JP2015204538A - Call processing sequence analyzer and communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve the problem in which there is a case where reproduction of a sequence needs information which does not appear in a packet held by a call processing device; and the sequence cannot be reproduced by existing capture methods if there is no call information common to all packets.SOLUTION: A call processing device adds information needed for reproduction of a sequence to a reception packet and a transmission packet and transmits the resulting packets as analysis packets to an analyzer. The analyzer receives analysis packets from a call processing apparatus involved in a sequence to be reproduced, and identifies packets belonging to the same sequence. For identification of the sequence, the analyzer uses whether analysis information added by the call processing device accords with payloads of the transmission packet and the reception packet between two devices.

Description

  The present invention relates to call processing analysis in mobile networks.

As a background art of this technical field, mobile communication technology called LTE (Long Term Evolution) standardized in 3GPP (3 ^rd Generation Partnership Project) has become widespread. Non-Patent Document 1 describes a sequence that can be a reproduction target of the present invention.

  Moreover, there exists Unexamined-Japanese-Patent No. 2004-248192 (patent document 1). This publication describes a control signal sequence generation method using Call ID in VoIP (Voice Over IP) service.

JP 2004-248192 A

3GPP standard document (URL: http://www.3gpp.org/) TS 23.401 General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access v 11.7.0

  In recent years, mobile networks such as LTE have become more complex, smartphones have become widespread, and the processing amount of nodes (hereinafter referred to as call processing devices) that process control packets has increased, so the problem analysis of these call processing devices has also become complicated. It has become. When a maintenance person analyzes a cause of a failure or a cause of delay in a call processing device, a problem does not always occur due to the cause of one call processing device, so only a call processing device in which a problem such as a failure or delay has become apparent In some cases, it is not enough to investigate. In such a case, the maintenance person needs analysis including other call processing devices along the problematic call processing sequence. Here, the call processing sequence is a series of packets (messages) that are exchanged between a plurality of call processing devices related to the procedure according to the procedure such as terminal connection and handover. Examples of the procedure include Initial Attach described in Chapter 5.3.2 of Non-Patent Document 2 and Detach described in Chapter 5.3.8.

  It is common for a maintenance person or a maintenance system to capture a packet input to or output from a call processing device and use the captured packet for problem analysis. In order to perform analysis in accordance with the call processing sequence, the maintenance system extracts packet sequences belonging to the same sequence from the captured packets, and different types of packets (messages) across a plurality of call processing devices. It is necessary to link each other. Here, in the present invention, extracting a packet string belonging to a certain sequence by linking the packets is called sequence reproduction.

  Patent Document 1 discloses a technique for generating a sequence from captured packets using Call-ID, which is call information common to all call processing devices in the sequence, in VoIP. However, if there is no common call information in the sequence across multiple relay devices, such as Call-ID, in the information obtained from the packet, the sequence cannot be reproduced. In such call processing, the call processing device holds information that does not appear in the packet and identifies call information.

  For example, from Non-Patent Document 2, Chapter 5.3.2, in Initial Attach, when MME (Mobile Management Entity) receives an Attach request from eNodeB (evolved NodeB), UE (User Equipment) is received by GUTI (Global Unique Temporary Identity). Identify. Next, when an Update Location Request is transmitted to the HSS (Home Subscriber Server), IMSI (International Mobile Subscriber Identity) is used as a UE identifier. Here, GUTI and IMSI are call information. At this time, the MME needs to identify the same UE from a plurality of UE identifiers, that is, GUTI and IMSI, by registering GUTI and IMSI in the same entry of the table, and has the function. The identification process of call information by this function does not appear in the packet. In the above example, GUTI is communicated by a NAS (Non Access Stratum) protocol, and IMSI is communicated by a Diameter protocol. For this reason, it is difficult or a complicated protocol analysis is required for the maintenance system to identify the sequence only from the packet capture data.

  That is, the maintenance system needs to use the information held by the call processing device in order to identify that GUTI and IMSI belong to the same sequence. Therefore, in the present invention, when common call information in a sequence such as Call-ID cannot be obtained from a packet, a maintenance system can link different call information such as GUTI and IMSI. Furthermore, it is an object of the present invention to enable analysis according to a sequence using information held by a call processing device.

  In order to solve the above problem, the analysis device of the present invention includes a first storage unit that stores a packet received from a communication device and first identification information for identifying the communication device in association with each other; Of a plurality of packets stored in the first storage unit in association with different first identification information, at least a part of the information constituting the packet is compared. A processing unit that determines whether or not the contents match and a second storage unit that stores a combination of a plurality of packets whose contents are determined to match by the processing unit are configured.

  When the call processing device adds information for analysis to the packet, analysis using information that does not appear in the packet becomes possible. The analysis device can identify packets having different call information belonging to the same sequence, and the sequence can be reproduced.

It is a block diagram of the example of a system to which this invention is applied in a LTE system. It is an example of a call processing sequence of Initial Attach in the LTE system. It is an example of the format of a packet for analysis. It is an example of the block diagram of a call processing apparatus. It is an example of a processing flow in a call processing device for determining a call type and registering it in a call processing ID table. It is an example of the processing flow which produces | generates the packet for analysis in a call processing apparatus. It is an example of a table holding a call processing ID. It is an example of the block diagram of an analyzer. It is an example of the processing flow for an analyzer to buffer an analysis packet. It is an example of the processing flow for reproducing a normal sequence. This is a packet sequence divided by device ID and call processing ID. It is an example of a table holding packet match narrowing conditions. It is an example of a table that resolves a device ID from an IP address. It is an Initial attach message sequence output by the analysis device. It is an example of a sequence when there is a packet loss. It is an example of the sequence reproduction process flow when there is a packet loss. It is an analysis process flow of an abnormal sequence.

  Hereinafter, examples will be described with reference to the drawings.

  In this embodiment, an example will be described in which the normal call processing sequence of the initial attach shown in FIG. 2 is reproduced in the configuration of the LTE system shown in FIG. Here, the initial attach in FIG. 2 is a series of call control in which when the UE 110 is turned on, the LTE system authenticates, establishes a connection with the UE 110, and registers with the LTE network when the UE 110 attach request is received. It is processing. With Initial Attach, wireless route setting, user authentication, connection processing to PDN (Packet Data Network) 120, eNodeB111-SGW113-PGW114 route setting, billing information setting, etc. are performed, and UE 110 can receive communication services It becomes. Note that the description will be made using the initial attach as an example of the call processing sequence, and the present embodiment can be applied to a call processing sequence other than the initial attach.

  The components of this system will be described with reference to FIG. UE 110 is a wireless terminal. eNodeB 111 is a radio base station. The MME 112 is a call control device. SGW (Serving GateWay) 113 and PGW (Packet data network GateWay) 114 are gateways for transferring data packets. The HSS 115 is a subscriber information management server. In this embodiment, communication devices that receive and process control messages from the UE 110, such as eNodeB 111, MME 112, SGW 13, and PGW 114, are collectively referred to as call processing devices.

  The analysis device 101 collects and analyzes the analysis packet 300 of FIG. 3 from a call processing device such as eNode111, MME112, SGW113, PGW114, HSS115, identifies and links packets belonging to the same sequence, detects an abnormality in the sequence, Analyze abnormalities. In this embodiment, as shown in FIG. 1, the analysis device 101 collects the analysis packet 300 from all the call processing devices 111-115. However, the analysis packet 300 may be collected from a part of the call processing device.

  Here, the operation when each call processing device 111-115 generates the analysis packet 300 will be described. However, the description of the part that operates as standard in Non-Patent Document 1 is omitted. In addition to the standard operation, the call processing device 111-115 creates a copy of the received packet and the transmitted packet, adds the header information 301-306 for analysis in FIG. 3 to these copied packets, and transmits to the analysis device 101 .

  The format of the analysis packet 300 will be described with reference to FIG. The device ID 301 is an identifier for identifying each of a plurality of call processing devices. A unique value is assigned to all devices to be monitored. The device ID 301 is managed by the analysis device 101 so as to be unique for each call processing device, and is distributed to the call processing devices 111-115 by the analysis device 101. The call processing ID 302 is an identifier for identifying call processing executed by the call processing device, that is, a series of sequences to which the packet belongs. Each call processing device 111-115 individually manages the call processing ID 302 so as to have a unique value for each call within each call processing device 111-115.

  The transmission / reception flag 303 is a field indicating whether the packet is a packet received by the call processing device or a transmitted packet, and is used to enable the analysis device 101 to distinguish between the received packet and the transmitted packet. A transmission / reception time 304 indicates a transmission time or a reception time in the call processing device. The call processing device adds a transmission time to the transmission packet and adds a reception time to the reception packet. Type 305 is a field indicating whether call processing for the corresponding packet has been performed normally or abnormal processing such as retransmission has been performed. For example, by assigning normal transmission: 0, retransmission: 1, fragment: 2, etc., the analysis device 101 is used to identify the processing executed by the call processing devices 111-115. The field 306 is packet information, and the call processing apparatuses 111-115 store the received packet or the transmitted packet in the field 306. Here, a received packet means a packet received from another call processing device by a certain call processing device, and a transmission packet means a packet transmitted from one call processing device to another call processing device.

  The configuration of the call processing device and the procedure for giving analysis information will be described with reference to FIG. 4, FIG. 5, and FIG. A configuration common to the call processing devices 111-115 shown in FIG. 1 will be described as the call processing device 119 of FIG.

  The transmission / reception unit 410 is connected to an external device of the call processing device 119 via a communication line. The transmission / reception determination unit 411 determines that the packet is received from the external device if the analysis header information 301-306 is not added to the input packet. Is determined to be a packet. In the case of a received packet, the transmission / reception determining unit 411 adds analysis header information 301-306 to the received packet, and the transmission / reception information adding unit 412 stores information indicating the received packet in the transmission / reception flag 303, and The reception time 304 is registered and transmitted to the call processing unit 420.

  FIG. 5-A and FIG. 5-B show processing executed by the call processing unit 420. The subsequent call processing unit 420 will be described with reference to FIG. The call processing unit 420 duplicates the packet received from the transmission / reception unit 410 by the received packet duplication unit 441 (501), and then performs processing by the protocol processing unit 430 according to the protocol. Here, the reason why received packet replicating section 441 replicates the received packet is to transmit the received packet to analysis apparatus 101. The copy source received packet is processed by the call processing unit 420 and then becomes a transmission packet.

  Of the protocol processing unit 430, the new call determination unit 431 determines whether or not the processing is processing for a new call. The determination method depends on the content of the call processing. Here, a case will be described in which an Attach Request 202 is received when the call processing device is the MME 112.

  When receiving the packet, the new call determination unit 431 extracts the UE identifier and the message identifier from the packet according to the 3 gpp standard (502). Here, the UE identifier is GUTI of UE 110, and the message identifier is Attach Request. In the MME 112, the Attach Request 202 is a message for starting call processing. Here, the new call determination unit 431 confirms whether or not the extracted GUTI is registered in the call information 611 of the call information management table 610, and determines that it is a new call if not registered (503).

  If the call is a new call, the new call determination unit 431 registers GUTI as GUTI613 in the call information 611 of the call information management table 610. Further, the call processing ID generation unit 442 generates a call management ID 612 for uniquely identifying the UE 110 from other user terminals in the call processing device 119, and the call management ID 612 and the call processing ID management table of the call information identification table 610. Each of them is registered in the call management ID 621 of 620 (504). FIG. 6 illustrates a case where the call management ID is 0. In addition, the new call determination unit 431 writes “Attach start” to the state 622 of the entry that is newly registered in the call processing ID table 620 and the call management ID 621 is 0, so that the Attach Request process for the corresponding UE 110 has started. Is notified to the call processing ID management unit 440 (505).

  The protocol processing unit 430 performs call processing according to the 3 gpp standard (not shown), and then registers the IMSI stored in the UpdateLocationRequest 203 as a transmission packet in the call information 611 of the call information management table 610 as the IMSI 614. This IMSI is information for identifying the UE 110 in the UpdateLocationRequest 203. Further, the type determination unit 432 determines the type of processing from the result of the call processing by the protocol processing unit 430 (506) and stores it in the type 624 of the call processing ID management table 620 (507).

  When the processing of the protocol processing unit 430 is completed, the protocol processing unit 430 passes the call management ID 612 generated in step 504 to the call processing ID management unit 440. When receiving the call management ID 612, the call processing ID management unit 440 starts the processing of FIG. The call processing ID management unit 440 acquires the call management ID 612 received from the protocol processing unit 430 (508). The call processing ID generation unit 442 refers to the call processing ID table 620 using the call management ID 612 as a key, and determines whether the call is a new call with reference to the state 622 (509). When the status 622 indicates “Attach start” written by the protocol processing unit 410, the call processing ID generation unit 442 determines that the call is a new call, generates a new call processing ID (510), and sets the call processing ID table. It registers in the call processing ID 623 of 620 (511). In the example shown in FIG. 6, the call processing ID 623 is 0 and the same value as the call management ID 621, but the call management ID 621 and the call processing ID may be the same value or different values. Then, the call processing ID generating unit 442 updates the state 622 from “Attach started” to “Attach processing in progress”. If the call is not a new call, the call processing ID 623 registered in the call processing ID management table 620 is acquired when the state 622 referred to in step 509 indicates “Attach processing in progress” (512).

  The analysis information adding unit 443 stores the call processing ID 623 newly generated in step 510 or acquired from the call processing ID management table 620 in step 512 in the call processing ID 302 (513). Also, the analysis information adding unit 443 obtains the type 624 using the call management ID 621 as a key, stores its own device ID in the device ID 301 in the packet type 305 of the analysis header information 300, and stores these information. The analysis header information 300 is added to the received packet and the transmitted packet (514). The analysis information adding unit 443 further sets a transmission flag 304 in the transmission packet. Finally, the call processing unit 420 transmits the reception packet and the transmission packet to the transmission / reception unit 410 (515).

  The transmission / reception information adding unit 412 of the transmission / reception unit 410 checks the transmission / reception flag 304 for the reception packet and transmission packet received from the call processing unit 420, and if the transmission / reception flag 304 indicates transmission, the packet to be transmitted Is created, and the header for analysis of one of the duplicated packets is removed. Then, the transmission / reception information adding unit 412 adds the transmission time 305 to the analysis header of the transmission packet with the analysis header, and transmits it to the analysis apparatus 101. When the transmission / reception flag 304 indicates reception, the transmission information is not added, and the data is transmitted to the analysis apparatus 101 with the analysis header information attached.

  With the above processing, the call processing device 119 receives the packet at the transmission / reception unit 410, and then adds analysis information including the call processing ID 302 at the call processing unit 420, and sends the analysis packet 300 from the 410 to the analysis device 101. Send. In the above description, by selecting a key of the call processing ID table 444, a common call processing ID can be held from the start to the end of the procedure executed by the corresponding call processing device 111-115.

  Next, the analysis apparatus 101 will be described with reference to FIG. The transmission / reception unit 710 is connected to the call processing device 119 and the storage 770, and serves as an interface for communication between the external device and the processing unit 720. The device ID / call processing ID classification processing unit 730 classifies the analysis packet 300 received from the call processing device 119 for each of the device ID 301 and the call processing ID 302, and holds them as a packet sequence by device call processing ID shown in FIG. The generated packet sequence 765 for each device call processing ID is held in the memory 760 according to the memory capacity of the analysis device 101 or the data amount or time limit set by the system administrator. The device call processing ID-specific packet sequence 765 that is no longer held due to the above conditions is discarded or stored in the storage 770 according to the setting of the system administrator.

  The packet association processing unit 740 creates the sequence collection result packet sequence 767 shown in FIG. 13 by extracting and linking together the analysis packets 300 belonging to the same sequence from the packet sequence 765 for each device call processing ID. . Specifically, the packet association processing unit 740 compares the transmission packet 300 and the reception packet 300 between the two devices stored in the device call processing ID-specific packet sequence 765, and matches the packets belonging to the same sequence. I will link it as Since it takes time to compare all the packets in the device call processing ID-specific packet sequence 767 one by one, the packet association processing unit 740 narrows down the packets to be compared as will be described later.

  The anomaly analysis unit 750 checks the sequence anomaly reproduced by the packet association processing unit 740 as the sequence collection result packet sequence 767. Only when there is an anomaly, the packet sequence bundled as belonging to a series of sequences Therefore, a determination process such as storing in the storage 770 is executed.

  The analysis apparatus 101 uses the packet comparison table 771 and the apparatus ID table 772 using the information of the analysis packet 300 received from the call processing apparatus 119 as a key. FIG. 11 is an example of a packet comparison table 771. The packet comparison table 771 uses the packet match search time range 1104 as a threshold for packet comparison by the packet association processing unit 740 to narrow down the packets to be compared from the packet sequence 765 by device call processing ID for packet payload comparison. The packet comparison key type 1103 is stored as a field. These thresholds and fields are specified by the system administrator. The reception device ID 1101 and the transmission device ID 1102 are keys for using values held in the packet comparison table 771. The system administrator makes settings relating to packet comparison using both or one of the device IDs of the device that transmitted the packet and the device that received the packet as a key.

  In FIG. 11, an IP payload is stored as the packet comparison key type 1103. The system administrator can change the Ether payload or TCP payload depending on the network configuration. The packet match search time range 1104 specifies the interval between the transmission and reception times 304 of the analysis packet 300 to be subjected to payload comparison in the search processing performed by the payload comparison unit 744. For example, in FIG. 2, when the time when the eNodeB 111 transmits the Attach Request 202 is T_A and the time when the ME 112 receives the Attach Request 202 is T_B, the difference between the T_B and T_A is within the time stored in the packet match search time range 1104. If so, these packets are compared. In the packet match search time range 1104, a standard of time until a packet arrives at an adjacent device is set.

  The search time range 1105 for the packet string sets a timeout time set in the timer monitoring unit 734 of the device ID / call processing ID classification processing unit 730. When this time is timed out, the device ID / call processing ID classification processing unit 730 determines that the sequence has ended without receiving the analysis packet 300 having the same device ID and call processing ID. The collection of the analysis packet 300 having the ID / call processing ID is terminated. In the search time range 1105 for the packet sequence, for example, a time required for one procedure can be set as a guide. In this case, 100ms is the target for 3gpp. In the search time range 1105 in FIG. 11, 1s is set to enable collection even when there is a retransmission.

  FIG. 12 shows an example of the contents of the device ID table 772. In the device ID table 772, a set of the IP address 1201 of each call processing device and the device ID 1202 of each call processing device assigned by the analysis device 101 is stored. As will be described later, when the packet narrowing unit 741 narrows down the comparison target packet, the packet narrowing unit 741 receives the packet by referring to the transmission destination or source IP address of the packet body stored in the packet sequence 765 for each device call processing ID, or By identifying the device of the other party that transmitted and searching the device ID table 1201 with the IP address of the identified partner device, the device ID 1202 of the identified partner device is obtained.

  Note that information for identifying the call processing device on the network, such as an IP address, may be used as it is as the device ID. In this case, the device ID 301 in FIG. 3, the device ID 1091 in FIG. 10, the receiving device ID 1101 in FIG. 11, the transmitting device ID 1102 in FIG. 13, the device ID 1391 in FIG. It is applied as it is. In this case, the device ID table 772 in FIG. 12 is not necessary. In the case where a plurality of call processing devices are assigned IP addresses in duplicate, a device ID is prepared separately from the address information as in this embodiment.

  FIG. 8 shows a processing flowchart of the device ID call processing ID classification processing unit 730. FIG. 10 shows a packet sequence 765 for each device call processing ID output by the device ID call processing ID classification unit 730 as a result of the processing flow of FIG.

  First, the transmission / reception unit 710 receives the analysis packet 300 from the call processing device 119 (801), and the transmission / reception unit 710 passes the received packet to the processing unit 720. The device ID / call processing ID classification processing unit 730 acquires the device ID 301 and the call processing ID 302 from the received analysis packet 300 (802). Next, the device ID determination unit 731 examines a set of device ID 301 and call processing ID 302 (hereinafter referred to as device call processing ID) of the received analysis packet 300 (803), and packet by device call processing ID In the case of new device call processing IDs 301 and 302 not registered in the column 765, in the packet column 765 by device call processing ID as a memory area for storing the packet 300 having the corresponding device call processing IDs 301 and 302. One area is allocated (804). Here, when the device ID of the received analysis packet 300 is “120” of the MME 112 and the call processing ID 302 is “100”, the area of the packet sequence 1020 in FIG. Stored in the area. The device ID of the MME 112 is “120” as illustrated in the device ID table 772.

  At this time, the device call processing ID determination unit 732 also assigns a timer 768 to determine whether collection of the analysis packet 300 having the same call processing ID is completed (804). Here, the timer 768 is assigned for each set of the device ID 301 and the call processing ID 302, that is, for each packet sequence for each device call processing ID. The timer 768 is used by the timer monitoring unit 734 to determine the completion of the generation of the packet sequence 1020. That is, if the device call processing ID determination unit 732 does not receive a new analysis packet 300 even after the time set in the timer 768, the device call processing ID determination unit 732 estimates that the exchange of packets belonging to a series of procedures has ended. A determination is made to end the generation of the packet sequence for each device call processing ID.

  In step 803, if the device call processing ID of the received analysis packet 300 already exists in the packet string for each device call processing ID, or if step 804 is processed, the device call processing ID determination unit 732 corresponds. The packet body 306 of the analysis packet 300 is stored in the packet 1096 of the device call processing ID-specific packet sequence 765, and the timer 768 is reset (805). The transmission / reception flag 303 included in the analysis header information of the analysis packet 300 is set to the transmission / reception flag 1093 of the packet sequence 1020, the transmission / reception time 304 is set to the transmission / reception time 1094, and the type 305 is type 1095. Respectively.

  The timer monitoring unit 734 compares the timer 768 with the threshold set in the packet sequence search time range 1105 of the packet comparison table 771, and determines that a timeout has occurred when the packets of the device call processing IDs 1101 and 1102 are not received for the threshold time or longer ( 806). If it is determined that the timeout has occurred, the sorting unit 733 sorts the packets in the packet sequence 765 classified by device call processing ID determined as timeout in the order of the transmission / reception time 1094 (807), and the packet sequence 765 classified by device call processing ID. Complete the generation. If the timer monitoring unit 734 receives the same device call processing ID analysis packet 300 and determines that the timer 768 corresponding to the device call processing IDs 1101 and 1102 has been reset before the timer monitoring unit 734 determines that the timeout has occurred, the timeout does not occur (806) Then, the generation of the packet sequence 765 for each device call process ID is not completed and the reception process is continued (801).

  Thus, the classification of the analysis packet 300 transmitted from all the call processing devices 119 by the device ID 301 and the call processing ID 303 is completed, and the packet sequence 765 for each device call processing ID is output. FIG. 10 shows an output example of the Initial Attach sequence of FIG. The device ID of each device is as shown in the device ID table of FIG.

  Next, referring to FIG. 7, FIG. 9, and FIG. 10, the packet association processing unit 740 collects packets belonging to the same sequence across a plurality of call processing devices 111-115 from the packet sequence 765 by device call processing ID. A process for restoring the sequence of FIG. 2 will be described.

  FIG. 9 is a flowchart showing processing in which the packet association processing unit 740 associates packets belonging to a series of sequences from the device call processing ID-specific packet sequence 765 and restores the sequence. The packet linking processing unit 740 detects the trigger for starting the linking process and instructs the start of the process, and the system administrator sets the number of packet sequences 765 for each device call processing ID monitored by the start determination unit 746 The packet linking process is started when the predetermined amount is exceeded (900). The trigger is that the call processing device 119 stores information specifying the start / end of call processing in the type 305 of the analysis packet 300, and the start determination unit 746 examines the packet sequence 765 by device call processing ID to identify the start information. It may be triggered by the fact that both pieces of end information are available. Alternatively, the start determination unit 746 may include a timer, and the association may be started when a certain time has elapsed since the start of generation of the device call processing ID-specific packet sequence 765.

  Next, the packet association processing unit 740 acquires a packet sequence for starting association in the packet sequence 765 for each device call processing ID, for example, a pair of the device ID 1091 and the call processing ID 1092 of the first packet 1021 of the packet sequence 1020. (901). For simplicity, the apparatus call processing IDs 1091 and 1092 acquired here are represented as “S”. Here, “S” is a set of ID = “120”, which is the device call processing ID of the packet sequence 1020, and call processing ID = “100”. Further, in the process 901, when there are a plurality of packet strings that can be linked, the process may be started from any device call process ID packet string 765.

  Next, the packet narrowing unit 741 acquires the first packet 1021 of the packet sequence specified by “S” (902). In the flowchart of FIG. 9, the corresponding packet 1021 is represented as “P”. The packet narrowing unit 741 narrows down the number of packets to be compared using the IP address included in “P”, the transmission / reception flag 1093, and the transmission / reception time 1094 (903). Since packet 1021 is a received packet from transmission / reception flag 1092, packet narrowing unit 741 uses the IP address of the transmission source and uses the IP address 1201 of device ID table 1200 as a key, that is, the device that transmitted the packet. The device ID 1302 is acquired. The corresponding IP address 1201 is that of the eNodeB 111, and “110” is obtained as the device ID 1202.

  In this example, it can be seen that the device that transmitted the packet 1021 is the eNodeB 111 and the device ID is “110”. As a result, the device ID 1091 to be compared is narrowed down to “110”. Of the packet sequences 1010-1050 in FIG. 10, the device ID 1091 whose value is “110” is the packet sequence 1010. Although omitted in FIG. 10, the analysis apparatus 101 also includes a packet sequence having apparatus ID 1091 = “110” and other call processing ID 1092. Including the other packet sequence, it is expressed as “packet sequence of device ID“ 110 ””. “Packet string of device ID“ 110 ”” includes a packet string 1010.

  Next, the packet narrowing unit 741 further narrows down the packet string to be searched from “packet string of device ID“ 110 ””. The packet narrowing unit 741 searches the packet comparison table 1100 for an entry whose receiving device ID 1101 is “120” and the transmitting device ID 1102 is “110”, acquires the time range narrowed down from the search time range 1104 of the entry, and Packets outside the time range to be performed are excluded from “packet string of device ID“ 110 ””. Further, since the transmission / reception flag 1093 of the packet 1021 indicates the received packet, the packet narrowing unit 741 extracts only the transmission packet from the “packet string of the device ID“ 110 ””. In this explanation, the example of narrowing down by transmission / reception after narrowing down by time has been described, but after narrowing down by transmission / reception first, narrowing down by transmission / reception time is performed later. May be. The packet string that is extracted by the packet narrowing unit 741 through the above-described processing and that includes only the transmission packet within the comparison target time is denoted as “transmission packet string of device ID“ 110 ””.

  Next, the payload comparison unit 744 acquires the setting of the payload to be compared from the packet comparison key type 1103 of the packet comparison table 1100. Hereinafter, when comparing payloads, IP payloads are compared. The reason for the IP payload is that the header field below IP is edited when there is a switch or router between call processing devices. Of the information included in the packet 1096, a part other than the IP payload may be set as a comparison target. The payload comparison unit 744 compares the payload of the packet 1021 and the payload of the packet of the “transmission packet sequence with the device ID“ 110 ”” in order of time (904).

  The payload comparison unit 744 performs the payload comparison for all the packets in the “transmission packet sequence of the device ID“ 110 ””. The packet payload included in the packet body 1096 of the packet 1011 included in the packet sequence 1010 matches the packet payload included in the packet body 1096 of the packet 1021 in the “transmission packet sequence of the device ID“ 110 ””. (904). In the flowchart, the matched packet 1012 is expressed as “Pt”. Here, in FIG. 10, for the “transmission packet string of device ID“ 110 ””, the description of the packet string whose call processing ID 1092 value is other than “100” is omitted. Even if a plurality of packet sequences having the same device ID 1091 and different call processing IDs 1092 are mixed, the call information of the payload and other message information are different for each packet. Therefore, by detecting a packet having the same payload as the packet 1021, the packet 1012 belonging to the same sequence as the device call processing IDs 1091 and 1092 of “S” can be extracted. Packets that are within the time specified by the packet matching search time range 1104 in the packet comparison table 1100 in the time comparison order, but cannot be matched with packets sent / received by other devices (does not match) Is a mismatch. Since the case of the mismatch will be described in Example 2, it is omitted here.

  Next, the payload comparison unit 744 stores the packet 1021 (Attach Request 202) and the packet 1012 (Attach Request 202) in the sequence collection result packet string 767. FIG. 13 shows a configuration example of the sequence collection result packet sequence 767. The packet 1021 is stored in the entry 1302 of the packet sequence 767, and the packet 1012 is stored in the entry 1301 of the packet sequence 767. The payload comparison unit 744 saves the fact that it has been searched in the searched column 1390 of the packet 1021 used as the comparison source at the time of storage. Here, the case where the packets 1301 and 1302 of the Initial Attach packet sequence of FIG. 2 are stored as the sequence collection result packet sequence 767 is shown (905).

  Next, the payload comparison unit 744 determines whether there is a next packet in the device call processing IDs 1091 and 1092 (device ID = “120”, call processing ID = “100”) of the packet 1021, that is, there is an unprocessed packet in the packet string 1020. It is checked whether or not there is (906). Since there is a packet 1022 in the packet sequence 1020, the determination is yes and the process proceeds to the next process (907). The packet association processing unit 740 newly sets the packet 1022 as “P” (907), and repeats the processing (903-905). Thereafter, the packet association unit 740 repeats the process for the packet sequence 1020 up to the packet 1027. Here, in addition to the packets 1021 and 1012 described above, the packet 1051 based on the packet 1022, the packet 1052 based on the packet 1023, the packet 1031 based on the packet 1024, the packet 1034 based on the packet 1025, the packet The packet 1013 is stored in the sequence collection result packet string 767 based on the packet 1013 and the packet 1016 based on the packet 1027.

  Next, the unsearched determination unit 745 stores the device call processing ID 1091 and 1092 (device ID = “120”, call processing ID = “100”) of the packet sequence 1020 and the packet sequence 1010 stored in the sequence collection result packet sequence 767. Device call processing ID 1091 and 1092 (device ID = “110”, call processing ID = “1”) and device call processing ID 1091 and 1092 (device ID = “150”, call processing ID = “10”) of the packet sequence 1050 And “S” from the searched sequence column 1390 of the Initial Attach sequence collection result packet sequence 1300 among the device call processing IDs 1091 and 1092 (device ID = “130”, call processing ID = “1000”) of the packet sequence 1030 A device call processing ID that has never been handled (not handled as a comparison source) is determined (908), and is newly set as “S” (909), and a narrowing process is executed (903). Here, since the device call processing IDs 1091 and 1092 of the packet sequences 1010, 1050, and 1030 are to be processed, they are sequentially executed. First, the device call processing IDs 1091 and 1092 in the packet sequence 1010 are newly set as S.

  Next, the payload comparison unit 744 executes a linking process (902-907) for the device call processing IDs 1091 and 1092 of the packet sequence 1010. At this time, there is no packet whose payload is newly matched in the packet sequence 1010. At this time, the payloads of the packets 1012 and 1021 already stored in the Initial Attach packet sequence 1300 match, but the payload comparison unit 744 performs a device call before storing the packet 1021 in the Initial Attach sequence collection result packet sequence 1300. Check whether a packet with the same processing ID 1091,1092 (device ID = “110”, call processing ID = “1”) and transmission / reception time 304 (T3, T2) is stored. Do not save 1021. Subsequently, the payload comparison unit 744 also processes the device call processing IDs 1092 and 1092 in the packet sequence 1050, and there is no new matching packet. Next, the payload comparison unit 744 performs comparison processing based on the device call processing IDs 1092 and 1092 of the packet sequence 1030 (902-907). Here, the packet 1041 is stored based on the packet 1032 and the packet 1042 is stored based on the packet 1033 in the initial attach packet sequence 1300 (903-907). Further, the payload comparison unit 744 newly sets the device call processing ID 1092 and 1092 of the packet sequence 1040 as “S” (908, 909) and repeats the same processing (902-907).

  As described above, when there are a plurality of device call processing IDs 1091 and 1092 with matching payloads, the packet association processing unit 740 executes all the device call processing IDs 1091 and 1092 by performing the above-described processing shown in FIG. For the call processing devices 111-115, the call processing packet sequence 1010-1050 from the start to the end of one Procedure can be stored in the sequence collection result packet sequence 767.

  When the device call processing IDs 1091 and 1092 newly set to “S” disappear, the packet association processing unit 740 determines that the corresponding call processing sequence has been reproduced (908), and a new sequence reproduction that is another call processing. The process proceeds (910). The processing unit 720 sets “S” as a new device call processing ID 1091 and 1092 (911), allocates a memory area for storing packets belonging to the corresponding sequence (912), and repeats the processing.

  When the start determination unit 746 determines (910) that the device call processing ID-specific packet sequence 765 has not been generated, the processing of the packet association processing unit 740 ends here. If new analysis packets 300 are transmitted from the call processing devices 111-115 to the analysis device 101, the analysis device 101 executes the above-described processing one after another. According to the above embodiment, a normal sequence of Initial Attach is reproduced, and the initial Attach call control packet sequence of FIG. 13 is output with the packet sequence of FIG. 10 as an input.

  Using the reproduced sequence, it is possible to confirm at a glance that the call processing sequence is processed normally, and it is possible to easily confirm the operation following the call processing sequence, such as when adding or switching call processing devices. . In order to achieve the above effect, in this method, since the analysis device uses the dedicated header added by the call processing device and the payload is compared, the analysis device simulates the operation of the LTE system. There is an advantage that does not require a complicated mechanism.

  In this example, not only a normal sequence but also an example in which a sequence can be reproduced when there is an abnormality is shown. Further, after reproduction, normality / abnormality is determined, and only the sequence determined to be abnormal is stored in the storage 770. An example will be described.

  FIG. 14 is an example of a sequence including a retransmission packet in the second embodiment, and is also a part of the sequence shown in FIG. In the packet sequence in FIG. 14, the description of the portions denoted by the same reference numerals as those in FIG. The difference between FIG. 14 and FIG. 2 is that the Create Session Request 206 in FIG. 2 transmitted from the SGW 113 to the PGW 114 has a signal loss of the signal 1401 and the signal 1402 is retransmitted in FIG. Signals 1401 and 1402 are the same Create Session Request messages as the signal 206.

  FIG. 15 is a flowchart for the packet association processing unit 740 to reproduce the sequence when a packet is lost and retransmitted. Description of parts already described in FIG. 9 is omitted. Even if the lost packet 1401 exists, since the packet association processing unit 740 reproduces the sequence, a branch 1501 and a process 1502 are added to the processing flow of FIG. 9 in FIG. Also, processing 1503 is added in order for the abnormality analysis unit 750 to perform abnormality determination.

  In the first embodiment, consider a case where “P” is a lost packet 1401 in the payload comparison processing (904) executed by the payload comparison unit 744. At this time, since there is no matching packet in the packet sequence 765 for each device call processing ID in the payload comparison processing (904), the determination result branches to no (1501). Here, the packet of Create Session Request 1401 transmitted by SGW 113 and the packet of Create Session Request 1402 received by PGW 114 do not match because the time until retransmission of packet 1402 after transmission of packet 1401 is the packet comparison table. This is a case where the packet match search time range 1104 is longer than the packet match search time range 1104. Usually, a time shorter than the time required for packet retransmission processing is set in the packet match search time range 1104. If there is no match, the packet association processing unit 740 starts processing the next packet (906). The next packet is a retransmission packet 1402, and since this packet has been received by the PGW 114, it matches in the payload comparison process (904). The payload comparison unit 744 stores the comparison target packet and the comparison source packet 1402 of the matched packet 1402 and the packet sequence having the same device call processing IDs 1901 and 1902 as the comparison source packet 1402 in the sequence collection result packet sequence 767 (1502 ). As a result, loss packets having the same device call processing IDs 1901 and 1902 as the retransmission packet 1402 can also be stored in the sequence collection result packet string 767 (905). From the above, the sequence can be reproduced even when there is a packet loss.

  In addition, for the sequence collection result packet string 767 that has been collected by the above processing, the abnormality analysis unit 750 can identify that there is an abnormality in the sequence by checking the type 1395 (1503). Note that the protocol processing unit 430 registers in the type 1395 whether or not the message has been normally transmitted or received.

  By using the recorded type 1395 abnormality information, the abnormality analysis unit 750 stores only the abnormal sequence. When the storage capacity is limited, the abnormal sequence is preferentially stored over the normal sequence. It is possible to make a determination such as storing abnormal sequences separately. This makes it possible to improve the efficiency of problem analysis performed by the maintenance person and save the storage 102 for captured data.

  In the present embodiment, an example will be described in which a cause is identified and countermeasures can be taken by tracing and analyzing a sequence from a node where a problem has become present. As an example, when the MME 112 receives an AttachRequest 202 burst from the eNodeB 111, the packet sequence constituting the burst is linked to the Create Session Request 205 transmitted from the MME 112, and the terminal model is determined from the IMEI (International Mobile Equipment Identity) of the Create Session Request 205 An example to identify is shown. Here, IMEI is an identification number assigned to a terminal used by a user, and has information such as the model of the terminal. A burst means a state in which high bandwidth traffic of a certain value or more continues for a certain time. The burst reception means that a communication node such as the call processing device 111-115 receives burst traffic. When the communication node receives a burst and the processing capability is insufficient, congestion occurs and countermeasures are required.

  Processing performed by the abnormality analysis unit 750 will be described with reference to FIG. First, the abnormality analysis unit 750 detects a burst from the reception / transmission time 1394 of the sequence collection result packet sequence 767 (1601). The burst detection method is, for example, using the reception / transmission time 1394 to calculate the reception amount within a predetermined time by the transmission / reception flag 1393 for each device ID 1391, and burst reception if the number of received packets exceeds a predetermined threshold Can be determined. When a burst is detected (1602), the abnormality analysis unit 750 takes the model-specific statistics (1603). A method of collecting statistics for each model will be described. The abnormality analysis unit 750 identifies the MME 112 that has caused the burst based on the device ID 1391, and identifies the terminal model by examining the IMEI of the Create Session Request 205 transmitted by the MME 112. Statistical values can be counted with the identified model.

  The abnormality analysis unit 750 monitors the statistical information, and can determine that the terminal model is the cause of the burst when the statistical information of a specific model is equal to or greater than a threshold value. When the abnormality analysis unit 750 determines the cause model, it notifies the maintenance person (1604). Here, in order to identify the terminal model that causes the burst, it is necessary to detect the burst and know the IMEI of the packet that constitutes the detected burst. Further, the field including IMEI of the packet between the eNodeB 111 and the MME 112 is encrypted. Therefore, when packet linking is not performed using this method, it is necessary to extract the encrypted IMEI, which is difficult. In the present invention, since the packets transmitted and received between the opposing devices are compared, it is possible to determine whether or not the encrypted packets are the same if they are matched while being encrypted.

  As described above, it is possible to identify the terminal model that causes the burst reception by associating the packet that causes the burst with the transmission packet of the MME 112. By identifying the model, it became possible to narrow down the causes of failures such as congestion.For example, by narrowing down to the applications used only for that model, the cause of the problem could be identified and the corresponding application could be found. In such a case, it is possible to take measures such as requesting the manufacturer of the application to take measures.

  An example will be described in which when a node having a potential problem causes a failure in another normal node, the failure causing node is identified by analyzing along the sequence. In this embodiment, the sequence based on the packet sequence of FIG. 13 reproduced in the second embodiment is used. The sequence reproduction method is the same as in the second embodiment. Further, in this embodiment, description will be made with reference to the same drawings as those in the first embodiment and the second embodiment, and the illustration of the additional portions will be omitted.

  As an example, when the eNodeB 111 operates abnormally and the retransmission of the Attach request 202 occurs frequently in a short time, the load is imposed on the SGW 113 or HSS 115 connected to the MME 112 even though other call processing devices are operating normally. Suppose that increases. At this time, for example, when the HSS 115 is congested and a failure occurs, an example of detecting the cause of the eNodeB 111 is shown.

  First, the abnormality analysis unit 750 uses the HSS 115 device from the sequence group immediately before the failure occurs in the HSS 115 based on the failure time of the HSS 115 specified by a predetermined method, the transmission / reception time 1394 of the packet sequence 1300, and the device ID 1391. A packet sequence 1300 having ID 1391 is extracted. As a method for specifying the failure time, for example, there is a method in which the system administrator inputs to the analysis apparatus 101 or an alarm received by the abnormality analysis unit 750 from the HSS 115.

  Next, the abnormality analysis unit 750 counts the number of packets for the extracted abnormal sequence group by type 1395 and by device ID 1301. When retransmission is repeated, the count result is biased toward retransmission for type 1395, and the device ID 1391 that is retransmitting and the device ID 1391 that is receiving the retransmission packet are found. As a result, the system administrator can discover that the eNodeB 111 is repeatedly retransmitted to the HSS 115.

  By performing anomaly analysis using the packet sequence 1300 of the sequence reproduced as described above, the anomaly analysis unit 750 is based on the failure time of the HSS115 at which the failure became apparent, the device ID 1391 of the HSS115, and other information for analysis. It is possible to easily reach the eNodeB 111 that causes the problem.

  If the above failure occurs due to, for example, an eNodeB111 retransmission time (retransmission time interval) setting error, the HSS115 in which the failure is actualized or the MME112 adjacent to the failure may be misunderstood. High nature. Also, it is difficult to specify the eNodeB 111 that causes the failure by using only the packet capture and the failure log of the HSS 115. Even in such a case, according to the present embodiment, the cause of the failure can be quickly identified.

  In the plurality of embodiments described above, information necessary for reproduction of a sequence held by the call processing device in the device during call processing (hereinafter referred to as analysis information) is added to the reception / transmission packet to generate an analysis packet. A step of transmitting the analysis packet to an external device for analysis; receiving and analyzing the analysis packet; associating a packet sequence belonging to the same sequence; and reproducing a call processing sequence; A method for reproducing and storing a call processing sequence including an abnormality detection step for detecting an abnormality for the reproduced sequence and a step of selecting a packet sequence to be stored based on the detected abnormality together with a specific embodiment explained.

  It also has a call processing device that adds analysis information to the transmitted or received call processing packet, generates an analysis packet and transmits it to the analysis device, receives the analysis packet from the call processing device, analyzes and collects the sequence Including a database for holding data for efficient analysis and collection processing of the analysis device, the call processing device for identifying a sequence being processed in call processing Means for generating and holding an identifier (call processing ID) for identifying call processing in the device in association with information for each call processing, means for adding the call processing ID to a packet as part of analysis information, As analysis information, a device ID for the analysis device to identify the call processing device, a transmission / reception flag indicating whether the packet is a received packet or a transmitted packet, and a packet is transmitted / received A means for holding and adding to the packet the type information indicating whether the physical port, packet transmission / reception time, packet processing was performed normally, or whether the packet was abnormal, such as retransmission. Packets received between the two devices from means of receiving packets and classifying packets of the same sequence for each device by device ID and call processing ID, and packet sequence classified by device and call processing ID If they match, it is determined that they belong to the same sequence, and means for associating with the corresponding sequence, as a pre-processing of the payload comparison, Using the reception time, the means for narrowing down the number of packets to be compared and the analysis information of the packet sequence belonging to the reproduced sequence are examined and resent. Means for identifying a sequence in which an abnormality has occurred, means for specifying, recording, and displaying a call processing device belonging to the sequence, means for using database information using analysis information or field values of call processing packets as keys And the database uses the analysis information or the packet header information as a key in the narrowing-down process of the number of packets to be compared, and the information on the narrow-down and the payload information A system for reproducing a call processing sequence characterized by comprising means for holding offset information and providing it to an analysis apparatus has been described.

  As described in the plurality of embodiments, at least one of the embodiments can provide the following effects. By using the reproduced sequence, the maintenance person or the analysis apparatus can perform analysis in accordance with the call processing sequence, and can efficiently identify the cause of the abnormality. When the call processing device adds processing contents such as normal transmission and retransmission to the packet, the analysis device can determine whether an abnormality has occurred in the reproduced sequence, and can extract a call processing device related to the abnormal sequence. In addition, the analysis device distinguishes between normal sequences and abnormal sequences, so that it is possible to use a storage method such as storing only sequences when an abnormality occurs in the analysis device. Can be reduced. In addition, by recording statistics about abnormal sequences in the analysis device, it is possible to collect basic data for application to trend analysis such as analyzing routes and call processing devices that are likely to cause abnormalities.

  In addition, processing added to call processing in the call processing device is only addition of analysis information and transfer to the analysis device, and the influence of the implementation of the present invention on the load on the call processing device is small. Since the analysis apparatus reproduces the sequence using the analysis information added to the received analysis packet, processing such as DPI (Deep Packet Inspection) for analyzing a high layer is not required. Therefore, the processing load of the analysis apparatus can be suppressed to a low addition. By using the reception / transmission time information added by the call processing device, the maintenance person or the analysis device can observe the delay time between all the call processing devices along the reproduced sequence.

101 Analyzer
102 Capture storage, DB storage
110 UE
111 eNodeB
112 MME
113 SGW
114 PGW
115 HSS
120 PDN
201,202 Attach Request
203 Update location request
204 Update location response
205,206 Create session request
207, 208 Create session response
209 Attach accept
210 RB establishment request
211 RB establishment response
212 Attach complete
300 packets for analysis
301 Device ID
302 Send / Receive port
303 Call processing ID
304 Send / Receive flag
305 Send / Receive time
306 type
307 Call control packet
401 Call processor receiver
402 Call processor Call processor
601 GUTI and call processing ID
602 IMSI and call processing ID
701 transceiver
702 Device ID / Call Processing ID Classification Processing Unit
703 packet linking processor
704 Anomaly analysis unit
705 packet storage
1010 eNodeB packet sequence
1020 MME packet sequence
1030 SGW packet sequence
1040 PGW packet sequence
1050 HSS packet sequence
1101 Analysis condition table
1201 Device ID resolution table
1401 Abandoned Create session request
1402 Resent Create session request

Claims (10)

A first storage unit that stores a packet received from the communication device and first identification information for identifying the communication device in association with each other;
Among the packets stored in the first storage unit, for a plurality of packets held in association with the first identification information different from each other, at least a part of the information constituting the packet is compared. A processing unit that determines whether the contents match,
And a second storage unit that stores a combination of the plurality of packets determined to match by the processing unit. The analysis device according to claim 1,
A third storage unit that stores the first identification information and the address used in the network by the communication device specified by the first identification information;
The processor is
Obtaining the first identification information stored in the third storage unit in association with the address of the transmission destination or transmission source of any packet stored in the first storage unit;
An analysis apparatus, wherein a packet stored in the first storage unit in association with the acquired first identification information is selected as a comparison target of the arbitrary packet. The analysis device according to claim 2,
Transmission / reception information indicating whether the communication device has received or transmitted the packet is added to the packet received from the communication device,
The first storage unit also holds the transmission / reception information in association with the packet,
The processor is
When the transmission / reception information indicating that the packet has been transmitted is added, the first information stored in the third storage unit is associated with the address of the transmission destination of the packet. Get the identification information for
When the transmission / reception information indicating reception is added to the arbitrary packet,
The analysis apparatus characterized by acquiring the first identification information stored in the third storage unit in association with the address of the transmission source of the arbitrary packet. The analysis device according to claim 3,
The processor is
When the transmission / reception information indicating that the packet is transmitted is added to the arbitrary packet, the packet stored in the first storage unit is compared with the transmission / reception information indicating the reception. Target
When the transmission / reception information indicating reception is added to the arbitrary packet,
An analysis apparatus characterized in that the packet stored in the first storage unit in association with the transmission / reception information indicating transmission is used as a comparison target. The analysis device according to claim 4,
The packet received from the communication device is appended with time information when the communication device receives or transmits the packet,
The first storage unit also holds the time information in association with the packet,
The processing unit compares the packets when the difference in the time information between the packets stored in the first storage unit is within a predetermined time. The analysis device according to claim 5,
The packet received from the communication device is added with second identification information that is given by the communication device and identifies a series of sequences to which the packet belongs,
The first storage unit also holds the second identification information in association with the packet,
When the processing unit receives a packet from the communication device, the processing unit stores the packet for each combination of the first identification information and the second identification information. A plurality of communication devices that respectively transmit the received packet received via the network and the transmission packet generated based on the received packet and transmitted via the network with first identification information for identifying the device itself added thereto; ,
A first storage unit that associates the first identification information with the received packet received from the communication device, associates the first identification information with the transmission packet received from the communication device, and stores the first identification information; ,
Of the transmission packet and the reception packet stored in the first storage unit, of a plurality of packets held in association with the first identification information different from each other, A processing unit that compares at least a part of each other to determine whether the contents match,
Second storage for storing a combination of the transmission packet and the reception packet stored in the first storage unit in association with the different first identification information, the contents of which are determined to be identical by the processing unit A communication system. The communication system according to claim 7,
A third storage unit that stores the first identification information and the address used in the network by the communication device specified by the first identification information;
The processor is
Acquiring the first identification information stored in the third storage unit in association with the address of the transmission source of any received packet stored in the first storage unit;
A communication system, wherein a packet stored in the first storage unit in association with the acquired first identification information is selected as a comparison target of the arbitrary packet. The communication system according to claim 8,
Transmission / reception information indicating whether the packet is the transmission packet or the reception packet is added to the packet received from the communication device,
The communication system, wherein the first storage unit holds the transmission / reception information in association with the packet. The communication system according to claim 9,
The reception packet received from the communication device is appended with reception time information at which the communication device received the reception packet, and the transmission packet received from the communication device includes the transmission packet. Transmission time information transmitted by a communication device is added, and the first storage unit associates the reception time information with the reception packet, associates the transmission time information with the transmission packet, and holds the transmission time information. ,
The processing unit compares the packets when the difference between the reception time information of the received packet stored in the first storage unit and the transmission time information of the transmission packet is within a predetermined time. A communication system characterized by the above.

Images