1. Field of the Invention
The present invention relates to a system analysis apparatus and a system analysis method for capturing flowing packets and performing transaction analysis in a multi-tiered server system connected to a high-speed network which exceeds, for instance, 1 Gbps (Giga bit per second). A multi-tiered server system is, for instance, a system in which servers configured in three tiers, namely a Web server, an application server (AP server) and a database server (DB server), perform predetermined processing by distributing the processing among the tiers.
2. Description of the Related Art
In a multi-tiered server system, system performance is analyzed by capturing flowing packets, performing packet analysis or transaction analysis, and either analyzing or visualizing the results thereof.
In packet analysis, captured packets are used for performing message-level analysis of TCP, application protocols (e.g., HTTP) or the like. In transaction analysis, the captured packets are used to analyze a processing time for each server or calling relationships among processing objects (OBJ) within each server on a per-transaction basis, such as operation A or B. In this description, transaction is defined as an association of a series of processing performed in response to a request from a client.
The result of the packet analysis or transaction analysis is either analyzed or visualized. For instance, the processing time of each server or calling relationships among processing objects (OBJ) within each server are visualized as system performance. Bottleneck analyses, tendency predictions and the like also fall into the same category of analysis or visualization processing. Such system analyses may be utilized when proposing countermeasures for systems in relation to determining problematic areas, adding required resources or switching networks.
There are two methods for analyzing systems. The first method involves temporarily storing captured packets into a disk or the like, and subsequently reading out the packets to perform packet analysis, transaction analysis and analysis/visualization. This method is called “cumulative analysis”. The second method involves performing packet analysis, transaction analysis, and analysis or visualization of captured packets in real-time and displaying the analysis results. This method is called “real-time analysis”.
As a conventional technique for capturing packets and performing transaction analysis, a technique related to a transaction tracing apparatus capable of easily extracting and analyzing an application log for a desired transaction from communication information collected from a transmission circuit, without consideration of protocol or application, has been described (for instance, refer to Patent Document 1: Japanese Patent Laid-Open No. 9-128342).
An example of system analysis in a multi-tiered server system will now be described in detail.
FIG. 15 is a diagram showing an example of a system to which a system analysis apparatus may be applied. This system is a multi-tiered server system comprised of a Web server 131, an AP server 132 and a DB server 133. It is assumed that the system is capable of communicating with a client 140 via a network 150. A system analysis apparatus 110 captures packets flowing through a client 140-Web server 131 segment, a Web server 131-AP server 132 segment, and an AP server 132-DB server 133 segment. Transaction analysis is performed on the captured packets to analyze processing time for each server, or calling relationships among processing objects (OBJ) within each server on a per-transaction basis, such as operation A or B. A transaction is defined as an association of a series of processing performed in response to a request from a client 140.
FIG. 16 is a diagram showing a flow of system analysis processing. The system analysis apparatus 110 captures packets flowing through the client 140-Web server 131 segment, the Web server 131-AP server 132 segment, and the AP server 132-DB server 133 segment (P100). Packet analysis is performed on the captured packets (P101). Packet analysis is analysis processing performed at the message levels of TCP, application protocols (e.g., HTTP) or the like. The results of packet analysis are recorded as a protocol log 200. Next, transaction analysis is performed on the captured packets (P102). Transaction analysis is analysis processing performed in order to identify nesting relationships of messages, to extract transactions using matching or the like, and to associate objects. The results of transaction analysis are recorded as protocol correlation log/transaction data 210. Finally, the result of the packet analysis or transaction analysis is either analyzed or visualized (P103). In this example, the processing time of each server or calling relationships among processing objects (OBJ) within each server and the like are visualized as system performance.
FIGS. 17A and 17B are diagrams showing examples of visualization output of analysis results. In FIG. 17A, the total processing time of an operation transaction, respective processing times of the servers, and network time for each segment are visualized as transaction-based information. In FIG. 17B, calling relationships among objects and processing time for each object are visualized as object-based information.
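The following added example (not part of the patent text) sketches the transaction-analysis step P102 and the transaction-based figures of FIG. 17A: messages are grouped by nesting inside a client-Web request/response pair, and each server's time is its own span minus the span of the call it made downstream. The log entries, field layout and function names are constructed for illustration. It assumes one transaction in flight at a time, at most one call per segment per transaction, and one capture point per segment, so network time is folded into the per-server figures.

```python
# Constructed protocol log: (timestamp_ms, segment, kind). Illustrative values only.
PROTOCOL_LOG = [
    (0,   "client-web", "request"),
    (5,   "web-ap",     "request"),
    (12,  "ap-db",      "request"),
    (40,  "ap-db",      "response"),
    (52,  "web-ap",     "response"),
    (60,  "client-web", "response"),
    (100, "client-web", "request"),   # second transaction never reaches the DB tier
    (103, "web-ap",     "request"),
    (120, "web-ap",     "response"),
    (125, "client-web", "response"),
]

# Segment on which a server receives its request, paired with the server name.
TIERS = [("client-web", "web"), ("web-ap", "ap"), ("ap-db", "db")]


def extract_transactions(log):
    """Group messages into transactions by nesting inside a client-web pair."""
    transactions, current = [], None
    for ts, segment, kind in sorted(log):
        if segment == "client-web" and kind == "request":
            current = {}                      # outermost request opens a transaction
        if current is None:
            continue                          # capture began mid-transaction: skip
        current.setdefault(segment, {})[kind] = ts
        if segment == "client-web" and kind == "response":
            transactions.append(current)      # outermost response closes it
            current = None
    return transactions


def server_times(txn):
    """Per-server time: span on the inbound segment minus span spent downstream."""
    span = {seg: m["response"] - m["request"]
            for seg, m in txn.items() if len(m) == 2}
    result = {"total": span["client-web"]}
    for i, (seg, server) in enumerate(TIERS):
        if seg not in span:
            break                             # transaction did not reach this tier
        downstream = TIERS[i + 1][0] if i + 1 < len(TIERS) else None
        result[server] = span[seg] - span.get(downstream, 0)
    return result


if __name__ == "__main__":
    for txn in extract_transactions(PROTOCOL_LOG):
        print(server_times(txn))
```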
In the system analysis apparatus 110 of FIG. 15, when attempting to capture all flowing packets using software, the system will reach its limit as packet communication speed approaches approximately 1 Gbps. In systems where communication speeds exceed 1 Gbps, it is difficult to directly capture packets using a single system analysis apparatus. In addition, there are no commercially available products for packet capturing processing which have capturing capabilities in excess of 1 Gbps. Therefore, as methods for capturing packets to perform transaction analysis in high-speed network systems with speeds in excess of 1 Gbps, two different methods for different uses may be contemplated, as shown in FIGS. 18A and 18B.
As shown in FIG. 18A, the first method captures all packets and performs analysis by either distributing processing load among a plurality of apparatuses or implementing processing in hardware. While this method results in an increase in processing load, the method is effective if it is desired to perform analysis by reliably capturing all events. As shown in FIG. 18B, the second method samples packets on a per-transaction basis, and performs analysis statistically by reducing processing load required for capturing and analyzing. This method is effective when it is desired to reduce processing load for assessing tendencies based on statistical information such as connection time.
In the first method shown in FIG. 18A, the sorting apparatus 300 of a previous stage sorts packets among the plurality of capture/analysis apparatuses 310 of a subsequent stage. This improves overall processing performance. The processing performed by the sorting apparatus 300 is a determination function in which packets are sorted according to a predefined sorting logic, and has a lighter processing load than the capture/analysis apparatuses 310, which handle processing such as memory copying or writing to disks. While the processing ceiling of the capture/analysis apparatuses 310 is around 1 Gbps, commercially available sorting apparatuses 300 have processing capabilities of around 4 Gbps. In addition, higher processing speeds may be achieved by implementing the sorting apparatus 300 in hardware using an ASIC or the like, and increasing the number of units of the capture/analysis apparatuses 310 of the subsequent stage.
In the second method shown in FIG. 18B, inputted packets are thinned out according to a predetermined rule to reduce overall throughput, and an overall tendency is estimated from a subset of collected inputted packets. Processing capability is enhanced by performing analysis statistically. These are all performable within a single capture/analysis apparatus 320. A sampling section 321 may be considered as being capable of having a similar throughput to the sorting apparatus 300 of a previous stage of FIG. 18A. Thus, a rough indication of its processing capability would be approximately 4 Gbps. Processing at the capture/analysis section 322 after sampling also depends on the sampling rate, and the lower the sampling rate, the lighter the processing load. For instance, inputted packets of 4 Gbps may be brought down to 400 Mbps by sampling at 10 percent. A rough indication of the processing capability with regard to packets after sampling would be approximately 1 Gbps. As in the case of FIG. 18A, higher processing speeds may be achieved by implementing the sampling processing portion as hardware.
The above-described second method will now be further considered. In order to realize the above-described second method in system analysis, it is necessary to perform sampling processing on a per-transaction basis. In other words, when capturing packets, packets are ideally sampled on a per-transaction basis through processing performed as close to real time as possible.
However, this has not been realized due to problems such as (a) to (d) described below.
(a) Examples of sampling techniques include sFlow by IETF. However, sFlow only performs sampling on a per-packet basis, and is incapable of performing sampling on a per-transaction basis, in other words, sampling of groups of packets containing a series of processing flows on a per-group basis.
(b) As an inherent characteristic of transaction analysis, transactions may be determined only after all or a certain amount of packets are captured and transaction analysis is performed collectively on the captured packets.
(c) Since different TCP connections may belong to the same transaction, transactions cannot be defined on a per-TCP connection basis.
(d) Since source IP addresses (hereinafter referred to as SrcIP) and destination IP addresses (hereinafter referred to as DstIP) are respectively the IP addresses of servers and remain constant through all transactions, transactions may not be separated by IP addresses in a Web server-AP server segment and an AP server-DB server segment.
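The following added example (not part of the patent text) illustrates problem (a) at the 10 percent rate mentioned above: per-packet and per-transaction sampling keep the same number of packets, but only the latter leaves transactions that can still be analyzed end to end. The trace is constructed, transactions do not overlap, a simple every-n-th counter stands in for a per-packet sampler, and the `tid` field is ground truth that, per problems (b) to (d), a real capture would not have at sampling time.

```python
from collections import defaultdict

SEGMENTS = ("client-web", "web-ap", "ap-db")   # the three capture points of FIG. 15


def build_trace(n_transactions):
    """Constructed trace: each transaction is a nested request/response chain."""
    trace = []
    for tid in range(n_transactions):
        for seg in SEGMENTS:                    # requests travel inward
            trace.append({"tid": tid, "segment": seg, "kind": "request"})
        for seg in reversed(SEGMENTS):          # responses travel back out
            trace.append({"tid": tid, "segment": seg, "kind": "response"})
    return trace


def sample_per_packet(trace, one_in_n):
    """Packet-level sampling: keep every n-th packet, ignoring transactions."""
    return [p for i, p in enumerate(trace, start=1) if i % one_in_n == 0]


def sample_per_transaction(trace, one_in_n):
    """Group-level sampling: keep all packets of every n-th transaction.
    Relies on the ground-truth 'tid' label (an assumption of this example)."""
    return [p for p in trace if p["tid"] % one_in_n == 0]


def summarize(sample):
    """Count packets kept, transactions touched, and transactions fully captured."""
    seen = defaultdict(set)
    for p in sample:
        seen[p["tid"]].add((p["segment"], p["kind"]))
    full = 2 * len(SEGMENTS)                    # six messages per transaction
    return {
        "packets": len(sample),
        "touched": len(seen),
        "complete": sum(1 for msgs in seen.values() if len(msgs) == full),
    }


def compare(n_transactions=100, one_in_n=10):
    trace = build_trace(n_transactions)
    return {
        "per_packet": summarize(sample_per_packet(trace, one_in_n)),
        "per_transaction": summarize(sample_per_transaction(trace, one_in_n)),
    }


if __name__ == "__main__":
    for method, stats in compare().items():
        print(method, stats)
```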