JP5894963B2 - Analysis server and analysis method - Google Patents

Description

  The present invention relates to a computer and an analysis method for analyzing a network state of a tenant information communication system constructed on a data center.

  In recent years, data centers, which are facilities specialized in installing and operating various devices such as servers, networks, and storages, are becoming widespread. In data centers, computer resources of physical devices are logically divided using various virtualization technologies, and the divided computer resources are allocated to tenant systems that are information communication systems for customers using the data center. . Server virtualization technology includes technology that divides a physical server into a plurality of virtual machines. The network includes a virtual interface technology such as a virtual local area network (VLAN) that divides a physical network interface into a plurality of virtual LANs and a sub-interface.

  One or more tenant systems are constructed in the data center. When a failure occurs in a tenant, it is related to a specific tenant system in order to identify whether the failure is caused by a network or a failure caused by something other than the network, such as a virtual machine that constitutes the tenant system. There is a need to quickly analyze the state of the network.

  The state of the network related to the tenant system can be analyzed by recording a communication packet generated in connection with the tenant system with a packet capture device or the like and comparing the recorded capture logs. However, in a large-scale data center, the number of network devices to be installed is large, and the amount of communication packets passing through the network devices is very large.

  Further, when analyzing only a specific tenant system, the communication packet of the tenant system to be analyzed passes only through some devices in the data center. For this reason, in the method of capturing and analyzing with all network devices, many capture logs that do not include communication packets of the tenant system are analyzed, and the calculation time for analysis becomes long. Therefore, in order to quickly analyze the network state of a specific tenant system, it is necessary to reduce the amount of interface and capture log of the network device to be captured. It is also important to quickly obtain necessary analysis results from logs with a large amount of data, where the collected logs are analyzed first and the order of analysis of the captured logs is determined.

  When the number of tenant systems built in the data center is small, it is possible for the administrator to predict the network devices through which the communication packets of the tenant system pass, and to reduce the number of interfaces to be captured. It is also easy to determine which captured data is analyzed first. However, when the configuration of the tenant system is complicated, it is difficult for the administrator to manually predict the network device through which the communication packet passes and determine the order in which the captured packet can be analyzed quickly. In a configuration using Ethernet (registered trademark) fabric or multi-chassis link aggregation, there may be one or more communication paths that can communicate at the same cost. In such a case, the administrator selects the network device or interface through which the communication packet passes manually to select which communication route to use for each communication flow based on the flow allocation algorithm implemented in the network device. It is very difficult to predict.

  Patent document 1 is known as a background art of this technical field. In this publication, in order to reduce the number of capture devices necessary for packet capture, a protocol path to be captured from a path control device to a relay device is directed to the capture device or adjacent to the capture device. A change to a relay device is described (for example, paragraph 0021).

  Patent Document 2 describes that a communication path is analyzed without using a capture log of a communication packet by collecting a plurality of firewall logs and comparing the traffic logs of the plurality of firewalls. (For example, paragraph 0078).

JP 2011-15151 A JP2012-205205A

  In the technique described in Patent Document 1 described above, in order to capture the target protocol, the route of the communication packet is changed for the capture device. For this reason, the communication path at the time of capture and the communication path at the time of actual operation are different, and the network state when the communication path at the time of actual operation is used cannot be analyzed.

  In the technology described in Patent Document 2 above, since the firewall traffic log is compared, it is not possible to analyze whether or not the communication packet recorded in the traffic log has reached the virtual machine constituting the tenant system. . In addition, since the communication flow described in the traffic log is sequentially tracked, it is necessary to compare the traffic logs in large quantities in order to analyze the final route in a large-scale network. Furthermore, in a data center, when connecting a system located at a customer's base and a system located at the data center using a dedicated line or VPN (Virtual Private Network), a tenant system is constructed with a configuration that does not use a firewall. It is also possible to do. In a configuration that does not use a firewall, the network state of the communication path cannot be analyzed using the technique described in Patent Document 2.

  An object of the present invention is to reduce the time required for analysis when analyzing a network state through which a communication packet of a tenant system passes during actual operation.

  The present invention is an analysis server that analyzes a network state of one or more tenants constructed on an information processing system including a server and a network device, and the analysis server includes the information processing system of the tenant. Configuration information of nodes constituting the network, a setting processing unit that selects a node that collects communication record information among the nodes of the network based on the configuration information, and the communication record information is collected in the selected node And an analysis processing unit that acquires the collected communication record information and analyzes the state of the network, and the analysis processing unit is an end point of an analysis target layer in the network A service route calculation processing unit for calculating a communication route of communication packets between nodes, and a first end of the analysis target layer The communication record information of the first node to be compared with the communication record information of the second node to be the second endpoint, and the communication packet of the first node has reached the second node And a determination processing unit that specifies a node that has discarded a communication packet that has not reached the second node.

  According to the present invention, it is possible to reduce the time required for analysis when analyzing the state of a network through which a communication packet generated in a specific tenant system constructed in a data center passes.

1 is a block diagram illustrating an example of a computer system according to a first embodiment of this invention. FIG. It is a block diagram which shows a 1st Example of this invention and shows an example of a server. It is a block diagram which shows a 1st Example of this invention and shows an example of a switch. It is a block diagram which shows the 1st Example of this invention and shows an example of a firewall. It is a block diagram which shows a 1st Example of this invention and shows an example of an analysis server. It is a block diagram which shows a 1st Example of this invention and shows an example of the process and data which an analysis server performs. It is a figure which shows a 1st Example of this invention and shows an example of the node management table contained in tenant structure DB. It is a figure which shows a 1st Example of this invention and shows an example of the interface management table contained in tenant structure DB. It is a figure which shows a 1st Example of this invention and shows an example of the virtual node management table contained in tenant structure DB. It is a figure which shows a 1st Example of this invention and shows an example of the address conversion table contained in tenant structure DB. It is a figure which shows a 1st Example of this invention and shows an example of the policy management table contained in tenant structure DB. It is a figure which shows a 1st Example of this invention and shows an example of the log classification management table contained in tenant structure DB. It is a figure which shows a 1st Example of this invention and shows an example of the analysis layer management table contained in tenant structure DB. It is a figure which shows the 1st Example of this invention and shows an example of a packet storage table. It is a figure which shows a 1st Example of this invention and shows an example of the table contained in collection management DB. It is a figure which shows a 1st Example of this invention and shows an example of the collection interface management table contained in collection management DB. It is a figure which shows a 1st Example of this invention and shows an example of the table contained in analysis result DB. It is a sequence diagram which shows a 1st Example of this invention and shows an example of a collection process. It is a sequence diagram which shows a 1st Example of this invention and shows an example of an analysis process. It is a flowchart which shows a 1st Example of this invention and shows an example of a collection apparatus selection process. 1 is a block diagram illustrating a logical configuration of a tenant system according to a first embodiment of this invention. FIG. It is a block diagram which shows a 1st Example of this invention and shows an example of the communication path | route of a tenant system. It is a block diagram which shows the 1st Example of this invention and shows the other example of the communication path | route of a tenant system. It is a block diagram which shows the 1st Example of this invention and shows the other example of the communication path | route of a tenant system. It is a block diagram which shows a 1st Example of this invention and shows an example of the service path | route of a tenant system. It is a block diagram which shows the 1st Example of this invention and shows the other example of the service path | route of a tenant system. It is a flowchart which shows a 1st Example of this invention and shows an example of an arrival determination process. It is a flowchart which shows a 1st Example of this invention and shows an example of a discard node specific process. It is a flowchart which shows a 1st Example of this invention and shows an example of a packet comparison process. It is a flowchart which shows a 1st Example of this invention and shows an example of a session comparison process. It is a figure which shows the 1st Example of this invention and shows an example of a switch management table. It is a flowchart which shows a 1st Example of this invention and shows an example of an equal cost apparatus selection process. It is a block diagram which shows the 1st Example of this invention and shows an example of a service path | route. It is a block diagram which shows the 1st Example of this invention and shows the other example of a service path | route. It is a figure which shows the 2nd Example of this invention and shows an example of an interface group management table. It is a figure which shows the 2nd Example of this invention and shows an example of a capture node management table. It is a flowchart which shows the 2nd Example of this invention and shows an example of a capture setting process. It is a figure which shows the 3rd Example of this invention and shows an example of a service port management table. It is a figure which shows the 3rd Example of this invention and shows an example of an arrival determination table. It is a flowchart which shows the 3rd Example of this invention and shows an example of an arrival determination process. It is a block diagram which shows the 2nd Example of this invention and shows an example of a computer system.

  Hereinafter, an embodiment of the present invention will be described with reference to the accompanying drawings.

  In this embodiment, the interface for capturing communication packets is reduced by using the configuration information of the tenant, the information of the layer that analyzes the state of the network, and the traffic log. In addition, an example will be described in which a node serving as an end point of a service is identified from tenant configuration information and analysis is performed based on a network state between nodes serving as service end points, thereby reducing the time required for the analysis. In addition, a layer shows the example corresponding to the 1st layer to the 7th layer of OSI (Open Systems Interconnection) reference model.

  FIG. 1 is a block diagram illustrating an example of a computer system according to the first embodiment.

  The data center 100 is composed of one or more network devices and servers. The network devices include switches (SW) 7a to 7h, a firewall (FW) 9a, and a load balancer (LB) 10a. The servers 8a to 8f allocate a divided server resource to a virtual machine (VM: Virtual Machine) by using a virtual infrastructure. The servers 8a to 8f are connected to other servers, the firewall 9a, and the load balancer 10a via any of the switches 7a to 7h. In the illustrated example, one rack stores one or more servers and one or more switches. For example, a server 8a and a server 8b are accommodated in a rack that accommodates the switch 7f, and the servers 8a and 8b are connected to the switch 7f.

  The analysis server 1 is a computer for analyzing the state of the network related to the tenant system. The capture device 4 is a device for capturing communication packets related to the tenant system. The analysis server 1 and the capture device 2 are connected to other network devices and the servers 8a to 8e via the switch 7a in the data center. Further, the capture device 2 may be directly connected to other switches (7b to 7h) in order to capture communication packets related to the tenant system.

  FIG. 2 is a block diagram illustrating an example of the server 8a. The servers 8b to 8f have the same configuration as the server 8a. The server 8a includes, as hardware, a CPU (Central Processing Unit) 802, a memory 803, and an interface 804, which are connected by a bus (or interconnect).

  The memory 803 stores a virtual infrastructure 805, which is a process executed by the CPU 802, an OS of a virtual machine, and the like. The virtual infrastructure 805 is processing for logically dividing server resources such as the CPU 802 and allocating them to virtual machines (VMs). The virtual infrastructure 805 can be configured by a virtualization unit such as a hypervisor or a VMM (Virtual Machine Monitor), for example.

  The virtual infrastructure 805 provides a virtual switch 806, one or more virtual machines (11, 12), and a capture function 810. The virtual machine 11 includes a virtual NIC 113, an OS (Operation System) 112, and a service 111.

  The virtual NIC 113 is a virtual interface for the virtual machine 11 to transmit and receive communication packets for communicating with other devices. The number of virtual NICs can be appropriately increased or decreased by the virtual board 805, and one or more virtual NICs 113 may be provided.

  The service 111 is a program installed in the virtual machine 11 and is executed on the OS 112. The administrator can add a service to the virtual machine 11 by installing an arbitrary program in the virtual machine 11 to be managed. For example, the virtual machine 11 in which the service 111 that provides a firewall function is installed functions as a firewall (FW). A virtual machine 12 in which a service 121 that functions as a WEB server is installed functions as a WEB server. A plurality of services may be installed in one virtual machine.

  The virtual switch 806 includes one or more ports 807, 808, and 809. The virtual NICs 113 and 123 or the interface 804 of the virtual machine are logically connected to each port. The virtual switch 806 transfers a communication packet received by the interface 804 to an appropriate virtual NIC, or transfers a communication packet transmitted by the virtual NICs 113 and 123 to an appropriate virtual NIC or interface 804. In the example of FIG. 2, the virtual NIC 113 is connected to the port 807, the virtual NIC 123 is connected to the port 808, and the interface 804 is connected to the port 809. A communication packet is a minimum unit of data exchanged between devices communicating via a network. The most typical example of the communication packet is an Ethernet (registered trademark) frame. The capture 810 is a function for capturing all communication packets transmitted and received by the virtual switch 806.

  As processing performed by the server 8a, the virtual infrastructure allocates virtual NICs to the virtual machines 11 and 12, and the virtual switch 806 logically connected to the virtual NIC communicates between the interface 804 or the virtual machines 11 and 12. A process of transferring a packet, and a process of recording a communication packet transferred by the capture 810 by the virtual switch 806.

  FIG. 3A is a block diagram illustrating an example of the configuration of the switch 7a. Since the switches 7b to 7h have the same configuration as the switch 7a, overlapping explanations will be given. The switch 7a includes a CPU 71, a memory 72, and a plurality of interfaces 73 as hardware, and each is connected by a bus or the like. The memory 72 includes a routing table 721 that is a table referred to by each process, a flow allocation process 722 that is a process executed by the CPU 71, and a transfer process 723.

  The routing table 721 is a table for determining the interface 73 output from the switch 7a based on the destination address of the communication packet input to the switch 7a. When the switch 7a performs IP (Internet Protocol) routing, a layer 3 routing table is provided. When the switch 7a is a switch that supports Ethernet (registered trademark) fabric or multi-chassis link aggregation, a layer 2 routing table is provided. The switch 7a may include a plurality of layers of routing tables.

  The flow allocation process 722 is a process for allocating communication flows and routing table entries. When one or more communication paths with the same cost exist for the destination as in the Ethernet (registered trademark) fabric or multi-chassis link aggregation, the communication path to be assigned is determined for each communication flow.

  The transfer process 723 refers to the destination address of the communication packet input from the interface 73 and the routing table 721 to determine the interface to be output. When the switch 7a functions as the layer 3 switch 7a, the layer 3 routing table is referred to. When functioning as the layer 2 switch 7a, the layer 2 routing table is referred to. The flow allocation process 722 and the transfer process 723 may be implemented as hardware.

  The processing performed by the switch 7a includes processing for receiving a communication packet by the switch 7a, processing for determining an interface 73 to be output by referring to the routing table 721 from destination information of the communication packet, and processing for transferring the communication packet. Including. When one or more communication paths having the same cost (the number of hops) exist for the destination, the switch 7a determines which communication path is assigned to each communication flow by the flow assignment process 722, and outputs Including a process for determining the interface 73 to be transferred and a process for transferring the communication packet.

  FIG. 3B is a block diagram showing an example of the configuration of the firewall 9a. The firewall 9a includes a CPU 91, a memory 92, and one or more interfaces 93 as hardware, and each is connected by a bus or the like. The memory 92 includes a routing table 921 that is a table referred to by each process, a policy table 922, a transfer process 923 that is a process executed by the CPU 71, an address conversion process 924, an access control process 925, and a log storage process. 926.

  The routing table 921 is a table for determining the interface 93 to be output from the firewall 9a based on the destination IP address included in the communication packet input to the firewall 9a. When the firewall 9a performs IP routing, a layer 3 routing table is provided. The policy table 922 is a table describing rules for functioning as a firewall. Actions such as allowing a specific communication flow to pass through the firewall 9a, rejecting it, or converting an address are described. The address conversion includes all processes for converting the destination address of the IP header such as VIP (Virtual IP) and MIP (Mapped IP), the source address, the destination port number of the TCP or UDP header, and the source port number. .

  The transfer process 923 determines the interface 93 to output by referring to the destination address of the communication packet input from the interface 93 and the routing table 921.

  The address conversion process 924 converts the IP header and the TCP header included in the communication packet received by the firewall 9a in accordance with the description of the policy table 922.

  The access control process 925 discards or allows the communication packet received by the firewall 9a according to the description of the policy table 922.

  The log recording process 926 records a process performed by the firewall 9a for the communication flow. The communication flow is recorded not for each communication packet but for a process in which one or more communication packets are collected, such as for each TCP session. Various processes (923 to 926) executed on the firewall 9a may be implemented as hardware.

  As processing of the firewall 9a, the policy table 922 is referred to for the communication packet input to the firewall 9a, and the operation (pass, reject, address conversion) for the communication packet is determined, and the destination IP address of the communication packet And the process of determining the interface 93 to be output with reference to the routing table 921 and the process of recording the communication flow of the communication packet.

  FIG. 4 is a block diagram illustrating an example of the configuration of the analysis server 1. The analysis server 1 can be realized using a computer including a CPU 401 and a memory 402. The memory 402 stores various programs such as an OS and an analysis program. Each program may be introduced from another device into the storage device via a communication interface 403 or a media interface 404 when necessary, via a medium that can be used by the computer. The medium refers to, for example, a communication medium (that is, a wired, wireless, optical, or other network, a carrier wave or a digital signal that propagates through the network), or an external storage medium 406 that is detachable from the media interface 404. The analysis server 1 may be connected to the console 407 that operates the management server via the input / output device 405.

  The configuration of the capture device 2 is the same as that of the analysis server, and the programs stored on the memory are different. That is, the analysis server 1 is different in that the capture program is stored in the memory and executed by the CPU.

  FIG. 5 is a block diagram illustrating an example of processing executed by the analysis server and data used. The analysis server 1 includes an instruction reception process 501, a setting process 510, a collection process 520, and an analysis process 530 as software components. These software functions as an instruction reception processing unit (501), a setting processing unit (510), a collection processing unit (520), and an analysis processing unit (530).

  The instruction receiving process 501 receives instructions such as the start of collection and the start of analysis specified by the administrator. In response to the received instruction, the setting process 510, the collection process 520, and the analysis process 530 are called. The collection start is an instruction for starting collection of communication record information such as a log or a communication packet for analyzing a network state related to a specific tenant. The analysis start is an instruction for ending log collection for a specific tenant and starting analysis from communication record information such as collected logs or communication packets.

  The setting process 510 includes a collection device selection process 511, a capture setting process 512, and a traffic log collection setting process 513 as components.

  The collection device selection processing 511 refers to the tenant configuration DB 540, identifies the network device and server through which the communication packet of the tenant system passes, determines the device that captures the communication packet, and the device that collects the traffic log as a log.

  The capture setting process 512 sets the packet capture of the communication packet for the network device or the server in accordance with the determination of the collection device selection process 511. The traffic log collection setting process 513 performs settings for collecting traffic logs for network devices, servers, and capture devices in accordance with the determination of the collection device selection processing 511.

  The collection process 520 includes a traffic log collection process 521 and a packet collection process 522 as components. The traffic log collection process 521 collects traffic logs from network devices. The packet collection process 522 collects a captured communication packet file from the capture device or server and stores it in the packet accumulation DB 550.

  The analysis processing 530 includes tenant packet extraction processing 531, arrival determination processing 532, and discard note identification processing 533 as components. The tenant packet extraction processing 531 extracts the tenant communication packet from the communication packet file that may include the tenant communication packet among the communication packets stored in the packet storage DB 550.

  The arrival determination processing 532 compares the extracted tenant communication packets and determines whether or not the communication packets have reached the final destination node of the service. The result determined in the arrival determination process 532 is recorded in the analysis result DB 570. The discard node specifying process 533 specifies at which node the communication packet that has reached the final destination node is discarded, and records it in the analysis result DB 570.

  Here, in the analysis server 1, each function unit such as the setting process 510, the collection process 520, and the analysis process 530 is loaded into the memory 402 as a program. The CPU 401 realizes a predetermined functional unit by performing processing according to the program of each functional unit. For example, the CPU 401 functions as an analysis processing unit by processing according to an analysis program. The same applies to other programs. Furthermore, the CPU 401 is a functional unit that realizes each of a plurality of processes executed by each program. A computer and a computer system are an apparatus and a system including these functional units.

  Information such as programs and tables for realizing each function of the analysis unit is stored in an external storage medium 406, a nonvolatile semiconductor memory, a hard disk drive, a storage device such as an SSD (Solid State Drive), or an IC card, an SD card, a DVD Can be stored in any computer-readable non-transitory data storage medium.

  FIG. 6A, FIG. 6B, FIG. 6C and FIG. 7A, FIG. 7B, FIG. 7C, and FIG. 7D show configuration examples of the tenant configuration DB 540. The tenant configuration DB 540 is a database for managing configuration information of the tenant system.

  The tenant configuration DB 540 includes a tenant identifier 541, a node management table 542, an interface management table 543, a virtual node management table 544, an address conversion table 545, a policy management table 546, a log type management table 547, and an analysis layer management table 548. Each table is managed for each tenant identifier 541.

  The tenant identifier 541 is an identifier for uniquely identifying the tenant system in the data center.

  FIG. 6A is a diagram illustrating an example of the node management table 542 configuring the tenant configuration DB 540.

  The node management table 542 is a table for managing the nodes constituting the tenant system. The node management table includes a node identifier 5421, a node type 5422, a service 5423, a communication type 5424, and an interface identifier 5425 as components.

  The node identifier 5421 is an identifier for uniquely identifying a node in the data center. The node identifier is not only a physical node such as the switch 7, the firewall 9, and the server 8, but also a virtual (or logical) node such as the virtual machines (VM) 11 to 13 and the virtual switch 806. Give an identifier. The node type 5422 indicates the type of node identified by the node identifier.

  The node type 5422 includes a client, a firewall (FW), a virtual machine (VM), a switch (SW), and the like.

  The service 5423 stores the type of service provided by each node. The service 5423 includes a client, a firewall (FW), a web service (WEB), an application (AP), a switch (SW), and the like.

  The communication type 5424 indicates the type of communication performed by the node identified by the node identifier. The communication type 5424 includes “termination” and “transfer”. “Termination” indicates that a communication packet is transmitted and received using the IP address of the interface included in the node. “Forward” indicates that transmission / reception of communication packets using the IP address of the interface included in the node is not performed, but only the forwarding process is performed.

  The interface identifier 5425 is an identifier of an interface included in the node identified by the node identifier. In addition to physical interfaces such as the interface 73 included in the switch 7, the interfaces include virtual interfaces such as the virtual NICs 113 and 123 in the virtual machine and the ports in the virtual switch 806. The interface identifier 5425 is an identifier that can uniquely identify an interface in the data center. The interface identifier 5425 may be an identifier that can be uniquely identified within a node. When an identifier that can be uniquely identified within a node is used, the interface is uniquely identified within the data center using the node identifier and the interface identifier.

  In the node management table 542 shown in FIG. 6A, the node identified by the node identifier N1 indicates that the node type 5422 is a client and has an interface identified by an interface identifier 5425 = I0.

  The node identified by the node identifier 5421 = N3 indicates that the node type 5422 is a virtual machine (VM) and has interfaces represented by interface identifiers I3 and I4.

  FIG. 6B is a diagram illustrating an example of the interface management table 543 configuring the tenant configuration DB 540.

  The interface management table 543 is a table for managing interfaces provided in nodes constituting the tenant system. The interface management table 543 includes an interface identifier 5431, a VLAN 5432, a MAC (Media Access Control) 5433, an IP 5434, a node identifier 5435, and an adjacent interface 5436 as components.

  The interface identifier 5431 is an identifier for uniquely identifying an interface in the data center. The VLAN 5432 registers the VLAN number when the interface indicated by the interface identifier 5431 belongs to the VLAN. If it does not belong to the VLAN, it need not be registered.

  The MAC 5433 indicates a MAC address assigned to the interface indicated by the interface identifier. IP 5434 indicates an IP address assigned to the interface indicated by the interface identifier 5431. The adjacent interface 5436 indicates an identifier of an interface to which the interface indicated by the interface identifier 5431 is connected. The node identifier 5435 stores an identifier corresponding to the node identifier 5421 of the node management table 542.

  FIG. 6C is a diagram illustrating an example of the virtual node management table 544 that configures the tenant configuration DB 540.

  The virtual node management table 544 shows a correspondence relationship between the node identifier 5441 of the virtual node and the node identifier 5442 of the physical node in which the virtual node is arranged. The virtual node management table 544 illustrated in FIG. 6C indicates that the virtual nodes indicated by the node identifiers N3 and N4 are arranged in the physical node indicated by N11.

  FIG. 7A is a diagram illustrating an example of the address conversion table 545 that configures the tenant configuration DB 540.

  The address conversion table 545 is a table for managing an address to be converted in any of the nodes constituting the tenant system. The address conversion table 545 includes, as components, a source IP address and port number 5451 before conversion, a destination address IP address and port number 5452 before conversion, a source IP address and port number 5453 after conversion, and a destination after conversion. An IP address, a port number 5454, and a node identifier 5455 are included.

  The node identifier 5455 is an identifier of a node that performs address conversion. The communication packet corresponding to the source IP address before conversion: port number 5451 and the destination IP address: port number 5452 is the node indicated by the node identifier 5455, and the source IP address after conversion: port number 5453 and the destination. IP address: Indicates that the address is converted to the address and port indicated by the port number 5454. In the figure, “Any” indicates that all IP addresses and port numbers are applicable. In addition, an address or a port number may be specified by a range. Address translation includes address translation by VIP or MIP. When the conversion is “any”, it indicates that no address or port conversion is performed.

  In the example of the address conversion table 545 shown in FIG. 7A, when the node whose node identifier 5455 is N2 receives a communication packet with the destination IP address xxxx and the destination port number 5452 of 80, the destination IP address 5454 is changed to zzzzz. To convert to. The source IP address and source port number are not converted.

  FIG. 7B is a diagram illustrating an example of the policy management table 546 that configures the tenant configuration DB 540.

  The policy management table 546 is a table for managing policies such as firewalls and load balancers constituting the tenant system. The policy management table 546 includes a node identifier 5461, a policy ID 5462, and a policy 5463 as components. The node identifier 5461 is an identifier of a node that executes the process specified by the policy 5463. The policy ID 5462 is an ID of a policy set in the node. The policy 5463 is a policy actually set in the node. In FIG. 7B, the policy ID = 1000 of the node indicated by the node identifier N2 is set to convert the communication packet of the destination IP address xxxx and the destination port number 80 from zone A to zone B to the destination IP address zzz. Indicates that

  Further, the node indicated by the node identifier N3 is set so as to reject a communication packet having a destination IP address from zone C to zone D of zzz and a destination port number of 443. Processing for the passing packet includes denial, passage, address translation (nat), and the like.

  FIG. 7C is a diagram illustrating an example of the log type management table 547 configuring the tenant configuration DB 540.

  The log type management table 547 is a table for managing a method of collecting communication record information such as a log or a communication packet for each node type. The log type management table 547 includes a node type 5471, a log type 5472, a collection node 5473, and a recording node 5474 as components.

  The node type 5471 is a type of a node constituting the tenant system. The node type includes virtual machine (VM), firewall (FW), switch (SW), client, and the like. In the log type 5472, what data is collected from the communication record information of the node indicated by the node type 5471 is set. The log type 5472 includes capture and traffic log. The collection node 5473 describes a node that collects a log or communication packet of the node indicated by the node type 5471. The recording node 5474 describes a node for recording collected node logs or communication packets.

  In the log type management table 547 of FIG. 7C, a node whose node type 5471 is “VM” captures a communication packet with a virtual switch, and indicates that the captured file is recorded in the server. Further, a node whose node type is “FW” records a traffic log in its own node, and indicates that the recorded traffic log is recorded in its own node. Note that the log type management table 547 may manage one log type management table not for each tenant but for the entire data center.

  FIG. 7D is a diagram illustrating an example of the analysis layer management table 548 that configures the tenant configuration DB 540.

  The analysis layer management table 548 is a table representing a correspondence relationship between a layer that analyzes the network state of the tenant system and a node that collects logs or communication packets in order to analyze the corresponding layer.

  The analysis layer 5481 includes service, layer 3, and layer 2. The collection device 5482 includes the node type registered in the node management table constituting the tenant system. The service performs analysis of layer 4 or higher. Layer 3 performs analysis beyond the IP layer. Layer 2 analyzes more than the Ethernet (registered trademark) layer.

  FIG. 8 is a diagram illustrating an example of the packet accumulation DB 550. The packet accumulation DB 550 is a table for managing files that capture communication packets. The packet storage DB 550 includes, as components, an interface identifier 5501, a node identifier 5502, a tenant identifier 5503, a directory 5504, a file name 5505, and a time stamp 5506.

  The interface identifier 5501 is the interface identifier of the interface that captured the communication packet. A node identifier 5502 is an identifier of a node including an interface. The tenant identifier 5503 is an identifier of a tenant related to the communication packet included in the corresponding file.

  A directory 5504 is a directory name in which the captured file is stored, and a file name 5505 is a name of the captured file. The time stamp 5506 includes the time when the capture of the corresponding file starts and the time when it ends.

  9A and 9B are diagrams illustrating an example of the collection management DB 560. The collection management DB 560 is a table for managing the interface being captured. The collection management DB 560 includes a tenant identifier 561, a capture interface management table 562, a traffic log collection management table 563, and a collection interface management table 564 as components.

  The capture interface management table 562 and the traffic log collection management table 563 are managed for each tenant identifier 561.

  FIG. 9A is a diagram illustrating an example of the capture interface management table 562 and the traffic log collection management table 563 included in the collection management DB.

  The capture interface management table 562 is a table for managing an interface captured by the tenant system corresponding to the tenant identifier 561. Constituent elements of the capture interface management table 562 include a target interface 5621, a node identifier 5622 of the collection node, an interface identifier 5623, and a node identifier 5624 of the recording node.

  The target interface 5621 includes an interface identifier, and indicates that a communication packet transmitted and received by the interface specified in this item is captured. The node identifier 5622 of the collection node is an identifier of a node that captures a communication packet transmitted and received by the interface designated by the target interface 5621. The interface identifier 5623 is an identifier of an interface that captures a communication packet transmitted and received by the interface specified by the target interface. The node identifier 5624 of the recording node is an identifier of a node that captures a communication packet transmitted and received by the interface designated by the target interface 5621 and temporarily stores the captured file.

  The traffic log collection management table 563 is a table for managing the identifier 5631 of the node that collects the traffic log, the policy ID 5632, and the policy 5633 in the corresponding tenant system. The policy 5633 defines traffic log collection targets and the like.

  FIG. 9B is a diagram illustrating an example of the collection interface management table 564 included in the collection management DB.

  The collection interface management table 564 is a table for managing interfaces that are capturing communication packets in the data center. The collection interface management table 564 includes, as components, an interface identifier 5641, a node identifier 5642, a tenant identifier 5463, a node identifier 5644 of a recording node, and a file name 5645 of a capture file.

  FIG. 10 is a diagram illustrating an example of a table included in the analysis result DB 570. The analysis result DB 570 is a DB for recording a result of analyzing a network state related to the tenant system. The analysis result DB 570 includes a tenant identifier 571, an arrival determination table 572, and a discard node identification table 573 as components.

  The arrival determination table 572 is a table that records the result of the arrival determination process 532. The arrival determination table 572 includes, as components, a source IP address of a service source node: port number 5721, a destination IP address: port number 5722, a source IP address of a service destination node: port number 5723, and a destination IP address. : Port number 5724, arrival determination 5725, and session information 5726 are included.

  A service transmission source node indicates a node that is a transmission source of application communication, and a service destination node indicates a node that is a destination of application communication. For example, in the case of a Web system, a service transmission source node indicates a client terminal, and a service destination node indicates a Web server. In communication from the Web server to the client terminal, the transmission source and the destination are switched.

  The source IP address of the service source node: port number 5721 indicates the source IP address and port number of the communication packet transmitted by the node that is the source of the service. The destination IP address of the service source node: port number 5722 indicates the destination IP address and port number of the communication packet transmitted by the node that is the source of the service.

  The source IP address of the service destination node: port number 5723 indicates the source IP address and port number of the communication packet that has reached the node that is the destination of the service. The destination IP address of the service destination node: port number 5724 indicates the destination IP address and port number of the communication packet that has reached the node that is the destination of the service.

  The arrival determination 5725 indicates whether or not the communication packet transmitted by the service transmission source node has reached the service destination node. If it has reached, it is registered as “arrived”.

  The session information 5726 indicates the start time and end time of the TCP session including the communication packet transmitted by the service source node.

  The discard node specifying table 573 is a table that records the result of the discard node specifying process 533. The discard node specification table 573 includes, as components, arrival determination 5731, communication packet transmission source IP address: port number 5732, communication packet destination IP address: port number 5733, destination node identifier 5734, node type 5735, action 5736 included. The arrival determination 5731 indicates the result of the arrival determination process 532. Since the discard node specifying process 533 executes only the communication packet that has not arrived as a result of the arrival determination process 532, the arrival determination item is always “unreachable”.

  The source IP address: port number 5732 of the communication packet indicates the source IP address and source port number of the communication packet that has not been reached as a result of the arrival determination processing 532. The destination IP address of communication packet: port number 5733 indicates the destination IP address and destination port number of the communication packet that has not been reached as a result of the arrival determination processing 532. The node identifier 5734 and the node type 5735 of the destination node indicate the node identifier and the node type of the node that is the destination of the unreachable communication packet. In the destination node action 5736, the processing result of the communication packet in the destination node specified in the discard node specifying process 533 is registered. The types of processing results in the present embodiment are “reject”, “pass”, “arrival”, and “unreachable”. “Discard” and “pass” indicate the processing results that the firewall performs on the communication packet when the destination node type is the firewall. When the firewall performs a process other than “reject” and “pass”, the corresponding process may be registered in the process result. “Arrival” indicates that the communication packet has reached the destination node. “Unreachable” indicates that the communication packet has not reached the destination node. The discard node specifying table 573 includes a table for each unreachable communication packet.

  The tenant identifier 571, the arrival determination table 572, and the discard node specification table 573 are managed for each tenant identifier 571.

  11 and 12 are sequence diagrams showing an example of processing executed by the computer system of the present invention.

  The administrator instructs the analysis server 1 from the client 5 to identify the identifier of the tenant whose network state is to be analyzed and log collection (or communication packet collection) for analyzing the network state (S1). This instruction may be issued from the client 5 to the analysis server 1 via the wide area network 6, or may be performed by an administrator operating the console 407 of the analysis server 1. In this embodiment, the administrator operates the client 5 to notify the analysis server 1 of a collection start instruction, layer information for analyzing the network state, and a tenant identifier.

  The analysis server 1 receives a tenant identifier, information on a layer for analyzing the network state, and a collection start instruction instruction via the instruction reception process 501 shown in FIG. The instruction acceptance process calls the collection device selection process 511 of the setting process 510 shown in FIG. 5 since the content of the instruction is “start collection” (S2). In this embodiment, the tenant identifier is 1000, and the analysis layer is “service layer”. Note that the service layer is the fourth layer or higher in the OSI.

  In the collection device selection processing 511 (S2), the communication route and service route of the tenant are calculated as described later, and the device (node and interface) that collects the log or communication packet is selected. Then, the analysis server 1 performs a capture setting process 512 (S3) such as a log or a communication packet recording destination for the selected device.

  Next, in the traffic log collection setting process 513, the analysis server 1 sets the traffic log to be recorded for a node that needs to collect the traffic log (S4).

  When the analysis server 1 completes the setting of the collection target of the communication packet and the collection setting of the traffic log, the analysis server 1 starts collecting the communication packet or the traffic log (S5). Thereafter, the address requested by the client 5 is converted by the FW 9a (S6), and predetermined processing is executed by the VM (FW) 11, VM (WEB) 12, and VM (AP) 13 (S7, S8). .

  FIG. 13 is a flowchart showing an example of processing performed in the collection device selection processing 511 (S2) and capture setting processing (S3) in FIG. In the following description, the processing entity is the collection device selection process 511. However, when the collection device selection process 511 is implemented by a program as described above, the CPU 401 that executes the collection device selection program is the processing entity. Become. The CPU 401 functions as a collection device selection unit. Further, when the collection device selection processing 511 is realized by hardware, a collection device selection unit (not shown) becomes a main subject of the processing. The same applies to other flowcharts.

  The collection device selection processing 511 first calculates a communication path of a communication packet that occurs in association with the tenant system (step 1301). The communication route is calculated by referring to the node management table 542 and the interface management table 543 in the tenant configuration DB 540 of the corresponding tenant and using a known or publicly known route calculation algorithm.

  The configuration of the tenant system 1000 is shown in FIGS. 14A to 14D. FIG. 14A is a block diagram illustrating a logical configuration of the tenant system. 14B, 14C, and 14D are block diagrams illustrating an example of a communication path of the tenant system.

  The logical configuration of the tenant system with tenant identifier = 1000 is shown in FIG. 14A. The tenant system 1000 includes a client 5, a firewall 9a, a virtual machine 11 that provides a firewall service (hereinafter referred to as VM (FW)), a virtual machine 12 that provides a Web server service (hereinafter referred to as VM (WEB)), The virtual machine 13 (hereinafter referred to as VM (AP)) that provides an application server service is used. As shown in FIG. 1, the VM (FW) 11 and the VM (WEB) 12 are arranged in the server 8a, and the VM (AP) 13 is arranged in the server 8c.

  By the route calculation processing 1301, the communication route between nodes whose communication type is “termination” is calculated as shown in FIG. 14B.

  FIG. 14B shows a communication path between the client 5 and the firewall 9a. The interface I0 included in the client 5 communicates with the interface I1 included in the firewall 9a via the switches 7a, 7b, and 7e and the virtual switch 806.

  In the figure, the interfaces included in the nodes are indicated by hexagons. The IP address of the interface I0 is “Any”. When the IP address is “Any”, the corresponding interface can use any IP address. When the client 5a has one or more, or has one or more interfaces, it can be expressed collectively by “Any”, an address range, or the like.

  FIG. 14C shows a communication path between the firewall 9 a and the VM (WEB) 12. The interface I2 included in the firewall 9a is an interface included in the VM (WEB) 12 via the virtual switch 806, the switches 7e, 7b, 7c, 7d, 7f, the virtual switch 806, the VM (FW) 11, and the virtual switch 806. To communicate with I5. Since the switch configuration is a fabric configuration, it passes through one of the switches 7b, 7c, and 7d depending on the communication flow.

  FIG. 14D shows a communication path between the VM (WEB) 12 and the VM (AP) 13. The interface I5 included in the VM (WEB) 12 is included in the VM (AP) via the virtual switch 806, the VM (FW) 11, the virtual switch 806, the switches 7f, 7b, 7c, 7d, and 7g, and the virtual switch 806. It communicates with the interface I6.

  In the collection device selection process of FIG. 13, a service route calculation process 1302 is executed after the route calculation process 1301. In the service route calculation process 1302, the information of the payload portion of the TCP or UDP packet, which is the service layer data included in the communication packet, is finally subjected to address conversion of the IP header and port number conversion of the TCP or UDP header. A route (hereinafter referred to as a service route) to reach a node that is a service destination is calculated.

  For the calculation of the service route, the collection device selection processing 511 refers to the address conversion table 545 in the tenant configuration DB 540 of the corresponding tenant, and the route calculation processing 1301 is performed when address conversion is performed at a node whose communication type is “termination”. The communication paths obtained in (1) are connected by a node that performs address conversion.

  The collection device selection processing 511 refers to the destination IP address before translation in the address translation table 545 shown in FIG. 7A, and identifies the destination IP address 5454 after translation and the node (5455) that performs address translation. Further, the interface management table 543 in FIG. 6B is referred to based on the destination IP address 5454 after conversion, and the identifier 5431 and the node identifier 5435 of the interface that is the end of the service are specified.

  The collection device selection process 511 specifies a route to be connected from the specified interface identifier 5431 and node identifier 5435, and calculates a service route. The communication path calculated by the service path calculation process 1302 is shown in FIG. 15A.

  FIG. 15A is a block diagram illustrating an example of a service route of the tenant system. In FIG. 15A, since the address conversion is performed by the firewall 9a (node N2), FIG. 14B and FIG. 14C of the communication path are connected, and the communication path shown in FIG. 15A is connected to the client 5 (node N1) and the VM (WEB). 12 (node N4) as a service route.

  In the communication path shown in FIG. 14D, since the address conversion is not performed, the communication paths are not connected, and the service path is between the VM (WEB) 12 and the VM (AP) 13. FIG. 15B shows a service path between the VM (WEB) 12 (node N4) and the VM (AP) 13 (node N5).

  In the collection device selection processing 511, the device selection processing by layer 1303 is executed after the service route calculation processing 1302. The layer-specific device selection process 1303 is a process in which the administrator selects a device that collects communication packets and logs according to the layer for which the network state is desired to be analyzed.

  In order to select a device that collects logs or communication packets, the collection device selection processing 511 refers to the analysis layer management table 548 of the tenant configuration DB 540. A device corresponding to the analysis layer instructed by the administrator is selected as a device for collecting logs or communication packets. When the instructed analysis layer is “service”, the node management table 542 of the tenant configuration DB 540 is referred to, and a node whose communication type 5424 is “termination” is selected. In this case, devices that collect logs or communication packets are the client 5, the firewall 9a, the VM (WEB) 12, and the VM (AP).

  When the analysis layer is “Layer 3”, the node management table 542 of the tenant configuration DB 540 is referred to. Among the nodes whose communication type 5424 is “Termination” and the nodes whose communication type 5424 is “Transfer” A node 5423 selects a firewall (FW) and an L3 switch (SW).

  If the analysis layer is “Layer 2”, all nodes are selected.

  In this embodiment, since the analysis layer designated by the administrator is “service”, the client 5, the firewall 9a, the VM (WEB) 12, and the VM (AP) 13 are selected as devices for collecting logs or communication packets. To do.

  If the analysis layer designated by the administrator is “Layer 2” (Yes in Step 1304), the equal cost device selection processing 1305 is executed. The equal cost device selection processing 1305 will be described in detail with reference to FIG. 19B. If the analysis layer is other than “Layer 2” (No in Step 1304), the equal cost device selection processing 1305 is not executed, and the collection method determination processing 1306 is executed.

  When the analysis layer is “service”, the collection device 5482 has the communication type “termination” from the analysis layer management table 548, and the device that collects logs or communication packets from the node management table 542 has the communication type 5424 = “end”. Client 5 (node N1), firewall 9a (node N22), VM (WEB) 12 (node N4), and VM (AP) 13 (node N5).

  The collection method determination process 1306 is a process for determining a communication packet and log collection method for each device that needs to collect communication packets and logs. In order to determine a communication packet or log collection method, the log type management table 547 of the tenant configuration DB 540 is referred to.

  Since the node type of the client 5 is a client, the log type 5472 in the log type management table 547 is “capture”, the collection node is “node including an adjacent interface”, and the collection node is “capture device”. The interface included in the client 5 is I0, and the adjacent interface can be specified as I7 by referring to the interface management table 543. The node including the interface identifier I7 can be identified as the switch 7a (node identifier = N6) by referring to the node management table 542. The node identifier and interface identifier of the identified node are registered in the capture interface management table 562 of the collection management DB 560. The node identifier of the capture device is registered in the node identifier of the recording node.

  In the log type management table 547, the firewall 9a has a log type 5472 of “traffic log”, a collection node of “own node”, and a recording node of “own node”. Since the firewall 9a can use the traffic log for log collection, the communication log is not captured and the traffic log is used for analyzing the network state. The traffic log is a log in which processing performed on a communication session in a firewall, load balancer, or the like is recorded for each set policy.

  When a traffic log is used for log collection, an identifier (5631), a policy ID 5632, and a policy 5633 of the node (FW) collecting the log are registered in the traffic collection management table 563 of the collection management DB 560. In the log type management table 547, when the node type 5471 is “FW”, since the collection node 5473 is “own node”, N2 which is the node identifier of the firewall 9a is registered as the node identifier.

  Also, the collection method determination processing 1306 refers to the policy management table 546 and registers the policy ID set in the node identifier N2 and the policy in the traffic log collection management table 563.

  Since the node type 5471 is VM in the log type management table 547, the VM (WEB) 12 is “capture”, the collection node 5473 is “virtual switch”, and the recording node 5474 is “server”. .

  The collection method determination processing 1306 refers to the node management table 542 of the tenant configuration DB 540 and identifies the node identifier 5421 of the virtual switch to which the VM (WEB) 12 is connected and the interface identifier 5425 of the port. The identified identifier is registered in the node identifier 5622 and interface identifier 5623 of the collection node in the capture interface management table 562 shown in FIG. 9A. Further, the collection method determination processing 1306 refers to the virtual node management table 544 and identifies the server that is the physical node 5442 where the virtual machine is arranged. The identified node identifier 5442 of the server is registered in the node identifier 5624 of the recording node in the capture interface management table 562.

  The VM (AP) 13 has a node type VM. Using the same steps as those for the VM (WEB) 12, the node identifier of the virtual switch to which the VM (AP) 12 is connected, the interface identifier, and the node identifier of the server where the VM (AP) is arranged are captured in the collection management DB 560. Register in the interface management table 562.

  As described above, the node that collects the traffic log and the node and interface that capture the communication packet are determined. Devices that collect traffic logs are shown as double lines in FIG. 15A. In FIGS. 15A and 15B, an interface for capturing a communication packet is indicated by a bold line.

  After the collection device selection process 511, the analysis server 1 executes a traffic log collection setting process 513 (S3 in FIG. 11).

  The traffic log collection setting process 513 is configured to record a traffic log for a node that needs to collect the traffic log. With reference to the traffic log collection management table 563 of the collection management DB 560, a policy to be recorded in the traffic log is notified to the node that records the traffic log, and settings are made so as to start recording the traffic log. Thus, the traffic log collection setting process 513 is completed.

  Following the traffic log collection setting process 513, the analysis server 1 executes a capture setting process 512 (S4 in FIG. 11). The capture setting processing 512 refers to the capture interface management table 562 of the collection management DB 560 generated by the collection device selection processing 511, identifies a device that needs a new capture setting, and performs settings for capture.

  The collection interface management table 564 is a table for managing interfaces being captured in the data center. The capture interface management table 562 is compared with the collection interface management table 564. If an interface registered in the capture interface 662 is not registered in the collection interface management table 564, it is registered in the capture interface management table 562. The node identifier 5622, the interface identifier 5623, the node identifier 5624 of the recording node, and the tenant identifier 561 are registered in the collection interface management table 564.

  For devices that newly start collection, if the collection node and recording node are different, port mirroring is set for the collection node. For the recording node, the capture start is set, and the file name for recording the captured communication packet and the directory for storing the file are registered in the capture file name 5645.

  For the interface that has already been collected, only the tenant identifier 561 is registered.

  Thus, the capture setting process 512 is completed. The analysis server 1 notifies the client 5 that communication packets or logs are ready for collection. This notification may be displayed on the analysis server console 407 or a tenant portal. Further, the notification need not be performed.

  When capturing of a communication packet is started by the capture setting process 512, the packet collection process 522 of the collection process 520 is periodically executed. The packet collection processing 522 refers to the collection interface management table 564 of the collection management DB 560, collects a file in which communication packets are recorded from the recording node, adds a time stamp to the collected file, and stores the collected file in the packet storage DB 550.

  In order to analyze the network state of the tenant, a processing request is transmitted to the tenant system of the data center that is ready to collect communication packets or logs. The processing request from the client 5 is address-converted by the firewall 9a, access controlled by the VM (FW) 11, and reaches the VM (WEB) 12. The communication packet between the VM (WEB) 12 and the VM (AP) 13 is subjected to access control by the VM (FW) 11 and reaches the destination VM. At this time, the communication packet transmitted / received by the client is the switch 7a, the communication packet transmitted / received by the VM (WEB) 12 is transmitted by the virtual switch 806, and the communication packet transmitted / received by the VM (AP) 13 is transmitted by the capture function 810 of the virtual switch 806. Captured. A traffic log is recorded in the firewall 9a.

  FIG. 12 shows a sequence diagram after the analysis start instruction.

  The administrator instructs the analysis server 1 to collect an identifier of a tenant who wants to analyze the network state and a log or communication packet for network state analysis. This instruction may be performed from the client 5 via the wide area network 6 or may be performed by the administrator operating the console of the analysis server. In this embodiment, the tenant administrator operates the client 5 to notify the analysis server 1 of an analysis start instruction and a tenant identifier (S11).

  The analysis server 1 receives a tenant identifier and an analysis start instruction instruction via the instruction reception process 501. When the content of the instruction is “analysis”, the instruction reception process calls the traffic log collection process 521 of the collection process 520 (S12).

  The traffic log collection processing 521 refers to the traffic log collection management table 563 of the tenant that has issued the analysis start instruction, notifies the node that records the traffic log in relation to the tenant, and responds to the policy ID or policy. A traffic log is collected (S13).

  Following the traffic log collection process 521, the traffic log collection setting process 521 is called. When the instruction is “start analysis”, the traffic log collection is terminated. With reference to the traffic log collection management table 563 of the corresponding tenant, the node that records the traffic log is set to end the recording (S14, S15).

  Next to the traffic log collection setting process 513, the capture setting process 512 is called (S16). When the instruction from the client 5 is “analysis start”, the capture setting processing 512 ends the collection of communication packets of the related tenant.

  The analysis server 1 refers to the collection interface management table 564 and deletes the tenant identifier of the corresponding tenant. If all tenant identifiers registered in the collection interface are deleted by deleting the tenant identifier of the corresponding tenant, the corresponding interface is deleted from the collection interface management table 564.

  When deleting an interface from the collection interface management table 564, the port mirroring setting is canceled for the node including the interface and the collection node, and the capture is set to end.

  After canceling the collection setting, the analysis processing 530 is called to analyze the network state of the tenant system. In the analysis process 530, first, the tenant packet extraction process 531 is called (S17).

  In the tenant packet extraction process 531, the stored file management table 551 of the packet storage DB 550 is referred to extract a capture file including the communication packet of the corresponding tenant.

  Thereafter, in order to analyze the network state between the nodes serving as service endpoints, the arrival determination process 532 is called (S18).

  The arrival determination process 532 is a process for referring to the service route of the corresponding tenant and determining whether or not a communication packet has arrived between nodes serving as service endpoints. FIG. 16A is a flowchart illustrating an example of processing performed in the arrival determination processing 532.

  First, the analysis server 1 refers to the service route shown in FIG. 15A and selects a node and an interface that are service endpoints (step 1601). As shown in FIG. 15A, in the tenant system 1000, the nodes serving as the end points of the service route (c1) are the client 5 (node N1) and the VM (WEB) 12 (node N4), and communication that these nodes transmit and receive. Interfaces for capturing packets are the interface I7 of the switch 7a (node N8) and the interface I10 of the virtual switch 806 (node N7). The arrival determination process 532 refers to the packet accumulation DB 550 and acquires a capture file in which a communication packet transmitted / received by an interface serving as an end point of the selected service route is recorded.

  Next, packet comparison processing 1602 is executed. FIG. 17 is a flowchart illustrating an example of processing performed in the packet comparison processing 1602. The packet comparison processing 1602 compares the communication packets captured at two points, and determines whether or not the communication packet transmitted from the interface serving as one end point of the service route has reached the interface serving as the other end point. It is processing.

  First, one communication packet transmitted by the corresponding interface is selected as a comparison source packet from a file obtained by capturing one interface (step 1701).

  When the IP address of the comparison source packet, the TCP / UDP port number, etc. are converted and transferred to the node serving as the service end point (Yes in Step 1702), the IP address after conversion is referred to the address conversion table 545. Then, a TCP / UDP checksum of the converted comparison source packet is calculated using the TCP / UDP port number and the like (step 1703).

  One communication packet is acquired as a comparison destination packet from a file obtained by capturing the other interface of the service path (step 1704). The comparison source packet selected in Step 1701 is compared with the TCP / UDP checksum of the comparison destination packet (Step 1705). When the IP address and TCP / UDP port number are converted, the checksum value to be compared is the checksum calculated in step 1705 and the checksum of the comparison destination packet, and the IP address and TCP / UDP port number. Is not converted, it is the checksum of the comparison source packet and the comparison destination packet acquired in step 1701.

  If the checksums match (Yes in Step 1706), the payload portions of TCP / UDP are compared (Step 1707). If the two packets including the payload portion match (Yes in step 1708), it is determined that the comparison source packet transmitted from the interface serving as the end point of the service route has reached the interface serving as the end point of the other service route. (Step 1713).

  If the checksums do not match (No in step 1706), it is determined that the comparison source packet and the comparison destination packet have different payload information. It is determined whether comparison of all communication packets included in the comparison target file has been completed (step 1709). If the comparison of all communication packets has not been completed (No in step 1709), the process returns to step 1704 and continues. When the comparison of all communication packets is completed (Yes in Step 1709), it is determined that the comparison source packet has not reached the interface that is the other end point of the service route (Step 1710).

  Thus, the packet comparison process 1602 ends. Returning to FIG. 16A, the arrival determination process 532 will be described. After the execution of the packet comparison process 1602, the arrival determination process 532 refers to the packet accumulation DB 550 and identifies information on the session including the comparison source packet (step 1603). The session is from TCP connection establishment to termination, and can be specified using a signaling packet such as TCP SYNC, AC, FIN, and the sequence number. The time when the TCP session including the comparison source packet is started when the TCP SYNC packet is transmitted, the time when the TCP session including the comparison source packet is completed when the FIN packet is transmitted, and the amount of data transmitted from the start to the end Identify.

  Next, the processing results of steps 1602 and 1603 are recorded in the arrival determination table 572 (step 1604). The arrival determination processing 532 shows the source and destination IP addresses of the comparison source packet and the TCP / UDP port used in the packet comparison processing 1602 in the service source node column (57, 215, 722) of the arrival determination table 572. And the source and destination IP addresses of the comparison destination packet and the TCP / UDP port are recorded in the service destination node fields (57, 235, 724). If it is determined that the communication packet has arrived as a result of the packet comparison process 1602, “arrival” is recorded in the arrival determination (5725) column, and “unreachable” is recorded in the arrival determination column. The session start time and end time specified in the session calculation (step 1603) and the amount of data transmitted from the start to the end of the session are recorded in the session column (5726).

  When the comparison of the communication packets transmitted by the selected node has been completed for the capture file acquired in step 1601 (Yes in step 1605), the arrival determination process ends. If all communication packet comparisons have not been completed, the process returns to step 1602 to continue the processing.

  Thus, the arrival determination process 532 is completed. The arrival determination process 532 is executed for all interfaces that are end points of the service route. After the arrival determination process 532 ends, the discard node specifying process 533 is executed (S19 in FIG. 12).

  FIG. 16B is a flowchart illustrating an example of the discard node specifying process. The discard node specifying process 533 is a process for specifying a discarded node for the communication packet determined to have not arrived in the arrival determination process 532.

  First, the discard node specifying process 533 uses the arrival determination table 572 to determine the source and destination IP addresses and port numbers (57, 215,...) Of the communication packet transmitted by the service transmission source node whose determination result 5725 is “unreachable”. 722) is selected (step 1606).

  Next, the discard node specifying process 533 performs the interface management table 543, the collection device selection based on the information of the transmission source IP address and the destination IP address recorded in the service transmission source node column of the arrival determination table 572. With reference to the communication path calculated in the path calculation process 1301 of the process 511, the node that is the end point of the communication path is specified. (Step 1607).

  The discard node specifying process 533 refers to the log type management table 547, and if the node log type 5472 is “traffic log” (Yes in step 1608), the session comparison process 1609 is executed.

  An example of processing performed in the session comparison processing (1609) is shown in the flowchart of FIG. The session comparison process 1609 first acquires the traffic log of the corresponding node (step 1801). The traffic log is collected and retained in step S13 of FIG.

  The session information recorded in the acquired traffic log is compared with the session information recorded in the session information 5726 column of the arrival determination table 572. The source and destination IP addresses recorded in the traffic log are compared with the port number and data amount. If they match (Yes in step 1802), the session start time and end time are compared. If there is no traffic log having the same IP address, port number, and data amount (No in step 1802), the process ends.

  There is a time difference between the start and end times of the session registered in the arrival determination table 572 and the start and end times of the session recorded in the traffic log due to network transfer delay and jitter. Therefore, when the difference between the start time and the end time is equal to or smaller than a predetermined threshold (Yes in Step 1803), it is determined that the traffic logs match (Step 1804). On the other hand, if the time difference exceeds the threshold (No in step 1804), the process ends.

  The session comparison process 1609 may differ depending on the traffic log format. For example, in a format in which header information of a communication packet and an action to the communication packet are recorded in a traffic log, header information such as an IP address, a port number, and an identifier recorded in the traffic log, and an IP of the captured communication packet The header information such as the address, port number, and identifier may be compared, and if they match, it may be determined that the traffic logs match.

  This is the end of the session comparison process 1609. Returning to FIG. 16B, the discard node specifying process 533 will be described.

  When the log type of the node is “capture” (No in step 1608), based on the unreachable communication packet acquired in step 1606 and the capture file of the interface that is the destination of the communication packet specified in step 1707, The packet comparison process (1602) shown in FIG. 17 is executed.

  The discard node specifying process 533 updates the discard node specifying table 573 after the session comparison process (1609) or the packet comparison process (1602) ends. In the node identifier 5734 and the node type 5735 of the destination node, the node identifier and the node type specified in steps 16, 071 and 608 are recorded. The action 5736 records the action recorded in the traffic log or the judgment result of the packet comparison process.

  If the action 5736 of the discard node specification table 573 is rejection, it is specified that the communication packet is discarded at the destination node. When the action 5736 has not yet been reached, it is discarded at any node before the destination node on the communication path, and the range of the discarded nodes can be specified. When the action 5736 is passing or reaching, it is discarded at any node after the destination node, and the range of discarded nodes can be specified.

  If the discard node is specified (Yes in step 1611), the process is terminated. When the range of the discard node is specified and the log or the communication packet is collected in the node included in the range of the discard node (Yes in Step 1612), the node is selected from the nodes included in the range of the discard node. The process from step 1608 is repeated. If the range of the discard node is specified but the node collecting the log or the communication packet is not included (No in step 1612), the process ends.

  From the above, it is possible to specify the range of nodes that have discarded unreachable packets or nodes that have discarded unreachable packets.

  In this embodiment, the communication packet transmitted / received by the client 5 is captured by the switches 7a to 7h in the data center 100. However, the communication packet transmitted / received by the client 5 is captured by the client 5 itself and the switch in the data center 100. It is also possible to specify a communication packet discarded in the wide area network 6 that connects the client 5 and the data center 100 by capturing at both 7a to 7h.

  According to the present embodiment, by using the tenant configuration information, the communication packet arrival determination between the nodes serving as service endpoints is first performed, thereby analyzing the network state between the nodes serving as service endpoints. Can be done quickly.

  Also, by selecting the node that collects communication packets and traffic logs using the tenant configuration information, it is possible to reduce the amount of data for packet comparison with the nodes that collect communication packets and logs. it can.

  Furthermore, by preparing in advance the correspondence between the layer that analyzes the network status of the tenant and the types of nodes that need to collect logs or communication packets to analyze the network status of the corresponding layer, Collection equipment can be determined quickly.

  In addition, not only the communication packet capture but also the traffic log is used for the network state analysis, so that the number of communication packet comparisons can be reduced and the network state can be analyzed quickly.

  Next, the equal cost device selection process performed in step 1305 of the collection device selection process in FIG. 13 will be described. FIG. 19B is a flowchart illustrating an example of equal cost device selection processing. FIG. 19A is a diagram illustrating an example of a switch management table.

  In the equal cost device selection processing 1305, an example in which the network state is analyzed for layer 2 will be described. The analysis server 1 further includes a switch management table 549 in the tenant configuration DB 540, as shown in FIG.

  The switch management table 549 is a table for managing the flow allocation algorithm used in the flow allocation processing 722 of the switches 7a to 7h constituting the tenant system. The switch management table 549 includes node identifiers 5491 of the switches 7a to 7h and a flow allocation algorithm 5492.

  In FIG. 19B, the equal cost device selection processing 1305 is based on the communication flow that can occur in the tenant system when there are one or more routes with the same cost, such as fabric or multi-chassis link aggregation. And a switch through which a communication packet generated in the tenant system passes is selected.

  The equal cost device selection processing 1305 selects a branch node to the equal cost route from the service route of the tenant system (step 2001). In the service route of FIG. 15A, the communication route between the client 5 and the VM (WEB) 12 can select three routes via any of the switches 7b, 7c, and 7d, and the switches 7e and 7f are branch nodes. is there. In the service route of FIG. 15B, as the communication route between the VM (WEB) 12 and the VM (AP) 13, three routes that pass through any of the switches 7b, 7c, and 7d can be selected, and the switches 7b and 7g It is a branch node.

  The equal cost device selection processing 1305 identifies the branch node, and then refers to the switch management table 549 to identify the flow allocation algorithm 5492 of the branch node. The switches 7a to 7h use various flow allocation algorithms depending on the vendor providing the switch and the model. For example, in the switch management table 549 shown in FIG. 19A, the node indicated by the node identifier N8 assigns a communication flow path using the hash value of the destination MAC address and the source MAC address of the Ethernet frame included in the communication packet. It is registered. Further, the flow allocation algorithm of the node represented by the node identifier N9 is unknown.

  In the case where the flow allocation algorithm is known (Yes in step 2002) as in the node represented by the node identifier N8, the equal cost device selection processing 1305 performs service according to the flow allocation algorithm 5492 registered in the switch management table 549. A communication path through which the communication flow passes is specified in the path (step 2003).

  The equal cost device selection processing 1305 leaves the nodes on the communication path specified in step 2003 from the nodes selected in the layer-specific device selection processing 1303 shown in FIG. 13, and calculates the number of hops as the cost of the communication path. If there are a plurality of communication paths, the number of hops is calculated for each communication path (step 2004).

  The equal cost device selection processing 1305 excludes a node that does not become a communication path when there are a plurality of communication paths having the same cost (step 2005).

  On the other hand, when the flow allocation algorithm is unknown or not known (No in step 2002) as in the node represented by the node identifier N9 shown in FIG. 19A, the processing is terminated without narrowing down the devices.

  20A and 20B are block diagrams illustrating examples of service paths. In FIG. 20A and FIG. 20B, the nodes excluded from the devices that collect communication packets or logs by the equal cost device selection processing 1305 are indicated by double lines. In FIG. 20A, switches 7b and 7d have the same cost as the communication path of switch 7c, but switches 7b and 7d are not communication paths, and thus are excluded from the collection targets of communication packets and logs.

  As described above, the analysis server 1 manages the flow allocation algorithm of the switches 7a to 7h when there are one or more equal-cost communication paths such as fabric or multi-chassis link aggregation. When the devices that pass through can be calculated in advance, devices that do not pass communication packets can be excluded from the collection target of logs (or communication packets). As a result, the amount of data collected for communication packets and logs can be reduced, and the time required for analysis can be reduced.

  As described above, if the analysis target layer is “Layer 3” or higher, the node selected in the device selection processing by layer 1303 is a device that collects communication packets and logs, and the analysis target layer is “Layer 2”. If there is, after selecting all the nodes, the nodes that are not communication paths are excluded. As a result, by narrowing down the communication packet and log collection target nodes from the communication path used by the tenant system, the amount of data can be reduced and the time required for analysis can be shortened.

  In the first embodiment, the analysis server 1 and the capture device 2 are configured by independent computers. However, the analysis server processing and the capture processing may be executed by the same computer.

  In the second embodiment, an example will be described in which a capture of a communication packet transmitted and received by a virtual machine is performed by deploying a capture-dedicated virtual machine. The capture-dedicated virtual machine may be a virtual machine in which packet capture software is installed or a virtual machine having a packet capture function provided by OF (Open Virtualization Format) or the like.

  FIG. 25 is a block diagram illustrating an example of a computer system according to the second embodiment.

  In the configuration of the computer system in the second embodiment, the capture device 2 in the first embodiment is arranged in the virtual machine 2A of the server 8b, and information for managing the capture virtual machine 2A is added to the analysis server 1. Other configurations are the same as those of the first embodiment.

  In order to determine a network in which the virtual machine 2A that captures communication packets transmitted and received by the virtual machines 11, 12, and 13 is arranged, the analysis server 1 includes an interface group management table 2201 in addition to the configuration of the first embodiment. , A capture node management table 2202 for constructing and setting the capture virtual machine 2A, a collection method determination process 1306a and a capture setting process 512a corresponding to the capture-dedicated virtual machine.

  FIG. 21A is a diagram showing an example of the interface group management table 2201. The interface group management table 2201 includes, as components, an interface identifier 22011 and a group identifier 22012 for managing a group to which the interface belongs. A typical example of the interface group is a port group in the virtual switch 806. The virtual switch 806 associates each port with a port group in order to set a VLAN or the like by bundling a plurality of ports.

  FIG. 21B is a diagram showing an example of the capture node management table 2202. The capture node management table 2202 includes a target interface 22021, an interface group 22022, a physical node 22023, a collection / record node 22024, and a collection / record interface 22025 as components. The target interface 22021 is an interface identifier of an interface to be captured. The interface group 22022 is an identifier of a group to which the interface of the virtual switch connected to the interface to be captured belongs. The physical node 22023 is a node identifier of the physical node where the virtual switch 806 is deployed. The collection / recording node 22024 is a node identifier of the capture-only virtual machine 2A, and the collection / recording interface 22025 is an interface identifier of an interface provided in the capture-only virtual machine 2A.

  In the collection method determination process 1306a corresponding to the capture-only virtual machine 2A, in addition to the collection method determination process 1603 described in the first embodiment, the node type 5471 in the log type management table 547 of the tenant configuration DB 540 is “VM”. The log type 5472 is “capture”, the collection node 5473 is “capture VM”, and the recording node 5474 is a process corresponding to “capture VM”. Other processes are the same as those in the first embodiment.

  A description will be given based on an example in which a communication packet transmitted / received by the VM (WEB) 12 is captured by the virtual machine 2A.

  When the analysis server 1 captures the communication packets of the virtual machines 11, 12, and 13 with the capture-only virtual machine 2 </ b> A, the log type management table 547 includes “VM” for the node type 5471 and “Capture” for the log type 5472. In advance, “capture VM” is registered in the collection node 5473 and “capture VM” is registered in the recording node 5474 in advance.

  When the collection node 5473 is “capture VM”, the analysis server 1 refers to the node management table 542 and the interface management table 543 of the tenant configuration DB 540 and refers to the node identifier 54 of the virtual switch 806 to which the VM (WEB) 12 is connected, 235 and 431 and the port interface identifier 5431 are specified.

  The node identifier of the virtual switch 806 to which the VM (WEB) 12 is connected is N7, and the interface identifier of the port 808 of the virtual switch is I10. Based on the interface identifier = I10 of the identified interface, the analysis server 1 refers to the interface group management table 2201 and identifies the interface group to which the port 808 of the virtual switch 806 to which the VM (WEB) 12 is connected belongs. The analysis server 1 can identify the interface group identifier 22012 to which the interface identifier = I10 belongs as NW50.

  The analysis server 1 registers the interface identifier I5 of the VM (WEB) 12 in the target interface 22021 of the capture node management table 2202, and the identified interface group NW50 in the interface group 22022 of the capture node management table 2202.

  Furthermore, the analysis server 1 refers to the virtual node management table 544 based on the identified node identifier N7 of the virtual switch 806, and identifies a server that is a physical node in which the virtual switch 806 is arranged. The identified node identifier 5442 of the server is registered in the physical node 22023 of the capture node management table 2202.

  In the collection / record node 22024 and the collection / record interface 22025, when the capture-only virtual machine 2A is generated, the analysis server 1 registers the node identifier and interface identifier of the generated virtual machine 2A.

  As described above, in order to capture the communication packet of the target virtual machine, the interface group to which the node of the virtual machine 2A dedicated for capture and the interface of the virtual switch 806 connected to the virtual NICs 113 and 123 of the virtual machine belong is specified. can do. Thus, the collection method determination process 1306a ends.

  Next, the capture setting process 512a corresponding to the capture-only virtual machine 2A will be described. In addition to the processing described in the first embodiment, the capture setting processing 512a refers to the capture node management table 2202, and constructs and sets a capture virtual machine 2A.

  FIG. 22 is a flowchart illustrating an example of the capture setting process 512a. First, the capture setting process 512a selects an interface registered in the target interface 22021 of the capture node management table 2202, and specifies the node identifier (22023) of the server that provides the virtual machine including the target interface 22021 (step 2301). ).

  In the capture node management table 2202 shown in FIG. 21B, the server on which the target interface 22021 = I5 and the virtual switch 806 connected to the target interface are arranged is a node indicated by N11 by referring to the column of the physical node 22023. It can be identified as a certain server 8a.

  The capture setting process 512a determines whether or not the capture virtual machine 2A of the corresponding tenant is constructed on the virtual infrastructure 805 of the identified server 8a (step 2302). When the virtual machine 2A is not constructed (No in Step 2302), the capture setting process 512a instructs the virtual infrastructure 805 of the identified server 8a to generate the capture virtual machine 2A (Step 2305).

  After constructing the capture virtual machine 2A, the virtual infrastructure 805 adds a virtual NIC to the constructed virtual machine 2A (step 2306), so that the added virtual NIC belongs to the same interface group as the virtual machine to be captured. Is set by the capture setting processing 512a (step 2307). After the setting is completed, the capture software of the virtual machine 2A is executed by specifying the interface (22011) to be captured and the file name.

  The capture setting process 512 a registers the node identifier of the recording / collection node 22024 registered in the capture node management table 2202 in the fields of the node identifier 5642 and recording node 5644 of the collection interface management table 564. The capture setting process 512 a registers the interface identifier of the collection / record interface 22025 in the interface identifier 5641 of the collection interface management table 564. Further, the directory and file name specified when executing the tenant identifier 5543 and the capture software are registered in the capture file name 5645 column.

  The capture setting processing 512a does not construct a new capture virtual machine when the capture virtual machine 2A of the corresponding tenant is constructed on the virtual infrastructure 805 of the identified server 8a (Yes in step 2302). . The capture setting process 512a acquires an interface group identifier 22012 including a port to which the virtual NIC of the configured capture virtual machine 2A is connected, and compares it with an interface group registered in the capture node management table 2202. If the interface groups do not match (No in Step 2303), a virtual NIC is added to the capture virtual machine 2A and an interface group is set (Steps 2306 and 2307). Then, the capture setting process 512a registers an interface identifier 5641, a node identifier 5642, a tenant identifier 5634, a recording node 5644, and a capture file name 5645 in the collection interface management table 564.

  If the interface groups match (Yes in step 2303), the interface identifier registered in the collection / record interface 22025 of the capture node management table 2202 is acquired from the interface identifier 5641 of the collection interface management table 564, and only the tenant identifier 5463 is acquired. Register.

  Thus, the capture setting process 512a ends. Other processes are the same as those in the first embodiment.

  As described above, communication packets of the virtual machines 11 to 13 can be captured using the capture virtual machine 2A. According to the capture setting process in the second embodiment, even if a plurality of virtual machines are constructed on one server, if the interface groups match, a plurality of virtual machines can be used with one capture virtual machine 2A. The communication packet of the machine can be captured, and the number of capture virtual machines 2A can be reduced.

  In the third embodiment, the correspondence between the service provided by the tenant system and the port number of the protocol used by the service is managed, and the service continues before and after the setting of the IP address and port number of the virtual machine providing the service is changed. An example of analyzing what is being done will be described.

  The system configuration in the third embodiment is the same as that in the first embodiment. The analysis server 1 includes all the processes and DBs described in the first embodiment. Further, in the tenant configuration DB 540, the service port management table 2401 in which the correspondence between the service provided by the tenant system and the port number used by the service is registered, and the components of the arrival determination table 572 of the first embodiment are included. And an arrival determination table 572A to which a provision service 5727 is added.

  FIG. 23A is a diagram illustrating an example of the service port management table 2401 according to the third embodiment. The service port management table 2401 includes a service providing node 24011, a service 24012, a protocol 24013, and a port number 24014 as components.

  The service providing node 24011 is a node identifier of a node that provides a service. The service 24012 is a name of a service provided by the node indicated by the service providing node. Examples include HTTP (Hyper text Transport Protocol) and FTP (File Transport Protocol). The protocol 24013 is a type of protocol used for providing a service. Examples include TCP, UDP, ICMP, and the like. The port number 24014 is a port number used for providing a service.

  FIG. 23B is a diagram illustrating an example of the arrival determination table 572A according to the third embodiment. The arrival determination table 572A is obtained by adding a provision service 5727 for storing the name of the service provided by the node to the arrival determination table 572 of the first embodiment, and the other configurations are the same as those of the first embodiment.

  The administrator instructs the analysis server 1 to start collecting information and start analysis before requesting to change the settings of the virtual machine that provides the service, and requests network state analysis related to the tenant system.

  The logical configuration of the tenant system is as shown in FIG. 14A and is the same as that of the first embodiment. Similar to the first embodiment, the analysis server 1 analyzes the network configuration of the tenant system.

  FIG. 24 is a flowchart showing an example of the arrival determination process 532a in the third embodiment. In the arrival determination process 532a in the third embodiment, a service specifying process 2501 is added after the session calculation 1603 shown in FIG. 16A of the first embodiment, and other configurations are the same as those in the first embodiment. This is similar to the example arrival determination process 532.

  The service specifying process 2501 in FIG. 24 refers to the service port management table 2401 of the corresponding tenant from the destination IP address and port number of the comparison destination packet specified in the packet comparison process 1602 (see FIG. 17), and becomes the service destination. The service 24012 provided by the node is specified.

  In step 1604, in addition to the processing results of steps 1602 and 1603, the analysis server 1 registers the service specified in the service specifying process 2501 in the provided service 5727 column of the arrival determination table 572 A, and stores the arrival determination table 572 A before the change. create.

  As described above, in the tenant system before the setting change, the arrival determination table 572A including the list of services that have reached the communication destination node can be created.

  After the setting of the virtual machine that provides the service by the administrator is changed, the analysis server 1 changes the registered contents of the various tables of the tenant configuration DB 540 that need to be changed along with the setting change. For example, when the destination IP address of the virtual machine is changed, it is necessary to change to the node management table 542, the interface management table 543, the address management table 545, and the policy management table 456.

  After changing the tenant configuration DB 540, the administrator instructs the analysis server 1 to start collecting information and starting analysis, and to instruct the network state analysis related to the tenant system. The analysis server 1 performs the same processing as before the change, and creates an arrival determination table 2402b that includes a list of services that have reached the destination node of the service in the tenant system after the setting change.

  The services included in the arrival determination table 2402a before the setting change and the arrival determination table 2402b after the setting change are compared. When all the services included in the arrival determination table 2402a before the setting change are included in the arrival determination table 2402b after the setting change, it can be determined that all the services continue after the setting change. On the other hand, if the service included in the arrival determination table 2402a before the setting change is different from the service included in the arrival determination table 2402b after the setting change, it is determined that the service could not be continued due to the setting change. The node that has discarded the communication packet of the service that could not be continued can be specified by the discard node specifying process.

  As described above, it is possible to analyze that the same service continues before and after the setting change of the virtual machine that provides the service.

  The configuration of the computer, the processing unit, the processing unit, and the like described in the present invention may be partially or entirely realized by dedicated hardware.

  In addition, the various software exemplified in the present embodiment can be stored in various recording media (for example, non-transitory storage media) such as electromagnetic, electronic, and optical, and through a communication network such as the Internet. It can be downloaded to a computer.

  The present invention is not limited to the above-described embodiments, and includes various modifications. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described.

DESCRIPTION OF SYMBOLS 1 Analysis server 2 Capture apparatus 5 Client 6 Wide area network 7a-7h Switch 8a-8f Server 9a File and wall 10a Load balancer 11, 12, 13 Virtual machine 111, 121 Service 112 122 OS
113, 123 Virtual NIC
71, 91, 401, 802 CPU
72, 92, 402, 803 Memory 73, 93, 403, 804 Interface 404 Media interface 405 Input / output device 406 External recording medium 407 Console 501 Instruction reception processing 510 Setting processing 511 Collection device selection processing 512 Capture setting processing 513 Traffic log collection setting Processing 519 Switch management table 520 Collection processing 521 Traffic log collection processing 522 Packet collection processing 530 Analysis processing 531 Tenant packet extraction processing 532 Arrival determination processing 533 Discard node identification processing 540 Tenant configuration DB
541, 561, 571 Tenant identifier 542 Node management table 543 Interface management table 544 Virtual node management table 545 Address translation table 546 Policy management table 547 Log type management table 548 Analysis layer management table 550 Packet storage DB
560 Collection management DB
562 Capture interface management table 563 Traffic log collection management table 564 Collection interface management table 570 Analysis result DB
572 Arrival determination table 573 Discarded node specification table 721, 921 Routing table 722 Flow allocation processing 723 923 Transfer processing 806 Virtual switch 807, 808, 809 Port 810 Capture function 922 Policy table 924 Address conversion processing 925 Access control processing 926 Log recording processing

Claims (15)

An analysis server that analyzes a network state of one or more tenants constructed on an information processing system including a server and a network device,
The analysis server
Configuration information of nodes constituting the network of the information processing system of the tenant;
Based on the configuration information, a setting processing unit that selects a node that collects communication record information among nodes of the network;
A collection processing unit for causing the selected node to collect the communication record information;
An analysis processing unit that acquires the collected communication record information and analyzes the state of the network, and
The analysis processing unit
A service route calculation processing unit for calculating a communication route of a communication packet between nodes serving as end points of an analysis target layer in the network;
The communication record information of the first node that is the first endpoint of the analysis target layer is compared with the communication record information of the second node that is the second endpoint, and the communication packet of the first node is: An arrival determination processing unit for determining that the second node has been reached;
A specific processing unit that identifies a node that has discarded a communication packet that has not reached the second node;
An analysis server comprising: The analysis server according to claim 1,
The setting processing unit
For each layer that analyzes the state of the network, maintain a correspondence with a node that collects communication record information in order to analyze the state of the network;
An analysis server that receives the analysis target layer and selects a node that collects communication record information based on the analysis target layer and the correspondence relationship. The analysis server according to claim 2,
The setting processing unit further includes:
Holding the correspondence between the type of the node constituting the information processing system of the tenant and the node collecting the communication record information of the node;
An analysis server, wherein a node that collects the communication record information is selected based on the correspondence relationship. The analysis server according to claim 3,
The network is
Including multiple communication paths with equal communication costs,
The setting processing unit further includes:
Holding a correspondence relationship between the nodes constituting the information processing system of the tenant and the flow allocation algorithm in the plurality of communication paths used by the node;
An analysis server characterized in that, based on the correspondence relationship, a node through which a communication packet of the tenant does not pass is excluded from a node that collects communication record information. The analysis server according to any one of claims 1 to 4, wherein
The specific processing unit is
The communication record information of the destination node included in the unreachable communication packet is compared with the communication record information of the first node, and the node or the range of nodes that discarded the unreachable communication packet is specified. An analysis server characterized by The analysis server according to claim 5,
The communication record information is
Including traffic logs,
The arrival determination processing unit further includes:
Calculating session information including a communication packet that has not reached the second node;
The specific processing unit is
Selecting a node that is an end point of a communication path from the nodes that collect the communication record information, and when the communication record information of the selected node is a traffic log, the session information calculated by the arrival determination processing unit, An analysis server characterized by comparing with session information recorded in the traffic log and identifying a node that has discarded the unreachable communication packet. The analysis server according to claim 1,
The communication record information is
Including the communication packet;
The arrival determination processing unit
Comparing the checksum of the TCP or UDP header of the communication packet recorded in the communication record information of the first node and the communication packet recorded in the communication record information of the second node as the other end point, An analysis server characterized by comparing TCP or UDP payloads when checksums match and determining arrival when the payloads match. The analysis server according to claim 7,
The arrival determination processing unit further maintains a correspondence relationship between the IP address before conversion and the TCP or UDP port number, and the IP address after conversion and the TCP or UDP port number, which are converted by the information processing system of the tenant. ,
Calculating the converted TCP or UDP checksum of the communication record information recorded at the first node;
An analysis server that compares the calculated checksum with a TCP or UDP checksum of communication record information recorded in the second node. An analysis method for analyzing a state of a network of one or more tenants constructed on an information processing system including a server and a network device by a computer including a processor and a memory,
A first step in which the computer selects a node that collects communication record information among nodes of the network based on configuration information of a node that configures a network of the information processing system of the tenant;
A second step in which the computer collects the communication record information in the selected node;
A third step in which the computer acquires the collected communication record information and analyzes a state of the network;
The third step includes
Calculating a communication path of a communication packet between nodes serving as end points of an analysis target layer in the network;
The communication record information of the first node that is the first endpoint of the analysis target layer is compared with the communication record information of the second node that is the second endpoint, and the communication packet of the first node is: Determining that the second node has been reached;
Identifying a node that has discarded a communication packet that has not reached the second node. The analysis method according to claim 9, comprising:
The first step includes
For each layer that analyzes the state of the network, holds a correspondence relationship with a node that collects communication record information to analyze the state of the network, accepts the analysis target layer, and corresponds to the analysis target layer and the correspondence An analysis method comprising: selecting a node that collects communication record information based on the relationship. The analysis method according to claim 10, comprising:
The second step further includes
Holding the correspondence between the type of the node constituting the information processing system of the tenant and the node collecting the communication record information of the node;
An analysis method comprising: selecting a node that collects the communication record information based on the correspondence relationship. The analysis method according to claim 11, comprising:
The network is
Including multiple communication paths with equal communication costs,
The second step further comprises:
Holding a correspondence relationship between the nodes constituting the information processing system of the tenant and the flow allocation algorithm in the plurality of communication paths used by the node;
An analysis method characterized in that, based on the correspondence relationship, a node through which a communication packet of the tenant does not pass is excluded from a node that collects communication record information. The analysis method according to any one of claims 9 to 12,
The step of identifying a node that has discarded a communication packet that has not reached the second node includes:
The communication record information of the destination node included in the unreachable communication packet is compared with the communication record information of the first node, and the node or the range of nodes that discarded the unreachable communication packet is specified. An analysis method characterized by: The analysis method according to claim 13, comprising:
The communication record information is
Including traffic logs,
Determining that the communication packet of the first node has reached the second node further comprises:
Calculating session information including a communication packet that has not reached the second node;
The step of identifying a node that has discarded a communication packet that has not reached the second node includes:
When a node that is an end point of a communication path is selected from the nodes that collect the communication record information, and the communication record information of the selected node is a traffic log, the calculated session information and the traffic log An analysis method comprising comparing the recorded session information and identifying a node that has discarded the unreachable communication packet. The analysis method according to claim 9, comprising:
The communication record information is
Including the communication packet;
Determining that the communication packet of the first node has reached the second node;
Comparing the checksum of the TCP or UDP header of the communication packet recorded in the communication record information of the first node and the communication packet recorded in the communication record information of the second node as the other end point, An analysis method characterized by comparing TCP or UDP payloads when the checksums match, and determining arrival when the payloads match.

Images