unit 6.

  The reception control unit 3 inputs a packet from the input port 2 and stores all the input packets in a main storage device (volatile memory) (for example, the RAM 914 and the cache memory 907). The reception control unit 3 is set with an operation mode (promiscuous mode) for receiving all packets including packets not addressed to itself.

  The reception control unit 3 inputs the input port 2 to a communication network (for example, the in-house network 22 and the Internet 24) in which application data (for example, GETm 107, Resm 108, message 106) indicating specific data is divided into a plurality of packets and communicated. The communication cable 29 and the SW 27 are connected to receive a packet sent to the communication network among the plurality of packets (the packet is input from the input port 2). The reception control unit 3 stores the received packet in the main storage device.

  The TCP analysis unit 4 analyzes the TCP header 102 of each packet received by the reception control unit 3 and stored in the main storage device. For example, the TCP analysis unit 4 sets, searches, and deletes connection information.

  The TCP order control unit 5 performs control related to the order of the TCP packets 104 based on the sequence number (seq) set in the TCP header 102 for each packet received by the reception control unit 3 and stored in the main storage device.

  For example, the TCP order control unit 5 (order determination unit) causes the reception control unit 3 to include the first TCP packet including the first TCP data and the first TCP header including the sequence number of the first TCP data. Is received and stored in the main storage device, and the first TCP data included in the first TCP packet is recorded in the recording unit 9 (auxiliary storage device) by the application analysis unit 6 (communication recording unit) described later. When the second TCP packet including the second TCP data and the second TCP header including the sequence number of the second TCP data is received by the reception control unit 3 and stored in the main storage device The following processing is performed. The TCP order control unit 5 determines the second TCP data based on the sequence number of the first TCP data included in the first TCP header and the sequence number of the second TCP data included in the second TCP header. It is determined using the CPU whether or not is data following the first TCP data.

  Further, for example, when the TCP sequence control unit 5 (order determination unit) determines that the second TCP data is data subsequent to the first TCP data, the TCP sequence control unit 5 (order determination unit) adds the third TCP packet stored in the main storage device to the third TCP packet. Refer to the included TCP header. Then, the TCP order control unit 5 determines whether or not the third TCP data included in the third TCP packet is data subsequent to the second TCP data based on the sequence number included in the referenced TCP header. judge.

  The application analysis unit 6 analyzes the TCP data 103 and records it in the recording unit 9 for each packet received by the reception control unit 3 and stored in the main storage device.

  For example, the application analysis unit 6 (communication recording unit), when a part of the plurality of packets obtained by dividing the message 106 is stored in the main storage device by the reception control unit 3, The packet is read, and a part of the message 106 included in the part of the read packet is recorded in the recording unit 9 as a part of the communication history.

  For example, the application analysis unit 6 refers to the TCP header 102 included in the TCP packet 104 stored in the main storage device by the reception control unit 3. Then, the application analysis unit 6 causes the recording unit 9 to associate the TCP data 103 included in the TCP packet 104 with the arrangement position in the message 106 based on the sequence number (seq) included in the referenced TCP header 102. Record.

  Further, for example, the application analysis unit 6 determines that the second TCP data stored in the main storage device is data following the first TCP data recorded in the recording unit 9 by the TCP order control unit 5. In this case, the second TCP data is read from the main storage device, and the read second TCP data is recorded in the recording unit 9 following the first TCP data.

  Further, for example, the application analysis unit 6 determines that the second TCP data stored in the main storage device is data following the first TCP data recorded in the recording unit 9 by the TCP order control unit 5. When it is determined that the third TCP data stored in the main storage device is data following the second TCP data, the following processing is performed. The application analysis unit 6 reads the second TCP data and the third TCP data from the main storage device, records the second TCP data in the recording unit 9 following the first TCP data, and the third TCP data. The TCP data is recorded in the recording unit 9 following the second TCP data.

  The data display unit 7 displays the communication history 120 recorded in the recording unit 9 on the display device 901 or prints it from the printer device 906.

FIG. 10 is a flowchart showing a communication recording method of the communication recording apparatus 1 according to the first embodiment.
A communication recording method of the communication recording apparatus 1 in the first embodiment will be described below with reference to FIG.
Each unit of the communication recording apparatus 1 executes each process described below using a CPU.

<S110: Reception control processing>
The reception control unit 3 receives and receives the IP packet 105 from the input port 2, and stores the received IP packet 105 in a memory (main storage device).
The IP packet 105 received by the reception control unit 3 and stored in the memory is an IP packet 105 communicated between the proxy server 26 and the WWW server 23 and between the proxy server 26 and the terminal 21 in FIG. Yes, the IP packet 105 is transferred by the port monitor function of the SW 27. The TCP data 103 of the IP packet 105 indicates a message 106 from the terminal 21 of the internal network 22 to the WWW server 23 of the Internet 24 and a message 106 from the WWW server 23 of the Internet 24 to the terminal 21 of the internal network 22. The message 106 having a large size is divided into a plurality of pieces, and each is transmitted as a TCP data 103 by a plurality of IP packets 105.

<S120: TCP analysis processing>
Next, the TCP analysis unit 4 refers to the TCP packet 104 included in the IP packet 105 received by the reception control unit 3 in S110 and stored in the memory, and analyzes the TCP packet 104 based on the TCP header 102.
For example, in FIG. 6, the TCP analysis unit 4 identifies whether the TCP packet 104 is SYN 40, SYN / ACK 41, ACK 42, GET 43, Res 44, Data 45, ACK 47, FIN / ACK 50, FIN / ACK 51, or ACK 52.
For example, the TCP analysis unit 4 sets connection information based on SYN 40 and SYN / ACK 41.

<S130: TCP order control process>
Next, the TCP order control unit 5 determines the order of arrangement of the TCP data 103.
For example, the TCP order control unit 5 refers to the TCP packet 104 included in the IP packet 105, and arranges the TCP data 103 in the message 106 before the division based on the sequence number (seq) set in the TCP header 102. Identify the location.

<S140: Application Analysis Processing>
Then, the application analysis unit 6 arranges the TCP data 103 in order and records the message 106 as the communication history 120 in the recording unit 9.
For example, the application analysis unit 6 acquires each TCP data 103 from the IP packet 105 and records the acquired TCP data 103 in the recording unit 9 as a communication history in association with the arrangement position in the message 106 before the division.

<S150: Data Display Processing>
Further, the data display unit 7 acquires the communication history 120 from the recording unit 9, and displays the acquired communication history 120 on the display device 901 or prints it from the printer device 906.

FIG. 11 is a flowchart showing details of TCP analysis processing (S120) to application analysis processing (S140) of the communication recording method according to the first embodiment.
Details of the TCP analysis process (S120) to the application analysis process (S140) of the communication recording method according to the first embodiment will be described below with reference to FIG.

  In the communication recording method of the first embodiment, when the IP packet 105 is newly received and stored in the memory by the reception control unit 3 in the reception control process (S110), the TCP shown in FIG. Analysis processing (S120) to application analysis processing (S140) are executed.

First, the following processing is executed as TCP analysis processing (S120).
The TCP analysis unit 4 refers to the TCP header 102 of the IP packet 105 newly stored in the memory, determines whether the TCP packet 104 is SYN 40 or SYN / ACK 41 transmitted when the connection is established, or FIN / It is determined whether the packet is an ACK 50 or another TCP packet 104. Hereinafter, the IP packet 105 newly stored in the memory is referred to as a “received packet” (S1).

  When the TCP packet 104 is SYN 40 or SYN / ACK 41 in S1, the TCP analysis unit 4 generates connection information based on the TCP header 102 and the IP header 101 (S4).

At this time, when the SYN 40 is stored in the memory, the TCP analysis unit 4 sets “source IP address” and “destination IP address” set in the IP header 101 and “transmission” set in the TCP header 102. Connection information is generated using the “original port number” and the “destination port number” as information for identifying the connection (hereinafter referred to as “connection identifier”). Also, the TCP analysis unit 4 sets a value obtained by adding “1” to “sequence number (seq)” set in the TCP header 102 of the SYN 40 in the connection information as the Next Seq of the transmission source of the SYN 40.
Further, when SYN / ACK 41 is stored in the memory, the TCP analysis unit 4 sets a value obtained by adding “1” to seq set in the TCP header 102 as the connection source NextSeq in the connection information. To do.
“NextSeq” indicates the sequence number of the TCP data 103 recorded in the recording unit 9 next.

After the processing of S4, the TCP analysis unit 4 deletes the received packets (SYN 40 and SYN / ACK 41) from the memory. Hereinafter, erasure from the memory is referred to as “discard” (S2).
This completes the processing for the received packets (SYN 40 and SYN / ACK 41).

  When the TCP packet 104 is FIN / ACK 50 in S1, the TCP analysis unit 4 identifies the corresponding connection information based on the TCP header 102 and the IP header 101, and deletes the identified connection information (S4b).

After the process of S4b, the TCP analysis unit 4 does not include the TCP data 103 (S11), and therefore discards the received packet (FIN / ACK 50) (S2).
This completes the processing for the received packet (FIN / ACK 50).

  If the TCP packet 104 is of another type in S1, the TCP analysis unit 4 determines whether the TCP state of the received packet is correct based on the TCP header 102 (S3).

  For example, the TCP analysis unit 4 checks the presence or absence of connection information identified by the connection identifier of the received packet. If there is connection information, the TCP state is “OK”, and if there is no connection information, the TCP state is “NG”. To do.

  If the TCP state is “NG” in S3, the TCP analysis unit 4 discards the received packet (S2).

  If the TCP state is “OK” in S3, the TCP analysis unit 4 determines whether the size of the TCP data 103 is “0”. The size of the TCP data 103 is obtained by subtracting the “header length” of the IP header 101 set in the IP header 101 from the “packet length” of the IP packet 105 set in the IP header 101. Hereinafter, the TCP data 103 of the received packet is referred to as “received data”, and the size of the received data is referred to as “received size” (S11).

  If the reception size is “0” in S11, the TCP analysis unit 4 discards the received packet (S2).

  Next, the order determination process S131 is executed as the TCP order control process S130 as follows for the received packet determined that the reception size is not “0” in S11.

  The TCP sequence control unit 5 refers to the TCP header 102 of the received packet and the connection information of the received packet, and determines the seq set in the TCP header 102 of the received packet and the transmission source of the received packet set in the connection information It is determined whether NextSeq is the same (S5).

  If seq and NextSeq are not the same in S5, that is, if the received data cannot be received in order, the processing for the received packet ends. At this time, the received packet is not discarded but is stored in the memory. Hereinafter, the received packet held in the memory is referred to as “held packet” (S7).

  When seq and NextSeq are the same in S5, the TCP sequence control unit 5 determines whether or not there is a holding packet (hereinafter referred to as “granted packet”) including the TCP data 103 that can be added to the received data (S50). ).

At this time, the TCP order control unit 5 identifies a holding packet in which a value obtained by adding the reception size to seq of the reception packet is set as seq as the grant packet. The TCP data 103 of the attached packet is data in which the received data and seq are continuous and follow the received data in the message 106.
Further, the TCP order control unit 5 similarly has a relationship in which the TCP data 103 is consecutive from the sequence number of the received data, such as a second grant packet for the grant packet and a third grant packet for the second grant packet. All grant packets in are identified.

If there is no grant packet in S50, the TCP sequence control unit 5 notifies the application analysis unit 6 of the received packet, and the application analysis unit 6 executes application analysis processing (S140) described below for the received packet.
After the application analysis process (S140) is executed, the process for the received packet ends.

When there is a grant packet in S50, the TCP sequence control unit 5 notifies the application analysis unit 6 of the received packet and the grant packet specified in S50 as a reception packet (S51), and the application analysis unit 6 receives the received packet (assignment). The application analysis process (S140) described below is executed for the packet (including the packet).
After the application analysis process (S140) is executed, the process for the received packet ends.

FIG. 12 is a flowchart showing details of application analysis processing (S140) of the communication recording method according to the first embodiment.
Details of the application analysis process (S140) of the communication recording method according to the first embodiment will be described below with reference to FIG.

  The application analysis unit 6 reads the received packet from the memory, records the received data in the recording unit 9, and deletes the received packet from the memory. When the received packet includes a grant packet, the application analysis unit 6 further reads out the grant packet from the memory and records the TCP data 103 (hereinafter referred to as “grant data”) set in the grant packet in the recording unit 9. The granted packet is deleted (S13).

  At this time, the application analysis unit 6 refers to the seq of the received packet, and records the received data in the recording unit 9 in association with seq. For example, the application analysis unit 6 records the received data as a part of the message 106 in the format shown in FIG. For example, in FIG. 7, when Resm 108 is divided into Res 44 and Data 45 and transmitted, the application analysis unit 6 stores the recorded first half portion of Resm 108 set as the TCP data 103 of Res 44 in the response pointer 82. The address of the area is set as the first pointer. Further, the application analysis unit 6 sets, in the response pointer 82, the address of the storage area recorded in the latter half of the Resm 108 set as the TCP data 103 of the Data 45 as the second pointer. Further, in the first half of the Resm 108 (TCP data 103 set in Res44) and the second half (TCP data 103 set in Data45), the first pointer and the second pointer are “first pointer <first It is stored so as to satisfy the relationship of “two pointers”. Further, the first half and the second half of Resm 108 are recorded in a continuous storage area. The request pointer 81 and the response pointer 82 are newly generated when reception data of a new message 106 is recorded, and an address indicating the recording area of the reception data is added every time reception data constituting the message 106 is recorded. .

Further, since the application analysis unit 6 records the reception data (including the grant data) in S13 in the recording unit 9, the reception size (including the size of the grant data is included in the NextSeq of the transmission source of the received packet. Hereinafter, the size of the grant data (Referred to as “grant size”) to update the connection information of the received packet. “NextSeq” indicates the seq of the TCP data 103 recorded in the recording unit 9 (S21).
The application analysis process (S140) for the received packet ends here.

  Next, the TCP analysis process (S120) to the application analysis process (S140) illustrated in FIGS. 11 and 12 will be described using the communication sequence illustrated in FIG. 6 as an example.

  An information acquisition request from the terminal 21 is notified to the WWW server 23 via the proxy server 26. Packets transmitted / received by the proxy server 26 to / from the Internet 24 are notified to the communication recording apparatus 1 via the SW 27. Since the HTTP protocol used for connection to the WWW server 23 operates on TCP, the proxy server 26 transmits SYN 40 to establish the connection. The reception control unit 3 of the communication recording apparatus 1 is set to a promiscuous mode for receiving all packets, and can receive packets addressed to other hosts.

  When the SYN 40 is received by the reception control unit 3, the TCP analysis unit 4 checks the TCP type and TCP state (steps 1 and 3). The TCP analysis unit 4 analyzes whether the transmission source IP address, transmission destination (destination) IP address, transmission source port number, and transmission destination (destination) port number of the received packet are registered, and must be registered. For example, the address and port number in the packet are registered as connection information (step 4). Thereafter, when the packet is received, the TCP analysis unit 4 checks whether the packet is transmitted / received on the established connection (step 3). Then, when the packet is transmitted without establishing a connection, the TCP analysis unit 4 discards the packet as a TCP state error (step 2). The connection information is retained during communication after the connection is established, and is deleted when a connection disconnection packet (FIN / ACK 50) is received (step 4b). The received SYN 40 is discarded after the TCP state check (step 2).

  The WWW server 23 that has received the SYN 40 transmits a SYN / ACK 41. The SYN / ACK 41 is discarded after checking by the TCP analysis unit 4 (step 3) (step 2).

Next, the proxy server 26 transmits ACK42. The communication recording device 1 receives the ACK 42 transmitted by the proxy server 26. At this time, NextSeq (O) (hereinafter referred to as NextSeq (O) of proxy server 26) of the packet transmitted in the direction of “in-house (proxy server 26) → Internet (WWW server 23)” is “100”. Further, NextSeq (I) (hereinafter referred to as NextSeq (I) of WWW server 23) of a packet transmitted in the direction of “in-house (proxy server 26) ← Internet (WWW server 23)” is “701”.
Next, the TCP analysis unit 4 checks the data size of the ACK 42 (the size of the TCP data 103, the reception size) (S11), but discards the ACK 42 because the size is “0” (step 2).

Next, the proxy server 26 transmits GET43. When the GET 43 is received by the reception control unit 3, the TCP analysis unit 4 determines the TCP type (“other than”) of the GET 43 (step 1), determines the TCP state (“OK”) (step 3), The reception size (> 0) is determined (step 11).
Next, the TCP order control unit 5 compares NextSeq (O) of the proxy server 26 with the received TCP sequence number of the GET 43 (step 5). NextSeq (O) is “100”, which matches the sequence number of GET43.
Next, the TCP sequence control unit 5 analyzes whether there is data located behind the received data among the held data (step 50).
Since there is no retained data for the GET 43, application analysis processing (step 140) is executed next.
In the application analysis process (step 140), the message header 71 and message body 72 of the GET 43 are recorded in the recording unit 9 (step 13), and NextSeq (O) is updated by the received size to become “200” (step 21).

The WWW server 23 that has received the GET 43 transmits Res 44 and Data 45.
When Res 44 is received by the reception control unit 3, the TCP analysis unit 4 performs a TCP analysis process (step 120) on Res 44 in the same manner as the GET 43.
Next, the TCP order control unit 5 compares NextSeq (I) of the WWW server 23 with the TCP sequence number of the received Res 44 (step 5). NextSeq (I) is “701”, which matches the sequence number of Res44.
Next, the TCP sequence control unit 5 analyzes whether there is data located behind the received data among the held data (step 50).
Since there is no retained data for Res44, application analysis processing (step 140) is executed next.
In the application analysis process (step 140), the message header 71 and message body 72 of Res44 are recorded in the recording unit 9 (step 13), and NextSeq (I) is updated by the received size to become “1701” (step 21).
Data 45 is processed in the same manner as Res 44 and recorded in the recording unit 9, and NextSeq (I) is updated to “2701”.

The proxy server 26 that has received the Data 45 transmits an ACK 47.
When the reception control unit 3 receives ACK 47, the ACK 47 is discarded because the data size is “0” (step 2).

  Thereafter, FIN / ACK 50, FIN / ACK 51, and ACK 52 are exchanged between the proxy server 26 and the WWW server 23 and received by the reception control unit 3 for disconnection, but all of them are discarded (step 2). finish. At this time, since the TCP connection is disconnected, the TCP analysis unit 4 deletes the connection information (step 4b).

FIG. 13 is a diagram illustrating an example of a communication sequence according to the first embodiment.
Next, TCP analysis processing (S120) to application analysis processing (S140) in a case where the packets arrive at the transmission destination in an order different from the arrangement order in the message 106 will be described with reference to FIGS.
In FIG. 13, the order of Res 44 and Data 45 is reversed with respect to FIG. 6.

The operations for SYN 40 to GET 43 are the same as in the above example based on FIG.
After the operation for the GET 43, NextSeq (O) of the proxy server 26 is “200”, and NextSeq (I) of the WWW server 23 is “701”.

  When Data 45 is received by the reception control unit 3, after the TCP analysis processing (S 120) by the TCP analysis unit 4, the TCP sequence control unit 5 receives NextSeq (I) of the WWW server 23 and the TCP sequence number of the received Data 45. Are compared (step 5). Here, since the NextSeq (I) “701” and the sequence number “1701” of Data 45 do not match, Data 45 is not recorded in the recording unit 9 but is stored in the memory (step 7).

Next, when Res 44 is received by the reception control unit 3, after the TCP analysis processing (S 120) by the TCP analysis unit 4, the TCP order control unit 5 receives NextSeq (I) of the WWW server 23 and the TCP of the received Res 44. The sequence number is compared (step 5). At this time, NextSeq (I) “701” and Res44 sequence number “701” match. Therefore, the TCP sequence control unit 5 checks whether there is data that can be added after the Res 44 in the stored data (step 50). Since the retained packet includes the previously received Data 45, the TCP sequence control unit 5 notifies the application analysis unit 6 of the data packet to which Data 45 is added after Res 44 as a received packet (step 51).
In the application analysis process (S140), as in the previous example based on FIG. 6, the message header 71 of Res44, the message body 72, and the message body 72 of Data45 are recorded in the recording unit 9 (step 13), and NextSeq (I) Is updated by the received size (the size of the TCP data 103 of Res44 + the size of the TCP data 103 of Data45) to become “2701” (step 21).

  The operations for ACK 47 to ACK 52 are the same as in the above example based on FIG.

  In the first embodiment, the following communication recording apparatus 1 and application data analysis method (communication recording method) of the communication recording apparatus 1 have been described.

The communication recording device 1 includes a reception control unit 3, a TCP analysis unit 4, a TCP sequence control unit 5, an application analysis unit 6, a recording unit 9, and a data display unit 7, analyzes the sequence number of received data, Are received in order, data is not stored in the assembly buffer (main storage device, memory), but is analyzed by application analysis and recorded.
The reception control unit 3 receives all packets including packets addressed to other hosts from the network.
The TCP analysis unit 4 analyzes the TCP state of the packet received by the reception control unit 3.
The TCP order control unit 5 performs control so that the packet order is correct when the packet order is reversed.
The application analysis unit 6 analyzes application data (message 106).
The recording unit 9 records the analysis result (application data) of the application analysis unit 6.
The data display unit 7 displays the data of the recording unit 9.

As described above, the communication recording apparatus 1 compares the sequence number of received data with respect to data addressed to another host and NextSeq, and holds the data if they match, that is, if the data arrives in order. Do application analysis without. For this reason, the communication recording apparatus 1 can record application data without consuming resources such as a memory.
Further, the communication recording apparatus 1 holds data when the sequence numbers do not match, and performs application analysis by adding the held data when data positioned before this data is received. Therefore, the communication recording apparatus 1 can record application data even when the order of packets is reversed.

Embodiment 2. FIG.
In the second embodiment, a mode in which the communication recording apparatus 1 processes a packet including a plurality of messages 106 will be described. For example, a packet including a plurality of messages 106 includes a portion including the end of the first message transmitted earlier and a portion including the beginning of the second message transmitted after the first message. Packet.
Hereinafter, items different from the first embodiment will be mainly described, and items omitted will be the same as those of the first embodiment.

FIG. 14 is a functional configuration diagram of the communication recording apparatus 1 according to the second embodiment.
In FIG. 14, the communication recording device 1 according to the second embodiment includes a termination detection unit 10 in addition to the configuration of the communication recording device 1 according to the first embodiment.

  The end detection unit 10 detects the end of the message 106 from each packet received by the reception control unit 3 and stored in the main storage device.

  For example, the termination detection unit 10 (termination specifying unit) is based on the size of each of the plurality of packets stored in the main storage device by the reception control unit 3 and the size of each of the plurality of messages 106 included in the plurality of packets. A packet including the end of each message 106 among a plurality of packets is specified as a terminal packet using the CPU.

  Further, for example, the termination detection unit 10 (terminating unit) determines whether the termination packet includes the termination of the first application data and the beginning of the second application data.

  The application analysis unit 6 distinguishes a plurality of packets stored in the main storage device by the reception control unit 3 for each message 106 based on the termination packet of each message 106 specified by the termination detection unit 10. Then, the application analysis unit 6 distinguishes the plurality of messages 106 included in the plurality of packets for each message 106 and records them in the recording unit 9.

  In addition, when the termination detection unit 10 described later determines that the termination packet includes the termination of the first application data and the beginning of the second application data, the application analysis unit 6 performs the following processing I do. The application analysis unit 6 extracts the first application data and the second application data from the terminal packet, distinguishes the first application data and the second application data, and records them in the recording unit 9.

FIG. 15 is a diagram showing the divided message 106.
In FIG. 15, when the size of the message 106a is large, the message 106a is divided into a plurality of pieces and transmitted in a plurality of packets. Further, in the packet including the end of the message 106a, the head portion of the message 106b transmitted next to the message 106a is included in the packet including the end portion of the message 106a so that the size of the TCP data 103 becomes a predetermined maximum size. Is set.
For example, when the size of the message 106a is 1500 bytes (bytes), the size of the message 106b is 500 bytes, and the maximum size of the TCP data 103 is 1000 bytes, the message 106a and the message 106b are the top of the message 106a. The packet is transmitted in two packets: Res 44 in which the part is set, and Data / Res 53 (terminal packet) in which the terminal part of the message 106a and the message 106b (head part to terminal part) are set.

FIG. 16 is a flowchart showing details of application analysis processing (S140) of the communication recording method according to the second embodiment.
Details of the application analysis process (S140) of the communication recording method according to the second embodiment will be described below with reference to FIG.
The TCP analysis process (S120) to the TCP order control process (S130) are the same as those in the first embodiment (FIG. 11).

  First, the application analysis unit 6 determines whether the received data is the head of the message 106 (S16).

For example, the application analysis unit 6 compares a content size described later with a recording size described later, and determines that the received data is the head of the message 106 when the content size and the recording size match.
The content size indicates the size of the message body 72 of the message 106, and the recording size indicates the size of the data recorded in the recording unit 9 in the message body 72 of the message 106. It is assumed that the content size and the recording size are set to “0” as initial values when the TCP analysis unit 4 generates connection information (S4). The content size and the recording size are set for each of both establishing a connection. Hereinafter, “content size” and “recording size” are assumed to be for the transmission source of the received packet unless “transmission destination” is specified. The content size and the recording size are the same either when the first received data is received or when the entire message body 72 is recorded. That is, when the content size and the recording size are the same, the new received data indicates the head of the message 106.

  If the received data is the head of the message 106 in S16, the application analysis unit 6 initializes the recording size set in the connection information of the received packet to “0” (S17).

  Further, the application analysis unit 6 acquires the content size (in the header field 64 of the message header 71) set at a predetermined position from the beginning of the received data, and sets it in the connection information of the received packet. Further, a value obtained by subtracting the size of the message header 71 from the reception size (including the added size) is set as “reception size B” in the connection information of the reception packet (S18).

  If the received data is not the head of the message 106 in S16, the application analysis unit 6 sets the reception size to the reception size B (S18b).

  Next, the end detection unit 10 compares the total size of the reception size B and the recording size with the content size. When the total value of the reception size B and the recording size and the content size are the same, the end of the reception data is the end of the message 106 (S19).

  The case where the content size is larger than the total value of the reception size B and the recording size means that all the packets that divide the message 106 have not been received. Further, the case where the content size is equal to the total value of the reception size B and the recording size means that all the packets that divide the message 106 are received and the next message 106 is not included in the received data. To do.

  When the content size is equal to or larger than the total value of the reception size and the recording size in S19, the application analysis unit 6 receives the received packet (including the attached packet) as received data, as in the first embodiment (FIG. 12). The set message body 72 is recorded in the recording unit 9 for the reception size B. If the received data is the head of the message 106 in S16, the message header 71 is also recorded (S13).

  Further, since the application analysis unit 6 has recorded the message body 72 for the reception size B in the recording unit 9 in S13, the application analysis unit 6 adds the reception size B and updates the recording size (S20).

Further, the application analysis unit 6 adds the reception size and updates the NextSeq of the transmission source as in the first embodiment (FIG. 12) (S21).
The application analysis process (S140) for the received packet ends here.

  If the content size is less than the total value of the reception size and the recording size in S19, that is, a portion including the end of the first message (end portion of the message body 72) is set in the reception data. When the part including the head of the second message is set after the end of the first message, the application analysis unit 6 cuts out the first message part from the received data (including the added data). Hereinafter, the cut out first message is referred to as “cutout data” (S22).

  Next, the application analysis unit 6 records the cut-out data cut from the received data in S22 (the end portion of the message body 72) in the recording unit 9 (S13b).

  At this time, the application analysis unit 6 records the cut-out data in the recording unit 9 in association with the sequence number, similarly to S13. The cut-out data is recorded in the recording unit 9 as the final data of the message 106.

  In addition, since the application analysis unit 6 cuts out the cut-out data (the end portion of the message body 72) from the reception data in S22, the application analysis unit 6 updates the reception size by subtracting the size of the cut-out data (hereinafter referred to as cut-out size) (S23). ).

  In addition, since the application analysis unit 6 records the cut-out data in the recording unit 9 in S13b, the application analysis unit 6 adds the cut-out size and updates the record size (S24).

  Furthermore, since the application analysis unit 6 has recorded the cut-out data in the recording unit 9 in S13b, the application analysis unit 6 adds the cut-out size and updates the NextSeq of the transmission source (S25).

And the application analysis part 6 performs the process after S16 with respect to the remaining received data (a provision data is included) which the cut-out data cut out by S22.
At this time, since the recording size is updated in S24, the content size is equal to the recording size, and the received data is determined to be the head of the message 106 (S16).

FIG. 17 is a diagram illustrating an example of a communication sequence according to the second embodiment, in which Data 45 is replaced with Data / Res 53 with respect to FIG. 6 of the first embodiment.
As described with reference to FIG. 15, Data / Res 53 is a packet in which the end portion of the message 106 a and the message 106 b (head portion to end portion) are set as the TCP data 103.
The application analysis process (S140) shown in FIG. 16 will be described using the communication sequence shown in FIG. 17 as an example.

  As described in the first embodiment, SYN 40 to ACK 42 are discarded (S2) in the TCP analysis process (S120), and the application analysis process (S140) is not executed.

  Next, as described in the first embodiment, the GET 43 transmitted from the proxy server 26 to the WWW server 23 is received by the reception control unit 3 and stored in the memory (S110), and the TCP analysis unit 4 performs TCP analysis. The process is performed (S120), the TCP order control unit 5 performs the TCP order control process (S130), and is notified to the application analysis unit 6 as a received packet.

In FIG. 16, the application analysis unit 6 determines whether or not the GET 43 is the head of the message 106 (S16). At this time, since the content size and the recording size for the proxy server 26 are both the initial value “0”, the GET 43 is determined to be the head of the message 106. Therefore, the application analysis unit 6 initializes the recording size (S17), and acquires the content size and sets the reception size B (S18).
Next, the end detection unit 10 compares the total size of the reception size B and the recording size with the content size (S19). Here, the reception size B is “100 (subtracting the size of the message header 71)”, the recording size is “0”, and the content size is “100 (subtracting the size of the message header 71)”. Therefore, the total value of the reception size B and the recording size is equal to the content size. Therefore, the application analysis unit 6 records the GET 43 in the recording unit 9 (S13), updates the recording size to a value obtained by adding the reception size B (S20), and adds NextSeq of the proxy server 26 to the reception size “200”. (S21), and the process for GET 43 is terminated.

  Next, Res 44 transmitted from the WWW server 23 to the proxy server 26 is received by the reception control unit 3 and stored in the memory (S110) as described in the first embodiment, and the TCP analysis unit 4 performs TCP analysis. The process is performed (S120), the TCP order control unit 5 performs the TCP order control process (S130), and the application analysis unit 6 is notified as the received packet.

In FIG. 16, the application analysis unit 6 determines whether Res 44 is the head of the message 106 (S16). At this time, since the content size and the recording size for the WWW server 23 are both the initial value “0”, it is determined that Res 44 is the head of the message 106a. Therefore, the application analysis unit 6 initializes the recording size (S17), acquires the content size “1500 (subtracting the size of the message header 71)”, and sets the reception size B (S18).
Next, the end detection unit 10 compares the total size of the reception size B and the recording size with the content size (S19). Here, the reception size B is “1000 (subtracting the size of the message header 71)”, the recording size is “0”, and the content size is “1500 (subtracting the size of the message header 71)”. Therefore, the total value of the reception size B and the recording size is smaller than the content size. Therefore, the application analysis unit 6 records Res44 in the recording unit 9 (S13), and updates the recording size to a value “1000 (subtracting the size of the message header 71)” obtained by adding the reception size B (S20). ), NextSeq of the WWW server 23 is updated to “1701” to which the reception size is added (S21), and the processing for Res44 is ended.

  Next, the Data / Res 53 transmitted from the WWW server 23 to the proxy server 26 is received by the reception control unit 3 and stored in the memory (S110) as described in the first embodiment. The TCP analysis process (S120) is performed, the TCP order control unit 5 performs the TCP order control process (S130), and the application analysis unit 6 is notified as the received packet.

In FIG. 16, the application analysis unit 6 determines whether Data / Res 53 is the head of the message 106 (S16). At this time, the content size for the proxy server 26 is set to “1500 (subtracting the size of the message header 71)” at the time of Res44 processing, and the recording size is set to “1000 (from the message header 71 at the time of Res44 processing). Minus the size of “)”. For this reason, the content size does not match the recording size, and it is determined that Data / Res 53 is not the head of the message 106.
Next, the end detection unit 10 compares the total size of the reception size B and the recording size with the content size (S19). Here, the reception size B is “1000”, the recording size is “1000 (subtracting the size of the message header 71)”, and the content size is “1500 (subtracting the size of the message header 71)”. The total value of the reception size B and the recording size is larger than the content size. Therefore, the application analysis unit 6 determines that the message 106b is included in the Data / Res53 in addition to the message 106a, and cuts out the end portion (500 bytes) of the message 106a from the Data / Res53 (S22). The terminal portion of the message 106a is recorded in the recording unit 9 (S13b). Further, the application analysis unit 6 updates the reception size to “500” obtained by subtracting the size of the end portion of the message 106a (S23), and the recording size is added to the size of “1500” (from the message header). 71 (subtracting the size of 71) ”(S24), and NextSeq (I) of the WWW server 23 is updated to“ 2201 ”obtained by adding the size of the terminal portion of the message 106a (S25).

Then, the application analysis unit 6 performs the process from S16 on the remaining Data / Res 53 (message 106b) from which the message 106a has been cut out.
The application analysis unit 6 determines whether or not the remaining Data / Res 53 (message 106b) is the head of the message (S16). At this time, since the content size and the recording size are both “1500 (subtracting the size of the message header 71)”, the remaining Data / Res 53 is determined to be the head of the message 106b. Therefore, the application analysis unit 6 initializes the recording size of the remaining Data / Res 53 (message 106b) (S17), and the content size is the size of the message 106b “500 (subtracting the size of the message header 71)”. Acquisition and setting of the reception size B are performed (S18).
Next, the end detection unit 10 compares the total size of the reception size B and the recording size with the content size (S19). Here, the reception size B is “500 (subtracting the size of the message header 71)”, the recording size is “0”, and the content size is “500 (subtracting the size of the message header 71)”. Therefore, the total value of the reception size B and the recording size is equal to the content size. Therefore, the application analysis unit 6 records the remaining Data / Res 53 (message 106b) in the recording unit 9 (S13), updates the recording size to a value obtained by adding the reception size B (S20), and the NextSeq of the WWW server 23. Is updated to “2701” to which the reception size is added (S21), and the processing for Data / Res53 is terminated.

  As described in the first embodiment, ACK47 to ACK52 are discarded in the TCP analysis process (S120) (S2), and the application analysis process (S140) is not executed.

  As described above, in the communication recording apparatus 1 according to the second embodiment, the termination analysis unit 10 identifies a packet (termination packet) including the termination of the message 106, and the application analysis unit 6 is included in the termination packet. The messages 106 can be distinguished, and a plurality of messages 106 can be distinguished for each message 106 and recorded in the recording unit 9.

Embodiment 3 FIG.
In the third embodiment, a packet that has been successfully communicated between the proxy server 26 and the WWW server 23 is lost due to an error that occurs during transfer to the mirroring port connected to the communication recording device 1 in the SW 27. A case will be described in which loss occurs due to an error that occurred during transmission through the communication cable 29 connected from the mirroring port of the SW 27 to the communication recording apparatus 1. Since the communication between the proxy server 26 and the WWW server 23 is completed, the lost packet is not retransmitted between the proxy server 26 and the WWW server 23 and is received by the communication recording device 1. There is nothing.
Hereinafter, matters different from the first embodiment and the second embodiment will be mainly described, and matters that will not be described are the same as those in the first embodiment and the second embodiment.

  The functional configuration of the communication recording apparatus 1 in the third embodiment is the same as that in the first and second embodiments.

  In the third embodiment, the TCP order control unit 5 (missing data specifying unit) refers to the TCP header 102 included in the TCP packet 104 stored in the main storage device by the reception control unit 3. The TCP order control unit 5 is the TCP data 103 that has not been received by the reception control unit 3 based on the confirmation response number (ack) included in the referenced TCP header 102, and is between specific communication terminal devices (for example, The TCP data 103 that has been communicated between the proxy server 26 and the WWW server 23) is specified as missing data using the CPU.

  The application analysis unit 6 generates data in which a predetermined value is set as the missing data size specified by the TCP order control unit 5 as missing data, and records the generated missing data in the recording unit 9.

FIG. 18 is a flowchart showing details of TCP analysis processing (S120) to application analysis processing (S140) of the communication recording method according to the third embodiment.
Details of the TCP analysis process (S120) to the application analysis process (S140) of the communication recording method according to the third embodiment will be described below with reference to FIG.

  In the TCP analysis process (S120) in the third embodiment, it is determined whether or not the packet reception size (the size of the TCP data 103) is “0” from the TCP analysis process (S120) in the first embodiment (see FIG. 11). (S11) is removed.

  The TCP order control process (S130) in the third embodiment is obtained by adding the missing data specifying process (S132) to the TCP order control process (S130) in the first embodiment (see FIG. 11).

In the TCP order control process (S130) of the third embodiment, when the TCP order control unit 5 holds the received packet (S7), the Seq set in the TCP header 102 of the received packet is transmitted. It is set in the connection information as the original “assembly Seq”. However, when “assembly Seq” is already set, the TCP sequence control unit 5 compares the set assembly Seq with the Seq of the received packet, and updates the assembly Seq when the received packet Seq is smaller To do. When the set assembly Seq is larger, the TCP sequence control unit 5 does not update the assembly Seq. That is, the top Seq of the holding packet (s) is set in the assembly Seq. Note that “assembly Seq” is set to an initial value “0” when the TCP analysis unit 4 generates connection information (S4). “Assembly Seq” is set for both communication terminals that establish a connection.
The missing data specifying process (S132) will be described below.

  After the application process (S140) or the reception packet holding (S7) in the order determination process (S131), the TCP order control unit 5 refers to the TCP header 102 of the received packet and the connection information of the received packet. Then, the TCP sequence control unit 5 compares the ack (acknowledgment response number) set in the TCP header 102 of the received packet with the NextSeq of the transmission destination (reception side) of the received packet set in the connection information. . As a result of this size comparison, the TCP sequence control unit 5 successfully communicates between the communication terminals (for example, the proxy server 26 and the WWW server 23), but is lost during transfer to the communication recording device 1 and lost to the communication recording device 1. Whether or not there is a packet not received (hereinafter referred to as a missing packet) is determined (S8).

  If the ack of the received packet is equal to or less than NextSeq of the destination of the received packet in S8, the process for the received packet ends because there is no missing packet.

  When the ack of the received packet is larger than NextSeq of the destination of the received packet in S8, the TCP order control unit 5 refers to the TCP header 102 of the received packet and the connection information of the received packet. The TCP order control unit 5 compares the ack set in the TCP header 102 of the received packet with the assembly Seq of the destination of the received packet set in the connection information (S9).

  The ack of the received packet indicates the sequence number of the TCP data 103 that has been received (added to “1”) to the transmission destination. For this reason, when the ack of the received packet is larger than the NextSeq of the destination of the received packet, at least the TCP data 103 following the destination NextSeq has been communicated between the communication terminals, but has not reached the reception control unit 3 Means that. At this time, it is unavoidable to continue holding the holding packet in anticipation of receiving the TCP data 103 that continues from the destination NextSeq. Therefore, in S9, the TCP sequence control unit 5 compares the ack of the received packet with the assembly Seq of the destination of the received packet, and determines whether there is a retained packet that can be retained.

  If the ack of the received packet is less than the assembly Seq of the destination of the received packet in S9, the process for the received packet ends. In this case, since there is a possibility that the TCP data 103 located before the held data may be received, the held packet transmitted from the destination of the received packet and held (hereinafter referred to as the destination holding packet) is held as it is. Is done.

  If the ack of the received packet is equal to or greater than the assembled Seq of the destination of the received packet in S9, the TCP sequence control unit 5 uses a variable obtained by subtracting the NextSeq of the destination of the received packet from the assembled Seq of the destination of the received packet. Set to “Diff”. “Diff” indicates the size of the TCP data 103 of the missing packet. Hereinafter, the TCP data 103 of the missing packet is referred to as “missing data”, and the size of the missing data is referred to as “missing size” (S41).

  After S41, application analysis processing (S140) for recording the retained packet in the recording unit 9 is executed by the application analysis unit 6.

FIG. 19 is a flowchart showing details of application analysis processing (S140) of the communication recording method according to the third embodiment.
FIG. 20 is a flowchart showing a part of application analysis processing (S140) of the communication recording method according to the third embodiment.
Details of the application analysis process (S140) of the communication recording method according to the third embodiment will be described below with reference to FIGS.

  In FIG. 19, the application analysis unit 6 determines whether Diff (size of missing data) is “0” (S10).

When Diff is “0” in S <b> 10, the application analysis unit 6 executes the processes after S <b> 11.
The case where Diff is “0” in S10 is the case where the application analysis process (S140) is executed after the order determination process (S131) in FIG. 18, and the processes after S11 record the received data in the recording unit 9. This is a process performed for this purpose.
Details of the processing after S11 will be described later.

When Diff is not “0” in S10, the application analysis unit 6 executes the processing from S51 onward shown in FIG.
The case where Diff is not “0” in S10 is the case where the application analysis process (S140) is executed after the missing data specifying process (S132) in FIG. This is a process performed to record the data.
Below, the process after S51 is demonstrated.

  In FIG. 20, the application analysis unit 6 identifies a held packet whose transmission data sequence number is less than the ack of the received packet among the transmission destination held packets. The holding data of the holding packet specified here is a target to be recorded in the recording unit 9 below (S51).

  Next, the application analysis unit 6 creates a substitute packet to replace the missing packet (S52).

  For example, the application analysis unit 6 sets the IP header 101 and the TCP header 102 of the destination holding packet as alternative packets, and updates the packet size of the IP header 101, the seq of the TCP header 102, etc. according to the missing data. . Further, for example, the application analysis unit 6 creates substitute data to be recorded in the recording unit 9 instead of missing data, and sets the created substitute data in a substitute packet. The size of the substitute data is Diff, and the data value of the substitute data is a specific value (for example, all 0, hereinafter referred to as substitute value) indicating that the data is substitute data. In addition, the application analysis unit 6 creates alternative data for a portion of the received packet that is less than ack and has no retained data. For example, the portion of the received packet that is less than the ack and has no retained data means that the received packet has an ack of 401, and there are retained data A with sequence numbers 101 to 200 and retained data B with sequence numbers 301 to 400 The data with sequence numbers 201-300. Also, for example, the portion of the received packet that is less than ack and has no retained data is data having a sequence number of 301 to 400 when the received packet ack is 401 and there is retained data of sequence numbers 201 to 300. (S52).

  Next, the application analysis unit 6 refers to the connection information of the received packet, and compares the recording size of the transmission destination of the received packet and the total value of Diff with the content size of the transmission destination of the received packet (S26).

  In S26, when the total value of the recording size of the transmission destination and Diff is larger than the content size of the transmission destination, the message header 71 of the next message 106 is included in the missing packet. That is, the content size of the next message 106 becomes unknown, and subsequent TCP data 103 cannot be distinguished for each message 106.

  Therefore, the application analysis unit 6 records the retained data specified in S51 and the substitute data generated in S52 in the recording unit 9, but does not distinguish each message 106 as shown in FIG. 7 (S13c).

  Further, since the application analysis unit 6 records the retained data and the alternative data in the recording unit 9 in S13c, the application analysis unit 6 adds the total value of the retained size and the alternative size to update the recording size of the transmission destination (S53). The total value of the size and the alternative size is added to update NextSeq of the transmission destination (S54).

Then, the application analysis unit 6 sets “1” in the abnormality flag so as to indicate that the TCP data 103 from the transmission destination of the received packet is recorded in the recording unit 9 without being distinguished for each message 106. This abnormality flag is set as the abnormality flag of the destination of the received packet in the connection information of the received packet (S32).
This completes the process for the received packet.

FIG. 21 is a diagram illustrating a case where the total value of the recording size and Diff is larger than the content size.
In FIG. 21, Res 44 is data that has already been received and recorded in the recording unit 9, Data 45 is missing data, and Data 46 is retained data. FIG. 21 shows the content size 111 and the recording size 112 for the message body 72 excluding the message header 71. As shown in FIG. 21, when the total value of the recording size 112 and the Diff 113 is larger than the content size 111, the next message 106 starts in the middle of the Data 45 that is missing data, and the message header 71 becomes unknown. For this reason, it becomes unclear whether Data 46 is the next message 106 or the next message 106. FIG. 21 is referred to as “Case 2”.
In case 2, the application analysis unit 6 sets “1” in the abnormality flag as described above.

  On the other hand, in S26, when the recording size of the transmission destination and the total value of Diff are equal to or smaller than the content size of the transmission destination, the application analysis unit 6 stores the data held in the transmission destination ( And alternative data) can be recorded in the recording unit 9 separately for each message 106.

FIG. 22 is a diagram illustrating a case where the total value of the recording size and Diff is equal to or smaller than the content size, and corresponds to FIG.
FIG. 22 shows a case 1 in which the total value of the recording size 112 and the Diff 113 and the content size 111 are equal. In Case 1, the TCP data 103 of Data 46 starts from the message header 71 (first) of the next message 106.
In FIG. 22, Case 3, Case 4, and Case 5 are shown as cases where the total value of the recording size 112 and Diff 113 is less than the content size.
Case 3 is a case where the total value of the recording size 112, Diff 113, and holding size 114 is larger than the content size 111, and the Data 46 includes the end of the message body 72 and the message header 71 of the next message 106.
Case 4 is a case where the total value of the recording size 112, Diff 113, and holding size 114 is equal to the content size 111, and the TCP data 103 of Data 46 ends at the end of the message body 72.
Case 5 is a case where the total value of the recording size 112, Diff 113, and holding size 114 is smaller than the content size 111, and the Data 46 includes an intermediate message body 72 (no termination).

In S26, when the recording value of the transmission destination and the total value of Diff are equal to or smaller than the content size of the transmission destination (case 1, case 3, case 4 and case 5), the processing moves to (2) in FIG. The unit 6 executes the processing from S16 onward as in the first embodiment, using the retained packet specified in S41 and the substitute packet generated in S42 as received packets.
However, in S16, when the received data is the head of the message and is alternative data, the process proceeds to (3).

