JP2009225089A - Communication device and method of capturing packet - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication device which can easily obtain a specific packet without designating a packet to be captured in advance, and to provide a method of capturing packets. <P>SOLUTION: A packet capturing section 15 captures packets continuously while PC 10 is powered on. When powered off, the captured packets are stored as captured data 141 in a storage section 14. When a program to be executed by a control section 11 performs communication, history information 142, which contains a communication ID, temporal information relating to communication, information relating to the type of the program are recorded for each communication, is created. A user designates a communication ID to designate a time zone to extract a packet, and also designates extraction conditions corresponding to the type of the program. A packet extraction section 17 extracts a packet from the captured data 141 based on the temporal information and extraction conditions corresponding to the designated communication ID. The extracted packet is displayed on a monitor 13. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a communication apparatus that connects to a packet communication network and captures a packet, and a packet capture method.

  In a packet communication network that performs communication in a state in which data is divided into packets, a communication error such as inability to transmit data to a specific device may occur. In this case, the administrator of the packet communication network needs to identify the cause of the communication error and restore the packet communication network at an early stage.

  When a communication error occurs in the packet communication network, packet capture is performed to identify the cause of the communication error. The administrator can identify the cause of the communication error by analyzing the captured packet.

  Patent Document 1 discloses a packet monitoring method for capturing a packet flowing through a high-speed router. In the packet monitoring method according to Patent Document 1, when a packet input to the high-speed router is a preset monitoring target packet, the input packet is stored in the storage unit. In addition, the input packet is transferred to the device corresponding to the destination in its original form.

JP 2004-207962 A

  In the packet monitoring method according to Patent Document 1 described above, it is necessary to set a monitoring target packet before starting packet capture. That is, when the cause of the communication error is specified using the packet monitoring method according to Patent Document 1, the administrator must estimate the cause of the communication error and specify the packet corresponding to the estimated cause as the monitoring target packet. Don't be.

  However, when a communication error occurs due to a cause different from the cause estimated by the administrator, the packet monitoring method according to Patent Document 1 cannot capture a packet corresponding to the actual cause. As a result, the administrator needs to capture the packet again after changing the setting of the monitoring target packet. As described above, when the packet monitoring method according to Patent Document 1 is used, there is a risk that a lot of time may be spent identifying the cause of the communication error.

  Therefore, in view of the above problems, an object of the present invention is to provide a communication device and a packet capture method that can easily extract a specific packet without specifying a packet to be captured in advance.

  In order to solve the above problem, the invention according to claim 1 is configured to continuously capture packets transmitted / received via a packet communication network, and connect to the packet communication network a capture unit that stores a plurality of captured packets. A history information creation unit that creates history information about data communication performed with an external device, and a packet extraction unit that extracts a packet corresponding to the data communication from the plurality of packets based on the history information. It is characterized by providing.

  According to a second aspect of the present invention, in the communication device according to the first aspect, the history information includes processing time information indicating a time when the data communication is performed, and the packet extraction unit includes the processing time information. Based on this, a packet corresponding to the data communication is extracted.

  According to a third aspect of the present invention, in the communication device according to the first or second aspect, the history information includes identification information for identifying a program that performs the data communication, and the packet extraction unit includes A packet corresponding to the data communication is extracted based on the identification information.

  According to a fourth aspect of the present invention, a capture step of continuously capturing a packet transmitted / received by a communication device via a packet communication network and storing a plurality of captured packets is connected to the communication device and the packet communication network. A history information creation step for creating history information regarding data communication performed with an external device, and a packet extraction step for extracting a packet corresponding to the data communication from the plurality of packets based on the history information. It is characterized by providing.

  The communication apparatus and the packet capture method of the present invention continuously capture packets to be transmitted and received and create history information related to data communication. Of the captured packets, a packet corresponding to data communication is extracted based on the history information. Thereby, the user can easily acquire a packet corresponding to data communication when an error occurs in the data communication.

  Further, the history information includes processing time information indicating a time when data communication is performed. Thereby, the packet corresponding to the time when data communication was performed can be extracted. The history information includes identification information of a program that performs data communication. Thereby, the packet according to the feature of the program can be extracted as a packet corresponding to data communication.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a configuration diagram of a network system 1 according to the present embodiment. A network system 1 shown in FIG. 1 includes a personal computer (hereinafter referred to as “PC”) 10, an authentication server 20, a mail server 30, and a file server 40 in a LAN (Local Area Network) 50. It is a connected configuration. Such a network system 1 is installed in an office, for example.

  The PC 10 is a terminal device used by a user. The user can use the service provided by each server connected to the LAN 50 via the PC 10. The authentication server 20 performs an authentication process for the user to access each server in the network system 1 from the PC 10. The mail server 30 is a server for the PC 10 to send or receive electronic mail. The file server 40 stores document data, image data, and the like created by the PC 10. The LAN 50 is provided with a router (not shown) for connecting to the Internet or another LAN.

  First, the configuration of the PC 10 will be described. The PC 10 includes a control unit 11, an operation unit 12, a monitor 13, a storage unit 14, a packet capture unit 15, a history information creation unit 16, a packet extraction unit 17, and a LAN interface 18.

  The control unit 11 includes hardware resources such as a CPU (Central Processing Unit) and a RAM (Random Access Memory), and performs overall control of the PC 10. The control part 11 implement | achieves each function of PC10 by executing an operating system, various application programs, etc. using these hardware resources.

  The operation unit 12 includes a mouse and a keyboard. The monitor 13 is a liquid crystal display or the like, and displays an execution screen of the application program.

  The storage unit 14 is configured by a hard disk device or the like. The storage unit 14 stores various application programs such as e-mail software 143, and capture data 141, 141,. The electronic mail software 143 performs processing such as creation, storage, and transmission / reception of electronic mail.

  The packet capture unit 15 captures TCP packets (hereinafter referred to as “packets”) transmitted and received by the LAN interface 18. The history information creation unit 16 creates a communication history of the application program executed by the control unit 11. The packet extraction unit 17 extracts a packet corresponding to the extraction condition set by the user from the capture data 141.

  The packet capture unit 15, the history information creation unit 16, and the packet extraction unit 17 are illustrated as individual functional blocks in FIG. 1, but are actually executed using hardware resources included in the control unit 11. Application program.

  The LAN interface 18 communicates with each computer connected to the LAN 50 or the Internet using TCP (Transmission Control Protocol) / IP (Internet Protocol) or the like.

  Hereinafter, a process flow when the PC 10 having the above-described configuration captures a packet will be described. FIG. 2 is a flowchart showing the flow of the packet capture process.

  First, when the user turns on the PC 10, the control unit 11 executes an initialization process. Further, the packet capture unit 15 and the history information creation unit 16 are activated. The history information creation unit 16 acquires the history information 142 from the storage unit 14 (step S11). If the history information 142 cannot be acquired, the history information creation unit 16 creates new history information 142.

  The packet capture unit 15 starts capturing packets transmitted and received by the LAN interface 18 (step S12). The packet capture unit 15 accumulates captured packets as capture data 141 in the order of capture. The capture data 141 in which the packets are accumulated is held by the packet capture unit 15 until the capture is completed. Further, the packet capture unit 15 continues to capture packets in the subsequent processing.

  Next, when the user instructs execution of the e-mail software 143, the control unit 11 activates the e-mail software 143. The e-mail software 143 accesses the mail server 30 and transmits / receives e-mails according to user instructions.

  When the e-mail software 143 starts communication with the mail server 30 (Yes in step S13), the history information creation unit 16 acquires communication start information 61 indicating that the e-mail software 143 has started communication from the control unit 11. (Step S14). The communication start information 61 includes an application program name and a communication start time. The communication start time is the time when the PC 10 transmits a TCP connection request to the mail server 30. The history information creation unit 16 assigns a communication ID that is a unique number to the acquired communication start information 61 and holds the communication start information 61.

  When the electronic mail software 143 ends communication with the mail server 30 (Yes in step S15), the history information creation unit 16 acquires the communication end information 62 including the communication end time and the communication result from the control unit 11 (step S15). S16). The communication result is information indicating whether or not the communication with the mail server 30 has ended normally. The communication end time is a time at which the TCP connection between the PC 10 and the mail server 30 is disconnected due to completion of transmission / reception of electronic mail or an error in transmission / reception of electronic mail.

  Next, the history information creation unit 16 creates a new communication record based on the communication start information 61 and the communication end information 62, and adds the created communication record to the history information 142 (step S17). In the history information 142, a communication ID, a communication start time, a communication end time, an application program type, a communication result, and an IP address of a communication destination computer are recorded for each communication record (see FIG. 4 described later).

  The PC 10 repeats the processes shown in steps S13 to S18 until the user inputs an instruction to turn off the power (Yes in step S18).

  Note that the processing shown in steps S13 to S18 is also executed when an application program different from the electronic mail software 143 performs communication via the LAN 50. For example, when the authentication program sends a user name, password, etc. to the authentication server 20 to request authentication, a new communication record is created. The same applies to a case where an FTP (File Transfer Protocol) program accesses the file server 40 to acquire a file. In this way, every time an executing application program communicates via the LAN 50, a new communication record is created and added to the history information 142.

  When the user gives an instruction to turn off the power (Yes in Step S18), the packet capture unit 15 ends the packet capture (Step S19). Capture data 141 held by the packet capture unit 15 and history information 142 held by the history information creation unit 16 are stored in the storage unit 14 (step S20). As a result, the storage unit 14 stores a plurality of capture data 141, 141,. Further, the history information 142 stored in the storage unit 14 is deleted, and only the history information 142 to which a new communication record is added is stored in the storage unit 14.

  In this way, in the packet capture process, the PC 10 captures all packets transmitted and received while the power is on. For this reason, a packet can be captured without performing detailed settings.

  Next, the process flow of the PC 10 in the packet extraction process will be described. FIG. 3 is a flowchart showing the flow of the packet extraction process. In the packet extraction process, the capture data 141 stored in the storage unit 14 is used instead of the capture data 141 being created by the packet capture unit 15.

  First, the user sets packet extraction conditions. Specifically, the packet extraction unit 17 displays the history information 142 stored in the storage unit 14 on the monitor 13 in accordance with a user instruction (step S21).

  FIG. 4 is a diagram illustrating an example of the display screen 63 of the history information 142. As shown in FIG. 4, the communication record corresponding to each communication ID is displayed on the display screen 63. The program types “authentication”, “mail”, and “ftp” indicate communications performed by the authentication program, the e-mail software 143, and the FTP program, respectively. The program type “folder” indicates a file sharing service provided by an application program using the SMB (Server Message Block) protocol. In the communication result, “OK” indicates that the communication is normally completed, and “NG” indicates that the communication is ended due to an error or the like. Thus, since the communication result for every communication ID is displayed, the user can specify easily the time when the communication error occurred.

  In addition, an extraction condition setting button 631 and an extraction start button 632 are displayed corresponding to each communication ID. The extraction condition setting button 631 is a button for calling an extraction condition setting screen 64 for each communication ID. The extraction start button 632 is a button for instructing the packet extraction unit 17 to extract a packet based on time information corresponding to the communication ID.

  Next, the user determines a communication record from which a packet is to be extracted. When the extraction condition setting button 631 is pressed (Yes in step S22), a setting screen 64 for setting packet extraction conditions is displayed on the monitor 13 (step S23). The contents displayed on the setting screen 64 differ depending on the program type. This is because the packet extraction conditions change as the application protocol to be used, the communication destination computer, and the like change depending on the application program.

  FIG. 5 is a diagram showing a setting screen 64 corresponding to the program type “mail”. The user uses the setting screen 64 to set detailed extraction conditions. First, the user designates an application protocol from which packets are to be extracted. In the setting screen 64 shown in FIG. 5, each protocol of SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) can be designated as a packet extraction target. For example, the user can extract a packet corresponding to SMTP by checking the SMTP check box.

  When the message setting button 641 corresponding to the display of “SMTP” is pressed, a screen for setting a packet extraction condition for each SMTP message is displayed on the monitor 13. Thereby, only the packet corresponding to the specific message of SMTP can be extracted. A POP can also be set for each message.

  In addition, the IP address of the mail server 30 is displayed below the setting screen 64. In the case of mail transmission / reception, since the communication destination is limited to the mail server 30, it is not necessary to set an IP address. As shown in FIG. 4, in the authentication process with the communication ID “1”, communication is performed with a plurality of computers. In this case, the IP address of the communication destination computer can be designated as the packet extraction condition as the packet extraction condition. Although not shown in FIG. 5, a port number may be designated as a packet extraction condition.

  The user ends the setting of the extraction condition by pressing the completion button 642 shown in FIG. Thereby, the packet extraction part 17 determines the extraction conditions of a packet based on the set content (step S24). Subsequently, when the extraction start button 632 is pressed (Yes in Step S25), the packet extraction unit 17 performs a packet extraction process based on the extraction condition (Step S26). Specifically, the time information corresponding to the designated communication ID and the packet corresponding to the extraction condition are extracted from the capture data 141 stored in the storage unit 14. The packet extracted from the capture data 141 is stored in the storage unit 14 as the extracted data 144 and displayed on the monitor 13 (step S27). Thereby, the PC 10 ends the packet extraction process shown in FIG.

  In the packet extraction process, the capture data 141 itself stored in the storage unit 14 is not changed. Therefore, the user can repeatedly execute the packet extraction process shown in FIG. 3 by changing the packet extraction condition.

  As described above, the PC 10 according to the present embodiment captures and stores all packets transmitted and received while the power is on, and captures packets according to the extraction condition set by the user from the capture data 141. Extract. Therefore, the user can surely capture a packet that causes a communication error, and can easily extract a desired packet from the captured packets.

  In the present embodiment, the example in which the packet extraction condition is set using the setting screen 64 has been described. However, the present invention is not limited to this. For example, the user may instruct the packet extraction unit 17 to extract a packet without calling the setting screen 64. In this case, the packet extraction part 17 should just extract all the packets corresponding to the time information of the communication record extracted by the user.

  In the present embodiment, the example in which the user checks the check box (see FIG. 5) corresponding to the application protocol to be extracted has been described, but the present invention is not limited to this. For example, the packet extraction unit 17 may display the setting screen 64 in a state where check boxes corresponding to all application protocols are checked.

  In the present embodiment, the example in which the PC 10 performs the packet capture process and the packet extraction process has been described. However, the present invention is not limited to this. In this case, the PC 10 may perform packet extraction processing using the capture data 141 and the history information 142 created by another device. That is, the packet capture process may be performed by another device having a network function.

1 is a configuration diagram of a network system according to an embodiment of the present invention. It is a flowchart which shows the flow of a packet capture process. It is a flowchart which shows the flow of a packet extraction process. It is a figure which shows an example of the log | history information displayed on a monitor. It is a figure which shows an example of the setting screen of a packet extraction condition.

Explanation of symbols

10 PC (personal computer)
30 mail server 11 control unit 12 operation unit 13 monitor 14 storage unit 15 packet capture unit 16 history information creation unit 17 packet extraction unit

Claims (4)

A capture unit that continuously captures packets transmitted and received via the packet communication network and stores a plurality of captured packets;
A history information creation unit that creates history information related to data communication performed with an external device connected to the packet communication network;
A packet extraction unit that extracts a packet corresponding to the data communication from the plurality of packets based on the history information;
A communication apparatus comprising: The communication device according to claim 1,
The history information includes processing time information indicating a time when the data communication is performed,
The packet extraction unit extracts a packet corresponding to the data communication based on the processing time information. The communication device according to claim 1 or 2,
The history information includes identification information for identifying a program that performs the data communication,
The packet extraction unit extracts a packet corresponding to the data communication based on the identification information. A capture step for continuously capturing packets transmitted and received by the communication device via the packet communication network, and storing a plurality of captured packets;
History information creating step for creating history information regarding data communication performed between the communication device and an external device connected to the packet communication network;
A packet extraction step of extracting a packet corresponding to the data communication from the plurality of packets based on the history information;
A packet capture method comprising:

Images