CN117914974A - Network data packet analysis method and device and electronic equipment - Google Patents


Info

Publication number: CN117914974A
Authority: CN (China)
Prior art keywords: protocol, network, layer, type, data packet
Legal status: Pending
Application number: CN202410074159.1A
Other languages: Chinese (zh)
Inventors: 谭奇香, 余有, 涂大志, 王新成, 黄杰, 王志, 祝青柳
Current assignee: Shenzhen Leagsoft Technology Co ltd
Original assignee: Shenzhen Leagsoft Technology Co ltd
Application filed by Shenzhen Leagsoft Technology Co ltd; priority to CN202410074159.1A; publication of CN117914974A.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a network data packet analysis method, device and electronic equipment. The method comprises the following steps: acquiring a network data packet; parsing the data link layer of the packet to obtain a first upper-layer protocol type and the protocol length of the data link layer; parsing the network layer to obtain the corresponding transport-layer protocol type and the network-layer protocol length; parsing the transport layer to obtain the transport-layer protocol length, source port and destination port; parsing the application layer of the packet, and determining the application-layer protocol type used by the application layer from the transport-layer protocol type, source port and destination port; and performing device discovery and identification according to the protocol types and protocol content information of the different protocol layers of the parsed packet. The effect is that not all of the content needs to be parsed; only the data required by some application-layer protocols is parsed, so that network data packet messages are parsed quickly and efficiently.

Description

Network data packet analysis method and device and electronic equipment
Technical Field
The present invention relates to the field of data analysis technologies, and in particular, to a method and an apparatus for analyzing a network data packet, and an electronic device.
Background
Network packet parsing is a critical link in network management and security. As networks continue to grow in size and complexity, parsing becomes increasingly important to network performance and security. Parsing a network data packet means examining the packets transmitted in the network one by one and identifying and interpreting the source and destination IP addresses, MAC addresses, protocols and other information they contain; this is of great significance for asset discovery and network security within a system.
According to the OSI model, packet processing on a network is divided into seven layers, from the highest-level representation of distributed application data down to the physical transmission of data across a communication medium: the physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer.
At present, the adopted technical schemes are as follows: Wireshark parses the protocol of each layer in sequence from the bottom to the top of the OSI seven-layer structure, supporting many protocols and performing deep parsing and analysis of network packets; DPI technology identifies and analyzes the application-layer protocol by deeply parsing the packet content; other packet parsing tools likewise parse according to the OSI seven-layer architecture.
Because Wireshark focuses on deep analysis and inspection of network packets, it parses all the information of every packet in detail; when processing large-scale network traffic it occupies more system resources and its processing efficiency is relatively low. DPI technology needs to deeply parse the packet content to identify the application-layer protocol and inspect the content, which places high demands on system resources.
Disclosure of Invention
To overcome the defects of the prior art, the invention aims to provide a network data packet analysis method, a network data packet analysis device and electronic equipment that improve processing efficiency.
First aspect: an embodiment of the invention provides a network data packet analysis method comprising the following steps:
acquiring a network data packet;
parsing the data link layer of the network data packet to obtain a first upper-layer protocol type of the packet and the protocol length of the data link layer;
parsing the network layer of the packet: using the first upper-layer protocol type obtained from the data link layer, skip forward by the data link layer protocol length to obtain the network-layer protocol type and its starting position, and determine the corresponding protocol length from the network-layer protocol type, where the network-layer protocol type comprises a second upper-layer protocol type;
parsing the transport layer of the packet: using the second upper-layer protocol type obtained from the network layer, skip forward by the network-layer protocol length to obtain the corresponding transport-layer protocol type and starting position, and parse the transport layer to obtain the transport-layer protocol length, source port and destination port;
parsing the application layer of the packet, and determining the application-layer protocol type used by the application layer from the transport-layer protocol type, source port and destination port;
and performing device discovery and identification according to the protocol types and protocol content information of the different protocol layers of the parsed packet.
As an optional implementation of the present application, if the first upper-layer protocol type is a VLAN layer, the VLAN ID and the corresponding upper-layer protocol type in the VLAN layer are parsed.
As an optional implementation of the present application, if there are multiple VLAN layers, the corresponding number of layers is parsed.
As an optional implementation of the present application, the network-layer protocol types correspond to the IPv4, IPv6 and ARP protocols;
the ARP protocol is used to resolve an IP address to a MAC address in an IPv4 network, so the IP and MAC information of the device is parsed from it and device discovery is achieved;
the total length of the IPv4 protocol header and of the IPv6 protocol header is fixed, and these protocols carry the current network-layer protocol version and the upper-layer protocol type; this upper-layer protocol type is the second upper-layer protocol type.
As an optional implementation of the present application, performing device discovery and identification according to the protocol types and protocol content information of the different protocol layers of the parsed packet specifically includes:
extracting key information of the corresponding protocol type based on the protocol types of the different protocol layers;
and matching the extracted key information against preset rules to achieve device discovery and identify the operating system, type, manufacturer and model of the device.
Second aspect: an embodiment of the invention provides a network data packet analysis device comprising:
an acquisition module, used to acquire the network data packet;
an analysis module, used to:
parse the data link layer of the network data packet to obtain a first upper-layer protocol type of the packet and the protocol length of the data link layer;
parse the network layer of the packet: using the first upper-layer protocol type obtained from the data link layer, skip forward by the data link layer protocol length to obtain the network-layer protocol type and starting position, and determine the corresponding protocol length from the network-layer protocol type, where the network-layer protocol type comprises a second upper-layer protocol type;
parse the transport layer of the packet: using the second upper-layer protocol type obtained from the network layer, skip forward by the network-layer protocol length to obtain the corresponding transport-layer protocol type and starting position, where the transport-layer protocol type comprises a corresponding length, a source port and a destination port;
parse the application layer of the packet, and determine the application-layer protocol type used by the application layer from the transport-layer protocol type, source port and destination port;
and a processing module, used to perform device discovery and identification according to the protocol types and protocol content information of the different protocol layers of the parsed packet.
Third aspect: an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the network packet parsing method according to the first aspect when the computer program is executed.
This technical scheme has the following advantages: with the network data packet analysis method, device and electronic equipment, not all of the content needs to be parsed, only the data required by some application-layer protocols, so packet parsing is fast and efficient; this overcomes the low processing efficiency of existing network packet analysis technology. At the same time, device discovery and identification are performed according to the parsed application-layer protocol type, so asset discovery is achieved.
Drawings
Fig. 1 is a flowchart of a network packet parsing method according to an embodiment of the present invention;
FIG. 2 is a block diagram illustrating network packet parsing according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a network packet analysis device according to an embodiment of the present invention.
Detailed Description
Specific embodiments of the invention will be described in detail below, it being noted that the embodiments described herein are for illustration only and are not intended to limit the invention. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will be apparent to one of ordinary skill in the art that: no such specific details are necessary to practice the invention. In other instances, well-known circuits, software, or methods have not been described in detail in order not to obscure the invention.
Throughout the specification, references to "one embodiment," "an embodiment," "one example," or "an example" mean: a particular feature, structure, or characteristic described in connection with the embodiment or example is included within at least one embodiment of the invention. Thus, the appearances of the phrases "in one embodiment," "in an embodiment," "one example," or "an example" in various places throughout this specification are not necessarily all referring to the same embodiment or example. Furthermore, the particular features, structures, or characteristics may be combined in any suitable combination and/or sub-combination in one or more embodiments or examples. Moreover, those of ordinary skill in the art will appreciate that the illustrations provided herein are for illustrative purposes and that the illustrations are not necessarily drawn to scale.
It is noted that unless otherwise indicated, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this application belongs.
TCP (Transmission Control Protocol): a connection-oriented, reliable, byte-stream-based transport-layer communication protocol.
UDP (User Datagram Protocol): a connectionless transport-layer protocol for datagram transmission in the Internet protocol suite (TCP/IP protocol suite).
ICMPv4 (Internet Control Message Protocol version 4): the control message protocol of the IPv4 protocol suite.
ICMPv6 (Internet Control Message Protocol version 6): the control message protocol of the IPv6 protocol suite.
ARP (Address Resolution Protocol): a protocol for converting IP addresses to physical (MAC) addresses in network communications.
IPv4 (Internet Protocol version 4): the fourth version of the Internet Protocol (IP), the first to be widely deployed, and the underlying protocol of the Internet today.
IPv6 (Internet Protocol version 6): the sixth version of the Internet Protocol (IP), the next-generation Internet protocol.
VLAN (Virtual Local Area Network): a technique for logically dividing local area network devices into separate network segments to implement virtual workgroups.
PPPoE (Point-to-Point Protocol over Ethernet): a link-layer protocol that encapsulates the Point-to-Point Protocol (PPP) in Ethernet frames.
MPLS (Multi-Protocol Label Switching): a protocol for fast packet switching and routing that provides efficient, scalable and flexible data transmission over a variety of network-layer protocols.
CAPWAP (Control And Provisioning of Wireless Access Points): a protocol for communication between a wireless access point (AP) and an access controller (AC).
DHCP (Dynamic Host Configuration Protocol): a network protocol used to automatically distribute network configuration information such as IP addresses, subnet masks, default gateways and DNS servers to devices in a network.
SMB (Server Message Block): a network protocol for sharing files, printers and other network services in a network.
MDNS (Multicast DNS, multicast domain name system): a network protocol used to discover and resolve service names in a local network.
HTTP (Hypertext Transfer Protocol): a protocol for transmitting data over a network, widely used for communication between a Web browser and a Web server.
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Referring to Fig. 1 and Fig. 2, a network packet parsing method is shown. The parsing method is applied to computer equipment (the computer equipment can be a terminal or a server; the terminal includes but is not limited to personal computers, notebook computers, smart phones, tablet computers and portable wearable devices, and the server can be an independent server or a server cluster formed by several servers).
The method comprises the following steps:
S101, a network data packet is acquired.
Specifically, the network data packets are either captured from a network interface or read from a captured offline packet file.
S102, the data link layer of the network data packet is parsed to obtain the first upper-layer protocol type of the packet and the protocol length of the data link layer.
Specifically, the upper-layer protocol type in the Ethernet header is parsed first and the Ethernet header is stripped; the destination MAC address, source MAC address and upper-layer protocol type of the packet are parsed; this upper-layer protocol type is the first upper-layer protocol type, and the data format of the data link layer has a fixed length.
As shown in Fig. 2, in this embodiment the parsed first upper-layer protocol types include the IPv4, IPv6 and ARP protocols;
if the first upper-layer protocol type is a VLAN layer, the VLAN ID and the corresponding upper-layer protocol type in the VLAN layer are parsed;
if several VLAN layers exist, the corresponding number of layers is parsed;
if the first upper-layer protocol type is PPPoE, the total length of the protocol header is 7 or 8 bytes, and the upper-layer protocol type is contained in it;
if the first upper-layer protocol type is MPLS, the total length of the protocol header is 4 bytes and it does not include the upper-layer protocol type, so the upper-layer protocol type must be deduced by parsing the packet information of the upper-layer protocol, specifically as follows:
the packet information following the MPLS header is examined, an upper-layer protocol type is assumed, the packet is parsed under that assumption, the characteristics of the upper-layer protocol are extracted, and whether the packet really is of the assumed protocol type is determined. For example, if the assumed upper-layer protocol is IPv4, the version field in the IPv4 header is extracted; if the version is 4 the upper-layer protocol is determined to be IPv4, and if the version does not match the assumed IPv4 it is taken to be another protocol.
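As an added illustration of step S102 (example code written for this page, not code from the patent or its assignee), the Python function below walks the data link layer the way the text describes: it reads the Ethernet header, strips any number of stacked VLAN tags, consumes a PPPoE session header of 7 or 8 bytes, and for MPLS, which carries no upper-layer type, assumes IP and confirms the assumption from the version nibble of the following header. Every read is bounds-checked first, so a truncated or malformed frame raises instead of being read past its end. The constant names, the `TruncatedFrame` exception and the frames in the usage example are this example's own choices.

```python
import struct

# EtherType / PPP protocol numbers used below (IANA-assigned values).
ETH_IPV4, ETH_IPV6, ETH_ARP = 0x0800, 0x86DD, 0x0806
ETH_VLAN, ETH_QINQ = 0x8100, 0x88A8          # 802.1Q tag and 802.1ad outer tag
ETH_PPPOE_SESSION, ETH_MPLS = 0x8864, 0x8847
PPP_IPV4, PPP_IPV6 = 0x0021, 0x0057


class TruncatedFrame(ValueError):
    """Raised instead of reading past the end of a frame (short or hostile capture)."""


def _need(frame, offset, n):
    if offset + n > len(frame):
        raise TruncatedFrame(f"need {n} bytes at offset {offset}, frame has {len(frame)}")


def parse_link_layer(frame):
    """Walk the data link layer and return (info, offset).

    info holds the MAC addresses, any VLAN IDs and MPLS labels seen, and
    'network_proto': the EtherType of the network-layer header (None when it
    cannot be determined). offset is where that network-layer header starts.
    """
    _need(frame, 0, 14)
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    info = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
            "vlan_ids": [], "mpls_labels": []}
    offset = 14

    # Any number of stacked VLAN tags: 4 bytes each, the last one carries the real EtherType.
    while ethertype in (ETH_VLAN, ETH_QINQ):
        _need(frame, offset, 4)
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        info["vlan_ids"].append(tci & 0x0FFF)
        offset += 4

    if ethertype == ETH_PPPOE_SESSION:
        # 6-byte PPPoE header, then the PPP protocol field: 2 bytes, or 1 byte when
        # protocol-field compression is in use (odd first byte); 7 or 8 bytes in total.
        _need(frame, offset, 7)
        first = frame[offset + 6]
        if first & 1:
            ppp_proto, offset = first, offset + 7
        else:
            _need(frame, offset, 8)
            ppp_proto, offset = struct.unpack_from("!H", frame, offset + 6)[0], offset + 8
        ethertype = {PPP_IPV4: ETH_IPV4, PPP_IPV6: ETH_IPV6}.get(ppp_proto)

    elif ethertype == ETH_MPLS:
        # 4-byte label stack entries until the bottom-of-stack bit (bit 8) is set.
        while True:
            _need(frame, offset, 4)
            entry = struct.unpack_from("!I", frame, offset)[0]
            info["mpls_labels"].append(entry >> 12)
            offset += 4
            if entry & 0x100:
                break
        # MPLS carries no EtherType: assume IP and confirm from the version nibble.
        _need(frame, offset, 1)
        ethertype = {4: ETH_IPV4, 6: ETH_IPV6}.get(frame[offset] >> 4)

    info["network_proto"] = ethertype
    return info, offset


if __name__ == "__main__":
    # Constructed frame: two stacked VLAN tags (100 outer, 200 inner) in front of an IPv4 header.
    mac_dst, mac_src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    frame = mac_dst + mac_src + bytes.fromhex("88A8 0064 8100 00C8 0800") + bytes([0x45]) + bytes(19)
    print(parse_link_layer(frame))
```

The returned offset is the only state handed to the next layer, which is what lets the network-layer parser skip forward by the data link layer length without re-reading the headers below it.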
S103, the network layer of the network data packet is parsed: using the first upper-layer protocol type obtained from the data link layer, skip forward by the data link layer protocol length to obtain the network-layer protocol type and starting position; the corresponding protocol length is determined from the network-layer protocol type, where the network-layer protocol type comprises a second upper-layer protocol type.
Specifically, the upper-layer protocol type in the upper-layer protocol header is parsed again and that header is stripped; as described above and shown in Fig. 2, the network-layer protocol types correspond to the IPv4, IPv6 and ARP protocols;
the ARP protocol is used to resolve an IP address to a MAC address in an IPv4 network, so the IP and MAC information of the device is parsed from it and device discovery is achieved;
the total length of the IPv4 protocol header and of the IPv6 protocol header is fixed, and these protocols carry the current network-layer protocol version and the upper-layer protocol type; information such as the time to live (TTL) and the fragment offset is extracted from the IPv4 header and used for device type identification. This upper-layer protocol type is the second upper-layer protocol type.
S104, the transport layer of the network data packet is parsed: using the second upper-layer protocol type obtained from the network layer, skip forward by the network-layer protocol length to obtain the corresponding transport-layer protocol type and starting position; the transport layer is parsed to obtain the transport-layer protocol length, source port and destination port.
Specifically, the second upper-layer protocol type, namely the transport-layer protocol type, is parsed; the protocol types include TCP, UDP, ICMP and the like.
TCP is a connection-oriented, reliable, byte-stream-based transport-layer protocol; its header carries a total length, the source and destination ports, and some other information usable for device type identification.
UDP is a simple connectionless transport-layer protocol with a fixed header length, carrying a source port and a destination port.
The ICMP protocol has two major versions, ICMPv4 and ICMPv6. From ICMPv4 the type, checksum and sequence number can be obtained for device type identification; from ICMPv6 the IP and MAC address of a device can be obtained through the Neighbor Discovery protocol for device discovery.
CAPWAP tunnel protocol parsing: the protocol carries a header length, its data segment length is fixed, and it includes the upper-layer protocol type.
S105, the application layer of the network data packet is parsed, and the application-layer protocol type used by the application layer is judged from the transport-layer protocol type, source port and destination port;
The principle is as follows: an application-layer protocol typically uses a specific port number and transport-layer protocol type; for example, the HTTP protocol uses port 80 over TCP. The application-layer protocol type can therefore be judged preliminarily, and the content of the application-layer protocol packet can then be parsed to further determine whether that protocol type is correct.
In practice, the application-layer protocol types specifically include the following:
the DHCP protocols, including DHCPv4 and DHCPv6, yield the IP, MAC, manufacturer, device name, DHCP parameter list and option list of the device, for device discovery and device type identification;
the SMB protocol is used to obtain local operating system information and LAN manager information, for identifying the device type;
MDNS yields device model and operating system version information, for device type identification;
the HTTP protocol yields the User-Agent information of the device, for device type identification.
S106, device discovery and identification are performed according to the protocol types and protocol content information of the different protocol layers of the parsed network data packet.
Specifically, key information of the corresponding protocol type is extracted based on the protocol types of the different protocol layers; this key information is the protocol content information;
and the extracted key information is matched against preset rules to achieve device discovery and identify the operating system, type, manufacturer and model of the device.
The preset rules are device identification rules summarized from the traffic characteristic information collected from actual devices, and the rule set is continuously extended; at recognition time, the characteristic information parsed from the different protocols is matched against the device identification rules and a recognition result is given.
The device type is thereby identified from the key information parsed out of the network data packet.
The operating system, type, manufacturer and other information of a device are identified by matching rules against the DHCP manufacturer, DHCP option and DHCP parameter list information parsed from the DHCP protocol in the packet.
Device operating system information is identified by matching rules against the ICMP type, code, id, sequence number, checksum, time to live (TTL) and similar information parsed from the ICMP protocol of the packet.
Device type and operating system information are identified by matching rules against the TCP flags, TTL, window size, header length, options and similar information parsed from a TCP SYN packet.
Device type and operating system information are identified by matching rules against the device model and operating system version information parsed from the MDNS protocol of the packet.
Device operating system information is identified by matching rules against the local operating system information and LAN manager information parsed from the SMB protocol of the packet.
The User-Agent information parsed from the HTTP of the packet is analyzed to extract the carried operating system, and the type, operating system, model and manufacturer information of the device are identified according to the device model information matching rules.
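As an added worked example of steps S103 to S106 together (written for this page; not the patent's code, and the rule values are invented placeholders, not any real fingerprint database), the Python below carries a frame from the IPv4 header through TCP or UDP, makes the port-based application-layer guess from S105, confirms or rejects it with a cheap payload check (HTTP request line, DHCPv4 magic cookie), extracts only the key fields the rules need (TTL, window size and header length from a TCP SYN; the User-Agent from HTTP), and matches them against a small preset rule table. It covers only IPv4 with TCP and UDP; IPv6, ARP and ICMP are handled the same way in principle but are left out for brevity. `PORT_HINTS`, `RULES`, `build_frame` and all example-os/example-device names are this example's assumptions.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17
# First-pass guess keyed on (transport, port). The protocols are the ones named on the page;
# the port numbers are the IANA defaults. Constructed table for this example.
PORT_HINTS = {("udp", 67): "dhcpv4", ("udp", 68): "dhcpv4", ("udp", 546): "dhcpv6",
              ("udp", 547): "dhcpv6", ("tcp", 445): "smb", ("udp", 5353): "mdns", ("tcp", 80): "http"}
HTTP_START = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/")
DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie at offset 236 of a DHCPv4 message
# Constructed rule base (placeholder values, not the patent's rules): a rule matches when
# every (field, value) pair equals the extracted key information.
RULES = [
    ({"layer": "tcp_syn", "ttl": 64, "window": 65535}, {"os": "example-os-A"}),
    ({"layer": "tcp_syn", "ttl": 128, "window": 8192}, {"os": "example-os-B"}),
    ({"layer": "http", "user_agent": "ExampleAgent/1.0"}, {"type": "example-device", "vendor": "example-vendor"}),
]

def _need(buf, off, n):
    if off + n > len(buf):
        raise ValueError(f"truncated: need {n} bytes at {off}, have {len(buf)}")

def parse_ipv4(pkt, off):
    """Return (upper-layer protocol number, offset after the header, extracted fields)."""
    _need(pkt, off, 20)
    vihl, _tos, _tlen, _ident, frag, ttl, proto = struct.unpack_from("!BBHHHBB", pkt, off)
    hdr_len = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or hdr_len < 20:
        raise ValueError("not a valid IPv4 header")
    _need(pkt, off, hdr_len)              # IPv4 options may extend the header past 20 bytes
    fields = {"ttl": ttl, "df": bool(frag & 0x4000), "frag_offset": frag & 0x1FFF,
              "src_ip": ".".join(map(str, pkt[off + 12:off + 16])),
              "dst_ip": ".".join(map(str, pkt[off + 16:off + 20]))}
    return proto, off + hdr_len, fields

def parse_tcp(pkt, off):
    _need(pkt, off, 20)
    sport, dport, _seq, _ack, doff_flags, window = struct.unpack_from("!HHIIHH", pkt, off)
    hdr_len = (doff_flags >> 12) * 4
    if hdr_len < 20:
        raise ValueError("bad TCP data offset")
    _need(pkt, off, hdr_len)
    return {"sport": sport, "dport": dport, "flags": doff_flags & 0x1FF, "window": window,
            "hdr_len": hdr_len}, off + hdr_len

def parse_udp(pkt, off):
    _need(pkt, off, 8)
    sport, dport, length, _csum = struct.unpack_from("!HHHH", pkt, off)
    return {"sport": sport, "dport": dport, "length": length}, off + 8

def guess_application(transport, t, payload):
    """Port-based first guess, then confirmed by a cheap payload check where a signature is known."""
    guess = PORT_HINTS.get((transport, t["dport"])) or PORT_HINTS.get((transport, t["sport"]))
    if guess == "http" and not payload.startswith(HTTP_START):
        return None                        # port 80 but no HTTP request line: the hint was wrong
    if guess == "dhcpv4" and payload[236:240] != DHCP_MAGIC:
        return None
    return guess

def extract_key_info(ip, transport, t, app, payload):
    """Pull out only the fields the rule base needs (the page's 'key information')."""
    if transport == "tcp" and t["flags"] & 0x12 == 0x02:          # SYN set, ACK clear
        return {"layer": "tcp_syn", "ttl": ip["ttl"], "window": t["window"], "hdr_len": t["hdr_len"]}
    if app == "http":
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"user-agent:"):
                return {"layer": "http", "user_agent": line.split(b":", 1)[1].strip().decode("ascii", "replace")}
    return {}

def match_rules(key_info):
    for cond, result in RULES:
        if all(key_info.get(k) == v for k, v in cond.items()):
            return result
    return None

def analyse(frame):
    """Ethernet -> IPv4 -> TCP/UDP -> application guess -> rule match, without decoding whole payloads."""
    _need(frame, 0, 14)
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return {"network": "unsupported"}
    proto, off, ip = parse_ipv4(frame, 14)
    if proto == IPPROTO_TCP:
        transport, (t, off) = "tcp", parse_tcp(frame, off)
    elif proto == IPPROTO_UDP:
        transport, (t, off) = "udp", parse_udp(frame, off)
    else:
        return {"network": "ipv4", "ip": ip, "transport": proto}
    payload = frame[off:]
    app = guess_application(transport, t, payload)
    key = extract_key_info(ip, transport, t, app, payload)
    return {"network": "ipv4", "ip": ip, "transport": transport, "ports": (t["sport"], t["dport"]),
            "application": app, "key_info": key, "device": match_rules(key)}

def build_frame(proto, sport, dport, payload=b"", ttl=64, tcp_flags=0x02, window=65535):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame with zero MACs and checksums; not captured traffic."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | tcp_flags, window, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0x4000, ttl, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return bytes(12) + b"\x08\x00" + ip + l4 + payload

if __name__ == "__main__":
    print(analyse(build_frame(IPPROTO_TCP, 40000, 80)))                      # SYN: rule on TTL/window
    print(analyse(build_frame(IPPROTO_UDP, 68, 67, bytes(236) + DHCP_MAGIC)))  # DHCPv4 confirmed
```

Note that a TCP SYN to port 80 is first guessed as HTTP and then rejected because it carries no request line; the rule match on the SYN still succeeds from the network and transport headers alone, which is the point of the scheme: the key fields are read at fixed offsets and nothing beyond them is decoded.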
In this scheme, not all of the content of the network data packet needs to be parsed; only the data required by some application-layer protocols is parsed, following the OSI seven-layer structure, so packet parsing is fast and efficient, which overcomes the low processing efficiency of existing network packet analysis technology. At the same time, device discovery and identification are performed according to the parsed application-layer protocol type, so asset discovery is achieved.
Based on the same inventive concept, and referring to Fig. 3, an embodiment of the present invention further provides a network data packet parsing apparatus comprising:
an acquisition module, used to acquire the network data packet;
an analysis module, used to:
parse the data link layer of the network data packet to obtain a first upper-layer protocol type of the packet and the protocol length of the data link layer;
parse the network layer of the packet: using the first upper-layer protocol type obtained from the data link layer, skip forward by the data link layer protocol length to obtain the network-layer protocol type and starting position, and determine the corresponding protocol length from the network-layer protocol type, where the network-layer protocol type comprises a second upper-layer protocol type;
parse the transport layer of the packet: using the second upper-layer protocol type obtained from the network layer, skip forward by the network-layer protocol length to obtain the corresponding transport-layer protocol type and starting position, and parse the transport layer to obtain the transport-layer protocol length, source port and destination port;
parse the application layer of the packet, and determine the application-layer protocol type used by the application layer from the transport-layer protocol type, source port and destination port;
and a processing module, used to perform device discovery and identification according to the protocol types and protocol content information of the different protocol layers of the parsed packet.
If the first upper-layer protocol type is a VLAN layer, the VLAN ID and the corresponding upper-layer protocol type in the VLAN layer are parsed.
The network-layer protocol types correspond to the IPv4, IPv6 and ARP protocols;
the ARP protocol is used to resolve an IP address to a MAC address in an IPv4 network, so the IP and MAC information of the device is parsed from it and device discovery is achieved;
the total length of the IPv4 protocol header and of the IPv6 protocol header is fixed, and these protocols carry the current network-layer protocol version and the upper-layer protocol type; this upper-layer protocol type is the second upper-layer protocol type.
Further, performing device discovery and identification according to the protocol types and protocol content information of the different protocol layers of the parsed packet specifically includes:
extracting key information of the corresponding protocol type based on the protocol types of the different protocol layers;
and matching the extracted key information against preset rules to achieve device discovery and identify the operating system, type, manufacturer and model of the device.
In the foregoing apparatus claims, specific embodiments and beneficial effects of each step are referred to in the foregoing method embodiment section, and are not described herein again.
With this scheme, network packet parsing is fast: not all content has to be parsed, only the required data of some application-layer protocols; header parsing of various kinds of network data packets is supported, and the device operating system, device type, model and manufacturer information are identified by parsing the information in the packets.
In another embodiment of the present invention, an embodiment of the present disclosure provides an electronic device including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements a method as in any of the method embodiments described above when the computer program is executed.
The processor may be a central processing unit (Central Processing Unit, CPU), or another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, discrete hardware components, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory may include read only memory and random access memory. A portion of the memory may also include non-volatile random access memory. For example, the memory may also store information of the device type.
The processes described above with reference to flowcharts may be implemented as computer software programs according to embodiments of the present disclosure. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via a communication device, or installed from a storage device, or installed from ROM. The above-described functions defined in the methods of the embodiments of the present disclosure are performed when the computer program is executed by a processing device.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limited thereto; those of ordinary skill in the art will appreciate that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention, and are intended to be included within the scope of the appended claims and description.

Claims (10)

1. A method for parsing a network packet, the method comprising:
acquiring a network data packet;
analyzing the data link layer of the network data packet to obtain a first upper layer protocol type of the network data packet and the protocol length of the data link layer;
analyzing a network layer of the network data packet, and shifting the protocol length of the data link layer through the first upper layer protocol type analyzed by the data link layer to obtain a network layer protocol type and a starting position; determining a corresponding protocol length according to the network layer protocol type, wherein the network layer protocol type comprises a second upper layer protocol type;
analyzing a transmission layer of the network data packet, and shifting the length of a network layer protocol through a second upper layer protocol type analyzed by the network layer to obtain a corresponding transmission layer protocol type and a starting position; analyzing the transmission layer to obtain the length of the transmission layer protocol, a source port and a destination port;
analyzing an application layer of the network data packet, and judging the type of an application layer protocol used by the application layer through the type of the transmission layer protocol, a source port and a destination port;
and carrying out device discovery and identification according to the protocol types and the protocol content information of the different protocol layers of the parsed network data packet.
2. The network packet parsing method according to claim 1, wherein if the first upper layer protocol type is a VLAN layer, then parsing a VLAN ID and a corresponding upper layer protocol type in the VLAN layer.
3. The network packet parsing method according to claim 2, wherein, if there are a plurality of VLAN layers, parsing of the corresponding layer number is performed.
4. A network data packet parsing method according to claim 3, wherein the network layer protocol types correspond to IPv4, IPv6 and ARP protocols;
The ARP protocol is used for resolving an IP address into an MAC address in an IPv4 network, so that the IP and the MAC information of the equipment are resolved, and the equipment discovery is realized;
the total length of the IPv4 protocol header and the IPv6 protocol header is fixed, and the protocols comprise the current network layer protocol version and the upper layer protocol type; the upper layer protocol type is the second upper layer protocol type.
5. The method for analyzing network data packets according to claim 2, wherein the device discovery and identification is performed according to the protocol types and the protocol content information of the different protocol layers for analyzing the network data packets, specifically comprising:
Extracting key information of the corresponding protocol type based on the protocol types of the different protocol layers;
And based on the extracted key information matched with a preset rule, realizing equipment discovery and identifying the operating system, type, manufacturer and model of the equipment.
6. A network data packet parsing apparatus, the apparatus comprising:
an acquisition module, configured to acquire a network data packet;
a parsing module, configured to:
parse the data link layer of the network data packet to obtain a first upper-layer protocol type of the network data packet and the protocol length of the data link layer;
parse the network layer of the network data packet: offsetting by the protocol length of the data link layer, according to the first upper-layer protocol type obtained from the data link layer, to obtain the network-layer protocol type and its starting position, and determining the corresponding protocol length according to the network-layer protocol type, wherein the network-layer protocol type includes a second upper-layer protocol type;
parse the transport layer of the network data packet: offsetting by the network-layer protocol length, according to the second upper-layer protocol type obtained from the network layer, to obtain the corresponding transport-layer protocol type and its starting position, and parsing the transport layer to obtain the transport-layer protocol length, the source port and the destination port;
parse the application layer of the network data packet, and determine the application-layer protocol type used by the application layer from the transport-layer protocol type, the source port and the destination port; and
a processing module, configured to perform device discovery and identification according to the protocol types and the protocol content information of the different protocol layers of the parsed network data packet.
7. The network data packet parsing apparatus according to claim 6, wherein, if the first upper-layer protocol type is a VLAN layer, the VLAN ID and the corresponding upper-layer protocol type in the VLAN layer are parsed.
8. The network data packet parsing apparatus according to claim 6, wherein the network-layer protocol types correspond to the IPv4, IPv6 and ARP protocols;
the ARP protocol is used to resolve an IP address to a MAC address in an IPv4 network, so that the IP and MAC information of a device is obtained and device discovery is achieved; and
the IPv4 protocol header and the IPv6 protocol header each have a fixed total length, and each carries the current network-layer protocol version and the upper-layer protocol type, this upper-layer protocol type being the second upper-layer protocol type.
9. The network data packet parsing apparatus according to claim 6, wherein performing device discovery and identification according to the protocol types and the protocol content information of the different protocol layers of the parsed network data packet specifically comprises:
extracting key information of the corresponding protocol type based on the protocol types of the different protocol layers; and
matching the extracted key information against preset rules, so as to achieve device discovery and to identify the operating system, type, manufacturer and model of the device.
10. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the network data packet parsing method according to any one of claims 1 to 5.
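The layered procedure of claims 1 to 5 (and its apparatus counterpart in claims 6 to 9), carried through in code as an added example; this is not the patent's own implementation. It walks Ethernet, stacked 802.1Q tags, ARP/IPv4/IPv6 and TCP/UDP by advancing a single offset by each layer's header length, picks the application protocol from (transport protocol, port) and keeps the payload undecoded, then matches the extracted fields against preset rules to name vendor, OS family, type and model. One practitioner's caveat on claim 4: the IPv6 base header is indeed a fixed 40 bytes, but an IPv4 header is 20 bytes only when it carries no options, so the example reads the IHL field (and likewise the TCP data offset) instead of assuming a constant; the second sample frame carries four bytes of IPv4 options to exercise that path. The EtherType and IP protocol numbers are the real ones; the port table, OUI table, TTL heuristic, banner rule and the three sample frames are constructed for illustration, and checksums are left at zero because the parser does not verify them.

```python
import re
import struct
from dataclasses import dataclass, field
from ipaddress import ip_address

ETH_IPV4, ETH_ARP, ETH_VLAN, ETH_IPV6, TCP, UDP = 0x0800, 0x0806, 0x8100, 0x86DD, 6, 17  # real EtherTypes / IP protocol numbers
# (IP protocol, port) -> application protocol: illustrative subset, not a full table
APP_PORTS = {(TCP, 22): "SSH", (TCP, 80): "HTTP", (TCP, 443): "HTTPS", (UDP, 53): "DNS", (UDP, 161): "SNMP"}
OUI_VENDORS = {"b8:27:eb": "Raspberry Pi Foundation", "00:0c:29": "VMware"}   # sample OUI table
TTL_OS_HINT = {64: "Linux/Unix-like", 128: "Windows", 255: "network device"}  # coarse heuristic; assumes same-segment capture
SERVER_RE = re.compile(rb"^Server:[ \t]*([^\r\n]+)", re.M)                     # HTTP Server banner rule

@dataclass
class Parsed:
    src_mac: str = ""
    vlan_ids: list = field(default_factory=list)
    net_proto: str = ""
    src_ip: str = ""
    ttl: int = 0
    transport: str = ""
    sport: int = 0
    dport: int = 0
    app: str = ""
    payload: bytes = b""

def parse(pkt: bytes) -> Parsed:
    """Walk link -> network -> transport -> application, advancing `off` by each layer's header length."""
    p = Parsed(src_mac=pkt[6:12].hex(":"))
    (ethertype,) = struct.unpack("!H", pkt[12:14])
    off = 14                                    # Ethernet II header length
    while ethertype == ETH_VLAN:                # claims 2/3: one 802.1Q tag per turn, so QinQ stacks work too
        tci, ethertype = struct.unpack("!HH", pkt[off:off + 4])
        p.vlan_ids.append(tci & 0x0FFF)
        off += 4
    if ethertype == ETH_ARP:                    # claim 4: ARP carries the sender's IP<->MAC binding directly
        p.net_proto = "ARP"
        p.src_ip = str(ip_address(pkt[off + 14:off + 18]))   # sender protocol address (IPv4 over Ethernet)
        return p
    if ethertype == ETH_IPV4:
        p.net_proto = "IPv4"
        hdr_len = (pkt[off] & 0x0F) * 4         # IHL: an IPv4 header is 20 bytes only when it carries no options
        p.ttl, next_proto = pkt[off + 8], pkt[off + 9]
        p.src_ip = str(ip_address(pkt[off + 12:off + 16]))
    elif ethertype == ETH_IPV6:
        p.net_proto = "IPv6"
        hdr_len = 40                            # fixed base header; extension headers are not walked in this example
        next_proto, p.ttl = pkt[off + 6], pkt[off + 7]
        p.src_ip = str(ip_address(pkt[off + 8:off + 24]))
    else:
        return p                                # other network-layer protocols are out of scope here
    off += hdr_len
    if next_proto not in (TCP, UDP):
        return p
    p.transport = "TCP" if next_proto == TCP else "UDP"
    p.sport, p.dport = struct.unpack("!HH", pkt[off:off + 4])   # ports sit first in both headers
    off += (pkt[off + 12] >> 4) * 4 if next_proto == TCP else 8  # TCP data offset is variable too; UDP header is 8
    p.app = APP_PORTS.get((next_proto, p.dport)) or APP_PORTS.get((next_proto, p.sport), "unknown")  # claim 1
    p.payload = pkt[off:]                       # kept for the rules, not decoded further
    return p

def discover(packets) -> dict:   # claim 5: extract key fields per layer, match against preset rules, key by source MAC
    devices = {}
    for pkt in packets:
        p = parse(pkt)
        d = devices.setdefault(p.src_mac, {"ips": set(), "vlans": set(), "os": "unknown", "type": "unknown",
                                           "model": "unknown", "vendor": OUI_VENDORS.get(p.src_mac[:8], "unknown")})
        d["vlans"].update(p.vlan_ids)
        if p.src_ip:
            d["ips"].add(p.src_ip)
        if p.ttl in TTL_OS_HINT:                # rule: initial TTL / hop limit hints at the OS family
            d["os"] = TTL_OS_HINT[p.ttl]
        if p.app == "HTTP" and (m := SERVER_RE.search(p.payload)):   # rule: HTTP Server banner -> type and model
            d["type"], d["model"] = "web server", m.group(1).decode(errors="replace")
    return devices

# constructed sample frames (checksums left zero; the parser does not verify them)
def _eth(dst, src, ethertype, payload, vlan=None):
    hdr = bytes.fromhex(dst.replace(":", "") + src.replace(":", ""))
    hdr += struct.pack("!HHH", ETH_VLAN, vlan, ethertype) if vlan is not None else struct.pack("!H", ethertype)
    return hdr + payload

def _ipv4(src, dst, proto, payload, ttl=64, options=b""):
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 1, 0, ttl, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed) + options + payload

def _ipv6(src, dst, proto, payload, hop=64):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), proto, hop,
                       ip_address(src).packed, ip_address(dst).packed) + payload

PI, VM = "b8:27:eb:aa:bb:cc", "00:0c:29:11:22:33"
SAMPLE_PACKETS = [
    _eth(VM, PI, ETH_ARP, struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 2, bytes.fromhex("b827ebaabbcc"),
         ip_address("192.168.1.10").packed, bytes.fromhex("000c29112233"), ip_address("192.168.1.1").packed), vlan=100),
    _eth(VM, PI, ETH_IPV4, _ipv4("192.168.1.10", "192.168.1.1", TCP, struct.pack("!HHIIBBHHH", 80, 51000, 1, 1, 0x50,
         0x18, 65535, 0, 0) + b"HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.59\r\n\r\n", options=b"\x01" * 4), vlan=100),
    _eth(PI, VM, ETH_IPV6, _ipv6("2001:db8::2", "2001:db8::53", UDP, struct.pack("!HHHH", 53000, 53, 20, 0) + bytes(12), hop=128)),
]
```

`discover(SAMPLE_PACKETS)` returns a dict keyed by source MAC; for the constructed frames it reports the b8:27:eb address as a Linux/Unix-like web server running lighttpd/1.4.59 on VLAN 100 with IP 192.168.1.10 (the IP learned from the ARP reply, the rest from the HTTP response), and the 00:0c:29 address as a Windows host known only by its IPv6 address. IPv6 extension headers, IP fragmentation and non-Ethernet link layers are deliberately left out; a production parser must also bounds-check every slice before unpacking, since a truncated or hostile frame would otherwise raise on the `struct.unpack` calls.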

Application CN202410074159.1A, priority date 2024-01-18, filing date 2024-01-18: Network data packet analysis method and device and electronic equipment (pending; published as CN117914974A, en)

Publications (1)

Publication Number Publication Date
CN117914974A (en) 2024-04-19

Family

ID=90683438

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination