JP5168098B2 - Detection apparatus, method, and program - Google Patents

Description

  The disclosed technique relates to a continuity confirmation technique for a network communication system.

  A ping command is often used for communication confirmation in an IP network. In ping, if a response request packet called an ICMP Echo request is transmitted to a host to be inspected and an ICMP Echo reply in response thereto is received, it can be determined that the host to be inspected is in communication.

  On the other hand, the same communication confirmation can be performed using TCP (Transmission Control Protocol) widely used in data communication. Specifically, if a data packet of 1 byte or more is transmitted to a host to be inspected and an ACK (ACKnowledgement) packet in which acknowledgment response information is stored is responded, the communication path including the target host is communicated. It can be judged that In a typical communication mode, one ACK packet is responded to two data packets to be transmitted.

  Now, as shown in FIG. 15, the above-described disconnection detecting device 1501 for the purpose of confirming communication is used as a network relay point, that is, using a means such as a tap between the transmission host 1502 and the reception host 1503. To install.

  In this case, the communication confirmation with respect to the receiving host 1503 can be confirmed by receiving the ACK packet ACK2 for the data packets DATA1, DATA2, etc.

  On the other hand, in the communication confirmation with respect to the transmission host 1502, the communication in the direction from the transmission host 1502 toward the communication detection device 1501 can be confirmed because the data packets DATA 1 and DATA 2 are received from the transmission host 1502. However, the communication in the direction from the disconnection detection device 1501 to the transmission host 1502 has a problem that it cannot be confirmed because there is no response to the ACK2 packet from the reception host 1503 via the disconnection detection device 1501 to the transmission host 1502. Was. Note that the transmission host 1502 can normally transmit the transmission data packet without waiting for the ACK2 packet from the reception host 1503. For this reason, the transmission data packet detected by the disconnection detecting device 1501 cannot be a response to the ACK2 packet.

  In addition, when the transmission host 1502 and the reception host 1503 communicate with each other on different routes, the reception host 1503 and the transmission host 1502 are both detected only by the disconnection detection device placed at a relay point on one route. There was a problem that the communication check could not be performed.

  Accordingly, an object of the disclosed technique is to enable communication and non-communication confirmation even in a packet sequence in which a correspondence relationship between a data packet and an ACK packet cannot be taken.

The aspect disclosed below is based on a non-connection detecting device, method, or program for detecting a continuity state of packet data flowing on a network.
The input unit receives a packet flowing on the network.

  The packet information acquisition unit includes source address information, destination address information, sequence control information (sequence number), and acknowledgment response information (ACK flag, confirmation response number) of the received packet from the received packet received by the input unit. Get packet information.

The non-communication / communication detection unit detects a change tendency of the order control information of the received packet based on the packet information, thereby detecting a conduction state including communication or non-communication between the transmission source host and the destination host of the reception packet. detecting, if the sequence control information of the received packet is increasing monotonically is determined between the source host and destination host of the received packet is communicated. This disconnection / communication detection unit, for example, further determines the acknowledgment response information of the received packet, thereby causing a disconnection between the host of the received packet and the host device or between the host device and the destination host of the received packet. Detect if you did.
The output unit outputs the conduction state.

According to the configuration of the disclosed aspect, the disconnection detecting device monitors a packet that operates based on a sequence number such as TCP, so that even if the route of the upper and lower packets is different, or there is no response packet for the request It is possible to determine whether or not communication is possible.
As a result, an effect of improving diagnosis accuracy regarding a network or host failure can be obtained.

Hereinafter, the best embodiment will be described in detail with reference to the drawings.
FIG. 1 is a configuration diagram of an embodiment of a disconnection detecting device.
The disconnection detecting device 100 is connected to the network via a device for monitoring packets such as a tap or a monitor port of a switch on the network connecting the transmission host and the reception host, and is transmitted from the transmission host to the reception host. Packets can be monitored.

  In FIG. 1, the processing unit 102 includes a packet information acquisition unit 102-1 and a non-communication / communication detection unit 102-2, and the storage unit 103 includes a communication state storage unit 103-1 and a monitor result storage unit 103-2. .

The input unit 101 receives a packet flowing on the network.
The packet information acquisition unit 102-1 acquires the following information from the IP header and TCP header of the received packet. That is, the packet information acquisition unit 102-1 has a TCP connection ID, that is, four pieces of information of a transmission source IP address (SA), a transmission source port number (SP), a destination IP address (DA), and a destination port number (DP). Get the set and TCP sequence number (SEQ) value.

  As shown in FIG. 2, the source IP address and the destination IP address are information stored in the IP header portion of the received packet. The source port number, the destination port number, and the sequence number are information stored in the TCP header in the upper protocol TCP packet stored in the IP packet. The transmission source port number is a number for identifying the process of the transmission source application. The destination port number is a number for specifying the process of the destination application.

  When receiving the TCP packet normally, the receiving host sets the destination port number and the source port number in the reply of the ACK packet to the transmitting host. That is, the original destination port number is set to be the transmission source port number, and the transmission source port number is set to the destination port number.

  The sequence number is information for controlling TCP packets to be arranged in the correct order. As the sequence number, a value obtained by sequentially adding the TCP data length of each TCP packet is set. The TCP data length can be calculated as a value obtained by subtracting the header length from the packet length in the IP header shown in FIG. 2 of each packet. The packet length indicates the size of the entire packet including the header and any cuts in octets.

When there is no problem with the received TCP packet, when the receiving host returns an ACK packet to the transmitting host, the TCP received in the sequence number of the received packet as the acknowledgment number in the TCP header shown in FIG. Set the number obtained by adding the packet length and send it back. In the ACK packet, an ACK flag which is one of the code bits in the TCP header shown in FIG. 2 is turned ON (1 is set). Sending host, this ACK flag receives a packet to ON, after the identifying the acknowledgment number in the TCP header of the packet, and checks whether any transmission data is subject to approval by an ACK packet, buffer The transmission data held in is discarded.

Further, the packet information acquisition unit 102-1 acquires the time when the input unit 101 acquires a packet as the packet reception time.
The packet information acquisition unit 102-1 notifies the acquisition / interconnection detection unit 102-2 of the acquisition information. Here, the TCP connection ID is unique regardless of the packet transmission / reception direction.

The non-communication / communication detection unit 102-2 searches the connection table and the non-communication / communication table stored in the communication state storage unit 103-1, using the TCP connection ID notified from the packet information acquisition unit 102-1 as a key. Then, the disconnection / communication detection unit 102-2 updates the connection table and the disconnection / communication table based on the entry contents of each searched table and the packet information notified from the packet information acquisition unit 102-1.

  Further, the communication / communication detection unit 102-2 determines communication, communication, and no communication from the recorded contents of the connection table and communication / communication table, and stores the determination result in the monitor result storage unit 103-2.

The communication state storage unit 103-1 records the determination result in the communication / communication detection unit 102-2.
The monitor result storage unit 103-2 has a function of storing a monitor result for notification to a network administrator or a monitoring device. For example, the number of transmitted packets for each TCP connection, the number of losses, a delay time of a transmission host, and the like Store as information.

  The output unit 104 is an interface that acquires part or all of the information stored in the monitor result storage unit 103-2 and outputs the monitor result. The output unit 104 may be a screen display unit for displaying statistical information to a network administrator, or a network interface unit that supports a communication protocol for transmission to a network management device (NMS). It may be.

FIG. 3 is an explanatory diagram of the basic operation of the embodiment using the disconnection detecting device 100 having the above-described configuration.
In this embodiment, the disconnection detecting device 100 monitors the sequence numbers of TCP data packets and ACK packets.

Then, for each TCP connection ID, the time zone in which the sequence number of the received data packet or ACK packet is detected to increase monotonously is determined on both sides of the transmission host 301 and the reception host 302 corresponding to the TCP connection. Communication is determined to be in communication.

On the other hand, for each TCP connection ID, it is determined that the communication of the TCP connection is interrupted in the time zone in which the sequence number of the received data packet or ACK packet is duplicated.

In addition, when the disconnection detecting apparatus 100 can monitor both the data packet and the ACK packet, in addition to the above determination, it can be detected on which side the disconnection has occurred.
With the above basic operation, it is possible to accurately measure the normal / non-communication time even when the non-communication detecting device 100 is installed at a location passing through another route in the up / down direction or when data is transmitted in one direction. It becomes.

The specific operation of this embodiment will be described below.
First, as the first embodiment, an operation when the outage detecting device 100 shown in FIG. 1 cannot monitor both the data packet and the ACK packet will be described.

FIG. 4 is an operation flowchart illustrating the overall control operation of the disconnection detecting device 100 according to the first embodiment.
FIG. 5 is a diagram illustrating an example of a connection table stored in the communication state storage unit 103-1 in the first embodiment. In the figure, the TCP connection ID and the source IP address are abbreviated as A, B, A, A, etc. for the sake of simplicity. The same TCP connection ID A is assigned to different source IP addresses a and b. This is because the IP addresses using the TCP connection are the transmission host 301 and the reception host 302 (see FIG. 3). This is because the combination is always a combination of two IP addresses.

  FIG. 6 is a diagram illustrating an example of a communication / non-communication table stored in the communication state storage unit 103-1 in the first embodiment. The disconnection time and communication time are sequentially stored for each TCP connection ID.

Hereinafter, the operation will be described with reference to the operation flowchart of FIG. 4 and the table configurations of FIGS.
First, the input unit 101 receives a packet (step S401).
Next, the packet information acquisition unit 102-1 obtains the TCP connection ID from the four information sets of the source IP address, source port number, destination IP address, and destination port number in the IP header and TCP header of the received packet. create. Further, the packet information acquisition unit 102-1 acquires the TCP data length and the SEQ (Step S402). The packet information acquisition unit 102-1 notifies the information to the disconnection / communication detection unit 102-2.

  Subsequently, the disconnection / communication detection unit 102-2 determines whether or not the TCP connection ID exists in the connection table (see FIG. 5) in the communication state storage unit 103-1 (step S403).

When the received packet is the head packet of a certain TCP connection and the TCP connection ID does not exist in the connection table, the disconnection / communication detection unit 102-2 executes the following operation (determination in step S403 is NO) ).

  That is, the disconnection / communication detection unit 102-2 creates a new TCP connection entry in the connection table (see FIG. 5) and the disconnection / communication table (see FIG. 6) in the communication state storage unit 103-1. Step S404).

  Thereafter, the communication / communication detection unit 102-2 records the reception time of the received packet notified from the packet information acquisition unit 102-1 as the communication time in a new entry (see FIG. 6) of the communication / communication table (see FIG. 6). Step S408).

  Further, the disconnection / communication detection unit 102-2 adds a value obtained by adding the TCP data length of the received packet acquired in step S402 to the previous SEQ = 0 in the new entry (see FIG. 5) of the connection table. The new previous SEQ is updated (step S411). Thereafter, the process returns to the reception process of the next packet (steps S411 → S401).

  On the other hand, when the received packet is the second and subsequent packets of a certain TCP connection and the TCP connection ID exists in the connection table, the incompatibility / communication detection unit 102-2 executes the following operation (step) The determination in S403 is YES).

First, the disconnection / communication detection unit 102-2 determines whether the TCP data length is greater than 0 (step S405).
If the TCP data length is 0 (NO in step S405), the process returns to the next packet reception process (steps S405 → S401).

If the TCP data length is greater than 0 (YES in step S405), the incompatibility / communication detection unit 102-2 executes the following communication processing.
First, the non-communication / communication detection unit 102-2 determines whether or not the SEQ acquired from the received packet in step S402 is equal to or greater than the previous SEQ stored in the corresponding entry of the connection table (FIG. 5). (Step S406). This is a determination as to whether or not the SEQ is monotonously increasing.

  Next, when the SEQ is monotonously increasing (YES in step S406), the disconnection / communication detection unit 102-2 records the disconnection start time in the corresponding entry of the connection table (FIG. 5). It is determined whether or not (step S407).

When the disconnection start time is not recorded (NO in step S407), the disconnection / communication detection unit 102-2 proceeds to the process of step S408.
When the disconnection start time is recorded (YES in step S407), the disconnection / communication detection unit 102-2 sets the period from the disconnection start time to the reception time of the received packet as the disconnection time. To the entry to be recorded (step S409).

Subsequently, the disconnection / communication detection unit 102-2 resets the disconnection start time of the corresponding entry in the connection table (step S410).
Thereafter, the disconnection / communication detection unit 102-2 proceeds to the process of step S408.

  In step S408, the communication / communication detection unit 102-2 sets the reception time of the received packet notified from the packet information acquisition unit 102-1 to the corresponding entry (see FIG. 6) of the communication / communication table as the communication time. Record.

  Further, the incompatibility / communication detection unit 102-2 adds a value obtained by adding the TCP data length of the received packet acquired in step S402 to the previous SEQ in the corresponding entry of the connection table (see FIG. 5). It is updated as a new previous SEQ (step S411). Thereafter, the process returns to the reception process of the next packet (steps S411 → S401).

  On the other hand, if it is determined in step S406 that the SEQ has not increased monotonously (NO in step S406), the disconnection / communication detection unit 102-2 performs connection processing (see FIG. 5). ) Is recorded in the corresponding entry (step S412). The disconnection start time is the reception time of the received packet notified from the packet information acquisition unit 102-1. However, when the disconnection start time is already recorded in the corresponding entry, a new recording of the disconnection start time is not performed. Thereafter, the process returns to the reception process of the next packet (steps S412 → S401).

A specific example of the series of control operations will be described.
Now, in the recording state of the connection table shown in FIG. 5, SEQ is 680, the data length is 20, the source IP address is “a”, the destination IP address is “a”, and the data packet whose TCP connection ID is “A” is received. Suppose that In this case, in FIG. 4, each process is executed in the order of steps S401 → S402 → S403 → S405 → S406 → S407 → S408 → S411. As a result, the packet reception time T1 is recorded as a communication time in the corresponding entry of the non-communication / communication table (FIG. 6) as a packet that can be confirmed communication with a monotonically increasing SEQ. In the corresponding entry of the connection table (FIG. 5), the previous SEQ is updated from 680 to 700.

  Next, it is assumed that a packet having a source IP address “a”, a destination IP address “a”, a TCP connection ID “A”, a SEQ “680”, and a data length “20” is received. In this case, in FIG. 4, each process is executed in the order of steps S401 → S402 → S403 → S405 → S406 → S412. As a result, since it is determined that the SEQ has not increased monotonously, the disconnection start time T2 is recorded in the corresponding entry of the connection table as a packet in which the disconnection time is to be recorded.

  Subsequently, after 30 seconds, it is assumed that a packet having a source IP address “a”, a destination IP address “a”, a TCP connection ID “A”, a SEQ “700”, and a data length “100” is received. In this case, in FIG. 4, each process is executed in the order of steps S401 → S402 → S403 → S405 → S406 → S407 → S409 → S410 → S408 → S411. As a result, as a packet in which the SEQ increases monotonically again and communication can be confirmed, the connection / disconnection table (FIG. 6) from the connection start time of the corresponding entry in the connection table to the packet reception time T3 is the connection time until now. Is recorded in the corresponding entry. Further, the packet reception time T3 is recorded as the communication time in the corresponding entry of the non-communication / communication table (FIG. 6). Further, the previous SEQ is updated from 700 to 800 in the corresponding entry of the connection table (FIG. 5).

By repeating the above processing every time a packet is received, the disconnection and communication time for each connection is calculated.
The communication / communication detection unit 102-2 determines communication, communication, and no communication at regular intervals from the connection table updated as described above and the recorded contents of the communication / communication table, and the determination result is a monitor result. Store in the storage unit 103-2.

FIG. 7 is an operation flowchart illustrating communication, communication, and no-communication determination processing executed by the communication / communication detection unit 102-2.
First, the incompatibility / communication detection unit 102-2 determines whether or not there is an unprocessed entry in the connection table in the communication state storage unit 103-1 (step S701). If the TCP connection ID is the same as the processed one, the processing is completed.

  When there is an unprocessed entry in the connection table (YES in step S701), the disconnection / communication detection unit 102-2 acquires the contents of one unprocessed entry on the connection table (step S702).

  Next, the disconnection / communication detection unit 102-2 determines whether or not the source IP address belonging to the entry is set as a failure determination target by means not shown (step S703).

  When the transmission source IP address is not set as a failure determination target (NO in step S703), the incompatibility / communication detection unit 102-2 proceeds to the next entry process (step S703 → S701).

  When the transmission source IP address is set as a failure determination target (YES in step S703), the disconnection / communication detection unit 102-2 uses the TCP connection corresponding to the entry as a key, and the communication state storage unit 103. Search the non-communication / communication table in -1. Then, the disconnection / communication detection unit 102-2 acquires the disconnection time and communication time of the TCP connection from the entry of the retrieved disconnection / communication table (step S704).

  Subsequently, the disconnection / communication detection unit 102-2 sets the communication time corresponding to the currently monitored network path to the communication time obtained so far and the currently processed TCP acquired in step S704. It is calculated as an OR operation result with the connection communication time (step S705). That is, the communication time in at least one TCP connection is calculated as the overall communication time.

  Further, the disconnection / communication detection unit 102-2 indicates the disconnection time corresponding to the currently monitored network path, the disconnection time obtained up to now, and the currently processed TCP connection acquired in step S704. Or calculated as a time zone that is not the communication time calculated in step S705 (step S706). That is, in a time zone that is not a communication time, a time at which at least one TCP connection is disconnected is detected as an overall communication time.

  After the above processing is executed for all the TCP connections extracted from the connection table, the disconnection / communication detection unit 102-2 detects the disconnection obtained up to now when the determination in step S701 is NO. The time and communication time are output to the monitor result storage unit 103-2 in the storage unit 103 (step S707).

A specific example of the series of control operations will be described.
Now, it is assumed that records of TCP connection IDs = A, B, and C exist in the connection table, and the contents recorded in the disconnection / communication table are as shown in FIG. In this case, each transmission host 301 (see FIG. 3) with addresses 1, 2, and 3 communicates with a reception host 302 (see FIG. 3) with the same address 10, respectively.

  As shown in FIG. 8B, at step S705, TB0 to TB1 which are communication records of connection B with respect to TA0 to TA1, TA2 to TA3 and TA4 to TA5 which are communication records of connection A. , TB2 to TB3 are ORed. As a result, TB0 to TB1 and TB2 to TB3 are obtained as communication times.

  Next, as shown in FIG. 8B, in step S706, an AND operation is performed on TA1 to TA2 and TA3 to TA4, and TB0 to TB1 and TB2 to TB3 are inverted. As a result, TB1 to TB2 are obtained as the disconnection time.

  As a result of the same processing as described above being executed for the connection C, as shown in FIG. 8B, TB1 to TB2 are output as non-communication times common to the connections A, B, and C.

  If each of the above hosts has the connection state shown in FIG. 9, the link L1 used in common by the addresses 1, 2, and 3 is most likely to be a failure location. It can be inferred that it is TB1 to TB2.

  The following control operation can be adopted for the deletion operation of the connection table and the entry / disconnection table entry. That is, for example, once every minute, the entire disconnection / communication table is searched, and the corresponding entry in the connection table and the disconnection / communication table is deleted for the TCP connection ID that has passed five minutes or more from the last communication time. The As a result, a table having a finite capacity can be used efficiently.

Next, as a second embodiment, a control operation in the case where the disconnection detecting device 100 in FIG. 1 can monitor both the data packet and the ACK packet will be described.
FIG. 10 is an operation flowchart illustrating the overall control operation of the disconnection detecting device 100 according to the second embodiment.

  FIG. 11 is a diagram illustrating a configuration example of a connection table stored in the communication state storage unit 103-1 in the second embodiment. In the second embodiment, a non-communication / communication table is not provided, and control is executed using only the connection table.

First, the input unit 101 receives a packet (step S1001).
Next, the packet information acquisition unit 102-1 obtains the TCP connection ID from the four information sets of the source IP address, source port number, destination IP address, and destination port number in the IP header and TCP header of the received packet. create. Further, the packet information acquisition unit 102-1 acquires the TCP data length and the SEQ (step S1002). The packet information acquisition unit 102-1 notifies the information to the disconnection / communication detection unit 102-2.

  Subsequently, the disconnection / communication detection unit 102-2 determines whether or not the TCP connection ID exists in the connection table (see FIG. 11) in the communication state storage unit 103-1 (step S1003).

  If the received packet is the head packet of a certain TCP connection and the TCP connection ID does not exist in the connection table, the incompatibility / communication detection unit 102-2 executes the following operation (determination in step S1003 is NO) ).

  That is, the disconnection / communication detection unit 102-2 newly creates a TCP connection entry in the connection table (see FIG. 11) in the communication state storage unit 103-1. At this time, the disconnection / communication detection unit 102-2 records the reception time of the received packet notified from the packet information acquisition unit 102-1 as the communication time in the new entry of the connection table. Further, the disconnection / communication detection unit 102-2 sets the TCP data length of the received packet acquired in step S1002 as the previous SEQ in the new entry of the connection table (step S1004). Thereafter, the process returns to the reception process of the next packet (steps S1004 → S1001).

  On the other hand, when the received packet is the second and subsequent packets of a certain TCP connection and the TCP connection ID is present in the connection table in the communication state storage unit 103-1, the communication / communication detection unit 102-2 is The following operations are executed (YES in step S1003).

  First, the disconnection / communication detection unit 102-2 determines whether or not the disconnection start time is recorded in the corresponding entry of the connection table (see FIG. 11) (step S1005). In the connection table, there are two entries corresponding to one TCP connection ID: a case where the transmission source IP address is the transmission host 301 and a case where the transmission host 301 is the reception host 302 (both see FIG. 3). . In the second embodiment, it is detected by distinguishing up to which source IP address connection is disconnected. In this case, in step S1005, it is determined whether or not the disconnection start time is recorded in at least one of the two entries corresponding to the target TCP connection ID.

  When the disconnection start time is not recorded (NO in step S1005), the disconnection / communication detection unit 102-2 indicates that the SEQ acquired from the received packet in step S1002 corresponds to the connection table (FIG. 11). It is determined whether or not it is equal to or greater than the previous SEQ stored in the entry (step S1006). This is a determination as to whether or not the SEQ is monotonously increasing.

  Next, when the SEQ monotonously increases (YES in step S1006), the incompatibility / communication detection unit 102-2 determines whether or not the TCP data length is greater than 0 (step S1007). .

If the TCP data length is greater than 0 (YES in step S1007), the disconnection / communication detection unit 102-2 proceeds to processing in step 1017 described later.
When the TCP data length is 0 (NO in step S1007), the disconnection / communication detection unit 102-2 further determines whether the ACK flag (see FIG. 2) of the code bit in the TCP header is ON. That is, it is determined whether the received packet is an ACK packet (step S1008).

  If the received packet is an ACK packet and the ACK flag is ON (YES in step S1008), the disconnection / communication detection unit 102-2 proceeds to a process in step 1017 described later.

  If the received packet is not an ACK packet and the ACK flag is not ON (NO in step S1008), the incompatibility / communication detection unit 102-2 returns to the reception processing for the next packet (step S1008 → S1001).

  On the other hand, when it is determined in step S1005 that the disconnection start time is recorded, the disconnection / communication detection unit 102-2 determines whether the TCP data length is greater than 0 (step S1013). .

When the TCP data length is greater than 0 (YES in step S1013), the disconnection / communication detection unit 102-2 further displays the SEQ acquired from the received packet in step S1002 in the connection table (FIG. 11). It is determined whether or not it is equal to or greater than the previous SEQ stored in the corresponding entry (step S1014). This is a determination as to whether or not the SEQ is monotonously increasing.

If the SEQ has not increased monotonously (NO in step S1014), the disconnection / communication detection unit 102-2 maintains the current disconnection state as it is, and returns to the reception processing for the next packet (step S1014 → S1001).
If the SEQ monotonously increases (YES in step S1014), the disconnection / communication detection unit 102-2 proceeds to the process of step S1016.

  If it is determined in step S1013 that the TCP data length is 0 (NO in step S1013), the incompatibility / communication detection unit 102-2 further sends the received packet from the inaccessible address. It is determined whether it is a thing (step S1015). That is, the disconnection / communication detection unit 102-2 has the source IP address stored in the entry for which the disconnection start time is set, out of the two entries for which the received packet is searched on the connection table. It is determined whether or not it is from the host (see FIG. 11). The received packet in this case is an ACK packet because the TCP data length is zero.

  If the received packet is TCP data length ≠ 0 and SEQ is monotonically increasing (determination in step S1014 is YES), or if the TCP data length is 0 and a non-transmission address is issued (determination in step S1015 is YES), the process of step S1016 Executed. This indicates a state in which the disconnection state on either the transmission host 301 side or the reception host 302 side (see FIG. 3) is resolved. That is, the disconnection / communication detection unit 102-2 records the period from the disconnection start time recorded in the corresponding entry of the connection table to the reception time of the received packet as the disconnection time in the corresponding entry of the connection table. Further, the disconnection / communication detection unit 102-2 resets the disconnection start time of the corresponding entry in the connection table (step S1016).

  After the process in step S1016, if the determination in step S1007 described above is YES, or if the determination in step S1008 described above is YES, the following processes in steps S1017 and S1018 are executed. This is a process for setting the communication state.

  First, the disconnection / communication detection unit 102-2 records the reception time of the received packet notified from the packet information acquisition unit 102-1 as the communication time in a corresponding entry (see FIG. 11) of the communication / communication table. (Step S1017).

  Next, the incompatibility / communication detection unit 102-2 adds a value obtained by adding the TCP data length of the received packet acquired in step S1002 to the previous SEQ in the corresponding entry of the connection table (see FIG. 11). Then, it is updated as a new previous SEQ (step S1018).

  If the received packet processed in step S1018 is an ACK packet, or if it is determined in step S1015 that the received packet is an ACK packet that does not have a TCP data length = 0 and a non-transmission address, step S1019 is determined. That is, the disconnection / communication detection unit 102-2 has an acknowledgment number (ACK number) (see FIG. 2) in the TCP header of the received packet larger than the previous ACK number recorded in the corresponding entry of the connection table. It is determined whether or not (step S1019).

  If the ACK number of the received packet is greater than the previous ACK number (YES in step S1019), the previous ACK number recorded in the corresponding entry in the connection table is replaced with the ACK number of the received packet and updated ( Step S1020).

After the process of step S1020 or when the determination of step S1019 is NO, the disconnection / communication detection unit 102-2 returns to the reception process of the next packet.
On the other hand, if it is determined in step S1005 that the disconnection start time is not recorded in the corresponding entry in the connection table, and it is determined in step S1006 that the SEQ of the received packet is not monotonically increased, the disconnection / communication detection unit 102 -2 executes the following disconnection process.

  That is, the incompatibility / communication detection unit 102-2 determines whether or not the SEQ (sequence number) of the received packet is equal to or greater than the ACK number (reverse ACK number) of the reverse path (step S1009). The reverse ACK number is recorded in an entry in which an address different from the source IP address extracted from the received packet is recorded as the source IP address among the two entries searched on the connection table. This is the previous ACK number (see FIG. 11).

  When the SEQ of the received packet is greater than or equal to the reverse ACK number, it indicates that the receiving host 302 cannot receive the data packet from the transmitting host 301 and cannot return an ACK packet. That is, it is estimated that a disconnection occurs on the route from the transmission host 301 to the reception host 302. Therefore, in this case (determination in step S1009 is YES), the disconnection / communication detection unit 102-2 determines the IP address of the receiving host 302 on the side that is estimated to be disconnected as viewed from the own apparatus as the disconnection address. . In other words, the communication / communication detection unit 102-2 determines the destination IP address of the received packet as the communication address. Then, the disconnection / communication detection unit 102-2 selects an entry whose address is recorded as the transmission source IP address as an object of the disconnection process (step S1010).

  On the other hand, when the SEQ of the received packet is smaller than the reverse ACK number, the transmission host 301 cannot correctly receive the ACK packet from the reception host 302 and cannot update the SEQ of the transmitted data packet, contrary to the above case It is. That is, it can be estimated that a disconnection has occurred in the path from the receiving host 302 to the transmitting host 301. Therefore, in this case (NO in step S1009), the disconnection / communication detection unit 102-2 determines the IP address of the transmission host 301 on the side that is estimated to be disconnected as viewed from the own apparatus as the disconnection address. . That is, the disconnection / communication detection unit 102-2 determines the transmission source IP address of the received packet as the disconnection address. Then, the disconnection / communication detection unit 102-2 selects an entry whose address is recorded as the transmission source IP address as an object of the disconnection process (step S1011).

  After step S1010 or S1011, the disconnection / communication detection unit 102-2 records the disconnection start time in the selected entry of the connection table (see FIG. 11) (step S1012). The disconnection start time is the reception time of the received packet notified from the packet information acquisition unit 102-1. Thereafter, the process returns to the reception process of the next packet (steps S1012 → S1001).

A specific example of the series of control operations will be described.
The first case will be described based on, for example, the operation sequence diagram of FIG. 12, the operation flowchart of FIG. 10, and the connection table example of FIG.

  At time T1 in FIG. 12, a packet with SEQ of 20500, ACK of 600, data length of 100, source IP address A, destination IP address A, and TCP connection ID A is detected. It is assumed that the device 100 has received it.

In this state, as shown in FIG. 11, there is no record of the disconnection start time in the corresponding entry, “previous SEQ ≦ SEQ” holds, and the TCP data length is 100. Accordingly, in FIG. 10, the processes of steps S1001 → S1002 → S1003 → S1005 → S1006 → S1007 → S1017 → S1018 → S1019 are sequentially executed, and the determination in step S1019 is NO. As a result, the packet reception time T1 as the communication time, 20600 as the previous SEQ, and 600 as the previous ACK are recorded in the corresponding entry of the connection table.

  Similarly, the contents of the corresponding entry are updated until time T4 in FIG. 12. However, at time T5, a sequence in which “previous SEQ ≦ SEQ” does not hold. As a result, in FIG. 10, steps S1001, S1002, S1003, S1005, S1006, and S1009 are sequentially executed. Here, the SEQ of the received packet is 20700, and the reverse ACK number is 20500, which is the previous ACK number of the entry whose source IP address is “a” in FIG. Accordingly, the determination in step S1009 is YES, and each process of steps S1010 → S1012 is further executed. As a result, the disconnection start time T5 is recorded in an entry (see FIG. 11) in which the transmission source IP address of the connection table is on the side.

  This state continues until time T7 in FIG. In this case, in FIG. 10, steps S1001, S1002, S1003, S1005, S1013, S1014, and S1001 are repeatedly executed.

  After that, when an ACK packet having an address as an originating address is received at time T8 in FIG. 12, steps S1001, S1002, S1003, S1005, S1013, and S1015 are executed in FIG. Then, the determination in step S1015 is YES, step S1016, which is a process for eliminating the disconnection, is executed, and the disconnection time on the side A is recorded from T5 to T8.

Next, the second case will be described based on, for example, the operation sequence diagram of FIG. 13, the operation flowchart of FIG. 10, and the connection table example of FIG.
In FIG. 13, in the packet transmission process from the transmission host 301 = A to the reception host 302 = A, from time T1 to T4, steps S1001, S1002, S1003, S1005, S1006, S1007, S1017, S1018, S1018, S1019, and S1019 are performed. Each process of S1001 is executed. At times T5 and T6, steps S1001, S1002, S1003, S1005, S1006, S1007, S1008, S1017, S1018, S1019, S1020, and S1001 are executed. Thereby, in the disconnection detecting device 100, the communication state is estimated.

  However, since the packet with SEQ = 20700 is retransmitted at time T7 in FIG. 13, “previous SEQ ≦ SEQ” does not hold, and the determination in step S1006 is NO. In addition, since the SEQ of the received packet is 20700 and the reverse ACK number is 20900, the determination in step S1009 is also NO. As a result, steps S1011 → S1012 are further executed. As a result, the disconnection start time T7 is recorded in the entry (see FIG. 11) in which the transmission source IP address of the connection table is on the i side.

  This state continues until time T10 in FIG. In this case, when the received packet goes from the transmission host 301 to the reception host 302 in FIG. 10, the processes of steps S1001 → S1002 → S1003 → S1005 → S1013 → S1014 → S1001 are executed. When the received packet goes from the receiving host 302 to the transmitting host 301, the processes of steps S1001, S1002, S1003, S1005, S1013, S1015, S1019, and S1001 are repeatedly executed.

  After that, when the ACK from the receiving host 302 to the sending host 301 is communicated at time T10 in FIG. 13 and a data packet having “i” as the originating address is received at time T11, in FIG. SEQ ≦ SEQ ”is established. As a result, the determination in step S1014 is YES, step S1016, which is a process for canceling the disconnection, is executed, and the disconnection time on the side A is recorded from T7 to T11.

FIG. 14 is a diagram illustrating an example of a hardware configuration of a computer that can realize the non-communication detection device 100 of FIG. 1 that realizes the operation of the first embodiment or the second embodiment described above.
The computer shown in FIG. 14 includes a CPU 1401, a memory 1402, an input device 1403, an output device 1404, an external storage device 1405, a portable recording medium driving device 1406 into which a portable recording medium 1409 is inserted, and a network connection device 1407. These are connected to each other by a bus 1408. The configuration shown in the figure is an example of a computer that can implement the above system, and such a computer is not limited to this configuration.

  The CPU 1401 controls the entire computer. The memory 1402 is a memory such as a RAM that temporarily stores a program or data stored in the external storage device 1405 (or the portable recording medium 1409) when executing a program, updating data, or the like. The CUP 1401 performs overall control by reading the program into the memory 1402 and executing it.

  The input device 1403 includes, for example, a keyboard, a mouse, etc. and their interface control devices. The input device 1403 detects an input operation by the user using a keyboard, a mouse, or the like, and notifies the CPU 1401 of the detection result.

  The output device 1404 includes a display device, a printing device, etc. and their interface control devices. The output device 1404 outputs data sent under the control of the CPU 1401 to a display device or a printing device.

The external storage device 1405 is, for example, a hard disk storage device. Mainly used for storing various data and programs.
The portable recording medium driving device 1406 accommodates a portable recording medium 1409 such as an optical disc, SDRAM, or CompactFlash (registered trademark), and has an auxiliary role for the external storage device 1405.

  The network connection device 1407 is a device for connecting, for example, a LAN (local area network) or a WAN (wide area network) communication line, and is connected to a tap or the like.

  The discontinuity detecting device 100 according to the embodiment of FIG. 1 is realized by the CPU 1401 executing a program having processing functions necessary for it. The program may be distributed by being recorded in, for example, the external storage device 1405 or the portable recording medium 1409, or may be acquired from the network by the network connection device 1407.

  The embodiment described above is not limited to use only for TCP, and any protocol that uses a sequence number in the same manner can be used in common. For example, SCTP, which is an L4 (layer 4) protocol, ICMP, which is an L3 (layer 3) protocol, or the like can be used.

It is a lineblock diagram of an embodiment of a failure detection device. It is a figure which shows the data format of a TCP / IP packet. It is explanatory drawing of the basic operation | movement of embodiment using the failure detection apparatus. It is an operation | movement flowchart which shows the whole control operation | movement of the interruption detection apparatus 100 in 1st Embodiment. It is a figure which shows an example of the connection table memorize | stored in the communication status memory | storage part 103-1 in 1st Embodiment. It is a figure which shows an example of the communication / non-communication table memorize | stored in the communication status memory | storage part 103-1 in 1st Embodiment. It is an operation | movement flowchart which shows the determination process of the communication, communication, and no communication which the communication / communication detection part 102-2 performs. FIG. 6 is an operation explanatory diagram (No. 1) of the first embodiment. FIG. 6 is an operation explanatory diagram (No. 2) of the first embodiment. It is an operation | movement flowchart which shows the whole control operation | movement of the interruption detection apparatus 100 in 2nd Embodiment. It is the figure which showed the structural example of the connection table memorize | stored in the communication status memory | storage part 103-1 in 2nd Embodiment. FIG. 6 is an operation sequence diagram (part 1) for explaining a second embodiment. FIG. 10 is an operation sequence diagram (part 2) for describing the second embodiment. It is a hardware block diagram of the computer which implement | achieves embodiment. It is explanatory drawing of the problem of a prior art.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100, 1501 Connection detection apparatus 101 Input part 102 Processing part 102-1 Packet information acquisition part 102-2 Connection / communication detection part 103 Storage part 103-1 Communication state storage part 103-2 Monitor result storage part 104 Output part 301, 1502 Sending host 302, 1503 Receiving host

Claims (3)

A detection device that detect the conducting state of the packet data flowing on the network,
An input unit for receiving a packet flowing on the network;
A packet information acquisition unit that acquires packet information including transmission source address information, destination address information, order control information, and acknowledgment response information of the received packet from the received packet received by the input unit;
By detecting the change trend of the sequence control information prior Symbol received packet, and detects the conduction state comprising non-delivery or communication between the host sending host and the destination of the received packet, the conduction state is disconnected In this case, on the basis of the acknowledgment response information of the received packet, disconnection occurs between the host of the received packet and the detection device or between the detection device and the destination host of the received packet. An incompatibility / communication detection unit that detects whether or not
An output unit for outputting the conduction state;
Detection equipment shall be the characterized in that it comprises. A detection method that detect the conducting state of the packet data flowing on the network,
An input step of receiving a packet flowing on the network;
A packet information acquisition step of acquiring packet information including transmission source address information, destination address information, order control information, and acknowledgment response information of the received packet from the received packet received by the input unit;
By detecting the change trend of the sequence control information prior Symbol received packet, and detects the conduction state comprising non-delivery or communication between the host sending host and the destination of the received packet, the conduction state is disconnected In this case, on the basis of the acknowledgment response information of the received packet, disconnection occurs between the host of the received packet and the detection device or between the detection device and the destination host of the received packet. A disconnection / communication detection step for detecting whether or not
An output step for outputting the conduction state;
Detection how to characterized in that it comprises a. A computer for detecting the continuity of packet data flowing on the network
An input step of receiving a packet flowing on the network;
A packet information acquisition step of acquiring packet information including transmission source address information, destination address information, order control information, and acknowledgment response information of the received packet from the received packet received by the input unit;
By detecting the change trend of the sequence control information prior Symbol received packet, and detects the conduction state comprising non-delivery or communication between the host sending host and the destination of the received packet, the conduction state is disconnected In this case, on the basis of the acknowledgment response information of the received packet, disconnection occurs between the host of the received packet and the detection device or between the detection device and the destination host of the received packet. A disconnection / communication detection step for detecting whether or not
An output step for outputting the conduction state;
A program for running