
A method for analyzing TCP flow long connection data

A technology for connecting data and analysis methods, applied in transmission systems, electrical components, etc., can solve problems such as flow data loss

Active Publication Date: 2021-06-25
全知科技(杭州)有限责任公司

AI Technical Summary

Problems solved by technology

At present, most protocol analysis techniques applied to mirrored traffic require, or are based on, a complete TCP session. Data transmitted on a connection that was already established is generally ignored and not processed, so the traffic data of currently established connections is lost.


Embodiment Construction

[0016] The present invention will be further described below.

[0017] Application-layer protocols all have a defined message format, and within a long connection there are generally no obvious distinguishing features between the multiple messages. Taking HTTP as an example, the message format is divided into three parts: the first line, the header (Header), and the body (Body). These three parts are separated by CRLF (carriage return and line feed), and the header part itself contains multiple CRLF-separated lines in Key-Value form.

[0018] The message format is the same for both the client and the server; the first lines are, respectively, the first line of the HTTP request and the first line of the HTTP response. The first line of an HTTP request consists of method, path, and version, separated by spaces. The first line of an HTTP response consists of version number, status code, and status text, separated by spaces.

[0019] According to the location and characte...


Abstract

The invention discloses a method for analyzing TCP flow long-connection data. For the data flow of an already established TCP connection, a session is created from the four-tuple information and a small amount of TCP data is cached; packet boundaries and port number information are used to inspect the content and match the characteristics of known protocols; the direction of the connection is then determined from the content parsed by the protocol, the IP addresses and the port information; the protocol message is parsed completely and the boundary of the message body is identified; and simulated handshake connection information is added to the existing communication analysis process, which stays compatible with the standard TCP communication protocol and continues to parse subsequent valid data. The invention solves the problem of identifying the protocol of, parsing, and restoring valid data from connections that are already established in the traffic, and restores the complete session behavior of the application-layer protocol in network flow data, which serves as an information source for behavior audit and risk discovery. For data flows on unknown system services, it serves as an information source for discovering data-flow associations.
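The direction-detection step in the abstract, combined with the HTTP first-line formats from paragraphs [0017] and [0018], can be sketched as follows. This is an added example, not code from the patent: the function names, the segment tuple layout, the `cache_limit` parameter and the sample traffic are all assumptions, and only HTTP is recognized.

```python
import re

# First-line formats from [0018]: request = method, path, version;
# response = version, status code, status text; space separated, CRLF ended.
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d\r\n")
RESPONSE_LINE = re.compile(rb"^HTTP/\d\.\d \d{3} [^\r\n]*\r\n")


def classify_segment(payload):
    """Return 'request', 'response' or None for one TCP segment payload."""
    if REQUEST_LINE.match(payload):
        return "request"
    if RESPONSE_LINE.match(payload):
        return "response"
    return None


def orient_session(segments, cache_limit=8):
    """Infer client and server for a flow first seen mid-stream (no SYN seen).

    segments: list of (src_ip, src_port, dst_ip, dst_port, payload) tuples
    (hypothetical layout). Only the first cache_limit payload-bearing
    segments are inspected, mirroring the "small amount of cached data".
    Returns client, server and the index where parsing can start, or None.
    """
    seen = 0
    for index, (sip, sport, dip, dport, payload) in enumerate(segments):
        if not payload:
            continue  # bare ACKs carry no application data
        seen += 1
        if seen > cache_limit:
            break
        kind = classify_segment(payload)
        if kind == "request":  # sender of a request is the client
            return {"client": (sip, sport), "server": (dip, dport), "start": index}
        if kind == "response":  # sender of a response is the server
            return {"client": (dip, dport), "server": (sip, sport), "start": index}
    return None


# Constructed sample: the capture begins in the middle of a response body.
SAMPLE = [
    ("10.0.0.5", 8080, "10.0.0.9", 51514, b'"name": "x"}]}'),
    ("10.0.0.9", 51514, "10.0.0.5", 8080, b"GET /api/items HTTP/1.1\r\nHost: svc\r\n\r\n"),
    ("10.0.0.5", 8080, "10.0.0.9", 51514, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\n{}"),
]
```

Segments before the returned `start` index belong to a message whose first line was never captured, so a parser would skip them and begin at the first recognized message boundary.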

Description

Technical field

[0001] The invention belongs to the field of network connection analysis, and in particular relates to a method for analyzing TCP flow long-connection data.

Background technique

[0002] In the common network communication process, a TCP client initiates a network connection, connects to the server, exchanges data using a specific protocol, and closes the connection when finished. A server facing terminals sees a large number of such connection setup and teardown operations. For system services with heavy traffic, a single server usually cannot complete the task, so multiple servers provide the service equally behind a proxy. Long-lived TCP connections are established in time, and customer requests are answered and served over these connections. The lifetime of these long connections can range from minutes to hours or days. At present, most protocol analysis techniques applied to mirrored traffic require, or are bas...


Application Information

Patent Type & Authority: Patents (China)
IPC: IPC(8): H04L29/06, H04L29/08
Inventor: 梁永喜
Owner: 全知科技(杭州)有限责任公司