JP2010183214A - Apparatus, method and program for analysis of packet - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To obtain an apparatus, method and program for analysis of a packet, which allows a user to perform various analyses of the packets even the user is a beginner of a network. <P>SOLUTION: The packet analysis apparatus 10 includes: a first packet transceiving means 11 which connects with an arbitrary number of first kind communication devices through a first communication network, and transmits and receives packets; a second packet transmitting and receiving means 12 which connects with an arbitrary number of second kind communication devices which are access objects of the first kind communication device through a second communication network, and transmits and receives packets; an analysis content selection means 13 which causes the first kind communication device to select an analysis content regarding to a packet signal using a WEB browser screen; a packet analysis means 14 which analyses the packet signal during a limited time when selection of the analysis content is carried out; and a WEB browser screen display means 15 which displays the analysis results on the WEB browser screen as the analysis results. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a packet analysis device, a packet analysis method, and a packet analysis program for analyzing a packet used in a communication network.

  An error may occur when trying to view a web page or when trying to send or receive an email. When such an event occurs, it is often an error in the settings of the personal computer, router device, or home gateway device. When such a trouble occurs, as a first related technique related to the present invention, an error is analyzed using a packet capture tool. The packet capture tool is a tool used to determine the cause of an error by capturing (capturing) and analyzing a packet flowing on a communication network.

  FIG. 26 is a diagram for explaining an error analysis technique using packet capture. When analyzing an error, check the packet sequence by raising the hierarchy sequentially from the physical layer 901 to the network interface layer 902, the Internet layer 903, the transport layer 904, and the application layer 905 in the hierarchical model. Is done.

  For example, it is assumed that a personal computer (not shown) in the user's home cannot access the web page. In such a case, the physical layer 901 is first checked to see if a communication cable connecting a personal computer and a router device or hub (not shown) is connected. Subsequently, the hierarchy is increased in order. A check is made.

  Here, the physical layer 901 need only be checked whether the communication cable is physically connected to the router device when the personal computer is set to be connected to the router device by wire. Accordingly, the physical layer 901 can be checked relatively easily even for a network beginner.

  However, in the inspection of the network interface layer 902 that is one level higher than this, it is necessary to check whether a MAC (Media Access Control) address is allocated, and in the inspection of the Internet layer 903, IP (Internet Protocol) is required. It is necessary to check whether the address is allocated. In the last inspection of the application layer 905, it is checked whether the application software settings are correct. In this way, in the inspection of the layer above the physical layer 901, detailed information confirmation such as confirmation of various settings, confirmation of packet information in question by packet capture, confirmation of connection sequence, etc. It is necessary to proceed with the process one by one.

  For this reason, it takes time and effort to analyze errors related to the communication network, and the analyst also requires specialized knowledge. As a result, such error analysis is a very expensive task and may be costly.

  Therefore, a second related technique has been proposed in which the receiving apparatus detects the reception pattern of the packet signal sent from the transmitting apparatus and notifies the transmitting side of the success or failure of the reception or the cause of the error. (For example, refer to Patent Document 1).

JP 2007-088525 (paragraph 0117, paragraph 0145, FIG. 1)

  However, in the second related technology, even if it is effective for one-to-one communication between a mobile phone and a television that performs infrared communication, for example, an information processing device such as a mobile phone or a personal computer is used. It cannot cope with communication with various servers on the network. In addition, the second related technique is limited to processing for establishing a communication connection from a transmitting device, and cannot deal with various types of analysis related to packets.

  Accordingly, an object of the present invention is to provide a packet analysis device, a packet analysis method, and a packet analysis program that can perform various types of analysis on packets even for beginners of a network.

  In the present invention, (b) first packet transmitting / receiving means for transmitting / receiving packets connected to an arbitrary number of first-type communication devices via the first communication network; and (b) the first communication described above. Second packet transmitting / receiving means for transmitting and receiving packets by connecting to an arbitrary number of second type communication devices to be accessed by the first type of communication device via a second communication network different from the network; (C) Analysis content selection means for causing a communication device equipped with a browser among the first type of communication devices described above to select analysis contents related to a packet signal by using a web browser screen, and (d) analysis by the analysis content selection means. When the contents are selected, the corresponding packet signal transmitted / received using the first packet transmitting / receiving means or the second packet transmitting / receiving means described above is limited. Packet analyzing means for analyzing over a period, (e) a web browser screen display means and the packet analysis device comprises displaying the analysis result of the packet analyzing device as an analysis result to the web browser screen.

  In the present invention, (a) there is a request for selecting analysis contents relating to a packet signal from a communication device having a browser among an arbitrary number of first-type communication devices that perform communication via the first communication network. And (b) when the analysis content is selected by the analysis content selection step, the connection is made with the first type communication device. Any number of second types to be accessed by the first type of communication device via the first packet transmission / reception means for transmitting / receiving packets or the second communication network different from the first communication network. A packet analysis module for analyzing a corresponding packet signal transmitted / received using the second packet transmitting / receiving means connected to the communication apparatus over a finite time. And-up, comprising the (C) packet analysis method and a web browser screen display step of displaying the analysis result of the packet analysis step as an analysis result to the web browser screen described above.

  Furthermore, in the present invention, as a packet analysis program in a computer, (a) an analysis relating to a packet signal from a communication device equipped with a browser among an arbitrary number of first-type communication devices communicating via a first communication network. When there is a content selection request, an analysis content selection process for making the selection on the displayed web browser screen, and (b) when the analysis content is selected by the analysis content selection process, the first described above Accessed by the first type of communication device via the first packet transmission / reception means for transmitting / receiving packets connected to the type of communication device or the second communication network different from the first communication network. Corresponding packet signals to be transmitted / received using the second packet transmitting / receiving means connected to an arbitrary number of second-type communication devices are limited. A packet analysis processing for analyzing over a period, is characterized in that to execute a web browser screen displaying process of displaying the analysis result (c) a web browser screen to the analysis results of the packet analysis processing.

  As described above, according to the present invention, since the communication device displays the packet analysis result on the browser, no hardware for performing data display or input operation is required on the device side that analyzes the packet. In addition, since the communication device can select analysis contents, it is possible to analyze packets according to various situations.

It is a claim corresponding | compatible figure of the packet analysis apparatus of this invention. It is a claim correspondence diagram of the packet analysis method of the present invention. It is a claim correspondence diagram of the packet analysis program of the present invention. It is a system configuration figure showing composition of a packet analysis system by an embodiment of the invention. It is a block diagram showing the outline | summary of the structure of the router apparatus in this Embodiment. It is a block diagram showing the fundamental structure of a mode that a packet is analyzed in the router apparatus of this Embodiment. It is a top view of the display part which shows the example of a display of the failure sequence in this Embodiment. It is a flowchart showing the mode of failure sequence analysis processing in this embodiment. It is the top view of the display part which showed the time change of the packet total amount in this Embodiment. It is a flowchart showing the mode of the process of the statistical information in the router apparatus of this Embodiment. It is a top view of the display part which showed the example of a display of the terminal illustration information in this Embodiment. It is a flowchart showing the mode of the analysis process of the subordinate terminal analysis part in this Embodiment. It is explanatory drawing showing the mode of expansion | deployment of the display content when accessing the router apparatus in the modification of this invention. It is the top view which showed the top page display of the personal computer in a 1st Example. It is the top view which showed the other example of the error display in a 1st Example. It is the top view which showed the example of a display of the packet breakdown display in a 1st Example. It is the flowchart which showed the process which performs the packet breakdown display in a 1st Example. It is a top view showing the example of a display of the time slot | zone display with which the personal computer in a 1st Example is easy to communicate. It is explanatory drawing showing the example which extracted the statistical value of the packet total amount and communication speed of 1 month in a 1st Example. It is a flowchart showing the process of the "picture display under a router" in the 2nd Example of this invention. It is a top view which shows the mode of reception of the packet via the WAN interface part in a 2nd Example. It is a top view which shows the mode of reception of the packet via the LAN interface part in a 2nd Example. It is explanatory drawing showing the mode of the packet transmission / reception of a personal computer and a DNS server via the router apparatus in a 2nd Example. It is a flowchart showing the mode of the filter process of the packet in a 2nd Example. It is explanatory drawing showing the mode of the analysis at the time of the mail transmission by the failure sequence analysis part in a 3rd Example. It is explanatory drawing of the hierarchical model which showed the method of error analysis.

  FIG. 1 shows a claim correspondence diagram of the packet analysis apparatus of the present invention. The packet analysis apparatus 10 of the present invention includes a first packet transmission / reception means 11 that transmits / receives packets by connecting to an arbitrary number of first-type communication apparatuses via a first communication network, and the first communication described above. Second packet transmitting / receiving means 12 for transmitting / receiving packets by connecting to an arbitrary number of second type communication devices to be accessed by the first type of communication device via a second communication network different from the network; Analysis content selection means 13 for causing a communication device equipped with a browser among the first type of communication devices described above to select analysis content regarding a packet signal by using a web browser screen, and selection of analysis content by the analysis content selection means 13 Corresponding packet transmitted / received using the first packet transmitting / receiving unit 11 or the second packet transmitting / receiving unit 12 It includes a packet analysis unit 14 for analyzing over a finite time, and a web browser screen displaying unit 15 for displaying the analysis result of the packet analysis unit 14 as the analysis result to the web browser screen No..

  FIG. 2 shows a claim correspondence diagram of the packet analysis method of the present invention. According to the packet analysis method 20 of the present invention, there is a request for selecting analysis contents related to a packet signal from a communication device having a browser among an arbitrary number of first-type communication devices that communicate via a first communication network. When the analysis content selection step 21 is selected by the displayed web browser screen and the analysis content is selected by the analysis content selection step 21, it is connected to the first type communication device. Arbitrary number of second-type communications to be accessed by the first-type communication device via first packet transmitting / receiving means for transmitting / receiving packets or a second communication network different from the first communication network. A packet for analyzing a corresponding packet signal transmitted / received using the second packet transmitting / receiving means connected to the apparatus over a finite time. And preparative analysis step 22, and a web browser screen displaying step 23 of displaying the analysis results the analysis results of the packet analysis step 22 in the web browser screen described above.

  FIG. 3 shows a claim correspondence diagram of the packet analysis program of the present invention. The packet analysis program 30 according to the present invention requests a computer to select the analysis content related to a packet signal from a communication device having a browser among an arbitrary number of first type communication devices that communicate via a first communication network. When there is an analysis content selection process 31 for making the selection on the displayed web browser screen, and when the analysis content selection by the analysis content selection process 31 is performed, the above-described first type communication device Arbitrary number of second objects to be accessed by the first type of communication device via the first packet transmitting / receiving means for transmitting and receiving packets or the second communication network different from the first communication network. The corresponding packet signal transmitted / received using the second packet transmitting / receiving means connected to the communication device of the kind is transmitted over a finite time. A packet analyzing process 32 for analyzing, characterized in that to execute a web browser screen display process 33 to be displayed as an analysis result of the analysis result of the packet analysis processing 32 on the web browser screen described above.

  <Embodiment of the Invention>

  Next, an embodiment of the present invention will be described.

  FIG. 4 shows an outline of the configuration of the packet analysis system according to the embodiment of the present invention. In this packet analysis system 100, a router device 104 is connected between the Internet 101 and a personal computer 103 that accesses a web server 102 on the Internet 101. In this embodiment, paying attention to the fact that the router device 104 having a routing function can acquire information on a packet passing through the router device 104, the main device performs various analyses. The personal computer 103 and the router device 104 are connected by a LAN (Local Area Network) cable 106, and the router device 104 and the Internet 101 are connected by a line 107 such as a telephone line or an optical cable.

  By the way, it is assumed that a communication error occurs when the personal computer 103 accesses the web server 102 via the Internet 101. In the present embodiment, the router apparatus 104 acquires information about the packets 111 and 112 transmitted and received between the router apparatus 104 and the Internet 101 and the packets 113 and 114 transmitted and received between the router apparatus 104 and the personal computer 103. Then, an error solution technique is presented to the user. At this time, packet statistical data and setting contents for improving usability may be presented to the user.

  FIG. 5 shows an outline of the configuration of the router device according to the present embodiment. The router apparatus 104 includes a main control unit 123 including a CPU (Central Processing Unit) 121 and a memory 122 that stores a control program executed by the CPU 121 in a part of a nonvolatile memory area. In addition to controlling the entire router device 104, the main control unit 123 implements some software function units constituting the router device 104 as necessary. The hardware or software functional unit of the router device 104 includes a LAN interface unit 124, a WAN (Wide Area Network) interface unit 125, a packet transmission / reception unit 126, a packet analysis unit 127, a MAC address registration unit 128, and a web side display unit. 129 exists.

  Here, the LAN interface unit 124 is an interface circuit for connecting the router device 104 to the LAN cable 106 shown in FIG. The WAN interface unit 125 is an interface circuit that the router device 104 connects to the line 107 shown in FIG. The packet transmitting / receiving unit 126 transmits and receives packets via the LAN interface unit 124 or the WAN interface unit 125. The packet analysis unit 127 takes a packet from the packet transmission / reception unit 126, extracts information from the packet, and performs analysis. The MAC address registration unit 128 registers the MAC address of each terminal such as the personal computer 103 (FIG. 4) located under the router device 104.

  The web-side display unit 129 is for displaying a web page on each terminal such as the personal computer 103 shown in FIG. The router device 104 is not provided with a physical display such as a liquid crystal display. For example, by starting the browser of the personal computer 103 and accessing the router device 104, the display content of the web side display unit 129 can be displayed on the display screen of the personal computer 103.

  FIG. 6 shows a principle configuration of how a router device analyzes a packet. The packet analysis unit 127 of the router apparatus 104 stores three analysis units that perform different analyzes of the failure sequence analysis unit 141, the packet statistical analysis unit 142, and the subordinate terminal analysis unit 143, failure sequences, and error solution methods thereof. The failure sequence / error solution storage unit 144 is provided.

  First, the failure sequence analysis unit 141 as the first analysis unit will be described. The failure sequence analysis unit 141 compares the sequence of packets received by the packet transmission / reception unit 126 with the sequence of previously failed packets stored in the failure sequence / error solution storage unit 144. Therefore, the failure sequence / error solution storage unit 144 stores each failure sequence and error solution in pairs. Then, collation (pattern matching) is performed as to whether the sequence 151 of the packet received this time matches any one of the failure sequences stored in the failure sequence / error solution storage unit 144. If the sequence 151 matches any one of the failure sequences, the error solution information 152 representing the corresponding error solution is read from the failure sequence / error solution storage unit 144.

  FIG. 7 shows an example of the display on the web-side display unit when the received packet sequence matches any of the failure sequences. The web-side display unit 129 displays the characters “error detected” and the error countermeasures based on the error solution information 152 sent from the packet analysis unit 127 shown in FIG. . Therefore, the user of the packet analysis system 100 (FIG. 4) can remove the error by executing the contents shown as the error countermeasure.

  Instead of displaying a specific error countermeasure message, an error code may be displayed. In this case, the user executes an error countermeasure corresponding to the error code. If a URI (Uniform Resource Identifier) is associated with each error code displayed on the web-side display unit 129, various articles on the web regarding error countermeasures can be displayed by the user clicking on the URI. .

  FIG. 8 illustrates a failure sequence analysis process performed by the failure sequence analysis unit. This process is a process performed by the failure sequence analysis unit 141 constituting the packet analysis unit 127 according to the control program stored in the memory 122 of the router device 104 shown in FIG. This will be described with reference to FIGS.

