CN107454202A - NAT boundary discovery method based on HTTP protocol analysis - Google Patents
- Publication number: CN107454202A (application CN201710561840.9A)
- Authority: CN (China)
- Prior art keywords: http protocol, nat, address, outlet, operating system
- Prior art date
- Legal status: Pending
Classifications
- H04L61/2503: Translation of Internet protocol [IP] addresses (under H04L61/00 Network arrangements, protocols or services for addressing or naming; H04L61/09 Mapping addresses; H04L61/25 Mapping addresses of the same type)
- H04L61/30: Managing network names, e.g. use of aliases or nicknames (under H04L61/00 Network arrangements, protocols or services for addressing or naming)
- H04L69/22: Parsing or analysis of headers (under H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
Abstract
The present invention belongs to the technical field of network security monitoring and discloses a NAT boundary discovery method based on HTTP protocol analysis. It relies on the fact that the request header of the HTTP protocol contains a "User-Agent" field, through which a terminal reports its operating system, browser and other attributes to the server. A gateway hardware device is attached in bypass mode to the core switch; it monitors the packets transmitted on the whole network, analyses the HTTP packets, extracts the terminal operating system version carried in the User-Agent field of each HTTP request header, and counts the operating system versions observed. Based on these statistics, an IP address behind which multiple operating system features are observed is judged to be a NAT boundary point. This solves the problem that NAT boundary points can hardly be distinguished from the network egress.
Description
【Technical field】
The present invention relates to the technical field of network security monitoring, and in particular to a NAT boundary discovery method based on HTTP protocol analysis.
【Background technology】
NAT (Network Address Translation) is the expedient adopted in response to the increasing depletion of IPv4 address resources, and it is used widely, from operators' networks down to home networks. Its main function is to let multiple terminal users on an intranet share one egress IP address through address translation, so that, seen from the network egress, nearly all network packets have been stripped of the information specific to the originating terminal. While NAT saves a large number of IPv4 address resources, it also increases the difficulty of network operation and management. In relatively large networks such as metropolitan area networks in particular, unauthorised and haphazardly connected NAT networks are found everywhere and adversely affect normal network operation. Because of the characteristics of NAT, NAT boundary points can hardly be distinguished from the network egress. To solve the above problem, a NAT boundary discovery method based on HTTP protocol analysis is needed.
【The content of the invention】
The object of the present invention is to overcome the above shortcomings of the prior art by providing a NAT boundary discovery method based on HTTP protocol analysis. It aims to solve the technical problem that, in the prior art, NAT technology saves a large number of IPv4 address resources but also increases the difficulty of network operation and management; that in relatively large networks such as metropolitan area networks in particular, unauthorised and haphazardly connected NAT networks are found everywhere and adversely affect normal network operation; and that NAT boundary points can hardly be distinguished from the network egress.
To achieve the above object, the present invention proposes a NAT boundary discovery method based on HTTP protocol analysis, comprising the following steps:
S1) a gateway hardware device is attached in bypass mode to the core switch, and the gateway hardware device monitors and obtains the mirrored data of all traffic passing through the core switch;
S2) the gateway hardware device analyses the network packets in the mirrored data that contain the HTTP protocol;
S3) the gateway hardware device analyses the egress IP address according to the HTTP request and obtains the information about the terminal devices requesting network access on each egress IP address;
S4) the terminal device information connected on each egress IP address is counted;
S5) according to the statistical result, the gateway hardware device judges an egress IP address under which multiple terminal device features are observed to be a NAT boundary point.
Preferably, in step S3 the HTTP request consists of three parts, namely the request line, the request header and the request body; the request header contains a "User-Agent" field that can report the terminal device information to the server.
Preferably, the terminal device information includes operating system version, browser type and host name.
Preferably, step S4 counts the operating system version information of the terminal devices connected on each egress IP address, and step S5 judges an egress IP address under which multiple operating system features are observed to be a NAT boundary point.
Beneficial effects of the present invention: compared with the prior art, the NAT boundary discovery method based on HTTP protocol analysis provided by the invention relies on the fact that the request header of the HTTP protocol contains a "User-Agent" field through which a terminal reports its operating system, browser and other attributes to the server. A gateway hardware device is attached in bypass mode to the core switch; it monitors the packets transmitted on the whole network, analyses the HTTP packets, extracts the terminal operating system version carried in the User-Agent field of each HTTP request header, and counts the operating system versions observed. Based on these statistics, an IP address behind which multiple operating system features are observed is judged to be a NAT boundary point, which solves the problem that NAT boundary points can hardly be distinguished from the network egress.
The features and advantages of the present invention are described in detail below through embodiments with reference to the accompanying drawings.
【Brief description of the drawings】
Fig. 1 is a flow chart of the NAT boundary discovery method based on HTTP protocol analysis according to an embodiment of the present invention.
【Embodiment】
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood, however, that the specific embodiments described here are merely illustrative of the invention and are not intended to limit its scope. In addition, descriptions of well-known structures and techniques are omitted from the following description to avoid unnecessarily obscuring the concept of the invention.
Referring to Fig. 1, the embodiment of the present invention provides a NAT boundary discovery method based on HTTP protocol analysis, comprising the following steps:
S1) a gateway hardware device is attached in bypass mode to the core switch, and the gateway hardware device monitors and obtains the mirrored data of all traffic passing through the core switch.
S2) the gateway hardware device analyses the network packets in the mirrored data that contain the HTTP protocol.
S3) the gateway hardware device analyses the egress IP address according to the HTTP request and obtains the information about the terminal devices requesting network access on each egress IP address. The HTTP request consists of three parts, namely the request line, the request header and the request body; the request header contains a "User-Agent" field that can report the terminal device information to the server, where the terminal device information includes attributes such as operating system version, browser type and host name.
S4) the operating system version information of the terminal devices connected on each egress IP address is counted.
S5) according to the statistical result, the gateway hardware device judges an egress IP address under which multiple operating system features are observed to be a NAT boundary point.
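As an added example (not code from the patent or its applicant), the following Python implements the core of steps S2 to S5 on a constructed set of captured request payloads: parse the HTTP request header, extract the User-Agent, reduce it to an operating-system feature, count features per source IP and flag IPs that show more than one. The sample capture, the regular expressions and all function names are assumptions of this example.

```python
import re
from collections import defaultdict
# Constructed sample capture (source IP seen at the egress, raw TCP payload); in the
# patent's setup these would arrive from the core switch mirror port (step S1).
SAMPLE_CAPTURE = [
    ("10.0.0.5", b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0\r\n\r\n"),
    ("10.0.0.5", b"GET /a HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:89.0) Firefox/89.0\r\n\r\n"),
    ("10.0.0.7", b"GET / HTTP/1.1\r\nHost: example.test\r\nuser-agent: Mozilla/5.0 (Windows NT 6.1) Chrome/88.0\r\n\r\n"),
    ("10.0.0.7", b"POST /p HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0 (Linux; Android 12; Pixel 6) Chrome/96.0\r\nContent-Length: 2\r\n\r\nok"),
    ("10.0.0.7", b"GET /i HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) Safari/604.1\r\n\r\n"),
    ("10.0.0.9", b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1\r\n\r\n"),
    ("10.0.0.9", b"GET /no-ua HTTP/1.0\r\nHost: example.test\r\n\r\n"),  # no User-Agent: ignored
    ("10.0.0.11", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),      # TLS record, not HTTP: ignored
]
# OS features parsed from the User-Agent. Order matters: an iOS UA also says "like Mac OS X".
OS_PATTERNS = [
    ("Windows", re.compile(r"Windows NT (\d+\.\d+)")),
    ("Android", re.compile(r"Android (\d+(?:\.\d+)*)")),
    ("iOS", re.compile(r"(?:iPhone|iPad);.*?OS (\d+(?:_\d+)*)")),
    ("macOS", re.compile(r"Mac OS X (\d+(?:[._]\d+)*)")),
]
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d$")

def user_agent_of(payload):
    """Steps S2/S3: return the User-Agent of an HTTP request payload, or None if it is not one."""
    lines = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")  # header block only; body is irrelevant
    if not REQUEST_LINE.match(lines[0]):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":  # header names are case-insensitive
            return value.strip().decode("latin-1", "replace")
    return None

def os_feature(user_agent):  # 'family version' string, e.g. 'Windows 10.0' or 'iOS 15.0'
    for family, pattern in OS_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            return f"{family} {m.group(1).replace('_', '.')}"
    return None

def tally_os_by_egress_ip(capture):
    """Step S4: count operating-system features per source IP seen at the egress."""
    counts = defaultdict(lambda: defaultdict(int))
    for src_ip, payload in capture:
        feature = os_feature(user_agent_of(payload) or "")
        if feature:
            counts[src_ip][feature] += 1
    return {ip: dict(c) for ip, c in counts.items()}

def nat_boundary_candidates(counts, min_distinct=2):  # step S5
    return sorted(ip for ip, features in counts.items() if len(features) >= min_distinct)
```

Two browsers on one Windows host still yield a single feature, so browser type alone does not indicate NAT; a passive mirror sees no readable User-Agent in HTTPS traffic, so the check only covers plaintext HTTP.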
The NAT boundary discovery method based on HTTP protocol analysis of the present invention relies on the fact that the request header of the HTTP protocol (Hypertext Transfer Protocol) contains a "User-Agent" field, through which a terminal reports its operating system, browser and other attributes to the server. A gateway hardware device is attached in bypass mode to the core switch; it monitors the packets transmitted on the whole network, analyses the HTTP packets, extracts the terminal operating system version carried in the User-Agent field of each HTTP request header, and counts the operating system versions observed. Based on these statistics, an IP address behind which multiple operating system features are observed is judged to be a NAT boundary point, which solves the problem that NAT boundary points can hardly be distinguished from the network egress.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included within the scope of protection.
Claims (4)
1. A NAT boundary discovery method based on HTTP protocol analysis, characterised in that it comprises the following steps:
S1) a gateway hardware device is attached in bypass mode to the core switch, and the gateway hardware device monitors and obtains the mirrored data of all traffic passing through the core switch;
S2) the gateway hardware device analyses the network packets in the mirrored data that contain the HTTP protocol;
S3) the gateway hardware device analyses the egress IP address according to the HTTP request and obtains the information about the terminal devices requesting network access on each egress IP address;
S4) the terminal device information connected on each egress IP address is counted;
S5) according to the statistical result, the gateway hardware device judges an egress IP address under which multiple terminal device features are observed to be a NAT boundary point.
2. The NAT boundary discovery method based on HTTP protocol analysis according to claim 1, characterised in that in step S3 the HTTP request consists of three parts, namely the request line, the request header and the request body, and the request header contains a "User-Agent" field that can report the terminal device information to the server.
3. The NAT boundary discovery method based on HTTP protocol analysis according to claim 2, characterised in that the terminal device information includes operating system version, browser type and host name.
4. The NAT boundary discovery method based on HTTP protocol analysis according to claim 1, characterised in that step S4 counts the operating system version information of the terminal devices connected on each egress IP address, and step S5 judges an egress IP address under which multiple operating system features are observed to be a NAT boundary point.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710561840.9A CN107454202A (en) | 2017-07-11 | 2017-07-11 | A kind of NAT borders based on http protocol analysis find method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107454202A true CN107454202A (en) | 2017-12-08 |
Family ID: 60488807
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710561840.9A Pending CN107454202A (en) | 2017-07-11 | 2017-07-11 | A kind of NAT borders based on http protocol analysis find method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107454202A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114615017A (en) * | 2022-02-09 | 2022-06-10 | 浙江远望信息股份有限公司 | HTML 5-based NAT boundary discovery method for Canvas fingerprints |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102307123A (en) * | 2011-09-06 | 2012-01-04 | 电子科技大学 | NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic |
CN102882748A (en) * | 2012-10-23 | 2013-01-16 | 深圳中兴网信科技有限公司 | Network access detection system and network access detection method |
CN105429996A (en) * | 2015-12-15 | 2016-03-23 | 浙江远望信息股份有限公司 | Method for intelligently finding and locating address translation equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20171208