CN1913528A - P2P data message detection method based on character code - Google Patents
P2P data message detection method based on character code Download PDFInfo
- Publication number
- CN1913528A CN1913528A CNA2006101125955A CN200610112595A CN1913528A CN 1913528 A CN1913528 A CN 1913528A CN A2006101125955 A CNA2006101125955 A CN A2006101125955A CN 200610112595 A CN200610112595 A CN 200610112595A CN 1913528 A CN1913528 A CN 1913528A
- Authority
- CN
- China
- Prior art keywords
- message
- condition code
- datagram
- ppstream
- detection module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
This invention relates to a test method for P2P data message based on character codes characterizing in carrying out relativity research to large quantities of P2P applied data packets and protocol analysis of the applied layer to pick up various P2P applied message character code samples and determine them the related P2P character codes, then filtering the applied layer content to each IP packet passing through the gateway device based on the character codes to confirm said IP packet is a P2P one, then the test result is added to the P2P database to be provided to the hardware. This invention is also suitable for IPv4 and IPv6 networks and analyzes the data messages of any communication protocols.
Description
Technical field
The invention belongs to Internet technical field.
Background technology
Along with the P2P broad application, make and the network non-profit with the increased production brought bigger pressure in recent years to the sustainable benign development of broadband telecommunication operator.P2P is with the characteristics of its parallel transmission, and for the user provides convenient and high-quality user experience, new P2P uses and also constantly emerging in large numbers.P2P uses and to have accounted for 60%~80% of ISP total business volume according to statistics, the consumer of the maximum that becomes the network bandwidth of appearing vividly.Under the situation of a large number of users shared bandwidth, especially in the peak period, a large amount of P2P data congestion networks, because the demand that this class is used bandwidth is endless in theory, they can make the smooth network of original operation become more and more congested, also greatly changed the discharge model on the network simultaneously, and operation cost is carried 30% even higher, also can traditional application be impacted, influence the regular traffic flow.
Before P2P used appearance, too big change did not appear in the flow rate mode of the Internet, and network at that time is when the user stops using their computer, and the flow of network has also just stopped; After P2P uses appearance, network becomes and no longer includes any free time, reason is that the user that P2P uses is placed on a lot of large-scale files in the download formation usually, go to do other work then, P2P uses and is operated under the background mode, can obtain maximum bandwidth that network can provide in order to finish downloading task with exhausting one's ability night and day, P2P software adopts the downloading mode that multiple spot connects in addition, be that every download person is when obtaining data, also become other download persons' Data Source, the people of Xia Zaiing is many more like this, the speed of downloading is just fast more, according to the traffic model of this equity, analyzes theoretically, the speed of download of P2P software only is subjected to the restriction of Computer Data Communication processing speed, and the bandwidth resources of consumption network as much as possible.This shows that in the face of this special communication pattern, our network becomes already and can't bear the heavy load.Through long-term observation, we find that these are the P2P application of representative with BT, Edonkey, KaZaA etc., have consumed the effective bandwidth of network more than 40%, have produced 40% flow simultaneously, and common web browsing has only taken about 30% bandwidth, has produced 20% flow.
This shows, it is most important for network manager that detection and effective management P2P use the flow that is produced, and still, do not have unified procotol standard owing to P2P uses, have many, the various informative characteristics of kind, use traditional firewall technology to be difficult to find and filter the P2P flow.The P2P that how effectively to detect in the network uses and control P2P flow, and this is to allow bandwidth operator feel very awkward problem always.
The method of the shutoff P2P flow that everybody adopted before we made eye bright so that file download software BT is example, full name of BT is called BitTorrent, Chinese translations " bit turbulent flow ", present domestic solution BT downloads and causes the way of network blockage to mainly contain: ways such as BT website, disable access tracking server (Tracker), sealing BT download port, limited subscriber bandwidth, restriction maximum number of connections are browsed in the download of restriction seed file, restriction.
(1) download of restriction seed file
The method for down loading of restriction seed file is fairly simple, and restriction forbids that BT downloads for one time among the HTTP in the strategy that sets.Certain this method in addition, is not 80 ports of standard if certain website provides the port of downloading the Torrent file as long as download person changes an extension name just can continue to download, and the method also can lose efficacy.
(2) the BT website is browsed in restriction
To some relatively more popular BT websites, configuration unified resource location filtering rule on security gateway, and on outgoing interface, enable Hypertext Transmission Protocol Http filtering function, forbid also can shielding a part of BT download to their visit, but the BT website is a lot of on the one hand, can't comprehensively shield; On the other hand, some erroneous judgements may be caused in the shielding website, cause that some are legal, reasonably the website can't be visited.
(3) disable access tracking server Tracker
Tracker is a program that runs on the server, and this program can track the end has downloading same file simultaneously for how many people.The quantity of tracking server is far fewer than the quantity of popular BT website, and a lot of websites all are the seed files of reprinting other websites, if can find out the address of these tracking servers, shields and also can mask some BT downloads.But the One's name is legion of one side tracking server, the operation of shielding server bothers very much; On the other hand, seed file is reprinted everywhere on the internet, is propagated, and find real tracking server to be difficult to find the real cradle of BT seed file through repeatedly link, thereby make the shielding tracking server be difficult to implement.
(4) sealing particular port
BT generally uses 6881~6889 the port of TCP, and the network manager can judge according to the variation of network traffics, in gateway specific seed distribution site and port is sealed, and can obtain these information in BT downloads tracking server in the software.But present most of BT software can the dynamic assignment port, thereby make the keeper can't really grasp the present employed port of BT, on the other hand, too much shielding port may make some normal accesss to netwoks to carry out, thereby causes negative influence.
This several method all can only rigidly connect the new hand who touches BT to some and limit, and then has no idea for the user who is familiar with the BT download at all; P2P uses and adopts privately owned communication protocol mostly, relies on the shield technology of traditional shutoff Transmission Control Protocol uncontrollable at all.In a word, come BT is controlled, download though can control BT to a certain extent by above-mentioned several method commonly used in the industry, but depend merely on single scheme and be difficult to really to accomplish control BT, and if implement a lot of schemes simultaneously, workload is big, complicated operation has increased management cost; Said method more or less will be used hardware firewall or other network equipments, and the purchase cost of these equipment is higher, the system upgrade complexity; At last, these network equipments or other software systems are had relatively high expectations to network configuration, need adjust network system, thereby increase the difficulty and the cost of system implementation.
The present invention is based on the P2P condition code and carry out the deep layer information filtering using layer protocol, this method is carried out deep study and analysis and summary by the packet that a large amount of P2P are used, and a large amount of messages are carried out correlation research and application layer protocol analysis, extract the message characteristic sign indicating number sample that various P2P use according to different message characteristics, be defined as the message characteristic sign indicating number that corresponding P2P uses, according to these condition codes each the IP bag by gateway device is carried out detecting based on the data message of condition code, in case going up certain category feature sign indicating number, coupling just can determine that this IP bag is the P2P datagram, then, testing result is added in the P2P rule base use for hardware.The present invention is applicable to IPv4 and IPv6 network simultaneously, can comprehensively analyze the datagram of random communication protocol, the P2P that can detect and filter BitTorrent (bit turbulent flow), Edonkey (electric donkey), EMule (electric mule), KaZaA (a kind of P2P file is downloaded software), PPLive (P2P Web TV), PPStream multiple present main flows such as (streamium TV) uses, and the present invention realizes in " supporting the isolated device of IPV6 " of Tsing-Hua University.
Summary of the invention
The objective of the invention is to overcome the deficiency of existing P2P data message detection method, provide a kind of and new be applicable to that the P2P data message of IPv4 and IPv6 network detects and strobe utility when carrying out the application layer information filtering based on condition code.
The technical solution adopted for the present invention to solve the technical problems is: carry out correlation research and application layer protocol analysis by the packet that the various P2P that catch are used, extract the special key words that occurs in the message of various P2P application, and be defined as the message characteristic sign indicating number that corresponding P2P uses, according to these condition codes each the IP bag by gateway device is carried out the application layer content match, just carry out character string relatively with the character string in condition code and the datagram, if the match is successful to equate just expression, otherwise it fails to match in expression, in case certain condition code that the match is successful just can determine that this IP bag is the P2P datagram, then this datagram is filtered and the relevant detection result added in the P2P filtering rule storehouse and use for hardware.
The invention is characterized in:
Described method realizes successively according to the following steps:
Step 1: on the CPU board of the isolated device of supporting IPV6, set up a P2P detection module, isolated device one end of this support IPv6 is connecting a shielded IPv4 or IPv6 network through router, and the other end is connecting an IPv4 or IPv6 network through another router;
Step 2: after multichannel merges IP on the parts and wraps in the software Transmit-Receive Unit in the CPU board described in the step 1 is being received bag disposable plates in the described support IPv6 isolated device, described IP bag is transmitted to the P2P detection module described in the step 1, carries out data message successively according to the following steps by this module and detect;
Step 3: described P2P detection module is resolved the IP bag of receiving, if initial 4 bits are 0100, then be judged to be the IPv4 packet, mobile backward ipv4headlen+head_len the byte of structured fingers skb of pointing to IP packet header, this ipv4headlen is an IPv4 packet header length, and head_len is a transport layer header length; If initial 4 bits are 0110, then be judged to be the IPv6 packet, mobile backward ipv6headlen+head_len the byte of bar structure pointer skb, this ipv6headlen is an ipv6 header length; Call different functions: P2PDetect_IPv4 according to the type of packet again or P2PDetect_IPv6 detects IPv4 or IPv6 message;
Step 4: described P2P detection module detects bit turbulent flow BitTorrent datagram:
If: main frame download to need inquiry tracking server Tracker in order to carry out the bit turbulent flow, and this server just parameter of the GET order by Hypertext Transmission Protocol HTTP comes reception information, and described P2P detection module is handled by following situation respectively:
A. detect the beginning part of the net load data of Hypertext Transmission Protocol HTTP, if have condition code " User-Agent:BitTorrent ", then this datagram is judged to be bit turbulent flow datagram, then, finds the datagram of all bit turbulent flows by detecting following four class messages respectively;
Or b. detects the HTTP request message that peer host mails to tracking server, the condition code that in this class message, occurs be " User-Agent:BitTorrent ", " GET/announce? info hash=" with " and GET/scrape? info hash ";
Or the transmission data between the c. detection filtration peer host, the condition code that occurs in this class message is " BitTorrent protocole ";
Or the UDP negotiation packet between the d. detection filtration peer host, the condition code that occurs in this class message is " d1:ad2:id " or " d1:rd2:id20: ";
Or the HTTP message of e. detection tracking server response peer host, to return in the HTTP 200 OK messages behind the B coding to peer host at tracking server, the condition code of appearance is " Set-Cookie:bt=";
Step 5: described P2P detection module detects electric donkey EDonkey datagram, belongs to the response message of electric donkey, and the tcp data Partial Feature sign indicating number of electric donkey is: " e3 * * 00 00 00 47 "; The condition code of the UDP message part of electricity donkey is: " e3 9a " or " e3 96 " or " e3 94 ";
Step 6: described P2P detection module detects the electric mule EMule datagram based on electric donkey EDonkey agreement, the condition code of the tcp data part of electricity mule is " e3 * * 00 00 00 4c " and " c5 * * 00 00 00 ", this message is the response message of electric mule, and the condition code of the UDP message part of electric mule is " e3 a3 ff f0 " and " 02 00 00 3c 02 00 ";
Step 7: described P2P detection module detects the P2P file and downloads software KaZaA datagram, the tcp data of KaZaA newspaper the beginning part have condition code " 0d 0a GET/? " condition code " X-Kazaa-Username: " or " User-Agent:PeerEnabler/ " are arranged subsequently, also have " 0d 0a GIVE? " or " 0d 0a GET/.hash? " Condition code in the UDP datagram of KaZaA is " KaZaA ";
Step 8: described P2P detection module detects P2P Web TV PPLive datagram, condition code in this class message is " www.pplive.chinacache.net ", condition code in the tcp data bag of this class message is " e9 03 44 01 " or " e9 0,345 01 " or " e9 03 46 01 ", and the condition code in the UDP message of PPLive is " e9 03 42 01 98 ab 01 02 " or " 70 70 6c 69 76 65 ";
Step 9: described P2P detection module detects streamium TV PPStream datagram, and following several situation is arranged:
Main frame is when login PPStream server, will visit the website of PPStream earlier, the condition code in this class datagram is " list1.PPStream.com " or " stat.PPStream.com " or " notice.PPStream.com " or " xml1.PPStream.com ";
Contain condition code in the negotiation packet between main frame before the beginning transmission of media data " GET/? ppNotice﹠amp; Lang=" and " PSProtocol ";
Main frame all has condition code " PPStream.com " to ending place of the HTTP request message that the PPStream server sends;
Step 10: described P2P detection module 4~step 9 pair described various condition codes set by step carries out character string relatively with the character string in the message that receives, if equate, just the match is successful in expression, and the type of affirmation received packet;
Step 11: described P2P detection module is formed detected information in the P2P rule base that P2P filtering rule that one rule includes five-tuple is inserted into described CPU board and is gone, offer the bottom hardware visit with this, described five-tuple is meant: source address, destination address, source port, destination interface, protocol type, the operation and maintenance module OAM in the described CPU board filters or limits corresponding P2P flow according to different control strategies and demand.
P2P data message detection method based on condition code proposed by the invention, overcome the deficiency of existing P2P data message detection method, a kind of new detection is provided and has filtered the technical method of P2P application traffic, this method can satisfy the demand that detects various P2P application traffics, and has a good expandability, Fig. 6~Figure 17 has listed this method and has detected the step that several main flow P2P use, thereby has solved existing method inefficiency and detected incomplete problem.Tsing-Hua University is used in the research achievement in " isolated device of supporting IPv6 " at present, is the important component part of this equipment.
Description of drawings
Fig. 1. xegregating unit functional localization schematic diagram;
Fig. 2. support the isolated device interface schema of IPv6;
Fig. 3. the outfit of equipment functional structure chart;
Fig. 4. based on the P2P data message detection method flow chart of condition code;
Fig. 5. based on the P2P data message detection method general frame of condition code;
Fig. 6. detect the flow chart of the tcp data bag of BitTorrent;
Fig. 7. detect the flow chart of the UDP message bag of BitTorrent;
Fig. 8. detect the flow chart of the tcp data bag of EDonkey;
Fig. 9. detect the flow chart of the UDP message bag of EDonkey;
Figure 10. detect the flow chart of the tcp data bag of EMule;
Figure 11. detect the flow chart of the UDP message bag of EMule;
Figure 12. detect the flow chart of the tcp data bag of KaZaA;
Figure 13. detect the flow chart of the UDP message bag of KaZaA;
Figure 14. detect the flow chart of the tcp data bag of PPLive;
Figure 15. detect the flow chart of the UDP message bag of PPLive;
Figure 16. detect the flow chart of the tcp data bag of PPStream;
Figure 17. detect the flow chart of the UDP message bag of PPStream;
Figure 18 .P2P rule base data structure diagram.
Embodiment
Step 1: be defined as follows three functions
static?int?P2PDetect(const?struct?skBuff*skb,int?ip_version)
static?int?P2PDetect_IPv4(const?struct?skBuff*skb)
static?int?P2PDetect_IPv6(const?struct?skBuff*skb)
Skb is the pointer that points to IP packet header, when ip_version=4, function P2PDetect call function P2PDetect_IPv4 detects the IPv4 message, when ip_version=6, function P2PDetect call function P2PDetect_IPv6 detects the IPv6 message, function P2PDetect_IPv4 or P2PDetect_IPv6 judge the IP message that receives from the software kit Transmit-Receive Unit respectively, and with the mobile backward ipv4headlen+head_len of pointer skb or ipv6headlen+head_len byte, wherein ipv4headlen is an IPV4 header length, ipv6headlen is an ipv6 header length, head_len is a transport layer header length, Fig. 4 is based on the P2P data message detection method flow chart of condition code, at first the IP bag of receiving being carried out version judges, if IPv4 packet, carry out the detection of P2P condition code to the parsing of IPv4 bag and to it so, just add the P2P rule base and return the P2P type if P2P wraps according to testing result, otherwise directly return, if IPv6 packet, carry out the detection of P2P condition code to the parsing of IPv6 bag and to it so, just add the P2P rule base and return the P2P type if P2P wraps according to testing result, otherwise directly return, Fig. 5 is based on the general frame of the P2P data message detection method of condition code, at first the IP bag is resolved, call each submodule then successively and carry out the P2P detection, then testing result is added in the P2P rule base and return detected P2P type, here we provide some macrodefinitions and identify certain specific P2P application, make SKP2P_BIT=1024, SKP2P_EDK=2, SKP2P_EMU=512, SKP2P_KZA=8, SKP2P_PPL=16, SKP2P_PPS=32;
Step 2: definition detects the function of BitTorrent datagram
int?seek_BitTorrent(unsigned?char*haystack,int?packet_len,int?head_len)
int?udp_seek_BitTorrent(unsigned?char*haystack,int?packet_len)
Seek_BitTorrent is for detecting the function of the BitTorrent data in the TCP message, Fig. 6 is the flow chart that detects the tcp data bag of BitTorrent, successively every kind of condition code is mated among the figure, and return testing result, udp_seek_BitTorrent is for detecting the function of the BitTorrent data in the UDP message, Fig. 7 is the flow chart that detects the UDP message bag of BitTorrent, successively every kind of condition code is mated among the figure, and return testing result, parameter haystack is for pointing to the pointer of transport layer header, packet_len is the net load data length, packet_len is a transport layer header length, condition code can appear in the beginning position in the net load data of IP bag, function seek_BitTorrent is the matching characteristic sign indicating number respectively: " BitTorrent protocol ", " User-Agent:BItTorrent ", " GET/scrape? info_hash ", " GET/announce? info_hash ", " Set-Cookie:bt=", function udp_seek_BitTorrent is the matching characteristic sign indicating number respectively: " d1:ad2:id ", " d1:rd2:id20: ", the match is successful then returns SKP2P_BIT, illustrates that this message is the BitTorrent datagram, otherwise returns 0;
Step 3: definition detects the function of EDonkey datagram
int?seek_EDonkey(unsigned?char*haystack,int?packet_len,int?head_len)
int?udp_seek_EDonkey(unsigned?char*haystack,int?packet_len)
Seek_EDonkey is for detecting the function of the EDonkey data in the TCP message, Fig. 8 is the flow chart that detects the tcp data bag of EDonkey, successively every kind of condition code is mated among the figure, and return testing result, udp_seek_EDonkey is for detecting the function of the EDonkey data in the UDP message, Fig. 9 is the flow chart that detects the UDP message bag of EDonkey, successively every kind of condition code is mated among the figure, and return testing result, parameter haystack is for pointing to the pointer of transport layer header, packet_len is the net load data length, and packet_len is a transport layer header length, function seek_EDonkey matching characteristic sign indicating number: " e3 01 00 00 00 47 ", " e3 03 00 00 00 47 ", " e3 1a 00 00 00 47 ", function udp_seek_Edonkey is the matching characteristic sign indicating number respectively: " e3 9a ", " e3 96 ", " e3 94 ", the match is successful then returns SKP2P_EDK, illustrates that this message is the EDonkey datagram, otherwise returns 0;
Step 4: definition detects the function of EMule datagram
int?seek_EMule(unsigned?char*haystack,int?packet_len,int?head_len)
int?udp_seek_EMule(unsigned?char*haystack,int?packet_len)
Seek_EMule is for detecting the function of the EMule data in the TCP message, Figure 10 is the flow chart that detects the tcp data bag of EMule, successively every kind of condition code is mated among the figure, and return testing result, udp_seek_EMule is for detecting the function of the EMule data in the UDP message, Figure 11 is the flow chart that detects the UDP message bag of EMule, successively every kind of condition code is mated among the figure, and return testing result, parameter haystack is for pointing to the pointer of transport layer header, packet_len is the net load data length, packet_len is a transport layer header length, function seek_EMule is the matching characteristic sign indicating number respectively: " e3 * * 00 00 00 4c " and " c5 * * 00 00 00 ", function udp_seek_EMule is the matching characteristic sign indicating number respectively: " e3 a3 fff0 ", " 02 00 00 3c 02 00 ", the match is successful then returns SKP2P_EMU, illustrate that this message is the EMule datagram, otherwise return 0;
Step 5: definition detects the function of KaZaA datagram
int?seek_KaZaA(unsigned?char?*haystack,int?packet_len,int?head_len)
int?udp_seek_KaZaA(unsigned?char?*haystack,int?packet_len)
Seek_KaZaA is for detecting the function of the KaZaA data in the TCP message, Figure 12 is the flow chart that detects the tcp data bag of KaZaA, successively every kind of condition code is mated among the figure, and return testing result, udp_seek_KaZaA is for detecting the function of the KaZaA data in the UDP message, Figure 13 is the flow chart that detects the UDP message bag of KaZaA, successively every kind of condition code is mated among the figure, and return testing result, parameter haystack is for pointing to the pointer of transport layer header, packet_len is the net load data length, packet_len is a transport layer header length, and function seek_KaZaA is the matching characteristic sign indicating number respectively: " 0d 0a GIVE? ", " 0d 0a GET/.hash? " " 0d 0a GET/? X-Kazaa-Username: ", " 0d 0a GET/? User-Agent:PeerEnabler/ ", function udp_seek_KaZaA matching characteristic sign indicating number: " KaZaA ", the match is successful then returns SKP2P_KZA, illustrate that this message is the KaZaA datagram, otherwise return 0;
Step 6: definition detects the function of PPLive datagram
int?seek_PPLive(unsigned?char*haystack,int?packet_len,int?head_len)
int?udp_seek_PPLive(unsigned?char*haystack,int?packet_len)
Seek_PPLive is for detecting the function of the PPLive data in the TCP message, Figure 14 is the flow chart that detects the tcp data bag of PPLive, successively every kind of condition code is mated among the figure, and return testing result, udp_seek_PPLive is for detecting the function of the PPLive data in the UDP message, Figure 15 is the flow chart that detects the UDP message bag of PPLive, successively every kind of condition code is mated among the figure, and return testing result, parameter haystack is for pointing to the pointer of transport layer header, packet_len is the net load data length, packet_len is a transport layer header length, function seek_PPLive is the matching characteristic sign indicating number respectively: " www.pplive.chinacache.net ", " e9 03 44 01 ", " e9 03 45 01 " and " e9 03 46 01 ", function udp_seek_PPLive matching characteristic sign indicating number: " e9 03 42 01 98 ab 01 02 ", " 00 ef 01 00 ", " e9 03 02 00 98 ab 01 02 ", " 70 70 6c 69 76 65 " the match is successful then returns SKP2P_PPL, illustrate that this message is the PPLive datagram, otherwise return 0;
Step 7: definition detects the function of PPstream datagram
int?seek_PPstream(unsigned?char*haystack,int?packet_len,int?head_len)
int?udp_seek_PPstream(unsigned?char*haystack,int?packet_len)
Seek_PPstream is for detecting the function of the PPstream data in the TCP message, Figure 16 is the flow chart that detects the tcp data bag of PPStream, successively every kind of condition code is mated among the figure, and return testing result, udp_seek_PPstream is for detecting the function of the PPstream data in the UDP message, Figure 17 is the flow chart that detects the UDP message bag of PPStream, successively every kind of condition code is mated among the figure, and return testing result, parameter haystack is for pointing to the pointer of transport layer header, packet_len is the net load data length, packet_len is a transport layer header length, and function seek_PPstream is the matching characteristic sign indicating number respectively: " GET/? ppNotice﹠amp; Lang=, " PSProtocol ", " ppstream.com ", " 15 20 00 0,004 00 5c 34 44 ", function udp_seekk_PPstream mates " list1.ppstream.com ", " stat.ppstream.com ", " notice.ppstream.com ", " lst3.ppstream.com ", " xml1.ppstream.com ", the match is successful then returns SKP2P_PPS, illustrates that this message is the PPstream datagram, otherwise returns 0;
Step 8: be defined as follows function creation and insert the P2P rule base
TrieTree?CreateTrieTree(int?info[8])
Node?InsertList(Node?T,int?info[8],int?j)
CreateTrieTree is a function of creating the P2P rule base, InsertList is the function that inserts rule in the P2P rule base, we adopt Trie to set and organize the P2P rule, Figure 18 is the data structure diagram of P2P rule base, the Trie tree is a kind of multiway tree structure of retrieval fast that is used for, it in the Trie tree element of storage, the Trie tree is regarded the keyword that will search as a character string, and the tree structure that is configured to retrieve according to the sequencing that constitutes the keyword character, we are grouped into a rule with detected result and contain hexa-atomic group of (source address, source port, destination address, destination interface, protocol type, the P2P type) P2P filtering rule is inserted in the P2P rule base, offers the bottom hardware visit with this, filters or limit corresponding P2P flow according to different control strategies and demand that OAM module in the xegregating unit is disposed.
Step 9: the present invention realizes successively according to the following steps:
Step 9.1: the present invention realizes in " support IPV6 isolated device ", the isolated device of supporting IPV6 be can support IPv6, simultaneously compatible IPv4, also can realize the high performance network safety xegregating unit of IPv6 network and IPv4 network interconnection.This equipment is between edge access network and backbone network, perhaps on the backbone network.The equipment major function is as follows:
1) IPv6 to IPv6, IPv4 to IPv6, isolation and the exchanges data of IPv6 to IPv4, IPv4 to the IPv4 network, the IPv4/v6 transitional technology of support comprises that IPv4 tunnel on IPv4 tunnel conversion, IPv6 of configured tunneling technique, IPv6, IPv4 are to the IPv6 transitional technology;
2) IPv4/IPv6 five-tuple (source address, destination address, source port, destination interface, protocol type) blacklist and white list filter;
3) connection status inspection and invasion flag check are supported in intrusion detection and dynamically blocking-up;
4) the P2P data message detects and filters;
5) P2P control, limiting P 2 P application traffic as required;
6) network management realizes the network management based on XML;
7) operation and management realize the operation of remote emulation and two kinds of forms of control desk;
The interface of this equipment support has 4 2.5G interfaces, 4 1000M ether interfaces, 2 10/100M ether interfaces and 1 serial ports; In " supporting the isolated device of IPv6 ", P2P data message detection module is positioned on the CPU board of equipment, the multichannel merging parts that the software kit Transmit-Receive Unit receives in the bag disposable plates are caught after the next IP bag, the IP bag is transmitted to the P2P detection module carries out the detection of P2P data message, P2P data message detection module adopts the P2P data message detection method based on condition code of indication of the present invention that the IP bag is detected, and detected result is write the P2P rule base;
Step 9.2: establish: skb is a structured fingers of pointing to IP packet header, ipv4headlen is an IPV4 header length, ipv6head1en is an ipv6 header length, head_len is a transport layer header length, at first, the IP bag of receiving is resolved, if initial 4 bits are 0100, just can judge that this bag is the IPv4 packet, and with mobile backward ipv4headlen+head_len the byte of pointer skb, if initial 4 bits are 0110, just can judge that this bag is the IPv6 packet, and with mobile backward ipv6headlen+head_len the byte of pointer skb;
Step 9.3: described P2P detection module detects bit turbulent flow BitTorrent datagram, when a main frame carries out the BT download, must carry out tracking server Tracker inquiry, tracking server comes reception information by the parameter of the GET order of Hypertext Transmission Protocol HTTP, and the other side (download person) is given in response is the message of B coding, beginning position in the net load data of Hypertext Transmission Protocol HTTP request message, carry the condition code " User-Agent:BitTorrent " of BT, also have some BT softwares not obtain peer host (Peers) tabulation now by HTTP, but employing udp protocol, but still comprise " BitTorrent " condition code in its BT stream, we can discern its " BitTorrent " condition code equally, and described P2P detection module detects following four class messages respectively and finds all BitTorrent flows:
(1) detect the HTTP request message that Peers is sent to Tracker, the condition code that in this class message, occurs be " User-Agent:BitTorrent ", " GET/announce? info_hash=" with " and GET/scrape? info_hash ";
(2) detect the transmission data of filtering between the Peers, the condition code that occurs in this class message is " BitTorrent protocole ";
(3) detect the UDP negotiation packet that filters between the Peers, when a Peer obtains Peers tabulation and relevant information from Tracker after, this Peer at first will hold consultation by all Peers transmission UDP messages in tabulation, in case consult successfully, this Peer just can set up TCP with these Peers and be connected, and beginning data download segment, the condition code that occurs in this class message is " d1:ad2:id " or " d1:rd2:id20: ";
(4) detect the HTTP message that Tracker responds Peer, it is two-way that Tracker addresses inquires to, Tracker is by HTTPGET parameter acquired information, return the HTTP 200 OK messages behind the B coding then, the condition code that occurs in this class message is " Set-Cookie:bt=", we mate with these condition codes each datagram, just carry out character string relatively with the character string in condition code and the datagram, if the match is successful to equate just expression, otherwise it fails to match in expression, and these condition codes just can determine that this message is the BitTorrent datagram in case the match is successful;
Step 9.4: described P2P detection module detects electric donkey EDonkey datagram, the tcp data Partial Feature sign indicating number of EDonkey is: e3 * * 00 00 00 47, this message is the response message of EDonkey, the UDP message Partial Feature sign indicating number of EDonkey is: " e3 9a ", " e3 96 ", " e3 94 " just can determine that this message is the EDonkey datagram in case coupling goes up these condition codes;
Step 9.5: described P2P detection module detects electric mule EMule datagram, EMule is based on the EDonkey agreement, the EMule network is made up of hundreds of EMule servers and millions of EMule clients, client must be connected to server and obtain the network service, this connection will keep closing up to client always, the condition code of the tcp data part of EMule is " e3 * * 00 00 00 4c " and " c5 * * 00 00 00 ", this message is the response message of EMule, the condition code of the UDP message part of EMule is " e3 a3 ff f0 " and " 02 00 00 3c 02 00 ", just can determine that this message is the EMule datagram in case coupling goes up these condition codes;
Step 9.6: described P2P detection module detects the P2P file and downloads software KaZaA datagram, the tcp data of KaZaA newspaper the beginning part have condition code " 0d 0a GET/? " have condition code " X-Kazaa-Username: " or " User-Agent:PeerEnabler/ " subsequently, also have " 0d 0a GIVE? " or " 0d 0a GET/.hash? " in case going up these condition codes, coupling just can determine that this message is the tcp data newspaper of KaZaA, the condition code that often occurs in the UDP datagram of KaZaA is " KaZaA ", and this condition code just can determine that this message is the UDP datagram of KaZaA on the coupling;
Step 9.7: described P2P detection module detects P2P Web TV PPLive datagram, PPLive at first will be to server requests the rendition list when operation, condition code " www.pplive.chinacache.net " can appear in this class request message, PPLive also has and contains condition code " e9 03 44 01 " in a large amount of tcp data bags, " e9 03 45 01 " and " e9 03 46 01 ", condition code " e9 03 42 01 98 ab 01 02 " and " 70 70 6c 69 76 65 " etc. are arranged, so we can detect the message that filters out PPLive according to these condition codes in the UDP message of PPLive;
Step 9.8: described P2P detection module detects streamium TV PPStream datagram, main frame can at first be visited the website of PPStream when login PPStream server, " list1.PPStream.com " or " stat.PPStream.com " or " notice.PPStream.com " or condition codes such as " xml1.ppstream.com " can appear in these class data, PPStream software at first can remove to visit web server such as list1.PPStream.com automatically and obtain current the rendition list when starting, contain condition code in the negotiation packet between main frame before the real transmission of media data of beginning " GET/? ppNotice﹠amp; Lang=" and " PSProtocol "; we can detect in view of the above and filter out this class TCP message; also have some PPStream end of message places that condition code " PPStream.com " is all arranged; this class message all is the HTTP request message that main frame sends to the PPStream server, just can determine that this message is the PPStream datagram in case coupling goes up these condition codes;
Step 9.9: insert the P2P rule base, we adopt Trie to set and organize the P2P rule, the Trie tree is a kind of multiway tree structure of retrieval fast that is used for, it in the Trie tree element of storage, the Trie tree is regarded the keyword that will search as a character string, and the tree structure that is configured to retrieve according to the sequencing that constitutes the keyword character, it is irrelevant to search the nodal point number that comprises in time of a keyword and the tree in Trie tree, and depend on the number of characters of forming keyword, and the time of searching of binary search tree with the tree in the relevant O (log of nodal point number
2N), we are grouped into the P2P filtering rule that a rule contains five-tuple with detected result and are inserted in the P2P rule base, offer the bottom hardware visit with this, filter or limit corresponding P2P flow according to different control strategies and demand that OAM module in the xegregating unit is disposed.
We are applied at 4 the most popular on present network class P2P and have carried out experiment test on Tsing-Hua University's campus network, and test result is as follows:
1.BitTorrent
■ message total: 15239
■ TCP message number: 13746 UDP message numbers: 1363
The detected BitTorrent message total of ■: 1430
TCP message number in the detected BitTorrent message of ■: 290
UDP message number in the detected BitTorrent message of ■: 1140
■ BitTorrent message proportion: 9.38%
2.EMule
■ message total: 16601
■ TCP message number: 14588 UDP message numbers: 2009
The detected EMule message total of ■: 2446
TCP message number in the detected EMule message of ■: 1235
UDP message number in the detected EMule message of ■: 1211
■ EMule message proportion: 14.73%
3.PPLive
■ message total: 17501
■ TCP message number: 17131 UDP message numbers: 350
The detected PPLive message total of ■: 2409
TCP message number in the detected PPLive message of ■: 2087
UDP message number in the detected PPLive message of ■: 322
■ PPLive message proportion: 13.77%
4.PPStream
■ message total: 17350
■ TCP message number: 15133 UDP message numbers: 2140
The detected PPStream message total of ■: 2103
TCP message number in the detected PPStream message of ■: 2103
UDP message number in the detected PPStream message of ■: 0
■ PPStream message proportion: 12.12%
This shows that the present invention has reached intended purposes.
Claims (1)
1. based on the P2P data message detection method of condition code, it is characterized in that having following steps successively:
Step 1: on the CPU board of the isolated device of supporting IPV6, set up a P2P detection module, isolated device one end of this support IPv6 is connecting a shielded IPv4 or IPv6 network through router, and the other end is connecting an IPv4 or IPv6 network through another router;
Step 2: after multichannel merges IP on the parts and wraps in the software Transmit-Receive Unit in the CPU board described in the step 1 is being received bag disposable plates in the described support IPv6 isolated device, described IP bag is transmitted to the P2P detection module described in the step 1, carries out data message successively according to the following steps by this module and detect;
Step 3: described P2P detection module is resolved the IP bag of receiving, if initial 4 bits are 0100, then be judged to be the IPv4 packet, mobile backward ipv4headlen+head_len the byte of structured fingers skb of pointing to IP packet header, this ipv4headlen is an IPv4 packet header length, and head_len is a transport layer header length; If initial 4 bits are 0110, then be judged to be the IPv6 packet, mobile backward ipv6headlen+head_len the byte of bar structure pointer skb, this ipv6headlen is an ipv6 header length; Call different functions: P2PDetect_IPv4 according to the type of packet again or P2PDetect_IPv6 detects IPv4 or IPv6 message;
Step 4: described P2P detection module detects bit turbulent flow BitTorrent datagram:
If: main frame download to need inquiry tracking server Tracker in order to carry out the bit turbulent flow, and this server just parameter of the GET order by Hypertext Transmission Protocol HTTP comes reception information, and described P2P detection module is handled by following situation respectively:
A. detect the beginning part of the net load data of Hypertext Transmission Protocol HTTP, if have condition code " User-Agent:BitTorrent ", then this datagram is judged to be bit turbulent flow datagram, then, finds the datagram of all bit turbulent flows by detecting following four class messages respectively;
Or b. detects the HTTP request message that peer host mails to tracking server, the condition code that in this class message, occurs be " User-Agent:BitTorrent ", " GET/announce? info_hash=" with " and GET/scrape? info_hash ";
Or the transmission data between the c. detection filtration peer host, the condition code that occurs in this class message is " BitTorrent protocole ";
Or the UDP negotiation packet between the d. detection filtration peer host, the condition code that occurs in this class message is " d1:ad2:id " or " d1:rd2:id20: ";
Or the HTTP message of e. detection tracking server response peer host, to return in the HTTP 200OK message behind the B coding to peer host at tracking server, the condition code of appearance is " Set-Cookie:bt=";
Step 5: described P2P detection module detects electric donkey EDonkey datagram, belongs to the response message of electric donkey, and the tcp data Partial Feature sign indicating number of electric donkey is: " e3 * * 00 00 00 47 "; The condition code of the UDP message part of electricity donkey is: " e3 9a " or " e3 96 " or " e3 94 ";
Step 6: described P2P detection module detects the electric mule EMule datagram based on electric donkey EDonkey agreement, the condition code of the tcp data part of electricity mule is " e3 * * 00 00 00 4c " and " c5 * * 00 00 00 ", this message is the response message of electric mule, and the condition code of the UDP message part of electric mule is " e3 a3 ff f0 " and " 02 00 00 3c 02 00 ";
Step 7: described P2P detection module detects the P2P file and downloads software KaZaA datagram, the tcp data of KaZaA newspaper the beginning part have condition code " 0d 0a GET/? " condition code " X-Kazaa-Username: " or " User-Agent:PeerEnabler/ " are arranged subsequently, also have " 0d 0a GIVE? " or " 0d 0a GET/.hash? " Condition code in the UDP datagram of KaZaA is " KaZaA ";
Step 8: described P2P detection module detects P2P Web TV PPLive datagram, condition code in this class message is " www.pplive.chinacache.net ", condition code in the tcp data bag of this class message is " e9 03 44 01 " or " e9 0,345 01 " or " e9 03 46 01 ", and the condition code in the UDP message of PPLive is " e9 03 42 01 98 ab 01 02 " or " 70 70 6c 69 76 65 ";
Step 9: described P2P detection module detects streamium TV PPStream datagram, and following several situation is arranged:
Main frame is when login PPStream server, will visit the website of PPStream earlier, the condition code in this class datagram is " list1.PPStream.com " or " stat.PPStream.com " or " notice.PPStream.com " or " xml1.PPStream.com ";
Contain condition code in the negotiation packet between main frame before the beginning transmission of media data " GET/? ppNotice﹠amp; Lang=" and " PSProtocol ";
Main frame all has condition code " PPStream.com " to ending place of the HTTP request message that the PPStream server sends;
Step 10: described P2P detection module 4~step 9 pair described various condition codes set by step carries out character string relatively with the character string in the message that receives, if equate, just the match is successful in expression, and the type of affirmation received packet;
Step 11: described P2P detection module is formed detected information in the P2P rule base that P2P filtering rule that one rule includes five-tuple is inserted into described CPU board and is gone, offer the bottom hardware visit with this, described five-tuple is meant: source address, destination address, source port, destination interface, protocol type, the operation and maintenance module OAM in the described CPU board filters or limits corresponding P2P flow according to different control strategies and demand.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2006101125955A CN100493094C (en) | 2006-08-25 | 2006-08-25 | P2P data message detection method based on character code |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2006101125955A CN100493094C (en) | 2006-08-25 | 2006-08-25 | P2P data message detection method based on character code |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1913528A true CN1913528A (en) | 2007-02-14 |
| CN100493094C CN100493094C (en) | 2009-05-27 |
Family
ID=37722295
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2006101125955A Expired - Fee Related CN100493094C (en) | 2006-08-25 | 2006-08-25 | P2P data message detection method based on character code |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100493094C (en) |
Cited By (28)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2009115034A1 (en) * | 2008-03-21 | 2009-09-24 | 华为技术有限公司 | Method, system and apparatus for detecting protocol message |
| CN101764815A (en) * | 2009-12-23 | 2010-06-30 | 杭州华三通信技术有限公司 | Method and device for acquiring XML messages |
| CN101783816A (en) * | 2010-03-22 | 2010-07-21 | 杭州华三通信技术有限公司 | Download traffic control method and device |
| WO2010139237A1 (en) * | 2009-06-02 | 2010-12-09 | 中兴通讯股份有限公司 | Method and device for deep packet inspection |
| CN101388848B (en) * | 2008-10-13 | 2010-12-22 | 北京航空航天大学 | Flow recognition method combining network processor with general processor |
| CN101459554B (en) * | 2008-12-30 | 2011-02-09 | 成都市华为赛门铁克科技有限公司 | Method and apparatus for data stream detection |
| CN101577626B (en) * | 2009-06-05 | 2011-04-13 | 西北工业大学 | Method for monitoring initiative specific information dissemination based on eMule |
| CN102014065A (en) * | 2010-12-10 | 2011-04-13 | 中兴通讯股份有限公司 | Method for analyzing packet headers, header analysis preprocessing device and network processor |
| CN101282331B (en) * | 2008-05-09 | 2011-06-01 | 西安交通大学 | Method for recognizing P2P network flow based on transport layer characteristics |
| CN102148854A (en) * | 2010-10-19 | 2011-08-10 | 华为数字技术有限公司 | Method and device for identifying peer-to-peer (P2P) shared flows |
| CN101567811B (en) * | 2009-05-26 | 2011-09-14 | 西北工业大学 | Active type specific information transmission monitoring method based on BitTorrent |
| CN102318310A (en) * | 2009-02-10 | 2012-01-11 | 阿尔卡特朗讯公司 | A method and device for reconstructing torrent content metadata |
| CN101778006B (en) * | 2009-01-09 | 2012-01-25 | 华为技术有限公司 | Method and system for reporting media instant message and a media gateway |
| CN102437936A (en) * | 2011-12-20 | 2012-05-02 | 东南大学 | Detection method of high speed network bot message based on double-filtering mechanism |
| CN101494663B (en) * | 2009-01-23 | 2012-05-23 | 北京网御星云信息技术有限公司 | Active identification method and apparatus based on peer-to-peer network |
| CN101741644B (en) * | 2009-12-16 | 2012-05-30 | 成都市华为赛门铁克科技有限公司 | Flow detection method and apparatus |
| CN102497371A (en) * | 2011-12-13 | 2012-06-13 | 曙光信息产业(北京)有限公司 | Sampling equipment based on quintuple and load contents |
| CN101741867B (en) * | 2008-11-14 | 2012-07-25 | 电子科技大学 | Method for capturing node information in BitTorrent network |
| CN101599976B (en) * | 2009-07-10 | 2012-10-17 | 成都市华为赛门铁克科技有限公司 | Method and device for filtering user datagram protocol data packet |
| CN101325518B (en) * | 2007-06-15 | 2013-03-20 | 阿尔卡特朗讯 | Supervisor peer for malicious peer detection in structured peer-to-peer networks |
| CN103139315A (en) * | 2013-03-26 | 2013-06-05 | 烽火通信科技股份有限公司 | Application layer protocol analysis method suitable for home gateway |
| CN103166963A (en) * | 2013-03-05 | 2013-06-19 | 汉柏科技有限公司 | Protocol identification method and system for de-encapsulation |
| CN103384240A (en) * | 2012-12-21 | 2013-11-06 | 北京安天电子设备有限公司 | P2P active defense method and system |
| CN103595729A (en) * | 2013-11-25 | 2014-02-19 | 北京锐安科技有限公司 | Protocol analysis method and device |
| CN104994016A (en) * | 2014-01-14 | 2015-10-21 | 马维尔国际有限公司 | Method and apparatus for packet classification |
| WO2016127634A1 (en) * | 2015-02-09 | 2016-08-18 | 中兴通讯股份有限公司 | Service processing method, device and system for application program, and storage medium |
| CN110602038A (en) * | 2019-08-01 | 2019-12-20 | 中国科学院信息工程研究所 | Abnormal UA detection and analysis method and system based on rules |
| CN111787026A (en) * | 2020-07-27 | 2020-10-16 | 北京飞讯数码科技有限公司 | Method, device and equipment for transmitting media data and storage medium |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101895469A (en) * | 2010-07-19 | 2010-11-24 | 重庆邮电大学 | Peer-to-peer network flow traction system and method |
-
2006
- 2006-08-25 CN CNB2006101125955A patent/CN100493094C/en not_active Expired - Fee Related
Cited By (37)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101325518B (en) * | 2007-06-15 | 2013-03-20 | 阿尔卡特朗讯 | Supervisor peer for malicious peer detection in structured peer-to-peer networks |
| WO2009115034A1 (en) * | 2008-03-21 | 2009-09-24 | 华为技术有限公司 | Method, system and apparatus for detecting protocol message |
| CN101282331B (en) * | 2008-05-09 | 2011-06-01 | 西安交通大学 | Method for recognizing P2P network flow based on transport layer characteristics |
| CN101388848B (en) * | 2008-10-13 | 2010-12-22 | 北京航空航天大学 | Flow recognition method combining network processor with general processor |
| CN101741867B (en) * | 2008-11-14 | 2012-07-25 | 电子科技大学 | Method for capturing node information in BitTorrent network |
| CN101459554B (en) * | 2008-12-30 | 2011-02-09 | 成都市华为赛门铁克科技有限公司 | Method and apparatus for data stream detection |
| CN101778006B (en) * | 2009-01-09 | 2012-01-25 | 华为技术有限公司 | Method and system for reporting media instant message and a media gateway |
| CN101494663B (en) * | 2009-01-23 | 2012-05-23 | 北京网御星云信息技术有限公司 | Active identification method and apparatus based on peer-to-peer network |
| CN102318310A (en) * | 2009-02-10 | 2012-01-11 | 阿尔卡特朗讯公司 | A method and device for reconstructing torrent content metadata |
| CN102318310B (en) * | 2009-02-10 | 2014-11-05 | 阿尔卡特朗讯公司 | A method and device for reconstructing torrent content metadata |
| CN101567811B (en) * | 2009-05-26 | 2011-09-14 | 西北工业大学 | Active type specific information transmission monitoring method based on BitTorrent |
| WO2010139237A1 (en) * | 2009-06-02 | 2010-12-09 | 中兴通讯股份有限公司 | Method and device for deep packet inspection |
| CN101577626B (en) * | 2009-06-05 | 2011-04-13 | 西北工业大学 | Method for monitoring initiative specific information dissemination based on eMule |
| CN101599976B (en) * | 2009-07-10 | 2012-10-17 | 成都市华为赛门铁克科技有限公司 | Method and device for filtering user datagram protocol data packet |
| CN101741644B (en) * | 2009-12-16 | 2012-05-30 | 成都市华为赛门铁克科技有限公司 | Flow detection method and apparatus |
| CN101764815A (en) * | 2009-12-23 | 2010-06-30 | 杭州华三通信技术有限公司 | Method and device for acquiring XML messages |
| CN101783816A (en) * | 2010-03-22 | 2010-07-21 | 杭州华三通信技术有限公司 | Download traffic control method and device |
| CN101783816B (en) * | 2010-03-22 | 2013-04-17 | 杭州华三通信技术有限公司 | Download traffic control method and device |
| CN102148854A (en) * | 2010-10-19 | 2011-08-10 | 华为数字技术有限公司 | Method and device for identifying peer-to-peer (P2P) shared flows |
| CN102148854B (en) * | 2010-10-19 | 2013-08-28 | 北京华为数字技术有限公司 | Method and device for identifying peer-to-peer (P2P) shared flows |
| CN102014065A (en) * | 2010-12-10 | 2011-04-13 | 中兴通讯股份有限公司 | Method for analyzing packet headers, header analysis preprocessing device and network processor |
| CN102497371A (en) * | 2011-12-13 | 2012-06-13 | 曙光信息产业(北京)有限公司 | Sampling equipment based on quintuple and load contents |
| CN102437936A (en) * | 2011-12-20 | 2012-05-02 | 东南大学 | Detection method of high speed network bot message based on double-filtering mechanism |
| CN102437936B (en) * | 2011-12-20 | 2013-12-18 | 东南大学 | Detection method of high speed network bot message based on double-filtering mechanism |
| CN103384240A (en) * | 2012-12-21 | 2013-11-06 | 北京安天电子设备有限公司 | P2P active defense method and system |
| CN103384240B (en) * | 2012-12-21 | 2016-09-07 | 北京安天电子设备有限公司 | A kind of P2P active defense method and system |
| CN103166963A (en) * | 2013-03-05 | 2013-06-19 | 汉柏科技有限公司 | Protocol identification method and system for de-encapsulation |
| CN103139315A (en) * | 2013-03-26 | 2013-06-05 | 烽火通信科技股份有限公司 | Application layer protocol analysis method suitable for home gateway |
| CN103595729A (en) * | 2013-11-25 | 2014-02-19 | 北京锐安科技有限公司 | Protocol analysis method and device |
| CN104994016A (en) * | 2014-01-14 | 2015-10-21 | 马维尔国际有限公司 | Method and apparatus for packet classification |
| CN104994016B (en) * | 2014-01-14 | 2020-10-23 | 马维尔亚洲私人有限公司 | Method and apparatus for packet classification |
| WO2016127634A1 (en) * | 2015-02-09 | 2016-08-18 | 中兴通讯股份有限公司 | Service processing method, device and system for application program, and storage medium |
| CN105991465A (en) * | 2015-02-09 | 2016-10-05 | 中兴通讯股份有限公司 | Service processing method, device and system for application |
| CN105991465B (en) * | 2015-02-09 | 2020-12-04 | 中兴通讯股份有限公司 | Method, device and system for processing application program service |
| CN110602038A (en) * | 2019-08-01 | 2019-12-20 | 中国科学院信息工程研究所 | Abnormal UA detection and analysis method and system based on rules |
| CN111787026A (en) * | 2020-07-27 | 2020-10-16 | 北京飞讯数码科技有限公司 | Method, device and equipment for transmitting media data and storage medium |
| CN111787026B (en) * | 2020-07-27 | 2022-09-27 | 北京飞讯数码科技有限公司 | Method, device and equipment for transmitting media data and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100493094C (en) | 2009-05-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN1913528A (en) | P2P data message detection method based on character code | |
| Wustrow et al. | Internet background radiation revisited | |
| EP3148118B1 (en) | Providing application metadata using export protocols in computer networks | |
| US7916652B1 (en) | Analyzing network traffic to diagnose subscriber network errors | |
| JP5167501B2 (en) | Network monitoring system and its operation method | |
| CN1531264A (en) | Peer-to-peer communication apparatus and communication method | |
| CN1929472A (en) | Method, system, signal and medium for managing data transmission in a data network | |
| CN1692616A (en) | Network traffic control in peer-to-peer environments | |
| CN1414746A (en) | Method of providing internal service apparatus in network for saving IP address | |
| CN1838636A (en) | Method and apparatus for packet traversal of a network address translation device | |
| Fiadino et al. | Vivisecting whatsapp in cellular networks: Servers, flows, and quality of experience | |
| Lara et al. | OpenSec: A framework for implementing security policies using OpenFlow | |
| CN1518281A (en) | IP router, communication system and its used band setting method and program | |
| CN1773993A (en) | Session relay equipment and session relay method | |
| CN1805396A (en) | Method for implementing network access through broadband router | |
| CN1574790A (en) | Method and apparatus for controlling packet transmission and generating packet billing data | |
| CN108111558A (en) | A kind of high-speed packet disposal method, apparatus and system | |
| US20120047248A1 (en) | Method and System for Monitoring Flows in Network Traffic | |
| CN100336349C (en) | Implementation method and system for testing consistency of border gateway protocol of supporting IPv6 | |
| CN1917512A (en) | Method for establishing direct connected peer-to-peer channel | |
| CN1878141A (en) | Network control apparatus and control method | |
| CN1852164A (en) | P2P network management method based on federal model | |
| CN1863154A (en) | Method for limiting current for point to point application | |
| US20200042527A1 (en) | Monitoring network traffic to determine similar content | |
| CN1801718A (en) | OMA download realizing method in content distributing network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C17 | Cessation of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20090527 Termination date: 20120825 |