
CN111786985A - Method, device and storage medium for analyzing TCP and UDP data - Google Patents


Info

Publication number
CN111786985A
Authority
CN
China
Prior art keywords
data
packet
parsing
analysis
function
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010599585.9A
Other languages
Chinese (zh)
Other versions
CN111786985B (en
Inventor
高华东
李侠林
叶立震
李山
张永光
朱聚江
魏炜途
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Public Security Bureau Network Police Detachment
Xiamen Meiya Pico Information Co Ltd
Original Assignee
Xiamen Meiya Pico Information Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xiamen Meiya Pico Information Co Ltd
Priority to CN202010599585.9A
Publication of CN111786985A
Application granted
Publication of CN111786985B
Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method, a device and a storage medium for parsing TCP and UDP data. A parsing parent class and parsing subclasses are established according to different known application software, wherein the parsing parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each parsing subclass comprises the first-packet feature and the parsing method of the corresponding known application software. The protocol type of the data to be parsed is determined, and a queue is formed from the known application software in the parsing subclasses and their first-packet features according to the protocol type. The first packet data of the data to be parsed is acquired, and the first function or the second function is called according to the protocol type to match the features of the first packet data against the first-packet features in the queue. If a matching first-packet feature exists, the data to be parsed is parsed with the parsing method of the known application software corresponding to the matched first-packet feature, the application software to which the data belongs is determined from the parsing result, and the content of the data to be parsed is obtained, thereby realizing the parsing of TCP/UDP data.

Description

Method, device and storage medium for analyzing TCP and UDP data
Technical Field
The invention relates to the field of data analysis, in particular to a method, a device and a storage medium for analyzing TCP and UDP data.
Background
In today's era of explosive network growth, most data is still transmitted over HTTP, but more and more enterprises have begun to pay attention to the security of user data. They have therefore abandoned traditional plaintext HTTP and switched client-server communication to the TCP/UDP protocols, adding their own protocol formats on top; some also combine conventional encryption schemes with proprietary protocol formats, or use SSL encryption, to protect data.
At present, big data computation pervades every corner of life and people pay more and more attention to the protection of data privacy. This demand pushes enterprises to move away from HTTP data transmission and to communicate over the TCP/UDP protocols instead. Faced with the growing number of TCP/UDP-based or proprietary protocol formats, recovering this data from massive volumes of traffic is therefore also in great demand.
The biggest difference between protocols carried directly over TCP/UDP and HTTP is that HTTP has a fixed format, with characteristic fields such as Host and Url, whereas TCP/UDP payloads have no fixed format. Parsing TCP/UDP data therefore requires analyzing the protocol data of each App and then parsing the data according to that analysis; but because every App's protocol is unique, analyzing each App one by one is difficult.
In view of the above, establishing a method and device for parsing TCP and UDP data is of great significance.
Disclosure of Invention
To address the problems that the TCP/UDP protocols have no fixed format, that each App has its own transmission protocol, and that parsing approaches are not uniform, an object of the embodiments of the present application is to provide a method, a device and a storage medium for parsing TCP and UDP data that solve the technical problems mentioned in the Background above.
In a first aspect, an embodiment of the present application provides a method for parsing TCP and UDP data, including the following steps:
S1: establishing a parsing parent class and parsing subclasses according to different known application software, wherein the parsing parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each parsing subclass comprises the first-packet feature and the parsing method of the corresponding known application software;
S2: determining the protocol type of the data to be parsed, and forming a queue from the known application software in the parsing subclasses and their first-packet features according to the protocol type;
S3: acquiring the first packet data of the data to be parsed, and calling the first function or the second function according to the protocol type to match the features of the first packet data against the first-packet features in the queue; and
S4: if a matching first-packet feature exists, parsing the data to be parsed with the parsing method of the known application software corresponding to the matched first-packet feature, determining from the parsing result which application software the data to be parsed belongs to, and obtaining the content of the data to be parsed.
In some embodiments, the parsing parent class and the parsing subclasses are established in step S1 by analyzing the first-packet features of different known application software; the first function and the second function are virtual functions defined in the parsing parent class, and the parsing subclasses inherit the virtual functions of the parsing parent class. In this way the feature check of every App is integrated into a unified interface: the first function and the second function serve as the interfaces, TCP data is always checked by calling the first function, and UDP data is always checked by calling the second function.
In some embodiments, calling the first function in the parsing parent class dispatches to the known application software, first-packet features and parsing methods in the parsing subclasses that correspond to the TCP protocol, and calling the second function in the parsing parent class dispatches to the known application software, first-packet features and parsing methods in the parsing subclasses that correspond to the UDP protocol. Because the first function and the second function are virtual, they resolve to the content of the corresponding parsing subclass, and the data to be parsed is filtered according to the known application software and its first-packet feature.
In some embodiments, in step S3, the first function is called if the protocol type is TCP, and the second function is called if the protocol type is UDP. Step S2 makes a preliminary determination of the protocol type of the data to be parsed and thereby pre-screens it; different virtual functions are then called according to the protocol type to filter the data to be parsed.
In some embodiments, in step S3, the features of the first packet data are matched against the first-packet features in the queue; if they match, the parsing method of the known application software corresponding to that first-packet feature is called to parse the data to be parsed, and if they do not match, step S3 is repeated. By comparing against the first-packet features of known application software, data that does not conform can be filtered out and the remaining data parsed with the corresponding parsing method, so that it is finally determined which known application software transmitted the data to be parsed and the specific content of the data is restored.
In a second aspect, an embodiment of the present application further provides an apparatus for parsing TCP and UDP data, including:
a parsing class establishing module, configured to establish a parsing parent class and parsing subclasses according to different known application software, wherein the parsing parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each parsing subclass comprises the first-packet feature and the parsing method of the corresponding known application software;
a queue forming module, configured to determine the protocol type of the data to be parsed and to form a queue from the known application software in the parsing subclasses and their first-packet features according to the protocol type;
a feature matching module, configured to acquire the first packet data of the data to be parsed and to call the first function or the second function according to the protocol type to match the features of the first packet data against the first-packet features in the queue; and
a parsing module, configured to, if a matching first-packet feature exists, parse the data to be parsed with the parsing method of the known application software corresponding to the matched first-packet feature, determine from the parsing result which application software the data to be parsed belongs to, and obtain the content of the data to be parsed.
In some embodiments, the parsing class establishing module establishes the parsing parent class and the parsing subclasses by analyzing the first-packet features of different known application software; the first function and the second function are virtual functions defined in the parsing parent class, and the parsing subclasses inherit the virtual functions of the parsing parent class.
In some embodiments, calling the first function in the parsing parent class dispatches to the known application software, first-packet features and parsing methods in the parsing subclasses that correspond to the TCP protocol, and calling the second function in the parsing parent class dispatches to the known application software, first-packet features and parsing methods in the parsing subclasses that correspond to the UDP protocol.
In some embodiments, in the feature matching module, the first function is called if the protocol type is TCP, and the second function is called if the protocol type is UDP.
In some embodiments, the feature matching module matches the features of the first packet data against the first-packet features in the queue; if they match, the data to be parsed is parsed with the parsing method of the known application software corresponding to that first-packet feature, and if they do not match, the steps in the feature matching module are repeated.
In a third aspect, the present application provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the method described in any implementation of the first aspect.
The invention discloses a method and a device for parsing TCP and UDP data. A parsing parent class and parsing subclasses are established according to different known application software, wherein the parsing parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each parsing subclass comprises the first-packet feature and the parsing method of the corresponding known application software. The protocol type of the data to be parsed is determined, and a queue is formed from the known application software in the parsing subclasses and their first-packet features according to the protocol type. The first packet data of the data to be parsed is acquired, and the first function or the second function is called according to the protocol type to match the features of the first packet data against the first-packet features in the queue. If a matching first-packet feature exists, the data to be parsed is parsed with the parsing method of the known application software corresponding to the matched first-packet feature, the application software to which the data belongs is determined from the parsing result, and the content of the data to be parsed is obtained. Because every App's protocol is unique, the first-packet features of each protocol are integrated into a unified interface and then parsed, which achieves the goal of parsing the TCP/UDP data of various Apps.
As more and more Apps exchange data over proprietary protocols, parsing of TCP/UDP data protocols is achieved by identifying and parsing each protocol according to its features and the App's first packet. By checking first-packet features, useless and invalid data is filtered out quickly, which relieves pressure on the data acquisition layer and the data storage layer. The method also makes it possible to restore the data of each App on the market from massive volumes of data.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is an exemplary device architecture diagram to which one embodiment of the present application may be applied;
FIG. 2 is a flow chart of a method for parsing TCP and UDP data according to an embodiment of the present invention;
FIG. 3 is a diagram of a device for parsing TCP and UDP data according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a computer device suitable for implementing the electronic device of the embodiments of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 shows an exemplary device architecture 100 to which the method of parsing TCP and UDP data or the device parsing TCP and UDP data of the embodiments of the present application may be applied.
As shown in fig. 1, the apparatus architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. Various applications, such as data processing type applications, file processing type applications, etc., may be installed on the terminal apparatuses 101, 102, 103.
The terminal devices 101, 102, and 103 may be hardware or software. When the terminal devices 101, 102, 103 are hardware, they may be various electronic devices including, but not limited to, smart phones, tablet computers, laptop computers, desktop computers, and the like. When the terminal devices 101, 102, 103 are software, they can be installed in the electronic devices listed above, and may be implemented as multiple pieces of software or software modules (e.g., software or software modules used to provide distributed services) or as a single piece of software or software module. This is not specifically limited here.
The server 105 may be a server that provides various services, such as a background data processing server that processes files or data uploaded by the terminal devices 101, 102, 103. The background data processing server can process the acquired file or data to generate a processing result.
The method for parsing TCP and UDP data provided in the embodiment of the present application may be executed by the server 105, or may be executed by the terminal devices 101, 102, and 103, and accordingly, the apparatus for parsing TCP and UDP data may be disposed in the server 105, or may be disposed in the terminal devices 101, 102, and 103.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation. In the case where the processed data does not need to be acquired from a remote location, the above device architecture may not include a network, but only a server or a terminal device.
Fig. 2 illustrates a method for parsing TCP and UDP data, disclosed in an embodiment of the present application, including the following steps:
S1: establishing a parsing parent class and parsing subclasses according to different known application software, wherein the parsing parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and each parsing subclass comprises the first-packet feature and the parsing method of the corresponding known application software;
S2: determining the protocol type of the data to be parsed, and forming a queue from the known application software in the parsing subclasses and their first-packet features according to the protocol type;
S3: acquiring the first packet data of the data to be parsed, and calling the first function or the second function according to the protocol type to match the features of the first packet data against the first-packet features in the queue; and
S4: if a matching first-packet feature exists, parsing the data to be parsed with the parsing method of the known application software corresponding to the matched first-packet feature, determining from the parsing result which application software the data to be parsed belongs to, and obtaining the content of the data to be parsed.
In a specific embodiment, in step S1, the parsing parent class and the parsing subclasses are established by analyzing the first-packet features of different known application software; the first function and the second function are virtual functions defined in the parsing parent class, and the parsing subclasses inherit the virtual functions of the parsing parent class. Known application software includes Apps such as QQ, WeChat and DingTalk, each of which may be a mobile version or a desktop version. The parsing parent class is a base class, and each parsing subclass inherits the methods of the parsing parent class when it is established. Each parsing subclass may contain its own methods. The interface of the parsing parent class can be called uniformly during parsing, but it is not implemented in the parent class; it is implemented in the parsing subclasses. Because the features of each parsing subclass differ, each subclass implements the method differently, and uniform calling is still possible. The first packet data of each App is analyzed to obtain the corresponding first-packet feature, and the Apps are classified by transport protocol into TCP and UDP. A first function is defined in the parsing parent class for the TCP protocol, and the parsing subclasses establish the known application software, first-packet features and parsing methods corresponding to the TCP protocol as well as those corresponding to the UDP protocol.
In this way the feature check of every App is integrated into a unified interface: the first function and the second function serve as the interfaces of the parsing parent class, TCP data is always checked by calling the first function, and UDP data is always checked by calling the second function.
In a specific embodiment, calling the first function in the parsing parent class dispatches to the known application software, first-packet features and parsing methods in the parsing subclasses that correspond to the TCP protocol, and calling the second function in the parsing parent class dispatches to the known application software, first-packet features and parsing methods in the parsing subclasses that correspond to the UDP protocol. Because the first function and the second function are virtual, they resolve to the content of the corresponding parsing subclass, and the data to be parsed is filtered according to the known application software and its first-packet feature.
Step S2 makes a preliminary determination of the protocol type of the data to be parsed and thereby pre-screens it; different virtual functions are then called according to the protocol type to filter the data to be parsed. If the data to be parsed is TCP data, the first function is called as the interface, and the known application software, first-packet features and parsing methods corresponding to the TCP protocol in the parsing subclasses are initialized and formed into a queue; if the data to be parsed is UDP data, the second function is called as the interface, and the known application software, first-packet features and parsing methods corresponding to the UDP protocol in the parsing subclasses are initialized and formed into a queue. During initialization each App inherits the feature-checking interface of the parsing parent class, and it is placed into the queue once initialization is complete. The queue established in this example is shown in Table 1:
TABLE 1
[Table 1 is an image in the original publication; its contents are not reproduced here.]
During initialization, App1, App3 and App5 implement the first function as their interface, App2, App4 and App6 implement the second function as their interface, and they are placed into the queue in sequence.
In a specific embodiment, in step S3, the first function is called if the protocol type is TCP, and the second function is called if the protocol type is UDP. In a specific embodiment, in step S3, the features of the first packet data are matched against the first-packet features in the queue; if they match, the parsing method of the known application software corresponding to that first-packet feature is called to parse the data to be parsed, and if they do not match, step S3 is repeated. By comparing against the first-packet features of known application software, data that does not conform can be filtered out and the remaining data parsed with the corresponding parsing method, so that it is finally determined which known application software transmitted the data to be parsed and the specific content of the data is restored.
In the above example, suppose the data to be parsed is TCP data and the feature of its first packet data is 3. The first function of the first parsing parent class in the queue is called; its first-packet feature 1 does not match feature 3 of the data to be parsed, so matching continues with the next entry. The second and third parsing parent classes in the queue do not implement the first function, only the second function, so matching moves straight on. The first function of the fourth parsing parent class in the queue is then called; its first-packet feature 3 matches feature 3 of the data to be parsed, so the data to be parsed is judged to come from App4. However, the same first-packet feature may correspond to different known application software with different parsing methods. Therefore, after filtering by first-packet feature, the specific parsing method is still needed for the final determination: if the data to be parsed can be parsed by the corresponding parsing method, it is confirmed to have been transmitted by that known application software, and it is parsed with that software's parsing method to obtain its content. Here, the parsing method corresponding to App4 is called on the data to be parsed to further confirm that it comes from App4, and App4's parsing method is then used to parse the data and obtain its content.
With this method, useless data is filtered out quickly: data that does not conform is discarded by the first-packet feature check, protocol restoration is achieved, unknown data can be attributed to a specific known application software, and information extraction becomes possible, so that the specific content of the data to be parsed can be parsed in detail.
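The dispatch described in steps S1 to S4 can be sketched in C++ as follows. This is an added example, not code from the patent: the applications AppA, AppB and AppC, their magic bytes and their wire formats are constructed for illustration. AppA and AppB deliberately share one first-packet feature to show why a feature hit must still be confirmed by the parsing method.

```cpp
// Added illustration: AppA/AppB/AppC and their formats are constructed, not real protocols.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <memory>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
enum class Proto { TCP, UDP };
struct Result { std::string app, content; };   // app stays empty when nothing matched

static bool has_prefix(const Bytes& d, std::initializer_list<uint8_t> p) {
    return d.size() >= p.size() && std::equal(p.begin(), p.end(), d.begin());
}

// Parsing parent class. The first function (TCP) and second function (UDP) are
// virtual and default to "no match"; each subclass overrides the one it supports.
class AppParser {
public:
    virtual ~AppParser() = default;
    virtual bool match_tcp(const Bytes&) const { return false; }   // first function
    virtual bool match_udp(const Bytes&) const { return false; }   // second function
    virtual Proto proto() const = 0;
    virtual std::string name() const = 0;
    // Parsing method: returns false when the data does not fit this App's format.
    virtual bool parse(const Bytes& d, std::string& out) const = 0;
};

// AppA (TCP): magic 02 10 | 1-byte length | payload of exactly that length.
class AppA : public AppParser {
public:
    bool match_tcp(const Bytes& d) const override { return has_prefix(d, {0x02, 0x10}); }
    Proto proto() const override { return Proto::TCP; }
    std::string name() const override { return "AppA"; }
    bool parse(const Bytes& d, std::string& out) const override {
        if (d.size() < 3 || d.size() != 3u + d[2]) return false;   // declared length must fit
        out.assign(d.begin() + 3, d.end()); return true;
    }
};

// AppB (TCP): same magic 02 10 as AppA, but the payload is terminated by 03.
class AppB : public AppParser {
public:
    bool match_tcp(const Bytes& d) const override { return has_prefix(d, {0x02, 0x10}); }
    Proto proto() const override { return Proto::TCP; }
    std::string name() const override { return "AppB"; }
    bool parse(const Bytes& d, std::string& out) const override {
        if (d.size() < 3 || d.back() != 0x03) return false;        // terminator required
        out.assign(d.begin() + 2, d.end() - 1); return true;
    }
};

// AppC (UDP): ASCII "QX" | payload.
class AppC : public AppParser {
public:
    bool match_udp(const Bytes& d) const override { return has_prefix(d, {'Q', 'X'}); }
    Proto proto() const override { return Proto::UDP; }
    std::string name() const override { return "AppC"; }
    bool parse(const Bytes& d, std::string& out) const override {
        if (d.size() < 2) return false;
        out.assign(d.begin() + 2, d.end()); return true;
    }
};

using Registry = std::vector<std::unique_ptr<AppParser>>;

Registry make_registry() {   // S1: one subclass instance per known application
    Registry r;
    r.emplace_back(new AppA()); r.emplace_back(new AppC()); r.emplace_back(new AppB());
    return r;
}

// S2: queue only the subclasses registered for the observed transport protocol.
std::vector<const AppParser*> build_queue(const Registry& reg, Proto p) {
    std::vector<const AppParser*> q;
    for (const auto& a : reg) if (a->proto() == p) q.push_back(a.get());
    return q;
}

// S3 + S4: a first-packet feature hit only nominates a candidate; the App is
// attributed only if its parsing method also accepts the data.
Result identify(const Registry& reg, Proto p, const Bytes& first_packet) {
    for (const AppParser* a : build_queue(reg, p)) {
        bool hit = (p == Proto::TCP) ? a->match_tcp(first_packet) : a->match_udp(first_packet);
        std::string content;
        if (hit && a->parse(first_packet, content)) return {a->name(), content};
    }
    return {};
}

int main() {
    Registry reg = make_registry();
    Result r = identify(reg, Proto::TCP, Bytes{0x02, 0x10, 'h', 'i', 0x03});  // constructed packet
    std::printf("%s: %s\n", r.app.empty() ? "unknown" : r.app.c_str(), r.content.c_str());
}
```

Every parsing method here checks lengths before indexing, since the input is untrusted network data that merely resembles a known first packet.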
Corresponding to the method for parsing TCP and UDP data described in the foregoing embodiment, an embodiment of the present application further provides an apparatus for parsing TCP and UDP data, as shown in fig. 3, including:
an analysis class establishing module 1, configured to establish an analysis parent class and an analysis child class according to different known application software, wherein the analysis parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and the analysis child class comprises the first packet feature and the parsing method corresponding to the known application software;
a queue forming module 2, configured to determine the protocol type of the data to be analyzed, and to form the known application software and the first packet features in the analysis child class into a queue according to the protocol type;
a feature matching module 3, configured to acquire the first packet data of the data to be analyzed, and to call the first function or the second function according to the protocol type so as to match the features of the first packet data against the first packet features in the queue; and
an analysis module 4, configured to, if a feature matching a first packet feature exists, parse the data to be analyzed using the parsing method of the known application software corresponding to the matched first packet feature, determine the application software corresponding to the data to be analyzed according to the parsing result, and obtain the content of the data to be analyzed.
In a specific embodiment, the parsing class establishing module 1 establishes the parsing parent class and the parsing child class by analyzing the first packet features of different known application software; the first function and the second function are virtual functions defined in the parsing parent class, and the parsing child class inherits the virtual functions of the parsing parent class.
In a specific embodiment, calling the first function in the parsing parent class points to the known application software, the first packet feature and the parsing method in the parsing child class that correspond to the TCP protocol, and calling the second function in the parsing parent class points to the known application software, the first packet feature and the parsing method in the parsing child class that correspond to the UDP protocol.
In a specific embodiment, in the feature matching module 3, if the protocol type is the TCP protocol, the first function is called, and if the protocol type is the UDP protocol, the second function is called.
In a specific embodiment, the feature matching module 3 matches the features of the first packet data against the first packet features in the queue; if they match, the data to be analyzed is parsed using the parsing method of the known application software corresponding to the matched first packet feature, and if they do not match, the steps in the feature matching module 3 are repeated.
The invention discloses a method and a device for parsing TCP and UDP data, wherein an analysis parent class and an analysis child class are established according to different known application software, the analysis parent class comprising a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and the analysis child class comprising the first packet feature and the parsing method corresponding to the known application software; the protocol type of the data to be analyzed is determined, and the known application software and the first packet features in the analysis child class are formed into a queue according to the protocol type; the first packet data of the data to be analyzed is acquired, and the first function or the second function is called according to the protocol type to match the features of the first packet data against the first packet features in the queue; if a feature matching a first packet feature exists, the data to be analyzed is parsed using the parsing method of the known application software corresponding to the matched first packet feature, the application software corresponding to the data to be analyzed is determined according to the parsing result, and the content of the data to be analyzed is obtained. Based on the uniqueness of each App protocol, the first packet features of each protocol are integrated behind a unified interface and then parsed, so that TCP/UDP data of various Apps can be parsed.
As more and more Apps adopt private protocols for data interaction, parsing of TCP/UDP data protocols is achieved by identifying and analyzing the features of each protocol and of each App's first packet; by checking the first packet features, useless and invalid data are quickly filtered out, which relieves the pressure on the data acquisition layer and the data storage layer. The method also makes it possible to restore the data of each App on the market from mass data.
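The structure described above can be illustrated with the following C++ example, which is added here and is not code from the patent. The class names, the `Speaks()` helper used to build the per-protocol queue, and the "AppA" and "AppB" first packet signatures are all hypothetical and constructed for the illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

enum class Proto { TCP, UDP };
using Bytes = std::vector<uint8_t>;
struct Result { bool matched; std::string app, content; };

// Parsing parent class. MatchTcp plays the "first function" and MatchUdp the
// "second function"; both default to no-match so a child overrides only its transport.
struct ParserBase {
    virtual ~ParserBase() = default;
    virtual std::string Name() const = 0;
    virtual bool Speaks(Proto p) const = 0;  // assumption: used to build the queue
    virtual bool MatchTcp(const Bytes&) const { return false; }
    virtual bool MatchUdp(const Bytes&) const { return false; }
    virtual bool Parse(const Bytes& pkt, std::string& out) const = 0;
};

// Hypothetical TCP app: magic A1 B2, version 01, 2-byte big-endian length, body.
struct AppAParser : ParserBase {
    std::string Name() const override { return "AppA"; }
    bool Speaks(Proto p) const override { return p == Proto::TCP; }
    bool MatchTcp(const Bytes& b) const override {
        return b.size() >= 5 && b[0] == 0xA1 && b[1] == 0xB2 && b[2] == 0x01;
    }
    bool Parse(const Bytes& b, std::string& out) const override {
        if (b.size() < 5) return false;
        std::size_t len = (static_cast<std::size_t>(b[3]) << 8) | b[4];
        if (len > b.size() - 5) return false;  // declared length exceeds the capture
        out.assign(b.begin() + 5, b.begin() + 5 + len);
        return true;
    }
};

// Hypothetical UDP app: ASCII "QX", a zero flag byte, one reserved byte, body.
struct AppBParser : ParserBase {
    std::string Name() const override { return "AppB"; }
    bool Speaks(Proto p) const override { return p == Proto::UDP; }
    bool MatchUdp(const Bytes& b) const override {
        return b.size() >= 4 && b[0] == 'Q' && b[1] == 'X' && b[2] == 0x00;
    }
    bool Parse(const Bytes& b, std::string& out) const override {
        if (b.size() >= 4) out.assign(b.begin() + 4, b.end());
        return b.size() >= 4;
    }
};

class Classifier {
    std::vector<std::unique_ptr<ParserBase>> parsers_;
public:
    void Register(std::unique_ptr<ParserBase> p) { parsers_.push_back(std::move(p)); }
    // S2: queue only the children whose application uses this transport.
    std::vector<const ParserBase*> Queue(Proto proto) const {
        std::vector<const ParserBase*> q;
        for (const auto& p : parsers_) if (p->Speaks(proto)) q.push_back(p.get());
        return q;
    }
    // S3/S4: match the first packet against the queue, parse on a hit.
    Result Analyze(Proto proto, const Bytes& first) const {
        for (const ParserBase* p : Queue(proto)) {
            bool hit = proto == Proto::TCP ? p->MatchTcp(first) : p->MatchUdp(first);
            std::string body;
            if (hit && p->Parse(first, body)) return {true, p->Name(), body};
        }
        return {false, "", ""};  // nothing matched: the flow is filtered out
    }
};

// Registers the two constructed parsers and analyzes one first packet.
Result AnalyzeDemo(Proto proto, const Bytes& first) {
    Classifier c;
    c.Register(std::make_unique<AppAParser>());
    c.Register(std::make_unique<AppBParser>());
    return c.Analyze(proto, first);
}

int main() {  // constructed sample: an AppA first packet carrying "hi"
    Result r = AnalyzeDemo(Proto::TCP, {0xA1, 0xB2, 0x01, 0x00, 0x02, 'h', 'i'});
    std::cout << (r.matched ? r.app + ": " + r.content : "unmatched") << "\n";
}
```

The length check in `AppAParser::Parse` matters in practice: a first packet can carry a valid signature and still declare more payload than was captured, and such a flow is treated as unmatched here.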
Referring now to fig. 4, a schematic diagram of a computer apparatus 400 suitable for use in implementing an electronic device (e.g., the server or terminal device shown in fig. 1) according to an embodiment of the present application is shown. The electronic device shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 4, the computer apparatus 400 includes a Central Processing Unit (CPU) 401 and a Graphics Processing Unit (GPU) 402, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 403 or a program loaded from a storage section 409 into a Random Access Memory (RAM) 404. In the RAM 404, various programs and data necessary for the operation of the apparatus 400 are also stored. The CPU 401, GPU 402, ROM 403, and RAM 404 are connected to each other via a bus 405. An input/output (I/O) interface 406 is also connected to the bus 405.
The following components are connected to the I/O interface 406: an input section 407 including a keyboard, a mouse, and the like; an output section 408 including a display such as a Liquid Crystal Display (LCD) and a speaker; a storage section 409 including a hard disk and the like; and a communication section 410 including a network interface card such as a LAN card, a modem, or the like. The communication section 410 performs communication processing via a network such as the internet. A drive 411 may also be connected to the I/O interface 406 as needed. A removable medium 412 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 411 as necessary, so that a computer program read out therefrom is installed into the storage section 409 as necessary.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 410, and/or installed from the removable medium 412. The computer program performs the above-described functions defined in the method of the present application when executed by the Central Processing Unit (CPU) 401 and the Graphics Processing Unit (GPU) 402.
It should be noted that the computer readable medium described herein can be a computer readable signal medium or a computer readable storage medium or any combination of the two. The computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based devices that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present application may be implemented by software or hardware. The modules described may also be provided in a processor.
As another aspect, the present application also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: establishing an analysis parent class and an analysis child class according to different known application software, wherein the analysis parent class comprises a first function corresponding to a TCP protocol and a second function corresponding to a UDP protocol respectively, and the analysis child class comprises a first packet characteristic corresponding to the known application software and an analysis method; judging the protocol type of the data to be analyzed, and forming a queue by known application software in the analysis subclass and the first packet characteristic according to the protocol type; acquiring first packet data of data to be analyzed, and calling a first function or a second function according to the protocol type to match the characteristics of the first packet data with the characteristics of the first packet in the queue; and if the characteristics matched with the first packet characteristics exist, analyzing the data to be analyzed by adopting an analysis method of known application software corresponding to the matched first packet characteristics, judging the application software corresponding to the data to be analyzed according to an analysis result, and obtaining the content of the data to be analyzed.
The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention herein disclosed is not limited to the particular combination of features described above, but also encompasses other arrangements formed by any combination of the above features or their equivalents without departing from the spirit of the invention. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.

Claims (11)

1. A method for parsing TCP and UDP data, comprising the steps of:
S1: establishing an analysis parent class and an analysis child class according to different known application software, wherein the analysis parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and the analysis child class comprises a first packet feature and a parsing method corresponding to the known application software;
S2: determining the protocol type of the data to be analyzed, and forming the known application software and the first packet features in the analysis child class into a queue according to the protocol type;
S3: acquiring the first packet data of the data to be analyzed, and calling the first function or the second function according to the protocol type to match the features of the first packet data against the first packet features in the queue; and
S4: if a feature matching the first packet feature exists, parsing the data to be analyzed using the parsing method of the known application software corresponding to the matched first packet feature, determining the application software corresponding to the data to be analyzed according to the parsing result, and obtaining the content of the data to be analyzed.
2. The method according to claim 1, wherein the parsing parent class and the parsing child class are established in step S1 by analyzing the first packet characteristics of different known applications, the first function and the second function are virtual functions defined in the parsing parent class, and the parsing child class inherits the virtual functions of the parsing parent class.
3. The method of parsing TCP and UDP data as recited in claim 1, wherein invoking the first function in the parsing parent class points to the known application, the first packet feature and the parsing method in the parsing child class corresponding to TCP protocol, and invoking the second function in the parsing parent class points to the known application, the first packet feature and the parsing method in the parsing child class corresponding to UDP protocol.
4. The method according to claim 1, wherein in step S3, if the protocol type is TCP protocol, the first function is called, and if the protocol type is UDP protocol, the second function is called.
5. The method according to claim 1, wherein in step S3, the characteristics of the first packet data are matched with the characteristics of the first packet in the queue, if the characteristics of the first packet data are matched, the data to be analyzed is analyzed by invoking the analysis method of the known application software corresponding to the characteristics of the first packet, and if the characteristics of the first packet data are not matched, the step S3 is repeated.
6. An apparatus for parsing TCP and UDP data, comprising:
an analysis class establishing module, configured to establish an analysis parent class and an analysis child class according to different known application software, wherein the analysis parent class comprises a first function corresponding to the TCP protocol and a second function corresponding to the UDP protocol, and the analysis child class comprises a first packet feature and a parsing method corresponding to the known application software;
a queue forming module, configured to determine the protocol type of the data to be analyzed and to form the known application software and the first packet features in the analysis child class into a queue according to the protocol type;
a feature matching module, configured to acquire the first packet data of the data to be analyzed, and to call the first function or the second function according to the protocol type to match the features of the first packet data against the first packet features in the queue; and
an analysis module, configured to, if a feature matching the first packet feature exists, parse the data to be analyzed using the parsing method of the known application software corresponding to the matched first packet feature, determine the application software corresponding to the data to be analyzed according to the parsing result, and obtain the content of the data to be analyzed.
7. The apparatus according to claim 6, wherein said parsing class creating module creates said parsing parent class and said parsing child class by analyzing said first packet characteristics of different known applications, said first function and said second function are virtual functions defined in said parsing parent class, and said parsing child class inherits virtual functions of said parsing parent class.
8. The apparatus according to claim 6, wherein said first function in said parsing parent class is invoked to point to said known application, said first packet feature and said parsing method in said parsing child class corresponding to the TCP protocol, and wherein said second function in said parsing parent class is invoked to point to said known application, said first packet feature and said parsing method in said parsing child class corresponding to the UDP protocol.
9. The apparatus according to claim 6, wherein the feature matching module calls the first function if the protocol type is TCP protocol and calls the second function if the protocol type is UDP protocol.
10. The apparatus according to claim 6, wherein the feature matching module performs matching according to the feature of the first packet data and the feature of the first packet in the queue, if the matching is successful, the data to be analyzed is analyzed by using the analysis method of the known application software corresponding to the feature of the first packet, and if the matching is unsuccessful, the steps in the feature matching module are repeated.
11. A computer storage medium having a computer program stored thereon, wherein the computer program, when executed by a computer, implements the steps of the method of any of claims 1 to 5.
CN202010599585.9A 2020-06-28 2020-06-28 Method, device and storage medium for analyzing TCP and UDP data Active CN111786985B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010599585.9A CN111786985B (en) 2020-06-28 2020-06-28 Method, device and storage medium for analyzing TCP and UDP data

Publications (2)

Publication Number Publication Date
CN111786985A (en) 2020-10-16
CN111786985B (en) 2023-05-23

Family

ID=72761583

Country Status (1)

Country Link
CN (1) CN111786985B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1852297A (en) * 2005-11-11 2006-10-25 华为技术有限公司 Network data flow recognizing system and method
US9853876B1 (en) * 2014-06-13 2017-12-26 Narus, Inc. Mobile application identification in network traffic via a search engine approach
CN108173705A (en) * 2017-11-28 2018-06-15 北京天融信网络安全技术有限公司 First packet recognition methods, device, equipment and the medium of flow drainage
CN108377223A (en) * 2018-01-05 2018-08-07 网宿科技股份有限公司 A kind of more packet recognition methods, packet identifying method and flow bootstrap technique
CN108418758A (en) * 2018-01-05 2018-08-17 网宿科技股份有限公司 A single packet identification method and traffic guidance method
CN108900374A (en) * 2018-06-22 2018-11-27 网宿科技股份有限公司 A kind of data processing method and device applied to DPI equipment

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114520837A (en) * 2021-12-27 2022-05-20 苏州绿科智能机器人研究院有限公司 Method for analyzing message data sent upwards based on object-oriented technology
CN118075372A (en) * 2024-03-12 2024-05-24 书行科技(北京)有限公司 Multimedia data processing method, device, electronic device and computer storage medium
CN118075372B (en) * 2024-03-12 2024-11-05 书行科技(北京)有限公司 Multimedia data processing method and device, electronic equipment and computer storage medium

Also Published As

Publication number Publication date
CN111786985B (en) 2023-05-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20210628
Address after: 361000 unit 102-402, No.12, Guanri Road, phase II, software park, Siming District, Xiamen City, Fujian Province
Applicant after: XIAMEN MEIYA PICO INFORMATION Co.,Ltd.
Applicant after: Guangzhou Public Security Bureau Network Police Detachment
Address before: 361000 unit 102-402, No.12, Guanri Road, phase II, software park, Siming District, Xiamen City, Fujian Province
Applicant before: XIAMEN MEIYA PICO INFORMATION Co.,Ltd.
GR01 Patent grant