CN101848214B

Movatterモバイル変換

Info

Publication number: CN101848214B
Application number: CN201010160380A
Authority: CN
Inventors: 郑龙; 李曙强
Original assignee: Datcent Technology Co Ltd
Current assignee: Datcent Technology Co Ltd
Priority date: 2010-04-30
Filing date: 2010-04-30
Publication date: 2012-10-03
Anticipated expiration: 2030-04-30
Also published as: CN101848214A

Abstract

The invention belongs to the technical field of computer and network security audit, and relates to an arbitrary positioning playback method and system based on RDP audit data, which comprises an RDP audit data server and an RDP playback client; the RDP audit data server comprises: the RDP proxy server and the audit data server; the RDP playback client comprises: the device comprises an audit data client, an RDP decoding module, a compression module, an RDP positioning module, an RDP playback module and an RDP playback interface module. The invention can realize the audit playback of RDP, arbitrarily position the playback, and quickly position the overlength audit content.

Description

Any location back method and system based on the RDP Audit data

Technical field

The invention belongs to computer and network security audit technical field, relate to a kind of playback technology of long-range RDP session audit content, a kind of specifically any location back method and system based on the RDP Audit data.

Background technology

Understand according to the applicant: along with computer and development of internet technology, growing field has been used computer and network, even many fields rely on computer and network basically fully; Especially the field of computer and network very dense; For example to the operation maintenance of computer and network, there are very high requirement in telecommunications room, data center, bank etc.; To the audit demand of O&M, also growing simultaneously.

Through applicant's research: O&M commonly used at present mainly contains modes such as TELNET, SSH, VNC, RDP.Preceding 2 is character mode, audit and playback, locate blowback ratio arbitrarily and better realize, simultaneously since the VNC server of main flow to the VNC agreement realize relatively good, its audit and playback, locate playback arbitrarily and also can realize smoothly.And the RDP agreement is the Microsoft of Microsoft design and has realized the server and client side in its Windows operating system; And process is discovered the RDP agreement, realize audit and playback, and problem is little; But realize locating arbitrarily playback, still there is very big difficulty in prior art.

Find through research summary: influence the main difficult point that RDP locatees playback arbitrarily and exist: a kind of agreement that (1) RDP agreement relies on before and after being, navigate to afterbody, and the data that rely on maybe be at head, also maybe be in the centre uncertain position; (2) realization of RDP agreement itself is to realize with C/C++, and owing to be that Microsoft grasps, adds that the overwhelming majority all is on windows platform, so the code of increasing income is C/C++ basically also, does not have the version of Pascal.This mainly is because the design philosophy of RDP agreement is utilized the TCP/IP network exactly, and target Windows computer is carried out Long-distance Control, and data volumes such as mouse-keyboard are less; And the screen picture data volume is very big, thus the RDP design of protocol notion of data buffering, that is to say certain image if repeat; Then server can re-transmitted not given client, and just tells client in buffering (calculator memory), to fetch data, if therefore directly store RDP protocol data record; The normal sequence playback, problem is little, but in case will locate playback arbitrarily; Gently then picture is imperfect, and is heavy then picture chaotic, loses the location meaning.

Also have at present some such as value rule of thumb read in advance forward, technology such as reconstructed image data; Realize the instance of RDP positioning playing; But owing to can not guarantee 100% to read enough data in advance, can not rebuild complete data; Especially running into is the audit content of long or overlength, locatees playback arbitrarily and almost can not satisfy application.

Summary of the invention

Technical problem to be solved by this invention is: to the shortcoming of above prior art existence; A kind of any location back method and system based on the RDP Audit data proposed; Realized the audit playback of RDP, located playback arbitrarily, also can locate rapidly overlength audit content.

