CN105162656B - An NTP server detection method based on a LAN - Google Patents

Publication number: CN105162656B
Authority: CN (China)
Application number: CN201510532117.9A
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN105162656A (en)
Inventors: 张静, 王吉
Current assignee: CETC 2 Research Institute
Original assignee: CETC 2 Research Institute
Landscapes: Small-Scale Networks (AREA); Data Exchanges In Wide-Area Networks (AREA)
Abstract

The present invention relates to the field of obtaining the IP addresses of NTP servers in a LAN, and in particular to an NTP server detection method based on a LAN. In view of the problems of the prior art, the invention proposes a LAN-based NTP server detection method that can accurately obtain NTP server IP address information. The method constructs an NTP request packet and sends the constructed packet to all hosts by broadcast; after all hosts return data to the detection module through the data acquisition module, the filtering module filters the data returned by the acquisition module, and finally the protocol analysis module analyzes it to obtain the NTP server IP address information.

Description

An NTP server detection method based on a LAN
Technical field
The present invention relates to the field of obtaining the IP addresses of NTP servers in a LAN, and in particular to an NTP server detection method based on a LAN.
Background art
At present there is no explicit research on LAN-based methods for discovering NTP servers. The available existing method is port scanning: for every target host in the LAN, a range of ports or a specified port is scanned one host at a time, the type of application service offered by a given computer is obtained from the scan result, and the NTP servers in the LAN are discovered in this way. The principle of port scanning is that the detection host requests a connection to a port on the target host by sending a request packet. If the target host provides the service, it replies with a response packet; if it does not provide the service, then after receiving the packet sent by the detection host it discards the packet and sends no response. The application services a target host provides can therefore be discovered by checking its response packets. To discover the NTP servers in a LAN by this principle, one must know the port number that corresponds to the NTP service and port-scan every target host in the LAN. If an application service on some other host in the LAN occupies the port number that corresponds to the NTP service, the detection host cannot accurately identify the hosts in the LAN that provide the NTP service.
Summary of the invention
The technical problem to be solved by the present invention is as follows: having analyzed and studied the existing method of discovering NTP servers in a LAN by port scanning, and in view of that method's shortcomings in accuracy and precision, the invention proposes a LAN-based NTP server detection method that can accurately obtain NTP server IP address information.
The technical solution adopted by the present invention is as follows:
An NTP server detection method based on a LAN comprises:
Step 1: The detection module constructs an NTP request packet according to the TCP/IP protocol suite;
Step 2: The detection module sends the constructed NTP request packet to all hosts by broadcast, and all hosts return data to the detection module through the data acquisition module;
Step 3: After the filtering module filters the data returned by the acquisition module, the data is sent to the protocol analysis module for analysis, so that the NTP servers in the LAN are detected and the NTP server IP address information is obtained.
Further, step 1 specifically comprises:
Step 11: The detection module captures the packets exchanged during multiple NTP server data interactions and, following the TCP/IP protocol suite, performs protocol analysis layer by layer on the content of the NTP exchange packets to determine the data format of the NTP exchange packets;
Step 12: Following the TCP/IP protocol suite, the detection module fills in the corresponding protocol fields for the data format of the NTP request packet at the data link layer, thereby constructing the NTP request packet.
Further, the filtering module filters the data returned by the acquisition module in step 3 as follows: the filtering module uses the Berkeley Packet Filter (BPF) to set filtering rules on protocol type and five-tuple information.
Further, the protocol analysis module performs its analysis in step 3 as follows: the design idea of protocol analysis is to follow the TCP/IP reference model, identify the network protocol type layer by layer from the protocol identifiers, and perform low-level protocol analysis on the captured network packets according to the corresponding protocol format. Based on the encapsulation and demultiplexing principle of TCP/IP protocol suite packets, the protocol analysis module, after receiving the network packets captured by the acquisition module, performs a protocol analysis and identification operation on each packet. Following the protocol stack model, protocol analysis proceeds from the lower layers to the upper layers, removing the header and trailer information of each protocol layer along the way. When each protocol layer is parsed, the protocol identifier in its header information is checked to determine the upper-layer protocol that receives the data, and the NTP server IP address information is obtained.
In summary, by adopting the above technical solution, the beneficial effects of the invention are:
The LAN NTP server discovery method proposed by the invention overcomes the limitation of obtaining application server information by port scanning. Constructing and sending NTP request packets provides a richer data source for obtaining server information, and analyzing the details of the NTP response packets ultimately yields more comprehensive NTP server information.
Brief description of the drawings
The invention is described by way of example with reference to the accompanying drawing, in which:
Fig. 1 is a flow chart of the present invention.
Detailed description of the embodiments
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any manner, except for mutually exclusive features and/or steps.
Any feature disclosed in this specification (including any accompanying claims, abstract and drawings) may, unless specifically stated otherwise, be replaced by other alternative features that are equivalent or serve a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
Notes relating to this patent:
1. A broadcast network has only one communication channel, which all hosts on the network share. A packet that any host sends over the channel can be received by all other hosts. In normal packet transmission, each packet carries an address field that specifies the intended recipient. When a host receives a packet it reads the address field: if the address is its own, it accepts and processes the packet; if the packet is addressed to another host, it ignores the packet. A broadcast system also allows a packet to be sent to all hosts in the network, which is done by using a special address code in the address field: the MAC address is all ones, and the IP address is the network number plus an all-ones host number. If a packet to be sent carries such an address code, every host in the network receives and processes it; this sending mode is called broadcast. The purpose of NTP server discovery is to obtain information about the NTP servers in the LAN. While that information is still unknown, the destination address cannot be filled in accurately, so point-to-point sending cannot be used. The constructed NTP request packet can only be sent as a broadcast, which ensures that every host in the LAN receives and processes it. The response of each target host is then monitored and examined; the target hosts that provide the NTP service generate a corresponding response packet.
2. The filtering module uses the Berkeley Packet Filter (BPF) to set filtering rules on protocol type and five-tuple information.
3. The filtering module filters the data returned by the acquisition module as follows: the filtering module uses the Berkeley Packet Filter (BPF) to set filtering rules on protocol type and five-tuple information. Concretely, the filter is a Boolean-valued function over the packet information: if the function returns True, the packet passes the filter and is stored; otherwise it is discarded. A filtering rule is a string in which primitives are joined by conjunctions such as "and", "or" or "not"; a primitive consists of an identifier and the qualifiers of that identifier. There are three kinds of qualifier: type, direction and protocol. The type qualifier gives the type of the identifier and is one of host, net and port: host means a host, net means a network, and port means a port. The direction qualifier specifies the transmission direction of the data and is one of src, dst, src or dst, and src and dst. src denotes the source address, that is, the host that sent the packet; dst denotes the destination address, that is, the host that receives the packet; src or dst means either direction; src and dst means that both the source address and the destination address must match. The protocol qualifier gives the protocol on which the packet transmission is based, mainly ip, arp, tcp, udp and icmp, each denoting the corresponding protocol. In this patent, in order to obtain the NTP server IP address information more accurately, the filtering rule is designed according to the above standard: host is set to the detection host, port is set to the NTP port number, dst is set to the IP address of the detection host, and the protocol qualifier is set to udp. These qualifiers are joined by the conjunction "and" to form the filtering rule of this patent.
As shown in the figure, the NTP server discovery method proposed in this patent first constructs an NTP request packet, then broadcasts it to all hosts inside the LAN, captures the reply packets of each host, analyzes the packet contents, and finally identifies the NTP servers in the LAN.
The present invention includes:
(1) NTP request packet construction
NTP exchanges are simulated by triggering time synchronization requests inside the LAN, and the data acquisition module captures a large number of NTP exchange packets. Using the protocol analysis module and following the TCP/IP protocol suite, protocol analysis is performed layer by layer on the content of the NTP request packets to determine their data format, so that NTP request packets can be constructed at the data link layer. First, the detection host initializes the network, opens its network interface, and allocates storage for the NTP request packet to be constructed. It then fills in the corresponding protocol fields for the NTP request packet data format according to the TCP/IP protocol suite to construct a valid NTP request packet. Finally, the constructed NTP request packet is sent onto the network.
(2) Broadcast network transmission
A broadcast network has only one communication channel, which all hosts on the network share. A packet that any host sends over the channel can be received by all other hosts. In normal packet transmission, each packet carries an address field that specifies the intended recipient. When a host receives a packet it reads the address field: if the address is its own, it accepts and processes the packet; if the packet is addressed to another host, it ignores the packet. A broadcast system also allows a packet to be sent to all hosts in the network, which is done by using a special address code in the address field: the MAC address is all ones, and the IP address is the network number plus an all-ones host number. If a packet to be sent carries such an address code, every host in the network receives and processes it; this sending mode is called broadcast. The purpose of NTP server discovery is to obtain information about the NTP servers in the LAN. While that information is still unknown, the destination address cannot be filled in accurately, so point-to-point sending cannot be used. The constructed NTP request packet can only be sent as a broadcast, which ensures that every host in the LAN receives and processes it. The response of each target host is then monitored and examined; the target hosts that provide the NTP service generate a corresponding response packet.
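The request described in (1) and (2), built field by field, is shown here as an added example that is not part of the patent. The detection host's MAC address, IP address and subnet are constructed values, and the use of NTP version 4 with source port 123 is an assumption.

```python
import ipaddress
import socket
import struct

NTP_PORT = 123                      # well-known NTP UDP port
BROADCAST_MAC = b"\xff" * 6         # MAC address of all ones

def directed_broadcast(cidr: str) -> str:
    """Network number plus an all-ones host number."""
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address)

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by the IPv4 header (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ntp_client_payload(version: int = 4) -> bytes:
    """48-byte NTP header: LI=0, VN=version, Mode=3 (client), other fields zero."""
    if not 1 <= version <= 4:
        raise ValueError("NTP version must be 1..4")
    return bytes([(version << 3) | 3]) + bytes(47)

def build_ntp_request_frame(src_mac: bytes, src_ip: str, cidr: str) -> bytes:
    """Ethernet + IPv4 + UDP + NTP request addressed to the LAN broadcast address."""
    if len(src_mac) != 6:
        raise ValueError("src_mac must be 6 bytes")
    ntp = ntp_client_payload()
    # UDP header: source port, destination port, length, checksum
    # (0 means "not computed", which IPv4 permits).
    udp = struct.pack("!HHHH", NTP_PORT, NTP_PORT, 8 + len(ntp), 0) + ntp

    def ip_header(checksum: int) -> bytes:
        return struct.pack(
            "!BBHHHBBH4s4s",
            0x45, 0, 20 + len(udp),             # version 4 / IHL 5, DSCP, total length
            0, 0,                               # identification, flags + fragment offset
            64, socket.IPPROTO_UDP, checksum,   # TTL, protocol 17, header checksum
            socket.inet_aton(src_ip),
            socket.inet_aton(directed_broadcast(cidr)),
        )

    # Compute the checksum over the header with a zero checksum field, then refill.
    ip = ip_header(inet_checksum(ip_header(0)))
    eth = BROADCAST_MAC + src_mac + struct.pack("!H", 0x0800)  # EtherType IPv4
    return eth + ip + udp

# Constructed values: the detection host's MAC, IP and subnet are assumptions.
FRAME = build_ntp_request_frame(
    bytes.fromhex("020000000010"), "192.168.1.10", "192.168.1.0/24")
```

The block only builds the bytes; putting them on the wire needs a link-layer socket (for example AF_PACKET on Linux) and the privileges that go with it.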
(3) NTP response packet capture and analysis
Capturing NTP response packets first requires using the data acquisition module to capture all data on the entire network. Then a filtering module designed around the Berkeley Packet Filter (BPF) obtains the required network data by setting filtering rules on five-tuple information such as protocol type and IP address. Finally, the valid data processed by the filtering module is sent to the higher-level protocol analysis module for analysis, so that the NTP servers in the LAN are discovered and the required NTP server IP address information is obtained.
(4) The protocol analysis module performs its analysis as follows: the design idea of protocol analysis is to follow the TCP/IP reference model, identify the network protocol type layer by layer from the protocol identifiers, and perform low-level protocol analysis on the captured network packets according to the corresponding protocol format. Based on the encapsulation and demultiplexing principle of TCP/IP protocol suite packets, the protocol analysis module, after receiving the network packets captured by the acquisition module, performs a protocol analysis and identification operation on each packet. Following the protocol stack model, protocol analysis proceeds from the lower layers to the upper layers, removing the header and trailer information of each protocol layer along the way. When each protocol layer is parsed, the protocol identifier in its header information is checked to determine the upper-layer protocol that receives the data for further processing. Taking the Ethernet frame structure as an example: by the definition of the Ethernet frame structure, the 13th byte of the network packet identifies the network layer protocol type, the 10th byte of the IP packet identifies the transport layer protocol type, and the 3rd byte of the UDP packet identifies the application layer protocol port number. The protocol type is identified by reading these identifier fields, and each protocol type is then analyzed further to obtain its protocol content.
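The filtering rule from note 3 and the layer-by-layer analysis in (3) and (4) can be combined as follows. This is an added example, not code from the patent: the detection host address 192.168.1.10, the sample frames and the NTP mode check in `is_ntp_server_reply` are assumptions, while the two server addresses are the ones used in Embodiment 1.

```python
import socket
import struct

NTP_PORT = 123

def parse_frame(frame: bytes):
    """Bottom-up analysis: read each layer's protocol identifier, strip the header,
    move up. Returns the five-tuple and UDP payload, or None if not IPv4/UDP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # EtherType: frame bytes 13-14
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                             # IP header length in bytes
    if ihl < 20 or len(ip) < ihl + 8 or ip[9] != socket.IPPROTO_UDP:  # 10th IP byte
        return None
    udp = ip[ihl:]
    sport, dport, length = struct.unpack("!HHH", udp[:6])  # ports: UDP bytes 1-4
    return {"proto": "udp",
            "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": udp[8:max(length, 8)]}

def bpf_rule(detector_ip: str) -> str:
    """The rule described in the text, written as a pcap/BPF filter expression."""
    return f"udp and port {NTP_PORT} and dst host {detector_ip}"

def passes_filter(pkt: dict, detector_ip: str) -> bool:
    """Boolean predicate with the same meaning as bpf_rule(): True keeps the packet."""
    return (pkt["proto"] == "udp"
            and NTP_PORT in (pkt["sport"], pkt["dport"])
            and pkt["dst"] == detector_ip)

def is_ntp_server_reply(payload: bytes) -> bool:
    """Added check, not from the patent: 48-byte header, version 1-4, mode 4 (server)."""
    return (len(payload) >= 48 and payload[0] & 0x07 == 4
            and 1 <= (payload[0] >> 3) & 0x07 <= 4)

def detect_ntp_servers(frames, detector_ip: str):
    """Source IPs of frames that pass the filter and carry an NTP server reply."""
    servers = set()
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt and passes_filter(pkt, detector_ip) and is_ntp_server_reply(pkt["payload"]):
            servers.add(pkt["src"])
    return sorted(servers, key=socket.inet_aton)

def sample_frame(src, dst, sport, dport, payload):
    """Constructed test frame; MACs and checksums are zero, nothing here checks them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return bytes(12) + b"\x08\x00" + ip + udp + payload

DETECTOR_IP = "192.168.1.10"                 # assumed address of the detection host
REPLY = bytes([0x24]) + bytes(47)            # LI=0, VN=4, Mode=4 (server)
SAMPLE_FRAMES = [                            # constructed capture
    sample_frame("192.168.1.3", DETECTOR_IP, 123, 123, REPLY),
    sample_frame("192.168.1.30", DETECTOR_IP, 123, 123, REPLY),
    sample_frame("192.168.1.7", DETECTOR_IP, 123, 123, b"not-ntp"),  # other service on 123
    sample_frame(DETECTOR_IP, "192.168.1.255", 123, 123,
                 bytes([0x23]) + bytes(47)),                         # detector's own request
    sample_frame("192.168.1.8", DETECTOR_IP, 53, 40000, bytes(48)),  # unrelated UDP
]
```

The third sample frame is the case the background section raises: a different service answering from UDP port 123 passes the port-based rule and is only rejected once the payload is examined.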
Embodiment 1: A LAN test environment based on an NTP test-verification network topology was built. Eight mobile host terminals were set up in the test environment and, based on the network topology, two NTP servers were deployed with IP addresses 192.168.1.3 and 192.168.1.30. The LAN-based NTP server discovery method proposed in this patent was implemented and accurately obtained the NTP server information in the test-verification environment.
The invention is not limited to the foregoing specific embodiments. The invention extends to any new feature or any new combination disclosed in this specification, and to the steps of any new method or process, or any new combination, disclosed.

Claims (2)

1. An NTP server detection method based on a LAN, characterized by comprising:
Step 1: The detection module captures the packets exchanged during multiple NTP server data interactions and, following the TCP/IP protocol suite, performs protocol analysis layer by layer on the content of the NTP exchange packets to determine the data format of the NTP exchange packets; following the TCP/IP protocol suite, the detection module fills in the corresponding protocol fields for the data format of the NTP request packet at the data link layer, constructing the NTP request packet;
Step 2: The detection module sends the constructed NTP request packet to all hosts by broadcast; the data acquisition module captures the response packets returned by all hosts and returns them to the detection module;
Step 3: After the filtering module filters the data returned by the acquisition module, the data is sent to the protocol analysis module for analysis to obtain the NTP server IP address information; wherein the design idea of protocol analysis is to follow the TCP/IP reference model, identify the network protocol type layer by layer from the protocol identifiers, and perform low-level protocol analysis on the captured network packets according to the corresponding protocol format; based on the encapsulation and demultiplexing principle of TCP/IP protocol suite packets, the protocol analysis module, after receiving the network packets captured by the acquisition module, performs a protocol analysis and identification operation on each packet; following the protocol stack model, protocol analysis proceeds from the lower layers to the upper layers, removing the header and trailer information of each protocol layer along the way, and when each protocol layer is parsed the protocol identifier in its header information is checked to determine the upper-layer protocol that receives the data, and the NTP server IP address information is obtained.
2. The NTP server detection method based on a LAN according to claim 1, characterized in that the filtering module filters the data returned by the acquisition module in step 3 as follows: the filtering module uses the Berkeley Packet Filter to set filtering rules on protocol type and five-tuple information in order to filter the returned data.
Application number: CN201510532117.9A
Priority date: 2015-08-27
Filing date: 2015-08-27
Publications: CN105162656A (2015-12-16), CN105162656B (2018-08-21)
Family ID: 54803416
Country status: CN, CN105162656B (en), Active