  The failure sequence analysis unit 141 waits for reception of a packet from the packet transmission / reception unit 126 (step S201). When the packet is received (Y), the failure sequence analysis unit 141 analyzes the packet (step S202), and any one of the plurality of error patterns of the failure sequence stored in the failure sequence / error solution storage unit 144 is detected. Are compared (step S203).

  If it does not match any of the error patterns of the failure sequence (step S203: N), it is determined whether the sequence is completed (step S204). If it is completed (Y), an error is detected as it is. If not, the analysis of the failure sequence ends (END). When it is determined that the sequence is not completed (step S204: N), it is necessary to continue the analysis of the failure sequence. In this case, the process returns to step S201 to wait for reception of the next packet.

  On the other hand, if it matches with any of the error patterns of the failure sequence in the determination in step S203 (Y), an error is detected in the packet received in step S201. Therefore, in this case, the corresponding error code is searched (step S205). In the case of the present embodiment, the failure sequence / error solution storage unit 144 stores in advance a pair of failure sequences and error solutions. Therefore, in this case, an error code corresponding to the failure sequence or an error solution method may be read. The failure sequence analysis unit 141 outputs the read error code or error solution method to the web side display unit 129 (step S206), and ends the series of processing (end).

  Returning to FIG. 6, the packet statistics analysis unit 142 as the second analysis unit will be described. The packet statistical analysis unit 142 is used when acquiring statistical information regarding a packet. The packet transmitting / receiving unit 126 is connected to the LAN interface unit 124 and the WAN interface unit 125 as shown in FIG. The LAN interface unit 124 is connected to the personal computer 103 via the LAN cable 106 shown in FIG. 4, and the WAN interface unit 125 is connected to the web server 102 on the connection destination Internet 101 via the line 107. Yes. For this reason, the packet statistical analysis unit 142 can grasp statistical information such as obtaining the flow rate of packets passing through the router device 104.

  FIG. 9 shows a temporal change in the total amount of packets as an example of statistical information acquired by the packet statistical analysis unit. The horizontal axis indicates the change in time every hour on a specific day, and the vertical axis indicates the total amount of packets passing through the router device 104 in units of one hour. Such statistical information is obtained by the packet statistical analysis unit 142 of the packet analysis unit 127 acquiring information 153 indicating the flow rate in a specific direction of a packet passing through the packet transmission / reception unit 126 shown in FIG. By outputting to the web side display part 129, it can visualize, for example as a line graph. The example shown in FIG. 9 shows temporal changes of packets passing through the LAN interface unit 124.

  Of course, the statistical information output to the web-side display unit 129 can be printed out using a printer (not shown) on the personal computer 103 side or stored as electronic data.

  FIG. 10 shows how statistical information is processed in the router. This will be described with reference to FIGS.

  First, the contents of the statistics desired by the user, the period for collecting the statistics, and the display method of the statistics results are specified by the setting of the router device 104 itself or the setting operation from the personal computer 103 (step S221). The main control unit 123 waits for the start of the statistical period based on clock information output from a clock circuit (not shown) (step S221).

  When the statistical period starts (step S222: Y), every time the packet transmitting / receiving unit 126 receives a packet (step S223: Y), the packet is analyzed (step S224). In this analysis, for example, as shown in FIG. 9, when it is instructed to sequentially display temporal changes of packets passing through the LAN interface unit 124, the packets passing through the LAN interface unit 124 are selected, A process of counting the number of packets every time is performed.

  The main control unit 123 checks whether an instruction to sequentially output analysis contents to the web-side display unit 129 is performed in step S221 (step S225), and if an instruction to sequentially output has been performed (Y ), And outputs the current analysis content to the web side display unit 129 (step S226). Then, it is checked whether or not the statistical period specified in step S221 has ended (step S227). If it has not ended (N), the process returns to step S223 to wait for reception of the next packet. If the instruction to sequentially output the analysis content to the web-side display unit 129 is not given in step S225 (N), the analysis content is displayed on the web-side display unit unless the statistical period ends (step S227: N). Without outputting to 129, the process returns to step S223 and waits for the next packet to be received.

  When the statistical processing of the packet is performed as described above and the statistical period ends (step S227: Y), the router device 104 outputs the analysis content of the entire period to the web-side display unit 129, and the content is displayed by the browser described above. Is displayed (step S228), and the statistical information processing ends (END). If the instruction to sequentially output the analysis contents to the web-side display unit 129 is not made in step S225, the web-side display unit 129 analyzes results for all periods for which statistics have been performed at the end of this statistical period. Will be displayed in the browser.

  Returning to FIG. 6, the subordinate terminal analysis unit 143 as the third analysis unit will be described. The subordinate terminal analysis unit 143 receives the address information 155 of each packet from the packet transmission / reception unit 126 and analyzes whether the MAC address of the subordinate terminal of the router device 104 that has transmitted / received the packet is registered in the MAC address registration unit 128. . If registered, the terminal is formally recognized as a terminal under the router device 104. The terminal illustration information 156 as the analysis result is sent to the web-side display unit 129, and terminal illustration information indicating whether each terminal under the router device 104 is recognized is displayed on the browser.

  FIG. 11 shows an example of terminal illustration information displayed on the display unit. The web side display unit 129 illustrates that the router device 104 is connected to the Internet 101 and that the personal computer 103 and another communication device 161 are connected under the router device 104. Of these, for the personal computer 103, as shown in the analysis result table 171, in addition to the MAC address and IP address, the computer name, workgroup name, and browser name used by the terminal are known and recognized. It has become a terminal. As shown in the analysis result table 172, the other communication device 161 has the MAC address and IP address known, but the computer name, workgroup name, and browser name used by the terminal are known. It can be seen that a terminal that is not recognized by the router device 104 is connected.

  The subordinate terminal analysis unit 143 illustrated in FIG. 6 determines the correspondence between the MAC address and the IP address by analyzing a packet using a protocol such as ARP (address resolution protocol) and RARP (reverse address resolution protocol). Here, ARP is a protocol for obtaining a MAC address based on an IP address, and RARP is a protocol for obtaining an IP address from a destination MAC address. In the MAC address registration unit 128, the administrator of the router device 104 registers these MAC addresses for each of the terminals under its control. Each terminal registered in the MAC address registration unit 128 is a recognized terminal. When an unrecognized terminal such as another communication device 161 in FIG. 11 exists under the router device 104, it is possible to improve security by discovering and dealing with this.

  In FIG. 11, NBNS (NetBIOS Name Service) is a protocol used for file sharing in Windows (registered trademark). A terminal that can share a file automatically outputs a packet using NBNS (hereinafter referred to as an NBNS packet) regardless of whether it is recognized. Therefore, the subordinate terminal analysis unit 143 in the router apparatus 104 can analyze the presence / absence of each subordinate terminal by analyzing the NBNS packet.

  FIG. 12 shows the state of the analysis processing of the subordinate terminal analysis unit. This will be described with reference to FIGS.

  The main control unit 123 waits for the packet transmitting / receiving unit 126 to receive a packet (step S241). When the packet transmitting / receiving unit 126 receives the packet (Y), the packet is analyzed (step S242). As a result, for example, in the case of the NBNS packet sent from the personal computer 103, the analysis result shown in the analysis result table 171 is obtained. In the case of the NBNS packet sent from the other communication device 161, the analysis result The analysis results shown in Table 172 are obtained.

  The main control unit 123 searches for a stored template having a MAC address that matches the MAC address of the analysis result obtained by analyzing the received NBNS packet (step S243). Since the MAC address is different for each individual terminal, the stored template can be uniquely determined. Here, for a terminal that has already been recognized, these templates are stored in a memory area (not shown) provided in the memory 122 or the packet analysis unit 127.

  If a template is found as a result of the search (step S244: Y), it is checked whether an IP address exists in the packet corresponding to the template (step S245). If the template is not found (step S244: N), a template for adding the currently received terminal analysis result is prepared (step S246). Then, the determined MAC address is written in the template (step S247). Thereafter, the process proceeds to step S245.

  If it is determined in step S245 that no IP address exists in the received NBNS packet (N), it is determined whether a workgroup name exists in this packet (step S248). If there is an IP address in the NBNS packet received in step S245 (Y), the IP address is written in the corresponding template (step S249). Then, the process proceeds to step S248.

  If it is determined in step S248 that the work group name does not exist in the received NBNS packet (N), it is determined whether the computer name exists in this packet (step S250). If it is determined in step S248 that the work group name exists (Y), the work group name is written in the corresponding template (step S251). Then, the process proceeds to step S250.

  If it is determined in step S250 that the computer name does not exist in the received NBNS packet (N), it is determined whether the browser name exists in this packet (step S252). If it is determined in step S250 that the computer name exists (Y), the computer name is written in the corresponding template (step S253). Then, the process proceeds to step S252.

  If it is determined in step S252 that the browser name does not exist in the received NBNS packet (N), the template created as described above is displayed on the web side display unit 129 as an analysis result table together with the network diagram. (Step S254), the process ends (END). If it is determined in step S252 that a browser name exists in the received NBNS packet (Y), the browser name is written in the corresponding template (step S255). Then, the process proceeds to step S254, and the template created as described above is displayed on the web side display unit 129 together with the network diagram as an analysis result table, and the process ends (END).

  As described above, according to the present embodiment, just by accessing the router device 104 from a terminal such as the personal computer 103 from a web browser, the cause of the error can be clarified and the statistical data and the router device 104 can be managed. Data related to the connection status of the terminal can be acquired. In general, it is difficult to acquire these data unless the person has a relatively high level of knowledge about the network and packet sequence. Therefore, according to the present embodiment, various problems can be solved without the user having special knowledge, and usability can be improved.

  In the present embodiment, the router device 104 analyzes the packet and displays an error. Therefore, it is not necessary to use packet capture, and the cost can be reduced by reducing the number of analysis steps. Further, the router device 104 presents a solution to the user using the analyzed result. Thereby, even if a user does not have special knowledge, a problem can be solved and usability can be improved.

  Further, by collecting various statistics in the router device 104 according to the present embodiment, it is possible to acquire information for determining whether or not a terminal is infected with a virus that transmits and receives packets illegally, such as a bot virus. For this reason, the security of the terminal such as the personal computer 103 and the entire communication system using the terminal is improved. Further, by grasping the temporal change in the packet flow in the network, it is possible to easily determine a time zone that is efficient for accessing a communication network such as the Internet.

  In addition, since the router device 104 recognizes and displays the subordinate terminals, it is possible to find a terminal that is not approved by the administrator, and security is improved. Furthermore, port mapping and packet filtering can be set by accessing only the router device 104. Details of packet filtering will be described in the embodiment.

  Next, a first example of the packet analysis system according to the embodiment will be described. 4 to 12 shown in the embodiment are used as they are in this embodiment. The user of the personal computer 103 shown in FIG. 4 starts a browser as application software installed in the personal computer 103 and accesses the URI of the router device 104. As a result, the top page of the router device 104 is displayed on the display screen of the personal computer 103.

  FIG. 13 shows how the display contents are expanded when the router device is accessed. This will be described with reference to FIGS.

  When the personal computer 103 accesses the URI of the router device 104, first, the top page display 301 of the router device 104 is displayed.

  FIG. 14 shows the top page display of a personal computer. The top page display 301 is a menu screen. As an item to be analyzed, the user selects one of “(1) Error display”, “(2) Statistical information display”, and “(3) Picture display under the router”. select. Here, “(1) error display” means display of the analysis result by the failure sequence analysis unit 141 of the packet analysis unit 127 shown in FIG. “(2) Statistical information display” means display of the analysis result of the packet statistical analysis unit 142. “(3) Picture display under the router” means display of the analysis result of the subordinate terminal analysis unit 143. When the user does not perform such analysis and sets the router device 104 itself, it is only necessary to click an item “various settings of the router device” displayed in the lower right corner of the top page 301.

  Returning to FIG. When the user operates the personal computer 103 (FIG. 4) and selects “(1) Error display” (FIG. 4), the failure sequence analysis process shown in FIG. 8 is performed, and an error display 302 is performed. An example of this is shown in FIG.

  FIG. 15 shows another example of error display. This error display 302 indicates that the input of an authentication ID (identifier) or password may be incorrect for the occurrence of an email-related error as a result of pattern matching the error packet sequence. Yes.

  When “(2) Statistical information display” is selected from the top page 301 of FIG. 14, the statistical information processing shown in FIG. 10 is performed, and the statistical information display 303 (FIG. 13) is performed. An example of this is shown in FIG. Further, the statistical information display 303 can be displayed in further subdivision. In this embodiment, the display can be expanded into a packet breakdown display 304 and a time zone display 305 that is easy to communicate.

  FIG. 16 shows a display example of the packet breakdown display. In the packet breakdown display 304, the types and ratios of packets passing through the router device 104 shown in FIG. 4 are represented as a pie chart as an example. In FIG. 16, a specific time zone in the statistical information shown in FIG. 9 is designated, and the type of the packet 114 directed from the LAN cable 106 to the router device 104 in the time zone is analyzed. Although the packet using the LAN interface unit 124 has been described with reference to FIG. 16, the packet breakdown can be displayed in the same manner for the packet using the WAN interface unit 125.

  FIG. 17 shows the flow of processing for performing such a packet breakdown display. This will be described with reference to FIGS.

  When the packet breakdown display statistical processing period starts (step S401: Y), the packet statistical analysis unit 142 waits for a packet to be received from the packet transmitting / receiving unit 126 (step S402). When a packet is received (Y), the packet statistical analysis unit 142 analyzes the type of the packet (step S403). Then, the analyzed packet is stored in correspondence with the received time (step S404), and the analyzed result is stored in correspondence with the packet type (step S405). Then, it is checked whether the statistical processing period ends (step S406). If it is before the end (N), the process returns to step S402 to wait for reception of the next packet.

  When the statistical processing period ends at the stage where the packet reception processing is performed in this way (step S406: Y), the contents stored in steps S404 and S405 are associated with the received time and the type of packet ( Step S407). The result thus obtained is output to the web side display unit 129 (step S408), and the process ends (END).

  As described above, temporal changes in the amount and type of received packets can be grasped. Thereby, it may be confirmed that the communication amount has increased abnormally even though the personal computer 103 is not particularly operated. In such a case, there is a risk of being infected with a bot-type virus created for the purpose of operating a computer from the outside via the Internet 101. Therefore, by indicating the increase in the traffic and the cause, it is possible to allow the user to take necessary security measures and improve security.

  FIG. 18 shows a display example of a time zone display in which the personal computer can easily communicate as another result of the statistical processing. The time zone display 305 that is easy to communicate can display, for example, which time zone the amount of communication is small for each day of the week, so that it is possible to present to the user which time zone is efficient for connecting to the Internet. Become.

  Returning to FIG. 13 again, the description will be continued. When the user selects “(3) picture display under the router” (FIG. 14) from the top page 301, the picture display 306 under the router is performed and analyzed by the subordinate terminal analysis unit 143 shown in FIG. Processing is performed (FIG. 12). One example is shown in FIG. 11 of the embodiment.

  FIG. 19 shows an example in which statistical values of the total packet amount and communication speed for one month are collected as still another result of the statistical processing. In this example, for the 30 days from the first day to the 30th day, the total amount of packets and the communication speed for each hour of each day are measured. The measurement result may be displayed as a bar graph or a line graph for the total amount of packets and communication speed in units of one day according to the user's designation, or may be displayed every hour for the designated day.

  Next, a second example of the packet analysis system according to the embodiment will be described. In the second embodiment, as in the first embodiment, FIGS. 4 to 12 shown in the embodiment are used as they are in this embodiment. The user of the personal computer 103 shown in FIG. 4 starts a browser as application software installed in the personal computer 103 and accesses the URI of the router device 104. As a result, the top page of the router device 104 is displayed on the display screen of the personal computer 103.

  FIG. 20 shows the flow of processing of “picture display under router”. This will be described with reference to FIGS.

  The subordinate terminal analysis unit 143 waits for a packet to be received from the packet transmission / reception unit 126 (step S421). When the packet is received (Y), the subordinate terminal analysis unit 143 analyzes whether the packet is received from the LAN interface unit 124 or the WAN interface unit 125 (step S422). If the packet is received by the LAN interface unit 124 (step S423: Y), the packet “picture” is attached to the LAN side, that is, the device side under the router device 104 (step S424). Then, the “picture” of the packet corresponding to the network diagram is displayed on the web side display unit 129 (step S425), and the processing is ended (END).

  When it is determined that the packet is received on the WAN interface unit 125 side (step S423: N), a “picture” of the packet is attached to the WAN interface unit 125 side (step S426). Then, the “picture” of the packet corresponding to the network diagram is displayed on the web side display unit 129 (step S425).

  21 and 22 show another analysis process performed in this embodiment. Of these, FIG. 21 shows an analysis result table of analysis results of various types of packets such as TCP (Transmission Control Protocol) packets and UDP (User Datagram Protocol) packets received via the WAN interface unit 125 in FIG. 171 and 172 are illustrated. Further, in FIG. 22, the analysis result of the type of packet received via the LAN interface unit 124 is similarly illustrated together with the analysis result tables 171 and 172.

  From the viewpoint of the user of the personal computer 103, when performing port mapping, it is possible to determine what setting should be made for each terminal under the router device 104 by looking at these FIG. 21 and FIG. It becomes possible, and usability is improved in the sense that it is easy to set. In addition, even when a communication device that is not managed by the administrator, such as another communication device 161, is a device under the router device 104, the discovery is possible, and an improvement in security can be expected.

  FIG. 23 is for explaining another advantage of the analysis processing described above. Assume that the user of the personal computer 103 tries to browse a desired home page on the Internet 101 shown in FIG. At this time, the personal computer 103 needs to know the IP address of the browsing destination. At this time, a DNS (Domain Name System) server 311 is used.

  When the user is a minor, or in a predetermined case where the personal computer 103 used by the user is located at a specific workplace, there are cases where restrictions are imposed on the home page to be accessed. In such a case, by setting a filter in the packet sent from the personal computer 103 side by the router device 104, it becomes possible to reject an answer to an inquiry about a specific IP address and limit the access target. Therefore, as shown in FIG. 23, by displaying the contents of the packet transmitted through each place, the filter can be easily set and the usability is improved.

  Suppose that the user of the personal computer 103 shown in FIG. 4 tries to browse the contents of a desired web server 102 on the Internet 101 and the access is denied. In this case, the user accesses the router device 104 and selects (1) error display items shown in FIG. Then, the failure sequence is analyzed using the failure sequence analysis unit 141 shown in FIG.

  FIG. 24 shows how the packet filtering process described above is performed. This will be described with reference to FIGS.

  When the user performs an operation for accessing the web server 102 from the computer 103, the computer 103 sends a name resolution packet (DNS query XXX.co.jp) for acquiring the IP address of the web server 102 to the router device 104. To send. “Query” indicates an inquiry as a character string. When the failure sequence analysis unit 141 receives this packet (step S441: Y), it analyzes the type of the packet (step S442) and determines whether it matches the filter pattern that restricts access (step S443).

  When the name resolution packet (DNS query XXX.co.jp) does not match the filter pattern (N), the router device 104 sends a name resolution packet (ARP xxx.xxx.xxx.xxx) to the DNS server 311. And inquires about the IP address (step S444). That is, in this case, the IP address inquiry is sent to the DNS server 311 through the filter, and the process ends (END).

  On the other hand, when the filter for the desired web server 102 of the user is set (step S443: Y), the router device 104 does not send the name resolution packet to the DNS server 311 and the error (DNS “Server Failure” is returned to the personal computer 103 (step S445), and the process is terminated (END).

  Even when the address of the DNS server 311 is wrong, the name resolution fails because the packet for name resolution does not reach the DNS server 311. Also in this case, by capturing packets with each of the LAN interface unit 124 and the WAN interface unit 125 of the router device 104, packets of any destination and content can be transmitted to and received from the DNS server 311 or other servers. It helps to solve various errors.

  Next, a third example of the packet analysis system according to the embodiment will be described. In the third embodiment, a failure sequence analysis process is performed when an error occurs when the user transmits an electronic mail from the personal computer 103 shown in FIG. 4 and the transmission cannot be performed.

  FIG. 25 shows a state of analysis at the time of mail transmission by the failure sequence analysis unit. This will be described with reference to FIG. In the third example, as in the first example, FIGS. 4 to 12 shown in the embodiment are used as they are.

  In this example, it is assumed that the user transmits an electronic mail from the personal computer 103 to an SMTP (Simple Mail Transfer Protocol) server (not shown) on the Internet 101. The computer 103 greets the SMTP server with an “EHLO” command, and a response “250” is returned from the SMTP server. The personal computer 103 issues an “AUTH (Authentication)” command for authentication. In response to this request, an account name and password request “334” is made from the SMTP server. On the other hand, it is assumed that the account name and password are not sent from the personal computer 103, but instead the text “MAIL BODY” of the e-mail is sent. In this case, the SMTP server transmits an authentication error “535”.

  That is, in this example, in the procedure set in the personal computer 103, where the account name and password should be transmitted to the SMTP server, the transmission is omitted. When the above-described error occurs in the transmission of the e-mail, the user activates the browser of the personal computer 103 and displays “(1) Error display” (FIG. 14) from the top page as shown in the second embodiment. By selecting, an error can be specified in this way and a solution can be presented.

  In the embodiment and each example described above, the router apparatus 104 analyzes the packet. However, the present invention is not limited to this. For example, it goes without saying that the home gateway device may similarly analyze packets.

DESCRIPTION OF SYMBOLS 10 Packet analyzer 11 1st packet transmission / reception means 12 2nd packet transmission / reception means 13 Analysis content selection means 14 Packet analysis means 15 Web browser screen display means 20 Packet analysis method 21 Analysis content selection step 22 Packet analysis step 23 Web browser screen Display step 30 Packet analysis program 31 Analysis content selection process 32 Packet analysis process 33 Web browser screen display process 100 Packet analysis system 101 Internet 102 Web server 103 Personal computer 104 Router device 121 CPU
122 memory 124 LAN interface unit 125 WAN interface unit 127 packet analysis unit 128 MAC address registration unit 129 web side display unit 141 failure sequence analysis unit 142 packet statistical analysis unit 143 subordinate terminal analysis unit 144 failure sequence / error solution storage unit 161 other Communication equipment

Claims (9)

First packet transmitting / receiving means for transmitting and receiving packets by connecting to an arbitrary number of first type communication devices via a first communication network;
A second packet that transmits and receives packets by connecting to an arbitrary number of second type communication devices to be accessed by the first type communication device via a second communication network different from the first communication network. Transmitting and receiving means;
Analysis content selection means for causing a communication device equipped with a browser of the first type of communication device to select analysis content related to a packet signal by using a web browser screen;
Packet analysis for analyzing a corresponding packet signal transmitted / received using the first packet transmission / reception means or the second packet transmission / reception means over a finite time when the analysis content is selected by the analysis content selection means. Means,
A packet analysis apparatus comprising: a web browser screen display means for displaying an analysis result of the packet analysis means as an analysis result on a web browser screen.   The analysis content selection means includes means for selecting analysis content for analyzing an error in the sequence of the received packet, and the packet analysis means stores a failure sequence in which an error sequence pattern and an error solution method are stored. The packet analysis apparatus according to claim 1, further comprising an error solution storage unit.   2. The packet analysis apparatus according to claim 1, wherein the analysis content selection means includes means for selecting analysis contents to be acquired and analyzed for statistical information of received packets.   The packet analysis apparatus according to claim 1, wherein the analysis content selection means includes means for selecting the analysis content of each communication terminal connected to the first communication network.   5. The packet analysis device according to claim 4, wherein the packet analysis means analyzes whether or not these communication devices are recognized by analyzing an NBNS packet transmitted from each communication terminal.   2. The first communication network is a LAN (Local Area Network), the second communication network is a WAN (Wide Area Network), and a router device that performs routing analyzes packets. The packet analysis apparatus described.   The first communication network is a LAN (Local Area Network), the second communication network is a WAN (Wide Area Network), and the home gateway device analyzes a packet. Packet analysis device. When there is a request for selection of analysis contents related to a packet signal from a communication device equipped with a browser among an arbitrary number of first-type communication devices that perform communication via the first communication network, depending on the displayed web browser screen Analysis content selection step for making the selection,
When the analysis content is selected in the analysis content selection step, the first packet transmission / reception means for transmitting and receiving packets connected to the first type communication device or the second communication different from the first communication network. Corresponding packet signals to be transmitted / received using the second packet transmitting / receiving means connected to an arbitrary number of second type communication devices to be accessed by the first type communication device via the network are limited in time. Packet analysis step to analyze over,
A packet analysis method comprising: a web browser screen display step for displaying an analysis result of the packet analysis step as an analysis result on the web browser screen. On the computer,
When there is a request for selection of analysis contents related to a packet signal from a communication device equipped with a browser among an arbitrary number of first-type communication devices that perform communication via the first communication network, depending on the displayed web browser screen Analysis content selection process for making the selection,
When the analysis content is selected by the analysis content selection process, the first packet transmission / reception means for transmitting / receiving a packet by connecting to the first type communication device or the second communication different from the first communication network. Corresponding packet signals to be transmitted / received using the second packet transmitting / receiving means connected to an arbitrary number of second type communication devices to be accessed by the first type communication device via the network are limited in time. Packet analysis processing to analyze over,
A packet analysis program for executing a web browser screen display process for displaying an analysis result of the packet analysis process as an analysis result on the web browser screen.

Images