KR101545687B1 - packet analysis apparatus based on application - Google Patents

Abstract

The present invention relates to an application-based packet analysis apparatus, which enables to analyze the cause whether it is a network problem or an internal problem of a program by monitoring a transmitting/receiving packet for the corresponding application, if a certain application is abnormally operated and an exact cause is not figured out when developing a program or in an execution environment after development. More specifically, by monitoring a UDP and TCP transmitting/receiving packet per application unit which is executed by operating the program in a smart device such as a PC, a smart pad, a smartphone, or a wall pad for home, the apparatus of the present invention enables to analyze the cause whether the cause of the problem is the network problem or the internal problem of the program. The present invention comprises: a GUI (10); an application information processing module (20); a data managing module (30); a packet collecting module (40); and a packet analyzing module (50).

Description

[0001] The present invention relates to a packet analysis apparatus based on application,

The present invention relates to a packet analyzing apparatus and, more particularly, to a packet analyzing apparatus, more particularly, to a packet analyzing apparatus, more particularly, Or an internal problem of the program, which is a problem in the application-based packet analysis apparatus.

More specifically, UDP and TCP transmission / reception packets are transmitted in a unit of application that is executed by running a program in a smart device such as a PC, a smart pad, a smart phone, or a household wall pad The present invention relates to an application-based packet analyzing apparatus capable of performing a cause analysis of whether a cause of an error is a network problem or an internal problem of a program.

Packet analysis is the process of collecting and analyzing the actual data flowing on the network to solve various errors that may occur in the network. It analyzes the network characteristics, identifies who is using the network, Network usage Peak time is used as a means of identifying when an attack is likely or malicious activity and looking for unusual applications.

In other words, by capturing and analyzing packets traveling in a wired / wireless environment, packets can be monitored when a server fails and the problem of whether the server is a problem or the cause of a client or a network can be identified.

This packet analysis is used for failure analysis and processing in the case of server failure, analysis of the operation principle of the server / client, checking of possibility when developing network equipment, and security enhancement by monitoring network call volume.

Various techniques have been developed for such packet analyzing apparatuses and methods, including Patent Documents 1 and 2.

Patent Document 1 relates to a ZigBee packet analyzing apparatus that captures packets in a signal transmitted in a wireless manner according to the ZigBee protocol, analyzes the packets, and displays the packet according to a user's request. Patent Document 2 discloses a ZigBee packet analyzing apparatus that analyzes various phenomena occurring in an actual IP network Point packet delay and packet loss, which is a performance parameter of the IP network.

In the case of wireshark such as various packet analyzing apparatuses, it is possible to perform transmission / reception packet monitoring for TCP, UDP and other protocols for a specific Internet interface, (port) filtering function.

However, these analytical tools have limitations in monitoring packets for specific applications after they are specified.

For example, an application called 'appA' operates as a TCP client on the local PC, and performs TCP communication with the server program of the remote PC IP address 192.168.1.101. Likewise, an application called 'appB' When the user operates the wire shark on the local PC and analyzes the packet after designating the remote IP address 192.168.1.101 as the filtering function, when the user performs the TCP communication with the server program of the remote PC IP address 192.168.1.101 while operating as a client, Packets sent and received by 'appA' and 'appB' with remote PC IP address 192.168.1.101 are monitored.

However, when the user wants to see only the packet corresponding to 'appA', but the 'appB' packet is analyzed at the same time, there is a problem in seeing one packet separately.

1. Korean Patent No. 0582889 2. Korea Patent No. 1261053

The present invention has been developed to solve the problems of the related art as described above, and it is an object of the present invention to provide an IP address filtering function and a filtering function for each application, so that even when a plurality of applications are transmitted to one IP address, And to provide an application-based packet analyzing apparatus.

That is, according to the present invention, when a plurality of applications communicate in an existing IP address or port-based packet analysis technology, it is impossible to analyze only one application packet, It is an object of the present invention to provide an application-based packet analyzing apparatus capable of monitoring network data trend and illegal data with a real-time packet analyzing tool in an operating environment after debugging and development of network transmission / reception data for an application.

In order to achieve the above object, an application-based packet analyzing apparatus according to the present invention comprises: GU; An application information processing module for mapping the application information set by the GUI and the packet information collected by the packet collection unit 40; A data management module for managing process information on an application set in the GUI; A packet collection module for collecting application packet information; And a packet analysis module for analyzing a packet for each application by referring to the application packet collected in the packet collection module and the value set in the GUI.

The GUI may comprise a packet collection setting unit for setting packet information to be collected by the packet collection module, and an analysis result display unit for outputting a result analyzed by the packet analysis module.

The application information processing module may include an Ns thread for updating a process ID, a protocol type, and a port number of an application, and a Ps thread for updating a process ID process name of the application. The data management module includes a process ID, An NS hash that manages the protocol type and port number, and a Ps hash that manages the process ID and name of the application; It can be composed of the application name, source and destination IP address, port number, and protocol filtering information set by the user.

In addition, the packet collection module intercepts the transmission / reception packet when there is network transmission / reception data to the opened interface card so that network data can be transmitted / received by the interface name set by the user, A packet parsing module for parsing network transmission / reception data received from the packet collection module to find and analyze an application corresponding to the packet; A packet filtering module for comparing the packet data with the packet data of the packet collection module when the filtering condition is set in the data management module; And an output format generation module for generating an output format of the GUI.

The above-described application-based packet analyzing apparatus according to the present invention can classify the packets into application units and perform packet monitoring so that filtering can be applied for each unit, so that packet monitoring and analysis are facilitated It is effective.

That is, the present invention can be used at the time of application failure analysis and processing, server / client operation principle analysis, network equipment development, and operation time. Since the unit can be narrowed down to a specific application, the data analysis time can be shortened and the desired application can be analyzed.

1 is a conceptual diagram of a communication network having an application-based packet analyzing apparatus according to the present invention.
2 is a block diagram of software constituting an application-based packet analyzing apparatus according to the invention
FIG. 3 is an example of a packet collection setting GUI of a GUI constituting an application-based packet analyzing apparatus according to the invention
4 is a data structure diagram managed by the application-based packet analyzing apparatus according to the present invention.
FIG. 5 is a diagram illustrating a data format of a packet in an application-
6 shows an example of the analysis result screen

Hereinafter, an application-based packet analyzing apparatus according to the present invention will be described in detail with reference to the accompanying drawings.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It is to be understood, however, that the invention is not to be limited to the specific embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

Like reference numerals are used for like elements in describing each drawing. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

The present invention makes it easier to analyze the network.

The application-based packet analyzing apparatus according to the present invention is made of software, that is, a program, and is not a physical apparatus, but will be described below as means or modules.

The application-based packet analyzing apparatus according to the present invention can be used on a network as shown in FIG. 1, and includes a GUI 10; An application information processing module (20) for mapping the application information set in the GUI and the packet information collected in the packet collection (40); A data management module 30 for managing process information on an application set in the GUI; A packet collection module (40) for collecting application packet information; And a packet analysis module 50 for analyzing a packet for each application by referring to the application packet collected in the packet collection module and the value set in the GUI.

According to the present invention, the data management module 30 constructs information on the process information about the application set by the application information processing module 20 in the GUI according to the packet collection information set by the GUI 10, The packet analyzing module 50 refers to the value set in the GUI 10 by the packet analyzing module 50 and analyzes the packet for each application.

The application-based packet analyzing apparatus of the present invention is capable of debugging network transmission / reception data for a specific application (program) at the time of program development, and for analyzing trends of network data and illegal data And can be used for monitoring purposes. In the case where an abnormality occurs in a PC or other smart device as an operating environment, it can be used as a tool for solving problems by using the program of the present invention, and even if a normal state is not permitted It is possible to monitor whether data is transmitted / received through the network by an application.

3 is a screen for setting the packet collection information in the GUI 10, and is configured to set the selection of the interface name (LAN card name) of the collection target application and the collection target application information. The application setting outputs a list of application names registered in the system (Windows or Linux). If a new application is detected during the analysis according to the present invention, the application is added to the list, and if an existing application is lost So that the data can be analyzed.

The GUI 10 provides an operating environment based on graphic display such as icons or windows. In the apparatus according to the present invention, the GUI 10 includes a packet collection setting unit 10c for setting packet information to be collected by the packet collection module 40, an analysis And a result display unit 10r.

The application information processing module 20 processes the application process ID to map the application information set in the packet collection setting 10c of the GUI 10 and the packet information collected in the packet collection module 40, A protocol type (UDP or TCP), and a process name (process name), periodically collects the information, and stores the value in an application resolution 30a provided in the data management module 30, And is used as information for distinguishing data collected by the packet collecting module 40 by an application when analyzing in the module 50. [

The application information processing module 20 may include an Ns thread 20n for updating a process ID, a protocol type, and a port number of an application, and a Ps thread 20p for updating a process ID process name of the application.

The data management module 30 is a module for managing various data. As shown in FIG. 4, the managed data item 30o includes an application name set by the user, a source and a destination IP address (destination ip address), port number, and protocol (UDP or TCP) filtering information.

The data management module 30 includes an application resolution 30a for managing a process id, a port number, and a protocol type of the application. The application resolution 30a includes: An NS hash that manages the process ID, protocol type, and port number, and a Ps hash that manages the process ID and name of the application. The process ID and the process name of the application are managed in the Ps hash. The Ns hash data is periodically updated by the Ns thread 20n of the application information processing module 20, and the Ps hash data is stored in the Ps thread (20p) updates periodically.

That is, the application information processing module 20 includes an Ns thread 20n for updating a process ID, a protocol type, and a port number of an application, and a Ps thread 20p for updating a process ID process name of the application .

The packet collection module 40 intercepts a transmission / reception packet when there is network transmission / reception data for an interface card that is opened so that network data can be transmitted / received at an interface name set by the user, And a packet receiver 40r for transmitting the contents to the packet analysis module. The packet type is as shown in Fig.

The packet analysis module 50 includes a packet parsing module 50p for parsing network transmission / reception data received from the interface opener 40o of the packet collection module 40 to find and analyze an application corresponding to the packet; A packet filtering module 50f for filtering data by comparing the packet data with packet data of the packet collection module when a filtering condition is set in the data management module; And an output format generation module 50c for generating an output format of the GUI.

That is, the packet analysis module 50 parses the network transmission / reception data received from the packet receiver 40r of the packet collection module 40, finds an application corresponding to the packet, (10r) to display the result in the GUI. The source / destination IP address, the port number, and the protocol shown in FIG. 5 in the packet received by the packet receiver 40r in order to find out which packet the network transmission / reception data is for, And compares the information of the data management module 30 shown in Fig. Since there is no application name information in the packet receiver 40r, the comparison job is performed, and the search logic is as follows.

1. Retrieve the IP address (ip address) of the currently opened interface name (LAN card).

2. If the IP address of the interface and the source IP address of the packet of the packet receiver 40r are the same, the packet is transmitted to the outside.

3. If it is not equal to 2, it is a packet received from the outside.

(The IP address of the interface is the same as the destination IP address of the packet receiver (40r) packet)

4. In case of external transmission, it is checked that the protocol of the packet receiver 40r packet and the protocol of the Ns hash management item are the same, while the source port number of the packet receiver 40r packet and the port of the Ns hash management item are the same .

5.4, it is searched that the protocol of the packet receiver 40r packet and the protocol of the Ns hash management item are the same, while the port of the destination port number of the packet receiver 40r packet and the port of the Ns hash management item are the same.

6. Retrieve the process ID of the found Ns hash management entry and the process ID of the Ps hash management list to the same value.

7. It is a packet that the application of the Ps hash management item retrieved in 6 should transmit or receive the packet receiver (40r) packet.

8. If the filter information of the application information (App_Info) management item is inquired and the filtering condition is applied, the filter information format is filtered by comparing the packet information with the packet receiver 40r packet data, and the filter information format of the application information (App_Info) The same format of commercial tcpdump is applied.

The packet analysis module 50 transmits the application information retrieved in the above step 7 and the packet receiver 40r packet filtered at step 8 to the GUI module 10 so as to be displayed on the GUI, And outputs the analysis result to the screen. FIG. 6 is an example of an analysis result screen.

As described above, the application-based packet analyzing apparatus according to the present invention is composed of software and can be variously modified and implemented. For example, a conceptual diagram is shown in FIG. 7 using a Linux system.

1. Run ApplicationPcap, a tool for capturing incoming packets from the Linux system.

ApplicationPcap allows you to capture and analyze packets by program you want.

2. When ApplicationPcap starts, it collects incoming packets from outside.

The packets to be collected can be filtered by ip address or port number.

3. When the user finishes collecting packets, ApplicationPcap separates collected packets into separate analysis files for each program set by the operator.

4. The operator analyzes the collected packets by checking the files collected by ApplicationPcap.

Saved files are available in a standard format that can be verified by WireShark and other packet analysis tools, so they can be found with tools such as WireShark.

2 is a block diagram illustrating a software block of an application-based packet analysis apparatus according to the present invention.

pkt_collect block

The pkt_collect block collects packets received by a specific interface card using a library named libpcap. The pkt_collect block opens a capture target interface and receives packets by filtering a specific ip address and UDP or TCP port. The received packet is stored in a memory called pkt_buf, and the result is parsed at the time of completion of collection to separate the storage file for each application (App_info) and save it as a file.

The main api of the packet capture library libpcap used in this program is as follows.

pcap_open_live

pcap_open_live () is used to get the packet capture descriptor needed to view packets on the network. The promiscuous mode of a NIC is a mode in which it accepts packets that are not its destination. Even if it is set to not work as promiscuous, it can operate in some promiscuous mode as needed inside the library. The function prototype is as follows.

pcap_t * pcap_open_live (char * device, int snaplen, int promisc, int to_ms, char * ebuf);

device A string indicating the network device to use.

snaplen Maximum bytes to capture

promisc Whether the NIC will operate in promiscuous mode

to_ms read timeout in milliseconds

ebuf Save error messages only if pcap_open_live () fails

pcap_compile

There may or may not be a need for all packets traveling around the network. For example, when analyzing the traffic of a Web server managed by the user, it is necessary to capture and analyze only packets destined to the address and port number of the corresponding server. This way of picking only the packets you want is called filtering, and the following is the filtering function prototype.

int pcap_compile (pcap_t * p, struct bpf_program * fp, char * str, int optimize, bpf_u_int32 netmask);

p packet capture descriptor

The structure to be determined according to the fp filtering rule

Filtering rules in the form of a str string

Optimize Whether to optimize when executing result code

mask of netmask network

The function prototype used when applying the bpf_program structure determined by pcap_compile () is as follows.

int pcap_setfilter (pcap_t * p, struct bpf_program * fp);

p packet capture descriptor

fp The value returned from the result in pcap_compile ()

pcap_next_ex

pcap_open_live and pcap_compile If a packet is received in the set descriptor, it will be used as a function to capture the packet using this API. The following is a function prototype.

int pcap_next_ex (pcap_t * p, struct pcap_pkthdr * h, unsigned char * pp);

p packet capture descriptor

h Pointer indicating information of the packet

pp packet data buffer

Config block

The Config block manages the program information (appInfo) that the user wants to capture packets as a configuration file and parses the set file. After completing the packet collection, Ns_Hash information (process id, protocol type, port number) and Ps_Hash information protocol type, and process name) to provide a management function for creating a separate collection result file for each program when creating a packet analysis result file.

The program (appInfo) management items are as follows.

Process Info block

The process info block periodically sends Ns_Hash information (process id, protocol type, port number) and Ps_Hash information (process id, protocol type, and process name) for the purpose of creating a packet collection result file for each program set by the user. This is a function to update to a thread.

Ns_Hash management items are as follows.

The procedure for periodically updating the Ns_Hash management item is as follows.

1. Create an update thread

2. Search the currently running program (process) information list in order.

process id, process name, protocol type (UDP, TCP), port number

3. Insert or update the read process information in Ns_Hash.

Ps_Hash management items are as follows.

The process of periodically updating Ps_Hash management items is as follows.

1. Create an update thread

2. Search the currently running program (process) information list in order.

process id, protocol name

3. Insert or update the read process information into Ps_Hash.

pkt_result block

The pkt_result block parses the collected buffer pkt_buf using the libpcap library after completing the packet collection, and creates a separate collection result file for each program.

The following figure shows the procedure for parsing collected packets and saving them as separate result files.

1. The packet is read from the collection packet buffer pkt_buf in units of received packets.

2. If there is no packet, terminate.

3. Retrieve whether there is an application in Ns_Hash with protocol information (UDP or TCP) and port number among the contents of the read packet. Ns_Hash has information that can refer to App_Info. App_Info contains the process pid of the program and file information of the packet collection result.

4. If no information is found in Ns_Hash, the next incoming packet is read from pkt_buf.

5. If the information is found in Ns_Hash, store the packet in the result file for the program. Store packet in the collection result file that App_Info has

6. Perform from step 1 again.

Collective Complete Procedure

The following figure shows the overall procedure of packet collection of this software.

1. The user issues an acquisition start command. The information needed to configure the packet collection must be set in the cfg.ini file before the command is issued. config.in information - network interface, collection program (process), filtering information, etc.

2. Manage the collection process information by parsing cfg.ini.

3. Create a thread that periodically updates the process information.

Process id, the port number that the process is opening Manage: Ns_Hash

Process id, process name Management: Ps_Hash

This information is used as a value for distinguishing the storage file when the packet is stored by process after the end of collection.

4. Open the packet collection device with the information set in cfg.ini. Using libpcap api

5. It enables packet collection filtering function with the information set in cfg.ini. Using libpcap api

6. Create a thread to receive packets after device open and filtering.

7. Receive the packet. Using libpcap api

8. If the acquisition start state, store the received packet in the buffer.

9. Continue 7 to 8 until collection ends. However, if the size of the packet storage buffer is exceeded, it is automatically terminated after storing the packet.

10. The user issues an end-of-collection command.

11. Parset the packet from the packet collection buffer. Parsing by packet unit

12. Find the process information with the port number of the parsed information. From Ns_Hash and Ps_Hash information search

13. Store the parsed packet information in the corresponding process save file. In other words, the packet is stored in each file separately for each program set by the operator.

14. Repeat steps 11 through 13 until there are no more packets.

This section describes the members and functions for the main classes.

Software Configuration Key Class

The following is a software directory structure diagram.

/ iklim / pcap / source root directory

/ iklim / pcap / bin / The directory for the capture executable file.

pcap: capture executable

cfg.ini: capture target configuration file

vp: process verification executable

ps.dat: file to be automatically created when pcap is executed - reference to process name and pid

ns.dat: File to be automatically created when pcap is executed - Refer to process name and port number

/ iklim / pcap / bin / data / Capture save file directory

Key class member variables and functions

The main function of this software is to manage start and end of packet capture. The main member variables are as follows.

Main key member variables

Main functions are as follows.

The CApplicationPcapDlg class is called from this Main to perform the packet capture function. The main member variables are as follows.

The main functions of the CApplicationPcapDlg class are as follows.

The CAppInfo class manages the config configuration information and stores the collected packets in a file. The main member variables are as follows.

The main functions of the CAppInfo class are as follows.

The CHashMap class performs a template class function to manage hash of process name, pid, and port number. The main functions of the CHashMap class are as follows.

The CNsHash class manages the pid and port number used by each process with hash. The main member variables are as follows.

The main functions of the CNsHash class are as follows.

The CPsHash class manages the pid and process name used by each process with hash. The main member variables are as follows.

The main functions of the CPsHash class are as follows.

The CNsThread class is a thread that periodically updates the hash that manages the process pid and process name used by each process. The main member variables are as follows.

The main functions of the CNsThread class are as follows.

The CPsThread class is a thread that periodically updates hash that manages the process-specific process pid and process name. The main member variables are as follows.

The main functions of the CPsThread class are as follows.

The CPacket class is used to parse collected packets using the libpcap library. The main member variables are:

The main functions of the CPacket class are:

The CPcapDump class is a function that stores collected packets using the libpcap library. The main member variables are as follows.

The main functions of the CPacket class are:

Setup and Packet Capture

This software is implemented in Linux and does not provide a GUI-based user interface. Instead, it manages the configuration values for packet capture in a config file to run the software.

Directory structure and files

The following is a software directory structure.

/ iklim / pcap / source root directory

/ iklim / pcap / bin / The directory for the capture executable file.

pcap: capture executable

cfg.ini: capture target configuration file

vp: process verification executable

ps.dat: file to be automatically created when pcap is executed - reference to process name and pid

ns.dat: File to be automatically created when pcap is executed - Refer to process name and port number

/ iklim / pcap / bin / data / Capture save file directory

Capture target config settings

The value for packet capture is set in cfg.ini as interface name, maximum size of capture data, capture filter, name of program execution target file to be captured, and service type, so that this value can be referred to when the program is started.

The following is an example of the configuration for the capture target config file cfg.ini.

interface-name

Capture interface to capture packets to capture

See interface-name configuration

buffer-size

Capture buffer size: Automatically save and exit as capture information file when size is exceeded

filter

Filtering input: UDP / TCP ip and port filtering information setting

See filter configuration example

app-name

Application filename

Affected by packet capture data & capture filename generation

See app-name settings

app-type

Application type

svc-name

Service Name

svc-type

Type of service

svc-provider

Service Provider

Caution: Must be placed at the end of the order in the configuration file

In the above configuration, app-type, svc-name, svc-type, and svc-provider do not affect packet capture data, but only capture file name.

Set interface-name

To set the interface name for packet capture in the cfg.ini file, refer to the inserface name as follows.

ifconfig -a run

Set the detected interface name (eth0, ..) to the interface-name in the cfg.ini file.

filter setting

The packet filtering function is set in the cfg.ini file as follows, and the rule for filtering is the same as that of tcpdump, so refer to tcpdump for detailed configuration.

filter =

filtering not working

filter = port 40001

UDP or TCP port 40001 capture only

filter = dst port 40001

UDP or TCP destinatioport 40001 Capture only

filter = src port 40001

UDP or TCP source port 40001 capture only

filter = udp port 40001

Capture UDP port 40001 only

filter = host 192.168.1.2

UDP or TCP host only capture IP address 192.168.1.2

filter = port 40001 and host 192.168.1.2

UDP or TCP port is 40001 and host ip address is 192.168.1.2.

Set app-name

To set the capture target process name in the cfg.ini file when capturing a packet, use a process name search program called vp. vp is not a commercial shell command in Linux, it is a user program implemented in this project and exists in the sub-path bin (/ iklim / pcap / bin) of the software source root, and you do not need to use vp if you know the process name. The results of running vp are the same.

Run vp from the executable directory

./vp

Refer to vp execution result & app-name setting

Set the retrieved process name (urecv, trecv, ..) to the app-name in the cfg.ini file.

Capture execution and termination

Once the cfg.ini configuration is done, run the program to proceed with the packet capture and exit at the desired point to save the capture information to a file.

Run the program

Here's how it works.

Go to executable path

Sub-bi directory of program source source root

Run the executable

./pcap

It should be run as root.

Check program progress

When pcap is executed, the capture state is output in 1 second as follows.

exName

process name (app-name set in cfg.ini)

exCnt

Number of processes in exName

Exit the program

The method of termination is as follows.

Save the capture file and exit the program

s Enter

As the capture file name is displayed as below, please bring the file in that directory to windows using ftp and check with Wireshark.

Exit the program without saving the capture file

x Enter

The program ends without generating a capture file.

Confirm Packet Capture

The result file generated after packet capture on Linux is confirmed by using WireShark in Windows. So, check out the result file from Linux using ftp to windows. Fig. 6 is an example of a packet capture result file generated by Linux from WireShark

[Development System Environment]

The system environment for implementing the above program can be variously modified, but a preferable software OS environment and a compile method will be described. This software was developed by gcc compiler in Linux environment.

Software compilation environment

Compilation environment

Libraries required for compilation

To compile and run this software, the libpcap library must be installed. If it is not installed, you must download and install the library.

Compile Procedure

Go to the root directory where the software source is located.

/ iklim / pcap: Assuming you installed the source code here

Run the makefile to compile.

make clean; make

Where to create the executable

If the compile succeeds, the executable file pcap is created in the bi directory.

/ iklim / pcap / pcap: executable name

10: GUI 10c: Packet collection setting section 10r: Analysis result display section
20: Application information search module 20n: Ns thread 20p: Ps thread
30: Data management module 30a: Application 30o: Operation management
40: Packet collection module 40r: Packet receiver 40o: Interface opener
50: packet analysis module 50p: packet parsing module 50f: packet filtering module
50c: output format generation module

Claims (6)

GUI 10; An application information processing module 20 for mapping the application information set in the GUI and the packet information collected by the packet collection module 40; A data management module 30 for managing process information on an application set in the GUI; A packet collection module (40) for collecting application packet information; And a packet analysis module (50) for analyzing a packet for each application by referring to an application packet collected in the packet collection module and a value set in a GUI, the application based packet analysis device comprising:
The packet collection module intercepts a transmission / reception packet when there is network transmission / reception data to an interface card that is opened so that network data can be transmitted / received at an interface name set by the user, And a packet receiver (40r) for delivering the packet to the analysis module,
The packet receiver 40r performs a comparison job because there is no application name information,
1. Obtain the IP address (ip address) of the currently opened interface name (LAN card)
2. If the IP address of the interface and the source IP address of the packet of the packet receiver 40r are the same,
3. If it is not equal to 2, it recognizes that it is received from the outside (the IP address of the interface is the same as the destination IP address of the packet receiver (40r) packet)
4. When transmitting from outside, it is found that the source port number of the packet receiver 40r packet and the port of the Ns hash management item are the same and the protocol of the packet receiver 40r packet is the same as the protocol of the Ns hash management item and,
5. 4, it is searched that the protocol of the packet receiver 40r packet and the protocol of the Ns hash management item are the same while the port of the destination port number of the packet receiver 40r packet and the port of the Ns hash management item are the same,
6. The process ID of the discovered Ns hash management entry and the process ID of the Ps hash management list are retrieved with the same value,
7. The application of the Ps hash management item retrieved at 6 recognizes the packet receiver 40r packet as a packet to be transmitted or received,
8. If the filter information of the application information (App_Info) management item is inquired and the filtering condition is applied, the filter information format is filtered by comparing the packet information with the packet receiver 40r packet data, and the filter information format of the application information (App_Info) Wherein the same format of the commercial tcpdump is applied. The method according to claim 1,
Wherein the GUI comprises a packet collection setting unit (10c) for setting packet information to be collected by the packet collection module, and an analysis result display unit (10r) for outputting a result analyzed by the packet analysis module Analysis device. The method according to claim 1,
Wherein the application information processing module comprises an Ns thread 20n for updating a process ID, a protocol type, and a port number of an application, and a Ps thread 20p for updating a process ID process name of the application. Analysis device. The method according to claim 1,
The data management module includes an application hash function (30a) including an NS hash for managing a process ID, a protocol type, and a port number of an application, and a Ps hash for managing a process ID and name of an application;
And an operation management solution (30o) for managing application name, source and destination IP address, port number, and protocol filtering information set by the user. delete The method according to claim 1,
The packet analysis module includes a packet parsing module (50p) for parsing the network transmission / reception data received from the packet collection module to find and analyze an application corresponding to the packet;
A packet filtering module 50f for filtering data by comparing the packet data with packet data of the packet collection module when a filtering condition is set in the data management module; And
And an output format generation module (50c) for generating an output format of the GUI.

Images