CN1141659C - Remote user operation process recording and restoring method - Google Patents

Info

Publication number: CN1141659C
Authority: CN (China)
Prior art keywords: file, ftp, telnet, record, transmission
Legal status: Expired - Fee Related
Application number: CNB011390379A
Other languages: Chinese (zh)
Other versions: CN1350249A (en)
Inventors: 吴承荣, 张世远, 黄伟, 梁瑾
Current Assignee: FUDAN GUANGHUA INFORMATION SCIENCE AND TECHNOLOGY Co Ltd SHANGHAI
Original Assignee: FUDAN GUANGHUA INFORMATION SCIENCE AND TECHNOLOGY Co Ltd SHANGHAI

Abstract

The present invention relates to a method for recording and restoring remote user operation processes. It addresses the recording and restoration of remote operations in web page browsing, file transfer and remote login, and therefore mainly targets the network protocols HTTP, FTP and telnet. The method mainly comprises the following: all operations performed while a user remotely visits web pages over HTTP are recorded, and all content viewed and downloaded by the user, together with all information the user submitted, is restored; all operations performed while a user remotely transfers files over FTP, including downloading, directory listing, file upload, file deletion, file renaming, etc., are recorded, the contents of all files related to these operations are restored, and each file is associated with the operation that produced it; remote login operations carried out by the user through telnet are recorded, and all dynamic screens and input commands in the user's emulated terminal are restored.

Description

Method for recording and restoring remote user operation processes
Technical field
The present invention relates to a method for restoring the operation processes of network users, and in particular to a method for recording and restoring the process and content of remote user operations. It belongs to the field of network technology.
Background
With the continuing development of computer network technology, network applications have spread to every corner of society. From the Internet to office automation (OA) systems, and from real-time control systems to e-commerce applications, the importance of networks is evident everywhere. With the large-scale application of network technology, however, certain problems have become increasingly prominent, and one major problem is the "invisibility" of the network. A network is a channel for transmitting information; the data on it is carried as physical signals that conform to certain standards and specifications, and these signals are invisible to the human eye. In other words, people cannot directly see what information is being transmitted over a network, unlike a highway in the real world, where accidents and the outlines of vehicles can be observed directly. This invisibility has given rise to a series of security problems.

A literature search found international application PCT/US97/21322 (1997.11.21; international publication WO98/22875, English, 1998.5.28), applicant: Computer Associates International Inc., title: method and apparatus for automated network monitoring and security violation intervention, inventor: Daniel Esbensen. That technique comprises a handler process that captures network packets and filters out invalid packets, first and second continuously sorted record files, and a scanner process that scans all sessions occurring on the network and checks whether specific rules are matched. When a rule is matched, indicating a security event, various suitable actions can be taken, including notifying network security officers by electronic or other mail, or recording or terminating the network session. The monitoring system operates completely independently of any other network service or network file server and therefore does not affect network performance.

In essence, that prior art is a method and apparatus for network intrusion detection. Its approach can be summarized as follows: raw packets are obtained from the network by network monitoring and used as the data source; packets are scanned and captured using two record files; packets are decoded and sessions reconstructed according to the TCP/IP protocol specification; sessions are scanned against rules to identify security violations; and alarms are raised in various ways. It has the following defects: 1. it does not achieve complete emulated restoration and simulated playback of the content of remote operations; 2. it lacks any association between multiple sessions.

Other technical means also have shortcomings:
1. The network management functions in network equipment mainly provide statistical information rather than the details of each packet. They can therefore only provide macroscopic analysis and overview functions. This is of some use for network fault analysis, but it gives no effective support for monitoring specific intrusion behaviour or the operations of specific users.
2. Network monitoring tools can record the content of packets and decode and analyse it, but these tools work packet by packet, whereas an operation or browsing process comprises a series of packets. A user who inspects individual packets obtains only fragmentary information, and non-text information (such as images, sound, and the control information in a terminal emulator) cannot be observed at all.
3. Screen monitoring systems let the administrator see the screens of users on the network directly, but software must be installed on every monitored machine. This software is usually not installed on the machines of hackers or internal saboteurs, and even where it is installed it can be deliberately deleted, so monitoring most likely cannot be enforced.

In short, existing technology is lacking when it comes to effective recording and restoration of remote user operation processes.
Summary of the invention
Among current remote network applications, e-mail, web page browsing, file transfer and remote login are the most widely used. Of these, web page browsing, file transfer and remote login involve the richest remote-operation information (the main function of e-mail is sending and receiving messages, which is mostly a local operation). The present invention therefore mainly addresses the recording of remote operations, and the complete emulated restoration of their content, for web page browsing, file transfer and remote login. The network protocols targeted are HTTP, FTP and telnet, so the invention is mainly the recording and restoration of these three protocols. It mainly comprises the following.

All operations performed while a user remotely accesses web pages over HTTP are recorded, and all content the user viewed and downloaded, together with all information the user submitted, is restored. For each page browsing process, the result of restoration is a series of files recording the content of every connection in that browsing process; the files are linked to one another by hyperlinks and form a complete page that can be browsed directly.

All operations performed while a user remotely transfers files over FTP are recorded, including download, directory listing, file upload, file deletion, file renaming, etc., along with the content of directory listings and every file transferred over FTP. For each FTP operation process, the result of restoration is an FTP operation record file containing all commands on the FTP operation control connection, plus the FTP file transfer connection record files holding the content of the series of FTP file transfer connections set up by the file transfer commands on that control connection. The FTP operation record file contains hyperlinks to the file names of the FTP file transfer connection record files.

Remote login operations carried out by the user through telnet are recorded, and all dynamic screens and input commands in the user's emulated terminal are restored and replayed.
Telnet recording and restoration
The recording and restoration of a telnet remote login operation process is described further below. The telnet recording and restoration module receives raw telnet packets from the network (these raw packets have been filtered by the network information interception and filtering module and the packet analysis module) and reassembles them according to the TCP/IP protocol. The telnet transmission process file is a file with the .tel suffix. It is delivered to the administrator's browser through the WEB Server, and the browser invokes the telnet process playback plug-in according to the .tel suffix to replay the whole telnet operation process:
1. For each telnet network packet obtained, first analyse it according to the telnet protocol to determine whether it is a packet of remote user input or an echo packet. Input packets and echo packets are given different marks when they are written to the telnet transmission process file.
2. Look up the telnet connection state table and, using the information in it, determine whether the current packet is an invalid packet or a duplicate packet. If it is a duplicate or invalid packet, go to step 3; if it is a valid packet, go to step 4. An invalid packet is identified by computing the TCP and IP checksums the packet should have and comparing them with the checksums carried in the packet; if they do not match, the packet is invalid. A duplicate packet is identified by checking the TCP sequence numbers for sending and acknowledgement in the packet against the sequence number of the last packet recorded in the connection state table plus that packet's length; if the sequence number is less than this value, the packet is a duplicate.
3. Discard the invalid or duplicate packet, prepare to obtain the next packet, and go to step 1.
4. Using the content of the telnet connection state table and the TCP/IP protocol specification, splice the content of the current packet onto the earlier content and write it to the telnet transmission process file in that file's format. The written content includes timestamp information.
5. The administrator queries and retrieves the corresponding telnet transmission process file through the browser and WEB Server, and the browser automatically invokes the telnet process playback plug-in according to the file suffix.
6. After the telnet playback plug-in starts, it enters the telnet simulated playback program. This program extracts the restored telnet operation data from the telnet transmission process file, starts a telnet simulated server process and a telnet simulated client process, and establishes a local connection between the two.
7. After the telnet simulated server process starts, under the control of the telnet simulated playback program it reads the telnet information records one by one and, according to the timestamp information and in the order in which the operations occurred, periodically sends the screen simulation data to the telnet simulated client process.
8. The telnet simulated client process displays the whole telnet operation process from the screen simulation data it receives.
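The filtering in steps 1 to 4 can be sketched as follows. This is an added example, not code from the patent: the class `TelnetRecorder`, the `input`/`echo` marks and the in-memory record list standing in for the .tel file are assumptions, and the sequence comparison is done modulo 2**32, which goes beyond the plain "less than" test in the text so that sequence-number wraparound is handled.

```python
import socket
import struct

TELNET_PORT = 23

def inet_checksum(data: bytes) -> int:
    """One's-complement 16-bit checksum used by IP and TCP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """TCP pseudo-header: source IP, destination IP, zero, protocol 6, TCP length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def build_segment(src, sport, dst, dport, seq, payload: bytes) -> bytes:
    """Constructed test data: a TCP segment (20-byte header) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    csum = inet_checksum(pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

class TelnetRecorder:
    """Hypothetical recorder: filters segments, then appends timestamped records."""

    def __init__(self):
        self.next_seq = {}  # connection state table: direction -> last seq + last length
        self.records = []   # stand-in for the .tel file: (timestamp, mark, payload)

    def handle(self, ts: float, src: str, dst: str, segment: bytes) -> str:
        # Invalid packet: the carried checksum does not match the computed one.
        # Summing the segment with its checksum field included must yield zero.
        if len(segment) < 20 or inet_checksum(
                pseudo_header(src, dst, len(segment)) + segment) != 0:
            return "invalid"
        sport, dport, seq = struct.unpack("!HHI", segment[:8])
        payload = segment[(segment[12] >> 4) * 4:]  # skip header (data offset field)
        if not payload:
            return "empty"  # pure ACK, nothing to record
        key = (src, sport, dst, dport)
        expected = self.next_seq.get(key)
        # Duplicate: the sequence number lies before "last seq + last length".
        if expected is not None and ((seq - expected) & 0xFFFFFFFF) >= 0x80000000:
            return "duplicate"
        self.next_seq[key] = (seq + len(payload)) & 0xFFFFFFFF
        # Client-to-server data is user input; server-to-client data is echo/output.
        mark = "input" if dport == TELNET_PORT else "echo"
        self.records.append((ts, mark, payload))
        return "recorded"

def demo():
    """Run a constructed session: input, echo, a retransmission, a corrupted segment."""
    client, server = "202.234.32.4", "203.120.96.4"
    rec = TelnetRecorder()
    typed = build_segment(client, 1302, server, 23, 1000, b"ls\r\n")
    echoed = build_segment(server, 23, client, 1302, 5000, b"ls\r\n")
    corrupt = bytearray(build_segment(client, 1302, server, 23, 1004, b"id\r\n"))
    corrupt[-1] ^= 0xFF  # flip bits so the checksum no longer matches
    results = [
        rec.handle(0.0, client, server, typed),
        rec.handle(0.1, server, client, echoed),
        rec.handle(0.5, client, server, typed),          # retransmission
        rec.handle(0.6, client, server, bytes(corrupt)),
    ]
    return results, rec.records

if __name__ == "__main__":
    print(demo())
```

Segments that arrive ahead of the expected sequence number are recorded as they come; a recorder that must tolerate reordering would buffer them instead.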
FTP recording and restoration
Each complete FTP operation process consists of an FTP operation control connection and several FTP file transfer connections. The FTP operation control connection carries the commands and the results of executing them, and the FTP file transfer connections carry the actual file contents and the results of directory listings. The system records the content of the FTP operation control connection in one FTP operation process record file, and records the content of FTP file transfer connections in FTP file transfer connection record files, one record file per FTP file transfer connection. The correspondence between an FTP file transfer connection and the FTP operation control connection is established mainly through the commands and results on the control connection, so the main problem in recording and restoring FTP is resolving the correspondence between the FTP operation control connection and the FTP file transfer connections. The approach taken by the FTP recording and restoration module is to analyse the commands on the FTP operation control connection in order to determine the identifier of the FTP file transfer connection that is about to be established. Among the FTP commands, the PORT command specifies the server-end IP address and port number that the next file transfer operation will use. For example, the command PORT 203,120,96,123,1253 indicates that the next file transfer in the current FTP operation process will use a connection on port 203.120.96.123:1253, and this information identifies the FTP file transfer connection that is about to be established. Once the identifier of this FTP file transfer connection is known, the system can intercept the content of the connection when it is actually established and record it in a separate FTP file transfer connection record file. The name of that file is given as a hyperlink in the FTP operation process record file; because the FTP operation process record file is itself in HTML format, hyperlinks can be used.
The processing flow of FTP recording and restoration is described further below:
1. When the FTP recording and restoration module receives an FTP packet, it first determines whether the packet belongs to an FTP operation control connection or an FTP file transfer connection. If it belongs to an FTP file transfer connection, go to step 7; otherwise go to step 2.
2. Using the information in the FTP operation control connection state table, splice the content of this packet into the FTP operation process record file.
3. Analyse the FTP command in this packet. A PORT command indicates that a new FTP file transfer connection is about to be established. If an FTP file transfer connection is to be established, go to step 6; otherwise go to step 4.
4. Determine whether the whole FTP operation process has finished. If it has not finished, go to step 1 and accept the next packet; otherwise go to step 5.
5. Close the FTP operation process record file and adjust it as needed, mainly by adding the HTML header and trailer so that it becomes an HTML document. The recording and restoration process ends.
6. Create a new entry in the FTP file transfer connection state table. The entry contains the connection identifier determined from the FTP command, that is, the source/destination IP addresses and ports. Also create the corresponding file transfer connection record file, whose name is likewise determined from the information in the FTP command, and write the file name of that record file into the FTP operation process record file as a hyperlink, so that the files are connected by hyperlinks.
7. For a received file transfer packet, look up the FTP file transfer connection state table. If the packet matches an entry, splice it into the corresponding file transfer connection record file.
8. Determine whether this FTP file transfer connection has finished. If it has, close the corresponding file transfer connection record file and delete the corresponding entry from the FTP file transfer connection state table. Go to step 1.
9. The network administrator browses the FTP operation process record file through the WEB Server and browser. Because it is an HTML file and contains hyperlinks to all the related file transfer connection record files, every related file transfer connection record file can be reached from it.
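The correlation between control and data connections in steps 1 to 9 can be sketched as follows. This is an added example, not code from the patent: the class `FtpSessionRecorder`, its method names and the in-memory stores are assumptions. `parse_port` accepts the six-field form defined by RFC 959 (`h1,h2,h3,h4,p1,p2`, port = p1*256 + p2) as well as the five-field shorthand used in the text above, and the file name taken from the FTP command is sanitized before it becomes part of a local file name, since it is chosen by the monitored user.

```python
import html
import re

def parse_port(arg: str):
    """Return (ip, port) announced by a PORT command argument."""
    nums = [int(n) for n in arg.replace(" ", "").split(",")]
    if len(nums) == 6:                       # RFC 959: h1,h2,h3,h4,p1,p2
        if max(nums[4:]) > 255 or min(nums[4:]) < 0:
            raise ValueError("bad port bytes")
        port = nums[4] * 256 + nums[5]
    elif len(nums) == 5:                     # shorthand used in the text above
        port = nums[4]
    else:
        raise ValueError("unexpected PORT argument")
    if any(not 0 <= o <= 255 for o in nums[:4]) or not 0 < port <= 65535:
        raise ValueError("bad address or port")
    return ".".join(map(str, nums[:4])), port

class FtpSessionRecorder:
    """Hypothetical recorder for one FTP control connection and its data connections."""

    def __init__(self, client, server):
        # All record files share the control connection's identifier as prefix.
        self.prefix = "ftp_{}_{}_{}_{}".format(*client, *server)
        self.control = []     # HTML fragments of the operation process record
        self.pending = None   # endpoint announced by the most recent PORT
        self.transfers = {}   # state table: announced endpoint -> record file name
        self.files = {}       # record file name -> bytearray (stand-in for disk)

    def on_control(self, line: str) -> None:
        self.control.append(html.escape(line))
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "PORT":
            self.pending = parse_port(arg)
        elif verb in ("RETR", "STOR", "LIST", "NLST") and self.pending:
            label = arg.strip() or verb.lower()
            # The name comes from captured traffic: keep it from escaping the store.
            safe = re.sub(r"[^A-Za-z0-9._-]", "_", label)
            name = f"{self.prefix}_{safe}"
            self.transfers[self.pending] = name
            self.files.setdefault(name, bytearray())
            self.control.append(f'<a href="{name}">{html.escape(label)}</a>')
            self.pending = None

    def on_data(self, src, dst, payload: bytes) -> bool:
        """Append a data-connection payload if either endpoint was announced."""
        name = self.transfers.get(src) or self.transfers.get(dst)
        if name is None:
            return False
        self.files[name] += payload
        return True

    def on_data_close(self, endpoint) -> None:
        self.transfers.pop(endpoint, None)

    def control_html(self) -> str:
        """Add the HTML header and trailer so the record becomes a document."""
        return "<html><body><pre>\n" + "\n".join(self.control) + "\n</pre></body></html>"

def demo():
    """Constructed session using the addresses from the embodiment."""
    rec = FtpSessionRecorder(("202.120.96.123", 1252), ("202.120.96.4", 21))
    for line in ("USER anonymous", "CWD pub", "PORT 203,120,96,123,4,229", "RETR xxx"):
        rec.on_control(line)
    rec.on_data(("202.120.96.4", 20), ("203.120.96.123", 1253), b"file ")
    rec.on_data(("202.120.96.4", 20), ("203.120.96.123", 1253), b"contents")
    rec.on_data_close(("203.120.96.123", 1253))
    return rec

if __name__ == "__main__":
    print(demo().control_html())
```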
HTTP recording and restoration
When HTTP is used to browse a website or perform some operation, the browser usually sends HTTP commands to the WEB Server, of which GET and POST are the most common. After a command is sent, the WEB Server sends an HTML file to the browser according to the HTTP protocol. Once the browser has the HTML file, it uses the hyperlink information in it to send further HTTP commands for embedded pictures and frame content, retrieves them, and displays them at the corresponding positions in the page. Several pictures in one page can be transferred at the same time.
For HTTP browsing, the approach taken by the HTTP recording and restoration module is first to reassemble each connection separately into a series of files, comprising all the HTML documents and picture files in the page, each as an independent file, and then to replace the hyperlinks in the saved HTML page files so that they point to the locally stored files, forming a local HTML file system. When the network administrator browses the first page, the WEB Server delivers this local HTML file system to the browser, and what the administrator sees is the page information after complete restoration.
The processing flow of HTTP recording and restoration is described further below:
1. When the HTTP recording and restoration module obtains an HTTP packet, it determines whether the packet is a GET or POST command of the HTTP protocol. If so, go to step 2; otherwise go to step 3.
2. A GET or POST command indicates that a new HTML file or other picture/audio file is about to be transferred, so a new HTTP connection state entry is created according to the specific parameters of the GET/POST command. Go to step 1.
3. The received packet is transfer content of some HTTP connection. Using the HTTP connection state table, splice the packet into the corresponding HTTP record file.
4. Determine whether the transfer on the current HTTP connection has finished. If it has, go to step 5; otherwise go to step 1.
5. Close the HTTP record file of the current connection, delete the corresponding entry from the HTTP connection state table, and look up in the localized-link index file the other HTTP record files that reference the URL corresponding to this file.
6. In every HTTP record file that references the URL corresponding to this file, change the hyperlinks that reference that URL so that they point to this file.
7. Update the localized-link index file: delete the reference records for the URL corresponding to this file, and delete any records that no longer need link localization. Then, from the URLs referenced in this file, add a new index record listing this file's hyperlinks.
8. The administrator can browse the restored pages, which form a local HTML file system, through the WEB Server and browser.
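Steps 5 to 7, the link localization driven by the index file, can be sketched as follows. This is an added example, not code from the patent: the class `LocalPageStore`, the regular expression used to find `src`/`href` attributes and the in-memory dictionaries are assumptions. It also covers a case the text does not spell out, where an embedded file finishes before the page that references it, by remembering the local name of every completed URL.

```python
import re
from urllib.parse import urljoin

# Matches src="..." and href="..." attributes (single or double quoted).
LINK_RE = re.compile(r"""\b(?P<attr>src|href)\s*=\s*(?P<q>["'])(?P<val>.*?)(?P=q)""", re.I)

class LocalPageStore:
    """Hypothetical store for restored HTTP record files and the link index."""

    def __init__(self):
        self.files = {}       # local file name -> content (str for HTML, bytes otherwise)
        self.local_name = {}  # URL -> local file name of a completed record file
        self.page_url = {}    # local HTML file name -> URL it was fetched from
        self.index = {}       # local HTML file name -> linked URLs not yet localized

    def _localize(self, page: str) -> None:
        """Point every link in `page` whose target is already stored at the local copy."""
        pending = self.index.get(page, set())

        def swap(m):
            target = urljoin(self.page_url[page], m["val"])  # resolve relative links
            local = self.local_name.get(target)
            if local is None:
                return m[0]                                  # target not captured yet
            pending.discard(target)
            return f'{m["attr"]}={m["q"]}{local}{m["q"]}'

        self.files[page] = LINK_RE.sub(swap, self.files[page])
        if not pending:
            self.index.pop(page, None)  # nothing left to localize for this page

    def complete(self, url: str, local: str, content, is_html: bool = False) -> None:
        """Called when the transfer for `url` has finished and been saved as `local`."""
        self.files[local] = content
        self.local_name[url] = local
        # Steps 5 and 6: rewrite links in every stored page that references this URL.
        for page in [p for p, urls in self.index.items() if url in urls]:
            self._localize(page)
        # Step 7: add an index record listing this file's own hyperlinks.
        if is_html:
            self.page_url[local] = url
            self.index[local] = {urljoin(url, m["val"]) for m in LINK_RE.finditer(content)}
            self._localize(local)  # handles targets that completed earlier

def demo():
    """Constructed page with two embedded images, named as in the embodiment."""
    prefix = "http_203.120.96.124_1532_192.1.223.65_80_1_"
    store = LocalPageStore()
    page = '<html><img src="image/gif1.gif"><img src="/image/gif2.gif"></html>'
    store.complete("http://www.nowork.com/index.html", prefix + "index.html", page, True)
    store.complete("http://www.nowork.com/image/gif1.gif", prefix + "image_gif1.gif", b"GIF89a")
    store.complete("http://www.nowork.com/image/gif2.gif", prefix + "image_gif2.gif", b"GIF89a")
    return store, prefix

if __name__ == "__main__":
    s, p = demo()
    print(s.files[p + "index.html"])
```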
The present invention has substantive features and represents marked progress. It takes the various factors of network behaviour into account comprehensively and achieves genuinely accurate recording and restoration of network behaviour. It can capture data on high-speed networks while guaranteeing the integrity of the network data. It makes network management transparent and lays the foundation for making network behaviour visible and controllable.
Description of the drawings
Fig. 1: Overall framework diagram of the present invention
Fig. 2: Telnet recording and restoration processing flow diagram
Fig. 3: FTP recording and restoration processing flow diagram
Fig. 4: HTTP recording and restoration processing flow diagram
Embodiment
As shown in Fig. 1, Fig. 2, Fig. 3 and Fig. 4, an embodiment is described using operation in a LAN environment as an example. The local area network is built with Ethernet technology and contains an internal server that offers WEB, FTP and telnet services. An industrial PC running Linux is attached to the local area network; the sniffit that uses the remote user operation process recording and restoring method of the present invention is installed on it, together with a WEB SERVER. The network administrator in the local area network can use a browser to view the restored data through the WEB SERVER on the industrial PC.
In this environment, suppose that a hacker on the Internet logs in to the internal LAN server by telnet, uses vi to write a program that exploits a buffer overflow, and obtains root privileges by running it. User PC1 logs in to the internal LAN server by FTP, enters the pub directory, and downloads the files named xxx and yyy from that directory. User PC2 uses a browser to connect to the Internet and browse a website unrelated to work; suppose the URL browsed is http://www.nowork.com/index.html and that this page contains two gif files: http://www.nowork.com/image/gif1.gif and http://www.nowork.com/image/gif2.gif.
Using the method of the present invention, the whole content of the operations in the above situation can be restored completely. The concrete processing flow is as follows.
● System setup and preparation: the network administrator adjusts the settings of the sniffit on the industrial PC, sets the network card mode, and sets the filtering rules so that communication between the internal LAN server and the Internet is recorded and restored.
● Recording and restoration of telnet in the example:
When the hacker on the Internet performs the telnet operation, the telnet software automatically breaks the whole operation process into a series of network packets. These packets are collected by the network card of the industrial PC and passed to the software that uses the method of the present invention.
1. Following the processing flow in Fig. 2, each telnet network packet obtained is analysed by the method described above to determine whether it is a packet of remote user input or an echo packet.
2. For each telnet network packet obtained, the system looks up the telnet connection state table and, using the information in it, determines whether the current packet is an invalid packet or a duplicate packet. A duplicate or invalid packet is discarded. For a valid packet, the content of the current packet is spliced onto the earlier content according to the telnet connection state table and the TCP/IP protocol specification, and written to the telnet transmission process file in that file's format.
3. The telnet transmission process file finally generated is named telnet_202.234.32.4_1302_203.120.96.4_23.tel. The file consists of individual telnet information records, each containing timestamp information and the actual content.
4. Through the browser, the administrator sees an alert that a telnet operation was carried out from 202.234.32.4 to the LAN server and clicks the corresponding record. The browser retrieves telnet_202.234.32.4_1302_203.120.96.4_23.tel from the PC and automatically invokes the telnet operation process playback plug-in.
5. After the telnet playback plug-in starts, it enters the telnet simulated playback program. This program extracts the restored telnet operation data from the telnet_202.234.32.4_1302_203.120.96.4_23.tel file, starts a telnet simulated server process and a telnet simulated client process, and establishes a local connection between the two.
6. After the telnet simulated server process starts, under the control of the telnet simulated playback program it reads the telnet information records one by one and, according to the timestamp information, periodically sends the screen simulation data to the telnet simulated client process.
7. In the window displayed by the telnet simulated client process, the administrator sees the whole process in which the hacker edits the hacking program over telnet and runs it to obtain superuser privileges.
● Recording and restoration of FTP in the example:
1. Following the processing flow in Fig. 3, all packets of user PC1's FTP login to the internal server are captured by the software of the present invention. All data on the FTP operation control connection is recorded in a file, and the FTP commands are analysed to determine the identifiers of the FTP file transfer connections.
When user PC1 logs in to the FTP server, a TCP connection from 202.120.96.123:1252 to 202.120.96.4:21 is established. This is an FTP operation control connection, so the system generates the file ftp_202.120.96.123_1252_202.120.96.4_21_control.html.
When user PC1 retrieves the file xxx, the commands PORT 203,120,96,123,1253 and RETR xxx are issued. On obtaining these commands, the system adds a corresponding entry to the FTP file transfer connection state table describing the connection identifier 202.120.96.4:20 to 203.120.96.123:1253.
2. The FTP Server software on the server establishes a TCP connection from 202.120.96.4:20 to 203.120.96.123:1253 and sends the file xxx to user PC1 over this connection. These packets are intercepted by the industrial PC, matched against the FTP file transfer connection state table, and all recorded.
3. When user PC1 retrieves the file yyy, it is likewise intercepted according to the flow of 2 and 3.
4. The record files finally generated by the system are the file ftp_202.120.96.123_1252_202.120.96.4_21_control.html, which records the FTP operation control connection, and the files ftp_202.120.96.123_1252_202.120.96.4_21_xxx and ftp_202.120.96.123_1252_202.120.96.4_21_yyy. The file ftp_202.120.96.123_1252_202.120.96.4_21_control.html contains hyperlinks to the files ftp_202.120.96.123_1252_202.120.96.4_21_xxx and ftp_202.120.96.123_1252_202.120.96.4_21_yyy.
Because the files xxx and yyy were downloaded during the operation process of the FTP operation control connection from 202.120.96.123:1252 to 202.120.96.4:21, the names of the generated FTP file transfer connection record files still use the identifier 202.120.96.123:1252 to 202.120.96.4:21 as their prefix, rather than the identifier of the FTP file transfer connection, 202.120.96.4:20 to 203.120.96.123:1253. The file names thus show that these are file transfers belonging to the same FTP operation process, which also helps system management. This is one of the characteristics of the method in restoration: it establishes the association between related data connections within an FTP operation process.
5. The network administrator finds the FTP record through the browser. Clicking it displays the file ftp_202.120.96.123_1252_202.120.96.4_21_control.html, which shows the whole FTP operation process. Clicking the file name xxx in this page retrieves the content of the file xxx, and clicking the file name yyy retrieves the content of the file yyy.
● to record and the reduction of HTTP in the example:
1. described as the treatment scheme among Fig. 4, when user PC2 visit Internet goes up the webpage that has nothing to do with work, relevant packet will be obtained by industrial computer, and at each HTTP packet, system will write down and reduce.
2. system will intercept and capture 3 HTTP connections comprehensively, and one is to download Http:// www.nowork.com/index.htmlFile, one is to download Http:// www.nowork.com/image/gifl.gifFile, also have one to be to download Http:// www.nowork.com/image/gif2.gifFile.
3. at these three connections, what at first finish intercepting and capturing is to download Http:// www.nowork.com/index.htmlConnection, generate corresponding local file: http_203.120.96.124_1532_192.1.223.65_80_1_index.html, according to quote in this file image/gifl.gif and Image/gif2.gifHyperlink, in localization link index file, set up the list item that contains following content:
filename:http_203.120.96.124_1532_192.1.223.65_80_1_index.html
url: http://www.nowork.com/index.htmllinked_url: http://www.nowork.com/image/gifl.gif. http://www.nowork.com/image/gif2gif
4. After the system finishes recording the data of the HTTP connection that transferred http://www.nowork.com/image/gif1.gif, it generates the file http_203.120.96.124_1533_192.1.223.65_80_1_image_gif1.gif and, from the content of the GET command that requested this file, determines that the URL corresponding to the file is http://www.nowork.com/image/gif1.gif. Searching the localization link index file for related records, it finds that the file http_203.120.96.124_1532_192.1.223.65_80_1_index.html contains hyperlinks to http://www.nowork.com/image/gif1.gif, so all of these hyperlinks in that file are changed into hyperlinks pointing to http_203.120.96.124_1533_192.1.223.65_80_1_image_gif1.gif. The record for http://www.nowork.com/image/gif1.gif is then deleted from the localization link index file linked_url.
5. After the system finishes recording the data of the HTTP connection that transferred http://www.nowork.com/image/gif2.gif, the record is processed in a way similar to step 4. Finally, the relevant entry in the localization link index file is deleted.
6. The system forms three files on the industrial computer: http_203.120.96.124_1532_192.1.223.65_80_1_index.html, http_203.120.96.124_1532_192.1.223.65_80_1_image_gif1.gif and http_203.120.96.124_1532_192.1.223.65_80_1_image_gif2.gif. The first file is hyperlinked to the second and third files.
The two gif files are downloaded over TCP connections different from the one used to transfer index.html, that is, not over the connection from 203.120.96.124:1532 to 192.1.223.65:80. However, the two gif files are components of the index.html page transferred from 203.120.96.124:1532 to 192.1.223.65:80, so the prefix http_203.120.96.124_1532_192.1.223.65_80_1 is still used in their file names. The file name then shows that they belong to the same page, which helps system management. In addition, the final "_1" in the file name prefix http_203.120.96.124_1532_192.1.223.65_80_1 denotes the first page of this connection. Most current browsers support a connection keep-alive mechanism, that is, the previously established connection is reused when the next page is fetched, so several pages may be transferred in succession over one connection. When this happens during page restoration, this method stores the different pages of the same connection in different files and uses this numeric suffix to distinguish the pages. This is also one of the characteristics of this method in restoration: it relates the multiple connections of one page-browsing process to each other, and it can distinguish multiple pages transferred over one connection.
7. Through a browser, the administrator finds the record of user PC2 browsing a website unrelated to work and, on opening the http_203.120.96.124_1532_192.1.223.65_80_1_index.html file, can see the complete restored content of the page that user PC2 browsed.
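The link localization walked through in steps 4 to 7 can be sketched as follows. This is an added example, not code from the patent: the class and function names are hypothetical, record files are held in a dictionary instead of on disk, all record files take the page prefix as the paragraph above explains, and the handling of a resource whose connection ends before the page's connection is an assumption that goes beyond the walkthrough.

```python
import re
from urllib.parse import urlsplit

LINK_RE = re.compile(r'(?:src|href)="(http://[^"]+)"', re.I)

def record_name(page_prefix, url):
    """<page prefix>_<URL path with '/' turned into '_'>, as in the walkthrough."""
    path = urlsplit(url).path.lstrip("/") or "index.html"
    return page_prefix + "_" + path.replace("/", "_")

class Localizer:
    def __init__(self):
        self.files = {}       # record file name -> restored content
        self.linked_url = {}  # localization link index: URL -> files still linking to it
        self.done = {}        # URL -> record file, for connections already finished

    def _point(self, ref_file, url, local_name):
        # Replace only whole quoted attribute values so one URL cannot clobber a longer one.
        self.files[ref_file] = self.files[ref_file].replace('"%s"' % url, '"%s"' % local_name)

    def finish(self, page_prefix, url, body):
        """Call when the HTTP connection that carried `url` has ended."""
        name = record_name(page_prefix, url)
        self.files[name] = body
        self.done[url] = name
        # Rewrite every recorded file that references this URL, then drop the index record.
        for ref_file in self.linked_url.pop(url, ()):
            self._point(ref_file, url, name)
        # Index the links of a newly recorded HTML file.
        if name.endswith((".html", ".htm")):
            for link in set(LINK_RE.findall(body)):
                if link in self.done:     # assumption: resource finished before the page did
                    self._point(name, link, self.done[link])
                else:
                    self.linked_url.setdefault(link, set()).add(name)
        return name

# Constructed sample, using the addresses and URLs of the walkthrough above.
PREFIX = "http_203.120.96.124_1532_192.1.223.65_80_1"
BASE = "http://www.nowork.com/"
INDEX_HTML = ('<html><body><img src="%simage/gif1.gif">'
              '<img src="%simage/gif2.gif"></body></html>' % (BASE, BASE))

def restore_sample():
    loc = Localizer()
    loc.finish(PREFIX, BASE + "image/gif2.gif", "GIF89a(constructed 2)")  # arrives early
    loc.finish(PREFIX, BASE + "index.html", INDEX_HTML)
    loc.finish(PREFIX, BASE + "image/gif1.gif", "GIF89a(constructed 1)")
    return loc

if __name__ == "__main__":
    loc = restore_sample()
    print(loc.files[PREFIX + "_index.html"])
    print("pending index records:", loc.linked_url)
```

An empty `linked_url` at the end means every hyperlink in the restored page points at a local record file; entries that remain are links whose target was never captured.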

Claims (6)

1. A method for recording and restoring remote user operation processes, characterized in that it addresses the recording and restoration of the remote operations of web page browsing, file transfer and remote login, for which the network protocols used are HTTP, FTP and telnet, so that the invention records and restores these three protocols, comprising: recording all operations performed while the user remotely accesses web pages over the HTTP protocol, and restoring the full content of the web pages the user viewed and downloaded as well as all information content submitted, where for each page-browsing process the result of restoration is a series of files recording the content of all connections in that page-browsing process, these files being associated with one another by hyperlinks to form a complete page that can be browsed directly; recording all operations performed while the user remotely transfers files over the FTP protocol, including download, directory listing, file upload, file deletion and file renaming, together with the content of directory listing operations, and recording all files transferred by FTP, where for each FTP operation process the result of restoration comprises an FTP operation process record file containing all operation commands on the FTP operation control connection, and FTP file transfer connection record files containing the content of all file transfers, the FTP operations being associated with the file transfers by hyperlinks, in the FTP operation process record file, to the file names of the FTP file transfer connection record files; and recording the remote login operations the user performs over telnet, and restoring and replaying all dynamic interfaces in the user's emulated terminal and the commands entered.
2. The method for recording and restoring remote user operation processes according to claim 1, characterized in that the recording and restoration of the telnet remote login operation process is further defined as follows: the telnet record and restoration module assembles the content of the raw telnet packets received from the network, according to the TCP/IP protocol, into a telnet transfer process file with the .tel suffix; this telnet transfer process file is delivered to the administrator's browser through the WEB Server and browser, and the telnet process playback plug-in is invoked according to the .tel suffix to replay all telnet operation processes:
1. For each telnet network packet obtained, first determine by telnet protocol analysis whether the packet contains remote user input or echo; input packets and echo packets are given different marks when written to the telnet transfer process file;
2. Look up the telnet connection state table and determine from the information in the telnet connection information state table whether the current packet is an illegal packet or a duplicate packet; if it is a duplicate or illegal packet, go to 3; if it is a legal packet, go to 4. An illegal packet is identified by computing the TCP and IP checksums the packet should have and comparing them with the checksums carried in the packet; if they do not match, the packet is illegal. A duplicate packet is identified by checking the TCP send and acknowledgment Sequence Number in the packet against the Sequence Number of the previous packet recorded in the connection state table plus the value of the packet length; if it is less than this value, the packet is a duplicate;
3. Discard illegal packets and duplicate packets, prepare to obtain the next packet, and go to 1;
4. According to the content of the telnet connection information state table and the TCP/IP protocol specification, splice the content of the current packet onto the earlier content and write it to the telnet transfer process file in the format of that file, the written content including time-stamp information;
5. The administrator queries and obtains the corresponding telnet transfer process file through the browser and WEB Server, and the browser automatically invokes the telnet process playback plug-in according to the file suffix;
6. After the telnet playback plug-in starts, it enters the telnet simulated playback executive program, which extracts the restored telnet operation data from the telnet transfer process file, starts a telnet simulated server process and a telnet simulated client process, and establishes a local connection between the two;
7. Once the telnet simulated server process has started, under the control of the telnet simulated playback executive program it reads the telnet information records one by one and, according to the time-stamp information, sends the interface simulation data to the telnet simulated client process one by one on a timed basis;
8. The telnet simulated client process displays the whole telnet operation process according to the interface simulation data it receives.
3. The method for recording and restoring remote user operation processes according to claim 1, characterized in that each complete FTP operation process consists of an FTP operation control connection and several FTP file transfer connections; the FTP operation control connection carries the various commands and displays the results of command execution; the FTP file transfer connections carry the actual files and the results of directory listings; the system records the content of the FTP operation control connection in one FTP operation process record file and records the content of the FTP file transfer connections in FTP file transfer connection record files, each FTP file transfer connection record file recording the content of one FTP file transfer connection; the correspondence between an FTP file transfer connection and FTP operation control is established through the commands and results on the FTP operation control connection, so recording and restoring FTP requires resolving the correspondence between the FTP operation control connection and the FTP file transfer connections; the method adopted by the FTP record and restoration module is to determine the identifier of the FTP file transfer connection about to be established by analysing the commands on the FTP operation control connection: among the FTP operation commands, the PORT command specifies the server IP and port number information to be used by the upcoming new file transfer operation, and the server IP and port number information contained in the PORT command identifies the FTP file transfer connection about to be established; once the identifier of this FTP file transfer connection has been determined, the system can intercept the content of this connection when it is actually established and record it in the corresponding FTP file transfer connection record file, whose file name is specified by a hyperlink in the FTP operation process record file.
4. The method for recording and restoring remote user operation processes according to claim 1 or 3, characterized in that the processing flow of FTP recording and restoration is further defined as follows:
1. When the FTP record and restoration module receives an FTP packet, it first determines whether the packet belongs to the FTP operation control connection or to an FTP file transfer connection; if it belongs to an FTP file transfer connection, go to 7, otherwise go to 2;
2. According to the information in the FTP operation control connection state table, splice the content of this packet into the FTP operation process record file;
3. Analyse the FTP operation command in this packet; a PORT command indicates that a new FTP file transfer connection is about to be established and contains the identifying information of that connection; if an FTP file transfer connection is about to be established, go to 6, otherwise go to 4;
4. Determine whether the whole FTP operation process has finished; if it has finished, go to 1 and accept the next packet, otherwise go to 5;
5. Close the FTP operation process record file and adjust it as needed, adding the HTML header and trailer information so that it becomes an HTML document; the recording and restoration process ends;
6. Create a new entry in the FTP file transfer connection information state table, the entry containing the connection identifier determined from the FTP operation command, namely the source/destination IP and port; also create the corresponding FTP file transfer connection record file, whose name is likewise determined from the information in the FTP command, and write the file name of this FTP file transfer connection record file into the FTP operation process record file as a hyperlink, so that the FTP operation process record file and the FTP file transfer connection record file are connected by hyperlink;
7. For the file transfer packet received, look up the FTP file transfer connection state table; if the packet matches an entry, splice it into the corresponding FTP file transfer connection record file;
8. Determine whether this FTP file transfer connection has finished; if it has, close the corresponding FTP file transfer connection record file, delete the corresponding entry from the FTP file transfer connection control table, and go to 1;
9. The network administrator browses the FTP operation process record file through the WEB Server and Browser; because it is an HTML file containing hyperlinks to all related FTP file transfer connection record files, all related FTP file transfer connection record files can be reached by browsing this HTML-format FTP operation process record file.
5. The method for recording and restoring remote user operation processes according to claim 1, characterized in that, when a website is browsed or operated over the HTTP protocol, the browser sends HTTP commands to the WEB Server, GET and POST being the most frequently used; after a command is sent, the WEB Server sends an HTML file to the browser in accordance with the HTTP protocol; after obtaining the HTML file, the browser, according to the hyperlink information in the HTML file, issues further HTTP commands for embedded pictures and multi-frame information, obtains the corresponding pictures and multi-frame information and displays them at the corresponding positions in the page, the multiple pictures in one page being transferred simultaneously; for this HTTP browsing mode, the method adopted by the HTTP record and restoration module is first to splice the content of each connection in the page separately, each forming an independent file saved locally, so as to form a local HTML file system containing all HTML files and picture files of the page; after all HTTP connections involved in the current website browsing have ended, the hyperlinks in the HTML pages are replaced so that they point to the locally stored files.
6. The method for recording and restoring remote user operation processes according to claim 1 or 5, characterized in that the processing flow of HTTP recording and restoration is further defined as follows:
1. When the HTTP record and restoration module obtains an HTTP packet, it determines whether the packet is a GET or POST command of the HTTP protocol; if so, go to 2, otherwise go to 3;
2. For a GET or POST command, which indicates that a new HTML file or another picture/audio file is about to be transferred, create a new HTTP connection state table entry according to the specific parameters of the GET/POST command, and go to 1;
3. The packet received is transfer content of some HTTP connection; according to the HTTP connection state table, splice this packet into the corresponding HTTP record file;
4. Determine whether the transfer on the current HTTP connection has finished; if it has finished, go to 5, otherwise go to 1;
5. Close the HTTP record file corresponding to the current connection, hereinafter called file A, delete the corresponding entry in the HTTP connection state table, and look up in the localization link index file the other HTTP record files that reference the URL corresponding to file A;
6. In all other HTTP record files that reference the URL corresponding to file A, change the hyperlinks referencing that URL so that they point to file A;
7. Modify the localization link index file: delete the reference records for the URL corresponding to file A, delete the records that do not need localization linking, and, according to the URLs referenced in file A, add a new index record reflecting file A's hyperlink list;
8. The administrator browses the restored pages, which form a local HTML file system, through the WEB Server and Browser.
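The control-to-data correlation of claims 3 and 4 (a PORT command announces the endpoint of the next file transfer connection, which is then recorded in its own file and hyperlinked from the operation record) can be sketched as follows. This is an added example, not code from the patent: the class, the method names and the `ftpdata_<ip>_<port>_<n>` naming are hypothetical, TCP reassembly is assumed to have happened already, and the session data is constructed.

```python
import html
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)

def parse_port(line):
    """Return the (ip, port) announced by an FTP PORT command, or None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class FtpRecorder:
    def __init__(self):
        self.control = []   # lines of the FTP operation process record
        self.pending = {}   # transfer state table: (ip, port) -> record file name
        self.files = {}     # record file name -> bytearray of transferred content
        self.count = 0

    def on_control(self, line):
        self.control.append(html.escape(line))
        endpoint = parse_port(line)
        if endpoint:        # flow step 6: new table entry, new record file, hyperlink
            self.count += 1
            name = "ftpdata_%s_%d_%d" % (endpoint[0], endpoint[1], self.count)
            self.pending[endpoint] = name
            self.files[name] = bytearray()
            self.control.append('<a href="%s">%s</a>' % (name, name))

    def on_data(self, ip, port, payload):
        name = self.pending.get((ip, port))   # flow step 7: match against the table
        if name is None:
            return False                      # no PORT announced this endpoint
        self.files[name] += payload
        return True

    def end_data(self, ip, port):
        self.pending.pop((ip, port), None)    # flow step 8: delete the table entry

    def close_control(self):
        # Flow step 5: add an HTML head and tail so the record is browsable.
        return "<html><body><pre>\n" + "\n".join(self.control) + "\n</pre></body></html>"

def record_sample():
    """Constructed session: one announced transfer plus one unannounced data stream."""
    rec = FtpRecorder()
    for line in ["USER alice", "PORT 203,120,96,124,6,10", "RETR report.txt"]:
        rec.on_control(line)
    rec.on_data("203.120.96.124", 1546, b"quarterly ")
    rec.on_data("203.120.96.124", 1546, b"figures\n")
    stray = rec.on_data("203.120.96.124", 4000, b"unrelated")
    rec.end_data("203.120.96.124", 1546)
    rec.on_control("QUIT")
    return rec, stray

if __name__ == "__main__":
    rec, _ = record_sample()
    print(rec.close_control())
```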
CNB011390379A 2001-12-04 2001-12-04 Remote user operation process recording and restoring method Expired - Fee Related CN1141659C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB011390379A CN1141659C (en) 2001-12-04 2001-12-04 Remote user operation process recording and restoring method

Publications (2)

Publication Number Publication Date
CN1350249A CN1350249A (en) 2002-05-22
CN1141659C true CN1141659C (en) 2004-03-10

Family

ID=4674968

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB011390379A Expired - Fee Related CN1141659C (en) 2001-12-04 2001-12-04 Remote user operation process recording and restoring method

Country Status (1)

Country Link
CN (1) CN1141659C (en)

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20040310

Termination date: 20131204