1. Field
The embodiments discussed herein are directed to a technique for IT (Information Technology) system operation and maintenance, and more particularly to a packet analysis method for analyzing the content of communications obtained as the result of monitoring or capturing a packet passing through a network.
2. Description of the Related Art
In a protocol having a resending procedure in a layer above IP (Internet Protocol) belonging to a network layer, such as TCP (Transmission Control Protocol) belonging to a transport layer, generally, after a packet is lost due to some factor, the packet is resent to recover the loss. In other words, packet loss is identified by a monotonically increasing sequence number included in each packet, and the packet to resend is specified and resent. Thus, whether a series of data is complete can be determined from the sequence numbers.
The resent packet has the same sequence number as the lost packet, so that when another packet is sent without loss immediately before the resending, a portion appears in which the sequence number, which should increase monotonically, decreases.
On the other hand, packets may be reordered on a communication path due to some factor. In this case also, a portion appears in which the sequence number, which should increase monotonically, decreases.
FIG. 1 is a diagram showing the outline of conventional packet monitoring, in which a packet monitoring apparatus 4 is connected to a communication path from a sending host 1 to a receiving host 2 via a branch module 3, such as a tap or a switch, and packets flowing from the sending host 1 to the receiving host 2 are monitored.
In FIG. 1, a case is shown where after a packet P1 having the sequence number (Seq) “1” is detected, there is packet dropout, and then, a packet P2 having the sequence number “3” and a packet P3 having the sequence number “2” follow. The actual sequence number starts from a first byte number in a data field (a random value) so that the sequence numbers are not continuous as “1,” “2,” “3” . . . , but for convenience of explanation, the sequence numbers are simplified.
In this case, the packet monitoring apparatus 4 detects that the sequence number increases from “1” to “3” and then decreases to “2.” However, the observed behavior is exactly the same for a case where a lost packet is resent and a case where packets are reordered, so that the possibility of some failure can be detected, but whether a lost packet was resent or packets were reordered cannot be accurately identified. Therefore, as the result of analyzing such a sequence, it is determined that either all packets are resent due to loss or all packets are reordered.
However, the mechanisms of packet loss and reordering are totally different, so that if the determination is wrong, the failure cannot be restored, and much time is wasted.
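The ambiguity described above can be reproduced with a small sequence-number monitor. This is an added example, not part of the original document; it goes beyond the simplified “1, 2, 3” numbering by using 32-bit sequence numbers that wrap around, and the packet tuples, flow key and starting value are constructed assumptions.

```python
# Added illustration: conventional sequence-number monitoring at a tap.
# Packet tuples (flow, seq, payload_len) and all sample values are constructed.

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_before(a, b):
    """True if sequence number a precedes b in 32-bit modular order."""
    return a != b and ((b - a) % MOD) < (1 << 31)


def analyze(packets):
    """Return (index, flow, kind) events for gaps and backward steps per flow."""
    next_expected = {}  # flow -> highest (seq + len) observed so far
    events = []
    for i, (flow, seq, length) in enumerate(packets):
        exp = next_expected.get(flow)
        if exp is None:
            next_expected[flow] = (seq + length) % MOD
            continue
        if seq_before(exp, seq):
            events.append((i, flow, "gap"))       # a segment is missing so far
        elif seq_before(seq, exp):
            events.append((i, flow, "backward"))  # resend OR reordering
        end = (seq + length) % MOD
        if seq_before(exp, end):
            next_expected[flow] = end
    return events


FLOW = ("10.0.0.1", 40000, "10.0.0.2", 80)  # constructed flow key
ISN = MOD - 150                              # constructed start near the wrap
SEG = 100                                    # constructed payload size
p1, p2, p3 = [(FLOW, (ISN + k * SEG) % MOD, SEG) for k in range(3)]

# Case A: p2 is lost before the tap, p3 passes, then the sender resends p2.
loss_then_resend = [p1, p3, p2]
# Case B: nothing is lost; the network delivers p3 ahead of p2.
reordered = [p1, p3, p2]
in_order = [p1, p2, p3]

if __name__ == "__main__":
    print(analyze(loss_then_resend))
    print(analyze(reordered))
```

Both cases yield the same "gap" followed by "backward" events, so a monitor that looks only at sequence numbers cannot tell them apart.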
On the other hand, Japanese Laid-open Patent Publication No. 2004-80139 discloses a technique for distinguishing an unarriving packet and a disappearing packet, based on the sequence number of a packet arriving at this point and the sequence number of a packet expected to arrive next, and the like. However, identifying packet loss and reordering as described above is not mentioned, and the above problem cannot be solved.
Also, Japanese Laid-open Patent Publication No. H5-252179 discloses a technique in which when a receiver communication node selects a necessary cell among cells arriving at the node from two transmission lines, based on cell sending order information, and when cell dropout occurs for an arriving cell, the cell dropout is stored, and the processing is changed by next arriving cell arrival order information. However, identifying packet loss and reordering as described above is not mentioned, and the above problem cannot be solved.
A technique disclosed in the present invention is proposed in view of the above conventional problem. The present invention provides a packet analysis method which, in analyzing the sequence of a protocol having a resending procedure in a layer above an IP layer, such as TCP, can accurately identify whether a packet is resent after packet loss or whether reordering occurs in a network to change the arrival order. It is an object of the present invention to separate the failure phenomenon of reordering from the failure phenomenon of packet loss occurring in a network.