CN105656730A - Network application quick discovery method and system based on TCP data packet - Google Patents
- Publication number: CN105656730A
- Application number: CN201610225633.1A
- Authority: CN (China)
- Prior art keywords: network, application, information, source, detector
- Legal status: Pending (the listed status is an assumption, not a legal conclusion)
Classifications
All classes fall under H04L (transmission of digital information, e.g. telegraphic communication):
- H04L43/18 Protocol analysers (under H04L43/00, arrangements for monitoring or testing data switching networks)
- H04L69/163 In-band adaptation of TCP data exchange; in-band control procedures (under H04L69/16, implementation or adaptation of IP, TCP or UDP)
- H04L69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7] (under H04L69/32, architecture of OSI 7-layer type protocol stacks)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a network application quick discovery method and system based on TCP data packets. The method comprises the following steps: connecting a network packet capturer to a switch mirror port to capture network packets; parsing the TCP packets among the captured network packets, preliminarily analyzing the protocol in use and obtaining the TCP information; storing the obtained TCP information in a local database; having an application analyzer, working in multi-threaded mode, generate application matching feature strings from the collected application protocol feature database and quickly analyze the type of the captured application; having a detector use the application protocol feature strings, according to the TCP information, to detect specific network devices; and, for network protocol data that cannot be matched for the time being, performing a trace analysis of the target IP and storing the feature values obtained from the analysis result in the application protocol feature database. The invention solves the problem that supervision of network applications is untimely and incomplete, helps network administrators manage the network, and can be widely applied in network management products.
Description
Technical field
The present invention relates to the field of network technology, and specifically to a network application quick discovery method and system based on TCP data packets.
Background technology
At present, with the rapid development of computer network communication, the hardware and software service types found in networks are also developing rapidly. For network administrators, supervising the state of application devices and the content of applications requires the help of a real-time, efficient system.
There are currently two conventional network application management methods. In the first, a network packet capturer captures network HTTP packets, and the network messages are then matched against feature values. In the second, an application analyzer is embedded in the TCP/IP protocol stack flow, and the application analyzer then performs algorithmic matching between the TCP/IP protocol stack and the protocol stack of the network application.
These methods have the following main defects: the first cannot discover network applications that use protocols other than HTTP, and untimely updates of the feature database cause network applications to be missed; the second disturbs the original TCP transmission protocol flow and thus poses a certain risk to normal network communication.
Summary of the invention
In view of the above problems in the prior art, the object of the invention is to provide a network application quick discovery method and system based on TCP data packets that gives network administrators timely and comprehensive network application information, so as to achieve timely discovery and efficient management of the applications in the existing network environment.
To achieve this object, the invention proposes a network application quick discovery method based on TCP data packets, comprising:
Step 1: a network packet capturer is connected to a switch mirror port to capture network packets;
Step 2: the TCP packets among the network packets captured in step 1 are parsed, the protocol in use is preliminarily analyzed, and the TCP information is obtained;
Step 3: the TCP information obtained in step 2 is stored in a local database;
Step 4: an application analyzer, working in multi-threaded mode, generates application matching feature strings from the collected application protocol feature database and analyzes in real time the application type of the captured traffic;
Step 5: a detector uses the application protocol feature strings, according to the TCP information, to detect specific network devices; and
Step 6: for network protocol data that cannot be matched for the time being, a trace analysis of the target IP is performed, and the feature values obtained from the analysis result are stored in the application protocol feature database.
Further, the TCP information comprises one or more of source IP address, source port, target IP address, target port and flag word.
Further, the trace analysis in step 6 comprises:
the detector probes the network environment where the target IP address is located, to obtain firewall status information and port information;
the detector generates and pushes a scan script to the target device, to further obtain the hardware information, operating system information and installed application information of the target device;
the detector collects the network packets of the installed applications and compiles statistics on the characteristic information of the network protocols those applications use; and
the detector extracts the application protocol from the collected network protocol characteristic information and stores the application protocol in the application protocol feature database.
Further, the detector scans the source IP address to obtain software installation information.
Further, in step 5 the specific network device is detected with the application protocol feature string according to the source IP address and source port.
Based on the above method, the invention also proposes a network application quick discovery system based on TCP data packets, comprising a network packet capturer, an application analyzer and a detector, wherein:
the network packet capturer is connected to a switch mirror port to capture network packets and transfer the network packets to the application analyzer;
the application analyzer is connected between the network packet capturer and the detector, obtains the packets captured by the network packet capturer, generates application matching feature strings in multi-threaded mode from the collected application protocol feature database, and analyzes in real time the type of the captured network application;
the detector is connected to the output port of the application analyzer and performs network device detection and trace analysis: for network protocol data that cannot be matched for the time being, it performs a trace analysis of the target IP address and stores the trace analysis result in the application protocol feature database.
Further, the trace analysis is a sampling analysis of the source of network packets sent with an unknown protocol, in which detection information is gathered with a network probe to obtain feature values; specifically it comprises:
the detector probes the network environment where the target IP address is located, to obtain firewall status information and port information;
the detector generates and pushes a scan script to the target device, to further obtain the hardware information, operating system information and installed application information of the target device;
the detector collects the network packets of the installed applications and compiles statistics on the characteristic information of the network protocols those applications use; and
the detector extracts the application protocol from the collected network protocol characteristic information and stores the application protocol in the application protocol feature database.
The invention solves the problem that supervision of network applications is untimely and incomplete, and helps network administrators supervise the network. It has good performance and accuracy and can be widely used in network management products. In addition, by capturing TCP packets the invention can analyze network applications comprehensively; it takes the switch bypass mode, which does not affect the original network, as its starting point, and with the trace analysis step it can also discover network applications intelligently.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network application quick discovery system based on TCP data packets of the invention;
Fig. 2 is a schematic flow chart of the trace analysis used by the network application quick discovery method and system based on TCP data packets of the invention.
Detailed description of the embodiments
To make the object, technical solution and advantages of the invention clearer, the invention is further elaborated below with reference to the drawings. It should be understood that the specific embodiments described here only explain the invention and are not intended to limit it.
As shown in Fig. 1, the network application quick discovery system based on TCP data packets of the invention comprises a network packet capturer, an application analyzer and a detector, wherein:
the network packet capturer is connected to a switch mirror port, that is, it captures network packets in switch bypass mode without affecting the original network; it parses the TCP packets among the network packets, preliminarily analyzes the protocol in use, and obtains the TCP information, comprising source IP address, source port, target IP address, target port and flag word; the TCP information is stored in a local database so that application protocols can be looked up and analyzed quickly and for uses such as forensics;
the application analyzer is connected between the network packet capturer and the detector, obtains the packets captured by the network packet capturer, generates application matching feature strings in multi-threaded mode from the collected application protocol feature database, and analyzes in real time the type of the captured network application;
the detector is connected to the output port of the application analyzer and performs network device detection and trace analysis: it uses the application protocol feature strings to detect specific network devices according to the source IP address and port, and for network protocol data that cannot be matched for the time being it performs a trace analysis of the target IP address and stores the trace analysis result in the application protocol feature database.
As shown in Fig. 2, the trace analysis is a sampling analysis of the source of network packets sent with an unknown protocol, in which detection information is gathered with the detector to obtain feature values; specifically it comprises:
for a network packet with an unknown protocol, the detector probes the network environment where the target IP address is located, to obtain firewall status information and port information;
the detector generates and pushes a scan script to the target device, to further obtain the hardware information, operating system information and installed application information of the target device;
the detector collects the network packets of the installed applications and compiles statistics on the characteristic information of the network protocols those applications use; and
the detector extracts the application protocol from the collected network protocol characteristic information and stores the application protocol in the application protocol feature database.
Optionally, the detector scans the source IP address to obtain software installation information.
The network application quick discovery method based on TCP data packets disclosed by the invention comprises: connecting a network packet capturer to a switch mirror port, that is, adopting switch bypass mode so that network packets are captured without affecting their normal flow; parsing the captured TCP packets, preliminarily analyzing the protocol in use, and obtaining the TCP information: source IP address, source port, target IP address, target port and flag word; storing the obtained TCP information in a local database for quick lookup and analysis of application protocols, which can also serve forensic work; having an application analyzer, working in multi-threaded mode, generate application matching feature strings from the collected application protocol feature database and analyze in real time the type of the captured application; having a detector use the application protocol feature strings, according to the source IP address and source port, to detect specific network devices; and, for network protocol data that cannot be matched for the time being, performing a trace analysis of the target IP and storing the feature values obtained from the analysis result in the application protocol feature database.
To better illustrate the above method and system, specific embodiments are set out below. It should be understood that the embodiments only illustrate the invention and are not used to limit it.
In one embodiment of the invention, the network administrator needs to compile statistics on Web access information, analyze the usage of enterprise application services, and control access to illegitimate sites according to a blocking policy. HTTP application discovery can be used for statistics on website access or for control of illegal website access. First, the network administrator configures the illegitimate sites, enterprise internal application sites or other websites in the system. Then the network packet capturer is connected to the switch mirror port to capture all packets passing through the switch and filter out the HTTP accesses. Next, the network analyzer parses the GET packet keyword in the TCP packets, obtains the HTTP access information and marks the Web application. Finally, the Web access information is compiled into statistics, the usage of enterprise application services is analyzed, and access to illegitimate sites is controlled according to the blocking policy.
In another embodiment of the invention, the network administrator needs to keep timely track of the edge devices in the network, such as network gatekeeper (isolation gateway) devices, proxy devices, or the types of terminals accessing the network. First, the network packet capturer is connected to the switch mirror port to capture all packets passing through the switch and record the identification values of the devices' network packets. Then the network analyzer obtains the IP and port information from the TCP packets and computes the fluctuation of each device's packet identification. Next, the detector fetches the device keywords from the application feature database according to that fluctuation and forms a feature string together with the IP and port information from the TCP packets. Finally, the detector uses the feature string to detect the device, analyzes the response packets the device returns, matches keywords according to the matching rules, and so derives information such as the device type and the services the device provides.
In another embodiment of the invention, the network administrator needs to record and supervise how network access terminals use network resources, and to compile usage statistics on application software such as IM, P2P or video applications. First, the network packet capturer is connected to the switch mirror port in switch bypass mode, capturing all packets passing through the switch and compiling terminal traffic statistics without affecting the normal flow of network packets. Then the network analyzer compares the content of the network packets with the characteristic information of the network protocols and identifies the application software. When the application software cannot be identified, a trace analysis is performed on it according to the trace analysis procedure above, thereby enriching the stored application feature information.
The above embodiments represent only some embodiments of the invention and are described relatively concretely and in detail, but they should not be interpreted as limiting the patent scope of the invention. It should be noted that a person of ordinary skill in the art could make a number of variations and improvements without departing from the inventive concept, and these all fall within the protection scope of the invention. The protection scope of the patent should therefore be determined by the appended claims.
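The passive part of the method above (steps 2 to 4 plus the hand-off of unmatched flows in step 6), as an added example that is not the patent's own code: it parses raw IPv4/TCP packets into the TCP information (source IP, source port, target IP, target port, flag word), stores it in a local SQLite database, matches payloads against a feature database in a thread pool, and returns the target IPs that would be queued for trace analysis. The feature signatures, the sample packets and the in-memory database are constructed stand-ins for a mirror-port capture and a real feature database; the trace analysis and device scanning of steps 5 and 6 are not implemented.

```python
import sqlite3
import struct
from concurrent.futures import ThreadPoolExecutor
from typing import Optional

# Constructed, illustrative application protocol feature database:
# application name -> byte prefixes that identify the first payload segment of a flow.
FEATURE_DB = {
    "HTTP": [b"GET ", b"POST ", b"HEAD ", b"HTTP/1."],
    "SSH": [b"SSH-2.0-", b"SSH-1.99-"],
    "TLS": [b"\x16\x03\x01", b"\x16\x03\x03"],
    "SMTP": [b"220 ", b"EHLO ", b"HELO "],
}
# TCP flag bits, lowest first, as laid out in byte 13 of the TCP header.
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def flag_string(flag_byte: int) -> str:
    """Render the set flag bits, e.g. 'PSH,ACK' (the flag word of the TCP information)."""
    return ",".join(n for i, n in enumerate(TCP_FLAGS) if flag_byte & (1 << i))


def parse_ipv4_tcp(packet: bytes) -> Optional[dict]:
    """Step 2: extract the TCP information from a raw IPv4 packet (no link-layer header).

    Returns None for anything that is not a complete IPv4/TCP packet, so a truncated
    capture or a UDP datagram is skipped instead of raising.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None
    segment = packet[ihl:min(total_len, len(packet))]
    if len(segment) < 20:
        return None
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_off = (segment[12] >> 4) * 4
    if data_off < 20 or data_off > len(segment):
        return None
    return {
        "src_ip": ".".join(str(b) for b in packet[12:16]),
        "src_port": src_port,
        "dst_ip": ".".join(str(b) for b in packet[16:20]),
        "dst_port": dst_port,
        "flags": flag_string(segment[13]),
        "payload": segment[data_off:],
    }


def match_application(payload: bytes) -> Optional[str]:
    """Step 4: match a payload against the feature database; None when nothing matches."""
    for app, prefixes in FEATURE_DB.items():
        if any(payload.startswith(p) for p in prefixes):
            return app
    return None


def discover(packets: list, db_path: str = ":memory:") -> dict:
    """Steps 2, 3, 4 and 6: parse, store, classify in parallel, queue unmatched targets.

    Returns per-application packet counts and the target IPs of payload-bearing flows
    whose protocol could not be matched; those are what step 6 would hand to the
    trace analysis (not implemented here). Packets without payload are stored as
    UNKNOWN but not queued, since a bare handshake carries nothing to trace.
    """
    infos = [i for i in map(parse_ipv4_tcp, packets) if i is not None]
    with ThreadPoolExecutor(max_workers=4) as pool:  # multi-threaded matching
        apps = list(pool.map(match_application, [i["payload"] for i in infos]))
    con = sqlite3.connect(db_path)  # step 3: local database of TCP information
    con.execute("CREATE TABLE IF NOT EXISTS tcp_info "
                "(src_ip, src_port, dst_ip, dst_port, flags, app)")
    con.executemany("INSERT INTO tcp_info VALUES (?, ?, ?, ?, ?, ?)",
                    [(i["src_ip"], i["src_port"], i["dst_ip"], i["dst_port"], i["flags"],
                      app or "UNKNOWN") for i, app in zip(infos, apps)])
    con.commit()
    counts = dict(con.execute("SELECT app, COUNT(*) FROM tcp_info GROUP BY app").fetchall())
    con.close()
    trace_queue = sorted({i["dst_ip"] for i, app in zip(infos, apps)
                          if app is None and i["payload"]})
    return {"counts": counts, "trace_queue": trace_queue}


def build_packet(src_ip, src_port, dst_ip, dst_port, flags, payload: bytes) -> bytes:
    """Build a minimal IPv4/TCP packet (checksums left zero) standing in for a mirror-port capture."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


# Constructed sample capture: an HTTP request, an SSH banner, a bare SYN, an unknown
# protocol on an unusual port, and a UDP datagram that must be skipped.
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", 51000, "10.0.0.80", 80, 0x18, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    build_packet("10.0.0.22", 22, "10.0.0.5", 51001, 0x18, b"SSH-2.0-OpenSSH_8.9\r\n"),
    build_packet("10.0.0.5", 51002, "10.0.0.9", 9999, 0x02, b""),
    build_packet("10.0.0.5", 51003, "10.0.0.9", 9999, 0x18, b"\x7fCUSTOM\x00\x01"),
    bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0]) + bytes(16),
]

if __name__ == "__main__":
    print(discover(SAMPLE_PACKETS))
```

On the sample capture this reports one HTTP and one SSH packet, two UNKNOWN packets, and queues only 10.0.0.9 for trace analysis.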
Claims (10)
1. A network application quick discovery method based on TCP data packets, the method comprising:
Step 1: a network packet capturer is connected to a switch mirror port to capture network packets;
Step 2: the TCP packets among the network packets captured in step 1 are parsed, the protocol in use is preliminarily analyzed, and the TCP information is obtained;
Step 3: the TCP information obtained in step 2 is stored in a local database;
Step 4: an application analyzer, working in multi-threaded mode, generates application matching feature strings from the collected application protocol feature database and analyzes in real time the application type of the captured traffic;
Step 5: a detector uses the application protocol feature strings, according to the TCP information, to detect specific network devices; and
Step 6: for network protocol data that cannot be matched for the time being, a trace analysis of the target IP is performed, and the feature values obtained from the analysis result are stored in the application protocol feature database.
2. The method according to claim 1, characterized in that the TCP information comprises one or more of source IP address, source port, target IP address, target port and flag word.
3. The method according to claim 2, characterized in that the trace analysis in step 6 comprises:
the detector probes the network environment where the target IP address is located, to obtain firewall status information and port information;
the detector generates and pushes a scan script to the target device, to further obtain the hardware information, operating system information and installed application information of the target device;
the detector collects the network packets of the installed applications and compiles statistics on the characteristic information of the network protocols those applications use; and
the detector extracts the application protocol from the collected network protocol characteristic information and stores the application protocol in the application protocol feature database.
4. The method according to claim 3, characterized in that the detector scans the source IP address to obtain software installation information.
5. The method according to claim 2, characterized in that in step 5 the specific network device is detected with the application protocol feature string according to the source IP address and source port.
6. A network application quick discovery system based on TCP data packets, the system comprising a network packet capturer, an application analyzer and a detector.
7. The system according to claim 6, characterized in that the network packet capturer is connected to a switch mirror port to capture network packets and transfer the network packets to the application analyzer.
8. The system according to claim 6, characterized in that the application analyzer is connected between the network packet capturer and the detector, obtains the network packets captured by the network packet capturer, generates application matching feature strings in multi-threaded mode from the collected application protocol feature database, and analyzes in real time the type of the captured network application.
9. The system according to claim 6, characterized in that the detector is connected to the output port of the application analyzer and performs network device detection and trace analysis: for network protocol data that cannot be matched for the time being, it performs a trace analysis of the target IP address and stores the trace analysis result in the application protocol feature database.
10. The system according to claim 9, characterized in that the trace analysis is a sampling analysis of the source of network packets sent with an unknown protocol, in which detection information is gathered with the detector to obtain feature values, and specifically comprises:
the detector probes the network environment where the target IP address is located, to obtain firewall status information and port information;
the detector generates and pushes a scan script to the target device, to further obtain the hardware information, operating system information and installed application information of the target device;
the detector collects the network packets of the installed applications and compiles statistics on the characteristic information of the network protocols those applications use; and
the detector extracts the application protocol from the collected network protocol characteristic information and stores the application protocol in the application protocol feature database.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610225633.1A CN105656730A (en) | 2016-04-12 | 2016-04-12 | Network application quick discovery method and system based on TCP data packet |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105656730A true CN105656730A (en) | 2016-06-08 |
Family
ID=56497302
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610225633.1A Pending CN105656730A (en) | 2016-04-12 | 2016-04-12 | Network application quick discovery method and system based on TCP data packet |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105656730A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108696450A (en) * | 2018-07-05 | 2018-10-23 | 深圳华信系统技术有限公司 | Network TCP traffic processing method and device |
CN109257254A (en) * | 2018-09-21 | 2019-01-22 | 平安科技(深圳)有限公司 | Network connectivity inspection method, device, computer equipment and storage medium |
CN109889552A (en) * | 2019-04-18 | 2019-06-14 | 南瑞集团有限公司 | Power marketing terminal abnormal flux monitoring method, system and Electric Power Marketing System |
CN111147523A (en) * | 2020-02-09 | 2020-05-12 | 福建奇点时空数字科技有限公司 | Comprehensive application protocol identification method based on service camouflage detection technology |
CN114666169A (en) * | 2022-05-24 | 2022-06-24 | 杭州安恒信息技术股份有限公司 | Scanning detection type identification method, device, equipment and medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080313738A1 (en) * | 2007-06-15 | 2008-12-18 | Broadcom Corporation | Multi-Stage Deep Packet Inspection for Lightweight Devices |
CN101854330A (en) * | 2009-04-02 | 2010-10-06 | 上海互联网络交换中心 | Method and system for collecting and analyzing network applications of Internet |
CN102271090A (en) * | 2011-09-06 | 2011-12-07 | 电子科技大学 | Transport-layer-characteristic-based traffic classification method and device |
CN102347949A (en) * | 2011-09-28 | 2012-02-08 | 上海西默通信技术有限公司 | Application protocol analysis method based on DPI (Distributed Protocol Interface) |
CN103905261A (en) * | 2012-12-26 | 2014-07-02 | 中国电信股份有限公司 | Protocol characteristic library online updating method and system |
CN104023046A (en) * | 2014-05-08 | 2014-09-03 | 深圳市深信服电子科技有限公司 | Mobile terminal recognition method and device |
CN104601570A (en) * | 2015-01-13 | 2015-05-06 | 国家电网公司 | Network security monitoring method based on bypass monitoring and software packet capturing technology |
Non-Patent Citations (1)
Title |
---|
出击: "Using Nmap for Fast Network Discovery and Management" (利用Nmap实现快速的网络发现与管理), 道客巴巴 (Doc88) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20160608 |