Login
- Table of Contents
-
- H3C SecPath Security Products FAQ(V7)-6W101
- 00-Preface
- 01-AFT FAQ
- 02-Anti-virus FAQ
- 03-Application audit and management FAQ
- 04-APR FAQ
- 05-ASPF FAQ
- 06-Attack detection and prevention FAQ
- 07-Bandwidth management FAQ
- 08-Data analysis center FAQ
- 09-Data filtering FAQ
- 10-Device forwarding FAQ
- 11-DPI FAQ
- 12-FAQ on Intranet security comprehensive scoring (Security overview)
- 13-File filtering FAQ
- 14-IPsec FAQ
- 15-IPS FAQ
- 16-IRF FAQ
- 17-License management FAQ
- 18-Load balancing FAQ
- 19-Mirroring FAQ
- 20-NAT FAQ
- 21-NetShare control FAQ
- 22-PKI FAQ
- 23-RBM-based hot backup FAQ
- 24-Security zone FAQ
- 25-Security policy FAQ
- 26-SSL decryption FAQ
- 27-SSL VPN FAQ
- 28-System management and maintenance FAQ
- 29-URL filtering FAQ
- 30-User access and authentication FAQ
- 31-WAF FAQ
- 32-Web operations FAQ
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 21-NetShare control FAQ | 23.15 KB |
NetShare control FAQ
Q. What are methods to detect network sharing behaviors?
A. NetShare control uses the following methods to detect network sharing behaviors:
· APR-based detection:
The device analyzes the application layer information of packets based on the Application Recognition (APR)-based packet analysis to calculate the number of endpoints attached to a host. The device extracts the account, cookie, and other information to calculate the number of endpoints attached to a host and to detect the NetShare behaviors of endpoints.
· IPID trail tracking:
The IPID field in IP packet headers is a 16-bit field to uniquely identify an IP packet. The IPID value of packets sent by the same host is contiguous and incremental. If a source IP address has multiple IPID values, the user is a NetShare user. The number of endpoints attached can be appropriately determined by the number of IPID values.
Q. What are the restrictions and guidelines for using the NetShare control module?
A. If IPID trail tracking is disabled, the device can detect an endpoint only when QQ or WeChat exist on the endpoint.
Each application has a weight. An endpoint might have multiple applications, and the number of endpoints is the number of applications multiplied by the weight (rounded up to the nearest integer). The weight of QQ is 50%, and the weight of WeChat is 80%. For example, if endpoints have five QQ accounts and two WeChat accounts, the number of endpoints is 3, which is rounded up from max[5x50%,2x80%]=2.5. This method uses the weights obtained from experience and is not inaccurate.
IPID trail tracking might degrade the device performance.
IPID trail tracking can only detect PCs can cannot detect mobile endpoints (for example, mobile phones), whose IPIDs are not contiguous.
