CN105337797B - A kind of sophisticated electronic information systems internetting protocol data catching method - Google Patents
A kind of sophisticated electronic information systems internetting protocol data catching method Download PDFInfo
- Publication number
- CN105337797B CN105337797B CN201510665851.2A CN201510665851A CN105337797B CN 105337797 B CN105337797 B CN 105337797B CN 201510665851 A CN201510665851 A CN 201510665851A CN 105337797 B CN105337797 B CN 105337797B
- Authority
- CN
- China
- Prior art keywords
- data
- protocol
- protocol data
- internet protocol
- capture
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/04—Processing captured monitoring data, e.g. for logfile generation
Landscapes
- Engineering & Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A kind of sophisticated electronic information network protocol data catching method, it is related to a kind of sophisticated electronic information network protocol data capture technique, in order to solve the problems, such as that internal system transmission information is difficult to directly monitoring in current sophisticated electronic information system debugging and operational process.The capture data procedures of data capture method of the present invention are to establish protocol filtering template, log-on data filtering, capture and buffer network data, data extraction, agreement matching treatment, protocol element data to show.Beneficial effects of the present invention are to realize to capture internal system high speed Ethernet data protocol unit rank, realize the transformation that data packet is clipped to protocol element rank from data cell grade, it solves the problems, such as that current Network Data Capturing tool is only capable of providing the capture of data cell rank and influencing system monitoring efficiency, is suitable for surface ship combat system field adjustable.
Description
Technical field
The present invention relates to a kind of sophisticated electronic information network protocol data capture techniques.
Background technique
Network acquisition technology is that bottom data is obtained from network, is reached by analyzing these data to network state progress
The purpose of monitoring.In the normal mode, the data packet that network interface card often receives an arrival will check the destination of the data packet
Location.If it is the machine address and broadcast address, then received data packet is put into buffer area, the data packet of other purposes address is then straight
It connects and loses.Therefore, host only handles the data packet for the purpose of the machine under normal mode.Under promiscuous mode, network interface card is to all
The data received are all reported to operating system, and operating system directly accesses data link layer capture related data.In this way
All data for flowing through network interface card can be captured.Network Data Capturing must utilize the promiscuous mode of network interface card, obtain by this
All data informations of network segment.
WinPcap (Windows Packet Capture) is that free, the public network of one under windows platform is visited
Ask system, based on design is developed on the basis of Libpcap, major function is exactly to capture to network packet.It is capturing
When data packet, system model setting or Function Extension can be carried out to WinPcap, limitation captures object or the specific data of filtering
Packet is analyzed the essential information inside simultaneously read data packet, or is analyzed the flow of network, the detection of network intrusions, net
The monitoring etc. of network safety.
Inside the sophisticated electronics information system such as aircraft avionics system and Shipborne Combat System, the information between each unit is passed
It is defeated to be realized with the agreement packet form for meeting specific format by high speed Ethernet.Although the Ethernet data based on WinPcap is caught
The method of obtaining has extensive application, but the above method is only able to achieve the capture of data cell rank, is extremely unfavorable for system use
Personnel are monitored the content (usually protocol format) of internal transmission information, and then influence identification and the place of the system failure
Reason.To realize to the real-time monitoring for exchanging information between sophisticated electronic information system internal element, in available data unit rank
Capture on the basis of realize that the capture of protocol element rank is even more important, therefore there is an urgent need to one kind based on being directed to complicated electricity
The Network Data Capturing method of sub-information system.
Summary of the invention
The purpose of the present invention is to solve internal systems in the debugging of current sophisticated electronic information system and operational process to pass
The problem of defeated information is difficult to directly monitoring proposes a kind of sophisticated electronic information network protocol data catching method.
A kind of specific steps of sophisticated electronic information network protocol data catching method of the present invention are as follows:
Step 1: establishing protocol filtering template;
What the protocol filtering template was established in a manner of writing XML file manually;The protocol filtering template is specific
Format is as follows:
The XML file is extensible markup language document;
Step 2: the filter condition identified according to the protocol filtering templated synthesis of foundation based on WinPcap;
The specific steps packet of the protocol filtering templated synthesis according to foundation based on the WinPcap filter condition identified
It includes:
Step 2 one, first record for obtaining protocol filtering template;
Step 2 two reads source IP address, and filter condition is added;
Step 2 three reads source port, connects rapid 22 obtained filter conditions with and;
Step 2 four reads target ip address, connects rapid 23 obtained filter conditions with and;
Step 2 five reads target port, the filter condition obtained with and Connection Step two or four;
Step 2 six reads transport-type, the filter condition obtained with and Connection Step two or five;
Whether step 2 seven judges to determine that result is "Yes" there are also other records having not been obtained in protocol filtering template, hold
Row step 2 eight;Determine that result is "No", thens follow the steps 20;
Step 2 eight, with the filter condition of or Connection Step two or six;
Step 2 nine obtains protocol filtering template lower record, then returns to step two or two;
Step 20: output final filtration condition;
" and " operator indicates only to meet the Internet protocol data energy that all conditions are recorded in protocol filtering template
It is enough captured;
" or " operator indicates to meet the Internet protocol data recorded in any one protocol filtering template all will be by
Capture;
Step 3: the filter condition based on WinPcap, carries out the Internet protocol data capture using multithread mode;And it will
The Internet protocol data of capture is cached to buffer area set in protocol filtering template;
The described specific steps for carrying out the Internet protocol data capture using multithread mode include:
Step 3 one carries out the Internet protocol data capture using pcap_next_ex function, if the function return value is little
In 0, the Internet protocol data acquisition procedure is continued to execute;If the function return value is greater than 0, goes to step 3 two and carry out network association
Discuss data prediction;
The Internet protocol data is transmitted and is stored in the form of the Internet protocol data packet;
Step 3 two, the Internet protocol data packet content for reading capture, utilize the proto structure in the Internet protocol data packet
Parse transport-type therein;With parsing source IP therein respectively using saddr the and daddr structure in the Internet protocol data packet
Location and target ip address;
Step 3 three extracts corresponding frame originating point information according to the transport-type after parsing, from frame originating point information sport and
Dport structure elucidation source port therein and target port, and the Internet protocol data packet length is parsed according to frame originating point information;
Step 3 four, according to the transport-type, source IP address, Target IP parsed in step 3 two and step 3 three
Location, source port and target port synthesize keyword;
Step 3 five indexes corresponding to the keyword in protocol filtering template according to the keyword that step 3 four synthesizes
Record;
The buffering of step 3 six, this record for indexing the content copy for capturing the Internet protocol data into step 3 five
Area updates data cached length and each data packet length that this records;
Step 3 seven judges whether stopping the Internet protocol data acquisition procedure, and end is gone to if receiving halt instruction,
Otherwise it goes to step 3 one and continues the Internet protocol data capture;
The pcap_next_ex function is by the method for the WinPcap crawl the Internet protocol data provided, pcap_
The function of next_ex function is the reading the Internet protocol data content from network interface card or data APMB package;
Step 4: the Internet protocol data of buffer area is extracted under multithread mode;
The specific steps that the Internet protocol data for being cached to buffer area is extracted include:
Step 4 one takes out a record from protocol filtering template;
Step 4 two, the size for obtaining each data packet length array in this record;
Whether array size is greater than 0 in step 4 three, judgment step four or two, if it is greater than 0, goes to step 4 four;If
Array size is not more than 0, then goes to step 4 nine without buffer network protocol data in the record;
Step 4 four, the value for taking out each first element of data packet length array in this record;
Step 4 five, the Internet protocol data that preceding L byte is taken out from the buffer area that this records;
The Internet protocol data of step 4 six, the L byte taken out into agreement matching thread sending step four or five;
Step 4 seven deletes the Internet protocol data of L byte before the buffer area of this record, and will be behind buffer area
The Internet protocol data successively move forward L byte;
The data cached length that this records is subtracted L, and deletes each data packet length of this record by step 4 eight
The first element of array, goes to step 4 two;
Whether step 4 nine judges in protocol filtering template also comprising other records not taken out;Judging result is "Yes",
Then go to step 4 one;Judging result is "No", then goes to 40;
Step 4 ten terminates this buffer network protocol data extraction process;
The L is positive integer, and L≤500.
Step 5: the Internet protocol data extracted is carried out agreement matching treatment, the network protocol with extraction is determined
The communications protocol of Data Matching;
It is described that the Internet protocol data extracted is subjected to agreement matching treatment, determine the Internet protocol data with extraction
The method of matched communications protocol are as follows:
Utilize the feature progress of communications protocol in the feature and communications protocol queue of the Internet protocol data extracted
Match, determines communications protocol corresponding with the Internet protocol data extracted;
The describing mode of the feature of the communications protocol are as follows:
Described carries out agreement matching treatment for the Internet protocol data extracted, determines the network protocol number with extraction
Specific steps according to matched communications protocol include:
Step 5 one takes out a communications protocol from communications protocol queue;
Step 5 two, the data value for extracting first characteristic item of this communications protocol and agreement match the received network of thread
First element value of protocol data;
The data value of the characteristic item of extraction is compared by step 5 three with element value, if the data value of characteristic item with
Element value is equal, goes to step 5 four;If the data value of characteristic item is unequal with element value, step 5 six is gone to;
Step 5 four judges whether current signature item is the last one characteristic item of this communications protocol, if current signature
Item is not the last one characteristic item of this communications protocol, goes to step 5 five;If current signature item be this communications protocol most
Later feature item goes to step 5 seven;
Step 5 five extracts the next feature item data value of this communications protocol and the received network association of agreement matching thread
The next element value for discussing data, goes to step 5 three;
If including also other communications protocol that do not take out in step 5 six, communications protocol queue, step 5 one is gone to,
If not including other communications protocol that do not take out in communications protocol queue, step 5 seven is gone to;
If step 5 seven, all feature item data values are all equal with element value, this communications protocol successful match,
This communications protocol information is exported, if all feature item data values and element value not whole equal, this communications protocol
With failure.
Step 6: the protocol element format according to determining communications protocol shows the Internet protocol data.
The beneficial effects of the invention are as follows realizing to capture internal system high speed Ethernet data protocol unit rank, realize
Data packet is clipped to the transformation of protocol element rank from data cell grade, solves the debugging of sophisticated electronic information system and ran
The problem of internal system transmission information is difficult to directly monitoring in journey, has reached and has handed between sophisticated electronic information system internal element
The target of information real-time monitoring is changed, the system running state for system designer and user of service's monitoring specific format provides fastly
Prompt and intuitive approach.
Detailed description of the invention
Fig. 1 is that a kind of process of sophisticated electronic information network protocol data catching method described in specific embodiment one is shown
It is intended to;
Fig. 2 is the filtering that protocol filtering templated synthesis is identified based on WinPcap in step 2 described in specific embodiment three
The specific steps flow diagram of condition;
Fig. 3 is the tool for carrying out the Internet protocol data capture in step 3 described in specific embodiment four using multithread mode
Body steps flow chart schematic diagram;
Fig. 4 is the specific steps process for extracting the Internet protocol data of buffer area described in specific embodiment five
Schematic diagram;
Fig. 5 is the specific step determined described in specific embodiment seven with the matched communications protocol of the Internet protocol data extracted
Rapid flow diagram.
Specific embodiment
Specific embodiment 1: being illustrated with reference to Fig. 1 originally is embodiment, a kind of sophisticated electronic letter described in present embodiment
The Internet protocol data catching method is ceased, described method includes following steps:
Step 1: establishing protocol filtering template;
Step 2: the filter condition identified according to the protocol filtering templated synthesis of foundation based on WinPcap;
Step 3: the filter condition based on WinPcap, carries out the Internet protocol data capture using multithread mode;And it will
The Internet protocol data of capture is cached to buffer area set in protocol filtering template;
Step 4: the Internet protocol data of buffer area is extracted under multithread mode;
Step 5: the Internet protocol data extracted is carried out agreement matching treatment, the network protocol with extraction is determined
The communications protocol of Data Matching;
Step 6: the protocol element format according to determining communications protocol shows the Internet protocol data.
Specific embodiment 2: present embodiment is to a kind of sophisticated electronic information network described in specific embodiment one
Protocol data catching method further limits, in the present embodiment, in the step 1, the method for establishing protocol filtering template
Are as follows: it is established in a manner of writing XML file manually;The specific format of the protocol filtering template is as follows:
The XML file is extensible markup language document;
Inside sophisticated electronic information system, each unit has independent IP address information, the data transmitted between unit
Also there is different ports, therefore system operation can be set according to address specified in Interface Control File and port information
In protocol filtering condition be just captured so that meeting the data information of protocol filtering condition, to reach reduction processing network
The purpose of protocol data amount.
Specific embodiment 3: embodiment is described with reference to Fig. 2, present embodiment is to described in specific embodiment two
A kind of sophisticated electronic information network protocol data catching method further limit, in the present embodiment, in the step 2
Specific steps according to the protocol filtering templated synthesis of foundation based on the WinPcap filter condition identified include:
Step 2 one, first record for obtaining protocol filtering template;
The source IP address in record that step 2 two, reading obtain, is added filter condition;
Step 2 three reads source port, the filter condition obtained with and Connection Step two or two;
Step 2 four reads target ip address, the filter condition obtained with and Connection Step two or three;
Step 2 five reads target port, the filter condition obtained with and Connection Step two or four;
Step 2 six reads transport-type, the filter condition obtained with and Connection Step two or five;
Whether step 2 seven judges to determine that result is "Yes" there are also other records having not been obtained in protocol filtering template, hold
Row step 2 eight;Determine that result is "No", thens follow the steps 20;
Step 2 eight, the filter condition obtained with or Connection Step two or six;
Step 2 nine, next record for obtaining protocol filtering template, then return to step two or two;
Step 20: output final filtration condition;
" and " operator indicates only to meet the Internet protocol data energy that all conditions are recorded in protocol filtering template
It is enough captured;
" or " operator indicates to meet the Internet protocol data recorded in any one protocol filtering template all will be by
Capture.
After according to protocol filtering templated synthesis WinPcap filter condition, the pcap_compile letter in WinPcap is called
Filter condition after synthesis is compiled into WinPcap packet by number, finally pcap_setfilter function is called to make filter condition
It comes into force.The above process was provided as address specified in sophisticated electronic information system interface control file and port information
Filter condition is embedded in WinPcap, to achieve the purpose that data preliminary screening;
The filter condition is temporarily stored with character string mode.
Specific embodiment 4: embodiment is described with reference to Fig. 3, present embodiment is to described in specific embodiment three
A kind of sophisticated electronic information network protocol data catching method further limit, in the present embodiment, in the step 3
Include: using the specific steps that multithread mode carries out the Internet protocol data capture
Step 3 one carries out the Internet protocol data capture using pcap_next_ex function, if the function return value is little
In 0, the Internet protocol data acquisition procedure is continued to execute;If the function return value is greater than 0, goes to step 3 two and carry out network association
Discuss data prediction;
The Internet protocol data is transmitted in the form of the Internet protocol data packet;
Step 3 two, the Internet protocol data packet content for reading capture, utilize the proto structure in the Internet protocol data packet
Parse transport-type therein;With parsing source IP therein respectively using saddr the and daddr structure in the Internet protocol data packet
Location and target ip address;
Step 3 three extracts corresponding frame originating point information according to the transport-type after parsing, from frame originating point information sport and
Dport structure elucidation source port therein and target port, and the Internet protocol data packet length is parsed according to frame originating point information;
Step 3 four, according to the transport-type, source IP address, Target IP parsed in step 3 two and step 3 three
Location, source port and target port synthesize keyword;
Step 3 five indexes corresponding to the keyword in protocol filtering template according to the keyword that step 3 four synthesizes
Record;
The buffering of step 3 six, this record for indexing the content copy for capturing the Internet protocol data into step 3 five
Area updates data cached length and each data packet length that this records;
Step 3 seven judges whether stopping the Internet protocol data acquisition procedure, and end is gone to if receiving halt instruction,
Otherwise it goes to step 3 one and continues the Internet protocol data capture.
The pcap_next_ex function is by the method for the WinPcap crawl the Internet protocol data provided, pcap_
The function of next_ex function is the reading the Internet protocol data content from network interface card or the Internet protocol data file.
Specific embodiment 5: embodiment is described with reference to Fig. 4, present embodiment is to described in specific embodiment four
A kind of sophisticated electronic information network protocol data catching method further limit, in the present embodiment, the data mention
It takes using the data cached extraction mechanism under multithread mode;When being consumed due to data handling procedure and agreement matching process
Between it is longer, to prevent the above process from influencing data capture and appearance the case where cause loss of data, using under multithread mode
Data cached extraction mechanism, by improving efficiency data capture and the independent method for the treatment of process, reduce loss of data can
It can property;In the step 4, under multithread mode, specific steps packet that the Internet protocol data of buffer area is extracted
It includes:
Step 4 one takes out a record from protocol filtering template;
Step 4 two, the size for obtaining each data packet length array in this record;
Whether array size is greater than 0 in step 4 three, judgment step four or two, if it is greater than 0, goes to step 4 four;If
Array size is not more than 0, then goes to step 4 nine without buffer network protocol data in the record;
Step 4 four, the value for taking out the first element of each data packet length array in this record;
Step 4 five, the Internet protocol data that preceding L byte is taken out from the buffer area that this records;
The Internet protocol data of step 4 six, the L byte taken out into agreement matching thread sending step four or five, is realized
The extraction of the Internet protocol data;
Step 4 seven deletes the Internet protocol data of L byte before the buffer area of this record, and will be behind buffer area
The Internet protocol data successively move forward L byte;
The data cached length that this records is subtracted L, and deletes each data packet length of this record by step 4 eight
The first element of array, goes to step 4 two;
Whether step 4 nine judges in protocol filtering template also comprising other records not taken out;Judging result is "Yes",
Then go to step 4 one;Judging result is "No", then goes to 40;
Step 4 ten terminates this buffer network protocol data extraction process;
The L is positive integer, and L≤500.
Specific embodiment 6: present embodiment is to a kind of sophisticated electronic information network described in specific embodiment five
Protocol data catching method further limits, in the present embodiment, in the step 5, the network protocol number that will extract
According to agreement matching treatment is carried out, the method with the matched communications protocol of the Internet protocol data extracted is determined are as follows:
Utilize the feature progress of communications protocol in the feature and communications protocol queue of the Internet protocol data extracted
Match, determines communications protocol corresponding with the Internet protocol data extracted;
The describing mode of the feature of the communications protocol are as follows:
After data cached proposition thread matches the taken out data of thread transmission by step 4 six-way agreement, agreement
With processing thread, data carry out agreement matching treatment based on the received, and the matched target of agreement is searched according to the data packet of capture
It can be by the information captured according to protocol element data pattern after corresponding agreement, protocol characteristic and the success of data packet characteristic matching
Carry out synthesis display.
Specific embodiment 7: embodiment is described with reference to Fig.5, present embodiment is to described in specific embodiment six
A kind of sophisticated electronic information network protocol data catching method further limit, in the present embodiment, in the step 5,
The Internet protocol data extracted is subjected to agreement matching treatment, determines and is assisted with the matched communication of the Internet protocol data extracted
The specific steps of view include:
Step 5 one takes out a communications protocol from communications protocol queue;
Step 5 two, the data value for extracting first characteristic item of this communications protocol and agreement match the received network of thread
First element value of protocol data;
The data value of the characteristic item of extraction is compared by step 5 three with element value, if the data value of characteristic item with
Element value is equal, goes to step 5 four;If the data value of characteristic item is unequal with element value, step 5 six is gone to;
Step 5 four judges whether current signature item is the last one characteristic item of this communications protocol, if current signature
Item is not the last one characteristic item of this communications protocol, goes to step 5 five;If current signature item be this communications protocol most
Later feature item goes to step 5 seven;
Step 5 five extracts the next feature item data value of this communications protocol and the received network association of agreement matching thread
The next element value for discussing data, goes to step 5 three;
If including also other communications protocol that do not take out in step 5 six, communications protocol queue, step 5 one is gone to,
If not including other communications protocol that do not take out in communications protocol queue, step 5 seven is gone to;
If step 5 seven, all feature item data values are all equal with element value, this communications protocol successful match,
This communications protocol information is exported, if all feature item data values and element value not whole equal, this communications protocol
With failure.
Specific embodiment 8: present embodiment is to a kind of sophisticated electronic information network described in specific embodiment seven
Protocol data catching method further limits, and in the present embodiment, the protocol element format is as follows:
The sophisticated electronic information systems internetting protocol data catching method is combined by WinPcap with agreement matching
Mechanism the capture of protocol element rank can be realized on the basis of available data unit rank captures, to reach to complicated electricity
The target that information real-time monitoring is exchanged between sub-information internal system unit is that system designer and user of service monitor system
Operating status provides quick and intuitive approach.
Claims (5)
1. a kind of sophisticated electronic information systems internetting protocol data catching method, described method includes following steps:
Step 1: establishing protocol filtering template;
Step 2: the filter condition identified according to the protocol filtering templated synthesis of foundation based on WinPcap;
Step 3: the filter condition based on WinPcap, carries out the Internet protocol data capture using multithread mode;And it will capture
The Internet protocol data be cached in protocol filtering template set buffer area;
Step 4: the Internet protocol data of buffer area is extracted under multithread mode;
Step 5: the Internet protocol data extracted is carried out agreement matching treatment, the Internet protocol data with extraction is determined
Matched communications protocol;
Step 6: the protocol element format according to determining communications protocol shows the Internet protocol data;
In the step 1, the method for establishing protocol filtering template are as follows: established in a manner of writing XML file manually;It is described
The specific format of protocol filtering template is as follows:
The XML file is extensible markup language document;
Protocol filtering templated synthesis in the step 2 according to foundation is based on the specific steps of the WinPcap filter condition identified
Include:
Step 2 one, first record for obtaining protocol filtering template;
The source IP address in record that step 2 two, reading obtain, is added filter condition;
Step 2 three reads source port, the filter condition obtained with and Connection Step two or two;
Step 2 four reads target ip address, the filter condition obtained with and Connection Step two or three;
Step 2 five reads target port, the filter condition obtained with and Connection Step two or four;
Step 2 six reads transport-type, the filter condition obtained with and Connection Step two or five;
Whether step 2 seven judges to determine that result is "Yes" there are also other records having not been obtained in protocol filtering template, execute step
Rapid sixteen;Determine that result is "No", thens follow the steps 20;
Step 2 eight, the filter condition obtained with or Connection Step two or six;
Step 2 nine, next record for obtaining protocol filtering template, then return to step two or two;
Step 20: output final filtration condition;
" and " operator indicate only to meet the Internet protocol datas of all conditions is recorded in protocol filtering template can be by
Capture;
" or " the operator expression, which meets the Internet protocol data recorded in any one protocol filtering template, will all be captured;
It is characterized in that, including: using the specific steps that multithread mode carries out the Internet protocol data capture in the step 3
Step 3 one carries out the Internet protocol data capture using pcap_next_ex function, if the function return value is not more than 0,
Continue to execute the Internet protocol data acquisition procedure;If the function return value is greater than 0, goes to step 3 two and carry out network protocol number
Data preprocess;
The Internet protocol data is transmitted in the form of the Internet protocol data packet;
Step 3 two, the Internet protocol data packet content for reading capture, utilize the proto structure elucidation in the Internet protocol data packet
Transport-type therein;Using saddr the and daddr structure in the Internet protocol data packet parse respectively source IP address therein and
Target ip address;
Step 3 three extracts corresponding frame originating point information according to the transport-type after parsing, from frame originating point information sport and
Dport structure elucidation source port therein and target port, and the Internet protocol data packet length is parsed according to frame originating point information;
Step 3 four, according to the transport-type, source IP address, target ip address, source parsed in step 3 two and step 3 three
Port and target port synthesize keyword;
Step 3 five indexes note corresponding to the keyword according to the keyword that step 3 four synthesizes in protocol filtering template
Record;
The buffer area of step 3 six, this record for indexing the content copy for capturing data into step 3 five, updates this
The data cached length of record and each data packet length;
Step 3 seven judges whether stopping the Internet protocol data acquisition procedure, end is gone to if receiving halt instruction, otherwise
It goes to step 3 one and continues the Internet protocol data capture.
