CN103888481A - Method and system for filtering DHCP data package of local area network - Google Patents

Method and system for filtering DHCP data packets of a local area network

Info

Publication number: CN103888481A (granted version: CN103888481B)
Authority: CN (China)
Application number: CN201410160521.3A
Original language: Chinese (zh)
Prior art keywords: packet, dhcp, dynamic host, host configuration, value
Inventor: 马俊
Original and current assignee: Heilongjiang University of Chinese Medicine
Legal status: granted; now expired (fee related)

Abstract

The invention discloses a method for filtering DHCP packets in a local area network. An intermediate layer between the network card driver and the protocol driver filters the network packets sent to the DHCP client; filtering comprises four steps: network packet collection, network packet screening, DHCP packet analysis and network packet processing. The DHCP packets are progressively separated from the packets sent to the DHCP client and analysed; legitimate packets sent by the designated DHCP server are accepted and packets sent by unauthorised DHCP servers are discarded, so that the DHCP client obtains its IP address only from the designated DHCP server and unauthorised servers are prevented from assigning it an address. The invention also discloses a system for filtering DHCP packets in a local area network.

Description

A LAN DHCP packet filtering method and system
Technical field
The present invention relates to computer application technology and computer network technology, and specifically to a DHCP packet filtering method and system for a local area network (LAN).
Background technology
DHCP (Dynamic Host Configuration Protocol) is a local network protocol by which a network administrator can centrally and automatically assign and reclaim the IP addresses of the DHCP clients on a LAN. It is widely used in large, medium and small LANs, and especially in large and medium ones such as campus networks and large enterprise networks, where the number of clients makes it practically impossible to assign an IP (Internet Protocol) address to every client by hand; dynamic address allocation by DHCP has therefore become the preferred solution.
However, the administrator of such a large or medium LAN generally knows only the legitimate DHCP servers on the network. Unauthorised DHCP servers, such as those set up privately by students in dormitories or laboratories or by employees in offices, are hard to account for, so a large or medium LAN often contains several legitimate and several unauthorised DHCP servers. A weakness of DHCP is that every client joining the LAN locates a server by broadcasting a DHCP DISCOVER packet. Every DHCP server that receives it responds, selecting an address not yet leased from its own address pool and sending it to the requesting client in a DHCP OFFER packet. If the client receives offers from several servers it accepts, in practice, only the first one received, then broadcasts a DHCP REQUEST packet telling all DHCP servers on the LAN which server's address it has accepted; the other servers that receive the REQUEST reclaim the addresses they had just offered. This creates a problem: if the address the client accepts is not from the DHCP server it was meant to use, many things can go wrong. The client may be unable to reach the Internet, or unable to reach certain intranet resources, or it may be placed on an unsafe internal network where it is accessed without authorisation and its network traffic is intercepted and analysed.
How to make a DHCP client joining such a large or medium LAN obtain its IP address from the designated legitimate DHCP server, and filter out the addresses that unauthorised DHCP servers assign to it, is therefore a real and difficult problem facing the administrators of these networks. In fact, an intermediate-layer driver written to sit between the network card driver and the protocol driver can collect every LAN packet sent to the DHCP client, analyse the DHCP packets among them, accept the packets sent by the designated DHCP server and discard those sent by other, unauthorised DHCP servers.
Summary of the invention
The invention provides a LAN DHCP packet filtering method which, through four steps (network packet collection, network packet screening, DHCP packet analysis and network packet processing), analyses, judges and selects the DHCP packets sent to the DHCP client on the LAN, so that the client accepts the packets sent by the designated DHCP server and discards those sent by other, unauthorised DHCP servers. The invention also provides a LAN DHCP packet filtering system.
The present invention is achieved by the following technical solutions:
The invention provides a LAN DHCP packet filtering method comprising the following steps:
(1) Network packet collection: in the intermediate layer between the DHCP client's network card driver and protocol driver, intercept and capture all LAN packets sent to the local host, collecting each one in turn. First allocate a memory buffer at least as large as the largest packet on the LAN to hold the captured packet, then zero the buffer, and finally copy the captured packet's contents into the buffer block by block.
(2) Network packet screening: first read the 13th and 14th bytes of the buffer (the Ethernet type field). If the 13th byte equals 8 and the 14th equals 0 (EtherType 0x0800), the packet is an IP packet. Then read the 24th byte of the buffer (the IP protocol field); if it equals 17, the IP packet is a UDP (User Datagram Protocol) packet. To locate the UDP header, the length of the IP header must now be computed (the original text calls this the length of the IP packet, but the value the formulas yield is the header length, as the worked example in the embodiment shows). It is given by the following two formulas:
a) $L_{ip} = \sum_{k=1}^{4} 2^{k+1}\,(x_k \bmod 2)$

b) $x_{k+1} = \dfrac{x_k - (x_k \bmod 2)}{2}, \quad k = 1, 2, 3$

In formulas a) and b), mod denotes the remainder of dividing two integers. In a), $L_{ip}$ is the IP header length in bytes, $k$ is a variable ranging over the four positive integers from 1 to 4, and $\sum$ sums the terms that follow it, the number of terms being the range of $k$. $x_1$ ($x_k$ for $k = 1$) is the value of the 15th byte of the buffer; $x_2$ is obtained by substituting $x_1$ into b), and likewise $x_3$ and $x_4$ are obtained by substituting $x_2$ and $x_3$ into b), in which $k$ ranges over the three positive integers from 1 to 3. Formula a) thus extracts the four low-order bits of the 15th byte (the IHL field) and multiplies their value by 4.
Finally, examine the bytes at buffer offsets $15+L_{ip}$, $16+L_{ip}$, $17+L_{ip}$ and $18+L_{ip}$ (the UDP source and destination ports). If the byte at offset $15+L_{ip}$ equals 0, the byte at $16+L_{ip}$ equals 67, the byte at $17+L_{ip}$ equals 0 and the byte at $18+L_{ip}$ equals 68, i.e. source port 67 and destination port 68, the UDP packet is a DHCP packet sent from a server to a client and proceeds to the next step of analysis; all other packets are passed directly to step (4).
(3) DHCP packet analysis: if the packet is a DHCP packet, first read the 27th, 28th, 29th and 30th bytes of the buffer (the IP source address) and check whether they equal, one by one, the four numbers separated by "." in the IP address of the DHCP server whose packets are to be accepted. If all four match, the DHCP packet was sent by the legitimate DHCP server; otherwise it was sent by an unauthorised DHCP server. The DHCP packet is then passed to step (4).
(4) Network packet processing: according to the judgements made in steps (2) and (3), accept the legitimate DHCP packets sent to the DHCP client and all packets of other types; the remaining, unauthorised DHCP packets are discarded immediately and are never received by the DHCP client. Finally release the buffer.
The present invention also provides a LAN DHCP packet filtering system. The system comprises a driver subsystem and an application subsystem. The driver subsystem comprises a network packet acquisition module, a network packet screening module, a DHCP packet analysis module, a network packet handling module and a communication processing module; the application subsystem comprises a lower-layer communication module, a DHCP server management module, a DHCP server binding management module, an IP address update module and a system interface module.
The network packet acquisition module intercepts and captures all LAN packets sent to the local host and collects and processes them one by one.
The network packet screening module classifies the collected packets, separates out the DHCP packets, and passes packets of other types to the network packet handling module for processing.
The DHCP packet analysis module analyses the screened DHCP packets, identifies those sent to the local host by the legitimate DHCP server, and passes the analysed DHCP packets to the network packet handling module for processing.
The network packet handling module processes the analysed packets: it accepts the packets sent to the local host by the legitimate DHCP server and the packets of other types sent to the local host, and discards the packets sent to the local host by unauthorised DHCP servers.
The communication processing module receives the information the upper-layer application sends to the intermediate layer and sends the intermediate layer's feedback to the upper-layer application.
The lower-layer communication module lets the upper-layer application send information to the intermediate-layer driver and obtain the information it needs from it, and can display in real time the DHCP packets that have been discarded.
The DHCP server management module manages the list of legitimate DHCP servers, with four functions: insert a DHCP server record, delete a DHCP server record, clear the DHCP server list and save the DHCP server list.
The DHCP server binding management module binds the currently designated legitimate DHCP server and sends its information through the lower-layer communication module to the intermediate-layer driver as the DHCP packet filtering rule; it can also unbind the DHCP server, allowing the DHCP client to receive all DHCP packets on the LAN.
The IP address update module, after the designated legitimate DHCP server has been changed, clears the DHCP client's current IP address and updates it to the address assigned by the new DHCP server.
The system interface module generates the operating interface of the upper-layer application, the display of each component in the interface, and the input and output of data in each component.
Compared with existing techniques, the advantage of the invention is that all the functional modules involved in DHCP packet filtering run, as a driver, in the intermediate layer between the network card driver and the protocol driver rather than in the application layer of the system; the application running in the application layer only manages the driver and does not take part in DHCP packet filtering directly. Every packet sent to the DHCP client can therefore be collected and analysed one by one, so the DHCP packets are screened and filtered accurately, without omission and with high execution efficiency: unauthorised DHCP packets sent to the local host are reliably filtered out, and legitimate DHCP packets sent to the local host are captured and accepted in time.
Description of the drawings
Fig. 1 is a schematic diagram of a LAN DHCP packet filtering method provided by the present invention;
Fig. 2 is a functional block diagram of a LAN DHCP packet filtering system provided by the present invention;
Fig. 3 is a network packet filtering workflow diagram of a LAN DHCP packet filtering system provided by the present invention.
Embodiment
As shown in Fig. 1, the main idea of the LAN DHCP packet filtering method of the present invention is to intercept, in the intermediate layer between the DHCP client's network card driver and protocol driver, all LAN packets sent to the local host, pick out the DHCP packets among them, and check whether each DHCP packet was sent by the legitimate DHCP server; if not, the packet is discarded, while all other packets are passed through normally and received by the DHCP client. The method comprises the following steps:
(1) Network packet collection: in the intermediate layer between the DHCP client's network card driver and protocol driver, intercept and capture all LAN packets sent to the local host, collecting each one in turn. First allocate a memory region of fixed size as a buffer for the captured packet; the size may be at least the length of the largest packet on the LAN, for example 2048 bytes. Define a pointer pPacketBuffer to this buffer, zero the buffer it points to, and finally copy the captured packet's contents block by block into the buffer pointed to by pPacketBuffer, where it awaits screening in the next step.
(2) Network packet screening: first examine the Ethernet header, stored in the first 14 bytes of the buffer pointed to by pPacketBuffer. Read the 13th and 14th bytes, i.e. the values of pPacketBuffer[12] and pPacketBuffer[13]; these two bytes give the type of the upper-layer protocol carried by the Ethernet frame. If the 13th byte equals 8 and the 14th byte equals 0 (EtherType 0x0800), the Ethernet frame is an IP packet. Because DHCP packets are encapsulated in UDP packets, and UDP packets in IP packets, the IP packets picked out here are analysed further.
Then read the 24th byte of the buffer pointed to by pPacketBuffer, i.e. the value of pPacketBuffer[23], which gives the upper-layer protocol of the IP packet; if it equals 17, the IP packet is a UDP packet. Since the IP header is of variable length, the IP header length must be computed before the IP packet can be analysed further (the original text calls this the length of the IP packet, but the value computed is the header length, as the worked example below shows). The header length is encoded in the first byte of the IP header, so it can be obtained from the following two formulas:
a) $L_{ip} = \sum_{k=1}^{4} 2^{k+1}\,(x_k \bmod 2)$

b) $x_{k+1} = \dfrac{x_k - (x_k \bmod 2)}{2}, \quad k = 1, 2, 3$

In formulas a) and b), mod denotes the remainder of dividing two integers. In a), $L_{ip}$ is the IP header length in bytes, $k$ is a variable ranging over the four positive integers from 1 to 4, and $\sum$ sums the terms that follow it, the number of terms being the range of $k$. $x_1$ ($x_k$ for $k = 1$) is the value of the 15th byte of the buffer pointed to by pPacketBuffer, i.e. pPacketBuffer[14], the version/header-length byte of the IP packet; $x_2$ is obtained by substituting $x_1$ into b), and likewise $x_3$ and $x_4$ are obtained by substituting $x_2$ and $x_3$ into b), in which $k$ ranges over the three positive integers from 1 to 3.
For example, when pPacketBuffer[14], the header-length byte of the IP packet, equals 69, formula a) expands to:

c) $L_{ip} = 2^2 (x_1 \bmod 2) + 2^3 (x_2 \bmod 2) + 2^4 (x_3 \bmod 2) + 2^5 (x_4 \bmod 2)$

Since $x_1 = 69$, substituting it into b) gives $x_2 = 34$; substituting $x_2$ into b) gives $x_3 = 17$; substituting $x_3$ into b) gives $x_4 = 8$. Substituting the four values into c):

$L_{ip} = 2^2 (69 \bmod 2) + 2^3 (34 \bmod 2) + 2^4 (17 \bmod 2) + 2^5 (8 \bmod 2) = 2^2 + 2^4 = 20$

Thus, when pPacketBuffer[14] equals 69 (0x45), the IP header is 20 bytes long.
Then examine the bytes at offsets $15+L_{ip}$, $16+L_{ip}$, $17+L_{ip}$ and $18+L_{ip}$ of the buffer pointed to by pPacketBuffer, i.e. the values of pPacketBuffer[14+L_ip], pPacketBuffer[15+L_ip], pPacketBuffer[16+L_ip] and pPacketBuffer[17+L_ip]. The first two bytes are the source port of the UDP packet and the last two its destination port. If pPacketBuffer[14+L_ip] equals 0, pPacketBuffer[15+L_ip] equals 67, pPacketBuffer[16+L_ip] equals 0 and pPacketBuffer[17+L_ip] equals 68, i.e. source port 67 and destination port 68, the UDP packet is a DHCP packet and proceeds to the next step of analysis; all other packets are passed directly to step (4).
(3) DHCP packet analysis: if the packet is a DHCP packet, first read the 27th, 28th, 29th and 30th bytes of the buffer pointed to by pPacketBuffer, i.e. the values of pPacketBuffer[26], pPacketBuffer[27], pPacketBuffer[28] and pPacketBuffer[29]. These four bytes are the source address of the DHCP packet, that is, the IP address of the DHCP server that sent it. Check whether they equal, one by one, the four numbers separated by "." in the IP address of the DHCP server whose packets are to be accepted. For example, if that server's address is "172.26.1.254", compare whether pPacketBuffer[26] equals 172, pPacketBuffer[27] equals 26, pPacketBuffer[28] equals 1 and pPacketBuffer[29] equals 254. If all four match, the DHCP packet was sent by the legitimate DHCP server; otherwise it was sent by an unauthorised DHCP server. The DHCP packet is then passed to step (4).
(4) Network packet processing: according to the judgements made in steps (2) and (3), accept the legitimate DHCP packets sent to the DHCP client and all packets of other types and pass them on to the protocol driver; the remaining, unauthorised DHCP packets are discarded immediately and are never received by the DHCP client. Finally release the buffer pointed to by pPacketBuffer.
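Steps (1) to (4) above, and the same four steps in the Summary, as a runnable user-space C example. This is an added example and not the patent's intermediate-driver code: it works on a frame that has already been copied into a buffer, `struct filter_rule` is a stand-in for the page's FILTERRULE (its layout is assumed), and the sample frames are constructed inline as Ethernet/IPv4/UDP headers with the length and checksum fields left at zero, which this filter never reads. Two checks the text does not state are added: the frame must be long enough for every offset read from it, and the header length derived from the IHL byte must be at least 20, so a malformed frame cannot cause a read past the buffer. Note that matching the IP source address, as step (3) does, is not authentication: a rogue server that forges the bound server's address passes the check, offers forwarded by a DHCP relay agent carry the relay's source address rather than the server's, and 802.1Q-tagged frames (EtherType 0x8100 in bytes 13 and 14) fall through as "other" packets untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts of step (4). */
enum verdict { PASS_OTHER = 0, PASS_LEGAL_DHCP = 1, DROP_ROGUE_DHCP = 2 };

/* Hypothetical stand-in for the page's FILTERRULE (layout assumed). */
struct filter_rule {
    uint8_t server_ip[4];   /* Server_IP as four octets, e.g. 172.26.1.254 */
    int     server_bind;    /* Server_Bind: 1 = filter active, 0 = pass everything */
};

/* Formulas a) and b): L_ip from the version/IHL byte x1 (pPacketBuffer[14]).
 * The loop peels off the four low-order bits of x1 and weights them 4, 8, 16, 32,
 * which is the IHL field times 4, i.e. the IPv4 header length in bytes. */
int ip_header_len(uint8_t x1)
{
    unsigned x = x1, l_ip = 0;
    for (int k = 1; k <= 4; k++) {
        l_ip += (1u << (k + 1)) * (x % 2);  /* 2^(k+1) * (x_k mod 2) */
        x = (x - x % 2) / 2;                /* x_{k+1} */
    }
    return (int)l_ip;
}

/* Steps (2) to (4) for one captured frame of len bytes. */
enum verdict classify_frame(const uint8_t *buf, size_t len, const struct filter_rule *rule)
{
    if (!rule->server_bind)                 /* unbound: the client receives everything */
        return PASS_OTHER;
    if (len < 14 + 20 + 8)                  /* shorter than Ethernet + IPv4 + UDP headers */
        return PASS_OTHER;
    if (buf[12] != 0x08 || buf[13] != 0x00) /* bytes 13-14: EtherType 0x0800 = IPv4 */
        return PASS_OTHER;
    if (buf[23] != 17)                      /* byte 24: IP protocol 17 = UDP */
        return PASS_OTHER;
    int l_ip = ip_header_len(buf[14]);      /* byte 15: version/IHL */
    if (l_ip < 20 || (size_t)(14 + l_ip + 8) > len)
        return PASS_OTHER;                  /* malformed; the IP stack drops it anyway */
    const uint8_t *udp = buf + 14 + l_ip;   /* bytes 15+L_ip .. 18+L_ip: UDP ports */
    if (!(udp[0] == 0 && udp[1] == 67 && udp[2] == 0 && udp[3] == 68))
        return PASS_OTHER;                  /* not server (67) -> client (68) */
    /* Step (3): bytes 27-30 are the IP source address, i.e. the sending server. */
    return memcmp(buf + 26, rule->server_ip, 4) == 0 ? PASS_LEGAL_DHCP : DROP_ROGUE_DHCP;
}

/* Constructed frame: Ethernet + IPv4 (ihl_words * 4 bytes) + UDP + 4 payload bytes.
 * Length and checksum fields stay zero; the filter never reads them. */
static size_t build_frame(uint8_t *out, uint16_t ethertype, uint8_t proto,
                          const uint8_t src_ip[4], int ihl_words,
                          uint16_t sport, uint16_t dport)
{
    size_t ip_len = (size_t)ihl_words * 4, total = 14 + ip_len + 8 + 4;
    memset(out, 0, total);
    memset(out, 0xff, 6);                          /* broadcast destination MAC */
    out[12] = (uint8_t)(ethertype >> 8);
    out[13] = (uint8_t)ethertype;
    out[14] = (uint8_t)(0x40 | ihl_words);         /* version 4, IHL */
    out[23] = proto;
    memcpy(out + 26, src_ip, 4);                   /* source IP */
    memset(out + 30, 0xff, 4);                     /* destination IP 255.255.255.255 */
    uint8_t *udp = out + 14 + ip_len;
    udp[0] = (uint8_t)(sport >> 8); udp[1] = (uint8_t)sport;
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    return total;
}

/* Scenarios from the text: bound server 172.26.1.254, rogue server 192.168.1.254. */
enum verdict run_scenario(int which)
{
    static const uint8_t legal[4] = {172, 26, 1, 254}, rogue[4] = {192, 168, 1, 254};
    struct filter_rule rule = { {172, 26, 1, 254}, 1 };
    uint8_t frame[128];
    size_t n;
    switch (which) {
    case 0: n = build_frame(frame, 0x0800, 17, legal, 5, 67, 68); break;   /* legal OFFER */
    case 1: n = build_frame(frame, 0x0800, 17, rogue, 5, 67, 68); break;   /* rogue OFFER */
    case 2: n = build_frame(frame, 0x0800, 17, rogue, 6, 67, 68); break;   /* rogue, 24-byte IP header */
    case 3: n = build_frame(frame, 0x0800, 17, rogue, 5, 53, 5353); break; /* UDP but not DHCP */
    case 4: n = build_frame(frame, 0x0800, 6, rogue, 5, 67, 68); break;    /* TCP */
    case 5: n = build_frame(frame, 0x0800, 17, rogue, 5, 67, 68);          /* rogue, but unbound */
            rule.server_bind = 0; break;
    default: n = build_frame(frame, 0x0806, 0, rogue, 5, 0, 0); break;     /* ARP frame */
    }
    return classify_frame(frame, n, &rule);
}

int main(void)
{
    static const char *names[] = { "pass (other)", "pass (legal DHCP)", "drop (rogue DHCP)" };
    printf("IHL byte 0x45 -> L_ip = %d bytes\n", ip_header_len(0x45));
    for (int i = 0; i <= 6; i++)
        printf("scenario %d: %s\n", i, names[run_scenario(i)]);
    return 0;
}
```

Scenario 2 is the reason the text computes $L_{ip}$ at all: with a 24-byte IP header the UDP ports sit four bytes further into the frame, and a filter that assumed a fixed 20-byte header would read the wrong bytes and pass the rogue offer.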
The present invention also provides a LAN DHCP packet filtering system, whose functional block diagram is shown in Fig. 2. The system comprises a driver subsystem and an application subsystem. The driver subsystem comprises a network packet acquisition module, a network packet screening module, a DHCP packet analysis module, a network packet handling module and a communication processing module; the application subsystem comprises a lower-layer communication module, a DHCP server management module, a DHCP server binding management module, an IP address update module and a system interface module.
The network packet acquisition module runs in the intermediate layer. It intercepts and captures all LAN packets sent to the local host, collects and processes them one by one, and copies each processed packet into the fixed-length buffer allocated in memory, whose length is generally at least that of the largest packet on the network.
The network packet screening module runs in the intermediate layer. It analyses the values of the bytes at specified positions of the packet copied into the buffer, classifies the captured packets accordingly, separates out the DHCP packets, and passes packets of other types to the network packet handling module for processing.
The DHCP packet analysis module runs in the intermediate layer. It analyses the values of the bytes at specified positions of the screened DHCP packet held in the buffer, separates out the packets sent to the local host by the legitimate DHCP server, and passes the analysed DHCP packets to the network packet handling module for processing.
The network packet handling module runs in the intermediate layer. It processes the analysed packets: it accepts the packets sent to the local host by the legitimate DHCP server and the packets of other types sent to the local host, discards the packets sent to the local host by unauthorised DHCP servers, and releases the previously allocated buffer.
The communication processing module runs in the intermediate layer. It receives the information the upper-layer application sends to the intermediate layer and sends the intermediate layer's feedback to the upper-layer application. The information is stored in a user-defined structure of type FILTERRULE, defined as follows:
[Figure: definition of the FILTERRULE structure]
In this structure, member Header is the protocol name, Protocol the protocol type, Server_IP the DHCP server address, Server_Port the DHCP server port, Client_Port the DHCP client port and Server_Bind the binding state. The intermediate-layer driver uses the information in this structure as the rule for filtering the LAN packets sent to the DHCP client.
The lower-layer communication module lets the upper-layer application send information to the intermediate-layer driver and obtain the information it needs from it, and can display in real time, for reference, the information about discarded DHCP packets that the intermediate-layer driver sends to the upper-layer application.
The DHCP server management module manages the list of legitimate DHCP servers, with four functions: insert a DHCP server record, delete a DHCP server record, clear the DHCP server list and save the DHCP server list.
The DHCP server binding management module binds a server from the list of legitimate DHCP servers as the currently designated legitimate server and sends its information through the lower-layer communication module to the intermediate-layer driver. The intermediate-layer driver receives the information through the communication processing module and uses it as the rule for analysing and filtering DHCP packets; the communication processing module then sends an identical copy of the information back to the upper-layer application, so the application can check that the driver received the information it sent and received it correctly. The module can also unbind the current DHCP server, allowing the DHCP client to receive all DHCP packets on the LAN.
The IP address update module, after the designated legitimate DHCP server has been changed, creates a DHCP client IP address update thread that clears the client's current IP address and updates it to the address assigned by the new DHCP server.
The system interface module generates the operating interface of the upper-layer application, the display of each component in the interface, and the input and output of data in each component.
Fig. 3 is the network packet filtering workflow diagram of the system. The workflow for filtering the LAN packets sent to the DHCP client is described below by way of an example:
Since a LAN may contain several legitimate DHCP servers, and a DHCP client may need a different server to assign its address depending on which LAN or Internet resources it accesses, the addresses of all legitimate DHCP servers on the LAN are first entered through the system's upper-layer application, and the currently required legitimate server is selected and bound. The upper-layer application then creates a structure FilterRule of type FILTERRULE to hold the information of the currently bound legitimate DHCP server. For example, if the IP address of the bound server is "172.26.1.254", then in FilterRule the member Header equals the string "DHCP", Protocol equals 17, Server_IP equals the long integer obtained by converting the string "172.26.1.254", Server_Port equals 67, Client_Port equals 68 and Server_Bind equals 1.
The upper-layer application then sends the FilterRule structure to the intermediate-layer driver. On receiving it, the driver first empties the doubly linked list of system-defined LIST_ENTRY structures, then inserts the information from FilterRule as the head node of that list, and then forwards a copy of the FilterRule structure to the upper-layer application. On receiving it, the application compares each member with the FilterRule structure it sent, as a data check: if they are equal it reports that the DHCP server was bound successfully; if not, it reports that the data check failed and the binding failed. On a successful binding the upper-layer application creates a DHCP client IP address update thread, which clears the IP address currently configured on the DHCP client, waits for the bound legitimate DHCP server to assign an address to the local host and configures that address on the client; the application then releases the thread. If, after a successful binding, the user chooses to unbind, the upper-layer application sends an unbind message to the intermediate-layer driver, which on receiving it sets the member Server_Bind of the node in the LIST_ENTRY list to 0; the driver then no longer analyses or filters any packet sent to the DHCP client but accepts them all directly and passes them to the protocol driver.
Then, if the value of member Server_Bind in the node of the LIST_ENTRY doubly linked list held by the intermediate-layer driver equals 1, the driver uses the information stored in that node as its filtering rule and analyses and filters, one by one, the packets on the LAN that are addressed to the DHCP client. Working in order of priority, it separates out the IP packets among these packets, the UDP packets among the IP packets, and the DHCP packets among the UDP packets; it then analyses the separated DHCP packets to identify those sent to the DHCP client by the legitimate DHCP server. Packets sent to this host by the legitimate DHCP server are received, as are packets of every other type sent to this host, while packets sent to this host by illegitimate DHCP servers are discarded.
Finally, the intermediate-layer driver creates a structure DropPacket of type FILTERRULE and stores the relevant information from each discarded DHCP packet in the corresponding members of the DropPacket structure. For example, if the discarded DHCP packet was sent by the DHCP server "192.168.1.254", then in the DropPacket structure the value of member Header equals the string "DHCP", the value of member Protocol equals 17, the value of member Server_IP equals the long integer value obtained by converting the string "192.168.1.254", the value of member Server_Port equals 67, the value of member Client_Port equals 68, and the value of member Server_Bind may take any value. The intermediate-layer driver then sends the DropPacket structure to the upper-layer application, which, on receiving it, displays the information it contains, that is, the relevant information of the discarded DHCP packet, in real time and in a form the user can browse intuitively, for reference.
The above technical scheme is a preferred embodiment of the present invention and does not thereby limit the scope of the claims of the present invention; every equivalent transformation made using the specification and accompanying drawings of the present invention falls within the scope of patent protection of the present invention.

Claims (2)

1. A LAN DHCP packet filtering method, characterised in that it comprises the following steps:
(1) Network packet collection: in the intermediate layer between the network card driver and the protocol driver of the DHCP client, listen for and intercept all packets on the LAN that are sent to this host, and collect each packet one by one. First, allocate in memory a core buffer whose size is greater than or equal to the maximum packet length on the LAN to hold the intercepted packet, then zero the contents of the core buffer, and finally copy the contents of the intercepted packet block by block into the core buffer;
(2) Network packet screening: first read the values of the 13th and 14th bytes of the core buffer; if the value of the 13th byte equals 8 and the value of the 14th byte equals 0, the packet is an IP packet. Then read the value of the 24th byte of the core buffer; if the value of the 24th byte equals 17, the IP packet is a UDP packet. At this point the length of the IP packet must be calculated; the IP packet length is given by the following two formulas:
a) $$L_{ip} = \sum_{k=1}^{4} 2^{k+1}\,(x_k \bmod 2)$$
b) $$x_{k+1} = \frac{x_k - (x_k \bmod 2)}{2}, \quad k = 1, 2, 3$$
In formulas a) and b), mod denotes the remainder of dividing one number by another. In formula a), $L_{ip}$ denotes the length of the IP packet, k is a variable whose range is the four positive integers from 1 to 4, $\sum$ denotes summation of the term that follows it, and the number of summed terms is the range of the variable k; $x_k$ with k equal to 1, that is $x_1$, denotes the value of the 15th byte of the core buffer; $x_k$ with k equal to 2, that is $x_2$, is obtained by substituting the value of $x_1$ into formula b), and by analogy the values of $x_3$ and $x_4$ are obtained by substituting the values of $x_2$ and $x_3$ respectively into formula b); in formula b) the range of the variable k is the three positive integers from 1 to 3;
Finally, continue by checking the values of the bytes at offsets $15+L_{ip}$, $16+L_{ip}$, $17+L_{ip}$ and $18+L_{ip}$ in the core buffer: if the byte at offset $15+L_{ip}$ equals 0, the byte at offset $16+L_{ip}$ equals 67, the byte at offset $17+L_{ip}$ equals 0 and the byte at offset $18+L_{ip}$ equals 68, the UDP packet is a DHCP packet and proceeds to the next step of analysis; every other packet is submitted directly to step (4) to await processing.
(3) DHCP packet analysis: if the packet is a DHCP packet, first read the values of the 27th, 28th, 29th and 30th bytes of the core buffer and check whether these four byte values correspond one to one to the four numeric groups, separated by ".", of the IP address of the DHCP server whose packets are to be received; if they correspond one to one, the DHCP packet was sent by the legitimate DHCP server, otherwise it was sent by an illegitimate DHCP server. Finally, submit the DHCP packet to step (4) to await processing;
(4) Network packet processing: according to the analysis and judgement made on the packet in steps (2) and (3), receive the legitimate DHCP packets sent to the DHCP client and the packets of other types, and discard the remaining illegitimate DHCP packets immediately so that the DHCP client never receives them; finally release the core buffer.
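The screening and analysis steps (2) to (4) of claim 1, together with the FilterRule binding described earlier, as an added Python example that is not the patent's own driver code (none is shown on the page); the frame layout, helper names and the constructed sample frames are assumptions. Note that formulas a) and b) evaluate to four times the low nibble of the first IP header byte (the IHL field), i.e. the IP header length in bytes, which is exactly the offset needed to reach the UDP ports.

```python
import struct
from dataclasses import dataclass

@dataclass
class FilterRule:
    """Mirrors the FILTERRULE members named in the description (assumed layout)."""
    header: str = "DHCP"
    protocol: int = 17      # UDP
    server_ip: int = 0      # dotted quad converted to an unsigned 32-bit integer
    server_port: int = 67   # DHCP server port
    client_port: int = 68   # DHCP client port
    server_bind: int = 0    # 1 = bound (filter active), 0 = unbound

def ip_to_long(dotted: str) -> int:
    """Convert "a.b.c.d" to the long integer value the rule stores in Server_IP."""
    a, b, c, d = (int(p) for p in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def ip_header_length(x1: int) -> int:
    """Formulas a) and b): L_ip = sum_{k=1..4} 2^(k+1) * (x_k mod 2), with
    x_{k+1} = (x_k - x_k mod 2) / 2 and x_1 = the first IP header byte.
    The low four bits are the IHL field, so the result is IHL * 4 bytes."""
    l_ip, x = 0, x1
    for k in range(1, 5):
        l_ip += 2 ** (k + 1) * (x % 2)
        x = (x - x % 2) // 2
    return l_ip

def filter_frame(buf: bytes, rule: FilterRule) -> str:
    """Steps (2)-(4): "accept" or "drop" for one captured frame in the core buffer.
    Byte positions follow the claim (1-indexed), hence the -1 on each index."""
    if rule.server_bind != 1:          # unbound: everything goes to the protocol driver
        return "accept"
    if len(buf) < 34 or buf[13 - 1] != 8 or buf[14 - 1] != 0:
        return "accept"                # not IP: other type, received unchanged
    if buf[24 - 1] != 17:
        return "accept"                # IP but not UDP
    l_ip = ip_header_length(buf[15 - 1])
    udp = 15 + l_ip                    # 1-indexed position of the UDP header
    if len(buf) < udp - 1 + 8:
        return "accept"                # truncated: no UDP header to inspect
    ports = (buf[udp - 1], buf[udp], buf[udp + 1], buf[udp + 2])
    if ports != (0, rule.server_port, 0, rule.client_port):
        return "accept"                # UDP but not server(67) -> client(68)
    src_ip = int.from_bytes(buf[27 - 1:30], "big")   # bytes 27..30: source IP
    return "accept" if src_ip == rule.server_ip else "drop"

def build_frame(src_ip: str, sport: int, dport: int, payload: bytes = b"\x02" * 8) -> bytes:
    """Constructed sample frame: Ethernet + minimal IPv4 (IHL=5) + UDP, no checksums."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    src = bytes(int(p) for p in src_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0,
                         64, 17, 0, src, b"\xff\xff\xff\xff")
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return eth + ip_hdr + udp_hdr + payload
```

With a rule bound to "172.26.1.254", a 67-to-68 frame from that address is accepted, the same frame from "192.168.1.254" is dropped, and non-DHCP traffic from either passes untouched.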
2. A LAN DHCP packet filtering system, characterised in that it comprises two parts, a driver subsystem and an application subsystem. The driver subsystem comprises a network packet collection module, a packet screening module, a DHCP packet analysis module, a network packet processing module and a communication processing module; the application subsystem comprises a bottom-layer communication module, a DHCP server management module, a DHCP server binding management module, an IP address update module and a system interface module;
The network packet collection module listens for and intercepts all packets on the LAN that are sent to this host, and collects and processes the packets one by one;
The network packet screening module classifies and screens the collected packets, separates out the DHCP packets among them, and submits packets of other types to the network packet processing module to await processing;
The DHCP packet analysis module analyses and judges the screened DHCP packets, identifies those sent to this host by the legitimate DHCP server, and submits the analysed DHCP packets to the network packet processing module to await processing;
The network packet processing module processes the analysed packets: it receives the packets sent to this host by the legitimate DHCP server and the packets of other types sent to this host, and discards the packets sent to this host by illegitimate DHCP servers;
The communication processing module receives the information sent by the upper-layer application to the intermediate layer, and sends the feedback information of the intermediate layer to the upper-layer application;
The bottom-layer communication module lets the upper-layer application send information to the intermediate-layer driver, or obtain the required information from the intermediate-layer driver, and can display in real time the information of the DHCP packets that have been discarded;
The DHCP server management module manages the list of legitimate DHCP servers and provides four functions: inserting a DHCP server record, deleting a DHCP server record, emptying the DHCP server list and saving the DHCP server list;
The DHCP server binding management module binds the currently designated legitimate DHCP server and sends the DHCP server information, through the bottom-layer communication module, to the intermediate-layer driver as the rule for DHCP packet filtering; it can also unbind the DHCP server, allowing the DHCP client to receive all DHCP packets on the LAN;
The IP address update module, after the designated legitimate DHCP server has been changed, clears the current IP address of the DHCP client and updates it to the IP address assigned by the new DHCP server;
The system interface module generates the operation interface of the upper-layer application, the display of each component in the interface, and the input and output of data in each component.
Application CN201410160521.3A, priority date 2014-04-21, filing date 2014-04-21: A kind of LAN DHCP packet filtering method. Status: Expired - Fee Related. Granted as CN103888481B (en).


Publications (2)

Publication Number   Publication Date
CN103888481A         2014-06-25
CN103888481B         2016-09-28

Family

ID=50957199



Legal Events

Code   Title
C06    Publication
PB01   Publication
C10    Entry into substantive examination
SE01   Entry into force of request for substantive examination
C14    Grant of patent or utility model
GR01   Patent grant
CF01   Termination of patent right due to non-payment of annual fee (granted publication date: 20160928)