CN111786985B - Method, device and storage medium for analyzing TCP and UDP data - Google Patents


Info

Publication number: CN111786985B
Authority: CN (China)
Prior art keywords: data, application software, function, parsing, analysis
Legal status: Active
Application number: CN202010599585.9A
Other languages: Chinese (zh)
Other versions: CN111786985A
Inventors: 高华东, 李侠林, 叶立震, 李山, 张永光, 朱聚江, 魏炜途
Current assignee: Guangzhou Public Security Bureau Network Police Detachment; Xiamen Meiya Pico Information Co Ltd
Original assignee: Guangzhou Public Security Bureau Network Police Detachment; Xiamen Meiya Pico Information Co Ltd
Application filed by Guangzhou Public Security Bureau Network Police Detachment and Xiamen Meiya Pico Information Co Ltd
Priority to CN202010599585.9A
Publication of CN111786985A
Application granted; publication of CN111786985B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a method, a device and a storage medium for parsing TCP and UDP data. A parsing parent class and parsing subclasses are established for the different known applications: the parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each subclass comprises the first-packet feature and the parsing method of one known application. The protocol type of the data to be parsed is determined, and the known applications in the parsing subclasses and their first-packet features are formed into a queue according to that protocol type. The first packet of the data to be parsed is acquired, the first or second function is called according to the protocol type, and the feature of the first packet is matched against the first-packet features in the queue. If a matching first-packet feature exists, the data are parsed with the parsing method of the known application corresponding to that feature, the application the data belong to is determined from the parsing result, and the content of the data is obtained, thereby realizing the parsing of TCP/UDP data.

Description

Method, device and storage medium for analyzing TCP and UDP data
Technical Field
The invention relates to the field of data analysis, in particular to a method, a device and a storage medium for analyzing TCP and UDP data.
Background
In today's rapidly expanding networks, although most data are still transmitted over HTTP, more and more enterprises have turned their attention to protecting the security of user data. They are therefore abandoning the traditional mode of HTTP plaintext, moving the communication between client and server to TCP/UDP and adding their own protocol format on top; some also combine conventional encryption schemes with a proprietary protocol format, or use SSL encryption, to protect the data.
Big data computing fills every corner of life, and people pay more and more attention to the protection of data privacy; this requirement pushes enterprises to change away from HTTP data transmission and to communicate over TCP/UDP instead. Recovering these data from massive volumes of traffic, in the face of an ever-increasing number of TCP/UDP or proprietary protocol formats, is therefore also a great need.
The biggest difference between protocols carried over TCP/UDP and HTTP is that HTTP has a fixed format, with feature fields such as Host and URL, whereas protocols carried directly over TCP/UDP have no fixed format. Parsing TCP/UDP therefore requires analyzing the content of each App's specific protocol data and then parsing according to the result of that analysis, but because each App's protocol is unique, analyzing every App one by one is difficult.
In view of this, it is of great significance to build a method and apparatus for parsing TCP and UDP data.
Disclosure of Invention
To address the problems that the TCP/UDP protocol has no fixed format, that each App has its own transmission protocol, and that parsing methods are not uniform, an objective of the embodiments of the present application is to provide a method, an apparatus and a storage medium for parsing TCP and UDP data that solve the technical problems mentioned in the background section.
In a first aspect, embodiments of the present application provide a method for parsing TCP and UDP data, including the steps of:
S1: establishing a parsing parent class and parsing subclasses according to the different known applications, wherein the parsing parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each parsing subclass comprises the first-packet feature and the parsing method corresponding to one known application;
S2: determining the protocol type of the data to be parsed, and forming a queue from the known applications in the parsing subclasses and their first-packet features according to the protocol type;
S3: acquiring the first packet of the data to be parsed, calling the first function or the second function according to the protocol type, and matching the feature of the first packet against the first-packet features in the queue; and
S4: if a matching first-packet feature exists, parsing the data to be parsed with the parsing method of the known application corresponding to that first-packet feature, determining from the parsing result which application the data belong to, and obtaining the content of the data to be parsed.
In some embodiments, in step S1, the parsing parent class and the parsing subclasses are created by analyzing the first-packet features of the different known applications; the first function and the second function are virtual functions defined in the parsing parent class, and each parsing subclass inherits the virtual functions of the parent class. The feature check of every App is thereby integrated behind one unified interface: the first function and the second function serve as the interfaces, TCP traffic is checked uniformly through the first function and UDP traffic uniformly through the second function.
In some embodiments, calling the first function of the parsing parent class points to the known application, first-packet feature and parsing method in the parsing subclass that correspond to the TCP protocol, and calling the second function points to those that correspond to the UDP protocol. As virtual functions, the first and second functions point to the content of the corresponding parsing subclass and filter the data to be parsed according to the known application and its first-packet feature.
In some embodiments, in step S3, the first function is called if the protocol type is TCP and the second function if it is UDP. In step S2 the protocol type of the data to be parsed is determined first, which serves as an initial screening; the different virtual functions are then called according to the protocol type to filter the data to be parsed.
In some embodiments, in step S3, the feature of the first packet is matched against the first-packet features in the queue; if it matches, the parsing method of the known application corresponding to that first-packet feature is invoked on the data to be parsed, and if not, step S3 is repeated for the next entry in the queue. By comparing the first packet with the first-packet features of the known applications, useless data that match none of them are filtered out; the data that pass are parsed by the corresponding parsing method, the known application that transmitted the data is finally determined, and the specific content of the data is restored.
In a second aspect, an apparatus for parsing TCP and UDP data is further provided in an embodiment of the present application, including:
a parsing class establishing module, configured to establish a parsing parent class and parsing subclasses according to the different known applications, wherein the parsing parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each parsing subclass comprises the first-packet feature and the parsing method corresponding to one known application;
a queue forming module, configured to determine the protocol type of the data to be parsed and to form a queue from the known applications and first-packet features in the parsing subclasses according to the protocol type;
a feature matching module, configured to acquire the first packet of the data to be parsed, call the first function or the second function according to the protocol type, and match the feature of the first packet against the first-packet features in the queue; and
a parsing module, configured, if a matching first-packet feature exists, to parse the data to be parsed with the parsing method of the known application corresponding to the matched first-packet feature, determine from the parsing result which application the data belong to, and obtain the content of the data to be parsed.
In some embodiments, the parsing class establishing module builds the parsing parent class and the parsing subclasses by analyzing the first-packet features of the different known applications; the first function and the second function are virtual functions defined in the parsing parent class, and each parsing subclass inherits the virtual functions of the parent class.
In some embodiments, calling the first function of the parsing parent class points to the known application, first-packet feature and parsing method in the parsing subclass that correspond to the TCP protocol, and calling the second function points to those that correspond to the UDP protocol.
In some embodiments, in the feature matching module, the first function is invoked if the protocol type is TCP and the second function if it is UDP.
In some embodiments, the feature matching module matches the feature of the first packet against the first-packet features in the queue; if it matches, the parsing method of the known application corresponding to that first-packet feature is invoked on the data to be parsed, and if not, the steps of the feature matching module are repeated.
In a third aspect, embodiments of the present application provide a computer-readable storage medium on which a computer program is stored which, when executed by a processor, implements the method of any of the implementations of the first aspect.
The invention discloses a method and a device for parsing TCP and UDP data. A parsing parent class and parsing subclasses are established for the different known applications: the parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each subclass comprises the first-packet feature and the parsing method of one known application. The protocol type of the data to be parsed is determined, and the known applications in the parsing subclasses and their first-packet features are formed into a queue according to the protocol type. The first packet of the data to be parsed is acquired, the first or second function is called according to the protocol type, and the feature of the first packet is matched against the first-packet features in the queue. If a matching first-packet feature exists, the data are parsed with the parsing method of the known application corresponding to that feature, the application the data belong to is determined from the parsing result, and the content of the data is obtained. Because each App's protocol is unique, the first-packet feature of every protocol is integrated behind one unified interface before parsing, which achieves the aim of parsing the TCP/UDP data of many different Apps.
As more and more Apps adopt proprietary protocols for their data exchange, TCP/UDP data protocols are parsed by identifying and analyzing the first-packet features of each protocol and App; useless and invalid data are filtered out rapidly by the first-packet feature check, which relieves the pressure on the data acquisition layer and the data storage layer. The method can restore the data of each App on the market even under mass-data conditions.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly described below. The drawings in the following description are only some embodiments of the present invention; other drawings may be derived from them by a person skilled in the art without inventive effort.
FIG. 1 is a diagram of an exemplary device architecture to which an embodiment of the present application may be applied;
FIG. 2 is a flow chart of a method of parsing TCP and UDP data according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an apparatus for parsing TCP and UDP data according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a computer device suitable for implementing the embodiments of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 illustrates an exemplary device architecture 100 to which the method of parsing TCP and UDP data or the device of parsing TCP and UDP data of the embodiments of the present application may be applied.
As shown in fig. 1, the apparatus architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various applications, such as a data processing class application, a file processing class application, and the like, may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be hardware or software. When they are hardware, they may be various electronic devices including, but not limited to, smartphones, tablets, laptop and desktop computers, and the like. When they are software, they may be installed in the electronic devices listed above, implemented either as multiple pieces of software or software modules (for example, software or software modules for providing distributed services) or as a single piece of software or software module. The present invention is not particularly limited in this respect.
The server 105 may be a server providing various services, such as a background data processing server processing files or data uploaded by the terminal devices 101, 102, 103. The background data processing server can process the acquired file or data to generate a processing result.
It should be noted that the method for parsing TCP and UDP data provided in the embodiment of the present application may be executed by the server 105 or by the terminal devices 101, 102 and 103; accordingly, the device for parsing TCP and UDP data may be provided in the server 105 or in the terminal devices 101, 102 and 103.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation. In the case where the processed data does not need to be acquired from a remote location, the above-described apparatus architecture may not include a network, but only a server or terminal device.
Fig. 2 shows a method of parsing TCP and UDP data disclosed in an embodiment of the present application, including the steps of:
S1: establishing a parsing parent class and parsing subclasses according to the different known applications, wherein the parsing parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each parsing subclass comprises the first-packet feature and the parsing method corresponding to one known application;
S2: determining the protocol type of the data to be parsed, and forming a queue from the known applications in the parsing subclasses and their first-packet features according to the protocol type;
S3: acquiring the first packet of the data to be parsed, calling the first function or the second function according to the protocol type, and matching the feature of the first packet against the first-packet features in the queue; and
S4: if a matching first-packet feature exists, parsing the data to be parsed with the parsing method of the known application corresponding to that first-packet feature, determining from the parsing result which application the data belong to, and obtaining the content of the data to be parsed.
In a specific embodiment, in step S1, the parsing parent class and the parsing subclasses are established by analyzing the first-packet features of the different known applications; the first function and the second function are virtual functions defined in the parsing parent class, and each parsing subclass inherits the virtual functions of the parent class. The known applications comprise various Apps, such as QQ, WeChat and DingTalk, and each App may be the mobile-phone version or the computer version. The parsing parent class is the base class; when a parsing subclass is established, it inherits the methods of the parsing parent class, and each parsing subclass may contain its own methods. During parsing, the interface of the parsing parent class is called uniformly, but the interface is not implemented in the parent class; it is implemented in the parsing subclasses. Because the features of the subclasses differ, each subclass implements the method differently while the call remains uniform. The first packet of each App is analyzed to obtain its first-packet feature, and the Apps are classified by transport protocol into TCP and UDP. A first function is defined in the parsing parent class for the TCP protocol, and the known applications, first-packet features and parsing methods corresponding to the TCP protocol and those corresponding to the UDP protocol are established in the parsing subclasses. The feature check of every App is thereby integrated behind one unified interface: the first function and the second function serve as the interfaces of the parsing parent class, TCP traffic is checked uniformly through the first function and UDP traffic uniformly through the second function.
In a specific embodiment, calling the first function of the parsing parent class points to the known application, first-packet feature and parsing method corresponding to the TCP protocol in the parsing subclass, and calling the second function points to those corresponding to the UDP protocol. As virtual functions, the first and second functions point to the content of the corresponding parsing subclass and filter the data to be parsed according to the known application and its first-packet feature.
In step S2, the protocol type of the data to be parsed is determined first, which serves as an initial screening; the different virtual functions are then called according to the protocol type to filter the data to be parsed. If the data to be parsed are TCP protocol data, the first function is called as the interface, and the known applications, first-packet features and parsing methods corresponding to the TCP protocol in the parsing subclasses are initialized and formed into a queue; if the data are UDP protocol data, the second function is called as the interface, and the known applications, first-packet features and parsing methods corresponding to the UDP protocol in the parsing subclasses are initialized and formed into a queue. On initialization each App inherits the feature-check interface of the parsing parent class and is then put into the queue. The queue established in this example is shown in Table 1:
TABLE 1
[Table 1 appears in the source only as two figure images (BDA0002558688850000061 and BDA0002558688850000071); its cells are not reproduced on the page.]
During initialization, app1, app3 and App5 realize a first function as an interface, app2, app4 and App6 realize a second function as an interface, and put into a queue in sequence.
In a specific embodiment, in step S3, the first function is called if the protocol type is TCP and the second function if it is UDP. In step S3 the feature of the first packet is matched against the first-packet features in the queue; if it matches, the parsing method of the known application corresponding to that first-packet feature is invoked on the data to be parsed, and if not, step S3 is repeated for the next entry in the queue. By comparing the first packet with the first-packet features of the known applications, useless data that match none of them are filtered out; the data that pass are parsed by the corresponding parsing method, the known application that transmitted the data is finally determined, and the specific content of the data is restored.
In the example above, suppose the data to be parsed are TCP protocol data and the feature of the first packet is 3. The first function of the first parsing parent class in the queue is called; its first-packet feature 1 does not match the feature 3 of the data to be parsed, so the walk continues to the next entry. The second and third parsing parent classes in the queue do not implement the first function, only the second, so the walk continues past them directly. The first function of the fourth parsing parent class in the queue is called; its first-packet feature 3 matches the feature 3 of the data to be parsed, so the data are judged to come from App4. Because the same first-packet feature may also correspond to different known applications with different parsing methods, a specific parsing method is still needed after the first-packet filter to make the final determination: the data to be parsed are parsed with the corresponding parsing method, which determines which known application the data belong to, and the parsing method of that application yields the content of the data. Here the parsing method corresponding to App4 is called on the data to be parsed, which further confirms that the data come from App4, and the parsing method of App4 is used to obtain the content of the data.
Useless data can therefore be filtered rapidly by this method: data that do not match any first-packet feature are discarded, protocol restoration is achieved, unknown data are attributed to a specific known application, information can be extracted, and the specific content of the data to be parsed can be analyzed in detail.
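The parent-class/subclass dispatch and the queue walk of steps S1 to S4 as an added Python example (not code from the patent or its assignees). The App names, first-packet features and payload layouts are constructed for illustration; AppC deliberately shares AppA's first-packet feature to show why the parsing method, not the first-packet match alone, makes the final determination.

```python
from abc import ABC, abstractmethod
from typing import Optional, Tuple


class AppParser(ABC):
    """Parsing parent class. match_tcp is the 'first function' and match_udp the
    'second function'. The base versions return None, meaning 'this App does not
    use that transport', so the queue walk skips the entry (as in the App2/App3
    case in the patent's example)."""

    app_name = "unknown"

    def match_tcp(self, first_packet: bytes) -> Optional[bool]:
        return None

    def match_udp(self, first_packet: bytes) -> Optional[bool]:
        return None

    @abstractmethod
    def parse(self, payload: bytes) -> Optional[dict]:
        """App-specific parsing method; returns None when the payload does not
        actually follow this App's format (the final determination step)."""


class AppA(AppParser):
    """Constructed TCP App: magic A1 01 | type(1) | length(2, big-endian) | UTF-8 body."""
    app_name = "AppA"

    def match_tcp(self, first_packet: bytes) -> bool:
        return first_packet[:2] == b"\xa1\x01"

    def parse(self, payload: bytes) -> Optional[dict]:
        if len(payload) < 5:
            return None
        body = payload[5:]
        if int.from_bytes(payload[3:5], "big") != len(body):
            return None
        try:
            return {"type": payload[2], "body": body.decode("utf-8")}
        except UnicodeDecodeError:
            return None


class AppB(AppParser):
    """Constructed UDP App: first byte 0x33 | seq(1) | length(2, big-endian) | body."""
    app_name = "AppB"

    def match_udp(self, first_packet: bytes) -> bool:
        return len(first_packet) >= 4 and first_packet[0] == 0x33

    def parse(self, payload: bytes) -> Optional[dict]:
        body = payload[4:]
        if len(payload) < 4 or int.from_bytes(payload[2:4], "big") != len(body):
            return None
        return {"seq": payload[1], "body": body.decode("latin-1")}


class AppC(AppParser):
    """Constructed TCP App with the same first-packet feature as AppA but a different
    layout: magic A1 01 | length(4, big-endian) | body. Only parse() tells them apart."""
    app_name = "AppC"

    def match_tcp(self, first_packet: bytes) -> bool:
        return first_packet[:2] == b"\xa1\x01"

    def parse(self, payload: bytes) -> Optional[dict]:
        if len(payload) < 6 or int.from_bytes(payload[2:6], "big") != len(payload) - 6:
            return None
        return {"body": payload[6:].decode("latin-1")}


REGISTRY = [AppA(), AppB(), AppC()]  # initialization order is the queue order


def build_queue(protocol: str, parsers=REGISTRY):
    """Step S2: keep only the parsers that override the virtual function for this
    transport, preserving initialization order."""
    base = AppParser.match_tcp if protocol == "tcp" else AppParser.match_udp
    return [p for p in parsers if getattr(type(p), base.__name__) is not base]


def identify(protocol: str, payload: bytes, parsers=REGISTRY) -> Optional[Tuple[str, dict]]:
    """Steps S3 and S4: compare the first packet against each queued App's feature,
    then confirm with that App's parsing method; the first App whose parse succeeds wins.
    `payload` stands in for the first packet of a flow."""
    for parser in build_queue(protocol, parsers):
        matcher = parser.match_tcp if protocol == "tcp" else parser.match_udp
        if not matcher(payload):  # None (not implemented) or False: filtered out
            continue
        parsed = parser.parse(payload)
        if parsed is not None:
            return parser.app_name, parsed
    return None


if __name__ == "__main__":
    # Constructed sample first packets, one per flow.
    print(identify("tcp", b"\xa1\x01\x02\x00\x05hello"))   # AppA
    print(identify("tcp", b"\xa1\x01\x00\x00\x00\x03abc"))  # same feature, but AppC
    print(identify("udp", b"\x33\x07\x00\x02ok"))            # AppB
    print(identify("tcp", b"GET / HTTP/1.1\r\n"))            # None: filtered as useless
```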
Corresponding to the method for parsing TCP and UDP data described in the foregoing embodiments, an apparatus for parsing TCP and UDP data is further provided in the embodiments of the present application, as shown in fig. 3, including:
a parsing class establishing module 1, configured to establish a parsing parent class and parsing subclasses according to the different known applications, wherein the parsing parent class includes a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each parsing subclass includes the first-packet feature and the parsing method corresponding to one known application;
a queue forming module 2, configured to determine the protocol type of the data to be parsed and to form a queue from the known applications and first-packet features in the parsing subclasses according to the protocol type;
a feature matching module 3, configured to acquire the first packet of the data to be parsed, call the first function or the second function according to the protocol type, and match the feature of the first packet against the first-packet features in the queue; and
a parsing module 4, configured, if a matching first-packet feature exists, to parse the data to be parsed with the parsing method of the known application corresponding to the matched first-packet feature, determine from the parsing result which application the data belong to, and obtain the content of the data to be parsed.
In a specific embodiment, the parsing class establishing module 1 creates the parsing parent class and the parsing subclasses by analyzing the first-packet features of the different known applications; the first function and the second function are virtual functions defined in the parsing parent class, and each parsing subclass inherits the virtual functions of the parent class.
In a specific embodiment, calling the first function of the parsing parent class points to the known application, first-packet feature and parsing method corresponding to the TCP protocol in the parsing subclass, and calling the second function points to those corresponding to the UDP protocol.
In a specific embodiment, in the feature matching module 3, the first function is called if the protocol type is TCP and the second function if it is UDP.
In a specific embodiment, the feature matching module 3 matches the feature of the first packet against the first-packet features in the queue; if it matches, the parsing method of the known application corresponding to that first-packet feature is called to parse the data to be parsed, and if not, the steps of the feature matching module 3 are repeated.
The invention discloses a method and a device for analyzing TCP and UDP data, which are characterized in that an analysis parent class and an analysis subclass are established according to different known application software, wherein the analysis parent class comprises a first function corresponding to a TCP protocol and a second function corresponding to a UDP protocol respectively, and the analysis subclass comprises a first packet feature and an analysis method corresponding to the known application software; judging the protocol type of the data to be analyzed, and forming a queue by the known application software in the analysis subclass and the first package feature according to the protocol type; acquiring first packet data of data to be analyzed, calling a first function or a second function according to the protocol type, and matching the characteristics of the first packet data with the first packet characteristics in the queue; if the feature matched with the first package feature exists, analyzing the data to be analyzed by adopting an analysis method of known application software corresponding to the first package feature matched with the first package feature, judging the application software corresponding to the data to be analyzed according to an analysis result, and obtaining the content of the data to be analyzed. Based on the uniqueness of each App protocol, the first packet feature of each protocol is integrated into a unified interface, and then analysis is carried out, so that the aim of analyzing TCP/UDP data of various Apps is achieved. 
Under the condition that more and more apps adopt private protocol communication to realize data interaction, analyzing TCP/UDP data protocols is realized by a method for identifying and analyzing characteristics of each protocol and App first packets; useless and invalid data is filtered out rapidly by the judging method of the first packet characteristics, and the pressure of the data acquisition layer and the data storage layer is released. The method can restore the data of each App in the market under the condition of mass data.
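The following C++ example makes the class structure of the description above (and of claims 1 to 4 below) concrete. It is an added illustration written for this page, not code from the patent or from the applicants. The parent class AppParser (whose two virtual matchers play the role of the "first function" and "second function"), the subclasses AlphaChatParser and BetaVoiceParser, the FlowClassifier, and the two wire formats are all assumptions constructed for illustration; no real application's protocol is represented, and the sample first packets are constructed, not captured.

```cpp
#include <cstdint>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Transport protocol of the flow whose first packet is being classified.
enum class Proto { TCP, UDP };

// Outcome of one classification: which app matched (empty if none) and its decoded content.
struct ParseResult {
    std::string app;
    std::string content;
};

// Parsing parent class (hypothetical). The two virtual matchers correspond to the patent's
// "first function" (TCP) and "second function" (UDP); the defaults mean "this app does not
// speak that transport", which is what lets the queue-forming step skip the subclass.
class AppParser {
public:
    virtual ~AppParser() = default;
    virtual std::string name() const = 0;
    virtual bool handles(Proto p) const = 0;
    virtual bool matchTcpFirstPacket(const std::vector<uint8_t>&) const { return false; }
    virtual bool matchUdpFirstPacket(const std::vector<uint8_t>&) const { return false; }
    virtual bool parse(const std::vector<uint8_t>& pkt, std::string& out) const = 0;
};

// Hypothetical TCP app "AlphaChat" (constructed for this example, not a real protocol):
// first packet = "AC", version byte 0x01, 16-bit big-endian payload length, payload.
class AlphaChatParser : public AppParser {
public:
    std::string name() const override { return "AlphaChat"; }
    bool handles(Proto p) const override { return p == Proto::TCP; }
    bool matchTcpFirstPacket(const std::vector<uint8_t>& pkt) const override {
        return pkt.size() >= 5 && pkt[0] == 'A' && pkt[1] == 'C' && pkt[2] == 0x01;
    }
    bool parse(const std::vector<uint8_t>& pkt, std::string& out) const override {
        if (pkt.size() < 5) return false;
        size_t len = (size_t(pkt[3]) << 8) | pkt[4];
        // The length field comes off the wire: check it against the buffer before slicing.
        if (len > pkt.size() - 5) return false;
        out.assign(pkt.begin() + 5, pkt.begin() + 5 + len);
        return true;
    }
};

// Hypothetical UDP app "BetaVoice" (also constructed): magic 0xBE 0x7A, 4-byte session id, payload.
class BetaVoiceParser : public AppParser {
public:
    std::string name() const override { return "BetaVoice"; }
    bool handles(Proto p) const override { return p == Proto::UDP; }
    bool matchUdpFirstPacket(const std::vector<uint8_t>& pkt) const override {
        return pkt.size() >= 6 && pkt[0] == 0xBE && pkt[1] == 0x7A;
    }
    bool parse(const std::vector<uint8_t>& pkt, std::string& out) const override {
        if (pkt.size() < 6) return false;
        out.assign(pkt.begin() + 6, pkt.end());
        return true;
    }
};

// Steps S2 to S4: form the queue for the protocol type, walk it in order, parse on a hit.
class FlowClassifier {
public:
    void add(std::unique_ptr<AppParser> p) { parsers_.push_back(std::move(p)); }

    ParseResult classify(Proto proto, const std::vector<uint8_t>& firstPacket) const {
        std::vector<const AppParser*> queue;               // S2: queue only the apps that
        for (const auto& p : parsers_)                     // implement this transport's function
            if (p->handles(proto)) queue.push_back(p.get());

        for (const AppParser* p : queue) {                 // S3: call first or second function
            bool hit = proto == Proto::TCP ? p->matchTcpFirstPacket(firstPacket)
                                           : p->matchUdpFirstPacket(firstPacket);
            if (!hit) continue;                            // no match: next app in the queue
            ParseResult r;                                 // S4: parse with the matched method
            if (p->parse(firstPacket, r.content)) { r.app = p->name(); return r; }
            // Magic bytes matched but the packet did not parse: treat it as a false positive
            // of the first-packet feature and keep walking rather than trusting the match.
        }
        return {};                                         // unknown app: can be filtered out
    }
private:
    std::vector<std::unique_ptr<AppParser>> parsers_;
};

// Constructed sample first packets (not captures from any real application).
inline std::vector<uint8_t> alphaPacket()     { return {'A', 'C', 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'}; }
inline std::vector<uint8_t> betaPacket()      { return {0xBE, 0x7A, 0, 0, 0, 7, 'p', 'i', 'n', 'g'}; }
inline std::vector<uint8_t> badLengthPacket() { return {'A', 'C', 0x01, 0xFF, 0xFF, 'x'}; }

// Builds a classifier with both hypothetical parsers and classifies one first packet.
inline ParseResult classifySample(Proto proto, const std::vector<uint8_t>& firstPacket) {
    FlowClassifier c;
    c.add(std::make_unique<AlphaChatParser>());
    c.add(std::make_unique<BetaVoiceParser>());
    return c.classify(proto, firstPacket);
}

int main() {
    ParseResult a = classifySample(Proto::TCP, alphaPacket());
    ParseResult b = classifySample(Proto::UDP, betaPacket());
    ParseResult c = classifySample(Proto::TCP, badLengthPacket());
    std::cout << "TCP sample  -> " << (a.app.empty() ? "unknown" : a.app) << ": " << a.content << "\n"
              << "UDP sample  -> " << (b.app.empty() ? "unknown" : b.app) << ": " << b.content << "\n"
              << "bad length  -> " << (c.app.empty() ? "unknown" : c.app) << "\n";
    return 0;
}
```

A first-packet feature is a few bytes that any sender can forge, so the example treats a match as a hypothesis rather than an identification: the per-app parse method validates the wire-supplied length field before slicing the buffer, and a packet that matches the magic bytes but fails to parse is handed to the next queue entry instead of being attributed to the app. In a DPI or forensic pipeline fed by mass traffic, that is what keeps a crafted first packet from either misattributing a flow or driving an out-of-bounds read in the parser.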
Referring now to fig. 4, there is illustrated a schematic diagram of a computer apparatus 400 suitable for use in implementing an electronic device (e.g., a server or terminal device as illustrated in fig. 1) of an embodiment of the present application. The electronic device shown in fig. 4 is only an example and should not be construed as limiting the functionality and scope of use of the embodiments herein.
As shown in fig. 4, the computer apparatus 400 includes a Central Processing Unit (CPU) 401 and a Graphics Processor (GPU) 402, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 403 or a program loaded from a storage portion 409 into a Random Access Memory (RAM) 404. The RAM 404 also stores the various programs and data required for the operation of the apparatus 400. The CPU 401, GPU 402, ROM 403 and RAM 404 are connected to each other by a bus 405. An input/output (I/O) interface 406 is also connected to the bus 405.
The following components are connected to the I/O interface 406: an input portion 407 including a keyboard, a mouse and the like; an output portion 408 including a display such as a Liquid Crystal Display (LCD), a speaker and the like; a storage portion 409 including a hard disk or the like; and a communication portion 410 including a network interface card such as a LAN card, a modem and the like. The communication portion 410 performs communication processing via a network such as the Internet. A drive 411 may also be connected to the I/O interface 406 as needed. A removable medium 412 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 411 as needed, so that a computer program read from it can be installed into the storage portion 409 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such embodiments, the computer program may be downloaded and installed from a network via the communication portion 410, and/or installed from the removable medium 412. The above-described functions defined in the method of the present application are performed when the computer program is executed by a Central Processing Unit (CPU) 401 and a Graphics Processor (GPU) 402.
It should be noted that the computer readable medium described in the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the foregoing. More specific examples of the computer readable storage medium include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device. In the present application, by contrast, a computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with computer readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present application may be written in one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based devices which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules involved in the embodiments described in the present application may be implemented by software, or may be implemented by hardware. The described modules may also be provided in a processor.
As another aspect, the present application also provides a computer readable medium that may be contained in the electronic device described in the above embodiment, or may exist alone without being incorporated into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: establish a parsing parent class and parsing subclasses according to different known application software, wherein the parsing parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each parsing subclass comprises a first-packet feature and a parsing method corresponding to the known application software; determine the protocol type of the data to be parsed, and form the known application software in the parsing subclasses together with their first-packet features into a queue according to the protocol type; acquire the first-packet data of the data to be parsed, call the first function or the second function according to the protocol type, and match the features of the first-packet data against the first-packet features in the queue; and, if a matching first-packet feature exists, parse the data to be parsed with the parsing method of the known application software corresponding to the matched first-packet feature, determine from the parsing result which application software the data to be parsed belongs to, and obtain the content of the data to be parsed.
The foregoing description is only of the preferred embodiments of the present application and is presented as a description of the principles of the technology being utilized. It will be appreciated by persons skilled in the art that the scope of the invention referred to in this application is not limited to the specific combinations of features described above, but it is intended to cover other embodiments in which any combination of features described above or equivalents thereof is possible without departing from the spirit of the invention. Such as the above-described features and technical features having similar functions (but not limited to) disclosed in the present application are replaced with each other.

Claims (9)

1. A method for parsing TCP and UDP data, comprising the steps of:
S1: establishing a parsing parent class and parsing subclasses according to different known application software, wherein the parsing parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each parsing subclass comprises a first-packet feature and a parsing method corresponding to the known application software;
S2: determining the protocol type of the data to be parsed, calling the first function or the second function in the parsing parent class as an interface according to the protocol type, and forming a queue of the known application software corresponding to the TCP protocol and the UDP protocol in the parsing subclasses together with their first-packet features;
S3: acquiring the first-packet data of the data to be parsed, and calling the parsing parent class of each known application software in the queue in queue order: if the parsing parent class corresponding to that known application software implements the first function or the second function corresponding to the protocol type of the data to be parsed, matching the features of the first-packet data against the first-packet feature of that known application software, and otherwise proceeding to the next known application software in the queue; and
S4: if the features of the first-packet data are consistent with the first-packet feature of a known application software in the queue, parsing the data to be parsed with the parsing method of the known application software corresponding to the matched first-packet feature, determining from the parsing result which application software the data to be parsed belongs to, and obtaining the content of the data to be parsed.
2. The method according to claim 1, wherein in step S1 the parsing parent class and the parsing subclasses are established by analyzing the first-packet features of different known application software, the first function and the second function are virtual functions defined in the parsing parent class, and each parsing subclass inherits the virtual functions of the parsing parent class.
3. The method according to claim 1, wherein calling the first function in the parsing parent class dispatches to the known application software, the first-packet feature and the parsing method in the parsing subclass that correspond to the TCP protocol, and calling the second function in the parsing parent class dispatches to the known application software, the first-packet feature and the parsing method in the parsing subclass that correspond to the UDP protocol.
4. The method according to claim 1, wherein in step S2 the first function is called if the protocol type is the TCP protocol, and the second function is called if the protocol type is the UDP protocol.
5. An apparatus for parsing TCP and UDP data, comprising:
a parsing class building module configured to build a parsing parent class and parsing subclasses according to different known application software, wherein the parsing parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each parsing subclass comprises a first-packet feature and a parsing method corresponding to the known application software;
a queue forming module configured to determine the protocol type of the data to be parsed, call the first function or the second function in the parsing parent class as an interface according to the protocol type, and form a queue of the known application software corresponding to the TCP protocol and the UDP protocol in the parsing subclasses together with their first-packet features;
a feature matching module configured to acquire the first-packet data of the data to be parsed and call the parsing parent class of each known application software in the queue in queue order, match the features of the first-packet data against the first-packet feature of that known application software if its parsing parent class implements the first function or the second function corresponding to the protocol type of the data to be parsed, and proceed to the next known application software in the queue if the features of the first-packet data cannot be matched with its first-packet feature; and
a parsing module configured, if the features of the first-packet data are consistent with the first-packet feature of a known application software in the queue, to parse the data to be parsed with the parsing method of the known application software corresponding to the matched first-packet feature, determine from the parsing result which application software the data to be parsed belongs to, and obtain the content of the data to be parsed.
6. The apparatus according to claim 5, wherein the parsing class building module builds the parsing parent class and the parsing subclasses by analyzing the first-packet features of different known application software, the first function and the second function are virtual functions defined in the parsing parent class, and each parsing subclass inherits the virtual functions of the parsing parent class.
7. The apparatus according to claim 5, wherein calling the first function in the parsing parent class dispatches to the known application software, the first-packet feature and the parsing method in the parsing subclass that correspond to the TCP protocol, and calling the second function in the parsing parent class dispatches to the known application software, the first-packet feature and the parsing method in the parsing subclass that correspond to the UDP protocol.
8. The apparatus according to claim 5, wherein the first function is called if the protocol type is the TCP protocol, and the second function is called if the protocol type is the UDP protocol.
9. A computer storage medium having stored thereon a computer program which, when executed by a computer, performs the steps of the method according to any one of claims 1 to 4.
CN202010599585.9A 2020-06-28 2020-06-28 Method, device and storage medium for analyzing TCP and UDP data Active CN111786985B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010599585.9A CN111786985B (en) 2020-06-28 2020-06-28 Method, device and storage medium for analyzing TCP and UDP data

Publications (2)

Publication Number Publication Date
CN111786985A CN111786985A (en) 2020-10-16
CN111786985B true CN111786985B (en) 2023-05-23

Family

ID=72761583

Country Status (1)

Country Link
CN (1) CN111786985B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114520837A (en) * 2021-12-27 2022-05-20 苏州绿科智能机器人研究院有限公司 Method for analyzing message data sent upwards based on object-oriented technology

Family Cites Families (6)

Publication number Priority date Publication date Assignee Title
CN1852297B (en) * 2005-11-11 2010-05-12 华为技术有限公司 Network data flow recognizing system and method
US9853876B1 (en) * 2014-06-13 2017-12-26 Narus, Inc. Mobile application identification in network traffic via a search engine approach
CN108173705A (en) * 2017-11-28 2018-06-15 北京天融信网络安全技术有限公司 First packet recognition methods, device, equipment and the medium of flow drainage
CN108377223B (en) * 2018-01-05 2019-12-06 网宿科技股份有限公司 multi-packet identification method, data packet identification method and flow guiding method
CN108418758B (en) * 2018-01-05 2021-01-29 网宿科技股份有限公司 Single packet identification method and flow guiding method
CN108900374B (en) * 2018-06-22 2021-05-25 网宿科技股份有限公司 Data processing method and device applied to DPI equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210628

Address after: 361000 unit 102-402, No.12, Guanri Road, phase II, Software Park, Siming District, Xiamen City, Fujian Province

Applicant after: XIAMEN MEIYA PICO INFORMATION Co.,Ltd.

Applicant after: Guangzhou Public Security Bureau Network Police Detachment

Address before: 361000 unit 102-402, No.12, Guanri Road, phase II, Software Park, Siming District, Xiamen City, Fujian Province

Applicant before: XIAMEN MEIYA PICO INFORMATION Co.,Ltd.

GR01 Patent grant