A multi-layer protocol stack structure is employed in the existing communication network. For example, four-layer protocol stack structure employed in TCP/IP network includes from top to button: an application layer, a transport layer, an internet layer and a link layer. Therefore, a packet transmitted in the existing communication network usually adopts a multi-layer protocol encapsulation format, i.e., protocol headers corresponding to multiple layer protocol stacks are encapsulated in turn outside of the payload of the packet.
Identifying data content includes identifying every layer protocol header of the packet and specific contents in the payload of the packet, or identifying contents of a data fragment in a data stream. According to identifying results, the method for identifying data content may be divided into two classes: one method is for identifying a protocol to which the data belongs; the other method is for identifying a service application of the data. The service application includes, except protocols, applications which can be identified from the contents of the data, such as an attack, virus, designated operation, etc. The method for identifying data content is applied abroad in various data processing devices in the communication network. For example, a bandwidth management device identifies the protocol to which the data content belongs, and further performs bandwidth restriction according to the protocol to which the data belongs. An Intrusion Detection System/Intrusion Prevention System (IDS/IPS) and some anti-virus products identify a service application of the data (attack, virus, etc.), and further perform resisting operation or give an alarm according to the identified service application.
However, in the prior art, identifying schemes for different protocols and service applications are different, and every data processing device identifies certain data content separately. For example, the bandwidth management device identifies the protocol to which the data belongs, while the anti-virus product identifies viruses in the data. Moreover, new identifying schemes need to be developed for newly extended protocols and service applications.
Therefore, in the prior art, the method for identifying data content has a single function and has no good scalability.