The technical scheme that the present invention solves above technical problem is:

Any location back method based on the RDP Audit data, carry out according to the following steps:

(1) tackles the RDP protocol data bag that all RDP servers send to the RDP client through the RDP acting server from tcp protocol layer;

(2) the RDP packet of intercepting is recorded in the storage medium disk file through the storage format of setting, the storage format of said setting is the Audit data form of band timestamp, length and serial number information;

When (3) writing down the RDP Audit data, zero-time, client-side information, session number and the state of the operation of record RDP O&M in database;

(4) RDP playback client is connected to the Audit data Service-Port through long-range TCP; The RDP Audit data of queued session numbering; The Audit data server is according to request; With the file content of the session number of correspondence, encapsulate by the storage format of setting, send to RDP playback client with the form of packet;

(5) after RDP playback client receives packet, unpack, take-off time stabs, and takes out real RDP packet according to length;

(6) RDP playback client obtains the real laggard line translation of RDP packet: 1. screen drawing commonly used is upgraded, be decoded in the temporary file; 2. with the data of memory copying, from internal memory, obtain, be written in the temporary file; 3. in internal memory, keep virtual screen, various screen drawings are upgraded orientation output on the virtual screen, by certain algorithm at interval, sampling full-screen image data as key frame, record in the temporary file; 4. according to writing the loosening degree of temporary file data, compress, the key message that compression sign and decompressions are needed and compress after data write in the temporary file;

(7) playback module is started working, and reads the data in the temporary file, then carries out decompress(ion) if any the compression sign, obtains 3 kinds of data: normal drawing, special drawing and key frame are drawn.

Locate playback system arbitrarily based on the RDP Audit data, comprise RDP Audit data service end and RDP playback client; RDP Audit data service end comprises: the RDP acting server: RDP is provided agent functionality, and in the agency, carries out Data Audit, store disk file into; Audit data server: wait for and the connection of response Audit data client, read and Location Request; RDP playback client comprises: the Audit data client: connect the Audit data server, and receive Audit data; RDP decoder module: the Audit data that receives is carried out dissection process, reaches the form conversion, in handling conversion process, select whether the data after the conversion are carried out compression memory automatically as required; Compression module: the data after the conversion are carried out processed compressed, simultaneously the data of compressing are decompressed to discharge and launch the reduction True Data; RDP locating module: the data after the conversion are carried out the search of special algorithm, to confirm the correctly exact position of playback; RDP playback module: the data after the conversion are carried out image restoring, simultaneously pictorial element is outputed to the viewing area of RDP playback interface, run into the data of compressing and call compression module automatically and carry out decompression; RDP playback interface module: be responsible for and user interactions, accept playback, suspend, stop and Location Request.

Technical scheme as the further qualification of the present invention: in the step (1), the type of RDP protocol data bag comprises background filling, pinup picture, setting-out, screen copy and memory copying.In the step (2), the RDP packet-filename that records in the storage medium disk file is claimed to stab the Hour Minute Second millisecond name of character string date with 17 bit times.The storage format that step (2) and (4) are set is the Audit data form of band timestamp, length and serial number information.

In the step (7), playback module adopts the method for format conversion to realize the location playback: 1. handle through the pre decoding to the RDP Audit data, various plotting motions and data are discerned, record file; 2. run into the data that have front and back to rely on and all discharge expansion, also record file; 3. the Audit data after the conversion is pressed sequential playback from the beginning to the end; 4. if the screen area image that part appears in the playback meeting of any location not to be had to change lacks, make up full frame key frame, record file.

The present invention mainly contains following innovation and advantage: the present invention has carried out investigation extensively and profoundly, has overcome all difficulties, has realized any location playback of RDP Audit data with growing out of nothing, has filled up the blank in this field; That the present invention designs is ingenious, thinking is novel, maintains the leading position in this field at present; The present invention to overlength audit content also can be accurately, location promptly, efficient is very high, can save great amount of time for the invention end user, increases work efficiency; The present invention has used data compression technique, has greatly improved the utilance of memory device, can save the fund input of memory device greatly for the invention end user, and high economic benefit is arranged; The present invention adopts the modularized program design, the plug-in unit programming, and clear in structure, reliable and stable, can let the invention end user be easy to, use easily the present invention.

Description of drawings

Fig. 1 is based on the integral body connection block diagram that the RDP Audit data is located playback system arbitrarily.

Fig. 2 is the connection block diagram of RDP playback client.

Fig. 3 is a location playback sketch map.

Embodiment

Embodiment one

Present embodiment is applied in certain IT basic facilities operation management system, is used for visit, the operation of RDP class are audited.Its concrete deployment way is:

At Linux deploy RDP acting server, Audit data server, and the necessary parameter of service end such as configuration store medium, port, database parameter; Anyly like this carry out the visit of RDP class, operation etc., all will be recorded storage medium, for the client playback through the RDP acting server;

In Windows deploy RDP playback client, parameters such as the IP address of setting Audit data server, port are so that can obtain Audit data, with playback.

Locate playback system arbitrarily based on the RDP Audit data and form by RDP Audit data service end and RDP playback client, as shown in Figure 1.

RDP Audit data service end comprises:

RDP acting server: be responsible for providing the RDP agent functionality, and in the agency, carry out Data Audit, store disk file into.

The Audit data server: be responsible for to wait for and the connection of response Audit data client, read, request such as location.

RDP playback client is as shown in Figure 2, comprises:

Audit data client: be responsible for connecting the Audit data server, and receive Audit data.

RDP decoder module: be responsible for the Audit data that receives is carried out dissection process, reaches form conversion etc., in handling conversion process, with selecting whether the data after the conversion are carried out compression memory automatically as required.

Compression module: be responsible for the data after the conversion are carried out processed compressed, practice thrift disk space to a great extent.Simultaneously the data of compressing are decompressed to discharge and launch the reduction True Data.

RDP locating module: be responsible for the data after the conversion are carried out the search of special algorithm, to confirm the correctly exact position of playback.

RDP playback module: be responsible for the data after the conversion are carried out image restoring, simultaneously pictorial element outputed to the viewing area of RDP playback interface.Running into the data of compressing will call compression module automatically and carry out decompression.

RDP playback interface module: be responsible for and user interactions, accept playback, suspend, stop and request such as location.

Relation between the module is following:

The RDP client connects the RDP acting server, and through acting server visit Windows main frame, the RDP acting server will produce Audit data automatically this moment.

The Audit data server is in wait state, waits for that the Audit data client of RDP playback client connects.

The Audit data client successfully connects after the Audit data server, automatically request msg.

The request of Audit data server response Audit data client is transferred to the Audit data client with Audit data through ICP/IP protocol.

The Audit data client passes to the RDP decoder module with the data of receiving.

The RDP decoder module carries out dissection process and carries out format conversion according to various situation data according to the RDP agreement.

Whether the data of RDP decoder module after according to conversion loose, whether needs compression, calls compression module automatically, carries out data compression, stores in the temporary file.

The RDP playback module is reading of data the temporary file after conversion then, carries out image restoring, simultaneously pictorial element is outputed to the viewing area of RDP playback interface.

The RDP playback module is incited somebody to action the data of compressing, and calls compression module automatically and carries out decompression.

The user assigns various instructions (playback, suspend, stop, location etc.) through RDP playback interface module.If play-back command, RDP playback interface module can be coordinated each module and turn round continuously, makes to reach smooth playback effect by output image continuously.If pause instruction, RDP playback interface module can order the RDP playback module temporarily to stop image output.If positioning instruction, RDP playback interface module can pass to the RDP locating module with the parameter of location, and the RDP locating module positions action according to parameter.If halt instruction, RDP playback interface module can order each module to quit work.

Any location back method based on the RDP Audit data is following:

The RDP acting server is tackled the RDP protocol data bag that all RDP servers send to the RDP client from tcp protocol layer, and type of data packet mainly is that screen drawing upgrades: background is filled (FillRect), pinup picture (bitblt), setting-out (Line), screen copy (ScrollWindow), memory copying (MemBlt) etc.

The format record that the RDP packet of intercepting passes through to set is in the storage medium disk file, and file name is to stab character string date Hour Minute Second milliseconds (YYYYMMDDHHMMSSXYZ) name with 17 bit times.Setting storage format is the Audit data form of band timestamp (TimeStamp), length (Length), sequence number information such as (ID).

In the time of record RDP Audit data, the zero-time (StartTime) of record RDP O&M operation, client-side information (IP/Port), session number (SessionID), state (Status) etc. in database.Wherein session number is corresponding with the filename of record, plays the effect of index.

RDP playback client is connected to Audit data Service-Port (7776) through long-range TCP, the RDP Audit data of queued session numbering.Server is according to request, with the file content of respective session numbering, encapsulates by setting storage format, sends to client with the form of packet.

After RDP playback client receives packet, need unpack: take-off time stabs, takes out real RDP packet according to length.

Obtain just can carry out conversion behind the real RDP packet: 1. screen drawing commonly used is upgraded, be decoded in the temporary file; 2. with special data such as memory copyings, from internal memory, obtain, be written in the temporary file; 3. in internal memory, keep simultaneously virtual screen, various screen drawings are upgraded orientation output on this virtual screen, by certain algorithm at interval, sampling full-screen image data as key frame, record in the temporary file; 4. according to writing the loosening degree of temporary file data, compress, the key message that compression sign and decompressions are needed and compress after data write in the temporary file.

Above-mentioned conversion process uninterruptedly carries out on the backstage continuously; Along with the continuous conversion of data generates; Real playback module is started working: read the data in the temporary file, then carry out decompress(ion) if any the compression sign, the data that therefore acquire have 3 kinds: normal drawing, special drawing, key frame are drawn.Wherein special drawing is owing to being not relied on the data of front, so even locate playback arbitrarily, can not lack; Unique flaw is that some screen area does not change for a long time, causes local nothing to be drawn and refreshes, and influences the playback effect; The while key frame is dispersed in the temporary file after the conversion almost evenly, also can remedy the local screen area of not drawing and refreshing that as early as possible.

Consider as wanting to carry out perfect flawless location playback; Can location algorithm be omited the inching strategy: locate granularity as minimum with key frame; Hypothesis treats that playback of data contains 1000 key frames for one section like this, and so minimum location granularity is about 1/1000=0.1%, supposes to contain 100 key frames; Then minimum location granularity is about 1%, satisfies fully and uses.

Because the design of RDP agreement has been doomed directly to realize locating playback; Can only adopt the method for format conversion, as shown in Figure 3, figure ABCD..XYZ representes indivisible minimum data; 1. represent normal decoder; 2. expression discharges and launches, and 3. expression makes up key frame, 4. representes loose data are compressed.Pre decoding through to the RDP Audit data is handled, and various plotting motions and data are discerned, and records file, runs into the data that have front and back to rely on and all discharges expansion, also records file.Because the particularity of RDP agreement, and in order greatly to reduce the storage overhead, the Audit data after the conversion only is fit to sequential playback from the beginning to the end; If the screen area image that the playback meeting of any location part occurs and do not have to change lacks.Therefore as remedial measure, the full frame key frame of suitable structure records file.After the effect of full frame key frame was feasible location playback arbitrarily, picture can regain one's integrity as early as possible.

The present invention can also have other execution mode, and the technical scheme that equal replacement of all employings or equivalent transformation form all drops within the scope of requirement protection of the present invention.

Claims

1. based on any location back method of RDP Audit data, it is characterized in that: carry out according to the following steps:

⑴ send to the RDP protocol data bag of RDP client from all RDP servers of tcp protocol layer interception through the RDP acting server;

⑵ record the RDP protocol data bag of intercepting in the storage medium disk file through the storage format of setting, and the storage format of said setting is the RDP Audit data form of band timestamp, length and serial number information;

⑶ in the time of record RDP Audit data, zero-time, client-side information, session number and the state of the operation of record RDP O&M in database;

⑷ RDP playback client is connected to the Audit data Service-Port through long-range TCP; The corresponding RDP Audit data of queued session numbering; The Audit data server is according to request; The corresponding file content is numbered in session, encapsulate, send to RDP playback client with the form of packet by the storage format of setting;

⑸ after RDP playback client receives packet, unpack, take-off time stabs, and takes out real RDP protocol data bag according to length;

⑹ RDP playback client obtains the real laggard line translation of RDP protocol data bag: 1. screen drawing commonly used is upgraded, be decoded in the temporary file; 2. with the data of memory copying, from internal memory, obtain, be written in the temporary file; 3. in internal memory, keep virtual screen, various screen drawings are upgraded orientation output on the virtual screen, by certain algorithm at interval, sampling full-screen image data as key frame, record in the temporary file; 4. according to writing the loosening degree of temporary file data, compress, the key message that compression sign and decompressions are needed and compress after data write in the temporary file;

⑺ the playback module in the RDP playback client is started working, and reads the data in the temporary file, then carries out decompress(ion) if any the compression sign, obtains 3 kinds of data: normal drawing, special drawing and key frame are drawn.

2. any location back method based on the RDP Audit data as claimed in claim 1 is characterized in that: among the said step ⑴, the type of RDP protocol data bag comprises background filling, pinup picture, setting-out, screen copy and memory copying.

3. any location back method based on the RDP Audit data as claimed in claim 1; It is characterized in that: among the said step ⑵, the RDP protocol data APMB package title that records in the storage medium disk file is stabbed the Hour Minute Second millisecond name of character string date with 17 bit times.

4. any location back method based on the RDP Audit data as claimed in claim 1 is characterized in that: the storage format that said step ⑵ and ⑷ set is the Audit data form of band timestamp, length and serial number information.

5. any location back method based on the RDP Audit data as claimed in claim 1; It is characterized in that: among the said step ⑺; Playback module adopts the method for format conversion to realize the location playback: 1. handle through the pre decoding to the RDP Audit data; Various plotting motions and data are discerned, recorded file; 2. run into the data that have front and back to rely on and all discharge expansion, also record file; 3. the RDP Audit data after the conversion is pressed sequential playback from the beginning to the end; 4. if the screen area image that part appears in the playback meeting of any location not to be had to change lacks, make up full frame key frame, record file.

6. be used for that claim 1 is said locatees the system of back method arbitrarily based on the RDP Audit data, comprise RDP Audit data service end and RDP playback client, it is characterized in that:

Said RDP Audit data service end comprises:

RDP acting server: RDP is provided agent functionality, and in the agency, carries out Data Audit, store disk file into;

Audit data server: wait for and the connection of response Audit data client, read and Location Request;

Said RDP playback client comprises:

Audit data client: connect the Audit data server, and receive the RDP Audit data;

RDP decoder module: the RDP Audit data that receives is carried out dissection process, reaches the form conversion, in handling conversion process, select whether the data after the conversion are carried out compression memory automatically as required;

Compression module: the data after the conversion are carried out processed compressed, simultaneously the data of compressing are decompressed to discharge and launch the reduction True Data;

RDP locating module: the data after the conversion are carried out the search of special algorithm, to confirm the correctly exact position of playback;

RDP playback module: the data after the conversion are carried out image restoring, simultaneously pictorial element is outputed to the viewing area of RDP playback interface, run into the data of compressing and call compression module automatically and carry out decompression;

RDP playback interface module: be responsible for and user interactions, accept playback, suspend, stop and Location Request.