CN101035035A - Method, device, system and communication method for detecting the host number - Google Patents


Publication number
CN101035035A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA2007100962478A
Other languages
Chinese (zh)
Other versions
CN100495993C (en)
Inventor
辛阳
刘利锋
郑志彬
王飞
赵凯
杨义先
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Beijing University of Posts and Telecommunications
Original Assignee
Huawei Technologies Co Ltd
Beijing University of Posts and Telecommunications
Application filed by Huawei Technologies Co Ltd and Beijing University of Posts and Telecommunications
Priority to CNB2007100962478A
Publication of CN101035035A
Application granted
Publication of CN100495993C
Legal status: Expired - Fee Related

Abstract

The invention provides a method for detecting the number of hosts. The method includes: intercepting the handshake message that a monitored host sends to a destination; sending the monitored host a handshake response carrying a timestamp; intercepting the timestamped handshake acknowledgment that the monitored host returns, and extracting a first key value from it; intercepting the handshake response that the destination sends to the monitored host, and extracting a second key value from it; changing the handshake content to content that the destination can receive, and sending the handshake acknowledgment to the destination; and intercepting the data packets transmitted between the destination and the monitored host, changing the content of the protocol part of each packet, using the first or second key value, to content that the monitored host or the destination can correctly receive, and forwarding it. Corresponding to this method, a device for detecting the number of hosts is also provided, comprising an intercepting unit, an information changing unit, a sending unit and a computing unit.

Description

Method, device and system for detecting the number of hosts, and communication method
Technical field
The present invention relates to the communications field, and in particular to a detection method, device and system and a communication method.
Background
In a network environment, a NAT (network address translation) device performs network address translation. NAT lets the hosts behind it, which use virtual IP addresses (for example 192.168.10.1), share one real IP address (for example 10.110.255.30); the IP address and related information of every packet that passes through the NAT are rewritten. This approach was adopted to cope with the shortage of IP addresses. The NAT identifies each network connection of each host behind it by a port number, which serves as the basis for relaying network data.
In many cases the number of hosts behind a NAT needs to be detected, which gives the network structure shown in Fig. 1. Monitoring device 101 is used to monitor how many hosts are attached behind NAT 102; NAT 102 is the network address translation device described above; host 103 represents the multiple hosts that can be connected to the NAT. However, the nature of NAT makes it difficult to observe information about the hosts behind it from the packets that pass through it, which makes counting those hosts very difficult.
To make it easier for users to count the hosts behind a NAT device, most current methods determine the number of hosts behind the NAT device by obtaining timestamps.
This method is based on the timestamp option in TCP (Transmission Control Protocol) packets. It has been shown that each host's timing error per unit time relative to absolute standard time differs from that of every other host, so this characteristic can be used as a "fingerprint" to identify a particular host. According to reports on this technique, it is not affected by network delay, access method and the like, and its accuracy is high.
However, a host running the Windows operating system does not send packets carrying a TCP timestamp on its own initiative, so a method is needed to induce the host to send packets that carry a timestamp.
At present, when the monitored host starts a TCP three-way handshake with the destination, the monitoring device, which sits between the two communicating parties, impersonates the destination IP and sends the monitored host a SYN, ACK packet carrying a timestamp. (The seq and ack values are two fields in the TCP protocol; each communicating party has its own pair of them. Their main purpose is to let the two parties reassemble packets in the correct order, and they can also be used to judge whether the peer is the real destination; how the content of these two fields changes is specified in the TCP protocol.) When the source IP device receives this forged SYN, ACK packet, it replies with an ACK packet carrying a timestamp, and the timestamp of the monitored host is thereby obtained. The detailed process takes place among monitored host A, destination B and monitor C, as shown in Fig. 2:
Step 201: Monitored host A sends a SYN packet to destination B, and monitor C intercepts it in transit (without affecting the packet's correct arrival at the recipient). The seq value carried in the SYN packet is monitored host A's seq value x, and ack is the initial value 0.
Step 202: After intercepting the SYN packet, monitor C returns a SYN, ACK packet carrying a timestamp to monitored host A. The seq carried in this SYN, ACK packet is monitor C's seq y, and ack is the seq+1 of the SYN that monitored host A sent to destination B.
Step 203: After receiving the timestamped SYN, ACK packet that C returned in B's name, monitored host A replies to destination B with an ACK packet carrying a timestamp in order to complete the three-way handshake. The ack carried in this ACK packet is derived from the seq in the SYN, ACK packet received from monitor C, so the reply ACK packet carries seq x+1 and ack y+1. This ACK packet is intercepted by monitor C, which thereby obtains the timestamp.
Step 204: Because destination B also received the SYN packet that monitored host A sent in step 1, it returns a SYN, ACK packet to monitored host A in which seq is destination B's own seq value z and ack is x+1. Monitored host A, however, already received in step 202 a SYN, ACK packet with seq y and ack seq+1, so on checking it treats the SYN, ACK packet sent by destination B as invalid and always discards the SYN, ACK packets that destination B sends.
As the process above shows, after the timestamp is obtained, the seq value in the SYN, ACK packet that monitor C sent to monitored host A in destination B's name cannot match the (randomly chosen) seq value in the response packet that B actually returns to A. Because of this key point, monitored host A and destination B cannot in fact establish a correct connection. Monitored host A eventually enters a waiting state (waiting for destination B's response), while destination B keeps sending SYN, ACK packets to monitored host A. Because the seq value of these packets differs from that of the SYN, ACK packet that monitored host A previously received from monitor C, A never accepts them, and the connection that A initiated finally times out and exits, so the connection is interrupted.
In summary, the prior art has the following shortcomings:
1. The scheme may interrupt communication between the monitored host and the destination. The timestamp sent by monitored host A is obtained, and the number of hosts behind the NAT can be judged from timestamps, but because monitor C sends a SYN, ACK packet in destination B's name, monitored host A and destination B never complete the TCP three-way handshake. The communication is interrupted before the connection between them is established, and the user of monitored host A perceives an obvious drop in network service quality.
2. Only one timestamp can be obtained. Because communication between the two is interrupted, the monitor can obtain only a single timestamp; when host characteristics need to be judged more precisely from timestamps, there is no way to obtain further timestamps.
Summary of the invention
The purpose of the embodiments of the invention is to detect the number of hosts without affecting the communication between the communicating parties.
The embodiments of the invention achieve this as follows: intercept the handshake message that the monitored host sends to the destination; send the monitored host a handshake response carrying a timestamp; intercept the timestamped handshake acknowledgment that the monitored host returns, and extract a first key value from it;
intercept the handshake response that the destination sends to the monitored host, and extract a second key value from it; change this handshake message to content that the destination can correctly receive, and send the handshake acknowledgment to the destination;
when a packet sent by the destination is intercepted, change the content of the protocol part of the packet, using the second key value, to content that the monitored host can correctly receive, and forward it; or, when a packet sent by the monitored host is intercepted, change the content of the protocol part of the packet, using the first key value, to content that the destination can correctly receive, and forward it;
the monitor counts the hosts from the timestamps obtained.
Corresponding to the above method, an embodiment of the invention provides a device for detecting the number of hosts, comprising:
An intercepting unit, which includes an information acquisition unit, configured to: intercept the handshake message that the monitored host sends to the destination and extract a first key value from it; intercept the handshake response that the destination returns to the monitored host and obtain a second key value; intercept the timestamped handshake acknowledgment that the monitored host sends to the destination; and intercept packets transmitted between the destination and the monitored host;
An information changing unit, which includes a key value unit, configured to: when the handshake response that the destination sends to the monitored host is intercepted, modify the key value in the handshake response to content that the destination can correctly receive; and, when a packet sent by the destination is intercepted, change the content of the protocol part of the packet, using the second key value, to content that the monitored host can correctly receive, or, when a packet sent by the monitored host is intercepted, change the content of the protocol part of the packet, using the first key value, to content that the destination can correctly receive;
A sending unit, configured to: send the handshake response to the monitored host; send the intercepted and modified handshake acknowledgment to the destination; send packets with modified key values to the destination; and send packets with modified key values to the monitored host;
A computing unit, configured to determine the number of hosts from the timestamps after handshake messages carrying timestamps are intercepted.
On the basis of the above method and device, an embodiment of the invention also provides a system for detecting the number of hosts, comprising:
A monitored host, configured to send a handshake message to the destination; receive a handshake response carrying a timestamp; return a timestamped handshake message to the destination; and send packets to the destination;
A monitor, configured to: intercept the handshake message that the monitored host sends to the destination and extract a first key value from it; send the monitored host a handshake response carrying a timestamp; intercept the timestamped handshake acknowledgment that the monitored host returns; intercept the handshake response that the destination sends to the monitored host and extract a second key value from it, change the content of this handshake message to content that meets the destination's needs, and send the handshake acknowledgment with the changed content to the destination; intercept packets that the destination sends to the monitored host, change the content of the protocol part of each packet, using the second key value, to content that the monitored host can correctly receive, and forward it; intercept packets that the monitored host sends to the destination, change the content of the protocol part of each packet, using the first key value, to content that the destination can correctly receive, and forward it; and determine the number of hosts from the timestamps obtained;
A destination, configured to return a handshake message to the monitored host, receive the timestamped handshake message that the monitored host returns, and send packets to the monitored host.
According to the embodiments of the invention, the monitor intercepts the handshake packets of both communicating parties and extracts from them the information needed to establish the connection (seq and ack values, etc.). It then uses this information to relay data back and forth between the two parties by modifying the relevant packet content, so that their handshake completes through the monitor. Afterwards, when the monitored host and the destination exchange data, the monitor also intercepts the data they send each other and modifies it into packets that the destination or the monitored host can accept, providing an uninterrupted data transmission service.
Brief description of the drawings
Fig. 1 is a structure diagram of a NAT network;
Fig. 2 is a signaling diagram of the prior-art method by which the monitor obtains a timestamp;
Fig. 3 is a flowchart of the method by which the monitor obtains timestamps in embodiment 1 of the invention;
Fig. 4 shows method 1 for determining the number of hosts from timestamps;
Fig. 5 shows method 2 for determining the number of hosts from timestamps;
Fig. 6 is a signaling diagram of the method by which the monitor obtains timestamps in embodiment 1 of the invention;
Fig. 7 is a signaling diagram of the method by which the monitor obtains timestamps in embodiment 2 of the invention;
Fig. 8 is a diagram of the timestamp-obtaining device of embodiment 3 of the invention;
Fig. 9 is a diagram of the timestamp-obtaining device of embodiment 4 of the invention.
Embodiments
To make the purpose, technical solutions and advantages of the invention clearer, several basic concepts are introduced first.
1. Timestamp: here, the timestamp is a value carried in TCP packets as specified by the TCP protocol. It is a count that runs from the moment the host boots up to a given moment (on Windows systems the count increases by 1 every 100 ms). The value depends only on the host's boot time and not on other factors.
2. seq value and ack value:
These two values are two fields in the TCP protocol. Each communicating party has its own pair of them; their main purpose is to let the two parties reassemble packets in the correct order.
Data transfer in a packet network works as follows: the complete data is cut into small blocks; the sender puts each block into a packet and sends the packets to the receiver; the receiver extracts each data block according to the order of the packets received and reassembles them, finally restoring the original complete data.
However, when packets travel over a network, many uncertain factors cause delay and loss. The receiver is therefore quite likely to receive packets out of order, or to find that some packets have been lost. A mechanism is needed to detect these situations promptly and retransmit the lost data, or to let the receiver reorder out-of-order packets once it notices them.
The seq value is initially generated at random by each communicating party at the start of a session, and this random number is used as the initial value. Party A includes this value in a packet sent to the other party B. On receiving the packet, B extracts the value, calculates the payload length of the packet (the length of the actual data that remains after the protocol fields are removed), assigns the sum of the value and the payload length to ack, and sends ack together with its own seq value to A. From the ack it receives, A judges whether B received the data correctly, calculates its own ack in the same way, and sends ack and seq to B, and so on, which guarantees the continuity of the data.
In actual network transmission there is one special rule: during connection establishment, the ack value between A and B is incremented by 1 even though no data is transmitted at that point. After data transmission begins, if a packet contains no data (a packet consists of a protocol part plus a data part, and some packets contain only the protocol part), the ack value is not incremented.
The invention is described in further detail below with reference to the drawings.
In embodiment 1 of the invention, the monitor intercepts the handshake message that the monitored host sends to the destination and, in the name of destination B, sends the monitored host a handshake response packet (SYN, ACK). It intercepts the SYN, ACK packet that B sends to A and obtains the relevant values, and finally, in A's name, sends the handshake acknowledgment (ACK) packet to B, which completes the whole handshake. Afterwards, when the monitored host and the destination transfer data, the monitor intercepts the packets and changes part of the content of each packet's protocol part to meet the needs of the destination and the monitored host, so that transmission between the monitored host and the destination continues uninterrupted.
Referring to Fig. 3:
Step 301: The monitor intercepts the handshake message (SYN) that the monitored host sends to the destination and records the seq value in it for later use in forwarding the data transmitted between the monitored host and the destination;
Step 302: The monitor sends the monitored host a handshake response (SYN, ACK) carrying a timestamp;
Step 303: The monitor intercepts the timestamped handshake acknowledgment (ACK) that the monitored host returns;
Step 304: The monitor intercepts the handshake response that the destination sends to the monitored host after receiving the monitored host's handshake message, and records the seq value in it for later use in forwarding the data transmitted between the monitored host and the destination;
Step 305: Using the seq value in the destination's handshake response intercepted in step 304, the monitor modifies the ACK packet obtained in step 303 and sends it to the destination in the monitored host's name;
Step 306: The monitor intercepts the data transmitted between the destination and the monitored host, changes the content of the packet's protocol part to content that the monitored host or the destination can correctly receive, and forwards it;
Step 307: The monitor determines the number of hosts from the intercepted timestamps.
To determine the number of hosts from the intercepted timestamps in step 307, the monitor can use the prior-art methods of judging the number of hosts from timestamps, which can be described briefly as follows:
1. The simpler way. Suppose four computers share an Internet connection, as in Fig. 4, and were switched on at 8:00, 8:15, 8:30 and 9:00 respectively; the four bold lines represent the time tracks of the four computers while online. At 8:00, A boots and its timestamp counter starts counting from 0. Suppose A goes online at 8:10 and the monitoring device obtains A's timestamp; at that moment the timestamp should be 10 (minutes) × 60 (seconds/minute) × 10 (the counter increases by 1 every 100 ms, and 1 second = 10 × 100 ms) = 6000. The monitoring device records this value.
At 8:15, B boots. Suppose B goes online at 8:20 and the monitoring device obtains B's timestamp, which should be 5 × 60 × 10 = 3000. From the previously obtained timestamp of A, it can be inferred that A's timestamp should now be 20 × 60 × 10 = 12000, so it is easy to conclude that there are two hosts.
In the same way, after C and D come online it can be determined that there are four hosts in total.
2. A slightly more complicated way:
After capturing a timestamp, the monitoring device starts its own counter and continuously compares it with the monitored host's.
The monitoring device again captures the timestamps of the four computers. Because the counter of each of the four computers (the counter's value is the timestamp value) deviates from the monitoring device's counter by a different amount, after recording for a period of time the deviation between each computer's timestamp value and the monitoring device's counter can be plotted, as shown in Fig. 5.
The total number of computers is determined from the deviation curves of each computer's timestamp (that is, each computer's counter) against the monitoring device's counter.
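The two counting methods above can be worked through in code. This is an added example, not code from the patent: method 1 groups captures by the boot time they imply, and method 2 fits the deviation of a host's counter against the monitoring device's clock. The capture times for C and D, the 5-second grouping tolerance and the drifting-host samples are constructed assumptions.

```python
from dataclasses import dataclass, field

TICK_HZ = 10  # the page's figure: the counter gains 1 every 100 ms


@dataclass(frozen=True)
class Observation:
    seen_at: float  # monitoring device's clock at capture, in seconds
    tsval: int      # TCP timestamp value read from the captured packet


@dataclass
class Host:
    boot_at: float                               # boot time implied by the first sample
    samples: list = field(default_factory=list)  # every Observation assigned to this host


def implied_boot(obs, hz=TICK_HZ):
    """The counter starts at 0 on boot, so boot = capture time - tsval / hz."""
    return obs.seen_at - obs.tsval / hz


def group_by_boot_time(observations, tolerance_s=5.0, hz=TICK_HZ):
    """Method 1: samples that imply the same boot time belong to one host."""
    hosts = []
    for obs in sorted(observations, key=lambda o: o.seen_at):
        boot = implied_boot(obs, hz)
        match = next((h for h in hosts if abs(h.boot_at - boot) <= tolerance_s), None)
        if match is None:
            match = Host(boot_at=boot)
            hosts.append(match)
        match.samples.append(obs)
    return hosts


def skew_ppm(samples, hz=TICK_HZ):
    """Method 2: least-squares slope of host time against monitor time, in ppm."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to fit a slope")
    xs = [s.seen_at for s in samples]
    ys = [s.tsval / hz for s in samples]
    mean_x = sum(xs) / len(xs)
    mean_y = sum(ys) / len(ys)
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("samples must be spread over time")
    slope = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / sxx
    return (slope - 1.0) * 1e6


def at(hour, minute):
    """Clock time as seconds since midnight."""
    return hour * 3600 + minute * 60


# Constructed captures. A and B follow the page's figures; C and D capture times are assumed.
SAMPLES = [
    Observation(at(8, 10), 6000),    # A, booted 8:00
    Observation(at(8, 20), 3000),    # B, booted 8:15
    Observation(at(8, 20), 12000),   # A again, as the page extrapolates
    Observation(at(8, 40), 6000),    # C, booted 8:30
    Observation(at(9, 5), 3000),     # D, booted 9:00
]

# Constructed: one host whose counter runs 500 ppm fast relative to the monitor.
DRIFTING = [Observation(0, 0), Observation(2000, 20010),
            Observation(4000, 40020), Observation(6000, 60030)]

if __name__ == "__main__":
    for host in group_by_boot_time(SAMPLES):
        print(f"boot at {host.boot_at:.0f} s, {len(host.samples)} sample(s)")
    print(f"skew of drifting host: {skew_ppm(DRIFTING):.1f} ppm")
```

Hosts that boot within the tolerance of each other merge under method 1; the per-host slope from method 2 is what can still tell them apart.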
Referring to Fig. 6, the signaling diagram of the monitor's timestamp acquisition method, the process of embodiment 1 of the invention is as follows:
Step 601: Monitored host A sends a SYN packet to destination B. Monitor C intercepts the SYN packet, and the SYN packet still arrives correctly at the recipient. The seq value carried in the SYN packet is monitored host A's seq value x, and ack is the initial value 0;
Step 602: After intercepting the SYN packet, monitor C returns a SYN, ACK packet carrying a timestamp to monitored host A. The seq carried in this SYN, ACK packet is monitor C's seq y, and ack is the seq+1 of the SYN that monitored host A sent to destination B;
Step 603: After receiving the timestamped SYN, ACK packet that C returned in B's name, monitored host A replies to destination B with an ACK packet carrying a timestamp in order to complete the three-way handshake. The ack carried in this ACK packet is derived from the seq in the SYN, ACK packet received from monitor C, so the reply ACK packet carries seq x+1 and ack y+1. Monitor C intercepts the ACK packet and obtains the monitored host's timestamp from it. After destination B receives the timestamped ACK packet, it discards the packet because the seq and ack values in it do not match;
Step 604: Because destination B also received the SYN packet that monitored host A sent in step 1, it returns a SYN, ACK packet to monitored host A in which seq is destination B's seq value z and ack is x+1. The monitor intercepts this SYN, ACK packet;
Step 605: Monitor C, in monitored host A's name, returns a SYN, ACK packet to destination B, changing seq and ack according to the data in the ACK packet obtained in step 603: the packet sent to destination B carries seq x+1 and ack z+1;
Step 606: After destination B receives the ACK packet that monitor C sent in monitored host A's name, it considers the connection with monitored host A established and sends packet #1 to monitored host A, with seq z+1 and ack x+1. When this packet reaches monitored host A, however, its seq z+1 and ack x+1 do not match the seq and ack that monitored host A received earlier, so monitored host A discards it. At the same time, monitor C intercepts the packet;
Step 607: After intercepting packet #1 sent by destination B to monitored host A, monitor C changes seq to y+1 and leaves ack unchanged at x+1, then sends the modified packet #1 to monitored host A;
Step 608: After receiving the packet, monitored host A returns reply packet #1 to destination B, with seq x+1 and ack y+1+len. When destination B receives this reply packet, its seq and ack values differ from those that B received earlier from monitor C in A's name, so B discards reply packet #1. At the same time, monitor C intercepts reply packet #1;
Step 609: After intercepting reply packet #1 sent by monitored host A to destination B, monitor C leaves seq unchanged at x+1 and changes ack to z+1+len, then sends the modified reply packet #1 to destination B.
In steps 606 to 609 above, after the connection with monitored host A is established, destination B sends a packet to monitored host A first. Monitored host A may equally send a packet to destination B first; the process is similar to steps 606 to 609: monitor C intercepts each packet, changes the seq or ack value and forwards it, so that communication is not interrupted.
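The seq/ack bookkeeping of steps 601 to 609 can be checked with a small in-memory model. This is an added example, not code from the patent: it sends no packets, the exact-match acceptance checks are a simplification (real TCP stacks accept a window), the flag strings and sample values are constructed, and it goes slightly beyond the text by applying the 32-bit wraparound of TCP sequence numbers.

```python
from dataclasses import dataclass, replace

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    flags: str       # "S", "SA", "A" or "PA" (labels assumed for this model)
    seq: int
    ack: int
    length: int = 0  # payload bytes, "len" in steps 608 and 609


class MonitorState:
    """Per-connection values monitor C records: x (from A), y (its own), z (from B)."""

    def __init__(self, y):
        self.y = y
        self.x = None
        self.z = None

    def answer_syn(self, syn):
        """Steps 601-602: record x and build the response returned to A."""
        self.x = syn.seq
        return Segment("SA", self.y, (self.x + 1) % MOD)

    def answer_synack(self, synack):
        """Steps 604-605: record z and build the acknowledgment sent to B in A's name."""
        self.z = synack.seq
        return Segment("A", (self.x + 1) % MOD, (self.z + 1) % MOD)

    def to_host(self, seg):
        """Step 607: move B's seq into the numbering A agreed with C; ack is untouched."""
        return replace(seg, seq=(seg.seq - self.z + self.y) % MOD)

    def to_destination(self, seg):
        """Step 609: move A's ack back into B's own numbering; seq is untouched."""
        return replace(seg, ack=(seg.ack - self.y + self.z) % MOD)


def host_accepts(seg, peer_isn):
    """Simplified A: data must start right after the initial seq it acknowledged."""
    return seg.seq == (peer_isn + 1) % MOD


def destination_accepts(seg, own_isn, sent_bytes):
    """Simplified B: the ack must cover exactly the bytes B has sent."""
    return seg.ack == (own_isn + 1 + sent_bytes) % MOD


def run_exchange(x, y, z, length):
    """Replay steps 601-609 with one data packet of `length` bytes."""
    c = MonitorState(y)
    synack_to_a = c.answer_syn(Segment("S", x, 0))                       # 601-602
    ack_to_b = c.answer_synack(Segment("SA", z, (x + 1) % MOD))          # 604-605
    data = Segment("PA", (z + 1) % MOD, (x + 1) % MOD, length)           # 606
    data_fwd = c.to_host(data)                                           # 607
    reply = Segment("A", (x + 1) % MOD, (data_fwd.seq + length) % MOD)   # 608
    reply_fwd = c.to_destination(reply)                                  # 609
    return {
        "synack_to_a": synack_to_a,
        "ack_to_b": ack_to_b,
        "data_fwd": data_fwd,
        "reply_fwd": reply_fwd,
        "a_takes_raw": host_accepts(data, y),
        "a_takes_fwd": host_accepts(data_fwd, y),
        "b_takes_raw": destination_accepts(reply, z, length),
        "b_takes_fwd": destination_accepts(reply_fwd, z, length),
    }


if __name__ == "__main__":
    # Constructed values; z sits just below 2**32 to exercise the wraparound.
    for name, value in run_exchange(x=1000, y=5000, z=4294967290, length=100).items():
        print(name, value)
```

Both rewrites apply the same offset y - z, once to seq toward the host and once, negated, to ack toward the destination, which is why the connection survives for as long as the monitor stays in the path.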
Embodiment 2
While keeping the communication uninterrupted, the number of hosts can be judged better from timestamps by obtaining timestamps repeatedly and using the continuity of the timestamps.
This embodiment differs little from embodiment 1. The only difference is that when the monitor changes the seq or ack value of a packet that destination B sends to monitored host A, it also adds a timestamp to the packet; the monitor can then obtain a timestamp from the intercepted reply packet that monitored host A returns to destination B. Since such packet transmission is continuous, timestamps can be obtained continuously.
The detailed signaling procedure is shown in Fig. 7:
Step 701: monitored host A sends the SYN bag to purpose side B, and the side of monitoring C intercepts and captures described SYN bag, and described SYN bag correctly arrives the recipient; The seq value of carrying in the described SYN bag is the seq value x of monitored host A, and ack is an initial value 0;
Step 702: After intercepting the SYN packet, monitoring party C feeds back a SYN, ACK packet carrying a timestamp to monitored host A. The seq carried in this SYN, ACK packet is y, the seq of monitoring party C; the ack is the seq+1 obtained from the SYN that monitored host A sent to destination B;
Step 703: After receiving this timestamped SYN, ACK packet, which C sent while posing as B, monitored host A replies to destination B with a timestamped ACK packet in order to complete the three-way handshake. The ack carried in this ACK packet follows from the seq in the SYN, ACK packet received from monitoring party C, so the ACK packet sent in reply carries seq x+1 and ack y+1. Monitoring party C intercepts this ACK packet and obtains the timestamp of the monitored host from it. After destination B receives the timestamped ACK packet, it discards it because the seq and ack values in the ACK packet do not match;
Step 704: Because destination B has also received the SYN packet sent by monitored host A in step 1, it feeds back a SYN, ACK packet to monitored host A; the seq in this packet is z, the seq value of destination B, and the ack is x+1. The monitoring party intercepts this SYN, ACK packet;
Step 705: Monitoring party C, posing as monitored host A, feeds back an ACK packet to destination B; in it, the seq of the ACK packet obtained in step 703 is changed to x+1 and the ack is changed to z+1;
Step 706: After destination B receives the ACK packet that monitoring party C sent while posing as monitored host A, it considers the connection with monitored host A established and therefore sends data packet #1 to monitored host A, with seq z+1 and ack x+1. When this packet reaches monitored host A, however, its seq z+1 and ack x+1 do not agree with the seq and ack that monitored host A received earlier, so monitored host A discards it. Meanwhile, monitoring party C intercepts this packet;
Step 707: After intercepting data packet #1 sent by destination B to monitored host A, monitoring party C changes seq to y+1; ack remains unchanged, i.e. x+1. After changing the ack value, monitoring party C adds a timestamp to the packet and sends the timestamped data packet #1 with the changed ack value to monitored host A;
Step 708: After receiving the data packet, monitored host A feeds back reply data packet #1 to destination B, with seq x+1 and ack y+1+len. When destination B receives this reply packet, however, its seq and ack values differ from those of the packet that monitoring party C sent earlier while posing as monitored host A, so reply data packet #1 is discarded. Meanwhile, monitoring party C intercepts reply data packet #1;
Step 709: After intercepting reply data packet #1 sent by monitored host A to destination B, monitoring party C obtains the timestamp; seq remains unchanged, i.e. x+1, and ack is changed to z+1+len. After changing the seq value, monitoring party C sends reply data packet #1 with the changed seq value to destination B.
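The sequence-number bookkeeping of steps 702 to 709, modelled offline as an added example (not code from the patent). The class and function names are hypothetical, the exact-match acceptance test is a simplification of real TCP window checks, and the values of x, y, z and len are constructed.

```python
from dataclasses import dataclass, replace

MOD = 2 ** 32  # TCP sequence and acknowledgment numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    seq: int
    ack: int
    length: int = 0          # payload bytes
    timestamp: bool = False  # True when a TCP timestamp option is present


@dataclass
class Endpoint:
    """Minimal TCP state: next byte to send and next byte expected."""
    snd_nxt: int
    rcv_nxt: int

    def accepts(self, seg: Segment) -> bool:
        # Simplified acceptance test (assumption): exact match, no window.
        return seg.seq == self.rcv_nxt and seg.ack == self.snd_nxt

    def receive(self, seg: Segment) -> bool:
        if not self.accepts(seg):
            return False  # discarded, as in steps 706 and 708
        self.rcv_nxt = (self.rcv_nxt + seg.length) % MOD
        return True


class Monitor:
    """Monitoring party C: maps B's sequence space (z) onto the one A saw (y)."""

    def __init__(self, y: int, z: int):
        self.delta = (y - z) % MOD

    def toward_host(self, seg: Segment) -> Segment:
        # Step 707: seq z+1 becomes y+1, ack untouched, timestamp added.
        return replace(seg, seq=(seg.seq + self.delta) % MOD, timestamp=True)

    def toward_destination(self, seg: Segment) -> Segment:
        # Step 709: seq untouched, ack y+1+len becomes z+1+len.
        return replace(seg, ack=(seg.ack - self.delta) % MOD)


def walk_through(x: int, y: int, z: int, length: int) -> dict:
    """Replay steps 706-709 for initial sequence numbers x (A), y (C), z (B)."""
    host_a = Endpoint(snd_nxt=(x + 1) % MOD, rcv_nxt=(y + 1) % MOD)  # after 702-703
    dest_b = Endpoint(snd_nxt=(z + 1) % MOD, rcv_nxt=(x + 1) % MOD)  # after 704-705
    c = Monitor(y, z)

    # Step 706: B sends data packet #1 with seq z+1, ack x+1.
    data1 = Segment(seq=dest_b.snd_nxt, ack=dest_b.rcv_nxt, length=length)
    dest_b.snd_nxt = (dest_b.snd_nxt + length) % MOD
    raw_b_to_a = host_a.accepts(data1)

    # Step 707: C rewrites and forwards it.
    fixed1 = c.toward_host(data1)
    fixed_b_to_a = host_a.receive(fixed1)

    # Step 708: A replies with seq x+1, ack y+1+len, echoing a timestamp.
    reply1 = Segment(seq=host_a.snd_nxt, ack=host_a.rcv_nxt,
                     timestamp=fixed1.timestamp)
    raw_a_to_b = dest_b.accepts(reply1)

    # Step 709: C rewrites the ack and forwards it.
    fixed_reply1 = c.toward_destination(reply1)
    fixed_a_to_b = dest_b.receive(fixed_reply1)

    return {
        "raw_b_to_a_accepted": raw_b_to_a,
        "fixed_b_to_a": fixed1,
        "fixed_b_to_a_accepted": fixed_b_to_a,
        "raw_a_to_b_accepted": raw_a_to_b,
        "fixed_a_to_b": fixed_reply1,
        "fixed_a_to_b_accepted": fixed_a_to_b,
    }
```

Choosing y close to 2^32 exercises the wraparound case: y+1 becomes 0, and the same offset still maps every later segment correctly.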
When the number of hosts is judged by the method of embodiment 2, monitoring party C can be preset, in order to improve its efficiency, to intercept only the handshake messages and data packets that monitored host A sends to a particular port of the destination, for example only packets destined for port 80 of the destination. Alternatively, the monitoring party intercepts only periodically the handshake messages and data packets sent to the same destination, for example by periodically intercepting only the flow toward one destination IP: practice shows that visiting a website usually opens many simultaneous connections to the same IP, and there is no need to obtain timestamps on every connection, so duplicate detection is avoided. Moreover, the detected user is very likely to visit the same IP repeatedly, so this also avoids duplicate detection, improves detection efficiency and lightens the load on the monitoring device.
Embodiment 3: Corresponding to embodiment 1, an embodiment of the invention also provides a device for detecting the number of hosts. Referring to Fig. 8, the device comprises an interception unit 801, a sending unit 802, an information modification unit 803 and a calculation unit 804;
Interception unit 801 comprises an information acquisition unit, which is used to intercept the handshake message that the monitored host sends to the destination and extract the first key value from it; to intercept the handshake feedback message that the destination feeds back to the monitored host and obtain the second key value; to intercept the timestamped handshake acknowledgment message that the monitored host sends to the destination; and to intercept the data packets transmitted between the destination and the monitored host;
Sending unit 802 is used to send the handshake feedback message to the monitored host; to send the intercepted and modified handshake acknowledgment message to the destination; to send data packets with modified key values to the destination; and to send data packets with modified key values to the monitored host;
Information modification unit 803 comprises a key value unit, which is used, when the handshake feedback message sent by the destination to the monitored host is intercepted, to modify the key value in that handshake feedback message into content that the destination can correctly receive, so that the handshake acknowledgment message can be sent to the destination; and which is used, when a data packet sent by the destination is intercepted, to change the content of the protocol portion of the data packet, by means of the second key value, into content that the monitored host can correctly receive, or, when a data packet sent by the monitored host is intercepted, to change the content of the protocol portion of the data packet, by means of the first key value, into content that the destination can correctly receive;
Calculation unit 804 is used, after the handshake message carrying the timestamp has been intercepted, to judge the number of hosts present from the timestamp.
Embodiment 4: Corresponding to embodiment 2, this device for detecting the number of hosts comprises an interception unit 901, a sending unit 902, an information modification unit 903 and a calculation unit 904;
Interception unit 901 comprises an information acquisition unit and a timestamp interception unit:
The information acquisition unit is used to intercept the handshake message that the monitored host sends to the destination and extract the first key value from it; to intercept the handshake feedback message that the destination feeds back to the monitored host and obtain the second key value; to intercept the timestamped handshake acknowledgment message that the monitored host sends to the destination; and to intercept the data packets transmitted between the destination and the monitored host;
The timestamp interception unit is used to obtain the timestamp from the intercepted data packets that the monitored host feeds back to the destination.
Sending unit 902 is used to send the handshake feedback message to the monitored host; to send the intercepted and modified handshake acknowledgment message to the destination; to send data packets with modified key values to the destination; and to send data packets with modified key values to the monitored host;
Information modification unit 903 comprises a key value unit and a timestamp unit:
The key value unit is used, when the handshake feedback message sent by the destination to the monitored host is intercepted, to modify the key value in that handshake feedback message into content that the destination can correctly receive, so that the handshake acknowledgment message can be sent to the destination; and is used, when a data packet sent by the destination is intercepted, to change the content of the protocol portion of the data packet, by means of the second key value, into content that the monitored host can correctly receive, or, when a data packet sent by the monitored host is intercepted, to change the content of the protocol portion of the data packet, by means of the first key value, into content that the destination can correctly receive;
The timestamp unit is used, when the content of the protocol portion of the data packet is changed so that the monitored host can correctly receive it, to further add a timestamp to the protocol portion of the data packet;
Calculation unit 904 is used, after the handshake message carrying the timestamp has been intercepted, to judge the number of hosts present from the timestamp.
The device for detecting the number of hosts described above can be a monitoring device.
Corresponding to embodiment 1, an embodiment of the invention also provides a system for detecting the number of hosts, the system comprising:
A monitored host, used to send a handshake message to the destination; to receive the handshake feedback message carrying a timestamp; to feed back a timestamped handshake message to the destination; and to send data packets to the destination;
A monitoring party, used to intercept the handshake message that the monitored host sends to the destination and extract the first key value from it; to send a timestamped handshake feedback message to the monitored host; to intercept the timestamped handshake acknowledgment message fed back by the monitored host; to intercept the handshake feedback message that the destination sends to the monitored host and extract the second key value from it, change the content of this handshake message into content that meets the needs of the destination, and send the handshake acknowledgment message with the changed content to the destination; to intercept the data packets that the destination sends to the monitored host, change the content of the protocol portion of each data packet, by means of the second key value, into content that the monitored host can correctly receive, and forward it; to intercept the data packets that the monitored host sends to the destination, change the content of the protocol portion of each data packet, by means of the first key value, into content that the destination can correctly receive, and forward it; and to judge the number of hosts present from the timestamps obtained;
A destination, used to feed back a handshake message to the monitored host, to receive the timestamped handshake message fed back by the monitored host, and to send data packets to the monitored host.
Corresponding to embodiment 2, in this system the monitoring party, when it intercepts a data packet that the destination sends to the monitored host and changes the content of the protocol portion of the data packet into content that the monitored host can correctly receive, adds a timestamp to the protocol option portion of the data packet;
The monitored host, on receiving a data packet carrying a timestamp, feeds back a data packet carrying a timestamp.
An embodiment of the invention also provides a communication method. Its process is roughly the same as that of embodiment 1, except that the monitoring party does not include a timestamp in the information it forwards to the monitored host; in other respects it acts as in embodiment 1 and likewise changes the content of data packets and handshake messages to meet the needs of continuous communication. The communication method is therefore only briefly described as follows:
The monitoring party intercepts the handshake message that the monitored host sends to the destination; sends a timestamped handshake feedback message to the monitored host; and intercepts the handshake acknowledgment message fed back by the monitored host and extracts the first key value from it;
The monitoring party intercepts the handshake feedback message that the destination sends to the monitored host and extracts the second key value from it; it changes this handshake feedback message into content that the destination can correctly receive and sends the handshake acknowledgment message to the destination;
When the monitoring party intercepts a data packet sent by the destination, it changes the content of the protocol portion of the data packet, by means of the second key value, into content that the monitored host can correctly receive, and forwards it; or, when it intercepts a data packet sent by the monitored host, it changes the content of the protocol portion of the data packet, by means of the first key value, into content that the destination can correctly receive, and forwards it.
This communication method can be applied to fields such as security control and monitoring during network transmission; it is not limited to use in the method of obtaining timestamps and determining the number of hosts.
In summary, according to the embodiments of the invention, the monitoring party intercepts the handshake message that the monitored host sends to the destination and, posing as the destination, sends the monitored host a handshake feedback message carrying a timestamp; it then intercepts the handshake feedback message that the destination sends to the monitored host, extracts the seq value from it and, posing as the monitored host, sends a handshake acknowledgment message to the destination, so that the destination and the monitored host establish a connection. Thereafter, while the monitored host and the destination exchange data, the monitoring party also intercepts the data they send to each other and modifies it into the form that the destination or the monitored host requires, so that data transmission continues without interruption;
Further, while the destination and the monitored host are transferring data, the monitoring party in the embodiments of the invention keeps adding a timestamp whenever it forwards a data packet to the monitored host, continually inducing the monitored host to feed back its timestamp; obtaining timestamps repeatedly in this way allows the number of hosts to be judged more accurately.
The above description of the embodiments is intended only to help in understanding the method of the invention and its core idea; a person of ordinary skill in the art may, following the idea of the invention, make changes to the specific embodiments and the scope of application. In summary, this description should not be construed as limiting the invention.
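One way the collected timestamps could be turned into a host count, given as an added example and not as the procedure of the patent. It assumes each host's TCP timestamp value (TSval) grows linearly at that host's own tick rate; the function names, tolerances and sample data are constructed for illustration.

```python
from collections import defaultdict

MOD = 2 ** 32  # TSval is a 32-bit counter and wraps


def circ_diff(a, b):
    """Smallest distance between two values on the 32-bit circle."""
    d = (a - b) % MOD
    return min(d, MOD - d)


def fit_clock(points):
    """Estimate (ticks per second, TSval at t=0) from one connection's samples."""
    (t0, ts0), (t1, ts1) = points[0], points[-1]
    hz = ((ts1 - ts0) % MOD) / (t1 - t0)
    return hz, (ts0 - hz * t0) % MOD


def same_clock(a, b, rate_tol=0.01, tick_tol=50):
    """Two fitted clocks belong to one host if rate and offset both agree."""
    return (abs(a[0] - b[0]) <= rate_tol * max(a[0], b[0])
            and circ_diff(a[1], b[1]) <= tick_tol)


def count_hosts(samples, tick_tol=50):
    """samples: (connection_id, capture_time_s, tsval) tuples from one source IP.
    Returns (number of distinct clocks, connections grouped per clock)."""
    by_conn = defaultdict(list)
    for conn, t, tsval in samples:
        by_conn[conn].append((t, tsval))

    clocks, members, singles = [], [], []
    for conn, points in sorted(by_conn.items()):
        points.sort()
        if len(points) < 2 or points[-1][0] == points[0][0]:
            singles.append((conn, points[0]))  # rate cannot be estimated
            continue
        clock = fit_clock(points)
        for i, known in enumerate(clocks):
            if same_clock(clock, known, tick_tol=tick_tol):
                members[i].append(conn)
                break
        else:
            clocks.append(clock)
            members.append([conn])

    # A lone timestamp can only be matched against a clock already fitted.
    for conn, (t, tsval) in singles:
        for i, (hz, base) in enumerate(clocks):
            if circ_diff(tsval, (base + hz * t) % MOD) <= tick_tol:
                members[i].append(conn)
                break
        else:
            members.append([conn])  # counted as its own host, rate unknown
    return len(members), members


def constructed_samples():
    """Constructed capture: three hosts behind one IP, five connections."""
    def tsval(base, hz, t):
        return (base + round(hz * t)) % MOD

    h1 = (5_000_000, 1000)      # host 1
    h2 = (MOD - 12_200, 1000)   # host 2, counter wraps during the capture
    h3 = (5_000_000, 250)       # host 3, same offset as host 1, slower tick
    plan = [("c1", h1, (10.0, 10.2, 11.0)), ("c2", h1, (30.0, 31.5)),
            ("c3", h2, (12.0, 12.4)), ("c4", h3, (20.0, 24.0)),
            ("c5", h2, (40.0,))]
    return [(c, t, tsval(b, hz, t)) for c, (b, hz), ts in plan for t in ts]
```

With several timestamps per connection the five constructed connections resolve to three clocks; with only the first timestamp of each connection no rate can be fitted and the same data yields five.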

Claims (9)

1. A method for detecting the number of hosts, characterized in that the method comprises:
Intercepting the handshake message that the monitored host sends to the destination; sending a timestamped handshake feedback message to the monitored host; intercepting the timestamped handshake acknowledgment message fed back by the monitored host, and extracting the first key value and the timestamp from it;
Intercepting the handshake feedback message that the destination sends to the monitored host, and extracting the second key value from it; changing this handshake feedback message into content that the destination can correctly receive, and sending the handshake acknowledgment message to the destination;
Intercepting a data packet sent by the destination, changing the content of the protocol portion of the data packet, by means of the second key value, into content that the monitored host can correctly receive, and forwarding it; or intercepting a data packet sent by the monitored host, changing the content of the protocol portion of the data packet, by means of the first key value, into content that the destination can correctly receive, and forwarding it;
The monitoring party counting the number of hosts from the timestamps obtained.
2. The method for detecting the number of hosts according to claim 1, characterized in that,
When a data packet sent by the destination is intercepted, the content of the protocol portion of the data packet is changed, by means of the second key value, into content that the monitored host can correctly receive, and the packet is forwarded, a timestamp is further added to the data packet;
The monitoring party obtains the timestamp from the intercepted data packet that the monitored host feeds back to the destination.
3. The method for detecting the number of hosts according to claim 1 or 2, characterized in that the monitoring party intercepts only the handshake messages and data packets destined for a particular port of the monitored host.
4. The method for detecting the number of hosts according to claim 1 or 2, characterized in that the monitoring party periodically intercepts the handshake messages and data packets sent to the same destination.
5. A device for detecting the number of hosts, characterized in that the device comprises:
An interception unit comprising an information acquisition unit, used to intercept the handshake message that the monitored host sends to the destination and extract the first key value from it; to intercept the handshake feedback message that the destination feeds back to the monitored host and obtain the second key value; to intercept the timestamped handshake acknowledgment message that the monitored host sends to the destination; and to intercept the data packets transmitted between the destination and the monitored host;
An information modification unit comprising a key value unit, used, when the handshake feedback message sent by the destination to the monitored host is intercepted, to modify the key value in that handshake feedback message into content that the destination can correctly receive; and used, when a data packet sent by the destination is intercepted, to change the content of the protocol portion of the data packet, by means of the second key value, into content that the monitored host can correctly receive, or, when a data packet sent by the monitored host is intercepted, to change the content of the protocol portion of the data packet, by means of the first key value, into content that the destination can correctly receive;
A sending unit, used to send the handshake feedback message to the monitored host and to send the intercepted and modified handshake acknowledgment message to the destination; and to send data packets with modified key values to the destination and data packets with modified key values to the monitored host;
A calculation unit, used to obtain the timestamp from the intercepted handshake message carrying the timestamp, and to judge the number of hosts present from the timestamp.
6. The device for detecting the number of hosts according to claim 5, characterized in that,
The information modification unit further comprises a timestamp unit, used, when the content of the protocol portion of the data packet is changed so that the monitored host can correctly receive it, to further add a timestamp to the protocol portion of the data packet;
The interception unit further comprises a timestamp interception unit, used to obtain the timestamp from the intercepted data packets that the monitored host feeds back to the destination.
7. A system for detecting the number of hosts, characterized in that the system comprises:
A monitored host, used to send a handshake message to the destination; to receive the handshake feedback message carrying a timestamp; to feed back a timestamped handshake message to the destination; and to send data packets to the destination;
A monitoring party, used to intercept the handshake message that the monitored host sends to the destination and extract the first key value from it; to send a timestamped handshake feedback message to the monitored host; to intercept the timestamped handshake acknowledgment message fed back by the monitored host; to intercept the handshake feedback message that the destination sends to the monitored host and extract the second key value from it, change the content of this handshake message into content that meets the needs of the destination, and send the handshake acknowledgment message with the changed content to the destination; to intercept the data packets that the destination sends to the monitored host, change the content of the protocol portion of each data packet, by means of the second key value, into content that the monitored host can correctly receive, and forward it; to intercept the data packets that the monitored host sends to the destination, change the content of the protocol portion of each data packet, by means of the first key value, into content that the destination can correctly receive, and forward it; and to judge the number of hosts present from the timestamps obtained;
A destination, used to feed back a handshake message to the monitored host, to receive the timestamped handshake message fed back by the monitored host, and to send data packets to the monitored host.
8. The system for detecting the number of hosts according to claim 7, characterized in that,
The monitoring party, when it intercepts a data packet that the destination sends to the monitored host and changes the content of the protocol portion of the data packet into content that the monitored host can correctly receive, adds a timestamp to the protocol option portion of the data packet;
The monitored host, on receiving a data packet carrying a timestamp, feeds back a data packet carrying a timestamp.
9. A communication method, characterized in that the method comprises:
Intercepting the handshake message that the monitored host sends to the destination; sending a timestamped handshake feedback message to the monitored host; intercepting the handshake acknowledgment message fed back by the monitored host, and extracting the first key value from it;
Intercepting the handshake feedback message that the destination sends to the monitored host, and extracting the second key value from it; changing this handshake feedback message into content that the destination can correctly receive, and sending the handshake acknowledgment message to the destination;
When a data packet sent by the destination is intercepted, changing the content of the protocol portion of the data packet, by means of the second key value, into content that the monitored host can correctly receive, and forwarding it; or, when a data packet sent by the monitored host is intercepted, changing the content of the protocol portion of the data packet, by means of the first key value, into content that the destination can correctly receive, and forwarding it.
CNB2007100962478A 2007-04-02 2007-04-02 Method, device, system and communication method for detecting the host number Expired - Fee Related CN100495993C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2007100962478A CN100495993C (en) 2007-04-02 2007-04-02 Method, device, system and communication method for detecting the host number

Publications (2)

Publication Number Publication Date
CN101035035A true CN101035035A (en) 2007-09-12
CN100495993C CN100495993C (en) 2009-06-03

Family

ID=38731354

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2007100962478A Expired - Fee Related CN100495993C (en) 2007-04-02 2007-04-02 Method, device, system and communication method for detecting the host number

Country Status (1)

Country Link
CN (1) CN100495993C (en)

Also Published As

Publication number Publication date
CN100495993C (en) 2009-06-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090603

Termination date: 20170402