For example, a file-metadata-manipulating rootkit is a kind of computer virus. Infection by the rootkit causes a stoppage of a service and/or a leakage of information, thereby seriously damaging the quality of the service. The file-metadata-manipulating rootkit alters data in the kernel of an operating system. Therefore, it is extremely difficult to detect the rootkit with general antivirus software. In order to detect the rootkit, it is extremely efficient to establish a network system and then monitor packets transmitted between virtual machine monitors. As this example shows, information has been extracted from packets in the process of transmission.
Here, the following description will schematically discuss, with reference to FIG. 6, how a message is normally transmitted and received with the use of a packet.
As illustrated in FIG. 6, in a case where a message is transmitted, the following steps are carried out. That is, an application on a transmitting side (Application on a left side of FIG. 6) first creates the message (S51), and then requests an OS (Operating System) (OS on a left side of FIG. 6) to transmit the message (S52). The OS divides the message received from the application into packets and then adds headers to the respective packets (S53). Thereafter, the OS transmits the packets to an OS on a receiving side (S54).
In a case where the message is received, the following steps are carried out. That is, the OS on the receiving side (OS on a right side of FIG. 6) receives the packets (S54). The OS then removes the headers and creates the message in accordance with the headers (S55). Thereafter, the OS transmits the message thus created to an application (Application on a right side of FIG. 6) (S56). The application stores the message, received from the OS, in a memory (S57).
As described above, the OS on the transmitting side converts a message into packets before transmitting the message to an NIC (Network Interface Card). In this case, the OS adds, to the respective packets, headers each including information, such as a sequence number (order) and a port number (identifier of connection), necessary for the OS on the receiving side to set up the message. The OS on the receiving side sets up the message from the packets with reference to the headers of the packets.
Next, the following description will discuss, with reference to FIGS. 7 and 8, a conventional method of extracting data from a message transmitted and received with the use of packets. Here, a case will be discussed where a VMM (Virtual Machine Monitor) extracts target data from a message.
As illustrated in FIG. 7, an OS on a transmitting side (OS on a left side of FIG. 7) transmits packets to a virtual Network Interface Card provided by a VMM. That is, the VMM receives the packets into which a message is divided by the OS. The VMM then transmits the packets thus received to an OS on a receiving side (OS on a right side of FIG. 7). Meanwhile, the VMM sets up the message based on the packets received, and then obtains target data which is desired information.
Specifically, as illustrated in FIG. 8, the VMM checks header information of each of the packets received (S61), and then copies the packets except for the headers, that is, the payloads (S62). Thereafter, the VMM transmits the packets (S63). Meanwhile, the VMM sets up a message based on the copied data (S64), and then extracts the target data from the message (S65).
As described above, the VMM copies payloads of packets, and then arranges the payloads thus copied in accordance with header information of the packets. That is, the VMM extracts target data after setting up a message which has been divided into packets.
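The conventional flow of FIG. 8 (S61 to S65) can be sketched as follows. This is an added example, not code from the original document; the 8-byte header layout, the VmmMonitor class, the marker-based extraction and the sample message are all assumptions constructed for illustration. The target data deliberately spans two packets, which is why the message is set up before extraction.

```python
import struct
from collections import defaultdict

# Constructed header, not a real protocol: port (connection identifier),
# sequence number (order), payload length.
HEADER = struct.Struct("!HIH")

def make_packet(port, seq, payload):
    return HEADER.pack(port, seq, len(payload)) + payload

class VmmMonitor:
    """Hypothetical monitor following FIG. 8: copy, forward, set up, extract."""
    def __init__(self, forward):
        self.forward = forward              # hands the packet to the receiving OS
        self.copies = defaultdict(dict)     # port -> {sequence number: payload copy}

    def on_packet(self, packet):
        if len(packet) >= HEADER.size:
            port, seq, length = HEADER.unpack_from(packet)      # S61: check header
            payload = packet[HEADER.size:HEADER.size + length]
            if len(payload) == length:                          # skip truncated packets
                self.copies[port][seq] = bytes(payload)         # S62: copy payload
        self.forward(packet)                                    # S63: transmit unchanged

    def message(self, port):
        parts = self.copies.get(port, {})
        return b"".join(parts[s] for s in sorted(parts))        # S64: set up message

    def extract(self, port, marker, size):
        msg = self.message(port)
        i = msg.find(marker)
        if i < 0:
            return None
        start = i + len(marker)
        return msg[start:start + size]                          # S65: target data

MESSAGE = b"name=report.txt;mtime=1700000000;size=4096"  # constructed sample

def demo():
    chunks = [MESSAGE[i:i + 8] for i in range(0, len(MESSAGE), 8)]
    packets = [make_packet(80, n, c) for n, c in enumerate(chunks)]
    packets.insert(2, make_packet(443, 0, b"other connection"))  # second connection
    packets[0], packets[3] = packets[3], packets[0]              # out-of-order arrival
    delivered = []
    vmm = VmmMonitor(delivered.append)
    for p in packets:
        vmm.on_packet(p)
    return vmm, packets, delivered

if __name__ == "__main__":
    vmm, _, _ = demo()
    print(vmm.extract(80, b"mtime=", 10))
```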