TWI411263B - Network monitoring method and its system - Google Patents

Info

Publication number
TWI411263B
Authority
TW
Taiwan
Prior art keywords
correspondence table
group
instant connection
record
connection record
Prior art date
Application number
TW99143007A
Other languages
Chinese (zh)
Other versions
TW201225581A (en)
Original Assignee
Softnext Technologies Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Softnext Technologies Corp
Priority to TW99143007A
Publication of TW201225581A
Application granted
Publication of TWI411263B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a network monitoring method and the system thereof. The system comprises a packet analyzing module, a real-time connection record processing module, and a record rearrangement update module. The packet analyzing module is for obtaining analyzed packet information according to a packet. The real-time connection record processing module generates a real-time connection record including an identification column according to the analyzed packet information. The record rearrangement update module is for rearranging and updating the real-time connection record whose identification column is recorded as void; and if there doesn't exist any data at least partially corresponding to a group of member relation tables, a new identification code will be generated and used to update the identification column of the real-time connection record; meanwhile, the updated real-time connection record will be added to the group of member relation tables.

Description

Network monitoring method and system thereof

The present invention relates to a network monitoring system, and more particularly to a network monitoring system that monitors network behavior without being limited to specific, predesignated targets.

As enterprises move their work onto the network, employees use it to carry out all kinds of tasks. How to effectively keep track of the Internet usage of every employee in the enterprise, so as to prevent employees from browsing unnecessary web pages or chatting over instant messaging during working hours and thereby reducing their productivity, has therefore become an important issue for large enterprises.

Many network monitoring techniques already exist. Besides analyzing packets in real time, they can also keep connection records of network behavior, helping managers understand how people inside the enterprise use the network. Network packet analysis is mainly performed according to the protocols defined in the Open System Interconnection Reference Model (OSI) proposed by the International Organization for Standardization. At layer 3, the network layer, the user's Internet Protocol (IP) address and Media Access Control (MAC) address are obtained. At layer 4, the transport layer, the supervision and management of network devices and data traffic is controlled to ensure smooth communication. At layer 7, the application layer, network packets take different forms depending on the application; for example, in the Simple Mail Transfer Protocol (SMTP) a packet carries information such as the mail account and the mail address.

One known network monitoring technique, disclosed in Taiwan Patent No. I313993, is a network interception system in which a monitoring server is placed between a proxy server and a plurality of clients, each having a network address. The monitoring server stores a monitoring address list containing at least one monitored address. A calling party notifies a corresponding called party over the network through the proxy server, after which the calling party and the called party begin transmitting packet data; when the address of the calling party matches a monitored address in the list, the monitoring server immediately intercepts and records the traffic.

The conventional technique described above can only monitor certain preset, specific targets (for example, clients whose network addresses appear in the monitoring address list); clients whose network addresses have not been preset in that list are not monitored in real time.

Accordingly, an object of the present invention is to provide a network monitoring method.

The network monitoring method of the present invention therefore comprises the following steps: (a) obtaining analyzed packet information from at least one captured packet; (b) comparing the analyzed packet information with a group of person correspondence tables to produce an instant connection record that includes an identity field and at least one analysis information field, wherein the group of person correspondence tables includes at least one identity code used as an index and the analysis information field records the analyzed packet information; if no data in the group of person correspondence tables at least partially matches the analyzed packet information, the identity field is recorded as a null value, otherwise the group of person correspondence tables is updated with the analyzed packet information and the identity code corresponding to the at least partially matching data in the tables is recorded in the identity field of the instant connection record; and (c) after repeating steps (a) and (b) for a predetermined time, reorganizing and updating the instant connection records whose identity field is recorded as null, wherein step (c) includes the following sub-steps:

(c-1) comparing one instant connection record whose identity field is recorded as null with the group of person correspondence tables; if any data in the tables at least partially matches the analyzed packet information recorded in the analysis information field of that record, updating the tables with the analyzed packet information and updating the identity field of the record with the identity code corresponding to the matching data; otherwise generating a new identity code for that record, updating its identity field with the new identity code, and adding the updated record to the group of person correspondence tables; and

(c-2) repeating sub-step (c-1) until none of the identity fields is null.

Another object of the present invention is to provide a network monitoring system.

The network monitoring system of the present invention therefore comprises a packet analysis module, an instant connection record processing module, and a record reorganization update module.

The packet analysis module receives at least one packet and obtains analyzed packet information from it.

The instant connection record processing module compares the analyzed packet information with a group of person correspondence tables to produce an instant connection record that includes an identity field and at least one analysis information field, wherein the group of person correspondence tables includes at least one identity code used as an index and the analysis information field records the analyzed packet information. If no data in the group of person correspondence tables at least partially matches the analyzed packet information, the identity field is recorded as a null value; otherwise the group of person correspondence tables is updated with the analyzed packet information and the identity code corresponding to the at least partially matching data in the tables is recorded in the identity field of the instant connection record.

The record reorganization update module reorganizes and updates, after every predetermined time, the instant connection records whose identity field is recorded as null. For each instant connection record whose identity field is recorded as null, the record reorganization update module compares the record with the group of person correspondence tables; if any data in the tables at least partially matches the analyzed packet information recorded in the analysis information field of the record, it updates the tables with the analyzed packet information and updates the identity field of the record with the identity code corresponding to the matching data; otherwise it generates a new identity code for the record, updates its identity field with the new identity code, and adds the updated record to the group of person correspondence tables.

Through the instant connection record processing module and the record reorganization update module, the network behavior of any person not yet present in the group of person correspondence tables can also be monitored, so the object of the present invention is indeed achieved.

The foregoing and other technical contents, features and effects of the present invention will become clear from the following detailed description of a preferred embodiment with reference to the accompanying drawings.

Referring to FIG. 1, the network monitoring system 1 of the present invention is applied in a network system architecture comprising a plurality of network nodes 5. The network monitoring system 1 may be implemented in software, firmware, hardware, or a combination of these, and is integrated into an electronic device 2. In the preferred embodiment the network system architecture is an enterprise intranet, and the electronic device 2 is implemented as a network behavior analysis and control server placed between the intranet and the external Internet, which collects packets on the network and analyzes them in order to further control network behavior.

Referring to FIG. 2, the network monitoring system 1 comprises a packet analysis module 11, an instant connection record processing module 12, a record reorganization update module 13 and a database 14.

The packet analysis module 11 receives a packet on the network and obtains analyzed packet information from it.

The instant connection record processing module 12 compares the analyzed packet information with a group of person correspondence tables stored in the database 14 to produce an instant connection record including an identity field and at least one analysis information field. The group of person correspondence tables includes at least one identity code used as an index, and the analysis information field records the analyzed packet information. If no data in the tables matches the analyzed packet information, the instant connection record processing module 12 records the identity field as a null value; if matching data exists, the corresponding identity code is filled into the identity field. The instant connection record processing module 12 stores the instant connection record in the database 14 so that the network administrator can query and monitor network behavior.

The record reorganization update module 13 is connected to the database 14. After a predetermined time has elapsed, the record reorganization update module 13 collects the instant connection records whose identity field was recorded as null by the instant connection record processing module 12 and compares them one at a time with the group of person correspondence tables. If any data in the tables at least partially matches the analyzed packet information recorded in the analysis information field of the record, the tables are updated with that analyzed packet information and the identity field of the record is updated with the identity code corresponding to the matching data; otherwise a new identity code is generated for the record, its identity field is updated with the new identity code, and the updated record is added to the tables. This continues until the identity field of every instant connection record is non-null.

Referring to FIG. 2 and FIG. 3, the operation of the modules of the preferred embodiment of the network monitoring system 1 is described in detail below together with a network monitoring method, which comprises the following steps.

In step S31, the packet analysis module 11 captures at least one packet on the network and analyzes it to obtain analyzed packet information. In the preferred embodiment the analyzed packet information includes at least one of an authentication account, an Internet Protocol address, a Media Access Control address and protocol information. Note that the analyzed packet information can take different forms depending on the network application.

For example, if an employee whose authentication account is Jason has authenticated and is browsing the web, the analyzed packet information is as shown in Table 1 and the protocol information includes a web address. If an employee logs in to instant messaging software, the analyzed packet information is as shown in Table 2 and the protocol information includes an instant messaging type and an instant messaging account. If an employee sends mail, the analyzed packet information is as shown in Table 3 and the protocol information includes a mail account.

In step S32, the instant connection record processing module 12 compares the analyzed packet information with the group of person correspondence tables stored in the database 14. The group of person correspondence tables comprises a person basic data correspondence table, an instant messaging account correspondence table and a mail account correspondence table, all indexed by the identity code. In the preferred embodiment the comparison performed by the instant connection record processing module 12 proceeds in the order: authentication account, mail account, instant messaging account, Internet Protocol address, Media Access Control address. When any one of these comparisons succeeds (that is, data at least partially matching the analyzed packet information exists in the tables), step S33 follows; otherwise step S34 follows.

Continuing the example, suppose the group of person correspondence tables currently in the database 14 is as shown in Tables 4 to 6. For the analyzed packet information of Table 1, the authentication account matches an entry in the person basic data correspondence table of Table 4, yielding the corresponding identity code 201007271010000. Similarly, for the analyzed packet information of Table 2, the instant messaging account matches an entry in the instant messaging account correspondence table of Table 5, yielding the identity code 2010072710100002. For the analyzed packet information of Table 3, however, the mail account does not match any data in the mail account correspondence table of Table 6.

In step S33, the instant connection record processing module 12 produces, from the comparison result of step S32, an instant connection record including an identity field and at least one analysis information field, and updates the group of person correspondence tables in the database 14 with the analyzed packet information. The identity field records the identity code obtained by comparing the analyzed packet information with the tables, and the analysis information field records the analyzed packet information.

Continuing the example, the analyzed packet information of Table 1 produces the web instant connection record shown in Table 7, and that of Table 2 produces the instant messaging instant connection record shown in Table 8.

In step S34, the instant connection record processing module 12 produces, from the comparison result of step S32, an instant connection record including an identity field and at least one analysis information field, in which the identity field is recorded as a null value and the analysis information field records the analyzed packet information.

Continuing the example, the analyzed packet information of Table 3 produces the mail instant connection record shown in Table 9, whose identity field is recorded as null.

Note that the different types of instant connection record (such as those of Tables 7, 8 and 9) that the instant connection record processing module 12 produces according to the protocol information in the analyzed packet information are stored in the database 14 for the network administrator to query.

In step S35, the record reorganization update module 13 determines whether a predetermined time has elapsed. If it has, step S36 follows; otherwise the method returns to step S31 and continues to listen for packets on the network. In the preferred embodiment the predetermined time is set to one hour.

In step S36, the record reorganization update module 13 retrieves from the database 14 the instant connection records whose identity field was recorded as null within the predetermined time and groups them according to at least one association key. For example, instant connection records with the same Internet Protocol address are treated as one group, which makes it convenient for the administrator to monitor a particular group.

In step S37, the record reorganization update module 13 compares the grouped instant connection records whose identity field is null, one at a time, with the group of person correspondence tables according to a comparison key. The comparison key can be customized by the administrator; in the preferred embodiment it may be any of the authentication account, the Internet Protocol address or the Media Access Control address. If the comparison succeeds, step S38 follows; otherwise step S39 follows.

Continuing the example, the record reorganization update module 13 retrieves the mail instant connection record of Table 9, whose identity field is null, and compares it with the group of person correspondence tables using any of the authentication account, Internet Protocol address or Media Access Control address keys. Since no corresponding data exists for any of them, step S39 follows.

In step S38, the record reorganization update module 13 writes the identity code obtained through the comparison key into the instant connection record whose identity field was null, that is, it updates the identity field of the record with the corresponding identity code, and updates the group of person correspondence tables in the database 14 with the analyzed packet information of that record.

In step S39, the record reorganization update module 13 generates a new identity code, updates the identity field of the instant connection record with it, and adds the updated record to the group of person correspondence tables in the database 14.

Continuing the example, a new identity code 2010072710100003 is generated for the mail instant connection record of Table 9 and written both to that record and to the mail account correspondence table of Table 6; the updated mail instant connection record and mail account correspondence table are shown in Tables 10 and 11 respectively.

In step S40, the record reorganization update module 13 determines whether any instant connection record whose identity field is null remains. If so, the method returns to step S37; otherwise it returns to step S31.

With the instant connection record processing module 12 and the record reorganization update module 13 of the present invention, the network behavior of any person not yet present in the group of person correspondence tables can be monitored. Moreover, after update processing every instant connection record carries a corresponding identity code, which the network administrator can use as an index for related monitoring, control and maintenance, making network management more user-friendly. The object of the present invention is therefore achieved.

The foregoing is merely a preferred embodiment of the present invention and does not limit the scope of its implementation; simple equivalent changes and modifications made according to the claims and the description of the invention all remain within the scope covered by this patent.
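The procedure above (steps S31 to S40), and the summary steps (a) to (c-2) it elaborates, as an added example that is not the patent's code: a small Python model of the comparison order of step S32, the hourly reorganization of steps S36 to S40, and the updating of the correspondence tables. Table layouts, field names, the sample IP, MAC and account values and the identity-code format are assumptions; only the name Jason and the identity codes 201007271010000, 2010072710100002 and 2010072710100003 come from the page. It goes slightly beyond the page's example by adding a second unidentified packet from the same host as the Table 3 mail, to show that once a new identity code is assigned and the tables updated, later records in that group are matched by IP address.

```python
# Added example (not the patent's code); table layouts, sample values and the ID format are assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PacketInfo:
    """Analyzed packet information (S31); fields the packet lacks stay None."""
    auth_account: Optional[str] = None
    ip: Optional[str] = None
    mac: Optional[str] = None
    url: Optional[str] = None           # Table 1: web address
    im_account: Optional[str] = None    # Table 2: instant messaging account
    mail_account: Optional[str] = None  # Table 3: mail account


@dataclass
class Record:
    """Instant connection record: the identity field plus the analysis fields."""
    identity: Optional[str]
    info: PacketInfo


@dataclass
class Tables:
    """Group of person correspondence tables (Tables 4-6), indexed by identity code."""
    basic: dict = field(default_factory=dict)  # id -> {"auth": .., "ip": .., "mac": ..}
    im: dict = field(default_factory=dict)     # id -> {im_account, ...}
    mail: dict = field(default_factory=dict)   # id -> {mail_account, ...}
    next_seq: int = 3                          # assumed: date prefix + sequence number

    def lookup(self, key: str, value) -> Optional[str]:
        """Identity code whose entry matches value under key, else None."""
        if value is None:
            return None
        table = {"mail": self.mail, "im": self.im}.get(key)
        if table is not None:
            return next((i for i, s in table.items() if value in s), None)
        return next((i for i, b in self.basic.items() if b.get(key) == value), None)

    def update(self, identity: str, info: PacketInfo) -> None:
        """Fold the analyzed packet information into the tables (S33/S38/S39)."""
        basic = self.basic.setdefault(identity, {})
        for key, val in (("auth", info.auth_account), ("ip", info.ip), ("mac", info.mac)):
            if val is not None:
                basic[key] = val
        if info.im_account is not None:
            self.im.setdefault(identity, set()).add(info.im_account)
        if info.mail_account is not None:
            self.mail.setdefault(identity, set()).add(info.mail_account)

    def new_identity(self) -> str:
        """New identity code (S39); the format mimics the patent's example codes."""
        self.next_seq += 1
        return f"20100727101000{self.next_seq - 1:02d}"


ORDER_S32 = ("auth", "mail", "im", "ip", "mac")  # comparison order of step S32
ORDER_S37 = ("auth", "ip", "mac")                # comparison keys allowed in step S37


def match(tables: Tables, info: PacketInfo, order) -> Optional[str]:
    """Try each comparison key in turn; the first hit decides the identity."""
    values = {"auth": info.auth_account, "mail": info.mail_account,
              "im": info.im_account, "ip": info.ip, "mac": info.mac}
    for key in order:
        if (found := tables.lookup(key, values[key])) is not None:
            return found
    return None


def process_packet(tables: Tables, info: PacketInfo) -> Record:
    """Steps S32-S34: build the record; the tables are updated only on a match."""
    identity = match(tables, info, ORDER_S32)
    if identity is not None:
        tables.update(identity, info)
    return Record(identity, info)


def reorganize(tables: Tables, records: list) -> list:
    """Steps S36-S40: group the null records by IP, then resolve them one by one."""
    pending = [r for r in records if r.identity is None]
    pending.sort(key=lambda r: r.info.ip or "")  # S36: association key = IP address
    for rec in pending:                           # S37, repeated via S40
        identity = match(tables, rec.info, ORDER_S37)
        if identity is None:                      # S39: no match -> new identity code
            identity = tables.new_identity()
        rec.identity = identity                   # S38/S39: update the record ...
        tables.update(identity, rec.info)         # ... and the correspondence tables
    return records


def demo():
    """Walk the patent's example (Tables 1-11) on constructed sample traffic."""
    t = Tables()  # Tables 4-6: only "Jason" and the identity codes are from the patent
    t.basic["201007271010000"] = {"auth": "Jason", "ip": "192.0.2.10"}
    t.im["2010072710100002"] = {"im-user-b"}
    packets = [  # constructed: Tables 1-3, plus a second packet from Table 3's host
        PacketInfo(auth_account="Jason", ip="192.0.2.10", url="http://intranet.example/"),
        PacketInfo(ip="192.0.2.20", im_account="im-user-b"),
        PacketInfo(ip="192.0.2.30", mac="00:00:5e:00:53:01", mail_account="newhire@example.com"),
        PacketInfo(ip="192.0.2.30", url="http://intranet.example/"),
    ]
    records = [process_packet(t, p) for p in packets]  # S31-S34 during the hour
    before = [r.identity for r in records]             # Tables 7-9: last two are null
    reorganize(t, records)                             # S35-S40 once the hour elapses
    after = [r.identity for r in records]              # Table 10: new code assigned
    return before, after, t
```

Calling demo() returns the identity fields before and after reorganization together with the updated tables, so the effect of steps S38 and S39 on Tables 10 and 11 can be inspected directly.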

1 ... network monitoring system

11 ... packet analysis module

12 ... instant connection record processing module

13 ... record reorganization update module

14 ... database

2 ... electronic device

S31~S40 ... steps

5 ... network node

FIG. 1 is a network system architecture diagram illustrating a preferred embodiment of the network monitoring system of the present invention and the network system architecture in which the network monitoring system is applied;

FIG. 2 is a block diagram illustrating the preferred embodiment of the network monitoring system of the present invention; and

FIG. 3 is a flow chart illustrating the network monitoring method corresponding to the preferred embodiment.


Claims (10)

1. A network monitoring method, implemented in an electronic device, comprising the steps of: (a) obtaining analyzed packet information from at least one captured packet; (b) comparing the analyzed packet information against a group of personnel correspondence tables to generate a real-time connection record comprising an identity field and at least one analysis information field, wherein the group of personnel correspondence tables includes at least one identity code used as an index and the analysis information field records the analyzed packet information; if the group of personnel correspondence tables contains no entry that at least partially matches the analyzed packet information, the identity field is recorded as a null value; otherwise the group of personnel correspondence tables is updated with the analyzed packet information and the identity code of the at-least-partially matching entry is written into the identity field of the real-time connection record; and (c) after steps (a) and (b) have been repeated for a predetermined time, reorganizing and updating the real-time connection records whose identity field is recorded as null, wherein step (c) comprises the sub-steps of: (c-1) comparing one real-time connection record whose identity field is null against the group of personnel correspondence tables; if an entry is found that at least partially matches the analyzed packet information recorded in that record's analysis information field, updating the group of personnel correspondence tables with the analyzed packet information and writing the identity code of the matching entry into the record's identity field; otherwise generating a new identity code for that record, writing the new identity code into its identity field, and adding the updated record to the group of personnel correspondence tables; and (c-2) repeating sub-step (c-1) until no identity field remains null.

2. The network monitoring method of claim 1, wherein the analyzed packet information of step (a) includes at least one of an authentication account, an Internet Protocol address, a media access control address, and communication protocol information.

3. The network monitoring method of claim 1, wherein the group of personnel correspondence tables of step (b) includes a personnel basic-data correspondence table, an instant-messaging account correspondence table, and a mail account correspondence table, each indexed by the identity code.

4. The network monitoring method of claim 1, wherein in step (b) the comparison is performed in the order of an authentication account, a mail account, an instant-messaging account, an Internet Protocol address, and a media access control address contained in the analyzed packet information.

5. The network monitoring method of claim 1, further comprising a sub-step (c-3), performed before sub-step (c-1), of grouping the real-time connection records whose identity fields are recorded as null according to at least one association key, so that records sharing the same association key are placed in the same group.

6. A network monitoring system, comprising: a packet analysis module for receiving at least one packet and obtaining analyzed packet information from it; a real-time connection record processing module for comparing the analyzed packet information against a group of personnel correspondence tables to generate a real-time connection record comprising an identity field and at least one analysis information field, wherein the group of personnel correspondence tables includes at least one identity code used as an index and the analysis information field records the analyzed packet information; if the group of personnel correspondence tables contains no entry that at least partially matches the analyzed packet information, the identity field is recorded as a null value; otherwise the group of personnel correspondence tables is updated with the analyzed packet information and the identity code of the at-least-partially matching entry is written into the identity field of the real-time connection record; and a record reorganization update module for reorganizing and updating, at every predetermined interval, the real-time connection records whose identity field is recorded as null, wherein for each real-time connection record whose identity field is null the record reorganization update module compares that record against the group of personnel correspondence tables; if an entry is found that at least partially matches the analyzed packet information recorded in the record's analysis information field, it updates the group of personnel correspondence tables with the analyzed packet information and writes the identity code of the matching entry into the record's identity field; otherwise it generates a new identity code for that record, writes the new identity code into its identity field, and adds the updated record to the group of personnel correspondence tables.

7. The network monitoring system of claim 6, wherein the analyzed packet information includes at least one of an authentication account, an Internet Protocol address, a media access control address, and communication protocol information.

8. The network monitoring system of claim 6, wherein the group of personnel correspondence tables includes a personnel basic-data correspondence table, an instant-messaging account correspondence table, and a mail account correspondence table, each indexed by the identity code.

9. The network monitoring system of claim 6, wherein the real-time connection record processing module performs the comparison in the order of an authentication account, a mail account, an instant-messaging account, an Internet Protocol address, and a media access control address contained in the analyzed packet information.

10. The network monitoring system of claim 6, wherein the record reorganization update module further groups the real-time connection records whose identity fields are recorded as null according to at least one association key, so that records sharing the same association key are placed in the same group.
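The following Python program is an added worked example of the procedure in claims 1 through 10: the packet phase (steps (a) and (b)), the ordered comparison of claims 4 and 9, and the periodic reorganization with grouping by association key (claims 5 and 10 and sub-steps (c-1) to (c-3)). It is not the patent holder's code. The attribute names, the identity-code format, the choice of the IP/MAC pair as association key, the pre-provisioned entry for alice and the sample packets are all assumptions made for the illustration.

```python
# Added example modelled on claims 1-10 above, not the patent holder's code.
# Attribute names, the identity-code format, the association key and the
# sample packets are assumptions made for the illustration.
from collections import defaultdict
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Comparison order from claims 4 and 9: authentication account, mail account,
# instant-messaging account, IP address, MAC address (volatile keys last).
MATCH_ORDER = ("auth_account", "mail_account", "im_account", "ip", "mac")
# Association key for claims 5 and 10 (assumed here to be the IP/MAC pair).
ASSOC_KEY = ("ip", "mac")

@dataclass
class ConnectionRecord:
    """Real-time connection record: analysis info fields plus identity field."""
    info: dict                      # analyzed packet information
    identity: Optional[str] = None  # None models the claims' null value

class PersonnelTables:
    """Group of personnel correspondence tables indexed by identity code.
    people: code -> {attribute kind -> set of values}; one reverse index per
    attribute kind maps a value to the code that most recently presented it."""

    def __init__(self):
        self.people = {}
        self._index = {k: {} for k in MATCH_ORDER}
        self._seq = count(1)

    def new_identity(self) -> str:
        return f"ID{next(self._seq):04d}"

    def lookup(self, info: dict) -> Optional[str]:
        """Identity of the first attribute, in MATCH_ORDER, found in the tables."""
        for key in MATCH_ORDER:
            val = info.get(key)
            if val is not None and val in self._index[key]:
                return self._index[key][val]
        return None

    def update(self, ident: str, info: dict) -> None:
        """Store every identifying attribute present in info under ident."""
        person = self.people.setdefault(ident, {k: set() for k in MATCH_ORDER})
        for key in MATCH_ORDER:
            val = info.get(key)
            if val is not None:
                person[key].add(val)
                self._index[key][val] = ident  # latest binding wins

def process_packet(tables: PersonnelTables, info: dict) -> ConnectionRecord:
    """Steps (a)-(b): build a record; fill the identity field only on a match."""
    rec = ConnectionRecord(info=info)
    ident = tables.lookup(info)
    if ident is not None:
        tables.update(ident, info)
        rec.identity = ident
    return rec

def reorganize(tables: PersonnelTables, records: list) -> int:
    """Step (c): resolve every null identity field; returns new codes created."""
    created = 0
    while any(r.identity is None for r in records):      # (c-2)
        groups = defaultdict(list)                        # (c-3)
        for rec in records:
            if rec.identity is None:
                groups[tuple(rec.info.get(k) for k in ASSOC_KEY)].append(rec)
        for group in groups.values():
            for rec in group:                             # (c-1)
                # An earlier member of this group may already have taught the
                # tables the shared IP/MAC, so later members resolve by lookup.
                ident = tables.lookup(rec.info)
                if ident is None:
                    ident = tables.new_identity()
                    created += 1
                tables.update(ident, rec.info)
                rec.identity = ident
    return created

# Constructed sample traffic: alice is pre-provisioned in run_demo, bob is not.
SAMPLE_PACKETS = [
    {"auth_account": "alice", "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:01"},
    {"ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:01", "protocol": "HTTP"},
    {"mail_account": "bob@example.test", "ip": "10.0.0.9", "mac": "aa:bb:cc:00:00:02"},
    {"ip": "10.0.0.9", "mac": "aa:bb:cc:00:00:02", "protocol": "DNS"},
    {"im_account": "bob_im", "ip": "10.0.0.9", "mac": "aa:bb:cc:00:00:02"},
]

def run_demo():
    tables = PersonnelTables()
    tables.update(tables.new_identity(), {"auth_account": "alice"})
    records = [process_packet(tables, p) for p in SAMPLE_PACKETS]
    nulls_before = sum(r.identity is None for r in records)
    created = reorganize(tables, records)
    return tables, records, nulls_before, created

if __name__ == "__main__":
    for rec in run_demo()[1]:
        print(rec.identity, rec.info)
```

Running `run_demo()` shows the two phases: the first two packets resolve to alice's code during the packet phase (the second one only through the IP learned from the first), the three packets from 10.0.0.9 stay null, and the reorganization creates exactly one new code for bob, which the remaining two records in the same IP/MAC group then pick up by lookup, so bob's mail and instant-messaging accounts end up under one identity. Two design points a deployment should weigh: the reverse index adopts the latest binding for every key, so a re-leased DHCP address or a shared NAT address re-points the IP entry to whoever used it last; the comparison order in claims 4 and 9 keeps a strong identifier (the authentication account) from being overridden by such a volatile one, but IP and MAC bindings should still be expired rather than kept indefinitely.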
TW99143007A 2010-12-09 2010-12-09 Network monitoring method and its system TWI411263B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW99143007A TWI411263B (en) 2010-12-09 2010-12-09 Network monitoring method and its system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW99143007A TWI411263B (en) 2010-12-09 2010-12-09 Network monitoring method and its system

Publications (2)

Publication Number Publication Date
TW201225581A TW201225581A (en) 2012-06-16
TWI411263B true TWI411263B (en) 2013-10-01

Family

ID=46726237

Family Applications (1)

Application Number Title Priority Date Filing Date
TW99143007A TWI411263B (en) 2010-12-09 2010-12-09 Network monitoring method and its system

Country Status (1)

Country Link
TW (1) TWI411263B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW484282B (en) * 2000-04-10 2002-04-21 D Link Corp Monitoring management method of network exchange system to the online frame
US20060251000A1 (en) * 2002-10-01 2006-11-09 Williams Andrew G Arrangement and method for session control in wireless communication network
EP1932280A2 (en) * 2005-10-03 2008-06-18 Divitas Networks, Inc. Classification for media stream packets in a media gateway
US20080201772A1 (en) * 2007-02-15 2008-08-21 Maxim Mondaeev Method and Apparatus for Deep Packet Inspection for Network Intrusion Detection
US20080240128A1 (en) * 2007-03-30 2008-10-02 Elrod Craig T VoIP Security

Also Published As

Publication number Publication date
TW201225581A (en) 2012-06-16

Similar Documents

Publication Publication Date Title
CN102098316B (en) Systems and methods for associating private and public user identities
CN100395766C (en) Method and system for time limiting online game users
CN102932493B (en) Record stateless IP address
US8060602B2 (en) Network usage collection system
CN103546343B (en) The network traffics methods of exhibiting of network traffic analysis system and system
CN109379390B (en) Network security baseline generation method based on full flow
CN105207853A (en) Local area network monitoring management method
CN102497427B (en) Method and device for realizing data acquisition services of renewable energy source monitoring system
CN106850318A (en) The visualization of IMS signaling processes represents system, method and server
CN103606052A (en) Enterprise information management system
CN107122324B (en) A message transmission method and device
CN100438432C (en) Method and system for integrating multiple demand communication accounts
Bertolotti et al. Models of mail server workloads
CN115150207B (en) Industrial network equipment identification method and device, terminal equipment and storage medium
Wakup et al. Analyzing a TCP/IP-protocol with process mining techniques
CN105721274B (en) Method and device for integrating multiple instant messaging
TWI411263B (en) Network monitoring method and its system
US9400729B2 (en) System and method for determining topology of monitored entities
JP5662735B2 (en) How to improve call tracing
CN112235367A (en) Method, system, terminal and storage medium for subscribing entity behavior relation message
Humski et al. Building implicit corporate social networks: The case of a multinational company
CN111614726A (en) Data forwarding method, cluster system and storage medium
Yuan et al. Harvesting unique characteristics in packet sequences for effective application classification
CN105631559A (en) Enterprise information management system
CN100477604C (en) A method for monitoring network user data flow