Summary of the invention
The technical problem addressed by this application is to provide a packet tampering detection method, device and system, so as to solve the problem that the prior art cannot detect whether a network intermediate device tampers with the packets it forwards.
This application provides a packet tampering detection method applied to a network intermediate device that has an ingress port and an egress port. The method includes:
obtaining a packet set, the packet set including packets that flow through the ingress port and the egress port;
comparing the packets in the packet set whose transmission identifiers are the same, to obtain a comparison result; and
generating a tampering detection result according to the comparison result.
Optionally, a current cache is set in advance, and obtaining the packet set includes:
collecting packets that flow through the ingress port and the egress port;
judging whether a collected packet conforms to a preset IP packet format; if so, judging whether the current cache still has free storage space; otherwise, discarding the packet and returning to collecting packets that flow through the ingress port and the egress port;
if the current cache has free storage space, inserting the packet into the current cache and returning to collecting packets that flow through the ingress port and the egress port; otherwise, obtaining the packet set held in the current cache and emptying the current cache.
Optionally, a flow table is set in advance, and comparing the packets in the packet set whose transmission identifiers are the same to obtain a comparison result includes:
selecting one packet in the packet set as the current packet;
extracting the transmission identifier of the current packet;
generating, according to the transmission identifier, the current flow data corresponding to the current packet;
querying whether the flow table contains target flow data having the same transmission identifier as the current flow data; if so, comparing the current flow data with the target flow data to obtain a comparison result, and judging whether the comparison result indicates that the current flow data and the target flow data are consistent; if the comparison result indicates that they are consistent, selecting the next unselected packet in the packet set after the current packet as the current packet and returning to extracting the transmission identifier of the current packet, until every packet in the packet set has been selected; if the comparison result indicates that they are inconsistent, saving the packets in the packet set whose flow data are inconsistent;
if the flow table contains no target flow data having the same transmission identifier as the current flow data, creating in the flow table a flow corresponding to the current flow data, selecting the next unselected packet in the packet set after the current packet as the current packet, and returning to extracting the transmission identifier of the current packet, until every packet in the packet set has been selected.
Optionally, the transmission identifier includes the source IP address, destination IP address, source port and destination port of the packet.
This application also provides a packet tampering detection device applied to a network intermediate device that has an ingress port and an egress port. The device includes:
a packet acquisition module, for obtaining a packet set, the packet set including packets that flow through the ingress port and the egress port;
a packet comparison module, for comparing the packets in the packet set whose transmission identifiers are the same, to obtain a comparison result; and
a detection result generation module, for generating a tampering detection result according to the comparison result.
Optionally, a current cache is set in advance, and the packet acquisition module includes:
a packet collection submodule, for collecting packets that flow through the ingress port and the egress port;
a format judgment submodule, for judging whether a collected packet conforms to a preset IP packet format, and if so triggering the free-space judgment submodule, otherwise triggering the packet discarding submodule;
a free-space judgment submodule, for judging whether the current cache still has free storage space, and if so triggering the packet insertion submodule, otherwise triggering the set acquisition submodule;
a packet discarding submodule, for discarding the packet and triggering the packet collection submodule to collect packets that flow through the ingress port and the egress port again;
a packet insertion submodule, for inserting the packet into the current cache and triggering the packet collection submodule to collect packets that flow through the ingress port and the egress port again; and
a set acquisition submodule, for obtaining the packet set held in the current cache and emptying the current cache.
Optionally, a flow table is set in advance, and the packet comparison module includes:
a packet selection submodule, for selecting one packet in the packet set as the current packet;
an identifier extraction submodule, for extracting the transmission identifier of the current packet;
a flow data generation submodule, for generating, according to the transmission identifier, the current flow data corresponding to the current packet;
a target query submodule, for querying whether the flow table contains target flow data having the same transmission identifier as the current flow data, and if so triggering the flow data comparison submodule, otherwise triggering the flow creation submodule;
a flow data comparison submodule, for comparing the current flow data with the target flow data to obtain a comparison result and triggering the comparison judgment submodule;
a flow creation submodule, for creating in the flow table a flow corresponding to the current flow data and triggering the packet update submodule;
a comparison judgment submodule, for judging whether the comparison result indicates that the current flow data and the target flow data are consistent, and if so triggering the packet update submodule, otherwise triggering the packet saving submodule;
a packet update submodule, for selecting the next unselected packet in the packet set after the current packet as the current packet and triggering the identifier extraction submodule, until every packet in the packet set has been selected; and
a packet saving submodule, for saving the packets in the packet set whose flow data are inconsistent.
Optionally, the transmission identifier includes the source IP address, destination IP address, source port and destination port of the packet.
This application also provides a packet tampering detection system that includes the packet tampering detection device of any one of claims 5 to 8.
Optionally, the system further includes:
a display device, for displaying the tampering detection result generated by the packet tampering detection device.
It can be seen from the above that the packet tampering detection method, device and system provided by this application obtain the packets that flow through the ingress port and the egress port of a network intermediate device, combine them into a packet set of a certain size, compare the two packets in the packet set whose transmission identifiers are the same to obtain a comparison result, and generate a tampering detection result according to that comparison result. Because the packets that share a transmission identifier are the same packet before and after it was transmitted through the network intermediate device, this application compares the packet before and after transmission, obtains a tampering detection result from that comparison, and thereby detects whether the network intermediate device tampers with the packets it transmits, which is the purpose of this application.
Detailed description of the invention
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of this application without creative effort fall within the scope protected by this application.
Referring to Fig. 1, which is a flowchart of embodiment one of the packet tampering detection method provided by this application, the method is applied to a network intermediate device that has an ingress port and an egress port, and may include the following steps:
Step 101: obtain a packet set, the packet set including packets that flow through the ingress port and the egress port.
Here the network intermediate device may be a hub, switch or router connected in a computer network. The ingress port of the network intermediate device is the input port through which packets of the computer network enter the device, and the egress port is the output port through which data in the device is output to the computer network. For example, in Fig. 2, point A is the ingress port of the network intermediate device S and point B is its egress port; a packet in the computer network enters device S at point A and is output from device S at point B.
It should be noted that the packet set includes multiple packets, and that the packets that flow through the ingress port and the egress port in step 101 are the packets input into the network intermediate device through the ingress port together with the packets output from the network intermediate device through the egress port.
Step 102: compare two packets in the packet set whose transmission identifiers are the same, to obtain a comparison result.
Here the transmission identifier is identification information that distinguishes the packet. Each packet transmitted in a computer network carries a transmission identifier that serves as the identity of that packet, and the transmission identifier does not change when the network intermediate device forwards the packet.
In this embodiment, step 102 may be implemented as follows:
First, among the packets that flow through the ingress port and the egress port of the network intermediate device, the packets that share the same transmission identifier are extracted. That is, for a packet forwarded by the network intermediate device, the original packet before forwarding and the current packet after forwarding are both extracted; the original packet is then compared with the current packet to obtain a data comparison result.
It should be noted that the comparison result obtained in step 102 can be understood as the result of comparing the corresponding data content of the original packet and the current packet; it indicates whether the data of the original packet and the current packet are consistent.
Step 103: generate a tampering detection result according to the comparison result.
Step 103 may specifically be: parse the comparison result; if the comparison result indicates that the packet content of the original packet and the current packet is consistent, generate a tampering detection result stating that the network intermediate device has not tampered with the packet; if the comparison result indicates that the packet content of the original packet and the current packet is inconsistent, generate a tampering detection result stating that the network intermediate device has tampered with the packet.
It should be noted that the packet content means the data in the packet other than the transmission identifier, and that it excludes the modifications to the packet header that the network intermediate device makes when forwarding the packet, namely the modifications that the network transmission protocol defines for an intermediate device in a computer network (for an IPv4 router, decrementing the time-to-live field and recomputing the header checksum accordingly). Only a difference outside those protocol-defined fields is reported as tampering.
It can be seen from the above that embodiment one of the packet tampering detection method provided by this application obtains the packets that flow through the ingress port and the egress port of the network intermediate device, combines them into a packet set of a certain size, compares the two packets in the packet set whose transmission identifiers are the same to obtain a comparison result, and generates a tampering detection result according to that comparison result. Because the packets that share a transmission identifier are the same packet before and after it was transmitted through the network intermediate device, embodiment one compares the packet before and after transmission, obtains a tampering detection result from that comparison, and thereby detects whether the network intermediate device tampers with the packets it transmits, which is the purpose of this application.
It should be noted that, in a specific implementation, step 101 may collect the packets that flow through the ingress port and the egress port one after another and combine them into a packet set; during this process a current cache set in advance may serve as the storage for the collected packets. Referring to Fig. 3, which is a flowchart of step 101 in embodiment two of the packet tampering detection method provided by this application, step 101 may be implemented by the following steps:
Step 301: collect packets that flow through the ingress port and the egress port.
Collecting a packet in step 301 can be understood as collecting, at a given moment, a single packet that flows through the ingress port or the egress port.
Step 302: judge whether the collected packet conforms to the preset IP packet format; if so, perform step 303, otherwise perform step 304.
Here the preset IP packet format is the IPv4 packet format specified for computer networks. Judging in step 302 whether the format of the packet conforms to the IP packet format means judging whether the packet is a packet that conforms to the computer network protocol; when it is, step 303 is performed, otherwise step 304 is performed.
Step 303: judge whether the current cache still has free storage space; if so, perform step 305, otherwise perform step 306.
Step 304: discard the packet, and return to step 301 to continue collecting packets that flow through the ingress port and the egress port.
Discarding the packet in step 304 means that a packet that does not conform to the computer network protocol is not a target packet for tampering detection, so it is discarded and packets that flow through the ingress port and the egress port are collected again, until a collected packet conforms to the preset IP packet format, at which point step 303 is performed.
Step 305: insert the packet into the current cache, and return to step 301 to continue collecting packets that flow through the ingress port and the egress port.
Step 306: obtain the packet set held in the current cache and empty the current cache.
When step 303 finds that the current cache still has free storage space, the packet is placed in the current cache and collection of packets that flow through the ingress port and the egress port continues, until the current cache has no free storage space left. Therefore, when step 303 finds that the current cache has no free storage space, the current cache is full of packets, and the packets it holds are all packets input to and output from the network intermediate device over a period of time. At this point the packet set in the current cache is obtained and used as the object of comparison, and the subsequent steps 102 and 103 are performed: two packets in the packet set whose transmission identifiers are the same are compared to obtain a comparison result, and a tampering detection result is generated according to the comparison result, achieving the purpose of this embodiment.
In practice, when the amount of data forwarded (transmitted) by the network intermediate device over a period of time is large, a memory cache queue may be set in advance to make packet storage feasible. The memory cache queue includes multiple cache spaces, one of which serves as the current cache. When step 303 finds that the current cache is full, step 306 is implemented as follows:
First, the current cache is inserted, as a cache object, into a preset process queue; the process queue holds the cache objects that have been filled with packets. Then a cache space is taken from the memory cache queue as the new current cache, to store subsequently collected packets. At the same time an analysis event is set and a packet analysis thread is started. The packet analysis thread obtains the packet set in one cache object of the process queue, compares the two packets in that packet set whose transmission identifiers are the same to obtain a comparison result, and generates a tampering detection result according to the comparison result. After the packet set has been obtained, the cache object that held it is inserted back into the memory cache queue as a cache space, so that it can later serve as the current cache for newly collected packets again. This is shown in Fig. 4.
It should be noted that in the flow shown in Fig. 4 the collection in step 301 of packets that flow through the ingress port and the egress port is continuous. That is, this embodiment keeps collecting the packets that flow through the network intermediate device and inserts the collected packets into the current cache; when the current cache is full, it is inserted into the process queue, and subsequently collected packets are placed in a current cache newly chosen from the memory cache queue. If the memory cache queue has no cache space available to serve as the current cache, the packet is discarded and the method returns to step 301 to collect packets again; at this point a cache space is released only after a cache object in the process queue has been analyzed, and the released cache space is moved back into the memory cache queue for subsequent packet storage. While the process queue is being processed, this embodiment obtains the packet set of the cache object at the head of the process queue, compares the data in that packet set, and obtains a comparison result and a tampering detection result. It should be emphasized that when the packets flowing through the network intermediate device have been collected into the current cache and the current cache is full, the acquisition of one packet set is complete, so that the two packets in that packet set that have the same transmission identifier can be compared to obtain a comparison result and a tampering detection result, achieving the purpose of this embodiment.
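The following is an added example of the collection stage described in steps 301 to 306 and in the memory-cache-queue variant above; it is not code from this application. Packets are treated as opaque byte strings, the IPv4 format check of step 302 is reduced to a minimal header sanity check, and the analysis routine is passed in as a callback (assumed names throughout; standard library only).

```python
"""Added example: bounded packet collection with a current cache, a memory cache queue
of free caches and a process queue of full caches (not the application's own code)."""
import collections
import threading


def is_ipv4(raw: bytes) -> bool:
    """Step 302, minimal form: version nibble 4, IHL >= 5 and the declared total
    length must fit in the captured bytes. (Assumed check; the page only says
    'conforms to the IPv4 packet format'.)"""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return False
    ihl = (raw[0] & 0x0F) * 4
    total_len = int.from_bytes(raw[2:4], "big")
    return ihl >= 20 and len(raw) >= total_len >= ihl


class PacketCollector:
    """One 'current cache' holds up to `cache_size` packets. A full cache moves to
    the process queue and a free cache is taken from the memory cache queue, which
    holds `pool_size` caches in total. With no free cache, packets are dropped."""

    def __init__(self, cache_size: int, pool_size: int):
        self.cache_size = cache_size
        self.free_caches = collections.deque([] for _ in range(pool_size))  # memory cache queue
        self.process_queue = collections.deque()                             # filled caches
        self.current = self.free_caches.popleft()
        self.dropped_invalid = 0    # step 304
        self.dropped_overflow = 0   # no free cache space available
        self.analysis_event = threading.Event()  # the page's "analysis event"

    def collect(self, raw: bytes) -> None:
        """Steps 301 to 305 for a single captured packet."""
        if not is_ipv4(raw):
            self.dropped_invalid += 1
            return
        if self.current is None:
            if not self.free_caches:          # every cache is waiting for analysis
                self.dropped_overflow += 1
                return
            self.current = self.free_caches.popleft()
        self.current.append(raw)
        if len(self.current) == self.cache_size:       # step 303: no free space left
            self.process_queue.append(self.current)    # step 306: hand the set over
            self.current = self.free_caches.popleft() if self.free_caches else None
            self.analysis_event.set()

    def analyze_next(self, analyze) -> bool:
        """One iteration of the packet analysis thread: take a full cache, run
        `analyze` on a copy of its packet set, then return the emptied cache to the
        memory cache queue. Returns False when the process queue is empty."""
        if not self.process_queue:
            self.analysis_event.clear()
            return False
        cache = self.process_queue.popleft()
        analyze(list(cache))
        cache.clear()
        self.free_caches.append(cache)
        return True

    def run_analysis_thread(self, analyze, stop: threading.Event) -> threading.Thread:
        """Background analysis loop. deque append/popleft are atomic in CPython, and
        each queue has exactly one producer and one consumer, so no extra lock is needed."""
        def loop():
            while not stop.is_set():
                if not self.analyze_next(analyze):
                    self.analysis_event.wait(0.05)
        worker = threading.Thread(target=loop, daemon=True)
        worker.start()
        return worker
```

Calling `analyze_next` directly, as the test does, shows the hand-off deterministically; `run_analysis_thread` is the threaded form the description above refers to.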
Referring to Fig. 5, which is a flowchart of step 102 in embodiment three of the packet tampering detection method provided by this application, a flow table may be set in advance in this embodiment to store flow data. Step 102 may include the following steps:
Step 501: select one packet in the packet set as the current packet.
Step 502: extract the transmission identifier of the current packet.
As stated above, the transmission identifier is not changed when the network intermediate device forwards the packet in a computer network, and it identifies the current packet. The transmission identifier may include the source IP address, destination IP address, source port and destination port of the packet. Note that this identifier is carried by every packet of one connection, so the packets in a packet set that share it are the ingress and egress copies of the packets of that connection; a device that rewrites addresses or ports (address translation) changes the identifier itself and is outside the scope of this comparison.
Step 503: generate, according to the transmission identifier, the current flow data corresponding to the current packet.
The current flow data may be the flow key corresponding to the current packet, which is formed from the source IP address, destination IP address, source port number and destination port number of the packet.
Step 504: query whether the flow table contains target flow data having the same transmission identifier as the current flow data; if so, perform step 505, otherwise perform step 506.
Step 505: compare the current flow data with the target flow data to obtain a comparison result, and perform step 507.
Comparing the current flow data with the target flow data in step 505 specifically means comparing the current flow data with the corresponding flow data content of the target flow data, to obtain the comparison result.
Step 506: create in the flow table a flow corresponding to the current flow data, and perform step 508.
When step 504 does not find target flow data in the flow table having the same transmission identifier as the current flow data, the packet corresponding to the current flow data has not been selected before; a flow corresponding to the current flow data is therefore created in the flow table, so that it can be found when the flow data of a subsequently selected packet is looked up.
Step 507: judge whether the comparison result indicates that the current flow data and the target flow data are consistent; if so, perform step 508, otherwise perform step 509.
Step 508: select the next unselected packet in the packet set after the current packet as the current packet, and return to step 502, until every packet in the packet set has been selected.
Step 509: save the packets in the packet set whose flow data are inconsistent.
Step 508 selects the next packet in the packet set as the current packet and returns to step 502, forming a loop. Thus, until a packet with inconsistent flow data appears in the packet set, each packet in the packet set is selected in turn; whenever the packet set contains a packet whose transmission identifier is the same as that of the selected packet, the two packets are compared to obtain a comparison result, and when inconsistent flow data appear, the packets in the packet set whose flow data are inconsistent are saved. This completes the detection of whether the packets in one packet set have been tampered with.
In a specific implementation, the flow table has a storage capacity. That is, before the current flow data is written into the flow table in step 506, whether the flow table is already full is judged; when the flow table is full, a new flow is still created in the flow table according to the current flow data, and that new flow is marked as a discarded flow.
It should be noted that each discarded flow in the flow table is given a flow timer that records how long the discarded flow has remained in the flow table; when the timer of a discarded flow exceeds a preset time limit, the discarded flow is deleted from the flow table.
Accordingly, after step 504 finds target flow data in the flow table having the same transmission identifier as the current flow data, whether that target flow data is a discarded flow also needs to be judged. When the target flow data is a discarded flow, for a TCP flow the flow table re-records the flow state of the target flow data, and for a UDP flow whether the flow timer of the target flow data exceeds the preset time limit is checked; when it does, the target flow data is deleted and step 508 is performed, as shown in Fig. 6.
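The following is an added example that carries steps 101 to 103 and steps 501 to 509 through in working code; it is not code from this application. It parses raw IPv4/UDP or IPv4/TCP packets (no link-layer frame), derives the transmission identifier, blanks the two header fields an IPv4 router legitimately rewrites (TTL and header checksum) before comparing, and keeps a bounded flow table whose overflow entries are marked stale and aged out, in the spirit of the discarded-flow handling above. Two assumptions go beyond the text: the IPv4 Identification field is added to the page's four-field identifier so that two different packets of one connection are not compared with each other, and the stale-flow aging is applied uniformly rather than separately for TCP and UDP. All function and class names are this example's own.

```python
"""Added example: compare ingress and egress copies of packets keyed by a transmission
identifier and flag content changes (not the application's own code; stdlib only)."""
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, payload, ttl=64, ident=1):
    """Constructed sample packet: IPv4 header + UDP header + payload (UDP checksum left 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0, ttl,
                      IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_packet(raw: bytes):
    """Step 302 format check plus steps 502/503. Returns (transmission identifier,
    comparable content) or None for anything that is not well-formed IPv4 TCP/UDP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    if ihl < 20 or total_len < ihl + 4 or len(raw) < total_len \
            or proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    ident = struct.unpack("!H", raw[4:6])[0]
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    # Page's identifier is (src IP, dst IP, src port, dst port); the IPv4 Identification
    # field is added here (assumption) so distinct packets of one flow stay distinct.
    key = (raw[12:16], raw[16:20], sport, dport, ident)
    # Blank the fields a router rewrites per RFC 791 (TTL and the checksum that depends
    # on it) so ordinary forwarding is not reported as tampering.
    hdr = bytearray(raw[:ihl])
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return key, bytes(hdr) + raw[ihl:total_len]


class FlowTable:
    """Bounded flow table (steps 504/506). Flows created once `capacity` is reached are
    marked stale and are dropped on lookup after `max_age` (the page's discarded flows)."""

    def __init__(self, capacity=1024, max_age=30.0):
        self.capacity, self.max_age = capacity, max_age
        self.flows = {}  # key -> [comparable content, creation time, stale flag]

    def lookup(self, key, now):
        entry = self.flows.get(key)
        if entry is None:
            return None
        if entry[2] and now - entry[1] > self.max_age:
            del self.flows[key]  # stale flow whose timer exceeded the limit
            return None
        return entry[0]

    def create(self, key, content, now):
        self.flows[key] = [content, now, len(self.flows) >= self.capacity]


def detect_tampering(packet_set, table, now=0.0):
    """Steps 501 to 509 over one packet set: returns the indices of packets whose
    comparable content differs from the earlier copy with the same identifier."""
    tampered = []
    for index, raw in enumerate(packet_set):
        parsed = parse_packet(raw)
        if parsed is None:
            continue  # non-IP traffic was already discarded in step 304
        key, content = parsed
        target = table.lookup(key, now)
        if target is None:
            table.create(key, content, now)       # step 506
        elif target != content:
            tampered.append(index)                # step 509: keep the mismatch
    return tampered
```

Feeding the ingress copy and the egress copy of one packet to `detect_tampering` in a single packet set yields an empty list when only TTL and checksum changed, and the egress packet's index when any other byte changed.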
Referring to Fig. 7, which is a schematic structural diagram of embodiment four of the packet tampering detection device provided by this application, the device is applied to a network intermediate device that has an ingress port and an egress port, and may include:
Packet acquisition module 701, for obtaining a packet set, the packet set including packets that flow through the ingress port and the egress port.
Here the network intermediate device may be a hub, switch or router connected in a computer network. The ingress port of the network intermediate device is the input port through which packets of the computer network enter the device, and the egress port is the output port through which data in the device is output to the computer network. For example, in Fig. 2, point A is the ingress port of the network intermediate device S and point B is its egress port; a packet in the computer network enters device S at point A and is output from device S at point B.
It should be noted that the packet set includes multiple packets, and that the packets collected by the packet acquisition module 701 that flow through the ingress port and the egress port are the packets input into the network intermediate device through the ingress port together with the packets output from the network intermediate device through the egress port.
Packet comparison module 702, for comparing the packets in the packet set whose transmission identifiers are the same, to obtain a comparison result.
Here the transmission identifier is identification information that distinguishes the packet. Each packet transmitted in a computer network carries a transmission identifier that serves as the identity of that packet, and the transmission identifier does not change when the network intermediate device forwards the packet.
In this embodiment, the packet comparison module 702 may specifically be implemented as follows:
First, among the packets that flow through the ingress port and the egress port of the network intermediate device, the packets that share the same transmission identifier are extracted. That is, for a packet forwarded by the network intermediate device, the original packet before forwarding and the current packet after forwarding are both extracted; the original packet is then compared with the current packet to obtain a data comparison result.
It should be noted that the comparison result obtained by the packet comparison module 702 can be understood as the result of comparing the corresponding data content of the original packet and the current packet; it indicates whether the data of the original packet and the current packet are consistent.
Detection result generation module 703, for generating a tampering detection result according to the comparison result.
The detection result generation module 703 may specifically be implemented as follows: parse the comparison result; if the comparison result indicates that the packet content of the original packet and the current packet is consistent, generate a tampering detection result stating that the network intermediate device has not tampered with the packet; if the comparison result indicates that the packet content of the original packet and the current packet is inconsistent, generate a tampering detection result stating that the network intermediate device has tampered with the packet.
It should be noted that the packet content means the data in the packet other than the transmission identifier, and that it excludes the modifications to the packet header that the network intermediate device makes when forwarding the packet, namely the modifications that the network transmission protocol defines for an intermediate device in a computer network.
It can be seen from the above that embodiment four of the packet tampering detection device provided by this application obtains the packets that flow through the ingress port and the egress port of the network intermediate device, combines them into a packet set of a certain size, compares the two packets in the packet set whose transmission identifiers are the same to obtain a comparison result, and generates a tampering detection result according to that comparison result. Because the packets that share a transmission identifier are the same packet before and after it was transmitted through the network intermediate device, embodiment four compares the packet before and after transmission, obtains a tampering detection result from that comparison, and thereby detects whether the network intermediate device tampers with the packets it transmits, which is the purpose of this application.
It should be noted that, in a specific implementation, the packet acquisition module 701 may collect the packets flowing through the ingress port and the egress port one after another and combine them into a packet set; during this process a current cache may be pre-set as the carrier that stores the collected packets. Referring now to Fig. 8, which is a structural diagram of the packet acquisition module 701 in a packet tampering detection apparatus embodiment five provided by the application, the packet acquisition module 701 may include:
Packet capture submodule 711, configured to collect the packets flowing through the ingress port and the egress port.
Collecting a packet in the packet capture submodule 711 may be understood as collecting, at a given moment, a single packet flowing through the ingress port and the egress port.
Format judgment submodule 712, configured to judge whether the collected packet conforms to the preset IP packet format; if so, trigger the idle determination submodule 713; otherwise, trigger the packet discard submodule 714.
The preset IP packet format refers to the IPv4 packet format specified for computer networks. The format judgment submodule 712 judging whether the format of the packet conforms to the IP packet format means judging whether the packet is a packet that conforms to the computer network protocol; when the packet conforms to the computer network protocol, the idle determination submodule 713 is triggered; otherwise, the packet discard submodule 714 is triggered.
Idle determination submodule 713, configured to judge whether the current cache contains free storage space; if so, trigger the packet insertion submodule 715; otherwise, trigger the set acquisition submodule 716.
Packet discard submodule 714, configured to discard the packet and trigger the packet capture submodule 711 to collect again the packets flowing through the ingress port and the egress port.
The packet discard submodule 714 discarding the packet means that, when the packet does not conform to the computer network protocol, it is not used as a target packet for packet tampering detection and is therefore discarded, and the packets flowing through the ingress port and the egress port are collected again until a collected packet conforms to the preset IP packet format, whereupon the idle determination submodule 713 is triggered.
Packet insertion submodule 715, configured to insert the packet into the current cache and trigger the packet capture submodule 711 to collect again the packets flowing through the ingress port and the egress port.
Set acquisition submodule 716, configured to obtain the packet set in the current cache and empty the current cache.
When the idle determination submodule 713 judges that the current cache still contains free storage space, the packet insertion submodule 715 places the packet into the current cache, and the packet capture submodule 711 continues to collect the packets flowing through the ingress port and the egress port, until the current cache no longer contains free storage space. Therefore, when the idle determination submodule 713 judges that the current cache contains no free storage space, this indicates that the current cache has been filled with packets, and the packets stored in the current cache are all the packets input to and output from the network intermediary device over a period of time. At this point the set acquisition submodule 716 may obtain the packet set in the current cache, use this packet set as the object of data comparison, and trigger the packet comparison module 702 and the detection result generation module 703 to compare the two packets in the packet set whose transmission identifiers are consistent, obtain a comparison result, and generate a tampering detection result according to the comparison result, achieving the purpose of the embodiment of the application.
In practical applications, when the volume of data forwarded (transmitted) by the network intermediary device over a period of time is large, a memory cache queue may be pre-set in order to improve the feasibility of packet storage. The memory cache queue may include a plurality of cache spaces, one of which serves as the current cache. When the idle determination submodule 713 judges that the current cache is full, the set acquisition submodule 716 may specifically be implemented as follows: first, the current cache is inserted as a cache object into a preset process queue, which holds the cache objects that have been filled with packets; then a cache space is obtained from the memory cache queue to serve as the current cache for storing the subsequently collected packets; at the same time, an analysis event is set to start a packet analysis thread, which may be understood as obtaining the packet set in one cache object of the process queue, comparing the two packets in the packet set whose transmission identifiers are consistent to obtain a comparison result, and then generating a tampering detection result according to the comparison result. After the packet set has been obtained, the cache object corresponding to the obtained packet set is inserted back into the memory cache queue as a cache space, so that it can subsequently serve again as the current cache for storing collected packets.
It should be noted that the collection by the packet capture submodule 711 of the packets flowing to the ingress port and the egress port is persistent; that is, the embodiment of the application may continuously collect the packets flowing through the network intermediary device, insert the collected packets into the current cache, insert the current cache into the process queue when it is filled, and place the subsequently collected packets into the cache chosen from the memory cache queue as the new current cache. If no cache space that can serve as the current cache remains in the memory cache queue, the packet is discarded and the packet capture submodule 711 is triggered to acquire packets again; at this point a cache space can be released only after a cache object in the process queue has been analysed and processed, and the released cache space is moved back into the memory cache queue for subsequent packet storage. While processing the process queue, the embodiment of the application continuously obtains the packet set from the current cache that was placed in the process queue as a cache object, compares the data in this packet set, and obtains a comparison result and a tampering detection result. It should be emphasised that, once the packets flowing through the network intermediary device have been collected until the current cache is filled, the acquisition of one packet set is complete, whereupon the two packets in this packet set having the same transmission identifier are compared and a comparison result and a tampering detection result are obtained, achieving the purpose of the embodiment of the application.
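As an added example that is not part of the application, the following Python code models the acquisition arrangement of embodiment five together with the memory cache queue, process queue and analysis thread described in the two preceding passages: a pool of cache spaces, one of which serves as the current cache, a format check standing in for submodule 712, discarding when no free cache space remains, and release of a cache space back to the memory cache queue only after its packet set has been handed to analysis. The class and method names, the analysis callback and the sample frames are assumptions of the example; the analysis thread is run synchronously so that the behaviour is deterministic.

```python
from collections import deque


class PacketAcquisition:
    """Submodules 711-716 with the memory cache queue / process queue arrangement.
    Added illustration; names and structure are this example's own assumptions."""

    def __init__(self, cache_spaces: int, cache_capacity: int, analyze):
        # Memory cache queue: free cache spaces (each a list that holds packets).
        self.memory_cache_queue = deque([] for _ in range(cache_spaces))
        # Process queue: caches that have been filled and await the analysis thread.
        self.process_queue = deque()
        self.capacity = cache_capacity
        self.analyze = analyze            # callback run over each completed packet set
        self.current = self.memory_cache_queue.popleft()   # one space is the current cache
        self.dropped = 0
        self.results = []

    @staticmethod
    def conforms_to_ipv4(pkt: bytes) -> bool:
        """Format judgment (712): version nibble 4 and a plausible header length."""
        return len(pkt) >= 20 and pkt[0] >> 4 == 4 and (pkt[0] & 0x0F) >= 5

    def collect(self, pkt: bytes) -> str:
        """Packet capture path (711): one call per packet seen on the ingress or egress port."""
        if not self.conforms_to_ipv4(pkt):            # 712 -> discard (714)
            self.dropped += 1
            return "discarded: format"
        if self.current is not None and len(self.current) >= self.capacity:
            # Idle determination (713) found no free space: set acquisition (716)
            # hands the full cache to the process queue and tries to take a new one.
            self.process_queue.append(self.current)
            self.current = None
        if self.current is None:
            if not self.memory_cache_queue:
                self.dropped += 1                      # no cache space left: drop, keep capturing
                return "discarded: no free cache"
            self.current = self.memory_cache_queue.popleft()
        self.current.append(pkt)                       # insertion (715)
        return "cached"

    def run_analysis(self) -> int:
        """Body of the packet analysis thread, run synchronously here: obtain each
        packet set from the process queue, hand it to the comparison stage, then
        return the emptied cache space to the memory cache queue."""
        done = 0
        while self.process_queue:
            cache = self.process_queue.popleft()
            packet_set = list(cache)
            cache.clear()
            self.memory_cache_queue.append(cache)
            self.results.append(self.analyze(packet_set))
            done += 1
        return done


def run_demo() -> dict:
    """Constructed traffic: two cache spaces of three packets each, ten valid packets
    arriving before the analysis thread runs, plus one non-IPv4 frame."""
    acq = PacketAcquisition(cache_spaces=2, cache_capacity=3,
                            analyze=lambda packet_set: len(packet_set))
    ipv4 = [bytes([0x45]) + bytes(19) + b"pkt%02d" % i for i in range(10)]
    outcomes = [acq.collect(p) for p in ipv4]
    outcomes.append(acq.collect(b"\x60" + bytes(19)))   # IPv6-style version nibble: rejected by 712
    before = {"queued_caches": len(acq.process_queue), "dropped": acq.dropped}
    analysed = acq.run_analysis()                        # releases both cache spaces
    after = acq.collect(ipv4[0])
    return {"outcomes": outcomes, "before": before, "analysed": analysed,
            "set_sizes": list(acq.results), "after_release": after}
```

The `dropped` counter is worth exporting in a real deployment: a rising drop count means the analysis thread cannot keep up with the forwarding rate, and every dropped packet is one the detector never compares.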
Referring to Fig. 9, which is a structural diagram of the packet comparison module 702 in a packet tampering detection apparatus embodiment six provided by the application, in the embodiment of the application a flow table (stream table) may be pre-set to store flow data. The packet comparison module 702 may include:
Packet selection submodule 721, configured to select one packet in the packet set as the current packet.
Identifier extraction submodule 722, configured to extract the transmission identifier of the current packet.
As described above, the transmission identifier is not changed when the packet is forwarded by a network intermediary device in a computer network, and the transmission identifier is unique to the current packet. The transmission identifier may include the source IP address information, destination IP address information, source port information and destination port information of the packet.
Flow data generation submodule 723, configured to generate, according to the transmission identifier, the current flow data corresponding to the current packet.
The current flow data may be the flow key corresponding to the current packet, which is formed from the source IP address, destination IP address, source port number and destination port number of the packet.
Target query submodule 724, configured to query whether the flow table contains target flow data having the same transmission identifier as the current flow data; if so, trigger the flow data comparison submodule 725; otherwise, trigger the flow creation submodule 726.
Flow data comparison submodule 725, configured to compare the current flow data with the target flow data, obtain a comparison result, and trigger the comparison decision submodule 727.
The flow data comparison submodule 725 comparing the current flow data with the target flow data specifically means comparing the respective flow data contents of the current flow data and the target flow data to obtain a comparison result.
Flow creation submodule 726, configured to create in the flow table a flow corresponding to the current flow data, and trigger the packet update submodule 728.
When the target query submodule 724 does not find in the flow table target flow data having the same transmission identifier as the current flow data, this indicates that the packet corresponding to the current flow data has not been selected before; the flow creation submodule 726 then creates in the flow table a flow corresponding to the current flow data, so that the flow data corresponding to a subsequently selected packet can be looked up again.
Comparison decision submodule 727, configured to judge whether the comparison result indicates that the current flow data is consistent with the target flow data; if the comparison result indicates that the current flow data is consistent with the target flow data, trigger the packet update submodule 728; otherwise, trigger the packet saving submodule 729.
Packet update submodule 728, configured to select, from among the packets in the packet set that have not yet been selected, the packet following the current packet as the new current packet, and trigger the identifier extraction submodule 722, until all packets in the packet set have been selected.
Packet saving submodule 729, configured to save the packets in the packet set whose flow data is inconsistent.
The embodiment of the application selects the next packet in the packet set as the current packet through the packet update submodule 728 and triggers the identifier extraction submodule 722, forming a loop; thus, until a packet with inconsistent flow data appears in the packet set, each packet in the packet set is selected in turn, and whenever the packet set contains a packet whose transmission identifier is consistent with that of the selected packet, the two packets can be compared to obtain a comparison result. When inconsistent flow data occurs, the packets in the packet set corresponding to the inconsistent flow data are saved, completing the detection of whether the packets in one packet set have been tampered with.
In a specific implementation, the flow table is provided with a storage cap; that is, before the flow creation submodule 726 writes the current flow data to the flow table, the embodiment of the application needs to judge whether the flow table is already full. When the flow table is full, the flow creation submodule 726 creates a new flow in the flow table according to the current flow data and marks this new flow as a waste flow.
It should be noted that each waste flow in the flow table may be provided with a flow time, which corresponds to the retention time of the waste flow in the flow table; when the flow time of a waste flow exceeds a preset time limit, the waste flow is deleted from the flow table.
Accordingly, after the target query submodule 724 queries the flow table and finds target flow data having the same transmission identifier as the current flow data, the embodiment of the application needs to judge whether this target flow data is a waste flow. When the target flow data is a waste flow, for a TCP flow in the flow table the flow state of the target flow data is recorded again, and for a UDP flow it is checked whether the flow time of the target flow data exceeds the preset time limit; when the preset time limit is exceeded, the target flow data is deleted and the packet update submodule 728 is triggered.
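As an added example rather than code from the application, the following Python code puts the flow-table handling of embodiment six together: the per-packet loop of submodules 721 to 729, a storage cap under which newly created flows are marked as waste flows, a flow time used to expire waste flows, and the TCP/UDP distinction applied when a query hits a waste flow. The flow data content compared by submodule 725 is represented here as a digest of the packet payload, and refreshing the flow time as the "re-recorded state" of a TCP waste flow is an interpretation of the text; packets, names and time values are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet record: transmission identifier fields, transport
    protocol, payload and the time (seconds) at which it was collected."""
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    proto: str        # "TCP" or "UDP"
    payload: bytes
    ts: float


@dataclass
class Flow:
    key: tuple
    content: str      # flow data content recorded when the flow was created
    proto: str
    flow_time: float  # time of the last recorded state; drives waste-flow expiry
    waste: bool = False


def transmission_id(p: Packet) -> tuple:
    return (p.src_ip, p.dst_ip, p.sport, p.dport)


def flow_content(p: Packet) -> str:
    # Assumption: the flow data content compared by submodule 725 is a digest of
    # the packet payload; the application does not fix the representation.
    return hashlib.sha256(p.payload).hexdigest()


class FlowTable:
    def __init__(self, storage_cap: int, time_limit: float):
        self.flows = {}
        self.storage_cap = storage_cap
        self.time_limit = time_limit

    def query(self, key):
        return self.flows.get(key)                      # target query (724)

    def create(self, p: Packet) -> Flow:
        # Flow creation (726): once the table is full, the new flow is a waste flow.
        waste = len(self.flows) >= self.storage_cap
        flow = Flow(transmission_id(p), flow_content(p), p.proto, p.ts, waste)
        self.flows[flow.key] = flow
        return flow

    def delete(self, key):
        self.flows.pop(key, None)

    def expire_waste(self, now: float) -> int:
        """Housekeeping: drop waste flows whose flow time exceeded the preset limit."""
        stale = [k for k, f in self.flows.items()
                 if f.waste and now - f.flow_time > self.time_limit]
        for k in stale:
            del self.flows[k]
        return len(stale)


class PacketComparisonModule:
    """Submodules 721-729 driven over one packet set (added example, not the application's code)."""

    def __init__(self, table: FlowTable):
        self.table = table
        self.saved = []          # packets saved by submodule 729

    def compare_set(self, packet_set) -> list:
        results = []
        for p in packet_set:                        # 721 / 728: walk the set in order
            key = transmission_id(p)                # 722
            current = flow_content(p)               # 723
            target = self.table.query(key)          # 724
            if target is None:
                self.table.create(p)                # 726: first sighting of this identifier
                results.append((key, "created"))
                continue
            if target.waste:
                if target.proto == "TCP":
                    target.flow_time = p.ts         # TCP: re-record the flow state (interpretation)
                elif p.ts - target.flow_time > self.table.time_limit:
                    self.table.delete(key)          # UDP past the time limit: delete, move on
                    results.append((key, "expired"))
                    continue
            if current == target.content:           # 725 / 727
                results.append((key, "consistent"))
            else:
                self.saved.append(p)                # 729: keep the evidence of the mismatch
                results.append((key, "inconsistent"))
        return results


def run_demo() -> dict:
    """Constructed packet set: three ingress packets (the third lands in a full table),
    then their egress counterparts, one of which was altered in transit."""
    table = FlowTable(storage_cap=2, time_limit=30.0)
    module = PacketComparisonModule(table)
    a_in = Packet("10.0.0.5", "10.0.1.7", 40000, 443, "TCP", b"hello", 0.0)
    b_in = Packet("10.0.0.6", "10.0.1.7", 40001, 53, "UDP", b"query", 1.0)
    c_in = Packet("10.0.0.8", "10.0.1.9", 40002, 53, "UDP", b"late", 2.0)    # table full: waste flow
    a_out = Packet("10.0.0.5", "10.0.1.7", 40000, 443, "TCP", b"hello", 3.0)
    b_out = Packet("10.0.0.6", "10.0.1.7", 40001, 53, "UDP", b"qUery", 4.0)  # payload changed in transit
    c_out = Packet("10.0.0.8", "10.0.1.9", 40002, 53, "UDP", b"late", 60.0)  # waste flow past the limit
    results = module.compare_set([a_in, b_in, c_in, a_out, b_out, c_out])
    return {"results": [r[1] for r in results],
            "saved": [p.payload for p in module.saved],
            "waste_flows": sorted(k for k, f in table.flows.items() if f.waste),
            "flows_left": len(table.flows)}
```

The waste-flow path is the part to watch operationally: once the table is at its cap, packets of new flows are still admitted but only transiently, so a table sized too small for the device's real flow count silently reduces coverage rather than failing loudly.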
Referring to Fig. 10, which is a structural diagram of a packet tampering detection system embodiment seven provided by the application, the system includes the packet tampering detection apparatus 1001 described in any one of the above apparatus embodiments.
The functional modules of the packet tampering detection apparatus 1001 may be integrated in the same server, which may serve as the packet tampering detection apparatus to acquire the packet set flowing through the ingress port and the egress port of the network intermediary device, compare the packets having the same transmission identifier to obtain a comparison result, and then generate a tampering detection result, achieving the purpose of the application.
It should be noted that, when implementing packet capture, the server may collect the packets through its own packet capture facility.
Referring to Fig. 11, which is a structural diagram of a packet tampering detection system embodiment eight provided by the application, the system may further include:
Display device 1002, configured to display the tampering detection result generated by the packet tampering detection apparatus 1001.
The display device 1002 may be implemented by a fixed terminal or a mobile terminal having a touch-screen display or the like.
It should be noted that the display device 1002 may also be used to display statistical data such as the packet sets collected by the packet tampering detection apparatus 1001.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another.
Finally, it should also be noted that in this document relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The packet tampering detection method, apparatus and system provided by the application have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the application, and the explanation of the above embodiments is intended only to help understand the method of the application and its core idea. Meanwhile, a person of ordinary skill in the art may, according to the idea of the application, make changes in the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the application.