FIG. 23 is a diagram showing communication history 120 in which GETm 107 and Resm 108 in the third embodiment are set, and corresponds to FIG. 7 in the first embodiment.
As shown in FIG. 23, the application analysis unit 6 of the communication recording apparatus 1 according to the third embodiment records the data of the packet (Data 45) that has been lost and not received by the reception control unit 3 as no data.

FIG. 24 is a diagram illustrating an example of a communication sequence according to the third embodiment, and corresponds to FIG. 6 according to the first embodiment.
The application analysis process (S140) shown in FIG. 19 will be described using the communication sequence shown in FIG. 24 as an example.
In FIG. 24, Data 45 has disappeared and has not been received by the communication recording apparatus 1. Data 46 indicates the end of the message 106 (case 4).

  An information acquisition request from the terminal 21 is notified to the WWW server 23 via the proxy server 26. Packets transmitted / received by the proxy server 26 to / from the Internet 24 are notified to the communication recording apparatus 1 via the SW 27. Since the HTTP protocol used for connection to the WWW server 23 operates on TCP, the proxy server 26 transmits SYN 40 to establish the connection. When SYN 40 is received by the reception control unit 3 of the communication recording device 1, the TCP analysis unit 4 checks the TCP type and TCP state (steps 1 and 3). The TCP analysis unit 4 analyzes whether the transmission source IP address, transmission destination (destination) IP address, transmission source port number, and transmission destination (destination) port number of the received packet are registered, and must be registered. For example, the address and port number in the packet are registered as connection information (step 4). Thereafter, when the packet is received, the TCP analysis unit 4 checks whether the packet is transmitted / received on the established connection (step 3). Then, when the packet is transmitted without establishing a connection, the TCP analysis unit 4 discards the packet as a TCP state error (step 2). The connection information is retained during communication after the connection is established, and is deleted when a connection disconnection packet (FIN / ACK 50) is received. The received SYN 40 is discarded after the TCP state check (step 2).

  The WWW server 23 that has received the SYN 40 transmits a SYN / ACK 41. The SYN / ACK 41 is discarded after checking by the TCP analysis unit 4 (step 3) (step 2).

Next, the proxy server 26 transmits ACK42. The communication recording device 1 receives the ACK 42 transmitted by the proxy server 26. The TCP analysis unit 4 performs the TCP analysis process (S120) shown in FIG. At this time, NextSeq (O) of the proxy server 26 is “100”, and NextSeq (I) of the WWW server 23 is “701”.
The TCP order control unit 5 compares the sequence number (Seq) of the ACK 42 with the NextSeq (O) of the proxy server 26 (Step 5). Here, seq of ACK 42 and NextSeq (O) of proxy server 26 match with “100”. For this reason, an application analysis process (step 140) is executed. At this time, Diff indicating the difference between the sequence numbers is “0” because the setting in S41 of FIG. 18 is not performed.
In the application analysis process (step 140) of FIG. 19, since Diff is “0” (step 10), the application analysis unit 6 checks the reception size (step 11). The size of the ACK 42 is 0, and the application for the ACK 42 The analysis process (S140) ends. Further, in step 8 of FIG. 18, since the ack of the ACK 42 and the NextSeq (I) of the WWW server 23 coincide with “701”, the processing for the ACK 42 is ended.

Thereafter, the proxy server 26 transmits GET43. GET 43 is transmitted as an HTTP request. When the reception control unit 3 receives the GET 43, the TCP analysis unit 4 performs the TCP analysis process (S120) shown in FIG. Next, the TCP order control unit 5 compares the sequence number of the header of the GET 43 with NextSeq (O) of the proxy server 26 (S5). Since seq of GET 43 and NextSeq (O) of proxy server 26 match with “100”, the application analysis process (step 140) is executed with “Diff = 0”.
In the application analysis process (step 140) of FIG. 19, since “Diff == 0” (step 10), “reception size! = 0” (step 11), and “abnormal flag! = 1” ( In step 12), the application analysis unit 6 checks whether the received data is the head of the message 106 (step 16).
The beginning of the message 106 starts from the beginning of the request line 61 of the GETm 107 (HTTP request message) in FIG. 3 (in the case of a request) or starts from the beginning of the status line 68 of the Resm 108 (HTTP response message) in FIG. Means (in the case of response). The message 106 transmitted first after establishing the connection is transmitted from the head of the message 106.

Here, it supplements about Embodiment 2 mentioned above.
As shown in FIG. 5, Resm 108 (GET response) including large data such as image data is not stored in one packet but transmitted in two packets. At this time, only the message body 72 is stored in the second and subsequent packets. A packet in which only the message body 72 is stored indicates the message 106 from the middle rather than from the beginning. In this way, when the message 106 is divided into a plurality of packets, as described in the second embodiment, the termination detection unit 10 searches for a data delimiter in the message body 72 based on the content size and the reception size. The end of data is identified (step 19).
In FIG. 5, Res 44 and Data 45 are processed as one message Resm 108. In FIG. 15, the message 106a is divided into two packets of Res44 and Data / Res53, and the second packet (Data / Res53) includes a message body 72 of the message 106a and a message header 71 of the message 106b. Is stored. In this case (when there is data at the end of the delimiter), as described in the second embodiment, the application analysis unit 6 cuts out the message body 72 of the message 106a stored in the Data / Res 53 (step 22), and the message The message body 72 of 106a is recorded in the recording unit 9 (S13b), and the reception size, recording size, and NextSeq (O) of the proxy server 26 are updated (S23 to S25). Then, the application analysis unit 6 processes the data after the end of the message body 72 of the message 106a (message header 71, blank line 56, message body 72) as a new message, and returns to the check at the head of the message (S16). Repeat the process. If there is no data at the end of the delimiter, the process ends. Next, the received data is processed as the head of the message 106.

In FIG. 24 in the third embodiment, GET43, GET48, and Res49 are stored in one packet (there is data termination), and the operation will be described assuming that Res44, Data45, and Data46 divide the data into three ( Data 46 has an end of data).
Hereinafter, the description will be continued based on FIG.

In FIG. 19, since GET 43 is the head of the GET request (step 16), the application analysis unit 6 initializes the recording size (step 17). Next, the application analysis unit 6 determines the content size (size of the message body 72) and data from the request line 61, the request header field 62, the general-purpose header field 63, the header field 64, and other (65) headers in the message header 71. Information on the transmission format is acquired (step 18). The information acquired here is used for searching for the delimiter of data described above.
Next, the end detection unit 10 compares the content size, the reception size, and the recording size, and checks whether there is a data end (step 19). Hereinafter, for simplification of description, the description will be continued with “content size = size of message 106 (including message header 71)”, “reception size = reception size B”, and “recording size = recorded message 106 size”. . Since the content size (100) ≧ reception size B (100) + recording size (0) in the GET 43, the application analysis unit 6 assumes that there is an end (there is no data at the end of the packet), and the GET 43 is recorded in the recording unit 9 (Step 13). FIG. 7 shows an example of recording the message 106 in the recording unit 9. In the recording unit 9, GETm 107 is stored in the area indicated by the request pointer 81.
Then, the application analysis unit 6 adds the reception size B to the recording size (step 20), and adds the reception size to NextSeq (O) of the proxy server 26 (step 21). At this time, NextSeq (I) of the proxy server 26 is updated to “200”, and NextSeq (O) of the WWW server 23 remains “701”.
Next, in FIG. 18, the TCP sequence control unit 5 compares the ACK number of GET 43 with NextSeq (I) on the opposite side (step 8), and ends the processing because both match with “701”.

The WWW server 23 that has received the GET 43 transmits Res 44.
When Res44 is received by the reception control unit 3, the process is the same as the GET 43 until the process of acquiring the content size (step 18) in FIG. 19 (steps 1, 3, 4, 5, 6, 10, 11, 12). 16, 17). Res 44 is the head of the GET response, and the application analysis unit 6 acquires the content size and transmission format information from Res 44 (step 18). Res44 is 1000-byte data, but since it is the head of three packets (Res44, Data45, and Data46) obtained by dividing 3000-byte data, the content size is 3000.
Next, the end detection unit 10 compares the content size with the reception size + recording size (S19). In Res44, since content size (3000) ≧ reception size B (1000) + recording size (0), the application analysis unit 6 records Res44 in the recording unit 9 (step 13). In recording to the recording unit 9 (step 13), Res 44 is stored in the area indicated by the response pointer 82 of the recording unit 9.
Then, the application analysis unit 6 adds the reception size B to the recording size (step 20), and adds the reception size to NextSeq (I) of the WWW server 23 (step 21). At this time, NextSeq (O) of the proxy server 26 remains “200”, and NextSeq (I) of the WWW server 23 is updated to “1701”.
Next, in FIG. 18, the TCP sequence control unit 5 compares the ACK number of Res44 with NextSeq (O) on the opposite side (step 8), and ends the processing because both match with “200”.

  Next, it is assumed that the WWW server 23 transmits Data 45 and Data 46, but the Data 45 is discarded due to an error or the like on the network and has not reached the communication recording apparatus 1.

When the data 45 is not received by the reception control unit 3 and the data 46 is received, in FIG. 18, after the TCP type and TCP state are checked by the TCP analysis unit 4 (steps 1 and 3), the TCP sequence control unit 5 The header sequence number (2701) and NextSeq (I) (1701) of the WWW server 23 are compared (step 5). The TCP order control unit 5 determines that the order of the packets has been reversed because they do not match, holds Data 46 until Data 45 arrives, and sets assembly Seq to “2701” (step 7).
Next, the TCP order control unit 5 compares the ACK number of Data 46 with NextSeq (O) on the opposite side (step 8), and ends the processing because both match with “200”.

The proxy server 26 that has received the Data 45 and the Data 46 transmits an ACK 47.
When ACK 47 is received by the reception control unit 3, the sequence number of the header of ACK 47 and NextSeq (O) of proxy server 26 match “200” in FIG. 8 (step 5). Processing (step 140) is performed. In the application analysis process (step 140) of FIG. 19, since ACK 47 has no data (reception size == 0), the process ends.
Next, in FIG. 18, the TCP sequence control unit 5 compares the ACK number (3701) of the header of ACK 47 with the next Seq (I) (1701) on the opposite side (step 8). At this time, “ACK of ACK 47 header> NextSeq (I) on the opposite side”.
Next, the TCP order control unit 5 compares ACK (3701) with assembly Seq (2701) (step 9). At this time, “ACK ≧ assembly Seq”.
Next, the TCP sequence control unit 5 sets “Assembly Seq—Next Seq (I) on the opposite side” to Diff (step 41).
Then, the application analysis unit 6 performs application analysis processing (step 140) on the retained data 46 with Diff = 1000.
In FIG. 19, since “Diff! = 0”, the process jumps to (1) of FIG.
In FIG. 20, the application analysis unit 6 identifies Data 46 as a recording target (S41), and creates an alternative packet to replace the lost packet that has been lost (S42). Here, since content (3000) ≧ record size (1000) + Diff (1000) (step 26), the process jumps to (2) in FIG.
In FIG. 19, the application analysis unit 6 records Data 46 and the substitute packet, updates the recording size, and updates NextSeq (I) of the WWW server 23 (steps 16, 18 b, 19, 13, 20, 21). ), The processing for Data 46 is terminated.

  The subsequent processing for ACK 47, GET 48, Res 49, FIN / ACK 50, FIN / ACK 51, and ACK 52 is the same as in the first embodiment. GET48 and Res49 are processed in the same manner as GET43. GET 48 and Res 49 are recorded in the recording unit 9 as another message 106 in the same manner as GET 43 and Res 44 (Data 45, Data 46).

Although the case 4 has been described with reference to FIG. 23, the communication recording apparatus 1 also skips the missing packet in the case 1, case 3, and case 5 as in the case 4. Can be recorded.
In case 2, the communication recording device 1 cannot refer to the header information, and thus cannot grasp the position of the TCP data 103. In this case, the communication recording apparatus 1 skips the missing packet and records the TCP data 103, sets an abnormality flag, and records the TCP data 103 of the subsequent packets.

In the third embodiment, the following communication recording apparatus 1 and application analysis method have been described.
The communication recording device 1 includes a reception control unit 3, a TCP analysis unit 4, a TCP sequence control unit 5, an application analysis unit 6, a termination detection unit 10, a recording unit 9, and a data display unit 7. In the case of flight, the application number is analyzed using the sequence number and content size, and data is recorded.
The reception control unit 3 receives a packet from the network.
The TCP analysis unit 4 analyzes the TCP state of the packet received by the reception control unit 3.
The TCP order control unit 5 performs control so that the correct order is obtained when the order of the packets is reversed.
The application analysis unit 6 analyzes application data.
The end detection unit 10 detects a message delimiter when application data is divided into a plurality of messages and transmitted.
The recording unit 9 records the analysis result.
The data display unit 7 displays the data of the recording unit 9.

  As described above, the communication recording device 1 according to the third embodiment holds a packet when the packet is discarded and is not notified, and calculates a difference (Diff) between ACK numbers between the held packet and a packet received thereafter. By calculating, packet loss is detected. Then, the communication recording device 1 skips the discarded packets and performs the application analysis process (S140). Therefore, the communication recording apparatus 1 can record application data (message 106) even when a packet is discarded.

Embodiment 4 FIG.
In the fourth embodiment, a mode in which there are a plurality of routes through which the reception control unit 3 can receive a packet will be described.
Hereinafter, matters different from the first to third embodiments will be mainly described, and matters that will not be described are the same as those of the first to third embodiments.

FIG. 25 is a diagram illustrating an example of the communication network system 100 according to the fourth embodiment.
As shown in FIG. 25, communication network system 100 in the fourth embodiment is obtained by adding SW 28 to communication network system 100 in the first embodiment.
The SW 28 transfers all packets to the communication recording apparatus 1 via the communication cable 30 by the port monitor function, similarly to the SW 27.
The communication recording apparatus 1 receives the same packet twice because it receives the packet from the two switches (SW27, SW28). Even if the packet is discarded due to an error in one switch, the packet is received from the other. Can receive.

FIG. 26 is a functional configuration diagram of the communication recording apparatus 1 according to the fourth embodiment.
As shown in FIG. 26, the reception control unit 3 receives all packets from the SW 27 via the communication cable 29 and the input port 2, and receives all packets from the SW 28 via the communication cable 30 and the input port 12. .

  The TCP analysis unit 4 receives the TCP packet 104 by the reception control unit 3 and stores it as the first TCP packet in the main storage device, and then receives a new TCP packet 104 by the reception control unit 3 and stores it in the main storage device. When stored as a second TCP packet, the following processing is performed. The TCP analysis unit 4 receives the first TCP packet and the second TCP packet based on the sequence number (seq) of the first TCP packet and the sequence number (seq) of the second TCP packet. 3 determines whether or not the same TCP packet 104 is received from a different route (SW27 → communication cable 29 → input port 2, SW28 → communication cable 30 → input port 12). When the TCP analysis unit 4 determines that the first TCP packet and the second TCP packet are the same TCP packet, the TCP analysis unit 4 deletes the second TCP packet received later from the main storage device.

FIG. 27 is a flowchart showing details of the TCP analysis process (S120) to the application analysis process (S140) of the communication recording method according to the fourth embodiment.
FIG. 27 is obtained by adding S33 and S2 to FIG. 18 of the third embodiment.

  The TCP analysis unit 4 determines whether or not the received packet is the same as a packet received in the past (S33).

  Normally, when the same packet is transferred from SW 27 and SW 28 to the communication recording apparatus 1, the same packet reaches the communication recording apparatus 1 continuously. Therefore, the TCP analysis unit 4 sets the IP header 101 and the TCP header 102 of the previous received packet in the connection information, and sets the IP header 101 and the TCP header 102 and the connection information of the new received packet in the previous time. The IP header 101 and the TCP header 102 of the received packet are compared. When the IP header 101 and the TCP header 102 of the new received packet are the same as the IP header 101 and the TCP header 102 of the previous received packet set in the connection information, the TCP analyzing unit 4 It is determined that the packet is the same as the packet received in the past. Further, for example, the TCP analysis unit 4 sets the IP header 101 and the TCP header 102 of all received packets in the connection information, and receives if any received packet is the same as the IP header 101 and the TCP header 102. You may determine with a packet being the same packet as the packet received in the past. In this case, the IP header 101 and the TCP header 102 of the received packet determined to be the same packet as the received packet need not be set in the connection information.

  If the received packet is the same as the packet received in S33, the TCP analysis unit 4 discards the received packet (S2).

  When the received packet is not the same as the packet received in S33 in S33, the processing after S1 described in the first to third embodiments is performed on the received packet.

  In the fourth embodiment, the following communication recording apparatus 1 and application analysis method have been described.

  In the communication recording apparatus 1, the reception control unit 3 receives packets from a plurality of input ports, and the TCP analysis unit 4 compares whether the packets received by the reception control unit 3 are the same and receives the same data. Discard one. When a packet is received only from one side, the application analysis unit 6 performs data analysis on the received packet. If the packet is not received from all the ports, the application analysis unit 6 performs application analysis on the assumption that the packet has been lost.

  Since the communication recording apparatus 1 according to the fourth embodiment receives packets from two input ports as described above, even if a packet is discarded due to an error in one switch, processing is performed using the packet received from the other. Can continue.

In each embodiment, a mode has been described in which a packet addressed to another host is received, application data is assembled based on the received packet, and the assembled application data is recorded as a “communication history”.
However, the assembled application data may not be recorded as “communication history”.
For example, the assembled application data may be transmitted (or relayed or transferred) to a communication (terminal) device that is an original transmission destination or another specific communication (terminal) device. The communication (terminal) device that is the original transmission destination is a terminal set as a transmission destination in a packet including at least a part of the application data, and is a proxy server for Resm 108 (an example of assembled application data). 26 and the terminal 21.
That is, the communication recording device (and method, program) described in each embodiment receives a packet addressed to another host, assembles application data based on the received packet, and assembles the assembled application data with a specific communication ( It may be used as a communication data processing device (and method, program) that transmits (or relays, transfers) to a terminal device.
The communication data processing apparatus may analyze the assembled application data and transmit the analysis result to the communication (terminal) apparatus that is the original transmission destination.
The communication data processing device includes a data transmission unit instead of the data display unit 7 (or together with the data display unit 7).

1 is a diagram illustrating an example of a communication network system 100 according to Embodiment 1. FIG. The figure which shows the structure of the IP packet 105. FIG. The figure which shows the structure of GET43. The figure which shows the structure of Res44. The figure which shows Resm108 divided | segmented. FIG. 5 shows an example of a communication sequence in Embodiment 1. The figure which shows the communication log | history 120 in which GETm107 and Resm108 in Embodiment 1 were set. FIG. 3 is a diagram illustrating an example of hardware resources of the communication recording device 1 according to the first embodiment. 2 is a functional configuration diagram of a communication recording apparatus 1 according to Embodiment 1. FIG. 3 is a flowchart showing a communication recording method of the communication recording apparatus 1 according to the first embodiment. 7 is a flowchart showing details of a TCP analysis process (S120) to an application analysis process (S140) of the communication recording method according to the first embodiment. 5 is a flowchart showing details of application analysis processing (S140) of the communication recording method according to the first embodiment. FIG. 5 shows an example of a communication sequence in Embodiment 1. FIG. 4 is a functional configuration diagram of a communication recording apparatus 1 according to a second embodiment. The figure which shows the message 106 divided | segmented. 10 is a flowchart showing details of application analysis processing (S140) of the communication recording method according to the second embodiment. FIG. 6 shows an example of a communication sequence in Embodiment 2. 10 is a flowchart showing details of a TCP analysis process (S120) to an application analysis process (S140) of the communication recording method according to the third embodiment. 10 is a flowchart showing details of application analysis processing (S140) of a communication recording method according to Embodiment 3. 10 is a flowchart showing a part of application analysis processing (S140) of a communication recording method according to Embodiment 3. The figure which shows the case where the sum total of recording size and Diff is larger than content size. The figure which shows the case where the total value of recording size and Diff is below content size. The figure which shows the communication log | history 120 in which GETm107 and Resm108 in Embodiment 3 were set. FIG. 9 shows an example of a communication sequence in Embodiment 3. FIG. 10 is a diagram illustrating an example of a communication network system 100 according to a fourth embodiment. FIG. 6 is a functional configuration diagram of a communication recording apparatus 1 according to a fourth embodiment. 10 is a flowchart showing details of a TCP analysis process (S120) to an application analysis process (S140) of the communication recording method according to the fourth embodiment.

Explanation of symbols

  1 communication recording device, 2 input port, 3 reception control unit, 4 TCP analysis unit, 5 TCP sequence control unit, 6 application analysis unit, 7 data display unit, 9 recording unit, 10 termination detection unit, 12 input port, 21 terminal , 22 Corporate network, 23 WWW server, 24 Internet, 25 FW, 26 Proxy server, 27, 28 SW, 29, 30 Communication cable, 40 SYN, 41 SYN / ACK, 42 ACK, 43 GET, 44 Res, 45 Data, 46 Data, 47 ACK, 48 GET, 49 Res, 50, 51 FIN / ACK, 52 ACK, 53 Data / Res, 53d Data / Resm, 54 Data, 61 Request line, 62 Request header field, 63 General header field, 6 Header field, 65 Other, 66 Blank line, 67 Body, 68 Status line, 69 Response header field, 71 Message header, 72 Message body, 81 Request pointer, 82 Response pointer, 100 Communication network system, 101 IP header, 102 TCP header , 103 TCP data, 104 TCP packet, 105 IP packet, 106, 106a, 106b message, 107 GETm, 108 Resm, 111 content size, 112 recording size, 113 Diff, 114 holding size, 120 communication history, 901 display device, 902 Keyboard, 903 mouse, 904 FDD, 905 CDD, 906 printer, 907 cache memory, 911 CP , 912 Bus, 913 ROM, 914 RAM, 915 communication board, 920 a magnetic disk device, 921 OS, 922 Window system, 923 Program group, 924 File group.

Claims (11)

A communication recording device that records a history of communication between other communication devices,
Application data indicating specific data is divided into a plurality of packets and connected to a communication network to be communicated, and is transmitted to the communication network among the plurality of packets destined for at least one of the plurality of communication devices. A reception control unit that receives the received packet and stores the received packet in the main storage device;
When some packets of the plurality of packets are stored in the main storage device by the reception control unit, the some packets are read from the main storage device, and are included in the read some packets A communication recording apparatus comprising: a communication recording unit configured to record a part of the application data as a part of a communication history of the communication network in an auxiliary storage device. The reception control unit includes TCP (Transmission Control Protocol) data indicating a part of the application data and a TCP header including a sequence number indicating the arrangement position of the TCP data in the application data as the packet. Receiving a TCP packet and storing it in the main storage device;
The communication recording unit refers to the TCP header included in the TCP packet stored in the main storage device by the reception control unit, and determines the TCP packet based on the sequence number included in the referenced TCP header. The communication recording apparatus according to claim 1, wherein the included TCP data is recorded in the auxiliary storage device in association with the arrangement position in the application data. The communication recording device further includes:
The reception control unit receives the first TCP packet including the first TCP data and the first TCP header including the sequence number of the first TCP data, and stores the first TCP packet in the main storage device. After the first TCP data included in the first TCP packet is recorded in the auxiliary storage device by the communication recording unit, the sequence number of the second TCP data and the second TCP data by the reception control unit When the second TCP packet including the second TCP header included is received and stored in the main storage device, the sequence number of the first TCP data included in the first TCP header Based on the sequence number of the second TCP data included in the second TCP header, the second TCP data follows the first TCP data. Whether the data includes determining the order determination unit by using the CPU,
The communication recording unit reads and reads the second TCP data from the main storage device when the order determination unit determines that the second TCP data is data following the first TCP data. The communication recording apparatus according to claim 2, wherein the second TCP data is recorded in the auxiliary storage device following the first TCP data. When determining that the second TCP data is data subsequent to the first TCP data, the order determination unit refers to a TCP header included in a third TCP packet stored in the main storage device Determining whether the third TCP data included in the third TCP packet is data following the second TCP data based on the sequence number included in the referenced TCP header;
The communication recording unit determines that the second TCP data is data following the first TCP data by the order determination unit and the third TCP data follows the second TCP data. The second TCP data and the third TCP data are read from the main storage device, and the second TCP data is followed by the first TCP data to the auxiliary storage. 4. The communication recording device according to claim 3, wherein the third TCP data is recorded in the auxiliary storage device following the second TCP data while being recorded in the device. The reception control unit receives a TCP packet including a TCP header including an acknowledgment number indicating TCP data that has been communicated between specific communication terminal devices that communicate application data, and stores the received TCP packet in the main storage device. ,
The communication recording device further includes:
TCP data that is received by the reception control unit by referring to a TCP header included in a TCP packet stored in the main storage device and based on the confirmation response number included in the referenced TCP header And a missing data identifying unit that identifies, using the CPU, TCP data that has been communicated between specific communication terminal devices as missing data,
The communication recording unit generates, as the missing data, data in which a predetermined value for the size of the missing data specified by the missing data specifying unit is set, and records the generated missing data in the auxiliary storage device The communication recording apparatus according to claim 2, wherein The reception control unit receives a plurality of application data in a plurality of packets including at least a part of at least one of the application data as partial data, stores the received plurality of packets in the main storage device,
The communication recording device further includes:
Based on the size of each of the plurality of packets stored in the main storage device by the reception control unit and the size of each of the plurality of application data included in the plurality of packets, the end of each application data among the plurality of packets is determined. A termination specifying unit that specifies a contained packet as a termination packet using a CPU,
The communication recording unit distinguishes a plurality of packets stored in the main storage device by the reception control unit for each application data based on a termination packet of each application data specified by the termination specifying unit, and a plurality of packets The communication recording device according to claim 1, wherein the plurality of application data included in the storage device is recorded in the auxiliary storage device while being distinguished for each application data. The termination specifying unit determines whether the termination packet includes a termination of first application data and a head of second application data;
The communication recording unit, when the termination specifying unit determines that the termination packet includes the termination of the first application data and the beginning of the second application data, the first application from the termination packet 7. The communication recording apparatus according to claim 6, wherein the data and the second application data are extracted, and the first application data and the second application data are distinguished and recorded in the auxiliary storage device. The reception control unit is connected to the communication network through a plurality of routes, receives packets sent to the communication network from each of the plurality of routes, and stores packets received from the plurality of routes in the main storage device. 8. The communication recording apparatus according to claim 1, wherein The reception control unit includes TCP (Transmission Control Protocol) data indicating a part of the application data and a TCP header including a sequence number indicating the arrangement position of the TCP data in the application data as the packet. Receiving a TCP packet and storing it in the main storage device;
The communication recording device further includes:
After the TCP packet is received by the reception control unit and stored as the first TCP packet in the main storage device, a new TCP packet is received by the reception control unit and stored as the second TCP packet in the main storage device The first TCP packet and the second TCP packet differ depending on the reception control unit based on the sequence number of the first TCP packet and the sequence number of the second TCP packet. It is determined whether or not the same TCP packet is received from the route, and when it is determined that the first TCP packet and the second TCP packet are the same TCP packet, the later received 9. The communication device according to claim 8, further comprising a TCP analysis unit that deletes the second TCP packet from the main storage device. Recording device. The reception control unit connects to a communication network in which application data indicating specific data is divided into a plurality of packets and communicates, receives a packet sent to the communication network among the plurality of packets, and receives the received packet Receive control processing to store the
The communication recording unit reads the part of the packet from the main storage device when the packet is stored in the main storage device by the reception control unit, and the part that is read A communication data processing method comprising: performing storage processing for storing a part of the application data included in the packet in an auxiliary storage device.   A communication data processing program for causing a computer to execute the communication data processing method according to claim 10.

Images