CN1866951B - Method and system for detecting shared access host machine in network - Google Patents

Publication number: CN1866951B
Authority: CN (China)
Application number: CN2005100711324A
Other languages: Chinese (zh)
Other versions: CN1866951A (en)
Inventors: 段建敏, 刘廷永, 涂卫华, 刘淑玲, 张鹏
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for detecting shared-access hosts in a network. The method comprises: obtaining the network data accessing the network; extracting Transmission Control Protocol (TCP) packets from the network data, and extracting the source IP address and the corresponding IP packet Identification from each TCP packet; and, according to how the IP packet Identification of TCP packets with the same source IP address varies over a period of time, determining whether the host corresponding to that IP address is a shared-access host. The invention also discloses an access detection system comprising a data forwarding device, a shunt filtering server, and a statistical analysis server.

Description

Method and system for detecting shared-access hosts in a network
Technical field
The present invention relates to network sharing technology in communication networks, and in particular to a method and system for detecting shared-access hosts in a network.
Background
Broadband service is an important part of the data services offered by telecommunication operators. Several techniques, such as network address translation (NAT) and proxies, are currently used to share a network connection. With shared access, multiple users or multiple hosts use the same IP address or account to access the Internet, mainly through NAT or a proxy. This form of access is already used on a considerable scale and is growing rapidly.
To detect hosts sharing Internet access quickly and accurately, the prior art mainly offers the following two technical schemes:
One scheme installs specific software on the client computer. The software obtains information about users sharing Internet access by analyzing host characteristics such as the user's host system information and IP address, and periodically sends monitoring data to a monitoring server, which compiles statistics and determines the hosts sharing Internet access.
The other scheme reserves a backdoor program on the asymmetric digital subscriber line modem (ADSL modem). Through a reserved Simple Network Management Protocol (SNMP) port, it scans the host operating systems inside the local area network, counts them, and determines the hosts sharing Internet access.
These two schemes have the following shortcomings, respectively:
Installing client software on the client computer not only annoys users but also increases the operator's maintenance workload: when the client software malfunctions, the operator has to maintain it regularly. More seriously, the client software can be technically bypassed, so that accurate information cannot be monitored at the client.
Scanning the SNMP port to count hosts also annoys users, and the user can defeat it by, for example, turning off the SNMP service, so that accurate information cannot be monitored.
In short, both methods affect users, and neither can detect hosts sharing Internet access accurately once the user interferes.
Summary of the invention
The invention provides a method and system for detecting shared-access hosts in a network, to solve the problems that prior-art detection of hosts sharing Internet access affects users and cannot detect such hosts accurately because of user actions.
To solve the above problems, the invention provides the following technical schemes:
A method for detecting shared-access hosts in a network comprises the following steps:
A. obtaining, from the network, the network data accessing the network;
B. extracting Transmission Control Protocol (TCP) packets from the network data, and extracting from each TCP packet the source IP address and the corresponding IP packet Identification;
C. determining, according to how the IP packet Identification of TCP packets with the same source IP address varies, whether the host corresponding to that source IP address is a shared-access host. This determination specifically comprises: calculating the difference between the IP packet Identification values of two consecutive TCP packets with the same source IP address, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value; or, when a set detection period expires, calculating the difference between the largest and the smallest IP packet Identification among those seen for the same source IP address in that period, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value.
In step B, the source port number is also extracted from the TCP packet.
Before step C, the method further comprises step C1: determining, according to how the source port number of TCP packets with the same source IP address varies, whether the host corresponding to that source IP address is a shared-access host, and performing step C when it cannot be determined that the host is a shared-access host.
Step C1 comprises: calculating the difference between the source port numbers of two consecutive TCP packets with the same source IP address; comparing the difference with the corresponding set value; if the difference is greater than the corresponding set value, determining that the host corresponding to the source IP address is a shared-access host, and otherwise performing step C.
Alternatively, step C1 comprises: when a set detection period expires, calculating the difference between the largest and the smallest source port number among those seen for the same source IP address in that period; comparing the difference with the corresponding set value; if the difference is greater than the corresponding set value, determining that the host corresponding to the source IP address is a shared-access host, and otherwise performing step C.
A method for detecting shared-access hosts in a network comprises the following steps:
(1) obtaining, from the network, the network data accessing the network;
(2) extracting Transmission Control Protocol (TCP) packets from the network data, and extracting from each TCP packet the source IP address and the corresponding source port number;
(3) determining, according to how the source port number of TCP packets with the same source IP address varies, whether the host corresponding to that source IP address is a shared-access host. This determination specifically comprises: calculating the difference between the source port numbers of two consecutive TCP packets with the same source IP address, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value; or, when a set detection period expires, calculating the difference between the largest and the smallest source port number among those seen for the same source IP address in that period, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value.
An access monitoring system, characterized by comprising:
A data forwarding device, placed at the egress of the monitored host group or at the egress of the network, for forwarding the network data that accesses the network through the egress;
A shunt filtering server, connected to the data forwarding device, for obtaining network data from the data forwarding device, extracting packets of the specified type from the network data, and parsing out the required information, where the required information comprises: the source IP address and the corresponding IP packet Identification; or the source port number, the source IP address and the corresponding IP packet Identification; or the source IP address and the corresponding source port number;
A statistical analysis server, connected to the shunt filtering server, which determines shared-access hosts according to the parsed information and the configured analysis rules. When the parsed information is the source IP address and the corresponding IP packet Identification, the analysis rule is to analyze how the IP packet Identification of TCP packets with the same source IP address varies. When the parsed information is the source port number, the source IP address and the corresponding IP packet Identification, the analysis rule is to analyze how the source port number of TCP packets with the same source IP address varies in order to determine whether the host corresponding to the source IP address is a shared-access host, and, when it cannot be determined that the host is a shared-access host, to decide according to how the IP packet Identification of TCP packets with the same source IP address varies. When the parsed information is the source IP address and the corresponding source port number, the analysis rule is to analyze how the source port number of TCP packets with the same source IP address varies. Analyzing how the source port number of TCP packets with the same source IP address varies comprises: calculating the difference between the source port numbers of two consecutive TCP packets with the same source IP address, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value; or, when a set detection period expires, calculating the difference between the largest and the smallest source port number among those seen for the same source IP address in that period, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value;
Analyzing how the IP packet Identification of TCP packets with the same source IP address varies comprises: calculating the difference between the IP packet Identification values of two consecutive TCP packets with the same source IP address, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value; or, when a set detection period expires, calculating the difference between the largest and the smallest IP packet Identification among those seen for the same source IP address in that period, comparing the difference with the corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value.
The data forwarding device is an optical splitter, or a mirroring module in a switch used to mirror data, or a switch used to forward the network data.
The present invention has following beneficial effect:
The present invention is by extracting the TCP bag from the network data of obtaining, wrap the jump of sign and be aided with the application that the IP port changes the shared online of use NAT mode that detects fast and accurately in the Internet according to IP, the working method of the passive monitoring of this employing, the accuracy of its testing result is not subjected to the influence of user side operation, can user's normal online not had any impact yet, but also reduced operator's maintenance workload.
Description of drawings
Fig. 1 is for inserting the supervisory control system structural representation among the present invention;
Fig. 2 is for detecting the shared flow chart that inserts main frame according to IP bag sign variation characteristic among the present invention;
Fig. 3 shares the flow chart that inserts main frame for the present invention in conjunction with IP bag port and the detection of IP bag sign variation characteristic;
Fig. 4 shares the flow chart that inserts main frame for the present invention detects according to IP bag port variation characteristic.
Embodiment
The present invention determines, mainly at the TCP/IP level, whether multiple users or multiple hosts are accessing the network and using Internet resources through the same IP address or account.
In a network, when a single host that has obtained an IP address accesses different resources on the Internet, its port increases by +1 as the number of Transmission Control Protocol/Internet Protocol (TCP/IP) connections grows; the IP packet Identification, the field used to identify an IP packet, likewise increases step by step (+1, +2) as the connections exchange traffic. When private-network IP addresses access the Internet through network address translation (NAT), the port changes randomly after NAT translation, but the IP packet Identification after translation is still the Identification of the original private-network IP packet. The IP packet Identification values of different private-network hosts are randomly distributed within the private network, in the range 0-65535 (the Identification is determined by the operating system kernel, and the ID differs between operating systems). Thus, when several private-network hosts access network resources through NAT at the same time, both the port and the Identification of the IP packets after NAT translation change greatly: the port jumps to some degree, and the Identification jumps considerably as well. For example: when a public-network host accesses several different Internet resources in succession, its ports are 3024, 3025, 3026, increasing gradually, and as the number of connections grows its IP packet Identification values are 54231, 54232, 54233, 54234, 54236, also increasing by +1, +2; whereas when two hosts access Internet resources through NAT at the same time, the ports after NAT translation are 2315, 7238, 5320, changing without any pattern, and the Identification values are 76482, 1684, 31217, 348 and so on, also changing very irregularly.
Based on the above analysis of how the IP packet Identification and the source port number vary when several private-network hosts access network resources through NAT at the same time, NAT-based shared Internet access can be detected quickly and accurately by examining the IP packet Identification and the port number. In the present invention, an access monitoring system on the network side obtains network data and detects NAT-based shared Internet access from that data.
Referring to Fig. 1, the access monitoring system comprises a data forwarding device, a shunt filtering server connected to the data forwarding device, and a statistical analysis server connected to the shunt filtering server, where:
The data forwarding device draws off, at the egress of the monitored host group or at the egress of the network, all network data accessing the network, aggregates it, and sends it to the shunt filtering server over an independent broadband access link. In Fig. 1 the data forwarding device is an optical splitter placed at the metropolitan area network interface and the backbone interface; an optical splitter is a conventional network device that can lead the data on a network out into another branch network. The forwarding device may also be the mirroring module of a switch that supports port mirroring, which is used to obtain a copy of the network data accessing the network through the egress; or it may be a switch dedicated to bypassing, at the egress, the network data accessing the network. Any other network device that can obtain a copy of the network data at the egress may of course be used as well.
The shunt filtering server separates packets of the specified types from the network data sent by the optical splitter, parses the useful data out of the separated packets, and reports that data to the statistical analysis server; data of other types is discarded. The specified packet types are mainly TCP packets, and may also include the Radius packets used for user authentication and accounting. A Radius packet carries the user's IP address and user account, so the correspondence between the user's IP address and account can be recorded from it.
Analysis rules are configured on the statistical analysis server, which applies them to the filtered data to compile statistics and provide the evidence of multiple users sharing Internet access. The analysis rules include at least the set value used to analyze how the IP packet Identification varies, and may also include the set value used to analyze how the IP packet port varies, the correspondence between IP addresses and accounts, and so on.
The shunt filtering server and the statistical analysis server may be the same server or separate servers.
Referring to Fig. 2, the process of detecting multiple users or multiple hosts accessing the network through the same IP address or account is as follows:
Step 1: The optical splitter diverts from the network all network data accessing the Internet and feeds it to the shunt filtering server in the access monitoring system.
Step 2: The shunt filtering server filters and analyzes the data, extracting TCP packets and Radius packets from the network data according to the protocol type in the IP packet and discarding other unneeded packets.
Step 3: The shunt filtering server extracts the source IP address and the IP packet Identification from each TCP packet and reports this data to the statistical analysis server.
If a Radius packet has been obtained, the IP address and the corresponding account information are extracted from it and reported to the statistical analysis server.
Step 4: After receiving the source IP address and the corresponding IP packet Identification, the statistical analysis server analyzes how the IP packet Identification of the TCP data with the same source IP address varies, and judges whether the user corresponding to that IP address is a shared Internet user. If the statistical analysis server receives an IP address and the corresponding account information, it records the correspondence between the IP address and the account.
How the IP packet Identification varies can be analyzed in the following two ways:
1. Calculate the difference between the IP packet Identification values of two consecutive TCP packets with the same IP address and compare it with the corresponding set value. If the difference is greater than the set value, the host corresponding to the source IP address is determined to be a shared-access host; otherwise it cannot be determined that the host is a shared-access host (in this case it can be treated as a non-shared-access host by default). For example: if the Identification values of two packets from the same IP address within a continuous period of time are 79231 and 4171, this indicates that two users are sharing this public IP address to access the Internet. When considering how the IP packet Identification varies, a jump greater than 200 is generally considered suspicious.
In this mode, the statistical analysis server compares only the change in IP packet Identification between two consecutive TCP packets with the same IP address. Therefore, as long as the user corresponding to the IP address has not been judged to be a shared Internet user, only the latest IP address and its corresponding IP packet Identification need to be kept.
2. Set a detection period. When the detection period expires, calculate the difference between the largest and the smallest IP packet Identification among those seen for the same source IP address in that period and compare it with the corresponding set value. If the difference is greater than the set value, the host corresponding to the source IP address is determined to be a shared-access host; otherwise it cannot be determined that the host is a shared-access host (in this case it can be treated as a non-shared-access host by default). The set value in this mode should differ from the one in the previous mode and depends on the length of the detection period. The length of the detection period can be set as needed, for example 1 minute, 5 minutes or 1 hour.
After it has been determined that users are accessing the Internet through a shared IP address, the corresponding user account information can be obtained from the correspondence between IP addresses and accounts, and a report of the accounts sharing Internet access is output; the data used as the basis of the analysis can be output at the same time.
Because IP packet Identification values are randomly assigned, when two or more hosts access Internet resources through NAT at the same time the change in IP packet Identification is generally large, but it may also be small. Port changes can therefore be combined with it to detect shared-access hosts. The process is shown in Fig. 3:
Step 10: The optical splitter diverts from the network all network data accessing the Internet and feeds it to the shunt filtering server in the access monitoring system.
Step 11: The shunt filtering server filters and analyzes the data, extracting TCP packets and Radius packets from the network data according to the protocol type in the IP packet.
Step 12: The shunt filtering server extracts the source port number, the source IP address and the IP packet Identification from each TCP packet and reports this data to the statistical analysis server.
If a Radius packet has been obtained, the IP address and the corresponding account information are extracted from it and reported to the statistical analysis server.
Step 13: The statistical analysis server analyzes how the port number varies for the same source IP address and judges whether the user corresponding to that IP address is a shared Internet user. If this cannot be determined, step 14 is performed; if the user is determined to be a shared Internet user, the corresponding information is output and the server goes on to judge the host corresponding to the next IP address.
How the port of the TCP data varies can be analyzed in the following two ways:
1. Calculate the difference between the port numbers of two consecutive TCP packets with the same IP address and compare it with the corresponding set value. If the difference is greater than the set value, the host corresponding to the source IP address is determined to be a shared-access host; otherwise it cannot be determined that the host is a shared-access host (in this case it can be treated as a non-shared-access host by default). For example: if the ports of two TCP packets from the same IP address within a continuous period of time are 3024 and 4140, this indicates that two users are sharing this public IP address to access the Internet. When considering how the port varies, a port jump greater than 100 within a short period of time is generally taken to mean that two users are sharing this public IP address to access the Internet.
In this mode, the statistical analysis server compares only the change in port between two consecutive TCP packets with the same IP address. Therefore, as long as the user corresponding to the IP address cannot be judged to be a shared Internet user, only the port number corresponding to the latest IP address needs to be kept.
2. Set a detection period. When the detection period expires, calculate the difference between the largest and the smallest port number among those seen for the same source IP address in that period and compare it with the corresponding set value. If the difference is greater than the set value, the host corresponding to the source IP address is determined to be a shared-access host; otherwise it cannot be determined that the host is a shared-access host (in this case it can be treated as a non-shared-access host by default). The set value in this mode should differ from the one in the previous mode and depends on the length of the detection period, which can be set as needed, for example 1 minute, 5 minutes or 1 hour.
Step 14: The statistical analysis server analyzes how the IP packet Identification varies and judges whether the user corresponding to the IP address is a shared Internet user, in the same way as in step 4 above.
Likewise, if the statistical analysis server receives an IP address and the corresponding account information, it records the correspondence between the IP address and the account. After it has been determined that users are accessing the Internet through a shared IP address, the corresponding user account information can be obtained from the correspondence between IP addresses and accounts, and a report of the accounts sharing Internet access is output; the data used as the basis of the analysis can be output at the same time.
In addition, shared-access hosts can also be detected from port changes alone. As shown in Fig. 4, the process is as follows:
Step 20: The optical splitter diverts from the network all network data accessing the Internet and feeds it to the shunt filtering server in the access monitoring system.
Step 21: The shunt filtering server filters and analyzes the data, extracting TCP packets and Radius packets from the network data according to the protocol type in the IP packet and discarding other unneeded packets.
Step 22: The shunt filtering server extracts the source IP address and the source port number from each TCP packet and reports this data to the statistical analysis server.
Step 23: After receiving the source IP address and the corresponding source port number, the statistical analysis server analyzes how the source port of the TCP data with the same source IP address varies, and judges whether the user corresponding to that IP address is a shared Internet user. The port variation of the TCP data is analyzed in the same way as described above, and the rest of the process is the same as before and is not repeated here.
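The combined flow of Fig. 3 (port rule of step 13, then the Identification rule of step 14) and the per-period mode, as an added Python example that is not part of the patent text. The per-packet limits of 100 and 200 are the figures given above; the per-period limits, all class and function names, the sample packets, and the wraparound-tolerant Identification distance are assumptions of this example.

```python
import socket
import struct
from dataclasses import dataclass

PORT_JUMP_LIMIT = 100     # from the text: port jump > 100 between consecutive packets
ID_JUMP_LIMIT = 200       # from the text: Identification jump > 200 is suspicious
PORT_SPREAD_LIMIT = 1000  # assumed per-period set value (the text gives no figure)
ID_SPREAD_LIMIT = 2000    # assumed per-period set value (the text gives no figure)


def parse_tcp_fields(packet: bytes):
    """Filter stage: (src_ip, src_port, ip_id) for an IPv4 TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                      # truncated, not IPv4, or not TCP
    ihl = (packet[0] & 0x0F) * 4         # IPv4 header length in bytes
    ip_id, frag = struct.unpack_from("!HH", packet, 4)
    if ihl < 20 or len(packet) < ihl + 2 or frag & 0x1FFF:
        return None                      # bad header length, no ports, or later fragment
    src_port = struct.unpack_from("!H", packet, ihl)[0]
    return socket.inet_ntoa(packet[12:16]), src_port, ip_id


def id_distance(a: int, b: int) -> int:
    """Distance between two 16-bit Identification values, tolerating wraparound."""
    return min((a - b) % 65536, (b - a) % 65536)


@dataclass
class HostState:
    last_port: int
    last_id: int
    min_port: int
    max_port: int
    min_id: int
    max_id: int


class SharedAccessDetector:
    def __init__(self):
        self.hosts = {}    # src_ip -> HostState
        self.shared = {}   # src_ip -> first rule that fired

    def observe(self, packet: bytes):
        """Mode 1: compare each packet with the previous one from the same source IP."""
        fields = parse_tcp_fields(packet)
        if fields is None:
            return None
        src_ip, port, ip_id = fields
        st = self.hosts.get(src_ip)
        if st is None:
            self.hosts[src_ip] = HostState(port, ip_id, port, port, ip_id, ip_id)
            return None
        reason = None
        if abs(port - st.last_port) > PORT_JUMP_LIMIT:        # step 13: port rule first
            reason = "port jump"
        elif id_distance(ip_id, st.last_id) > ID_JUMP_LIMIT:  # step 14: fallback
            reason = "ip-id jump"
        st.last_port, st.last_id = port, ip_id                # only the latest pair is kept
        st.min_port, st.max_port = min(st.min_port, port), max(st.max_port, port)
        st.min_id, st.max_id = min(st.min_id, ip_id), max(st.max_id, ip_id)
        if reason:
            self.shared.setdefault(src_ip, reason)
        return reason

    def end_period(self):
        """Mode 2: at period expiry compare max - min (a wrapped counter also exceeds it)."""
        flagged = {}
        for src_ip, st in self.hosts.items():
            if st.max_port - st.min_port > PORT_SPREAD_LIMIT:
                flagged[src_ip] = "port spread"
            elif st.max_id - st.min_id > ID_SPREAD_LIMIT:
                flagged[src_ip] = "ip-id spread"
        self.hosts.clear()
        return flagged


def build_packet(src_ip, src_port, ip_id, proto=6):
    """Constructed sample input: 20-byte IPv4 header (checksum 0) + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("198.51.100.7"))
    tcp = struct.pack("!HHLLBBHHH", src_port, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp


def run_demo():
    det = SharedAccessDetector()
    samples = [  # constructed traffic; addresses are from documentation ranges
        ("203.0.113.10", 3024, 54231), ("203.0.113.10", 3025, 54232),
        ("203.0.113.10", 3026, 54233),                                # one host: +1 steps
        ("203.0.113.20", 2315, 1684), ("203.0.113.20", 7238, 31217),  # port jump
        ("203.0.113.30", 3024, 1684), ("203.0.113.30", 3030, 31217),  # ports close, IDs far
    ]
    for src_ip, port, ip_id in samples:
        det.observe(build_packet(src_ip, port, ip_id))
    det.observe(build_packet("203.0.113.50", 53, 9, proto=17))        # UDP is discarded
    return det.shared, det.end_period()
```

Both rules assume a sender whose source port and Identification grow in small steps, as described above; a host whose stack randomizes either field will exceed the set values with no NAT behind it.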
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.

Claims (14)

1. one kind is detected the method for sharing the access main frame in network, it is characterized in that comprising the steps:
A, from network, obtain the network data of access network;
B, from described network data, extract transmission control protocol tcp data bag, and from this tcp data bag, extract source IP address and corresponding IP bag sign;
C, according to the variation characteristic of the IP bag sign of the tcp data bag of identical source IP address, determine whether the pairing main frame of this source IP address is to share to insert main frame, wherein, variation characteristic according to the IP bag sign of the tcp data bag of identical source IP address determines whether specifically to comprise for sharing the process that inserts main frame:
Calculate the difference of the IP bag sign of continuous and two tcp data bags that source IP address is identical;
Described difference is compared with corresponding set point, and determine that the pairing main frame of this source IP address inserts main frame for sharing during greater than the set point of correspondence in this difference; Or,
In the sense cycle of setting then, calculate the difference of maximum IP bag sign and minimum IP bag sign in the IP bag sign that source IP address is identical in this cycle;
Described difference is compared with corresponding set point, and determine that the pairing main frame of this source IP address inserts main frame for sharing during greater than the set point of correspondence in this difference.
2. The method of claim 1, characterized in that the source port number is also extracted from said TCP packet in step B.
3. The method of claim 2, characterized in that it further comprises, before step C, the step of:
C1. determining, according to the variation characteristics of the source port numbers of TCP packets with the same source IP address, whether the host corresponding to that source IP address is a shared-access host, and proceeding to step C when it cannot be determined that the host is a shared-access host.
4. The method of claim 3, characterized in that step C1 comprises the steps of:
calculating the difference between the source port numbers of two consecutive TCP packets with the same source IP address;
comparing said difference with a corresponding set value; if the difference is greater than the corresponding set value, determining that the host corresponding to the source IP address is a shared-access host, and otherwise proceeding to step C.
5. The method of claim 3, characterized in that step C1 comprises the steps of:
when a set detection period expires, calculating the difference between the maximum source port number and the minimum source port number among the source port numbers with the same source IP address in that period;
comparing said difference with a corresponding set value; if the difference is greater than the corresponding set value, determining that the host corresponding to the source IP address is a shared-access host, and otherwise proceeding to step C.
6. The method of any one of claims 1 to 5, characterized in that RADIUS packets are also extracted from said network data, and the correspondence between the IP address and the account in each such packet is recorded.
7. The method of claim 6, characterized in that, after a host is determined to be a shared-access host, the source IP address is used to look up said correspondence to obtain and output the corresponding account information.
8. The method of claim 6, characterized in that the network data accessing the network is obtained from the network egress by port mirroring or optical splitting.
9. A method for detecting a shared-access host in a network, characterized by comprising the following steps:
(1) obtaining, from the network, the network data that accesses the network;
(2) extracting Transmission Control Protocol (TCP) packets from said network data, and extracting from each TCP packet the source IP address and the corresponding source port number;
(3) determining, according to the variation characteristics of the source port numbers of TCP packets with the same source IP address, whether the host corresponding to that source IP address is a shared-access host, wherein the process of making this determination from the variation characteristics of the source port numbers specifically comprises:
calculating the difference between the source port numbers of two consecutive TCP packets with the same source IP address, comparing said difference with a corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value; or
when a set detection period expires, calculating the difference between the maximum source port number and the minimum source port number among the source port numbers with the same source IP address in that period, comparing said difference with a corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value.
10. The method of claim 9, characterized in that RADIUS packets are also extracted from said network data, and the correspondence between the IP address and the account in each such packet is recorded.
11. The method of claim 10, characterized in that, after a host is determined to be a shared-access host, the source IP address is used to look up said correspondence to obtain and output the corresponding account information.
12. The method of claim 9, characterized in that the network data accessing the network is obtained from the network egress by port mirroring or optical splitting.
13. An access monitoring system, characterized by comprising:
a data forwarding device, arranged at the egress of the monitored host group or at the egress of the network, for forwarding the network data that accesses the network through that egress;
a shunt filtering server, connected to said data forwarding device, for obtaining network data from said data forwarding device, extracting Transmission Control Protocol (TCP) packets from that network data and parsing out the required information, wherein the required information parsed out comprises: the source IP address and the corresponding IP packet identifier; or the source port number, the source IP address and the corresponding IP packet identifier; or the source IP address and the corresponding source port number;
a statistical analysis server, connected to said shunt filtering server, for determining the shared-access hosts according to the parsed information and the configured analysis rule, wherein: when the parsed information is the source IP address and the corresponding IP packet identifier, the analysis rule is to analyze the variation characteristics of the IP packet identifiers of TCP packets with the same source IP address; when the parsed information is the source port number, the source IP address and the corresponding IP packet identifier, the analysis rule is to analyze the variation characteristics of the source port numbers of TCP packets with the same source IP address to determine whether the host corresponding to that source IP address is a shared-access host and, when it cannot be determined that the host is a shared-access host, to make the determination according to the variation characteristics of the IP packet identifiers of TCP packets with the same source IP address; when the parsed information is the source IP address and the corresponding source port number, the analysis rule is to analyze the variation characteristics of the source port numbers of TCP packets with the same source IP address;
said analyzing of the variation characteristics of the source port numbers of TCP packets with the same source IP address comprises: calculating the difference between the source port numbers of two consecutive TCP packets with the same source IP address, comparing said difference with a corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value; or, when a set detection period expires, calculating the difference between the maximum source port number and the minimum source port number among the source port numbers with the same source IP address in that period, comparing said difference with a corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value;
said analyzing of the variation characteristics of the IP packet identifiers of TCP packets with the same source IP address comprises: calculating the difference between the IP packet identifiers of two consecutive TCP packets with the same source IP address, comparing said difference with a corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value; or, when a set detection period expires, calculating the difference between the maximum IP packet identifier and the minimum IP packet identifier among the IP packet identifiers with the same source IP address in that period, comparing said difference with a corresponding set value, and determining that the host corresponding to the source IP address is a shared-access host when the difference is greater than the corresponding set value.
14. The access monitoring system of claim 13, characterized in that said data forwarding device is an optical splitter, or a mirroring module in a switch used for mirroring data, or a switch used for forwarding said network data.
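
The decision logic of claims 1, 3, 4, 6 and 7 can be sketched as follows. This is an added example, not code from the patent: the threshold numbers, the (src_ip, ip_id, src_port) record layout, the function names and the sample packets and accounts are all assumptions constructed for illustration.

```python
from collections import defaultdict

# "Set values" from the claims; the numbers are assumed, the patent gives none.
PORT_GAP, ID_GAP, ID_SPAN = 2000, 1000, 20000

def consecutive_rule(packets):
    """Claims 3-4, then claim 1: compare each TCP packet with the previous one
    from the same source IP; check the source port first, then the IP ID."""
    last, flagged = {}, {}
    for src, ip_id, port in packets:
        prev = last.get(src)
        last[src] = (ip_id, port)
        if prev is None or src in flagged:
            continue
        if abs(port - prev[1]) > PORT_GAP:       # step C1: source port jump
            flagged[src] = "port-gap"
        # Step C: plain difference, as claimed. The IP ID is a 16-bit field,
        # so a counter wrap on a single host also produces a large difference.
        elif abs(ip_id - prev[0]) > ID_GAP:
            flagged[src] = "id-gap"
    return flagged

def period_rule(packets):
    """Claim 1, second alternative: when the detection period expires, compare
    max - min of the IP IDs seen per source IP with the set value."""
    ids = defaultdict(list)
    for src, ip_id, _port in packets:
        ids[src].append(ip_id)
    return {src for src, seen in ids.items() if max(seen) - min(seen) > ID_SPAN}

def report(flagged, radius_map):
    """Claims 6-7: look up the account recorded for each flagged source IP."""
    return {src: radius_map.get(src, "unknown") for src in flagged}

# Constructed sample for one detection period: (src_ip, ip_id, src_port).
PACKETS = [
    ("10.0.0.5", 100, 1030), ("10.0.0.5", 101, 1030), ("10.0.0.5", 102, 1031),
    ("10.0.0.9", 500, 1100), ("10.0.0.9", 41000, 1101),  # two interleaved ID counters
    ("10.0.0.9", 501, 1100), ("10.0.0.9", 41001, 1101),
    ("10.0.0.7", 900, 1200), ("10.0.0.7", 901, 40210),   # two distant port ranges
]
RADIUS_MAP = {"10.0.0.5": "alice", "10.0.0.9": "bob", "10.0.0.7": "carol"}  # constructed

if __name__ == "__main__":
    hits = consecutive_rule(PACKETS)
    print(hits, period_rule(PACKETS), report(hits, RADIUS_MAP))
```

In the sample, 10.0.0.7 is caught only by the source port check of step C1; its IP identifiers are consecutive, so neither IP identifier rule fires for it.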
CN2005100711324A 2005-05-20 2005-05-20 Method and system for detecting shared access host machine in network Expired - Fee Related CN1866951B (en)


Publications (2)

Publication Number Publication Date
CN1866951A CN1866951A (en) 2006-11-22
CN1866951B true CN1866951B (en) 2010-09-22

Family

ID=37425835


Country Status (1)

Country Link
CN (1) CN1866951B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100562020C (en) 2007-03-30 2009-11-18 华为技术有限公司 Detection method, statistic analysis server and detection system
CN101599857B (en) * 2009-06-25 2011-12-07 成都市华为赛门铁克科技有限公司 Method, device and network detection system for detecting number of host computers accessed to sharing
CN101800681B (en) * 2010-03-23 2014-02-05 中兴通讯股份有限公司 On-line detection method, equipment and system for SOHO router
CN102546364B (en) * 2010-12-22 2014-12-10 深圳市恒扬科技有限公司 Network data distribution method and device
CN102523263B (en) * 2011-12-06 2014-03-05 中国联合网络通信集团有限公司 Sharing access host quantity monitoring method, device and system thereof
CN106302423B (en) 2012-06-20 2019-07-23 华为技术有限公司 A kind of method, node, mobile terminal and system identifying network share behavior
CN102984163B (en) * 2012-12-06 2015-09-30 华为技术有限公司 Control the method and system of multiple host access networks of same IP address
CN103501351A (en) * 2013-10-22 2014-01-08 广东睿江科技有限公司 Monitoring method and monitoring device of network export
CN104023089B (en) * 2014-06-30 2017-12-26 北京奇虎科技有限公司 The system of selection of the accelerated method, application acceleration device of application and device
CN108259263A (en) * 2017-12-01 2018-07-06 国家电网公司 Data analysing method, apparatus and system
CN111131339A (en) * 2020-04-01 2020-05-08 深圳市云盾科技有限公司 NAT equipment identification method and system based on IP identification number
CN111970175B (en) * 2020-08-26 2022-06-21 武汉绿色网络信息服务有限责任公司 Method and device for malicious sharing detection of network-access account

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6629137B1 (en) * 2000-04-26 2003-09-30 Telefonaktiebolaget L.M. Ericsson Network interface devices methods system and computer program products for connecting networks using different address domains through address translation
CN1479499A (en) * 2002-08-26 2004-03-03 丽台科技股份有限公司 Network address transfer system and its method
CN1611053A (en) * 2001-06-27 2005-04-27 英特尔公司 Network address translation of incoming SIP connections


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Steven M. Bellovin. A Technique for Counting NATted Hosts. 2002, 1-10. *



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100922

Termination date: 20190520