TW201225581A - Network monitoring method and system thereof - Google Patents
Network monitoring method and system thereof
- Publication number
- TW201225581A
- Authority
- TW
- Taiwan
- Prior art keywords
- group
- identity
- record
- instant
- correspondence table
- Prior art date
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Description
VI. Description of the Invention

[Technical Field]

The present invention relates to a network monitoring system, and in particular to a network monitoring system that monitors network behavior without being limited to specific targets.

[Prior Art]

As enterprises have moved their work onto the network, employees can use the network for all kinds of tasks. How to keep effective track of the Internet use of all employees inside an enterprise, so that employees do not browse unnecessary web pages or chat over instant messaging during working hours and impair work efficiency, has therefore become an important issue for large enterprises.

Many network monitoring techniques already exist. Besides analyzing packets in real time, they can record the connections made by network behavior so that administrators can understand how internal staff use the network. Network packet analysis is mainly based on the communication protocols defined in the Open System Interconnection Reference Model (OSI) proposed by the International Organization for Standardization. At layer 3, the network layer, the user's Internet Protocol (IP) address and Media Access Control (MAC) address are obtained. Layer 4, the transport layer, controls the supervision and management of network equipment and data traffic to ensure smooth communication. At layer 7, the application layer, packets take different forms depending on the application; for example, in the Simple Mail Transfer Protocol (SMTP) a packet carries information such as the mail account and the mail address.

One known network monitoring technique, disclosed in Taiwan Patent 1313993, is a network interception system in which a monitoring server is placed between a proxy server and a plurality of clients (each having a network …). The monitoring server stores a monitoring address list containing at least one monitored address. A calling end notifies the corresponding receiving end over the network via the proxy server, and the calling end and the receiving end begin transmitting packet data; when the address of the calling end matches a monitored address in the monitoring address list, the monitoring server immediately intercepts and records the traffic.

The known technique described above monitors only certain preset targets (for example, clients whose network address is in the monitoring address list). Clients whose network address has not been preset in the monitoring address list are not monitored in real time.

[Summary of the Invention]

Accordingly, an object of the present invention is to provide a network monitoring method.

The network monitoring method of the present invention comprises the following steps:

(a) obtaining analyzed packet information from at least one captured packet;

(b) comparing the analyzed packet information with a set of personnel correspondence tables to generate a real-time connection record that includes an identity field and at least one analysis information field, wherein the personnel correspondence tables include at least one identity code used as an index and the analysis information field records the analyzed packet information; if the personnel correspondence tables contain no data that at least partially matches the analyzed packet information, the identity field is recorded as a null value; otherwise, the personnel correspondence tables are updated with the analyzed packet information, and the identity code corresponding to the at least partially matching data is recorded in the identity field of the real-time connection record; and

(c) after steps (a) and (b) have been repeated for a predetermined time, reorganizing and updating the real-time connection records whose identity field is recorded as a null value, wherein step (c) comprises the following sub-steps:

(c-1) comparing one real-time connection record whose identity field is recorded as a null value with the personnel correspondence tables; if the tables contain data that at least partially matches the analyzed packet information recorded in the analysis information field of that record, updating the personnel correspondence tables with that analyzed packet information and updating the identity field of the record with the identity code corresponding to the at least partially matching data; otherwise, generating a new identity code for the record, updating the identity field of the record with the new identity code, and adding the updated record to the personnel correspondence tables; and

(c-2) repeating sub-step (c-1) until no identity field holds a null value.

Another object of the present invention is to provide a network monitoring system.

The network monitoring system of the present invention comprises a packet analysis module, a real-time connection record processing module, and a record reorganization and update module.

The packet analysis module receives at least one packet and obtains analyzed packet information from the packet.

The real-time connection record processing module compares the analyzed packet information with a set of personnel correspondence tables to generate a real-time connection record that includes an identity field and at least one analysis information field, wherein the personnel correspondence tables include at least one identity code used as an index and the analysis information field records the analyzed packet information. If the personnel correspondence tables contain no data that at least partially matches the analyzed packet information, the identity field is recorded as a null value; otherwise, the personnel correspondence tables are updated with the analyzed packet information, and the identity code corresponding to the at least partially matching data is recorded in the identity field of the real-time connection record.

The record reorganization and update module reorganizes and updates, after every predetermined time, the real-time connection records whose identity field is recorded as a null value. For each such record, the module compares the record with the personnel correspondence tables. If the tables contain data that at least partially matches the analyzed packet information recorded in the analysis information field of the record, the module updates the personnel correspondence tables with that analyzed packet information and updates the identity field of the record with the identity code corresponding to the at least partially matching data. Otherwise, it generates a new identity code for the record, updates the identity field of the record with the new identity code, and adds the updated record to the personnel correspondence tables.

By means of the real-time connection record processing module and the record reorganization and update module, the network behavior of any person not yet present in the personnel correspondence tables can also be monitored, so the object of the present invention is achieved.

[Embodiments]

The foregoing and other technical content, features and effects of the present invention will be clearly presented in the following detailed description of a preferred embodiment with reference to the drawings.

Referring to FIG. 1, the network monitoring system 1 of the present invention is applied in a network system architecture containing a plurality of network nodes 5. The network monitoring system 1 may be implemented in software, firmware, hardware, or a combination thereof, and is integrated into an electronic device 2. In this preferred embodiment, the network system architecture is an enterprise internal network, and the electronic device 2 is a network behavior and control server placed between the enterprise internal network and the external Internet. It collects packets on the network and analyzes them in order to further control network behavior.

Referring to FIG. 2, the network monitoring system 1 comprises a packet analysis module 11, a real-time connection record processing module 12, a record reorganization and update module 13, and a database 14.

The packet analysis module 11 receives a packet on the network and obtains analyzed packet information from the packet.

The real-time connection record processing module 12 compares the analyzed packet information with the personnel correspondence tables stored in the database 14 to generate a real-time connection record that includes an identity field and at least one analysis information field. The personnel correspondence tables include at least one identity code used as an index, and the analysis information field records the analyzed packet information. If the personnel correspondence tables contain no data matching the analyzed packet information, the real-time connection record processing module 12 records the identity field as a null value. If the personnel correspondence tables contain data matching the analyzed packet information, the corresponding identity code is written into the identity field. The real-time connection record processing module 12 stores the real-time connection record in the database 14 so that network administrators can query and monitor network behavior.

The record reorganization and update module 13 is connected to the database 14. After a predetermined time has elapsed, the record reorganization and update module 13 collects the real-time connection records whose identity field was recorded as a null value by the real-time connection record processing module 12, and compares them one by one with the personnel correspondence tables. If the tables contain data that at least partially matches the analyzed packet information recorded in the analysis information field of a record, the module updates the personnel correspondence tables with that analyzed packet information and updates the identity field of the record with the identity code corresponding to the at least partially matching data. Otherwise, it generates a new identity code for the record, updates the identity field of the record with the new identity code, and adds the updated record to the personnel correspondence tables. This continues until the identity field of every real-time connection record is no longer a null value.

Referring to FIGS. 2 and 3, the operation of the modules of the preferred embodiment of the network monitoring system 1 is described in detail below by way of a network monitoring method. The network monitoring method comprises the following steps.

In step S31, the packet analysis module 11 captures at least one packet on the network and analyzes the packet to obtain analyzed packet information. In this preferred embodiment, the analyzed packet information includes at least one of an authentication account, an Internet Protocol address, a Media Access Control address, and protocol information. Note that the analyzed packet information may take different forms for different network applications.

For example, if an employee whose authentication account is jason passes authentication and browses web pages, the analyzed packet information is as shown in Table 1, and the protocol information includes a web address. If an employee logs in to instant messaging (IM) software, the analyzed packet information is as shown in Table 2, and the protocol information includes an IM type and an IM account. If an employee sends mail, the analyzed packet information is as shown in Table 3, and the protocol information includes a mail account.

Table 1

IP | MAC | Web address | Authentication account |
---|---|---|---|
192.168.1.20 | 00:17:31:1A:DB:67 | http://tw.yahoo.com | Jason |

Table 2

IP | MAC | Type | IM account |
---|---|---|---|
192.168.1.30 | 00:16:35:1A:DD:67 | MSN | john@hotmail.com |

Table 3

IP | Mail account |
---|---|
192.168.1.40 | mary@hotmail.com |

In step S32, the real-time connection record processing module 12 compares the analyzed packet information with the personnel correspondence tables stored in the database 14. The personnel correspondence tables comprise a personnel basic data correspondence table, an IM account correspondence table, and a mail account correspondence table, each indexed by the identity code. In this preferred embodiment, the real-time connection record processing module 12 compares against the personnel correspondence tables in the following order: the authentication account, the mail account, the IM account, the Internet Protocol address, and the Media Access Control address. When any one of these comparisons succeeds (that is, the personnel correspondence tables contain data that at least partially matches the analyzed packet information), step S33 is performed; otherwise, step S34 is performed.

Continuing the example, assume that the personnel correspondence tables currently in the database 14 are as shown in Tables 4 to 6. For the analyzed packet information of Table 1, the authentication account is found in the personnel basic data correspondence table of Table 4, giving the corresponding identity code 2010072710100001. Similarly, for the analyzed packet information of Table 2, the IM account is found in the IM account correspondence table of Table 5, giving the corresponding identity code 2010072710100002. For the analyzed packet information of Table 3, the mail account finds no matching data in the mail account correspondence table of Table 6.

Table 4: Personnel basic data correspondence table

Identity code | Name | IP | MAC | Authentication account |
---|---|---|---|---|
2010072710100001 | Jason | 192.168.1.21 | 00:17:31:1a:DB:67 | jason |

Table 5: IM account correspondence table

Identity code | IM type | IM account |
---|---|---|
2010072710100002 | MSN | john@hotmail.com |

Table 6: Mail account correspondence table

Identity code | Mail account |
---|---|

In step S33, according to the comparison result of step S32, the real-time connection record processing module 12 generates a real-time connection record that includes an identity field and at least one analysis information field, and updates the personnel correspondence tables in the database 14 with the analyzed packet information. The identity field records the identity code obtained by comparing the analyzed packet information with the personnel correspondence tables, and the analysis information field records the analyzed packet information.

Continuing the example, the analyzed packet information of Table 1 produces the web real-time connection record shown in Table 7, and the analyzed packet information of Table 2 produces the IM real-time connection record shown in Table 8.

Table 7: Web real-time connection record

IP | MAC | Web address | Authentication account | Identity code |
---|---|---|---|---|
192.168.1.21 | 00:17:31:1A:DB:67 | http://tw.yahoo.com | jason | 2010072710100001 |

Table 8: IM real-time connection record

IP | MAC | Type | IM account | Authentication account | Identity code |
---|---|---|---|---|---|
192.168.1.30 | 00:16:35:1A:DD:67 | MSN | john@hotmail.com | | 2010072710100002 |

In step S34, according to the comparison result of step S32, the real-time connection record processing module 12 generates a real-time connection record that includes an identity field and at least one analysis information field, wherein the identity field is recorded as a null value and the analysis information field records the analyzed packet information.

Continuing the example, the analyzed packet information of Table 3 produces the mail real-time connection record shown in Table 9, whose identity field is recorded as a null value.

Table 9: Mail real-time connection record

IP | MAC | Mail account | Authentication account | Identity code |
---|---|---|---|---|
192.168.1.40 | 00:15:33:1A:BB:66 | mary@hotmail.com | | |

Note that the different types of real-time connection record that the real-time connection record processing module 12 generates according to the protocol information in the analyzed packet information (as shown in Tables 7, 8 and 9) are stored in the database 14 so that network administrators can query them.

In step S35, the record reorganization and update module 13 determines whether a predetermined time has elapsed. If the predetermined time has been reached, step S36 is performed; otherwise, the flow returns to step S31 and continues listening for packets on the network. In this preferred embodiment, the predetermined time is set to one hour.

In step S36, the record reorganization and update module 13 retrieves from the database 14 the real-time connection records whose identity field was recorded as a null value within the predetermined time, and groups these records according to at least one association key. For example, real-time connection records with the same Internet Protocol address are treated as one group, which makes it convenient for network administrators to monitor a specific group.

In step S37, the record reorganization and update module 13 compares the grouped real-time connection records whose identity field is recorded as a null value, one by one, with the personnel correspondence tables according to a comparison key. The comparison key can be customized by the administrator; in this preferred embodiment, the comparison key may be any one of the authentication account, the Internet Protocol address, or the Media Access Control address. If the comparison succeeds, step S38 is performed; otherwise, step S39 is performed.

Continuing the example, the record reorganization and update module 13 takes the mail real-time connection record shown in Table 9, whose identity field is recorded as a null value, and compares it with the personnel correspondence tables using any one of the authentication account, the Internet Protocol address, or the Media Access Control address as the key. Because no corresponding data exists for any of them, step S39 is performed next.

In step S38, the record reorganization and update module 13 writes the identity code obtained with the comparison key into the real-time connection record whose identity field was originally recorded as a null value, that is, it updates the identity field of the record with the corresponding identity code. It also updates the personnel correspondence tables in the database 14 with the analyzed packet information of the record.

In step S39, the record reorganization and update module 13 generates a new identity code, updates the identity field of the real-time connection record with the new identity code, and adds the updated record to the personnel correspondence tables in the database 14.

Continuing the example, for the mail real-time connection record shown in Table 9, a new identity code 2010072710100003 is generated and then written into both the mail real-time connection record of Table 9 and the mail account correspondence table of Table 6. The updated mail real-time connection record and the updated mail account correspondence table are shown in Tables 10 and 11, respectively.

… the network behavior of any person can be monitored. Furthermore, after the update every real-time connection record has a corresponding identity code, and network administrators can use the identity code as an index for the related monitoring, control and maintenance, which makes network management more user-friendly. The object of the present invention is therefore achieved.

The above is merely a preferred embodiment of the present invention and does not limit the scope in which the invention may be practiced. Simple equivalent changes and modifications made according to the claims and the description of the invention remain within the scope covered by this patent.

[Brief Description of the Drawings]

FIG. 1 is a network system architecture diagram illustrating a preferred embodiment of the network monitoring system of the present invention and a network system architecture in which the network monitoring system is applied;

FIG. 2 is a block diagram illustrating the preferred embodiment of the network monitoring system of the present invention; and

FIG. 3 is a flow chart illustrating the network monitoring method corresponding to the preferred embodiment.

[Description of Main Element Symbols]

- 1: network monitoring system
- 11: packet analysis module
- 12: real-time connection record processing module
- 13: record reorganization and update module
- 14: database
- 2: electronic device
- 5: network node
- S31~S40: steps
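The matching and reorganization flow of steps S32 to S39 described above, as an added Python example that is not part of the patent. All names (`CorrespondenceTable`, `record_connection`, `reorganize`, the field names) are hypothetical, the three correspondence tables are merged into one attribute dict per identity code, and the sample packets are constructed from the values shown in the description's tables.

```python
from itertools import count

# Matching order used for live traffic in the described embodiment (step S32).
LIVE_KEYS = ("auth_account", "mail_account", "im_account", "ip", "mac")
# Comparison keys the description allows for the periodic pass (step S37).
REORG_KEYS = ("auth_account", "ip", "mac")


def norm(value):
    """Compare identifiers case-insensitively (MACs and accounts vary in case)."""
    return value.strip().lower() if isinstance(value, str) else value


class CorrespondenceTable:
    """Personnel correspondence data indexed by identity code (hypothetical).

    Simplification: the basic-data, IM-account and mail-account tables are
    merged into one attribute dict per identity code.
    """

    def __init__(self, rows, next_code):
        self.rows = {code: {k: norm(v) for k, v in row.items()}
                     for code, row in rows.items()}
        self._codes = count(next_code)

    def lookup(self, info, keys):
        """Return the first identity code that shares a key value with info."""
        for key in keys:
            wanted = norm(info.get(key))
            if wanted is None:
                continue
            for code, row in self.rows.items():
                if row.get(key) == wanted:
                    return code
        return None

    def update(self, code, info):
        """Merge the identifying fields of info into the row for code."""
        row = self.rows.setdefault(code, {})
        for key in LIVE_KEYS:
            if info.get(key) is not None:
                row[key] = norm(info[key])

    def new_code(self):
        """Generate an identity code that is not yet in the table."""
        code = str(next(self._codes))
        while code in self.rows:
            code = str(next(self._codes))
        return code


def record_connection(table, log, info):
    """Steps S32-S34: match live traffic, log the record with a code or None."""
    code = table.lookup(info, LIVE_KEYS)
    if code is not None:
        table.update(code, info)          # S33: the table learns new attributes
    record = {"identity": code, **info}   # S34 when code is None
    log.append(record)
    return record


def reorganize(table, log, keys=REORG_KEYS):
    """Steps S36-S39: resolve every logged record whose identity is None."""
    groups = {}
    for record in log:                    # S36: group pending records by IP
        if record["identity"] is None:
            groups.setdefault(norm(record.get("ip")), []).append(record)
    resolved = 0
    for records in groups.values():
        for record in records:
            info = {k: v for k, v in record.items() if k != "identity"}
            code = table.lookup(info, keys)   # S37: compare by key
            if code is None:
                code = table.new_code()       # S39: previously unknown person
            table.update(code, info)          # S38/S39: update the table
            record["identity"] = code
            resolved += 1
    return resolved


def demo():
    """Run the flow on constructed packets modelled on the description."""
    table = CorrespondenceTable({
        "2010072710100001": {"auth_account": "jason", "ip": "192.168.1.21",
                             "mac": "00:17:31:1a:DB:67"},
        "2010072710100002": {"im_account": "john@hotmail.com"},
    }, next_code=2010072710100003)
    packets = [  # constructed sample input
        {"ip": "192.168.1.21", "mac": "00:17:31:1A:DB:67",
         "auth_account": "jason", "url": "http://tw.yahoo.com"},
        {"ip": "192.168.1.30", "mac": "00:16:35:1A:DD:67",
         "im_account": "john@hotmail.com"},
        {"ip": "192.168.1.40", "mac": "00:15:33:1A:BB:66",
         "mail_account": "mary@hotmail.com"},
        {"ip": "192.168.1.40", "mac": "00:15:33:1A:BB:66",
         "url": "http://example.com"},
    ]
    log = []
    live = [record_connection(table, log, p)["identity"] for p in packets]
    resolved = reorganize(table, log)
    return table, log, live, resolved


if __name__ == "__main__":
    table, log, live, resolved = demo()
    print("live identities:", live)
    print("after reorganization:", [r["identity"] for r in log])
```

Because IP addresses are reassigned over time, a record attributed only through the `ip` key deserves less confidence than one matched on an account, and an analyst reviewing these records should be able to see which key produced the match.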
Claims (1)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW99143007A TWI411263B (en) | 2010-12-09 | 2010-12-09 | Network monitoring method and its system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW99143007A TWI411263B (en) | 2010-12-09 | 2010-12-09 | Network monitoring method and its system |
Publications (2)
Publication Number | Publication Date |
---|---|
TW201225581A true TW201225581A (en) | 2012-06-16 |
TWI411263B TWI411263B (en) | 2013-10-01 |
Family
ID=46726237
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW99143007A TWI411263B (en) | 2010-12-09 | 2010-12-09 | Network monitoring method and its system |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI411263B (en) |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TW484282B (en) * | 2000-04-10 | 2002-04-21 | D Link Corp | Monitoring management method of network exchange system to the online frame |
GB2395090B (en) * | 2002-10-01 | 2006-04-05 | Ipwireless Inc | Arrangement and method for session control in wireless communication network |
US20070094374A1 (en) * | 2005-10-03 | 2007-04-26 | Snehal Karia | Enterprise-managed wireless communication |
IL189530A0 (en) * | 2007-02-15 | 2009-02-11 | Marvell Software Solutions Isr | Method and apparatus for deep packet inspection for network intrusion detection |
US8295188B2 (en) * | 2007-03-30 | 2012-10-23 | Extreme Networks, Inc. | VoIP security |
-
2010
- 2010-12-09 TW TW99143007A patent/TWI411263B/en active
Also Published As
Publication number | Publication date |
---|---|
TWI411263B (en) | 2013-10-01 |