CN119211090A - Protocol identification method, equipment and storage medium - Google Patents

Publication number
CN119211090A
Authority
CN
China
Prior art keywords
protocol
signaling
http
frame
decoding
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310717720.9A
Other languages
Chinese (zh)
Inventor
冯森
阚长江
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN202310717720.9A (CN119211090A)
Priority to PCT/CN2024/089402 (WO2024255449A1)
Publication of CN119211090A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Communication Control (AREA)

Abstract

The embodiment of the invention provides a protocol identification method, equipment and a storage medium, belonging to the technical field of communication. The method comprises: receiving signaling carried by TCP, extracting four-tuple information of the signaling, and carrying out protocol identification on the signaling according to the four-tuple information; if the identification cannot determine whether the protocol corresponding to the signaling is the HTTP/2 protocol, carrying out protocol decoding on the signaling; and, if the decoding succeeds, determining the protocol corresponding to the signaling to be the HTTP/2 protocol. The embodiment of the invention can accurately identify signaling carried by TCP over a non-well-known port, and improves the efficiency, comprehensiveness and accuracy of identification.

Description

Protocol identification method, equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, and a storage medium for identifying a protocol.
Background
With the development of communication technology, the communication industry has come to a new era of 4G traffic explosion and 5G deployment acceleration, and meanwhile, operators face challenges of higher network complexity and construction, operation and maintenance cost. The traditional operation system is huge and complex, and the network management difficulty exceeds the manual processing capacity. In order to assist operators to manage and control network data services, the signaling monitoring method is widely applied to networks, and key indexes of the operation of the network data services can be mastered through real-time signaling monitoring, so that early warning can be performed in advance, potential network hazards can be rapidly located and eliminated, and user experience perceptibility is improved.
The 5G core network and the 5G new call core network are designed with a service-based network architecture, and NFs (Network Functions) interact with each other through HTTP/2 (Hypertext Transfer Protocol Version 2). For monitoring HTTP/2 signaling in both networks, the first problem to be solved is how to identify HTTP/2 signaling.
In the related art, HTTP/2 signaling is generally identified by the well-known port method: well-known port 80 or 8080 is reserved for HTTP/2 signaling interaction, and if TCP (Transmission Control Protocol) carries signaling through port 80 or 8080, the signaling can be determined to be HTTP/2 signaling. However, an NF may be configured to use a non-well-known port for service interaction, and HTTP/2 signaling carried by TCP over a non-well-known port cannot be identified this way.
In view of this, how to identify whether the signaling carried by TCP belongs to the HTTP/2 protocol type is a technical problem to be solved.
Disclosure of Invention
The embodiment of the invention mainly aims to provide a protocol identification method, equipment and a storage medium, which aim to solve the technical problem of how to identify whether signaling borne by TCP belongs to HTTP/2 protocol types.
In a first aspect, an embodiment of the present invention provides a protocol identification method, including:
receiving signaling carried by TCP, extracting four-tuple information of the signaling, and carrying out protocol identification on the signaling according to the four-tuple information;
if the identification cannot determine whether the protocol corresponding to the signaling is the HTTP/2 protocol, performing protocol decoding on the signaling; and
if the decoding succeeds, determining the protocol corresponding to the signaling to be the HTTP/2 protocol.
In a second aspect, an embodiment of the present invention further provides a protocol identification device, the protocol identification device comprising a processor, a memory, a computer program stored on the memory and executable by the processor, and a data bus for enabling a connection communication between the processor and the memory, wherein the computer program, when executed by the processor, implements the steps of any one of the protocol identification methods as provided in the present specification.
In a third aspect, embodiments of the present invention further provide a storage medium for computer readable storage, wherein the storage medium stores one or more programs executable by one or more processors to implement steps of any protocol identification method as provided in the present specification.
The embodiment of the invention provides a protocol identification method, equipment and a storage medium, wherein the protocol identification method is used for receiving signaling borne by a TCP, extracting four-tuple information of the signaling, and carrying out protocol identification on the signaling according to the four-tuple information; if the identification fails to determine whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol, the signaling is subjected to protocol decoding, and if the decoding is successful, the protocol corresponding to the signaling is determined to be the HTTP/2 protocol. According to the method, whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol can be primarily and rapidly identified based on the four-tuple information of the signaling, if the primary identification fails to determine whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol, the signaling is further subjected to protocol decoding, and whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol is finally identified through a decoding result.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a protocol identification method according to an embodiment of the present invention;
Fig. 2 is a schematic frame structure diagram of an HTTP/2 protocol related to a protocol identification method according to an embodiment of the present invention;
Fig. 3a is a schematic deployment diagram of a protocol identification device according to a protocol identification method according to an embodiment of the present invention;
Fig. 3b is another deployment schematic diagram of a protocol identification device related to a protocol identification method according to an embodiment of the present invention;
Fig. 4a is a schematic architecture diagram of a protocol identification device related to a protocol identification method according to an embodiment of the present invention;
Fig. 4b is a schematic flow chart of implementing protocol identification by the protocol identification device according to the protocol identification method provided by the embodiment of the present invention;
Fig. 5 is a schematic flow chart of protocol decoding of signaling by a HEADER frame decoding module according to the protocol identification method provided by the embodiment of the present invention;
Fig. 6 is an exemplary diagram of an application scenario involved in a protocol identification method according to an embodiment of the present invention;
Fig. 7 is a schematic block diagram of a protocol identification device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The flow diagrams depicted in the figures are merely illustrative and not necessarily all of the elements and operations/steps are included or performed in the order described. For example, some operations/steps may be further divided, combined, or partially combined, so that the order of actual execution may be changed according to actual situations.
It is to be understood that the terminology used in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In the related art, one way to identify signaling carried by TCP over a non-well-known port relies on the 24-byte Magic string "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" that the client sends to the server: if the first application layer message collected after the TCP handshake contains the string, the application layer protocol carried by the current TCP connection is the HTTP/2 protocol. However, signaling collection can begin at any time, so the client may already have sent the Magic string before collection starts, or the message carrying the Magic string may be lost on an intermediate transmission device and never collected; in either case the subsequent signaling on the TCP connection cannot be identified.
Another way is for signaling monitoring operation staff to pre-configure, in a configuration file, the non-well-known port numbers used by NFs for HTTP/2. When TCP carries signaling through a non-well-known port, the port is matched against the configuration file, and on a successful match the signaling is identified as HTTP/2. However, this approach is limited in use: the non-well-known port numbers used for HTTP/2 by the NFs of the whole network must be obtained, and whenever an NF configuration changes, the signaling monitoring operators must be notified in time to modify the configuration, which is almost impossible to achieve in practice.
It can be seen that the existing ways of identifying signaling carried by TCP over a non-well-known port are low in efficiency, comprehensiveness and accuracy.
To this end, the embodiment of the invention provides a protocol identification method, equipment and a storage medium. According to the protocol identification method, whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol can be primarily and rapidly identified based on the four-tuple information of the signaling, if the primary identification fails to determine whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol, the protocol decoding is further carried out on the signaling, and whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol is finally identified through a decoding result.
Some embodiments of the invention are described in detail below with reference to the accompanying drawings. The following embodiments and features of the embodiments may be combined with each other without conflict.
Referring to fig. 1, fig. 1 is a flow chart of a protocol identification method according to an embodiment of the invention.
As shown in fig. 1, the protocol identification method includes steps S101 to S103.
Step S101, receiving signaling carried by TCP, extracting four-tuple information of the signaling, and carrying out protocol identification on the signaling according to the four-tuple information.
The protocol identification method can be applied to network operation and maintenance scenes of two modes, namely a 5G core network and a 5G new call core network. In the network operation and maintenance scene, the protocol identification method can be realized by a protocol identification device, and the protocol identification device can be a terminal device with a data processing function such as a server.
Under the condition that the signaling monitoring system receives the signaling borne by the TCP, the four-tuple information of the signaling is extracted, and the signaling is subjected to protocol identification according to the extracted four-tuple information, so that whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol or not is primarily and rapidly identified.
In some embodiments, the four tuple information of the signaling includes a source IP address, a source port number, a destination IP address, and a destination port number.
In some embodiments, the identifying of the signaling according to the quadruple information may be comparing the quadruple information with a pre-stored protocol type database, determining whether there is pre-stored quadruple information matched with the quadruple information in the pre-stored protocol type database, if there is pre-stored quadruple information matched with the quadruple information in the pre-stored protocol type database, determining the protocol corresponding to the signaling as an HTTP/2 protocol, and if there is no pre-stored quadruple information matched with the quadruple information in the pre-stored protocol type database, failing to determine whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol.
In order to simplify the protocol identification process and improve the protocol identification efficiency, a pre-stored protocol type database can be constructed in advance. The pre-stored protocol type database stores the four-tuple information (defined as pre-stored four-tuple information) of HTTP/2 signaling carried by TCP over non-well-known ports. Specifically, since HTTP/2 uses long-lived connections, signaling whose protocol type is HTTP/2 may be transmitted many times after a connection is established; for a TCP connection established on a non-well-known port, once one signaling message on the connection is identified as HTTP/2, the subsequent signaling on that connection must also be HTTP/2. Therefore, the four-tuple information of previously identified HTTP/2 signaling carried by TCP over non-well-known ports can be recorded, with the application layer protocol type marked as HTTP/2, and stored to obtain the pre-stored protocol type database.
In this way, the signaling monitoring system can extract the four-tuple information of the signaling under the condition of receiving the signaling carried by the TCP, and compares the extracted four-tuple information with the pre-stored protocol type database, so as to find out whether the pre-stored four-tuple information consistent with the extracted four-tuple information exists in the pre-stored protocol type database.
If pre-stored four-tuple information consistent with the extracted four-tuple information is found in the pre-stored protocol type database, determining that the protocol corresponding to the signaling belongs to the HTTP/2 protocol.
If the pre-stored four-tuple information consistent with the extracted four-tuple information cannot be found in the pre-stored protocol type database, whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol cannot be determined in consideration of the limitation of the pre-stored protocol type database, and the protocol identification fails.
Therefore, whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol or not can be primarily and rapidly identified based on the four-tuple information of the signaling and the pre-stored protocol type database, and the efficiency of protocol identification is improved.
Step S102, if the identification fails to determine whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol, performing protocol decoding on the signaling;
After the signaling is subjected to protocol identification according to the four-tuple information of the signaling, if the protocol corresponding to the signaling cannot be determined whether the protocol belongs to the HTTP/2 protocol, in order to improve the accuracy of protocol identification, the signaling is further subjected to protocol decoding.
In some embodiments, the protocol decoding of the signaling may be to analyze the protocol characteristics of the signaling, determine whether the protocol characteristics of the signaling conform to the characteristics of the HTTP/2 protocol, and determine that the decoding is successful if the protocol characteristics of the signaling conform to the characteristics of the HTTP/2 protocol.
Since RFC7540 defines the HTTP/2 protocol specification, it can be known that the HTTP/2 protocol has specific features, so that the protocol features of the signaling can be analyzed, whether the protocol features of the signaling conform to the features of the HTTP/2 protocol can be determined, and if the protocol features of the signaling conform to the features of the HTTP/2 protocol, the decoding is determined to be successful. If the characteristics of the signaling do not conform to the characteristics of the HTTP/2 protocol, a decoding failure is determined.
In some embodiments, the determining whether the protocol feature of the signaling accords with the feature of the HTTP/2 protocol may be decoding a frame structure corresponding to the signaling, determining whether the frame structure corresponding to the signaling accords with the frame structure of the HTTP/2 protocol, decoding a header field corresponding to the signaling if the frame structure accords with the frame structure of the HTTP/2 protocol, and determining that the protocol feature of the signaling accords with the feature of the HTTP/2 protocol if the number of the decoded header fields meets a preset number.
The specific features of the HTTP/2 protocol include a specific frame structure (also referred to as a frame format). Based on RFC7540, the HTTP/2 protocol consists of multiple types of frames. Referring to fig. 2, fig. 2 is a schematic diagram of a frame structure of the HTTP/2 protocol. As shown in fig. 2, the frame header of the HTTP/2 protocol is 9 bytes long (24+8+8+1+31 = 72 bits), the frame type is indicated by the Type field, and the frame payload length is indicated by the Length field. It should be noted that in the application scenario of the embodiment of the invention, the signaling monitoring system processes HEADER frames with Type=1 and DATA frames with Type=0.
The payload of the HEADER frame is encoded with HPACK, a header compression coding technology that comprises 8 coding modes. Each header field transmitted in a HEADER frame is encoded with 1 of the 8 coding modes, selected according to rules, and each coding mode implies a coding type and a coding length.
Therefore, the frame structure of the signaling can be decoded according to the frame structure of the HTTP/2 protocol, and whether the frame structure corresponding to the signaling accords with the frame structure of the HTTP/2 protocol can be judged.
In some embodiments, the determining whether the frame structure corresponding to the signaling accords with the frame structure of the HTTP/2 protocol may be determining whether the frame header length corresponding to the signaling meets a first preset length, if the frame header length meets the first preset length, determining whether the type of the frame corresponding to the signaling belongs to a preset frame type, if the type of the frame belongs to the preset frame type, determining whether the load length of the frame corresponding to the signaling meets a second preset length, if the load length of the frame meets the second preset length, determining whether the sum of the frame header length and the load length of the frame meets a third preset length, and if the sum of the frame header length and the load length of the frame meets the third preset length, determining that the frame structure accords with a preset condition.
That is, firstly, according to the frame header format of the HTTP/2 protocol, the frame header length corresponding to the signaling is decoded, and whether the frame header length corresponding to the signaling is greater than or equal to 9 (defined as a first preset length) is determined. If the frame header length corresponding to the signaling is less than 9, the frame header is not the complete HTTP/2 frame header, the decoding of the protocol of the signaling fails, and the protocol corresponding to the signaling is determined not to belong to the HTTP/2 protocol.
If the frame HEADER length corresponding to the signaling is greater than or equal to 9, then decoding the frame Type (Type) corresponding to the signaling, and judging whether the frame Type corresponding to the signaling belongs to a HEADER frame (defined as a preset frame Type). If the frame Type corresponding to the signaling does not belong to the HEADER frame (i.e. the Type corresponding to the signaling is not equal to 1), indicating that decoding of the HEADER frame of the signaling fails, and determining that the protocol corresponding to the signaling does not belong to the HTTP/2 protocol.
If the frame type corresponding to the signaling is a HEADER frame, a payload must exist, so the Length field of the frame header must be greater than 0. The payload length of the frame corresponding to the signaling is therefore decoded, and whether it is greater than 0 (defined as a second preset length) is judged. If the payload length of the frame corresponding to the signaling is 0 (i.e., the Length field of the frame header is 0), the frame is determined not to be a HEADER frame, decoding of the HEADER frame of the signaling fails, and the protocol corresponding to the signaling is determined not to belong to the HTTP/2 protocol.
If the Payload length of the frame corresponding to the signaling is greater than 0, it is further determined whether the sum of the frame header length corresponding to the signaling and the Payload length of the frame is less than or equal to the length of the TCP Payload (defined as a third preset length). If the sum of the frame HEADER length corresponding to the signaling and the Payload length of the frame is greater than the length of the TCP Payload, indicating that the frame corresponding to the signaling is not a complete HEADER frame, determining that decoding of the HEADER frame of the signaling fails, and determining that a protocol corresponding to the signaling does not belong to the HTTP/2 protocol.
If the sum of the frame HEADER length corresponding to the signaling and the frame Payload length is less than or equal to the length of the TCP Payload, which indicates that the frame corresponding to the signaling is a complete HEADER frame, the success of decoding the HEADER frame of the signaling can be preliminarily determined, and at the moment, the frame structure corresponding to the signaling can be determined to accord with the frame structure of the HTTP/2 protocol.
In order to improve the identification accuracy, the header fields corresponding to the signaling are further decoded according to the HPACK coding modes. Decoding is considered successful only when more than 3 header fields are parsed, so it is determined whether the number of header fields corresponding to the signaling is more than 3 (defined as a preset number). If the number of header fields corresponding to the signaling is more than 3, decoding of the HEADER frame of the signaling is finally determined to be successful, and the protocol corresponding to the signaling is determined to belong to the HTTP/2 protocol.
By the method, the accuracy of the signaling decoding is improved, and therefore the accuracy of protocol identification is improved.
Step S103, when decoding is successful, determining the protocol corresponding to the signaling as HTTP/2 protocol.
And under the condition that the decoding is successful, determining the protocol corresponding to the signaling as the HTTP/2 protocol. Therefore, under the condition that whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol cannot be identified according to the four-tuple information of the signaling, the protocol decoding of the signaling is further realized, and finally whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol is determined through decoding, so that the identification comprehensiveness and accuracy are improved.
In some embodiments, after determining the protocol corresponding to the signaling as the HTTP/2 protocol, the protocol type of the four-tuple information of the signaling may be further marked as the HTTP/2 protocol, and the marked four-tuple information may be stored in a pre-stored protocol type database, so as to implement expansion of the pre-stored protocol type database, and provide convenience for subsequent protocol identification.
In some embodiments, in case of decoding failure, it is determined that the protocol corresponding to the signaling does not belong to the HTTP/2 protocol, and the signaling is discarded.
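Steps S101 to S103 above, written out as an added Python example; it is not code from the patent. The function and class names are hypothetical, the PADDED/PRIORITY flag handling and the HPACK integer and string layouts are taken from RFC 7540 and RFC 7541 rather than from this page, and the field counter only walks the HPACK representations (no Huffman decoding, no dynamic table), which is enough for the "more than 3 header fields" test. The sample bytes are constructed.

```python
"""Two-stage HTTP/2 identification: four-tuple lookup, then HEADER frame decode."""

FRAME_HEADER_LEN = 9      # first preset length, in bytes
TYPE_HEADER = 0x1         # preset frame type (named HEADERS in RFC 7540)
FLAG_PADDED = 0x08        # RFC 7540 flag, not discussed on the page (assumption)
FLAG_PRIORITY = 0x20      # RFC 7540 flag, not discussed on the page (assumption)
PRESET_FIELD_COUNT = 3    # decoding succeeds only with MORE than this many fields


def _read_int(buf, pos, prefix_bits):
    """Read an HPACK prefix-coded integer; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated integer")
    mask = (1 << prefix_bits) - 1
    value = buf[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        if pos >= len(buf) or shift > 28:
            raise ValueError("bad integer continuation")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def _skip_string(buf, pos):
    """Skip one HPACK string literal (H bit, 7-bit length prefix, octets)."""
    length, pos = _read_int(buf, pos, 7)
    if pos + length > len(buf):
        raise ValueError("string runs past the header block")
    return pos + length


def count_hpack_fields(block):
    """Count header field representations without decoding their contents."""
    pos = count = 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                    # indexed header field
            index, pos = _read_int(block, pos, 7)
            if index == 0:
                raise ValueError("index 0 is not valid")
        elif first & 0xE0 == 0x20:          # dynamic table size update, not a field
            _, pos = _read_int(block, pos, 5)
            continue
        else:                               # literal field, 6- or 4-bit index prefix
            index, pos = _read_int(block, pos, 6 if first & 0x40 else 4)
            if index == 0:
                pos = _skip_string(block, pos)   # literal name
            pos = _skip_string(block, pos)       # value
        count += 1
    return count


def decode_header_frame(tcp_payload):
    """True if tcp_payload begins with a complete HEADER frame with > 3 fields."""
    if len(tcp_payload) < FRAME_HEADER_LEN:             # check 1: 9-byte frame header
        return False
    length = int.from_bytes(tcp_payload[0:3], "big")
    frame_type, flags = tcp_payload[3], tcp_payload[4]
    if frame_type != TYPE_HEADER:                       # check 2: Type == 1
        return False
    if length == 0:                                     # check 3: payload length > 0
        return False
    if FRAME_HEADER_LEN + length > len(tcp_payload):    # check 4: fits in TCP payload
        return False
    body = tcp_payload[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    pad = 0
    if flags & FLAG_PADDED:                             # leading Pad Length octet
        pad, body = body[0], body[1:]
    if flags & FLAG_PRIORITY:                           # 5 octets of priority data
        body = body[5:]
    if pad > len(body):
        return False
    try:
        return count_hpack_fields(body[:len(body) - pad]) > PRESET_FIELD_COUNT
    except ValueError:
        return False


class Http2Identifier:
    """S101: four-tuple lookup. S102: frame decode. S103: mark and store."""

    def __init__(self):
        self.known_flows = set()    # stands in for the pre-stored protocol type database

    def identify(self, four_tuple, tcp_payload):
        if four_tuple in self.known_flows:
            return "http2"
        if decode_header_frame(tcp_payload):
            self.known_flows.add(four_tuple)
            return "http2"
        return "not-http2"          # the page discards such signaling


# Constructed sample input: addresses, ports and frames are made up for the example.
FLOW = ("10.0.0.5", 41000, "10.0.0.9", 29510)
HEADER_BLOCK = bytes.fromhex("828684410f7777772e6578616d706c652e636f6d")  # 4 fields
HEADER_FRAME = bytes.fromhex("000014010500000001") + HEADER_BLOCK
DATA_FRAME = bytes.fromhex("000005000100000001") + b"hello"

if __name__ == "__main__":
    ident = Http2Identifier()
    for name, payload in (("DATA", DATA_FRAME), ("HEADER", HEADER_FRAME), ("DATA", DATA_FRAME)):
        print(name, "->", ident.identify(FLOW, payload))
```

The first DATA frame is rejected because only HEADER frames pass the decode stage; the same frame is accepted on the third call because the four-tuple was stored when the HEADER frame decoded successfully.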
The protocol identification method provided by the invention receives the signaling borne by the TCP, extracts the four-tuple information of the signaling, carries out protocol identification on the signaling according to the four-tuple information, if the identification fails to determine whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol, carries out protocol decoding on the signaling, and determines the protocol corresponding to the signaling as the HTTP/2 protocol under the condition that the decoding is successful. According to the method, whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol can be primarily and rapidly identified based on the four-tuple information of the signaling, if the primary identification fails to determine whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol, the signaling is further subjected to protocol decoding, and whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol is finally identified through a decoding result.
In some embodiments, to facilitate protocol identification by the signaling monitoring system, a protocol identification device may be deployed for the signaling monitoring system, so that protocol identification of the signaling is implemented by the protocol identification device. For example, the protocol identification device may be built into the signaling monitoring system, as shown in fig. 3a, or may be placed in front of the signaling monitoring system, as shown in fig. 3b. Regardless of the deployment mode, protocol identification is performed on the signaling first, and the subsequent XDR synthesis processing can be carried out once the protocol corresponding to the signaling is identified as the HTTP/2 protocol.
In some embodiments, as shown in fig. 4a, fig. 4a is a schematic architecture diagram of a protocol identification device, where the protocol identification device may include a protocol identification main module, a data storage module, a HEADER frame decoding module, and other functional modules.
With continued reference to fig. 4b, fig. 4b is a schematic flow chart illustrating how the signaling monitoring system implements protocol identification through the above functional modules of the protocol identification device. Specifically:
① On receiving signaling carried by TCP, the signaling monitoring system first extracts the four-tuple information of the signaling through the protocol identification main module of the protocol identification device.
② The data storage module of the protocol identification device then queries whether pre-stored four-tuple information matching the four-tuple information of the signaling exists in the pre-stored protocol type database. If the query succeeds, the queried information is returned to the protocol identification main module, which determines the protocol corresponding to the signaling to be the HTTP/2 protocol. If the query fails, the query result is likewise returned to the protocol identification main module.
③ The HEADER frame decoding module of the protocol identification device then decodes the signaling according to the format of the HTTP/2 HEADER frame.
④ The decoding result is returned to the protocol identification main module.
⑤ When the protocol identification main module confirms that the decoding succeeded, the data storage module marks the protocol type of the four-tuple information of the signaling as the HTTP/2 protocol and stores the marked four-tuple information in the pre-stored protocol type database.
⑥ The protocol identification main module determines the protocol corresponding to the signaling to be the HTTP/2 protocol.
In this way, the signaling monitoring system performs preliminary protocol recognition on the signaling carried by the TCP through the functional module of the protocol recognition device, and performs further protocol decoding on the signaling under the condition that the preliminary recognition fails to determine whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol, and finally determines whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol through the decoding, thereby realizing efficient, comprehensive and accurate recognition on the signaling.
In some embodiments, referring to fig. 5, fig. 5 is a flow chart of protocol decoding of signaling by the HEADER frame decoding module. First, the frame header length corresponding to the signaling is decoded, and it is judged whether the frame header length is greater than or equal to 9. If the frame header length is less than 9, HEADER frame decoding fails. If it is greater than or equal to 9, the frame type corresponding to the signaling is decoded, and it is judged whether the frame type is a HEADER frame. If the frame type is not a HEADER frame, HEADER frame decoding fails. If it is a HEADER frame, the load length of the frame is decoded, and it is judged whether the load length is greater than 0. If the load length is not greater than 0, HEADER frame decoding fails. If it is greater than 0, it is judged whether the sum of the frame header length and the load length of the frame is less than or equal to the TCP Payload length. If the sum is greater than the TCP Payload length, HEADER frame decoding fails. If the sum is less than or equal to the TCP Payload length, the header fields corresponding to the signaling are decoded, and it is judged whether the number of decoded header fields is greater than or equal to 3. If 3 or more header fields can be decoded, HEADER frame decoding succeeds.
By the method, the precision and the correctness of protocol decoding are improved, so that the accuracy of signaling identification is improved.
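The fig. 4b lookup and the fig. 5 HEADER frame checks, as an added Python example (not code from the patent). The function names, the in-memory set standing in for the pre-stored protocol type database, and the PADDED/PRIORITY handling and HPACK field counting taken from RFC 9113 and RFC 7541 are assumptions; header fields are counted without resolving names or Huffman-decoding values, and the sample bytes are constructed.

```python
FRAME_HEADER_LEN = 9           # fixed HTTP/2 frame header size (RFC 9113, 4.1)
TYPE_HEADERS = 0x1             # frame type code of a HEADERS frame
FLAG_PADDED, FLAG_PRIORITY = 0x08, 0x20
MIN_HEADER_FIELDS = 3          # threshold from the fig. 5 description

def _hpack_int(buf, pos, prefix_bits):
    """Decode an HPACK prefix-coded integer (RFC 7541, 5.1)."""
    limit = (1 << prefix_bits) - 1
    value, pos = buf[pos] & limit, pos + 1    # IndexError if truncated
    if value == limit:                        # continuation bytes follow
        for shift in range(0, 35, 7):
            byte, pos = buf[pos], pos + 1
            value += (byte & 0x7F) << shift
            if not byte & 0x80:
                return value, pos
        raise ValueError("HPACK integer too long")
    return value, pos

def _skip_string(buf, pos):
    """Skip one HPACK string literal; its content is not needed for counting."""
    length, pos = _hpack_int(buf, pos, 7)
    if pos + length > len(buf):
        raise ValueError("string literal overruns the header block")
    return pos + length

def count_header_fields(block):
    """Count header field representations in an HPACK header block."""
    pos, count = 0, 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                      # 1xxxxxxx: indexed header field
            index, pos = _hpack_int(block, pos, 7)
            if index == 0:
                raise ValueError("index 0 is not a valid header field")
        elif first & 0xE0 == 0x20:            # 001xxxxx: table size update
            _, pos = _hpack_int(block, pos, 5)
            continue                          # not a header field
        else:                                 # literal field, 6- or 4-bit name index
            index, pos = _hpack_int(block, pos, 6 if first & 0x40 else 4)
            if index == 0:
                pos = _skip_string(block, pos)    # literal name
            pos = _skip_string(block, pos)        # literal value
        count += 1
    return count

def looks_like_headers_frame(payload):
    """Apply the fig. 5 checks to one TCP payload; True means decoding succeeded."""
    if len(payload) < FRAME_HEADER_LEN:               # fewer than 9 bytes
        return False
    length = int.from_bytes(payload[0:3], "big")      # 24-bit load length
    ftype, flags = payload[3], payload[4]
    if ftype != TYPE_HEADERS or length == 0:          # wrong type or empty load
        return False
    if FRAME_HEADER_LEN + length > len(payload):      # frame exceeds TCP payload
        return False
    body, pad = payload[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length], 0
    if flags & FLAG_PADDED:                           # 1-byte pad length prefix
        pad, body = body[0], body[1:]
    if flags & FLAG_PRIORITY:                         # 5 bytes of priority data
        body = body[5:]
    if pad > len(body):
        return False
    try:
        return count_header_fields(body[:len(body) - pad]) >= MIN_HEADER_FIELDS
    except (ValueError, IndexError):                  # malformed header block
        return False

def classify(four_tuple, payload, known_flows):
    """Fig. 4b flow: look up the four-tuple, else decode, then mark the flow."""
    if four_tuple in known_flows:
        return "HTTP/2"
    if looks_like_headers_frame(payload):
        known_flows.add(four_tuple)                   # later segments skip decoding
        return "HTTP/2"
    return None                                       # not identified as HTTP/2

def build_frame(ftype, flags, stream_id, body):
    """Helper that builds the constructed sample frames."""
    return (len(body).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + body)

# Constructed sample: :method GET, :scheme http, :path /, :authority www.example.com
SAMPLE_BLOCK = bytes.fromhex("828684410f7777772e6578616d706c652e636f6d")

if __name__ == "__main__":
    flows = set()
    flow = ("10.0.0.1", 40000, "10.0.0.2", 7777)      # constructed four-tuple
    frame = build_frame(TYPE_HEADERS, 0x05, 1, SAMPLE_BLOCK)
    print(classify(flow, frame, flows), flows)
```

The check only matches a TCP payload that begins on a frame boundary; a HEADERS frame whose header block continues in CONTINUATION frames can fall short of the field count.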
For a better understanding of the above embodiments, please refer to fig. 6, fig. 6 is an exemplary diagram of an application scenario for protocol identification, where the exemplary application scenario is as follows:
In a network operation and maintenance scenario covering both the 5G core network and the 5G new call core network, the signaling monitoring system, on receiving signaling carried by TCP, first performs known-port identification, judging whether the signaling is carried by TCP over the known port 80 or 8080. If not, the signaling is carried by TCP over an unknown port; the system then extracts the four-tuple information of the signaling and queries whether pre-stored four-tuple information matching it exists in the pre-stored protocol type database. If the query succeeds, the protocol corresponding to the signaling is determined to be the HTTP/2 protocol. If the query fails, protocol decoding is performed on the signaling, and if the decoding succeeds the protocol corresponding to the signaling is determined to be the HTTP/2 protocol. Signaling carried over unknown ports is thereby identified accurately, improving the efficiency, comprehensiveness and accuracy of identification.
Referring to fig. 7, fig. 7 is a schematic block diagram of a protocol identification device according to an embodiment of the present invention.
As shown in fig. 7, the protocol identification device 300 includes a processor 301 and a memory 302, the processor 301 and the memory 302 being connected by a bus 303, such as an I2C (Inter-Integrated Circuit) bus.
Specifically, the processor 301 is configured to provide computing and control capabilities that support the operation of the overall protocol identification device. The processor 301 may be a central processing unit (Central Processing Unit, CPU), or another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, discrete hardware components, or the like. The general purpose processor may be a microprocessor or any conventional processor or the like.
Specifically, the Memory 302 may be a Flash chip, a Read-Only Memory (ROM) disk, an optical disk, a U-disk, a removable hard disk, or the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 7 is merely a block diagram of a portion of the structure related to the embodiment of the present invention, and does not constitute a limitation of the protocol identification device to which the embodiment of the present invention is applied, and that a specific server may include more or fewer components than those shown in the drawings, or may combine some components, or have a different arrangement of components.
The processor is configured to run a computer program stored in the memory, and implement any one of the protocol identification methods provided by the embodiments of the present invention when the computer program is executed.
In an embodiment, the processor is configured to run a computer program stored in a memory and to implement the following steps when executing the computer program:
receiving a signaling carried by a TCP, extracting four-tuple information of the signaling, and carrying out protocol identification on the signaling according to the four-tuple information;
If the identification fails to determine whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol, performing protocol decoding on the signaling;
And under the condition that the decoding is successful, determining the protocol corresponding to the signaling as an HTTP/2 protocol.
In an embodiment, when implementing the protocol identification for the signaling according to the four-tuple information, the processor is configured to implement:
comparing the four-tuple information with a pre-stored protocol type database, and determining whether pre-stored four-tuple information matched with the four-tuple information exists in the pre-stored protocol type database;
If pre-stored four-tuple information matched with the four-tuple information exists in the pre-stored protocol type database, determining a protocol corresponding to the signaling as an HTTP/2 protocol;
If the pre-stored four-tuple information matched with the four-tuple information does not exist in the pre-stored protocol type database, whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol cannot be determined.
In an embodiment, when implementing the protocol decoding of the signaling, the processor is configured to implement:
Analyzing the protocol characteristics of the signaling, and judging whether the protocol characteristics of the signaling accord with the characteristics of HTTP/2 protocol;
and if the protocol characteristics of the signaling accord with the characteristics of the HTTP/2 protocol, determining that the decoding is successful.
In an embodiment, when implementing the parsing the protocol feature of the signaling, the processor is configured to implement:
Decoding the frame structure corresponding to the signaling, and judging whether the frame structure corresponding to the signaling accords with the frame structure of the HTTP/2 protocol;
if the frame structure accords with the frame structure of the HTTP/2 protocol, decoding a header field corresponding to the signaling;
If the number of the decoded header fields meets the preset number, determining that the protocol characteristics of the signaling accord with the characteristics of the HTTP/2 protocol.
In an embodiment, when implementing the determining whether the frame structure corresponding to the signaling conforms to the frame structure of the HTTP/2 protocol, the processor is further configured to implement:
Judging whether the frame head length corresponding to the signaling meets a first preset length or not;
If the frame header length meets a first preset length, judging whether the type of the frame corresponding to the signaling belongs to a preset frame type or not;
if the frame type belongs to a preset frame type, judging whether the load length of the frame corresponding to the signaling meets a second preset length or not;
If the load length of the frame meets the second preset length, judging whether the sum of the frame head length and the load length of the frame meets a third preset length;
And if the sum of the frame header length and the frame load length meets a third preset length, determining that the frame structure accords with the frame structure of the HTTP/2 protocol.
In an embodiment, after implementing the determining that the protocol corresponding to the signaling is the HTTP/2 protocol in the case of successful decoding, the processor is further configured to implement:
and marking the protocol type of the four-tuple information as an HTTP/2 protocol, and storing the marked four-tuple information into the pre-stored protocol type database.
In an embodiment, the processor, after implementing the protocol decoding of the signaling, is further configured to implement:
and under the condition that the decoding fails, determining that the protocol corresponding to the signaling does not belong to the HTTP/2 protocol, and discarding the signaling.
It should be noted that, for convenience and brevity of description, a specific working process of the above-described protocol identification apparatus may refer to a corresponding process in the foregoing protocol identification method embodiment, which is not described herein again.
Embodiments of the present invention also provide a storage medium for computer readable storage, where the storage medium stores one or more programs that can be executed by one or more processors to implement the steps of any of the protocol identification methods provided in the embodiments of the present invention.
The storage medium may be an internal storage unit of the protocol identification device according to the foregoing embodiment, for example, a hard disk or a memory of the protocol identification device. The storage medium may also be an external storage device of the protocol identification device, such as a plug-in hard disk, a smart memory card (Smart Media Card, SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), or the like, which are provided on the protocol identification device.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware embodiment, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components, for example, one physical component may have a plurality of functions, or one function or step may be cooperatively performed by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
It should be understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments. While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. A protocol identification method, characterized by comprising:
receiving signaling carried by TCP, extracting four-tuple information of the signaling, and performing protocol identification on the signaling according to the four-tuple information;
if the identification fails to determine whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol, performing protocol decoding on the signaling;
when the decoding is successful, determining the protocol corresponding to the signaling to be the HTTP/2 protocol.

2. The protocol identification method according to claim 1, wherein the performing protocol identification on the signaling according to the four-tuple information comprises:
comparing the four-tuple information with a pre-stored protocol type database to determine whether pre-stored four-tuple information matching the four-tuple information exists in the pre-stored protocol type database;
if pre-stored four-tuple information matching the four-tuple information exists in the pre-stored protocol type database, determining the protocol corresponding to the signaling to be the HTTP/2 protocol;
if no pre-stored four-tuple information matching the four-tuple information exists in the pre-stored protocol type database, it cannot be determined whether the protocol corresponding to the signaling belongs to the HTTP/2 protocol.

3. The protocol identification method according to claim 1, wherein the performing protocol decoding on the signaling comprises:
parsing the protocol characteristics of the signaling, and determining whether the protocol characteristics of the signaling conform to the characteristics of the HTTP/2 protocol;
if the protocol characteristics of the signaling conform to the characteristics of the HTTP/2 protocol, determining that the decoding is successful.

4. The protocol identification method according to claim 3, characterized in that the parsing of the protocol characteristics of the signaling and determining whether the protocol characteristics of the signaling conform to the characteristics of the HTTP/2 protocol comprises:
decoding the frame structure corresponding to the signaling, and determining whether the frame structure corresponding to the signaling conforms to the frame structure of the HTTP/2 protocol;
if the frame structure conforms to the frame structure of the HTTP/2 protocol, decoding the header fields corresponding to the signaling;
if the number of decoded header fields meets a preset number, determining that the protocol characteristics of the signaling conform to the characteristics of the HTTP/2 protocol.

5. The protocol identification method according to claim 4, characterized in that the determining whether the frame structure corresponding to the signaling conforms to the frame structure of the HTTP/2 protocol comprises:
determining whether the frame header length corresponding to the signaling meets a first preset length;
if the frame header length meets the first preset length, determining whether the type of the frame corresponding to the signaling belongs to a preset frame type;
if the type of the frame belongs to the preset frame type, determining whether the payload length of the frame corresponding to the signaling meets a second preset length;
if the payload length of the frame meets the second preset length, determining whether the sum of the frame header length and the payload length of the frame meets a third preset length;
if the sum of the frame header length and the payload length of the frame meets the third preset length, determining that the frame structure conforms to the frame structure of the HTTP/2 protocol.

6. The protocol identification method according to claim 2, characterized in that, after determining the protocol corresponding to the signaling to be the HTTP/2 protocol when the decoding is successful, the method comprises:
marking the protocol type of the four-tuple information as the HTTP/2 protocol, and storing the marked four-tuple information in the pre-stored protocol type database.

7. The protocol identification method according to claim 1, characterized in that the four-tuple information includes a source IP address, a source port number, a destination IP address and a destination port number.

8. The protocol identification method according to claim 1, characterized in that, after the performing protocol decoding on the signaling, the method comprises:
in the case where the decoding fails, determining that the protocol corresponding to the signaling does not belong to the HTTP/2 protocol, and discarding the signaling.

9. A protocol identification device, characterized in that the protocol identification device includes a processor, a memory, a computer program stored in the memory and executable by the processor, and a data bus for realizing connection and communication between the processor and the memory, wherein when the computer program is executed by the processor, the steps of the protocol identification method according to any one of claims 1 to 8 are implemented.

10. A storage medium for computer-readable storage, characterized in that the storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps of the protocol identification method according to any one of claims 1 to 8.
CN202310717720.9A 2023-06-15 2023-06-15 Protocol identification method, equipment and storage medium Pending CN119211090A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202310717720.9A CN119211090A (en) 2023-06-15 2023-06-15 Protocol identification method, equipment and storage medium
PCT/CN2024/089402 WO2024255449A1 (en) 2023-06-15 2024-04-23 Protocol identification method and device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310717720.9A CN119211090A (en) 2023-06-15 2023-06-15 Protocol identification method, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN119211090A true CN119211090A (en) 2024-12-27

Family

ID=93851294

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310717720.9A Pending CN119211090A (en) 2023-06-15 2023-06-15 Protocol identification method, equipment and storage medium

Country Status (2)

Country Link
CN (1) CN119211090A (en)
WO (1) WO2024255449A1 (en)

Also Published As

Publication number Publication date
WO2024255449A1 (en) 2024-12-19

Legal Events

Date Code Title Description
PB01 Publication