CN112104670B - Method and device for analyzing rail transit data based on link mapping - Google Patents

Publication number
CN112104670B
Authority
CN
China
Prior art keywords
data
protocol
address
source
rail transit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011250296.4A
Other languages
Chinese (zh)
Other versions
CN112104670A (en)
Inventor
杨艳艳
吴迪
范全勇
王锡磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Mtr Construction Consultation Co ltd
Original Assignee
Beijing Mtr Construction Consultation Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Mtr Construction Consultation Co ltd
Priority to CN202011250296.4A
Publication of CN112104670A
Application granted
Publication of CN112104670B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/26 Special purpose or proprietary protocols or architectures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for analyzing rail transit data based on link mapping, wherein the rail transit data is obtained by packaging based on a secure communication layer protocol and an application layer protocol, and the method comprises the following steps: capturing rail transit data transmitted by a communication-based train control system through a network by using a packet capturing tool; analyzing a transport layer, a network layer and a network interface layer of the rail transit data by using the packet capturing tool, and acquiring unanalyzed data and link information of the rail transit data, wherein the link information comprises: a source IP address, a source port, a destination IP address, a destination port; inquiring a pre-stored configuration file, and acquiring a protocol resolver mapped by the source IP address, the source port, the destination IP address and the destination port; and calling the acquired protocol analyzer to analyze the unresolved data. The analysis efficiency of the rail transit data can be improved.

Description

Method and device for analyzing rail transit data based on link mapping
Technical Field
The invention relates to the technical field of rail transit, in particular to a method and a device for analyzing rail transit data based on link mapping.
Background
The development of a Communication Based Train Control (CBTC) system is greatly promoted by the continuous development of urban rail transit. Under the condition of good communication condition, the system can realize the rail transit data communication with two-way, continuous, large capacity and high resolution among a plurality of subsystems of the CBTC system, and provides necessary conditions for the real-time and efficient control of urban rail transit trains.
In the development and test process of the CBTC system, the rail transit data running among the subsystems needs to be collected, the collected rail transit data are analyzed according to the communication protocols formulated by the subsystems, the running performance of each subsystem is obtained according to the analysis results, faults in the running process of the CBTC system are processed and analyzed, the running state of a rail transit train is effectively monitored, and therefore the running safety of the rail transit train is guaranteed.
At present, in the process of developing and testing a CBTC system, the network data analysis tools that have been developed all perform application layer analysis for the protocol of a single subsystem. For example, after rail transit data communicated between subsystems is captured with a packet capture tool such as Wireshark or ipool, the application layer data in the rail transit data is analyzed by the application layer protocol analyzer of each subsystem pre-stored in the CBTC system to obtain an analysis result, and corresponding analysis is performed based on that result. However, in practical application, in order to improve the transmission security of the rail transit data, the CBTC application layer data is encapsulated with a secure communication layer protocol before transmission. The current application layer protocol analyzers therefore cannot correctly analyze rail transit data encapsulated based on both the secure communication layer protocol and the application layer protocol, and the analysis efficiency of the rail transit data is low.
Disclosure of Invention
In view of the above, the present invention provides a method and an apparatus for analyzing rail transit data based on link mapping, so as to improve the analysis efficiency of rail transit data.
In a first aspect, an embodiment of the present invention provides a method for analyzing rail transit data based on link mapping, where the rail transit data is obtained by encapsulating based on a secure communication layer protocol and an application layer protocol, and the method includes:
capturing rail transit data transmitted by a communication-based train control system through a network by using a packet capturing tool;
analyzing a transport layer, a network layer and a network interface layer of the rail transit data by using the packet capturing tool, and acquiring unanalyzed data and link information of the rail transit data, wherein the link information comprises: a source IP address, a source port, a destination IP address, a destination port;
inquiring a pre-stored configuration file, and acquiring a protocol resolver mapped by the source IP address, the source port, the destination IP address and the destination port;
and calling the acquired protocol analyzer to analyze the unresolved data.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation manner of the first aspect, where the method further includes:
acquiring a secure communication layer protocol and an application layer protocol, setting a corresponding secure communication layer protocol resolver for each secure communication layer protocol, and setting a corresponding application layer protocol resolver for each application layer protocol;
constructing a configuration file, wherein the configuration file comprises a plurality of set mapping relations, and each mapping relation comprises: source IP address, source port, destination IP address, destination port, and protocol resolvers to which they map.
With reference to the first possible implementation manner of the first aspect, an embodiment of the present invention provides a second possible implementation manner of the first aspect, where setting the mapping relationship includes:
aiming at a data sending subsystem and a data receiving subsystem for data transmission in the communication-based train control system, acquiring a first protocol of the data sending subsystem for packaging and sending data, and a second protocol of the data receiving subsystem for analyzing and receiving data;
determining an analysis protocol used by the data receiving subsystem for analyzing the data sent by the data sending subsystem based on the first protocol, the second protocol and the received data of the data receiving subsystem;
and according to the source IP address and the source port of the data sending subsystem and the target IP address and the target port of the data receiving subsystem, constructing a mapping relation between the source IP address, the source port, the target IP address and the target port and a protocol analyzer corresponding to the analysis protocol.
With reference to the first aspect, the first or second possible implementation manner of the first aspect, an embodiment of the present invention provides a third possible implementation manner of the first aspect, where the invoking the obtained protocol parser to parse the unresolved data includes:
calling a secure communication layer protocol analyzer in the obtained protocol analyzers, and analyzing the unresolved data to obtain secure communication data and application layer data;
and calling an application layer protocol analyzer in the obtained protocol analyzers to analyze the application layer data to obtain application data.
With reference to the first aspect, the first or second possible implementation manner of the first aspect, an embodiment of the present invention provides a fourth possible implementation manner of the first aspect, where the method further includes:
if the protocol resolvers mapped by the source IP address, the source port, the destination IP address and the destination port are not obtained from the configuration file, the protocol resolvers in the configuration file are sequentially called to resolve the unresolved data.
In a second aspect, an embodiment of the present invention further provides a device for analyzing rail transit data based on link mapping, where the rail transit data is obtained by encapsulating based on a secure communication layer protocol and an application layer protocol, and the device includes:
the data capturing module is used for capturing rail transit data transmitted by the train control system based on communication through a network by using a packet capturing tool;
a link information obtaining module, configured to perform transport layer, network layer and network interface layer analysis on the rail transit data by using the packet capturing tool, and obtain unanalyzed data and link information of the rail transit data, where the link information includes: a source IP address, a source port, a destination IP address, a destination port;
the resolver query module is used for querying a pre-stored configuration file and acquiring a protocol resolver mapped by the source IP address, the source port, the destination IP address and the destination port;
and the data analysis module is used for calling the acquired protocol analyzer to analyze the unresolved data.
With reference to the second aspect, an embodiment of the present invention provides a first possible implementation manner of the second aspect, where the method further includes:
the configuration file construction module is used for acquiring the secure communication layer protocols and the application layer protocols, setting a corresponding secure communication layer protocol parser for each secure communication layer protocol, and setting a corresponding application layer protocol parser for each application layer protocol;
constructing a configuration file, wherein the configuration file comprises a plurality of set mapping relations, and each mapping relation comprises: source IP address, source port, destination IP address, destination port, and protocol resolvers to which they map.
With reference to the first possible implementation manner of the second aspect, an embodiment of the present invention provides a second possible implementation manner of the second aspect, where the method further includes:
the mapping relation generating module is used for acquiring a first protocol of the data transmitting subsystem for packaging and transmitting data and a second protocol of the data receiving subsystem for analyzing and receiving data aiming at the data transmitting subsystem and the data receiving subsystem for data transmission in the communication-based train control system;
determining an analysis protocol used by the data receiving subsystem for analyzing the data sent by the data sending subsystem based on the first protocol, the second protocol and the received data of the data receiving subsystem;
and according to the source IP address and the source port of the data sending subsystem and the target IP address and the target port of the data receiving subsystem, constructing a mapping relation between the source IP address, the source port, the target IP address and the target port and a protocol analyzer corresponding to the analysis protocol.
In a third aspect, an embodiment of the present application provides a computer device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and the processor implements the steps of the above method when executing the computer program.
In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, performs the steps of the method described above.
According to the method and the device for analyzing the rail transit data based on the link mapping, provided by the embodiment of the invention, the rail transit data is obtained by packaging based on a safety communication layer protocol and an application layer protocol, and the rail transit data transmitted by a train control system based on communication through a network is captured by a packet capturing tool; analyzing a transport layer, a network layer and a network interface layer of the rail transit data by using the packet capturing tool, and acquiring unanalyzed data and link information of the rail transit data, wherein the link information comprises: a source IP address, a source port, a destination IP address, a destination port; inquiring a pre-stored configuration file, and acquiring a protocol resolver mapped by the source IP address, the source port, the destination IP address and the destination port; and calling the acquired protocol analyzer to analyze the unresolved data. Therefore, the protocol analyzer for analyzing the data to be analyzed is obtained by acquiring the link information of the data to be analyzed and inquiring the mapping relation based on the mapping relation between the link information and the protocol analyzer, the analysis of the rail transit data packaged based on the safe communication layer protocol and the application layer protocol can be automatically realized, and the efficiency and the success rate of data analysis are improved.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a schematic flow chart illustrating a method for analyzing rail transit data based on link mapping according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram illustrating an apparatus for analyzing rail transit data based on link mapping according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a computer device 300 according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
The existing rail transit data analysis method can only analyze rail transit data encapsulated by an application layer protocol and cannot accurately analyze rail transit data encapsulated based on both a secure communication layer protocol and an application layer protocol, so the analysis efficiency and the analysis success rate of the rail transit data are low. In the embodiment of the present invention, a configuration file is set, where the configuration file includes a plurality of mapping relationships, and each mapping relationship includes: a source IP address, a source port, a destination IP address, a destination port and the protocol parsers they map to. The protocol parsers comprise secure communication layer protocol parsers set based on the secure communication layer protocols and application layer protocol parsers set based on the application layer protocols. The mapping relationships are queried with the source IP address, source port, destination IP address and destination port of the rail transit data to be parsed, so as to determine the protocol parser used for parsing that data. This realizes the parsing of rail transit data encapsulated based on the secure communication layer protocol and the application layer protocol, and improves the data parsing efficiency and success rate.
The embodiment of the invention provides a method and a device for analyzing rail transit data based on link mapping, which are described by the following embodiments.
Fig. 1 is a schematic flow chart illustrating a method for resolving rail transit data based on link mapping according to an embodiment of the present invention. As shown in fig. 1, the rail transit data is obtained by encapsulating based on a secure communication layer protocol and an application layer protocol, and the method includes:
Step 101, capturing rail transit data transmitted by a communication-based train control system through a network by using a packet capturing tool;
in the embodiment of the present invention, as an optional embodiment, the packet capturing tool includes but is not limited to: Wireshark, ipool.
In the embodiment of the invention, the packet capturing tool captures rail transit data which is communicated among a plurality of subsystems of the CBTC through a network.
Step 102, analyzing the rail transit data by using the packet capturing tool through a transport layer, a network layer and a network interface layer, and acquiring unresolved data and link information of the rail transit data, wherein the link information comprises: a source IP address, a source port, a destination IP address, a destination port;
in the embodiment of the invention, the packet capturing tool analyzes the captured rail transit data according to the TCP/IP protocol, and the rail transit data which cannot be analyzed, namely the unanalyzed data, is analyzed by using the method of the embodiment of the invention.
In the embodiment of the invention, the TCP/IP protocol comprises: the system comprises an application layer protocol, a transport layer protocol, a network layer protocol and a network interface layer protocol, wherein the TCP protocol and the UDP protocol belong to a transport layer, and the IP protocol belongs to a network layer. The packet capturing tool captures a data packet (rail transit data) transmitted on the network and analyzes data of a transport layer, a network layer and a network interface layer in the data packet, and the data of the application layer is analyzed by selecting an application layer protocol analyzer by using the method of the embodiment of the invention.
In this embodiment of the present invention, as an optional embodiment, the rail transit data includes: bottom layer data, secure communication layer data, and CBTC application layer data. The bottom layer data is data encapsulated by the transport layer protocol, the network layer protocol and the network interface layer protocol; the application layer data is data encapsulated by the application layer protocol; and the secure communication layer data is data obtained by encapsulating the application layer data with the secure communication layer protocol.
In the embodiment of the invention, the protocol parser for parsing the secure communication layer data and the CBTC application layer data is determined by using the IP address (including the source IP address and the destination IP address of the byte stream) parsed by the Wireshark from the network layer and the port address (including the source port and the destination port of the byte stream) parsed from the TCP/UDP layer.
In the embodiment of the invention, after capturing the rail transit data, a packet capturing tool is used for analyzing to obtain the following link information:
a transport layer protocol (e.g., TCP protocol or UDP protocol) used for rail transit data;
a source IP address and a source port of the rail transit data;
and the destination IP address and the destination port of the rail transit data.
Step 103, inquiring a pre-stored configuration file, and acquiring the protocol parser mapped by the source IP address, the source port, the destination IP address and the destination port;
in the embodiment of the present invention, a configuration file is pre-constructed, where the configuration file includes a plurality of mapping relationships, and each mapping relationship includes: source IP address, source port, destination IP address, destination port, and protocol resolvers to which they map.
In the embodiment of the present invention, the configuration file needs to be constructed in advance, and therefore, as an optional embodiment, the method further includes:
A11, acquiring a secure communication layer protocol and an application layer protocol, setting a corresponding secure communication layer protocol parser for each secure communication layer protocol, and setting a corresponding application layer protocol parser for each application layer protocol;
in this embodiment of the present invention, as an optional embodiment, the secure communication layer protocol includes but is not limited to: EN50159 Safety Protocol, FSFB Safety Protocol, CSEE Safety Protocol, and Railway Signal Safety Protocol (RSSP), wherein the RSSP further comprises RSSP-1, RSSP-2, etc. A corresponding protocol parser is provided for each protocol included in the secure communication layer protocols; for example, an FSFB security protocol parser is provided for the FSFB security protocol, a CSEE security protocol parser for the CSEE security protocol, an RSSP-1 protocol parser for RSSP-1, and so on. How a parser is set for a given protocol can be found in the related technical literature and is not described in detail here.
In this embodiment of the present invention, as an optional embodiment, the application layer protocol includes but is not limited to: basic CBTC protocol, I-CBTC protocol, FAO protocol. Among them, the basic CBTC protocol includes but is not limited to: ATS-VOBC protocol, VOBC-ZC protocol, ZC-ZC protocol, CI-CI protocol, etc. A corresponding protocol parser is set for each application layer protocol in the same way that a secure communication layer protocol parser is set for each secure communication layer protocol.
A12, constructing a configuration file, wherein the configuration file comprises a plurality of set mapping relations, and each mapping relation comprises: source IP address, source port, destination IP address, destination port, and protocol resolvers to which they map.
In the embodiment of the present invention, the mapping relationship in the configuration file may be a direct correspondence between the link information and the protocol parser, or may be a regular expression relationship between the link information and the protocol parser. For example, a regular expression may be used as a wildcard, and the corresponding protocol parser is automatically selected according to the regular expression.
In the embodiment of the invention, the mapping relation between the protocol resolver and the link information is constructed in advance according to the statistics and analysis of the protocol resolver adopted by each subsystem, so that the configuration of the protocol resolver of the rail transit data can be carried out according to the mapping relation.
In this embodiment of the present invention, as an optional embodiment, setting the mapping relationship includes:
B11, for a data sending subsystem and a data receiving subsystem that transmit data in the communication-based train control system, acquiring a first protocol used by the data sending subsystem for encapsulating and sending data, and a second protocol used by the data receiving subsystem for parsing received data;
in the embodiment of the present invention, any subsystem in the train control system based on communication may be used as a data sending subsystem or may be used as a data receiving subsystem, and for the data sending subsystem, protocols used for encapsulating and sending data sent to different data receiving subsystems may be the same or may be different, so that all protocols (first protocols) used for encapsulating and sending data by the data sending subsystem are obtained. Similarly, for the data receiving subsystem, the protocol used for analyzing the received data may be the same or different for receiving the data of different data sending subsystems, and for the data receiving subsystem, all the protocols (second protocols) used for analyzing the received data by the data receiving subsystem are obtained.
B12, determining a resolution protocol used by the data receiving subsystem to resolve the data sent by the data sending subsystem based on the first protocol, the second protocol and the received data of the data receiving subsystem;
B13, according to the source IP address and the source port of the data sending subsystem, and the destination IP address and the destination port of the data receiving subsystem, constructing a mapping relationship between the source IP address, the source port, the destination IP address, the destination port, and the protocol parser corresponding to the parsing protocol.
In the embodiment of the present invention, it should be noted that the mapping relationship is related to the transmission direction of the byte stream of the data. For example, a byte stream transmitted from the data transmission subsystem A to the data reception subsystem B corresponds to a first mapping relationship, and a byte stream transmitted from the data reception subsystem B to the data transmission subsystem A corresponds to a second mapping relationship; the first mapping relationship may be different from the second mapping relationship.
In the embodiment of the present invention, the set mapping relationship is related to link information, that is, related to four parameters, namely, a source IP address, a source port, a destination IP address, and a destination port, so that one or more of the four parameters may change, and the correspondingly set mapping relationship may or may not change.
In the embodiment of the present invention, for example, taking data communication between an Automatic Train monitoring system (ATS) and a Vehicle-mounted Controller (VOBC), the following are recorded in a configuration file:
ATS is used as a data sending party, VOBC is used as a first mapping relation of a data receiving party, and the first mapping relation comprises: the source IP address is A, the source port number is B, the destination IP address is C, the destination port is D, and the mapped protocol analyzer is a secure communication layer protocol and an application layer protocol;
the ATS is used as a data receiver, the VOBC is used as a second mapping relation of the data sender, and the second mapping relation comprises: the source IP address is C, the source port number is D, the destination IP address is A, the destination port is B, and the mapped protocol resolver is an application layer protocol.
In the embodiment of the present invention, as an optional embodiment, the content in the configuration file is as follows:
[Item1]
ChainOfParser=0x03010101,0x10070C21
ProtocolType=UDP
VectorLink1=^9\.9\.\d{1,3}\.\d{1,3}:50503$>^9\.10\.\d{1,3}\.\d{1,3}:50503$
VectorLink2=^9\.13\.\d{1,3}\.\d{1,3}:50503$>^9\.14\.\d{1,3}\.\d{1,3}:50503$
Description=Protocol sent from ZC to VOBC
[Item2]
ChainOfParser=0x03010101,0x10070C31
ProtocolType=UDP
VectorLink1=^9\.8\.\d{1,3}\.\d{1,3}:50503$>^9\.9\.\d{1,3}\.\d{1,3}:50503$
VectorLink2=^9\.12\.\d{1,3}\.\d{1,3}:50503$>^9\.13\.\d{1,3}\.\d{1,3}:50503$
Description=Protocol sent from CI to ZC
Note:
ChainOfParser lists the numbers of the required protocol parsers (including the secure communication layer protocol parser and the application layer protocol parser).
ProtocolType is the protocol used by the transport layer.
VectorLink is the regular-expression form of the link's IP addresses; one item can have multiple links.
Description is the description of the item.
In the embodiment of the present invention, after the mapping relationships are constructed, they may be merged. For example, the constructed mapping relationships are merged according to their protocol parsers (an application layer protocol parser alone, or a secure communication layer protocol parser together with an application layer protocol parser), and a corresponding regular expression is set.
In this embodiment of the present invention, as an optional embodiment, a mapping relationship between a source IP address, a source port, a destination IP address, a destination port, and a protocol parser may be represented in a table form, for example, as shown in table 1.
TABLE 1
Source IP address | Source port | Destination IP address | Destination port | Protocol parser
A | B | C | D | E
C | D | A | B | E+F
Step 104: calling the obtained protocol parser to parse the unresolved data.
In this embodiment of the present invention, as an optional embodiment, invoking the obtained protocol parser to parse the unresolved data includes:
C11: calling a secure communication layer protocol parser among the obtained protocol parsers to parse the unresolved data, obtaining secure communication data and application layer data.
In the embodiment of the invention, as an optional embodiment, the secure communication layer protocol parsers among the obtained protocol parsers are called in sequence to parse the unresolved data. If parsing succeeds, the next secure communication layer protocol parser does not need to be called; if parsing fails, the next secure communication layer protocol parser is called, until parsing succeeds or all the secure communication layer protocol parsers have been called.
C12: calling an application layer protocol parser among the obtained protocol parsers to parse the application layer data, obtaining application data.
In the embodiment of the invention, after the secure communication data and the application data are obtained, they are combined to obtain the analysis result of the rail transit data.
In this embodiment of the present invention, as an optional embodiment, the method further includes:
if the protocol resolvers mapped by the source IP address, the source port, the destination IP address and the destination port are not obtained from the configuration file, the protocol resolvers in the configuration file are sequentially called to resolve the unresolved data.
In the embodiment of the invention, if all protocol analyzers in the configuration file cannot successfully analyze the unanalyzed data, the failure of analysis is displayed, and corresponding failure prompt information is given.
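The flow described above (configuration items, direction-sensitive link matching, chained parsers, and the fallback when no mapping is found), as an added Python example that is not the patent's own code. The frame layout, the toy parsers, all function names, and the assignment of 0x03010101 to the secure communication layer are assumptions made for illustration.

```python
import configparser
import ipaddress
import re
from collections import namedtuple

# The two items from the page's configuration file (Description lines omitted).
CONFIG_TEXT = r"""
[Item1]
ChainOfParser=0x03010101,0x10070C21
ProtocolType=UDP
VectorLink1=^9\.9\.\d{1,3}\.\d{1,3}:50503$>^9\.10\.\d{1,3}\.\d{1,3}:50503$
VectorLink2=^9\.13\.\d{1,3}\.\d{1,3}:50503$>^9\.14\.\d{1,3}\.\d{1,3}:50503$
[Item2]
ChainOfParser=0x03010101,0x10070C31
ProtocolType=UDP
VectorLink1=^9\.8\.\d{1,3}\.\d{1,3}:50503$>^9\.9\.\d{1,3}\.\d{1,3}:50503$
VectorLink2=^9\.12\.\d{1,3}\.\d{1,3}:50503$>^9\.13\.\d{1,3}\.\d{1,3}:50503$
"""

Rule = namedtuple("Rule", "name chain protocol links")

def load_rules(text):
    """Read each [Item] into a Rule with compiled (source, destination) regex pairs."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    rules = []
    for name in cp.sections():
        links = []
        for key, value in cp[name].items():      # configparser lower-cases keys
            if key.startswith("vectorlink"):
                src, sep, dst = value.partition(">")
                if not sep:
                    raise ValueError(f"{name}.{key}: missing '>' separator")
                links.append((re.compile(src), re.compile(dst)))
        chain = [int(n, 16) for n in cp[name]["chainofparser"].split(",")]
        rules.append(Rule(name, chain, cp[name]["protocoltype"].upper(), links))
    return rules

def lookup(rules, protocol, src_ip, src_port, dst_ip, dst_port):
    """Return the first Rule whose link matches in this direction, else None."""
    # \d{1,3} also matches octets like 999, so reject malformed addresses first.
    ipaddress.ip_address(src_ip)
    ipaddress.ip_address(dst_ip)
    src, dst = f"{src_ip}:{src_port}", f"{dst_ip}:{dst_port}"
    for rule in rules:
        if rule.protocol == protocol.upper() and any(
                s.fullmatch(src) and d.fullmatch(dst) for s, d in rule.links):
            return rule
    return None

# Constructed toy frame (not a real railway protocol):
# 2-byte sequence number | 1-byte message type | body | 1-byte additive checksum
def build_frame(seq, msg_type, body):
    raw = seq.to_bytes(2, "big") + bytes([msg_type]) + body
    return raw + bytes([sum(raw) % 256])

def parse_secure(data):
    """Toy secure communication layer: verify checksum, strip header and trailer."""
    if len(data) < 3 or sum(data[:-1]) % 256 != data[-1]:
        raise ValueError("secure layer: bad length or checksum")
    return {"seq": int.from_bytes(data[:2], "big")}, data[2:-1]

def make_app_parser(msg_type):
    def parse_app(data):
        if len(data) < 2 or data[0] != msg_type:
            raise ValueError("application layer: unexpected message type")
        return {"msg_type": data[0], "body": data[1:].hex()}, b""
    return parse_app

# Assumption: the first number in ChainOfParser is the secure communication layer.
PARSERS = {0x03010101: parse_secure,
           0x10070C21: make_app_parser(0x21),
           0x10070C31: make_app_parser(0x31)}

def run_chain(chain, data):
    """Call the parsers in order; each consumes its layer and returns the rest."""
    layers = {}
    for number in chain:
        if number not in PARSERS:
            raise ValueError(f"no parser registered for 0x{number:08X}")
        fields, data = PARSERS[number](data)
        layers[f"0x{number:08X}"] = fields
    return layers

def parse_packet(rules, protocol, src_ip, src_port, dst_ip, dst_port, payload):
    rule = lookup(rules, protocol, src_ip, src_port, dst_ip, dst_port)
    candidates = [rule] if rule else rules   # no mapping: try every item in order
    for cand in candidates:
        try:
            return {"item": cand.name, "mapped": rule is not None,
                    "layers": run_chain(cand.chain, payload)}
        except ValueError:
            continue
    return {"item": None, "mapped": rule is not None, "layers": None,
            "error": "no configured parser chain could parse the data"}
```

Results reached through the fallback path carry `mapped: False`, so traffic on links that the configuration file does not list stands out from traffic on expected links.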
In this embodiment of the present invention, as an optional embodiment, the method further includes:
and pushing the analysis result to a preset user by using mobility information.
In the embodiment of the invention, the analysis result is sent to the corresponding user through the mobility information, so that the user can acquire the analysis information in time, the operation of the CBTC system is monitored according to the analysis information, and the CBTC system is processed in time when the operation abnormity is found.
In the embodiment of the invention, the link information of the byte stream corresponding to the rail transit data is obtained and used to query the mapping relationship between link information and protocol parsers, so that the matching protocol parser is automatically recommended and selected for the byte stream. The rail transit data is then parsed automatically with the obtained protocol parser, so that the parsing efficiency and the parsing success rate are high.
In the embodiment of the invention, a correct protocol analyzer is selected to analyze the rail transit data packet according to the mapping relation between the link information and the protocol analyzer.
Fig. 2 is a schematic structural diagram illustrating an apparatus for analyzing rail transit data based on link mapping according to an embodiment of the present invention. As shown in fig. 2, the rail transit data is obtained by encapsulating based on a secure communication layer protocol and an application layer protocol, and the apparatus includes:
the data capturing module 201 is used for capturing rail transit data transmitted by a communication-based train control system through a network by using a packet capturing tool;
in the embodiment of the present invention, as an optional embodiment, the packet capturing tool includes but is not limited to: Wireshark, ipool.
A link information obtaining module 202, configured to perform transport layer, network layer and network interface layer analysis on the rail transit data by using the packet capturing tool, and obtain unresolved data and link information of the rail transit data, where the link information includes: a source IP address, a source port, a destination IP address, a destination port;
in the embodiment of the invention, the packet capturing tool parses the captured rail transit data according to the TCP/IP protocol, and the part of the rail transit data that it cannot parse, namely the unresolved data, is parsed by the device of the embodiment of the invention.
In the embodiment of the invention, Wireshark is used to resolve the IP addresses (the source IP address and the destination IP address of the byte stream) from the network layer and the ports (the source port and the destination port of the byte stream) from the TCP/UDP layer.
The resolver query module 203 is configured to query a pre-stored configuration file, and obtain a protocol resolver mapped by the source IP address, the source port, the destination IP address, and the destination port;
in the embodiment of the present invention, the configuration file includes a plurality of mapping relationships, and each mapping relationship includes: source IP address, source port, destination IP address, destination port, and protocol resolvers to which they map.
And the data analysis module 204 is configured to invoke the obtained protocol analyzer to analyze the unresolved data.
In this embodiment of the present invention, as an optional embodiment, the data parsing module 204 includes:
a secure communication layer parsing unit (not shown in the figure) for calling a secure communication layer protocol parser in the obtained protocol parsers, and parsing the unresolved data to obtain secure communication data and application layer data;
and the application layer analysis unit is used for calling an application layer protocol analyzer in the obtained protocol analyzers to analyze the data of the application layer to obtain the application data.
In this embodiment of the present invention, as an optional embodiment, the apparatus further includes:
a configuration file constructing module (not shown in the figure) for acquiring the secure communication layer protocols and the application layer protocols, setting a corresponding secure communication layer protocol parser for each secure communication layer protocol, and setting a corresponding application layer protocol parser for each application layer protocol;
constructing a configuration file, wherein the configuration file comprises a plurality of set mapping relations, and each mapping relation comprises: source IP address, source port, destination IP address, destination port, and protocol resolvers to which they map.
In the embodiment of the present invention, the mapping relationship in the configuration file may be a corresponding relationship between the link information and the protocol parser, or may be a regular expression relationship between the link information and the protocol parser.
In this embodiment, as another optional embodiment, the apparatus further includes:
the mapping relation generating module is used for acquiring a first protocol of the data transmitting subsystem for packaging and transmitting data and a second protocol of the data receiving subsystem for analyzing and receiving data aiming at the data transmitting subsystem and the data receiving subsystem for data transmission in the communication-based train control system;
determining an analysis protocol used by the data receiving subsystem for analyzing the data sent by the data sending subsystem based on the first protocol, the second protocol and the received data of the data receiving subsystem;
and according to the source IP address and the source port of the data sending subsystem and the target IP address and the target port of the data receiving subsystem, constructing a mapping relation between the source IP address, the source port, the target IP address and the target port and a protocol analyzer corresponding to the analysis protocol.
In the embodiment of the invention, the mapping relation is related to the transmission direction of the byte stream of the data.
In this embodiment, as a further optional embodiment, the apparatus further includes:
and the query processing module is used for calling protocol resolvers in the configuration file in sequence to resolve the unresolved data if the protocol resolvers mapped by the source IP address, the source port, the destination IP address and the destination port are not obtained from the configuration file.
In the embodiment of the invention, if all protocol analyzers in the configuration file cannot successfully analyze the unanalyzed data, the failure of analysis is displayed, and corresponding failure prompt information is given.
As shown in fig. 3, an embodiment of the present application provides a computer device 300, configured to execute the method for analyzing rail transit data based on link mapping in fig. 1, where the device includes a memory 301, a processor 302, and a computer program stored on the memory 301 and executable on the processor 302, where the processor 302 implements the steps of the method for analyzing rail transit data based on link mapping when executing the computer program.
Specifically, the memory 301 and the processor 302 can be a general-purpose memory and processor, which are not specifically limited here, and when the processor 302 runs the computer program stored in the memory 301, the method for analyzing rail transit data based on link mapping can be performed.
Corresponding to the method for analyzing rail transit data based on link mapping in fig. 1, an embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, performs the steps of the method for analyzing rail transit data based on link mapping.
Specifically, the storage medium can be a general-purpose storage medium, such as a removable disk, a hard disk, or the like, and when the computer program on the storage medium is executed, the method for analyzing rail transit data based on link mapping can be performed.
In the embodiments provided in the present application, it should be understood that the disclosed system and method may be implemented in other ways. The above-described system embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and there may be other divisions in actual implementation, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of systems or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments provided in the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus once an item is defined in one figure, it need not be further defined and explained in subsequent figures, and moreover, the terms "first", "second", "third", etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present application, used to illustrate the technical solutions of the present application rather than to limit them, and the scope of the present application is not limited thereto. Although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can, within the technical scope disclosed in the present application, modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the present disclosure and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (5)

1. A method for analyzing rail transit data based on link mapping is characterized in that the rail transit data is obtained by encapsulation based on a secure communication layer protocol and an application layer protocol, and comprises the following steps:
capturing rail transit data transmitted by a communication-based train control system through a network by using a packet capturing tool;
analyzing a transport layer, a network layer and a network interface layer of the rail transit data by using the packet capturing tool, and acquiring unanalyzed data and link information of the rail transit data, wherein the link information comprises: a source IP address, a source port, a destination IP address, a destination port;
inquiring a pre-stored configuration file, and acquiring a protocol resolver mapped by the source IP address, the source port, the destination IP address and the destination port;
calling the obtained protocol analyzer to analyze the unresolved data;
the step of calling the acquired protocol analyzer to analyze the unresolved data comprises the following steps:
calling a secure communication layer protocol analyzer in the obtained protocol analyzers, and analyzing the unresolved data to obtain secure communication data and application layer data;
calling an application layer protocol analyzer in the obtained protocol analyzers to analyze the data of the application layer to obtain application data;
after the safe communication data and the application data are obtained, the safe communication data and the application data are combined to obtain an analysis result of the rail transit data;
the method further comprises the following steps:
acquiring a secure communication layer protocol and an application layer protocol, setting a corresponding secure communication layer protocol resolver for each secure communication layer protocol, and setting a corresponding application layer protocol resolver for each application layer protocol;
constructing a configuration file, wherein the configuration file comprises a plurality of set mapping relations, and each mapping relation comprises: the source IP address, the source port, the destination IP address, the destination port and the protocol resolver mapped by the source IP address, the source port, the destination IP address and the destination port;
setting the mapping relation, including:
aiming at a data sending subsystem and a data receiving subsystem for data transmission in the communication-based train control system, acquiring a first protocol of the data sending subsystem for packaging and sending data, and a second protocol of the data receiving subsystem for analyzing and receiving data;
determining an analysis protocol used by the data receiving subsystem for analyzing the data sent by the data sending subsystem based on the first protocol, the second protocol and the received data of the data receiving subsystem;
and according to the source IP address and the source port of the data sending subsystem and the target IP address and the target port of the data receiving subsystem, constructing a mapping relation between the source IP address, the source port, the target IP address and the target port and a protocol analyzer corresponding to the analysis protocol.
2. The method of claim 1, further comprising:
if the protocol resolvers mapped by the source IP address, the source port, the destination IP address and the destination port are not obtained from the configuration file, the protocol resolvers in the configuration file are sequentially called to resolve the unresolved data.
3. A device for analyzing rail transit data based on link mapping is characterized in that the rail transit data is obtained by encapsulation based on a secure communication layer protocol and an application layer protocol, and the device comprises:
the data capturing module is used for capturing rail transit data transmitted by the train control system based on communication through a network by using a packet capturing tool;
a link information obtaining module, configured to perform transport layer, network layer and network interface layer analysis on the rail transit data by using the packet capturing tool, and obtain unanalyzed data and link information of the rail transit data, where the link information includes: a source IP address, a source port, a destination IP address, a destination port;
the resolver query module is used for querying a pre-stored configuration file and acquiring a protocol resolver mapped by the source IP address, the source port, the destination IP address and the destination port;
the data analysis module is used for calling the acquired protocol analyzer to analyze the unresolved data;
the step of calling the acquired protocol analyzer to analyze the unresolved data comprises the following steps:
calling a secure communication layer protocol analyzer in the obtained protocol analyzers, and analyzing the unresolved data to obtain secure communication data and application layer data;
calling an application layer protocol analyzer in the obtained protocol analyzers to analyze the data of the application layer to obtain application data;
after the safe communication data and the application data are obtained, the safe communication data and the application data are combined to obtain an analysis result of the rail transit data;
the configuration file construction module is used for acquiring the secure communication layer protocols and the application layer protocols, setting a corresponding secure communication layer protocol parser for each secure communication layer protocol, and setting a corresponding application layer protocol parser for each application layer protocol;
constructing a configuration file, wherein the configuration file comprises a plurality of set mapping relations, and each mapping relation comprises: the source IP address, the source port, the destination IP address, the destination port and the protocol resolver mapped by the source IP address, the source port, the destination IP address and the destination port;
the mapping relation generating module is used for acquiring a first protocol of the data transmitting subsystem for packaging and transmitting data and a second protocol of the data receiving subsystem for analyzing and receiving data aiming at the data transmitting subsystem and the data receiving subsystem for data transmission in the communication-based train control system;
determining an analysis protocol used by the data receiving subsystem for analyzing the data sent by the data sending subsystem based on the first protocol, the second protocol and the received data of the data receiving subsystem;
and according to the source IP address and the source port of the data sending subsystem and the target IP address and the target port of the data receiving subsystem, constructing a mapping relation between the source IP address, the source port, the target IP address and the target port and a protocol analyzer corresponding to the analysis protocol.
4. A computer device, comprising: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating over the bus when the computer device is run, the machine-readable instructions when executed by the processor performing the steps of the method for analyzing rail transit data based on link mapping of claim 1 or 2.
5. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method for analyzing rail transit data based on link mapping according to claim 1 or 2.
CN202011250296.4A 2020-11-11 2020-11-11 Method and device for analyzing rail transit data based on link mapping Active CN112104670B (en)

Publications (2)

Publication Number Publication Date
CN112104670A CN112104670A (en) 2020-12-18
CN112104670B true CN112104670B (en) 2021-02-26
