CN102932474B - Method, device and system for analyzing message - Google Patents

Publication number
CN102932474B
Authority
CN
China
Prior art keywords
function
message
operand
parsing
packet parsing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210458111.8A
Other languages
Chinese (zh)
Other versions
CN102932474A (en
Inventor
陈朝晖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Star Net Ruijie Networks Co Ltd
Original Assignee
Beijing Star Net Ruijie Networks Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Star Net Ruijie Networks Co Ltd filed Critical Beijing Star Net Ruijie Networks Co Ltd
Priority to CN201210458111.8A priority Critical patent/CN102932474B/en
Publication of CN102932474A publication Critical patent/CN102932474A/en
Application granted granted Critical
Publication of CN102932474B publication Critical patent/CN102932474B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method, a device and a system for analyzing a message. In the method, a message analysis device receives a feature library rule analysis file that contains the character string marks of at least two basic functions and the corresponding operation object character strings; generates, from those character string marks and operation object character strings, a function chain comprising the at least two basic functions; and analyzes the message by executing the function chain, operating on the memory space pointed to by the operation objects of the basic functions while it executes the chain. The method, the device and the system are used for effectively analyzing messages that change frequently and are related to one another.

Description

Message parsing method, equipment and system
Technical field
The present invention relates to message parsing technology, and in particular to a message parsing method, device and system, and belongs to the field of communication technology.
Background art
In recent years, peer-to-peer (Peer-to-Peer, P2P) applications on computer networks have become increasingly abundant, and many new application types and protocols have appeared. These P2P applications consume a large amount of network bandwidth. Different network applications place different demands on bandwidth resources: real-time applications (such as online games, Voice over Internet Protocol (VoIP) and video conferencing) are sensitive to characteristics such as network transmission delay and jitter, so when bursty, high-volume traffic such as P2P application traffic is present on the network, the use of real-time applications is severely affected. To use network resources effectively, P2P application traffic must be managed effectively, which first requires that P2P traffic be identified efficiently and accurately.
Existing application identification is usually implemented by parsing messages against a static feature library. A static feature library generally describes the following features: message port, Internet Protocol (IP) address features, message payload features and message payload length. For example, to identify whether a message was produced by a certain application, the message is parsed to determine whether the character string specified in the static feature library can be extracted from the message payload; if so, the message is considered to have been produced by the corresponding software.
Existing techniques that parse messages against a static feature library all match messages on the premise that there is no relation between messages. In practice, however, there are often cases in which a static feature library cannot effectively parse and identify messages. Take the Qiyi video software as an example: the content of the first message can indicate the destination IP and destination port features of several subsequent messages, so whenever an intranet user accesses these IPs and destination ports, the messages produced are also produced by the "Qiyi video software". Because the messages are parsed against the static feature library, and the corresponding destination IP and destination port features are not configured in it, messages cannot be parsed for these destination IP and destination port features and therefore cannot be identified effectively.
At present, message identification for this situation can be achieved by compiling a message parsing program directly on the device that performs message identification. However, a compiled message parsing program is fixed: every software update requires modifying the program code, which takes a long time and a large amount of work, and the device must be shut down and restarted, interrupting the user's network in the meantime. This approach therefore cannot keep up with frequent changes in messages.
Summary of the invention
In view of the defects in the prior art, the present invention provides a message parsing method, device and system for effectively parsing messages that change frequently and are related to one another.
According to a first aspect of the invention, a message parsing method is provided, comprising:
A message parsing device receives a feature library rule parsing file, the feature library rule parsing file comprising the string identifiers of at least two basic functions and the corresponding operand strings;
The message parsing device generates, according to the string identifiers of the at least two basic functions and the corresponding operand strings, a function chain comprising the at least two basic functions;
The message parsing device parses a message by executing the function chain, wherein, when executing the function chain, the message parsing device operates on the memory space pointed to by the operands of the basic functions.
According to a second aspect of the invention, another message parsing method is provided, comprising:
Loading the syntax definition provided by a message parsing device, the syntax definition comprising the basic functions and data types defined in the message parsing device;
Receiving a feature library rule parsing file written by a user according to the syntax definition;
Loading the feature library rule parsing file into the message parsing device, so that the message parsing device generates, according to the feature library rule parsing file, a function chain comprising at least two basic functions and parses a message by executing the function chain, wherein, when executing the function chain, the message parsing device operates on the memory space pointed to by the operands of the basic functions.
According to a third aspect of the invention, a message parsing device is provided, comprising:
A receiving module, configured to receive a feature library rule parsing file, the feature library rule parsing file comprising the string identifiers of at least two basic functions and the corresponding operand strings;
A rule parsing module, configured to generate, according to the string identifiers of the at least two basic functions and the corresponding operand strings, a function chain comprising the at least two basic functions;
A message parsing module, configured to parse a message by executing the function chain, wherein, when executing the function chain, the message parsing device operates on the memory space pointed to by the operands of the basic functions.
According to a fourth aspect of the invention, a feature library is provided, characterized by comprising:
A syntax definition loading module, configured to load the syntax definition provided by a message parsing device, the syntax definition comprising the basic functions and data types defined in the message parsing device;
A rule receiving module, configured to receive a feature library rule parsing file written by a user according to the syntax definition;
A loading module, configured to load the feature library rule parsing file into the message parsing device, so that the message parsing device generates, according to the feature library rule parsing file, a function chain comprising at least two basic functions and parses a message by executing the function chain, wherein, when executing the function chain, the message parsing device operates on the memory space pointed to by the operands of the basic functions.
According to a fifth aspect of the invention, a message parsing system is provided, comprising the message parsing device provided by the invention and the feature library provided by the invention, the message parsing device being connected to the feature library.
According to the message parsing method, device and system provided by the invention, the message parsing device receives a feature library rule parsing file and, according to the string identifiers of the basic functions in the file and the corresponding operand strings, combines basic functions with operands to determine the message parsing logic dynamically. Because the functionality of a basic function is separated from its operands, when messages change for reasons such as an application software update, only the combination relationship/logic of the basic functions and/or operands in the rule parsing file in the feature library needs to be adjusted; the modification is convenient, the workload is small, and the message parsing device does not need to be restarted. Moreover, because the operands of the basic functions point to specific memory spaces, and the corresponding memory spaces are operated on during message parsing, the actual values of the operands can be passed between different related messages. The above message parsing method can therefore effectively parse messages that change frequently and are related to one another.
Brief description of the drawings
Fig. 1 is a system architecture diagram for implementing the message parsing method of an embodiment of the present invention.
Fig. 2 is a flow chart of the message parsing method of one embodiment of the invention.
Fig. 3 is a schematic diagram of an example of parsing a feature library rule parsing file.
Fig. 4 is a flow chart of the message parsing method of another embodiment of the present invention.
Fig. 5 is a structural diagram of the message parsing device of one embodiment of the invention.
Fig. 6 is a structural diagram of the feature library of one embodiment of the invention.
Detailed description of the embodiments
Fig. 1 is a system architecture diagram for implementing the message parsing method of an embodiment of the present invention. As shown in Fig. 1, the system comprises a message parsing device 11 and a feature library 12. The feature library 12 can be deployed on any device or computer; this is not limited in the embodiments of the present invention. Below, with reference to the system shown in Fig. 1, the flow of the message parsing method of the embodiments is described in detail from the perspective of the message parsing device 11 and of the feature library 12 respectively.
Embodiment one
Fig. 2 is a flow chart of the message parsing method of one embodiment of the invention. The message parsing method shown in Fig. 2 is performed by the message parsing device. As shown in Fig. 2, it comprises the following steps:
201. The message parsing device receives a feature library rule parsing file, the feature library rule parsing file comprising the string identifiers of at least two basic functions and the corresponding operand strings;
The message parsing device abstracts a general syntax definition similar to a high-level programming language, and these abstract syntax definitions are implemented once on the message parsing device through software coding and compilation.
Specifically, the message parsing device breaks down the multiple actions of the existing, functionally complex and fixed message parsing program into multiple single-purpose basic functions, and defines these single-purpose basic functions in advance to form a basic function set. Further, each basic function in the set is given a string name (that is, a string identifier is assigned to each basic function) for reference by the feature library. The functionality of these basic functions is statically determined.
The message parsing device also defines basic data types, used as the operands and operation results of the basic functions in the set, including immediates, variables, constants, buffers and so on. The specific data types depend on the programming language used by the message parsing device; they can be redefined and combined into composite structures, and are not limited to those listed above.
The message parsing device loads the above syntax definition (comprising the basic function definitions and the data type definitions) into the feature library, so that a user can write a feature library rule parsing file according to the syntax definition loaded in the feature library. More specifically, according to the actual message parsing requirements, the user selects basic functions with the required functionality from the basic function set of the syntax definition, represents them in the feature library rule parsing file by their string identifiers, determines the operands of the selected basic functions, and represents those in the file by operand strings.
For example, the feature library rule parsing file is: &(string identifier of basic function 1 int1 string1) &(string identifier of basic function 2 string1 buf1) &(string identifier of basic function 3 int1 int2 buf1). Here the operand string corresponding to basic function 1 is "int1 string1", which means that basic function 1 has two operands, named "int1" and "string1" respectively; similarly, the operand string corresponding to basic function 2 is "string1 buf1", and the operand string corresponding to basic function 3 is "int1 int2 buf1". This feature library rule parsing file involves three basic functions in total: basic function 1 and basic function 2 are associated through operand "string1", basic function 1 and basic function 3 are associated through operand "int1", and basic function 2 and basic function 3 are associated through operand "buf1".
After the user has finished writing the feature library rule parsing file, the feature library loads the feature library file containing the feature library rule parsing file into the message parsing device.
202. The message parsing device generates, according to the string identifiers of the at least two basic functions and the corresponding operand strings, a function chain comprising the at least two basic functions;
Specifically, after obtaining the feature library rule parsing file, the message parsing device parses it automatically, converting the statements of the user-defined feature library rule parsing file into a function chain that the message parsing device can execute.
203. The message parsing device parses a message by executing the function chain, wherein, when executing the function chain, the message parsing device operates on the memory space pointed to by the operands of the basic functions.
Specifically, the message parsing device allocates designated memory space for the operands of the basic functions to be called, and points the address of a determined memory space at the entry of the basic function. The message parsing device executes each basic function in the function chain in turn; when executing a basic function, it takes the actual content of the memory space that points to that function's entry as the function's operands, performs the function, and stores the execution result in memory space for reference by basic functions executed later.
According to the message parsing method of the above embodiment, the message parsing device receives a feature library rule parsing file and, according to the string identifiers of the basic functions in the file and the corresponding operand strings, combines basic functions with operands to determine the message parsing logic dynamically. Because the functionality of a basic function is separated from its operands, when messages change for reasons such as an application software update, only the combination relationship/logic of the basic functions and/or operands in the rule parsing file in the feature library needs to be adjusted; the modification is convenient, the workload is small, and the message parsing device does not need to be restarted. Moreover, because the operands of the basic functions point to specific memory spaces, and the corresponding memory spaces are operated on during message parsing, the actual values of the operands can be passed between different related messages. The above message parsing method can therefore effectively parse messages that change frequently and are related to one another.
Embodiment two
This embodiment builds on the above embodiment and expands on the flow by which the message parsing device parses the feature library rule parsing file.
Specifically, the step in which the message parsing device generates, according to the string identifiers of the at least two basic functions and the corresponding operand strings, a function chain comprising the at least two basic functions comprises:
The message parsing device generates, according to the operand strings, a basic operand structure corresponding to each operand and determines the memory space that the operand points to, wherein the basic operand structure comprises a data type and an operand name;
The basic operand structures are encapsulated according to the parameter list of the basic function corresponding to the string identifier, generating a function operand list structure that associates the basic function with the memory space that the operands point to;
The function chain is generated according to the order of the string identifiers of the at least two basic functions in the feature library rule parsing file and the function operand list structure corresponding to each basic function.
More specifically, Fig. 3 is a schematic diagram of an example of parsing a feature library rule parsing file. Fig. 3 is described using the feature library rule parsing file "&(string identifier of basic function 1 int1 string1) &(string identifier of basic function 2 string1 buf1) &(string identifier of basic function 3 int1 int2 buf1)" as an example.
The message parsing device converts the operand string "int1 string1" into the basic operand structures "int, int1" (in Fig. 3 with represent) and "string, string1" (in Fig. 3 with represent). Here "int" indicates that the data type is an integer variable and "int1" is the operand name; "string" indicates that the data type is a string variable and "string1" is the operand name. From the basic operand structures obtained, the message parsing device determines the memory space that each operand points to. For example, the message parsing device has pre-allocated memory spaces for the various data types; according to the data type in the basic operand structure, it determines the memory address range corresponding to that data type, selects one (or more) memory addresses from that range, and establishes the correspondence between the selected memory address and the operand name in the basic operand structure, which determines the memory space that the operand points to.
The message parsing device also encapsulates the basic operand structures according to the parameter list of the basic function, establishing the correspondence between the basic function and its operands and associating the basic function with the memory spaces that the operands point to. As shown in Fig. 3, the function operand list structure of basic function 1 comprises the two basic operand structures "int, int1" and "string, string1". This function operand list structure maps the memory spaces corresponding to operands int1 and string1 to "the int1 memory space of basic function 1" and "the string1 memory space of basic function 1" in the running space. The parameter list of a basic function is defined when the basic function is defined in the message parsing device and represents the meaning of the different parameters; its specific form is not limited in the embodiments of the present invention.
The message parsing device also associates the string identifier of each basic function in the feature library rule parsing file with the run address of that basic function in the message parsing device. This run address is also mapped into the running space. In the running space, the basic functions can be run automatically and operate on the corresponding memory spaces.
From the order of the basic functions (that is, the number of each basic function), the run address of each basic function and the function operand list structure of each basic function, a message parsing program that the message parsing device can execute automatically, namely the function chain, is formed.
When the message parsing device parses a message, it can first perform conventional static feature library identification on the message to obtain a preliminary identification result, and then decide whether the content of the message needs to be extracted and analyzed dynamically. If so, the dynamic message parsing flow (that is, the message parsing flow of the above embodiment) is triggered. The message parsing device initializes the pre-allocated running space, sets the number of the currently running basic function to the first basic function in the function chain, and then executes all basic functions in the chain in turn; multiple function chains can also be executed in turn.
For each basic function, the operands of the basic function are first mapped, according to the function operand list structure, to actual memory variables, namely member variables in the running space; the function is then performed, and the execution result is stored in the running space for reference by other basic functions.
By defining the life cycles of different running spaces, the actual values of the operands parsed in a running space (that is, the actual content obtained by message parsing) can be passed between multiple messages of the same data flow, between different data flows, or between multiple application modules, such as a fine-grained identification module, a data cache module, a content audit module and a database processing module, to achieve application identification in different scopes.
Further, in the message parsing method of the above embodiment, the basic functions comprise functions for performing operations on message payload content, and/or functions for formatted input and output of message payload content, and/or functions for interface operations, and/or algorithm functions for decompressing or decrypting messages, and/or functions for recording message payload content, and/or functions for controlling execution logic.
A function for controlling execution logic is a special type of function: according to the execution result of other basic functions, it modifies the number of the next basic function to run. On top of the in-order execution of the dynamically generated message parsing program (function chain), this makes it possible to implement parsing logic such as conditional selection and loop jumps, achieving intelligent parsing and fine-grained identification.
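The mechanism of embodiments one and two, as an added Python example that is not code from the patent or from any product: a rule string is split into `&(name:operands)` nodes, each operand string becomes a (data type, name) structure bound to a slot in a running space, and control functions change the number of the next function to run. The function names follow the basic functions listed in embodiment three; their operand meanings, the four-operand `expect`, the 0-based jump targets, the rule text and the payload are assumptions constructed for illustration, and the arity check, jump bounds check and step budget are additions that treat the rule file as untrusted input.

```python
import ipaddress
import re

NODE_RE = re.compile(r'&\(\s*(\w+)\s*(?::(.*?))?\)', re.S)   # one &(name:operands) node
TOKEN_RE = re.compile(r'"[^"]*"|[^,\s]+')                    # quoted or bare operand
EXIT = object()                                              # "stop the chain" sentinel

class RunSpace:
    """Running space: named memory slots that outlive a single message."""
    def __init__(self, in_ip):
        self.vars = {"@in_ip": int(ipaddress.IPv4Address(in_ip))}  # read-only global
        self.expected = []                                   # expected-connection table
    def read(self, op):
        kind, val = op
        return val if kind in ("imm", "const") else self.vars[val]
    def write(self, op, value):
        kind, name = op
        if kind not in ("int", "string"):
            raise ValueError(f"operand {name!r} is read-only")
        self.vars[name] = value

def classify(tok):
    """Operand string -> basic operand structure (data type, name or value)."""
    if tok.startswith('"'):
        return ("const", tok.strip('"'))
    if re.fullmatch(r'0[xX][0-9a-fA-F]+|-?\d+', tok):
        return ("imm", int(tok, 0))
    for prefix, kind in (("@", "global"), ("int", "int"), ("str", "string"), ("payload", "buffer")):
        if tok.startswith(prefix):
            return (kind, tok)
    raise ValueError(f"unknown operand {tok!r}")

# Basic functions (assumed semantics): None = run the next one, int = number to run next.
def f_mov(sp, a): sp.write(a[0], sp.read(a[1]))
def f_add(sp, a): sp.write(a[0], sp.read(a[1]) + sp.read(a[2]))
def f_jmp(sp, a): return sp.read(a[0])
def f_jl(sp, a): return sp.read(a[1]) if sp.read(a[0]) < 0 else None
def f_exit(sp, a): return EXIT
def f_str2ip(sp, a): sp.write(a[0], int(ipaddress.IPv4Address(sp.read(a[1]))))
def f_expect(sp, a): sp.expected.append(tuple(sp.read(x) for x in a))
def f_search(sp, a):   # a[1] is the start offset in, the match offset (or -1) out
    sp.write(a[1], sp.read(a[0]).find(sp.read(a[3]).encode(), sp.read(a[1])))
def f_fmt_bufin(sp, a):
    if sp.read(a[3]) != "%s:%d":
        raise ValueError("only the %s:%d format is supported here")
    start = sp.read(a[1])
    m = re.match(rb'([^:\s]+):(\d+)', sp.read(a[0])[start:start + sp.read(a[2])])
    if m is None:
        return EXIT
    sp.write(a[4], m.group(1).decode("ascii", "replace"))
    sp.write(a[5], int(m.group(2)))
BASIC = {"mov": (f_mov, 2), "add": (f_add, 3), "jmp": (f_jmp, 1), "jl": (f_jl, 2),
         "exit": (f_exit, 0), "str2ip": (f_str2ip, 2), "expect": (f_expect, 4),
         "search": (f_search, 4), "fmt_bufin": (f_fmt_bufin, 6)}

def build_chain(rule):   # rule text -> function chain [(basic function, operand list)]
    leftover = NODE_RE.sub("", rule).replace("\\", "").strip()
    if leftover:
        raise ValueError(f"unparsed rule text: {leftover!r}")
    chain = []
    for name, operands in NODE_RE.findall(rule):
        fn, arity = BASIC.get(name, (None, 0))
        ops = [classify(t) for t in TOKEN_RE.findall(operands)]
        if fn is None or len(ops) != arity:
            raise ValueError(f"bad node {name!r} with {len(ops)} operands")
        chain.append((fn, ops))
    return chain

def run(chain, sp, payload, max_steps=10_000):   # execute the chain on one message
    sp.vars["payload"] = payload
    pc = 0
    for _ in range(max_steps):
        if pc == len(chain):
            return
        if not 0 <= pc < len(chain):
            raise ValueError(f"jump target {pc} outside function chain")
        fn, ops = chain[pc]
        nxt = fn(sp, ops)
        if nxt is EXIT:
            return
        pc = pc + 1 if nxt is None else nxt
    raise RuntimeError("step budget exhausted: rule does not terminate")

def is_expected(sp, src_ip, dst_ip, dst_port, proto):   # lookup for a later message
    src, dst = (int(ipaddress.IPv4Address(x)) for x in (src_ip, dst_ip))
    return (src, dst, dst_port, proto) in sp.expected

# Constructed rule (functions numbered from 0) and constructed control message.
RULE = r'''&(mov:int0,0)&(search:payload,int0,int1,"rtmfp://")&(jl:int0,8)&(add:int0,int0,8)\
&(fmt_bufin:payload,int0,25,"%s:%d",str0,int4)&(str2ip:int3,str0)\
&(expect:@in_ip,int3,int4,17)&(jmp:1)&(exit)'''
CONTROL_MSG = (b"GET /constructed HTTP/1.1\r\nHost: conf.ppweb.com.cn\r\n\r\n"
               b"rtmfp://201.101.11.34:9921\r\nrtmfp://58.61.211.74:10037\r\n")

if __name__ == "__main__":
    space = RunSpace("192.168.1.10")              # constructed intranet client address
    run(build_chain(RULE), space, CONTROL_MSG)
    print(space.expected)
```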
Embodiment three
This embodiment gives some concrete examples of syntax definitions in the message parsing device, of a feature library rule parsing file written according to these syntax definitions, and of the message parsing device parsing messages according to the feature library rule parsing file. They serve only as examples to illustrate the message parsing method of the present invention more clearly and in more detail, and do not limit the invention.
The syntax definition of the message parsing device includes, for example, the following:
(1) Constants
A constant, also called an immediate, is a constant in the usual sense, such as 1, 2, 0X03. The names, formats and descriptions of the constants defined in the message parsing device are given in Table 1.
Table 1
(2) Global well-known variables
The values of global well-known variables come mainly from messages and application modules (for example the fine-grained identification module, data cache module, content audit module and database processing module). They can participate in operations and can be used across different data flows and different messages, but they are read-only. Global well-known variables are defined mainly for extracting information common to messages and information common to modules.
Global well-known variables usually take @ as a prefix, such as @in_ip. They are defined by the message parsing device, can participate in operations, and are integer variables that cannot be assigned to; their actual values are determined at message parsing time, for example the five-tuple information of the message.
To support message analysis, the message parsing device usually needs to provide the global well-known variables shown in Table 2:
Table 2
(3) Ordinary variables
The names, formats and descriptions of the ordinary variables defined in the message parsing device are given in Table 3.
Table 3
(4) Operator syntax
Operator syntax operates on integer constants and integer variables and is mainly responsible for arithmetic and bit operations. It is typically used when calculating an offset within a message or the length of some field of a message.
Typical operator syntax is shown in Table 4:
Table 4
(5) Logic control syntax
Logic control syntax is mainly used to compare operation results and, according to the comparison result, jump to a specified syntax node for execution: from one syntax node of a feature library rule, execution jumps to another syntax node according to the comparison result.
With this syntax, logical branch control can be applied to message parsing operations, and logic similar to while and if/else can be implemented in the message parsing process.
Typical logic control syntax is shown in Table 5:
Table 5
(6) Data buffer operation syntax
Data buffer operation syntax is used to operate on the message buffer. It provides basic reads and writes of the message buffer, basic comparisons on the message buffer, formatted reads from the message buffer and formatted writes to the message buffer.
Using data buffer operation syntax makes messages more convenient to operate on and allows arbitrary message content to be constructed flexibly.
Typical data buffer operation syntax is shown in Table 6:
Table 6
As shown in Table 6, by defining "rint" and "rint_le", the byte order of network messages can be taken fully into account when reading a message, deciding whether the message is read in big-endian or in little-endian byte order.
(7) Message algorithm operation syntax
The network messages of some application software are currently compressed, encrypted, or subject to an MD5 check. A typical example is the HTTP resources of some web video applications, which are gzip-compressed; for such messages, the resource content can only be parsed after decompression.
Syntax for message decompression, decryption and MD5 check calculation can therefore be defined in the message parsing device, converting the main commonly used algorithms into feature library syntax for use in message parsing.
Typical syntax of this kind is shown in Table 7:
Table 7
(8) Message business processing syntax
Besides parsing message content to extract information, it is even more important to perform business processing on messages. For example: communicate over an interface (SOCKET) with the peer server to learn the application type of the peer server. For example: according to the resource IP obtained from message analysis, create an expected connection, so that when a new message matching the expected connection arrives, the application type of that message is identified, achieving application routing for the message, in particular application routing for TCP connections. For example: according to the result of message analysis, insert specified information into a database for use by other application modules.
Typical message business processing syntax is shown in Table 8:
Table 8
Below, taking the parsing of control-flow resource messages of a web online video application as an example, the implementation flow of the message parsing device is described with reference to the concrete syntax definitions.
For example, the control-flow resource message of the web online video application "Qiyi HD Video" contains the following resource information:
GET...net-vod-iqiyi...
Host:conf.ppweb.com.cn...
rtmfp://201.101.11.34:9921…
rtmfp://58.61.211.74:10037...
The goal is, upon recognizing that a data flow is the control flow of "Qiyi HD Video", to extract the above server IP and port information and create expected connections.
Ahead of the message parsing rule is ordinary feature library identification syntax: the flow is identified as the Qiyi HD Video control flow by matching Host:conf.ppweb.com.cn, after which the syntax analysis of the server IP and port information is triggered.
The syntax statement is as follows:
&(main:0)\
&(nextpkt:2,0,2)&(exit)\
&(mov:int0,0)&(search:payload,int0,int1,"rtmfp://")&(jl:int0,1)\
&(add:int0,int0,8)\
&(fmt_bufin:payload,int0,25,"%s:%d",str0,int4)&(str2ip:int3,str0)\
&(expect:@in_ip,0,int3,int4,17,0x1D,@idx,int5)&(jmp:3)
The following basic functions, data types and running space are predefined in the packet parsing equipment. The actual content of a basic function's operand is not fixed in the syntax definition; it is determined dynamically, through memory mapping, when the message is parsed.
The basic functions predefined in the packet parsing equipment include:
(1) Nextpkt: indicates that subsequent messages must continue the syntax analysis of this rule; the runtime environment is passed between the multiple messages of the current data flow.
(2) Exit: exits execution of the packet parsing program.
(3) Mov: assigns a value to an integer variable.
(4) Search: searches for a specific character string in a specified character buffer (usually the message payload) and records the offset of the string.
(5) Jl: depending on whether its first operand is less than 0, modifies the number of the next function to run.
(6) Add: adds two integer variables.
(7) Fmt_bufin: reads a character string from the message in formatted form.
(8) Str2ip: converts a character string into an integer IP value.
(9) Expect: given a data flow five-tuple, inserts a record into the expected connection table, for first-packet identification.
(10) Jmp: unconditionally modifies the number of the next function to run, implementing loop control.
The data types predefined in the packet parsing equipment include:
(1) Immediate value: e.g. 0, 1, 2.
(2) Integer variable: e.g. int0, int1.
(3) Integer constant: e.g. the intranet IP @in_ip.
(4) Character string: e.g. "rtmfp://".
(5) String variable: e.g. str0.
(6) String constant: e.g. the message payload, payload.
The running space predefined in the packet parsing equipment stores operand values during execution. Taking the C language as an example, the following data structure is defined:
After completing the above syntax definition, the packet parsing equipment loads it into the feature database and receives the feature database rule parsing file that the user writes according to this syntax definition. When the packet parsing equipment parses the feature database rule parsing file, it performs the following syntax parsing process:
Step 1, define the basic data object structure. Taking the C language as an example, the following data structure is defined.
When the feature database is upgraded to the equipment, the first parameter of &(mov:int0,0) can be converted, according to its name, into a C structure whose type is integer variable and whose un.offset is 0.
Step 2, define the function operand list structure object_list_t. For example, the integer variable parameter int0 and the immediate parameter 0 of &(mov:int0,0) are each converted into a data_object_t structure and linked together, forming the function operand list structure of the mov function.
Step 3, define the function object structure. Taking the C language as an example, the following data structure is defined.
Step 4, define the packet parsing program structure: all basic functions in one feature database rule are linked together to form the packet parsing program. A function's position in the chain is its function number, which can be specified by an immediate value.
After the packet parsing program is obtained in Step 4, the following packet parsing flow is performed:
Step 5, through DPI identification, determine the feature database rule for which fine-grained identification is to be performed, and allocate and initialize the runtime environment runtime_t.
Step 6, initialize the integer constant and string constant sets. Integer constants generally include information such as the source and destination IP and ports from the IP and TCP/UDP protocol headers, and the application type index corresponding to the current rule; string constants usually refer to the application-layer payload.
Step 7, schedule and execute, in order, each function of the basic function chain in the packet parsing program structure:
(1) Nextpkt: the current runtime environment is shared among the multiple messages of the same data flow, and subsequent messages of the current data flow are parsed starting from the 2nd basic function of the rule.
(2) Exit: exits the parsing flow of the current message.
(3) Mov: assigns 0 to the integer variable int0. Before performing its operation, every function must map its variable-type operands to memory space. Taking Mov as an example, int0 must first be mapped onto the int_set[0] member of the runtime environment runtime_t.
(4) Search: searches the message payload for the character string "rtmfp://" and saves the offset to the variable int0.
(5) Jl: decides, according to the search result, whether to continue the subsequent parsing flow. If the character string was not found, that is, int0 is less than 0, execution jumps to the function object numbered 1, Exit, and the parsing flow of the current message ends.
(6) Add: adds the string length 8 to the offset of the character string "rtmfp://", so that it points to the position in the message payload of the IP 201.101.11.34.
(7) Fmt_bufin: reads the IP and port from the message in formatted form and stores them in the string variable str0 and the integer variable int4 of the runtime environment, respectively.
(8) Str2ip: converts the string variable str0 holding the message IP into an integer value, stored in the variable int3.
(9) Expect: according to the intranet IP represented by @in_ip and the external IP and port stored in str0 and int4, inserts a node into the expected connection table, for first-packet identification.
(10) Jmp: modifies the number of the next function object to execute, i.e. the sp value in the runtime environment, jumping to the function object numbered 3 and continuing the above parsing flow.
Through the above steps, packet parsing is completed.
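The function chain built in Steps 1 to 4 and executed in Steps 5 to 7, written out as an added C example that is not code from the patent. The struct layouts, the resume field, the helper names, the reading of Search as writing the match offset back into int0, and the choice to stop parsing on a malformed field are assumptions; the chain is the rtmfp rule above with the operands it does not model left out.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Operand descriptor: a variable holds only a slot number; its value lives in runtime_t. */
enum kind { IMM, INT_VAR, STR_VAR, STR_LIT };
typedef struct { enum kind type; long imm; int offset; const char *lit; } data_object_t;
enum op { NEXTPKT, EXIT, MOV, SEARCH, JL, ADD, FMT_BUFIN, STR2IP, EXPECT, JMP };
typedef struct { enum op fn; data_object_t arg[4]; } func_t;
enum { NINT = 8, NEXP = 8 };
typedef struct {                        /* field layout is an assumption */
    long int_set[NINT];                 /* int0..int7 */
    char str_set[2][32];                /* str0, str1 */
    int sp, resume;                     /* next function number; restart point for later packets */
    struct { uint32_t ip; int port; } expect[NEXP];    /* expected-connection table */
    int n_expect;
} runtime_t;
#define I(n) { IMM, (n), 0, NULL }
#define V(n) { INT_VAR, 0, (n), NULL }
#define S(n) { STR_VAR, 0, (n), NULL }
#define L(s) { STR_LIT, 0, 0, (s) }
/* The page's rtmfp rule; the array index is the function number used by nextpkt, jl and jmp. */
const func_t chain[] = {
    { NEXTPKT,   { I(2) } },                       /* 0: later packets restart at function 2 */
    { EXIT,      { I(0) } },                       /* 1 */
    { MOV,       { V(0), I(0) } },                 /* 2: int0 = 0 */
    { SEARCH,    { V(0), V(1), L("rtmfp://") } },  /* 3 */
    { JL,        { V(0), I(1) } },                 /* 4: not found -> exit */
    { ADD,       { V(0), V(0), I(8) } },           /* 5: skip "rtmfp://" */
    { FMT_BUFIN, { V(0), I(25), S(0), V(4) } },    /* 6: str0 = host, int4 = port */
    { STR2IP,    { V(3), S(0) } },                 /* 7 */
    { EXPECT,    { V(3), V(4) } },                 /* 8 */
    { JMP,       { I(3) } },                       /* 9: loop to the next URL */
};

/* Memory mapping: resolve a variable operand to its slot in the runtime environment. */
static long *slot(runtime_t *rt, const data_object_t *o) {
    static long sink;                   /* absorbs access through a non-variable or bad operand */
    sink = 0;
    return (o->type == INT_VAR && (unsigned)o->offset < NINT) ? &rt->int_set[o->offset] : &sink;
}
static long val(runtime_t *rt, const data_object_t *o) { return o->type == INT_VAR ? *slot(rt, o) : o->imm; }
/* Bounded search: absolute offset of pat at or after from, or -1. */
static long find(const char *buf, size_t len, long from, const char *pat) {
    size_t n = pat ? strlen(pat) : 0;
    if (!pat || from < 0 || (size_t)from > len) return -1;
    for (size_t i = (size_t)from; i + n <= len; i++)
        if (memcmp(buf + i, pat, n) == 0) return (long)i;
    return -1;
}

/* Run the chain over one packet of the flow; returns the number of expected connections. */
int run_chain(runtime_t *rt, const func_t *fc, int n, const char *payload, size_t len) {
    /* The step budget and the sp range check keep a bad rule from looping or jumping out. */
    for (int steps = 0; steps < 256 && rt->sp >= 0 && rt->sp < n; steps++) {
        const data_object_t *a = fc[rt->sp].arg;
        switch (fc[rt->sp++].fn) {
        case NEXTPKT: rt->resume = (int)val(rt, &a[0]); break;
        case EXIT:    goto stop;
        case MOV:     *slot(rt, &a[0]) = val(rt, &a[1]); break;
        case ADD:     *slot(rt, &a[0]) = val(rt, &a[1]) + val(rt, &a[2]); break;
        case JL:      if (val(rt, &a[0]) < 0) rt->sp = (int)val(rt, &a[1]); break;
        case JMP:     rt->sp = (int)val(rt, &a[0]); break;
        case SEARCH: {
            long from = val(rt, &a[0]), hit = find(payload, len, from, a[2].lit);
            *slot(rt, &a[1]) = hit < 0 ? -1 : hit - from;   /* distance from the start offset */
            *slot(rt, &a[0]) = hit;                         /* absolute offset, or -1 */
            break;
        }
        case FMT_BUFIN: {               /* copy at most a[1] payload bytes, then parse host:port */
            long off = val(rt, &a[0]), max = val(rt, &a[1]), port = 0;
            char tmp[64] = {0};
            if (off < 0 || (size_t)off >= len || max <= 0 || max >= (long)sizeof tmp) goto stop;
            size_t take = len - (size_t)off < (size_t)max ? len - (size_t)off : (size_t)max;
            memcpy(tmp, payload + off, take);
            if (sscanf(tmp, "%31[^:]:%5ld", rt->str_set[a[2].offset & 1], &port) != 2) goto stop;
            *slot(rt, &a[3]) = port;
            break;
        }
        case STR2IP: {
            struct in_addr ia;
            if (inet_pton(AF_INET, rt->str_set[a[1].offset & 1], &ia) != 1) goto stop;
            *slot(rt, &a[0]) = (long)ntohl(ia.s_addr);
            break;
        }
        case EXPECT: {                  /* a[0] = server IP, a[1] = server port */
            long port = val(rt, &a[1]);
            if (rt->n_expect == NEXP || port < 1 || port > 65535) goto stop;
            rt->expect[rt->n_expect].ip = (uint32_t)val(rt, &a[0]);
            rt->expect[rt->n_expect++].port = (int)port;
            break;
        }
        }
    }
stop:
    rt->sp = rt->resume;                /* the next packet of the flow restarts here */
    return rt->n_expect;
}
```

Calling run_chain once per packet with the same zero-initialized runtime_t carries int_set, sp and the expected-connection table from one packet of the flow to the next; the packet that triggered the rule only arms it through Nextpkt, and extraction starts with the following packet.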
According to the message parsing method of the above embodiment, the control flow of an application is analyzed and server addresses and ports are extracted from it; these servers and ports are usually the data connections over which communication will take place next. By creating expected connections for the application, the application type of a data flow is identified from its first packet.
Further, in the above application example the resource messages of the control flow are all plaintext, but the resource messages of some applications may be encrypted or compressed. In that case, when the packet parsing process reaches an encrypted or compressed position in the message, it must call the corresponding decryption or decompression algorithm and then continue parsing the decrypted or decompressed message content.
For example, the BT resource list carried in a message has been compressed with the gzip algorithm. The message format is as follows:
GET/announce?info_hash=...
Content-Encoding:
gzip...Content-Length:32......sdercsklfskdfsldfknvvy487sdkrmXq...
To effectively parse the compressed BT resource list, the feature database rule parsing file can be written as follows:
“&(main:0)\
&(nextpkt:2,0,2)&(exit)\
&(search:payload,0,int0,"Content-Encoding:gzip")&(jl:int0,32)\
&(search:payload,0,int0,"Content-Length:")&(jl:int0,1)&(add:int0,int0,16)\
&(search:payload,int0,int1,"[0D 0A]")&(rstr:payload,int0,str0,int1)\
&(search:payload,int0,int2,"[0D 0A]")&(jl:int2,1)&(add:int0,int0,int2)
&(unzip:"gzip",buf0,payload,int0,int1)\
&(search:buf0,0,int0,"5:peers")&(jl:int0,1)&(add:int0,int0,7)\
&(search:buf0,int0,int2,":")&(rstr:buf0,int0,str0,int2)&(str2int:int4,str0,10)\
&(rint:buf0,int0,int2,4)&(add:int0,int0,4)&(rint:buf0,int0,int3,2)\
&(expect:@in_ip,0,int2,int3,6,0x1D,@idx,0,int5)\”
Here, the statement &(unzip:"gzip",buf0,payload,int0,int1) means: after Content-Length: is found, call the gzip decompression algorithm to decompress the 32-byte message body and place the decompressed content in buf0. The statement &(search:buf0,0,int0,"5:peers") means: the content of buf0 is the decompressed resource list, which can be analyzed in the usual way. For example, in "5:peers1146:10.45.2.31", 1146 is the port and 10.45.2.31 is the server IP.
Embodiment five
This embodiment provides an example of applying the message parsing method of the above embodiments in another application scenario, namely detecting and identifying unknown traffic.
At present the data flows of many P2P download programs are encrypted and cannot be identified by ordinary DPI techniques, but the initial protocol handshake of these programs may not be encrypted. Message probing can therefore be used: a probe message is sent according to the program's protocol format, and if the server responds, the server is determined to be a server of that class of P2P download software, and data flows to that server can be identified as that P2P download software.
Based on this idea, the following feature database rule parsing file can be written:
“30-0-0-0 1-0-0-0&(app_user:int2,@in_ip,"5-5-0-0")&(jge:int2,2)&(exit)\
&(session:18,"emule_detect",@src_ip,@src_port,@dst_ip,@dst_port,6,0xF8000000,@src_intf,@dst_intf,@src_mac,@dst_mac,@ori_dir,@fid,0,0,2,0)&(exit)
session emule_detect&(idx:5-5-0-0)\
&(wstr:buf0,0,"[e3 56 00 00 00 01 10 aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 01 00 00 00 26 85 06 00 00 00 02 01 00 01 06 00 6d 79 64 65 61 72 03 01 00 11 3c 00 00 00 03 01 00 f9 ec 17 ec 17 03 01 00 fa 1e 42 13 34 03 01 00 fe b4 01 00 00 03 01 00 ee 0c e9 89 14 00 00 00 00 00 00]",91)\
&(connect:6,@s_src_ip,@s_src_port,$s_src_mac,@s_src_intf,@s_dst_ip,@s_dst_port,$s_dst_mac,@s_dst_intf)\
&(send:buf0,0,91)\
&(recv:buf0)&(get_strlen:int0,buf0)&(jg:int0,6)&(exit)&(rint:buf0,0,int1,1)&(cmp:int0,int1,0xE3)&(je:int0,10)&(exit)\
&(set_idx:@s_ori_fid,@s_app_idx,9,0)&(exit)”
Here, the statement &(app_user:int2,@in_ip,"5-5-0-0") means: probing of unknown traffic is triggered only when this intranet IP is an eMule user. The statement &(session:18,"emule_detect",...) means: create an eMule probe session and pass in the global parameters the session probe needs. The statement &(wstr:buf0,0,"[e3 56...]",91) means: construct the probe message template; because the eMule probe message currently has no variable parameters, it is fairly simple, and a fixed data message buffer can be constructed directly with the wstr syntax. If the message template contains variable parameters, the fmt_bufout syntax can be used to build a variable data message buffer instead. The statement &(connect:6,@s_src_ip...) means: create a TCP connection for probing. The statement &(send:buf0,0,91) means: send the probe message. The statement &(recv:buf0) means: receive the probe response message; the arithmetic statements after the recv syntax all perform validity checks on the content of the probe response, to judge whether it is a response sent by a genuine eMule server or possibly a forged one. The statement &(set_idx:@s_ori_fid,@s_app_idx,9,0) means: the server corresponding to this unknown traffic has been confirmed by probing to be an eMule server, and the unknown traffic is set to the eMule application type.
After the above feature database rule parsing file is upgraded to the packet parsing equipment, the equipment automatically generates the basic function chain for message probing; when the packet parsing scheduler determines that unknown traffic has appeared, it calls this basic function chain to perform message probing. Specifically, the interaction between the packet parsing equipment and the server is as follows:
Step 1, the packet parsing equipment calls the basic function corresponding to the wstr syntax to construct the probe message.
Step 2, the packet parsing equipment calls the basic function corresponding to the connect syntax to set up a TCP connection with the server.
Step 3, the packet parsing equipment calls the basic function corresponding to the send syntax to send the probe message to the server.
Step 4, the packet parsing equipment calls the basic function corresponding to the recv syntax and waits for the server's response message. Once the server responds, the basic function corresponding to the recv syntax receives the message.
Step 5, the packet parsing equipment calls the basic functions corresponding to basic string syntax such as get_strlen and cmp to parse the message content received from the server and determine that the probed server is an eMule server.
As can be seen from the above steps, the message parsing method of this embodiment abstracts each action in the interaction between the equipment and the server into a basic function; the concrete interaction process can be defined by the user in the feature database from these abstract basic functions, combined freely.
Further, the above process is described for probing a fairly simple protocol: the packet parsing equipment sends one protocol probe message, the server sends one probe response message, and the packet parsing equipment then analyzes the probe response. In practice, however, more complex protocol message probing interactions may exist, for example:
The packet parsing equipment sends a probe message. The server receives it and sends a probe response that contains some variable information and requires further authentication. The packet parsing equipment receives this response, parses the variable information in it, constructs the next probe message template, and sends the next probe message. The server receives the second probe message, accepts the type of the packet parsing equipment, and sends the final response message. The packet parsing equipment receives the final response message and confirms the application type of the server.
For this scenario, the feature rule parsing file must be modified so that the parsing program generated from it by the packet parsing equipment satisfies the following interaction process:
Step 1, the packet parsing equipment calls the session syntax to create a probe session.
Step 2, the packet parsing equipment calls the basic function corresponding to the wstr syntax to construct the probe message.
Step 3, the packet parsing equipment calls the basic function corresponding to the connect syntax to set up a TCP connection with the server.
Step 4, the packet parsing equipment calls the basic function corresponding to the send syntax to send the probe message to the server.
Step 5, the packet parsing equipment calls the basic function corresponding to the recv syntax and waits for the server's response message. Once the server responds, the basic function corresponding to the recv syntax receives the message.
Step 6, the packet parsing equipment calls the basic functions corresponding to basic string syntax such as get_strlen and cmp to parse the message content received from the server and extract the variable information.
Step 7, the packet parsing equipment calls the fmt_bufout syntax to construct the complex probe message template.
Step 8, the packet parsing equipment calls the basic function corresponding to the send syntax to send the complex probe message template to the server.
Step 9, the packet parsing equipment calls the basic function corresponding to the recv syntax and waits for the server's response message. Once the server responds, the basic function corresponding to the recv syntax receives the message.
Step 10, the packet parsing equipment calls the basic functions corresponding to basic string syntax such as get_strlen and cmp to parse the message content received from the server and determine that the probed server is an eMule server.
Therefore, the message parsing method of the above embodiment effectively achieves identification of unknown traffic.
Embodiment six
This embodiment provides an example of applying the message parsing method of the above embodiments in another application scenario, namely fine-grained identification of web video resources.
Besides serving as the gateway for Internet access, an egress gateway may also act as a cache device to give intranet users a good browsing experience, for example by caching popular web online video pages that users watch often on the egress gateway's hard disk.
Therefore, if information about the web online videos accessed by each intranet user is recorded in the device database, the device can analyze the database to know more accurately which videos users access often and cache them on the egress gateway's hard disk. The next time an intranet user requests one, the video content is returned directly, without consuming egress bandwidth, and the user perceives a very good experience.
When a user connects to a web online video site to watch a film or TV series, the site usually returns other related information about that film or series to the user through the page: for example, where the standard-definition and high-definition resource files of the film are and how large they are, or where the resource files of all episodes of the series are and how large they are.
If this information can be parsed out, the high-definition resources of popular films can be cached, and when a user watches such a film the egress gateway returns the high-definition video content, giving the user a good experience.
However, because each video site organizes its video resource information differently, this cannot be accomplished with ordinary DPI identification techniques, whereas the message parsing method of the above embodiments of the present invention can parse it effectively.
Suppose a user watches an online video on the Yoqoo site, and the content watched is the standard-definition resource "transformer 2.rmvb". When the user clicks the web viewing list, the server returns the relevant web page, which contains the information shown in Table 9:
Table 9
Using message analysis statements similar to those in the example of Embodiment four, all the relevant resource information can be parsed and recorded in str variables; by calling the "write_sql" syntax, the resource information and the intranet IP address accessing the resource are inserted into a database table of the packet parsing equipment. The packet parsing equipment can then periodically query this database table, determine which resources are accessed by the largest number of intranet IP addresses, and cache the videos of those most-accessed resources in the database.
Therefore, the message parsing method of the above embodiment can also effectively achieve fine-grained identification of web video resources.
Embodiment seven
Fig. 4 is a flowchart of the message parsing method of another embodiment of the present invention. The message parsing method shown in Fig. 4 is performed by the feature database, which is, for example, a computer. As shown in Fig. 4, it comprises the following steps:
Step 401, load the syntax definition provided by the packet parsing equipment, the syntax definition comprising the basic functions and data types defined in the packet parsing equipment;
Step 402, receive the feature database rule parsing file written by the user according to the syntax definition;
Step 403, load the feature database rule parsing file into the packet parsing equipment, so that the packet parsing equipment generates, according to the feature database rule parsing file, a function chain comprising the at least two basic functions and parses messages by executing the function chain, wherein, when executing the function chain, the packet parsing equipment operates on the memory space pointed to by the operands of the basic functions.
The specific flow of the message parsing method of this embodiment is the same as that of the message parsing method in any of the above embodiments and is not repeated here.
According to the message parsing method of this embodiment, the feature database loads the external syntax definition provided by the packet parsing equipment, receives the feature database rule parsing file that the user writes according to this syntax definition, and loads it into the packet parsing equipment, so that the packet parsing equipment combines basic functions and operands according to the feature database rule parsing file and determines the packet parsing logic dynamically. Because the function of a basic function is separated from its operands, when messages change, for example because application software is updated, it is enough to adjust the combination relationship or logic of the basic functions and/or operands in the rule parsing file in the feature database; the modification is convenient, the workload is small, and the packet parsing equipment does not need to be restarted. Moreover, because the operands of the basic functions point to concrete memory space, and that memory space is operated on when packet parsing is performed, the actual values of operands can be passed between different, related messages. The above message parsing method can therefore effectively parse messages that change frequently and are related to one another.
Further, the message parsing method of the above embodiment also comprises:
If an updated feature database rule parsing file is received, loading the updated feature database rule parsing file into the packet parsing equipment.
Embodiment eight
Fig. 5 is a structural diagram of the packet parsing equipment of one embodiment of the present invention. As shown in Fig. 5, the packet parsing equipment comprises:
Receiving module 51, configured to receive a feature database rule parsing file, the feature database rule parsing file comprising the character string identifiers of at least two basic functions and the corresponding operand character strings;
Rule parsing module 52, configured to generate, according to the character string identifiers of the at least two basic functions and the corresponding operand character strings, a function chain comprising the at least two basic functions;
Packet parsing module 53, configured to parse messages by executing the function chain, wherein, when executing the function chain, the packet parsing equipment operates on the memory space pointed to by the operands of the basic functions.
The specific flow by which the packet parsing equipment of the above embodiment performs packet parsing is the same as that of the message parsing method of any of the above embodiments and is not repeated here.
According to the packet parsing equipment of the above embodiment, the equipment receives the feature database rule parsing file and, according to the character string identifiers of the basic functions in the file and the corresponding operand character strings, combines basic functions and operands and determines the packet parsing logic dynamically. Because the function of a basic function is separated from its operands, when messages change, for example because application software is updated, it is enough to adjust the combination relationship or logic of the basic functions and/or operands in the rule parsing file in the feature database; the modification is convenient, the workload is small, and the packet parsing equipment does not need to be restarted. Moreover, because the operands of the basic functions point to concrete memory space, and that memory space is operated on when packet parsing is performed, the actual values of operands can be passed between different, related messages. The above packet parsing equipment can therefore effectively parse messages that change frequently and are related to one another.
Further, in the packet parsing equipment of the above embodiment, the rule parsing module is configured to:
Generate, according to the operand character strings, a basic operation object structure corresponding to each operand, and determine the memory space pointed to by the operand, wherein the basic operation object structure comprises a data type and an operand name;
Encapsulate the basic operation object structures according to the parameter list of the basic function corresponding to the character string identifier, generating a function operand list structure that associates the basic function with the memory space pointed to by the operands;
Generate the function chain according to the order of the character string identifiers of the at least two basic functions in the feature database rule parsing file and the function operand list structure corresponding to each basic function.
Further, in the packet parsing equipment of the above embodiment, the rule parsing module is also configured to:
Determine, according to the data type of the operand, the memory space allocated in advance for that data type in the packet parsing equipment;
Allocate the corresponding memory space for the operand from the memory space allocated in advance for the data type, and establish the mapping between the operand name and the memory space allocated for the operand.
Further, in the packet parsing equipment of the above embodiment, the basic functions include functions for performing operations on message payload content, and/or functions for formatted input and output of message payload content, and/or functions for interface operations, and/or algorithm functions for decompressing or decrypting messages, and/or functions for recording message payload content, and/or functions for controlling execution logic.
Embodiment nine
Fig. 6 is a structural diagram of the feature database of one embodiment of the present invention. As shown in Fig. 6, the feature database comprises:
Syntax definition loading module 61, configured to load the syntax definition provided by the packet parsing equipment, the syntax definition comprising the basic functions and data types defined in the packet parsing equipment;
Rule receiving module 62, configured to receive the feature database rule parsing file written by the user according to the syntax definition;
Loading module 63, configured to load the feature database rule parsing file into the packet parsing equipment, so that the packet parsing equipment generates, according to the feature database rule parsing file, a function chain comprising the at least two basic functions and parses messages by executing the function chain, wherein, when executing the function chain, the packet parsing equipment operates on the memory space pointed to by the operands of the basic functions.
The feature database of the above embodiment is implemented, for example, by a computer or by any other hardware device that can provide the functions of the above modules. The specific flow by which the feature database of the above embodiment performs packet parsing is the same as that of the message parsing method of any of the above embodiments and is not repeated here.
According to the feature database of the above embodiment, the feature database loads the external syntax definition provided by the packet parsing equipment, receives the feature database rule parsing file that the user writes according to this syntax definition, and loads it into the packet parsing equipment, so that the packet parsing equipment combines basic functions and operands according to the feature database rule parsing file and determines the packet parsing logic dynamically. Because the function of a basic function is separated from its operands, when messages change, for example because application software is updated, it is enough to adjust the combination relationship or logic of the basic functions and/or operands in the rule parsing file in the feature database; the modification is convenient, the workload is small, and the packet parsing equipment does not need to be restarted. Moreover, because the operands of the basic functions point to concrete memory space, and that memory space is operated on when packet parsing is performed, the actual values of operands can be passed between different, related messages. The above feature database can therefore be used to effectively parse messages that change frequently and are related to one another.
Further, in the feature database of the above embodiment, the rule receiving module is also configured to trigger the loading module to operate if an updated feature database rule parsing file is received;
The loading module is also configured to load the updated feature database rule parsing file into the packet parsing equipment.
Embodiment ten
The embodiment of the present invention also provides a kind of packet parsing system, and this packet parsing system comprises the packet parsing equipment of above-described embodiment, and the feature database of above-described embodiment, and packet parsing equipment is connected with described feature database.
In the packet parsing system of the present embodiment, the idiographic flow implementing packet parsing is identical with the message parsing method of above-mentioned any embodiment, so place repeats no more.
According to the packet parsing system of above-described embodiment, packet parsing equipment receive feature storehouse rule parsing file, according to the character string identification of the basic function in feature database rule parsing file, and the operand character string of correspondence, basic function and operand are combined, dynamically determines packet parsing logic.Due to the function of basic function is peeled off mutually with operand, make when message changes due to reasons such as application software renewals, by in the rule parsing file in feature database, syntagmatic/the logic of basic function and/or operand carries out adjusting, amendment is convenient, workload is little, and without the need to restarting packet parsing equipment.And the operand due to basic function points to concrete memory headroom, when performing packet parsing, corresponding memory headroom is operated, so the actual value of operand can be transmitted between the different messages with relevance.Therefore, above-mentioned packet parsing system effectively can be resolved frequent variations, the message with relevance.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (11)

1. A message parsing method, characterized by comprising:
Receiving, by packet parsing equipment, a feature database rule parsing file, wherein the feature database rule parsing file comprises character string identifiers of at least two basic functions and corresponding operand character strings;
Generating, by the packet parsing equipment, according to the character string identifiers of the at least two basic functions and the corresponding operand character strings, a function chain comprising the at least two basic functions;
Parsing, by the packet parsing equipment, a message by executing the function chain, wherein the packet parsing equipment, when executing the function chain, operates on the memory space to which the operands of the basic functions point;
Wherein the generating, by the packet parsing equipment, according to the character string identifiers of the at least two basic functions and the corresponding operand character strings, of the function chain comprising the at least two basic functions specifically comprises:
Generating, by the packet parsing equipment, according to the operand character strings, a basic operand structure corresponding to each operand, and determining the memory space to which the operand points, wherein the basic operand structure comprises a data type and an operand name;
Encapsulating the basic operand structures according to the parameter list of the basic function corresponding to the character string identifier, to generate a function operand list structure used to associate the basic function with the memory space to which the operands point;
Generating the function chain according to the order of the character string identifiers of the at least two basic functions in the feature database rule parsing file and the function operand list structure corresponding to each basic function.
2. The message parsing method according to claim 1, characterized in that determining the memory space to which the operand points specifically comprises:
Determining, according to the data type of the operand, the memory space pre-allocated for that data type in the packet parsing equipment;
Allocating, from the memory space pre-allocated for the data type, corresponding memory space for the operand, and establishing a mapping between the operand name and the memory space allocated for the operand.
3. message parsing method according to claim 1 and 2, it is characterized in that, described basic function comprises the function for carrying out computing to message payload content, and/or for the function to message payload content format input and output, and/or for the function of interface operation, and/or for the algorithmic function decompressed to message or decipher, and/or the function of recorded message payload content, and/or for controlling the function of actuating logic.
4. A message parsing method, characterized by comprising:
Loading a syntax definition provided by packet parsing equipment, wherein the syntax definition comprises the basic functions and data types defined in the packet parsing equipment; the basic functions comprise a function for performing operations on message payload content, and/or a function for formatted input and output of message payload content, and/or a function for interface operations, and/or an algorithm function for decompressing or decrypting a message, and/or a function for recording message payload content, and/or a function for controlling execution logic;
Receiving a feature database rule parsing file written by a user according to the syntax definition;
Loading the feature database rule parsing file onto the packet parsing equipment, so that the packet parsing equipment generates, according to the feature database rule parsing file, a function chain comprising the at least two basic functions, and parses a message by executing the function chain, wherein the packet parsing equipment, when executing the function chain, operates on the memory space to which the operands of the basic functions point.
5. The message parsing method according to claim 4, characterized by further comprising:
If the feature database receives an updated feature database rule parsing file, loading the updated feature database rule parsing file onto the packet parsing equipment.
6. Packet parsing equipment, characterized by comprising:
A receiving module, configured to receive a feature database rule parsing file, wherein the feature database rule parsing file comprises character string identifiers of at least two basic functions and corresponding operand character strings;
A rule parsing module, configured to generate, according to the character string identifiers of the at least two basic functions and the corresponding operand character strings, a function chain comprising the at least two basic functions;
A packet parsing module, configured to parse a message by executing the function chain, wherein the packet parsing equipment, when executing the function chain, operates on the memory space to which the operands of the basic functions point;
The rule parsing module is configured to:
Generate, according to the operand character strings, a basic operand structure corresponding to each operand, and determine the memory space to which the operand points, wherein the basic operand structure comprises a data type and an operand name;
Encapsulate the basic operand structures according to the parameter list of the basic function corresponding to the character string identifier, to generate a function operand list structure used to associate the basic function with the memory space to which the operands point;
Generate the function chain according to the order of the character string identifiers of the at least two basic functions in the feature database rule parsing file and the function operand list structure corresponding to each basic function.
7. The packet parsing equipment according to claim 6, characterized in that the rule parsing module is further configured to:
Determine, according to the data type of the operand, the memory space pre-allocated for that data type in the packet parsing equipment;
Allocate, from the memory space pre-allocated for the data type, corresponding memory space for the operand, and establish a mapping between the operand name and the memory space allocated for the operand.
8. The packet parsing equipment according to claim 6 or 7, characterized in that the basic functions comprise a function for performing operations on message payload content, and/or a function for formatted input and output of message payload content, and/or a function for interface operations, and/or an algorithm function for decompressing or decrypting a message, and/or a function for recording message payload content, and/or a function for controlling execution logic.
9. A computer, characterized by comprising:
A syntax definition loading module, configured to load a syntax definition provided by packet parsing equipment, wherein the syntax definition comprises the basic functions and data types defined in the packet parsing equipment; the basic functions comprise a function for performing operations on message payload content, and/or a function for formatted input and output of message payload content, and/or a function for interface operations, and/or an algorithm function for decompressing or decrypting a message, and/or a function for recording message payload content, and/or a function for controlling execution logic;
A rule receiving module, configured to receive a feature database rule parsing file written by a user according to the syntax definition;
A loading module, configured to load the feature database rule parsing file onto the packet parsing equipment, so that the packet parsing equipment generates, according to the feature database rule parsing file, a function chain comprising the at least two basic functions, and parses a message by executing the function chain, wherein the packet parsing equipment, when executing the function chain, operates on the memory space to which the operands of the basic functions point.
10. The computer according to claim 9, wherein the rule receiving module is further configured to trigger the loading module to operate when it receives an updated feature database rule parsing file;
The loading module is further configured to load the updated feature database rule parsing file onto the packet parsing equipment.
11. A packet parsing system, characterized by comprising the packet parsing equipment according to any one of claims 6 to 8 and the computer according to claim 9 or 10, wherein the packet parsing equipment is connected to the computer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210458111.8A CN102932474B (en) 2012-11-14 2012-11-14 Method, device and system for analyzing message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210458111.8A CN102932474B (en) 2012-11-14 2012-11-14 Method, device and system for analyzing message

Publications (2)

Publication Number Publication Date
CN102932474A (en) 2013-02-13
CN102932474B (en) 2015-06-17

Family

ID=47647170

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210458111.8A Active CN102932474B (en) 2012-11-14 2012-11-14 Method, device and system for analyzing message

Country Status (1)

Country Link
CN (1) CN102932474B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103886087B (en) * 2014-03-28 2018-10-12 上海斐讯数据通信技术有限公司 The calculation process and file verification method of MD5
CN109145014A (en) * 2017-06-15 2019-01-04 北京京东尚科信息技术有限公司 The method and apparatus for generating elastic searching request
CN110162413B (en) * 2018-02-12 2021-06-04 华为技术有限公司 Event-driven method and device
CN110782512A (en) * 2019-10-10 2020-02-11 成都四方伟业软件股份有限公司 3D model redrawing method and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1317868C (en) * 2002-05-28 2007-05-23 中兴通讯股份有限公司 Communication message treatment equipment based on class template like management apparatus and method
WO2005082102A2 (en) * 2004-02-26 2005-09-09 Datapower Technology, Inc. Method and apparatus of streaming data transformation using code generator and translator
CN100440809C (en) * 2006-11-13 2008-12-03 杭州华三通信技术有限公司 Method and device for service configuration of network equipment
CN101202742B (en) * 2006-12-13 2011-10-26 中兴通讯股份有限公司 Method and system for preventing refusal service attack

Also Published As

Publication number Publication date
CN102932474A (en) 2013-02-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant