CN108092876A - NAT detection method and system based on an instant messaging application - Google Patents


Publication number
CN108092876A
Authority
CN
China
Prior art keywords
instant messaging
mobile terminal
messaging application
nat
detection methods
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711184625.8A
Other languages
Chinese (zh)
Inventor
朱国胜
雷龙飞
祁小云
陈�胜
石志凯
镇佳
吴善超
吴梦宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hubei University
Original Assignee
Hubei University
Application filed by Hubei University
Priority to CN201711184625.8A
Publication of CN108092876A
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/04 Real-time or near real-time messaging, e.g. instant messaging [IM]
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/256 NAT traversal
    • H04L61/2571 NAT traversal for identification, e.g. for authentication or billing
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention relates to a NAT detection method and system based on an instant messaging application. It uses real-time data acquisition, QQ application identification and QQ application analysis: for a single IP address, if QQ log records from both a PC client and a mobile client exist within the same time interval, the device can be accurately judged to be a NAT device. The method does not depend on any specific operating system, has wide coverage and a high recognition rate, and is easy to operate.

Description

NAT detection method and system based on an instant messaging application
Technical field
The invention relates to the technical field of communication networks, and in particular to a NAT detection method based on an instant messaging application.
Background
With the development of electronics and network technology, more and more terminal devices are connected to the Internet. NAT (Network Address Translation) eases the current shortage of IPv4 addresses and gives homes, schools, companies and other users a convenient way to access the Internet. While convenient for users, the technology also creates problems for network operators and supervisory authorities. On the one hand, multiple users evade supervision by sharing one authenticated connection or by privately running unlicensed Internet cafés; on the other hand, NAT makes it harder to provide personalized network services and to trace illegal users from passive traffic. Detecting and accurately locating hosts behind NAT is therefore an urgent technical problem for ensuring information security and reducing operators' additional operating costs. This document proposes a NAT detection method based on an instant messaging application.
In the prior art, NAT detection techniques fall into two broad types according to their characteristics: protocol analysis detection and application-layer feature detection. Protocol analysis detection identifies NAT by analyzing protocol fields of the data link layer, network layer and transport layer, such as the widely used IPID and TTL. Application-layer feature detection examines the features of application-layer data messages in order to distinguish different hosts; common methods use the Cookie ID and the UserAgent.
IPID is the identification field in the IP packet header, used to uniquely identify an IP packet. The Windows operating system treats the IPID as a counter: each time the host sends a packet, the IPID value increases by 1. The number of host devices is judged from the number of continuous IPID tracks among the packets sent from a given IP address. The drawback is that the method applies only to hosts running Windows, so device coverage is small and mobile devices are largely missed. Existing NAT devices can also modify IPID values, so the method is severely limited and fails easily.
TTL (Time To Live) is an 8-bit field in the IP header that represents the lifetime of the packet. Under the TCP/IP protocol, the TTL field in the IP header is automatically decremented by 1 each time the packet passes through a layer-3 network device. The TTL value of an operating system is usually fixed; for Windows it is generally 128. NAT is judged from the fact that a packet that has passed through a NAT device has a TTL 1 smaller than a packet that, under the same conditions, has not. The drawback is complete reliance on the TTL field: the detection result is affected when a device can modify the TTL value or when different operating systems use different TTL values.
Cookie ID technology is one of the means of working around the statelessness of HTTP. The cookie is stored on the client and read by the server, which maintains the session between server and client. Different users generate different cookies when browsing web pages; by collecting cookie information and comparing cookie ID values, the number of hosts behind NAT can be estimated. The method is strongly affected by user behavior: website access is random and produces a wide variety of cookie ID values, which makes them hard to count, and users worried about privacy leakage may disable cookies, in which case the method fails.
UserAgent is the value of the user-agent header that the browser sends with an HTTP request, which lets the server identify the client's operating system and version, browser and version, CPU type and so on. The UserAgent field in the HTTP header of application-layer messages therefore differs with operating system version, browser version and patch level, and analyzing it can determine the number of hosts behind a NAT device. The drawback is that the method can misjudge depending on how the operating system and browsers are used; for example, one host running two browsers affects the detection result.
In summary, there is currently no NAT detection method based on an instant messaging application.
Summary of the invention
In view of this, the invention provides a NAT detection method and system based on an instant messaging application.
To achieve this, the invention adopts the following technical solution.
The invention discloses a NAT detection method based on an instant messaging application.
The steps of the method are as follows: 1) collect the traffic data of the terminal hosts in the network environment; 2) match the collected traffic data against device-side QQ application features; 3) for traffic data that satisfies a matching rule, define device-side QQ application trigger events and a QQ script parsing strategy, and generate QQ log records; 4) make a judgment on the device-side QQ log records that exist for the same IP within the same time interval.
In the above technical solution, the device-side QQ applications in step 2) are the PC QQ application and the mobile QQ application; because their ports and channels differ, they are matched according to different matching rules.
In the above technical solution, the ports and channels of the PC and mobile QQ applications were determined by experimental verification and analysis: the PC commonly communicates over udp/8000 with protocol identifier 0x02, and mobile devices commonly communicate over tcp/8080, tcp/80 and tcp/443 with protocol identifier 0x00.
In the above technical solution, different data structures are defined for the PC and mobile QQ applications according to their differences: the PC side defines identifier, version number, operator, sequence number and QQ account; the mobile side defines identifier, version number, operator, sequence number, QQ number length and QQ account.
The invention also discloses a NAT detection system based on an instant messaging application. The system comprises the following modules: an acquisition module, which collects the traffic data of the terminal hosts in the network environment; a matching module, which matches the collected traffic data against device-side QQ application features; a parsing and log generation module, which, for traffic data that satisfies a matching rule, defines device-side QQ application trigger events and a QQ script parsing strategy and generates QQ log records; and a judgment module, which makes a judgment on the device-side QQ log records that exist for the same IP within the same time interval.
In the above technical solution, the device-side QQ applications in the matching module are the PC QQ application and the mobile QQ application; because their ports and channels differ, they are matched according to different matching rules.
In the above technical solution, the ports and channels of the PC and mobile QQ applications were determined by experimental verification and analysis: the PC commonly communicates over udp/8000 with protocol identifier 0x02, and mobile devices commonly communicate over tcp/8080, tcp/80 and tcp/443 with protocol identifier 0x00.
In the above technical solution, different data structures are defined for the PC and mobile QQ applications according to their differences: the PC side defines identifier, version number, operator, sequence number and QQ account; the mobile side defines identifier, version number, operator, sequence number, QQ number length and QQ account.
The NAT detection method and system based on an instant messaging application have the following advantages. The method is not limited to a particular operating system and covers a wide range of the device types users choose. Because it identifies and analyzes an application-layer application: (1) it is difficult for a NAT gateway to modify application-layer information; (2) it is difficult for host users to modify such information to evade detection; (3) application developers have no direct motivation to modify the features to evade detection. Using the QQ application as the detection object has further advantages: (1) the QQ application stays online for long periods, has a large user base and can be uniquely identified; (2) the QQ application uses common channels and has easily recognized features, so it is easy to detect and identify; (3) the QQ application can be logged in on several kinds of terminal at the same time, so it covers a wide range of device types. Compared with traditional identification methods, this method has few limitations, is easy to operate, depends on few conditions and has a high recognition rate.
Description of the drawings
Fig. 1 is a schematic diagram of the NAT detection method based on instant messaging according to the invention.
Fig. 2 is a module diagram of the NAT detection system based on instant messaging according to the invention.
Detailed description
The invention is described in further detail below with reference to the drawings.
Fig. 1 shows a NAT detection method based on an instant messaging application.
The steps of the method are as follows:
Step 1) Collect the traffic data of the terminal hosts in the network environment.
Specifically, what is collected is the network packets of the whole network environment.
Step 2) Match the collected traffic data against device-side QQ application features.
Specifically, the method uses the PC and mobile QQ applications. Wireshark is used to capture the network packets produced when a PC and a mobile device each log in to QQ, and the common channels and ports of the QQ application are determined by experimental verification. The experiments show that the PC commonly communicates over udp/8000 with protocol identifier 0x02, and that mobile devices commonly communicate over tcp/8080, tcp/80 and tcp/443 with protocol identifier 0x00.
Step 3) For traffic data that satisfies a matching rule, define device-side QQ application trigger events and a QQ script parsing strategy, and generate QQ log records.
Specifically, different data structures are defined according to the differences between the PC and mobile QQ applications: the PC side defines identifier, version number, operator, sequence number and QQ account; the mobile side defines identifier, version number, operator, sequence number, QQ number length and QQ account. After a match, the header information of the QQ application protocol is parsed and a log record is generated.
Step 4) Make a judgment on the device-side QQ log records that exist for the same IP within the same time interval.
If QQ log records from both a PC client and a mobile client exist within the same time interval, the device can be accurately judged to be a NAT device.
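An added example, not code from the patent: steps 2 to 4 applied to constructed packet records, using the ports, protocol identifiers and field order stated above. The header field widths, the 300-second interval and every function and variable name are assumptions made for illustration.

```python
import struct
from collections import defaultdict

MOBILE_TCP_PORTS = {8080, 80, 443}   # mobile QQ ports named in step 2
WINDOW_SECONDS = 300                 # assumed interval; the page fixes no value

def parse_qq(proto, dst_port, payload):
    """Steps 2-3: apply the port/identifier rules, then parse the QQ header.

    Returns (device, account) or None. Field widths are assumptions."""
    if proto == "udp" and dst_port == 8000 and payload[:1] == b"\x02":
        # PC: identifier(1) version(2) operator(2) sequence(2) account(4)
        if len(payload) < 11:
            return None              # truncated header, no log record
        account = struct.unpack_from(">BHHHI", payload)[4]
        return "pc", str(account)
    if proto == "tcp" and dst_port in MOBILE_TCP_PORTS and payload[:1] == b"\x00":
        # Mobile: identifier(1) version(2) operator(2) sequence(2)
        #         QQ number length(1) account(ASCII digits)
        if len(payload) < 8:
            return None
        length = payload[7]
        digits = payload[8:8 + length]
        if length == 0 or len(digits) != length or not digits.isdigit():
            return None
        return "mobile", digits.decode("ascii")
    return None

def build_log(packets):
    """Step 3: one QQ log record per packet that satisfies a matching rule."""
    log = []
    for ts, src_ip, proto, dst_port, payload in packets:
        parsed = parse_qq(proto, dst_port, payload)
        if parsed:
            log.append({"ts": ts, "ip": src_ip,
                        "device": parsed[0], "account": parsed[1]})
    return log

def detect_nat(log, window=WINDOW_SECONDS):
    """Step 4: flag an IP when PC and mobile records fall within `window`."""
    by_ip = defaultdict(list)
    for rec in log:
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        last = {}                    # most recent record per device type
        for rec in sorted(recs, key=lambda r: r["ts"]):
            last[rec["device"]] = rec
            other = last.get("mobile" if rec["device"] == "pc" else "pc")
            if other and rec["ts"] - other["ts"] <= window:
                flagged.setdefault(ip, (other, rec))   # keep first evidence pair
    return flagged

# Constructed sample traffic (documentation addresses, made-up accounts).
PC_PKT = struct.pack(">BHHHI", 0x02, 0x3711, 0x0002, 1, 123456789)
MOBILE_PKT = b"\x00" + struct.pack(">HHH", 1, 2, 1) + bytes([9]) + b"987654321"
SAMPLE_PACKETS = [
    (100, "198.51.100.5", "udp", 8000, PC_PKT),
    (130, "198.51.100.5", "tcp", 80, b"GET / HTTP/1.1\r\n"),  # first byte is not 0x00
    (160, "198.51.100.5", "tcp", 8080, MOBILE_PKT),            # PC + mobile within 60 s
    (120, "198.51.100.7", "udp", 8000, PC_PKT),                # PC only
    (140, "198.51.100.7", "udp", 8000, b"\x02\x37"),           # truncated header
    (100, "198.51.100.9", "udp", 8000, PC_PKT),
    (5000, "198.51.100.9", "tcp", 443, MOBILE_PKT),            # outside the window
]

if __name__ == "__main__":
    for ip, (first, second) in detect_nat(build_log(SAMPLE_PACKETS)).items():
        print(ip, "NAT:", first["device"], first["account"], "+",
              second["device"], second["account"])
```

The window length is the tuning knob: the page says only "the same time interval", so the value has to be chosen for the monitored network.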
The invention also discloses a NAT detection system based on an instant messaging application.
The system comprises the following modules:
an acquisition module, which collects the traffic data of the terminal hosts in the network environment;
a matching module, which matches the collected traffic data against device-side QQ application features;
a parsing and log generation module, which, for traffic data that satisfies a matching rule, defines device-side QQ application trigger events and a QQ script parsing strategy and generates QQ log records;
a judgment module, which makes a judgment on the device-side QQ log records that exist for the same IP within the same time interval.
The device-side applications in the matching module are the PC QQ application and the mobile QQ application; because their ports and channels differ, they are matched according to different matching rules.
The ports and channels of the PC and mobile QQ applications were determined by experimental verification and analysis: the PC commonly communicates over udp/8000 with protocol identifier 0x02, and mobile devices commonly communicate over tcp/8080, tcp/80 and tcp/443 with protocol identifier 0x00.
Different data structures are defined for the PC and mobile QQ applications according to their differences: the PC side defines identifier, version number, operator, sequence number and QQ account; the mobile side defines identifier, version number, operator, sequence number, QQ number length and QQ account.
The system embodiment above corresponds one-to-one with the method embodiment; where the system embodiment is brief, refer to the method embodiment.
Parts not described in the specification are prior art or common knowledge. This embodiment serves only to illustrate the invention and not to limit its scope; modifications such as equivalent replacements made to the invention by those skilled in the art are considered to fall within the scope of protection of the claims.

Claims (8)

1. A NAT detection method based on an instant messaging application, characterized in that the steps of the method are as follows:
Step 1) collect the traffic data of the terminal hosts in the network environment;
Step 2) match the collected traffic data against device-side QQ application features;
Step 3) for traffic data that satisfies a matching rule, define device-side QQ application trigger events and a QQ script parsing strategy, and generate QQ log records;
Step 4) make a judgment on the device-side QQ log records that exist for the same IP within the same time interval.
2. The NAT detection method based on an instant messaging application according to claim 1, characterized in that the device-side QQ applications in step 2) are the PC QQ application and the mobile QQ application, which, because their ports and channels differ, are matched according to different matching rules.
3. The NAT detection method based on an instant messaging application according to claim 2, characterized in that the ports and channels of the PC and mobile QQ applications were determined by experimental verification and analysis: the PC commonly communicates over udp/8000 with protocol identifier 0x02, and mobile devices commonly communicate over tcp/8080, tcp/80 and tcp/443 with protocol identifier 0x00.
4. The NAT detection method based on an instant messaging application according to claim 3, characterized in that different data structures are defined for the PC and mobile QQ applications according to their differences: the PC side defines identifier, version number, operator, sequence number and QQ account; the mobile side defines identifier, version number, operator, sequence number, QQ number length and QQ account.
5. A NAT detection system based on an instant messaging application, characterized in that the system comprises the following modules:
an acquisition module, which collects the traffic data of the terminal hosts in the network environment;
a matching module, which matches the collected traffic data against device-side QQ application features;
a parsing and log generation module, which, for traffic data that satisfies a matching rule, defines device-side QQ application trigger events and a QQ script parsing strategy and generates QQ log records;
a judgment module, which makes a judgment on the device-side QQ log records that exist for the same IP within the same time interval.
6. The NAT detection system based on an instant messaging application according to claim 5, characterized in that the device-side QQ applications in the matching module are the PC QQ application and the mobile QQ application, which, because their ports and channels differ, are matched according to different matching rules.
7. The NAT detection method based on an instant messaging application according to claim 6, characterized in that the ports and channels of the PC and mobile QQ applications were determined by experimental verification and analysis: the PC commonly communicates over udp/8000 with protocol identifier 0x02, and mobile devices commonly communicate over tcp/8080, tcp/80 and tcp/443 with protocol identifier 0x00.
8. The NAT detection method based on an instant messaging application according to claim 7, characterized in that different data structures are defined for the PC and mobile QQ applications according to their differences: the PC side defines identifier, version number, operator, sequence number and QQ account; the mobile side defines identifier, version number, operator, sequence number, QQ number length and QQ account.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711184625.8A CN108092876A (en) 2017-11-23 2017-11-23 A kind of NAT detection methods and system based on instant messaging application


Publications (1)

Publication Number Publication Date
CN108092876A (en) 2018-05-29

Family

ID=62172225


Country Status (1)

Country Link
CN (1) CN108092876A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180529
