1. Field of the Invention
The present invention relates to an application monitor apparatus, and more particularly to an application monitor apparatus that is required for monitoring processing in which a data loss does not arise in real time.
2. Related Art
The importance of functions that monitor data communicated between a transmitting terminal and a receiving terminal has been increasing in recent years accompanying the explosive spread in the use of the Internet. In particular, monitoring processing requires not only layer 3 (IP: Internet Protocol), layer 4 [TCP (Transmission Control Protocol)] and UDP (User Datagram Protocol)], but also complex monitoring processing that refers to the contents of an application layer.
Further, when utilizing monitoring processing for accounting or the like, it is necessary for an application monitor apparatus to execute complete monitoring processing in real time without losing the data that is the object of monitoring.
In general, methods of monitoring application data communicated between a transmitting terminal and a receiving terminal can be broadly classified into two kinds. The first kind is a method that monitors the communicated packets without influencing the communication between the transmitting terminal and the receiving terminal (for example, see Japanese Patent Laid-Open No. 11-243389).
A configuration example of an application monitor apparatus that utilizes this first method is shown in FIG. 12. In FIG. 12, an application monitor apparatus 8 comprises a packet receiving means 81 and an application monitor means 82.
Packets that are transmitted from transmitting terminals 1 (1-1, 1-2, . . . , 1-N) are input into receiving terminals 2 (2-1, 2-2, . . . , 2-N) via a plurality of intermediary devices 3 (3-1, 3-2). A data replication means 7 is present at some point along the path of communication between the transmitting terminal 1 and the receiving terminal 2, and all of the replicated packets are input into the application monitor apparatus 8.
As the intermediary devices 3, routers, LAN (Local Area Network) switches, repeaters and the like are used. Although in FIG. 12 the transmitting terminals 1 and the receiving terminals 2 are connected to one of the intermediary devices 3, respectively, this merely represents one example of a connection between the transmitting terminals 1, receiving terminals 2 and intermediary devices 3 on the Internet. Configurations can also be considered in which a plurality of the intermediary devices 3 are provided and in which no intermediary devices 3 are provided, and the connection configuration thereof is arbitrary. Further, although the transmitting terminal 1 and receiving terminal 2 are described separately in FIG. 12 to facilitate explanation, in general an actual terminal has the functions of both the transmitting terminal 1 and the receiving terminal 2.
All of the packets that are input to the application monitor apparatus 8 are subjected to termination processing up to layer 4 (transport layer) in the packet receiving means 82 to assemble the application data, after which the required monitoring processing is carried out in the application monitor means 81. With respect to the termination processing up to layer 4, it is not necessary to execute all the layer 4 termination processing in the receiving terminals 2.
For example, when layer 4 is TCP, although it is necessary to perform processing that reassembles the data in order to guarantee the data sequence, there is no necessity to transmit data to the transmitting terminal 1, such as when processing an ACK (acknowledgement) transmission to the transmitting terminal 1. Further, when layer 4 is UDP, special processing is not required and data may be simply passed to the application monitor means 81.
According to the first method, when the processing speed at the application monitor means 81 is lower than the rate of inputting packets to the packet receiving means 82, a data loss is generated inside the application monitor apparatus 8 and complete monitoring processing cannot be executed.
The second method is one in which an application monitor apparatus relays application data between a transmitting terminal and a receiving terminal and performs monitoring processing at the time of the relay processing. In order to relay the application data it is necessary for the monitor apparatus to execute termination processing up to layer 4.
A configuration example of an application monitor apparatus that utilizes this second method is shown in FIG. 13. In FIG. 13, an application monitor apparatus 9 comprises a packet receiving means 91, an application monitor means 92 and a packet transmitting means 93.
Packets that are transmitted from the transmitting terminals 1 (1-1, 1-2, . . . , 1-N) always pass through the application monitor apparatus 9 via the intermediary device 3-1 to be transferred to the receiving terminals 2 (2-1, 2-2, . . . , 2-N) via the intermediary device 3-2. The packets that are input into the application monitor apparatus 9 undergo termination processing up to layer 4 in the packet receiving means 91, and are then input into the application monitor means 92.
When layer 4 is TCP, the termination processing up to layer 4 in the packet receiving means 91 includes ACK transmission processing with respect to the transmitting terminal 1. Accordingly, with the application monitor apparatus 9 of the second method it is possible to execute rate control for the input traffic. More specifically, when the processing speed at the application monitor means 92 is slower than the rate of inputting packets to the packet receiving means 91, by transmitting feedback from the application monitor means 92 to the packet receiving means 91 the transmitting terminal 1 dynamically controls the rate of transmitting packets with the TCP rate control.
Therefore, according to the second method monitoring can be executed in which packet loss does not occur. In this connection, although according to the second method communication between the transmitting terminals 1 and receiving terminals 2 is split into two parts by the application monitor apparatus 9, the application monitor apparatus 9 may comprise one of two kinds of apparatus. The first kind is an apparatus such as a proxy server, in which case the transmitting terminals 1 and receiving terminals 2 know of the existence of the application monitor apparatus 9. The second kind is a stealth type of apparatus, in which case the transmitting terminals 1 and receiving terminals 2 do not know of the existence of the application monitor apparatus 9.
More specifically, the term “know of the existence of the application monitor apparatus 9” refers to the transmitting terminals 1 transmitting the packets to the application monitor apparatus 9 with the assumption that layer 4 termination will be conducted once at the application monitor apparatus 9.
FIG. 14 shows a detailed configuration of an application monitor apparatus that utilizes the above-described second method. In FIG. 14, after packets that are received from a network (not shown) are subjected to termination processing up to IP layer at an IP receiver processing part 101, TCP termination processing is conducted at a TCP receiver processing part 102 and the data is then passed to an application monitoring processing part 105.
After the application monitoring processing part 105 performs the required monitoring processing it carries out a request to transmit data to a TCP transmission processing part 103. After subjecting the transmitting data to termination processing of the TCP layer at the TCP transmission processing part 103, and then performing termination processing up to the IP layer at the IP transmission processing part 104, the packets are transmitted to the network.
As the TCP termination processing performed at the TCP receiver processing part 102 and the TCP transmission processing part 103, it is necessary to execute all TCP processing such as guaranteeing the packet sequence, send processing of ACK packets, rate control at the transmitting side and receiving side, and control for retransmission of packets. Further, the TCP receiver processing part 102, the TCP transmission processing part 103 and the application monitoring processing part 105 are generally connected by an API (Application Programming Interface) called a “socket”, and it is known that TCP processing also entails heavy processing in the respect that each of these parts always requires a copy of the data being transmitted or received.
Examples of the application monitor apparatus 10 that utilizes the second method include a firewall device (application gateway) that refers to the application layer and a proxy server.
In the above-described conventional application monitor apparatus utilizing the first method, a problem exists in that feedback can not be sent from the application monitor apparatus to the transmitting terminal. More specifically, when the processing performance of the application monitor means is lower than the performance of processing communication between the transmitting and receiving terminals in the application monitor apparatus utilizing the first method, complete monitoring processing can not be carried out because the monitoring processing does not keep up with the rate of communication between the transmitting terminal and receiving terminal and a packet loss occurs.
Further, according to the conventional application monitor apparatus utilizing the second method, since it is necessary for the application monitor means to perform monitoring processing of data at the application layer and also to relay data received from a packet receiving means to a packet transmitting means, there is a problem in that the processing load required to execute monitoring processing is extremely heavy in the application monitor apparatus that utilizes the second method.
In this case, it is necessary to execute all the TCP termination processing including guaranteeing the packet sequence, send processing of ACK packets, rate control at the transmitting side and receiving side, and control for retransmission of packets. A heavy processing load thus exists, particularly in the TCP receiver processing part and TCP transmission processing part.
Further, the socket API for connecting the TCP receiver processing part, the TCP transmission processing part and the application monitoring processing part is also a factor that produces a heavy processing load in the respect that a copy of data being sent and received is always required at each respective part when data passes from the TCP receiver processing part to the application monitoring processing part and then from the application monitoring processing part to the TCP transmission processing part.
Since it is necessary to always continue execution of relay processing for the corresponding connection, even after the application monitor means decides that monitoring processing is unnecessary, there is a problem that the processing load for executing the monitoring processing is extremely heavy in the application monitor apparatus that utilizes the second method.