CN113067810A - Network packet capturing method, device, equipment and medium - Google Patents


Info

Publication number
CN113067810A
Authority
CN
China
Legal status
Granted
Application number
CN202110283492.XA
Other languages
Chinese (zh)
Other versions
CN113067810B (en)
Inventor
翁佳林
陈景雄
王玺
Current Assignee
Guangzhou Huya Technology Co Ltd
Original Assignee
Guangzhou Huya Technology Co Ltd

Classifications

    • H04L69/22 Parsing or analysis of headers
    • H04L41/14 Network analysis or design
    • H04L43/50 Testing arrangements
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture; specification of modified or new header fields involving adaptations of socket-based mechanisms
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

Embodiments of the invention disclose a network packet capturing method, device, equipment and medium. The method comprises the following steps: acquiring the network data packets captured on a network card; regularly acquiring socket information related to a designated process; and filtering the network data packets according to the socket information to obtain the packets belonging to the designated process. The scheme achieves effective network packet capture for a designated process without prior knowledge of the characteristics of that process.

Description

Network packet capturing method, device, equipment and medium
Technical Field
Embodiments of the invention relate to the technical field of networks, in particular to a network packet capturing method, device, equipment and medium.
Background
Network packet capture has become an important means of analyzing and debugging network protocols and of detecting network security issues. A packet capturing tool captures the data packets transmitted on the host network and either stores them persistently or displays and analyzes them in real time. Common packet analyzers, intrusion detection systems, and traffic recording and replay systems all depend on reliable packet capturing tools, but current tools cannot capture packets directly for a given process, which is a major bottleneck when analyzing the data packets of a process.
Currently, when capturing packets on a host network card, some network-layer filtering rules, such as IP (Internet Protocol) address or port filters, may be set before capture begins. If the listening port of the designated process and the remote IP addresses and ports it requests are known in advance, some of the process's data packets can be captured by setting the corresponding IP address and port filtering rules.
If the listening port of the designated process and the remote IP addresses and ports it requests are unknown, its data packets cannot be captured by setting network-layer filtering rules; if the designated process changes its listening port or the remote IP address and port it requests while running, the filtering rules set before capture become invalid and valid network data packets can no longer be captured; and if other processes on the host request the same remote IP address and port as the designated process, their packets are captured together with the outbound packets of the designated process. How to capture packets effectively for a designated process without knowing its characteristics is therefore an urgent problem to be solved.
Disclosure of Invention
Embodiments of the present invention provide a method, an apparatus, a device, and a medium for network packet capturing, so as to capture packets effectively for a specified process without knowing the characteristics of that process.
In a first aspect, an embodiment of the present invention provides a network packet capturing method, including:
acquiring the network data packets captured on a network card;
regularly acquiring socket information related to a designated process;
and filtering the network data packets according to the socket information to obtain the packets belonging to the specified process.
In a second aspect, an embodiment of the present invention further provides a network packet capturing device, including:
a network card data packet acquisition module, used for acquiring the network data packets captured on a network card;
a socket information timing acquisition module, used for acquiring socket information related to the specified process at fixed intervals;
and a network data packet filtering module, used for filtering the network data packets according to the socket information to obtain the packets belonging to the specified process.
In a third aspect, an embodiment of the present invention further provides a computer device, including:
one or more processors; and
a memory for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the network packet capturing method of any embodiment.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the network packet capturing method of any embodiment.
In the technical scheme provided by the embodiments of the invention, when capturing packets for a specified process, socket information related to that process is obtained at regular intervals, and the network data packets captured on the network card are filtered according to this socket information, so that the packets belonging to the specified process are obtained. Because the socket information used for filtering is tied to the designated process and is refreshed regularly, packets belonging to other processes are not selected, and capture does not become invalid when the designated process changes its listening port or the remote IP address and port it requests while running. Effective packet capture for the designated process is thus performed without prior knowledge of the process's characteristics.
Drawings
Fig. 1 is a flowchart of a network packet capturing method according to an embodiment of the present invention;
Fig. 2 is a flowchart of a network packet capturing method according to a second embodiment of the present invention;
Fig. 3 is a flowchart of a network packet capturing method according to a third embodiment of the present invention;
Fig. 4 is a schematic block diagram of a network packet capturing apparatus according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a network packet capturing method according to an embodiment of the present invention. This embodiment is applicable to the case of performing network packet capture for a specified process. The method may be executed by a network packet capturing apparatus according to any embodiment of the present invention; the apparatus may be composed of hardware and/or software and is generally integrated in a computer device.
As shown in fig. 1, the network packet capturing method provided in this embodiment includes the following steps:
S110, acquiring the network data packets captured on the network card.
Packet capturing refers to operations such as intercepting and recording the data packets sent and received over a network.
Packet capture is performed on the entire host network card with a preset packet capturing tool; the data packets obtained are the network data packets captured on the network card. After capture on the whole host network card, the captured packets may be temporarily stored in a memory buffer.
Optionally, a packet capturing tool such as tcpdump or Wireshark is used to capture packets for the whole host network card.
In an optional implementation of this embodiment, the TCP (Transmission Control Protocol) data packets on the host network card may be captured through pcap (packet capture) and temporarily stored in a memory buffer.
In the field of computer networks, pcap is an application programming interface for capturing network traffic. Different operating systems implement pcap with different libraries, such as libpcap for UNIX-like systems and WinPcap for Windows.
S120, regularly acquiring socket information related to the designated process.
A process is a program running in a computer; multiple processes can run simultaneously on one host. The designated process is the process whose network data packets need to be captured.
A socket is an abstraction of an endpoint for bidirectional communication between application processes on different hosts in a network. A socket is the end point of a process's communication over the network and provides the mechanism by which application-layer processes exchange data using a network protocol. Structurally, a socket connects the application process above to the network protocol stack below; it is the interface through which an application communicates via network protocols. In this embodiment, a socket refers to a TCP socket.
Optionally, the socket information related to the specified process is obtained based on the inode numbers of its sockets.
Although the operating system maintains no direct association between a socket and a process, the inode number of the socket can serve as an intermediary for establishing that association. An inode is a data structure used in many Unix-like file systems to describe file system objects (including files, directories, device files, sockets, pipes, etc.); the inode number is the value by which the file system uniquely identifies an inode.
A list of socket inode numbers related to the specified process is acquired, and the socket information corresponding to that list is taken as the socket information related to the specified process.
As an optional implementation, obtaining the socket information related to the specified process may specifically be: obtaining the socket information through the process file system procfs, based on the inode numbers of the sockets.
procfs, a special file system within UNIX-like systems, serves as an interface to internal data structures of the operating system kernel. Information about the operating system can be obtained through procfs, and certain kernel parameters can be changed at runtime.
In this embodiment, the TCP socket information related to the specified process is obtained through procfs and used as the condition for filtering network packets. Specifically, the list of socket inode numbers related to the specified process is first obtained from the directory /proc/<process ID>/fd through procfs, and then the TCP socket information related to that list of inode numbers is obtained as the TCP socket information of the specified process.
Further, as an optional implementation, obtaining the socket information related to the specified process through procfs based on the socket inode numbers may specifically be:
acquiring the socket information related to the specified process based on the socket inode numbers by combining Netlink with procfs.
To improve the efficiency of acquiring the socket information related to the specified process, the TCP socket information may be acquired using procfs and Netlink together.
Netlink is a communication mechanism provided by Linux between the kernel and user-mode processes, designed for transmitting network-related information between them.
In this embodiment, the list of socket inode numbers related to the specified process is first obtained from the directory /proc/<process ID>/fd through procfs, and then the TCP socket information related to that list is obtained through Netlink.
Acquiring the TCP socket information related to the designated process must be executed periodically, so that the information is updated in time when the designated process changes its listening port or the remote IP address and port it requests.
As an alternative implementation, the execution interval for regularly acquiring the socket information related to the designated process is less than twice the Maximum Segment Lifetime (MSL).
MSL is the longest time a TCP segment can remain in the network; beyond it the segment is discarded. The MSL duration is determined by the specific UNIX implementation and is generally between 30 seconds and 2 minutes.
Because a TCP socket enters the TIME_WAIT state for a duration of 2 × MSL after the client disconnects, when the execution interval for regularly acquiring the socket information related to the designated process is within 2 × MSL, it can be ensured that no network data packets are lost.
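One polling round of step S120 together with the state screening of S230, written as an added example (this is not the patent's code): socket inodes are read from the fd symlink targets, joined with the rows of /proc/net/tcp, and only the five states the patent keeps survive. The /proc contents are constructed samples; the `previously_owned` argument is an assumption of this example, added because a TIME_WAIT row carries inode 0 and can only be attributed to the process through a socket seen in an earlier round, which is the practical reason for polling more often than 2 × MSL.

```python
import re
import socket
import struct
from dataclasses import dataclass

# TCP state codes of the "st" column in /proc/net/tcp (Linux tcp_states.h).
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}
# The states the patent keeps as "target socket information" (S230 / S330).
TARGET_STATES = {"LISTEN", "ESTABLISHED", "FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT"}


@dataclass(frozen=True)
class TcpSocket:
    inode: int
    state: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int

    @property
    def four_tuple(self):
        return (self.local_ip, self.local_port, self.remote_ip, self.remote_port)


# Constructed sample: symlink targets of /proc/<pid>/fd/* for the designated process.
SAMPLE_FD_LINKS = [
    "/dev/null", "pipe:[9001]", "socket:[41001]", "socket:[41002]",
    "socket:[41003]", "socket:[41004]", "anon_inode:[eventpoll]",
]
# Constructed sample of /proc/net/tcp. Addresses are hex in host byte order
# (little-endian on x86). Inode 0 on the TIME_WAIT row is how the kernel really
# reports it: a TIME_WAIT socket no longer belongs to any file descriptor.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41001 1 0 100 0 0 10 0
   1: 0100007F:C8A4 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 41002 1 0 20 4 30 10 -1
   2: 0A00000A:D2B6 5DB8D822:01BB 06 00000000:00000000 03:00001234 00000000     0        0 0 3 0 0 0 0 0 0
   3: 0A00000A:D2C0 5DB8D822:01BB 08 00000000:00000000 00:00000000 00000000  1000        0 41003 1 0 20 4 30 10 -1
   4: 0A00000A:D2D1 5DB8D822:0050 01 00000000:00000000 00:00000000 00000000     0        0 55555 1 0 20 4 30 10 -1
"""


def socket_inodes_from_fd_links(links):
    """S120, first step: collect socket inode numbers from the fd symlink targets."""
    inodes = set()
    for target in links:
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            inodes.add(int(m.group(1)))
    return inodes


def decode_addr(hex_addr):
    """'0100007F:1F90' -> ('127.0.0.1', 8080)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp rows into TcpSocket records (the procfs path of S120;
    Netlink sock_diag returns the same fields, only faster and in binary form)."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":
            continue
        lip, lport = decode_addr(fields[1])
        rip, rport = decode_addr(fields[2])
        state = TCP_STATES.get(int(fields[3], 16), "UNKNOWN")
        sockets.append(TcpSocket(int(fields[9]), state, lip, lport, rip, rport))
    return sockets


def target_sockets(fd_links, proc_net_tcp_text, previously_owned=frozenset()):
    """One polling round of S120 + S230: join the process's inodes with the TCP
    table and keep only TARGET_STATES. previously_owned holds the 4-tuples of
    sockets seen in earlier rounds (assumption of this example); it is what lets
    a TIME_WAIT row (inode 0) still be attributed to the process."""
    inodes = socket_inodes_from_fd_links(fd_links)
    result = []
    for s in parse_proc_net_tcp(proc_net_tcp_text):
        owned = s.inode in inodes or (s.inode == 0 and s.four_tuple in previously_owned)
        if owned and s.state in TARGET_STATES:
            result.append(s)
    return result


if __name__ == "__main__":
    first_round = target_sockets(SAMPLE_FD_LINKS, SAMPLE_PROC_NET_TCP)
    print(first_round)  # LISTEN 8080 and ESTABLISHED 51364; CLOSE_WAIT and inode 55555 dropped
    # Second round: the TIME_WAIT connection is attributed via its remembered 4-tuple.
    remembered = {s.four_tuple for s in first_round} | {("10.0.0.10", 53942, "34.216.184.93", 443)}
    print(target_sockets(SAMPLE_FD_LINKS, SAMPLE_PROC_NET_TCP, remembered))
```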
S130, filtering the network data packets according to the socket information to obtain the packets belonging to the specified process.
The socket information related to the specified process, acquired at regular intervals, is used as the condition for filtering and screening the network data packets captured on the host network card.
If the characteristics of a network data packet match the information provided by a TCP socket related to the specified process, the packet can be determined to belong to that process. The characteristics of a packet here are mainly its IP information and port information. For each packet captured on the network card, the IP and port information is parsed and compared with the information provided by the TCP sockets of the specified process according to a preset rule; if the comparison matches, the packet is determined to belong to the specified process.
Network packets belonging to a given process may be divided into inbound and outbound packets. An inbound packet is one exchanged while the process acts as a server communicating with a client; an outbound packet is one exchanged while the process acts as a client communicating with a remote service.
Optionally, the inbound packets (including request and response packets) of the specified process are screened according to the TCP sockets in the LISTEN state, and the outbound packets (including request and response packets) of the specified process are screened according to the TCP sockets in the ESTABLISHED, FIN_WAIT1, FIN_WAIT2 and TIME_WAIT states.
The network data packets belonging to the designated process can thus be screened out and stored in a local file or transmitted to remote storage for subsequent analysis, for example traffic replay or real-time display and analysis, so that testers can debug network problems; packet capture for the designated process is thereby realized.
Example two
Fig. 2 is a flowchart of a network packet capturing method according to a second embodiment of the present invention. This embodiment builds on the embodiment above; here, filtering the network data packets according to the socket information to obtain the packets belonging to the designated process may specifically be:
screening out the target socket information whose states are LISTEN, ESTABLISHED, FIN_WAIT1, FIN_WAIT2 and TIME_WAIT;
and filtering the network data packets according to the target socket information to obtain the packets belonging to the specified process.
As shown in fig. 2, the network packet capturing method provided in this embodiment includes the following steps:
S210, acquiring the network data packets captured on the network card.
S220, regularly acquiring the TCP socket information related to the specified process.
S230, screening out the target TCP socket information whose states are LISTEN, ESTABLISHED, FIN_WAIT1, FIN_WAIT2 and TIME_WAIT.
After the TCP socket information related to the specified process is acquired regularly, it is screened, and the socket information in the LISTEN, ESTABLISHED, FIN_WAIT1, FIN_WAIT2 and TIME_WAIT states is kept as the target TCP socket information for filtering the captured network data packets.
S240, filtering the network data packets according to the target TCP socket information to obtain the packets belonging to the specified process.
Within the target TCP socket information, the sockets in the LISTEN state are used to filter inbound request/response packets, and the sockets in the non-LISTEN states are used to filter outbound request/response packets. The non-LISTEN states comprise ESTABLISHED, FIN_WAIT1, FIN_WAIT2 and TIME_WAIT.
As an optional implementation, filtering the network data packets according to the target socket information to obtain the packets belonging to the specified process includes:
if the source port of a target data packet among the network data packets is the same as the destination port of target socket information in the LISTEN state, and the source IP address of the target data packet is the same as the IP address of the host, determining that the target data packet is an inbound packet of the specified process;
and if the destination port of the target data packet is the same as the destination port of target socket information in the LISTEN state, and the destination IP address of the target data packet is the same as the IP address of the host, determining that the target data packet is an inbound packet of the specified process.
As another optional implementation, filtering the network data packets according to the target socket information to obtain the packets belonging to the designated process includes:
if the source port of a target data packet among the network data packets is the same as the source port of target socket information in a non-LISTEN state, and the source IP address of the target data packet is the same as the IP address of the host, determining that the target data packet is an outbound packet of the specified process;
and if the destination port of the target data packet is the same as the source port of target socket information in a non-LISTEN state, and the destination IP address of the target data packet is the same as the IP address of the host, determining that the target data packet is an outbound packet of the specified process.
The target data packet mentioned above is any one of the network data packets captured on the host network card, specifically any one of the captured TCP data packets.
For each captured TCP data packet, its IP and port information is parsed, namely the source IP address, source port, destination IP address and destination port. Whether the packet is an inbound packet of the specified process is then judged from its source IP address and source port (or its destination IP address and destination port) together with the destination port of the LISTEN-state TCP sockets and the host IP address; whether it is an outbound packet of the specified process is judged from its source IP address and source port (or its destination IP address and destination port) together with the source port of the non-LISTEN-state TCP sockets and the host IP address.
If the source port of the TCP data packet is the same as the destination port of a TCP socket in the LISTEN state, and the source IP address of the packet is the same as the IP address of the host, the packet is determined to be an inbound packet of the specified process; if the destination port of the packet is the same as the destination port of a TCP socket in the LISTEN state, and the destination IP address of the packet is the same as the IP address of the host, the packet is likewise determined to be an inbound packet of the specified process.
If the source port of the TCP data packet is the same as the source port of a TCP socket in a non-LISTEN state, and the source IP address of the packet is the same as the IP address of the host, the packet is determined to be an outbound packet of the specified process; if the destination port of the packet is the same as the source port of a TCP socket in a non-LISTEN state, and the destination IP address of the packet is the same as the IP address of the host, the packet is likewise determined to be an outbound packet of the specified process.
A TCP packet that is neither an outbound nor an inbound packet of the specified process may be discarded directly.
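The per-packet decision of S240 (and of S350 to S390 in the third embodiment), as an added example that is not the patent's code, run over constructed packets and placed beside the traditional remote IP:port filter the patent contrasts it with. Host IPs, the target sockets and the packets are constructed samples; `SockInfo.local_port` stands for what the text calls the "destination port" of a LISTEN socket and the "source port" of a non-LISTEN socket.

```python
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SockInfo(NamedTuple):
    state: str       # LISTEN, ESTABLISHED, FIN_WAIT1, FIN_WAIT2 or TIME_WAIT
    local_port: int  # "destination port" of a LISTEN socket / "source port" of a non-LISTEN one


def classify_packet(pkt, host_ips, sockets) -> Optional[str]:
    """S350-S390 for one captured packet: 'inbound', 'outbound' or None (discard).
    A packet is the process's when one of its ends is (host IP, local port of a
    target socket of the process)."""
    listen_ports = {s.local_port for s in sockets if s.state == "LISTEN"}
    conn_ports = {s.local_port for s in sockets if s.state != "LISTEN"}
    src_local = pkt.src_ip in host_ips
    dst_local = pkt.dst_ip in host_ips
    # S350 + S360: LISTEN sockets identify inbound requests and their responses.
    if (src_local and pkt.src_port in listen_ports) or (dst_local and pkt.dst_port in listen_ports):
        return "inbound"
    # S390 + S360: non-LISTEN sockets identify outbound requests and their responses
    # by the local port, so another process talking to the same remote IP:port
    # from its own source port does not match.
    if (src_local and pkt.src_port in conn_ports) or (dst_local and pkt.dst_port in conn_ports):
        return "outbound"
    return None  # S380: discard


def remote_endpoint_filter(pkt, remote_ip, remote_port) -> bool:
    """The traditional network-layer filter the patent contrasts with (the
    equivalent of 'host REMOTE and port PORT'): it cannot tell local processes apart."""
    return ((pkt.dst_ip, pkt.dst_port) == (remote_ip, remote_port)
            or (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port))


def filter_capture(packets, host_ips, sockets):
    """Partition a captured buffer (S340) into the process's inbound and outbound packets."""
    kept = {"inbound": [], "outbound": []}
    for p in packets:
        kind = classify_packet(p, host_ips, sockets)
        if kind is not None:
            kept[kind].append(p)
    return kept


# Constructed sample. The designated process listens on 8080 and has one
# connection to 34.216.184.93:443 from local port 53942 (plus one in TIME_WAIT);
# an unrelated process on the same host talks to the same remote from port 60001.
HOST_IPS = {"10.0.0.10", "127.0.0.1"}
TARGET_SOCKETS = [SockInfo("LISTEN", 8080), SockInfo("ESTABLISHED", 53942),
                  SockInfo("TIME_WAIT", 53950)]
SAMPLE_PACKETS = [
    Packet("203.0.113.5", 40000, "10.0.0.10", 8080),    # inbound request
    Packet("10.0.0.10", 8080, "203.0.113.5", 40000),    # inbound response
    Packet("10.0.0.10", 53942, "34.216.184.93", 443),   # outbound request
    Packet("34.216.184.93", 443, "10.0.0.10", 53942),   # outbound response
    Packet("34.216.184.93", 443, "10.0.0.10", 53950),   # late segment to the TIME_WAIT socket
    Packet("10.0.0.10", 60001, "34.216.184.93", 443),   # other process, same remote endpoint
    Packet("203.0.113.5", 40000, "10.0.0.10", 22),      # another process's listener
]


def misattributed_by_remote_filter(packets=SAMPLE_PACKETS):
    """Packets the remote IP:port filter would keep but the socket filter discards."""
    return [p for p in packets
            if remote_endpoint_filter(p, "34.216.184.93", 443)
            and classify_packet(p, HOST_IPS, TARGET_SOCKETS) is None]


if __name__ == "__main__":
    for kind, pkts in filter_capture(SAMPLE_PACKETS, HOST_IPS, TARGET_SOCKETS).items():
        print(kind, pkts)
    print("kept by mistake with 'host 34.216.184.93 and port 443':",
          misattributed_by_remote_filter())
```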
For those parts of this embodiment that are not explained in detail, reference is made to the aforementioned embodiments, which are not repeated herein.
In the above technical solution, the outbound packets of the designated process are identified by the source port of the TCP sockets in the non-LISTEN states, instead of the traditional method of screening by destination IP address and destination port, and the inbound packets of the designated process are identified by the destination port of the TCP sockets in the LISTEN state. Because different processes cannot occupy the same TCP socket source port at the same time, the problem of mistakenly capturing other processes' outbound packets is solved; and because different processes cannot occupy the same TCP socket destination port at the same time, the problem of mistakenly capturing other processes' inbound packets is solved.
Example three
Fig. 3 is a flowchart of a network packet capturing method according to a third embodiment of the present invention. The present embodiment provides a specific implementation manner based on the above-mentioned embodiments.
As shown in fig. 3, the network packet capturing method provided in this embodiment includes the following steps:
S310, capturing the TCP data packets on the host network card through pcap and temporarily storing them in the memory buffer.
S320, acquiring the TCP socket information related to the specified process through procfs and Netlink at a fixed interval shorter than 2 × MSL.
The list of socket inode numbers related to the specified process is first obtained from the directory /proc/<process ID>/fd through procfs, and then the TCP socket information related to that list is obtained through Netlink.
S330, screening out from the TCP socket information the target TCP socket information whose states are LISTEN, ESTABLISHED, FIN_WAIT1, FIN_WAIT2 and TIME_WAIT.
S340, parsing the source IP address, source port, destination IP address and destination port of each TCP data packet in the memory buffer.
S350, judging whether the source port or the destination port is the same as the destination port of a TCP socket in the LISTEN state; if so, executing S360, and if not, executing S390.
S360, judging whether the source IP address or the destination IP address is the same as the host IP address; if so, executing S370, and if not, executing S380.
S370, determining that the TCP data packet belongs to the designated process and retaining it.
If the source port of the TCP data packet is the same as the destination port of a TCP socket in the LISTEN state, and the source IP address of the packet is the same as the IP address of the host, the packet is determined to be an inbound packet of the specified process; if the destination port of the packet is the same as the destination port of a TCP socket in the LISTEN state, and the destination IP address of the packet is the same as the IP address of the host, the packet is likewise determined to be an inbound packet of the specified process.
If the source port of the TCP data packet is the same as the source port of a TCP socket in a non-LISTEN state, and the source IP address of the packet is the same as the IP address of the host, the packet is determined to be an outbound packet of the specified process; if the destination port of the packet is the same as the source port of a TCP socket in a non-LISTEN state, and the destination IP address of the packet is the same as the IP address of the host, the packet is likewise determined to be an outbound packet of the specified process.
Furthermore, the TCP packets belonging to the designated process may be screened out and stored in a local file or transmitted to remote storage for subsequent analysis, for example traffic replay or real-time display and analysis, so that a tester can debug network problems; packet capture for the designated process is thereby realized.
S380, determining that the TCP data packet does not belong to the designated process, and discarding it.
S390, judging whether the source port or the destination port is the same as the source port of a TCP socket in a non-LISTEN state; if so, executing S360, and if not, executing S380.
For those parts of this embodiment that are not explained in detail, reference is made to the aforementioned embodiments, which are not repeated herein.
In this technical scheme, the TCP socket information of the designated process is obtained by combining procfs and Netlink and serves as the packet filtering condition, so that the TCP data packets belonging to the designated process can be screened out without knowing the characteristics of the process in advance; the TCP socket information related to the designated process is regularly updated within 2 × MSL, which guarantees that no data packets are lost during capture; and when filtering TCP data packets, the outbound packets of the designated process are identified by the source port of the TCP sockets in the non-LISTEN states, instead of the traditional method of screening by destination IP address and destination port, while the inbound packets of the designated process are identified by the destination port of the TCP sockets in the LISTEN state. Because different processes cannot occupy the same TCP socket source port, nor the same TCP socket destination port, the problem of mistakenly capturing other processes' outbound and inbound packets is solved.
With the network packet capturing method provided by this embodiment, capturing the data packets related to a designated process is simple and requires little effort, and the method can be directly applied to scenarios such as online recording and replay of a process's traffic and real-time analysis of a process's data packets.
Example four
Fig. 4 is a schematic block diagram of a network packet capturing device according to a fourth embodiment of the present invention. This embodiment is applicable to performing network packet capture on a specific process; the device may be implemented in software and/or hardware and may generally be integrated in a computer device. As shown in Fig. 4, the device includes a network card packet obtaining module 410, a socket information timing obtaining module 420 and a network packet filtering module 430, wherein:
the network card packet obtaining module 410 is configured to obtain network packets captured on a network card;
the socket information timing obtaining module 420 is configured to obtain socket information related to a specified process at fixed intervals; and
the network packet filtering module 430 is configured to filter the network packets according to the socket information to obtain the network packets belonging to the specified process.
In the technical solution provided by this embodiment of the invention, when network packet capture is performed for a specified process, socket information related to the specified process is obtained at regular intervals, and the network packets captured on the network card are filtered according to that socket information, so that the network packets belonging to the specified process are obtained. Because the socket information used for filtering is related to the designated process and is refreshed regularly, network packets belonging to other processes are not selected, and invalid captures caused by the designated process changing its listening port, or the remote IP address and remote port it requests, while running are avoided. Effective network packet capture is therefore performed for the designated process without knowing its characteristics in advance.
Optionally, the socket information timing obtaining module 420 is specifically configured to obtain socket information related to a specified process based on an inode number of a socket.
Optionally, the socket information timing obtaining module 420 is specifically configured to obtain, by using the procfs of the process file system, socket information related to a specified process based on an inode number of the socket.
Further, the socket information timing obtaining module 420 is specifically configured to obtain, on the basis of procfs, socket information related to a specified process based on an inode number of a socket in combination with Netlink.
Optionally, the network packet filtering module 430 includes a socket information screening unit and a network packet filtering unit, wherein:
the socket information screening unit is configured to screen out target socket information whose state is LISTEN, ESTABLISHED, FIN_WAIT1, FIN_WAIT2 or TIME_WAIT; and
the network packet filtering unit is configured to filter the network packets according to the target socket information to obtain the network packets belonging to the specified process.
Further, the network packet filtering unit is specifically configured to determine that a target packet among the network packets belongs to the inbound packets of the specified process if the source port of the target packet is the same as the destination port of target socket information in the LISTEN state and the source IP address of the target packet is the same as the host IP address; and to determine that the target packet belongs to the inbound packets of the specified process if the destination port of the target packet is the same as the destination port of target socket information in the LISTEN state and the destination IP address of the target packet is the same as the host IP address.
Further, the network packet filtering unit is specifically configured to determine that a target packet among the network packets belongs to the outbound packets of the specified process if the source port of the target packet is the same as the source port of target socket information in a non-LISTEN state and the source IP address of the target packet is the same as the host IP address; and to determine that the target packet belongs to the outbound packets of the specified process if the destination port of the target packet is the same as the source port of target socket information in a non-LISTEN state and the destination IP address of the target packet is the same as the host IP address;
wherein the non-LISTEN states comprise the ESTABLISHED, FIN_WAIT1, FIN_WAIT2 and TIME_WAIT states.
Optionally, the socket information timing obtaining module 420 obtains the socket information related to the designated process periodically, with an execution interval shorter than twice the maximum segment lifetime (2 × MSL).
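The following is an added Python example, not code from the patent or its assignee, that puts the filter described in the third and fourth embodiments into runnable form: socket rows are parsed from a constructed `/proc/net/tcp` snapshot, joined with the process's socket inodes (the `socket:[N]` link targets found under `/proc/<pid>/fd`), reduced to the five target states, and each packet is then classified as inbound or outbound of the process by the port rules above. Two assumptions are mine: the LISTEN rule is matched on the listening socket's local port (the `/proc/net/tcp` remote side of a LISTEN row is always `0.0.0.0:0`), and the Netlink path is not reproduced, procfs alone supplies the rows. All addresses, ports, inode numbers and function names are constructed for the example.

```python
"""Added example (not the patent's code): process-scoped TCP packet filter
driven by /proc/net/tcp socket rows and the process's socket inodes."""
import os
import re
import socket
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# State codes of the "st" column in /proc/net/tcp.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}
# The five states kept as "target socket information" by the filter.
TARGET_STATES = {"LISTEN", "ESTABLISHED", "FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT"}


@dataclass(frozen=True)
class SockInfo:
    state: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    inode: int


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _parse_addr(field: str) -> Tuple[str, int]:
    """Decode 'AABBCCDD:PPPP': IPv4 in host byte order, port in hex."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[SockInfo]:
    """Parse /proc/net/tcp rows; the header line ('sl ...') is skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):
            continue  # header or malformed line
        lip, lport = _parse_addr(f[1])
        rip, rport = _parse_addr(f[2])
        rows.append(SockInfo(TCP_STATES.get(int(f[3], 16), "UNKNOWN"),
                             lip, lport, rip, rport, int(f[9])))
    return rows


_SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def inodes_from_fd_links(targets: Iterable[str]) -> Set[int]:
    """Socket inode numbers from readlink() results of /proc/<pid>/fd/*."""
    return {int(m.group(1)) for t in targets if (m := _SOCKET_LINK.match(t))}


def socket_inodes_of_pid(pid: int) -> Set[int]:
    """Live variant (Linux only): read the fd links of a running process.
    This is the procfs lookup; it must be re-run at an interval below 2*MSL
    so that short-lived connections are not missed."""
    fd_dir = f"/proc/{pid}/fd"
    links = []
    for name in os.listdir(fd_dir):
        try:
            links.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:
            continue  # fd closed between listdir and readlink
    return inodes_from_fd_links(links)


def target_sockets(rows: Iterable[SockInfo], proc_inodes: Set[int]) -> List[SockInfo]:
    """Keep the process's own sockets that are in one of the target states."""
    return [r for r in rows if r.inode in proc_inodes and r.state in TARGET_STATES]


def classify(pkt: Packet, socks: List[SockInfo], host_ip: str) -> Optional[str]:
    """'inbound' / 'outbound' per the port rules, None if not the process's."""
    listen_ports = {s.local_port for s in socks if s.state == "LISTEN"}
    nonlisten_ports = {s.local_port for s in socks if s.state != "LISTEN"}
    # LISTEN rule first: an accepted connection also carries the listening
    # port as its local port, and it must still count as inbound.
    if (pkt.src_port in listen_ports and pkt.src_ip == host_ip) or \
       (pkt.dst_port in listen_ports and pkt.dst_ip == host_ip):
        return "inbound"
    if (pkt.src_port in nonlisten_ports and pkt.src_ip == host_ip) or \
       (pkt.dst_port in nonlisten_ports and pkt.dst_ip == host_ip):
        return "outbound"
    return None


# Constructed snapshot: a listener on :8080 (inode 12345), an outgoing
# connection :43210 -> 93.184.216.34:443 (inode 12346), and a :22 connection
# owned by a different process (inode 999). IPv4 fields are host byte order.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0500000A:A8CA 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0500000A:0016 0901A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 999 1 0000000000000000 20 4 30 10 -1
"""
HOST_IP = "10.0.0.5"                      # constructed host address
PROC_FD_LINKS = ["/dev/null", "socket:[12345]", "socket:[12346]", "pipe:[777]"]


def demo_sockets() -> List[SockInfo]:
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    return target_sockets(rows, inodes_from_fd_links(PROC_FD_LINKS))


if __name__ == "__main__":
    socks = demo_sockets()
    for p in [Packet("192.168.1.7", 51000, HOST_IP, 8080),
              Packet(HOST_IP, 43210, "93.184.216.34", 443),
              Packet("192.168.1.9", 50000, HOST_IP, 22)]:
        print(classify(p, socks, HOST_IP), p)
```

The snapshot row for port 22 is parsed but dropped by `target_sockets` because its inode is not among the process's fd links, so the sshd packet is classified as `None` even though it is addressed to the host; this is the point of keying on inodes rather than on ports alone.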
The network packet capturing device provided by this embodiment of the invention can execute the network packet capturing method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method.
Example five
Fig. 5 is a schematic structural diagram of a computer apparatus according to a fifth embodiment of the present invention, as shown in fig. 5, the computer apparatus includes a processor 50, a memory 51, an input device 52, and an output device 53; the number of processors 50 in the computer device may be one or more, and one processor 50 is taken as an example in fig. 5; the processor 50, the memory 51, the input device 52 and the output device 53 in the computer apparatus may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 5.
The memory 51 is a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the network packet capturing method in the embodiment of the present invention (for example, the network card packet obtaining module 410, the socket information timing obtaining module 420, and the network packet filtering module 430 in the network packet capturing device in fig. 4). The processor 50 executes various functional applications and data processing of the computer device by executing software programs, instructions and modules stored in the memory 51, namely, implements the network packet capturing method described above.
The memory 51 may mainly include a storage program area and a storage data table area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data table area may store data created according to use of the computer device, and the like. Further, the memory 51 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 51 may further include memory located remotely from the processor 50, which may be connected to a computer device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 52 is operable to receive input numeric or character information and to generate key signal inputs relating to user settings and function controls of the computer apparatus. The output device 53 may include a display device such as a display screen.
Example six
An embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs a network packet capturing method comprising:
acquiring network packets captured on a network card;
acquiring, at regular intervals, socket information related to a designated process; and
filtering the network packets according to the socket information to obtain the network packets belonging to the designated process.
Of course, the computer program of the computer-readable storage medium storing the computer program provided in the embodiments of the present invention is not limited to the above method operations, and may also perform related operations in the network packet capturing method provided in any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods of the embodiments of the present invention.
It should be noted that, in the embodiment of the network packet capturing apparatus, each unit and each module included in the embodiment are only divided according to functional logic, but are not limited to the above division, as long as the corresponding function can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments illustrated herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (11)

1. A network packet capturing method, characterized by comprising the following steps:
acquiring network packets captured on a network card;
acquiring, at regular intervals, socket information related to a designated process; and
filtering the network packets according to the socket information to obtain the network packets belonging to the designated process.
2. The method of claim 1, wherein obtaining socket information associated with a given process comprises:
socket information related to a specified process is obtained based on the inode number of the socket.
3. The method of claim 2, wherein obtaining socket information related to a specified process based on an inode number of a socket comprises:
socket information related to a specified process is obtained through the Procfs of the process file system based on the inode number of the socket.
4. The method of claim 3, wherein obtaining socket information related to a specified process by a process filesystem procfs based on an inode number of a socket comprises:
and acquiring socket information related to a specified process based on the inode number of the socket by combining Netlink on the basis of procfs.
5. The method of claim 1, wherein filtering the network packets according to the socket information to obtain the network packets belonging to the designated process comprises:
screening out target socket information with states of LISTEN, ESTABLISHED, FIN _ WAIT1, FIN _ WAIT2 and TIME _ WAIT;
and filtering the network data packet according to the target socket information to obtain the network data packet belonging to the specified process.
6. The method of claim 5, wherein filtering the network packets according to the target socket information to obtain the network packets belonging to the designated process comprises:
if the source port of a target data packet in the network data packet is the same as the destination port of the target socket information in the LISTEN state, and the source IP address of the target data packet is the same as the IP address of the host, determining that the target data packet belongs to the inbound data packet of the specified process;
and if the destination port of the target data packet is the same as the destination port of the target socket information in the LISTEN state, and the destination IP address of the target data packet is the same as the IP address of the host, determining that the target data packet belongs to the inbound data packet of the specified process.
7. The method of claim 5, wherein filtering the network packets according to the target socket information to obtain the network packets belonging to the designated process comprises:
if the source port of a target data packet in the network data packet is the same as the source port of target socket information in a non-LISTEN state, and the source IP address of the target data packet is the same as the IP address of a host, determining that the target data packet belongs to an outbound data packet of the specified process;
if the destination port of the target data packet is the same as the source port of the target socket information in the non-LISTEN state, and the destination IP address of the target data packet is the same as the IP address of the host, determining that the target data packet belongs to the outbound data packet of the specified process;
wherein the non-LISTEN state comprises: ESTABLISHED state, FIN _ WAIT1 state, FIN _ WAIT2 state, and TIME _ WAIT state.
8. The method of claim 1, wherein the regular acquisition of the socket information related to the designated process is performed at an interval shorter than twice the maximum segment lifetime.
9. A network packet capturing apparatus, comprising:
a network card packet acquisition module, configured to acquire network packets captured on a network card;
a socket information timing acquisition module, configured to acquire socket information related to a designated process at regular intervals; and
a network packet filtering module, configured to filter the network packets according to the socket information to obtain the network packets belonging to the designated process.
10. A computer device, characterized in that the computer device comprises:
one or more processors;
a memory for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-8.
11. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 8.
CN202110283492.XA 2021-03-16 2021-03-16 Network packet capturing method, device, equipment and medium Active CN113067810B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110283492.XA CN113067810B (en) 2021-03-16 2021-03-16 Network packet capturing method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN113067810A true CN113067810A (en) 2021-07-02
CN113067810B CN113067810B (en) 2023-05-26

Family

ID=76560754

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110283492.XA Active CN113067810B (en) 2021-03-16 2021-03-16 Network packet capturing method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN113067810B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113746925A (en) * 2021-09-06 2021-12-03 北京天融信网络安全技术有限公司 File transmission behavior auditing method and device, electronic equipment and storage medium
CN115174214A (en) * 2022-07-05 2022-10-11 中孚安全技术有限公司 Method and system for packet capturing of operating system application layer global network
WO2023019877A1 (en) * 2021-08-19 2023-02-23 平安科技(深圳)有限公司 Security protection method, apparatus and device for network host, and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101217493A (en) * 2008-01-08 2008-07-09 北京大学 TCP data package transmission method
CN103560973A (en) * 2013-10-14 2014-02-05 深圳市同洲电子股份有限公司 Method and device for filtering data packets
US20140156857A1 (en) * 2012-12-03 2014-06-05 International Business Machines Corporation Binding multiple addresses to a socket in a network system
CN106789242A (en) * 2016-12-22 2017-05-31 广东华仝九方科技有限公司 A kind of identification application intellectual analysis engine based on mobile phone client software behavioral characteristics storehouse
CN107608852A (en) * 2017-09-01 2018-01-19 清华大学 A kind of process monitoring method and device
CN108881328A (en) * 2018-09-29 2018-11-23 北京东土军悦科技有限公司 Packet filtering method, device, gateway and storage medium
CN109660535A (en) * 2018-12-17 2019-04-19 郑州云海信息技术有限公司 The treating method and apparatus of data in linux system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant