CN102932474A - Method, device and system for analyzing message - Google Patents

Publication number
CN102932474A
Authority
CN
China
Prior art keywords
operand
message
parsing
packet parsing
equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012104581118A
Other languages
Chinese (zh)
Other versions
CN102932474B (en)
Inventor
陈朝晖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Star Net Ruijie Networks Co Ltd
Original Assignee
Beijing Star Net Ruijie Networks Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Beijing Star Net Ruijie Networks Co Ltd
Priority to CN201210458111.8A
Publication of CN102932474A
Application granted
Publication of CN102932474B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method, a device and a system for parsing messages. In the method, a packet parsing device receives a feature database rule parsing file, which comprises the string identifiers of at least two basic functions and the corresponding operand strings; the device generates a function chain comprising the at least two basic functions according to those string identifiers and operand strings; and the device parses a message by executing the function chain, operating on the memory space pointed to by the operands of the basic functions as it does so. The method, device and system are used to effectively parse messages that change frequently and are associated with one another.

Description

Message parsing method, device and system
Technical field
The present invention relates to packet parsing technology, and in particular to a message parsing method, device and system. It belongs to the field of communication technology.
Background technology
In recent years, peer-to-peer (P2P) applications on computer networks have become increasingly diverse. Many new application types and protocols have appeared, and these P2P applications consume a large amount of network bandwidth. Different network applications have different demands on bandwidth resources. Real-time applications (such as online games, Voice over Internet Protocol (VoIP), video conferencing, etc.) are comparatively sensitive to characteristics such as network transmission delay and jitter, so when bursty, high-volume traffic such as P2P application traffic is present on the network, the use of real-time applications is severely affected. To use network resources effectively, the traffic of P2P applications must be managed effectively, and this first requires that P2P traffic be identified efficiently and accurately.
Existing application identification is usually implemented by parsing messages against a static feature database. A static feature database usually describes the following features: message port, Internet Protocol (IP) address features, message payload features and message payload length. For example, to identify whether a message was produced by a certain application software, the message is parsed to determine whether the character string specified in the static feature database can be extracted from the message payload; if so, the message is considered to have been produced by the corresponding software.
Existing techniques that parse messages against a static feature database all perform message matching on the premise that there is no association between messages. In practice, however, there are often situations in which messages cannot be effectively parsed and identified using the static feature database. Take the Qiyi video software as an example: the content of the first message may indicate the destination IP and destination port features of several subsequent messages, so whenever an intranet user accesses these IPs and destination ports, the messages produced at that time are also produced by the Qiyi video software. Because messages are parsed against the static feature database, and the corresponding destination IP and destination port features are not configured in the static feature database at that time, packet parsing cannot be performed for these destination IP and destination port features, and the messages cannot be effectively identified.
At present, message identification for this kind of situation can be achieved by compiling a packet parsing program directly on the device that performs message identification. But the compiled packet parsing program is fixed: every software update requires the program code to be modified, the cycle is long and the workload is large, and the device must be shut down and restarted, which interrupts the user's network during that period. This approach therefore cannot keep up with frequent changes in messages.
Summary of the invention
In view of the defects in the prior art, the invention provides a message parsing method, device and system for effectively parsing messages that change frequently and are associated with one another.
According to a first aspect of the invention, a message parsing method is provided, comprising:
a packet parsing device receives a feature database rule parsing file, the feature database rule parsing file comprising the string identifiers of at least two basic functions and the corresponding operand strings;
the packet parsing device generates, according to the string identifiers of the at least two basic functions and the corresponding operand strings, a function chain comprising the at least two basic functions;
the packet parsing device parses a message by executing the function chain, wherein, when executing the function chain, the packet parsing device operates on the memory space pointed to by the operands of the basic functions.
According to a second aspect of the invention, another message parsing method is provided, comprising:
loading the syntax definition provided by a packet parsing device, the syntax definition comprising the basic functions and data types defined in the packet parsing device;
receiving a feature database rule parsing file written by a user according to the syntax definition;
loading the feature database rule parsing file into the packet parsing device, so that the packet parsing device generates, according to the feature database rule parsing file, a function chain comprising the at least two basic functions and parses a message by executing the function chain, wherein, when executing the function chain, the packet parsing device operates on the memory space pointed to by the operands of the basic functions.
According to a third aspect of the invention, a packet parsing device is provided, comprising:
a receiving module, configured to receive a feature database rule parsing file, the feature database rule parsing file comprising the string identifiers of at least two basic functions and the corresponding operand strings;
a rule parsing module, configured to generate, according to the string identifiers of the at least two basic functions and the corresponding operand strings, a function chain comprising the at least two basic functions;
a packet parsing module, configured to parse a message by executing the function chain, wherein, when executing the function chain, the packet parsing device operates on the memory space pointed to by the operands of the basic functions.
According to a fourth aspect of the invention, a feature database is provided, characterized in that it comprises:
a syntax definition loading module, configured to load the syntax definition provided by a packet parsing device, the syntax definition comprising the basic functions and data types defined in the packet parsing device;
a rule receiving module, configured to receive a feature database rule parsing file written by a user according to the syntax definition;
a loading module, configured to load the feature database rule parsing file into the packet parsing device, so that the packet parsing device generates, according to the feature database rule parsing file, a function chain comprising the at least two basic functions and parses a message by executing the function chain, wherein, when executing the function chain, the packet parsing device operates on the memory space pointed to by the operands of the basic functions.
According to a fifth aspect of the invention, a packet parsing system is provided, comprising the packet parsing device provided by the invention and the feature database provided by the invention, the packet parsing device being connected to the feature database.
According to the message parsing method, device and system provided by the invention, the packet parsing device receives a feature database rule parsing file and, according to the string identifiers of the basic functions in the file and the corresponding operand strings, combines basic functions and operands to determine the packet parsing logic dynamically. Because the functionality of a basic function is decoupled from its operands, when messages change, for example because application software is updated, it is enough to adjust the combination relationship/logic of the basic functions and/or operands in the rule parsing file in the feature database; the modification is convenient, the workload is small, and the packet parsing device does not need to be restarted. Moreover, because the operands of the basic functions point to specific memory space, and the corresponding memory space is operated on during packet parsing, the actual values of operands can be passed between different, associated messages. The above message parsing method can therefore effectively parse messages that change frequently and are associated with one another.
Description of drawings
Fig. 1 is a system architecture diagram for implementing the message parsing method of an embodiment of the invention.
Fig. 2 is a flow chart of the message parsing method of one embodiment of the invention.
Fig. 3 is a schematic diagram of an example of parsing a feature database rule parsing file.
Fig. 4 is a flow chart of the message parsing method of another embodiment of the invention.
Fig. 5 is a structural diagram of the packet parsing device of one embodiment of the invention.
Fig. 6 is a structural diagram of the feature database of one embodiment of the invention.
Detailed description
Fig. 1 is a system architecture diagram for implementing the message parsing method of an embodiment of the invention. As shown in Fig. 1, the system comprises a packet parsing device 11 and a feature database 12. The feature database 12 may be deployed on any device or computer; this is not limited in the embodiments of the invention. Below, with reference to the system shown in Fig. 1, the specific flow of the message parsing method of the embodiments is described in detail from the perspective of the packet parsing device 11 and of the feature database 12 respectively.
Embodiment one
Fig. 2 is a flow chart of the message parsing method of one embodiment of the invention. The method shown in Fig. 2 is executed by the packet parsing device. As shown in Fig. 2, it comprises the following steps:
201. The packet parsing device receives a feature database rule parsing file, the feature database rule parsing file comprising the string identifiers of at least two basic functions and the corresponding operand strings;
Here, the packet parsing device abstracts a general syntax definition similar to a high-level programming language, and implements these abstract syntax definitions once on the packet parsing device through software coding and compilation.
Specifically, the packet parsing device breaks down the multiple actions of the existing, functionally complex and fixed packet parsing program into a number of single-function basic functions, and defines these single-function basic functions in advance to form a basic function set. Each basic function in the set is given a string name (that is, each basic function is assigned a string identifier) for reference by the feature database. The functionality of these basic functions is statically determined.
Basic data types are also defined in the packet parsing device, to serve as the operands and operation results of the basic functions in the basic function set; they include immediates, variables, constants, buffers and so on. The specific data types depend on the programming language used by the packet parsing device, can be redefined to form composite structures, and are not limited to those listed above.
The packet parsing device loads the above syntax definition (comprising the basic function definitions and data type definitions) into the feature database, so that the user can write a feature database rule parsing file according to the syntax definition loaded in the feature database. More specifically, according to the actual packet parsing requirements, the user selects basic functions with the required functionality from the basic function set of the syntax definition, represents the selected basic functions in the feature database rule parsing file by their string identifiers, determines the operands of the selected basic functions, and represents them in the feature database rule parsing file as operand strings.
For example, the feature database rule parsing file is: &(string identifier of basic function 1 int1 string1)&(string identifier of basic function 2 string1 buf1)&(string identifier of basic function 3 int1 int2 buf1). Here, "int1 string1" is the operand string of basic function 1, meaning that basic function 1 has two operands, named "int1" and "string1" respectively; similarly, "string1 buf1" is the operand string of basic function 2, and "int1 int2 buf1" is the operand string of basic function 3. This feature database rule parsing file involves three basic functions in total: basic function 1 and basic function 2 are associated through operand "string1", basic function 1 and basic function 3 through operand "int1", and basic function 2 and basic function 3 through operand "buf1".
After the user finishes writing the feature database rule parsing file, the feature database loads the feature database file containing the feature database rule parsing file into the packet parsing device.
202. The packet parsing device generates, according to the string identifiers of the at least two basic functions and the corresponding operand strings, a function chain comprising the at least two basic functions;
Specifically, after obtaining the feature database rule parsing file, the packet parsing device parses it automatically and converts the statements in the user-defined feature database rule parsing file into a function chain that the packet parsing device can execute.
203. The packet parsing device parses a message by executing the function chain, wherein, when executing the function chain, the packet parsing device operates on the memory space pointed to by the operands of the basic functions.
Specifically, the packet parsing device allocates designated memory space for the operands of each basic function to be called, that is, the address of a determined memory space is bound to the entry of the basic function. The packet parsing device executes each basic function in the function chain in turn; when executing a basic function, it takes the actual content of the memory space bound to the entry of that basic function as the operands of the function, performs the function, and stores the execution result in the memory space for reference by basic functions executed later.
According to the message parsing method of the above embodiment, the packet parsing device receives a feature database rule parsing file and, according to the string identifiers of the basic functions in the file and the corresponding operand strings, combines basic functions and operands to determine the packet parsing logic dynamically. Because the functionality of a basic function is decoupled from its operands, when messages change, for example because application software is updated, it is enough to adjust the combination relationship/logic of the basic functions and/or operands in the rule parsing file in the feature database; the modification is convenient, the workload is small, and the packet parsing device does not need to be restarted. Moreover, because the operands of the basic functions point to specific memory space, and the corresponding memory space is operated on during packet parsing, the actual values of operands can be passed between different, associated messages. The above message parsing method can therefore effectively parse messages that change frequently and are associated with one another.
Embodiment two
This embodiment builds on the above embodiment and further explains the flow by which the packet parsing device parses the feature database rule parsing file.
Specifically, the step in which the packet parsing device generates, according to the string identifiers of the at least two basic functions and the corresponding operand strings, a function chain comprising the at least two basic functions comprises:
the packet parsing device generates, according to the operand string, a basic operand structure corresponding to each operand and determines the memory space the operand points to, wherein the basic operand structure comprises a data type and an operand name;
the basic operand structures are encapsulated according to the parameter list of the basic function corresponding to the string identifier, generating a function operand list structure that associates the basic function with the memory space pointed to by the operands;
the function chain is generated according to the order of the string identifiers of the at least two basic functions in the feature database rule parsing file and the function operand list structure corresponding to each basic function.
More specifically, Fig. 3 is a schematic diagram of an example of parsing a feature database rule parsing file. In Fig. 3, the feature database rule parsing file "&(string identifier of basic function 1 int1 string1)&(string identifier of basic function 2 string1 buf1)&(string identifier of basic function 3 int1 int2 buf1)" is used as the example.
The packet parsing device converts the operand string "int1 string1" into the basic operand structures "int, int1" and "string, string1" (each represented by its own symbol in Fig. 3). Here, "int" indicates that the data type is an integer variable and "int1" is the operand name; "string" indicates that the data type is a string variable and "string1" is the operand name. The packet parsing device then determines, from the basic operand structures obtained, the memory space the operands point to. For example, the packet parsing device has pre-allocated memory space for the various data types; according to the data type in the basic operand structure, it determines the memory address range corresponding to that data type, selects one (or more) memory addresses from that range, and establishes the correspondence between the selected memory address and the operand name in the basic operand structure, thereby determining the memory space the operand points to.
The packet parsing device also encapsulates the basic operand structures according to the parameter list of the basic function, establishing the correspondence between the basic function and its operands and associating the basic function with the memory space the operands point to. As shown in Fig. 3, the function operand list structure of basic function 1 comprises the two basic operand structures "int, int1" and "string, string1". In the running space, this function operand list structure maps the memory space corresponding to operands int1 and string1 to "the int1 memory space of basic function 1" and "the string1 memory space of basic function 1". The parameter list of a basic function is defined when the basic function is defined in the packet parsing device and expresses the meaning of the different parameters; its specific form is not limited in the embodiments of the invention.
The packet parsing device also associates the string identifier of each basic function in the feature database rule parsing file with the run address of that basic function in the packet parsing device. This run address is also mapped into the running space, so that the basic function can be run automatically in the running space and operate on the corresponding memory space.
From the ordering of the basic functions in the packet parsing device (that is, the number of each basic function), the run address of each basic function and the function operand list structure of each basic function, a packet parsing program that the packet parsing device can execute automatically, namely the function chain, is formed.
When the packet parsing device parses a message, it may first perform traditional static feature database identification on the message to obtain a preliminary identification result, and then determine whether the content of the message needs to be extracted and analysed dynamically. If so, the dynamic packet parsing flow (the packet parsing flow of the above embodiment) is triggered. The packet parsing device initialises the pre-allocated running space, sets the number of the currently running basic function to the first basic function in the function chain, and then executes all basic functions in the function chain in turn; it may also execute several function chains in turn.
For each basic function, the operands of the basic function are first mapped, according to the function operand list structure, to actual memory variables, that is, member variables in the running space; the function is then performed and the execution result is stored in the running space for reference by other basic functions.
By defining different life cycles for running spaces, the actual values of the operands parsed into the running space (the actual content obtained by packet parsing) can be passed between multiple messages of the same data flow, between different data flows, or between multiple application modules, such as a fine-grained identification module, a data cache module, a content audit module and a database processing module, to achieve application identification at different levels.
Further, in the message parsing method of the above embodiment, the basic functions comprise functions for performing operations on message payload content, and/or functions for formatted input and output of message payload content, and/or functions for interface operations, and/or algorithm functions for decompressing or decrypting messages, and/or functions for recording message payload content, and/or functions for controlling execution logic.
A function for controlling execution logic is a special type of function: according to the execution results of other basic functions, it modifies the number of the basic function to run next. In this way, on top of the in-order execution of the dynamically generated packet parsing program (function chain), parsing logic such as conditional selection and loop jumps can be implemented, truly achieving intelligent parsing and fine-grained identification.
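The following Python sketch is an added example, not code from the patent. It walks through the flow of Embodiments one and two: a rule file is split into string identifiers and operand strings, operands become (data type, name) structures checked against each basic function's parameter list, the function chain runs over a running space that persists across messages, and a control function changes the number of the next function. The basic functions find, jneg, hostport and inc, the type-prefix naming rule, the literal tokens and the step budget are assumptions; the packets are constructed around the sample resource lines given later on the page.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Operand:
    """Basic operand structure: data type plus operand name (or a literal value)."""
    dtype: str              # "int", "string", "buf", or "imm" for a literal
    name: str = None
    value: object = None

DEFAULTS = {"int": 0, "string": "", "buf": b""}

def make_operand(token):
    # Assumption: the data type is the prefix of the operand name ("int1" -> int).
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return Operand("imm", value=token[1:-1])
    if re.fullmatch(r"-?\d+", token):
        return Operand("imm", value=int(token))
    if token == "payload":                       # payload of the current message
        return Operand("buf", token)
    m = re.fullmatch(r"(int|string|buf)\d+", token)
    if m is None:
        raise ValueError(f"bad operand {token!r}")
    return Operand(m.group(1), token)

def get(space, op):
    return op.value if op.dtype == "imm" else space[op.name]

# Hypothetical basic functions; each touches only the memory its operands name.
def bf_find(space, buf, marker, out):
    pat = get(space, marker).encode()
    i = get(space, buf).find(pat)
    space[out.name] = -1 if i < 0 else i + len(pat)

def bf_jneg(space, var, target):
    # Control function: returns the number of the basic function to run next.
    return get(space, target) if get(space, var) < 0 else None

def bf_hostport(space, buf, off, host, port):
    m = re.match(rb"([0-9.]+):(\d{1,5})", get(space, buf)[get(space, off):])
    if m is None:
        space[off.name] = -1
        return
    space[host.name], space[port.name] = m.group(1).decode(), int(m.group(2))

def bf_inc(space, var):
    space[var.name] += 1

# String identifier -> (callable standing in for the run address, parameter list)
BASIC_FUNCTIONS = {
    "find": (bf_find, ("buf", "lit", "int")),
    "jneg": (bf_jneg, ("int", "label")),
    "hostport": (bf_hostport, ("buf", "int", "string", "int")),
    "inc": (bf_inc, ("int",)),
}

def build_chain(rule_text):
    """Turn '&(identifier operands)...' into an ordered, validated function chain."""
    chain, labels = [], []
    for body in re.findall(r"&\(([^()]*)\)", rule_text):
        toks = re.findall(r'"[^"]*"|\S+', body)
        if not toks or toks[0] not in BASIC_FUNCTIONS:
            raise ValueError(f"unknown basic function in {body!r}")
        func, params = BASIC_FUNCTIONS[toks[0]]
        ops = [make_operand(t) for t in toks[1:]]
        if len(ops) != len(params):
            raise ValueError(f"wrong operand count in {body!r}")
        for op, kind in zip(ops, params):
            want = {"lit": str, "label": int}.get(kind)
            ok = op.dtype == kind if want is None else (
                op.dtype == "imm" and type(op.value) is want)
            if not ok:
                raise ValueError(f"operand type mismatch in {body!r}")
            if kind == "label":
                labels.append(op.value)
        chain.append((func, ops))
    # Reject rules whose jump targets fall outside the chain before they run.
    if any(not 0 <= t <= len(chain) for t in labels):
        raise ValueError("jump target outside function chain")
    return chain

def new_space(chain):
    """Allocate the running space: one slot per named operand, by data type."""
    space = {}
    for _, ops in chain:
        for op in ops:
            if op.dtype != "imm":
                space.setdefault(op.name, DEFAULTS[op.dtype])
    return space

def run_chain(chain, space, payload, max_steps=64):
    space["payload"] = payload
    pc = steps = 0                      # pc: number of the current basic function
    while pc < len(chain):
        steps += 1
        if steps > max_steps:           # a looping rule must not stall the device
            raise RuntimeError("step budget exceeded")
        func, ops = chain[pc]
        nxt = func(space, *ops)
        pc = pc + 1 if nxt is None else nxt
    return space

RULE = ('&(find payload "rtmfp://" int1)&(jneg int1 5)'
        '&(hostport payload int1 string1 int2)&(jneg int1 5)&(inc int3)')
PACKETS = [  # constructed sample messages of one data flow
    b"GET /x HTTP/1.1\r\nHost: conf.ppweb.com.cn\r\n\r\nrtmfp://201.101.11.34:9921\r\n",
    b"keepalive",
    b"rtmfp://58.61.211.74:10037\r\n",
]
```

Reusing one running space for all three packets is what lets string1, int2 and the counter int3 survive the second packet, which contains no resource line.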
Embodiment three
This embodiment gives some specific examples of syntax definitions in the packet parsing device, of a feature database rule parsing file written according to these syntax definitions, and of the packet parsing device parsing messages according to that file. These serve to explain the message parsing method of the invention more clearly and in more detail; they are examples only and do not limit the invention.
The syntax definition of the packet parsing device comprises, for example, the following:
(1) Constants
A constant, also called an immediate, is simply a constant in the usual sense, such as 1, 2, 0X03, etc. The constant names, formats and related descriptions defined in the packet parsing device are given in Table 1.
Table 1
(2) Global well-known variables
The values of global well-known variables come mainly from messages and application modules (such as the fine-grained identification module, data cache module, content audit module and database processing module). They can take part in operations and may be used in different data flows and different messages, but they are read-only. Global well-known variables are defined mainly to extract information common to messages and information common to modules.
A global well-known variable usually has the prefix @, for example @in_ip. It is defined by the packet parsing device, can take part in operations, and is an integer variable that cannot be assigned; its actual value, such as the five-tuple information of the message, is determined at packet parsing time.
To support message analysis, the packet parsing device usually needs to provide the global well-known variables shown in Table 2:
Table 2
(3) Ordinary variables
The names, formats and related descriptions of the ordinary variables defined in the packet parsing device are given in Table 3.
Table 3
(4) Operator syntax
The operator syntax operates on integer constants and integer variables and is mainly responsible for arithmetic and bit operations. It is typically used when calculating an offset within a message or the length of some field of a message.
Typical operator syntax examples are shown in Table 4:
Table 4
(5) Logic control syntax
The logic control syntax is mainly used to compare operation results and, according to the comparison result, jump to a specified syntax node for execution: from one syntax node of a feature database rule, execution jumps to another syntax node according to the comparison result.
With this syntax, logical branch control can be applied to packet parsing operations, and logic similar to while and if/else can be implemented in the packet parsing process.
Typical logic control syntax examples are shown in Table 5:
Table 5
(6) Data buffer operation syntax
The data buffer operation syntax is used to operate on message buffers. It supports basic reads and writes of a message buffer, basic comparison of message buffers, formatted reads from a message buffer and formatted writes to a message buffer.
With the data buffer operation syntax, messages are more convenient to operate on, and arbitrary message content can be constructed flexibly.
Typical data buffer operation syntax examples are shown in Table 6:
Table 6
As shown in Table 6, by defining "rint" and "rint_le", the byte order of network messages can be fully taken into account when reading a message, deciding whether the message is read in big-endian or little-endian byte order.
(7) Message algorithm operation syntax
The network messages of some application software are currently compressed or encrypted, or require MD5 verification. A typical case is the HTTP resources of some web video applications, which are gzip-compressed; for such messages, the resource content can only be analysed after decompression.
Syntax for message decompression, decryption and MD5 checksum calculation can therefore be defined in the packet parsing device, converting the main commonly used algorithms into feature database syntax for use in packet parsing.
Typical packet parsing syntax examples are shown in Table 7:
Table 7
(8) Message business processing syntax
Beyond parsing content and extracting information, it is more important that business processing be carried out for messages. For example: performing socket (SOCKET) communication with the peer server to learn the application type of the peer server; creating an expected connection according to the resource IP obtained from message analysis, so that when a new message matching the expected connection arrives, its application type is identified and application routing of that message is achieved, in particular application routing of TCP connections; or inserting specified information into a database according to the result of message analysis, for use by other application modules.
Typical message business processing syntax examples are shown in Table 8:
Table 8
[Figures: contents of Table 8]
Below, taking the parsing of the control-flow resource message of a WEB online video application as an example, the concrete implementation flow of the packet parsing equipment is described together with the specific syntax definitions.
For example, for the WEB online video application "Qiyi HD video", the control-flow resource message contains the following resource information:
GET...net-vod-iqiyi...
Host:conf.ppweb.com.cn...
rtmfp://201.101.11.34:9921…
rtmfp://58.61.211.74:10037...
The goal is, once a data flow is recognized as the control flow of "Qiyi HD video", to extract the server IP and port information above and create expected connections.
The first part of the packet parsing rule is ordinary feature database identification syntax: the flow is identified as the control flow of Qiyi HD video by matching Host:conf.ppweb.com.cn, which then triggers the syntax analysis of the server IP and port information.
The syntax is written as follows:
&(main:0)\
&(nextpkt:2,0,2)&(exit)\
&(mov:int0,0)&(search:payload,int0,int1,"rtmfp://")&(jl:int0,1)\
&(add:int0,int0,8)\
&(fmt_bufin:payload,int0,25,"%s:%d",str0,int4)&(str2ip:int3,str0)\
&(expect:@in_ip,0,int3,int4,17,0x1D,@idx,int5)&(jmp:3)
The following basic functions, data types and runtime space are predefined in the packet parsing equipment. The operands of a basic function are named in the syntax definition, but their actual content is determined dynamically, through memory mapping, only when a message is parsed.
The basic functions predefined in the packet parsing equipment include:
(1) Nextpkt: indicates that subsequent messages must continue the syntax analysis of this rule, that is, the runtime environment is passed between the messages of the current data flow.
(2) Exit: exits execution of the packet parsing program.
(3) Mov: assigns a value to an integer variable.
(4) Search: searches for a specific string in a specified character buffer (usually the message payload) and records the offset of the string.
(5) Jl: modifies the number of the next function to run depending on whether the first function operand is less than 0.
(6) Add: adds two integer variables.
(7) Fmt_bufin: performs a formatted read of a message string.
(8) Str2ip: converts a string to an integer IP value.
(9) Expect: specifies a data flow five-tuple and inserts a record into the expected connection table, so that the application is identified on the first message.
(10) Jmp: unconditionally modifies the number of the next function to run, providing loop control.
The data types predefined in the packet parsing equipment include:
(1) Immediate value: such as 0, 1, 2.
(2) Integer variable: such as int0, int1.
(3) Integer constant: such as the intranet IP @in_ip.
(4) String: such as "rtmfp://".
(5) String variable: such as str0.
(6) String constant: such as the message payload, payload.
The runtime space predefined in the packet parsing equipment stores the operand values used during execution. Taking C as an example, the following data structure is defined:
[Figure: C definition of the runtime space data structure]
After completing the above syntax definition, the packet parsing equipment loads it into the feature database and receives the feature database rule parsing file that the user writes according to this syntax definition. When the packet parsing equipment parses the feature database rule parsing file, it performs the following syntax parsing steps:
Step 1, define the basic data object structure: taking C as an example, the following data structure is defined.
[Figure: C definition of the basic data object structure]
When the feature database is upgraded to the equipment, the first parameter of &(mov:int0,0) is converted, according to its name, into the C structure as follows: type is integer variable, and un.offset is 0.
Step 2, define the function operand list structure object_list_t: for example, the integer variable parameter int0 and the immediate parameter 0 of &(mov:int0,0) are each converted into a data_object_t structure and chained together to form the function operand list structure of the mov function.
Step 3, define the function object structure: taking C as an example, the following data structure is defined.
Step 4, define the packet parsing program structure: all basic functions in the feature database rule are chained together to form the packet parsing program. The position of a function in the chain is its function number, which can be specified by an immediate value.
After the packet parsing program is obtained in Step 4, the following packet parsing flow is carried out:
Step 5, through DPI identification, determine the feature database rule to be used for fine-grained identification, then allocate and initialize the runtime environment runtime_t.
Step 6, initialize the integer constant set and the string constant set. Integer constants generally include information such as the source and destination IP and port from the IP and TCP/UDP protocol headers, and the application type index corresponding to the current rule; string constants usually refer to the application-layer payload.
Step 7, schedule and execute each function of the basic function chain in the packet parsing program structure in turn:
(1) Nextpkt: the current runtime environment is shared among the messages of the same data flow, and subsequent messages of the current data flow are specified to begin packet parsing from the 2nd basic function of the rule.
(2) Exit: exits the parsing flow of the current message.
(3) Mov: assigns 0 to the integer variable int0. Before executing, every function must map its variable-type operands to memory space. Taking Mov as an example, int0 must first be mapped to the int_set[0] member of the runtime environment runtime_t.
(4) Search: searches the message payload for the string "rtmfp://" and saves its offset to the variable int0.
(5) Jl: decides from the search result whether to continue the parsing flow. If the string is not found, that is, int0 is less than 0, execution jumps to the function object numbered 1, Exit, and leaves the parsing flow of the current message.
(6) Add: adds the string length 8 to the offset of the string "rtmfp://", so that it points to the position of the IP 201.101.11.34 in the message payload.
(7) Fmt_bufin: performs a formatted read of the IP and port in the message and stores them in the string variable str0 and the integer variable int4 of the runtime environment, respectively.
(8) Str2ip: converts the string variable str0 holding the message IP into an integer value and stores it in the variable int3.
(9) Expect: inserts a node into the expected connection table according to the intranet IP represented by @in_ip and the external IP and port stored in str0 and int4, so that the application is identified on the first message.
(10) Jmp: modifies the number of the next function object to execute, that is, the sp value in the runtime environment, jumping to the function object numbered 3 and continuing the above parsing flow.
The above steps complete the packet parsing.
According to the message parsing method of the above embodiment, the control flow of an application is analyzed and server addresses and ports are extracted from it; these servers and ports are usually the endpoints of the data connections that will communicate next. By creating expected connections for the application, the application type of a data flow is identified on its first message.
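The compile-and-run flow of Steps 1 to 7, as an added Python sketch that is not code from the patent: it parses the rule text above into a function chain, maps operands to runtime storage only at execution time, and carries the runtime from one packet of the flow to the next. Assumptions: the Runtime class and the operand tuples stand in for the C structures that the patent shows only as figures, the write-back of the match offset by search follows the Step 7 description, fmt_bufin handles only the "%s:%d" template, and both sample packets and the 192.168.1.5 client are constructed.

```python
import ipaddress
import re

FUNC_RE = re.compile(r'&\((\w+)(?::((?:"[^"]*"|[^()"])*))?\)')   # &(name:operand,operand,...)
ARG_RE = re.compile(r'"[^"]*"|[^,]+')

class Runtime:   # assumed stand-in for runtime_t: operand storage that outlives one packet
    def __init__(self, consts):
        self.int_set, self.str_set, self.consts = [0] * 8, [""] * 2, consts
        self.payload, self.sp, self.resume = b"", 0, 0   # sp: number of the running function
        self.expected = []                               # expected-connection table

def val(rt, op):   # memory mapping: an operand resolves to runtime storage only when executed
    kind, v = op
    return v if kind == "imm" else rt.int_set[v] if kind == "int" else rt.consts[v]
def store(rt, op, value):
    if op[0] != "int":
        raise ValueError("destination must be an integer variable")
    rt.int_set[op[1]] = value

def f_search(rt, a):   # assumed: the match offset is written back to the start variable
    start = val(rt, a[1])
    hit = rt.payload.find(a[3][1], start) if 0 <= start <= len(rt.payload) else -1
    store(rt, a[2], hit - start if hit >= 0 else -1)
    store(rt, a[1], hit)

def f_fmt_bufin(rt, a):   # only the rule's "%s:%d" template is supported here
    start, length = val(rt, a[1]), val(rt, a[2])
    text = rt.payload[max(start, 0):max(start, 0) + length].decode("ascii", "replace")
    m = re.match(r"([^:\s]+):(\d{1,5})", text)
    if a[3][1] != b"%s:%d" or a[4][0] != "str" or start < 0 or not m:
        return -1
    rt.str_set[a[4][1]] = m.group(1)
    store(rt, a[5], int(m.group(2)))

def f_str2ip(rt, a):   # a malformed address raises ValueError, which ends the run
    store(rt, a[0], int(ipaddress.IPv4Address(rt.str_set[a[1][1]])))
def f_expect(rt, a):   # operands: src ip, src port, dst ip, dst port, protocol, ...
    src_ip, _, dst_ip, dst_port, proto = (val(rt, op) for op in a[:5])
    rt.expected.append((src_ip, dst_ip, dst_port, proto))

BASE = {   # a basic function returns the next function number, None to fall through, -1 to stop
    "nextpkt": lambda rt, a: setattr(rt, "resume", val(rt, a[0])),
    "exit": lambda rt, a: -1,
    "mov": lambda rt, a: store(rt, a[0], val(rt, a[1])),
    "add": lambda rt, a: store(rt, a[0], val(rt, a[1]) + val(rt, a[2])),
    "jl": lambda rt, a: val(rt, a[1]) if val(rt, a[0]) < 0 else None,
    "jmp": lambda rt, a: val(rt, a[0]),
    "search": f_search, "fmt_bufin": f_fmt_bufin, "str2ip": f_str2ip, "expect": f_expect,
}

def parse_operand(tok):   # step 1: operand string -> (type, offset or value), cf. data_object_t
    m = re.fullmatch(r"(int|str)(\d+)", tok)
    if m:
        return (m.group(1), int(m.group(2)))
    if tok.startswith('"'):
        return ("lit", tok[1:-1].encode())
    if tok.startswith("@"):
        return ("const", tok[1:])
    return ("buf", tok) if tok == "payload" else ("imm", int(tok, 0))

def compile_rule(rule):   # steps 2-4: a function's index in the chain is its number
    rule, chain, pos = rule.replace("\\\n", ""), [], 0
    while pos < len(rule):
        m = FUNC_RE.match(rule, pos)
        if not m or (m.group(1) not in BASE and m.group(1) != "main"):
            raise ValueError(f"bad rule text at offset {pos}")
        args = [parse_operand(t) for t in ARG_RE.findall(m.group(2) or "")]
        if m.group(1) != "main":               # "main" only marks the entry point
            chain.append((BASE[m.group(1)], args))
        pos = m.end()
    return chain

def run_packet(rt, chain, payload, max_steps=1000):   # steps 5-7; rt persists across packets
    rt.payload, rt.sp = payload, rt.resume
    try:
        for _ in range(max_steps):             # cap loops that rule text can create
            if not 0 <= rt.sp < len(chain):
                break
            nxt = chain[rt.sp][0](rt, chain[rt.sp][1])
            rt.sp = rt.sp + 1 if nxt is None else nxt
    except (ValueError, LookupError):          # malformed operand or packet: stop parsing
        pass
    return rt.expected

RULE = r'''&(main:0)\
&(nextpkt:2,0,2)&(exit)\
&(mov:int0,0)&(search:payload,int0,int1,"rtmfp://")&(jl:int0,1)\
&(add:int0,int0,8)\
&(fmt_bufin:payload,int0,25,"%s:%d",str0,int4)&(str2ip:int3,str0)\
&(expect:@in_ip,0,int3,int4,17,0x1D,@idx,int5)&(jmp:3)'''

def demo():   # constructed two-packet flow; 192.168.1.5 is a made-up intranet client
    chain = compile_rule(RULE)
    rt = Runtime({"in_ip": int(ipaddress.IPv4Address("192.168.1.5")), "idx": 1})
    run_packet(rt, chain, b"GET /v net-vod-iqiyi\r\nHost:conf.ppweb.com.cn\r\n\r\n")
    run_packet(rt, chain, b"rtmfp://201.101.11.34:9921\r\nrtmfp://58.61.211.74:10037\r\n")
    return [(str(ipaddress.IPv4Address(dst)), port, proto) for _, dst, port, proto in rt.expected]
```

Because jmp and jl let rule text form loops, the step cap in run_packet keeps a faulty rule file from hanging the parser on a single packet.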
Further, in the above application example the resource messages of the control flow are all plaintext, but the resource messages of some applications may be encrypted or compressed. In that case, when the packet parsing process reaches an encrypted or compressed position in the message, it must call the corresponding decryption or decompression algorithm, and then continue parsing the decrypted or decompressed message content.
For example, the BT resource list carried in a message has been compressed with the gzip algorithm. The message format and content are as follows:
GET/announce?info_hash=...
Content-Encoding:
gzip...Content-Length:32......sdercsklfskdfsldfknvvy487sdkrmXq...
To parse the compressed BT resource list effectively, the feature database rule parsing file can be written as follows:
“&(main:0)\
&(nextpkt:2,0,2)&(exit)\
&(search:payload,0,int0,"Content-Encoding:gzip")&(jl:int0,32)\
&(search:payload,0,int0,"Content-Length:")&(jl:int0,1)&(add:int0,int0,16)\
&(search:payload,int0,int1,"[0D 0A]")&(rstr:payload,int0,str0,int1)\
&(search:payload,int0,int2,"[0D 0A]")&(jl:int2,1)&(add:int0,int0,int2)
&(unzip:"gzip",buf0,payload,int0,int1)\
&(search:buf0,0,int0,"5:peers")&(jl:int0,1)&(add:int0,int0,7)\
&(search:buf0,int0,int2,":")&(rstr:buf0,int0,str0,int2)&(str2int:int4,str0,10)\
&(rint:buf0,int0,int2,4)&(add:int0,int0,4)&(rint:buf0,int0,int3,2)\
&(expect:@in_ip,0,int2,int3,6,0x1D,@idx,0,int5)\”
Here, the statement &(unzip:"gzip",buf0,payload,int0,int1) means: after Content-Length: is found, the gzip decompression algorithm is called to decompress the 32-byte message, and the decompressed message content is placed in buf0. The statement &(search:buf0,0,int0,"5:peers") means: the content in buf0 is the decompressed resource list, which can be analyzed in the usual way. For example, in "5:peers1146:10.45.2.31", 1146 is the port and 10.45.2.31 is the server IP.
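An added Python example, not code from the patent, of what the unzip and rint statements above have to do safely on a parsing device: locate the gzip body through Content-Length, decompress it under a size cap, and read the peers string. It assumes the peers value is the compact form implied by the rule's 4-byte and 2-byte rint reads, MAX_INFLATED is an assumed limit, and the sample message is constructed.

```python
import gzip
import ipaddress
import struct
import zlib

MAX_INFLATED = 64 * 1024   # assumed cap on decompressed bytes per message

def inflate_http_body(message, limit=MAX_INFLATED):
    """Find the gzip body the way the rule does and decompress it with a hard size cap."""
    head, sep, body = message.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if not sep or headers.get(b"content-encoding", b"").lower() != b"gzip":
        raise ValueError("no complete gzip-encoded response in this payload")
    length = int(headers.get(b"content-length", b"-1"))   # ValueError if not a number
    if not 0 < length <= len(body):
        raise ValueError("Content-Length does not fit the captured payload")
    inflater = zlib.decompressobj(wbits=31)                # 31 selects the gzip container
    data = inflater.decompress(body[:length], limit)
    if not inflater.eof:
        raise ValueError("stream truncated or larger than the decompression cap")
    return data

def compact_peers(tracker_reply):
    """Read the string stored under '5:peers' as 6-byte entries: 4-byte IP, 2-byte port."""
    at = tracker_reply.find(b"5:peers")
    colon = tracker_reply.find(b":", at + 7)
    if at < 0 or colon < 0 or not tracker_reply[at + 7:colon].isdigit():
        return []
    size = int(tracker_reply[at + 7:colon])
    blob = tracker_reply[colon + 1:colon + 1 + size]
    if len(blob) != size or size % 6:
        raise ValueError("peers string is truncated or not a multiple of 6 bytes")
    return [(str(ipaddress.IPv4Address(ip)), port) for ip, port in struct.iter_unpack("!4sH", blob)]

def sample_message():
    """Constructed tracker response: the page's 10.45.2.31 and 1146 plus one more peer."""
    peers = (bytes([10, 45, 2, 31]) + struct.pack("!H", 1146)
             + bytes([58, 61, 211, 74]) + struct.pack("!H", 10037))
    body = gzip.compress(b"d8:intervali1800e5:peers12:" + peers + b"e")
    return (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)
```

Capping the output size keeps a small compressed body from exhausting memory on the parsing device, and the length checks stop reads that would run past the captured payload.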
Embodiment five
This embodiment provides an example of using the message parsing method of the above embodiments in another application scenario, namely applying it to the detection and identification of unknown traffic.
At present the data flows of many P2P download programs are encrypted and cannot be identified by ordinary DPI techniques, but the initial protocol exchange of these programs may not be encrypted. Message probing can therefore be used: a probe message is sent following the protocol format of the software, and if the server responds, the server is determined to be a server of that class of P2P download software, and data flows to this server can be identified as that P2P download software.
Based on this idea, the following feature database rule parsing file can be written:
“30-0-0-0 1-0-0-0&(app_user:int2,@in_ip,"5-5-0-0")&(jge:int2,2)&(exit)\
&(session:18,"emule_detect",@src_ip,@src_port,@dst_ip,@dst_port,6,0xF8000000,@src_intf,@dst_intf,@src_mac,@dst_mac,@ori_dir,@fid,0,0,2,0)&(exit)
session emule_detect&(idx:5-5-0-0)\
&(wstr:buf0,0,"[e3 56 00 00 00 01 10 aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 01 00 00 00 26 85 06 00 00 00 02 01 00 01 06 00 6d 79 64 65 61 72 03 01 00 11 3c 00 00 00 03 01 00 f9 ec 17 ec 17 03 01 00 fa 1e 42 13 34 03 01 00 fe b4 01 00 00 03 01 00 ee 0c e9 89 14 00 00 00 00 00 00]",91)\
&(connect:6,@s_src_ip,@s_src_port,$s_src_mac,@s_src_intf,@s_dst_ip,@s_dst_port,$s_dst_mac,@s_dst_intf)\
&(send:buf0,0,91)\
&(recv:buf0)&(get_strlen:int0,buf0)&(jg:int0,6)&(exit)&(rint:buf0,0,int1,1)&(cmp:int0,int1,0xE3)&(je:int0,10)&(exit)\
&(set_idx:@s_ori_fid,@s_app_idx,9,0)&(exit)”
Here, the statement &(app_user:int2,@in_ip,"5-5-0-0") means: probing of unknown traffic is triggered only when this intranet IP is using eMule. The statement &(session:18,"emule_detect",...) means: create an eMule probe session and pass in the global parameters that the probe session needs. The statement &(wstr:buf0,0,"[e3 56...]",91) means: construct the probe message template. Because the eMule probe message currently has no variable parameters, this is fairly simple, and a fixed data message buffer can be constructed directly with the wstr syntax. If a message template does contain variable parameters, the fmt_bufout syntax can be considered for building a variable data message buffer. The statement &(connect:6,@s_src_ip...) means: create the TCP connection used for probing. The statement &(send:buf0,0,91) means: send the probe message. The statement &(recv:buf0) means: receive the probe response message; the arithmetic statements that follow the recv syntax all perform validity checks on the content of the probe response, to judge whether it is a response sent by a real eMule server or possibly a forged one. The statement &(set_idx:@s_ori_d,@s_app_idx,9,0) means: the server corresponding to this unknown traffic has indeed been detected as an eMule server, and the unknown traffic is set to the eMule application type.
After the above feature database rule parsing file is upgraded to the packet parsing equipment, the equipment automatically generates the basic function chain used for message probing. When the packet parsing scheduler determines that unknown traffic has appeared, it calls this basic function chain to carry out message probing. Specifically, the interaction between the packet parsing equipment and the server is as follows:
Step 1, the packet parsing equipment calls the basic function corresponding to the wstr syntax to construct the probe message.
Step 2, the packet parsing equipment calls the basic function corresponding to the connect syntax to establish a TCP connection with the server.
Step 3, the packet parsing equipment calls the basic function corresponding to the send syntax to send the probe message to the server.
Step 4, the packet parsing equipment calls the basic function corresponding to the recv syntax and waits for the server's response message. After the server responds, the basic function corresponding to the recv syntax receives the message.
Step 5, the packet parsing equipment calls the basic functions corresponding to basic string syntax such as get_strlen and cmp to parse the message content received from the server and determine that the probed server is an eMule server.
As the above steps show, the message parsing method of the embodiment of the invention abstracts each action in the interaction between the equipment and the server into a basic function; the concrete interaction can be defined independently by the user in the feature database from these abstract basic functions and combined freely.
Further, the above process is described using a fairly simple protocol probing example: the packet parsing equipment sends one protocol probe message, the server sends one probe response message, and the packet parsing equipment then analyzes the probe response. In practice, however, more complex protocol probing exchanges may exist, for example:
The packet parsing equipment sends a probe message; the server receives it and sends a probe response that contains some variable information and requires further authentication; the packet parsing equipment receives this response, parses the variable information in it, constructs the next probe message template and sends the next probe message; the server receives the second probe message, accepts the type of the packet parsing equipment and sends the final response; the packet parsing equipment receives the final response and confirms the application type of the server.
For this scenario, the feature rule parsing file needs to be modified so that the parsing program that the packet parsing equipment generates from it carries out the following interaction:
Step 1, the packet parsing equipment calls the session syntax to create a probe session;
Step 2, the packet parsing equipment calls the basic function corresponding to the wstr syntax to construct the probe message.
Step 2, the packet parsing equipment calls the basic function corresponding to the connect syntax to establish a TCP connection with the server.
Step 3, the packet parsing equipment calls the basic function corresponding to the send syntax to send the probe message to the server.
Step 4, the packet parsing equipment calls the basic function corresponding to the recv syntax and waits for the server's response message. After the server responds, the basic function corresponding to the recv syntax receives the message.
Step 5, the packet parsing equipment calls the basic functions corresponding to basic string syntax such as get_strlen and cmp to parse the message content received from the server and extract the variable information.
Step 6, the packet parsing equipment calls the fmt_bufout syntax to construct the complex probe message template.
Step 7, the packet parsing equipment calls the basic function corresponding to the send syntax to send the complex probe message template to the server.
Step 8, the packet parsing equipment calls the basic function corresponding to the recv syntax and waits for the server's response message. After the server responds, the basic function corresponding to the recv syntax receives the message.
Step 9, the packet parsing equipment calls the basic functions corresponding to basic string syntax such as get_strlen and cmp to parse the message content received from the server and determine that the probed server is an eMule server.
Therefore, the message parsing method of the above embodiment effectively achieves the identification of unknown traffic.
Embodiment six
This embodiment provides an example of using the message parsing method of the above embodiments in another application scenario, namely applying it to the fine-grained identification of web video resources.
Besides serving as the gateway for Internet access, an egress gateway may also act as a cache device to give intranet users a good online experience, for example by caching popular WEB pages and the WEB online videos that users frequently watch on the hard disk of the egress gateway.
Therefore, if the relevant information of the WEB online videos accessed by each intranet user is recorded in the device database, the device can analyze the database to learn more accurately which videos users access frequently and cache these videos on the hard disk of the egress gateway. The next time an intranet user accesses them, the video content is returned directly, without consuming egress bandwidth, and the user perceives a very good experience.
When a user connects to a web online video site to watch a film or TV series, the site usually returns other related information about that film or series to the user through the page, such as where the standard-definition or high-definition resource files of the film are and how large they are, or where the resource files of all episodes of the series are and how large they are.
If this information can be parsed out, the high-definition resources of popular films can be cached, and the egress gateway device can return the high-definition video content when a user watches the film, giving the user a good experience.
However, because each video site organizes its video resource information differently, this cannot be accomplished with ordinary DPI identification techniques, whereas the message parsing method of the above embodiments of the invention can achieve effective parsing.
Suppose a user watches an online video on the Yoqoo site, and the content watched is the standard-definition resource of "transformer 2.rmvb". When the user clicks the WEB playlist, the server site returns the relevant WEB page, which contains the information shown in Table 9:
Table 9
[Figure: contents of Table 9]
Using message analysis statements similar to those in the example of Embodiment four, the relevant information of the resource can be fully parsed and recorded through str variables; then, by calling the "write_sql" syntax, the relevant information of the resource and the intranet IP address accessing it are inserted into a database table of the packet parsing equipment. Afterwards, by periodically querying this database table, the packet parsing equipment can determine which resources are accessed by the largest number of intranet IP addresses, and then cache the videos associated with these most-accessed resources in the database.
Therefore, the message parsing method of the above embodiment can also effectively achieve the fine-grained identification of web video resources.
Embodiment seven
Fig. 4 is a flow chart of the message parsing method of another embodiment of the invention. The message parsing method shown in Fig. 4 is performed by the feature database, which is, for example, a computer. As shown in Fig. 4, the method comprises the following steps:
Step 401, load the syntax definition provided by the packet parsing equipment, the syntax definition comprising the basic functions and data types defined in the packet parsing equipment;
Step 402, receive the feature database rule parsing file written by the user according to the syntax definition;
Step 403, load the feature database rule parsing file onto the packet parsing equipment, so that the packet parsing equipment generates, according to the feature database rule parsing file, a function chain comprising the at least two basic functions and parses messages by executing the function chain, wherein, when executing the function chain, the packet parsing equipment operates on the memory space pointed to by the operands of the basic functions.
The specific flow of the message parsing method of this embodiment is the same as that of the message parsing method in any of the above embodiments and is not repeated here.
According to the message parsing method of this embodiment, the feature database loads the external syntax definition provided by the packet parsing equipment, receives the feature database rule parsing file that the user writes according to this syntax definition, and loads it onto the packet parsing equipment, so that the packet parsing equipment combines basic functions and operands according to the feature database rule parsing file and determines the packet parsing logic dynamically. Because the function of a basic function is separated from its operands, when a message changes for reasons such as an application software update, it is enough to adjust the combination or logic of the basic functions and/or operands in the rule parsing file in the feature database; the modification is convenient, the workload is small, and the packet parsing equipment does not need to be restarted. Moreover, because the operands of the basic functions point to concrete memory space, and the corresponding memory space is operated on during packet parsing, the actual values of operands can be passed between different messages that are related to one another. Therefore, the above message parsing method can effectively parse messages that change frequently and are related to one another.
Further, the message parsing method of the above embodiment also comprises:
If an updated feature database rule parsing file is received, loading the updated feature database rule parsing file onto the packet parsing equipment.
Embodiment eight
Fig. 5 is a structural diagram of the packet parsing equipment of an embodiment of the invention. As shown in Fig. 5, the packet parsing equipment comprises:
Receiver module 51, configured to receive a feature database rule parsing file, the feature database rule parsing file comprising the string identifiers of at least two basic functions and the corresponding operand strings;
Rule parsing module 52, configured to generate a function chain comprising the at least two basic functions according to the string identifiers of the at least two basic functions and the corresponding operand strings;
Packet parsing module 53, configured to parse messages by executing the function chain, wherein, when executing the function chain, the packet parsing equipment operates on the memory space pointed to by the operands of the basic functions.
The specific flow by which the packet parsing equipment of the above embodiment performs packet parsing is the same as the message parsing method of any of the above embodiments and is not repeated here.
According to the packet parsing equipment of the above embodiment, a feature database rule parsing file is received, and basic functions and operands are combined according to the string identifiers of the basic functions in the file and the corresponding operand strings, so that the packet parsing logic is determined dynamically. Because the function of a basic function is separated from its operands, when a message changes for reasons such as an application software update, it is enough to adjust the combination or logic of the basic functions and/or operands in the rule parsing file in the feature database; the modification is convenient, the workload is small, and the packet parsing equipment does not need to be restarted. Moreover, because the operands of the basic functions point to concrete memory space, and the corresponding memory space is operated on during packet parsing, the actual values of operands can be passed between different messages that are related to one another. Therefore, the above packet parsing equipment can effectively parse messages that change frequently and are related to one another.
Further, in the packet parsing equipment of the above embodiment, the rule parsing module is configured to:
generate, according to the operand strings, a basic operand structure corresponding to each operand, and determine the memory space pointed to by the operand, wherein the basic operand structure comprises a data type and an operand name;
encapsulate the basic operand structures according to the parameter list of the basic function corresponding to the string identifier, generating a function operand list structure that associates the basic function with the memory space pointed to by the operands;
generate the function chain according to the order of the string identifiers of the at least two basic functions in the feature database rule parsing file and the function operand list structure corresponding to each basic function.
Further, in the packet parsing equipment of the above embodiment, the rule parsing module is also configured to:
determine, according to the data type of the operand, the memory space pre-allocated for that data type in the packet parsing equipment;
allocate memory space for the operand from the memory space pre-allocated for the data type, and establish a mapping between the operand name and the memory space allocated for the operand.
Further, in the packet parsing equipment of the above embodiment, the basic functions comprise functions for performing operations on message payload content, and/or functions for formatted input and output of message payload content, and/or functions for interface operations, and/or algorithm functions for decompressing or decrypting messages, and/or functions for recording message payload content, and/or functions for controlling execution logic.
Embodiment nine
Fig. 6 is a structural diagram of the feature database of an embodiment of the invention. As shown in Fig. 6, the feature database comprises:
Syntax definition loading module 61, configured to load the syntax definition provided by the packet parsing equipment, the syntax definition comprising the basic functions and data types defined in the packet parsing equipment;
Rule receiving module 62, configured to receive the feature database rule parsing file written by the user according to the syntax definition;
Loading module 63, configured to load the feature database rule parsing file onto the packet parsing equipment, so that the packet parsing equipment generates, according to the feature database rule parsing file, a function chain comprising the at least two basic functions and parses messages by executing the function chain, wherein, when executing the function chain, the packet parsing equipment operates on the memory space pointed to by the operands of the basic functions.
The feature database of the above embodiment is implemented, for example, by a computer or by any other hardware device that can provide the functions of the above modules. The specific flow by which the feature database of the above embodiment performs packet parsing is the same as the message parsing method of any of the above embodiments and is not repeated here.
According to the feature database of the above embodiment, the external syntax definition provided by the packet parsing equipment is loaded, the feature database rule parsing file that the user writes according to this syntax definition is received and then loaded onto the packet parsing equipment, so that the packet parsing equipment combines basic functions and operands according to the feature database rule parsing file and determines the packet parsing logic dynamically. Because the function of a basic function is separated from its operands, when a message changes for reasons such as an application software update, it is enough to adjust the combination or logic of the basic functions and/or operands in the rule parsing file in the feature database; the modification is convenient, the workload is small, and the packet parsing equipment does not need to be restarted. Moreover, because the operands of the basic functions point to concrete memory space, and the corresponding memory space is operated on during packet parsing, the actual values of operands can be passed between different messages that are related to one another. Therefore, the above feature database can be used to parse effectively messages that change frequently and are related to one another.
Further, in the feature database of the above embodiment, the rule receiving module is also configured to trigger the loading module to operate if an updated feature database rule parsing file is received;
the loading module is also configured to load the updated feature database rule parsing file onto the packet parsing equipment.
Embodiment ten
An embodiment of the present invention further provides a packet parsing system. The packet parsing system comprises the packet parsing device of the above embodiments and the feature database of the above embodiments, and the packet parsing device is connected to the feature database.
In the packet parsing system of this embodiment, the specific flow of message parsing is the same as the message parsing method of any of the above embodiments, and is not repeated here.
According to the packet parsing system of the above embodiment, the packet parsing device receives the feature database rule parsing file and, according to the string identifiers of the basic functions in the feature database rule parsing file and the corresponding operand strings, combines basic functions and operands and determines the message parsing logic dynamically. Because the functionality of a basic function is decoupled from its operands, when messages change for reasons such as an application software update, it is enough to adjust the combination/logic of the basic functions and/or operands in the rule parsing file in the feature database; the modification is convenient, the workload is small, and the packet parsing device does not need to be restarted. Moreover, because the operands of the basic functions point to specific memory spaces, and the corresponding memory spaces are operated on when a message is parsed, the actual value of an operand can be passed between different messages that are associated with one another. The packet parsing system described above can therefore effectively parse messages that change frequently and are associated with one another.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements of some of the technical features therein, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (13)

1. A message parsing method, characterized by comprising:
a packet parsing device receiving a feature database rule parsing file, the feature database rule parsing file comprising string identifiers of at least two basic functions and corresponding operand strings;
the packet parsing device generating, according to the string identifiers of the at least two basic functions and the corresponding operand strings, a function chain comprising the at least two basic functions;
the packet parsing device parsing a message by executing the function chain, wherein, when executing the function chain, the packet parsing device operates on the memory space pointed to by the operands of the basic functions.
2. The message parsing method according to claim 1, characterized in that the packet parsing device generating, according to the string identifiers of the at least two basic functions and the corresponding operand strings, the function chain comprising the at least two basic functions specifically comprises:
the packet parsing device generating, according to the operand strings, a basic operand structure corresponding to each operand, and determining the memory space to which the operand points, wherein the basic operand structure comprises a data type and an operand name;
encapsulating the basic operand structures according to the parameter list of the basic function corresponding to the string identifier, to generate a function operand list structure used to associate the basic function with the memory space to which the operands point;
generating the function chain according to the order of the string identifiers of the at least two basic functions in the feature database rule parsing file and the function operand list structure corresponding to each basic function.
3. The message parsing method according to claim 2, characterized in that determining the memory space to which the operand points specifically comprises:
determining, according to the data type of the operand, the memory space pre-allocated for that data type in the packet parsing device;
allocating, from the memory space pre-allocated for that data type, a corresponding memory space for the operand, and establishing a mapping between the operand name and the memory space allocated for the operand.
4. The message parsing method according to any one of claims 1-3, characterized in that the basic functions comprise a function for performing operations on message payload content, and/or a function for formatted input and output of message payload content, and/or a function for interface operations, and/or an algorithm function for decompressing or decrypting messages, and/or a function for recording message payload content, and/or a function for controlling execution logic.
5. A message parsing method, characterized by comprising:
loading a syntax definition provided by a packet parsing device, the syntax definition comprising the basic functions and data types defined in the packet parsing device;
receiving a feature database rule parsing file written by a user according to the syntax definition;
loading the feature database rule parsing file into the packet parsing device, so that the packet parsing device generates, according to the feature database rule parsing file, a function chain comprising the at least two basic functions, and parses a message by executing the function chain, wherein, when executing the function chain, the packet parsing device operates on the memory space pointed to by the operands of the basic functions.
6. The message parsing method according to claim 6, characterized by further comprising:
if the feature database receives an updated feature database rule parsing file, loading the updated feature database rule parsing file into the packet parsing device.
7. A packet parsing device, characterized by comprising:
a receiving module, configured to receive a feature database rule parsing file, the feature database rule parsing file comprising string identifiers of at least two basic functions and corresponding operand strings;
a rule parsing module, configured to generate, according to the string identifiers of the at least two basic functions and the corresponding operand strings, a function chain comprising the at least two basic functions;
a message parsing module, configured to parse a message by executing the function chain, wherein, when executing the function chain, the packet parsing device operates on the memory space pointed to by the operands of the basic functions.
8. The packet parsing device according to claim 7, characterized in that the rule parsing module is configured to:
generate, according to the operand strings, a basic operand structure corresponding to each operand, and determine the memory space to which the operand points, wherein the basic operand structure comprises a data type and an operand name;
encapsulate the basic operand structures according to the parameter list of the basic function corresponding to the string identifier, to generate a function operand list structure used to associate the basic function with the memory space to which the operands point;
generate the function chain according to the order of the string identifiers of the at least two basic functions in the feature database rule parsing file and the function operand list structure corresponding to each basic function.
9. The packet parsing device according to claim 8, characterized in that the rule parsing module is further configured to:
determine, according to the data type of the operand, the memory space pre-allocated for that data type in the packet parsing device;
allocate, from the memory space pre-allocated for that data type, a corresponding memory space for the operand, and establish a mapping between the operand name and the memory space allocated for the operand.
10. The packet parsing device according to any one of claims 7-9, characterized in that the basic functions comprise a function for performing operations on message payload content, and/or a function for formatted input and output of message payload content, and/or a function for interface operations, and/or an algorithm function for decompressing or decrypting messages, and/or a function for recording message payload content, and/or a function for controlling execution logic.
11. A feature database, characterized by comprising:
a syntax definition loading module, configured to load a syntax definition provided by a packet parsing device, the syntax definition comprising the basic functions and data types defined in the packet parsing device;
a rule receiving module, configured to receive a feature database rule parsing file written by a user according to the syntax definition;
a loading module, configured to load the feature database rule parsing file into the packet parsing device, so that the packet parsing device generates, according to the feature database rule parsing file, a function chain comprising the at least two basic functions, and parses a message by executing the function chain, wherein, when executing the function chain, the packet parsing device operates on the memory space pointed to by the operands of the basic functions.
12. The feature database according to claim 11, wherein the rule receiving module is further configured to, upon receiving an updated feature database rule parsing file, trigger the loading module to perform its operation;
the loading module is further configured to load the updated feature database rule parsing file into the packet parsing device.
13. A packet parsing system, characterized by comprising the packet parsing device according to any one of claims 7-10 and the feature database according to claim 11 or 12, the packet parsing device being connected to the feature database.
CN201210458111.8A 2012-11-14 2012-11-14 Method, device and system for analyzing message Active CN102932474B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210458111.8A CN102932474B (en) 2012-11-14 2012-11-14 Method, device and system for analyzing message

Publications (2)

Publication Number Publication Date
CN102932474A true CN102932474A (en) 2013-02-13
CN102932474B CN102932474B (en) 2015-06-17

Family

ID=47647170

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210458111.8A Active CN102932474B (en) 2012-11-14 2012-11-14 Method, device and system for analyzing message

Country Status (1)

Country Link
CN (1) CN102932474B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1462135A (en) * 2002-05-28 2003-12-17 深圳市中兴通讯股份有限公司上海第二研究所 Communication message treatment equipment based on class template like management apparatus and method
WO2005082102A2 (en) * 2004-02-26 2005-09-09 Datapower Technology, Inc. Method and apparatus of streaming data transformation using code generator and translator
CN1956394A (en) * 2006-11-13 2007-05-02 杭州华为三康技术有限公司 Method and device for service configuration of network equipment
CN101202742A (en) * 2006-12-13 2008-06-18 中兴通讯股份有限公司 Method and system for preventing refusal service attack

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103886087A (en) * 2014-03-28 2014-06-25 上海斐讯数据通信技术有限公司 Calculating procedure and file verifying method for MD5
CN103886087B (en) * 2014-03-28 2018-10-12 上海斐讯数据通信技术有限公司 The calculation process and file verification method of MD5
CN109145014A (en) * 2017-06-15 2019-01-04 北京京东尚科信息技术有限公司 The method and apparatus for generating elastic searching request
CN110162413A (en) * 2018-02-12 2019-08-23 华为技术有限公司 Event-driven method and device
CN110782512A (en) * 2019-10-10 2020-02-11 成都四方伟业软件股份有限公司 3D model redrawing method and system

Also Published As

Publication number Publication date
CN102932474B (en) 2015-06-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant