CN103595590B - A packet tampering detection method, apparatus and system

Info

Publication number
CN103595590B
Authority
CN
China
Prior art keywords
packet
data
submodule
flow data
current
Prior art date
Legal status
Active
Application number
CN201310625582.8A
Other languages
Chinese (zh)
Other versions
CN103595590A (en)
Inventor
罗鹰
李响
林康
侯勇军
伍宏宁
Current Assignee
CHENGDU COLASOFT Co Ltd
Original Assignee
CHENGDU COLASOFT Co Ltd
Filing date
Publication date
Events
Application filed by CHENGDU COLASOFT Co Ltd
Priority to CN201310625582.8A
Publication of CN103595590A
Application granted
Publication of CN103595590B
Legal status: Active (current)
Anticipated expiration

Abstract

This application discloses a packet tampering detection method, apparatus and system applied to a network intermediate device. The network intermediate device includes an ingress port and an egress port, and the method includes: obtaining a packet set, the packet set including packets that flow through the ingress port and the egress port; comparing packets in the packet set whose transmission identifiers are consistent, to obtain a comparison result; and generating a tampering detection result according to the comparison result. The embodiments of the present application can compare a packet that carries the same transmission identifier before and after it is transmitted through a device in a network and thereby obtain a tampering detection result, so that whether the network intermediate device tampers with the packets it transmits can be detected, which achieves the purpose of the present application.

Description

A packet tampering detection method, apparatus and system
Technical field
The present application relates to the field of equipment testing technology, and in particular to a packet tampering detection method, apparatus and system.
Background technology
With the development of computer networks, various network intermediate devices such as hubs, switches and routers are applied in computer networks.
When a network intermediate device is applied in a network, packet tampering may occur, that is, the content of a certain packet in the network is altered after it is forwarded through the network intermediate device, which reduces the credibility of the data transmission of the network intermediate device.
Therefore, a scheme that can detect whether a network intermediate device tampers with packets is urgently needed.
Summary of the invention
The technical problem to be solved by the present application is to provide a packet tampering detection method, apparatus and system, in order to solve the technical problem that the prior art cannot detect whether a network intermediate device tampers with packets.
The present application provides a packet tampering detection method, applied to a network intermediate device, the network intermediate device including an ingress port and an egress port, the method including:
obtaining a packet set, the packet set including packets that flow through the ingress port and the egress port;
comparing packets in the packet set whose transmission identifiers are consistent, to obtain a comparison result;
generating a tampering detection result according to the comparison result.
In the above method, preferably, a current buffer is set in advance, wherein the obtaining of the packet set includes:
collecting packets that flow through the ingress port and the egress port;
judging whether a collected packet conforms to a preset IP packet format; if so, judging whether the current buffer contains free storage space; otherwise, discarding the packet and returning to the collecting of packets that flow through the ingress port and the egress port;
if the current buffer contains free storage space, inserting the packet into the current buffer and returning to the collecting of packets that flow through the ingress port and the egress port; otherwise, obtaining the packet set in the current buffer and emptying the current buffer.
In the above method, preferably, a flow table is set in advance, and the comparing of packets in the packet set whose transmission identifiers are consistent to obtain a comparison result includes:
selecting one packet in the packet set as the current packet;
extracting the transmission identifier of the current packet;
generating, according to the transmission identifier, current flow data corresponding to the current packet;
querying whether the flow table contains target flow data having the same transmission identifier as the current flow data; if so, comparing the current flow data with the target flow data to obtain a comparison result, and judging whether the comparison result indicates that the current flow data is consistent with the target flow data; if the comparison result indicates that the current flow data is consistent with the target flow data, selecting, from the unselected packets in the packet set, the packet following the current packet as the current packet and returning to the extracting of the transmission identifier of the current packet, until all packets in the packet set have been selected; if the comparison result indicates that the current flow data is inconsistent with the target flow data, saving the packets in the packet set whose flow data is inconsistent;
if the flow table does not contain target flow data having the same transmission identifier as the current flow data, creating a flow corresponding to the current flow data in the flow table, selecting, from the unselected packets in the packet set, the packet following the current packet as the current packet, and returning to the extracting of the transmission identifier of the current packet, until all packets in the packet set have been selected.
In the above method, preferably, the transmission identifier includes the source IP address information, destination IP address information, source port information and destination port information of the packet.
The present application further provides a packet tampering detection apparatus, applied to a network intermediate device, the network intermediate device including an ingress port and an egress port, the apparatus including:
a packet acquisition module, for obtaining a packet set, the packet set including packets that flow through the ingress port and the egress port;
a packet comparison module, for comparing packets in the packet set whose transmission identifiers are consistent, to obtain a comparison result;
a detection result generation module, for generating a tampering detection result according to the comparison result.
In the above apparatus, preferably, a current buffer is set in advance, wherein the packet acquisition module includes:
a packet capture submodule, for collecting packets that flow through the ingress port and the egress port;
a format judgement submodule, for judging whether a collected packet conforms to a preset IP packet format; if so, triggering the free-space judgement submodule, otherwise triggering the packet discard submodule;
a free-space judgement submodule, for judging whether the current buffer contains free storage space; if so, triggering the packet insertion submodule, otherwise triggering the set acquisition submodule;
a packet discard submodule, for discarding the packet and triggering the packet capture submodule to again collect packets that flow through the ingress port and the egress port;
a packet insertion submodule, for inserting the packet into the current buffer and triggering the packet capture submodule to again collect packets that flow through the ingress port and the egress port;
a set acquisition submodule, for obtaining the packet set in the current buffer and emptying the current buffer.
In the above apparatus, preferably, a flow table is set in advance, wherein the packet comparison module includes:
a packet selection submodule, for selecting one packet in the packet set as the current packet;
an identifier extraction submodule, for extracting the transmission identifier of the current packet;
a flow data generation submodule, for generating, according to the transmission identifier, current flow data corresponding to the current packet;
a target query submodule, for querying whether the flow table contains target flow data having the same transmission identifier as the current flow data; if so, triggering the flow data comparison submodule, otherwise triggering the flow creation submodule;
a flow data comparison submodule, for comparing the current flow data with the target flow data to obtain a comparison result and triggering the comparison judgement submodule;
a flow creation submodule, for creating a flow corresponding to the current flow data in the flow table and triggering the packet update submodule;
a comparison judgement submodule, for judging whether the comparison result indicates that the current flow data is consistent with the target flow data; if the comparison result indicates that the current flow data is consistent with the target flow data, triggering the packet update submodule, otherwise triggering the packet saving submodule;
a packet update submodule, for selecting, from the unselected packets in the packet set, the packet following the current packet as the current packet and triggering the identifier extraction submodule, until all packets in the packet set have been selected;
a packet saving submodule, for saving the packets in the packet set whose flow data is inconsistent.
In the above apparatus, preferably, the transmission identifier includes the source IP address information, destination IP address information, source port information and destination port information of the packet.
The present application further provides a packet tampering detection system, including the packet tampering detection apparatus described in any one of claims 5 to 8.
In the above system, preferably, the system further includes:
a display device, for displaying the tampering detection result generated by the packet tampering detection apparatus.
It can be seen from the above scheme that the packet tampering detection method, apparatus and system provided by the present application obtain the packets flowing through the ingress port and the egress port of a network intermediate device, assemble them into a packet set of a certain size, then compare two packets in the packet set whose transmission identifiers are consistent to obtain a comparison result, and generate a tampering detection result according to the comparison result. The present application can compare a packet that carries the same transmission identifier before and after it is transmitted through a device in a network, obtain a tampering detection result, and thereby detect whether the network intermediate device tampers with the packets it transmits, achieving the purpose of the present application.
Brief description of the drawings
To describe the technical schemes in the embodiments of the present application more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from these drawings without creative work.
Fig. 1 is a flow chart of embodiment one of a packet tampering detection method provided by the present application;
Fig. 2 is an application example diagram of embodiment one of the present application;
Fig. 3 is a partial flow chart of embodiment two of a packet tampering detection method provided by the present application;
Fig. 4 is another partial flow chart of embodiment two of the present application;
Fig. 5 is a partial flow chart of embodiment three of a packet tampering detection method provided by the present application;
Fig. 6 is another partial flow chart of embodiment three of the present application;
Fig. 7 is a structural diagram of embodiment four of a packet tampering detection apparatus provided by the present application;
Fig. 8 is a partial structural diagram of embodiment five of a packet tampering detection apparatus provided by the present application;
Fig. 9 is a partial structural diagram of embodiment six of a packet tampering detection apparatus provided by the present application;
Fig. 10 is a structural diagram of embodiment seven of a packet tampering detection system provided by the present application;
Fig. 11 is a structural diagram of embodiment eight of a packet tampering detection system provided by the present application.
Detailed description of the invention
The technical schemes in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present application without creative work fall within the scope of protection of the present application.
Referring to Fig. 1, which is a flow chart of embodiment one of a packet tampering detection method provided by the present application, the method is applied to a network intermediate device, the network intermediate device includes an ingress port and an egress port, and the method may include the following steps:
Step 101: obtain a packet set, the packet set including packets that flow through the ingress port and the egress port.
Here, the network intermediate device may be a hub, switch, router or the like connected in a computer network. The ingress port of the network intermediate device refers to the input port through which packets of the computer network enter the network intermediate device, and the egress port of the network intermediate device refers to the output port through which data in the device is output to the computer network. For example, in Fig. 2, point A is the ingress port of the network intermediate device S and point B is the egress port of the network intermediate device S; packets in the computer network enter the network intermediate device S at point A and are output from the network intermediate device S at point B.
It should be noted that the packet set includes multiple packets, and that the packets flowing through the ingress port and the egress port in step 101 refer to the packets input to the network intermediate device through the ingress port and the packets output from the network intermediate device through the egress port.
Step 102: compare two packets in the packet set whose transmission identifiers are consistent, to obtain a comparison result.
Here, the transmission identifier refers to unique identification information representing the packet. Each packet transmitted in a computer network has a transmission identifier that differs from those of other packets and serves as the identity ID of that packet. When the network intermediate device forwards a packet in the computer network, the transmission identifier of the packet does not change.
In the embodiment of the present application, step 102 can specifically be implemented as follows:
First, among the packets that flow through the ingress port and the egress port of the network intermediate device, the packets that have the same transmission identifier are extracted; that is, for a packet forwarded by the network intermediate device, the original packet before forwarding and the current packet after forwarding are extracted, and then the original packet is compared with the current packet to obtain a data comparison result.
It should be noted that the comparison result obtained in step 102 can be understood as the result of comparing the corresponding data content of the above original packet and current packet; this comparison result indicates the data consistency between the original packet and the current packet.
Step 103: generate a tampering detection result according to the comparison result.
Here, step 103 may specifically be: parsing the comparison result; if the comparison result indicates that the packet content of the original packet and of the current packet is consistent, generating a tampering detection result stating that the network intermediate device has not tampered with the packet; if the comparison result indicates that the packet content of the original packet and of the current packet is not consistent, generating a tampering detection result stating that the network intermediate device has tampered with the packet.
It should be noted that the packet content refers to the data content in the packet other than the transmission identifier. This data content does not include the modifications to the packet header made when the network intermediate device forwards the packet, these being the modifications that a network intermediate device in a computer network makes as specified by the network transmission protocol.
It can be seen from the above scheme that embodiment one of the packet tampering detection method provided by the present application obtains the packets flowing through the ingress port and the egress port of a network intermediate device, assembles them into a packet set of a certain size, then compares two packets in the packet set whose transmission identifiers are consistent to obtain a comparison result, and generates a tampering detection result according to the comparison result. Embodiment one of the present application can compare a packet that carries the same transmission identifier before and after it is transmitted through a device in a network, obtain a tampering detection result, and thereby detect whether the network intermediate device tampers with the packets it transmits, achieving the purpose of the present application.
It should be noted that, in a specific implementation, step 101 can collect the packets flowing through the ingress port and the egress port one after another and assemble them into a packet set for acquisition; during this process, a current buffer can be set in advance as the carrier for storing the collected packets. Referring now to Fig. 3, which is a flow chart of step 101 in embodiment two of a packet tampering detection method provided by the present application, step 101 can be implemented by the following steps:
Step 301: collect packets that flow through the ingress port and the egress port.
Here, collecting a packet in step 301 can be understood as collecting, at a given moment, a single packet flowing through the ingress port or the egress port.
Step 302: judge whether the collected packet conforms to a preset IP packet format; if so, perform step 303, otherwise perform step 304.
Here, the preset IP packet format refers to the IPv4 packet format specified in computer networks. Judging in step 302 whether the format of the packet conforms to the IP packet format means judging whether the packet is a packet that conforms to the computer network protocol; when the packet conforms to the computer network protocol, step 303 is performed, otherwise step 304 is performed.
Step 303: judge whether the current buffer contains free storage space; if so, perform step 305, otherwise perform step 306.
Step 304: discard the packet and return to step 301 to continue collecting packets that flow through the ingress port and the egress port.
Here, discarding the packet in step 304 means that, when the packet does not conform to the computer network protocol, it is not a target packet for packet tampering detection and is therefore discarded, and packets flowing through the ingress port and the egress port are collected again until a collected packet conforms to the preset IP packet format, whereupon step 303 is performed.
Step 305: insert the packet into the current buffer and return to step 301 to continue collecting packets that flow through the ingress port and the egress port.
Step 306: obtain the packet set in the current buffer and empty the current buffer.
Here, when it is judged in step 303 that the current buffer still has free storage space, the packet is placed in the current buffer and packets flowing through the ingress port and the egress port continue to be collected, until the current buffer no longer contains free storage space. Therefore, when it is judged in step 303 that the current buffer contains no free storage space, this indicates that the current buffer has been filled with packets; the packets stored in the current buffer are all the packets input to and output from the network intermediate device within a period of time. At this point, the packet set in the current buffer can be obtained and used as the object of comparison, and the subsequent steps 102 and 103 are performed: two packets in the packet set whose transmission identifiers are consistent are compared to obtain a comparison result, and a tampering detection result is generated according to the comparison result, achieving the purpose of the embodiment of the present application.
In practical applications, when the amount of data forwarded (transmitted) by the network intermediate device within a period of time is large, a memory cache queue can be set in advance in order to improve the feasibility of packet storage. This memory cache queue can include multiple cache spaces, one of which serves as the current buffer. When step 303 judges that the current buffer is full, step 306 is specifically implemented as follows:
First, the current buffer is inserted as a cache object into a preset process queue, which is used to hold cache objects that have been filled with packets; then a cache space is obtained from the memory cache queue as the new current buffer for storing subsequently collected packets; at the same time, a set analysis event is set and a packet analysis thread is started. The packet analysis thread can be understood as: obtaining the packet set in a cache object in the process queue, comparing two packets in the packet set whose transmission identifiers are consistent to obtain a comparison result, and generating a tampering detection result according to the comparison result. After the packet set has been obtained, the cache object corresponding to the obtained packet set is inserted back into the memory cache queue as a cache space, so that it can subsequently serve again as the current buffer for storing collected packets. This is shown in Fig. 4.
It should be noted that in the flow shown in Fig. 4, the collection in step 301 of packets flowing through the ingress port and the egress port is persistent; that is, the embodiment of the present application can continuously collect the packets flowing through the network intermediate device and insert the collected packets into the current buffer; when the current buffer is full, the current buffer is inserted into the process queue, and subsequently collected packets are placed into a current buffer newly chosen from the memory cache queue. If no usable current buffer exists in the memory cache queue, the packet is discarded and step 301 is returned to so that packet acquisition is performed again; at this time a cache space can only be released after a cache object in the process queue has been analysed and processed, and the released cache space is moved back into the memory cache queue for subsequent packet storage. While the process queue is being processed, the embodiment of the present application obtains the packet set of each current buffer that is a cache object in the process queue, compares the data in that packet set, and obtains a comparison result and a tampering detection result. It should be emphasised that whenever the current buffer into which packets flowing through a device in the network are collected becomes full, the acquisition of one packet set is completed, whereupon two packets in that packet set that have the same transmission identifier are compared and a comparison result and a tampering detection result are obtained, achieving the purpose of the embodiment of the present application.
Referring to Fig. 5, which is a flow chart of step 102 in embodiment three of a packet tampering detection method provided by the present application, in the embodiment of the present application a flow table can be set in advance for storing flow data. Step 102 may include the following steps:
Step 501: select one packet in the packet set as the current packet.
Step 502: extract the transmission identifier of the current packet.
Here, as stated above, the transmission identifier does not change when a packet is forwarded by a network intermediate device in a computer network, and the transmission identifier is unique to the current packet. The transmission identifier can include the source IP address information, destination IP address information, source port information and destination port information of the packet.
Step 503: generate, according to the transmission identifier, current flow data corresponding to the current packet.
Here, the current flow data can be the flow key corresponding to the current packet, which is formed from the source IP address, destination IP address, source port number and destination port number of the packet.
Step 504: query whether the flow table contains target flow data having the same transmission identifier as the current flow data; if so, perform step 505, otherwise perform step 506.
Step 505: compare the current flow data with the target flow data to obtain a data comparison result, and perform step 507.
Here, comparing the current flow data with the target flow data in step 505 specifically means comparing the current flow data with the corresponding flow data content of the target flow data to obtain a comparison result.
Step 506: create a flow corresponding to the current flow data in the flow table, and perform step 508.
Here, when step 504 does not find in the flow table target flow data having the same transmission identifier as the current flow data, this indicates that the packet corresponding to the current flow data has not been selected before; at this point a flow corresponding to the current flow data is created in the flow table, so that it can be looked up for the flow data corresponding to packets selected subsequently.
Step 507: judge whether the comparison result indicates that the current flow data is consistent with the target flow data; if so, perform step 508, otherwise perform step 509.
Step 508: select, from the unselected packets in the packet set, the packet following the current packet as the current packet and return to step 502, until all packets in the packet set have been selected.
Step 509: save the packets in the packet set whose flow data is inconsistent.
Here, by selecting the next packet in the packet set as the current packet in step 508 and returning to step 502, a loop is formed. Thus, until a packet with inconsistent flow data appears in the packet set, each packet in the packet set is selected in turn, and whenever the packet set contains a packet whose transmission identifier is consistent with that of the selected packet, the two packets can be compared to obtain a comparison result; and when inconsistent flow data appears, the packets in the packet set whose flow data is inconsistent are saved, completing the detection of whether packets in a packet set have been tampered with.
In a specific implementation, the flow table is provided with a storage upper limit; that is, before the current flow data is written to the flow table in step 506, whether the flow table is already full needs to be judged, and when the flow table is full, a new flow is created in the flow table according to the current flow data and this new flow is set as a discarded flow.
It should be noted that each discarded flow in the flow table can be provided with a flow time, which corresponds to the retention time of that discarded flow in the flow table; when the flow time of a discarded flow exceeds a preset time limit, the discarded flow is deleted from the flow table.
Accordingly, after target flow data having the same transmission identifier as the current flow data has been found in the flow table in step 504, it needs to be judged whether this target flow data is a discarded flow. When the target flow data is a discarded flow, for a TCP flow the flow state of the target flow data is recorded again in the flow table, and for a UDP flow it is checked whether the flow time of the target flow data exceeds the preset time limit; when it exceeds the preset time limit, the target flow data is deleted and step 508 is performed, as shown in Fig. 6.
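The following is an added example, not code from the patent or its assignee, modelling the procedure of embodiments one to three: packets seen at the ingress and egress ports are collected into a fixed-size current buffer (steps 301 to 306), each completed packet set is analysed with a flow table keyed by the transmission identifier (steps 501 to 509), and a tampering detection result is produced (step 103). The Packet model, the choice of TTL as the header field that forwarding may legitimately change, the handling of the packet that finds the buffer full, and the single aging rule for discarded flows (the patent distinguishes TCP and UDP) are constructed simplifications.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, int]   # src IP, dst IP, src port, dst port


@dataclass(frozen=True)
class Packet:
    port: str            # "in" (ingress, point A) or "out" (egress, point B)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ttl: int             # header field a forwarder legitimately decrements
    payload: bytes
    is_ipv4: bool = True  # stands in for the "preset IP packet format" check

    def transmission_id(self) -> FlowKey:
        # Step 502/503: the transmission identifier, unchanged by forwarding.
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port)

    def flow_data(self) -> bytes:
        # Packet content compared for tampering: excludes the transmission
        # identifier and header fields forwarding may change (TTL here).
        return self.payload


class PacketCollector:
    """Steps 301-306: fill the current buffer; hand over the set when full."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.current_cache: List[Packet] = []

    def collect(self, pkt: Packet) -> Optional[List[Packet]]:
        if not pkt.is_ipv4:                            # steps 302/304
            return None                                # discard, keep capturing
        if len(self.current_cache) < self.capacity:    # steps 303/305
            self.current_cache.append(pkt)
            return None
        # Step 306: no free space, obtain the packet set and empty the buffer.
        # Assumption: the packet that found the buffer full opens the next set.
        packet_set, self.current_cache = self.current_cache, [pkt]
        return packet_set


@dataclass
class FlowEntry:
    packet: Packet
    discarded: bool      # flow created while the table was already full
    flow_time: int       # sequence number at creation, used as the flow time


class TamperDetector:
    """Steps 501-509 over one packet set, then step 103."""

    def __init__(self, table_capacity: int = 1024, time_limit: int = 64) -> None:
        self.table_capacity = table_capacity
        self.time_limit = time_limit
        self.flow_table: Dict[FlowKey, FlowEntry] = {}
        self.clock = 0

    def analyse(self, packet_set: List[Packet]) -> dict:
        tampered: List[Tuple[Packet, Packet]] = []   # step 509: saved pairs
        for pkt in packet_set:                        # steps 501/508
            self.clock += 1
            key = pkt.transmission_id()               # steps 502/503
            entry = self.flow_table.get(key)          # step 504
            if entry is None:                         # step 506: create flow
                full = len(self.flow_table) >= self.table_capacity
                self.flow_table[key] = FlowEntry(pkt, full, self.clock)
                continue
            if entry.discarded and self.clock - entry.flow_time > self.time_limit:
                del self.flow_table[key]              # aged-out discarded flow
                continue                              # then step 508
            if entry.packet.flow_data() != pkt.flow_data():   # steps 505/507
                tampered.append((entry.packet, pkt))
        # Step 103: the detection result follows from the comparison results.
        return {"tampered": tampered,
                "result": "tampered" if tampered else "not tampered"}


def run_demo() -> dict:
    """Constructed sample: one flow forwarded intact (only TTL decremented),
    one flow whose payload changed between ingress and egress, one junk frame."""
    a_in = Packet("in", "10.0.0.5", "10.0.0.9", 40000, 80, 64, b"GET /index.html")
    a_out = Packet("out", "10.0.0.5", "10.0.0.9", 40000, 80, 63, b"GET /index.html")
    b_in = Packet("in", "10.0.0.7", "10.0.0.9", 40001, 80, 64, b"amount=100")
    b_out = Packet("out", "10.0.0.7", "10.0.0.9", 40001, 80, 63, b"amount=900")
    junk = Packet("in", "", "", 0, 0, 0, b"\x00", is_ipv4=False)
    collector, detector, results = PacketCollector(capacity=4), TamperDetector(), []
    for pkt in (a_in, junk, a_out, b_in, b_out, a_in):   # last one fills the set
        packet_set = collector.collect(pkt)
        if packet_set is not None:
            results.append(detector.analyse(packet_set))
    return results[0]


if __name__ == "__main__":
    print(run_demo()["result"])
```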
Referring to Fig. 7, a structural diagram of embodiment four, a packet tampering detection apparatus provided by the application, is shown. The apparatus is applied to a network intermediary device having an ingress port and an egress port, and the apparatus may include:
Packet acquisition module 701, for obtaining a packet set, the packet set including the packets flowing through the ingress port and the egress port.
Here the network intermediary device may be a hub, switch, router or the like connected in a computer network. The ingress port of the network intermediary device is the input port through which packets of the computer network enter the device, and the egress port is the output port through which data in the device is output to the computer network. For example, in Fig. 2, point A is the ingress port of the network intermediary device S and point B is its egress port: packets in the computer network enter the network intermediary device S through point A and are output from it through point B.
It should be noted that the packet set includes multiple packets, and that the packet acquisition module 701 collecting the packets flowing through the ingress port and the egress port means collecting both the packets input into the network intermediary device through the ingress port and the packets output from the network intermediary device through the egress port.
Packet comparison module 702, for comparing packets in the packet set whose transmission identifiers are consistent, to obtain a comparison result.
Here the transmission identifier is the unique identification information representing the packet. Each packet transmitted in the computer network has its own distinct transmission identifier, which identifies the packet as an identity ID. When the network intermediary device forwards a packet in the computer network, the transmission identifier of the packet does not change.
In this embodiment of the application, the packet comparison module 702 may specifically be implemented as follows:
First, among the packets flowing through the ingress port and the egress port of the network intermediary device, the packets having the same transmission identifier are extracted; that is, for a packet forwarded by the network intermediary device, the original packet before forwarding and the current packet after forwarding are both extracted. The original packet is then compared with the current packet to obtain a data comparison result.
It should be noted that the comparison result obtained by the packet comparison module 702 can be understood as the result of comparing the corresponding data content of the original packet and the current packet; this data comparison result shows the consistency of the data between the original packet and the current packet.
Detection result generation module 703, for generating a tampering detection result according to the comparison result.
Here the detection result generation module 703 may specifically be implemented as follows:
The comparison result is parsed. If the comparison result shows that the packet content of the original packet and the current packet is consistent, a tampering detection result is generated indicating that the network intermediary device has not tampered with the packet; if the comparison result shows that the packet content of the original packet and the current packet is inconsistent, a tampering detection result is generated indicating that the network intermediary device has tampered with the packet.
It should be noted that the packet content refers to the data content of the packet other than the transmission identifier, and that this data content excludes the modifications of packet header content made when the network intermediary device forwards the packet; such header modifications are those that a network intermediary device in a computer network makes as prescribed by the network transmission protocol.
From the above scheme, embodiment four of the packet tampering detection apparatus provided by the application obtains the packets flowing through the ingress port and the egress port of the network intermediary device, forms a packet set of a certain size, compares two packets in this packet set whose transmission identifiers are consistent to obtain a comparison result, and then generates a tampering detection result according to that comparison result. Embodiment four thus compares a packet having the same transmission identifier before and after its transmission through the network intermediary device, obtains a tampering detection result from the comparison, and so detects whether the network intermediary device has tampered with the packets it transmits, achieving the purpose of the application.
It should be noted that in a specific implementation the packet acquisition module 701 may collect the packets flowing through the ingress port and the egress port one after another and combine them into a packet set; during this process, a current cache may be set in advance as the carrier for storing the collected packets. Referring to Fig. 8, a structural diagram of the packet acquisition module 701 in embodiment five of the packet tampering detection apparatus provided by the application is shown, where the packet acquisition module 701 may include:
Packet capture submodule 711, for collecting the packets flowing through the ingress port and the egress port.
Here the packet capture submodule 711 collecting a packet can be understood as collecting, at a certain moment, a single packet flowing through the ingress port or the egress port.
Format judgement submodule 712, for judging whether the collected packet conforms to a preset IP packet format; if so, it triggers the idle judgement submodule 713, otherwise it triggers the packet discard submodule 714.
Here the preset IP packet format is the IPv4 packet format specified in the computer network. The format judgement submodule 712 judging whether the format of the packet conforms to the IP packet format means judging whether the packet conforms to the computer network protocol; when the packet conforms to the computer network protocol, the idle judgement submodule 713 is triggered, otherwise the packet discard submodule 714 is triggered.
Idle judgement submodule 713, for judging whether the current cache contains free storage space; if so, it triggers the packet insertion submodule 715, otherwise it triggers the set acquisition submodule 716.
Packet discard submodule 714, for discarding the packet and triggering the packet capture submodule 711 to collect again the packets flowing through the ingress port and the egress port.
Here the packet discard submodule 714 discarding the packet means that when the packet does not conform to the computer network protocol it is not taken as a target packet for tampering detection and is therefore discarded, and the packets flowing through the ingress port and the egress port are collected again until a collected packet conforms to the preset IP packet format, at which point the idle judgement submodule 713 is triggered.
Packet insertion submodule 715, for inserting the packet into the current cache and triggering the packet capture submodule 711 to collect again the packets flowing through the ingress port and the egress port.
Set acquisition submodule 716, for obtaining the packets in the current cache combined into a packet set and emptying the current cache.
When the idle judgement submodule 713 judges that the current cache still has free storage space, the packet insertion submodule 715 places the packet in the current cache and the packet capture submodule 711 continues collecting the packets flowing through the ingress port and the egress port, until the current cache no longer contains free storage space. Therefore, when the idle judgement submodule 713 judges that the current cache contains no free storage space, the current cache is full of packets, and the packets stored in it are all the packets input and output by the network intermediary device over a period of time. At this point the set acquisition submodule 716 can obtain the packet set in the current cache, take this packet set as the object of data comparison, and trigger the packet comparison module 702 and the detection result generation module 703 to compare two packets in the packet set whose transmission identifiers are consistent, obtain a comparison result, and generate a tampering detection result according to that comparison result, achieving the purpose of this embodiment of the application.
In practical applications, when the amount of data forwarded (transmitted) by the network intermediary device in a period of time is large, a memory cache queue may be set in advance in order to improve the feasibility of packet storage. This memory cache queue may include multiple cache spaces, one of which serves as the current cache. When the idle judgement submodule 713 judges that the current cache is full, the set acquisition submodule 716 may be implemented as follows:
First, the current cache is inserted as a cache object into a preset process queue, which holds the cache objects that have been filled with packets. Then a cache space is obtained from the memory cache queue as the new current cache, to store subsequently collected packets. At the same time a set analysis event is set to start a packet analysis thread, which can be understood as: obtaining the packet set in a cache object in the process queue, comparing two packets in that packet set whose transmission identifiers are consistent to obtain a comparison result, and generating a tampering detection result according to that comparison result. After the packet set has been obtained, the cache object corresponding to the obtained packet set is inserted back into the memory cache queue as a cache space, so that it can later serve again as the current cache for storing collected packets.
It should be noted that the collection by the packet capture submodule 711 of the packets flowing through the ingress port and the egress port is continuous; that is, this embodiment of the application can continuously collect the packets flowing through the network intermediary device and insert the collected packets into the current cache. When the current cache is full, it is inserted into the process queue, and subsequently collected packets are placed in the current cache chosen from the memory cache queue. If the memory cache queue no longer contains a cache space that can serve as the current cache, the packet is discarded and the packet capture submodule 711 is triggered to capture packets again; in this case a cache space is released only after a cache object in the process queue has been analysed and processed, and the released cache space is moved back into the memory cache queue for subsequent storage of packets. While processing the process queue, this embodiment continuously obtains the packet set of the current cache placed in the process queue as a cache object, compares the data in this packet set, and obtains a comparison result and a tampering detection result. It should be emphasised that once the packets flowing through the network intermediary device have been collected and the current cache is full, the acquisition of a packet set is complete, and two packets in this packet set having the same transmission identifier can then be compared to obtain a comparison result and a tampering detection result, achieving the purpose of this embodiment of the application.
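The capture side of embodiment five (format check, current cache, memory cache queue of free cache spaces, process queue of full caches) as an added example; this is not the patent's code. The `Packet` record, its "in"/"out" port label, the capacity numbers and the constructed sample captures are my assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional


@dataclass
class Packet:
    port: str    # "in" or "out": the intermediary port the copy was captured on (labelling assumed)
    raw: bytes   # captured bytes from the IP header onward


def is_ipv4_packet(raw: bytes) -> bool:
    """Format judgement (submodule 712): IPv4 version, a sane IHL and a total length that fits."""
    if len(raw) < 20:
        return False
    ihl = (raw[0] & 0x0F) * 4
    total_length = int.from_bytes(raw[2:4], "big")
    return raw[0] >> 4 == 4 and 20 <= ihl <= total_length <= len(raw)


class CapturePipeline:
    """Current cache + memory cache queue + process queue, as described for embodiment five."""

    def __init__(self, cache_capacity: int, cache_count: int) -> None:
        self.cache_capacity = cache_capacity
        # memory cache queue: the free cache spaces; one of them is taken as the current cache
        self.free_caches: Deque[List[Packet]] = deque([] for _ in range(cache_count))
        self.current: Optional[List[Packet]] = self.free_caches.popleft()
        # process queue: caches that filled up and now await the analysis thread
        self.process_queue: Deque[List[Packet]] = deque()
        self.dropped_malformed = 0
        self.dropped_no_cache = 0

    def capture(self, pkt: Packet) -> bool:
        """Submodules 712 to 715 for one captured packet; returns True if the packet was stored."""
        if not is_ipv4_packet(pkt.raw):
            self.dropped_malformed += 1          # submodule 714: not a detection target
            return False
        if self.current is None:
            self.dropped_no_cache += 1           # every cache space sits in the process queue
            return False
        self.current.append(pkt)                 # submodule 715
        if len(self.current) >= self.cache_capacity:
            # current cache is full: hand it to the process queue and take a fresh space if any
            self.process_queue.append(self.current)
            self.current = self.free_caches.popleft() if self.free_caches else None
        return True

    def next_packet_set(self) -> Optional[List[Packet]]:
        """Set acquisition (submodule 716) for the analysis thread: return the oldest full
        cache as a packet set and put its emptied space back into the memory cache queue."""
        if not self.process_queue:
            return None
        cache = self.process_queue.popleft()
        packet_set = list(cache)
        cache.clear()
        self.free_caches.append(cache)
        if self.current is None:                 # capture had stalled: resume with the freed space
            self.current = self.free_caches.popleft()
        return packet_set


# Constructed sample captures: two well-formed 20-byte IPv4 headers (the second with the TTL
# decremented), one header carrying version 6, and one truncated fragment.
SAMPLE_CAPTURES = [
    Packet("in", bytes.fromhex("45000014 00000000 40110000 0a000001 0a000002")),
    Packet("out", bytes.fromhex("45000014 00000000 3f110000 0a000001 0a000002")),
    Packet("in", bytes.fromhex("60000014 00000000 40110000 0a000001 0a000002")),
    Packet("in", bytes.fromhex("4500")),
]
```

With two cache spaces of capacity two, the fifth well-formed packet is dropped until `next_packet_set()` returns a space to the memory cache queue, which is the stall the description warns about.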
Referring to Fig. 9, a structural diagram of the packet comparison module 702 in embodiment six of the packet tampering detection apparatus provided by the application is shown. In this embodiment a stream table may be set in advance to store flow data. The packet comparison module 702 may include:
Packet selection submodule 721, for choosing a packet in the packet set as the current packet.
Identifier extraction submodule 722, for extracting the transmission identifier of the current packet.
As stated above, the transmission identifier does not change when a network intermediary device forwards the packet in the computer network, and the transmission identifier is unique to the current packet. The transmission identifier may include the source IP address information, destination IP address information, source port information and destination port information of the packet.
Flow data generation submodule 723, for generating, according to the transmission identifier, the current flow data corresponding to the current packet.
Here the current flow data may be the stream key corresponding to the current packet, which is formed from the source IP address, destination IP address, source port number and destination port number of the packet.
Target query submodule 724, for querying whether the stream table contains target flow data having the same transmission identifier as the current flow data; if so, it triggers the flow data comparison submodule 725, otherwise it triggers the stream creation submodule 726.
Flow data comparison submodule 725, for comparing the current flow data with the target flow data to obtain a comparison result, and triggering the comparison judgement submodule 727.
Here the flow data comparison submodule 725 comparing the current flow data with the target flow data specifically means comparing the respective flow data content of the current flow data and the target flow data to obtain a comparison result.
Stream creation submodule 726, for creating in the stream table a stream corresponding to the current flow data, and triggering the packet update submodule 728.
When the target query submodule 724 does not find in the stream table target flow data having the same transmission identifier as the current flow data, this shows that the packet corresponding to the current flow data has not been selected before; the stream creation submodule 726 then creates in the stream table a stream corresponding to the current flow data, so that the flow data of subsequently selected packets can be looked up against it.
Comparison judgement submodule 727, for judging whether the comparison result shows that the current flow data is consistent with the target flow data; if the comparison result shows that the current flow data is consistent with the target flow data, it triggers the packet update submodule 728, otherwise it triggers the packet preservation submodule 729.
Packet update submodule 728, for choosing, among the packets in the packet set not yet selected, the packet following the current packet as the new current packet, and triggering the identifier extraction submodule 722, until all packets in the packet set have been selected.
Packet preservation submodule 729, for saving the packet in the packet set corresponding to the inconsistent flow data.
In this embodiment the packet update submodule 728 chooses the next packet in the packet set as the current packet and triggers the identifier extraction submodule 722, forming a loop. Thus, until a packet with inconsistent flow data appears in the packet set, each packet in the packet set is selected in turn, and whenever the packet set contains a packet whose transmission identifier matches the selected packet, the two packets are compared to obtain a comparison result; when inconsistent flow data is found, the packet in the packet set corresponding to the inconsistent flow data is saved, which completes the detection of whether any packet in the packet set has been tampered with.
In a specific implementation, the stream table has a storage cap. That is, before the stream creation submodule 726 writes the current flow data to the stream table, this embodiment of the application needs to judge whether the stream table is already full; when the stream table is full, the stream creation submodule 726 creates a new stream in the stream table according to the current flow data and marks this new stream as a waste stream.
It should be noted that each waste stream in the stream table may be given a stream time, which corresponds to the retention time of that waste stream in the stream table; when the stream time of a waste stream exceeds a preset time limit, the waste stream is deleted from the stream table.
Accordingly, after the target query submodule 724 finds in the stream table target flow data having the same transmission identifier as the current flow data, this embodiment of the application must judge whether this target flow data is a waste stream. When the target flow data is a waste stream, for a TCP flow in the stream table the stream state of the target flow data is re-recorded, and for a UDP flow it is checked whether the stream time of the target flow data exceeds the preset time limit; when it does, the target flow data is deleted and the packet update submodule 728 is triggered.
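The flow-table comparison of steps 502 to 508 above and of submodules 721 to 729 just described, as an added example that is not the patent's code. Assumptions of mine: the transmission identifier is the 4-tuple named in the description and packets are raw IPv4 bytes; "packet content" is the packet with the TTL and IP header checksum zeroed (the header fields a forwarder rewrites by protocol); the TCP/UDP handling of waste streams is my reading of the text, with an injectable clock so the stream-time limit can be exercised.

```python
import struct
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int]   # (src ip, dst ip, src port, dst port): the transmission identifier

@dataclass
class Packet:
    port: str    # "in" (ingress copy) or "out" (egress copy); labelling assumed, not from the patent
    raw: bytes   # captured bytes from the IPv4 header onward

@dataclass
class FlowEntry:
    content: bytes       # comparable content stored when the stream was created
    proto: int           # IP protocol number (6 TCP, 17 UDP)
    waste: bool          # created while the table was at its storage cap
    stream_time: float   # creation or last refresh time; consulted only for waste streams

def build_udp_packet(src: str, dst: str, sport: int, dport: int, data: bytes, ttl: int = 64) -> bytes:
    """Constructed sample input: minimal IPv4/UDP packet, checksums left at zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp

def transmission_id(raw: bytes) -> Tuple[FlowKey, int]:
    """Identifier extraction (submodule 722): the 4-tuple, plus the protocol number for the waste-stream rule."""
    ihl = (raw[0] & 0x0F) * 4
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])   # ports come first in both TCP and UDP headers
    return (src, dst, sport, dport), raw[9]

def comparable_content(raw: bytes) -> bytes:
    """Packet content for the comparison: TTL and IP header checksum, which a forwarder rewrites, zeroed."""
    hdr = bytearray(raw[:20])
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return bytes(hdr) + raw[20:]

class FlowTable:
    def __init__(self, max_entries: int, time_limit: float, now=time.monotonic) -> None:
        self.entries: Dict[FlowKey, FlowEntry] = {}
        self.max_entries = max_entries   # the storage cap
        self.time_limit = time_limit     # the preset stream-time limit (seconds)
        self.now = now                   # injectable clock so the limit can be tested

    def purge_expired(self) -> int:
        """Delete waste streams whose stream time has passed the limit; returns how many were deleted."""
        expired = [k for k, e in self.entries.items() if e.waste and self.now() - e.stream_time > self.time_limit]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def create(self, key: FlowKey, content: bytes, proto: int) -> FlowEntry:
        """Stream creation (submodule 726); when the table is at its cap the new stream is a waste stream."""
        full = len(self.entries) >= self.max_entries
        if full:
            self.purge_expired()
        entry = FlowEntry(content, proto, waste=full, stream_time=self.now())
        self.entries[key] = entry
        return entry

def detect_tampering(packet_set: List[Packet], table: FlowTable) -> Tuple[bool, List[Packet]]:
    """Walk the packet set as in Fig. 9; returns (tampered?, saved packets whose content differed)."""
    saved: List[Packet] = []
    for pkt in packet_set:                      # submodules 721/728: the next packet becomes current
        key, proto = transmission_id(pkt.raw)
        current = comparable_content(pkt.raw)
        target = table.entries.get(key)         # submodule 724
        if target is None:
            table.create(key, current, proto)
            continue
        if target.waste:
            if proto == 6:                      # TCP: re-record the stream state
                target.stream_time = table.now()
            elif table.now() - target.stream_time > table.time_limit:
                del table.entries[key]          # UDP waste stream past its limit: delete it and move on
                continue
        if current != target.content:           # submodules 725/727: inconsistent content
            saved.append(pkt)                   # submodule 729
    return bool(saved), saved

def sample_packet_set() -> List[Packet]:
    """Constructed packet set: one flow forwarded unchanged (only the TTL decremented),
    one whose payload was altered between ingress and egress."""
    return [
        Packet("in", build_udp_packet("10.0.0.1", "10.0.0.2", 40000, 53, b"query", ttl=64)),
        Packet("in", build_udp_packet("10.0.0.3", "10.0.0.4", 5000, 6000, b"balance=100", ttl=64)),
        Packet("out", build_udp_packet("10.0.0.1", "10.0.0.2", 40000, 53, b"query", ttl=63)),
        Packet("out", build_udp_packet("10.0.0.3", "10.0.0.4", 5000, 6000, b"balance=999", ttl=63)),
    ]

if __name__ == "__main__":
    tampered, hits = detect_tampering(sample_packet_set(), FlowTable(max_entries=1024, time_limit=30.0))
    print("tampered:", tampered, [transmission_id(p.raw)[0] for p in hits])
```

Because the stream key is only the 4-tuple, every later packet of the same flow is compared against the first copy stored, so two different datagrams of one UDP flow would also register as inconsistent; a deployment would narrow the key (for instance with the IP identification field) or consume an entry once its egress copy has been matched.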
Referring to Fig. 10, a structural diagram of embodiment seven, a packet tampering detection system provided by the application, is shown. The system includes the packet tampering detection apparatus 1001 described in any of the above apparatus embodiments.
Each functional module in the packet tampering detection apparatus 1001 may be integrated in the same server, which then acts as the packet tampering detection apparatus: it obtains the set of packets flowing through the ingress port and the egress port of the network intermediary device, compares the packets having the same transmission identifier to obtain a comparison result, and generates a tampering detection result, achieving the purpose of the application.
It should be noted that when performing packet capture, the server may collect the packets by means of a capture card of the server.
Referring to Fig. 11, a structural diagram of embodiment eight, a packet tampering detection system provided by the application, is shown. The system may further include:
Display device 1002, for displaying the tampering detection result generated by the packet tampering detection apparatus 1001.
The display device 1002 may be implemented by a fixed terminal or a mobile terminal having a touch-screen display, or the like.
It should be noted that the display device 1002 may also be used to display statistical data such as the packet set collected by the packet tampering detection apparatus 1001.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the parts that are identical or similar the embodiments may be referred to one another.
Finally, it should also be noted that in this document relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprises", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or also includes elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises the element.
The packet tampering detection method, apparatus and system provided by the application have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the application, and the description of the above embodiments is only intended to help understand the method of the application and its core idea. At the same time, a person of ordinary skill in the art may, according to the idea of the application, make changes in both the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the application.

Claims (8)

1. A packet tampering detection method, characterised in that it is applied to a network intermediary device, the network intermediary device including an ingress port and an egress port, the method comprising:
obtaining a packet set, the packet set including packets flowing through the ingress port and the egress port;
comparing packets in the packet set whose transmission identifiers are consistent, to obtain a comparison result;
generating a tampering detection result according to the comparison result;
wherein a stream table is set in advance, and comparing the packets in the packet set whose transmission identifiers are consistent to obtain a comparison result includes:
choosing a packet in the packet set as the current packet;
extracting the transmission identifier of the current packet;
generating, according to the transmission identifier, the current flow data corresponding to the current packet;
querying whether the stream table contains target flow data having the same transmission identifier as the current flow data; if so, comparing the current flow data with the target flow data to obtain a comparison result, and judging whether the comparison result shows that the current flow data is consistent with the target flow data; if the comparison result shows that the current flow data is consistent with the target flow data, choosing, among the packets in the packet set not yet selected, the packet following the current packet as the current packet and returning to the step of extracting the transmission identifier of the current packet, until all packets in the packet set have been selected; if the comparison result shows that the current flow data is inconsistent with the target flow data, saving the packet in the packet set corresponding to the inconsistent flow data;
if the stream table is not found to contain target flow data having the same transmission identifier as the current flow data, creating in the stream table a stream corresponding to the current flow data, choosing, among the packets in the packet set not yet selected, the packet following the current packet as the current packet, and returning to the step of extracting the transmission identifier of the current packet, until all packets in the packet set have been selected.
2. The method according to claim 1, characterised in that a current cache is set in advance, wherein obtaining the packet set includes:
collecting the packets flowing through the ingress port and the egress port;
judging whether the collected packet conforms to a preset IP packet format; if so, judging whether the current cache contains free storage space, otherwise discarding the packet and returning to the step of collecting the packets flowing through the ingress port and the egress port;
if the current cache contains free storage space, inserting the packet into the current cache and returning to the step of collecting the packets flowing through the ingress port and the egress port; otherwise, obtaining the packets in the current cache combined into a packet set and emptying the current cache.
3. The method according to claim 1 or 2, characterised in that the transmission identifier includes the source IP address information, destination IP address information, source port information and destination port information of the packet.
4. A packet tampering detection apparatus, characterised in that it is applied to a network intermediary device, the network intermediary device including an ingress port and an egress port, the apparatus comprising:
a packet acquisition module, for obtaining a packet set, the packet set including packets flowing through the ingress port and the egress port;
a packet comparison module, for comparing packets in the packet set whose transmission identifiers are consistent, to obtain a comparison result;
a detection result generation module, for generating a tampering detection result according to the comparison result;
wherein a stream table is set in advance, and the packet comparison module includes:
a packet selection submodule, for choosing a packet in the packet set as the current packet;
an identifier extraction submodule, for extracting the transmission identifier of the current packet;
a flow data generation submodule, for generating, according to the transmission identifier, the current flow data corresponding to the current packet;
a target query submodule, for querying whether the stream table contains target flow data having the same transmission identifier as the current flow data; if so, triggering the flow data comparison submodule, otherwise triggering the stream creation submodule;
a flow data comparison submodule, for comparing the current flow data with the target flow data to obtain a comparison result, and triggering the comparison judgement submodule;
a stream creation submodule, for creating in the stream table a stream corresponding to the current flow data, and triggering the packet update submodule;
a comparison judgement submodule, for judging whether the comparison result shows that the current flow data is consistent with the target flow data; if the comparison result shows that the current flow data is consistent with the target flow data, triggering the packet update submodule, otherwise triggering the packet preservation submodule;
a packet update submodule, for choosing, among the packets in the packet set not yet selected, the packet following the current packet as the current packet, and triggering the identifier extraction submodule, until all packets in the packet set have been selected;
a packet preservation submodule, for saving the packet in the packet set corresponding to the inconsistent flow data.
5. The apparatus according to claim 4, characterised in that a current cache is set in advance, wherein the packet acquisition module includes:
a packet capture submodule, for collecting the packets flowing through the ingress port and the egress port;
a format judgement submodule, for judging whether the collected packet conforms to a preset IP packet format; if so, triggering the idle judgement submodule, otherwise triggering the packet discard submodule;
an idle judgement submodule, for judging whether the current cache contains free storage space; if so, triggering the packet insertion submodule, otherwise triggering the set acquisition submodule;
a packet discard submodule, for discarding the packet and triggering the packet capture submodule to collect again the packets flowing through the ingress port and the egress port;
a packet insertion submodule, for inserting the packet into the current cache and triggering the packet capture submodule to collect again the packets flowing through the ingress port and the egress port;
a set acquisition submodule, for obtaining the packets in the current cache combined into a packet set and emptying the current cache.
6. The apparatus according to claim 4 or 5, characterised in that the transmission identifier includes the source IP address information, destination IP address information, source port information and destination port information of the packet.
7. A packet tampering detection system, characterised in that it includes the packet tampering detection apparatus according to any one of claims 4 to 6.
8. The system according to claim 7, characterised in that it further includes:
a display device, for displaying the tampering detection result generated by the packet tampering detection apparatus.
CN201310625582.8A 2013-11-28 A kind of packet altering detecting method, Apparatus and system Active CN103595590B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310625582.8A CN103595590B (en) 2013-11-28 A kind of packet altering detecting method, Apparatus and system

Publications (2)

Publication Number Publication Date
CN103595590A CN103595590A (en) 2014-02-19
CN103595590B true CN103595590B (en) 2016-11-30

Family

ID=

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101247289A (en) * 2008-03-17 2008-08-20 中兴通讯股份有限公司 Test method and device for forwarding performance of Ethernet switchboard high speed port
CN101599808A (en) * 2008-06-03 2009-12-09 华为技术有限公司 A kind of cross board method of testing, system and chip
CN202143054U (en) * 2011-06-15 2012-02-08 中国人民解放军海军军训器材研究所 Compression and coding device for maritime training information
CN102472773A (en) * 2010-04-23 2012-05-23 松下电器产业株式会社 Detection device and detection system
CN102609645A (en) * 2012-01-19 2012-07-25 北京工业大学 Website data tampering preventing method based on network isolation structure
CN103108408A (en) * 2011-11-14 2013-05-15 无锡南理工科技发展有限公司 Security router orienting to a mobile Ad-Hoc network

Similar Documents

Publication Publication Date Title
KR101409921B1 (en) System and method for integrating line-rate application recognition in a switch asic
US8510830B2 (en) Method and apparatus for efficient netflow data analysis
CN1312892C (en) Method and apparatus for monitoring traffic in network
CN108701187A (en) Mixed hardware software distribution threat analysis
US7813350B2 (en) System and method to process data packets in a network using stateful decision trees
US20120182891A1 (en) Packet analysis system and method using hadoop based parallel computation
CN106060149A (en) Mobile internet mass data analysis and audit technical architecture
CN104579974B (en) The Hash Bloom Filter and data forwarding method of Name Lookup towards in NDN
CN104348716A (en) Message processing method and equipment
CN102307123A (en) NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic
CN105281973A (en) Webpage fingerprint identification method aiming at specific website category
CN106330584A (en) Identification method and identification device of business flow
CN102571946B (en) Realization method of protocol identification and control system based on P2P (peer-to-peer network)
CN106101011A (en) A kind of message processing method and device
CN105591914A (en) Openflow flow table look-up method and device
CN110324327A (en) User and server ip address caliberating device and method based on specific enterprise domain name data
EP3065343B1 (en) Network monitoring method and apparatus, and packet filtering method and apparatus
CN105959328A (en) Evidence graph and vulnerability reasoning combined network evidence collection method and system
CN113825129A (en) Industrial internet asset mapping method under 5G network environment
CN110011860A (en) Android application and identification method based on network traffic analysis
CN107733837A (en) Method for detecting abnormality and device based on application layer Network Abnormal message
CN105939328A (en) Method and device for updating network attack feature library
CN103595590B (en) A kind of packet altering detecting method, Apparatus and system
CN106375351B (en) A kind of method and device of abnormal domain name detection
CN106257867A (en) A kind of business recognition method encrypting flow and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200810

Address after: 41401-41406, 14th floor, unit 1, building 4, No. 966, north section of Tianfu Avenue, Chengdu hi tech Zone, Chengdu 610041

Patentee after: Chengdu Kelai Network Technology Co., Ltd

Address before: 610041 B6-7 building, Tianfu Software Park, 801 middle road Tianfu Road, Chengdu hi tech Zone, Sichuan

Patentee before: COLASOFT Co.,Ltd.

CP03 Change of name, title or address

Address after: 610041 12th, 13th and 14th floors, unit 1, building 4, No. 966, north section of Tianfu Avenue, Chengdu hi tech Zone, China (Sichuan) pilot Free Trade Zone, Chengdu, Sichuan

Patentee after: Kelai Network Technology Co.,Ltd.

Address before: 41401-41406, 14th floor, unit 1, building 4, No. 966, north section of Tianfu Avenue, Chengdu hi tech Zone, Chengdu Free Trade Zone, Sichuan 610041

Patentee before: Chengdu Kelai Network Technology Co.,Ltd.