CN118075227A - A method for accurately matching domain names and variable domain names with IP - Google Patents

Abstract

The invention particularly relates to a method for precisely matching domain names and variable domain names with IP (Internet protocol), which comprises the following steps: monitoring DNS ports of all appointed network ports, and capturing packets by adopting a Libpcap; distinguishing IP/ARP/RARP packets through shift operation; analyzing the IP packet to obtain a slice offset, and calculating the offset to obtain a Protocol upper layer as TCP/UDP/ICMP; the hash algorithm matches questions, answers values under the query region; and acquiring a new IP corresponding relation in the DNS return packet, and giving the new IP corresponding relation to the flow control in real time through the shared memory, and ending the flow. The invention provides a method for accurately matching domain names and maximally covering the relationship between network traffic and IP and CDN (variable IP), and the portability and easy operability of flow control can be improved by adopting a Libpcap library.

Description

A method for accurately matching domain names and variable domain names with IP

Technical Field

The present invention specifically relates to a method for accurately matching domain names and variable domain names with IPs.

Background technique

With the advent of the 5G era for end users, traffic control can effectively prevent the impact of large amounts of data on the network in an instant, ensuring efficient and stable operation of the user network.

The traditional data link layer and network layer network traffic control mainly rely on three reliable protocols: stop-wait protocol (SW), back-off N frame protocol (GBN), and selective repeat protocol (SR). With the continuous development of the network, the second-layer flow control is not easy to meet the needs. On the one hand, it is disconnected from the application. On the other hand, if there are multiple points between the sender and the receiver, the flow control also needs to be controlled at multiple points, so naturally this business is thrown to the upper layer. At present, more flow control is based on the session layer, presentation layer, and application layer. Basically, flow control is only for IP and port control. This is not a problem in a service-based network environment, but there will still be NAT hiding the public network IP on the terminal, resulting in the widespread use of NAT traversal technology and CDN-based distribution networks.

Summary of the invention

The purpose of the present invention is to provide a method for accurately matching domain names and variable domain names with IP addresses, so as to solve the problems raised in the above-mentioned background technology.

In order to solve the above technical problems, the present invention provides the following technical solutions:

The method for accurately matching domain names and variable domain names with IPs includes the following steps:

The DNS ports that monitor all specified network ports are captured using libpcap;

Distinguish IP/ARP/RARP packets through shift operations;

Parse the IP packet to obtain the fragment offset, and calculate the upper layer of the Protocol as TCP/UDP/ICMP through the offset;

The hash algorithm matches the questions and answers values under the query area;

Get the new IP correspondence in the DNS reply packet, give it to the flow control in real time through shared memory, and end the process.

Furthermore, it also includes identifying the IP aging period in the CDN distribution network, the local DNS re-obtaining the cache server IP provided by the global load balancer of the CDN network, modifying the IP header TOS life cycle &0xFF; obtaining the new IP correspondence in the DNS response packet, and ending the process.

Furthermore, the specific steps of monitoring the DNS ports of all specified network ports using libpcap packet capture are as follows: use libpcap to capture the DNS port data packets of all specified network ports, including opening the network device: use the pcap_open_live() function to open the network device, the device name is usually "eth0" or other, the device type is "net80281", the data link layer type is "DLT_EN10MB", and the network mask of the network device interface is specified; compile the filtering policy: use the pcap_compile() function to compile the user-specified filtering policy into the filtering program; set the filter: use the pcap_setfilter() function to apply the filter compiled in the previous step to the network device; capture data packets: use the pcap_loop() or pcap_dispatch() function to capture data packets; process data packets: in the callback function, various processing can be performed on the captured data packets; close the network device: when the application completes its work, the pcap_close() function can be called to close the network device and release resources.

Furthermore, the specific steps of distinguishing IP/ARP/RARP packets by shift operation are as follows: Reading data packets: First, you need to read data packets from the network, which can be achieved by using the pcap_loop() or pcap_dispatch() function of the libpcap library, and passing the captured data packets to the specified callback function for processing; Extracting data packet headers: When processing each data packet, you need to extract its header information; the header of an IP data packet contains version, header length, service type, total length, identifier, flag, fragment offset, and time to live (TTL) fields, while the headers of ARP and RARP data packets contain different fields; Determine the protocol type: Based on the extracted packet header information, you can determine which protocol the packet is. Determine the operation type: For ARP and RARP packets, you also need to determine their operation type. The operation type field of the ARP packet is 0x0001, indicating a request, and 0x0002, indicating a response. The operation type field of the RARP packet is 0x8035, indicating a request, and 0x8036, indicating a response. Process packets: Different packets can be processed differently based on the determined protocol type and operation type.

Furthermore, it is necessary to parse the IP packet and obtain the fragment offset, and then calculate the upper layer of the protocol as TCP, UDP or ICMP based on the offset. The specific steps are as follows: Read the IP packet: First, the IP packet needs to be captured from the network, and the captured IP packet will be passed to the processing function as a parameter of the callback function; parse the IP packet: In the processing function, the captured IP packet needs to be parsed. The structure of the IP packet includes version, header length, service type, total length, identifier, flag, fragment offset and time to live (TTL) field. The structure can be used to represent the various fields of the IP packet; extract the fragment offset: after parsing the IP packet, the fragment offset field can be extracted; determine the protocol type: the protocol type can be determined based on the value of the fragment offset; process the protocol data: different protocol data can be processed differently based on the determined protocol type.

Compared with the prior art, the present invention has the following beneficial effects:

The present invention provides a method for accurately matching domain names and maximally covering the relationship between network traffic and IP and CDN (variable IP), and the use of libpcap library can improve the portability and operability of flow control.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG1 is a flow chart of the present invention for accurately matching domain names and variable domain names (CDN) with IP;

FIG. 2 is a flow chart of the corresponding relationship of identifying the CDN aging period and automatically unbinding the CDN according to the present invention.

Detailed ways

The following will be combined with the embodiments of the present invention to clearly and completely describe the technical solutions in the embodiments of the present invention. Obviously, the described embodiments are only part of the embodiments of the present invention, not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by ordinary technicians in this field without creative work are within the scope of protection of the present invention.

As shown in Figure 1, the method for accurately matching domain names and variable domain names with IP addresses includes the following steps:

①Monitor the DNS ports of all designated network ports and use libpcap to capture packets;

②Distinguish IP/ARP/RARP packets through shift operations;

③ Parse the IP packet to obtain the fragment offset, and calculate the upper layer of the Protocol as TCP/UDP/ICMP through the offset;

④Hash algorithm matches questions, answers and other values in the query area;

By identifying the IP aging period in the CDN distribution network, the local DNS obtains the cache server IP provided by the global load balancer of the CDN network for the second time, modifies the IP header TOS lifecycle &0xFF; obtains the new IP correspondence in the DNS reply packet, and ends the process.

The specific steps of using libpcap to capture packets for the DNS ports of all specified network ports are as follows: 1. Open the network device: Use the pcap_open_live() function to open the network device. The device name is usually "eth0" or other, the device type is "net80281", the data link layer type is "DLT_EN10MB", and the network mask of the network device interface is specified. 2. Compile the filtering policy: Use the pcap_compile() function to compile the user-specified filtering policy into the filtering program. For example, if you are only interested in DNS packets, you can use filtering rules to filter out packets from UDP port 53. 3. Set the filter: Use the pcap_setfilter() function to apply the filter compiled in the previous step to the network device, so that the captured packets will only include data that meets the filtering rules. 4. Capture packets: Use the pcap_loop() or pcap_dispatch() function to capture packets. These functions will process each captured packet according to the specified callback function. If you need more precise control, you can also use the pcap_next() or pcap_next_ex() functions to get packets one by one. 5. Processing packets: In the callback function, you can perform various processing on the captured packets, such as resolving DNS records, analyzing HTTP requests, etc. 6. Turning off network devices: When the application finishes its work, you can call the pcap_close() function to turn off the network device and release resources.

Distinguish IP/ARP/RARP packets by shift operation Specific steps: 1. Read data packets: First, you need to read data packets from the network. This can be achieved by using the pcap_loop() or pcap_dispatch() function of the libpcap library. These functions pass the captured data packets to the specified callback function for processing. 2. Extract the data packet header: When processing each data packet, you need to extract its header information. The header of the IP data packet contains fields such as version, header length, service type, total length, identifier, flag, fragment offset, and survival time (TTL). The headers of ARP and RARP data packets contain different fields. 3. Determine the protocol type: Based on the extracted data packet header information, you can determine which protocol it is. The version field of the IP data packet indicates whether it is an IPv4 or IPv6 data packet. If the version field is 4, it is an IPv4 data packet; if the version field is 6, it is an IPv6 data packet. The protocol type field of the ARP data packet is 0x0806, while the protocol type field of the RARP data packet is 0x8035. 4. Determine the operation type: For ARP and RARP data packets, you also need to determine their operation type. The operation type field of the ARP data packet is 0x0001, indicating a request, and 0x0002, indicating a response. The operation type field of the RARP data packet is 0x8035, indicating a request, and 0x8036, indicating a response. 5. Processing data packets: Different data packets can be processed differently based on the determined protocol type and operation type. For example, for IP data packets, their header information can be parsed and the IP address and port number can be extracted; for ARP and RARP data packets, their hardware address information can be extracted and processed accordingly. The above are the steps to distinguish IP, ARP, and RARP data packets through shift operations.

To parse the IP packet and get the fragment offset, and then calculate the upper layer of the protocol as TCP, UDP or ICMP based on the offset, the specific steps are as follows: 1. Read the IP packet: First, you need to capture the IP packet from the network. This can be achieved by using the pcap_loop() or pcap_dispatch() function of the libpcap library. The captured IP packet will be passed to the processing function as a parameter of the callback function. 2. Parse the IP packet: In the processing function, you need to parse the captured IP packet. The structure of the IP packet includes fields such as version, header length, service type, total length, identifier, flag, fragment offset and time to live (TTL). The structure can be used to represent the various fields of the IP packet. 3. Extract the fragment offset: After parsing the IP packet, you can extract the fragment offset field. The fragment offset indicates the offset position of the IP datagram in the fragment. Based on the offset, you can determine whether the IP datagram is fragmented and the order of the fragments. 4. Determine the protocol type: The protocol type can be determined based on the value of the fragment offset. Generally speaking, if the fragment offset is 0, the protocol type is TCP; if the fragment offset is 40, the protocol type is UDP; if the fragment offset is 8, the protocol type is ICMP. Of course, this is not absolute, because different operating systems or network environments may be different. Therefore, it is best to combine other fields to determine the protocol type. 5. Processing protocol data: Different protocol data can be processed differently according to the determined protocol type. For example, if the protocol type is TCP, the TCP header information can be extracted and the port number and sequence number can be parsed out; if the protocol type is UDP, the UDP header information can be extracted and the port number can be parsed out; if the protocol type is ICMP, the ICMP header information can be extracted and the type, code, and checksum can be parsed out.

The present invention provides a method for accurately matching domain names and maximally covering the relationship between network traffic and IP and CDN (variable IP). The use of the libpcap library can improve the portability and operability of flow control.

The embodiments that require protection in this application include:

The method for accurately matching domain names and variable domain names with IPs includes the following steps:

The DNS ports that monitor all specified network ports are captured using libpcap;

Distinguish IP/ARP/RARP packets through shift operations;

Parse the IP packet to obtain the fragment offset, and calculate the upper layer of the Protocol as TCP/UDP/ICMP through the offset;

The hash algorithm matches the questions and answers values in the query area;

Get the new IP correspondence in the DNS reply packet, give it to the flow control in real time through shared memory, and end the process.

Preferably, it also includes identifying the IP aging period in the CDN distribution network, the local DNS secondary obtaining the cache server IP provided by the global load balancer of the CDN network, modifying the IP header TOS life cycle &0xFF; obtaining the new IP correspondence in the DNS response packet, and ending the process.

Preferably, the specific steps of monitoring the DNS ports of all designated network ports using libpcap to capture packets are as follows, and libpcap is used to capture the DNS port data packets of all designated network ports, including opening the network device: using the pcap_open_live() function to open the network device, the device name is usually "eth0" or other, the device type is "net80281", the data link layer type is "DLT_EN10MB", and the network mask of the network device interface is specified; compiling the filtering policy: using the pcap_compile() function to compile the user-specified filtering policy into the filtering program; setting the filter: using the pcap_setfilter() function to apply the filter compiled in the previous step to the network device; capturing data packets: using the pcap_loop() or pcap_dispatch() function to capture data packets; processing data packets: in the callback function, various processing can be performed on the captured data packets; closing the network device: when the application completes its work, the pcap_close() function can be called to close the network device and release resources.

Preferably, the specific steps of distinguishing IP/ARP/RARP packets by shift operation are as follows: Reading data packets: First, it is necessary to read data packets from the network, which is implemented by using the pcap_loop() or pcap_dispatch() function of the libpcap library, and passing the captured data packets to the specified callback function for processing; Extracting data packet headers: When processing each data packet, it is necessary to extract its header information; the header of the IP data packet contains version, header length, service type, total length, identifier, flag, fragment offset and time to live (TTL) fields, while the headers of the ARP and RARP data packets contain different fields; Determine the protocol type: Based on the extracted packet header information, you can determine which protocol the packet is. Determine the operation type: For ARP and RARP packets, you also need to determine their operation type. The operation type field of the ARP packet is 0x0001, indicating a request (Request), and 0x0002, indicating a response (Reply). The operation type field of the RARP packet is 0x8035, indicating a request (Request), and 0x8036, indicating a response (Reply). Process packets: Different packets can be processed differently based on the determined protocol type and operation type.

Preferably, it is necessary to parse the IP packet and obtain the fragment offset, and then calculate the upper layer of the protocol as TCP, UDP or ICMP based on the offset. The specific steps are as follows: read the IP packet: first, it is necessary to capture the IP packet from the network, and the captured IP packet will be passed to the processing function as a parameter of the callback function; parse the IP packet: in the processing function, it is necessary to parse the captured IP packet, and the structure of the IP packet includes version, header length, service type, total length, identifier, flag, fragment offset and time to live (TTL) field, and a structure can be used to represent each field of the IP packet; extract the fragment offset: after parsing the IP packet, the fragment offset field can be extracted; determine the protocol type: the protocol type can be determined according to the value of the fragment offset; process the protocol data: according to the determined protocol type, different protocol data can be processed differently.

The embodiment of the present application further provides a computer device, which may include a terminal device or a server, and the data calculation program of the aforementioned method of accurately matching domain names and variable domain names with IP addresses may be configured in the computer device. The computer device is introduced below.

If the computer device is a terminal device, the present application embodiment provides a terminal device, taking the terminal device as a mobile phone as an example:

The mobile phone includes components such as a radio frequency (RF) circuit, a memory, an input unit, a display unit, a sensor, an audio circuit, a wireless fidelity (WiFi) module, a processor, and a power supply.

RF circuits can be used to receive and send signals during the process of sending and receiving information or making calls. In particular, after receiving the downlink information of the base station, it is processed by the processor; in addition, the designed uplink data is sent to the base station. Usually, the RF circuit includes but is not limited to an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (Low Noise Amplifier, referred to as LNA), a duplexer, etc. In addition, the RF circuit can also communicate with the network and other devices through wireless communication. The above-mentioned wireless communication can use any communication standard or protocol, including but not limited to the Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), email, Short Messaging Service (SMS), etc.

The memory can be used to store software programs and modules. The processor executes various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory. The memory can mainly include a program storage area and a data storage area, wherein the program storage area can store an operating system, an application required for at least one function (such as a sound playback function, an image playback function, etc.), etc.; the data storage area can store data created according to the use of the mobile phone (such as audio data, a phone book, etc.), etc. In addition, the memory can include a high-speed random access memory, and can also include a non-volatile memory, such as at least one disk storage device, a flash memory device, or other volatile solid-state storage devices.

The input unit can be used to receive input digital or character information, and to generate key signal input related to the user settings and function control of the mobile phone. Specifically, the input unit may include a touch panel and other input devices. The touch panel, also known as a touch screen, can collect the user's touch operation on or near it (such as the user's operation on or near the touch panel using any suitable object or accessory such as a finger, stylus, etc.), and drive the corresponding connection device according to a pre-set program. Optionally, the touch panel may include two parts: a touch detection device and a touch controller. Among them, the touch detection device detects the user's touch orientation, detects the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into the contact coordinates, and then sends it to the processor, and can receive the command sent by the processor and execute it. In addition, the touch panel can be implemented using multiple types such as resistive, capacitive, infrared and surface acoustic waves. In addition to the touch panel, the input unit may also include other input devices. Specifically, other input devices may include but are not limited to one or more of a physical keyboard, a function key (such as a volume control key, a switch key, etc.), a trackball, a mouse, a joystick, etc.

