Background technology
Figure 1 shows the call flow in current VoIP: the establishment and termination of a session are controlled by signaling flows exchanged between the users and the core controlling party; after the session is set up, the media stream (voice data) is carried directly end to end between the users.
When user A and user B begin a conversation, user A, as the session initiator, sends an invitation (INVITE) message to the callee, user B, to establish contact. INVITE is the initial message of a session in the Session Initiation Protocol (SIP), and the c field of this message contains the media address information of the INVITE initiator so that both parties to the call can connect. The process by which user A sends an INVITE to user B is shown in Figure 2.
After the signaling flow between user A and user B has been set up successfully, media stream transmission between the users begins. When one of the parties changes its media channel attributes, that party notifies the other party of its new media address with a re-invitation (Re-Invite) message, so as to avoid disruption of the conversation caused by the change of media address. The re-invitation process is shown in Figure 3.
To maintain social stability and safeguard national security, the government or public security organs need to monitor the communication content of specific users when exercising their functions. As VoIP technology matures and spreads, more and more people use it for voice calls, and the monitoring techniques originally used for the PSTN are no longer applicable to VoIP conversations.
To carry out voice monitoring of user A, who is conversing with user B in Fig. 1, the signaling flow of user A must be captured, and so must the media stream between A and B. The signaling flow of user A contains information about user A itself and about user B, with whom user A is conversing, such as location information and call duration.
One current prior-art scheme deploys a forwarding device, such as a Session Border Controller (SBC), at the network boundary. The forwarding device forwards two kinds of information: it proxies the signaling flow between the users and the core controlling party, and it forwards the media stream between the users. The forwarding device may also integrate security modules to protect the core controlling party.
Because the forwarding device relays all signaling flows and media streams, a monitoring device can be connected to it as shown in Figure 4 (for example, the SBC provides a dedicated listening port) to obtain all signaling flows and media streams of the monitored party.
As shown in Figure 4, the forwarding device can either simply forward the signaling and media streams to monitoring side C for processing, or contain an inline processing module that processes the relevant information and sends the result directly to C.
In Fig. 4, when the SBC receives the signaling flows of users A and B it forwards them to the core controlling party, and it forwards the signaling flows returned by the core controlling party to the users. The media stream between user A and user B is likewise forwarded via the SBC.
Although this prior-art scheme can monitor VoIP conversations, the SBC is designed to protect the security of the core network, not specifically for monitoring. If the operator does not deploy SBC equipment in a given network environment, the scheme cannot be implemented, so its scope of application is limited. In addition, a device of this type must process and forward all signaling flows and media streams, which places high demands on the device and increases cost.
Summary of the invention
In view of the above problems in the prior art, the purpose of the present invention is to provide a network monitoring processing method and system.
The purpose of the invention is achieved through the following technical solutions:
A network monitoring processing system comprises a core controlling party and a monitoring side.
The core controlling party comprises a core control device and a monitoring processing unit. The monitoring processing unit reads the monitoring instruction of the monitoring side, determines the signaling flow that matches the monitoring instruction, and sends the data flow corresponding to that signaling flow to the monitoring side for monitoring;
The monitoring side comprises:
A monitor instruction sending module, used to send the monitoring instruction to the core controlling party.
The monitoring processing unit comprises:
A monitor module, used to monitor the signaling flows entering and leaving the core controlling party and, under the control of the analysis and processing module, to monitor data information;
An analysis and processing module, used to receive the monitoring instruction of the monitoring side, to control the monitor module to monitor the data flow that matches the monitoring instruction, and to send the monitored data flow to the communication module;
A communication module, used to receive the monitoring instruction of the monitoring side and pass it to the analysis and processing module, and to send to the monitoring side the data flow monitored by the analysis and processing module and the monitor module;
The core control device forwards information for the communication parties;
The monitoring side further comprises:
A monitored data receiver module, used to receive the monitored signaling flow and data flow.
The monitoring processing unit is arranged inside the core control device or is separate from it.
The monitoring side is either directly connected to the core controlling party, or located elsewhere in the VoIP network and connected to the core controlling party indirectly through message forwarding.
A network monitoring processing method comprises:
Determining, according to the monitoring instruction, the signaling flow that matches the monitoring instruction, and identifying the communication party that sent this signaling flow as the eavesdropping target;
Sending a data-information acquisition message to the eavesdropping target, thereby monitoring the data information sent by the eavesdropping target.
The process of determining the eavesdropping target by determining the signaling flow that matches the monitoring instruction comprises:
Receiving the signaling flow of a communication party while the communication parties exchange signaling;
Inspecting the signaling flow according to the monitoring instruction to determine whether the communication party is the eavesdropping target.
The process by which the monitoring side monitors by sending a data-information acquisition message to the eavesdropping target comprises:
After the eavesdropping target is determined, sending the data-information acquisition message, which contains a listen address, to the communication party;
The communication party receives the data-information acquisition message and sends its data information to the listen address in that message, so that the communication party's data information is monitored.
After the communication party's data information has been monitored, the monitored data information is forwarded to the other communication parties communicating with the eavesdropping target, so that communication between the parties continues.
While the eavesdropping target is monitored, the other communication parties communicating with the eavesdropping target are also monitored.
The data information is streaming media information.
As can be seen from the technical solution provided above, the present invention monitors the communication parties by placing a monitoring processing unit in the core controlling party instead of relying on a Session Border Controller. Because the monitoring processing unit is located at the server controlling party, it is simple to set up and does not increase network complexity. The invention preserves the original basic structure of the VoIP network, avoids increasing network security risk, and does not significantly increase cost.
Embodiment
The core of the present invention is to determine, according to the monitoring instruction, the signaling flow that matches the monitoring instruction, and to identify the communication party that sent this signaling flow as the eavesdropping target; a data-information acquisition message is then sent to the eavesdropping target, so that the data information sent by the eavesdropping target is monitored.
More specifically, after the data transmission relationship between the communication parties has been established, the present invention sends the monitored communication party a data-information acquisition message whose address information is the address of the monitoring side; the communication party sends its data information to the address in the data-information acquisition message, so that the data information is monitored. In the present invention, the data information sent by a communication party includes media stream information.
The present invention determines whether a communication party is the eavesdropping target by intercepting the communication party's signaling flow. The process comprises:
Receiving the signaling flow of a communication party while the communication parties exchange signaling;
Obtaining the monitoring instruction, inspecting the signaling flow according to it to determine whether the communication party is the eavesdropping target, and sending a notification message to the monitoring side.
After determining whether the communication party is the eavesdropping target, the core controlling party forwards the signaling flow to the monitoring side so that the monitoring side can continue to process it.
After the signaling flow has been analyzed, the present invention monitors the communication party identified as the eavesdropping target. The process comprises:
Sending a data-information acquisition message to the monitored communication party; the address information in this message is the listen address used to receive the monitored data;
The communication party sends its data information to the address in the data-information acquisition message, and the system thereby monitors the communication party.
While monitoring a communication party, the monitoring side of the present invention also forwards the data information it receives to the other communication parties communicating with the monitored communication party, ensuring that communication between the parties continues.
In addition, while the eavesdropping target is monitored, the present invention also monitors the other communication parties communicating with the eavesdropping target.
The present invention is described in detail below with reference to the accompanying drawings of its specific embodiments.
With reference to Fig. 5 and Fig. 6, the flow for monitoring a VoIP conversation in embodiment one of the invention comprises:
Step 1: while communication party A and communication party B are setting up a VoIP conversation, communication party A first sends an invitation (Invite) message to the core controlling party, requesting to communicate with communication party B;
Step 2: the core controlling party receives A's Invite message, which, on entering the core controlling party, is passed to the monitoring processing unit;
Within the monitoring processing unit, the Invite message first enters the monitor module and then passes from the monitor module to the analysis and processing module;
The analysis and processing module has received the instruction of monitoring side C in advance. It analyzes the received signaling flow according to that instruction and checks whether the sender of the signaling flow meets the monitoring requirement of monitoring side C:
If communication party A meets the monitoring requirement of monitoring side C, the communication party is determined to be the eavesdropping target, and the analysis and processing module sends A's Invite message to the communication module, which sends it on to monitoring side C;
If communication party A does not meet the monitoring requirement of monitoring side C, A's Invite message is likewise forwarded to monitoring side C; A's signaling flow is monitored, but the media stream is not;
Step 3: the Invite message of communication party A is not only sent to monitoring side C but is also forwarded to communication party B by the core control device according to the normal flow;
Step 4: after receiving A's Invite message, communication party B replies to the core controlling party with a ringback (Ringing) message;
Step 5: the core control device in the core controlling party forwards the Ringing message to communication party A;
Step 6: the monitoring processing unit in the core controlling party forwards the Ringing message to monitoring side C; through steps 5 and 6, the ringback message returned by communication party B is thus sent to both communication party A and monitoring side C;
Step 7: after communication party B goes off-hook, communication party B sends a 200 OK message to the core controlling party;
Step 8: the core controlling party forwards the 200 OK message to communication party A;
Step 9: the monitoring processing unit in the core controlling party forwards the 200 OK message to monitoring side C; through steps 8 and 9, communication party A and monitoring side C both receive the 200 OK message;
Step 10: after receiving the 200 OK message forwarded by the core controlling party, communication party A sends an acknowledgement (ACK) message to the core control device;
Step 11: the core control device in the core controlling party forwards the ACK message to communication party B;
Step 12: the monitoring processing unit in the core controlling party forwards the ACK message to monitoring side C;
Through the above steps, communication party A, as the eavesdropping target, and communication party B have completed their signaling exchange and enter the media stream transmission state;
The present invention monitors the media stream during the communication between eavesdropping target A and communication party B, in the following steps:
Step 13: after communication party A and communication party B complete the signaling exchange, they begin exchanging the media stream;
While communication party A and communication party B are transmitting the media stream, monitoring side C sends a data-information acquisition message to communication party A. In this embodiment the data-information acquisition message is an Invite message that is basically identical to the Invite message communication party A sent to communication party B, except that the media address in the c field of the message is the listen address used to receive the monitored data rather than the address of communication party B. In this embodiment the listen address is the address of monitoring side C; it may also be another address;
Step 14: monitoring side C sends an Invite message to communication party B. This Invite message is basically identical to the Invite message communication party A sent to communication party B, except that the c field in the message is filled in with the listen address used to receive the monitored data rather than the address of A. In this embodiment the listen address is the address of monitoring side C; it may also be another address.
Step 15: after receiving the Invite message sent by monitoring side C, communication party A replies to the core controlling party with a 200 OK message to confirm that it has received the Invite message;
Step 16: the core controlling party sends this message to monitoring side C through its internal monitoring processing unit, because this 200 OK message is a response to monitoring side C, not a response to a message initiated by the core controlling party itself;
Step 17: after receiving the 200 OK message, monitoring side C replies to communication party A with an ACK message, acknowledging receipt of communication party A's 200 OK message;
Step 18: after receiving the Invite message sent by monitoring side C, communication party B replies to the core controlling party with a 200 OK message to confirm that communication party B has received the Invite message;
Step 19: the core controlling party does not process this 200 OK message but sends it to monitoring side C through the monitoring processing unit, again because this 200 OK message is a response to monitoring side C, not a response to a message initiated by the core controlling party itself;
Step 20: after receiving the 200 OK message, monitoring side C replies to communication party B with an ACK message, acknowledging receipt of communication party B's 200 OK message;
Through the above steps, a new media stream connection has been established between communication party A and communication party B: the media stream that communication party A sends to communication party B is first sent to monitoring side C, which forwards it to communication party B; the media stream that communication party B sends to communication party A is likewise first sent to monitoring side C, which forwards it to communication party A. In this way data is still transmitted between communication party A and communication party B, and the data transmitted between them can be monitored by monitoring side C;
Step 21: after the conversation ends, communication party A sends a BYE message to the core controlling party. Because the BYE message contains only information related to communication party A, and the re-invitation (Re-Invite) message sent by monitoring side C did not change the signaling information of the current conversation, the core control device receives this BYE message;
Step 22: the core controlling party forwards the BYE message to communication party B;
Step 23: the monitoring processing unit in the core controlling party forwards the BYE message to monitoring side C;
Step 24: after receiving the BYE message forwarded by the core controlling party in step 22, communication party B responds to the core control device with a 200 OK message;
Step 25: the core controlling party forwards the 200 OK message to communication party A;
Step 26: the monitoring processing unit of the core controlling party forwards the 200 OK message to monitoring side C; the communication between communication party A and communication party B ends, and the monitoring of that communication ends accordingly.
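Steps 13 to 20 redirect media by sending each party an in-dialog Invite whose c field carries a new address, and a network operator can watch signaling for exactly that change. The following Python is an added example, not part of the patent: it tracks the c= address each party advertises per Call-ID and reports changes, plus calls in which both parties end up advertising the same address. The class and function names and the sample trace are constructed for illustration.

```python
import re

def parse_sip(raw):
    """Return (start line, lower-cased header dict, SDP body lines)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.split("\n")

def uri_of(value):
    """Extract the URI from a From/To header value such as '<sip:a@x>;tag=1'."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

def media_address(sdp_lines):
    """Address on the first c= line of the SDP body, or None if there is none."""
    for line in sdp_lines:
        m = re.match(r"c=IN IP[46] (\S+)", line.strip())
        if m:
            return m.group(1)
    return None

class MediaPathMonitor:
    def __init__(self):
        self.known = {}  # (Call-ID, party URI) -> media address last advertised

    def observe(self, raw):
        """Feed one SIP message; return an alert if a party's c= address changed."""
        start, headers, sdp = parse_sip(raw)
        addr, call_id = media_address(sdp), headers.get("call-id")
        if not addr or not call_id:
            return None
        if start.startswith("INVITE "):
            party = uri_of(headers.get("from", ""))   # an offer describes its sender
        elif start.startswith("SIP/2.0 200") and "INVITE" in headers.get("cseq", ""):
            party = uri_of(headers.get("to", ""))     # an answer describes the callee
        else:
            return None
        previous = self.known.get((call_id, party))
        self.known[(call_id, party)] = addr
        if previous is not None and previous != addr:
            return {"call_id": call_id, "party": party, "old": previous, "new": addr}
        return None

    def relayed(self):
        """Call-IDs in which two different parties advertise the same media address."""
        seen, hits = {}, set()
        for (call_id, party), addr in self.known.items():
            if seen.setdefault((call_id, addr), party) != party:
                hits.add(call_id)
        return sorted(hits)

def msg(start, frm, to, call_id, cseq, c_addr):
    """Build a minimal, constructed SIP message carrying a three-line SDP body."""
    return (f"{start}\r\nFrom: <{frm}>;tag=1\r\nTo: <{to}>\r\nCall-ID: {call_id}\r\n"
            f"CSeq: {cseq} INVITE\r\nContent-Type: application/sdp\r\n\r\n"
            f"v=0\r\nc=IN IP4 {c_addr}\r\nm=audio 49170 RTP/AVP 0\r\n")

A, B = "sip:a@example.com", "sip:b@example.com"
CONSTRUCTED_TRACE = [  # constructed sample, documentation address ranges only
    msg(f"INVITE {B} SIP/2.0", A, B, "call-1", 1, "192.0.2.10"),    # A's initial offer
    msg("SIP/2.0 200 OK", A, B, "call-1", 1, "192.0.2.20"),         # B's answer
    msg(f"INVITE {A} SIP/2.0", B, A, "call-1", 2, "203.0.113.99"),  # in-dialog, new c=
    msg(f"INVITE {B} SIP/2.0", A, B, "call-1", 3, "203.0.113.99"),  # in-dialog, new c=
]

def scan(trace):
    """Run a trace through the monitor; return (alerts, relayed Call-IDs)."""
    monitor = MediaPathMonitor()
    alerts = [a for a in (monitor.observe(m) for m in trace) if a]
    return alerts, monitor.relayed()

if __name__ == "__main__":
    print(scan(CONSTRUCTED_TRACE))
```

Legitimate re-INVITEs (hold, codec or NAT changes) also move c=, so the alerts are candidates for review rather than verdicts.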
Fig. 7 shows a network monitoring processing system according to embodiment two of the present invention, comprising a monitoring side and a core controlling party.
In this embodiment the core controlling party is connected to a plurality of communication parties as well as to the monitoring side;
The core controlling party comprises a core control device and a monitoring processing unit; the monitoring processing unit in turn comprises a monitor module, an analysis and processing module and a communication module.
The controlling party comprises a monitor instruction sending module and a monitoring information receiver module.
The monitoring processing unit reads the monitoring instruction of the monitoring side, determines the signaling flow that matches the monitoring instruction, and sends the data flow corresponding to that signaling flow to the monitoring side for monitoring;
The monitoring processing unit comprises:
A monitor module, used to monitor the signaling flows entering and leaving the core controlling party and, under the control of the analysis and processing module, to monitor data information;
An analysis and processing module, used to receive the monitoring instruction of the monitoring side, to control the monitor module to monitor the data flow that matches the monitoring instruction, and to send the monitored data flow to the communication module;
A communication module, used to receive the monitoring instruction of the monitoring side and pass it to the analysis and processing module, and to send to the monitoring side the data flow monitored by the analysis and processing module and the monitor module;
The core control device forwards information for the communication parties;
The monitoring side comprises:
A monitor instruction sending module, used to send the monitoring instruction to the core controlling party;
A monitored data receiver module, used to receive the monitored signaling flow and data flow.
The monitoring process of the system of embodiment two is as follows:
Before or while the communication parties exchange signaling, the monitor instruction sending module in the monitoring side sends a monitoring instruction to the core controlling party; the instruction is forwarded by the communication module and received by the analysis and processing module.
When the communication parties exchange signaling, the core control device of the core controlling party forwards each communication party's signaling flow to the other communication parties with which it has established communication;
At the same time, the monitoring processing module of the core controlling party intercepts all signaling flows of the communication parties and sends them to the analysis and processing module;
Having already received the monitoring instruction, the analysis and processing module analyzes the intercepted signaling flow according to the requirements of the instruction and determines whether the communication party that sent the signaling flow meets the monitoring requirement of the monitoring side;
After determining whether the communication party that sent the signaling flow is the monitored party, the analysis and processing module sends the signaling flow to the monitoring side through the communication module, for further processing by the monitoring side.
After a communication party is determined to be the eavesdropping target, the monitoring side sends an invitation (Invite) message to the communication party through the core controlling party while the communication party is transmitting its media stream; the address information in the Invite message is the address of the monitoring side;
After receiving this Invite message, the communication party sends its media stream to the monitoring side, which monitors it;
The monitoring side not only monitors the media stream but also forwards it to the other communication parties communicating with the eavesdropping target, so that the original communication is not interrupted.
When the communication parties stop communicating, the monitoring side also stops monitoring them.
In addition, the monitoring processing unit is arranged inside the core control device or is separate from it.
The above is only a preferred embodiment of the present invention, but the protection scope of the present invention is not limited to it. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. The protection scope of the present invention shall therefore be determined by the protection scope of the claims.