CN104113553A - Port state recognition method, device and system - Google Patents



Publication number
CN104113553A
Authority
CN
China
Prior art keywords
server
mac address
address
tcp
packet
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410367580.8A
Other languages
Chinese (zh)
Inventor
沈龙
常月
朱震
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Netlegend Technology (beijing) Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Netlegend Technology (beijing) Co Ltd
Secworld Information Technology Beijing Co Ltd
Application filed by Netlegend Technology (beijing) Co Ltd, Secworld Information Technology Beijing Co Ltd

Abstract

The invention discloses a port state recognition method, device and system. The port state recognition method includes: acquiring a TCP-SYN packet constructed in advance, wherein the TCP-SYN packet comprises a first MAC address and a service port parameter, the first MAC address is the MAC address of the server being identified, and the service port parameter is the parameter corresponding to a service port of the server being identified; transmitting the TCP-SYN packet to the server corresponding to the first MAC address, wherein that server returns a response packet after receiving the TCP-SYN packet, and the response packet comprises information reflecting the state of the service port corresponding to the service port parameter; receiving the response packet returned by the server corresponding to the first MAC address; and parsing the returned response packet to obtain the state of the service port corresponding to the service port parameter. The method, device and system solve the problem of low application service recognition efficiency and achieve the effect of improving application service recognition efficiency.

Description

Port state recognition method, device and system
Technical field
The present invention relates to the field of application service scanning, and in particular to a port state recognition method, device and system.
Background
Application service identification is one of the basic functions of network management and security management systems. A complete application service identification scanning function can provide rich technical support for the upper-layer functions of a management system, and it is widely applicable: for example, identification of host system services, Web services, database services and middleware services can all be based on this scanning function. In addition, future virtualization services, big data storage network services and the like can also be elastically extended on the basis of this scanning function.
Generally, the vendor development teams of management systems choose to implement application service identification on the basis of the Telnet protocol. This approach is versatile and efficient to develop: almost every application service port of the TCP protocol family can be distinguished using the Telnet protocol, and a developer can implement a complete Telnet protocol calling function without much code. However, this ease of implementation is accompanied by problems inherent in the Telnet protocol itself: application service identification is inefficient, firewalls cannot be traversed, and there is no possibility of flexible distributed implementation, all of which seriously limit the technical development of the application service identification function.
For the problem of low application service identification efficiency in the prior art, no effective solution has yet been proposed.
Summary of the invention
The main purpose of the present invention is to provide a port state recognition method, device and system, so as to solve the problem of low application service identification efficiency.
To achieve this purpose, according to one aspect of the present invention, a port state recognition method is provided. The port state recognition method according to the present invention comprises: obtaining a TCP-SYN packet built in advance, the TCP-SYN packet comprising a first MAC address and a service port parameter, wherein the first MAC address is the MAC address of the server being identified and the service port parameter is the parameter corresponding to a service port of the server being identified; sending the TCP-SYN packet to the server corresponding to the first MAC address, wherein the server corresponding to the first MAC address returns a response packet after receiving the TCP-SYN packet, the response packet comprising information reflecting the state of the service port corresponding to the service port parameter; receiving the response packet returned by the server corresponding to the first MAC address; and parsing the returned response packet to obtain the state of the service port corresponding to the service port parameter.
Further, the TCP-SYN packet comprises a second MAC address, wherein a first server sends the TCP-SYN packet to the server corresponding to the first MAC address, and a second server receives the response packet returned by the server corresponding to the first MAC address, wherein the first server and the second server are different servers and the second MAC address is the MAC address of the second server.
Further, sending the TCP-SYN packet to the server corresponding to the first MAC address comprises: starting a packet sending thread, the packet sending thread being used for address spraying of packets; calling the WinPcap plug-in from the packet sending thread; and sending the TCP-SYN packet to the server corresponding to the first MAC address through the WinPcap plug-in.
Further, the TCP-SYN packet also comprises a first IP address, a second MAC address and a second IP address, wherein the first IP address is the IP address of the server being identified, the second MAC address is the MAC address of the server that receives the response packet, and the second IP address is the IP address of the server that receives the response packet. Before the TCP-SYN packet built in advance is obtained, the port state recognition method further comprises: obtaining the first IP address, the second MAC address, the second IP address and the service port parameter; obtaining the first MAC address; and building the TCP-SYN packet with the first IP address, the second MAC address, the second IP address, the service port parameter and the first MAC address as formal parameters.
Further, obtaining the first MAC address comprises: building an ARP packet with the first IP address, the second MAC address and the second IP address as formal parameters; sending the ARP packet to the server corresponding to the first IP address, wherein that server returns an address response packet after receiving the ARP packet, the address response packet being a response packet containing the information of the first MAC address; and parsing the first MAC address from the address response packet.
To achieve this purpose, according to another aspect of the present invention, a port state recognition device is provided. The port state recognition device according to the present invention comprises: a first acquiring unit, for obtaining a TCP-SYN packet built in advance, the TCP-SYN packet comprising a first MAC address and a service port parameter, wherein the first MAC address is the MAC address of the server being identified and the service port parameter is the parameter corresponding to a service port of the server being identified; a sending unit, for sending the TCP-SYN packet to the server corresponding to the first MAC address, wherein the server corresponding to the first MAC address returns a response packet after receiving the TCP-SYN packet, the response packet comprising information reflecting the state of the service port corresponding to the service port parameter; a receiving unit, for receiving the response packet returned by the server corresponding to the first MAC address; and a parsing unit, for parsing the response packet to obtain the state of the service port corresponding to the service port parameter.
Further, the TCP-SYN packet comprises a second MAC address, wherein the sending unit comprises a first sending module, for making a first server send the TCP-SYN packet to the server corresponding to the first MAC address; and the receiving unit comprises a receiving module, for making a second server receive the response packet returned by the server corresponding to the first MAC address, wherein the first server and the second server are different servers and the second MAC address is the MAC address of the second server.
Further, the sending unit comprises: a starting module, for starting a packet sending thread, the packet sending thread being used for address spraying of packets; a calling module, for calling the WinPcap plug-in from the packet sending thread; and a second sending module, for sending the TCP-SYN packet to the server corresponding to the first MAC address through the WinPcap plug-in.
Further, the TCP-SYN packet also comprises a first IP address, a second MAC address and a second IP address, wherein the first IP address is the IP address of the server being identified, the second MAC address is the MAC address of the server that receives the response packet, and the second IP address is the IP address of the server that receives the response packet. The port state recognition device further comprises: a second acquiring unit, for obtaining the first IP address, the second MAC address, the second IP address and the service port parameter before the TCP-SYN packet built in advance is obtained; a third acquiring unit, for obtaining the first MAC address; and a building unit, for building the TCP-SYN packet with the first IP address, the second MAC address, the second IP address, the service port parameter and the first MAC address as formal parameters.
Further, the third acquiring unit comprises: a building module, for building an ARP packet with the first IP address, the second MAC address and the second IP address as formal parameters; a third sending module, for sending the ARP packet to the server corresponding to the first IP address, wherein that server returns an address response packet after receiving the ARP packet, the address response packet being a response packet containing the information of the first MAC address; and a parsing module, for parsing the first MAC address from the address response packet.
To achieve this purpose, according to another aspect of the present invention, a port state recognition system is provided. The port state recognition system according to the present invention comprises a first identifier, a second identifier and a server being identified, the first identifier and the second identifier being different servers. The first identifier is used for obtaining a TCP-SYN packet built in advance and sending the TCP-SYN packet to the server being identified, wherein the TCP-SYN packet comprises a first MAC address and a service port parameter, the first MAC address is the MAC address of the server being identified, and the service port parameter is the parameter corresponding to a service port of the server being identified. The server being identified is used for receiving the TCP-SYN packet and returning a response packet to the second identifier, the response packet comprising information reflecting the state of the service port corresponding to the service port parameter. The second identifier is used for receiving the response packet returned by the server being identified and parsing the returned response packet to obtain the state of the service port corresponding to the service port parameter.
According to the present invention, a TCP-SYN packet is sent to the server being identified in order to request the state information of its service port. After receiving the TCP-SYN packet, the server being identified returns a response packet that comprises information reflecting the state of the service port corresponding to the service port parameter. This response packet is received and parsed to obtain the state of the service port. Because the data structure of the TCP-SYN packet itself is relatively simple, and because, compared with service port identification over the Telnet protocol, no session needs to be established, the number of processing steps for service port identification is reduced. The method can cope with firewalls that block TCP sessions, performs application service discovery as broadly as possible, and effectively controls the data load, thereby solving the problem of low application service identification efficiency and achieving the effect of improving the efficiency of application service identification.
Brief description of the drawings
The accompanying drawings, which form a part of this application, are provided for a further understanding of the present invention. The schematic embodiments of the present invention and their description are used to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flow chart of the port state recognition method according to an embodiment of the present invention;
Fig. 2 is a network architecture diagram of the running environment of the port state recognition method according to an embodiment of the present invention;
Fig. 3 is a network architecture diagram of an optional running environment of the port state recognition method according to an embodiment of the present invention;
Fig. 4 is a module calling framework diagram of the port state recognition method according to an embodiment of the present invention;
Fig. 5 is a functional module relationship diagram according to an embodiment of the present invention; and
Fig. 6 is a schematic diagram of the port state recognition device according to an embodiment of the present invention.
Detailed description
It should be noted that, where no conflict arises, the embodiments in this application and the features in the embodiments may be combined with one another. The present invention is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
To enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and so on in the specification, the claims and the above drawings are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate for the purposes of the embodiments of the invention described herein. In addition, the terms "comprise" and "have" and any variants of them are intended to cover a non-exclusive inclusion: for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
An embodiment of the present invention provides a port state recognition method. The method can be used to identify host system services, Web services, database services and middleware services.
Fig. 1 is a flow chart of the port state recognition method according to an embodiment of the present invention. As shown in Fig. 1, the port state recognition method comprises the following steps:
Step S102: obtain a TCP-SYN packet built in advance. The TCP-SYN packet comprises a first MAC address and a service port parameter, wherein the first MAC address is the MAC address of the server being identified and the service port parameter is the parameter corresponding to a service port of the server being identified.
SYN (synchronize) is the handshake signal used when TCP/IP establishes a connection, and the TCP-SYN packet is the corresponding packet used for establishing the connection. The TCP-SYN packet comprises the first MAC address and the service port parameter, both of which are needed when the TCP-SYN packet is built. The first MAC address may comprise one MAC address or several MAC addresses, and the service ports corresponding to the service port parameter may be several service ports whose state needs to be recognized. The server being identified is the server on which port state recognition is to be performed.
The first MAC address used to build the TCP-SYN packet may be obtained by local lookup or by broadcast query. The service ports to be queried may be defined in advance: for example, the service ports that need port identification are entered in a device scan address list, and importing this list yields the service ports that need port identification. The first MAC address and the service port parameter correspond to each other: the service port is a port of the identified server corresponding to the first MAC address. The first MAC address may be called the destination MAC address.
Step S104: send the TCP-SYN packet to the server corresponding to the first MAC address. After receiving the TCP-SYN packet, the server corresponding to the first MAC address returns a response packet, which comprises information reflecting the state of the service port corresponding to the service port parameter.
After the TCP-SYN packet has been obtained, it is sent to the server being identified, that is, the server corresponding to the first MAC address, in order to request from this server the state of the service port to be queried. After receiving the TCP-SYN packet, the server returns a response packet containing information that reflects the state of the service port, so that the state of the service port can be parsed from the response packet.
Step S106: receive the response packet returned by the server corresponding to the first MAC address.
Step S108: parse the returned response packet to obtain the state of the service port corresponding to the service port parameter.
After the server corresponding to the first MAC address returns the response packet, the corresponding identifier receives it and parses it to obtain the state of the service port to be queried, wherein the state of the service port includes the open state.
Specifically, as shown in Fig. 2, the network deployment architecture is a centralized deployment, in which the main identifier is the server that performs application service scanning, and server A, server B, server C and server D are the servers being identified. After obtaining the TCP-SYN packet, the main identifier sends it to server A, server B, server C and server D. The TCP-SYN packet comprises the handshake signal SYN used when a TCP/IP connection is established and the service port number (PORT 80). When port PORT 80 exists on an identified server, for example server A and server C, the server returns a handshake response packet (SYN/ACK) to the main identifier; when port PORT 80 does not exist, for example on server B and server D, the server returns an RST message. The main identifier starts a response packet capture thread, captures the returned response packets and parses them to obtain the state information of the service port.
As shown in Fig. 3, the network deployment architecture is a distributed deployment, in which the main identifier is the server that performs application service scanning and is mainly used for sending the TCP-SYN packet. The TCP-SYN packet comprises the handshake signal SYN used when a TCP/IP connection is established and the service port number (PORT 80). Auxiliary identifier-1 and auxiliary identifier-2 are both used for receiving response packets or messages, and each communicates with the main identifier over a signalling channel. This architecture differs from the one shown in Fig. 2 in that the identifier that sends the TCP-SYN packet and the identifier that receives the response packet or message are different servers; the way packets are sent and received is the same as in Fig. 2 and is not repeated here.
According to the embodiment of the present invention, a TCP-SYN packet is sent to the server being identified in order to request the state information of its service port. After receiving the TCP-SYN packet, the server being identified returns a response packet that comprises information reflecting the state of the service port corresponding to the service port parameter. This response packet is received and parsed to obtain the state of the service port. Because the data structure of the TCP-SYN packet itself is relatively simple, and because, compared with service port identification over the Telnet protocol, no session needs to be established, the number of processing steps for service port identification is reduced. The method can cope with firewalls that block TCP sessions, performs application service discovery as broadly as possible, and effectively controls the data load, thereby solving the problem of low application service identification efficiency and achieving the effect of improving the efficiency of application service identification.
Preferably, the TCP-SYN packet comprises a second MAC address, wherein a first server sends the TCP-SYN packet to the server corresponding to the first MAC address, and a second server receives the response packet returned by the server corresponding to the first MAC address, wherein the first server and the second server are different servers and the second MAC address is the MAC address of the second server.
The second server may comprise one or more servers, and correspondingly the second MAC address may comprise one or more MAC addresses. The first server sends the TCP-SYN packet carrying the second MAC address to the server being identified, that is, the server corresponding to the first MAC address. After receiving the TCP-SYN packet, the server being identified sends a response packet to the second server corresponding to the second MAC address. The second server receives this response packet and parses it to obtain the service port state information of the server being identified.
In this embodiment of the present invention, the first server that sends the TCP-SYN packet and the second server that receives the response packet are different servers, which shows that the network deployment architecture of this embodiment is a distributed architecture.
Specifically, as shown in Fig. 3, the first server may be the main identifier and the second server comprises auxiliary identifier-1 and auxiliary identifier-2. The TCP-SYN packet comprises the second MAC address, and the first server sends the TCP-SYN packet to the servers corresponding to the first MAC address, namely server A, server B, server C, server D and so on shown in Fig. 3. After obtaining the TCP-SYN packet, the main identifier sends it to server A, server B, server C, server D and so on. The TCP-SYN packet comprises the handshake signal SYN used when a TCP/IP connection is established and the service port number (PORT 80). When port PORT 80 exists on an identified server, the server returns a handshake response packet (SYN/ACK) to an auxiliary identifier: for example, server A returns SYN/ACK to auxiliary identifier-1 and server C returns SYN/ACK to auxiliary identifier-2. When port PORT 80 does not exist, for example on server B and server D, the server returns an RST message. The main identifier starts a response packet capture thread, captures the returned response packets and parses them to obtain the state information of the service port.
According to this embodiment of the present invention, the first server sends the TCP-SYN packet, and the second server receives the response packet and parses it. Receiving and parsing response packets in a distributed architecture improves the efficiency of application service scanning and, at the same time, ensures that a large number of concurrent probe scans do not trigger false alarms from intrusion detection devices, so that the method works well in environments with layer-3 devices such as firewalls and intrusion detection.
In addition, by using the distributed architecture, the idea of heap spraying is borrowed for application service scanning. In the field of computer security, heap spraying is a technique that makes it easier for an exploit to achieve arbitrary code execution. In the microscopic memory environment of a computer (stack overflow techniques), heap spraying is an important means in the penetration testing field of countering ASLR (address space layout randomization). By comparison, in the macroscopic Ethernet environment of computers, IP-address-based spray scanning is likewise superior to traditional polling scan techniques. Within an extremely short time, the SYN scan packets for different IP addresses are all released into the network in a burst, which not only effectively increases the probability of a successful scan but also greatly shortens the overall overhead of the scanning process.
Preferably, sending the TCP-SYN packet to the server corresponding to the first MAC address comprises: starting a packet sending thread, the packet sending thread being used for address spraying of packets; calling the WinPcap plug-in from the packet sending thread; and sending the TCP-SYN packet to the server corresponding to the first MAC address through the WinPcap plug-in.
Windows packet capture, WinPcap for short, is a free, public network access system for the Windows platform. The purpose of the WinPcap project is to give win32 applications the ability to access the lower layers of the network.
A packet sending thread is started, which is used for address spraying of packets. Unlike the sending process of the Telnet protocol, the receiving and sending of packets are implemented as mutually independent processes. This effectively avoids both the waiting that network conditions cause in the Telnet protocol and the blocking call pattern of threads. The two engine threads can be deployed independently on different physical devices; for example, the packet sending thread can be deployed on a probe node device.
Techniques such as random TTL values, randomized Sleep intervals and dynamic adjustment of the packet payload are used so that packet sending effectively evades IDS (intrusion detection system) monitoring devices. By default, a fixed interval in milliseconds between the packets sent to each target can also be configured to control the sending rhythm.
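Whether the measures above go unnoticed depends on what the monitor keys on. As an added detection example (not part of the patent; the record layout, window, threshold and sample records are assumptions, and the records are constructed), the following counts the distinct destinations that received an uncompleted SYN from one source on one port within a window, a measure that uses neither the TTL nor the spacing of packets inside the window:

```python
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10
WINDOW_S = 5.0      # assumed sliding window, seconds
MIN_TARGETS = 10    # assumed fan-out threshold


def find_syn_sprays(records, window=WINDOW_S, min_targets=MIN_TARGETS):
    """records: iterable of (ts, src_ip, dst_ip, dst_port, tcp_flags, ttl).
    Returns sorted [(src_ip, dst_port, peak distinct half-open targets)]."""
    records = sorted(records)
    # Pass 1: handshakes the initiator went on to complete (ACK after its SYN).
    syn_seen, completed = set(), set()
    for _ts, src, dst, dport, flags, _ttl in records:
        key = (src, dst, dport)
        if flags & SYN and not flags & ACK:
            syn_seen.add(key)
        elif flags & ACK and not flags & SYN and key in syn_seen:
            completed.add(key)
    # Pass 2: sliding window over bare SYNs that never became a session.
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src, dst, dport, flags, _ttl in records:
        if not flags & SYN or flags & ACK or (src, dst, dport) in completed:
            continue
        q = windows[(src, dport)]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        peak[(src, dport)] = max(peak[(src, dport)], distinct)
    return sorted((s, p, n) for (s, p), n in peak.items() if n >= min_targets)


def sample_records():
    """Constructed flow records, not captured traffic."""
    recs = []
    # One source probing port 80 on 12 hosts with varied TTLs and uneven gaps.
    ttls = [64, 128, 255, 37, 91, 200, 64, 13, 180, 77, 242, 55]
    offsets = [0.00, 0.03, 0.31, 0.32, 0.90, 0.95, 1.40, 1.41, 1.43, 2.20, 2.21, 2.90]
    for i, (ttl, off) in enumerate(zip(ttls, offsets), start=1):
        recs.append((100.0 + off, "10.0.0.50", "10.0.1.%d" % i, 80, SYN, ttl))
    # A client that contacts the same 12 hosts but completes every handshake.
    for i in range(1, 13):
        t = 100.0 + i * 0.1
        server = "10.0.1.%d" % i
        recs.append((t, "10.0.0.7", server, 80, SYN, 64))
        recs.append((t + 0.01, server, "10.0.0.7", 51000 + i, SYN | ACK, 64))
        recs.append((t + 0.02, "10.0.0.7", server, 80, ACK, 64))
    return recs


if __name__ == "__main__":
    for src, port, n in find_syn_sprays(sample_records()):
        print("half-open SYN fan-out: %s -> port %d on %d hosts" % (src, port, n))
```

In the distributed deployment the source address in the SYN is that of the receiving identifier, so that is the address this check reports.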
Finally, packet address spraying requires the network interface card information and the packet bytecode information to be passed as parameters, and calls the sendPacket() function of WinPcap to complete the operation.
Calling the WinPcap plug-in comprises: activating the network interface card and configuring the timeout; receiving the packet bytecode array; and calling the WinPcap plug-in to perform the send.
Activating the network interface card and configuring the timeout: activating the network interface card is a fixed function call, of the form, for example:
Pcap.openlive()
Activating the network interface card and configuring the timeout requires passing information such as the network interface card information, the capture flag, the timeout configuration and the error code declaration.
Receiving the packet bytecode array: the received packet bytecode is in array form, which is the data form used when the packet was built in advance. The content of the array varies with the specific packet; there is no fixed order among the packets, and the encapsulation operations are performed in random order.
Calling the WinPcap plug-in to perform the send: since calling the WinPcap plug-in requires a localized implementation, the send is ultimately carried out by the sendPacket() function. A reference call may be implemented as follows:
Preferably, the TCP-SYN packet further comprises a first IP address, a second MAC address and a second IP address, where the first IP address is the IP address of the identified server, the second MAC address is the MAC address of the server that receives the response packet, and the second IP address is the IP address of the server that receives the response packet. Before the pre-built TCP-SYN packet is acquired, the port state recognition method further comprises: obtaining the first IP address, the second MAC address, the second IP address and the service port parameter; obtaining the first MAC address; and building the TCP-SYN packet using the first IP address, the second MAC address, the second IP address, the service port parameter and the first MAC address as formal parameters.
The second MAC address may be the MAC address of the main identifier shown in Fig. 3 or the MAC address of an auxiliary identifier. The MAC address of the main identifier may be called the local MAC address, and the MAC address of an auxiliary identifier may be called the source MAC address. The second IP address corresponds to the second MAC address: the IP address of the main identifier may be called the local IP address, and that of an auxiliary identifier the source IP address. The first IP address may be the IP segment in which the servers requiring port identification are located. The service ports to be queried can be predefined; for example, the service ports requiring port identification are entered into a device scan address list, and importing this list yields the service ports requiring port identification.
Specifically, the source (local) MAC address information can be obtained by calling the WinPcap network device interface to obtain the NIC devices of the local machine or of the designated source. If there are several NIC devices, the first is selected by default. After selection, the physical address of the NIC is obtained through the encapsulated getHardwareAddress() method.
The source (local) IP address information can likewise be obtained by calling the WinPcap network device interface to obtain the NIC devices of the local machine or of the designated source. If there are several NIC devices, the first is selected by default. After selection, the IP addresses bound to the NIC are obtained through the encapsulated getAddresses() method. The first IP address is selected by default and converted to a byte[] array for use in the subsequent encapsulation.
The first MAC address may be obtained by local lookup or by broadcast query.
To construct a single TCP-SYN packet instance, the source MAC address, source IP address, destination MAC address, destination IP address and destination service port must by default be passed in as formal parameters; the other parameters are loaded from the default attribute declarations, as defined in Table 1.
Table 1
After the instance is constructed, the parameters must be merged once by an explicit call. In accordance with the TCP/IP protocol stack specification, the merge follows a fixed order. The order is as follows:
/** merge the link layer */
byte[] byte_tcp = ByteTools.byteMerger(this.Eth_DestinationAddress, this.Eth_SourceAddress);
byte_tcp = ByteTools.byteMerger(byte_tcp, this.Eth_Protocol);
/** merge the IP layer */
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Version_Header_Length());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Differentiated_Services_Field());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Total_Length());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Identification());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Fragment_Flags());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Fragment_Offset());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Time_to_Live());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Protocol());
byte[] ip_checksum = ByteTools.ckSum_Ip_Checksum(this);
byte_tcp = ByteTools.byteMerger(byte_tcp, ip_checksum); // merge the IP-layer checksum
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Source_IP());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Destination_IP());
/** merge the TCP layer */
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Source_Port());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Destination_Port());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Sequence_Number());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_AckNumber());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Tcp_Offset()); // this attribute belongs to the TCP part, so it is merged here
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Flags());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Window());
byte[] tcp_checksum = ByteTools.chSum_Tcp_Checksum(this);
byte_tcp = ByteTools.byteMerger(byte_tcp, tcp_checksum); // in the TCP header the checksum precedes the urgent pointer
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Urgent_point());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Tcp_Option());
Preferably, obtaining the first MAC address comprises: building an ARP packet using the first IP address, the second MAC address and the second IP address as formal parameters; sending the ARP packet to the server corresponding to the first IP address, where that server returns an address response packet after receiving the ARP packet, the address response packet containing the first MAC address; and parsing the address response packet to obtain the first MAC address.
To construct a single ARP packet instance, the source MAC address, source IP address and destination IP address must by default be passed in as formal parameters; the other parameters are loaded from the default attribute declarations, as defined in Table 2.
Table 2
After the instance is constructed, the parameters must be merged once by an explicit call. In accordance with the TCP/IP protocol stack specification, the merge follows a fixed order. The order is as follows:
byte[] byte_arp = ByteTools.byteMerger(this.Eth_DestinationAddress, this.Eth_SourceAddress);
byte_arp = ByteTools.byteMerger(byte_arp, this.Eth_Protocol);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Hardware_type);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Protocol_type);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Hardware_Address_Length);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Protocol_Address_Length);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Type);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Source_Physics);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Source_IP);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Destination_Physics);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Destination_IP);
byte_arp = ByteTools.byteMerger(byte_arp, this.Extra_Data);
The ARP packet merge involves no checksum. The ARP packet is sent by broadcast to the servers corresponding to the first IP address, where the first IP address is the IP segment on which application service identification is to be performed.
After the server corresponding to the first IP address receives this ARP packet, it returns an address response packet, from which the first MAC address can be parsed for use in building the TCP-SYN packet.
In this embodiment of the invention, the operating environment of the port state recognition method is shown in Table 3.
Table 3
| Item | Specification |
| --- | --- |
| CPU | >2GHz |
| Memory | >2G |
| Operating system | Windows |
| Hard disk | >40G |
| Database | MySQL, SQL Server, Oracle |
| Required plug-in | WinPcap 4.1.3 |
The embodiment of the invention is described in detail below with reference to Fig. 2 to Fig. 5.
Whether deployed in a centralized or a distributed environment, the port state recognition method of this embodiment can be broken down, in terms of functional steps, into roughly five steps: encapsulating packets, sending packets, receiving response packets, parsing response packets, and saving the service port state. Packet encapsulation comprises ARP packet encapsulation, TCP-SYN packet encapsulation and encapsulation of the sub-address packet array. Sending is driven by the hexadecimal bytecode array passed in after encapsulation and is carried out by calling the WinPcap plug-in. Receiving response packets comprises generating the packet capture expression and controlling the capture thread. Parsing response packets mainly covers protocol parsing, service port state identification and assembly of the returned data. Saving the service port state stores the final matched collection results in the database.
The port state recognition method of this embodiment can be based on two scans: first an IP-MAC information query scan based on ARP packets, then an application service identification scan based on TCP-SYN. In both scans, packets are encapsulated, sent and received in roughly the same way. As shown in Fig. 4, the packet is first encapsulated at the application layer; the sending module then calls the system-layer WinPcap plug-in, which sends the packet through the operating system kernel (OS Kernel) to the network layer. The response packet capture thread is then started, the response packet capture rule filter expression is generated, and the filter is called to prepare to receive response packets. Received response packets likewise pass through the operating system kernel before being received by the receiving module and parsed. The signaling scheduling channel is the signaling channel shown in Fig. 3; it is opened through a Socket and is used to communicate with the main identifier.
In this embodiment, the data objects encapsulated for the ARP packet and the TCP-SYN packet are given in Table 1 and Table 2.
The functional modules of the port state recognition scheme and their relationships are shown in Fig. 5. The first module 501 (DiscoveryMonitorService) is the startup module of the whole application service identification function and is responsible for invoking the subsequent modules.
The second module 502 (Send_Tcp_v4) and the third module 503 (Send_Arp) are the basic element classes for encapsulation and parsing, and both call the ByteTools utility class. ByteTools is a collection of operations on hexadecimal data, such as merging, splitting and calculation, and provides atomic-level operations for the basic element classes.
Scan engine part: the fourth module 504 (SprayArp) and the fifth module 505 (ArpDumpDevice) serve as the engine classes for the "ARP-based IP-MAC information query scan"; the sixth module 506 (SprayTcpv4) and the seventh module 507 (TcpSynDumpDevice) serve as the engine classes for the "TCP-SYN-based application service identification scan"; the eighth module 508 (InitEthernetDev) and the ninth module 509 (DefaultDumpDevice) run as separate threads and handle background actions such as the signaling call channel, packet capture, and starting and stopping packet sending and receiving on the NIC.
Specifically, the port state recognition method comprises the following steps:
Step S1, obtain the source (local) MAC address information.
Call the WinPcap network device interface to obtain the NIC devices of the local machine or of the designated source. If there are several NIC devices, the first is selected by default. After selection, the physical address of the NIC is obtained through the encapsulated getHardwareAddress() method.
Step S2, obtain the source (local) IP address information.
Call the WinPcap network device interface to obtain the NIC devices of the local machine or of the designated source. If there are several NIC devices, the first is selected by default. After selection, the IP addresses bound to the NIC are obtained through the encapsulated getAddresses() method. The first IP address is selected by default and converted to a byte[] array for use in the subsequent encapsulation.
Step S3, construct the ARP packet.
To construct a single ARP packet instance, the source MAC address, source IP address and destination IP address must by default be passed in as formal parameters; the other parameters are loaded from the default attribute declarations, see Table 1.
After the instance is constructed, the parameters must be merged once by an explicit call. In accordance with the TCP/IP protocol stack specification, the merge follows a fixed order. Example code for the order is as follows:
byte[] byte_arp = ByteTools.byteMerger(this.Eth_DestinationAddress, this.Eth_SourceAddress);
byte_arp = ByteTools.byteMerger(byte_arp, this.Eth_Protocol);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Hardware_type);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Protocol_type);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Hardware_Address_Length);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Protocol_Address_Length);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Type);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Source_Physics);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Source_IP);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Destination_Physics);
byte_arp = ByteTools.byteMerger(byte_arp, this.Arp_Destination_IP);
byte_arp = ByteTools.byteMerger(byte_arp, this.Extra_Data);
The ARP merge involves no checksum.
Step S4, construct the TCP-SYN packet.
To construct a single TCP-SYN packet instance, the source MAC address, source IP address, destination MAC address, destination IP address and destination service port must by default be passed in as formal parameters; the other parameters are loaded from the default attribute declarations (for the relevant fields, see "3.2 Basic objects and attributes: TCP-SYN packet object definition").
After the instance is constructed, the parameters must be merged once by an explicit call. In accordance with the TCP/IP protocol stack specification, the merge follows a fixed order. Example code for the order is as follows:
/** merge the link layer */
byte[] byte_tcp = ByteTools.byteMerger(this.Eth_DestinationAddress, this.Eth_SourceAddress);
byte_tcp = ByteTools.byteMerger(byte_tcp, this.Eth_Protocol);
/** merge the IP layer */
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Version_Header_Length());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Differentiated_Services_Field());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Total_Length());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Identification());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Fragment_Flags());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Fragment_Offset());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Time_to_Live());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Protocol());
byte[] ip_checksum = ByteTools.ckSum_Ip_Checksum(this);
byte_tcp = ByteTools.byteMerger(byte_tcp, ip_checksum); // merge the IP-layer checksum
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Source_IP());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getIp_Destination_IP());
/** merge the TCP layer */
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Source_Port());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Destination_Port());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Sequence_Number());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_AckNumber());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Tcp_Offset()); // this attribute belongs to the TCP part, so it is merged here
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Flags());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Window());
byte[] tcp_checksum = ByteTools.chSum_Tcp_Checksum(this);
byte_tcp = ByteTools.byteMerger(byte_tcp, tcp_checksum); // in the TCP header the checksum precedes the urgent pointer
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Urgent_point());
byte_tcp = ByteTools.byteMerger(byte_tcp, this.getTcp_Tcp_Option());
The TCP-SYN merge does involve checksums, so attention must be paid both to the layer-by-layer merge and to the merging of the checksum information.
Step S5, merge the protocol stack.
This function is a general-purpose implementation of the bytecode merge operation for the protocol stack. Both the parameters passed in and the result returned are bytecode arrays, and only two byte arrays are merged per call, so that each step of the operation is generic and atomic.
It can be implemented with the native API, for example:
System.arraycopy()
Array overflow must be taken into account: the caller must pass explicit offsets and array lengths.
Step S6, calculate the checksum.
This function calculates the checksums of the TCP packet, comprising the IP-layer checksum and the TCP-layer checksum. The calculation follows the protocol specification; the protocol header fields involved are not described again here. The bit operations, negation and similar steps need particular attention. Example code is as follows:
The little-to-big conversion from the integer type to the byte type can be done as follows:
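Steps S5 and S6, as an added example in Java (not code from the patent, whose ByteTools source is not on this page): a two-array merge built on System.arraycopy with an overflow guard, the integer-to-big-endian byte conversion, and the RFC 1071 checksum applied to an IPv4 header and to a TCP segment with its pseudo-header. Apart from byteMerger, the class and method names are assumptions, and all sample bytes and addresses are constructed.

```java
import java.util.HexFormat; // Java 17+

public class ChecksumDemo {

    /** Step S5: concatenate exactly two byte arrays into a new array. */
    static byte[] byteMerger(byte[] first, byte[] second) {
        if (first == null || second == null) {
            throw new IllegalArgumentException("both arrays are required");
        }
        // addExact throws on int overflow instead of wrapping to a negative length.
        byte[] merged = new byte[Math.addExact(first.length, second.length)];
        System.arraycopy(first, 0, merged, 0, first.length);
        System.arraycopy(second, 0, merged, first.length, second.length);
        return merged;
    }

    /** Low 16 bits of an int as two bytes in network (big-endian) order. */
    static byte[] toBytes16(int value) {
        return new byte[] {(byte) (value >>> 8), (byte) value};
    }

    /** Step S6: RFC 1071 checksum. The checksum field inside data must be zero. */
    static int internetChecksum(byte[] data) {
        long sum = 0;
        int i = 0;
        for (; i + 1 < data.length; i += 2) {
            // "& 0xFF" undoes the sign extension Java applies to byte values.
            sum += ((data[i] & 0xFF) << 8) | (data[i + 1] & 0xFF);
        }
        if (i < data.length) {
            sum += (data[i] & 0xFF) << 8; // odd length: pad the last byte with zero
        }
        while ((sum >>> 16) != 0) {
            sum = (sum & 0xFFFF) + (sum >>> 16); // fold the carries back in
        }
        return (int) (~sum & 0xFFFF); // one's complement of the folded sum
    }

    /** TCP checksum over pseudo-header (src, dst, zero, protocol 6, length) plus segment. */
    static int tcpChecksum(byte[] srcIp, byte[] dstIp, byte[] segment) {
        if (srcIp.length != 4 || dstIp.length != 4 || segment.length > 0xFFFF) {
            throw new IllegalArgumentException("IPv4 addresses and a 16-bit length are required");
        }
        byte[] pseudo = byteMerger(srcIp, dstIp);
        pseudo = byteMerger(pseudo, new byte[] {0, 6});
        pseudo = byteMerger(pseudo, toBytes16(segment.length));
        return internetChecksum(byteMerger(pseudo, segment));
    }

    /** Copy of packet with a 16-bit value written at the given offset. */
    static byte[] withField16(byte[] packet, int offset, int value) {
        if (offset < 0 || offset + 2 > packet.length) {
            throw new IndexOutOfBoundsException("field does not fit at offset " + offset);
        }
        byte[] copy = packet.clone();
        System.arraycopy(toBytes16(value), 0, copy, offset, 2);
        return copy;
    }

    public static void main(String[] args) {
        HexFormat hex = HexFormat.of();

        // Constructed IPv4 header, checksum field (offset 10) zeroed.
        byte[] ipHeader = hex.parseHex("450000730000400040110000c0a80001c0a800c7");
        int ipSum = internetChecksum(ipHeader);
        byte[] ipDone = withField16(ipHeader, 10, ipSum);

        // Constructed 20-byte TCP header with only SYN set, checksum field (offset 16) zeroed.
        byte[] src = hex.parseHex("c0000201"); // 192.0.2.1, documentation range
        byte[] dst = hex.parseHex("c000020a"); // 192.0.2.10
        byte[] syn = hex.parseHex("c000005000000001000000005002200000000000");
        int tcpSum = tcpChecksum(src, dst, syn);
        byte[] synDone = withField16(syn, 16, tcpSum);

        // A receiver validates by summing with the checksum in place: the result must be 0.
        if (internetChecksum(ipDone) != 0 || tcpChecksum(src, dst, synDone) != 0) {
            throw new IllegalStateException("checksum does not validate");
        }
        System.out.printf("IP checksum 0x%04x, TCP checksum 0x%04x, both validate%n", ipSum, tcpSum);
    }
}
```

The same `internetChecksum` call is what a capture-side tool uses to discard corrupted or malformed headers before trusting their fields.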
Step S7, start the packet sending thread.
The packet sending thread performs the address-spraying transmission of packets. Unlike the sending process of the Telnet protocol, packet reception and packet sending are implemented as independent processes. This effectively avoids both the Telnet protocol waits caused by network conditions and the blocking call pattern of threads. The two engine threads can be deployed independently on different physical devices; for example, the packet sending thread can be deployed on a probe node device.
Techniques such as random TTL values, randomized Sleep intervals and dynamic adjustment of the packet load allow the packet transmission to effectively evade IDS monitoring devices. By default, a fixed interval in milliseconds between the packets sent to each target can also be configured to control the sending rhythm.
Finally, the address spraying of packets requires the NIC information and the packet bytecode to be passed as parameters, and the operation is completed by calling WinPcap's sendPacket() function.
Step S8, activate the NIC and configure the timeout.
Activating the NIC is a fixed function call, of the form, for example:
Pcap.openLive()
This call requires the NIC information, the capture flags, the timeout configuration, the error code declaration and similar information to be passed.
Step S9, receive the packet bytecode array.
The received packet bytecode is in array form. The content of this array differs from the content of an individual packet array: the packets are in no fixed order, the encapsulation having been performed in random order.
Step S10, call the WinPcap plug-in to perform the transmission.
The call to the WinPcap plug-in must be implemented locally, and the transmission itself is finally carried out by the sendPacket() function. A reference implementation of the call is as follows:
Step S11, start the response packet capture thread.
The response packet capture thread collects and analyzes packets. Depending on the form of the packets sent, the capture threads are likewise divided into an ARP response packet capture thread and a TCP-SYN response packet capture thread. A capture thread requires the NIC information, the filter expression and the list of addresses sent to as parameters; these are used, respectively, to activate packet capture on the designated NIC, to filter packets, and for packet analysis and judgment.
Step S12, generate the response packet capture rule filter expression.
The capture rule filter expression conforms to the tcpdump expression standard. Taking local capture as an example, the generated filter can take the form "dst host local_ip_address". For more forms, see the appendix: the TCPDUMP filters chapter of "ethereal-tcpdump".
Step S13, call the filter and prepare to receive.
The capture listening operation is started by calling WinPcap's pcapPacketHandler() function. Reference example code is as follows:
Step S14, call the packet analyzer.
As required by the WinPcap pcapPacketHandler function call, all analysis work is directed to a callback function. For each response packet, an instance of type PcapPacket is passed to this callback function for analysis and judgment.
Because ARP and TCP-SYN have different parsing requirements, this callback function is overridden (Override) with different concrete operations. Compared with the ARP analyzer, the TCP-SYN analyzer performs more detailed checks and also handles the coordination with the address spraying technique. The checks comprise: packet header checks, address segment checks and port checks.
Step S15, disassemble the packet attributes.
The attributes to be extracted from the TCP-SYN packet comprise the response packet source address, the response packet source port and the response packet flag bits. A packet that satisfies the checks on these three attributes proceeds to the next step, encapsulating the analysis result. Reference example code is as follows:
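The three checks of Step S15 applied to a raw Ethernet frame, as an added example in Java (not code from the patent): source address, source port and flag bits are extracted, and the flags are mapped to a port state using the SYN/ACK and RST meanings the patent describes for Fig. 2. The class, enum and method names are assumptions, the frames and addresses (192.0.2.0/24) are constructed, the address list is reduced to one expected address, and checksums and VLAN tags are not handled.

```java
import java.util.Arrays;
import java.util.HexFormat; // Java 17+

public class SynResponseClassifier {

    enum PortState { OPEN, CLOSED, IGNORED }

    static final int ETH_LEN = 14;
    static final int SYN = 0x02, RST = 0x04, ACK = 0x10;

    /** Unsigned big-endian 16-bit read. */
    static int u16(byte[] b, int off) {
        return ((b[off] & 0xFF) << 8) | (b[off + 1] & 0xFF);
    }

    /**
     * Classify one captured frame as the answer to a probe of probedIp:probedPort.
     * Anything that is not a well-formed, unfragmented IPv4/TCP reply from exactly
     * that endpoint is IGNORED rather than guessed at.
     */
    static PortState classify(byte[] frame, byte[] probedIp, int probedPort) {
        if (frame == null || frame.length < ETH_LEN + 20) return PortState.IGNORED;
        if (u16(frame, 12) != 0x0800) return PortState.IGNORED;            // EtherType IPv4

        int ip = ETH_LEN;
        int ihl = (frame[ip] & 0x0F) * 4;                                  // header length in bytes
        if ((frame[ip] & 0xF0) != 0x40 || ihl < 20) return PortState.IGNORED;
        if ((frame[ip + 9] & 0xFF) != 6) return PortState.IGNORED;         // protocol TCP
        if ((u16(frame, ip + 6) & 0x1FFF) != 0) return PortState.IGNORED;  // later fragment

        int tcp = ip + ihl;                                                // honours IP options
        if (frame.length < tcp + 20) return PortState.IGNORED;             // truncated TCP header

        // Check 1: response source address must be the probed server.
        byte[] srcIp = Arrays.copyOfRange(frame, ip + 12, ip + 16);
        if (!Arrays.equals(srcIp, probedIp)) return PortState.IGNORED;
        // Check 2: response source port must be the probed service port.
        if (u16(frame, tcp) != probedPort) return PortState.IGNORED;
        // Check 3: flag bits. RST wins over everything else.
        int flags = frame[tcp + 13] & 0xFF;
        if ((flags & RST) != 0) return PortState.CLOSED;
        if ((flags & (SYN | ACK)) == (SYN | ACK)) return PortState.OPEN;
        return PortState.IGNORED;
    }

    public static void main(String[] args) {
        HexFormat hex = HexFormat.of();
        // Constructed frames: Ethernet + IPv4 (192.0.2.10 -> 192.0.2.1) + 20-byte TCP header.
        String ethIp = "0200000000010200000000020800"
                + "4500002800004000400600" + "00" + "c000020a" + "c0000201";
        byte[] synAck = hex.parseHex(ethIp + "0050c000" + "00000000" + "00000002" + "50122000" + "00000000");
        byte[] rstAck = hex.parseHex(ethIp + "0050c000" + "00000000" + "00000002" + "50140000" + "00000000");
        byte[] truncated = Arrays.copyOf(synAck, 40);

        byte[] probed = hex.parseHex("c000020a");     // 192.0.2.10
        byte[] otherHost = hex.parseHex("c000020b");  // 192.0.2.11

        System.out.println("SYN/ACK from probed host : " + classify(synAck, probed, 80));
        System.out.println("RST/ACK from probed host : " + classify(rstAck, probed, 80));
        System.out.println("SYN/ACK, other address   : " + classify(synAck, otherHost, 80));
        System.out.println("SYN/ACK, other port      : " + classify(synAck, probed, 443));
        System.out.println("truncated frame          : " + classify(truncated, probed, 80));

        if (classify(synAck, probed, 80) != PortState.OPEN
                || classify(rstAck, probed, 80) != PortState.CLOSED
                || classify(truncated, probed, 80) != PortState.IGNORED) {
            throw new IllegalStateException("classifier disagrees with the constructed samples");
        }
    }
}
```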
Step S16, encapsulate the analysis result.
The encapsulation packs the result using the definitions in Table 4.
The main content is as in the following example code:
SnifferPackge return_packge = new SnifferPackge();
return_packge.setIp_Destination_IP(ip.source());
return_packge.setTcp_dport(tcp.source());
return_packge.setTcp_dport_status(1);
Step S17, return the result and notify the capture thread to close.
The capture listening operation is closed by calling WinPcap's close() function. Reference example code is as follows:
public void stopDump() {
    pcap.close();
}
Step S18, structure the analysis result set.
According to the needs of the current technical architecture, the relevant attribute fields are further completed on the basis of the analyzed result set, for example: the mapping between ports and application service categories, node type, protocol type, port information, authentication information and dictionary table number.
Step S19, process the result set.
The final result set is cached in batches to a local file or inserted into the database. Batch insertion into the database is the default.
The embodiment of the invention also provides a port state recognition device, whose functions can be implemented by computer equipment. It should be noted that the port state recognition device of this embodiment can be used to carry out the port state recognition method provided by this embodiment, and the method can likewise be carried out by the device.
Fig. 6 is a schematic diagram of the port state recognition device according to the embodiment of the invention. As shown in Fig. 6, the device comprises a first acquiring unit 10, a sending unit 20, a receiving unit 30 and a parsing unit 40.
The first acquiring unit 10 is configured to acquire a pre-built TCP-SYN packet. The TCP-SYN packet comprises a first MAC address and a service port parameter, where the first MAC address is the MAC address of the identified server and the service port parameter is the parameter corresponding to a service port of the identified server.
SYN (synchronize) is the handshake signal used when a TCP/IP connection is established, and a TCP-SYN packet is the corresponding packet used to establish a connection. The TCP-SYN packet contains the first MAC address and the service port parameter, both of which are needed when the packet is built. The first MAC address may comprise one MAC address or several, and the service ports corresponding to the service port parameter may be several service ports whose state is to be identified. The identified server is the server on which port state identification is performed.
The first MAC address used to build the TCP-SYN packet may be obtained by local lookup or by broadcast query. The service ports to be queried can be predefined; for example, the service ports requiring port identification are entered into a device scan address list, and importing this list yields the service ports requiring port identification. The first MAC address and the service port parameter correspond to each other: the service port is a port of the identified server corresponding to the first MAC address. The first MAC address may be called the destination MAC address.
The sending unit 20 is configured to send the TCP-SYN packet to the server corresponding to the first MAC address. After receiving the TCP-SYN packet, that server returns a response packet containing information that reflects the state of the service port corresponding to the service port parameter.
After the TCP-SYN packet is acquired, it is sent to the identified server, that is, the server corresponding to the first MAC address, to request from that server the state of the service port to be queried. After receiving the TCP-SYN packet, the server returns a response packet containing information that reflects the service port state, so that the state of the service port can be parsed from the response packet.
The receiving unit 30 is configured to receive the response packet returned by the server corresponding to the first MAC address.
The parsing unit 40 is configured to parse the response packet to obtain the state of the service port corresponding to the service port parameter.
After the server corresponding to the first MAC address returns the response packet, the corresponding identifier receives it and parses it to obtain the state of the service port being queried, where the state of the service port includes the open state.
Specifically, the network deployment architecture shown in Fig. 2 is a centralized deployment. The main identifier is the server that performs the application service scan, and server A, server B, server C and server D are the identified servers. After acquiring the TCP-SYN packet, the main identifier sends it to server A, server B, server C and server D. The TCP-SYN packet contains the handshake signal SYN used when a TCP/IP connection is established and the service port number (PORT 80). An identified server on which PORT 80 exists, for example server A and server C, returns a handshake response packet (SYN/ACK) to the main identifier; one on which PORT 80 does not exist, for example server B and server D, returns a RST message. The main identifier starts the response packet capture thread, captures the returned response packets and parses them to obtain the state of the service port.
The network deployment architecture shown in Fig. 3 is a distributed deployment. The main identifier is the server that performs the application service scan and is mainly used to send the TCP-SYN packet, which contains the handshake signal SYN used when a TCP/IP connection is established and the service port number (PORT 80). Auxiliary identifier-1 and auxiliary identifier-2 both receive response packets or messages, and each communicates with the main identifier over a signaling channel. The difference from the architecture of Fig. 2 is that the identifier that sends the TCP-SYN packet and the identifiers that receive the response packets or messages are different servers. Packets are sent and received in the same way as in Fig. 2, which is not repeated here.
According to the embodiment of the invention, a TCP-SYN packet is sent to the identified server to request the state of its service port. After receiving the TCP-SYN packet, the identified server returns a response packet containing information that reflects the state of the service port corresponding to the service port parameter; this response packet is received and parsed to obtain the service port state. Because the data structure of the TCP-SYN packet is itself relatively simple and, unlike service port identification over the Telnet protocol, no session has to be established, the number of steps in service port identification is reduced. The method can cope with firewalls that block TCP sessions, discover application services as broadly as possible and effectively control the data load, thereby solving the problem of low application service identification efficiency and improving that efficiency.
Preferably, TCP-SYN packet comprises the second MAC Address, and wherein, transmitting element comprises: the first sending module, for making first server by server corresponding to TCP-SYN Packet Generation to the first MAC Address; Receiving element comprises: receiver module, for making second server receive the response packet that server corresponding to the first MAC Address returns, wherein, first server and second server are different servers, the MAC Address that the second MAC Address is second server.
Second server can comprise one or more server, correspondingly, the second MAC Address can comprise one or more MAC Address, first server is server corresponding to the first MAC Address by the TCP-SYN Packet Generation with the second MAC Address to the server being identified, after the server being identified receives TCP-SYN packet, the second server corresponding to the second MAC Address sends response packet, second server receives Gai Ying road bag, and this response packet is resolved to the serve port state information of the server that obtains being identified.
In the embodiment of the present invention, for sending the first server of TCP-SYN packet and being different servers for receiving the second server of response packet, this shows, the network design framework of this embodiment is distributed structure/architecture.
Particularly, as shown in Figure 3, first server can be main identifier, second server comprises aid identification device-1 and aid identification device-2, TCP-SYN packet comprises the second MAC Address, and first server is the server A shown in Fig. 3, server B, server C, server D etc. by server corresponding to TCP-SYN Packet Generation to the first MAC Address.Main identifier is after getting TCP-SYN packet, to server A, server B, server C and server D etc., send TCP-SYN packet, this TCP-SYN packet comprises handshake SYN and the service port number (PORT 80) of using when TCP/IP connects, while there is port PO RT 80 in the server that server A, server B, server C and server D etc. are identified, to aid identification device, return to the response packet of shaking hands (SYN/ACK), for example server A is returned to SYN/ACK to aid identification device-1, and server C returns to SYN/ACK to aid identification device-2; While there is not port PO RT 80, for example server B and server D, return to RST message.Main identifier is opened response packet and is caught thread, catches the response packet returning, and the response packet of catching is resolved, and obtains the state information of serve port.
According to the embodiment of the present invention, by first server, send TCP-SYN packet, second server receives response packet, and parsing receives Ying road bag, adopt distributed framework that response packet is received and resolved, when improving the efficiency of application service scanning, can guarantee to visit scanning motion concurrent in the situation that smelling in a large number, do not cause the wrong report of intrusion detection device, guarantee works fine under the three-layer equipment environment such as fire compartment wall, intrusion detection.
In addition, the distributed architecture borrows the idea of heap spraying for application service scanning. In computer security, heap spraying is a technique used in exploits to make arbitrary code execution easier to achieve. In the microscopic memory environment of a computer (stack overflow techniques), heap spraying is an important means in penetration testing of countering ASLR (address space layout randomization). By comparison, in the macroscopic Ethernet environment, IP-address-based spray scanning is likewise superior to traditional polling scanning. Releasing the SYN scan packets for different IP addresses onto the network in a single burst within a very short time not only effectively increases the probability that a scan succeeds but also greatly reduces the overall overhead of the scanning process.
Preferably, the sending unit comprises: a starting module for starting a packet sending thread, the packet sending thread being used for address-spray sending of packets; a calling module for calling the WinPcap plug-in from the packet sending thread; and a second sending module for sending the TCP-SYN packet through the WinPcap plug-in to the server corresponding to the first MAC address.
Windows packet capture, WinPcap for short, is a free, public network access system for the Windows platform. The WinPcap project was developed to give Win32 applications access to the lower layers of the network.
A packet sending thread is started; this thread performs the address-spray sending of packets. Unlike with the Telnet protocol, packet reception and packet sending are implemented as independent processes. This effectively avoids both the Telnet protocol waits caused by network conditions and the blocking call pattern of a thread. The two engine threads are deployed independently on different physical devices; for example, the packet sending thread is deployed on a probe node device.
Techniques such as random TTL values, randomized sleep intervals and dynamic adjustment of the packet payload let packet sending effectively evade IDS (intrusion detection system) monitoring devices. By default, a fixed interval in milliseconds between the packets sent to each target can also be configured to control the sending rhythm.
The final address-spray sending of packets takes the network interface card information and the packet bytecode as parameters, and calls the sendPacket() function of WinPcap to complete the operation.
Calling the WinPcap plug-in comprises: activating the network interface card and configuring the timeout; receiving the packet bytecode array; and calling the WinPcap plug-in to perform the sending.
Activating the network interface card and configuring the timeout: activating the network interface card is a fixed function call, whose form is for example:
Pcap.openlive()
Activating the network interface card and configuring the timeout requires passing information such as the network interface card information, the capture flag, the timeout configuration and the error-code declaration.
Receiving the packet bytecode array: the received packet bytecode is in array form, which is the data form used when the packet was built in advance. The content of this array differs from the content of a specific packet array: the packets in it have no fixed order, and the encapsulation operation is carried out at random.
Calling the WinPcap plug-in to perform the sending: because of the needs of calling the WinPcap plug-in, this is implemented locally. The sending itself is finally done by the sendPacket() function.
Preferably, the TCP-SYN packet further comprises a first IP address, a second MAC address and a second IP address, wherein the first IP address is that of the identified server, the second MAC address is the MAC address of the server that receives the response packet, and the second IP address is the IP address of the server that receives the response packet. The port state recognition device further comprises: a second acquiring unit for acquiring the first IP address, the second MAC address, the second IP address and the service port parameter before the pre-built TCP-SYN packet is acquired; a third acquiring unit for acquiring the first MAC address; and a building unit for building the TCP-SYN packet with the first IP address, the second MAC address, the second IP address, the service port parameter and the first MAC address as formal parameters.
The second MAC address may be the MAC address of the main identifier shown in Fig. 3 or the MAC address of an auxiliary identifier. The MAC address of the main identifier may be called the local MAC address, and the MAC address of an auxiliary identifier may be called the source MAC address. The second IP address corresponds to the second MAC address: the IP address of the main identifier may be called the local IP address, and that of an auxiliary identifier the source IP address. The first IP address may be the IP range in which the servers requiring port identification are located. The service ports to be queried may be predefined; for example, the service ports requiring port identification are entered into a device scan address list, and importing this list yields the service ports requiring port identification.
Specifically, the source (local) MAC address information can be obtained by calling the network device interface of WinPcap to obtain the local or designated source network interface card. If there are several interface cards, the first is chosen by default. Once it is chosen, the encapsulated getHardwareAddress() method returns the physical address of the interface card.
The source (local) IP address information can likewise be obtained by calling the network device interface of WinPcap to obtain the local or designated source network interface card. If there are several interface cards, the first is chosen by default. Once it is chosen, the encapsulated getAddresses() method returns the IP addresses bound to the interface card. The first IP address returned is chosen by default and converted to byte[] array form for use in the subsequent encapsulation.
The first MAC address may be obtained by local lookup or by broadcast query.
To construct a single TCP-SYN packet instance, by default the source MAC address, source IP address, destination MAC address, destination IP address and destination service port must be passed in as formal parameters; the other parameters are loaded from the default attribute declarations, defined specifically in 1. After the instance is constructed, the parameter merge must be called manually once. In accordance with the TCP/IP protocol stack specification, the merge follows a fixed order.
Preferably, the third acquiring unit comprises: a building module for building an ARP packet with the first IP address, the second MAC address and the second IP address as formal parameters; a third sending module for sending the ARP packet to the server corresponding to the first IP address, wherein the server corresponding to the first IP address returns an address response packet after receiving the ARP packet, the address response packet being a response packet that contains the first MAC address; and a parsing module for parsing the first MAC address out of the address response packet.
To construct a single ARP packet instance, by default the source MAC address, source IP address and destination IP address must be passed in as formal parameters; the other parameters are loaded from the default attribute declarations, defined specifically in 2. After the instance is constructed, the parameter merge must be called manually once. In accordance with the TCP/IP protocol stack specification, the merge follows a fixed order.
The ARP packet merge does not include a checksum merge. The ARP packet is sent by broadcast to the server corresponding to the first IP address, where the first IP address is the IP range requiring application service identification.
After the server corresponding to the first IP address receives the ARP packet, it returns an address response packet, from which the first MAC address can be parsed for use in building the TCP-SYN packet.
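The fixed field order of the ARP packet and the parsing of the address response packet can be shown in a short added example (not the patent's code). It lays out a broadcast ARP request from the three formal parameters named above, with no checksum field anywhere in the frame, and extracts the first MAC address from a reply; nothing is sent on a network. The function names and all addresses are constructed assumptions.

```python
import socket
import struct

ETH_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2


def arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Merge the fields in the fixed order of an Ethernet/IPv4 ARP frame.
    ARP carries no checksum, so no check value is computed or appended."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,        # hardware type: Ethernet
                      0x0800,   # protocol type: IPv4
                      6, 4,     # hardware / protocol address lengths
                      oper,
                      sha, socket.inet_aton(spa),   # sender MAC / IP
                      tha, socket.inet_aton(tpa))   # target MAC / IP
    return eth + arp


def build_arp_request(src_mac, src_ip, target_ip):
    """Source MAC, source IP and destination IP are the only formal
    parameters; every other field takes its default value."""
    return arp_frame(BROADCAST, src_mac, ARP_REQUEST,
                     src_mac, src_ip, b"\x00" * 6, target_ip)


def parse_arp_reply(frame, queried_ip, our_mac):
    """Return the MAC address (as text) that answers for queried_ip,
    or None if the frame is not a well-formed reply to our request."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    # The reply must come from the address we asked about and be meant for us.
    if spa != socket.inet_aton(queried_ip) or tha != our_mac:
        return None
    return ":".join(f"{b:02x}" for b in sha)


# Constructed sample data: the requester and one answering server.
OUR_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("02000000000a")
REQUEST = build_arp_request(OUR_MAC, "192.0.2.200", "192.0.2.10")
REPLY = arp_frame(OUR_MAC, SERVER_MAC, ARP_REPLY,
                  SERVER_MAC, "192.0.2.10", OUR_MAC, "192.0.2.200")

if __name__ == "__main__":
    print(len(REQUEST), parse_arp_reply(REPLY, "192.0.2.10", OUR_MAC))
```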
An embodiment of the invention also provides a port state recognition system. It should be noted that the port state recognition system of this embodiment can be used to carry out the port state recognition method provided by the embodiments of the invention, and that the port state recognition method can likewise be carried out by the port state recognition system.
The port state recognition system of this embodiment comprises a first identifier, a second identifier and the identified server, the first identifier and the second identifier being different servers. The first identifier may be the first server mentioned in the embodiments above, and the second identifier may be the second server mentioned there. The first identifier can implement the functions of the acquiring unit and the sending unit of the port state recognition device, and the second identifier can implement the functions of the receiving unit and the parsing unit. Specifically, the method steps or functional modules for sending the TCP-SYN packet, and those that precede the sending, can all be implemented by the first identifier; correspondingly, the method steps or functional modules that follow the sending can all be implemented by the second identifier.
The first identifier acquires the pre-built TCP-SYN packet and sends it to the identified server. The TCP-SYN packet comprises the first MAC address and the service port parameter, wherein the first MAC address is the MAC address of the identified server and the service port parameter is the parameter corresponding to a service port of the identified server.
The identified server receives the TCP-SYN packet and returns a response packet to the second identifier; the response packet contains information reflecting the state of the service port corresponding to the service port parameter.
The second identifier receives the response packet returned by the identified server and parses it to obtain the state of the service port corresponding to the service port parameter.
SYN (synchronous) is the handshake signal used when a TCP/IP connection is established, and the TCP-SYN packet is the corresponding packet used to establish a connection. The TCP-SYN packet comprises the first MAC address and the service port parameter; that is, both are needed when the TCP-SYN packet is built. The first MAC address may comprise one MAC address or several MAC addresses, and the service port corresponding to the service port parameter may be several service ports whose state is to be identified. The identified server is the server on which port state recognition is to be performed.
The first MAC address used to build the TCP-SYN packet may be obtained by local lookup or by broadcast query. The service ports to be queried may be predefined; for example, the service ports requiring port identification are entered into a device scan address list, and importing this list yields the service ports requiring port identification. The first MAC address and the service port parameter correspond to each other: the service port is a port of the identified server corresponding to the first MAC address. The first MAC address may be called the destination MAC address.
After the TCP-SYN packet is obtained, it is sent to the identified server, that is, the server corresponding to the first MAC address, to request from this server the state of the service port to be queried. After receiving the TCP-SYN packet, the server returns a response packet containing information that reflects the state of the service port, so that the state of the service port can be parsed out of this response packet.
After the server corresponding to the first MAC address returns the response packet, the corresponding identifier receives it and parses it to obtain the state of the service port to be queried, wherein the state of the service port includes the open state.
Specifically, as shown in Fig. 2, the network deployment architecture is a centralized deployment structure in which the main identifier is the server that performs the application service scan, and server A, server B, server C and server D are the identified servers. After obtaining the TCP-SYN packet, the main identifier sends it to server A, server B, server C and server D. The TCP-SYN packet contains the SYN handshake signal used when a TCP/IP connection is established and the service port number (PORT 80). When port 80 exists on an identified server, as on server A and server C, that server returns a handshake response packet (SYN/ACK) to the main identifier; when port 80 does not exist, as on server B and server D, an RST message is returned. The main identifier starts a response-packet capture thread, captures the returned response packets, and parses the captured packets to obtain the state information of the service port.
As shown in Fig. 3, the network deployment architecture is a distributed deployment structure in which the main identifier is the server that performs the application service scan and is mainly used to send the TCP-SYN packet. The TCP-SYN packet contains the SYN handshake signal used when a TCP/IP connection is established and the service port number (PORT 80). Auxiliary identifier-1 and auxiliary identifier-2 both receive the response packets or messages, and each communicates with the main identifier over a signaling channel. This architecture differs from the one in Fig. 2 in that the identifier that sends the TCP-SYN packet and the identifier that receives the response packet or message are different servers; the way packets are sent and received is the same as in Fig. 2 and is not repeated here.
According to this embodiment, a TCP-SYN packet is sent to the identified server to request the state information of its service port. After receiving the TCP-SYN packet, the identified server returns a response packet containing information that reflects the state of the service port corresponding to the service port parameter; this response packet is received and parsed to obtain the state of the service port. Because the data structure of the TCP-SYN packet is itself compact, and because, unlike service port identification over the Telnet protocol, no session needs to be established, the number of processing steps in service port identification is reduced. The method can cope with firewalls that block TCP sessions, performs application service discovery as broadly as possible, and effectively controls the data load, thereby solving the problem of low application service recognition efficiency and achieving the effect of improving the efficiency of application service identification.
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions. Those skilled in the art should understand, however, that the invention is not limited by the order of actions described, because according to the invention some steps may be performed in another order or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the invention.
In the above embodiments, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, refer to the related description of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed device may be implemented in other ways. For example, the device embodiments described above are merely illustrative. The division into units is only a division by logical function; in an actual implementation there may be other ways of dividing them. For example, several units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the couplings, direct couplings or communication connections shown or discussed may pass through some interfaces, and the indirect couplings or communication connections between devices or units may be electrical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the scheme of this embodiment.
In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical scheme of the invention in essence, or the part of it that contributes over the prior art, or all or part of the technical scheme, may be embodied in the form of a software product. This computer software product is stored in a storage medium and comprises a number of instructions that cause a computer device (which may be a personal computer, a mobile terminal, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, read-only memory (ROM), random access memory (RAM), a portable hard drive, a magnetic disk or an optical disc.
The foregoing are only preferred embodiments of the invention and do not limit the invention; for those skilled in the art, the invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (11)

1. A port state recognition method, characterized by comprising:
acquiring a pre-built TCP-SYN packet, the TCP-SYN packet comprising a first MAC address and a service port parameter, wherein the first MAC address is the MAC address of an identified server, and the service port parameter is the parameter corresponding to a service port of the identified server;
sending the TCP-SYN packet to the server corresponding to the first MAC address, wherein the server corresponding to the first MAC address returns a response packet after receiving the TCP-SYN packet, the response packet comprising information reflecting the state of the service port corresponding to the service port parameter;
receiving the response packet returned by the server corresponding to the first MAC address; and
parsing the returned response packet to obtain the state of the service port corresponding to the service port parameter.
2. The port state recognition method according to claim 1, characterized in that the TCP-SYN packet comprises a second MAC address, wherein
a first server sends the TCP-SYN packet to the server corresponding to the first MAC address; and
a second server receives the response packet returned by the server corresponding to the first MAC address, wherein the first server and the second server are different servers, and the second MAC address is the MAC address of the second server.
3. The port state recognition method according to claim 1, characterized in that sending the TCP-SYN packet to the server corresponding to the first MAC address comprises:
starting a packet sending thread, the packet sending thread being used for address-spray sending of packets;
calling a WinPcap plug-in from the packet sending thread; and
sending the TCP-SYN packet through the WinPcap plug-in to the server corresponding to the first MAC address.
4. The port state recognition method according to claim 1, characterized in that the TCP-SYN packet further comprises a first IP address, a second MAC address and a second IP address, wherein the first IP address is that of the identified server, the second MAC address is the MAC address of the server that receives the response packet, and the second IP address is the IP address of the server that receives the response packet, and in that, before the pre-built TCP-SYN packet is acquired, the port state recognition method further comprises:
acquiring the first IP address, the second MAC address, the second IP address and the service port parameter;
acquiring the first MAC address; and
building the TCP-SYN packet with the first IP address, the second MAC address, the second IP address, the service port parameter and the first MAC address as formal parameters.
5. The port state recognition method according to claim 4, characterized in that acquiring the first MAC address comprises:
building an ARP packet with the first IP address, the second MAC address and the second IP address as formal parameters;
sending the ARP packet to the server corresponding to the first IP address, wherein the server corresponding to the first IP address returns an address response packet after receiving the ARP packet, the address response packet being a response packet that contains the first MAC address; and
parsing the first MAC address out of the address response packet.
6. A port state recognition device, characterized by comprising:
a first acquiring unit for acquiring a pre-built TCP-SYN packet, the TCP-SYN packet comprising a first MAC address and a service port parameter, wherein the first MAC address is the MAC address of an identified server, and the service port parameter is the parameter corresponding to a service port of the identified server;
a sending unit for sending the TCP-SYN packet to the server corresponding to the first MAC address, wherein the server corresponding to the first MAC address returns a response packet after receiving the TCP-SYN packet, the response packet comprising information reflecting the state of the service port corresponding to the service port parameter;
a receiving unit for receiving the response packet returned by the server corresponding to the first MAC address; and
a parsing unit for parsing the response packet to obtain the state of the service port corresponding to the service port parameter.
7. The port state recognition device according to claim 6, characterized in that the TCP-SYN packet comprises a second MAC address, wherein
the sending unit comprises a first sending module for causing a first server to send the TCP-SYN packet to the server corresponding to the first MAC address, and
the receiving unit comprises a receiving module for causing a second server to receive the response packet returned by the server corresponding to the first MAC address, wherein the first server and the second server are different servers, and the second MAC address is the MAC address of the second server.
8. The port state recognition device according to claim 6, characterized in that the sending unit comprises:
a starting module for starting a packet sending thread, the packet sending thread being used for address-spray sending of packets;
a calling module for calling a WinPcap plug-in from the packet sending thread; and
a second sending module for sending the TCP-SYN packet through the WinPcap plug-in to the server corresponding to the first MAC address.
9. The port state recognition device according to claim 6, characterized in that the TCP-SYN packet further comprises a first IP address, a second MAC address and a second IP address, wherein the first IP address is that of the identified server, the second MAC address is the MAC address of the server that receives the response packet, and the second IP address is the IP address of the server that receives the response packet, and in that the port state recognition device further comprises:
a second acquiring unit for acquiring the first IP address, the second MAC address, the second IP address and the service port parameter before the pre-built TCP-SYN packet is acquired;
a third acquiring unit for acquiring the first MAC address; and
a building unit for building the TCP-SYN packet with the first IP address, the second MAC address, the second IP address, the service port parameter and the first MAC address as formal parameters.
10. The port state recognition device according to claim 9, characterized in that the third acquiring unit comprises:
a building module for building an ARP packet with the first IP address, the second MAC address and the second IP address as formal parameters;
a third sending module for sending the ARP packet to the server corresponding to the first IP address, wherein the server corresponding to the first IP address returns an address response packet after receiving the ARP packet, the address response packet being a response packet that contains the first MAC address; and
a parsing module for parsing the first MAC address out of the address response packet.
11. A port state recognition system, characterized by comprising a first identifier, a second identifier and an identified server, the first identifier and the second identifier being different servers, wherein
the first identifier is configured to acquire a pre-built TCP-SYN packet and send the TCP-SYN packet to the identified server, wherein the TCP-SYN packet comprises a first MAC address and a service port parameter, the first MAC address is the MAC address of the identified server, and the service port parameter is the parameter corresponding to a service port of the identified server;
the identified server is configured to receive the TCP-SYN packet and return a response packet to the second identifier, the response packet comprising information reflecting the state of the service port corresponding to the service port parameter; and
the second identifier is configured to receive the response packet returned by the identified server and parse the returned response packet to obtain the state of the service port corresponding to the service port parameter.
CN201410367580.8A 2014-07-29 2014-07-29 Port state recognition method, device and system Pending CN104113553A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410367580.8A CN104113553A (en) 2014-07-29 2014-07-29 Port state recognition method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410367580.8A CN104113553A (en) 2014-07-29 2014-07-29 Port state recognition method, device and system

Publications (1)

Publication Number Publication Date
CN104113553A true CN104113553A (en) 2014-10-22

Family

ID=51710186

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410367580.8A Pending CN104113553A (en) 2014-07-29 2014-07-29 Port state recognition method, device and system

Country Status (1)

Country Link
CN (1) CN104113553A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105119912A (en) * 2015-08-06 2015-12-02 上海斐讯数据通信技术有限公司 Port anti-scanning method, system and electronic device
CN106713284A (en) * 2016-12-02 2017-05-24 国网浙江省电力公司电力科学研究院 Industrial control security testing system, and industrial control system
CN109756512A (en) * 2019-02-14 2019-05-14 深信服科技股份有限公司 A kind of flow application recognition methods, device, equipment and storage medium
CN110830325A (en) * 2019-11-05 2020-02-21 北京云杉世纪网络科技有限公司 Adaptive network bypass path network flow direction speculation method and system
CN112422481A (en) * 2019-08-22 2021-02-26 华为技术有限公司 Trapping method, system and forwarding equipment for network threats
CN113542035A (en) * 2021-08-04 2021-10-22 四川英得赛克科技有限公司 Service port identification method and system
CN114760232A (en) * 2022-04-14 2022-07-15 和中通信科技有限公司 Method for rapidly identifying TCP port opened by host

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080263666A1 (en) * 2007-04-23 2008-10-23 Susann Marie Keohane Method and apparatus for detecting port scans with fake source address
CN101902349A (en) * 2009-05-27 2010-12-01 北京启明星辰信息技术股份有限公司 Method and system for detecting scanning behaviors of ports
CN103220161A (en) * 2012-01-18 2013-07-24 深圳市腾讯计算机系统有限公司 Method and device for detecting server status
CN103561048A (en) * 2013-09-02 2014-02-05 北京东土科技股份有限公司 Method for determining TCP port scanning and device thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Li Shujun: "Research on Reflective TCP Port Scanning Technology", Network Security Technology & Application *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105119912A (en) * 2015-08-06 2015-12-02 上海斐讯数据通信技术有限公司 Port anti-scanning method, system and electronic device
CN106713284A (en) * 2016-12-02 2017-05-24 国网浙江省电力公司电力科学研究院 Industrial control security testing system, and industrial control system
CN109756512A (en) * 2019-02-14 2019-05-14 深信服科技股份有限公司 Traffic application identification method, device, equipment and storage medium
CN109756512B (en) * 2019-02-14 2021-08-13 深信服科技股份有限公司 Traffic application identification method, device, equipment and storage medium
CN112422481A (en) * 2019-08-22 2021-02-26 华为技术有限公司 Trapping method, system and forwarding equipment for network threats
CN112422481B (en) * 2019-08-22 2021-10-26 华为技术有限公司 Trapping method, system and forwarding equipment for network threats
CN110830325A (en) * 2019-11-05 2020-02-21 北京云杉世纪网络科技有限公司 Adaptive network bypass path network flow direction speculation method and system
CN110830325B (en) * 2019-11-05 2021-05-14 北京云杉世纪网络科技有限公司 Adaptive network bypass path network flow direction speculation method and system
CN113542035A (en) * 2021-08-04 2021-10-22 四川英得赛克科技有限公司 Service port identification method and system
CN114760232A (en) * 2022-04-14 2022-07-15 和中通信科技有限公司 Method for rapidly identifying TCP port opened by host

Similar Documents

Publication Publication Date Title
CN104113553A (en) Port state recognition method, device and system
CN110113345B (en) Automatic asset discovery method based on flow of Internet of things
Tweneboah-Koduah et al. Cyber security threats to IoT applications and service domains
CN107135093B (en) Internet of things intrusion detection method and detection system based on finite automaton
CN101425938B (en) Method and apparatus for network apparatus test
CN105577496B (en) The system that a kind of home gateway identifies access device type using cloud platform
KR101888831B1 (en) Apparatus for collecting device information and method thereof
KR20180136521A (en) Data stream analytics at the service layer
CN111796858A (en) Method, system and related equipment for access detection of application programs in Kubernetes cluster
CN103051617A (en) Method, device and system for identifying network behaviors of program
CN111709009A (en) Detection method and device for networked industrial control system, computer equipment and medium
US8472420B2 (en) Gateway device
CN105554179A (en) DNS resolution method and system in local area network, Openflow switch and controller
GB2553784A (en) Management of log data in electronic devices
US10097418B2 (en) Discovering network nodes
CN107277011B (en) Data classification method and device for terminal equipment
CN103067360B (en) Program network Activity recognition method and system
CN102724068A (en) Method for identifying audit log asset in internet protocol version 6 (IPv6) mixed network
CN105577453A (en) System and method for realizing application test of mobile terminals
KR20070079860A (en) System and method for managing plural element by public internet protocol
Xu et al. FIoTFuzzer: Response-based black-box fuzzing for IoT devices
CN105827468B (en) Network performance method for real-time monitoring
CN110830454A (en) Security equipment detection method for realizing TCP protocol stack information leakage based on ALG protocol
KR102159299B1 (en) Automatic Target Recognition And Screening System For Security Vulnerability Check and Its Method
US11792093B2 (en) Generating network system maps based on network traffic

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20141022