CN107483651A - A NAT boundary discovery method based on terminal time change - Google Patents
- Publication number
- CN107483651A
- Authority
- CN
- China
- Prior art keywords
- terminal
- nat
- address
- terminal time
- data
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2521—Translation architectures other than single NAT servers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2521—Translation architectures other than single NAT servers
- H04L61/2535—Multiple local networks, e.g. resolving potential IP address conflicts
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention belongs to the technical field of network security and discloses a NAT boundary discovery method based on terminal time change. The method uses bypass hijacking to obtain the time characteristics of terminals and uses them to identify NAT boundaries. A border hardware device is attached in bypass mode to the core switch and monitors, by mirroring, the packets that all terminal devices transmit through the switch. It intercepts the HTTP GET request packets of the ".js" type in the mirrored packets and returns to the terminal device an HTTP response packet that matches the intercepted GET request packet. Once the terminal device starts to execute the HTTP response packet, a designated server receives the IP address together with information such as the terminal operating time under that IP address. The designated server analyses the collected data statistically: if one IP address has multiple coexisting time-linear features, that IP address is a NAT boundary point. By using terminal time-change characteristics to identify NAT boundary points accurately, the invention helps network operation and maintenance management and the normal operation of the network.
Description
【Technical field】
The present invention relates to the technical field of network security monitoring, and in particular to a NAT boundary discovery method based on terminal time change.
【Background art】
NAT (Network Address Translation) is the current way of coping with the growing depletion of IPv4 address resources and is widely deployed, from operators down to home networks. Its main function is to let multiple terminal users on an intranet share one egress IP address through address translation, so that, seen from the network egress, almost all network packets have been stripped of the information specific to the terminal that sent them. While saving a large amount of IPv4 address resources, NAT also increases the difficulty of network operation and maintenance management. In relatively large networks such as metropolitan area networks in particular, privately and haphazardly connected NAT networks are everywhere and harm the normal operation of the network. Because of the nature of NAT, NAT boundary points can hardly be distinguished from the network egress. To solve the above problems, a NAT boundary discovery method based on terminal time change is needed.
【Summary of the invention】
The object of the invention is to overcome the above deficiencies of the prior art by providing a NAT boundary discovery method based on terminal time change. It aims to solve the technical problems that, in the prior art, NAT technology increases the difficulty of network operation and maintenance management, that privately and haphazardly connected NAT networks are everywhere and harm the normal operation of the network, and that NAT boundary points can hardly be distinguished from the network egress.
To achieve the above object, the invention proposes a NAT boundary discovery method based on terminal time change, comprising the following steps:
S1) A border hardware device is attached in bypass mode to the core switch and monitors, by mirroring, all packets on the network that are transmitted through the switch;
S2) The border hardware device parses the HTTP data streams in the mirrored packets, processes the HTTP GET request packets, and intercepts the GET request packets of the ".js" type;
S3) The border hardware device directly returns to the terminal device a forged HTTP response packet that matches the previously intercepted GET request packet; this HTTP response packet contains a js script that obtains the terminal time and uploads the obtained terminal time to a designated server;
S4) After receiving the forged HTTP response packet, the terminal device starts to execute the js script, obtains the terminal time, and sends the obtained terminal time information to the designated server named in the js script;
S5) The designated server receives the data uploaded by the terminal device and records the data information;
S6) The designated server periodically runs an analysis service over all recorded data information: it performs a calculation over all server times and terminal times recorded under the same IP address and matches them against time-linear features; if one IP address has multiple coexisting time-linear features, that IP address is judged to be a NAT boundary point.
Preferably, the designated server in steps S3 to S6 is a server set up on a designated internal network.
Preferably, in step S5, the data uploaded by the terminal device include the terminal IP address, the upload time, and the terminal time obtained in the uploaded content.
Preferably, the data information recorded in step S5 also includes the server time at which the designated server receives the data.
Preferably, in step S6, after the designated server has identified a NAT boundary point by analysis, it immediately records and reports it.
Beneficial effects of the invention: compared with the prior art, the NAT boundary discovery method based on terminal time change provided by the invention uses bypass hijacking to obtain the time characteristics of terminals and uses them to identify NAT boundaries. A border hardware device is attached in bypass mode to the core switch and monitors, by mirroring, the packets that all terminal devices transmit through the switch. It intercepts the HTTP GET request packets of the ".js" type in the mirrored packets and returns to the terminal device an HTTP response packet that matches the intercepted GET request packet. Once the terminal device starts to execute the HTTP response packet, the designated server receives the IP address together with information such as the terminal operating time under that IP address. The designated server analyses the collected data statistically: if one IP address has multiple coexisting time-linear features, that IP address is a NAT boundary point. By using terminal time-change characteristics to identify NAT boundary points accurately, the invention helps network operation and maintenance management and the normal operation of the network.
The features and advantages of the invention are described in detail below through an embodiment with reference to the accompanying drawing.
【Brief description of the drawings】
Fig. 1 is a flow chart of a NAT boundary discovery method based on terminal time change according to an embodiment of the invention.
【Detailed description】
To make the objects, technical solutions and advantages of the invention clearer, the invention is further described below with reference to the drawing and an embodiment. It should be understood, however, that the specific embodiment described here only illustrates the invention and is not intended to limit its scope. In addition, descriptions of well-known structures and techniques are omitted below to avoid unnecessarily obscuring the concept of the invention.
Referring to Fig. 1, an embodiment of the invention provides a NAT boundary discovery method based on terminal time change, comprising the following steps:
S1) A border hardware device is attached in bypass mode to the core switch and monitors, by mirroring, all packets on the network that are transmitted through the switch.
S2) The border hardware device parses the HTTP data streams in the mirrored packets, processes the HTTP GET request packets, and intercepts the GET request packets of the ".js" type.
S3) The border hardware device directly returns to the terminal device a forged HTTP response packet that matches the previously intercepted GET request packet; this HTTP response packet contains a js script that obtains the terminal time and uploads the obtained terminal time to a designated server, where the designated server is a server set up on a designated internal network.
S4) After receiving the forged HTTP response packet, the terminal device starts to execute the js script, obtains the terminal time, and sends the obtained terminal time information to the designated server named in the js script.
S5) The designated server receives the data uploaded by the terminal device and records the data information. The data uploaded by the terminal device include the terminal IP address, the upload time, and the terminal time obtained in the uploaded content; the recorded data information also includes the server time at which the designated server receives the data.
S6) The designated server periodically runs an analysis service over all recorded data information: it performs a calculation over all server times and terminal times recorded under the same IP address and matches them against time-linear features; if one IP address has multiple coexisting time-linear features, that IP address is judged to be a NAT boundary point. After the designated server has identified a NAT boundary point by analysis, it immediately records and reports it.
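The patent does not say how step S6 matches time-linear features, so the following is an added example (not code from the patent or its applicant) of one way to do it in Python. It assumes each terminal's clock keeps a roughly constant offset from the server clock, groups an IP address's samples by that offset, and counts lines whose observation windows overlap; the tolerances, function names and sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (source IP, server receive time, terminal-reported time), epoch seconds.
SAMPLE_RECORDS = [
    # one terminal, clock about 0.4 s ahead of the server
    ("203.0.113.10", 1000.0, 1000.4), ("203.0.113.10", 1060.0, 1060.5),
    ("203.0.113.10", 1120.0, 1120.4),
    # two terminals interleaved behind one address: offsets about +12 s and -83 s
    ("203.0.113.20", 1000.0, 1012.1), ("203.0.113.20", 1030.0, 947.0),
    ("203.0.113.20", 1065.0, 1077.0), ("203.0.113.20", 1090.0, 1007.2),
    ("203.0.113.20", 1130.0, 1142.2), ("203.0.113.20", 1150.0, 1067.1),
    # one terminal whose clock was corrected between t=1060 and t=1100
    ("203.0.113.30", 1000.0, 1005.0), ("203.0.113.30", 1030.0, 1035.1),
    ("203.0.113.30", 1060.0, 1065.0), ("203.0.113.30", 1100.0, 1100.2),
    ("203.0.113.30", 1130.0, 1130.1), ("203.0.113.30", 1160.0, 1160.2),
]

def slope(points):
    """Least-squares slope of terminal time against server time."""
    n = len(points)
    ms = sum(s for s, _ in points) / n
    mt = sum(t for _, t in points) / n
    sxx = sum((s - ms) ** 2 for s, _ in points)
    return sum((s - ms) * (t - mt) for s, t in points) / sxx if sxx else None

def time_lines(points, offset_tol=2.0, slope_tol=0.01, min_points=3):
    """Split one IP's samples into time-linear features, one per distinct clock.

    Assumed criteria (not from the patent): samples whose offsets lie within
    offset_tol seconds of a neighbour belong together, and a group is a line
    when it has min_points samples and slope 1 +/- slope_tol.
    """
    groups = []
    for s, t in sorted(points, key=lambda p: p[1] - p[0]):
        if groups and (t - s) - (groups[-1][-1][1] - groups[-1][-1][0]) <= offset_tol:
            groups[-1].append((s, t))
        else:
            groups.append([(s, t)])
    lines = []
    for g in groups:
        k = slope(g) if len(g) >= min_points else None
        if k is not None and abs(k - 1.0) <= slope_tol:
            lines.append((min(s for s, _ in g), max(s for s, _ in g)))
    return lines  # (first_seen, last_seen) in server time for each line

def max_coexisting(lines):
    """Largest number of lines whose observation windows overlap."""
    events = sorted([(a, 0) for a, _ in lines] + [(b, 1) for _, b in lines])
    best = live = 0
    for _, is_end in events:
        live += -1 if is_end else 1
        best = max(best, live)
    return best

def find_nat_boundaries(records, **criteria):
    """Return {ip: coexisting clock count} for IPs with two or more lines at once."""
    by_ip = defaultdict(list)
    for ip, server_t, terminal_t in records:
        by_ip[ip].append((server_t, terminal_t))
    counts = {ip: max_coexisting(time_lines(p, **criteria)) for ip, p in by_ip.items()}
    return {ip: n for ip, n in counts.items() if n >= 2}
```

On the constructed records only 203.0.113.20 is reported: 203.0.113.30 also yields two lines, but they never coexist, which is what a single terminal with a corrected clock looks like.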
The NAT boundary discovery method based on terminal time change of the invention uses bypass hijacking to obtain the time characteristics of terminals and uses them to identify NAT boundaries. A border hardware device is attached in bypass mode to the core switch and monitors, by mirroring, the packets that all terminal devices transmit through the switch. It intercepts the HTTP GET request packets of the ".js" type in the mirrored packets and returns to the terminal device an HTTP response packet that matches the intercepted GET request packet. Once the terminal device starts to execute the HTTP response packet, the designated server receives the IP address together with information such as the terminal operating time under that IP address. The designated server analyses the collected data statistically: if one IP address has multiple coexisting time-linear features, that IP address is a NAT boundary point. By using terminal time-change characteristics to identify NAT boundary points accurately, the invention helps network operation and maintenance management and the normal operation of the network.
The foregoing is merely a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principle of the invention shall fall within its scope of protection.
Claims (5)
1. A NAT boundary discovery method based on terminal time change, characterized in that it comprises the following steps:
S1) A border hardware device is attached in bypass mode to the core switch and monitors, by mirroring, all packets on the network that are transmitted through the switch;
S2) The border hardware device parses the HTTP data streams in the mirrored packets, processes the HTTP GET request packets, and intercepts the GET request packets of the ".js" type;
S3) The border hardware device directly returns to the terminal device a forged HTTP response packet that matches the previously intercepted GET request packet; this HTTP response packet contains a js script that obtains the terminal time and uploads the obtained terminal time to a designated server;
S4) After receiving the forged HTTP response packet, the terminal device starts to execute the js script, obtains the terminal time, and sends the obtained terminal time information to the designated server named in the js script;
S5) The designated server receives the data uploaded by the terminal device and records the data information;
S6) The designated server periodically runs an analysis service over all recorded data information: it performs a calculation over all server times and terminal times recorded under the same IP address and matches them against time-linear features; if one IP address has multiple coexisting time-linear features, that IP address is judged to be a NAT boundary point.
2. The NAT boundary discovery method based on terminal time change according to claim 1, characterized in that the designated server in steps S3 to S6 is a server set up on a designated internal network.
3. The NAT boundary discovery method based on terminal time change according to claim 1, characterized in that, in step S5, the data uploaded by the terminal device include the terminal IP address, the upload time, and the terminal time obtained in the uploaded content.
4. The NAT boundary discovery method based on terminal time change according to claim 1, characterized in that the data information recorded in step S5 also includes the server time at which the designated server receives the data.
5. The NAT boundary discovery method based on terminal time change according to claim 1, characterized in that, in step S6, after the designated server has identified a NAT boundary point by analysis, it immediately records and reports it.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710561369.3A CN107483651A (en) | 2017-07-11 | 2017-07-11 | A kind of NAT borders based on terminal time change find method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710561369.3A CN107483651A (en) | 2017-07-11 | 2017-07-11 | A kind of NAT borders based on terminal time change find method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107483651A true CN107483651A (en) | 2017-12-15 |
Family
ID=60595082
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710561369.3A Pending CN107483651A (en) | 2017-07-11 | 2017-07-11 | A kind of NAT borders based on terminal time change find method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107483651A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114615017A (en) * | 2022-02-09 | 2022-06-10 | 浙江远望信息股份有限公司 | HTML 5-based NAT boundary discovery method for Canvas fingerprints |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101442450A (en) * | 2008-12-24 | 2009-05-27 | 成都市华为赛门铁克科技有限公司 | Method, system and apparatus for detecting sharing access terminal quantity |
CN101631052A (en) * | 2009-08-25 | 2010-01-20 | 杭州华三通信技术有限公司 | Method and device for detecting number of access terminals |
CN105429996A (en) * | 2015-12-15 | 2016-03-23 | 浙江远望信息股份有限公司 | Method for intelligently finding and locating address translation equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8284786B2 (en) | Method and system for context aware deep packet inspection in IP based mobile data networks | |
Molavi Kakhki et al. | Identifying traffic differentiation in mobile networks | |
US9204293B2 (en) | Apparatuses, methods, and computer program products for data retention and lawful intercept for law enforcement agencies | |
Dewes et al. | An analysis of Internet chat systems | |
US9185093B2 (en) | System and method for correlating network information with subscriber information in a mobile network environment | |
US8848528B1 (en) | Network data flow collection and processing | |
US20060031928A1 (en) | Detector and computerized method for determining an occurrence of tunneling activity | |
US20090238088A1 (en) | Network traffic analyzing device, network traffic analyzing method and network traffic analyzing system | |
US10601639B2 (en) | Multi cause correlation in wireless protocols | |
CN110401624A (en) | The detection method and system of source net G system mutual message exception | |
CN109922073A (en) | Network security monitoring device, method and system | |
CN105306246B (en) | A kind of method, apparatus and server of the complaint of automatic-answering back device network class | |
CN100466560C (en) | Method, system, device for detecting service quality, and charging and fault detecting system | |
US20060155866A1 (en) | Method of data gathering of user network | |
CN107666486A (en) | A kind of network data flow restoration methods and system based on message protocol feature | |
CN108259263A (en) | Data analysing method, apparatus and system | |
CN105007175A (en) | Openflow-based flow depth correlation analysis method and system | |
CN107483651A (en) | A kind of NAT borders based on terminal time change find method | |
KR101338485B1 (en) | Quality of each service management Method and system in total IP network | |
Aracil et al. | Analysis of Internet Services in IP over ATM networks | |
CN116668801A (en) | Network condition monitoring method and system based on video platform | |
Cuadra‐Sanchez et al. | A novel blind traffic analysis technique for detection of WhatsApp VoIP calls | |
Georgiev | Performance evaluation of Internet traffic by network measurements | |
CN107454202A (en) | A kind of NAT borders based on http protocol analysis find method | |
Svoboda et al. | Detection and tracking of Skype by exploiting cross layer information in a live 3G network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20171215 |