CN106302349B - HTTP packet analysis method and device based on libpcap - Google Patents


Info

Publication number
CN106302349B
Authority
CN
China
Prior art keywords
packet
http
request
judging whether
analyzing
Prior art date
Legal status
Active
Application number
CN201510288169.6A
Other languages
Chinese (zh)
Other versions
CN106302349A (en)
Inventor
陈吉
Current Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Jingdong Shangke Information Technology Co Ltd
Priority to CN201510288169.6A
Publication of CN106302349A
Application granted
Publication of CN106302349B
Legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22: Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Security & Cryptography
  • Computer And Data Communications
  • Data Exchanges In Wide-Area Networks

Abstract

The invention provides a method and a device for HTTP packet analysis based on libpcap, which can reduce the analysis threshold of HTTP packet capture files, improve the analysis efficiency, and provide a function of automatically exporting cross-platform format data, thereby facilitating expansion. The HTTP packet analysis method based on the libpcap comprises the following steps: storing a plurality of analysis rules for analyzing data in the HTTP packet; acquiring a plurality of HTTP packets from a libpcap file; respectively acquiring a request packet and a response packet in each HTTP packet; and analyzing the request packet and the response packet according to the plurality of analysis rules, and then outputting an analysis result.

Description

HTTP packet analysis method and device based on libpcap
Technical Field
The invention relates to the technical field of computer networks, in particular to a method and a device for analyzing an HTTP packet based on libpcap.
Background
In software testing and development, the HTTP requests sent by an application often need to be captured and analyzed, that is, the data packets sent and received over the network are intercepted, resent, edited, dumped and so on in order to intercept and analyze the data. Many packet capture tools are in common use, such as tcpdump. After tcpdump captures packets, it generates a capture file in a general format such as libpcap.
At present, when a capture file in libpcap format is analyzed, the TCP packets are generally examined with an existing tool such as Wireshark, while statistics and analysis are carried out with tools such as Excel.
In this process each TCP packet is checked manually through the Wireshark tool, so the technical demands on the analyst are high, analysis efficiency is low, and errors occur easily.
Disclosure of Invention
In view of the above, the present invention provides an HTTP packet analysis method and apparatus based on libpcap, which can lower the analysis threshold of an HTTP packet capture file, improve analysis efficiency, and provide automatic export of data in a cross-platform format, thereby facilitating expansion. The HTTP packet analysis method and device based on libpcap can analyze a libpcap capture file and automatically generate a report. The report is organized along multiple dimensions: statistics and analysis are carried out on the requests and responses of the HTTP packets and displayed as text, graphs and tables, and user interaction is provided so that the user can filter the report and inspect details directly from it.
To achieve the above objects, according to one aspect of the present invention, there is provided a HTTP packet parsing method based on libpcap.
The HTTP packet analysis method based on the libpcap comprises the following steps: storing a plurality of analysis rules for analyzing data in the HTTP packet; acquiring a plurality of HTTP packets from a libpcap file; acquiring a request packet and a response packet in each HTTP packet; and analyzing the request packet and the response packet according to the plurality of analysis rules, and then outputting an analysis result.
Optionally, the plurality of analysis rules are for several of: judging whether an image is cached, by analyzing whether the HTTP response packet to the image request contains a cache header; judging whether a JavaScript resource whose URL contains the version request string is cached, by analyzing whether its HTTP response packet contains a cache header; judging whether a CSS resource whose URL contains the version request string is cached, by analyzing whether its HTTP response packet contains a cache header; judging whether the same request is issued more often than once every 5 seconds, by analyzing whether the interval between identical requests exceeds 5 seconds; judging whether a request packet or a response packet is larger than 10KB, by analyzing the size of each request packet and response packet; judging whether a JavaScript resource whose URL does not contain the version request string is cached, by analyzing whether its HTTP response packet contains a cache header; judging whether a CSS resource whose URL does not contain the version request string is cached, by analyzing whether its HTTP response packet contains a cache header; judging whether an abnormal response exists, by analyzing each response packet; judging whether a request has gone more than 5 seconds without a response being returned, by analyzing the sending times of the request packet and the response packet of the same connection; judging whether the detailed type header of an image is abnormal, by analyzing the request packet and response packet corresponding to the image's detailed type header; judging whether the HTML detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the HTML detailed type header; judging whether the JavaScript detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the JavaScript detailed type header; and judging whether the CSS detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the CSS detailed type header.
Optionally, the step of obtaining a plurality of HTTP packets from the libpcap file includes: unpacking the libpcap file to obtain a TCP (transmission control protocol) packet; and judging whether the data in the TCP packet is an HTTP packet, and if so, acquiring the HTTP packet.
Optionally, before obtaining the request packet and the response packet in each HTTP packet, the method further includes: deleting HTTP packets with specified content.
Optionally, before the step of outputting the analysis result, the method further includes: the request and response packets are serialized to generate data in a cross-platform format.
According to another aspect of the present invention, there is provided a libpcap-based HTTP packet parsing apparatus.
The HTTP packet analysis device based on libpcap of the invention comprises: the parameter setting module is used for storing a plurality of analysis rules for analyzing the data in the HTTP packet; the basic unpacking module is used for acquiring a plurality of HTTP packets from the libpcap file; the data analysis module is used for acquiring a request packet and a response packet in each HTTP packet; and the report generation module is used for analyzing the request packet and the response packet according to the plurality of analysis rules and then outputting an analysis result.
Optionally, the plurality of analysis rules are for several of: judging whether an image is cached, by analyzing whether the HTTP response packet to the image request contains a cache header; judging whether a JavaScript resource whose URL contains the version request string is cached, by analyzing whether its HTTP response packet contains a cache header; judging whether a CSS resource whose URL contains the version request string is cached, by analyzing whether its HTTP response packet contains a cache header; judging whether the same request is issued more often than once every 5 seconds, by analyzing whether the interval between identical requests exceeds 5 seconds; judging whether a request packet or a response packet is larger than 10KB, by analyzing the size of each request packet and response packet; judging whether a JavaScript resource whose URL does not contain the version request string is cached, by analyzing whether its HTTP response packet contains a cache header; judging whether a CSS resource whose URL does not contain the version request string is cached, by analyzing whether its HTTP response packet contains a cache header; judging whether an abnormal response exists, by analyzing each response packet; judging whether a request has gone more than 5 seconds without a response being returned, by analyzing the sending times of the request packet and the response packet of the same connection; judging whether the detailed type header of an image is abnormal, by analyzing the request packet and response packet corresponding to the image's detailed type header; judging whether the HTML detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the HTML detailed type header; judging whether the JavaScript detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the JavaScript detailed type header; and judging whether the CSS detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the CSS detailed type header.
Optionally, the base unpacking module is further configured to: unpacking the libpcap file to obtain a TCP (transmission control protocol) packet; and judging whether the data in the TCP packet is an HTTP packet, and if so, acquiring the HTTP packet.
Optionally, the data parsing module is further configured to: delete HTTP packets with specified content.
Optionally, the report generating module is further configured to: the request and response packets are serialized to generate data in a cross-platform format.
To achieve the above object, according to still another aspect of embodiments of the present invention, there is provided an electronic apparatus including: one or more processors; and a storage device, configured to store one or more programs, where when the one or more programs are executed by the one or more processors, the one or more processors implement the HTTP packet parsing method based on libpcap provided in an embodiment of the present invention.
To achieve the above object, according to still another aspect of embodiments of the present invention, there is provided a computer readable medium having stored thereon a computer program, which when executed by a processor, implements the libpcap-based HTTP packet parsing method provided by embodiments of the present invention.
According to the technical scheme of the invention, analysis rules for the data in HTTP packets are stored in advance, and the request packets and response packets of the HTTP packets acquired from the libpcap file are analyzed according to these rules, so that the data in the HTTP packets is analyzed automatically and abnormal information is marked and displayed; this lowers the technical threshold of capture file analysis and reduces the analysis error rate. Meanwhile, HTTP sessions that are not of interest can be filtered out and deleted during data analysis, and the user is helped to quickly find common problems in HTTP capture analysis, so the efficiency of analyzing the HTTP packets in libpcap captures is improved and the method is more flexible to use.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
fig. 1 is a schematic diagram illustrating the main steps of a HTTP packet parsing method based on libpcap according to an embodiment of the present invention;
FIG. 2 is a flowchart of a TCP packet parsing process of a HTTP packet parsing method based on libpcap according to an embodiment of the present invention;
fig. 3 is a schematic diagram of main blocks of a libpcap-based HTTP packet parsing apparatus according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a schematic diagram illustrating main steps of a HTTP packet parsing method based on libpcap according to an embodiment of the present invention. As shown in fig. 1, the HTTP packet parsing method based on libpcap according to the embodiment of the present invention mainly includes the following steps S11 to S14.
Step S11: a plurality of analysis rules for analyzing data within the HTTP packet are stored. In the present invention the analysis rules are expressed as code, and rules can be written for whatever functions are actually required, such as:
judging whether an image is cached, by analyzing whether the HTTP response packet to the image request contains a cache header;
judging whether a JavaScript resource whose URL contains the version request string is cached, by analyzing whether its HTTP response packet contains a cache header;
judging whether a CSS resource whose URL contains the version request string is cached, by analyzing whether its HTTP response packet contains a cache header;
judging whether the same request is issued more often than once every 5 seconds, by analyzing whether the interval between identical requests exceeds 5 seconds;
judging whether a request packet or a response packet is larger than 10KB, by analyzing the size of each request packet and response packet;
judging whether a JavaScript resource whose URL does not contain the version request string is cached, by analyzing whether its HTTP response packet contains a cache header;
judging whether a CSS resource whose URL does not contain the version request string is cached, by analyzing whether its HTTP response packet contains a cache header;
judging whether an abnormal response exists, by analyzing each response packet;
judging whether a request has gone more than 5 seconds without a response being returned, by analyzing the sending times of the request packet and the response packet of the same connection;
judging whether the detailed type header of an image is abnormal, by analyzing the request packet and response packet corresponding to the image's detailed type header;
judging whether the HTML detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the HTML detailed type header;
judging whether the JavaScript detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the JavaScript detailed type header;
and judging whether the CSS detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the CSS detailed type header.
Step S12: a plurality of HTTP packets are obtained from the libpcap file. In this step the libpcap file is unpacked to obtain TCP packets; it is then judged whether the data in each TCP packet is an HTTP packet, and if so, the HTTP packet is acquired.
Common unpacking software, such as a PCAP library, can be used to unpack the libpcap file. Unpacking yields a plurality of TCP packets; the data in each TCP packet is analyzed, and HTTP packets are identified either by checking whether a TCP three-way handshake precedes the HTTP message transmission or by judging whether the data contains strings specific to the HTTP protocol.
Step S13: the request packet and the response packet in each HTTP packet are acquired. After the HTTP packets are obtained in step S12, each HTTP packet is analyzed, it is determined whether the current HTTP packet is a request packet or a response packet, and the packet is stored in dictionary A in memory for further statistics and analysis.
Before step S13 is performed, it may be judged from preset filtering conditions whether filtering is required, and HTTP packets that are not of interest are deleted, so that the relevant HTTP packets are analyzed more directly and unnecessary work is avoided.
Step S14: the request packet and the response packet are analyzed according to the plurality of analysis rules, and the analysis result is output. Before the analysis result is output, the request and response packets may be serialized to generate data in a cross-platform format for presentation on other platforms. In this step the request packets and response packets of the HTTP packet data are analyzed according to the analysis rules stored in advance in step S11, and the analysis result is displayed in the report as text, graphs or the like.
In addition, the result report generated by the present invention may also include other contents, such as: the detailed information of each HTTP request or response after the raw data has been converted; multi-dimensional statistics produced by grouping, aggregating and sorting the HTTP packet data along dimensions such as type, detailed information and domain name; browsing the details of an individual HTTP session; and filtering the data by a given filter condition.
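Step S14, with the rule list of step S11, as an added Python example; this is not the patent's code, and the input sessions are constructed inline in the shape the pairing step would produce (request bytes, response bytes, send times). It fixes several details the text leaves open, all of them assumptions: a "cache header" means any of Cache-Control, Expires, ETag or Last-Modified; the "version request string" is a `?v=` query parameter; the "detailed type header" is read as the response Content-Type and compared with the resource type inferred from the URL extension; and a request with no response at all in the capture is reported as such rather than timed. The result is serialized to JSON as the cross-platform format.

```python
import json
from urllib.parse import urlsplit

# Assumptions not fixed by the patent text (see lead-in).
CACHE_HEADERS = ("cache-control", "expires", "etag", "last-modified")
TYPE_BY_EXT = {".png": "image", ".jpg": "image", ".gif": "image",
               ".js": "javascript", ".css": "css", ".html": "html"}
EXPECTED_TYPE = {"image": "image/", "javascript": "javascript", "css": "text/css", "html": "text/html"}
VERSION_MARK = "?v="
MAX_BYTES, MAX_WAIT = 10 * 1024, 5.0          # the 10KB and 5 second thresholds from the rules

def parse_message(raw):
    """Split an HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def resource_type(url):
    """Image / JavaScript / CSS / HTML, inferred from the URL path extension (assumption)."""
    path = urlsplit(url).path
    return next((kind for ext, kind in TYPE_BY_EXT.items() if path.endswith(ext)), "other")

def analyze(sessions):
    """Apply the stored rules to each request/response pair; returns a list of plain dicts."""
    last_seen, report = {}, []
    for s in sorted(sessions, key=lambda s: s["t_req"]):
        req_line, _, _ = parse_message(s["request"])
        method, url = req_line.split(" ")[:2]
        kind, findings = resource_type(url), []
        if s["response"]:
            status_line, resp_h, _ = parse_message(s["response"])
            status = int(status_line.split(" ")[1])
            if status >= 400:                                   # abnormal response rule
                findings.append("abnormal response %d" % status)
            if kind in ("image", "javascript", "css") and not any(h in resp_h for h in CACHE_HEADERS):
                tag = "versioned " if VERSION_MARK in url else ""   # versioned vs unversioned JS/CSS rules
                findings.append(tag + kind + " not cached")
            content_type = resp_h.get("content-type", "")
            if kind in EXPECTED_TYPE and EXPECTED_TYPE[kind] not in content_type:
                findings.append("%s type header abnormal: %s" % (kind, content_type or "missing"))
            if len(s["response"]) > MAX_BYTES:
                findings.append("response larger than 10KB")
            if s["t_resp"] - s["t_req"] > MAX_WAIT:              # response not returned within 5 s
                findings.append("response later than 5 s")
        else:
            findings.append("no response recorded")
        if len(s["request"]) > MAX_BYTES:
            findings.append("request larger than 10KB")
        if (method, url) in last_seen and s["t_req"] - last_seen[(method, url)] < MAX_WAIT:
            findings.append("same request more than once per 5 s")
        last_seen[(method, url)] = s["t_req"]
        report.append({"method": method, "url": url, "type": kind, "findings": findings})
    return report

def to_json(report):
    """Cross-platform serialization of the analysis result."""
    return json.dumps(report, indent=2)

def session(t_req, request, response=b"", t_resp=None):
    return {"request": request, "response": response, "t_req": t_req, "t_resp": t_resp}

# Constructed sessions: one case per rule family.
JS_OK = b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\nCache-Control: max-age=3600\r\n\r\nvar a;"
SAMPLE_SESSIONS = [
    session(0.0, b"GET /logo.png HTTP/1.1\r\nHost: shop.example\r\n\r\n",
            b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG", 0.1),
    session(1.0, b"GET /app.js?v=3 HTTP/1.1\r\nHost: shop.example\r\n\r\n", JS_OK, 1.1),
    session(3.0, b"GET /app.js?v=3 HTTP/1.1\r\nHost: shop.example\r\n\r\n", JS_OK, 3.1),
    session(4.0, b"GET /style.css HTTP/1.1\r\nHost: shop.example\r\n\r\n",
            b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<h1>404</h1>", 4.2),
    session(5.0, b"POST /api/upload HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 12288\r\n\r\n" + b"A" * 12288,
            b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}", 12.0),
    session(6.0, b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
]

if __name__ == "__main__":
    print(to_json(analyze(SAMPLE_SESSIONS)))
```

Each rule is a few lines over the already-paired data, which is the point of keeping the pairing (dictionary A) separate from the rules: new rules, such as a check on a security header, can be added without touching the capture parser.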
It can be seen from steps S11 to S14 that analysis rules for the data in HTTP packets are stored in advance and that the request packets and response packets of the HTTP packets acquired from the libpcap file are analyzed according to these rules, so that the data in the HTTP packets is analyzed automatically and abnormal information is marked and displayed; this lowers the technical threshold of capture file analysis and reduces the analysis error rate. Meanwhile, HTTP sessions that are not of interest can be filtered out and deleted during data analysis, and the user is helped to quickly find common problems in HTTP capture analysis, so the efficiency of analyzing the HTTP packets in libpcap captures is improved and the method is more flexible to use.
Fig. 2 is a flowchart of a TCP packet parsing process of the HTTP packet parsing method based on libpcap according to an embodiment of the present invention.
As shown in fig. 2, the libpcap file is unpacked to obtain TCP packets, and each TCP packet is read and analyzed (step S20). First, HTTP packets are screened from the TCP packets, that is, it is determined whether the current packet is an HTTP packet (step S21); this can be decided by checking whether a TCP three-way handshake precedes the HTTP transmission or by whether the current data contains strings specific to the HTTP protocol. If not, the packet is discarded; if so, it is analyzed. Next, the HTTP packet is filtered as necessary: it is determined whether the filtering condition is satisfied (step S22), and HTTP packet content that is not of interest is deleted, for example: displaying only requests/responses for specified domain names; not displaying requests/responses for a specified domain name; displaying only requests/responses whose User-Agent header contains a specified string; not displaying requests/responses whose URL contains a specified string. The user can set filter conditions according to his own needs. After filtering, the packets that satisfy the filtering condition are analyzed and the packets that do not are discarded, which reduces the workload.
For an HTTP packet that passes the filter, it is first determined whether it is the first request packet of its connection (step S23); if so, the request packet is added to dictionary A in memory as a key (step S26). If not, it is next determined whether the HTTP packet is the first response packet of the connection (step S24); if so, the response packet is added to dictionary A as the value (step S27). If not, it is next determined whether the HTTP packet is a subsequent response packet (step S25); if so, the packet is spliced onto the corresponding response packet in dictionary A (step S28). Otherwise the packet is a subsequent request packet of the connection and is spliced onto the corresponding request packet in dictionary A (step S29). After the above process the single TCP packet has been analyzed. The next TCP packet is then read and analyzed in the same way, and the corresponding HTTP packets are classified by request and response information, spliced, stored and so on.
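The TCP-packet flow of fig. 2, from unpacking the libpcap file (step S20, the same unpacking described under step S12) through the HTTP check (S21), the filter (S22) and the dictionary A classification (S23 to S29), as an added Python example that is not the patent's code. It assumes an Ethernet/IPv4 capture, recognizes HTTP only by the request-line and status-line strings (the three-way-handshake check is omitted), implements only the "specified domain names" filter, and keys dictionary A by the connection's two endpoints, storing the request bytes and response bytes against that key rather than using the request itself as the key. The capture bytes are constructed inside the block so it runs offline.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def build_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame around payload (checksums left zero; the parser below does not verify them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames, t0=1700000000):
    """libpcap global header (little-endian magic, link type 1 = Ethernet) plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f
    return out

def iter_tcp_segments(data):
    """Step S20: walk the libpcap records and yield (ts, src, dst, sport, dport, payload) per TCP segment."""
    magic, = struct.unpack_from("<I", data)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]      # KeyError for non-libpcap input
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                        # not IPv4 over Ethernet, or not TCP
        ihl, ip_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        doff = (frame[tcp + 12] >> 4) * 4
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        yield ts_sec + ts_usec / 1e6, src, dst, sport, dport, frame[tcp + doff:14 + ip_len]

def conn_key(src, sport, dst, dport):
    """Direction-independent connection id: the two endpoints, sorted."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def request_host(payload):
    for line in payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("latin-1")
    return None

def classify(segments, only_hosts=None):
    """Steps S21 to S29: build dictionary A (keyed by connection, an adaptation of the patent's layout)."""
    A = {}
    for ts, src, dst, sport, dport, payload in segments:
        key = conn_key(src, sport, dst, dport)
        entry = A.get(key)
        if entry is None:
            if not payload.startswith(HTTP_METHODS):         # S21: unknown connection must open with a request line
                continue
            if only_hosts is not None and request_host(payload) not in only_hosts:
                continue                                    # S22: "only specified domain names" filter
            A[key] = {"client": (src, sport), "request": payload,    # S23/S26: first request
                      "response": b"", "t_req": ts, "t_resp": None}
        elif (src, sport) != entry["client"]:
            if entry["response"]:
                entry["response"] += payload                # S25/S28: subsequent response, spliced on
            elif payload.startswith(b"HTTP/1."):
                entry["response"], entry["t_resp"] = payload, ts   # S24/S27: first response
        else:
            entry["request"] += payload                     # S29: subsequent request segment (e.g. POST body)
    return A

def dictionary_a(pcap_bytes, only_hosts=None):
    return classify(iter_tcp_segments(pcap_bytes), only_hosts)

# Constructed capture: a response split over two segments, a request for a domain the filter drops,
# a POST whose body arrives in a second segment, and a non-HTTP (TLS-looking) segment.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.1", "10.0.0.2", 40000, 80, b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    build_frame("10.0.0.2", "10.0.0.1", 80, 40000, b"HTTP/1.1 200 OK\r\nContent-Length: 15\r\n\r\n<html"),
    build_frame("10.0.0.2", "10.0.0.1", 80, 40000, b">ok</html>"),
    build_frame("10.0.0.1", "10.0.0.3", 40001, 80, b"GET /ad HTTP/1.1\r\nHost: ads.example\r\n\r\n"),
    build_frame("10.0.0.3", "10.0.0.1", 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame("10.0.0.1", "10.0.0.2", 40002, 80, b"POST /cart HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 8\r\n\r\nitem"),
    build_frame("10.0.0.1", "10.0.0.2", 40002, 80, b"=123"),
    build_frame("10.0.0.2", "10.0.0.1", 80, 40002, b"HTTP/1.1 201 Created\r\n\r\n"),
    build_frame("10.0.0.1", "10.0.0.4", 40003, 443, b"\x16\x03\x01\x00\x05hello"),
])
```

Two consequences of the fig. 2 ordering show up in the code: a continuation segment (a body fragment that starts with neither a method nor a status line) is kept only because its connection is already in dictionary A, so a filtered-out connection also loses its later segments, and on a keep-alive connection a second request is spliced onto the first (step S29), exactly as the patent's flow describes.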
Fig. 3 is a schematic diagram of main blocks of a libpcap-based HTTP packet parsing apparatus according to an embodiment of the present invention. As shown in fig. 3, the HTTP packet analysis apparatus 3 based on libpcap in the embodiment of the present invention mainly includes a parameter setting module 31, a basic unpacking module 32, a data parsing module 33, and a report generating module 34.
The parameter setting module 31 is configured to store a plurality of analysis rules for analyzing data in the HTTP packet, where the analysis rules mainly include some of the following:
judging whether an image is cached, by analyzing whether the HTTP response packet to the image request contains a cache header;
judging whether a JavaScript resource whose URL contains the version request string is cached, by analyzing whether its HTTP response packet contains a cache header;
judging whether a CSS resource whose URL contains the version request string is cached, by analyzing whether its HTTP response packet contains a cache header;
judging whether the same request is issued more often than once every 5 seconds, by analyzing whether the interval between identical requests exceeds 5 seconds;
judging whether a request packet or a response packet is larger than 10KB, by analyzing the size of each request packet and response packet;
judging whether a JavaScript resource whose URL does not contain the version request string is cached, by analyzing whether its HTTP response packet contains a cache header;
judging whether a CSS resource whose URL does not contain the version request string is cached, by analyzing whether its HTTP response packet contains a cache header;
judging whether an abnormal response exists, by analyzing each response packet;
judging whether a request has gone more than 5 seconds without a response being returned, by analyzing the sending times of the request packet and the response packet of the same connection;
judging whether the detailed type header of an image is abnormal, by analyzing the request packet and response packet corresponding to the image's detailed type header;
judging whether the HTML detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the HTML detailed type header;
judging whether the JavaScript detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the JavaScript detailed type header;
and judging whether the CSS detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the CSS detailed type header.
The analysis rules are stored in the form of codes, and in practical application, a user can set the analysis rules according to needs.
And the basic unpacking module 32 is used for acquiring a plurality of HTTP packets from the libpcap file. The method can be specifically used for: unpacking the libpcap file to obtain a TCP (transmission control protocol) packet; and judging whether the data in the TCP packet is an HTTP packet, and if so, acquiring the HTTP packet.
A data parsing module 33, configured to obtain the request packet and the response packet in each HTTP packet, and further configured to delete HTTP packets with specified content. The data parsing module 33 analyzes each HTTP packet, determines whether the current HTTP packet is a request packet or a response packet, and stores it in dictionary A in memory for further statistics and analysis. Before judging whether the current HTTP packet is a request packet or a response packet, it may be judged from preset filtering conditions whether filtering is needed, and irrelevant content is deleted so that the relevant HTTP packets are analyzed more directly and unnecessary work is avoided.
And the report generating module 34 is configured to analyze the request packet and the response packet according to the multiple analysis rules, and then output an analysis result. Prior to outputting the analysis results, the request and response packets may be serialized to generate data in a cross-platform format, such as: JSON, XML, etc., which are convenient for presentation on other platforms. The analysis result report can be presented in the form of characters, diagrams or tables, and the presentation part of the report can be selected according to the needs by using the modes of HTML, client App, mobile App, Flash, Excel, Word, mail and the like.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An HTTP packet analysis method based on libpcap is characterized by comprising the following steps:
storing a plurality of analysis rules for analyzing data in the HTTP packet;
acquiring a plurality of HTTP packets from a libpcap file;
deleting HTTP packets of specified content from the plurality of acquired HTTP packets according to a preset filtering condition, and then acquiring a request packet and a response packet in each HTTP packet, wherein the steps comprise: first judging whether the HTTP packet is the first request packet of a connection, and if so, adding the request packet to a dictionary A in memory as a key; if not, further judging whether the HTTP packet is the first response packet of the connection, and if so, adding the response packet to the dictionary A in memory as a value; if not, further judging whether the HTTP packet is a subsequent response packet, and if so, splicing the packet onto the corresponding response packet in the dictionary A; if not, the packet is a subsequent request packet of the connection, and the packet is spliced onto the corresponding request packet in the dictionary A;
and analyzing the request packet and the response packet according to the plurality of analysis rules, and then outputting an analysis result.
2. The method of claim 1, wherein the plurality of analysis rules are for several of:
judging whether an image is cached, by analyzing whether the HTTP response packet to the image request contains a cache header;
judging whether a JavaScript resource whose URL contains the version request string is cached, by analyzing whether its HTTP response packet contains a cache header;
judging whether a CSS resource whose URL contains the version request string is cached, by analyzing whether its HTTP response packet contains a cache header;
judging whether the same request is issued more often than once every 5 seconds, by analyzing whether the interval between identical requests exceeds 5 seconds;
judging whether a request packet or a response packet is larger than 10KB, by analyzing the size of each request packet and response packet;
judging whether a JavaScript resource whose URL does not contain the version request string is cached, by analyzing whether its HTTP response packet contains a cache header;
judging whether a CSS resource whose URL does not contain the version request string is cached, by analyzing whether its HTTP response packet contains a cache header;
judging whether an abnormal response exists, by analyzing each response packet;
judging whether a request has gone more than 5 seconds without a response being returned, by analyzing the sending times of the request packet and the response packet of the same connection;
judging whether the detailed type header of an image is abnormal, by analyzing the request packet and response packet corresponding to the image's detailed type header;
judging whether the HTML detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the HTML detailed type header;
judging whether the JavaScript detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the JavaScript detailed type header;
and judging whether the CSS detailed type header is abnormal, by analyzing the request packet and response packet corresponding to the CSS detailed type header.
3. The method as claimed in claim 1, wherein the step of obtaining the plurality of HTTP packets from the libpcap file comprises:
unpacking the libpcap file to obtain a TCP (transmission control protocol) packet;
and judging whether the data in the TCP packet is an HTTP packet, and if so, acquiring the HTTP packet.
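As an added illustration of the unpacking step of claim 3 together with the pairing step of claim 1 (this is example code written for this page, not the applicant's implementation), the following Python reads a classic libpcap byte string with the standard library only, keeps IPv4/TCP segments that carry HTTP, and fills the per-connection dictionary: the first request opens the key side, the first response fills the value side, and later segments are spliced onto one side or the other by direction. The sample capture is constructed in the code, the `/favicon.ico` drop pattern stands in for the claim's unspecified preset filtering condition, and the Ethernet-only link type and HTTP/1.x start-line detection are assumptions of the example.

```python
"""Added example: libpcap bytes -> IPv4/TCP -> HTTP -> per-connection request/response dictionary."""
import struct
from collections import OrderedDict

REQUEST_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ")


def iter_pcap_packets(data):
    """Yield (timestamp, frame) for each record of a classic libpcap file (Ethernet link type only)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file (bad magic)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("example handles DLT_EN10MB only, got %d" % linktype)
    off = 24                                    # 24-byte global header
    while off + 16 <= len(data):                # 16-byte record header before every frame
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def _ipv4(raw):
    return ".".join(str(o) for o in raw)


def tcp_segment(frame):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                             # not IPv4, or IP protocol number is not TCP
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", ip, 2)
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return _ipv4(ip[12:16]), sport, _ipv4(ip[16:20]), dport, tcp[data_off:]


def pair_http(pcap_bytes, drop_patterns=(b"/favicon.ico",)):
    """Dictionary A of claim 1, keyed by connection. The first request opens the entry (the preset
    filter is applied to it), the first response fills the value side, and later segments are
    spliced onto the response or the request side depending on which endpoint sent them."""
    conns = OrderedDict()
    for ts, frame in iter_pcap_packets(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None or not seg[4]:
            continue                            # non-TCP, or a bare SYN/ACK/FIN with no payload
        src, sport, dst, dport, payload = seg
        key = tuple(sorted(((src, sport), (dst, dport))))   # direction-independent connection id
        entry = conns.get(key)
        if entry is None:
            if payload.startswith(REQUEST_METHODS) and not any(p in payload for p in drop_patterns):
                conns[key] = {"server": (dst, dport), "request": payload, "t_req": ts,
                              "response": b"", "t_resp": None}
            continue                            # filtered out, or a stream captured mid-flight
        from_server = (src, sport) == entry["server"]
        if from_server and not entry["response"] and payload.startswith(b"HTTP/1."):
            entry["response"], entry["t_resp"] = payload, ts    # first response packet
        elif from_server:
            entry["response"] += payload                        # subsequent response segment
        else:
            entry["request"] += payload                         # subsequent request segment (POST body)
    return conns


# ---- constructed sample capture (not real traffic): two connections, one filtered out ----
def build_frame(src, sport, dst, dport, payload):
    """Ethernet II + 20-byte IPv4 + 20-byte TCP header around payload; checksums left at zero."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, ip_src, ip_dst)
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + tcp


def build_pcap(records):
    """Little-endian libpcap file: global header, then one (timestamp, frame) record per packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


CLIENT, SERVER = ("10.0.0.2", 51000), ("10.0.0.1", 80)
SAMPLE_PCAP = build_pcap([
    (1.000, build_frame(*CLIENT, *SERVER, b"GET /static/app.js?v=1.2 HTTP/1.1\r\nHost: example.test\r\n\r\n")),
    (1.020, build_frame(*SERVER, *CLIENT, b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
                                          b"Content-Length: 8\r\n\r\nvar ")),
    (1.021, build_frame(*SERVER, *CLIENT, b"a=1;")),                     # tail of the same response
    (2.000, build_frame("10.0.0.2", 51001, *SERVER, b"GET /favicon.ico HTTP/1.1\r\nHost: example.test\r\n\r\n")),
    (2.010, build_frame(*SERVER, "10.0.0.2", 51001, b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")),
])

if __name__ == "__main__":
    for key, e in pair_http(SAMPLE_PCAP).items():
        print(key, e["request"].split(b"\r\n")[0], e["response"].split(b"\r\n")[0], len(e["response"]))
```

Two limits of the scheme as claimed are visible in the code: segments are spliced in arrival order with no use of TCP sequence numbers, so a retransmitted or reordered segment corrupts the reassembled message, and a keep-alive connection carrying several exchanges collapses into a single entry because the key is the connection, not the exchange. A production tool would key on connection plus message boundary (Content-Length or chunked framing) and reassemble by sequence number; TLS traffic is of course opaque to this approach entirely.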
4. The method of claim 1, further comprising, prior to the step of outputting the analysis results: the request and response packets are serialized to generate data in a cross-platform format.
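The rules of claim 2 and the serialization step of claim 4, as an added example (not the patent's own code), run over entries of the shape the pairing step produces (`request`, `response`, `t_req`, `t_resp`); the sample entries are constructed inline. Several terms the claims leave open are given one concrete reading here and should be treated as assumptions of the example: a "cache header" is Cache-Control or Expires, the "version request string" is a `v=`, `ver=` or `version=` query parameter, the "detailed type header" is taken to be Content-Type checked against the URL extension, and an "abnormal response" is any 4xx or 5xx status.

```python
"""Added example: apply claim-2 style rules to paired HTTP entries and emit a JSON report."""
import json
import re
from urllib.parse import urlsplit

KB = 1024
CACHE_HEADERS = ("cache-control", "expires")             # assumed meaning of "cache header"
VERSION_RE = re.compile(r"[?&]v(?:er|ersion)?=", re.I)   # assumed form of the "version request string"
RESOURCE_TYPES = {                                        # URL extension -> (class, expected Content-Type fragment)
    "png": ("image", "image/"), "jpg": ("image", "image/"), "gif": ("image", "image/"),
    "html": ("html", "text/html"), "js": ("javascript", "javascript"), "css": ("css", "text/css"),
}


def parse_message(raw):
    """Split an HTTP/1.x message into (start line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyze_entry(entry, last_seen):
    """Return {"url", "hits"} for one paired entry; last_seen maps URL -> time of its previous request."""
    hits = []
    req_line, _req_headers, _ = parse_message(entry["request"])
    url = req_line.split(" ")[1]
    ext = urlsplit(url).path.rsplit(".", 1)[-1].lower()
    rclass, expected_type = RESOURCE_TYPES.get(ext, (None, None))
    versioned = bool(VERSION_RE.search(url))

    # request-frequency rule: the same URL requested again less than 5 s after the previous time
    prev = last_seen.get(url)
    if prev is not None and entry["t_req"] - prev < 5.0:
        hits.append("same request repeated within 5 s")
    last_seen[url] = entry["t_req"]

    # latency rule: no response captured, or the response arrived more than 5 s after the request
    if entry["t_resp"] is None or entry["t_resp"] - entry["t_req"] > 5.0:
        hits.append("no response within 5 s")

    # size rule: either side of the exchange larger than 10 KB
    if len(entry["request"]) > 10 * KB or len(entry["response"]) > 10 * KB:
        hits.append("request or response larger than 10 KB")

    if entry["response"]:
        status_line, resp_headers, _ = parse_message(entry["response"])
        status = int(status_line.split(" ")[1])
        if status >= 400:                                    # "abnormal response" read as 4xx/5xx
            hits.append("abnormal response status %d" % status)
        if rclass in ("image", "javascript", "css") and not any(h in resp_headers for h in CACHE_HEADERS):
            label = rclass if rclass == "image" else ("versioned " if versioned else "unversioned ") + rclass
            hits.append("%s response has no cache header" % label)
        if expected_type and expected_type not in resp_headers.get("content-type", ""):
            hits.append("%s Content-Type header mismatch: %r" % (rclass, resp_headers.get("content-type")))
    return {"url": url, "hits": hits}


def run_rules(entries):
    """Evaluate every rule over every entry in capture order."""
    last_seen = {}
    return [analyze_entry(e, last_seen) for e in entries]


def build_report(entries):
    """Claim 4: serialize the findings to a cross-platform format (JSON)."""
    return json.dumps(run_rules(entries), indent=2)


# ---- constructed sample entries (same shape as the pairing step produces; not real traffic) ----
def http_bytes(start_line, headers, body=b""):
    head = "\r\n".join([start_line] + ["%s: %s" % kv for kv in headers]) + "\r\n\r\n"
    return head.encode("latin-1") + body


HOST = [("Host", "example.test")]
SAMPLE_ENTRIES = [
    {"request": http_bytes("GET /static/app.js?v=1.2 HTTP/1.1", HOST),
     "response": http_bytes("HTTP/1.1 200 OK", [("Content-Type", "application/javascript")], b"var a=1;"),
     "t_req": 1.00, "t_resp": 1.02},
    {"request": http_bytes("GET /img/logo.png HTTP/1.1", HOST),
     "response": http_bytes("HTTP/1.1 200 OK", [("Content-Type", "text/html"), ("Cache-Control", "max-age=3600")], b"<html>"),
     "t_req": 1.10, "t_resp": 1.15},
    {"request": http_bytes("GET /index.html HTTP/1.1", HOST),
     "response": http_bytes("HTTP/1.1 500 Internal Server Error", [("Content-Type", "text/html")], b"oops"),
     "t_req": 2.00, "t_resp": 8.50},
    {"request": http_bytes("GET /index.html HTTP/1.1", HOST), "response": b"", "t_req": 3.00, "t_resp": None},
    {"request": http_bytes("GET /style.css HTTP/1.1", HOST),
     "response": http_bytes("HTTP/1.1 200 OK", [("Content-Type", "text/css")], b"a{}" * 5000),
     "t_req": 4.00, "t_resp": 4.05},
]

if __name__ == "__main__":
    print(build_report(SAMPLE_ENTRIES))
```

The 5 s and 10 KB thresholds are the ones the claims state; the rule readings above are not. A real deployment would want the Content-Type check to compare against the server's declared type per resource rather than a fixed extension table, and the "no response" rule needs the capture end time to distinguish a genuinely unanswered request from one whose response simply fell outside the capture window.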
5. An HTTP packet analysis apparatus based on libpcap, comprising:
a parameter setting module for storing a plurality of analysis rules for analyzing the data in the HTTP packets;
a basic unpacking module for acquiring a plurality of HTTP packets from the libpcap file;
a data analysis module for deleting HTTP packets of specified content from the plurality of acquired HTTP packets according to a preset filtering condition, and then acquiring the request packet and the response packet of each HTTP connection, which comprises: first judging whether the HTTP packet is the first request packet of a connection, and if so, adding the request packet to a dictionary A in memory as a key; if not, further judging whether the HTTP packet is the first response packet of the connection, and if so, adding the response packet to dictionary A as the value; if not, further judging whether the HTTP packet is a subsequent response packet, and if so, splicing it onto the corresponding response packet in dictionary A; otherwise the packet is a subsequent request packet of the connection and is spliced onto the corresponding request packet in dictionary A;
and a report generation module for analyzing the request packets and response packets according to the plurality of analysis rules and then outputting an analysis result.
6. The apparatus of claim 5, wherein the plurality of analysis rules comprise several of the following:
judging whether a picture is cached by analyzing whether the HTTP response packet for the picture request contains a cache header;
judging whether a URL is cached by analyzing whether the HTTP response packet for JavaScript whose URL contains the version request string contains a cache header;
judging whether a URL is cached by analyzing whether the HTTP response packet for CSS whose URL contains the version request string contains a cache header;
judging whether the same request is made more often than once every 5 seconds by analyzing whether the interval between occurrences of the same request exceeds 5 seconds;
judging whether a request packet or response packet is larger than 10 KB by analyzing the size of each request packet and response packet;
judging whether a URL is cached by analyzing whether the HTTP response packet for JavaScript whose URL does not contain the version request string contains a cache header;
judging whether a URL is cached by analyzing whether the HTTP response packet for CSS whose URL does not contain the version request string contains a cache header;
judging whether an abnormal response exists by analyzing each response packet;
judging whether a request has gone more than 5 seconds without a response being returned by analyzing the sending times of the request packet and the response packet of the same connection;
judging whether the detailed type header of a picture is abnormal by analyzing the request packet and the response packet corresponding to it;
judging whether the detailed type header of HTML is abnormal by analyzing the request packet and the response packet corresponding to it;
judging whether the detailed type header of JavaScript is abnormal by analyzing the request packet and the response packet corresponding to it;
and judging whether the detailed type header of CSS is abnormal by analyzing the request packet and the response packet corresponding to it.
7. The apparatus of claim 5, wherein the base unpacking module is further configured to:
unpacking the libpcap file to obtain a TCP (transmission control protocol) packet;
and judging whether the data in the TCP packet is an HTTP packet, and if so, acquiring the HTTP packet.
8. The apparatus of claim 5, wherein the report generation module is further configured to: the request and response packets are serialized to generate data in a cross-platform format.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-4.
10. A computer-readable medium on which a computer program is stored which, when executed by a processor, carries out the method according to any one of claims 1-4.
CN201510288169.6A 2015-05-29 2015-05-29 HTTP packet analysis method and device based on libpcap Active CN106302349B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510288169.6A CN106302349B (en) 2015-05-29 2015-05-29 HTTP packet analysis method and device based on libpcap

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510288169.6A CN106302349B (en) 2015-05-29 2015-05-29 HTTP packet analysis method and device based on libpcap

Publications (2)

Publication Number Publication Date
CN106302349A CN106302349A (en) 2017-01-04
CN106302349B true CN106302349B (en) 2020-06-05

Family

ID=57655689

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510288169.6A Active CN106302349B (en) 2015-05-29 2015-05-29 HTTP packet analysis method and device based on libpcap

Country Status (1)

Country Link
CN (1) CN106302349B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112237743B (en) * 2019-07-17 2024-03-08 腾讯科技(上海)有限公司 User data statistics method, device, computer equipment and storage medium
CN110661683B (en) * 2019-09-26 2021-07-16 苏州浪潮智能科技有限公司 Method and device for analyzing UDP (user Datagram protocol) protocol by file based on pcap format
CN110912919B (en) * 2019-12-03 2020-10-23 电子科技大学 Network data acquisition method for network health condition modeling analysis
CN113141282B (en) * 2021-05-12 2022-03-18 深圳赛安特技术服务有限公司 Packet capturing method, device, equipment and storage medium based on Libpcap

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6795848B1 (en) * 2000-11-08 2004-09-21 Hughes Electronics Corporation System and method of reading ahead of objects for delivery to an HTTP proxy server
CN101888312A (en) * 2009-05-15 2010-11-17 北京启明星辰信息技术股份有限公司 Attack detection and response method and device of WEB page
CN103312551A (en) * 2012-03-12 2013-09-18 腾讯科技(深圳)有限公司 Test method and test device of common gateway interface
CN104135536A (en) * 2014-08-15 2014-11-05 浪潮电子信息产业股份有限公司 Data interaction method of Web management system based on Json data protocols
CN104601573A (en) * 2015-01-15 2015-05-06 国家计算机网络与信息安全管理中心 Verification method and device for Android platform URL (Uniform Resource Locator) access result

Also Published As

Publication number Publication date
CN106302349A (en) 2017-01-04

Similar Documents

Publication Publication Date Title
CN106302349B (en) HTTP packet analysis method and device based on libpcap
WO2020119434A1 (en) Method and apparatus for interface data processing, method and apparatus for automated testing, device, and medium
US20130318604A1 (en) Blacklisting and whitelisting of security-related events
CN107133161B (en) Method and device for generating client performance test script
CN107957940B (en) Test log processing method, system and terminal
CN109327357B (en) Feature extraction method and device of application software and electronic equipment
US11030384B2 (en) Identification of sequential browsing operations
US9614766B2 (en) System and method to analyze congestion in low latency network
EP2857987A1 (en) Acquiring method, device and system of user behavior
US20160119449A1 (en) Packet compression method and apparatus
US8713368B2 (en) Methods for testing OData services
JP6093449B2 (en) Homepage forming method, peripheral device, and homepage forming system
CN111104587A (en) Webpage display method and device and server
WO2016082696A1 (en) Ua recognition method and device
CN104573520A (en) Method and device for detecting permanent type cross site scripting vulnerability
AU2014359172B2 (en) Network server system, client device, computer program product and computer-implemented method
CN110633195A (en) Performance data display method and device, electronic equipment and storage medium
CN111277569A (en) Network message decoding method and device and electronic equipment
CN108287874B (en) DB2 database management method and device
CN103825772A (en) Method for identifying user click behavior and gateway equipment
CN105068926A (en) Program test method and device thereof
CN105939304B (en) Tunnel message parsing method and device
CN112256557B (en) Program regression testing method, device, system, computer equipment and storage medium
CA3149794C (en) Error handling during asynchronous processing of sequential data blocks
JP7003909B2 (en) Communication analysis device, communication analysis method and computer program

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant