CN110336896A - A LAN device type identification method - Google Patents

A LAN device type identification method

Publication number: CN110336896A
Authority: CN (China)
Application number: CN201910646567.9A
Other languages: Chinese (zh)
Other versions: CN110336896B (en)
Inventors: 李鹏, 王金威
Current assignee: Shandong Zhongwang Yunan Intelligent Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Shandong Zhongwang Yunan Intelligent Technology Co Ltd
Legal status: Granted, active (the legal status is an assumption and is not a legal conclusion)
Prior art keywords: client computer, type, identification, network, identification feature
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Security & Cryptography
  • Data Exchanges In Wide-Area Networks
  • Small-Scale Networks

Abstract

The invention discloses a LAN device type identification method with the following steps: parse the content of the DHCP messages received from the client; use the parsed message information to identify the client's terminal device type; if the type cannot be identified, give the client an address that is usable for a short time and, at the same time, steer the client's gateway traffic; parse the client's network protocol stack and application traffic to determine the client's identification features; match the client's identification features against the type identification feature library to obtain the client's device type, while the DHCP server synchronizes the new lease information to the client and no longer steers the client's subsequent network traffic; update the client identification features in the type identification feature library. The invention reduces the impact that active probing can have on LAN bandwidth and the number of probe packets in the LAN, keeping intrusion on the network as low as possible.

Description

A LAN device type identification method
Technical field
The present invention relates to device type identification methods, and in particular to a LAN device type identification method.
Background
With the rapid proliferation of smart devices, mobile devices and terminal devices of every kind, the trend toward IT consumerization is increasingly evident. More and more people benefit from the convenience of mobile devices, smart devices and terminals in life and work, and more and more employees of enterprises and government bodies want to bring mobile and smart devices into their daily office work to simplify their workflows. BYOD (Bring Your Own Device), an important form of IT consumerization, brings convenience to the enterprise but also poses large threats and challenges to existing network security management.
In theory, the communication of all smart devices, mobile devices and terminals is designed according to network protocol specifications, so a device's communication characteristics should be independent of operating system, device type and manufacturer. In practice, these network standards are defined, read and understood from different angles, different device types have different service needs, and manufacturers want to make their own equipment easy to identify and control. As a result, smart devices, operating systems and mobile devices often carry distinctive identifying content on top of the network protocol standards. The industry calls these distinctive features device fingerprints. Common elements such as operating system, DHCP options, TTL, TCP window, application software and network card type can all serve as fingerprint elements for identifying device type.
Device type identification is divided by detection mode into active probing and passive identification. In active probing, the detection module actively sends a large number of specific probe packets to the target system and infers the host's operating system, service ports, protocol fingerprint or device type from the content of the packets the target host returns. When the LAN contains many hosts or devices, a large number of probe packets must be constructed, which has a considerable impact on LAN bandwidth, and network security devices often identify the probes as attack intent and block them.
Summary of the invention
The purpose of the present invention is to solve the above problems by providing a LAN device type identification method that can identify the type, operating system, application version number and so on of all mobile devices and terminal devices in the LAN, which facilitates subsequent IT asset management and access control of LAN devices.
To achieve this purpose, the present invention adopts the following technical solution:
A LAN device type identification method, with the following specific steps:
Parse the content of the DHCP messages received from the client;
Use the parsed message information to identify the client's terminal device type;
If the type cannot be identified, give the client an address that is usable for a short time and, at the same time, steer the client's network communication traffic;
Monitor all of the client's subsequent network traffic, and parse the client's network protocol stack and network communication traffic to determine the client's identification features;
Match the client's identification features against the type identification feature library to obtain the client's device type, and register the client's information; at the same time the DHCP server synchronizes the new lease information to the client and no longer steers the client's subsequent network communication traffic;
Update the client identification features in the type identification feature library.
Steering the client's gateway traffic specifically means: modifying the gateway information in the temporary lease that the DHCP server sends to the client, so that the client's subsequent network communication traffic is directed to a specified location, where the client's outbound network communication traffic is passively monitored.
Monitoring all of the client's subsequent network traffic specifically means: monitoring all of the client's normal outbound network communication traffic and determining the client's operating system type from the protocol stack's TTL value, DF flag bit, window size, TOS and fingerprint information; at the same time, monitoring the client's interactive traffic and identifying the client's application type and version information by parsing interaction and connection data messages.
The client's identification features include the client's network card MAC address, host name, operating system, protocol stack type, application type/version and so on.
Matching the client's device type against the type identification feature library specifically means: the identified network card MAC address, host name, operating system, protocol stack type and application type/version information of the client are matched against the type identification feature library to obtain the client's device type, and the client's information is registered; at the same time the DHCP server synchronizes the new lease information to the client and no longer steers the client's subsequent network communication traffic.
Updating the client identification features in the type identification feature library specifically means: the client's MAC, host name, operating system, protocol stack and application type identification features are added to the type identification feature library; identification features are combined according to their differing identification precision, and when several identification features match at the same time the client's device type is obtained according to priority order.
Beneficial effects of the present invention: unlike the traditional approach of identifying terminal types through active probing and active scanning, the present invention identifies device type and operating system in a passive, silent manner. This reduces the impact that active probing can have on LAN bandwidth and the number of probe packets in the LAN, keeping intrusion on the LAN as low as possible. Traditional active probing is easily misreported as attack traffic and blocked by network security devices, and can overload the target host, causing unnecessary loss.
The present invention identifies device type and operating system by protocol fingerprinting: it parses normal network communication messages and analyzes the protocol flags, options, data and other content in the packets together, which makes it more accurate.
The present invention uses the DHCP protocol to steer, audit and parse client traffic. Client address, gateway, DNS information and so on are steered through the DHCP protocol's own lease management, which does not affect the client's normal network access.
Brief description of the drawings
Fig. 1 is a flow chart of the method of the present invention.
Detailed description of the embodiments
The invention is further described below with reference to the drawing and the embodiments.
The present invention aims to provide a passive device type identification method to cope with the discovery, identification and management of the large numbers of devices of all types in the Internet of Things era. The method works by observing normal network communication in the LAN; the technologies it applies and the principles of its implementation are explained below:
DHCP protocol identification
DHCP (Dynamic Host Configuration Protocol) is commonly used in large LAN environments, mainly for the dynamic allocation, management and reclamation of IP addresses, so that networked smart devices, mobile devices and IT assets can dynamically obtain their IP address, gateway, DNS server, WINS server and other information. DHCP uses a client/server model in which the network host drives the dynamic allocation of its address. Only when the DHCP server receives an address request from a network host does it send the relevant address configuration information to that host, which is how the host's address information is set dynamically.
DHCP provides a framework for sending configuration information to devices on the local network. Configuration parameters and other control information are carried in tagged entries in the Option field of the DHCP message. DHCP also provides a large number of Option fields for passing information between client and server. The combination and content of the Options that different operating systems carry in their DHCP requests can be entirely different, and the Options can carry a large amount of client information. For example, the ordering of the parameters in Option 55 differs markedly between operating systems, and the ordering of this option's parameters can reliably distinguish hundreds of device types and operating system types; Option 43 describes the terminal's vendor information; Option 61 carries the client identifier; Option 12 carries the client host name. Technically, therefore, the DHCP Options and their content can be used to identify a device's type, operating system, host name, vendor and other information.
Common DHCP protocol option description:
Traffic steering
A gateway, also called a protocol converter, interconnects networks at the network layer, and gateway information is essential to a client's normal network communication. Under the DHCP protocol, the DHCP server provides the client with its IP address, gateway information, DNS server, WINS server and other information. The present invention uses a temporary lease to direct client traffic to a specified gateway address, which implements the traffic steering function.
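The DHCP option parsing and temporary-lease steering described in the two sections above, as an added example that is not part of the patent text. The fingerprint library entries, gateway addresses, lease times and sample packets are constructed assumptions.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field
BOOTP_FIXED_LEN = 236               # fixed BOOTP header that precedes the cookie

# Constructed type identification feature library: Option 55 parameter order
# -> device type. The orderings are illustrative, not measured fingerprints.
OPTION55_LIBRARY = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): "desktop workstation",
    (1, 121, 3, 6, 15, 119, 252): "laptop",
}

# Assumed addresses and lease times for this example.
REAL_GATEWAY, MONITOR_GATEWAY = "192.168.1.1", "192.168.1.250"
NORMAL_LEASE_S, SHORT_LEASE_S = 86400, 120


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option code: raw value bytes} from a BOOTP/DHCP message."""
    start = BOOTP_FIXED_LEN + len(MAGIC_COOKIE)
    if len(packet) < start or packet[BOOTP_FIXED_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or missing magic cookie)")
    options, i = {}, start
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad option: a single byte with no length
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("option %d has no length byte" % code)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns the packet" % code)
        # An option split across several entries is concatenated (RFC 3396).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def extract_features(packet: bytes) -> dict:
    """Pull the identification features the page lists out of one request."""
    opts = parse_dhcp_options(packet)
    hlen = min(packet[2], 16)                      # hardware address length
    return {
        "mac": packet[28:28 + hlen].hex(":"),      # chaddr field
        "hostname": opts.get(12, b"").decode("ascii", "replace") or None,
        "vendor_info": opts.get(43),               # Option 43, kept raw
        "client_id": opts.get(61, b"").hex() or None,
        "param_list": tuple(opts.get(55, b"")),    # the order is the fingerprint
    }


def decide_lease(packet: bytes) -> dict:
    """Normal lease if the type is known, else a short lease via the monitor."""
    features = extract_features(packet)
    device_type = OPTION55_LIBRARY.get(features["param_list"])
    known = device_type is not None
    return {
        "device_type": device_type,
        "gateway": REAL_GATEWAY if known else MONITOR_GATEWAY,
        "lease_seconds": NORMAL_LEASE_S if known else SHORT_LEASE_S,
        "features": features,
    }


def build_sample_discover(mac: bytes, hostname: str, params: tuple) -> bytes:
    """Construct a DHCPDISCOVER for the demo (sample data, not a capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(mac), 0,
                         0x1234ABCD, 0, 0, bytes(4), bytes(4), bytes(4),
                         bytes(4), mac, b"", b"")
    name = hostname.encode("ascii")
    options = (b"\x35\x01\x01"                         # message type: DISCOVER
               + bytes([61, 1 + len(mac), 1]) + mac    # client identifier
               + bytes([12, len(name)]) + name         # host name
               + bytes([55, len(params)]) + bytes(params)
               + b"\xff")
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    known = build_sample_discover(bytes.fromhex("020000aabb01"), "office-pc",
                                  (1, 121, 3, 6, 15, 119, 252))
    unknown = build_sample_discover(bytes.fromhex("020000aabb02"), "sensor-7",
                                    (1, 3, 6, 42))
    for pkt in (known, unknown):
        d = decide_lease(pkt)
        print(d["features"]["mac"], d["device_type"], d["gateway"],
              d["lease_seconds"])
```

A client whose Option 55 ordering is not in the library gets the short lease with the monitoring gateway, which is the point at which the passive stack analysis of the next section takes over.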
Protocol fingerprint identification
The present invention uses passive protocol stack fingerprinting. It does not actively send packets to the target client; instead, traffic steering lets it passively monitor the client's outbound network communication. It then determines the client's operating system type from operating-system-specific attributes of the protocol stack such as the TTL value, window size, DF flag bit and TOS. At the same time it can monitor the client's interactive traffic and, by parsing interaction and connection data messages, identify the type, version information and other details of the applications the client starts.
TTL: the time to live that the operating system sets on outbound packets; for example Linux TTL=64, OSX TTL=255, Windows XP and later TTL=128, etc.
Window size: the window size in the TCP protocol, as included in the FIN packet; for example AIX window size 45046, FreeBSD window size 65535, Vista window size 8192, Windows XP window size 65520, etc.
DF: the packet fragmentation flag bit;
TOS: type of service.
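A passive reading of these four attributes from one captured IPv4/TCP packet, as an added example that is not part of the patent text. The reference values are the ones quoted above; rounding the observed TTL up to the nearest starting value (to allow for router hops) is an assumption of this sketch, and the sample packets are constructed with checksums left at zero.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Reference values quoted on the page.
TTL_HINTS = {64: "Linux", 128: "Windows XP and later", 255: "OSX"}
WINDOW_HINTS = {45046: "AIX", 65535: "FreeBSD", 8192: "Vista",
                65520: "Windows XP"}


@dataclass
class StackFingerprint:
    ttl: int                 # TTL as observed at the monitoring point
    initial_ttl: int         # estimated TTL the sender started with
    df: bool                 # Don't Fragment flag
    tos: int                 # type-of-service byte
    window: int              # TCP window size
    ttl_hint: Optional[str]
    window_hint: Optional[str]


def estimate_initial_ttl(observed: int) -> int:
    """Round up to the nearest known starting TTL (each hop subtracts 1)."""
    for start in sorted(TTL_HINTS):
        if observed <= start:
            return start
    return 255


def fingerprint_ipv4_tcp(packet: bytes) -> StackFingerprint:
    """Extract TTL, DF, TOS and TCP window from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("shorter than an IPv4 header")
    ver_ihl, tos, _total, _ident, flags_frag, ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4           # IP header length, options included
    if proto != 6:
        raise ValueError("not TCP")
    if flags_frag & 0x1FFF:
        raise ValueError("non-first fragment carries no TCP header")
    if ihl < 20 or len(packet) < ihl + 20:
        raise ValueError("truncated IP or TCP header")
    (window,) = struct.unpack("!H", packet[ihl + 14:ihl + 16])
    initial = estimate_initial_ttl(ttl)
    return StackFingerprint(ttl=ttl, initial_ttl=initial,
                            df=bool(flags_frag & 0x4000), tos=tos,
                            window=window, ttl_hint=TTL_HINTS.get(initial),
                            window_hint=WINDOW_HINTS.get(window))


def build_sample_packet(ttl: int, window: int, df: bool = True, tos: int = 0,
                        ip_options: bytes = b"") -> bytes:
    """Construct an IPv4/TCP packet for the demo (sample data, not a capture)."""
    ihl_words = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, tos,
                     ihl_words * 4 + 20, 0x1C46, 0x4000 if df else 0, ttl, 6,
                     0, bytes([192, 168, 1, 23]), bytes([203, 0, 113, 10]))
    tcp = struct.pack("!HHIIHHHH", 49152, 443, 1000, 0, (5 << 12) | 0x002,
                      window, 0, 0)
    return ip + ip_options + tcp


if __name__ == "__main__":
    for pkt in (build_sample_packet(ttl=121, window=8192),
                build_sample_packet(ttl=57, window=29200, df=False)):
        print(fingerprint_ipv4_tcp(pkt))
```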
As shown in Fig. 1, a LAN device type identification method has the following specific steps:
Parse the content of the DHCP messages received from the client;
Use the parsed message information to identify the client's terminal device type;
If the type cannot be identified, give the client an address that is usable for a short time and, at the same time, steer the client's gateway traffic;
Monitor all of the client's subsequent network traffic, and parse the client's network protocol stack and application traffic to determine the client's identification features;
Match the client's identification features against the type identification feature library to obtain the client's device type, and register the client's information; at the same time the DHCP server synchronizes the new lease information to the client and no longer steers the client's subsequent network traffic;
Update the client identification features in the type identification feature library.
Steering the client's network communication traffic specifically means: modifying the gateway information in the temporary lease that the DHCP server sends to the client, so that the client's subsequent network communication traffic is directed to a specified location, where the client's outbound network communication is passively monitored.
Monitoring all of the client's subsequent network communication traffic specifically means: monitoring all of the client's normal outbound network communication traffic and determining the client's operating system type from the protocol stack's TTL value, DF flag bit, window size, TOS and fingerprint information; at the same time, monitoring the client's interactive traffic and identifying the client's application type and version information by parsing interaction and connection data messages.
The client's identification features include the client's network card MAC address, host name, operating system, protocol stack type, application type/version and so on.
Matching the client's device type against the type identification feature library in the DHCP server specifically means: the identified network card MAC address, host name, operating system, protocol stack type and application type/version information of the client are matched against the type identification feature library to obtain the client's device type, and the client's information is registered; at the same time the DHCP server synchronizes the new lease information to the client and no longer steers the client's subsequent network communication traffic.
Updating the client identification features in the type identification feature library specifically means: the client's MAC, host name, operating system, protocol stack and application type identification features are added to the type identification feature library; identification features are combined according to their differing identification precision, and when several identification features match at the same time the client's device type is obtained according to priority order.
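The matching and update steps of the feature library, as an added example that is not part of the patent text. The patent does not say how priority is assigned; this sketch assumes a rule that combines more features is more precise and therefore wins, compares MAC addresses by their three-byte vendor prefix, and uses constructed rules and client records.

```python
from dataclasses import dataclass
from typing import Optional

FEATURES = ("mac_oui", "hostname", "os", "stack", "app")


def normalize(client: dict) -> dict:
    """Reduce a client record to comparable, lower-cased feature values."""
    out = {}
    mac = client.get("mac")
    if mac:
        # Assumption: compare only the vendor prefix (first three bytes).
        out["mac_oui"] = mac.lower().replace("-", ":")[:8]
    for key in ("hostname", "os", "stack", "app"):
        if client.get(key):
            out[key] = str(client[key]).lower()
    return out


@dataclass(frozen=True)
class Rule:
    device_type: str
    conditions: tuple   # sorted ((feature, value), ...) that must all match

    @property
    def priority(self) -> int:
        # Assumption: more combined features means higher precision.
        return len(self.conditions)


class FeatureLibrary:
    def __init__(self):
        self.rules = {}   # conditions -> Rule; same conditions overwrite

    def add(self, device_type: str, **conditions) -> Rule:
        unknown = set(conditions) - set(FEATURES)
        if unknown or not conditions:
            raise ValueError("bad conditions: %r" % sorted(unknown))
        key = tuple(sorted((k, str(v).lower()) for k, v in conditions.items()))
        rule = Rule(device_type, key)
        self.rules[key] = rule
        return rule

    def match(self, client: dict) -> Optional[str]:
        """Return the device type of the highest-priority matching rule."""
        feats = normalize(client)
        hits = [r for r in self.rules.values()
                if all(feats.get(k) == v for k, v in r.conditions)]
        if not hits:
            return None
        # On equal priority the rule added first wins (max keeps the first).
        return max(hits, key=lambda r: r.priority).device_type

    def learn(self, client: dict, device_type: str) -> Rule:
        """Update step: store the client's combined features as a new rule."""
        return self.add(device_type, **normalize(client))


if __name__ == "__main__":
    lib = FeatureLibrary()
    lib.add("generic vendor device", mac_oui="02:00:00")
    lib.add("IP camera", mac_oui="02:00:00", os="linux", app="rtsp-server/1.2")
    cam = {"mac": "02-00-00-AA-BB-03", "hostname": "cam-lobby", "os": "Linux",
           "stack": "ttl64", "app": "rtsp-server/1.2"}   # constructed record
    print(lib.match(cam))   # both rules match; the three-feature rule wins
```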
Although specific embodiments of the present invention have been described above with reference to the drawing, they do not limit the scope of protection of the invention. Those skilled in the art should understand that modifications or variations that can be made on the basis of the technical solution of the present invention without creative effort remain within the scope of protection of the invention.

Claims (6)

1. A LAN device type identification method, characterized in that the specific steps are:
Parse the content of the DHCP messages received from the client;
Use the parsed message information to identify the client's terminal device type;
If the type cannot be identified, give the client an address that is usable for a short time and, at the same time, steer the client's network communication traffic;
Monitor all of the client's subsequent network communication traffic, and parse the client's network protocol stack and application traffic to determine the client's identification features;
Match the client's identification features against the type identification feature library to obtain the client's device type, and register the client's information; at the same time the DHCP server synchronizes the new lease information to the client and no longer steers the client's subsequent network communication traffic;
Update the client identification features in the type identification feature library.
2. The LAN device type identification method of claim 1, characterized in that steering the client's network communication traffic specifically means: modifying the gateway information in the temporary lease that the DHCP server sends to the client, so that the client's subsequent access traffic is directed to a specified location, where the client's outbound network communication traffic is passively monitored.
3. The LAN device type identification method of claim 1, characterized in that monitoring all of the client's subsequent network communication traffic specifically means: monitoring all of the client's normal outbound network communication traffic and determining the client's operating system type from the protocol stack's TTL value, DF flag bit, window size, TOS and fingerprint information; at the same time, monitoring the client's interactive traffic and identifying the client's application type and version information by parsing interaction and connection data messages.
4. The LAN device type identification method of claim 1, characterized in that the client's identification features include the client's network card MAC address, host name, operating system, protocol stack type and application type/version.
5. The LAN device type identification method of claim 1, characterized in that matching the client's device type against the type identification feature library in the DHCP server specifically means: the identified network card MAC address, host name, operating system, protocol stack type and application type/version information of the client are matched against the type identification feature library to obtain the client's device type, and the client's information is registered; at the same time the DHCP server synchronizes the new lease information to the client and no longer steers the client's subsequent network communication traffic.
6. The LAN device type identification method of claim 1, characterized in that updating the client identification features in the type identification feature library specifically means: the client's MAC, host name, operating system, protocol stack and application type identification features are added to the type identification feature library; identification features are combined according to their differing identification precision, and when several identification features match at the same time the client's device type is obtained according to priority order.
CN201910646567.9A 2019-07-17 2019-07-17 Local area network equipment type identification method Active CN110336896B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910646567.9A CN110336896B (en) 2019-07-17 2019-07-17 Local area network equipment type identification method

Publications (2)

Publication Number Publication Date
CN110336896A (en) 2019-10-15
CN110336896B (en) 2022-04-01

Family

ID=68145769

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910646567.9A Active CN110336896B (en) 2019-07-17 2019-07-17 Local area network equipment type identification method

Country Status (1)

Country Link
CN (1) CN110336896B (en)

Also Published As

Publication number Publication date
CN110336896B (en) 2022-04-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A Method of Device Type Identification in LAN

Effective date of registration: 20220929

Granted publication date: 20220401

Pledgee: Bank of Beijing Co.,Ltd. Jinan Branch

Pledgor: Shandong Zhongwang Yunan Intelligent Technology Co.,Ltd.

Registration number: Y2022370000123