JP2011155706A - Device and method for determining operating system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To identify whether a cause of delay of a packet is simple delay or delay caused by performing retransmission by loss. <P>SOLUTION: The next time sequence number serving as the one which the present packet should have is compared with a sequence number of the present packet, an identifier of the previous packet is compared with an identifier of the present packet. When the next time sequence number matches the sequence number of the present packet, and the identifiers of the previous packet and the present packet continue, it is determined that the delay is caused due to the simple delay; and when the identifiers of the previous packet and the present packet do not continue, it is determined that delay is caused due to retransmission. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a packet capture device that determines a cause of packet delay.

  In order to solve a problem when a packet delay occurs during system operation and maintenance, it is necessary to accurately grasp the cause. To solve the problem, specifically, the packet sender was delayed due to the packet sender delaying the packet transmission, or the packet transmission due to the packet loss in the network. Need to know if the packet arrival was delayed as a result of the re-transmission.

  Conventionally, among protocols with higher layers than IP (Internet Protocol), protocols that have retransmission procedures such as TCP (Transmission Control Protocol), etc., as a method of identifying packet loss, using sequence numbers that are monotonically increasing as a clue, If it is continuous, it was determined that no packet loss occurred.

  Therefore, if the sequence numbers are consecutive, it is not recognized as a loss, and in any case where the arrival of a packet from a previously received packet is delayed, the sending host simply determines that it took a long time to transmit. It was.

  Patent Document 1 describes a technique for identifying retransmission and normal transmission from time-series information of packet arrival based on a sequence number.

Japanese Patent Laying-Open No. 2005-210515

  However, in a protocol having a retransmission procedure in a layer higher than the IP layer such as TCP, generally, after a packet is lost, the packet for recovering the loss is retransmitted. Even if a packet is lost between the sending host and the measuring device and the sending host retransmits it, the measuring device can observe that the sequence number is continuous. There was a problem that.

  As described above, in the conventional method, since the loss or delay is determined from the continuity of the sequence number of the TCP header, the cause of the delay cannot be correctly determined.

  It is an object of the present invention to provide an apparatus for correctly identifying whether the cause of packet delay is simply delayed or delayed due to retransmission.

  The disclosed packet capture device includes an acquisition unit that acquires an ID value and a sequence number described in a header of a received packet, a previous ID value that is an ID value of a previously received packet, and a sequence that should be received next time A storage unit that stores a next sequence number that is a number, and a detection unit that determines whether the cause of delay of the received packet is a mere delay or a delay due to retransmission due to loss, and the detection unit includes the next sequence number And the sequence number of the packet acquired this time, the previous ID value and the ID value of the packet received this time are compared, and the next sequence number and the sequence number of the packet received this time match, and When the previous ID value and the ID value of the packet received this time are continuous, it is determined that this is a mere delay. And, and judging that the delay due to retransmission when ID value of the previously received ID value and the current packet is not continuous.

  According to the disclosed apparatus, it is possible to identify whether the cause of the delay of the packet is simply delayed or delayed due to retransmission.

1 is a configuration diagram of a system according to a first embodiment of the present invention. 1 is a configuration diagram of a packet capture device according to a first embodiment of the present invention. FIG. It is an example of a communication state table. It is an example of a monitor result table. It is a flowchart of the identification method of embodiment of this invention. It is a block diagram of the system which concerns on 2nd Embodiment. It is a block diagram of the packet capture apparatus which concerns on the 2nd Embodiment of this invention. It is an example of a monitor result table. It is an example of a continuous start ID table. It is a flowchart of the identification method which concerns on the 2nd Embodiment of this invention. It is a block diagram of the system which concerns on 3rd Embodiment. It is a block diagram of the packet capture apparatus which concerns on the 3rd Embodiment of this invention. It is an example of a monitor result table. It is a figure which shows the example of OS type table. It is a flowchart of the identification method of the 3rd Embodiment of this invention.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
(First embodiment)
FIG. 1 is a configuration diagram of a system according to the first embodiment of the present invention.

The system according to the embodiment of the present invention includes a packet capture device 101, a transmission host 102, a reception host 103, and a tap 104.
The tap 104 is disposed between the transmission host 102 and the reception host 103.
The packet capture device 101 is connected to the tap 104, and the transmission host 102 and the reception host 103 are connected to the tap 104 via the network.

  When the transmission host 102 transmits a packet to the reception host 103, the tap 104 between the transmission host 102 and the reception host 103 branches the packet to the packet capture device 101. The packet capture device 101 receives the packet.

FIG. 2 is a configuration diagram of the packet capture device according to the first embodiment of this invention.
The packet capture device 201 includes an input unit 202, a processing unit 210, a storage unit 220, and an output unit 203.

The input unit 202 is an interface through which a packet is input. The input unit 202 transmits the received packet and information to the processing unit 210.
The processing unit 210 includes a packet information acquisition unit 211, a packet loss / delay detection unit 212, and a monitor result output unit 213.

  The packet information acquisition unit 211 creates a TCP session ID from the information of the IP header and the TCP header. Also, the created TCP session ID, the information described in the IP header and TCP header such as sequence number and identifier, the packet reception time, etc. are transmitted to the packet loss / delay detection unit 212. The sequence number is described in the TCP header and is a number used to notify the destination host of the order of data to be transmitted. The destination host can correctly rearrange the order of the data according to this number, or issue a retransmission request for lost data. The sequence number indicates where the data is in the entire data.

The identifier is described in the IP header and is incremented every time a packet is transmitted.
Based on the information stored in the communication state storage unit 221 and the information from the packet information acquisition unit 211, the packet loss / delay detection unit 212 determines whether the packet is simply delayed or retransmitted due to loss. . In addition, various information such as the total packet delay time and the number of losses, the packet reception time, and the identifier are written in the communication state storage unit 221 and the monitor result storage unit 222.

  The monitor result output unit 213 acquires part or all of the information of the monitor result table stored in the monitor result storage unit 222 and transmits the acquired information to the output unit 203. For example, the stored statistical information may be extracted and transmitted to the output unit 203 based on a filter condition masked by a specific session ID value, upper 24 bits of the session ID, or the like.

The storage unit 220 includes a communication state storage unit 221 and a monitor result storage unit 222.
The communication state storage unit 221 stores a communication state table as shown in FIG.
The communication state table includes, as items, a transmission source address, a TCP session ID, a previous reception time, a next SEQ, and a previous ID value.

The source address is the IP address of the transmission host.
The TCP session ID is a value generated from the source address (SA), source port number (SP), destination address (DA), and destination port (DP) of the TCP header of the packet.
The previous reception time is the reception time of the packet received last time.

  The next SEQ is the sequence number of the packet that is expected to be possessed by the next packet to be received, which is obtained by adding the TCP payload size of the packet received last time to the sequence number of the packet received last time.

The previous ID value is an identifier (ID value) of the IP header of the packet received last time.
The monitor result storage unit 222 stores a monitor result table as shown in FIG.
The monitor result table includes, as items, a transmission source address, a TCP session ID, the number of packet transmissions, the number of losses, a loss rate, and a total delay time.

The source address is the IP address of the transmission host.
The TCP session ID is a value generated from the source address (SA), source port number (SP), destination address (DA), and destination port (DP) of the TCP header of the packet.

The packet transmission count is the number of packets received by the packet capture device among the packets transmitted by the transmission source host.
The loss number is the number of lost packets.

The loss rate is a value obtained by dividing the number of losses by the number of packet transmissions and multiplying by 100, and indicates the ratio of loss in packet transmission.
The total delay time (milliseconds) indicates the total delay time of the packets whose delay cause is simply a delay.

  The output unit 203 is an interface that outputs a monitor result. For example, a network interface that supports a monitor for displaying statistical information to a network administrator and a communication protocol for transmission to a network management device (NMS).

FIG. 5 is a flowchart of the identification method according to the first embodiment of this invention.
In step S <b> 501, the input unit 202 receives a packet and transmits the packet to the packet information acquisition unit 211. The packet received this time is called the current packet, the packet received immediately before the packet received this time is called the previous packet, and the packet received next to the packet received this time is called the next packet.

  In step S502, the packet information acquisition unit 211 sends the source address (SA) and destination address (DA) described in the IP header, and the source port number (SP) and destination port number (SP) described in the TCP header. Create a TCP session ID from DP).

Further, the packet information acquisition unit 211 acquires the sequence number (SEQ) of the TCP header and the identifier (ID value) of the IP header. The session ID, sequence number, and identifier are transmitted as a set to the packet loss / delay detection unit 212.
In addition, the packet information acquisition unit 211 transmits the packet reception time (packet reception time) to the packet loss / delay detection unit 212.

  In step S503, the packet loss / delay detection unit 212 searches the communication state table using the transmission source address and session ID received by the packet loss / delay detection unit 212 as keys, and whether there is a corresponding entry (ie, the same). Whether or not there is an entry having a pair of a source address and a session ID) If there is a corresponding entry, the process proceeds to step S504. If there is no corresponding entry, the process proceeds to step S509. The same session ID is generated even when the transmission source address and the transmission destination address are reversed. Therefore, the source address is also used as a search key so that it can be distinguished.

  In step S504, the packet loss / delay detection unit 212 refers to the communication state table, and acquires the previous reception time, next SEQ, and previous ID value of the corresponding entry from the communication state table.

  The packet loss / delay detection unit 212 uses PRV_ID as the previous ID value, CUR_ID as the identifier of the current packet, PRV_T as the previous reception time, CUR_T as the reception time of the current packet, and SEQ as the sequence number of the current packet.

In step S505, the packet loss / delay detection unit 212 compares the next SEQ with the SEQ. If they are the same, the process proceeds to step S506, and if they are different, the process proceeds to step S512.
In step S506, the packet loss / delay detection unit 212 compares the value obtained by adding 1 to CUR_ID (identifier of the current packet) and PRV_ID (previous ID value (identifier of previous packet)). If it is different, it is determined that the delay is due to retransmission due to loss, and the process proceeds to step S508.

  In step S507, the packet loss / delay detection unit 212 adds the value obtained by subtracting the previous reception time (PRV_T) from the reception time (CUR_T) of the current packet to the total delay time of the corresponding entry in the monitor result table. Write to.

  In step S508, the packet loss / delay detection unit 212 calculates the current loss number by CUR_ID (identifier of the current packet) −PRV_ID (previous ID value (identifier of previous packet)) − 1, and calculates the current loss number. Is added to the number of losses in the monitor result table and written to the monitor result table.

In step S509, the packet loss / delay detection unit 212 creates a new entry in the communication state table.
In step S510, the packet loss / delay detection unit 212 adds the TCP data length (payload size) of the current packet to SEQ (sequence number of the current packet) to the next SEQ (sequence expected for the next received packet). The next SEQ is written in the communication state table.

  In step S511, the packet loss / delay detection unit 212 sets the previous reception time (PRV_T) as the current packet reception time (CUR_T) and the previous ID value (PRV_ID) as the current packet ID value (CUR_ID) in the communication state table. Write. In addition, 1 is added to the packet transmission number to obtain a new packet transmission number, which is written in the monitor result table.

Next, a specific example of determination of delay and loss is shown.
In the following specific example, it is assumed that the communication state storage unit 221 and the monitor result storage unit 222 store the communication state table of FIG. 3 and the monitor result table of FIG.

An example in the case where the delay is first determined is shown.
First, a new packet is received (step S501).
The packet information acquisition unit 211 creates a TCP session ID from the TCP header and IP header of the newly received packet (current packet) (step S502). The packet information acquisition unit 211 acquires the sequence number (SEQ) of the TCP header and the identifier (ID) of the IP header. The session ID, sequence number, and identifier are transmitted as a set to the packet loss / delay detection unit 212. The packet reception time (packet reception time) is transmitted to the packet loss / delay detection unit 212.

In the packet received this time, it is assumed that source address = α, session ID = A, sequence number (SEQ) = 680, and identifier (ID value) = 336.
When the communication state table is searched using the session ID “A” and the transmission source address “α” as keys (step S503), the corresponding entry exists in the first line of the communication state table. 335 is acquired as (step S504). Also, PRV_ID is the previous ID value, CUR_ID is the current packet identifier, PRV_T is the previous reception time, CUR_T is the current packet reception time, and SEQ is the current packet sequence number (step S504).

The next time SEQ and SEQ are compared (step S505), both are the same at 680.
Next, when CUR_ID (= 336) and PRV_ID (= 335) plus 1 are compared (step S506), both are the same at 336.

  Since the next SEQ (= 680) and SEQ (= 680) are the same and the identifier (= 336) of the current packet is continuously increased from the previous ID value (= 335), the current packet is delayed. Judge that there is.

A value obtained by adding a value obtained by subtracting the previous reception time from the reception time of the current packet to the total delay time of the monitor result table is written (step S507).
Next, a sequence number (next SEQ) expected for the received packet is calculated and written in the communication state table (step S510).

  The previous reception time (PRV_T) is written in the communication state table as the current packet reception time (CUR_T) and the previous ID value (PRV_ID) is the current packet ID value (CUR_ID). Further, a value obtained by adding 1 to the packet transmission number is written in the monitor result table, and the packet transmission number is 31 (step S511).

Next, an example in the case of being determined as loss will be shown.
First, a new packet is received (step S501).
The packet information acquisition unit 211 creates a TCP session ID from the TCP header and IP header of the newly received packet (current packet) (step S502). The packet information acquisition unit 211 acquires the sequence number (SEQ) of the TCP header and the identifier (ID) of the IP header. The session ID, sequence number, and identifier are transmitted as a set to the packet loss / delay detection unit 212. The packet reception time (packet reception time) is transmitted to the packet loss / delay detection unit 212.

In the packet received this time, it is assumed that the transmission source address = α, session ID = A, sequence number (SEQ) = 680, and identifier (ID value) = 337 are acquired.
When the communication state table is searched using the session ID “A” and the transmission source address “α” as keys (step S503), the corresponding entry exists in the first line of the communication state table. 335 is acquired as (step S504). Also, PRV_ID is the previous ID value, CUR_ID is the current packet identifier, PRV_T is the previous reception time, CUR_T is the current packet reception time, and SEQ is the current packet sequence number (step S504).

The next time SEQ and SEQ are compared (step S505), both are the same at 680.
Next, when CUR_ID (= 337) and PRV_ID (= 335) plus 1 are compared (step S506), they are different.

  The next SEQ (= 680) and SEQ (= 680) are the same, but the current packet identifier (= 337) has not increased continuously from the previous ID value (= 335), so the current packet is retransmitted. Packet, that is, the cause of delay is determined to be retransmission due to loss (step S506).

  When the number of losses is calculated, the current packet ID value−previous ID value−1 = 337−335−1 = 1. Then, a value obtained by adding the currently calculated loss number 1 to the current loss number 0 in the monitor result table, that is, 1 is written (step S508).

Next, a sequence number (next SEQ) expected for the received packet is calculated and written in the communication state table (step S510).
The previous reception time (PRV_T) is written in the communication state table as the current packet reception time (CUR_T) and the previous ID value (PRV_ID) is the current packet ID value (CUR_ID). Further, a value obtained by adding 1 to the packet transmission number is written in the monitor result table, and the packet transmission number is 31 (step S511).

(Second Embodiment)
In the second embodiment, a case where one transmission host transmits packets to a plurality of reception hosts will be described.

FIG. 6 is a configuration diagram and a conceptual diagram of a system according to the second embodiment.
The system according to the second embodiment of the present invention includes a packet capture device 601, a transmission host 602, a reception host 603-n (n = 1 to 3), and a tap 604.

The tap 604 is disposed between the transmission host 602 and the reception host 603.
The packet capture device 601 is connected to the tap 604, and the transmission host 602 and the reception host 603 are each connected to the tap 604 via the network.

When the transmission host 602 transmits a packet to the reception host 603, the tap 604 between the transmission host 102 and the reception host 603 branches the packet to the packet capture device 601. Then, the packet capture device 601 receives the packet.
The IP addresses of the receiving hosts 603-6103-2 and 603-3 are A, B, and C, respectively.

In FIG. 6, packets are transmitted from the transmission host 602 in the order of a packet 611, a packet 612, a packet 613, and a packet 614. The packet 611, the packet 612, the packet 613, and the packet 614 are transmitted to the reception host 603-1, the reception host 603-2, the reception host 603-3, and the reception host 603-1, respectively.
Seq is a packet sequence number, and ID is an identifier.

  Although the packet is transmitted without loss to the receiving host 603-1, since the packet is transmitted to another receiving host between the transmission of the packet 611 and the packet 614, the identifier of the packet 611 ( 100) and the identifier (103) of the packet 614 are not continuous. In this case, when the identification method according to the first embodiment is used, there is actually no loss, but it is determined to be a loss. In the second embodiment, even in such a case, it is determined that the packet 614 is delayed.

  In the second embodiment, even when the transmitting host transmits a packet to a plurality of receiving hosts and the identifiers are not consecutive for the same TCP session, the determination can be made correctly.

FIG. 7 is a configuration diagram of a packet capture device according to the second embodiment of the present invention.
The packet capture device 701 includes an input unit 702, a processing unit 710, a storage unit 720, and an output unit 703.

The input unit 702 is an interface through which a packet is input. The input unit 702 transmits the received packet and information to the processing unit.
The processing unit 710 includes a packet information acquisition unit 711, a packet loss / delay detection unit 712, and a monitor result output unit 713.

  The packet information acquisition unit 711 creates a TCP session ID from the information of the IP header and the TCP header. Also, the created TCP session ID, the information described in the IP header and TCP header such as sequence number and identifier, the packet reception time, etc. are transmitted to the packet loss / delay detection unit 712.

  The packet loss / delay detection unit 712 determines whether the packet is delayed or lost based on the information stored in the communication state storage unit 721 and the information from the packet information acquisition unit 711. In addition, various information such as the total packet delay time and the number of losses, the packet reception time, and the identifier are written in the communication state storage unit 721, the monitor result storage unit 722, and the continuous start ID storage unit 723.

  The monitor result output unit 713 acquires part or all of the information of the monitor result table stored in the monitor result storage unit 722 and transmits the acquired information to the output unit 703. For example, the stored statistical information may be extracted and transmitted to the output unit 203 based on a filter condition masked by a specific session ID value, upper 24 bits of the session ID, or the like.

The storage unit 720 includes a communication state storage unit 721, a monitor result storage unit 722, and a continuous start ID storage unit 723.
The communication state storage unit 721 stores a communication state table as shown in FIG.
The communication state table is the same as that in the first embodiment.

The monitor result storage unit 722 stores a monitor result table as shown in FIG.
The monitor result table includes, as items, a transmission source address, a TCP session ID, the number of packet transmissions, the number of indeterminate times, and a total delay time.

The source address, TCP session ID, number of packet transmissions, and total delay time are the same as in the first embodiment.
The indeterminate number of times indicates the number of times that it was not possible to determine whether it was a delay or a loss.

  The continuous start ID storage unit 723 includes a continuous start ID table as shown in FIG. The continuous start ID table includes, as items, a transmission source address, a continuous start ID value, a previous ID value, and an increase number.

The source address is the IP address of the transmission host.
The continuous start ID value is an identifier (ID value) of the IP header of the first packet when the packet is transmitted without loss.

The immediately preceding ID value is an identifier (ID value) of the IP header of the packet transmitted previously by the transmission source host.
The increase number is a range in which packets can be considered continuous without loss.

  For example, referring to the entry in the first row, the transmission source address is α, the continuous start ID value is 1, and the immediately preceding ID value is 335. Thus, it can be seen that the transmission host having the transmission source address α continuously transmits without loss from the packet with the identifier (ID value) 1 to the packet immediately before the identifier (ID value) 335.

FIG. 9 is a flowchart of the identification method according to the second embodiment of the present invention.
In step S1001, the input unit 202 receives the packet and transmits the packet to the packet information acquisition unit.

  In step S1002, the packet information acquisition unit 711 transmits the source address (SA), source port number (SP), destination address (DA), and destination port number (DP) described in the TCP header or IP header. To create a TCP session ID.

  Further, the packet information acquisition unit 711 acquires the sequence number (SEQ) of the TCP header and the identifier (ID) of the IP header. The session ID, sequence number, and identifier are transmitted as a set to the packet loss / delay detection unit 712.

  In step S1003, the packet loss / delay detection unit 712 refers to the communication state table, and the same session ID and transmission source address combination as the session ID and transmission source address received by the packet loss / delay detection unit 712 communicates. Determine if it is in the state table.

If there is a combination of the same session ID and transmission source address, the process proceeds to step S1004, and if there is no combination of the same session ID and transmission source address, the process proceeds to step S1006.
In step S1004, the packet loss / delay detection unit 712 checks whether the transmission source address exists in the continuous start ID table. If the transmission source address exists, the process proceeds to step S1005. If not, the process proceeds to step S1007.

  In step S1005, CON_ID is the continuous start ID value of the corresponding entry in the continuous start ID table, L_ID is the immediately preceding ID value of the corresponding entry in the continuous start ID table, and CUR_ID is the ID value of the IP header of the current packet.

In step S1006, the packet loss / delay detection unit 712 creates a new entry in the packet communication state table.
In step S1007, the packet loss / delay detection unit 712 creates a new entry in the continuous start ID table.

  In step S1008, the packet loss / delay detection unit 712 sets the continuous start ID value and the previous ID value of the corresponding entry in the continuous start ID table as the ID value of the IP header of the current packet, and writes it in the continuous start ID table.

  In step S1009, the packet loss / delay detection unit 712 refers to the communication state table, and acquires the previous reception time, next SEQ, and previous ID value of the session ID from the communication state table.

The packet loss / delay detection unit 712 sets PRV_ID as the previous ID value, PRV_T as the previous reception time, CUR_T as the reception time of the current packet, and SEQ as the sequence number of the current packet.
In step S1010, the packet loss / delay detection unit 712 compares the next SEQ and SEQ, and if they are the same, the process proceeds to step S1011. If they are different, the process cannot proceed to step S1017 because the delay and loss cannot be identified. I do.

  In step S1011, the packet loss / delay detection unit 712 compares the ID value (CUR_ID) of the current packet and the previous ID value (L_ID) plus a constant N. If CUR_ID is equal to or less than L_ID + N, the process proceeds to step S1012. If CUR_ID is greater than L_ID + N, the process proceeds to step S1014. In step S1011, if CUR_ID has increased only by N or less than L_ID, the ID values are considered to be continuous.

  In step S1012, the packet loss / delay detection unit 712 compares the continuous start ID value (CON_ID) of the corresponding entry with the ID value (PRV_ID) of the previous packet. If CON_ID is equal to or less than PRV_ID, it is determined that the delay is in progress, and the process proceeds to step S1013. If CON_ID is greater than PRV_ID, the process proceeds to step S1015.

In step S1013, a value obtained by subtracting the previous reception time from the reception time is added to the total delay time of the monitor result table.
In step S1014, the ID value (CUR_ID) of the current packet is written in the continuous start ID value of the corresponding entry in the continuous start ID table. In step S1014, since CUR_ID is larger than L_ID + N, it is considered that the previous ID values are not continuous, and the continuous start ID value is updated with the ID value of the current packet.

  In step S1015, the packet loss / delay detection unit 712 determines that the delay or loss cannot be determined because the ID values are not continuous, and adds 1 to the number of times the monitor result table cannot be determined.

  In step S1016, the sequence number of the current packet plus the data length (payload size) of the current packet is calculated as the sequence number expected for the next packet (next SEQ), and the next SEQ is written in the communication state table.

  In step S1017, the reception time of the current packet is written in the previous reception time of the communication state table, and the ID value of the current packet is written in the previous ID value. Also, 1 is added to the number of packets transmitted in the monitor result table. Also, the ID value of the current packet is written in the ID value immediately before the corresponding entry in the continuous start ID table.

Next, a specific example of the second embodiment will be described.
In the following specific example, the communication state storage unit 721, the monitor result storage unit 722, and the continuous start ID storage unit 723 include a communication state table in FIG. 3, a monitor result table in FIG. 8, and a continuous start ID in FIG. Assume that a table is stored.

First, a new packet is received (step S1001).
The packet information acquisition unit 711 creates a TCP session ID from the TCP header and IP header of the newly received packet (current packet) (step S1002). The packet information acquisition unit 711 acquires a TCP header sequence number (SEQ) and an IP header identifier (ID value). The session ID, sequence number, and identifier are transmitted as a set to the packet loss / delay detection unit 712. Also, the packet reception time (packet reception time) is transmitted to the packet loss / delay detection unit 712.

In the packet received this time, it is assumed that source address = α, session ID = B, sequence number (SEQ) = 421, and identifier (ID value) = 336 are acquired.
When the communication status table is searched using the session ID “B” and the transmission source address “α” as keys (step S1003), a corresponding entry exists in the second row of the communication status table.

When the continuous start ID table transmission source address “α” is searched for as a key (step S1004), a corresponding entry exists in the first line of the continuous start table.
CON_ID is the continuous start ID value (1) of the corresponding entry of the continuous start ID table, L_ID is the immediately preceding ID value (335) of the corresponding entry of the continuous start ID table, and CUR_ID is the identifier (ID value) of the IP header of the current packet (336) ) (Step S1005). Also, 1 is acquired as the increase number N from the continuous start ID table.

  421 is acquired as the next SEQ and 211 is acquired as the previous ID value (step S1009). Also, PRV_ID is the previous ID value (211), PRV_T is the previous reception time, CUR_T is the reception time of the current packet, and SEQ is the sequence number (421) of the current packet (step S1109).

The next time SEQ and SEQ are compared (step S1010), both are the same at 421.
When CON_ID (336) and L_ID (335) plus the increase number N (1) are compared (step S1011), CON_ID is L_ID + N or less.
When CON_ID (1) is compared with PRV_ID (211) (step S1012), CON_ID is equal to or less than PRV_ID.

From the above, it is considered that the ID values of the current packet are continuous, there is no retransmission due to loss, and it is determined that the packet is simply delayed.
Thereafter, the monitor result table, the communication state table, and the continuous start ID table are updated (steps S1013, S1016, and S1017).
According to the packet capture device of the second embodiment, the delay can be identified even when the transmission source host communicates with a plurality of transmission destination hosts.

(Third embodiment)
In the third embodiment, a case where the transmission source host is a specific OS (Operation System) such as Linux (registered trademark) will be described.
FIG. 11 is a system configuration diagram and a conceptual diagram of the third embodiment of the present invention.

The system according to the third embodiment of the present invention includes a packet capture device 1101, a transmission host 1102, a reception host 1103-n (n = 1 to 3), and a tap 1104.
The tap 1104 is disposed between the transmission host 1102 and the reception host 1103.

The packet capture device 1101 is connected to the tap 1104, and the transmission host 1102 and the reception host 1103 are each connected to the tap 1104 via a network.
When the transmission host 1102 transmits a packet to the reception host 1103, the tap 1104 between the transmission host 102 and the reception host 1103 branches the packet to the packet capture device 1101. Then, the packet capture device 1101 receives the packet.
Note that the IP addresses of the receiving hosts 1103-1, 1103-2, and 1103-3 are A, B, and C, respectively.

  In FIG. 11, packets are transmitted from the transmission host 1102 in the order of a packet 1111, a packet 1112, a packet 1113, and a packet 1114. Packet 1111, packet 1112, packet 1113, and packet 1114 are transmitted to reception host 1103-1, reception host 1103-2, reception host 1103-3, and reception host 1103-1, respectively.

Seq is a packet sequence number, and ID is an identifier.
When the transmission host 1101 uses a specific OS (Operation System) such as Linux (registered trademark), the identifier (ID value) of the IP header starts from a random value for each TCP connection, and one packet is transmitted. Although it increases by 1 every time, it is not a value common to the sending host.

  The identifier of the packet 1111 transmitted to the receiving host 1103-1 is 100, the identifier of the packet 1112 transmitted to the receiving host 1103-2 is 500, and the identifier of the packet 1113 transmitted to the receiving host 1103-3 is 1000.

  In this way, an identifier that is different for each TCP session is given as an initial value. The identifier of the packet 1114 transmitted to the receiving host 1103-1 is 101, and the identifier is continuous with respect to the packet 1111 for the same TCP session.

If this property is used, it can be determined that the identifier always increases by 1 for packets belonging to the same TCP session, and this is used for identification of loss and delay.
If the identifier always increases by 1 for packets belonging to the same TCP session, the identification method of the first embodiment (the flowchart of FIG. 5) can be used.
In other cases, the identification method of the second embodiment (the flowchart of FIG. 9) is used.

The packet capture device 1101 of the third embodiment has the functions of both the packet capture device 201 and the second packet capture device 701 of the first embodiment, and uses them appropriately.
Which identification method is used is determined by the type of OS of the sending host.

FIG. 12 is a configuration diagram of the packet capture device according to the third embodiment of this invention.
The packet capture device 1201 includes an input unit 1202, an output unit 1203, a processing unit 1210, and a storage unit 1220.

The input unit 1202 is an interface through which a packet is input. The input unit 202 transmits the received packet and information to the processing unit.
The processing unit 1210 performs processing such as acquisition of packet header information, identification of the cause of delay based on the acquired information, and transmission of results.

The output unit 1203 is an interface that outputs a monitoring result, and may be a screen for displaying statistical information to a network administrator, and a network interface that supports a communication protocol for transmission to a network management device (NMS) It may be good.
The processing unit 1210 includes a packet information acquisition unit 1211, a packet loss / delay detection unit 1212, and a monitor result output unit 1213.

  The packet information acquisition unit 1211 creates a TCP session ID from the information of the IP header and the TCP header. Also, the created TCP session ID, information described in the IP header and TCP header such as a sequence number and an identifier, the packet reception time, and the like are transmitted to the packet loss / delay detection unit 1212.

  The packet loss / delay detection unit 1212 determines the OS type identification and whether the packet is delayed or lost based on the information stored in the communication state storage unit 1221 and the information from the packet information acquisition unit 1211. Also, various information such as the total packet delay time and the number of losses, the packet reception time and the identifier are written in the communication state storage unit 1221, the monitor result storage unit 1222, the continuous start ID storage unit 1223, and the OS type storage unit 1224.

  The monitor result output unit 1213 acquires part or all of the information of the monitor result table stored in the monitor result storage unit 1222 and transmits the acquired information to the output unit 1203. For example, the stored statistical information may be extracted and transmitted to the output unit 1203 based on a filter condition masked by a specific session ID value, upper 24 bits of the session ID, or the like.

The storage unit 1220 includes a communication state storage unit 1221, a monitor result storage unit 1222, a continuous start ID storage unit 1223, and an OS type storage unit 1224.
The communication state storage unit 1221 includes a communication state table as shown in FIG. The communication state table is the same as that in the second embodiment.

  The monitor result storage unit 1222 includes a monitor result table as shown in FIG. The monitor result table includes, as items, a transmission source address, a TCP session ID, the number of packet transmissions, the number of losses, a loss rate, a total delay time, and an indeterminate number of times.

  The transmission source address, TCP session ID, number of packet transmissions, number of losses, loss rate, and total delay time are the same as in the first embodiment. In addition, the number of times the judgment cannot be made is the same as in the second embodiment.

The continuous start ID storage unit 1223 includes a continuous start ID table as shown in FIG. The continuous start ID table is the same as that in the second embodiment.
The OS type storage unit 1224 includes an OS type table as shown in FIG.
The OS type table has a transmission source address and an OS type as items. In the transmission source address, the IP address of the transmission host is stored. The OS type stores the type of OS of the sending host.

The OS type table stores the source address and the OS type so as to correspond to each other.
The OS type B is an OS that gives a different identifier for each TCP session and increments the identifier by 1 for packets belonging to the same TCP session, and corresponds to, for example, Linux. The OS type A is an OS that does not give a different identifier for each TCP session.

FIG. 15 is a flowchart of the identification method according to the third embodiment.
In step S1501, a packet is received.
In step S1502, it is determined whether the received packet is a SYN / ACK packet. If it is a SYN / ACK packet, the process proceeds to step S1503. If it is not a SYN / ACK packet, the process proceeds to step S1504.

The SYN / ACK packet is a packet used when a TCP connection is established.
In the procedure for establishing a TCP connection, the client first transmits a connection request (SYN packet) to the server. The server sends a response (SYN / ACK packet) to the connection request to the client. In response to the SYN / ACK packet, the client transmits an ACK packet to the server. The TCP connection is established by the above procedure.

  Whether the packet is a SYN / ACK packet is checked by checking whether the SYN flag and the ACK flag of the TCP header are 1. If the SYN flag and the ACK flag are 1, it is determined that the packet is a SYN / ACK packet.

  In step S1503, it is determined whether the identifier (ID value) of the IP header of the packet is 0. If it is 0, the process proceeds to step S1507. If not, the process proceeds to step S1509. In an OS in which a different identifier is given for each TCP session and the identifier is incremented by 1 for packets belonging to the same TCP session, the identifier of the SYN / ACK packet is 0. Therefore, in step S1503, the OS type is identified by the SYN / ACK packet identifier.

In step S1504, the OS type table is searched using the source address of the IP header of the packet as a key.
In step S1505, if there is no corresponding entry in the OS type table as a result of the search in step S1504, the process proceeds to step S1506, and if there is a corresponding entry, the process proceeds to step S1510.
In step S1506, a new entry is created in the OS type table.

In step S1507, the OS type is set to B and is written in the OS type table.
In step S1508, the process proceeds to step S502 in FIG. The packet capture device 1201 performs the processing after step S502, and when it reaches END in FIG. 5, returns to step S1508 and ends. At this time, the input unit 1202, the output unit 1203, the packet information acquisition unit 1211, the packet loss / delay detection unit 1212, the monitor result output unit 1213, the communication state storage unit 1221, and the monitor result storage unit 1222 are each in the first implementation. Corresponds to an input unit 202, an output unit 203, a packet information acquisition unit 211, a packet loss / delay detection unit 212, a monitor result output unit 213, a communication state storage unit 221, and a monitor result storage unit 222.

In step S1509, the OS type is set to A and is written in the OS type table.
In step S1510, the OS type table is referenced to determine the OS type of the packet transmission source host. If the type is A, the process proceeds to step S1511. If the type is not A (B), the process proceeds to step S1508.

  In step S1511, the process proceeds to step S1002 in FIG. The packet capture device 1201 performs the processing after step S1002, and when it reaches END in FIG. 5, returns to step S1508 and ends. At this time, the input unit 1202, the output unit 1203, the packet information acquisition unit 1211, the packet loss / delay detection unit 1212, the monitor result output unit 1213, the communication state storage unit 1221, the monitor result storage unit 1222, and the continuous start ID storage unit 1223 Are an input unit 702, an output unit 703, a packet information acquisition unit 711, a packet loss / delay detection unit 712, a monitor result output unit 713, a communication state storage unit 721, a monitor result storage unit 722, respectively, according to the second embodiment. And the continuous start ID storage unit 723.

  According to the packet capture device of the third embodiment, by identifying the type of OS, an identification method according to the OS of the transmission host can be used. This increases the possibility of correct identification.

  While the present invention has been described with reference to the embodiments, it is needless to say that the present invention is not limited to the above-described embodiments, and various modifications and improvements can be made within the scope of the present invention.

DESCRIPTION OF SYMBOLS 101 Packet capture device 102 Transmission host 103 Reception host 104 Tap 201 Packet capture device 202 Input unit 203 Output unit 210 Processing unit 211 Packet information acquisition unit 212 Packet loss / delay detection unit 213 Monitor result output unit 220 Storage unit 221 Communication state storage unit 222 Monitor result storage unit 701 Packet capture device 702 Input unit 703 Output unit 710 Processing unit 711 Packet information acquisition unit 712 Packet loss / delay detection unit 713 Monitor result output unit 720 Storage unit 721 Communication state storage unit 722 Monitor result storage unit 723 Continuous Start ID storage unit 1201 Packet capture device 1202 Input unit 1203 Output unit 1210 Processing unit 1211 Packet information acquisition unit 1212 Packet loss / delay detection unit 1213 Data result output section 1220 storage section 1221 communication state storage unit 1222 monitoring result storage unit 1223 successively starting ID storage unit 1224 OS type storage unit

Claims (2)

Depending on whether or not the ID value included in the header information of the response packet transmitted in response to the connection request is 0, the transmission host that transmitted the response packet transmits a packet every time a packet is transmitted within the same session. Determining means for determining the type of the operation system as to whether or not the operation system is of the type that sequentially increments the ID value included in the header information;
A device capable of determining an operating system. An operating system determination method executed by an apparatus capable of operating system determination,
Depending on whether or not the ID value included in the header information of the response packet transmitted in response to the connection request is 0, the transmission host that transmitted the response packet transmits a packet every time a packet is transmitted within the same session. The operating system determination method of determining the type of the operation system as to whether or not the operation system is a type that sequentially increments the ID value included in the header information.