CN106911644A - A kind of message recombining method and equipment - Google Patents
A kind of message recombining method and equipment Download PDFInfo
- Publication number
- CN106911644A CN106911644A CN201510980136.8A CN201510980136A CN106911644A CN 106911644 A CN106911644 A CN 106911644A CN 201510980136 A CN201510980136 A CN 201510980136A CN 106911644 A CN106911644 A CN 106911644A
- Authority
- CN
- China
- Prior art keywords
- tcp
- message
- tcp message
- seq
- group
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/163—In-band adaptation of TCP data exchange; In-band control procedures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/90—Buffering arrangements
- H04L49/9057—Arrangements for supporting packet reassembly or resequencing
Abstract
The present embodiments relate to communication technical field, more particularly to a kind of message recombining method and equipment, the restructuring for realizing message by simple method.In the embodiment of the present invention, receive the corresponding TCP message of TCP sessions to be reorganized, and it is determined that during the corresponding all TCP message end of transmissions of TCP sessions to be reorganized, confirmation ACK according to each TCP session, all TCP messages in normal queue and out-of-sequence queue are recombinated, multigroup TCP message is obtained;Wherein, the ACK of all TCP messages in every group of TCP message is identical;And all TCP messages in every group of TCP message are arranged by the SEQ ascending orders of each TCP message.In this way, can be to be capable of achieving the restructuring to message only by the ACK and SEQ of TCP message, method is simply efficient.
Description
Technical field
The present embodiments relate to the communications field, more particularly to a kind of message recombining method and equipment.
Background technology
With increasing rapidly for network traffic, it usually needs the message to transmitting carries out statistical analysis, with
Just detection security threat and understanding user's request.Needed first to adopt before statistical analysis is carried out to the message for transmitting
Collect these messages.
Transmission control protocol (Transfer Control Protocol, abbreviation TCP) is that one kind is connection-oriented,
Transportation level communication protocol based on byte stream.TCP connections have asks and two corresponding directions of response, often
Individual TCP bags have sequence number (Sequence, abbreviation SEQ), confirm number (Acknowledgement,
Abbreviation ACK) and packet the parameter such as length (Length, abbreviation LEN).The number of single TCP bags
According to limited length, when the data of application layer are larger, several tcp data bags can be split as and sent,
So application layer is in the TCP bag datas that parsing is received, it is necessary to first recombinated the TCP bags of fractionation.
A kind of method of Packet reassembling is provided in the prior art, the source network agreement according to TCP fragment messages
(Internet Protocol, abbreviation IP), purpose IP and source port determine HTTP (HyperText
Transfer Protocol, abbreviation HTTP) TCP sessions belonging to message;Calculated according to hash function
The Hash key of TCP sessions, the TCP fragment messages of reception are linked to according to test serial number order
In the ltsh chain table of the TCP sessions of foundation;After whole TCP fragment messages of TCP sessions are received,
HTTP message restructuring is carried out according to the corresponding ltsh chain table of TCP sessions.It can be seen that, in the method, according to
The source IP of TCP fragment messages, purpose IP and source port determine the TCP sessions belonging to HTTP message, need
The Hash key of TCP sessions is calculated by hash function, method comparison is complicated, repeatedly calculates
Recombination efficiency is relatively low in the case of mass data.
To sum up, a kind of message recombining method is needed badly, the restructuring for realizing message by simple method.
The content of the invention
The embodiment of the present invention provides a kind of message recombining method, the weight for realizing message by simple method
Group.
The embodiment of the present invention provides a kind of TCP message recombination method, including:
Determine whether currently received transmission control protocol TCP message is TCP sessions to be reorganized, if so,
Then the sequence number SEQ according to currently received TCP message judges whether currently received TCP message is just
Chang Shunxu is reached;
If currently received TCP message is reached for normal sequence, current TCP message is put into normal team
Row;Otherwise, from all TCP in the SEQ and out-of-sequence queue of last TCP message of normal queue
The maximum SEQ of the SEQ of no more than current TCP message is determined in the SEQ of message, it is current by being not more than
The corresponding TCP messages of maximum SEQ of the SEQ of TCP message are defined as currently received TCP message
A upper TCP message;
Deduplication operation is carried out to current TCP message according to a upper TCP message, and according to a upper TCP
Message, it is determined that whether current TCP message is put into normal queue or out-of-sequence queue;
It is determined that during the corresponding all TCP message end of transmissions of TCP sessions to be reorganized, according to each TCP
The confirmation ACK of session, all TCP messages in normal queue and out-of-sequence queue are recombinated, and are obtained
To multigroup TCP message;Wherein, the ACK of all TCP messages in every group of TCP message is identical;And
All TCP messages in every group of TCP message are arranged by the SEQ ascending orders of each TCP message.
Optionally it is determined that whether currently received TCP message is TCP sessions to be reorganized, specifically include:
It is pre-configured with the corresponding procotol IP of TCP sessions to be reorganized and port;
If it is determined that the source IP and source port of the TCP message for receiving are the corresponding IP of TCP sessions to be reorganized
And port, or determine that the Target IP of TCP message that receives and target port are TCP sessions to be reorganized
Corresponding IP and port, it is determined that receive TCP message for TCP sessions to be reorganized;
Otherwise, it is determined that it is not TCP sessions to be reorganized to receive TCP message.
Alternatively, determine the current TCP message for receiving for normal sequence is reached in the following manner:
The SEQ of the current TCP message for receiving is equal to the SEQ of last TCP message of normal queue
With the length LEN sum of last TCP message of normal queue.
Alternatively, deduplication operation is carried out to current TCP message according to a upper TCP message, and according to upper
One TCP message, it is determined that whether current TCP message is put into normal queue or out-of-sequence queue, specifically includes:
If the SEQ of current TCP message is equal to the SEQ of a upper TCP message, and current TCP message
LEN be not more than a LEN for TCP message, then:
All the elements of current TCP message are defined as duplicate contents, and current TCP message is abandoned.
Alternatively, deduplication operation is carried out to current TCP message according to a upper TCP message, and according to upper
One TCP message, it is determined that whether current TCP message is put into normal queue or out-of-sequence queue, specifically includes:
If the SEQs of the SEQ more than a upper TCP message of current TCP message, current TCP message
SEQ less than a upper TCP message SEQ and LEN sum, and the SEQ of current TCP message and
SEQ and LEN sum of the LEN sums more than a upper TCP message;Then:
Using the preceding M byte in current TCP message as duplicate contents, and will from current TCP message
Duplicate contents are deleted;Wherein, M is subtracted currently equal to SEQ and the LEN sum of a upper TCP message
Difference obtained by the SEQ of TCP message;
The SEQ of current TCP message is reset, the SEQ of the current TCP message after replacement is equal to upper one
SEQ and the LEN sum of TCP message;
If a upper TCP message is located at normal queue, current TCP message is put into normal queue;If
A upper TCP message is located at out-of-sequence queue, then current TCP message is put into out-of-sequence queue.
Alternatively, deduplication operation is carried out to current TCP message according to a upper TCP message, and according to upper
One TCP message, it is determined that whether current TCP message is put into normal queue or out-of-sequence queue, specifically includes:
If it is determined that when the SEQ of current TCP message is more than SEQ and the LEN sum of a upper TCP message,
It is determined that current TCP message does not have duplicate contents with a upper TCP message, current TCP message is put into mistake
Sequence queue;And/or
If it is determined that when the SEQ of current TCP message is equal to SEQ and the LEN sum of a upper TCP message,
Then determine that current TCP message does not have duplicate contents with a upper TCP message, if upper TCP message position
In normal queue, then current TCP message is put into normal queue;If a upper TCP message is located at out-of-sequence
Queue, then be put into out-of-sequence queue by current TCP message.
Optionally it is determined that the corresponding all TCP messages of TCP sessions to be reorganized end of transmission, specifically
Including:
When being 1 for FIN of current TCP message, the corresponding all TCP of TCP sessions to be reorganized are determined
Message end of transmission.
Alternatively, according to the ACK of each TCP session, by all TCP in normal queue and out-of-sequence queue
Message is recombinated, and is obtained after multigroup TCP message, is also included:
For one group of TCP message in multigroup TCP message, if one group of Target IP and mesh of TCP message
Mark port is identical with the corresponding IP of TCP sessions to be reorganized being pre-configured with and port, it is determined that one group of TCP
Message is request message group;If the source IP and source port and the TCP to be reorganized being pre-configured with of one group of TCP message
Corresponding IP is identical with port for session, it is determined that one group of TCP message is response message group;
For multigroup TCP message, the request message group and response message group in multigroup TCP message are carried out
Matching, obtains the request message group and response message group of at least one pair of matching;A pair of the request reports for wherein matching
Text group and response message group meet matching condition, and matching condition is:The ACK of request message group is equal to response
First SEQ of TCP message of message group, and last TCP message in request message group SEQ
With the ACK that LEN sums are equal to response message group.
Alternatively, for multigroup TCP message, the request message group in multigroup TCP message and response are reported
Literary group is matched, and is obtained after the request message group and response message group of at least one pair of matching, is also included:
For each pair request message group and sound in request message group and response message group that at least one pair of is matched
Message group is answered, is performed:
Request message group and response message group are parsed respectively, request shape is parsed from request message group
State row, request header and request content, parsed from response message group responsive state row, head response and
Response contents;
The corresponding business of request message is matched according to solicited status row, request header and request content, according to
Responsive state row, head response and response contents determine the implementing result of business.
The embodiment of the present invention provides a kind of TCP message reconstitution device, including:
Determining unit, for determining whether currently received transmission control protocol TCP message is to be reorganized
TCP sessions, if so, then the sequence number SEQ according to currently received TCP message judges currently received
Whether TCP message is that normal sequence is reached;If currently received TCP message is reached for normal sequence,
Current TCP message is put into normal queue;Otherwise, from the SEQ of last TCP message of normal queue
With the SEQ that no more than current TCP message is determined in the SEQ of all TCP messages in out-of-sequence queue
Maximum SEQ, the corresponding TCP messages of maximum SEQ of the SEQ of no more than current TCP message is true
It is set to a upper TCP message of currently received TCP message;
Processing unit, for carrying out deduplication operation to current TCP message according to a upper TCP message, and
According to a upper TCP message, it is determined that whether current TCP message is put into normal queue or out-of-sequence queue;
Recomposition unit, for it is determined that during the corresponding all TCP message end of transmissions of TCP sessions to be reorganized,
Confirmation ACK according to each TCP session, by all TCP messages in normal queue and out-of-sequence queue
Recombinated, obtained multigroup TCP message;Wherein, all TCP messages in every group of TCP message
ACK is identical;And all TCP messages in every group of TCP message are by the SEQ ascending orders of each TCP message
Arrangement.
Optionally it is determined that unit, specifically for:It is pre-configured with the corresponding network association of TCP sessions to be reorganized
View IP and port;
If it is determined that the source IP and source port of the TCP message for receiving are the corresponding IP of TCP sessions to be reorganized
And port, or determine that the Target IP of TCP message that receives and target port are TCP sessions to be reorganized
Corresponding IP and port, it is determined that receive TCP message for TCP sessions to be reorganized;
Otherwise, it is determined that it is not TCP sessions to be reorganized to receive TCP message.
Alternatively, determine the current TCP message for receiving for normal sequence is reached in the following manner:
The SEQ of the current TCP message for receiving is equal to the SEQ of last TCP message of normal queue
With the length LEN sum of last TCP message of normal queue.
Alternatively, processing unit, specifically for:
If the SEQ of current TCP message is equal to the SEQ of a upper TCP message, and current TCP message
LEN be not more than a LEN for TCP message, then:
All the elements of current TCP message are defined as duplicate contents, and current TCP message is abandoned.
Alternatively, processing unit, specifically for:
If the SEQs of the SEQ more than a upper TCP message of current TCP message, current TCP message
SEQ less than a upper TCP message SEQ and LEN sum, and the SEQ of current TCP message and
SEQ and LEN sum of the LEN sums more than a upper TCP message;Then:
Using the preceding M byte in current TCP message as duplicate contents, and will from current TCP message
Duplicate contents are deleted;Wherein, M is subtracted currently equal to SEQ and the LEN sum of a upper TCP message
Difference obtained by the SEQ of TCP message;
The SEQ of current TCP message is reset, the SEQ of the current TCP message after replacement is equal to upper one
SEQ and the LEN sum of TCP message;
If a upper TCP message is located at normal queue, current TCP message is put into normal queue;If
A upper TCP message is located at out-of-sequence queue, then current TCP message is put into out-of-sequence queue.
Alternatively, processing unit, specifically for:
If it is determined that when the SEQ of current TCP message is more than SEQ and the LEN sum of a upper TCP message,
It is determined that current TCP message does not have duplicate contents with a upper TCP message, current TCP message is put into mistake
Sequence queue;And/or
If it is determined that when the SEQ of current TCP message is equal to SEQ and the LEN sum of a upper TCP message,
Then determine that current TCP message does not have duplicate contents with a upper TCP message, if upper TCP message position
In normal queue, then current TCP message is put into normal queue;If a upper TCP message is located at out-of-sequence
Queue, then be put into out-of-sequence queue by current TCP message.
Alternatively, recomposition unit, specifically for:
When being 1 for FIN of current TCP message, the corresponding all TCP of TCP sessions to be reorganized are determined
Message end of transmission.
Alternatively, also including reduction unit, it is used for:
In the ACK according to each TCP session, by all TCP messages in normal queue and out-of-sequence queue
Recombinated, after obtaining multigroup TCP message, for one group of TCP message in multigroup TCP message,
If one group of Target IP and target port of TCP message IP corresponding with the TCP sessions to be reorganized being pre-configured with
It is identical with port, it is determined that one group of TCP message is request message group;If one group of source IP of TCP message and
Source port is identical with the corresponding IP of TCP sessions to be reorganized being pre-configured with and port, it is determined that one group of TCP
Message is response message group;
For multigroup TCP message, the request message group and response message group in multigroup TCP message are carried out
Matching, obtains the request message group and response message group of at least one pair of matching;A pair of the request reports for wherein matching
Text group and response message group meet matching condition, and matching condition is:The ACK of request message group is equal to response
First SEQ of TCP message of message group, and last TCP message in request message group SEQ
With the ACK that LEN sums are equal to response message group.
Alternatively, reduction unit, is additionally operable to:
For each pair request message group and sound in request message group and response message group that at least one pair of is matched
Message group is answered, is performed:
Request message group and response message group are parsed respectively, request shape is parsed from request message group
State row, request header and request content, parsed from response message group responsive state row, head response and
Response contents;
The corresponding business of request message is matched according to solicited status row, request header and request content, according to
Responsive state row, head response and response contents determine the implementing result of business.
In the embodiment of the present invention, determine whether currently received transmission control protocol TCP message is to be reorganized
TCP sessions, if so, then the SEQ according to currently received TCP message judges currently received TCP
Whether message is that normal sequence is reached;If currently received TCP message is reached for normal sequence, ought
Preceding TCP message is put into normal queue;Otherwise, from the SEQ of last TCP message of normal queue and
Determine the SEQ's of no more than current TCP message in the SEQ of all TCP messages in out-of-sequence queue
Maximum SEQ, the corresponding TCP messages of the maximum SEQ of the SEQ of no more than current TCP message are determined
It is a upper TCP message of currently received TCP message;According to a upper TCP message to current TCP
Message carries out deduplication operation, and according to a upper TCP message, it is determined that whether current TCP message is put into just
Normal queue or out-of-sequence queue;It is determined that during the corresponding all TCP message end of transmissions of TCP sessions to be reorganized,
Confirmation ACK according to each TCP session, by all TCP messages in normal queue and out-of-sequence queue
Recombinated, obtained multigroup TCP message;Wherein, all TCP messages in every group of TCP message
ACK is identical;And all TCP messages in every group of TCP message are by the SEQ ascending orders of each TCP message
Arrangement.Due to carrying out deduplication operation to current TCP message according to a upper TCP message, therefore will can work as
Deleted with the content that repeats in a upper TCP message in preceding TCP message, it is to avoid because message is repeated
The problem that caused message is overlapped;Further, due to it is determined that TCP sessions to be reorganized are corresponding all
During TCP message end of transmission, the confirmation ACK according to each TCP session, by normal queue and out-of-sequence
All TCP messages in queue are recombinated, and obtain multigroup TCP message, in this way, TCP can only be passed through
The ACK and SEQ of message are to be capable of achieving the restructuring to message, and method is simply efficient.
Brief description of the drawings
Technical scheme in order to illustrate more clearly the embodiments of the present invention, institute in being described to embodiment below
The accompanying drawing for needing to use is briefly introduced, it should be apparent that, drawings in the following description are only of the invention
Some embodiments, for one of ordinary skill in the art, on the premise of not paying creative work,
Other accompanying drawings can also be obtained according to these accompanying drawings.
Fig. 1 is a kind of SNA schematic diagram that the embodiment of the present invention is applicable;
Fig. 2 is a kind of method flow schematic diagram of Packet reassembling provided in an embodiment of the present invention;
Fig. 3 is a kind of structural representation of the equipment of Packet reassembling provided in an embodiment of the present invention.
Specific embodiment
In order that the purpose of the present invention, technical scheme and beneficial effect become more apparent, below in conjunction with accompanying drawing
And embodiment, the present invention will be described in further detail.It should be appreciated that specific implementation described herein
Example is only used to explain the present invention, is not intended to limit the present invention.
Fig. 1 illustrates a kind of applicable system architecture schematic diagram of the embodiment of the present invention, as shown in figure 1,
The system architecture includes terminal 101 and terminal 102, and interchanger is passed through between terminal 101 and terminal 102
103 mutually send message, and data acquisition equipment 104, data acquisition equipment 104 are also included in the system architecture
It is connected on interchanger 103, for the message sent between acquisition terminal 101 and terminal 102.
The flow that Fig. 2 illustrates a kind of TCP message recombination method provided in an embodiment of the present invention is shown
It is intended to.
Based on the system architecture shown in Fig. 1, as shown in Fig. 2 a kind of TCP provided in an embodiment of the present invention
Message recombining method, including:
Step 201, determines whether currently received transmission control protocol TCP message is TCP to be reorganized
Session, if so, then the sequence number SEQ according to currently received TCP message judges currently received TCP
Whether message is that normal sequence is reached;
Step 202, if currently received TCP message is reached for normal sequence, by current TCP message
It is put into normal queue;Otherwise, from the SEQ and out-of-sequence queue of last TCP message of normal queue
All TCP messages SEQ in determine no more than current TCP message SEQ maximum SEQ,
The corresponding TCP messages of maximum SEQ of the SEQ of no more than current TCP message are defined as current reception
TCP message a upper TCP message;
Step 203, deduplication operation is carried out to current TCP message according to a upper TCP message, and according to
A upper TCP message, it is determined that whether current TCP message is put into normal queue or out-of-sequence queue;
Step 204, it is determined that during the corresponding all TCP message end of transmissions of TCP sessions to be reorganized, root
According to the confirmation ACK of each TCP session, all TCP messages in normal queue and out-of-sequence queue are entered
Row restructuring, obtains multigroup TCP message;Wherein, the ACK of all TCP messages in every group of TCP message
It is identical;And all TCP messages in every group of TCP message are arranged by the SEQ ascending orders of each TCP message.
Due to carrying out deduplication operation to current TCP message according to a upper TCP message, therefore can currently
Deleted with the content that repeats in a upper TCP message in TCP message, it is to avoid because message repeats institute
The problem of the Packet reassembling failure for causing;Further, by it is determined that the corresponding institute of TCP sessions to be reorganized
When having TCP message end of transmission, the confirmation ACK according to each TCP session, by normal queue and mistake
All TCP messages in sequence queue are recombinated, and obtain multigroup TCP message, in this way, TCP can only be passed through
The ACK and SEQ of message are to be capable of achieving the restructuring to message, and method is simply efficient.
Alternatively, in above-mentioned steps 201, determine whether currently received TCP message is TCP to be reorganized
Session, specifically includes:
It is pre-configured with the corresponding IP of TCP sessions to be reorganized and port;
If it is determined that the source IP and source port of the TCP message for receiving are the corresponding IP of TCP sessions to be reorganized
And port, or determine that the Target IP of TCP message that receives and target port are TCP sessions to be reorganized
Corresponding IP and port, it is determined that receive TCP message for TCP sessions to be reorganized;Otherwise, it is determined that
It is not TCP sessions to be reorganized to receive TCP message.
Specifically, a message is received, first the agreement of the bottom-layer network packet header according to the message
Number judge whether the message is TCP message, if so, then determining whether whether the message is TCP to be reorganized
The corresponding message of session;If the message is not TCP message, the message for receiving is abandoned.
Further according to the corresponding procotol IP of default TCP sessions to be reorganized and port, it is determined that receiving
To message whether be the corresponding message of TCP sessions to be reorganized.For example, such as it is default to be reorganized
The corresponding IP of TCP sessions and port are IP and the port of the target terminal of TCP sessions to be reorganized, then:
If the source IP and source port of the TCP message for receiving be the corresponding IP of TCP sessions to be reorganized and
Port, then the TCP message for receiving is the response message in TCP sessions to be reorganized;If it is determined that connecing
The Target IP and target port of the TCP message for receiving be the corresponding IP of TCP sessions to be reorganized and port,
Then the TCP message for receiving is the request message in TCP sessions to be reorganized.In TCP sessions to be reorganized
Including request message and response message.
Alternatively, in above-mentioned steps 202, determine that the current TCP message for receiving is in the following manner
Normal sequence is reached:The SEQ of the current TCP message for receiving is equal to last TCP of normal queue
The LEN sums of the SEQ of message and last TCP message of normal queue.
In above-mentioned steps 202, from the SEQ and out-of-sequence queue of last TCP message of normal queue
All TCP messages SEQ in determine no more than current TCP message SEQ maximum SEQ,
The corresponding TCP messages of maximum SEQ of the SEQ of no more than current TCP message are defined as current reception
TCP message a upper TCP message, specifically, first reported from last TCP of normal queue
Determine that SEQ is not more than current TCP in the SEQ of all TCP messages in the SEQ and out-of-sequence queue of text
All TCP messages of the SEQ of message, are not more than current TCP message from the SEQ for determining afterwards
A maximum TCP message of SEQ is determined in all TCP messages of SEQ, a TCP is as gone up
Message.
For example, for illustrating above-mentioned steps 202, the SEQ of the TCP message being firstly received is 1,
SEQ is that the LEN of 1 TCP message is 2, now, the TCP message that SEQ is 1 is put into normally
Queue;SEQ be 1 TCP message for normal queue last TCP message;
The SEQ of the TCP message for subsequently receiving is that the LEN of the TCP message that 3, SEQ is 3 is 2,
Now, due to TCP message that SEQ is 3 SEQ equal to the TCP message that SEQ is 1 SEQ with
The sum of LEN, therefore the TCP message that SEQ is 3 is put into normal queue;SEQ is 3 TCP reports
Text is last TCP message of normal queue;
The SEQ of the TCP message for subsequently receiving is that the LEN of the TCP message that 8, SEQ is 8 is 2,
Now, there is no TCP message in out-of-sequence queue, therefore from last TCP message of normal queue and mistake
Determine that SEQ is not more than all of the SEQ of current TCP message in all TCP messages in sequence queue
TCP message, determines in being not more than all TCP messages of the SEQ of current TCP message from SEQ afterwards
Go out the maximum TCP messages of SEQ, as SEQ is the SEQ of 3 TCP message, that is, that determines is upper
One TCP message is the SEQ of TCP message that SEQ is 3, further, due to the TCP that SEQ is 8
The SEQ of message more than the TCP message that SEQ is 3 SEQ and LEN sums, so, by SEQ
TCP message for 8 is put into out-of-sequence queue;SEQ is that 8 TCP message is all TCP in out-of-sequence queue
Message;
The SEQ of the TCP message for subsequently receiving is that the LEN of the TCP message that 10, SEQ is 10 is 3,
Now, out-of-sequence queue includes the TCP message that SEQ is 8, and SEQ be 3 TCP message for just
Last TCP message of normal queue, therefore last TCP message from normal queue and out-of-sequence team
All TCP messages of the SEQ of no more than current TCP message are determined in all TCP messages in row
Respectively:The TCP message that SEQ is 8 TCP message and SEQ is 3;From the TCP that SEQ is 8
Message and SEQ be 3 TCP message in determine that the maximum TCP messages of SEQ are:SEQ is 8
TCP message, that is, the upper TCP message determined is the SEQ of TCP message that SEQ is 8, enters one
Step, due to TCP message that SEQ is 10 SEQ equal to the TCP message that SEQ is 8 SEQ and
LEN sums, and SEQ is that 8 TCP message is located at out-of-sequence queue, therefore by TCP that SEQ is 10
Message is put into out-of-sequence queue;Now, out-of-sequence queue is 10 including TCP message that SEQ is 8 and SEQ
TCP message;
The SEQ of the TCP message for subsequently receiving is that the LEN of the TCP message that 13, SEQ is 13 is 2,
Now, out-of-sequence queue includes the TCP message that SEQ is 8 and the TCP message that SEQ is 10, and SEQ
For 3 TCP message for normal queue last TCP message, therefore from normal queue last
No more than current TCP message is determined in all TCP messages in individual TCP message and out-of-sequence queue
All TCP messages of SEQ are respectively:TCP message that TCP message that SEQ is 8, SEQ are 10,
SEQ is 3 TCP message;From the TCP message that SEQ is 8, the TCP message that SEQ is 10 and
SEQ be 3 TCP message in determine that the maximum TCP messages of SEQ are:SEQ is 10 TCP reports
Text, that is, the upper TCP message determined is the SEQ of TCP message that SEQ is 10, further,
Due to the SEQs and LEN of the SEQ equal to the TCP message that SEQ is 10 of TCP message that SEQ is 13
Sum, and SEQ is that 10 TCP message is located at out-of-sequence queue, therefore by TCP that SEQ is 13 report
Text is put into out-of-sequence queue;Now, out-of-sequence queue is 10 including TCP message that SEQ is 8, SEQ
TCP message, SEQ are 13 TCP message.
Alternatively, above-mentioned steps 203, duplicate removal is carried out according to a upper TCP message to current TCP message
Operation, and according to a upper TCP message, it is determined that whether current TCP message is put into normal queue or out-of-sequence
Queue, specifically includes various implementations, and following several alternatively implementation methods are provided in the embodiment of the present invention:
Mode one, if the SEQ of current TCP message is equal to the SEQ of a upper TCP message, and currently
The LEN of TCP message is not more than a LEN for TCP message, then by all of current TCP message
Content is defined as duplicate contents, and current TCP message is abandoned.
Mode two, if the SEQs, current TCP of the SEQ more than a upper TCP message of current TCP message
The SEQ of message is less than SEQ and the LEN sum of a upper TCP message, and the currently SEQ of TCP message
SEQ and LEN sum with LEN sums more than a upper TCP message;Then:
Using the preceding M byte in current TCP message as duplicate contents, and will from current TCP message
Duplicate contents are deleted;Wherein, M is subtracted currently equal to SEQ and the LEN sum of a upper TCP message
Difference obtained by the SEQ of TCP message;
The SEQ of current TCP message is reset, the SEQ of the current TCP message after replacement is equal to upper one
SEQ and the LEN sum of TCP message;
If a upper TCP message is located at normal queue, current TCP message is put into normal queue;If
A upper TCP message is located at out-of-sequence queue, then current TCP message is put into out-of-sequence queue.
Mode three, however, it is determined that the SEQs and LEN of the SEQ more than a upper TCP message of current TCP message
During sum, it is determined that current TCP message does not have duplicate contents with a upper TCP message, by current TCP reports
Text is put into out-of-sequence queue.
Mode four, however, it is determined that the SEQ of current TCP message is equal to the SEQ and LEN of a upper TCP message
During sum, it is determined that current TCP message does not have duplicate contents with a upper TCP message, if a upper TCP
Message is located at normal queue, then current TCP message is put into normal queue;If upper TCP message position
In out-of-sequence queue, then current TCP message is put into out-of-sequence queue.
The above method is introduced in order to clearer, the SEQ of a upper TCP message is represented with SEQ1 below,
The LEN of a upper TCP message is represented with LEN1, the SEQ of current TCP message is represented with SEQ2,
The LEN of current TCP message is represented with LEN2.Then:
In aforesaid way one, if SEQ2=SEQ1, and LEN2≤LEN1, then abandon current TCP message;
In aforesaid way two, if SEQ2 > SEQ1, and SEQ2 < (SEQ1+LEN1), and
(SEQ2+LEN2) > (SEQ1+LEN1), then delete the preceding M byte in current TCP message,
M=[(SEQ1+LEN1)-SEQ2];And the SEQ of current TCP message is updated, it is current after renewal
TCP message SEQ be (SEQ1+LEN1);If a upper TCP message is located at normal queue,
Current TCP message is put into normal queue;If a upper TCP message is located at out-of-sequence queue, will be current
TCP message is put into out-of-sequence queue;
In aforesaid way three, if SEQ2 > (SEQ1+LEN1), it is determined that current TCP message and upper
Individual TCP message does not have duplicate contents, and current TCP message is to advance to the message for reaching, and now should
Preceding TCP message is put into out-of-sequence queue;
In aforesaid way four, if SEQ2=(SEQ1+LEN1), it is determined that current TCP message and upper
Individual TCP message does not have duplicate contents, if a upper TCP message is located at normal queue, by current TCP
Message is put into normal queue;If a upper TCP message is located at out-of-sequence queue, current TCP message is put
Enter out-of-sequence queue.
Alternatively, in above-mentioned steps 204, the corresponding all TCP messages of TCP sessions to be reorganized have been determined
Through end of transmission, specifically include:When being 1 for FIN of current TCP message, TCP to be reorganized is determined
The corresponding all TCP messages of session end of transmission.
Specifically:One big packet be split as many small packets etc. it is to be transmitted (such as from
Terminal A is transmitted to terminal B), there are FIN and RST bit in each packet the inside, and default value is 0.
FIN is used for representing that normal switching-off is connected, similar with FIN effect.RST bit is represented due to Network Abnormal
It is caused to close connection.
During actual data transfer, when a big packet is split resulting multiple small data
When wrapping equal end of transmission, then A can send a mark bag to B, and FIN is 1 in the mark bag, is represented
Data transfer is finished can turn off connection, and now, all messages for the TCP sessions for receiving are carried out
Restructuring.
If running into abnormal conditions, such as network interruption during A passes packet to B, and now
Multiple small packet obtained by one big packet is split is had not been transmitted and finishes, and now A need not be waited
All of packet all sends out, and directly just being split by this big packet in discarding buffer area obtains
Small packet, and send a mark bag to B, RST bit receives this for 1, B in the mark bag
After RST bit is 1 packet, need not also send ACK to confirm.When Packet reassembling device analysis go out this
There is the mark bag that RST bit is 1 in TCP sessions, it is determined that the corresponding business of TCP sessions performs mistake
Lose.
In above-mentioned steps 204, alternatively, according to the ACK of each TCP session, by normal queue and mistake
All TCP messages in sequence queue are recombinated, and are obtained after multigroup TCP message, are also included:
For one group of TCP message in multigroup TCP message, if one group of Target IP and mesh of TCP message
Mark port is identical with the corresponding IP of TCP sessions to be reorganized being pre-configured with and port, it is determined that one group of TCP
Message is request message group;If the source IP and source port and the TCP to be reorganized being pre-configured with of one group of TCP message
Corresponding IP is identical with port for session, it is determined that one group of TCP message is response message group;
For multigroup TCP message, the request message group and response message group in multigroup TCP message are carried out
Matching, obtains the request message group and response message group of at least one pair of matching;A pair of the request reports for wherein matching
Text group and response message group meet matching condition, and matching condition is:
The ACK of request message group is equal to first SEQ of TCP message of response message group, and request report
SEQ and the LEN sum of last TCP message of Wen Zuzhong are equal to the ACK of response message group.
Specifically, when the request or a response in TCP sessions split into multiple TCP messages, should
The ACK all sames of multiple TCP messages, therefore, it is in the embodiment of the present invention that same ACK is corresponding
All TCP messages that all TCP messages are classified as in one group, and every group of TCP message press each TCP
The SEQ ascending orders arrangement of message, now every group of TCP message is the request before a fractionation or is one
Response before fractionation.
TCP sessions include multigroup TCP message, first determine every group of TCP message be request message group or
Response message group, is afterwards matched request message group and response message group.In such as request message group according to
Ascending order arrangement is carried out according to SEQ, to be then SEQ in the request message group maximum for last TCP message
One TCP message, the SEQ of last TCP message in the request message group is 851912353,
The ACK of last TCP message in the request message group is 163461939, in the request message group
Last TCP message LEN be 430;The response message group for then matching with the request message group
In first SEQ of TCP message be 163461939, i.e., the response for matching with the request message group
First SEQ of TCP message in message group is equal to last TCP message in the request message group
ACK;First ACK of TCP message in response message group is equal to (851912353+430),
First ACK of TCP message i.e. in response message group is equal to last in the request message group
SEQ and the LEN sum of TCP message.
The request message group and response message group string that will be mutually matched in TCP message group by the above method are existed
Together.Alternatively, in above-mentioned steps 204, for multigroup TCP message, in multigroup TCP message
Request message group and response message group are matched, and the request message group and response for obtaining at least one pair of matching are reported
After literary group, also include:
For each pair request message group and sound in request message group and response message group that at least one pair of is matched
Message group is answered, is performed:
Request message group and response message group are parsed respectively, request shape is parsed from request message group
State row, request header and request content, parsed from response message group responsive state row, head response and
Response contents;
The corresponding business of request message is matched according to solicited status row, request header and request content, according to
Responsive state row, head response and response contents determine the implementing result of business.
For example, solicited status row can be:
POST/ncs/accept4gselfpackage/Accept4GSelfPackageAction/submitSoSzdAcc
eptBusi.menu HTTP/1.1
The http protocol versions that the request message group is used can be HTTP/1.1.
In order to be further described above-described embodiment, take a particular example below.
To the core switch configuration mirroring port of certain network business hall, by data acquisition equipment and interchanger
Mirror port be attached.All IP and port information of Configuration network business hall web services.
The message of network business hall dealing is gathered by data acquisition equipment.The tcp data bag for collecting
Filtered, only treatment and the IP for being configured and the TCP message of port match.According to TCP message
SEQ, ACK and LEN carry out duplicate removal treatment to TCP message.
It is determined that FIN of TCP message for 1 when, the confirmation ACK according to each TCP session will
All TCP messages in normal queue and out-of-sequence queue are recombinated, and obtain multigroup TCP message;And really
It is request message group or response message group to make every group of TCP message.
By request message group together with response message group string, and solicited status is parsed from request message group
Row, request header and request content, parse responsive state row, head response and sound from response message group
Answer content.The corresponding business of request message is matched according to solicited status row, request header and request content,
The implementing result of business is determined according to responsive state row, head response and response contents, to realize seeking network
The purpose that the business in the industry Room is monitored.
It can be seen from the above:In the embodiment of the present invention, currently received transmission control protocol is determined
Whether TCP message is TCP sessions to be reorganized, if so, then according to the SEQ of currently received TCP message
Judge whether currently received TCP message is that normal sequence is reached;If currently received TCP message is for just
Chang Shunxu is reached, then current TCP message is put into normal queue;Otherwise, from normal queue last
Determined in the SEQ of all TCP messages in the SEQ of individual TCP message and out-of-sequence queue and no more than work as
The maximum SEQ of the SEQ of preceding TCP message, by the maximum SEQ of the SEQ of no more than current TCP message
Corresponding TCP message is defined as a upper TCP message of currently received TCP message;According to upper one
TCP message carries out deduplication operation to current TCP message, and according to a upper TCP message, it is determined that currently
Whether TCP message is put into normal queue or out-of-sequence queue;It is determined that TCP sessions to be reorganized are corresponding all
During TCP message end of transmission, the confirmation ACK according to each TCP session, by normal queue and out-of-sequence
All TCP messages in queue are recombinated, and obtain multigroup TCP message;Wherein, every group of TCP message
In all TCP messages ACK it is identical;And all TCP messages in every group of TCP message press each
The SEQ ascending orders arrangement of TCP message.Due to being gone to current TCP message according to a upper TCP message
Operate again, thus can by current TCP message with a upper TCP message in repeat content deleted,
Avoid because message repeats the problem that caused message is overlapped;Further, due to it is determined that TCP to be reorganized
During the corresponding all TCP message end of transmissions of session, the confirmation ACK according to each TCP session will
All TCP messages in normal queue and out-of-sequence queue are recombinated, and obtain multigroup TCP message, in this way,
Can be to be capable of achieving the restructuring to message only by the ACK and SEQ of TCP message, method is simply efficient.
The structure that Fig. 3 illustrates a kind of TCP message reconstitution device provided in an embodiment of the present invention is shown
It is intended to.
Based on same idea, as shown in figure 3, the embodiment of the present invention provides a kind of TCP message reconstitution device
300, for performing above method flow, including determining unit 301, processing unit 302, recomposition unit 303,
Alternatively, also including reduction unit 304:
Determining unit, for determining whether currently received transmission control protocol TCP message is to be reorganized
TCP sessions, if so, then the sequence number SEQ according to currently received TCP message judges currently received
Whether TCP message is that normal sequence is reached;If currently received TCP message is reached for normal sequence,
Current TCP message is put into normal queue;Otherwise, from the SEQ of last TCP message of normal queue
With the SEQ that no more than current TCP message is determined in the SEQ of all TCP messages in out-of-sequence queue
Maximum SEQ, the corresponding TCP messages of maximum SEQ of the SEQ of no more than current TCP message is true
It is set to a upper TCP message of currently received TCP message;
Processing unit, for carrying out deduplication operation to current TCP message according to a upper TCP message, and
According to a upper TCP message, it is determined that whether current TCP message is put into normal queue or out-of-sequence queue;
Recomposition unit, for it is determined that during the corresponding all TCP message end of transmissions of TCP sessions to be reorganized,
Confirmation ACK according to each TCP session, by all TCP messages in normal queue and out-of-sequence queue
Recombinated, obtained multigroup TCP message;Wherein, all TCP messages in every group of TCP message
ACK is identical;And all TCP messages in every group of TCP message are by the SEQ ascending orders of each TCP message
Arrangement.
Optionally it is determined that unit, specifically for:It is pre-configured with the corresponding network association of TCP sessions to be reorganized
View IP and port;
If it is determined that the source IP and source port of the TCP message for receiving are the corresponding IP of TCP sessions to be reorganized
And port, or determine that the Target IP of TCP message that receives and target port are TCP sessions to be reorganized
Corresponding IP and port, it is determined that receive TCP message for TCP sessions to be reorganized;
Otherwise, it is determined that it is not TCP sessions to be reorganized to receive TCP message.
Alternatively, determine the current TCP message for receiving for normal sequence is reached in the following manner:
The SEQ of the current TCP message for receiving is equal to the SEQ of last TCP message of normal queue
With the length LEN sum of last TCP message of normal queue.
Alternatively, processing unit, specifically for:
If the SEQ of current TCP message is equal to the SEQ of a upper TCP message, and current TCP message
LEN be not more than a LEN for TCP message, then:
All the elements of current TCP message are defined as duplicate contents, and current TCP message is abandoned.
Alternatively, processing unit, specifically for:
If the SEQs of the SEQ more than a upper TCP message of current TCP message, current TCP message
SEQ less than a upper TCP message SEQ and LEN sum, and the SEQ of current TCP message and
SEQ and LEN sum of the LEN sums more than a upper TCP message;Then:
Using the preceding M byte in current TCP message as duplicate contents, and will from current TCP message
Duplicate contents are deleted;Wherein, M is subtracted currently equal to SEQ and the LEN sum of a upper TCP message
Difference obtained by the SEQ of TCP message;
The SEQ of current TCP message is reset, the SEQ of the current TCP message after replacement is equal to upper one
SEQ and the LEN sum of TCP message;
If a upper TCP message is located at normal queue, current TCP message is put into normal queue;If
A upper TCP message is located at out-of-sequence queue, then current TCP message is put into out-of-sequence queue.
Alternatively, processing unit, specifically for:
If it is determined that when the SEQ of current TCP message is more than SEQ and the LEN sum of a upper TCP message,
It is determined that current TCP message does not have duplicate contents with a upper TCP message, current TCP message is put into mistake
Sequence queue;And/or
If it is determined that when the SEQ of current TCP message is equal to SEQ and the LEN sum of a upper TCP message,
Then determine that current TCP message does not have duplicate contents with a upper TCP message, if upper TCP message position
In normal queue, then current TCP message is put into normal queue;If a upper TCP message is located at out-of-sequence
Queue, then be put into out-of-sequence queue by current TCP message.
Alternatively, recomposition unit, specifically for:
When being 1 for FIN of current TCP message, the corresponding all TCP of TCP sessions to be reorganized are determined
Message end of transmission.
Alternatively, also including reduction unit, it is used for:
In the ACK according to each TCP session, by all TCP messages in normal queue and out-of-sequence queue
Recombinated, after obtaining multigroup TCP message, for one group of TCP message in multigroup TCP message,
If one group of Target IP and target port of TCP message IP corresponding with the TCP sessions to be reorganized being pre-configured with
It is identical with port, it is determined that one group of TCP message is request message group;If one group of source IP of TCP message and
Source port is identical with the corresponding IP of TCP sessions to be reorganized being pre-configured with and port, it is determined that one group of TCP
Message is response message group;
For multigroup TCP message, the request message group and response message group in multigroup TCP message are carried out
Matching, obtains the request message group and response message group of at least one pair of matching;A pair of the request reports for wherein matching
Text group and response message group meet matching condition, and matching condition is:The ACK of request message group is equal to response
First SEQ of TCP message of message group, and last TCP message in request message group SEQ
With the ACK that LEN sums are equal to response message group.
Alternatively, reduction unit, is additionally operable to:
For each pair request message group and sound in request message group and response message group that at least one pair of is matched
Message group is answered, is performed:
Request message group and response message group are parsed respectively, request shape is parsed from request message group
State row, request header and request content, parsed from response message group responsive state row, head response and
Response contents;
The corresponding business of request message is matched according to solicited status row, request header and request content, according to
Responsive state row, head response and response contents determine the implementing result of business.
It can be seen from the above:In the embodiment of the present invention, currently received transmission control protocol is determined
Whether TCP message is TCP sessions to be reorganized, if so, then according to the SEQ of currently received TCP message
Judge whether currently received TCP message is that normal sequence is reached;If currently received TCP message is for just
Chang Shunxu is reached, then current TCP message is put into normal queue;Otherwise, from normal queue last
Determined in the SEQ of all TCP messages in the SEQ of individual TCP message and out-of-sequence queue and no more than work as
The maximum SEQ of the SEQ of preceding TCP message, by the maximum SEQ of the SEQ of no more than current TCP message
Corresponding TCP message is defined as a upper TCP message of currently received TCP message;According to upper one
TCP message carries out deduplication operation to current TCP message, and according to a upper TCP message, it is determined that currently
Whether TCP message is put into normal queue or out-of-sequence queue;It is determined that TCP sessions to be reorganized are corresponding all
During TCP message end of transmission, the confirmation ACK according to each TCP session, by normal queue and out-of-sequence
All TCP messages in queue are recombinated, and obtain multigroup TCP message;Wherein, every group of TCP message
In all TCP messages ACK it is identical;And all TCP messages in every group of TCP message press each
The SEQ ascending orders arrangement of TCP message.Due to being gone to current TCP message according to a upper TCP message
Operate again, thus can by current TCP message with a upper TCP message in repeat content deleted,
Avoid because message repeats the problem that caused message is overlapped;Further, due to it is determined that TCP to be reorganized
During the corresponding all TCP message end of transmissions of session, the confirmation ACK according to each TCP session will
All TCP messages in normal queue and out-of-sequence queue are recombinated, and obtain multigroup TCP message, in this way,
Can be to be capable of achieving the restructuring to message only by the ACK and SEQ of TCP message, method is simply efficient.
It should be understood by those skilled in the art that, embodiments of the invention can be provided as method or computer journey
Sequence product.Therefore, the present invention can use complete hardware embodiment, complete software embodiment or combine software
With the form of the embodiment of hardware aspect.And, the present invention can be used and wherein include meter at one or more
Calculation machine usable program code computer-usable storage medium (including but not limited to magnetic disk storage,
CD-ROM, optical memory etc.) on implement computer program product form.
The present invention is produced with reference to method according to embodiments of the present invention, equipment (system) and computer program
The flow chart and/or block diagram of product is described.It should be understood that can by computer program instructions realize flow chart and
/ or block diagram in each flow and/or the flow in square frame and flow chart and/or block diagram and/
Or the combination of square frame.These computer program instructions to all-purpose computer, special-purpose computer, insertion can be provided
The processor of formula processor or other programmable data processing devices is producing a machine so that by calculating
The instruction of the computing device of machine or other programmable data processing devices is produced for realizing in flow chart one
The equipment of the function of being specified in individual flow or multiple one square frame of flow and/or block diagram or multiple square frames.
These computer program instructions may be alternatively stored in can guide computer or the treatment of other programmable datas to set
In the standby computer-readable memory for working in a specific way so that storage is in the computer-readable memory
Instruction produce include the manufacture of commander equipment, the commander equipment realization in one flow of flow chart or multiple
The function of being specified in one square frame of flow and/or block diagram or multiple square frames.
These computer program instructions can be also loaded into computer or other programmable data processing devices, made
Obtain and series of operation steps is performed on computer or other programmable devices to produce computer implemented place
Reason, so as to the instruction performed on computer or other programmable devices is provided for realizing in flow chart one
The step of function of being specified in flow or multiple one square frame of flow and/or block diagram or multiple square frames.
, but those skilled in the art once know base although preferred embodiments of the present invention have been described
This creative concept, then can make other change and modification to these embodiments.So, appended right will
Ask and be intended to be construed to include preferred embodiment and fall into having altered and changing for the scope of the invention.
Obviously, those skilled in the art can carry out various changes and modification without deviating from of the invention to the present invention
Spirit and scope.So, if these modifications of the invention and modification belong to the claims in the present invention and its wait
Within the scope of technology, then the present invention is also intended to comprising these changes and modification.
Claims (18)
1. a kind of TCP message recombination method, it is characterised in that including:
Determine whether currently received transmission control protocol TCP message is TCP sessions to be reorganized, if so,
Then whether the sequence number SEQ according to currently received TCP message judges the currently received TCP message
For normal sequence is reached;
If the currently received TCP message is reached for normal sequence, the current TCP message is put
Enter normal queue;Otherwise, the SEQ from last TCP message of the normal queue and out-of-sequence queue
In all TCP messages SEQ in determine no more than described current TCP message SEQ maximum
SEQ, by the corresponding TCP messages of maximum SEQ of the SEQ for being not more than the current TCP message
It is defined as a upper TCP message of the currently received TCP message;
Deduplication operation is carried out to the current TCP message according to a upper TCP message, and according to institute
A TCP message is stated, determines whether the current TCP message is put into the normal queue or the mistake
Sequence queue;
It is determined that during the corresponding all TCP message end of transmissions of the TCP sessions to be reorganized, according to each
The confirmation ACK of TCP sessions, by all TCP messages in the normal queue and the out-of-sequence queue
Recombinated, obtained multigroup TCP message;Wherein, all TCP messages in every group of TCP message
ACK is identical;And all TCP messages in every group of TCP message are by the SEQ ascending orders of each TCP message
Arrangement.
2. the method for claim 1, it is characterised in that the currently received TCP reports of determination
Whether text is TCP sessions to be reorganized, is specifically included:
It is pre-configured with the corresponding procotol IP of the TCP sessions to be reorganized and port;
If it is determined that the source IP and source port of the TCP message for receiving are that the TCP sessions to be reorganized are corresponding
IP and port, or determine that the Target IP of TCP message that receives and target port are the TCP to be reorganized
The corresponding IP of session and port, it is determined that receive TCP message for the TCP sessions to be reorganized;
Otherwise, it is determined that it is not the TCP sessions to be reorganized to receive TCP message.
3. the method for claim 1, it is characterised in that determine what is received in the following manner
Current TCP message is reached for normal sequence:
Last TCP that the SEQ of the described current TCP message for receiving is equal to the normal queue is reported
The SEQ of text and the length LEN sum of last TCP message of the normal queue.
4. method as claimed in claim 3, it is characterised in that described to be reported according to a upper TCP
Text carries out deduplication operation to the current TCP message, and according to a upper TCP message, determines institute
State whether current TCP message is put into the normal queue or the out-of-sequence queue, specifically include:
If the SEQ of the current TCP message be equal to a upper TCP message SEQ, and it is described work as
The LEN of preceding TCP message is not more than the LEN of a upper TCP message, then:
All the elements of the current TCP message are defined as duplicate contents, and the current TCP is reported
Text is abandoned.
5. method as claimed in claim 3, it is characterised in that described to be reported according to a upper TCP
Text carries out deduplication operation to the current TCP message, and according to a upper TCP message, determines institute
State whether current TCP message is put into the normal queue or the out-of-sequence queue, specifically include:
It is described current if the SEQ of the current TCP message is more than the SEQ of a upper TCP message
The SEQ of TCP message is less than SEQ and the LEN sum of a upper TCP message, and described current
SEQ and LEN sum of SEQ and the LEN sum of TCP message more than a upper TCP message;
Then:
Using the preceding M byte in the current TCP message as duplicate contents, and from the current TCP
The duplicate contents are deleted in message;Wherein, the M is equal to the SEQ of a upper TCP message
With the difference obtained by the SEQ that LEN sums subtract the current TCP message;
Reset the SEQ of the current TCP message, the SEQ of described current TCP message after replacement etc.
In SEQ and the LEN sum of a upper TCP message;
If a upper TCP message is located at the normal queue, the current TCP message is put into
The normal queue;If a upper TCP message is located at the out-of-sequence queue, by the current TCP
Message is put into the out-of-sequence queue.
6. method as claimed in claim 3, it is characterised in that described to be reported according to a upper TCP
Text carries out deduplication operation to the current TCP message, and according to a upper TCP message, determines institute
State whether current TCP message is put into the normal queue or the out-of-sequence queue, specifically include:
If it is determined that SEQs and LEN of the SEQ of the current TCP message more than a upper TCP message
During sum, determine that the current TCP message does not have duplicate contents with a upper TCP message, by institute
State current TCP message and be put into the out-of-sequence queue;And/or
If it is determined that the SEQ of the current TCP message is equal to the SEQ and LEN of a upper TCP message
During sum, it is determined that the current TCP message does not have duplicate contents with a upper TCP message, if
A upper TCP message be located at the normal queue, then by the current TCP message be put into it is described just
Normal queue;If a upper TCP message is located at the out-of-sequence queue, by the current TCP message
It is put into the out-of-sequence queue.
7. the method for claim 1, it is characterised in that the determination TCP meetings to be reorganized
Corresponding all TCP messages end of transmission is talked about, is specifically included:
When being 1 for FIN of the current TCP message, determine that the TCP sessions to be reorganized are corresponding
All TCP messages end of transmission.
8. method as claimed in claim 2, it is characterised in that the ACK according to each TCP session,
All TCP messages in the normal queue and the out-of-sequence queue are recombinated, multigroup TCP is obtained
After message, also include:
For one group of TCP message in multigroup TCP message, if the target of one group of TCP message
IP and target port are identical with the corresponding IP of TCP sessions described to be reorganized being pre-configured with and port, then really
Fixed one group of TCP message is request message group;If the source IP and source port of one group of TCP message with
The corresponding IP of TCP sessions described to be reorganized being pre-configured with is identical with port, it is determined that one group of TCP
Message is response message group;
For multigroup TCP message, the request message group in multigroup TCP message and response are reported
Literary group is matched, and obtains the request message group and response message group of at least one pair of matching;Wherein described matching
A pair of request message groups and response message group meet matching condition, the matching condition is:Request message group
ACK be equal to first SEQ of TCP message of response message group, and last in request message group
SEQ and the LEN sum of individual TCP message are equal to the ACK of response message group.
9. method as claimed in claim 8, it is characterised in that described for multigroup TCP message,
Request message group and response message group in multigroup TCP message is matched, at least one pair of is obtained
After the request message group and response message group of matching, also include:
For each pair request message group in the request message group and response message group of at least one pair of matching
With response message group, perform:
The request message group and the response message group are parsed respectively, is parsed from request message group
Go out solicited status row, request header and request content, responsive state row, sound are parsed from response message group
Answer head and response contents;
The corresponding industry of the request message is matched according to the solicited status row, request header and request content
Business, the implementing result of the business is determined according to the responsive state row, head response and response contents.
10. a kind of TCP message reconstitution device, it is characterised in that including:
Determining unit, for determining whether currently received transmission control protocol TCP message is to be reorganized
TCP sessions, if so, then the sequence number SEQ according to currently received TCP message judges described currently to connect
Whether the TCP message of receipts is that normal sequence is reached;If the currently received TCP message is normal sequence
Reach, then the current TCP message is put into normal queue;Otherwise, from the last of the normal queue
Determined no more than in the SEQ of all TCP messages in the SEQ and out-of-sequence queue of TCP message
The maximum SEQ of the SEQ of the current TCP message, by the no more than current TCP message
The corresponding TCP messages of maximum SEQ of SEQ are defined as upper of the currently received TCP message
TCP message;
Processing unit, for carrying out duplicate removal to the current TCP message according to a upper TCP message
Operation, and according to a upper TCP message, determine the current TCP message whether be put into it is described just
Normal queue or the out-of-sequence queue;
Recomposition unit, for it is determined that the corresponding all TCP messages of the TCP sessions to be reorganized are transferred
Bi Shi, the confirmation ACK according to each TCP session, by the normal queue and the out-of-sequence queue
All TCP messages recombinated, obtain multigroup TCP message;Wherein, the institute in every group of TCP message
There is the ACK of TCP message identical;And all TCP messages in every group of TCP message are reported by each TCP
The SEQ ascending orders arrangement of text.
11. equipment as claimed in claim 10, it is characterised in that the determining unit, specifically for:
It is pre-configured with the corresponding procotol IP of the TCP sessions to be reorganized and port;
If it is determined that the source IP and source port of the TCP message for receiving are that the TCP sessions to be reorganized are corresponding
IP and port, or determine that the Target IP of TCP message that receives and target port are the TCP to be reorganized
The corresponding IP of session and port, it is determined that receive TCP message for the TCP sessions to be reorganized;
Otherwise, it is determined that it is not the TCP sessions to be reorganized to receive TCP message.
12. equipment as claimed in claim 10, it is characterised in that determine to receive in the following manner
Current TCP message be normal sequence reach:
Last TCP that the SEQ of the described current TCP message for receiving is equal to the normal queue is reported
The SEQ of text and the length LEN sum of last TCP message of the normal queue.
13. equipment as claimed in claim 12, it is characterised in that the processing unit, specifically for:
If the SEQ of the current TCP message be equal to a upper TCP message SEQ, and it is described work as
The LEN of preceding TCP message is not more than the LEN of a upper TCP message, then:
All the elements of the current TCP message are defined as duplicate contents, and the current TCP is reported
Text is abandoned.
14. equipment as claimed in claim 12, it is characterised in that the processing unit, specifically for:
It is described current if the SEQ of the current TCP message is more than the SEQ of a upper TCP message
The SEQ of TCP message is less than SEQ and the LEN sum of a upper TCP message, and described current
SEQ and LEN sum of SEQ and the LEN sum of TCP message more than a upper TCP message;
Then:
Using the preceding M byte in the current TCP message as duplicate contents, and from the current TCP
The duplicate contents are deleted in message;Wherein, the M is equal to the SEQ of a upper TCP message
With the difference obtained by the SEQ that LEN sums subtract the current TCP message;
Reset the SEQ of the current TCP message, the SEQ of described current TCP message after replacement etc.
In SEQ and the LEN sum of a upper TCP message;
If a upper TCP message is located at the normal queue, the current TCP message is put into
The normal queue;If a upper TCP message is located at the out-of-sequence queue, by the current TCP
Message is put into the out-of-sequence queue.
15. equipment as claimed in claim 12, it is characterised in that the processing unit, specifically for:
If it is determined that SEQs and LEN of the SEQ of the current TCP message more than a upper TCP message
During sum, determine that the current TCP message does not have duplicate contents with a upper TCP message, by institute
State current TCP message and be put into the out-of-sequence queue;And/or
If it is determined that the SEQ of the current TCP message is equal to the SEQ and LEN of a upper TCP message
During sum, it is determined that the current TCP message does not have duplicate contents with a upper TCP message, if
A upper TCP message be located at the normal queue, then by the current TCP message be put into it is described just
Normal queue;If a upper TCP message is located at the out-of-sequence queue, by the current TCP message
It is put into the out-of-sequence queue.
16. equipment as claimed in claim 10, it is characterised in that the recomposition unit, specifically for:
When being 1 for FIN of the current TCP message, determine that the TCP sessions to be reorganized are corresponding
All TCP messages end of transmission.
17. equipment as claimed in claim 11, it is characterised in that also including reduction unit, be used for:
In the ACK according to each TCP session, by the normal queue and the out-of-sequence queue
All TCP messages are recombinated, after obtaining multigroup TCP message, in multigroup TCP message
One group of TCP message, if the Target IP and target port of one group of TCP message and the institute being pre-configured with
State the corresponding IP of TCP sessions to be reorganized identical with port, it is determined that one group of TCP message is reported for request
Literary group;If the source IP and source port of one group of TCP message and the TCP meetings described to be reorganized being pre-configured with
Talk about corresponding IP identical with port, it is determined that one group of TCP message is response message group;
For multigroup TCP message, the request message group in multigroup TCP message and response are reported
Literary group is matched, and obtains the request message group and response message group of at least one pair of matching;Wherein described matching
A pair of request message groups and response message group meet matching condition, the matching condition is:Request message group
ACK be equal to first SEQ of TCP message of response message group, and last in request message group
SEQ and the LEN sum of individual TCP message are equal to the ACK of response message group.
18. equipment as claimed in claim 17, it is characterised in that the reduction unit, are additionally operable to:
For each pair request message group in the request message group and response message group of at least one pair of matching
With response message group, perform:
The request message group and the response message group are parsed respectively, is parsed from request message group
Go out solicited status row, request header and request content, responsive state row, sound are parsed from response message group
Answer head and response contents;
The corresponding industry of the request message is matched according to the solicited status row, request header and request content
Business, the implementing result of the business is determined according to the responsive state row, head response and response contents.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510980136.8A CN106911644A (en) | 2015-12-23 | 2015-12-23 | A kind of message recombining method and equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510980136.8A CN106911644A (en) | 2015-12-23 | 2015-12-23 | A kind of message recombining method and equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN106911644A true CN106911644A (en) | 2017-06-30 |
Family
ID=59200094
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510980136.8A Pending CN106911644A (en) | 2015-12-23 | 2015-12-23 | A kind of message recombining method and equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106911644A (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107835138A (en) * | 2017-09-15 | 2018-03-23 | 南京安讯科技有限责任公司 | Packet sorting method in a kind of TCP communications connection |
| CN111371782A (en) * | 2020-03-03 | 2020-07-03 | 深信服科技股份有限公司 | Message transmission method and device and storage medium |
| CN111741127A (en) * | 2020-07-23 | 2020-10-02 | 杭州海康威视数字技术股份有限公司 | Communication connection blocking method and device, electronic equipment and storage medium |
| CN115190090A (en) * | 2022-07-12 | 2022-10-14 | 国泰君安证券股份有限公司 | TCP stream recombination behavior monitoring processing method, system, device, processor and storage medium based on hash table and queue structure |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101841545A (en) * | 2010-05-14 | 2010-09-22 | 中国科学院计算技术研究所 | TCP stream restructuring and/or packetizing method and device |
| CN102307151A (en) * | 2011-10-10 | 2012-01-04 | 上海西默通信技术有限公司 | HTTP (hyper text transport protocol)-based network packet reduction method |
| WO2012162949A1 (en) * | 2011-08-17 | 2012-12-06 | 华为技术有限公司 | Packet reassembly and resequence method, apparatus and system |
| CN103117948A (en) * | 2013-02-22 | 2013-05-22 | 桂林电子科技大学 | Hierarchical parallel high-speed network transmission control protocol (TCP) flow recombination method based on field programmable gate array (FPGA) |
| CN105939297A (en) * | 2015-10-26 | 2016-09-14 | 杭州迪普科技有限公司 | TCP message reassembling method and TCP message reassembling device |
-
2015
- 2015-12-23 CN CN201510980136.8A patent/CN106911644A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101841545A (en) * | 2010-05-14 | 2010-09-22 | 中国科学院计算技术研究所 | TCP stream restructuring and/or packetizing method and device |
| WO2012162949A1 (en) * | 2011-08-17 | 2012-12-06 | 华为技术有限公司 | Packet reassembly and resequence method, apparatus and system |
| CN102307151A (en) * | 2011-10-10 | 2012-01-04 | 上海西默通信技术有限公司 | HTTP (hyper text transport protocol)-based network packet reduction method |
| CN103117948A (en) * | 2013-02-22 | 2013-05-22 | 桂林电子科技大学 | Hierarchical parallel high-speed network transmission control protocol (TCP) flow recombination method based on field programmable gate array (FPGA) |
| CN105939297A (en) * | 2015-10-26 | 2016-09-14 | 杭州迪普科技有限公司 | TCP message reassembling method and TCP message reassembling device |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107835138A (en) * | 2017-09-15 | 2018-03-23 | 南京安讯科技有限责任公司 | Packet sorting method in a kind of TCP communications connection |
| CN107835138B (en) * | 2017-09-15 | 2022-01-04 | 南京安讯科技有限责任公司 | Message ordering method in TCP communication connection |
| CN111371782A (en) * | 2020-03-03 | 2020-07-03 | 深信服科技股份有限公司 | Message transmission method and device and storage medium |
| CN111741127A (en) * | 2020-07-23 | 2020-10-02 | 杭州海康威视数字技术股份有限公司 | Communication connection blocking method and device, electronic equipment and storage medium |
| CN111741127B (en) * | 2020-07-23 | 2020-11-13 | 杭州海康威视数字技术股份有限公司 | Communication connection blocking method and device, electronic equipment and storage medium |
| CN115190090A (en) * | 2022-07-12 | 2022-10-14 | 国泰君安证券股份有限公司 | TCP stream recombination behavior monitoring processing method, system, device, processor and storage medium based on hash table and queue structure |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11700275B2 (en) | Detection of malware and malicious applications | |
| EP3758412B1 (en) | Multichannel data transmission method, apparatus, system and computer-readable medium | |
| JP5208945B2 (en) | Method and apparatus for transmitting and analyzing data in a wireless communication network | |
| CN106911644A (en) | A kind of message recombining method and equipment | |
| CN107645398A (en) | A kind of method and apparatus of diagnostic network performance and failure | |
| US20180343182A1 (en) | Network traffic capture analysis | |
| CN106470116B (en) | A kind of Network Fault Detection and restoration methods and device | |
| US20150036513A1 (en) | Multicore processing of bidirectional traffic flows | |
| CN111835708A (en) | Characteristic information analysis method and device | |
| CN102859921A (en) | System and method for achieving accelerated throughput | |
| JP2001285400A (en) | Correcting method of traffic statistics information | |
| CN101986648A (en) | Negotiation method, device and network device of TCP option | |
| CN1761244A (en) | Method for setting up notification function for route selection according to border gateway protocol | |
| CN108632931A (en) | A kind of data transmission method, device, equipment and medium based on 5G networks | |
| US20210250268A1 (en) | Method and Apparatus for Measuring End-to-End Packet Latency and Packet Delay Variation Via Deep Packet Inspection at an Intermediate Node of a Communication Network | |
| CN107682434A (en) | A kind of underwater sensor network framework and its implementation | |
| CN103117946A (en) | Flow sharing method based on combined application of isolating device and isolation gateway | |
| CN110838930B (en) | Method and device for generating service logic topology | |
| CN111478865A (en) | TCP stream reconfiguration technology based on interval management algorithm | |
| CN103731376A (en) | Method and system for selecting chain aggregation root ports on stacked equipment | |
| WO2016095379A1 (en) | Assistant positioning method and device for packet loss position and computer storage medium | |
| CN104580171B (en) | The transmission method of Transmission Control Protocol, device and system | |
| WO2022270767A1 (en) | Device for generating and managing information bundle for intelligent network management system, and method of same | |
| CN107018518A (en) | A kind of method and system for obtaining link detecting information | |
| CN110166185A (en) | Processing method, device, storage medium and the processor of audio data |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20170630 |