Title Delayed network protocol proxy for packet inspection in a network
Abstract An intermediary device, which behaves as a proxy for two entities after the entities have established a connection between themselves, is disclosed, as is a method that may be performed by such a device. The intermediary device can inspect a complete message, whose parts may be spread among multiple separate packets, without engaging in handshake phases with the message's origin or destination. As a first entity negotiates connection parameters with a second entity, the intermediary device stores the connection parameters as the parameters flow through the intermediary device. After the two entities have established an original connection, the intermediary device uses the intercepted parameters to form two separate connections in the place of the original connection: one between the intermediary device and the first entity, and another between the intermediary device and the second entity. To the entities, the newly formed connections appear to be the same as the original connection.
Publication number US9118717(B2) Publication date 2015.08.25
Application number US200511061248 Filing date 2005.02.18
Applicant CISCO TECHNOLOGY, INC. Inventors Kahol Anurag;Majee Sumandra;Waterman Alex;Mathison Paul
Classification G06F15/16;H04L29/06;G06F15/177;H04L29/08 Main classification G06F15/16
Agent Hickman Palermo Becker Bingham LLP Attorney Hickman Palermo Becker Bingham LLP
Principal claim 1. A method of enabling an intermediary device to behave as a proxy device relative to two communicating entities after a connection already has been established between the two communicating entities, the method comprising the computer-implemented steps of: receiving, at the intermediary device, a Transmission Control Protocol (TCP) SYN/ACK packet that indicates one or more TCP parameters that a second entity has accepted for use in an original TCP connection between the second entity and a first entity for which the TCP SYN/ACK packet is destined; the intermediary device storing one or more of the TCP parameters in a connection block data structure, wherein the one or more TCP parameters include at least one of a) maximum segment size; b) window scale factor; c) a first flag that indicates whether time stamping will be used; or d) a second flag that indicates whether selective acknowledgement will be used; the intermediary device sending the TCP SYN/ACK packet toward the first entity; based on the one or more TCP parameters that are stored in the connection block data structure, the intermediary device creating a first TCP endpoint of a first TCP connection to the first entity; and based on the one or more TCP parameters that are stored in the connection block data structure, the intermediary device creating a second TCP endpoint of a second TCP connection to the second entity; using the intermediary device, creating a proxied TCP connection between the first entity and the second entity without negotiating TCP parameters with the first entity or the second entity, wherein the proxied TCP connection comprises the first TCP endpoint and the second TCP endpoint; in response to a data packet passing through the original connection, replacing the original connection with the proxied connection; the intermediary device accumulating a plurality of packets received via one of the first or second TCP endpoints, sending a corresponding TCP ACK packet for each of the plurality of packets on behalf of one of the first entity or second entity, and before forwarding the plurality of packets, assembling portions of the plurality of packets to form a message and inspecting the message; wherein the intermediary device comprises a computer system positioned between the two communicating entities.
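The sequence the abstract and claim 1 describe (watch the handshake, copy the SYN/ACK parameters into a connection block, splice on the first data packet, ACK each segment on the server's behalf, reassemble and inspect before forwarding), as an added example that is not part of the patent and not Cisco code. It assumes bare TCP segments with no IP header or checksum, a constructed HTTP exchange between ports 40000 and 80 with initial sequence numbers 1000 and 5000, a hypothetical `DelayedProxy` class whose `inspect` policy and `is_complete` message-boundary test are supplied by the caller, and a drop-and-reset policy for rejected messages; none of these come from the patent. Only the client-to-server direction is reassembled here; the claim covers either endpoint.

```python
import struct
from collections import namedtuple
from dataclasses import dataclass, field

# TCP flag bits and the option kinds claim 1 names (RFC 793, RFC 2018, RFC 7323).
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_OK, OPT_TS = 0, 1, 2, 3, 4, 8
Segment = namedtuple("Segment", "sport dport seq ack flags options payload")

def parse_options(raw):
    """Pull MSS, window scale, SACK-permitted and timestamp flags out of a TCP options field."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != OPT_EOL:
        kind = raw[i]
        if kind == OPT_NOP:
            i += 1
            continue
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if length < 2:  # malformed option length; stop rather than loop forever
            break
        if kind == OPT_MSS:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE:
            opts["wscale"] = body[0]
        elif kind in (OPT_SACK_OK, OPT_TS):
            opts["sack" if kind == OPT_SACK_OK else "timestamps"] = True
        i += length
    return opts

def parse_segment(data):
    """Parse a bare TCP segment (the constructed example carries no IP header)."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    doff = (off_flags >> 12) * 4
    return Segment(sport, dport, seq, ack, off_flags & 0x1FF, parse_options(data[20:doff]), data[doff:])

def build_segment(sport, dport, seq, ack, flags, options=b"", payload=b""):
    """Build a bare TCP segment; the checksum stays zero since there is no IP pseudo-header here."""
    options += b"\x00" * (-len(options) % 4)
    off_flags = (((20 + len(options)) // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0) + options + payload

@dataclass
class ConnectionBlock:
    params: dict                 # MSS, window scale, SACK and timestamp flags copied from the SYN/ACK
    client_seq: int              # next byte expected from the client
    server_seq: int              # next byte expected from the server
    spliced: bool = False        # True once the proxied connection has replaced the original
    pending: dict = field(default_factory=dict)  # out-of-order client payloads keyed by seq
    message: bytes = b""         # contiguous client bytes assembled so far
    message_seq: int = 0         # sequence number of message[0]

class DelayedProxy:
    def __init__(self, inspect, is_complete):
        self.blocks = {}                # (client_port, server_port) -> ConnectionBlock
        self.inspect = inspect          # message -> True to forward, False to drop
        self.is_complete = is_complete  # message -> True when a whole message is assembled

    def handle(self, raw):
        """Process one inbound segment; return the (destination, segment) pairs the proxy emits."""
        seg = parse_segment(raw)
        if seg.flags & SYN and seg.flags & ACK:
            # Store what the server accepted, then pass the SYN/ACK through unchanged.
            self.blocks[(seg.dport, seg.sport)] = ConnectionBlock(
                params=seg.options, client_seq=seg.ack, server_seq=seg.seq + 1)
            return [("to_client", raw)]
        cb = self.blocks.get((seg.sport, seg.dport))  # only client->server data is reassembled here
        if cb is None or not seg.payload:
            return [("pass", raw)]
        if not cb.spliced:  # first data packet: the proxied connection replaces the original
            cb.spliced, cb.message_seq = True, cb.client_seq
        cb.pending[seg.seq] = seg.payload
        while cb.client_seq in cb.pending:  # absorb every contiguous byte
            chunk = cb.pending.pop(cb.client_seq)
            cb.message, cb.client_seq = cb.message + chunk, cb.client_seq + len(chunk)
        # One ACK per received packet, sent on the server's behalf in the server's sequence space.
        out = [("to_client", build_segment(seg.dport, seg.sport, cb.server_seq, cb.client_seq, ACK))]
        if self.is_complete(cb.message):
            if self.inspect(cb.message):
                mss = cb.params.get("mss", 536)  # re-segment to the MSS the server announced
                for off in range(0, len(cb.message), mss):
                    out.append(("to_server", build_segment(seg.sport, seg.dport, cb.message_seq + off,
                                                           cb.server_seq, ACK | PSH, payload=cb.message[off:off + mss])))
            else:  # policy choice for this example: drop the message and reset the client side
                out.append(("to_client", build_segment(seg.dport, seg.sport, cb.server_seq, cb.client_seq, RST | ACK)))
            cb.message, cb.message_seq = b"", cb.client_seq
        return out

def demo():
    """Constructed exchange: client port 40000 -> server port 80, ISNs 1000 and 5000."""
    server_opts = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + bytes(8) + b"\x01\x03\x03\x07"  # MSS 1460, SACK ok, TS, NOP, wscale 7
    proxy = DelayedProxy(inspect=lambda m: b"../" not in m, is_complete=lambda m: m.endswith(b"\r\n\r\n"))
    proxy.handle(build_segment(40000, 80, 1000, 0, SYN, options=b"\x02\x04\x05\xb4"))
    proxy.handle(build_segment(80, 40000, 5000, 1001, SYN | ACK, options=server_opts))
    proxy.handle(build_segment(40000, 80, 1001, 5001, ACK))
    request = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    late = proxy.handle(build_segment(40000, 80, 1027, 5001, ACK | PSH, payload=request[26:]))  # second half arrives first
    done = proxy.handle(build_segment(40000, 80, 1001, 5001, ACK | PSH, payload=request[:26]))
    bad = b"GET /../etc/passwd HTTP/1.1\r\n\r\n"
    blocked = proxy.handle(build_segment(40000, 80, 1001 + len(request), 5001, ACK | PSH, payload=bad))
    return proxy.blocks[(40000, 80)].params, late, done, blocked

if __name__ == "__main__":
    print(demo())
```

Two things to notice when running `demo()`: the out-of-order first arrival is acknowledged with the unchanged cumulative ACK number and nothing is forwarded, and the forwarded message reuses the client's own sequence numbers and the server-announced MSS, so neither endpoint sees a renegotiated connection. A deployable version would also have to carry the stored window scale and timestamp flags into the ACKs it emits, compute real checksums over the IP pseudo-header, and reassemble the server-to-client direction symmetrically.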
Address San Jose CA US