CN101184002A - Point-to-point flux deepness monitoring method and equipment - Google Patents

Point-to-point flux deepness monitoring method and equipment Download PDF

Info

Publication number
CN101184002A
CN101184002A CNA2007101796140A CN200710179614A CN101184002A CN 101184002 A CN101184002 A CN 101184002A CN A2007101796140 A CNA2007101796140 A CN A2007101796140A CN 200710179614 A CN200710179614 A CN 200710179614A CN 101184002 A CN101184002 A CN 101184002A
Authority
CN
China
Prior art keywords
packet
judge
port
address
identification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2007101796140A
Other languages
Chinese (zh)
Inventor
袁敏
夏勇
马爽
杨显锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Academy of Broadcasting Science of SAPPRFT
Original Assignee
Academy of Broadcasting Science of SAPPRFT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Academy of Broadcasting Science of SAPPRFT filed Critical Academy of Broadcasting Science of SAPPRFT
Priority to CNA2007101796140A priority Critical patent/CN101184002A/en
Publication of CN101184002A publication Critical patent/CN101184002A/en
Pending legal-status Critical Current

Links

Abstract

The invention embodiment discloses a point to point flowrate intensive monitoring method, which comprises: a data packet is captured real-timely, and is put into a buffer; the date packet is extracted from the buffer, the data packet is judged whether be a BT packet through one of more than two pre-set identification modes of the bit stream (BT) date packet. If yes, then the result is issued, and the flow is finished. Otherwise the data packet is judged whether be a BT packet through other non-used identification modes of the BT data packet from more than two pre-set identification modes of the bit stream (BT) date packet, if the date packet is judged not to be the BT date packet via all the identification modes of the BT data packet, the flow is finished. The invention embodiment simultaneously discloses a point to point flowrate intensive monitoring equipment. The invention has an advantage of accurate identification for the BT date packet through the method and the equipment of the invention.

Description

A kind of point-to-point flux deepness monitoring method and equipment
Technical field
The present invention relates to the flow monitoring technology, particularly a kind of point-to-point (P2P, Point to Point) flux deepness monitoring method and equipment.
Background technology
(BT, BitTorrent) agreement is a kind of file distributing agreement based on the P2P technology to bit stream, by URL(uniform resource locator) (URL, Uniform Resource Locator) identification content and and network seamless combination.The BT agreement is based on HTML (Hypertext Markup Language) (HTTP, Hypertext Transfer Protocol) platform is realized, its characteristics are that file download person is in file in download, can also constantly upload data mutually, so that file source can support that download person downloads simultaneously in a large number under limited load increase situation.
A BT formula file distributing needs following entity usually: a general network server, as personal computer (PC, Personal Computer); A static meta-information file; A BT tracking server (Tracker); " original " download person promptly provides the user of seed; Network terminal viewer; Network terminal download person.
Suppose that ideally a file has a plurality of download persons, in the prior art, the step of setting up a BT server is as follows so:
Tracker (that has moved skips this step) brings into operation; The network server end that brings into operation program (that has moved skips this step); On the webserver, meta-information file (.torrent file) is associated with Mimetype type application/x-bittorrent (related skips this step); URL with the complete file that will issue and Tracker creates a .torrent file; The .torrent file is placed on the webserver; Issue .torrent file chaining on webpage; Original download person provides complete file (originally).The webserver in the said process is meant the server of issue seed information, promptly issue the webserver at the place, website of seed information, and Tracker is meant the server of actual preservation seed information and corresponding file, and the user is invisible.That is to say,, only know by web page browsing for the user, download from a certain website seed information and with this seed corresponding file, but in fact, be stored on the Tracker with this seed corresponding file.
The step that the user carries out the BT download by client is as follows:
BT client-side program (mounted skipping this step) is installed; Online; Click a link that is linked to the .torrent file; Select local store path, the selected downloaded files that needs; Wait for downloads and finish; The user withdraws from download.Before withdrawing from download, the user ceaselessly uploads data.
During client downloads, the connection state of whole network is as follows:
The website normally provides static file to connect; The user starts the BT program on the client.Tracker receives all download person's information immediately, and to equity side (peer) tabulation at random of each download person's portion, i.e. the information of download person's other client that can connect.Download person connects Tracher at set intervals one time, informing the progress of Tracher oneself, such as, downloaded how much information, also have how much information not download etc., and carry out the download of uploading of data with the peer that directly is connected.BitTorrent peer agreement is all followed in these connections, and (TCP, Transfer ControlProtocol) communicates by transmission control protocol.Wherein, original download person promptly provides the user of seed only to upload and does not download, and he has whole file, so need be to all parts of Network Transmission file.But in the very prosperous download of some popularities, original download person can withdraw from the short period of time and upload, and is continued to provide by other download person who has downloaded to whole file and uploads.
In the prior art, support that the P2P application program of BT agreement is a lot, such as, BitBuddy (BitBuddy), FlashBT (FlashBT), BitComet (BitComet) and Bit irit (BitSpirit) etc.
Based on above-mentioned introduction, in the prior art, the course of work of BT application program can reduce following steps:
1) the seed supplier to the seed distribution site, and releases news the torrent file loading on the tracker server.Under the default situations, the listening port of BT agreement is 6881-6889, also can be specified by the user; The listening port of tracker server mainly contains 8080,8000,6969 and 2710, and the connected mode that they are taked all is TCP.
2) download person place client is obtained the .torrent file, and the tracker server that provides in the .torrent file is initiated connection request successively, be connected and obtain Peer tabulation until setting up TCP, promptly obtain other client-side information that download person place client can connect with one of them.
3) the download person place client Peer initiation connection request grouping in the Peer tabulation randomly is because the Peer number is many in the Peer tabulation, so can send a large amount of TCP connection requests groupings at short notice.The source address of these connection requests grouping is identical, and source port number is adjacent, destination address/port numbers difference, and the destination slogan that quite a few is arranged is between 6881-6889.
4) set up successfully if connect, shake hands between the BT Peer, use characteristic character string in the handshake procedure " BitTorrent protocol ", 4 kinds of grouping intercommunications such as usability interest (interested), lose interest in (notinterested), inhibition (choke) and unimpeded (unchoke) are to the wish situation of resource, afterwards by request piecemeal (Request Piece) and Piece transmitted in packets resource then.
5) resource transmission finishes, and closes TCP and connects.
In the prior art, under many circumstances, need discern, promptly which packet in the network service process be discerned for the BT packet, and carried out subsequent treatment according to recognition result to the P2P flow, such as, analysis, evidence obtaining etc.RM commonly used in the prior art is port identification mode and single keyword recognition mode.Because generally, the port that the BT protocol transmission is used is 6881~6889, so whether the port by the identification current data packet is certain port between 6881~6889, can determine whether this packet is the BT packet.Perhaps, by whether carrying certain keyword in the resolution data bag,, determine whether current data packet is the BT packet such as " BitTorrent protocol ".
Though adopt above-mentioned dual mode can identify the BT packet to a certain extent, adopt the accuracy rate of above-mentioned dual mode identification BT packet all lower.Because, if the port that the user uses is not one in 6881~6889, but a port of user oneself definition; Whether perhaps, when the BT protocol version is upgraded, may no longer carry " BitTorrent protocol " this keyword in the BT data packet format, adopting aforesaid way just can not correctly identify current data packet so is the BT packet.
Summary of the invention
The embodiment of the invention provides a kind of point-to-point flux deepness monitoring method, can identify the BT packet exactly.
The embodiment of the invention provides a kind of point-to-point flux deepness monitoring equipment simultaneously, can identify the BT packet exactly.
The technical scheme of the embodiment of the invention is achieved in that
A kind of point-to-point flux deepness monitoring method, this method comprises:
Catch packet in real time, and put into buffer memory;
Extract packet from described buffer memory, a kind of by in the two or more bit stream BT identification of data packets modes that set in advance judges whether described packet is the BT packet, if, then issue judged result, and process ends;
Otherwise, by other untapped BT identification of data packets mode in the described two or more BT identification of data packets modes that set in advance, judge whether described packet is the BT packet, if judge all that by all BT identification of data packets modes described packet is not BT packet, then process ends.
A kind of point-to-point flux deepness monitoring equipment, this equipment comprises: packet capture unit, application protocol and content analysis unit and release unit as a result;
Described packet capture unit is used for catching in real time packet, and puts into buffer memory;
Described application protocol and content analysis unit, be used for extracting packet from described buffer memory, a kind of by in the two or more BT identification of data packets modes that set in advance judges whether described packet is the BT packet, if then described judged result is sent to described release unit as a result; If not, then by other untapped BT identification of data packets mode in the described two or more BT identification of data packets modes that set in advance, judge whether described packet is the BT packet, if judge all that by all BT identification of data packets modes described packet is not the BT packet, can determine that then described packet is not the BT packet;
Described release unit as a result is used for the judged result that is received from described application protocol and content analysis unit is issued.
As seen, adopt the technical scheme of the embodiment of the invention, catch packet in real time, and put into buffer memory; Extract packet from buffer memory, a kind of by in the two or more BT identification of data packets modes that set in advance judges whether this packet is the BT packet, if then issue judged result; Otherwise, judge by other untapped mode in the described two or more BT identification of data packets modes that set in advance whether this packet is the BT packet, if judge all that by all modes this packet is not BT packet, then process ends.Compared with prior art, judge in several ways in the described scheme of the embodiment of the invention whether current data packet is the BT packet, thereby improved the recognition accuracy of BT packet.
Description of drawings
Fig. 1 is the flow chart of the inventive method embodiment.
Fig. 2 is the composition structural representation of present device embodiment.
Embodiment
At problems of the prior art, a kind of P2P flux deepness monitoring scheme is proposed in the embodiment of the present invention, that is: catch packet in real time, and put into buffer memory; From buffer memory, extract packet, a kind of by in the two or more BT identification of data packets modes that set in advance, judge whether this packet is the BT packet, if, then issue judged result information, comprise source and destination IP address and port, capture time and the data packet length etc. of this packet; Otherwise, judge by other untapped mode in the two or more BT identification of data packets modes that set in advance whether this packet is the BT packet, if judge all that by all modes this packet is not the BT packet, think that then this packet is not the BT packet.
For making purpose of the present invention, technical scheme and advantage clearer, below with reference to the accompanying drawing embodiment that develops simultaneously, the present invention is described in further detail.
Fig. 1 is the flow chart of the inventive method embodiment.In actual applications, the described method of the embodiment of the invention can realize by the identification equipment that converges the net place that is arranged on a certain local area network (LAN).As shown in Figure 1, may further comprise the steps:
Step 101: carry out initialization.
This step specifically comprises: read configuration information, load discovery strategy and read record in the historical context chained list.Wherein, read configuration information and be meant and obtain the configuration information that sets in advance, such as, where and whether need port, the recognition result of monitoring to leave in needs information such as recognition result derivation.Load discovery strategy and promptly refer to obtain the BT identification of data packets mode that sets in advance, the BT identification of data packets mode of being mentioned here is generally two or more.The historical context chained list is the packet relevant information that sets in advance, be defined as the BT packet before being used to put down in writing, as source IP address and port, and purpose IP address and port etc.
Step 102: open three threads, promptly packet capture thread, application protocol and content analysis thread and result issue thread.
Wherein, the packet capture thread is used for catching packet in real time from network interface card, and puts into buffer memory; Application protocol and content analysis thread are used for carrying out protocal analysis and content analysis from buffer memory extract real-time packet; The result issues thread, is used for analysis result is issued by the Web technology, such as, be published on many employed clients of monitoring personnel, so that the monitoring personnel carry out subsequent treatment according to analysis result.
Step 103: the packet capture thread is caught packet in real time from network interface card, and puts into buffer memory, forms formation.
Step 104: application protocol and content analysis thread rapid extraction from buffer memory go out packet analysis, promptly carry out the decapsulation of IP protocol massages, as remove frame head etc., extract the source and destination IP address and the port that wherein carry, find TCP or User Datagram Protoco (UDP) (UDP, User Datagram Protocol) original position of message content extracts data message.
Wherein, identical in the mode of decapsulation and the prior art, repeat no more.
Step 105: the information that writes down in the source and destination IP address that extracts in the step 104 and port and the historical context chained list that sets in advance is compared, judge promptly whether the source and destination IP address and the port that extract have been recorded in the historical context chained list, if, judge that then current packet is the BT packet, and process ends; Otherwise, judge that current data packet is not the BT packet, and execution in step 106.
According to introduction before as can be known, the information that writes down in the historical context chained list is for being judged to be the packet relevant information of BT packet, so in this step, compare by the information that will extract in the current data packet and the packet relevant information of record, promptly whether the current packet of decidable is the BT packet.
Step 106: the data message that extracts in the analytical procedure 104, judge wherein whether to carry keyword " GET ", " " HTTP/1.1 simultaneously ", " .torrent "; If have, judge that then current packet is the BT datagram, and process ends; If no, execution in step 107 then.
In this step, if judge and carry keyword " GET ", " " HTTP/1.1 in the data message simultaneously " and " .torrent ", illustrate that then this packet is the meta-information file download package, wherein contain the file name of BT; so, then need further to parse this BT file name.Concrete analysis mode is known in this field.Such as, in the embodiment of the invention, can call a function handle_tornt_from_http who is used to resolve the BT file name under this situation who sets in advance and resolve.And, the BT file name that parses can be sent to the result and issue thread, issue thread by the result BT file name that receives is issued, concrete published method can only refer to store on the disk or be shown to the screen of monitoring personnel place client first-class.
In addition, in this step, after judging current data packet and being the BT packet, also need to judge in the source and destination IP address of current data packet and the historical context chained list that whether port Already in sets in advance, if do not have, then source and destination IP address and the port with current data packet adds in the historical context chained list, so that when capturing this packet once more afterwards, can judge whether this packet is the BT packet by the described mode of step 105.If when judging current data packet in the following steps and being the BT packet, also to carry out above-mentioned judgement and add flow process, will repeat no more during follow-up analogue.
Step 107: the data message that extracts in the analytical procedure 104, judge wherein whether carry keyword " notice (announce) "; If have, judge that then current packet is the BT datagram, and process ends; If no, execution in step 108 then.
In this step, carry keyword " announce " in the data message, illustrate that so then this packet is the message that client sends to Tracker, and wherein carry the file name of BT if judge.So, then need further to parse this BT file name.In the prior art, to the message that Tracker sends, can adopt the B coded system usually,, obtain the BT message name of wherein carrying so in this step, need resolve to B coded data message for client.
Wherein, the concrete rule of B coding is:
String table is shown decimal numeral set string length and puts in a colon and add former character string again, just is equivalent to ' spam ' as 4:spam.
The integer data are expressed as the front and add ' and i ' back adds ' and e ' centre is a decimal number, just is equivalent to 3 as i3e, and i-3e just is equivalent to-3; The integer data do not have length restriction; I-0e represents invalid, all with ' i0 ' beginning except representing 0 i0e, other is also all invalid.
List coding is with one ' l ' beginning, and the back adds one ' e ' at last with the project (encoding) that it comprised, and just is equivalent to [' spam ', ' eggs '] such as 14:spam4:eggse.
Dictionary encoding is with one ' d ' beginning, and the back adds one ' e ' at last with the tabulation of an alternate key (key) and respective value thereof; Be equivalent to { ' cow ': ' moo ', ' spam ': ' eggs ' } as: d3:cow3:moo4:spam4:eggse, d4:spamll:al:bee is equivalent to { ' spam ': [' a ', ' b '] }.
Keyword must be the character string of handling, this character string original character string encoding, and can not be the digital alphabet hybrid coding.Generally, meta-information file is exactly to adopt the dictionary with following keyword of B coding:
Notice (announce): the URL of tracker server, as http://tracker.cnxp.com:8080/announce;
Notify list (announce-list): optional, the url list of standby tracker server;
Date created (creation date): optional, the date created of .torrent file, the UNIX time (from the zero-time second number that the current time pass by that picks up counting) of using standard;
(comment) is described: optional, the explanation of the arbitrary format that .torrent documenting person adds;
Establishment instrument (created by): optional, the instrument of making .torrent file, for example BitComet/0.67;
Coding (encoding): optional, the coded system that the resource of issue is used, for example Chinese character code expansion international standard (GBK);
Information (info): the information of the file of issue has two kinds of forms, i.e. monofile form and multiple file format usually; The coded system (md5sum) (optional) that wherein, comprise file size (length) in the monofile form, might adopt, file name (name), branch block length (piece length), piecemeal number (pieces); Comprise file (files), name, piece length, pieces in the multiple file format, wherein comprise length, path (path), md5sum (optional) among the files, each file all has independent length, path, md5sum (optional).
The concrete implication of each included keyword is known in this field in monofile in the Info information or the multiple file format, repeats no more.Generally, all may carry the BT file name in the keywords such as files, path or name, so, in this step the BT message name of wherein carrying is resolved and obtained to B coded data message, just be meant keywords such as the files, the path that find in the data message, name, then according to coding rule taking out immediately following content thereafter.Based on above-mentioned introduction, those skilled in the art can relatively easily know how to realize resolving, repeat no more.Such as, can adopt a function handle_file_from_bcod who is used to resolve the BT file name under this situation who sets in advance to resolve in the present embodiment.Afterwards, the BT file name that parses can be sent to the result and issue thread, issue thread by the result BT file name that receives is issued.
Step 108: with source IP address and the port that extracts in the step 104, or the information that writes down in purpose IP address and port and the historical context chained list that sets in advance compares, promptly judge source IP address and the port that extracts, perhaps whether purpose IP address and port have been recorded in the historical context chained list, if, judge that then current packet is the BT packet, and process ends; Otherwise, judge that current data packet is not the BT packet, and execution in step 109.
In the judgment mode of this step, one side is arranged is fixed BT data packet transmission person as long as judge communicating pair, then current data packet is judged to be the BT packet.
Step 109: whether the port numbers of source that extracts in the analytical procedure 104 or purpose IP port is within 6881~6889 scope, if judge that then current packet is the BT datagram, and process ends; Otherwise, execution in step 110.
Step 110: whether carry keyword " BitTorrent protocol " in the data message that extracts in the analytical procedure 104, if, judge that then current packet is the BT datagram, and process ends; Otherwise, judge that current packet is not the BT packet, process ends.
Step 109 and 110 judgment mode are prior art, repeat no more.
As seen, adopt the technical scheme of the embodiment of the invention, for a certain packet, since can adopt the multiple key mode to judge whether it is the BT packet, so recognition result is more accurate, and, can obtain the file attribute information that wherein carries, as BT file name etc.
Need to prove that embodiment illustrated in fig. 1 only being used to illustrates, and is not limited to technical scheme of the present invention.Such as, in actual applications, be not must first execution in step 105, could carry out steps such as 106,107 or 108 then, not strict sequencing before these steps.In other words, for several BT identification of data packets modes that provide in the embodiment of the invention, can adopt any mode wherein to carry out the BT identification of data packets earlier, when adopting this mode to judge current data packet not to be the BT packet, adopt any in the residue mode to judge again.The execution sequence of these BT identification of data packets modes can be set in actual applications, according to actual needs.And, in the practical application, being not limited to adopt above several BT identification of data packets modes, for other known BT identification of data packets mode, also should be included within the protection range of the embodiment of the invention.
Based on said method, Fig. 2 is the composition structural representation of present device embodiment.As shown in Figure 2, this equipment comprises: packet capture unit 201, application protocol and content analysis unit 202 and release unit 203 as a result;
Packet capture unit 201 is used for catching in real time packet, and puts into buffer memory;
Application protocol and content analysis unit 202, be used for extracting packet from buffer memory, a kind of by in the two or more BT identification of data packets modes that set in advance judges whether this packet is the BT packet, if then judged result is sent to release unit 203 as a result; If not, then judge by other untapped mode in the two or more BT identification of data packets modes that set in advance whether this packet is the BT packet, if judge all that by all modes this packet is not the BT packet, then from buffer memory, extract next packet, and re-execute self function;
Release unit 203 as a result, are used for the judged result that is received from application protocol and content analysis unit 202 is issued.
Wherein, the described two or more BT identification of data packets modes that set in advance can be any two or more combination in the following mode:
Extract the source IP address and the port of packet, and purpose IP address and port; Whether source IP address that judgement extracts and port and purpose IP address and port have been recorded in the historical context chained list that sets in advance, if judge that then this packet is the BT packet;
Extract the data message in the packet, judge wherein whether carry keyword " GET ", " HTTP/1.1 " and " .torrent " simultaneously, if judge that then this packet is the BT packet;
Extract the data message in the packet, judge wherein whether carry keyword " announce ", if judge that then this packet is the BT packet;
Extract the source IP address and the port of packet, and purpose IP address and port; Whether source IP address that judgement extracts and port or purpose IP address and port have been recorded in the historical context chained list that sets in advance, if judge that then this packet is the BT packet;
Extract the source IP port and the purpose IP port of packet; Whether the port numbers of judging source IP port or purpose IP port is within 6881~6889 scope, if judge that then this packet is the BT packet;
Extract the data message in the packet, judge wherein whether carry keyword " BitTorrentprotocol ", if judge that then this packet is the BT packet.
Above-mentioned application protocol and content analysis unit 202 can be further used for, and resolve and obtain the BT file name of carrying in the BT packet, and the BT file name that gets access to is sent to as a result release unit 203 issue.
In a word, in the technical scheme of the embodiment of the invention,, improved recognition accuracy by adopting whether the multiple key recognition technology is the identification of BT packet; Can from the link layer to the application layer, carry out depth analysis, the situation when identification uses different transport layer protocols to carry out communication with a kind of application protocol automatically to agreement.And, for a packet, can utilize multiple key recognition technology extraction file attribute information wherein, the support of special technology and special equipment is provided for the supervision of subsequent implementation audio frequency and video.That is to say, adopt the technical scheme of the embodiment of the invention, in the subsequent process, can export storage, with analysis, the evidence obtaining work that is used for the later stage to recognition result; And, can set up or upgrade the monitoring rule as requested, support online upgrading; Provide agreement extensive interface flexibly, by interface model definition New Deal, with of the monitoring support of realization system to New Deal.
In sum, more than be preferred embodiment of the present invention only, be not to be used to limit protection scope of the present invention.Within the spirit and principles in the present invention all, any modification of being done, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (10)

1. a point-to-point flux deepness monitoring method is characterized in that, this method comprises:
Catch packet in real time, and put into buffer memory;
Extract packet from described buffer memory, a kind of by in the two or more bit stream BT identification of data packets modes that set in advance judges whether described packet is the BT packet, if, then issue judged result, and process ends;
Otherwise, by other untapped BT identification of data packets mode in the described two or more BT identification of data packets modes that set in advance, judge whether described packet is the BT packet, if judge all that by all BT identification of data packets modes described packet is not BT packet, then process ends.
2. method according to claim 1 is characterized in that, described a kind of by in the two or more BT identification of data packets modes that set in advance judges that whether described packet for the BT packet is:
Extract the source IP address and the port of described packet, and purpose IP address and port;
Judge whether described source IP address and port and described purpose IP address and port have been recorded in the historical context chained list that sets in advance, if judge that then described packet is the BT packet.
3. method according to claim 1 is characterized in that, described a kind of by in the two or more BT identification of data packets modes that set in advance judges that whether described packet for the BT packet is:
Extract the data message in the described packet, judge wherein whether carry keyword " GET ", " HTTP/1.1 " and " .torrent " simultaneously, if judge that then described packet is the BT packet.
4. method according to claim 1 is characterized in that, described a kind of by in the two or more BT identification of data packets modes that set in advance judges that whether described packet for the BT packet is:
Extract the data message in the described packet, judge wherein whether carry keyword " announce ", if judge that then described packet is the BT packet.
5. method according to claim 1 is characterized in that, described a kind of by in the two or more BT identification of data packets modes that set in advance judges that whether described packet for the BT packet is:
Extract the source IP address and the port of described packet, and purpose IP address and port;
Judge whether described source IP address and port or described purpose IP address and port have been recorded in the historical context chained list that sets in advance, if judge that then described packet is the BT packet.
6. method according to claim 1 is characterized in that, described a kind of by in the two or more BT identification of data packets modes that set in advance judges that whether described packet for the BT packet is:
Extract the source IP port and the purpose IP port of described packet; Whether the port numbers of judging described source IP port or purpose IP port is within 6881~6889 scope, if judge that then described packet is the BT packet;
Perhaps, extract the data message in the described packet, judge wherein whether carry keyword " BitTorrent protocol ", if judge that then described packet is the BT packet.
7. according to claim 3 or 4 described methods, it is characterized in that the described packet of described judgement is after the BT packet, further comprises:
Parsing is also obtained the BT file name of carrying in the described BT packet, and the described BT file name that gets access to is issued.
8. point-to-point flux deepness monitoring equipment is characterized in that this equipment comprises: packet capture unit, application protocol and content analysis unit and release unit as a result;
Described packet capture unit is used for catching in real time packet, and puts into buffer memory;
Described application protocol and content analysis unit, be used for extracting packet from described buffer memory, a kind of by in the two or more BT identification of data packets modes that set in advance judges whether described packet is the BT packet, if then described judged result is sent to described release unit as a result; If not, then by other untapped BT identification of data packets mode in the described two or more BT identification of data packets modes that set in advance, judge whether described packet is the BT packet, if judge all that by all BT identification of data packets modes described packet is not the BT packet, can determine that then described packet is not the BT packet;
Described release unit as a result is used for the judged result that is received from described application protocol and content analysis unit is issued.
9. equipment according to claim 8 is characterized in that, the described two or more BT identification of data packets modes that set in advance are any two or more combination in following each mode:
Extract the source IP address and the port of described packet, and purpose IP address and port; Judge whether described source IP address and port and described purpose IP address and port have been recorded in the historical context chained list that sets in advance, if judge that then described packet is the BT packet;
Extract the datagram zhang in the described packet, judge wherein whether carry keyword " GET ", " HTTP/1.1 " and " .torrent " simultaneously, if judge that then described packet is the BT packet;
Extract the data message in the described packet, judge wherein whether carry keyword " announce ", if judge that then described packet is the BT packet;
Extract the source IP address and the port of described packet, and purpose IP address and port; Judge whether described source IP address and port or described purpose IP address and port have been recorded in the historical context chained list that sets in advance, if judge that then described packet is the BT packet;
Extract the source IP port and the purpose IP port of described packet; Whether the port numbers of judging described source IP port or purpose IP port is within 6881~6889 scope, if judge that then described packet is the BT packet;
Extract the data message in the described packet, judge wherein whether carry keyword " BitTorrentprotocol ", if judge that then described packet is the BT packet.
10. equipment according to claim 9, it is characterized in that, described application protocol and content analysis unit are further used for, and resolve and obtain the BT file name of carrying in the BT packet, and the described BT file name that gets access to is sent to described release unit as a result issue.
CNA2007101796140A 2007-12-14 2007-12-14 Point-to-point flux deepness monitoring method and equipment Pending CN101184002A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007101796140A CN101184002A (en) 2007-12-14 2007-12-14 Point-to-point flux deepness monitoring method and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2007101796140A CN101184002A (en) 2007-12-14 2007-12-14 Point-to-point flux deepness monitoring method and equipment

Publications (1)

Publication Number Publication Date
CN101184002A true CN101184002A (en) 2008-05-21

Family

ID=39449096

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007101796140A Pending CN101184002A (en) 2007-12-14 2007-12-14 Point-to-point flux deepness monitoring method and equipment

Country Status (1)

Country Link
CN (1) CN101184002A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101572663B (en) * 2009-06-03 2011-04-13 湖北工业大学 Depth message scanning method using trust sampling in peer-to-peer network
CN101645803B (en) * 2008-08-05 2011-11-23 中兴通讯股份有限公司 P2P service identification method and Internet service identification system
CN102318310A (en) * 2009-02-10 2012-01-11 阿尔卡特朗讯公司 A method and device for reconstructing torrent content metadata
CN101883001B (en) * 2009-05-08 2012-06-06 北京启明星辰信息技术股份有限公司 Method and system for traffic identification and management of P2P application in small network
CN103166987A (en) * 2011-12-12 2013-06-19 中国科学院深圳先进技术研究院 Data synchronization method and system in virtual surgery
CN104579851A (en) * 2015-01-28 2015-04-29 中国人民解放军国防科学技术大学 Evidence obtaining system for large-scale mobile internet core network

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101645803B (en) * 2008-08-05 2011-11-23 中兴通讯股份有限公司 P2P service identification method and Internet service identification system
CN102318310A (en) * 2009-02-10 2012-01-11 阿尔卡特朗讯公司 A method and device for reconstructing torrent content metadata
CN102318310B (en) * 2009-02-10 2014-11-05 阿尔卡特朗讯公司 A method and device for reconstructing torrent content metadata
CN101883001B (en) * 2009-05-08 2012-06-06 北京启明星辰信息技术股份有限公司 Method and system for traffic identification and management of P2P application in small network
CN101572663B (en) * 2009-06-03 2011-04-13 湖北工业大学 Depth message scanning method using trust sampling in peer-to-peer network
CN103166987A (en) * 2011-12-12 2013-06-19 中国科学院深圳先进技术研究院 Data synchronization method and system in virtual surgery
CN103166987B (en) * 2011-12-12 2016-06-15 中国科学院深圳先进技术研究院 Method of data synchronization in virtual operation and system
CN104579851A (en) * 2015-01-28 2015-04-29 中国人民解放军国防科学技术大学 Evidence obtaining system for large-scale mobile internet core network
CN104579851B (en) * 2015-01-28 2016-03-09 中国人民解放军国防科学技术大学 A kind of evidence-obtaining system for the interconnected core network of Large-scale Mobile

Similar Documents

Publication Publication Date Title
CN104301436B (en) Content to be displayed push, subscription, update method and its corresponding device
CN102111685B (en) Acceleration method, equipment and system for network video loading
EP2773080A1 (en) Sharing control system and method for network resources download information
US7987243B2 (en) Method for media discovery
CN105321108A (en) System and method for creating a list of shared information on a peer-to-peer network
CN102355426A (en) Method for transmitting off-line file and system
CN101184002A (en) Point-to-point flux deepness monitoring method and equipment
US10691748B2 (en) Methods and apparatus to process call packets collected in a communications network
CN102882703A (en) Hyper text transfer protocol (HTTP)-analysis-based uniform resource locator (URL) automatically classifying and grading system and method
CN106878074B (en) Flow filtering method and device
CN103401850A (en) Message filtering method and device
US9055113B2 (en) Method and system for monitoring flows in network traffic
CN108769830B (en) Method for caching video and related equipment
CN109688483A (en) A kind of method, apparatus and electronic equipment obtaining video
KR101912778B1 (en) Method and device for extracting data from a data stream travelling around an ip network
US20170220218A1 (en) Automatic Generation of Regular Expression Based on Log Line Data
US9483575B2 (en) Reproducing a graphical user interface display
JP2007200271A (en) Retrieval method and system for retrieving multimedia content in content network
WO2020198384A1 (en) Methods and apparatus for census and panel matching using http headers
CN107911481A (en) Data transfer mode between a kind of application system
CN104202618B (en) Obtain method, agent client, proxy server and the system of playing resource
CN1972285A (en) Interception assembly and method for generating united resource positioning symbol
WO2017016248A1 (en) Data output method and apparatus
CN108183831A (en) Information processing method and device in a kind of P2P transmission
CN104737121B (en) Video playing is multiplexed and is demultiplexed in a browser

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20080521