CN107454202A - NAT boundary discovery method based on HTTP protocol analysis - Google Patents

NAT boundary discovery method based on HTTP protocol analysis

Info

Publication number
CN107454202A
Authority
CN
China
Prior art keywords
http protocol
nat
address
outlet
operating system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710561840.9A
Other languages
Chinese (zh)
Inventor
傅如毅
张菲菲
陈春萍
姚龙飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Yuanwang Information Co Ltd
Original Assignee
Zhejiang Yuanwang Information Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/30 Managing network names, e.g. use of aliases or nicknames
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention belongs to the technical field of network security monitoring and discloses a NAT boundary discovery method based on HTTP protocol analysis. It relies on the fact that the request header of the HTTP protocol (Hypertext Transfer Protocol) contains a "User-Agent" field through which the terminal reports its operating system, browser and other attributes to the server. A gateway hardware device is attached to the core switch in bypass mode, monitors the packets transmitted on the whole network, and analyses the HTTP packets. It extracts the terminal operating system version information carried in the User-Agent field of the HTTP request header, compiles statistics on that version information, and, according to the statistical result, judges an IP address behind which multiple operating system features are observed to be a NAT boundary point. This solves the problem that NAT boundary points are almost indistinguishable from the network egress.

Description

NAT boundary discovery method based on HTTP protocol analysis
【Technical field】
The present invention relates to the technical field of network security monitoring, and in particular to a NAT boundary discovery method based on HTTP protocol analysis.
【Background technology】
NAT (Network Address Translation) technology is the expedient currently adopted in response to the increasing depletion of IPv4 address resources, and it is used extensively, from operators down to home networks. Its main function is to let multiple terminal users on an intranet share one public egress IP address through address translation, so that, seen from the network egress, nearly all network packets have been stripped of the information specific to the terminal that sent them. While saving a large amount of IPv4 address resources, this also increases the difficulty of network operation and management; in relatively large networks such as metropolitan area networks in particular, unauthorised and haphazardly connected NAT networks are seen everywhere and adversely affect normal network operation. Because of the characteristics of NAT, NAT boundary points are almost indistinguishable from the network egress. To solve the above problem, a NAT boundary discovery method based on HTTP protocol analysis needs to be proposed.
【The content of the invention】
The object of the present invention is to overcome the above deficiencies of the prior art by providing a NAT boundary discovery method based on HTTP protocol analysis. It aims to solve the technical problem that, in the prior art, NAT technology, while saving a large amount of IPv4 address resources, also increases the difficulty of network operation and management; that in relatively large networks such as metropolitan area networks unauthorised and haphazardly connected NAT networks are seen everywhere and adversely affect normal network operation; and that NAT boundary points are almost indistinguishable from the network egress.
To achieve the above object, the present invention proposes a NAT boundary discovery method based on HTTP protocol analysis, comprising the following steps:
S1) A gateway hardware device is attached to the core switch in bypass mode; the gateway hardware device monitors and obtains the mirrored data of all traffic passing through the core switch;
S2) The gateway hardware device analyses the network packets in the mirrored data that carry the HTTP protocol;
S3) From the HTTP requests, the gateway hardware device determines the egress IP addresses and obtains the information of the terminal devices that access the network through each egress IP address;
S4) The terminal device information connected to each egress IP address is counted;
S5) According to the statistical result, the gateway hardware device judges an egress IP address behind which multiple terminal device features are observed to be a NAT boundary point.
Preferably, in step S3 the HTTP request consists of three parts, namely the request line, the request header and the request body; the request header includes a "User-Agent" field that can report the terminal device information to the server.
Preferably, the terminal device information includes the operating system version, browser type and host name.
Preferably, step S4 counts the operating system version information of the terminal devices connected to each egress IP address, and in step S5 an egress IP address behind which multiple operating system features are observed is judged to be a NAT boundary point.
Beneficial effects of the present invention: compared with the prior art, the NAT boundary discovery method based on HTTP protocol analysis provided by the invention relies on the fact that the request header of the HTTP protocol (Hypertext Transfer Protocol) includes a "User-Agent" field through which the terminal reports its operating system, browser and other attributes to the server. A gateway hardware device is attached to the core switch in bypass mode, monitors the packets transmitted on the whole network and analyses the HTTP packets; it extracts the terminal operating system version information carried in the User-Agent field of the HTTP request header, compiles statistics on it, and according to the statistical result judges an IP address behind which multiple operating system features are observed to be a NAT boundary point. This solves the problem that NAT boundary points are almost indistinguishable from the network egress.
The features and advantages of the present invention will be described in detail through the embodiments in conjunction with the accompanying drawings.
【Brief description of the drawings】
Fig. 1 is the flow chart of the NAT boundary discovery method based on HTTP protocol analysis according to an embodiment of the present invention.
【Embodiment】
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further elaborated below with reference to the drawings and embodiments. It should be understood, however, that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit its scope. In addition, descriptions of known structures and techniques are omitted from the following description to avoid unnecessarily obscuring the concept of the invention.
Referring to Fig. 1, an embodiment of the present invention provides a NAT boundary discovery method based on HTTP protocol analysis, comprising the following steps:
S1) A gateway hardware device is attached to the core switch in bypass mode; the gateway hardware device monitors and obtains the mirrored data of all traffic passing through the core switch.
S2) The gateway hardware device analyses the network packets in the mirrored data that carry the HTTP protocol.
S3) From the HTTP requests, the gateway hardware device determines the egress IP addresses and obtains the information of the terminal devices that access the network through each egress IP address. The HTTP request consists of three parts, namely the request line, the request header and the request body; the request header includes a "User-Agent" field that can report the terminal device information to the server, where the terminal device information includes attributes such as the operating system version, browser type and host name.
S4) The operating system version information of the terminal devices connected to each egress IP address is counted.
S5) According to the statistical result, the gateway hardware device judges an egress IP address behind which multiple operating system features are observed to be a NAT boundary point.
The NAT boundary discovery method based on HTTP protocol analysis of the present invention relies on the fact that the request header of the HTTP protocol (Hypertext Transfer Protocol) includes a "User-Agent" field through which the terminal reports its operating system, browser and other attributes to the server. A gateway hardware device is attached to the core switch in bypass mode, monitors the packets transmitted on the whole network and analyses the HTTP packets; it extracts the terminal operating system version information carried in the User-Agent field of the HTTP request header, compiles statistics on it, and according to the statistical result judges an IP address behind which multiple operating system features are observed to be a NAT boundary point. This solves the problem that NAT boundary points are almost indistinguishable from the network egress.
The foregoing is merely illustrative of the preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included within its scope of protection.
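As an added illustration (not code from the patent or its assignee), the following Python carries out the counting of steps S3 to S5 over a constructed batch of mirrored requests: it pulls the User-Agent field out of each HTTP request head, maps it to an operating system feature, collects the distinct features per egress IP and flags addresses with more than one. The sample addresses, the OS regexes and the two-feature threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of mirrored traffic: (egress IP as seen on the mirror port, raw HTTP request head).
SAMPLE_REQUESTS = [
    ("203.0.113.10", "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n\r\n"),
    ("203.0.113.10", "GET /a HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) Safari/605.1.15\r\n\r\n"),
    ("203.0.113.10", "GET /b HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F) Chrome/59\r\n\r\n"),
    ("203.0.113.10", "GET /c HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) Safari/604.1\r\n\r\n"),
    ("203.0.113.20", "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/54.0\r\n\r\n"),
    ("203.0.113.20", "GET /d HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/59\r\n\r\n"),
    ("203.0.113.30", "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # no User-Agent at all
]

# Assumed OS patterns. Order matters: iOS agents also say "like Mac OS X" and
# Android agents also say "Linux", so the more specific patterns come first.
OS_PATTERNS = [
    ("iOS", re.compile(r"(?:iPhone|iPad).*? OS (\d+[_.]\d+)")),
    ("Android", re.compile(r"Android (\d+(?:\.\d+)*)")),
    ("Windows", re.compile(r"Windows NT (\d+\.\d+)")),
    ("macOS", re.compile(r"Mac OS X (\d+[_.]\d+(?:[_.]\d+)?)")),
    ("Linux", re.compile(r"Linux")),
]

def user_agent(request_head):
    """Return the User-Agent value from an HTTP request head, or None if absent."""
    for line in request_head.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # empty line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":  # field names are case-insensitive
            return value.strip()
    return None

def os_version(ua):
    """Map a User-Agent string to an (os_family, version) feature, or None if unrecognised."""
    for family, pattern in OS_PATTERNS:
        match = pattern.search(ua)
        if match:
            version = match.group(1).replace("_", ".") if match.groups() else ""
            return (family, version)
    return None

def count_os_per_ip(requests):
    """S3/S4: the set of distinct OS features observed behind each egress IP."""
    seen = defaultdict(set)
    for ip, head in requests:
        ua = user_agent(head)
        feature = os_version(ua) if ua else None
        if feature:
            seen[ip].add(feature)
    return seen

def nat_boundaries(requests, min_features=2):
    """S5: egress IPs behind which at least min_features distinct OS features appear."""
    seen = count_os_per_ip(requests)
    return sorted(ip for ip, features in seen.items() if len(features) >= min_features)
```

A single host running a virtual machine, or a client that rewrites its User-Agent, also presents several OS features behind one address, so the result is an indicator to be confirmed rather than proof of a NAT device.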

Claims (4)

1. A NAT boundary discovery method based on HTTP protocol analysis, characterised in that it comprises the following steps:
S1) A gateway hardware device is attached to the core switch in bypass mode; the gateway hardware device monitors and obtains the mirrored data of all traffic passing through the core switch;
S2) The gateway hardware device analyses the network packets in the mirrored data that carry the HTTP protocol;
S3) From the HTTP requests, the gateway hardware device determines the egress IP addresses and obtains the information of the terminal devices that access the network through each egress IP address;
S4) The terminal device information connected to each egress IP address is counted;
S5) According to the statistical result, the gateway hardware device judges an egress IP address behind which multiple terminal device features are observed to be a NAT boundary point.
2. The NAT boundary discovery method based on HTTP protocol analysis as claimed in claim 1, characterised in that: in step S3 the HTTP request consists of three parts, namely the request line, the request header and the request body, and the request header includes a "User-Agent" field that can report the terminal device information to the server.
3. The NAT boundary discovery method based on HTTP protocol analysis as claimed in claim 2, characterised in that: the terminal device information includes the operating system version, browser type and host name.
4. The NAT boundary discovery method based on HTTP protocol analysis as claimed in claim 1, characterised in that: step S4 counts the operating system version information of the terminal devices connected to each egress IP address; and in step S5 an egress IP address behind which multiple operating system features are observed is judged to be a NAT boundary point.
CN201710561840.9A 2017-07-11 2017-07-11 A kind of NAT borders based on http protocol analysis find method Pending CN107454202A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710561840.9A CN107454202A (en) 2017-07-11 2017-07-11 A kind of NAT borders based on http protocol analysis find method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710561840.9A CN107454202A (en) 2017-07-11 2017-07-11 A kind of NAT borders based on http protocol analysis find method

Publications (1)

Publication Number Publication Date
CN107454202A true CN107454202A (en) 2017-12-08

Family

ID=60488807

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710561840.9A Pending CN107454202A (en) 2017-07-11 2017-07-11 A kind of NAT borders based on http protocol analysis find method

Country Status (1)

Country Link
CN (1) CN107454202A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114615017A (en) * 2022-02-09 2022-06-10 浙江远望信息股份有限公司 HTML 5-based NAT boundary discovery method for Canvas fingerprints

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102307123A (en) * 2011-09-06 2012-01-04 电子科技大学 NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic
CN102882748A (en) * 2012-10-23 2013-01-16 深圳中兴网信科技有限公司 Network access detection system and network access detection method
CN105429996A (en) * 2015-12-15 2016-03-23 浙江远望信息股份有限公司 Method for intelligently finding and locating address translation equipment

Similar Documents

Publication Publication Date Title
US9185093B2 (en) System and method for correlating network information with subscriber information in a mobile network environment
EP3151470B1 (en) Analytics for a distributed network
US8537818B1 (en) Packet structure for mirrored traffic flow
KR101424490B1 (en) Reverse access detecting system and method based on latency
US9883010B2 (en) Method, apparatus, device and system for generating DHCP snooping binding table
US20050108434A1 (en) In-band firewall for an embedded system
US20090290492A1 (en) Method and apparatus to index network traffic meta-data
CN109391704B (en) Cross-private-network access method and device for video monitoring equipment
CN105072213A (en) IPSec NAT bidirection traversing method, IPSec NAT bidirection traversing system and VPN gateway
CN111970234A (en) Cookie-based evidence obtaining method for NAT private network access illegal external connection equipment
KR101281160B1 (en) Intrusion Prevention System using extract of HTTP request information and Method URL cutoff using the same
CN106789413A (en) A kind of method and apparatus for detecting proxy surfing
CN106302351B (en) Collect the method, apparatus and system of accesses control list
CN107454202A (en) A kind of NAT borders based on http protocol analysis find method
WO2021052280A1 (en) Network measurement system and method, device and storage medium
JP2012249138A (en) Packet capture device and computer program
CN104994113B (en) A kind of ADSL wireless routers and the method and system for realizing forced gate under bridge mode using the router
CN103078865A (en) Network server communication model based on transmission control protocol (TCP)
WO2006060908A1 (en) Method for running an x.25-based application on a second protocol-based network
US20140313887A1 (en) Communication node having traffic optimization capability and method for optimizing traffic in communication node
CN112468610B (en) Data transmission method, monitoring node, monitoring server and monitoring network system
CN110708289B (en) Service detection method, browser, server, electronic device and storage medium
Trammell et al. A new transport encapsulation for middlebox cooperation
CN106657030B (en) A kind of method and system based on Dynamic Host Configuration Protocol server invalid packet security protection
CN107483651A (en) A kind of NAT borders based on terminal time change find method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171208