CN102347933A - Network traffic capturing, recovering and replaying method - Google Patents

Info

Publication number
CN102347933A
Authority
CN
China
Prior art keywords
network
package
payload
record
incomplete
Legal status
Granted
Application number
CN2010102412313A
Other languages
Chinese (zh)
Other versions
CN102347933B (en)
Inventor
林盈达
郑宗寰
赖源正
陈一玮
Current Assignee
National Yang Ming Chiao Tung University NYCU
Original Assignee
National Chiao Tung University NCTU
Application filed by National Chiao Tung University NCTU
Priority to CN201010241231.3A
Publication of CN102347933A
Application granted
Publication of CN102347933B
Legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network traffic capturing, recovering and replaying method for processing a plurality of network packets belonging to a plurality of network connections. The method may comprise a capturing process, a recovering process or a selective replaying process. The capturing process comprises the following steps: receiving capture parameters (N, M, P); capturing the complete header and payload of each network packet while accumulating a total payload value for each network connection; when one of the total payload values exceeds N, capturing, for P consecutive network packets of the corresponding connection, the header of each packet and the first M bytes of its payload; and, once a total payload value has exceeded N and the P consecutive packets of the corresponding connection have been captured, capturing only the header of each further packet of that connection.

Description

Network traffic capturing, recovering and replaying method
Technical field
The present invention relates to a method for capturing, recovering and replaying network traffic, and in particular to a method comprising a capturing procedure, a recovering procedure or a selective replaying procedure.
Background technology
Regarding traffic capture, existing approaches combine dedicated proprietary hardware with various software suites in order to build capture systems that reduce capture loss as far as possible. This line of work mostly concerns the number of processors, the operating system, buffer sizes and similar issues. Besides improving the performance of the hardware and software, there are also techniques such as Time Machine, which save storage space by analysing the behaviour of the network traffic. Time Machine applies a cutoff of 10000~20000 bytes to each network connection. Because it observes that most traffic volume comes from a small number of connections, it can, on the whole, completely record most low-volume connections, and its cutoff value is adjusted dynamically according to an analysis of the traffic.
However, none of these techniques derives its capture strategy or its capture design from the test purpose of triggering or reproducing network events, so current capture techniques and methods are poorly suited to testing. The prior art also wastes a large amount of storage space on worthless network traffic, and therefore cannot completely capture large volumes of fast network traffic. Worse, because it cannot cope with large volumes of fast traffic, capture loss occurs.
As for replaying network traffic, TCPreplay, for example, replays according to timestamps, while Tomahawk waits for one packet to arrive before replaying the next. Neither of these techniques maintains the state of the network protocol while replaying, which leads to the problem of stateless replay.
Several techniques that maintain protocol state (known as stateful replay) have therefore been developed. TCPopera, for example, uses four heuristics to replay traffic according to the data-transmission rules of TCP/IP (Transmission Control Protocol/Internet Protocol). Monkey sets up its own sockets to emulate the TCP/IP protocol and network conditions. Avalanche accepts a trace-file sample, analyses it and then simulates a large volume of traffic from many simultaneous users. Some techniques maintain not only network-layer and transport-layer state but application-layer state as well.
As with capture, however, none of these replay techniques is designed and implemented from the test purpose of triggering or reproducing network events, so they are poorly suited to testing. Existing replay techniques and tools cannot accurately replay protocol-conformant connections from incomplete packets, cannot reproduce events efficiently, and make it difficult to learn the cause of a network event.
Summary of the invention
From the above analysis it can be seen that conventional methods of processing network packets, whether for capturing or for replaying traffic, waste large amounts of storage space and replay time, cannot replay protocol-conformant connections from incomplete packets, and cannot precisely reproduce network events.
To solve these problems, the present invention provides a method for capturing, recovering and replaying network traffic, which processes a plurality of packets of a plurality of network connections.
The method provided by the invention comprises a capturing procedure that captures, for each network connection, the packets of that connection. The capturing procedure comprises: receiving capture parameters (N, M, P), where N, M and P are integers greater than or equal to zero; capturing the complete header and payload of each packet of these connections while accumulating a total payload value for each connection; when one of the total payload values exceeds N, capturing, for the next P consecutive packets of the corresponding connection, the header of each packet together with the first M bytes of its payload; and, after one of the total payload values has exceeded N and P consecutive packets of the corresponding connection have been captured, capturing only the header of each further packet of that connection.
According to one embodiment, the method may further comprise a recovering procedure, which may comprise the following steps: checking packet by packet whether the header and payload of each packet are complete; when at least one incomplete packet is found, determining whether it has a complete header; and, when the incomplete packet has a complete header, obtaining the payload length of the incomplete packet from its header and writing a dummy value of that length as its payload.
The recovering procedure may further comprise the following steps when the incomplete packet has an incomplete header: repairing the header of the incomplete packet from the other packets of the connection to which it belongs; obtaining the payload length of the incomplete packet from the repaired header; and writing a dummy value of that length as its payload.
The recovering procedure may also comprise: finding, from the sequence number and acknowledgement number in the headers of a connection's packets, at least one lost packet that was dropped through capture loss; repairing the header of the lost packet from the other packets of the same connection; obtaining the payload length of the lost packet from its header; and writing a dummy value of that length as its payload.
The dummy value may be a random number.
According to one embodiment, the method may further comprise a selective replaying procedure, which may comprise the following steps: receiving an event time and network connection information, where the connection information comprises at least one network connection address; and replaying the packets of at least one connection corresponding to that address.
The selective replaying procedure may further comprise: identifying a specific connection among the network connections from the connection address, connection protocol and connection port of the connection information; and replaying the packets of that specific connection.
The selective replaying procedure may also comprise replaying the packets of at least one connection that was in transmission at the event time.
The selective replaying procedure may additionally comprise replaying the packets of at least one connection whose transmission ended before the event time.
The network connection address may be an Internet Protocol (IP) address, and the network connections may conform to the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP).
In summary, the method for capturing, recovering and replaying network traffic provided by the present invention solves the problems of wasted storage space and imprecise reproduction of network events. The capturing procedure targets the more valuable part of the traffic and saves the great majority of storage space. The recovering procedure repairs the packets that the capturing procedure omitted or lost, yielding complete packets that conform to the network protocol. The selective replaying procedure identifies the connections most relevant to a network event, so that the event can be reproduced precisely and quickly.
Description of drawings
Fig. 1 is a flow chart of the method for capturing, recovering and replaying network traffic according to an embodiment of the present invention;
Fig. 2 is a flow chart of the capturing procedure according to an embodiment of the present invention;
Fig. 3A is a diagram of a capture-parameter experiment according to an embodiment of the present invention;
Fig. 3B is a diagram of a capture-parameter experiment according to an embodiment of the present invention;
Fig. 3C is a diagram of a capture-parameter experiment according to an embodiment of the present invention;
Fig. 3D is a diagram of a capture-parameter experiment according to an embodiment of the present invention;
Fig. 4 is a block diagram of the capture device according to an embodiment of the present invention;
Fig. 5 is a flow chart of the recovering procedure according to an embodiment of the present invention;
Fig. 6 is another flow chart of the recovering procedure according to an embodiment of the present invention;
Fig. 7 is a flow chart of the selective replaying procedure according to an embodiment of the present invention;
Fig. 8 is another flow chart of the selective replaying procedure according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of selective replay according to an embodiment of the present invention; and
Fig. 10 is a block diagram of the selective replay device according to an embodiment of the present invention.
Reference numerals:
20 network events vs. N value curve
21 successfully reproduced network events vs. N value curve
22 storage space consumed vs. N value curve
23 network events vs. M value curve
24 successfully reproduced network events vs. P value curve
25 storage space consumed vs. P value curve
30 capture device
32 connection tracking module
34 packet capture database
36 network interface card
40 selective replay device
41 selective replay interface
42 preprocessor
422 packet capture database
43 connection tracking module
44 capture-loss repair engine
45 replay engine
452 replay record
46 socket application programming interface
47 routing module
48 authentication module
49a, 49b network interface cards
50 device under test
60, 60a, 60b, 60c, 60d network connections
62 event time
Embodiment
The detailed features and advantages of the present invention are described in detail in the following embodiments. The content is sufficient to enable anyone skilled in the art to understand and implement the technical content of the present invention, and anyone skilled in the art can readily understand the related objects and advantages of the present invention from the disclosure of this specification, the claims and the accompanying drawings.
The present invention provides a method for capturing, recovering and replaying network traffic, which processes a plurality of packets of a plurality of network connections. A network connection may be a connection conforming to the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), and a packet refers to a packet of the Internet Protocol layer (IP layer).
The method comprises a capturing procedure that captures, for each connection, the packets of that connection. For each connection, the capturing procedure captures only the more valuable part of the packets, and so saves a large amount of storage space.
The method may further comprise a recovering procedure or a selective replaying procedure. The recovering procedure repairs, for each connection, the packets of that connection, while the selective replaying procedure selectively replays part of the captured packets in order to reproduce a network event. A network event is, for example, an attack event, a virus event, a peer-to-peer (P2P) application or a connection-interruption event.
Refer to Fig. 1, a flow chart of the method for capturing, recovering and replaying network traffic according to an embodiment of the present invention. As shown in Fig. 1, the method may execute the capturing procedure (step S300), the recovering procedure (step S400) and the selective replaying procedure (step S500) in sequence. However, the capturing, recovering and selective replaying procedures provided by the invention can each be executed individually, or be combined in any order. For example, the selective replaying procedure can directly replay completely captured traffic, or the recovering procedure can run at the same time as the capturing procedure in order to obtain more complete traffic information.
The steps of the capturing procedure are described next with reference to Fig. 2, a flow chart of the capturing procedure according to an embodiment of the present invention.
First, capture parameters (N, M, P) are received, where N, M and P are integers greater than or equal to zero (step S310). The capturing procedure can use the same capture parameters for the packets of all connections, or configure different capture parameters for each connection. The capturing procedure first captures the complete header and payload of each packet of these connections and accumulates a total payload value for each connection (step S320). In other words, in step S320 both the header and the payload of a packet are captured in full. The total payload value is the total size of the payloads of the packets captured so far, and its unit can be the byte.
While capturing packets, the capturing procedure continually checks whether a total payload value exceeds the parameter N (step S330). As long as no total payload value (that is, the total payload value of any connection) exceeds N, the full content of the packets continues to be captured. When one of the total payload values exceeds N, then for the next P consecutive packets of the connection whose total exceeded N, the header of each packet and the first M bytes of its payload are captured (step S340). In other words, once the cumulative payload size of a connection's captured packets is found to exceed N, only the header and the first M payload bytes of the next P packets of that connection are captured.
After a total payload value has exceeded N and P consecutive packets of the corresponding connection have been captured, only the header of each further packet of that connection is captured (step S350). In other words, after step S340 has captured P incomplete packets, only the headers of all subsequent packets of that connection are captured, and their payloads are not captured.
Because the capturing procedure omits, according to the capture parameters, the payloads of the later packets of a connection, the storage space needed to capture network traffic can be greatly reduced. Since the procedure still captures the headers of all packets and the payload content from the early part of each connection, the captured traffic remains valuable and is sufficient for subsequent analysis or replay.
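The three capture phases of steps S320 to S350, applied to a constructed packet stream as an added example (this is not code from the patent; the Capturer and ConnState names and the (flow, header, payload) packet representation are assumptions made here):

```python
"""Added example (not the patent's own code): the capturing procedure of
steps S310-S350 run over a constructed packet stream.

A packet is (flow, header, payload) with byte-string header and payload;
'flow' is any hashable connection key (e.g. a 5-tuple). Names and the
packet representation are assumptions made for this example."""
from dataclasses import dataclass, field


@dataclass
class ConnState:
    total_payload: int = 0   # accumulated payload bytes of the connection (S320)
    truncated: int = 0       # packets already captured in the (M, P) phase (S340)


@dataclass
class Capturer:
    n: int   # payload bytes captured in full per connection
    m: int   # payload prefix kept for each of the next P packets
    p: int   # number of packets captured with an M-byte prefix
    conns: dict = field(default_factory=dict)

    def capture(self, flow, header: bytes, payload: bytes) -> tuple[bytes, bytes]:
        """Return what is stored for one packet: (header, payload part)."""
        st = self.conns.setdefault(flow, ConnState())
        if st.total_payload <= self.n:
            # Phase 1 (S320/S330): capture in full until the total exceeds N.
            st.total_payload += len(payload)
            return header, payload
        if st.truncated < self.p:
            # Phase 2 (S340): the next P packets keep header + first M bytes.
            st.truncated += 1
            return header, payload[:self.m]
        # Phase 3 (S350): every further packet keeps its header only.
        return header, b""


def run_capture(params, packets):
    """Capture a whole stream; return the stored records and the fraction
    of bytes saved compared with capturing every packet in full."""
    cap = Capturer(*params)
    stored, full_bytes, kept_bytes = [], 0, 0
    for flow, header, payload in packets:
        hdr, part = cap.capture(flow, header, payload)
        stored.append((flow, hdr, part))
        full_bytes += len(header) + len(payload)
        kept_bytes += len(hdr) + len(part)
    saved = 1 - kept_bytes / full_bytes if full_bytes else 0.0
    return stored, saved


# Constructed stream: connection "big" sends six 10-byte payloads,
# connection "small" sends two 5-byte payloads; every header is 20 bytes.
HDR = b"H" * 20
STREAM = [("big", HDR, bytes([i]) * 10) for i in range(1, 7)]
STREAM += [("small", HDR, b"s" * 5), ("small", HDR, b"t" * 5)]


def stored_payload_lengths(params=(20, 4, 2), packets=STREAM):
    """Per-connection list of stored payload sizes, for inspection."""
    stored, _ = run_capture(params, packets)
    out = {}
    for flow, _hdr, part in stored:
        out.setdefault(flow, []).append(len(part))
    return out
```

With (N, M, P) = (20, 4, 2) the "big" connection is stored as three full payloads, two 4-byte prefixes and then headers only, while the "small" connection never exceeds N and stays complete.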
The capture parameters (N, M, P) can be obtained experimentally, and different kinds of network events may suit different values. More specifically, for each kind of network event the values of N, M and P can be tested and adjusted one by one to obtain capture parameters that both save space and precisely reproduce the event.
Taking the capture parameters for attack events as an example, refer to Figs. 3A and 3B, which are diagrams of capture-parameter experiments according to an embodiment of the present invention. They show a network events vs. N value curve 20, a successfully reproduced network events vs. N value curve 21 and a storage space consumed vs. N value curve 22.
Suppose that a total of 1929 attacks were found in all the captured traffic, 333 of which have payloads longer than 2000 bytes. First, experiments are run with capture parameters (N, 0, 0); that is, the first N bytes of the payload of each connection in the captured traffic are replayed to test whether these 333 attacks can be reproduced. The results are shown in Fig. 3A. When N is 2000, 317 attacks can be reproduced, and the remaining 16 attacks require a very large N value. Another experiment measured the storage space that must be consumed to trigger these 16 attacks, with the results shown in Fig. 3B. To trigger all the attacks, a very large N value, and hence considerable storage space, is required.
Next, for the four attacks that cannot be reproduced with capture parameters (50000, 0, 0), experiments are run with capture parameters (0, M, ∞); that is, only the first M bytes of each packet are replayed. The results are shown in the following table.
[Table: attacks reproduced with capture parameters (0, M, ∞) for increasing M; the table image is not reproduced here.]
From the table it can be seen that when M is 200, three of these attacks can be reproduced. In addition, the 16 attacks that could not be reproduced with capture parameters (2000, 0, 0) were tested again with capture parameters (2000, M, ∞), with the results shown in Fig. 3C. The network events vs. M value curve 23 in Fig. 3C shows that when M is 200 bytes, 11 of these attacks can be reproduced.
P is then adjusted experimentally, starting from capture parameters (2000, 200, ∞), to find the relationship between the storage space consumed and the number of reproduced network events. The results are shown in Fig. 3D, which shows a successfully reproduced network events vs. P value curve 24 and a storage space consumed vs. P value curve 25. When P is 1300, all 11 attacks can be reproduced, and 87% of storage space is saved compared with the existing approach of capturing all packets. When P is 200, 8 attacks can be reproduced and 90% of storage space is saved.
In summary, for attack events, capture parameters (2000, 200, 1300) can trigger 98.5% of network events while saving 87% of storage space compared with the prior art of capturing all packets. Experimenting in a similar way shows that, for virus events, capture parameters (6000, 0, 0) can trigger 93% of network events and save 70% of storage space compared with the prior art. For peer-to-peer applications, on the other hand, capture should focus mainly on UDP packets that carry a payload.
Refer to Fig. 4, a block diagram of the capture device according to an embodiment of the present invention. The capturing procedure can be implemented in a capture device 30, which may comprise a connection tracking module 32, a packet capture (PCAP) database 34 and a network interface card (NIC) 36.
The capture device 30 can be connected to an external network and an internal network in order to capture and record the packets of the connections flowing between them. The connection tracking module 32 obtains these packets through the NIC 36, records them as PCAP files according to the steps of the capturing procedure described above, and stores the PCAP files in the PCAP database 34. Although this specification uses PCAP files and a PCAP database 34 as an example, other databases and corresponding file formats can also be used to record network traffic.
The method for capturing, recovering and replaying network traffic can further comprise a recovering procedure. Refer to Fig. 5, a flow chart of the recovering procedure according to an embodiment of the present invention.
To save storage space, the capturing procedure may deliberately discard part of the data of some packets. Therefore, before the traffic is reproduced, the recovering procedure first checks each captured packet for completeness. Complete packets can be handed directly to the selective replaying procedure; incomplete packets are first processed by the recovering procedure and then supplied to it.
The recovering procedure first uses information such as the total length field of the header to determine whether the header and payload of the current packet are complete (step S410). If the packet is complete, no processing is needed. If the packet is incomplete, the procedure further uses information such as the header length (HLEN) field to determine whether the incomplete packet has a complete header (step S415).
When the incomplete packet has a complete header, its payload length is obtained from the header (step S425). The recovering procedure then writes a dummy value of that length as the packet's payload (step S430). More specifically, the payload length is obtained by subtracting the header length from the total length recorded in the header of the incomplete packet. The dummy value used as the payload can be a random number.
When the incomplete packet has an incomplete header, its header must first be repaired from the other packets of the connection to which the incomplete packet belongs (step S420). The header contents of packets belonging to the same connection are mostly identical; for example, they may share the same source IP address, destination IP address, protocol, time to live (TTL) and flags, so the incomplete header can be repaired by reference to the other packets of the same connection. The HLEN and total length fields can be repaired using the relation "total length = HLEN + payload length". The identification field value of packets from the same source increases by 1 with each packet, so it can be calculated from the identification field values of the preceding and following packets from the same source. Finally, a checksum is computed over the packet being repaired to repair the checksum field of the header. Steps S425 and S430 can then be carried out on the basis of the repaired header to obtain a complete, repaired packet.
In addition, the recovering procedure detects whether capture loss has occurred and repairs any lost packet. When traffic is momentarily too heavy, incomplete packets may result, or packets may be lost entirely. For TCP, the recovering procedure can determine whether a packet was lost from the sequence number and acknowledgement number obtained by parsing the TCP header out of the payload. For UDP, it cannot be determined whether a packet was lost.
Refer to Fig. 6, another flow chart of the recovering procedure according to an embodiment of the present invention.
The recovering procedure may first determine, from the sequence numbers and acknowledgement numbers in the headers of a connection's packets, whether any packet was lost (step S435). If no lost packet is found, step S410 and the following steps are executed.
If the recovering procedure finds at least one lost packet, it repairs the lost packet with the following steps: repairing the header of the lost packet from the other packets of the corresponding connection (step S440); obtaining the payload length of the lost packet from its header (step S445); and writing a dummy value of that length as the payload of the lost packet (step S450).
More specifically, according to TCP, the sequence number of a packet in a connection with fixed source and destination IP addresses is the sequence number of the previous packet plus the data length of the previous packet. The following table is a packet table of a connection according to an embodiment, listing in order the consecutive packets of the connection together with their sequence numbers, acknowledgement numbers and related information.
As shown in the table, the sequence number of packet 2 is the sequence number of packet 1 plus the data length of packet 1 (10 bytes).
Suppose packet 4 is a lost packet; the recovering procedure then obtains packets 1-3 and 5-6. From the sequence numbers of packets 2 and 5 sent from A to B, it can be determined that there should be a packet between them with data length (a+20)-(a+10), namely packet 4. Following this logic, the recovering procedure can find lost packets and repair each lost packet completely from the other packets of the same connection.
This shows that the recovering procedure can use the properties of the network protocol to find packets that were omitted or lost during capture, and so improve the accuracy with which the captured traffic reflects its behaviour.
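The completeness check, dummy-payload fill and sequence-number gap detection of steps S410 to S450, worked through as an added example on a constructed TCP connection (this is not the patent's own code; the Record layout, the names, and keeping the captured payload prefix when padding are assumptions made here):

```python
"""Added example (not the patent's own code): the recovering procedure of
steps S410-S450 on a constructed TCP connection.

A captured packet is modelled as a Record; hlen/total_len/ident stand for
the IP header-length, total-length and identification fields, and seq/ack
for the TCP sequence and acknowledgement numbers parsed from the payload.
The names and the record layout are assumptions made for this example."""
import os
from dataclasses import dataclass, replace


@dataclass
class Record:
    src: str
    dst: str
    ident: int
    hlen: int        # header length in bytes
    total_len: int   # header + payload length in bytes
    seq: int
    ack: int
    payload: bytes   # captured payload, possibly truncated by (M, P)
    dummy: bool = False   # True once a dummy payload was written

    @property
    def data_len(self) -> int:
        # Payload length the header declares (step S425).
        return self.total_len - self.hlen


def is_complete(rec: Record) -> bool:
    # Step S410: the captured payload must match the declared length.
    return len(rec.payload) == rec.data_len


def fill_dummy(rec: Record) -> Record:
    """Steps S425/S430: pad the payload to its declared length with random
    bytes. Keeping the captured prefix (the M bytes of step S340) is an
    assumption of this example; the patent only says a dummy value is written."""
    missing = rec.data_len - len(rec.payload)
    if missing <= 0:
        return rec
    return replace(rec, payload=rec.payload + os.urandom(missing), dummy=True)


def find_lost(direction: list[Record]) -> list[Record]:
    """Steps S435/S440: for the packets of one direction (same src, dst)
    sorted by seq, a packet is missing wherever prev.seq + prev.data_len
    != cur.seq. The lost packet's header is rebuilt from its neighbours;
    identification is prev.ident + 1 because it increments per packet."""
    lost = []
    ordered = sorted(direction, key=lambda r: r.seq)
    for prev, cur in zip(ordered, ordered[1:]):
        expected = prev.seq + prev.data_len
        if cur.seq > expected:
            gap = cur.seq - expected
            hole = Record(src=prev.src, dst=prev.dst, ident=prev.ident + 1,
                          hlen=prev.hlen, total_len=prev.hlen + gap,
                          seq=expected, ack=prev.ack, payload=b"")
            lost.append(fill_dummy(hole))
    return lost


def recover(records: list[Record]) -> list[Record]:
    """Run the whole procedure: find capture loss per direction, then make
    every record complete. Returns records ordered by (src, dst, seq)."""
    by_dir: dict[tuple, list[Record]] = {}
    for r in records:
        by_dir.setdefault((r.src, r.dst), []).append(r)
    out = []
    for direction in by_dir.values():
        out.extend(direction)
        out.extend(find_lost(direction))
    out = [r if is_complete(r) else fill_dummy(r) for r in out]
    return sorted(out, key=lambda r: (r.src, r.dst, r.seq))


# Constructed sample: A->B carries data in 10-byte segments, B->A only ACKs.
# Packet 4 (seq 1020) was never captured; packet 5 kept only 4 payload bytes.
A, B = "10.0.0.1", "10.0.0.2"
SAMPLE = [
    Record(A, B, ident=100, hlen=40, total_len=50, seq=1000, ack=5000, payload=b"0123456789"),
    Record(A, B, ident=101, hlen=40, total_len=50, seq=1010, ack=5000, payload=b"ABCDEFGHIJ"),
    Record(B, A, ident=700, hlen=40, total_len=40, seq=5000, ack=1020, payload=b""),
    Record(A, B, ident=103, hlen=40, total_len=50, seq=1030, ack=5000, payload=b"wxyz"),
    Record(B, A, ident=701, hlen=40, total_len=40, seq=5000, ack=1040, payload=b""),
]
```

For the pure-ACK direction no gap is reported, because each ACK's data length is zero and the sequence number does not advance.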
Once the complete traffic has been obtained, the selective replay program replays part of it to reproduce the network event accurately. To avoid the time needed to replay every recorded packet, the selective replay program works backward from the information about the network event to pick out the part of the traffic (the packets) most likely to be sufficient to reproduce the event, and replays only that part.
Refer to Fig. 7, a flowchart of the selective replay program according to an embodiment of the invention.
The selective replay program first receives an event time and network connection information for the network event (step S510), where the connection information includes at least one network connection address. It then replays the packets of at least one network connection corresponding to that address (step S520). The connection address may be an Internet Protocol address (IP address) and may include a source IP address and a destination IP address.
In more detail, the selective replay program searches the recorded network connections for those whose source and destination IP addresses match the received connection address, and replays their packets.
Refer next to Fig. 8, another flowchart of the selective replay program according to an embodiment of the invention. In this embodiment the selective replay program gradually widens the set of packets it replays until the designated network event is successfully reproduced.
Besides the connection address, the connection information may include a network connection protocol and network connection ports, where the ports may include a source port and a destination port. With this five-tuple (source IP address, destination IP address, protocol, source port and destination port) a specific connection can be designated.
Therefore, when the connection information includes the full five-tuple, the selective replay program can identify the specific connection among the recorded connections from the address, protocol and ports of the connection information (step S512), and replay the packets of that specific connection (step S514).
The selective replay program then judges whether the network event has been reproduced (step S516). When replaying only the packets of the specific connection is not enough to reproduce the event, or when the connection information is insufficient to designate a specific connection, it replays the packets of at least one network connection corresponding to the connection address (step S520). In step S520 all connections corresponding to the address may be replayed in an attempt to reproduce the event.
In step S522 it judges again whether the event has been reproduced. If not, it replays the packets of at least one network connection that was in transmission at the event time (step S524). Using the event time, the selective replay program can replay every other connection that was in progress when the event occurred, in an attempt to reproduce it.
Similarly, in step S526 it judges once more whether the event has been reproduced. If not, it replays the packets of at least one network connection that finished transmitting before the event time (step S528).
And according to an embodiment of the invention, if the event still has not been reproduced after step S528, the selective replay program replays all the packets to reproduce the event.
Refer to Fig. 9, a schematic of selective replay according to an embodiment of the invention. Based on the event time 62 and the connection information, the selective replay program selectively replays among a plurality of network connections 60 to reproduce the event. Suppose the connection information identifies the specific connection 60e, which runs between hosts A and B. Following the flow of Fig. 8, the selective replay program then replays the connections 60 in the order: connection 60e, connection 60a, connection 60c, connection 60b and connection 60d.
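The widening replay order of Fig. 8 (specific five-tuple connection, then same addresses, then connections active at the event time, then connections that ended before it, then everything), as an added Python example that is not part of the patent; the connection records, the time values and the `reproduced` oracle standing in for the device-under-test check are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Conn:
    cid: str          # label as in the figure, e.g. "60e"
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    start: float      # time the connection began transmitting
    end: float        # time it finished transmitting


@dataclass
class ConnInfo:
    """Network connection information given by the user; protocol and ports are optional."""
    src_ip: str
    dst_ip: str
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def is_five_tuple(self) -> bool:
        return None not in (self.proto, self.src_port, self.dst_port)


def replay_stages(conns: List[Conn], info: ConnInfo,
                  event_time: float) -> List[Tuple[str, List[Conn]]]:
    """Candidate sets in the order of Fig. 8: specific connection (S512/S514),
    connections with the same addresses (S520), connections in transmission at the
    event time (S524), connections that ended before the event time (S528), then all."""
    same_addr = [c for c in conns if (c.src_ip, c.dst_ip) == (info.src_ip, info.dst_ip)]
    stages: List[Tuple[str, List[Conn]]] = []
    if info.is_five_tuple():
        stages.append(("specific", [c for c in same_addr
                                    if (c.proto, c.src_port, c.dst_port)
                                    == (info.proto, info.src_port, info.dst_port)]))
    stages.append(("same_address", same_addr))
    stages.append(("active_at_event", [c for c in conns if c.start <= event_time <= c.end]))
    stages.append(("ended_before_event", [c for c in conns if c.end < event_time]))
    stages.append(("all", list(conns)))
    return stages


def selective_replay(conns: List[Conn], info: ConnInfo, event_time: float,
                     reproduced: Callable[[Set[str]], bool]) -> Tuple[str, List[str]]:
    """Replay stage by stage, only adding connections not yet replayed, until the
    oracle reports the event reproduced. Returns (stage that succeeded, replay order)."""
    order: List[str] = []
    for name, cands in replay_stages(conns, info, event_time):
        for c in cands:
            if c.cid not in order:
                order.append(c.cid)   # replaying the packets themselves is not shown
        if reproduced(set(order)):
            return name, order
    return "not_reproduced", order


# Constructed connections mirroring Fig. 9: 60e is the specific A->B connection, 60a
# shares its addresses, 60c is in progress at the event time, 60b ended earlier and
# 60d started afterwards. The event time 62 of the figure is taken as t = 10 here.
SAMPLE_CONNS = [
    Conn("60a", "A", "B", "tcp", 2222, 80, 2.0, 9.0),
    Conn("60b", "C", "B", "tcp", 3333, 25, 1.0, 4.0),
    Conn("60c", "A", "C", "udp", 4444, 53, 8.0, 12.0),
    Conn("60d", "D", "C", "tcp", 5555, 443, 16.0, 20.0),
    Conn("60e", "A", "B", "tcp", 1111, 80, 5.0, 15.0),
]
EVENT_TIME = 10.0
INFO = ConnInfo("A", "B", "tcp", 1111, 80)

if __name__ == "__main__":
    # Oracle: the event needs every connection, so all five stages are walked.
    print(selective_replay(SAMPLE_CONNS, INFO, EVENT_TIME, lambda s: "60d" in s))
```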
The recovery program and the selective replay program of the invention can be implemented as a selective replay device. Refer to Figure 10, a block diagram of the selective replay device according to an embodiment of the invention. A selective replay device 40 may comprise a selective replay interface 41, a preprocessor 42, a connection tracking module 43, a loss-recovery engine 44, a replay engine 45, a socket application program interface (socket API) 46, a routing module 47, a validation module (validate source) 48, network cards 49a and 49b, a PCAP database 422 and a replay log 452. The selective replay device 40 delivers the replayed packets to a device under test 50 through network cards 49a and 49b.
The selective replay interface 41 lets the user specify the event time 62 or the connection information and passes them to the preprocessor 42. The preprocessor 42 takes the traffic recorded in the PCAP database 422 and supplies the complete TCP segments or UDP datagrams in it to the connection tracking module 43. The connection tracking module 43 records the various states of the connections 60 and passes the TCP or UDP header content obtained from the payload of the current packet to the loss-recovery engine 44. The loss-recovery engine 44 executes the recovery program: it judges whether the current packet is complete and whether any packet is missing, and repairs packets when necessary. The loss-recovery engine 44 is also responsible for confirming the replay order of the packets.
The replay engine 45 thereby obtains a complete data stream and sends the data to be replayed out through the socket API 46. The selective replay device 40 can replay traffic to the device under test 50 through the routing module 47 and network card 49a, and can receive the packets returned by the device under test 50 through network card 49b and the validation module 48. Packets that come back to the selective replay device 40 through the device under test 50 can be forwarded by the validation module 48 to the socket API 46 so that it can be judged whether the packets were modified, which in turn guarantees the correctness of the network protocol.
According to an embodiment of the invention, the replay engine 45 replays the next packet to the device under test 50 only after it has confirmed that the previously sent packet has been received back. When a connection 60 has been replayed, the time it started and the time it finished are written to the replay log 452.
In summary, the method of recording, recovering and replaying network traffic provided by the invention may comprise a recording program, a recovery program and a selective replay program. It solves the prior-art problems of wasting large amounts of storage and being unable to reproduce network events precisely. Using the recording parameters, the recording program records only the more valuable traffic and saves most of the storage. For packets the recording program omitted or missed, the recovery program can repair them into complete packets that conform to the network protocol. And by finding the connections most relevant to the network event, the selective replay program can reproduce the event precisely and quickly, significantly reducing the time needed to test a device.

Claims (22)

1. A method of recording network traffic, for processing a plurality of network packets of a plurality of network connections, characterized in that the method comprises:
A recording program, comprising:
Receiving a recording parameter (N, M, P), wherein N, M and P are integers greater than or equal to zero;
Recording the complete header and the payload of each packet of each network connection, and accumulating a payload total for each network connection;
When one of the payload totals exceeds N, recording the header and the first M bytes of the payload of each of P consecutive packets of the network connection corresponding to that payload total; and
After one of the payload totals has exceeded N and P consecutive packets of the network connection corresponding to that payload total have been recorded, recording the header of each packet of that network connection.
2. The method of recording network traffic as claimed in claim 1, characterized in that the recording parameter for an attack event is (2000, 200, 1300).
3. The method of recording network traffic as claimed in claim 1, characterized in that the recording parameter for a virus event is (6000, 0, 0).
4. The method of recording network traffic as claimed in claim 1, characterized in that the network connection conforms to the Transmission Control Protocol or the User Datagram Protocol.
5. A method of recording and recovering network traffic, for processing a plurality of network packets of a plurality of network connections, characterized in that the method comprises:
A recording program, comprising:
Receiving a recording parameter (N, M, P), wherein N, M and P are integers greater than or equal to zero;
Recording the complete header and the payload of each packet of each network connection, and accumulating a payload total for each network connection;
When one of the payload totals exceeds N, recording the header and the first M bytes of the payload of each of P consecutive packets of the network connection corresponding to that payload total; and
After one of the payload totals has exceeded N and P consecutive packets of the network connection corresponding to that payload total have been recorded, recording the header of each packet of that network connection; and
A recovery program, comprising:
Checking packet by packet whether the header and the payload of each packet are complete;
When at least one incomplete packet is found, judging whether it has a complete header; and
When the incomplete packet has a complete header, performing the following steps:
Obtaining a payload length of the incomplete packet from its header; and
Writing a dummy value of that payload length as the payload of the incomplete packet.
6. The method of recording and recovering network traffic as claimed in claim 5, characterized in that the recording parameter for an attack event is (2000, 200, 1300).
7. The method of recording and recovering network traffic as claimed in claim 5, characterized in that the recording parameter for a virus event is (6000, 0, 0).
8. The method of recording and recovering network traffic as claimed in claim 5, characterized in that the network connection conforms to the Transmission Control Protocol or the User Datagram Protocol.
9. The method of recording and recovering network traffic as claimed in claim 5, characterized in that the recovery program further comprises:
When the incomplete packet has an incomplete header, performing the following steps:
Repairing the header of the incomplete packet from the other packets of the network connection corresponding to the incomplete packet;
Obtaining the payload length of the incomplete packet from its header; and
Writing the dummy value of that payload length as the payload of the incomplete packet.
10. The method of recording and recovering network traffic as claimed in claim 5, characterized in that the recovery program further comprises:
Finding, from the sequence numbers and acknowledgment numbers in the headers of the network connection, at least one missed packet that was not recorded;
Repairing the header of the missed packet from the other packets of the network connection corresponding to the missed packet;
Obtaining the payload length of the missed packet from its header; and
Writing the dummy value of that payload length as the payload of the missed packet.
11. The method of recording and recovering network traffic as claimed in claim 5, characterized in that the dummy value is a random number.
12. A method of recording, recovering and replaying network traffic, for processing a plurality of network packets of a plurality of network connections, characterized in that the method comprises:
A recording program, comprising:
Receiving a recording parameter (N, M, P), wherein N, M and P are integers greater than or equal to zero;
Recording the complete header and the payload of each packet of each network connection, and accumulating a payload total for each network connection;
When one of the payload totals exceeds N, recording the header and the first M bytes of the payload of each of P consecutive packets of the network connection corresponding to that payload total; and
After one of the payload totals has exceeded N and P consecutive packets of the network connection corresponding to that payload total have been recorded, recording the header of each packet of that network connection;
A recovery program, comprising:
Checking packet by packet whether the header and the payload of each packet are complete;
When at least one incomplete packet is found, judging whether it has a complete header; and
When the incomplete packet has a complete header, performing the following steps:
Obtaining a payload length of the incomplete packet from its header; and
Writing a dummy value of that payload length as the payload of the incomplete packet; and
A replay program, comprising:
Receiving an event time and network connection information, wherein the network connection information includes at least one network connection address; and
Replaying the packets of at least one network connection corresponding to the network connection address.
13. The method of recording, recovering and replaying network traffic as claimed in claim 12, characterized in that the recording parameter for an attack event is (2000, 200, 1300).
14. The method of recording, recovering and replaying network traffic as claimed in claim 12, characterized in that the recording parameter for a virus event is (6000, 0, 0).
15. The method of recording, recovering and replaying network traffic as claimed in claim 12, characterized in that the network connection conforms to the Transmission Control Protocol or the User Datagram Protocol.
16. The method of recording, recovering and replaying network traffic as claimed in claim 12, characterized in that the recovery program further comprises:
When the incomplete packet has an incomplete header, performing the following steps:
Repairing the header of the incomplete packet from the other packets of the network connection corresponding to the incomplete packet;
Obtaining the payload length of the incomplete packet from its header; and
Writing the dummy value of that payload length as the payload of the incomplete packet.
17. The method of recording, recovering and replaying network traffic as claimed in claim 12, characterized in that the recovery program further comprises:
Finding, from the sequence numbers and acknowledgment numbers in the headers of the network connection, at least one missed packet that was not recorded;
Repairing the header of the missed packet from the other packets of the network connection corresponding to the missed packet;
Obtaining the payload length of the missed packet from its header; and
Writing the dummy value of that payload length as the payload of the missed packet.
18. The method of recording, recovering and replaying network traffic as claimed in claim 12, characterized in that the dummy value is a random number.
19. The method of recording, recovering and replaying network traffic as claimed in claim 12, characterized in that the replay program further comprises:
Obtaining a specific connection among the network connections from the network connection address, a network connection protocol and a network connection port of the network connection information; and
Replaying the packets of that specific connection.
20. The method of recording, recovering and replaying network traffic as claimed in claim 12, characterized in that the replay program further comprises:
Replaying the packets of at least one network connection that was in transmission at the event time.
21. The method of recording, recovering and replaying network traffic as claimed in claim 12, characterized in that the replay program further comprises:
Replaying the packets of at least one network connection that finished transmitting before the event time.
22. The method of recording, recovering and replaying network traffic as claimed in claim 12, characterized in that the network connection address is an Internet Protocol address.
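The per-connection recording policy of claims 1 to 3, as an added Python example that is not the patent's code: a connection is recorded in full until its payload total exceeds N, then for P packets only the header plus the first M bytes of payload, and after that header only. Whether the packet that pushes the total over N is itself kept in full is not stated in the claims; this example keeps it in full, and the packet sizes used below are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Connection key: (src_ip, dst_ip, protocol, src_port, dst_port).
FlowKey = Tuple[str, str, str, int, int]


@dataclass
class FlowState:
    total_payload: int = 0   # accumulated payload bytes seen on this connection
    partial_left: int = 0    # how many "header + first M bytes" packets remain
    phase: str = "full"      # "full" -> "partial" -> "header"


@dataclass
class CapturePolicy:
    n: int   # payload bytes recorded in full before truncation starts
    m: int   # payload bytes kept per packet during the partial phase
    p: int   # number of packets in the partial phase
    flows: Dict[FlowKey, FlowState] = field(default_factory=dict)

    def record(self, key: FlowKey, header: bytes, payload: bytes) -> bytes:
        """Return the bytes that would be written to the capture for this packet."""
        st = self.flows.setdefault(key, FlowState(partial_left=self.p))
        if st.phase == "full":
            st.total_payload += len(payload)
            # Assumption: the packet that crosses N is still stored in full.
            if st.total_payload > self.n:
                st.phase = "partial" if self.p > 0 else "header"
            return header + payload
        if st.phase == "partial":
            st.partial_left -= 1
            if st.partial_left == 0:
                st.phase = "header"
            return header + payload[: self.m]
        return header   # header-only phase


def capture_sizes(policy: CapturePolicy, key: FlowKey,
                  packets: List[Tuple[bytes, bytes]]) -> List[int]:
    """Bytes stored per packet, in order, for one connection."""
    return [len(policy.record(key, h, pl)) for h, pl in packets]


def stored_bytes(policy: CapturePolicy, key: FlowKey,
                 packets: List[Tuple[bytes, bytes]]) -> Tuple[int, int]:
    """(bytes stored, bytes on the wire) for one connection under the policy."""
    kept = sum(capture_sizes(policy, key, packets))
    wire = sum(len(h) + len(pl) for h, pl in packets)
    return kept, wire


# Constructed flow: 40-byte headers, 1000-byte payloads, 1305 packets.
FLOW: FlowKey = ("10.0.0.1", "10.0.0.2", "tcp", 40000, 80)
PACKETS = [(b"H" * 40, b"x" * 1000)] * 1305

if __name__ == "__main__":
    attack = CapturePolicy(n=2000, m=200, p=1300)    # parameter of claim 2
    print("attack  (2000,200,1300):", stored_bytes(attack, FLOW, PACKETS))
    virus = CapturePolicy(n=6000, m=0, p=0)          # parameter of claim 3
    print("virus   (6000,0,0):     ", stored_bytes(virus, FLOW, PACKETS))
```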
CN201010241231.3A 2010-07-27 2010-07-27 Network traffic capturing, recovering and replaying method Expired - Fee Related CN102347933B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010241231.3A CN102347933B (en) 2010-07-27 2010-07-27 Network traffic capturing, recovering and replaying method

Publications (2)

Publication Number Publication Date
CN102347933A true CN102347933A (en) 2012-02-08
CN102347933B CN102347933B (en) 2014-05-14

Family

ID=45546226

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140514

Termination date: 20200727