Assume as illustrated in FIG. 1, e.g., that a system to be analyzed connected to a client terminal (not illustrated) through a firewall 1000 includes a Web server 1002, an application server 1004 and a DB server 1006 connected to one switch or a plurality of switches (switches A and B in FIG. 1). Such a system to be analyzed copies a message (e.g., an HTTP (Hyper Text Transfer Protocol) message, an IIOP (Internet Inter-ORB Protocol) message or an SQL (Structured Query Language) message) transmitted and received through the switches by means of port monitoring functions of the switches A and B, and transmits the copy of the message to a system visualization device 1100 connected to the switches A and B. The system visualization device 1100 analyzes the received message so as to visualize a transaction in the system to be analyzed.
Then, it can be known that transactions are done in the system to be analyzed, e.g., as illustrated in FIG. 2. That is, the client terminal outputs an HTTP request to the Web server 1002, and the Web server 1002 outputs an IIOP request to the application server 1004 upon receiving the HTTP request. Upon receiving the IIOP request, the application server 1004 outputs an SQL request divided into three parts to the DB server 1006 in order. Every time upon receiving one of the parts of the SQL request, the DB server 1006 carries out a process and transmits an SQL response back to the application server 1004. Upon receiving a third response from the DB server 1006, the application server 1004 transmits an IIOP response back to the Web server 1002. Upon receiving the IIOP response, the Web server 1002 transmits an HTTP response back to the client terminal.
The network inside the firewall 1000 not being divided into a plurality of segments in accordance with security levels or something, as described above, does not cause a problem in particular. As illustrated in FIG. 3, however, a network divided into a plurality of segments by means of introduction of a DMZ (DeMilitarized Zone) causes a problem. That is, if a single unit of the system visualization device 1100 is connected to the switch B similarly as in FIG. 1, it is supposed to connect the switch A to the system visualization device 1100 across the segments and to transmit an HTTP message copied by the switch A to the system visualization device 1100. It can be prohibited in some cases, however, to connect segments of different security levels to each other without relaying them through a firewall B, resulting in that the system visualization device 1100 can capture only IIOP and SQL messages, and that the transactions cannot be correctly visualized.
Incidentally, as a method for transmitting the HTTP message copied by the switch A to the system visualization device 1100 through the firewall B excessively increases a processing load of the firewall B, such a method significantly causes unfavorable effects such as a degraded throughput across the entire system. Further, the system visualization device 1100 carries out processes for recording a time when a message is received and for sorting the message by using the time when the message is received. Thus, if a big time lag is caused between the recorded time when the message is received and a time when the Web server 1002 received the HTTP message, analysis accuracy of the system visualization device 1100 is significantly affected.