The display unit can be used to display information input by the user or information provided to the user and various menus of the mobile phone. The display unit may include a display panel, and optionally, a liquid crystal display (LiquidCrystal Display, LCD for short), an organic light-emitting diode (Organic Light-Emitting Diode, OLED for short) and the like can be used to configure the display panel. Further, the touch panel can cover the display panel, and when the touch panel detects a touch operation on or near it, it is transmitted to the processor to determine the type of touch event, and then the processor provides corresponding visual output on the display panel according to the type of touch event. Although in the figure, the touch panel and the display panel are used as two independent components to realize the input and output functions of the mobile phone, in some embodiments, the touch panel and the display panel can be integrated to realize the input and output functions of the mobile phone.

The mobile phone may also include at least one sensor, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may configure the brightness of the display panel according to the brightness of the ambient light, and the proximity sensor may turn off the display panel and/or backlight when the mobile phone is moved to the ear. As a type of motion sensor, the accelerometer sensor can detect the magnitude of acceleration in all directions (generally three axes), and can detect the magnitude and direction of gravity when stationary. It can be used for applications that identify the posture of the mobile phone (such as horizontal and vertical screen switching, related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer, tapping), etc.; as for other sensors that can be configured in the mobile phone, such as gyroscopes, barometers, hygrometers, thermometers, infrared sensors, etc., they will not be repeated here.

The audio circuit, speaker, and microphone can provide an audio interface between the user and the mobile phone. The audio circuit can convert the received audio data into an electrical signal and transmit it to the speaker, which converts it into a sound signal for output; on the other hand, the microphone converts the collected sound signal into an electrical signal, which is received by the audio circuit and converted into audio data. The audio data is then processed by the output processor and sent to, for example, another mobile phone through the RF circuit, or the audio data is output to the memory for further processing.

WiFi is a short-range wireless transmission technology. A mobile phone can help users send and receive emails, browse web pages, and access streaming media through a WiFi module, which provides users with wireless broadband Internet access. Although the WiFi module is shown in the figure, it is understandable that it is not a necessary component of the mobile phone and can be omitted as needed without changing the essence of the invention.

The processor is the control center of the mobile phone. It uses various interfaces and lines to connect the various parts of the entire mobile phone. It executes various functions of the mobile phone and processes data by running or executing software programs and/or modules stored in the memory, and calling data stored in the memory, so as to monitor the mobile phone as a whole. Optionally, the processor may include one or more processing units; preferably, the processor may integrate an application processor and a modem processor, wherein the application processor mainly processes the operating system, user interface and application programs, etc., and the modem processor mainly processes wireless communications. It is understandable that the above-mentioned modem processor may not be integrated into the processor.

The mobile phone also includes a power source (such as a battery) for supplying power to various components. Preferably, the power source can be logically connected to the processor through a power management system, so that the power management system can manage charging, discharging, power consumption and other functions.

Although not shown, the mobile phone may also include a camera, a Bluetooth module, etc., which will not be described in detail here.

In this embodiment, the processor included in the terminal device also has the following functions:

A data calculation program that performs methods for accurately matching domain names and variable domain names with IP addresses.

If the computer device is a server, an embodiment of the present application also provides a server, which may have relatively large differences due to different configurations or performances, and may include one or more central processing units (CPU) (for example, one or more processors) and memories, and one or more storage media for storing applications or data (for example, one or more mass storage devices). Among them, the memory and the storage medium can be short-term storage or permanent storage. The program stored in the storage medium may include one or more modules, each of which may include a series of instruction operations on the server. Furthermore, the central processing unit can be configured to communicate with the storage medium and execute a series of instruction operations in the storage medium on the server.

The server may also include one or more power supplies, one or more wired or wireless network interfaces, one or more input and output interfaces, and/or one or more operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.

In addition, an embodiment of the present application further provides a storage medium, wherein the storage medium is used to store a computer program, and the computer program is used to execute the method provided in the above embodiment.

The embodiments of the present application also provide a computer program product including instructions, which, when executed on a computer, enables the computer to execute the method provided in the above embodiments.

A person of ordinary skill in the art can understand that all or part of the steps of implementing the above method embodiment can be completed by hardware related to program instructions, and the above program can be stored in a computer-readable storage medium. When the program is executed, it executes the steps of the above method embodiment; and the above storage medium can be at least one of the following media: read-only memory (English: Read-only Memory, abbreviated: ROM), RAM, magnetic disk or optical disk, etc. Various media that can store program codes.

It should be noted that each embodiment in this specification is described in a progressive manner, and the same or similar parts between the embodiments can be referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, for the device and system embodiments, since they are basically similar to the method embodiments, the description is relatively simple, and the relevant parts can be referred to the partial description of the method embodiments. The device and system embodiments described above are merely schematic, wherein the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of this embodiment. Ordinary technicians in this field can understand and implement it without creative work.

Claims (5)

1. The method for precisely matching the domain name and the variable domain name with the IP is characterized by comprising the following steps:

monitoring DNS ports of all appointed network ports, and capturing packets by adopting a Libpcap;

distinguishing IP/ARP/RARP packets through shift operation;

analyzing the IP packet to obtain a slice offset, and calculating the offset to obtain a Protocol upper layer as TCP/UDP/ICMP;

The hash algorithm matches questions, answers values under the query region;

And acquiring a new IP corresponding relation in the DNS return packet, and giving the new IP corresponding relation to the flow control in real time through the shared memory, and ending the flow.

2. The method for precisely matching domain names and variable domain names with IPs according to claim 1, further comprising modifying IP header TOS lifecycle &0xFF by identifying IP aging periods in the CDN delivery network, and the local DNS secondarily obtains a cache server IP provided by a global load balancer of the CDN network; and acquiring a new IP corresponding relation in the DNS echo packet, and ending the flow.

3. The method for precisely matching domain names and variable domain names with IP according to claim 1, wherein the specific step of monitoring DNS ports of all specified ports to capture packets by using a libpcap includes the steps of using the libpcap to capture DNS port packets of all specified ports, including opening a network device: the network device is turned on using the pcap_open_live () function, the device name is typically "eth0" or other, the device type is "net80281", the data link layer type is "dlt_en10mb", and the network mask of the network device interface is specified; compiling a filtering strategy: compiling the filtering strategy specified by the user into a filtering program by using a pcap_common () function; setting a filter: applying the filter compiled in the previous step to the network device using the pcap_ setfilter () function; capturing a data packet: capturing a data packet using a pcap_loop () or pcap_dispatch () function; processing the data packet: in the callback function, various processing can be performed on the captured data packet; closing the network device: when the application completes work, the pcap_close () function may be called to close the network device, freeing up resources.

4. The method for precisely matching domain names and variable domain names with IP according to claim 1, wherein the specific steps of distinguishing IP/ARP/RARP packets by shift operation are as follows: reading a data packet: firstly, a data packet is required to be read from a network, the data packet is realized by using a pcap_loop () or a pcap_dispatch () function of a libpcap library, and the captured data packet is transferred to a designated callback function for processing; extracting a data packet head: when each data packet is processed, the header information of the data packet needs to be extracted; the header of the IP packet contains version, header length, service type, total length, identifier, flag, sheet offset and time-to-live (TTL) fields, and the header of ARP and RARP packets contains different fields; judging the protocol type: according to the extracted data packet head information, judging which protocol data packet it is; judging the operation type: for ARP and RARP packets, it is also necessary to determine their operation types, where an operation type field of ARP packet is 0x0001 for Request (Reply), 0x0002 for response (Reply), and an operation type field of RARP packet is 0x8035 for Request (Request), and 0x8036 for response (Reply); processing the data packet: different data packets can be processed differently according to the determined protocol type and operation type.

5. The method for precisely matching domain name and variable domain name with IP according to claim 1, wherein the specific steps of parsing an IP packet and obtaining a slice offset, and then calculating a protocol upper layer as TCP, UDP or ICMP according to the offset are performed: reading an IP packet: firstly, capturing an IP packet from a network, and transmitting the captured IP packet as a parameter of a callback function to a processing function; analyzing the IP packet: in the processing function, the captured IP packet needs to be parsed, and the structure of the IP packet includes version, header length, service type, total length, identifier, flag, slice offset and Time To Live (TTL) fields, and each field of the IP packet may be represented by a structure body; extract tile offset: after the IP packet is analyzed, a slice offset field can be extracted; judging the protocol type: the protocol type can be judged according to the value of the slice offset; processing protocol data: different protocol data can be processed differently according to the determined protocol type.