CN111565200B - NAT (network Address translation) association detection method based on multi-path message detection analysis - Google Patents
- Publication number: CN111565200B (application CN202010674639.3A)
- Authority: CN (China)
- Prior art keywords: message, flow, flows, nat, timestamp
- Legal status: Active (Google's note: the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2455—Query execution
- G06F16/24568—Data stream processing; Continuous queries

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/163—In-band adaptation of TCP data exchange; In-band control procedures

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/164—Adaptation or special uses of UDP protocol
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Computational Linguistics (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a NAT (network address translation) association detection method based on multi-path packet inspection and analysis. It finds NAT-associated flows by analysing, over a large number of packets, the protocol fields of every layer, the payload data, and statistics such as timestamps and accumulated byte counts. The forwarding path of an associated flow, that is, the network devices the packets pass through, can also be determined by analysing the source and destination MAC addresses of the associated flows. The invention can quickly extract many pairs of NAT-associated flows from a large number of packets, helping operations and maintenance staff understand how the network is running and locate problems when faults occur.
Description
Technical Field
The invention relates to the field of computing, and in particular to a NAT (network address translation) association detection method based on multi-path packet inspection and analysis.
Background
NAT (Network Address Translation) translates internal private IP addresses into public IP addresses; its main purpose is to let addresses be reused as IPv4 addresses become increasingly scarce. NAT solves the address shortage well and hides and protects the hosts inside the network, but it also makes the network more complex and makes it harder to locate the source of a problem when a network service fails.
Because NAT rewrites IP addresses and transport-layer ports, a flow sent by a terminal device (for example a server or a personal computer) becomes a different flow after passing through the NAT device. Apart from the payload, which is identical, the fields of every protocol layer up to and including the transport layer may differ between the old and new flows, so packet analysis software such as Wireshark treats them as two unrelated flows.
Disclosure of Invention
Aiming at the defects of the prior art, the NAT association detection method based on multi-path packet inspection and analysis provided by the invention solves the problem that NAT-associated flows cannot be found quickly.
To achieve this purpose, the invention adopts the following technical scheme:
a NAT association detection method based on multi-path packet inspection and analysis is provided, comprising the following steps:
S1, parsing a network capture file in pcap format and, for each packet, obtaining the source MAC address, destination MAC address, Ethernet type, five-tuple, TTL, TCP sequence number, TCP acknowledgement number, TCP flags, payload length and capture timestamp; setting the packet ID of the packet from its capture timestamp;
S2, for each TCP or UDP packet, looking up the flow it belongs to in the in-memory flow table by its five-tuple; if the flow is found, going to step S4, otherwise going to step S3;
S3, adding the packet's five-tuple to the in-memory flow table as a new flow, initialising the flow's total bytes sent and received from the packet length, setting the flow ID and the flow start timestamp from the packet's capture time, setting the packet's send order and receive order within the flow, and going to step S5;
S4, adding the packet length to the flow's total bytes sent or received, and setting the packet's send order and receive order within the flow;
S5, storing the fields parsed from each TCP and UDP packet together with its flow ID and capture timestamp in a database, one record per packet (a packet record); and adding each flow of the in-memory flow table to the database, one record per flow;
S6, sorting all flows in the database by ascending flow ID and checking whether the start timestamps of every two adjacent flows differ by no more than a first time-difference threshold; if so, going to step S7, otherwise judging that the two flows are not NAT-associated;
S7, checking whether the two flows use the same layer-4 protocol; if so, combining them as a candidate associated pair and going to step S8, otherwise judging that the two flows are not NAT-associated;
S8, fetching from the database the non-retransmitted packet records whose send order and receive order within their flow are below an order threshold, and sorting them in ascending order by flow ID and then by packet ID;
S9, for the packet records obtained in step S8, comparing the flow ID of each record with the flow IDs of the candidate pair, and taking out the two groups of packets whose flow IDs equal the flow IDs of the pair;
S10, comparing the payload lengths and payload fingerprint values of the two groups of packets taken out in step S9; if they are the same, going to step S11, otherwise judging that the two flows are not NAT-associated;
S11, checking whether the capture timestamps of the two groups of packets taken out in step S9 differ by no more than a second time-difference threshold; if so, judging that the two flows are NAT-associated, otherwise judging that they are not.
Further, step S11 is followed by step S12:
comparing the IP addresses and TCP/UDP ports of the two groups of packets; if the source IP address and source port are the same, judging the pair to be a DNAT association, and if the destination IP address and destination port are the same, judging it to be an SNAT association.
Further, the specific method of setting the packet ID from the capture timestamp in step S1 is as follows:
the whole seconds of the packet's capture timestamp (POSIX time) are multiplied by 1000000000 and the packet's sequence number is added; the result is the packet ID, a 64-bit unsigned integer. The packet sequence number counts up from 1.
Further, the specific method of setting the flow ID and flow start timestamp from the packet's capture time in step S3 is as follows:
the whole seconds of the packet's capture timestamp (POSIX time) are multiplied by 1000000000 and the flow's sequence number is added; the result is the flow ID, a 64-bit unsigned integer. The flow sequence number counts up from 1.
Further, the first time-difference threshold in step S6 is 10 ms.
Further, the order threshold in step S8 is 5.
Further, in step S10 the payload fingerprint value is the MD5 hash of the first 80 bytes of the payload.
Further, the second time-difference threshold in step S11 is 10 ms.
The invention has the following beneficial effects: it finds NAT-associated flows by analysing, over a large number of packets, the protocol fields of every layer, the payload data, and statistics such as timestamps and accumulated byte counts. The forwarding path of an associated flow, that is, the network devices the packets pass through, can be determined from the source and destination MAC addresses of the associated flows, so operations and maintenance staff can see the network's operating state more directly and troubleshoot network faults.
Detailed Description
The following description of embodiments is provided to help those skilled in the art understand the invention. It should be understood that the invention is not limited to the scope of these embodiments, that various changes apparent to those skilled in the art may be made without departing from the spirit and scope of the invention as defined in the appended claims, and that everything produced using the inventive concept is protected.
The NAT association detection method based on multi-path packet inspection and analysis comprises the following steps:
S1, parsing a network capture file in pcap format and obtaining the layer-2 to layer-4 protocol fields of each packet, including the source MAC address, destination MAC address, Ethernet type, five-tuple, TTL, TCP sequence number, TCP acknowledgement number, TCP flags, payload length and capture timestamp; setting the packet ID of the packet from its capture timestamp;
S2, for each TCP or UDP packet, looking up the flow it belongs to in the in-memory flow table by its five-tuple; if the flow is found, going to step S4, otherwise going to step S3;
S3, adding the packet's five-tuple to the in-memory flow table as a new flow, initialising the flow's total bytes sent and received from the packet length, setting the flow ID and the flow start timestamp from the packet's capture time, setting the packet's send order and receive order within the flow, and going to step S5;
S4, adding the packet length to the flow's total bytes sent or received, and setting the packet's send order and receive order within the flow;
S5, storing the fields parsed from each TCP and UDP packet together with its flow ID and capture timestamp in a database, one record per packet (a packet record); and adding each flow of the in-memory flow table to the database, one record per flow;
S6, sorting all flows in the database by ascending flow ID and checking whether the start timestamps of every two adjacent flows differ by no more than a first time-difference threshold; if so, going to step S7, otherwise judging that the two flows are not NAT-associated;
S7, checking whether the two flows use the same layer-4 protocol; if so, combining them as a candidate associated pair and going to step S8, otherwise judging that the two flows are not NAT-associated;
S8, fetching from the database the non-retransmitted packet records whose send order and receive order within their flow are below an order threshold, and sorting them in ascending order by flow ID and then by packet ID;
S9, for the packet records obtained in step S8, comparing the flow ID of each record with the flow IDs of the candidate pair, and taking out the two groups of packets whose flow IDs equal the flow IDs of the pair;
S10, comparing the payload lengths and payload fingerprint values of the two groups of packets taken out in step S9; if they are the same, going to step S11, otherwise judging that the two flows are not NAT-associated;
S11, checking whether the capture timestamps of the two groups of packets taken out in step S9 differ by no more than a second time-difference threshold; if so, judging that the two flows are NAT-associated, otherwise judging that they are not;
S12, comparing the IP addresses and TCP/UDP ports of the two groups of packets; if the source IP address and source port are the same, judging the pair to be a DNAT association, and if the destination IP address and destination port are the same, judging it to be an SNAT association.
The specific method of setting the packet ID from the capture timestamp in step S1 is as follows: the whole seconds of the packet's capture timestamp (POSIX time) are multiplied by 1000000000 and the packet's sequence number is added; the result is the packet ID, a 64-bit unsigned integer. The packet sequence number counts up from 1.
The specific method of setting the flow ID and flow start timestamp from the packet's capture time in step S3 is as follows: the whole seconds of the packet's capture timestamp (POSIX time) are multiplied by 1000000000 and the flow's sequence number is added; the result is the flow ID, a 64-bit unsigned integer. The flow sequence number counts up from 1.
In one embodiment of the invention, the first time-difference threshold in step S6 is 10 ms, the order threshold in step S8 is 5, the payload fingerprint value in step S10 is the MD5 hash of the first 80 bytes of the payload, and the second time-difference threshold in step S11 is 10 ms. In use, the location of each capture point is determined from the source MAC addresses of the two groups of packets, from which the forwarding path of the flow can be determined.
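As an added worked example (not code from the patent or its applicant), the following Python runs steps S2 to S12 in memory over hand-constructed packet records, using the embodiment's thresholds (10 ms, order threshold 5, MD5 of the first 80 payload bytes). Step S1, the pcap parsing, is assumed to have been done by a capture library; the Packet fields mirror what S1 extracts, and the MAC addresses, IP addresses, ports and TLS-like payload bytes are all constructed for the example. The flow table is keyed by protocol and the unordered endpoint pair so that both directions of a connection land in one flow, which is how the send order and receive order of S3/S4 are tracked here.

```python
"""Added example, not code from the patent: steps S2 to S12 of CN111565200B run in memory
over hand-constructed packet records.  S1 (pcap parsing) is assumed to be done already."""
import hashlib
from dataclasses import dataclass, field, replace
from itertools import count

FIRST_TIME_DIFF = 0.010   # S6: start timestamps of adjacent flows within 10 ms
SECOND_TIME_DIFF = 0.010  # S11: matched packets captured within 10 ms of each other
ORDER_THRESHOLD = 5       # S8: compare only packets whose per-direction order is below 5
FINGERPRINT_BYTES = 80    # S10: MD5 over the first 80 payload bytes


@dataclass(frozen=True)
class Packet:
    ts: float           # capture timestamp, POSIX seconds with fraction
    src_mac: str
    dst_mac: str
    proto: str          # "tcp" or "udp", the L4 protocol compared in S7
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes
    retransmit: bool = False
    pkt_id: int = 0     # S1 packet ID, assigned by build_flows
    flow_id: int = 0    # S3 flow ID, assigned by build_flows
    order: int = 0      # S3/S4 position among packets sent by the same endpoint


@dataclass
class Flow:
    flow_id: int
    proto: str
    start_ts: float
    packets: list = field(default_factory=list)
    total_bytes: int = 0


def make_id(ts, seq):
    """S1/S3 ID rule: whole seconds of the capture timestamp * 1e9 plus a counter starting at 1.
    Fits in 64 bits; the counter must stay below 1e9 or IDs of adjacent seconds collide."""
    return int(ts) * 1_000_000_000 + seq


def build_flows(packets):
    """S2 to S5: group packets into bidirectional flows keyed by protocol and endpoint pair."""
    flows, pkt_seq, flow_seq = {}, count(1), count(1)
    for p in sorted(packets, key=lambda q: q.ts):
        a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
        key = (p.proto,) + tuple(sorted((a, b)))
        fl = flows.get(key)
        if fl is None:                                   # S3: first packet opens the flow
            fl = flows[key] = Flow(make_id(p.ts, next(flow_seq)), p.proto, p.ts)
        order = sum(1 for q in fl.packets if (q.src_ip, q.src_port) == a)
        fl.total_bytes += len(p.payload)                 # S4: accumulate bytes
        fl.packets.append(replace(p, pkt_id=make_id(p.ts, next(pkt_seq)),
                                  flow_id=fl.flow_id, order=order))
    return sorted(flows.values(), key=lambda f: f.flow_id)   # S6: ascending flow ID


def head(flow):
    """S8: non-retransmitted packets below the order threshold, in packet-ID order."""
    return sorted((p for p in flow.packets if not p.retransmit and p.order < ORDER_THRESHOLD),
                  key=lambda p: p.pkt_id)


def fingerprint(p):
    """S10: payload length plus MD5 of the first 80 payload bytes (a correlation key only)."""
    return len(p.payload), hashlib.md5(p.payload[:FINGERPRINT_BYTES]).hexdigest()


def classify(x, y):
    """S12: same source endpoint means DNAT, same destination endpoint means SNAT."""
    if (x.src_ip, x.src_port) == (y.src_ip, y.src_port):
        return "DNAT"
    if (x.dst_ip, x.dst_port) == (y.dst_ip, y.dst_port):
        return "SNAT"
    return "both"   # both endpoints rewritten; the patent gives this case no label


def find_nat_pairs(flows):
    """S6 to S12 over adjacent flows; returns (flow_id_a, flow_id_b, kind) per match."""
    results = []
    for fa, fb in zip(flows, flows[1:]):
        if abs(fa.start_ts - fb.start_ts) > FIRST_TIME_DIFF or fa.proto != fb.proto:  # S6, S7
            continue
        pa, pb = head(fa), head(fb)                                              # S8, S9
        if pa and len(pa) == len(pb) and all(                                    # S10, S11
                fingerprint(x) == fingerprint(y) and abs(x.ts - y.ts) <= SECOND_TIME_DIFF
                for x, y in zip(pa, pb)):
            results.append((fa.flow_id, fb.flow_id, classify(pa[0], pb[0])))
    return results


# Constructed sample (not real traffic): one TCP exchange to 203.0.113.10:443 captured inside
# the NAT (10.0.0.5) and again outside it (198.51.100.1) 200 us later, plus two unrelated flows.
T = 1594700000.0
SERVER = ("203.0.113.10", 443)

def exchange(client, client_mac, gw_mac, t0):
    up = dict(src_mac=client_mac, dst_mac=gw_mac, proto="tcp", src_ip=client[0],
              src_port=client[1], dst_ip=SERVER[0], dst_port=SERVER[1])
    down = dict(src_mac=gw_mac, dst_mac=client_mac, proto="tcp", src_ip=SERVER[0],
                src_port=SERVER[1], dst_ip=client[0], dst_port=client[1])
    hello = b"\x16\x03\x01" + b"\x00" * 40
    return [Packet(ts=t0, payload=b"", **up),                                    # SYN, no payload
            Packet(ts=t0 + 0.0010, payload=b"", **down),                         # SYN-ACK
            Packet(ts=t0 + 0.0011, payload=b"", **up),                           # ACK
            Packet(ts=t0 + 0.0012, payload=hello, **up),                         # ClientHello-like
            Packet(ts=t0 + 0.0020, payload=b"\x16\x03\x03" + b"\x01" * 40, **down),  # reply
            Packet(ts=t0 + 0.0030, payload=hello, retransmit=True, **up)]        # excluded by S8

SAMPLE = (exchange(("10.0.0.5", 40000), "aa:00:00:00:00:01", "aa:00:00:00:00:02", T + 0.0001)
          + exchange(("198.51.100.1", 55001), "bb:00:00:00:00:01", "bb:00:00:00:00:02", T + 0.0003)
          + [Packet(ts=T + 0.0050, src_mac="aa:00:00:00:00:01", dst_mac="aa:00:00:00:00:02",
                    proto="udp", src_ip="10.0.0.5", src_port=53001, dst_ip="10.0.0.1",
                    dst_port=53, payload=b"\x12\x34" + b"\x01" * 30)]            # unrelated DNS
          + exchange(("10.0.0.7", 40100), "aa:00:00:00:00:03", "aa:00:00:00:00:02", T + 0.0500))


def detect(packets=SAMPLE):
    return find_nat_pairs(build_flows(packets))

if __name__ == "__main__":
    for a, b, kind in detect():
        print(f"flow {a} <-> flow {b}: {kind}")
```

Running the block reports one SNAT pair between the inside and outside views of the same connection; the DNS flow fails S7 (different layer-4 protocol) and the later TCP flow fails S6 (start timestamps 45 ms apart). Two caveats follow from the steps themselves rather than from this code: packets with no payload all share the empty-payload fingerprint, so the five-packet window of S8 must contain data packets for S10 to tell apart connections that start within 10 ms of each other; and S6 tests only adjacent flows in flow-ID order, so an unrelated flow whose first packet lands between the two captures of one translated connection hides that pair. MD5 here is a correlation key over traffic the analyst already holds, not a security control, which is why its collision weakness does not matter for this use.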
In summary, the invention can quickly extract many pairs of NAT-associated flows from a large number of packets, helping operations and maintenance staff understand the network's operating state and locate problems when a fault occurs.
Claims (8)
1. A NAT (network address translation) association detection method based on multi-path packet inspection and analysis, characterised by comprising the following steps:
S1, parsing a network capture file in pcap format and, for each packet, obtaining the source MAC address, destination MAC address, Ethernet type, five-tuple, TTL, TCP sequence number, TCP acknowledgement number, TCP flags, payload length and capture timestamp; setting the packet ID of the packet from its capture timestamp;
S2, for each TCP or UDP packet, looking up the flow it belongs to in the in-memory flow table by its five-tuple; if the flow is found, going to step S4, otherwise going to step S3;
S3, adding the packet's five-tuple to the in-memory flow table as a new flow, initialising the flow's total bytes sent and received from the packet length, setting the flow ID and the flow start timestamp from the packet's capture time, setting the packet's send order and receive order within the flow, and going to step S5;
S4, adding the packet length to the flow's total bytes sent or received, and setting the packet's send order and receive order within the flow;
S5, storing the fields parsed from each TCP and UDP packet together with its flow ID and capture timestamp in a database, one record per packet (a packet record); and adding each flow of the in-memory flow table to the database, one record per flow;
S6, sorting all flows in the database by ascending flow ID and checking whether the start timestamps of every two adjacent flows differ by no more than a first time-difference threshold; if so, going to step S7, otherwise judging that the two flows are not NAT-associated;
S7, checking whether the two flows use the same layer-4 protocol; if so, combining them as a candidate associated pair and going to step S8, otherwise judging that the two flows are not NAT-associated;
S8, fetching from the database the non-retransmitted packet records whose send order and receive order within their flow are below an order threshold, and sorting them in ascending order by flow ID and then by packet ID;
S9, for the packet records obtained in step S8, comparing the flow ID of each record with the flow IDs of the candidate pair, and taking out the two groups of packets whose flow IDs equal the flow IDs of the pair;
S10, comparing the payload lengths and payload fingerprint values of the two groups of packets taken out in step S9; if they are the same, going to step S11, otherwise judging that the two flows are not NAT-associated;
S11, checking whether the capture timestamps of the two groups of packets taken out in step S9 differ by no more than a second time-difference threshold; if so, judging that the two flows are NAT-associated, otherwise judging that they are not.
2. The NAT association detection method based on multi-path packet inspection and analysis according to claim 1, wherein step S11 is followed by step S12:
comparing the IP addresses and TCP/UDP ports of the two groups of packets; if the source IP address and source port are the same, judging the pair to be a DNAT association, and if the destination IP address and destination port are the same, judging it to be an SNAT association.
3. The NAT association detection method based on multi-path packet inspection and analysis according to claim 1, wherein the specific method of setting the packet ID from the capture timestamp in step S1 is as follows:
the whole seconds of the packet's capture timestamp (POSIX time) are multiplied by 1000000000 and the packet's sequence number is added; the result is the packet ID, a 64-bit unsigned integer. The packet sequence number counts up from 1.
4. The NAT association detection method based on multi-path packet inspection and analysis according to claim 1, wherein the specific method of setting the flow ID and flow start timestamp from the packet's capture time in step S3 is as follows:
the whole seconds of the packet's capture timestamp (POSIX time) are multiplied by 1000000000 and the flow's sequence number is added; the result is the flow ID, a 64-bit unsigned integer. The flow sequence number counts up from 1.
5. The NAT association detection method based on multi-path packet inspection and analysis according to claim 1, wherein the first time-difference threshold in step S6 is 10 ms.
6. The NAT association detection method based on multi-path packet inspection and analysis according to claim 1, wherein the order threshold in step S8 is 5.
7. The NAT association detection method based on multi-path packet inspection and analysis according to claim 1, wherein the payload fingerprint value in step S10 is the MD5 hash of the first 80 bytes of the payload.
8. The NAT association detection method based on multi-path packet inspection and analysis according to claim 1, wherein the second time-difference threshold in step S11 is 10 ms.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010674639.3A CN111565200B (en) | 2020-07-14 | 2020-07-14 | NAT (network Address translation) association detection method based on multi-path message detection analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111565200A CN111565200A (en) | 2020-08-21 |
CN111565200B true CN111565200B (en) | 2020-10-09 |
Family
ID=72073983
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010674639.3A Active CN111565200B (en) | 2020-07-14 | 2020-07-14 | NAT (network Address translation) association detection method based on multi-path message detection analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111565200B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112787883B (en) * | 2020-12-26 | 2022-07-12 | 中国农业银行股份有限公司 | Method, device and equipment for detecting NAT (network Address translation) fault of equipment |
CN112822204A (en) * | 2021-01-28 | 2021-05-18 | 深信服科技股份有限公司 | NAT detection method, device, equipment and medium |
CN113438125B (en) * | 2021-06-08 | 2023-02-28 | 迈普通信技术股份有限公司 | Test method and system |
CN114389792B (en) * | 2022-03-22 | 2022-06-10 | 合肥全息网御科技有限公司 | WEB log NAT (network Address translation) front-back association method and system |
CN115086183B (en) * | 2022-07-05 | 2024-02-06 | 武汉思普崚技术有限公司 | Message association method and device of application layer gateway |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101594263A (en) * | 2009-01-09 | 2009-12-02 | 成都四方信息技术有限公司 | System to monitoring network communication data packets |
CN105610999A (en) * | 2016-03-30 | 2016-05-25 | 上海斐讯数据通信技术有限公司 | Method, device, server and system for implementing P2P communication by penetrating NAT (network address translator) |
CN110572325A (en) * | 2019-09-06 | 2019-12-13 | 成都深思科技有限公司 | NAT router flow identification method |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8254286B2 (en) * | 2006-07-24 | 2012-08-28 | Forescout Technologies Inc. | Method and system for detection of NAT devices in a network |
US8219675B2 (en) * | 2009-12-11 | 2012-07-10 | Tektronix, Inc. | System and method for correlating IP flows across network address translation firewalls |
US8683573B2 (en) * | 2011-06-27 | 2014-03-25 | International Business Machines Corporation | Detection of rogue client-agnostic nat device tunnels |
CN105407096B (en) * | 2015-11-26 | 2019-03-19 | 深圳市风云实业有限公司 | Message data detection method based on flow management |
CN110798461B (en) * | 2019-10-23 | 2022-04-05 | 国家计算机网络与信息安全管理中心 | VoIP (Voice over Internet protocol) association method and device under asymmetric routing network and readable storage medium |
Events
- 2020-07-14: application CN202010674639.3A filed in CN; granted as CN111565200B, status Active
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111565200B (en) | NAT (network Address translation) association detection method based on multi-path message detection analysis | |
CN106034056B (en) | Method and system for analyzing business safety | |
US8306063B2 (en) | Real-time transport protocol stream detection system and method | |
CN103795709B (en) | Network security detection method and system | |
CN102487339B (en) | Attack preventing method for network equipment and device | |
US7729271B2 (en) | Detection method for abnormal traffic and packet relay apparatus | |
US8477774B2 (en) | Method and system for detecting accessing host contained in network, and statistic and analyzing server | |
US8254388B2 (en) | Management device to investigate path states of network and network system | |
JP2006279930A (en) | Method and device for detecting and blocking unauthorized access | |
US7420929B1 (en) | Adaptive network flow analysis | |
EP1420548A2 (en) | Expert system for protocols analysis | |
CN104994016B (en) | Method and apparatus for packet classification | |
US8505098B2 (en) | Method for recording, recovering, and replaying real traffic | |
EP3242240A1 (en) | Malicious communication pattern extraction device, malicious communication pattern extraction system, malicious communication pattern extraction method and malicious communication pattern extraction program | |
Mongkolluksamee et al. | Counting NATted hosts by observing TCP/IP field behaviors | |
EP3065343B1 (en) | Network monitoring method and apparatus, and packet filtering method and apparatus | |
CN110677327A (en) | Chip-based real-time detection method for RTP flow fault | |
CN110572325A (en) | NAT router flow identification method | |
CN115664833B (en) | Network hijacking detection method based on local area network safety equipment | |
US11770360B1 (en) | Correlating protocol data units transiting networks with differing addressing schemes | |
US8037167B1 (en) | Method for detecting hosts behind network address translators | |
US7869368B2 (en) | Performance measuring in a packet transmission network | |
CN113014578A (en) | Fragment message detection method based on convolutional neural network and storage medium | |
CN111614633A (en) | Auditing method and system for L2TP protocol | |
JP2009049592A (en) | Ip flow measuring circuit and ip flow measuring method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |