CN101459489A - Deep packet detection device and method - Google Patents
Deep packet detection device and method Download PDFInfo
- Publication number
- CN101459489A CN101459489A CNA2007101985547A CN200710198554A CN101459489A CN 101459489 A CN101459489 A CN 101459489A CN A2007101985547 A CNA2007101985547 A CN A2007101985547A CN 200710198554 A CN200710198554 A CN 200710198554A CN 101459489 A CN101459489 A CN 101459489A
- Authority
- CN
- China
- Prior art keywords
- keyword
- message
- sign
- detected
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a device of depth message detection and method thereof, wherein the method comprises the following steps: firstly sending to-be-detected message data to a depth message detection device by a network processor, including a to-be-detected message and additional control information of the network processor, wherein the control information comprises current to-be-detect keyword information, secondly detecting by the depth message detection device according to the to-be-detected message data sent by the network processor, continuing to detect according to allocation of whether conducting further detection and the next keyword information when detecting the current to-be-detected keyword, until to unable to detect a certain keyword or detect that all keywords are detected, and recording the detection results by the depth message detection device, finally returning the detection results to the network processor by the depth message detection device. The device and the method of the invention can strengthen the detection function, and provide forceful support for the upper software processing.
Description
Technical field
The present invention relates to data communication field, especially a kind of based on hard-wired deep packet detection device and method.
Background technology
Along with the fast development of Internet technology, the content of carrying on network is also more and more abundanter, and Internet service provider provides increasing service content to the client, and these services simultaneously are again to distinguish according to different application.This just requires the network equipment that complicated message processing capability can be provided, can distinguish different application, previously used application layer 2-4 heading information has been not enough to distinguish heterogeneous networks and has used, now for meticulousr differentiation message, usually the information that needs detection messages 5-7 layer, even need to check message content.Except distinguishing message, the occasion of some special applications also needs content of message is checked sometimes, such as the search to special key words.Realize that these functions just need deep packet detection device.
The realization of deep message detection at present is to use software approach, checks message content by network processing unit, and this method processing speed is slower, and increases the primary processor burden and the demand that more and more is not suitable for developing.
Summary of the invention
The technical problem to be solved in the present invention provides equipment and the method that a kind of deep message detects, and detects to realize the hardware message, alleviates the network processing unit burden, improves and detects treatment effeciency.
For solving the problems of the technologies described above, the invention provides a kind of deep packet detection device, this deep packet detection device comprises Data Input Interface control and buffer area, message detection processing module and data output interface, wherein Data Input Interface control and buffer area are used for receiving data from network processing unit, and with metadata cache in the inner buffer district; This message detects processing module and is used for detecting and write down testing result according to the message data to be detected that network processing unit sends; Data output interface is used to read message and testing result, and sends to network processing unit.
Further, this message detects processing module and comprises the data buffer area that memory, message detection sub-module, result organize submodule, are used for the control information buffer area of buffer memory control information and are used for the buffer memory message data, wherein,
Memory is used for storage depth packet detection apparatus whole keywords and control information to be detected;
The stored information that the message detection sub-module is used for the data that receive according to Data Input Interface control and buffer area and the plug-in memory of field programmable gate array is carried out that message detects and is sent testing result to molded tissue block as a result;
The result organizes submodule to be used for testing result with the message detection sub-module by the desired format organization of control information buffer area, and after testing process finishes with these testing result write control information buffer areas, and in the message testing process, the message data that had detected is write data buffer area.
Further, the control information of memory stores comprises keyword effective marker, the sign that need further search, the groups of keywords sign of further searching and keyword sign, memory also is used for keyword is split into the length that subregion can be supported, leave different subregions respectively in, and with chained list of these subregions compositions, the preceding deployment of keyword is further searched sign and current keyword is the sign of the part of certain longer keyword.
Further, the message detection sub-module is used for carrying out doubtful coupling according to the message that network processing unit sends; Result according to doubtful coupling chooses corresponding data in the message, and does the address that Hash operation produces keyword in the memory with data of choosing and group id, and the content that reads is wherein accurately mated, and returns testing result; When detecting current keyword to be detected, proceed detection,, return the detection end mark up to detecting certain keyword or detecting all keywords according to the configuration and the next keyword message that whether further detect.
Further, when detecting all keywords, the testing result that the result organizes the deep packet detection device of submodule write control information buffer area to return comprises number of times that keyword detects, detects successfully indicate, the information of last keyword and the information of detected each keyword, wherein the information of last keyword comprises group id, sign knowledge and the position in message thereof of this last keyword, and the information of each keyword comprises the group id of all keywords, sign knowledge and the position in message thereof; When only detecting partial key, the testing result that deep packet detection device returns comprises the information of number of times and detected each keyword of detection, and wherein the information of each keyword comprises group id, sign knowledge and the position in message thereof of detected each keyword.
Further, this deep packet detection device adopts field programmable gate array and plug-in memory to realize.
A kind of method that adopts above-mentioned deep packet detection device to carry out the deep message detection, this method may further comprise the steps:
(a) send message data to be detected by network processing unit to deep packet detection device;
(b) deep packet detection device detects according to the message data to be detected that network processing unit sends;
(c) deep packet detection device returns testing result and gives network processing unit.
Further, the message data to be detected that network processing unit sends in the step (a) comprises message to be detected and the additional control information of network processing unit, this control information comprises current groups of keywords sign to be detected, when the message data to be detected that deep packet detection device sends according to network processing unit in the step (b) detects, further comprise:
(b1) extract current groups of keywords to be detected sign;
(b2) carry out doubtful coupling scanning,, then extract keyword and accurately mate if find doubtful coupling;
(b3) if accurately mate, then according to further whether the configuration and the next keyword message of detection judge whether further detection;
(b4) further detect as needs, then replace current groups of keywords sign with next groups of keywords sign to be detected, repeating step (b2) is to (b3); Otherwise detection of end.
Further, the control information that network processes is added in the step (a) also comprises searches original position, the information that deep packet detection device extracts in the step (b1) also comprises searches original position, begins to carry out doubtful coupling scanning from searching original position in the step (b2).
Method as claimed in claim 8 is characterized in that, step (b2) further comprises:
(b21) carry out doubtful coupling, if find doubtful coupling, then the result according to doubtful coupling chooses corresponding data in the data flow;
(b22) obtain the keyword address according to current group id to be detected and the data of choosing by Hash operation, read keyword;
(b23) with this keyword and the data of choosing byte comparison one by one, comparative result is identical, and expression is coupling accurately.
Further, when detecting all keywords, the testing result that deep packet detection device returns comprises number of times that keyword detects, detects successfully indicate, the information of last keyword and the information of detected each keyword, wherein the information of last keyword comprises group id, sign knowledge and the position in message thereof of this last keyword, and the information of each keyword comprises the group id of all keywords, sign knowledge and the position in message thereof; When only detecting partial key, the testing result that deep packet detection device returns comprises the information of number of times and detected each keyword of detection, and wherein the information of each keyword comprises group id, sign knowledge and the position in message thereof of detected each keyword.
Further, the employed deep packet detection device of this method adopts memory stores whole keywords and control information to be detected, described control information comprises keyword effective marker, the sign that need further search, the groups of keywords sign of further searching and keyword sign, memory also is used for keyword is split into the length that subregion can be supported, leave different subregions respectively in, and with chained list of these subregions compositions, the preceding deployment of keyword is further searched sign and current keyword is the sign of the part of certain longer keyword.
Compared to prior art, message depth detection equipment of the present invention and method have realized that the hardware message detects, can alleviate the network processing unit burden, improve and detect treatment effeciency, and present device and method detect at message content, realized the message depth detection, after retrieving first keyword, carry out the whether further judgement of retrieval, thereby can realize detection to a plurality of keywords, and can return the result who repeatedly searches, strengthening measuring ability, and handle for upper layer software (applications) stronger support is provided.In addition, the keyword that length surpasses a plug-in memory items is decomposed, can make the inventive method realize the random length keyword is retrieved by plug-in memory.
Description of drawings
Fig. 1 is the deep packet detection device module frame chart that the inventive method adopts.
Fig. 2 is that the schematic flow sheet that deep message detects is carried out in deep packet detection device of the present invention inside.
Fig. 3 is the process chart of message detection sub-module in the deep packet detection device of the present invention.
Embodiment
As shown in Figure 1, deep packet detection device of the present invention adopts on-site programmable gate array FPGA to detect engine as deep message, this deep packet detection device comprises: Data Input Interface control and buffer area 101, message detect processing module and data output interface 106, below each Elementary Function are specifically introduced:
Data Input Interface control and buffer area 101: be used for receiving data from network processing unit, and with metadata cache in the inner buffer district;
Message detects processing module: be used for detecting and write down testing result according to the message data to be detected that network processing unit sends.
Data output interface 106: read message and testing result, and send to network processing unit.
Particularly, message detects processing module and comprises that message detection sub-module 102, result organize submodule 103, the plug-in memory 104 of FPGA, control information buffer area and data buffer area 105, and the functional description of each several part is as follows:
Message detection sub-module 102: be used for carrying out the message detection, return the lookup result of detection and organize submodule 103 to the result according to the message of network processing unit transmission and the content of the plug-in memory stores of FPGA.This message detection sub-module detects according to the message data to be detected that network processing unit sends, when detecting current keyword to be detected, whether further configuration and next keyword message according to detection are proceeded to detect, and detect end up to detecting certain keyword or detecting all keywords.
When this module detects keyword to be detected, at first from message, obtain the group id listid of keyword to be detected and search original position startpos.Begin to scan message from the startpos position, carry out doubtful coupling.After in case doubtful coupling has been arranged, result according to doubtful coupling chooses corresponding data key in the message, do the keyword address that Hash operation produces the plug-in memory 104 of FPGA with data key and group id listid then, read the content of the plug-in memory 104 of FPGA afterwards, be used for accurate coupling (by the keyword of byte comparing data key and memory one by one), return testing result, and the configuration that further detects according to whether and next keyword message are proceeded to detect, up to detecting certain keyword or detecting all keywords, return the detection end mark.
The result organizes submodule 103: message detection sub-module 102 all can produce a testing result at the detection of each keyword.This module with these testing results by the desired format organization of control information buffer area, and after testing process finishes with these testing result write control information buffer areas.In the message testing process, the message data that this module will detect simultaneously writes data buffer area.
The comparative result that the result organizes submodule that the message detection sub-module is returned is organized into the form that the control information buffer area can be discerned, the keyword that need detect owing to a message has a plurality of, so it is a plurality of that the comparative result that returns also has, in this present invention these information are divided into two groups of write control information buffer areas, write one group, so need just can write for twice at every turn.And message content is write data buffer area, this operation is carried out in the keyword search process, Yi Bian search key, to finish the data of searching writes data buffer area on one side, adopt the control information buffer area,, make operation simple more efficient with the data buffer area separate operation.In case the control information buffer area has data, represent currently have at least a message to finish deep message to detect, deep packet detection device is just read data and control information from corresponding cache region, the message format that returns to the network processing unit regulation according to packet detection apparatus reorganizes message, and sends it back network processing unit.
The plug-in memory 104 of FPGA: whole keywords and control information that the storage depth packet detection apparatus is to be detected, concrete control information will describe in detail below.
Control information buffer area and data buffer area 105: be used for buffer memory control information and message data.
The method that adopts above-mentioned deep packet detection device to carry out the deep message detection may further comprise the steps:
Step 1: send message data to be detected to deep packet detection device by network processing unit;
Step 2: deep packet detection device detects according to the message data to be detected that network processing unit sends, and the record testing result;
Step 3: deep packet detection device returns testing result and gives network processing unit.
Below divide four parts that the inventive method is elaborated:
One: network processing unit sends to the data structure of the message to be detected of deep packet detection device;
Two: deep packet detection device inside is to detecting the information processing flow process;
Three: deep packet detection device returns to the message data structure of network processing unit;
Four: the plug-in memory data of deep packet detection device is organized structure;
Network processing unit sends to the data structure of the message to be detected of deep packet detection device
The message that network processing unit sends comprises two parts, the one, the message content that network processing unit receives from circuit (being the message data byte the following table), the 2nd, the control information that network processing unit is additional, these control informations comprise the groups of keywords sign and search original position, wherein:
Groups of keywords sign: the group id of representing current keyword to be detected, the address that in testing process, is used for doubtful coupling and produces deep packet detection device external memory storage 104, when needs further detected, the group id that subsequent detection is used was replaced by the next_listid that FPGA external memory storage 104 reads.
Search original position: the original position of searching of determining the deep message detection, the present invention only detects and searches original position startpos message content afterwards, the message content of searching before the original position startpos is not detected performance that like this can lifting means.
Following table is the example that network processing unit sends to the message data of deep packet detection device:
Below each field in the last table is remarked additionally in detail:
First keeps position (8 byte): used by network processing unit, deep packet detection device is indifferent to, this field is in the start of message (SOM) position, deep packet detection device is not handled this field, when deep packet detection device returns testing result, also do not take this field, this field is used by network processing unit.As for whether the content of this field being carried out the deep message detection, by searching original position startpos (2 byte) decision, when original position before this field, then explanation need be carried out deep message to this field and detects, and detects otherwise do not need that this field is carried out deep message.
Groups of keywords sign listid (2 byte): the present invention is that example describes with 2048 groups of keywords of maximum supports, only needs 11 hyte identification informations, so this field is only used low 11 bits
Second keeps position (2 byte): slack byte, be indifferent to.
The 3rd keeps position (2 byte): slack byte, be indifferent to.
The 4th keeps position (16 byte): the position that is used for the deep packet detection device return information, send in the data of deep packet detection device at network processing unit, the data of this 16 byte are invalid data, and this field sends to expression testing result information in the data of network processing unit at deep packet detection device.The message data that sends to deep packet detection device at network processing unit transmits the invalid data of this 16 byte, not only can keep the uniformity of transmission data format between network processing unit and the deep packet detection device, can also simplify the handling process of deep packet detection device inside.
The message data byte: need carry out the message data of message depth detection, indefinite length, content is indefinite.
Deep packet detection device inside is to detecting the information processing flow process
When deep packet detection device detects current keyword, whether further configuration and next keyword message to be detected according to detection are proceeded to detect, detect end up to detecting certain keyword or detecting all keywords, particularly, schematic flow sheet that message detects is carried out as shown in Figure 2 in deep packet detection device inside, and this flow process may further comprise the steps:
Step 201: extract current groups of keywords to be detected sign;
Step 202: carry out doubtful coupling scanning,, then extract keyword and accurately mate if find doubtful coupling;
Step 203:, then judge whether further detection if accurately mate;
Step 204: further detect as needs, then replace current groups of keywords sign, repeating step 202 to 203 with next groups of keywords sign to be detected; Otherwise detection of end.
Below in conjunction with Fig. 3 the handling process of message detection sub-module 102 inside in the deep packet detection device is elaborated, this flow process may further comprise the steps:
Step 301: receive message data when this module, extract the group id listid of keyword to be detected and search original position startpos, begin to scan message from the startpos position;
Step 302: in scanning process, judge whether to find doubtful coupling.' if being ', then execution in step 303, otherwise execution in step 309;
Step 303: the result according to doubtful coupling chooses corresponding data key, and listid does Hash operation with the groups of keywords sign, produces the address of the plug-in memory 104 of FPGA;
Step 304: read the content of plug-in memory 104 appropriate address of FPGA, controlled information and keyword;
Step 305: the data key that chooses of the keyword that reads of byte comparison step 304 and step 303 one by one;
Step 306: result relatively is identical for step 305, and expression is coupling accurately, and then execution in step 307, otherwise the data key that expression step 303 is chosen is not a keyword to be detected, continues scanning subsequent packet, execution in step 302 from the position of finding doubtful coupling;
Step 307: represent that current keyword detects the testing result of accurately being mated, give the result with this testing result and organize submodule, and change step 308;
Whether step 308: differentiating needs further to detect keyword, the groups of keywords sign listid that then replaces current use if desired with the groups of keywords sign next_listid that further detects, continue the scanning subsequent packet from the position of finding doubtful coupling, execution in step 302, otherwise, execution in step 310;
In general, what keywords a message need detect, and is ignorant at the beginning, has only etc. to detect after first keyword, and just knowing needs further detection.Whether step 304 comprises from the data that the plug-in memory 104 of FPGA reads needs the sign next that further detects, when this indicates that when effective, expression needs further to detect subsequent packet; When next indicates when invalid, expression does not need further detection.
Step 309: differentiate message and whether finish, if, execution in step 310, otherwise continue scanning subsequent packet, execution in step 302;
Step 310 finishes the deep message detecting operation of current message, provides the detection end mark.
Advise fate is organized the buffer area of write control information as a result that submodule will compare afterwards, and deep packet detection device returns to network processing unit with comparative result and the message content of searching.
Deep packet detection device returns to the message data structure of network processing unit
The message that returns from deep packet detection device has result and the message content that message detects, the result who detects is placed on before the message content, wherein the outcome record of Jian Ceing the comparative result of searching, the number of times that comprise that detection successfully indicates, keyword detects, the information of last keyword and the information of detected each keyword when detecting successfully.Message content is the message that sends from network processing unit, and deep packet detection device is not made any modification to message content.
The information of keyword comprises groups of keywords sign, keyword sign and the position of keyword in message.
Wherein:
Detect successfully sign: detects and indicate that successfully when effective, expression detects all keywords, further detects if desired, illustrate that further detection also successfully detects keyword; Detect and indicate successfully when invalid that expression detects failure, do not detect first keyword or only detect before several keywords.
The number of times that keyword detects: promptly detect the number of times of keyword, when detecting successfully, identical with all keyword numbers that need detect; Detect when getting nowhere identical with detected keyword number;
The information of last keyword: only successfully indicate when effective detecting, the information that just comprises last keyword in the message testing result, comprise the group id of last keyword, sign knowledge and three fields such as position in message thereof of last keyword, wherein
Groups of keywords sign detects if this message only carries out keywords one time, and does not further detect, then the groups of keywords identification field with network processing unit send the same.
The sign of keyword: obtained by step 204, the present invention adopts groups of keywords sign and keyword sign to come unique keyword of determining.
The position of keyword in message: the promptly last end position of keyword in message that detects.
The information of each keyword: these information are whenever to detect a keyword just to write down once, that is to say, even final detect not success (detect successfully indicate invalid, only detect partial key), but the information of the detected keyword in front also can be recorded in here.
Following table is the message data topology example that deep packet detection device sends to the message testing result of network processing unit, and it is that example describes that this message data structure detects with 4 keywords of multipotency support:
Below each field in the testing result is remarked additionally in detail:
Keep the position: use by network processing unit, deep packet detection device is indifferent to (8 byte): keep the field of using to network processing unit, deep packet detection device directly extracts this information from the message that the network processing unit sending and receiving are sent here, former state returns to network processing unit again then.
Check_cnt (2bits): the number of times that the expression keyword detects;
Success (1bit): expression detects successfully sign;
Listid (14bits): the groups of keywords sign listid of last keyword that returns when expression detects successfully;
Sigid (14bits): the keyword sign of last keyword that returns when expression detects is successfully known;
Offset (2 byte): the last end position of keyword in message that detects of expression.
Offset0[13:10]: the keyword that expression detects for the first time is high 4 the end position of message.
Offset1[13:10]: the keyword that expression detects for the second time is high 4 the end position of message.
Offset2[13:10]: the keyword that expression detects for the third time is high 4 the end position of message.
Offset3[13:10]: represent high 4 at the end position of message of the keyword that detects for the 4th time.
Listid0 (11bits): the groups of keywords sign that expression detects for the first time, only get low 11 bits, because the present invention is designated example to support 2048 groups of keywords, so adopt the sign groups of keywords that 11 bits fully can be unique.
Sigid0 (11bits): the keyword sign that expression detects for the first time, only get low 11 bits, because the present invention comprises 2048 keywords at present at most in a groups of keywords, so adopt each keyword in the sign groups of keywords that 11 bits fully can be unique.
Offset0[9:0]: low 10 of the end position of keyword in message that expression detects for the first time.
Listid1 (11bits): the groups of keywords sign that expression detects for the second time, only get low 11 bits.
Sigid1 (11bits): the keyword sign that expression detects for the second time, only get low 11 bits.
Offset1[9:0]: the keyword that expression detects for the second time is at low 10 of the end position of message.
Listid2 (11bits): the groups of keywords sign that expression detects for the third time, only get low 11 bits.
Sigid2 (11bits): the keyword sign that expression detects for the third time, only get low 11 bits.
Offset2[9:0]: the keyword that expression detects for the third time is at low 10 of the end position of message.
Listid3 (11bits): represent the groups of keywords sign of the 4th detection, only get low 11 bits.
Sigid3 (11bits): represent the keyword sign of the 4th detection, only get low 11 bits.
Offset3[9:0]: represent the keyword that detects for the 4th time low 10 at the end position of message.
The message data byte: by the message data that network processing unit sends, former state is returned.
More than support 4 secondary keies to detect with multipotency and multipotency to return 4 keyword messages be that example describes, this generally speaking data structure can satisfy application demand, can improve the ability that deep message detects compared to existing technologies greatly.When the number of times less than that detects 4 times, that is to say the also information of 4 keywords of less than of the information that need return, so with the keyword message that detects by the filling of detection order, the back useless to part all use ' 0 ' filling.
Particularly, detect all keywords, promptly detect number of times check_cnt that effective testing result information of successfully returning comprises that keyword detects, detect and successfully indicate success (being changed to effective), the information of last keyword and the information of detected each keyword, wherein the information of last keyword comprises group id listid, sign knowledge sigid and the position Offset in message thereof of this last keyword, and the information of each keyword comprises group id listid, sign knowledge sigid and the position Offset in message thereof of all keywords.
Thereby only detecting partial key detects when failing, effective testing result information of returning comprises the number of times check_cnt of detection and the information of detected each keyword, and wherein the information of each keyword comprises listid, sign knowledge sigid and the position Offset in message thereof of detected each keyword.
The plug-in memory data of the FPGA of deep packet detection device is organized structure
The plug-in memory of FPGA is used for memory device may need the whole keywords and relevant control information that detect.Keyword is stored in the plug-in memory by the chained list situation, and the address of keyword is obtained by Hash operation by keyword itself and groups of keywords sign listid.Relevant control information has: keyword effective marker vld, detection number of times cnt, current keyword byte length sig_len, groups of keywords sign next_listid, the sign next that need further search that further searches, current keyword are part sign suc, the keyword sign sigid of certain longer keyword.
Following table is the example of the plug-in memory data structure of FPGA:
Below each field is elaborated:
Vld: expression keyword effective marker, if when refreshing keyword, need certain keyword of deletion, only need that this position is filled out ' 0 ' and get final product;
Sigid: expression keyword sign by software arrangements, after keyword is successfully detected, returns to software;
Rsv: keep the position, use when upgrading in the future;
Cnt: expression detects number of times, is used to illustrate that current message being carried out keyword before detecting this keyword detects and detect successful number of times, the just position of this keyword in chained list.Because message scans in order, so after the position that the big more keyword of cnt value occurs in message is leaned on more.Have only in the keyword chained list, previous keyword is successfully detected, and could continue to detect next keyword
Sig_len: expression keyword byte length.
Next: after representing that this keyword is successfully detected, still need further to detect, the groups of keywords sign that further detects is provided by the next_listid field;
Suc: represent that this keyword is the part of certain long keyword.In order efficiently to utilize memory resource, so the present invention carries out subregion to memory, the data (comprising keyword and control information) of 32 bytes are deposited in each zone at most, because the length of control information is fixed as 4 bytes, so the length of keyword is supported 28 bytes at most, when in case the length of certain keyword surpasses the maximum length that subregion can support, keyword need be split into the length that subregion can be supported, leave different subregions respectively in, and with chained list of these subregions compositions, the front portion of keyword needs set next sign and suc sign.
Signature: expression keyword;
Next_listid: the groups of keywords sign when expression further detects, the effect of in list structure, serving as the chain list index.
Message depth detection equipment of the present invention and method have realized that the hardware message detects, alleviate the network processing unit burden, improve and detect treatment effeciency, and the inventive method detects at message content rather than at the heading packaging information, realized the depth detection of message, after retrieving first keyword, carry out the whether further judgement of retrieval, thereby can realize detection to a plurality of keywords, and can return the result who repeatedly searches, strengthening measuring ability, and handle for upper layer software (applications) stronger support is provided.In addition, the keyword that length surpasses a plug-in memory items is decomposed, can make the inventive method realize the random length keyword is retrieved by plug-in memory.And employing the method for the invention, filled up the blank of deep packet detection device data structure aspect, enriched the keyword search information that deep packet detection device returns to network processing unit, for the subsequent treatment of network processing unit provides stronger support, data organization management simultaneously of the present invention is effectively simple, has improved the efficient that deep message detects.
Claims (12)
1, a kind of deep packet detection device, it is characterized in that: this deep packet detection device comprises Data Input Interface control and buffer area, message detection processing module and data output interface, wherein Data Input Interface control and buffer area are used for receiving data from network processing unit, and with metadata cache in the inner buffer district; This message detects processing module and is used for detecting and write down testing result according to the message data to be detected that network processing unit sends; Data output interface is used to read message and testing result, and sends to network processing unit.
2, equipment as claimed in claim 1, it is characterized in that: this message detects processing module and comprises the data buffer area that memory, message detection sub-module, result organize submodule, are used for the control information buffer area of buffer memory control information and are used for the buffer memory message data, wherein
Memory is used for storage depth packet detection apparatus whole keywords and control information to be detected;
The stored information that the message detection sub-module is used for the data that receive according to Data Input Interface control and buffer area and the plug-in memory of field programmable gate array is carried out that message detects and is sent testing result to molded tissue block as a result;
The result organizes submodule to be used for testing result with the message detection sub-module by the desired format organization of control information buffer area, and after testing process finishes with these testing result write control information buffer areas, and in the message testing process, the message data that had detected is write data buffer area.
3, equipment as claimed in claim 2, it is characterized in that: the control information of above-mentioned memory stores comprises keyword effective marker, the sign that need further search, the groups of keywords sign of further searching and keyword sign, this memory also is used for keyword is split into the length that subregion can be supported, leave different subregions respectively in, and with chained list of these subregions compositions, the preceding deployment of keyword is further searched sign and current keyword is the sign of the part of certain longer keyword.
4, equipment as claimed in claim 3 is characterized in that: above-mentioned message detection sub-module is used for carrying out doubtful coupling according to the message that network processing unit sends; Result according to doubtful coupling chooses corresponding data in the message, and does the address that Hash operation produces keyword in the memory with data of choosing and group id, and the content that reads is wherein accurately mated, and returns testing result; When detecting current keyword to be detected, proceed detection,, return the detection end mark up to detecting certain keyword or detecting all keywords according to the configuration and the next keyword message that whether further detect.
5, equipment as claimed in claim 2, it is characterized in that: when detecting all keywords, the testing result that The above results organizes the deep packet detection device of submodule write control information buffer area to return comprises the number of times that keyword detects, detect successfully sign, the information of last keyword and the information of detected each keyword, wherein the information of last keyword comprises the group id of this last keyword, sign is known and the position in message, and the information of each keyword comprises the group id of all keywords, sign is known and the position in message; When only detecting partial key, the testing result that deep packet detection device returns comprises the information of number of times and detected each keyword of detection, and wherein the information of each keyword comprises group id, sign knowledge and the position in message thereof of detected each keyword.
6, as each described equipment in the claim 1 to 5, it is characterized in that: this deep packet detection device adopts field programmable gate array and plug-in memory to realize.
7, a kind of described deep packet detection device of claim 1 that adopts carries out the method that deep message detects, and it is characterized in that this method may further comprise the steps:
(a) send message data to be detected by network processing unit to deep packet detection device;
(b) deep packet detection device detects according to the message data to be detected that network processing unit sends;
(c) deep packet detection device returns testing result and gives network processing unit.
8, method as claimed in claim 7, it is characterized in that, the message data to be detected that network processing unit sends in the step (a) comprises message to be detected and the additional control information of network processing unit, this control information comprises current groups of keywords sign to be detected, when the message data to be detected that deep packet detection device sends according to network processing unit in the step (b) detects, further comprise:
(b1) extract current groups of keywords to be detected sign;
(b2) carry out doubtful coupling scanning,, then extract keyword and accurately mate if find doubtful coupling;
(b3) if accurately mate, then according to further whether the configuration and the next keyword message of detection judge whether further detection;
(b4) further detect as needs, then replace current groups of keywords sign with next groups of keywords sign to be detected, repeating step (b2) is to (b3); Otherwise detection of end.
9, method as claimed in claim 8, it is characterized in that: the control information that network processes is added in the step (a) also comprises searches original position, the information that deep packet detection device extracts in the step (b1) also comprises searches original position, begins to carry out doubtful coupling scanning from searching original position in the step (b2).
10, method as claimed in claim 8 is characterized in that, step (b2) further comprises:
(b21) carry out doubtful coupling, if find doubtful coupling, then the result according to doubtful coupling chooses corresponding data in the data flow;
(b22) obtain the keyword address according to current group id to be detected and the data of choosing by Hash operation, read keyword;
(b23) with this keyword and the data of choosing byte comparison one by one, comparative result is identical, and expression is coupling accurately.
11, as each described method in the claim 7 to 10, it is characterized in that: when detecting all keywords, the testing result that deep packet detection device returns comprises number of times that keyword detects, detects successfully indicate, the information of last keyword and the information of detected each keyword, wherein the information of last keyword comprises group id, sign knowledge and the position in message thereof of this last keyword, and the information of each keyword comprises the group id of all keywords, sign knowledge and the position in message thereof; When only detecting partial key, the testing result that deep packet detection device returns comprises the information of number of times and detected each keyword of detection, and wherein the information of each keyword comprises group id, sign knowledge and the position in message thereof of detected each keyword.
12, as each described method in the claim 7 to 10, it is characterized in that: the employed deep packet detection device of this method adopts memory stores whole keywords and control information to be detected, described control information comprises the keyword effective marker, the sign that need further search, groups of keywords sign of further searching and keyword sign, memory also is used for keyword is split into the length that subregion can be supported, leave different subregions respectively in, and with chained list of these subregions compositions, the preceding deployment of keyword is further searched sign and current keyword is the sign of the part of certain longer keyword.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2007101985547A CN101459489B (en) | 2007-12-11 | 2007-12-11 | Deep packet detection device and method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2007101985547A CN101459489B (en) | 2007-12-11 | 2007-12-11 | Deep packet detection device and method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101459489A true CN101459489A (en) | 2009-06-17 |
| CN101459489B CN101459489B (en) | 2011-12-07 |
Family
ID=40770136
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2007101985547A Expired - Fee Related CN101459489B (en) | 2007-12-11 | 2007-12-11 | Deep packet detection device and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101459489B (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101841474A (en) * | 2010-04-15 | 2010-09-22 | 华为技术有限公司 | Device for realizing access control lists |
| CN101908985A (en) * | 2010-08-05 | 2010-12-08 | 中兴通讯股份有限公司 | Message checking method and device |
| CN102662891A (en) * | 2012-03-22 | 2012-09-12 | 北京北大众志微系统科技有限责任公司 | Method and device of DMA (direct memory access) buffer management based on affinity sensing |
| WO2014029094A1 (en) * | 2012-08-23 | 2014-02-27 | 华为技术有限公司 | Packet processing method, deep packet inspection requesting network element, and deep packet inspection device |
| CN103986628A (en) * | 2014-05-30 | 2014-08-13 | 无锡市同飞科技有限公司 | Keyword detection circuit based on field-programmable gate array |
| CN104572498A (en) * | 2014-12-26 | 2015-04-29 | 曙光信息产业(北京)有限公司 | Cache management method for message and device |
| CN104778197A (en) * | 2014-12-30 | 2015-07-15 | 北京锐安科技有限公司 | Data searching method and device |
| CN114531986A (en) * | 2022-03-03 | 2022-05-27 | 星光农机股份有限公司 | Tilling depth control method and device for field operation machine tool |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100474819C (en) * | 2007-05-17 | 2009-04-01 | 华为技术有限公司 | A deep message detection method, network device and system |
| CN101051966B (en) * | 2007-05-22 | 2010-06-09 | 网御神州科技(北京)有限公司 | Detecting system and method for network invasion behaviour |
-
2007
- 2007-12-11 CN CN2007101985547A patent/CN101459489B/en not_active Expired - Fee Related
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101841474A (en) * | 2010-04-15 | 2010-09-22 | 华为技术有限公司 | Device for realizing access control lists |
| CN101908985A (en) * | 2010-08-05 | 2010-12-08 | 中兴通讯股份有限公司 | Message checking method and device |
| CN101908985B (en) * | 2010-08-05 | 2016-06-29 | 中兴通讯股份有限公司 | A kind of method of message checking and device |
| CN102662891B (en) * | 2012-03-22 | 2014-11-26 | 北京北大众志微系统科技有限责任公司 | Method and device of DMA (direct memory access) buffer management based on affinity sensing |
| CN102662891A (en) * | 2012-03-22 | 2012-09-12 | 北京北大众志微系统科技有限责任公司 | Method and device of DMA (direct memory access) buffer management based on affinity sensing |
| CN104145451A (en) * | 2012-08-23 | 2014-11-12 | 华为技术有限公司 | Packet processing method, deep packet inspection requesting network element, and deep packet inspection device |
| WO2014029094A1 (en) * | 2012-08-23 | 2014-02-27 | 华为技术有限公司 | Packet processing method, deep packet inspection requesting network element, and deep packet inspection device |
| US9461894B2 (en) | 2012-08-23 | 2016-10-04 | Huawei Technologies Co., Ltd. | Packet processing method, deep packet inspection request network element and deep packet inspection device |
| CN104145451B (en) * | 2012-08-23 | 2017-07-14 | 华为技术有限公司 | Message processing method, deep-packet detection request network element and deep packet inspection device |
| CN103986628A (en) * | 2014-05-30 | 2014-08-13 | 无锡市同飞科技有限公司 | Keyword detection circuit based on field-programmable gate array |
| CN104572498A (en) * | 2014-12-26 | 2015-04-29 | 曙光信息产业(北京)有限公司 | Cache management method for message and device |
| CN104778197A (en) * | 2014-12-30 | 2015-07-15 | 北京锐安科技有限公司 | Data searching method and device |
| CN104778197B (en) * | 2014-12-30 | 2019-02-01 | 北京锐安科技有限公司 | A kind of data search method and device |
| CN114531986A (en) * | 2022-03-03 | 2022-05-27 | 星光农机股份有限公司 | Tilling depth control method and device for field operation machine tool |
| CN114531986B (en) * | 2022-03-03 | 2023-08-11 | 星光农机股份有限公司 | Tilling depth control method and device for field working machine |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101459489B (en) | 2011-12-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101459489B (en) | Deep packet detection device and method | |
| US20190222603A1 (en) | Method and apparatus for network forensics compression and storage | |
| KR100921845B1 (en) | Method, system, computer programs and devices for management of media items | |
| EP3767483A1 (en) | Method, device, system, and server for image retrieval, and storage medium | |
| CN104679830A (en) | File processing method and device | |
| CN102754394B (en) | Method for hash table storage, method for hash table lookup, and devices thereof | |
| CN104348859B (en) | File synchronisation method, device, server, terminal and system | |
| CN109165222A (en) | A kind of HBase secondary index creation method and system based on coprocessor | |
| CN106708956B (en) | A kind of HTTP data matching method based on more URL rule sets | |
| US20060161594A1 (en) | Method and apparatus for improving data processing speed through storage of record information of identity module | |
| CN102253948B (en) | Method and device for searching information in multi-source information system | |
| CN110515920A (en) | A kind of mass small documents access method and system based on Hadoop | |
| US20200125493A1 (en) | Pattern-Aware Prefetching Using Parallel Log-Structured File System | |
| RU2568276C2 (en) | Method of extracting useful content from mobile application setup files for further computer data processing, particularly search | |
| CN102722540A (en) | Method and device for processing data in real-time memory database system | |
| CN104636368A (en) | Data retrieval method and device and server | |
| CN106372109A (en) | Internet resource file caching method and apparatus | |
| CN116756253B (en) | Data storage and query methods, devices, equipment and media of relational database | |
| US20090138453A1 (en) | System and method for searching large amount of data at high speed for digital forensic system | |
| CN103927325A (en) | URL (uniform resource locator) classifying method and device | |
| CN108241639B (en) | A kind of data duplicate removal method | |
| CN105447016B (en) | A kind of fast search of component and the method for reuse | |
| CN101261645B (en) | Method and apparatus for obtaining multiple layer information | |
| CN106603610A (en) | Data acquisition method and apparatus | |
| CN106959975B (en) | Transcoding resource cache processing method, device and equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20111207 Termination date: 20201211 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |