As is well known, there is a piece of software for visualizing the status of communication between a plurality of computers connected through an IP (internet protocol) network. A computer where this piece of software is installed receives copies of packets flowing between a plurality of computers to be monitored, and displays the contents of the received packets as they are received. Moreover, the computer where this piece of software is installed displays protocols described in the packets, or information on addresses, after converting them into a format that is easy-to-understand for the user, or extracts a packet conforming to a specific condition and performs statistical processing thereon to display a diagram or a graph. Moreover, the computer where this piece of software is installed sometimes ladder-displays a TCP (transmission control protocol) connection establishment sequence or message exchanges based on the received packets. Here, the message is one obtained by performing reassembly into an original form based on segments that are left when the IP header and the TCP header are removed, and refers to a unit of transmission of a communication layer higher than the TCP.
When reassembling a message based on segments in a plurality of packets, the computer where the piece of software is installed reads, from the forefront segment, the value of a “message length” field in the message header included in the message. And the computer where the piece of software is installed identifies all the packets that are necessary to reassemble one message, based on the read value.
The reception of copies of packets flowing between a plurality of computers to be monitored is normally implemented by a port mirroring function of a LAN (local area network) switch. The port mirroring function is for copying packets that pass through a specific communication port and transmitting them from a mirror port. The computer where the above-mentioned piece of software is installed is connected to the mirror port of the LAN switch to which a plurality of computers to be monitored are both connected.
With this LAN switch, if the throughput (processability per unit time) of the mirror port exceeds its limit, a packet loss (disappearance of a packet) occurs. Even if all the copied packets are sent out to the computer where the piece of software is installed, a packet loss sometimes occurs because of the computer not having sufficient resources.
For this reason, when message reassembly is performed based on segments in a plurality of packets, if the forefront packet containing the “message length” field is lost due to a packet loss, it cannot be determined which continuous ones of the succeeding packets constitute one message. Consequently, message reassembly cannot be performed.
The art disclosed in the present specification is made in view of the above-mentioned problem of the related art, and an object thereof is to enable the identification of the packet containing the forefront segment even after a packet loss occurs.