2. a kind of sophisticated electronic information systems internetting protocol data catching method according to claim 1, which is characterized in that
In the step 4, under multithread mode, include: by the specific steps that the Internet protocol data of buffer area extracts
Step 4 one takes out a record from protocol filtering template;
Step 4 two, the size for obtaining each data packet length array in this record;
Whether array size is greater than 0 in step 4 three, judgment step four or two, if it is greater than 0, goes to step 4 four;If array
Size is not more than 0, then goes to step 4 nine without buffer network protocol data in the record;
Step 4 four, the value for taking out the first element of each data packet length array in this record;
Step 4 five, the Internet protocol data that preceding L byte is taken out from the buffer area that this records;
The Internet protocol data of step 4 six, the L byte taken out into agreement matching thread sending step four or five, realizes network
The extraction of protocol data;
Step 4 seven, by the Internet protocol data deletion of L byte before the buffer area of this record, and by the subsequent net in buffer area
Network protocol data successively moves forward L byte;
The data cached length that this records is subtracted L, and deletes each data packet length array of this record by step 4 eight
First element, go to step 4 two;
Whether step 4 nine judges in protocol filtering template also comprising other records not taken out;Judging result is "Yes", then turns
To step 4 one;Judging result is "No", then goes to 40;
Step 4 ten terminates this buffer network protocol data extraction process;
The L is positive integer, and L≤500.
3. a kind of sophisticated electronic information systems internetting protocol data catching method according to claim 2, which is characterized in that
In the step 5, the Internet protocol data extracted is subjected to agreement matching treatment, determines the network protocol number with extraction
According to the method for matched communications protocol are as follows:
It is matched using the feature of the Internet protocol data extracted with the feature of communications protocol in communications protocol queue, really
Fixed communications protocol corresponding with the Internet protocol data extracted;
The describing mode of the feature of the communications protocol are as follows:
4. a kind of sophisticated electronic information systems internetting protocol data catching method according to claim 3, which is characterized in that
In the step 5, the Internet protocol data extracted is subjected to agreement matching treatment, determines the network protocol number with extraction
Specific steps according to matched communications protocol include:
Step 5 one takes out a communications protocol from communications protocol queue;
Step 5 two, the data value for extracting first characteristic item of this communications protocol and agreement match thread institute receiving network protocol
First element value of data;
The data value of the characteristic item of extraction is compared by step 5 three with element value, if the data value and element of characteristic item
It is worth equal, goes to step 5 four;If the data value of characteristic item is unequal with element value, step 5 six is gone to;
Step 5 four judges whether current signature item is the last one characteristic item of this communications protocol, if current signature item is not
It is the last one characteristic item of this communications protocol, goes to step 5 five;If current signature item be this communications protocol last
A characteristic item goes to step 5 seven;
Step 5 five extracts the next feature item data value of this communications protocol and agreement matching thread institute receiving network protocol number
According to next element value, go to step 5 three;
If including also other communications protocol that do not take out in step 5 six, communications protocol queue, step 5 one is gone to, if
Do not include other communications protocol that do not take out in communications protocol queue, then goes to step 5 seven;
If step 5 seven, all feature item data values are all equal with element value, this communications protocol successful match, output
This communications protocol information, if all feature item data values are not all equal with element value, the matching of this communications protocol is lost
It loses.
5. a kind of sophisticated electronic information systems internetting protocol data catching method according to claim 1 or 4, feature exist
In protocol element format is as follows: in the step 6
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510665851.2A CN105337797B (en) | 2015-10-15 | 2015-10-15 | A kind of sophisticated electronic information systems internetting protocol data catching method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510665851.2A CN105337797B (en) | 2015-10-15 | 2015-10-15 | A kind of sophisticated electronic information systems internetting protocol data catching method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105337797A CN105337797A (en) | 2016-02-17 |
| CN105337797B true CN105337797B (en) | 2018-12-11 |
Family
ID=55288109
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510665851.2A Active CN105337797B (en) | 2015-10-15 | 2015-10-15 | A kind of sophisticated electronic information systems internetting protocol data catching method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105337797B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106254034B (en) * | 2016-08-08 | 2019-12-13 | 山东大学 | Working method of network protocol of ARM-based parameter identification system |
| CN107360051B (en) * | 2016-09-30 | 2021-06-15 | 成都科来软件有限公司 | Method and device for controlling analysis switch of multiple different network protocols |
| CN112311717B (en) * | 2019-07-24 | 2022-08-23 | 腾讯科技(深圳)有限公司 | Network data recovery method and device, storage medium and computer equipment |
| CN115037610B (en) * | 2022-04-24 | 2023-09-22 | 浙江清捷智能科技有限公司 | Automatic configuration system and automatic configuration method |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103873285A (en) * | 2012-12-18 | 2014-06-18 | 河南省电力公司郑州供电公司 | Unified information network management platform |
-
2015
- 2015-10-15 CN CN201510665851.2A patent/CN105337797B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103873285A (en) * | 2012-12-18 | 2014-06-18 | 河南省电力公司郑州供电公司 | Unified information network management platform |
Non-Patent Citations (4)
| Title |
|---|
| 基于WinPcap的数据包捕获系统的设计与实现;郭凯;《中国优秀硕士学位论文全文数据库(电子期刊)(信息科技辑)》;20150215;I138-425 * |
| 基于WinPcap的网络协议分析系统的设计与实现;鲁晓帆,孙卫佳,付双胜;《沈阳师范大学学报(自然科学版)》;20101031;第28卷(第4期);514-516 * |
| 基于Winpcap的网络嗅探程序设计;庄春兴,彭奇志;《计算机与现代化》;20020531;11-13 * |
| 基于winpcap的网络监控系统的设计与实现;费绍敏,龚晓峰,李宾,卢海峰;《通信技术》;20091130;第42卷(第11期);206-210 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105337797A (en) | 2016-02-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105337797B (en) | A kind of sophisticated electronic information systems internetting protocol data catching method | |
| US20220368703A1 (en) | Method and device for detecting security based on machine learning in combination with rule matching | |
| TWI477106B (en) | System and method for line-rate application recognition integrated in a switch asic | |
| CN107733851A (en) | DNS tunnels Trojan detecting method based on communication behavior analysis | |
| CN110401624A (en) | The detection method and system of source net G system mutual message exception | |
| CN107404400A (en) | A kind of network situation awareness implementation method and device | |
| CN106372606A (en) | Target object information generation method and unit identification method and unit and system | |
| CN103067218B (en) | A kind of express network packet content analytical equipment | |
| CN113259313A (en) | Malicious HTTPS flow intelligent analysis method based on online training algorithm | |
| CN107426049A (en) | A kind of network traffics accurate detecting method, equipment and storage medium | |
| CN107995226A (en) | A kind of device-fingerprint recognition methods based on passive flux | |
| AU2014236179A1 (en) | System and method for extracting and preserving metadata for analyzing network communications | |
| CN101605074A (en) | The method and system of communication behavioural characteristic monitoring wooden horse Network Based | |
| CN107360145A (en) | A kind of multinode honey pot system and its data analysing method | |
| CN109309626A (en) | A kind of high-speed network data packet capturing shunting and caching method based on DPDK | |
| CN106685984A (en) | Network threat analysis system and method based on data pocket capture technology | |
| CN106161395A (en) | A kind of prevent the method for Brute Force, Apparatus and system | |
| CN109525572A (en) | A kind of internet site safety monitoring guard system and method | |
| CN103248606A (en) | Network virus detection method and system for IPv4 (Internet Protocol Version 4) and IPv6 (Internet Protocol Version 6) | |
| CN106027497A (en) | DDoS (Distributed Denial of Service) tracing and source end filtering method oriented to SDN (Software Defined Networking) and based on OpenFlow-DPM | |
| CN114091602A (en) | SSR flow identification system and method based on machine learning | |
| CN106789728A (en) | A kind of voip traffic real-time identification method based on NetFPGA | |
| CN105812346B (en) | A kind of data interactive method of serial equipment and ethernet device | |
| CN110225062A (en) | A kind of method and apparatus monitoring network attack | |
| CN106713351A (en) | Secure communication method and device based on serial server |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |