CN107483651A - A kind of NAT borders based on terminal time change find method - Google Patents

A kind of NAT borders based on terminal time change find method Download PDF

Info

Publication number
CN107483651A
CN107483651A CN201710561369.3A CN201710561369A CN107483651A CN 107483651 A CN107483651 A CN 107483651A CN 201710561369 A CN201710561369 A CN 201710561369A CN 107483651 A CN107483651 A CN 107483651A
Authority
CN
China
Prior art keywords
terminal
nat
address
terminal time
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710561369.3A
Other languages
Chinese (zh)
Inventor
傅如毅
虞伯水
方磊
孙鹏科
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Yuanwang Information Co Ltd
Original Assignee
Zhejiang Yuanwang Information Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Yuanwang Information Co Ltd filed Critical Zhejiang Yuanwang Information Co Ltd
Priority to CN201710561369.3A priority Critical patent/CN107483651A/en
Publication of CN107483651A publication Critical patent/CN107483651A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • H04L61/2521Translation architectures other than single NAT servers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • H04L61/2521Translation architectures other than single NAT servers
    • H04L61/2535Multiple local networks, e.g. resolving potential IP address conflicts

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention is applied to the technical field of network security,Disclose a kind of NAT borders based on terminal time change and find method,Kidnapped based on bypass to obtain the time response of terminal,Nat borders are distinguished with this,By bypassing a border hardware device on core switch,The packet transmitted by all terminal devices of border hardware device mirror image monitoring by interchanger,And intercept the GET request bag of " .js " type in http protocol in mirror image data bag,And return to one and the HTTP response bags that intercepted GET request bag matches to terminal device,After terminal device starts to perform HTTP response bags,Given server will receive IP address,And the information such as terminal operating time in the IP address,Pass through given server analytic statistics,If there are multiple simultaneous linearly features with an IP address,Then the IP address is NAT boundary points,The present invention is by terminal time variation characteristic come accurate discrimination Nat boundary points,Contribute to the normal operation of network operation management and network.

Description

A kind of NAT borders based on terminal time change find method
【Technical field】
The present invention relates to the technical field of network security monitoring, more particularly to a kind of NAT sides based on terminal time change Boundary finds method.
【Background technology】
NAT (Network Address Translation), i.e. network address translation.NAT technology conduct The modus vivendi of IPv4 address resources increasingly depleted at present, operated extensively, greatly to operator, as low as home network.It Main function be exactly that the public one outlet IP address of multiple terminal users of Intranet is made by network address translation, so from All network packets have nearly all been stripped information specific to its terminal itself from the point of view of network egress.It is being saved greatly The difficulty of network operation management is also increased while the IPv4 address resources of amount, particularly some relatively large network such as metropolitan areas Net etc., private, which connects, disorderly to be connect NAT networks and is seen everywhere, and harmful effect is caused to the normal operation of network.And due to NAT spy Property, NAT boundary points almost can not be distinguished from network egress.In order to solve problem above, it is necessary to when proposing that one kind is based on terminal Between the NAT borders that change find method.
【The content of the invention】
It is an object of the invention to overcome above-mentioned the deficiencies in the prior art, there is provided a kind of NAT based on terminal time change Border finds method, and it aims to solve the problem that NAT technology in the prior art adds the difficulty of network operation management, private Connect and disorderly connect NAT networks and be seen everywhere, harmful effect is caused to the normal operation of network, and almost can not distinguish from network egress The technical problem of NAT boundary points.
To achieve the above object, the present invention proposes a kind of NAT borders based on terminal time change and finds method, including Following steps:
S1 a border hardware device), is bypassed on core switch, all-network is monitored by border hardware device mirror image The upper packet transmitted by interchanger;
S2), border hardware device parses to the data flow of http protocol in mirror image data bag, and to http protocol GET request bag carries out data processing, intercepts the GET request bag of " .js " type;
S3 the forgery of one, terminal device directly), is returned to by the border hardware device and GET request bag with previously intercepting The HTTP response bags to match, described HTTP response bags, which contain, to be obtained terminal time and the terminal time of acquisition is uploaded To the js scripts of given server;
S4), terminal device starts to perform js scripts after the HTTP response bags of forgery are received, and acquisition terminal time simultaneously will The terminal time information got is sent to the given server in js scripts;
S5 the data and recording data information that), given server receiving terminal apparatus uploads;
S6), given server is analyzed all data messages of record, to same by periodic operation Analysis Service The Servers-all time recorded under individual IP address and terminal time are calculated, according to linearly characteristic matching, such as Fruit has multiple simultaneous linearly features with an IP address, then judges the IP address for NAT boundary points.
Preferably, the given server in described step S3 to step S6 builds service online inside to specify Device.
Preferably, in described step S5, data that terminal device uploads include IP address of terminal, uplink time and its Upload terminal time accessed in content.
Preferably, the data message recorded in described step S5 also includes service when given server receives data The device time.
Preferably, after specifying server analysis to go out NAT boundary points in described step S6, immediate record is simultaneously carried out Report.
Beneficial effects of the present invention:Compared with prior art, a kind of NAT based on terminal time change provided by the invention Border finds method, kidnapped based on bypass and obtain the time response of terminal, NAT borders is distinguished with this, by being handed in core Change planes one border hardware device of upper bypass, the number that all terminal devices are transmitted by interchanger is monitored by border hardware device mirror image According to bag, and the GET request bag of " .js " type in http protocol in mirror image data bag is intercepted, and return to one and asked with intercepting GET Seeking the HTTP response bags that bag matches, after terminal device starts to perform HTTP response bags, given server is just to terminal device The information such as the terminal operating time in IP address and the IP address can be received, by given server analytic statistics, if There are multiple simultaneous linearly features with an IP address, then the IP address is NAT boundary points, and the present invention passes through terminal Time behavior carrys out accurate discrimination Nat boundary points, contributes to the normal operation of network operation management and network.
The feature and advantage of the present invention will be described in detail by embodiment combination accompanying drawing.
【Brief description of the drawings】
Fig. 1 is the flow chart that a kind of NAT borders based on terminal time change of the embodiment of the present invention find method.
【Embodiment】
To make the object, technical solutions and advantages of the present invention of greater clarity, below by drawings and Examples, to this Invention is further elaborated.However, it should be understood that the specific embodiments described herein are merely illustrative of the present invention, The scope being not intended to limit the invention.In addition, in the following description, the description to known features and technology is eliminated, to keep away Exempt from unnecessarily to obscure idea of the invention.
Refering to Fig. 1, the embodiment of the present invention provides a kind of NAT borders based on terminal time change and finds method, including such as Lower step:
S1 a border hardware device), is bypassed on core switch, all-network is monitored by border hardware device mirror image The upper packet transmitted by interchanger.
S2), border hardware device parses to the data flow of http protocol in mirror image data bag, and to http protocol GET request bag carries out data processing, intercepts the GET request bag of " .js " type.
S3 the forgery of one, terminal device directly), is returned to by the border hardware device and GET request bag with previously intercepting The HTTP response bags to match, described HTTP response bags, which contain, to be obtained terminal time and the terminal time of acquisition is uploaded To the js scripts of given server, wherein given server builds server online inside to specify.
S4), terminal device starts to perform js scripts after the HTTP response bags of forgery are received, and acquisition terminal time simultaneously will The terminal time information got is sent to the given server in js scripts.
S5 the data and recording data information that), given server receiving terminal apparatus uploads, the data that terminal device uploads Including IP address of terminal, uplink time and its terminal time accessed in content is uploaded, the data message of record also includes Given server receives server time during data.
S6), given server is analyzed all data messages of record, to same by periodic operation Analysis Service The Servers-all time recorded under individual IP address and terminal time are calculated, according to linearly characteristic matching, such as Fruit has multiple simultaneous linearly features with an IP address, then judges the IP address for NAT boundary points, specified services After device analyzes NAT boundary points, immediate record is simultaneously reported.
A kind of NAT borders based on terminal time change of the present invention find method, are kidnapped based on bypass to obtain terminal Time response, Nat borders are distinguished with this, by bypassing a border hardware device on core switch, set by border hardware Standby mirror image monitors the packet that all terminal devices are transmitted by interchanger, and intercepts in mirror image data bag in http protocol The GET request bag of " .js " type, and one and the HTTP response bags that intercepted GET request bag matches to terminal device are returned, After terminal device starts to perform HTTP response bags, given server will receive the end in IP address and the IP address The information such as run time are held, by given server analytic statistics, if there are multiple simultaneous timelines with an IP address Property feature, then the IP address is NAT boundary points, the present invention by terminal time variation characteristic come accurate discrimination Nat boundary points, Contribute to the normal operation of network operation management and network.
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the invention, all essences in the present invention Any modification, equivalent substitution or improvement made within refreshing and principle etc., should be included in the scope of the protection.

Claims (5)

1. a kind of NAT borders based on terminal time change find method, it is characterised in that:Comprise the following steps:
S1 a border hardware device), is bypassed on core switch, is monitored by border hardware device mirror image and led on all-network Cross the packet of interchanger transmission;
S2), border hardware device parses to the data flow of http protocol in mirror image data bag, and to the GET of http protocol Request bag carries out data processing, intercepts the GET request bag of " .js " type;
S3 the forgery of one, terminal device directly), is returned to by the border hardware device and GET request bag phase with previously intercepting The HTTP response bags matched somebody with somebody, described HTTP response bags, which contain, to be obtained terminal time and the terminal time of acquisition is uploaded to finger Determine the js scripts of server;
S4), terminal device starts to perform js scripts after the HTTP response bags of forgery are received, and obtains terminal time and will obtain To terminal time information be sent to given server in js scripts;
S5 the data and recording data information that), given server receiving terminal apparatus uploads;
S6), given server is analyzed all data messages of record, to an IP by periodic operation Analysis Service The Servers-all time recorded under address and terminal time are calculated, according to linearly characteristic matching, if together Individual IP address has multiple simultaneous linearly features, then judges the IP address for NAT boundary points.
2. a kind of NAT borders based on terminal time change as claimed in claim 1 find method, it is characterised in that:It is described Step S3 to step S6 in given server build online server inside to specify.
3. a kind of NAT borders based on terminal time change as claimed in claim 1 find method, it is characterised in that:It is described Step S5 in, data that terminal device uploads include IP address of terminal, uplink time and its uploaded accessed in content Terminal time.
4. a kind of NAT borders based on terminal time change as claimed in claim 1 find method, it is characterised in that:It is described Step S5 in the data message that records also include server time when given server receives data.
5. a kind of NAT borders based on terminal time change as claimed in claim 1 find method, it is characterised in that:It is described Step S6 in specify after server analysis goes out NAT boundary points, immediate record is simultaneously reported.
CN201710561369.3A 2017-07-11 2017-07-11 A kind of NAT borders based on terminal time change find method Pending CN107483651A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710561369.3A CN107483651A (en) 2017-07-11 2017-07-11 A kind of NAT borders based on terminal time change find method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710561369.3A CN107483651A (en) 2017-07-11 2017-07-11 A kind of NAT borders based on terminal time change find method

Publications (1)

Publication Number Publication Date
CN107483651A true CN107483651A (en) 2017-12-15

Family

ID=60595082

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710561369.3A Pending CN107483651A (en) 2017-07-11 2017-07-11 A kind of NAT borders based on terminal time change find method

Country Status (1)

Country Link
CN (1) CN107483651A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114615017A (en) * 2022-02-09 2022-06-10 浙江远望信息股份有限公司 HTML 5-based NAT boundary discovery method for Canvas fingerprints

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442450A (en) * 2008-12-24 2009-05-27 成都市华为赛门铁克科技有限公司 Method, system and apparatus for detecting sharing access terminal quantity
CN101631052A (en) * 2009-08-25 2010-01-20 杭州华三通信技术有限公司 Method and device for detecting number of access terminals
CN105429996A (en) * 2015-12-15 2016-03-23 浙江远望信息股份有限公司 Method for intelligently finding and locating address translation equipment

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442450A (en) * 2008-12-24 2009-05-27 成都市华为赛门铁克科技有限公司 Method, system and apparatus for detecting sharing access terminal quantity
CN101631052A (en) * 2009-08-25 2010-01-20 杭州华三通信技术有限公司 Method and device for detecting number of access terminals
CN105429996A (en) * 2015-12-15 2016-03-23 浙江远望信息股份有限公司 Method for intelligently finding and locating address translation equipment

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114615017A (en) * 2022-02-09 2022-06-10 浙江远望信息股份有限公司 HTML 5-based NAT boundary discovery method for Canvas fingerprints

Similar Documents

Publication Publication Date Title
US8284786B2 (en) Method and system for context aware deep packet inspection in IP based mobile data networks
Molavi Kakhki et al. Identifying traffic differentiation in mobile networks
US9204293B2 (en) Apparatuses, methods, and computer program products for data retention and lawful intercept for law enforcement agencies
Dewes et al. An analysis of Internet chat systems
US9185093B2 (en) System and method for correlating network information with subscriber information in a mobile network environment
US8848528B1 (en) Network data flow collection and processing
US20060031928A1 (en) Detector and computerized method for determining an occurrence of tunneling activity
US20090238088A1 (en) Network traffic analyzing device, network traffic analyzing method and network traffic analyzing system
US10601639B2 (en) Multi cause correlation in wireless protocols
CN110401624A (en) The detection method and system of source net G system mutual message exception
CN109922073A (en) Network security monitoring device, method and system
CN105306246B (en) A kind of method, apparatus and server of the complaint of automatic-answering back device network class
CN100466560C (en) Method, system, device for detecting service quality, and charging and fault detecting system
US20060155866A1 (en) Method of data gathering of user network
CN107666486A (en) A kind of network data flow restoration methods and system based on message protocol feature
CN108259263A (en) Data analysing method, apparatus and system
CN105007175A (en) Openflow-based flow depth correlation analysis method and system
CN107483651A (en) A kind of NAT borders based on terminal time change find method
KR101338485B1 (en) Quality of each service management Method and system in total IP network
Aracil et al. Analysis of Internet Services in IP over ATM networks
CN116668801A (en) Network condition monitoring method and system based on video platform
Cuadra‐Sanchez et al. A novel blind traffic analysis technique for detection of WhatsApp VoIP calls
Georgiev Performance evaluation of Internet traffic by network measurements
CN107454202A (en) A kind of NAT borders based on http protocol analysis find method
Svoboda et al. Detection and tracking of Skype by exploiting cross layer information in a live 3G network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171215

RJ01 Rejection of invention patent application after publication