Summary of the invention
In view of this, embodiments of the invention provide a network monitoring method, apparatus and system for monitoring an IP network. The technical solution is as follows:
An embodiment of the invention provides a network monitoring method, comprising:
obtaining an exact-matching rule derived by parsing a monitoring policy;
selecting, according to the exact-matching rule, from received data by means of deep packet inspection to obtain a monitoring result, where the received data has been obtained by filtering packet data with data preprocessing according to a service customization rule derived by parsing the monitoring policy. Selecting from the received data by deep packet inspection to obtain the monitoring result specifically comprises: analyzing the received data by deep packet inspection; selecting from the analysis result according to the exact-matching rule to obtain the Intercept Related Information of the service data to be monitored; and obtaining, through the associated unique characteristic identifier, the media stream corresponding to that Intercept Related Information, the Intercept Related Information of the service data to be monitored and the corresponding media stream together forming the monitoring result.
An embodiment of the invention also provides a service analysis server, comprising:
a monitoring policy processing unit, configured to parse a monitoring policy and obtain a service customization rule and an exact-matching rule;
a data selection unit, configured to use deep packet inspection to select, according to the exact-matching rule obtained by the monitoring policy processing unit, from the data sent by a service probe server, and to obtain a monitoring result.
The data selection unit specifically comprises: an analysis subunit, configured to analyze the data sent by the service probe server by deep packet inspection; a selection subunit, configured to select from the analysis result of the analysis subunit according to the exact-matching rule obtained by the monitoring policy processing unit, and to obtain the Intercept Related Information of the service data to be monitored; and a monitoring result generation subunit, configured to generate the monitoring result from the Intercept Related Information of the service data to be monitored obtained by the selection subunit.
An embodiment of the invention also provides a network monitoring system, comprising a service probe server and a service analysis server.
The service probe server is configured to obtain packet data from the IP network and to apply data preprocessing to filter the obtained packet data according to the service customization rule obtained by the service analysis server.
The service analysis server is configured to parse a monitoring policy and obtain the service customization rule and an exact-matching rule, and to use deep packet inspection to select, according to the exact-matching rule, from the data filtered by the service probe server, obtaining a monitoring result.
Here, selecting from the received data by deep packet inspection to obtain the monitoring result specifically comprises: analyzing the received data by deep packet inspection; selecting from the analysis result according to the exact-matching rule to obtain the Intercept Related Information of the service data to be monitored; and obtaining, through the associated unique characteristic identifier, the media stream corresponding to that Intercept Related Information, the Intercept Related Information of the service data to be monitored and the corresponding media stream together forming the monitoring result.
To monitor an IP network, the key problem is to identify the packet data transmitted in the network and to select from it the service data that needs to be monitored. In the technical solution above, after the service probe server (SPS, Service Probe Server) obtains packet data from the IP network, it first preprocesses the packet data and then filters it according to the service customization rule. The service analysis server (SAS, Service Analyze Server) uses deep packet inspection (DPI, Deep Packet Inspection) to analyze further the packet data that the SPS has filtered, then selects from the analysis result according to the exact-matching rule, and finally obtains the required monitoring result, thereby monitoring the IP network. In addition, the various packet data services carried in the IP network, such as text, image, audio and video, can all be monitored, which gives monitoring personnel a more effective means of monitoring.
Embodiment
The IP network monitoring method of the embodiments of the invention is described first. It comprises:
obtaining an exact-matching rule derived by parsing a monitoring policy;
selecting, according to the exact-matching rule, from received data by means of deep packet inspection to obtain a monitoring result, where the received data has been obtained by filtering packet data with data preprocessing according to a service customization rule derived by parsing the monitoring policy.
The embodiments of the invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of an IP network monitoring method according to an embodiment of the invention. The method comprises:
S101: After receiving a monitoring policy, the SAS parses it, obtains a service customization rule and an exact-matching rule, and sends the service customization rule to the SPS. The service customization rule corresponds to the basic information of the service to be monitored and may include the media access control (MAC) address, Internet Protocol (IP) address, Transmission Control Protocol/User Datagram Protocol (TCP/UDP) port, service type and so on. The exact-matching rule corresponds to the specific information of the service to be monitored and may include the user name, account, e-mail address, telephone number and so on.
S102: The SPS obtains the packet communication data of the IP network by sniffing. It first preprocesses the data packets: the basic service information of the packet data can be identified through layer 2-4 protocol analysis or message feature matching. Then, according to the service customization rule, it filters out the data whose basic service information does not conform to the rule, and forwards the filtered data to the SAS.
S103: The SAS uses DPI to analyze the Intercept Related Information (IRI, Intercept Related Information) of the data sent by the SPS and obtains the specific service information corresponding to the data. The IRI is the call control information in the IP network packet data that relates to the media stream (CC, Content of Communication); the IRI and the CC of the same service data are associated through a unique characteristic identifier. The analysis result is then selected according to the exact-matching rule obtained in S101, so that the IRI of the service data to be monitored is hit exactly. Finally, the CC corresponding to the IRI is obtained through the associated unique characteristic identifier, and the IRI of the service data to be monitored and the CC together form the monitoring result.
The monitoring policy described in S101 includes information such as the IP address or account to be monitored, and can be configured on a web server (WBS, Web Server) and then sent to the SAS.
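The S101-S103 flow is sketched below as an added example; it is not code from the patent. The record layout, the field names (`src`, `port`, `kind`, `session`, `payload`), the `key=value` signalling text standing in for DPI, and the sample addresses are all assumptions constructed for illustration.

```python
# Added illustration: constructed records and hypothetical field names.
from collections import defaultdict

def parse_policy(policy):
    """S101: split a policy into the coarse rule sent to the SPS
    and the exact-matching rule kept on the SAS."""
    coarse = {k: policy[k] for k in ("ip", "port") if k in policy}
    exact = {k: policy[k] for k in ("account", "email") if k in policy}
    return coarse, exact

def sps_filter(packets, coarse):
    """S102: drop packets whose layer 2-4 fields do not fit the coarse rule."""
    def fits(p):
        ip_ok = "ip" not in coarse or coarse["ip"] == p["src"]
        port_ok = "port" not in coarse or coarse["port"] == p["port"]
        return ip_ok and port_ok
    return [p for p in packets if fits(p)]

def inspect(payload):
    """Stand-in for DPI: decode 'key=value;key=value' signalling text."""
    return dict(f.split("=", 1) for f in payload.split(";") if "=" in f)

def sas_select(packets, exact):
    """S103: analyse IRI, keep exact hits, attach CC by the shared identifier."""
    cc_by_session, hits = defaultdict(list), []
    for p in packets:
        if p["kind"] == "CC":
            cc_by_session[p["session"]].append(p["payload"])
            continue
        info = inspect(p["payload"])
        if exact and all(info.get(k) == v for k, v in exact.items()):
            hits.append((p["session"], info))
    return [{"iri": info, "cc": cc_by_session[s]} for s, info in hits]

def pkt(src, kind, session, payload):
    return {"src": src, "port": 5060, "kind": kind, "session": session, "payload": payload}

POLICY = {"ip": "192.0.2.10", "port": 5060, "account": "alice"}  # constructed
PACKETS = [  # constructed sample traffic
    pkt("192.0.2.10", "IRI", "s1", "account=alice;action=setup"),
    pkt("192.0.2.10", "CC", "s1", "media-1"),
    pkt("192.0.2.10", "IRI", "s2", "account=bob;action=setup"),
    pkt("192.0.2.10", "CC", "s2", "media-2"),
    pkt("203.0.113.7", "IRI", "s3", "account=alice;action=setup"),
]

if __name__ == "__main__":
    coarse, exact = parse_policy(POLICY)
    print(sas_select(sps_filter(PACKETS, coarse), exact))
```

Session `s3` is removed by the coarse filter before any payload is parsed, and `s2` passes the coarse filter but fails the exact match, so only the IRI of `s1` and its media stream reach the result.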
To carry out service restoration on the monitoring result, this embodiment may further comprise the following steps:
S104: A database and file server (DFS, Dbase and Files Server) saves the monitoring result. The CC in the monitoring result is stored in the file service area and the IRI is stored in the database, so that the monitored service can easily be retrieved through the association between IRI and CC. In the DFS storage system the monitoring result always keeps its original storage form unchanged, so that it can be used to generate evidence, until it is archived to an external storage medium or deleted. The storage capacity depends on the number of monitored targets and is generally hundreds of G to several T bits.
S105: The monitoring personnel log in to the WBS and carry out service restoration on the monitoring result saved in the DFS. The WBS takes a copy of a monitoring result from the DFS and either restores it or generates an analysis report for the monitoring personnel to review.
The monitoring method of the above embodiment applies to non-real-time monitoring of services in the IP network. For services that need real-time monitoring, the WBS obtains the monitoring result directly from the front-end system SAS and carries out service restoration. Referring to Fig. 2, the method is as follows:
S201-S203: the same as S101-S103.
S204: The WBS obtains the monitoring result directly from the SAS and restores the service for the monitoring personnel to monitor in real time.
If the data monitored in real time needs to be backed up, this embodiment may further comprise:
S205: The WBS at the same time generates a copy of the real-time monitoring result and sends it to the DFS to be saved, for further analysis or for use as evidence in the future. The copy is saved in a way similar to that described in S104, which is not repeated here.
In both of the above embodiments, the monitoring personnel can also manage and maintain the whole monitoring system by logging in to the WBS, including issuing control commands that coordinate the operation of the various parts of the monitoring system, while the operation, maintenance and running logs of the monitoring system are produced.
It should be noted that the monitoring personnel can also log in to the WBS through a web client (WBC, Web Client) to carry out the related operations; this does not affect the implementation of the invention.
It can be seen that, in the above embodiments, for the packet data transmitted in the IP network, data preprocessing is first applied to identify the basic information of the data and filter it preliminarily, and DPI is then used to analyze the data, so that an exact selection is made and the required monitoring result is obtained. By logging in to the web server, the monitoring personnel can effectively save, restore and manage the monitoring result, thereby monitoring the IP network.
An embodiment of the invention provides a service probe server SPS which, referring to Fig. 3, comprises:
a data capture unit 310, configured to obtain packet data from the IP network;
a data filtering unit 320, configured to apply data preprocessing and, according to the service customization rule, filter the packet data obtained by the data capture unit 310.
The data filtering unit 320 specifically comprises:
an identification subunit 321, configured to apply data preprocessing to identify the basic service information of the packet data obtained by the data capture unit 320;
a filtering subunit 322, configured to filter the data according to the identification result of the identification subunit 321 and the service customization rule.
An embodiment of the invention provides a service analysis server SAS which, referring to Fig. 4, comprises:
a monitoring policy processing unit 410, configured to parse a monitoring policy and obtain a service customization rule and an exact-matching rule;
a data selection unit 420, configured to use deep packet inspection to select, according to the exact-matching rule obtained by the monitoring policy processing unit 410, from the data sent by the service probe server, and to obtain a monitoring result.
The data selection unit 420 specifically comprises:
an analysis subunit 421, configured to use DPI to analyze the data sent by the SPS;
a selection subunit 422, configured to select from the analysis result of the analysis subunit 421 according to the exact-matching rule obtained by the monitoring policy processing unit 410, hitting exactly the IRI of the service data to be monitored;
a monitoring result generation subunit 423, configured to generate the monitoring result from the IRI of the service data to be monitored obtained by the selection subunit 422.
An embodiment of the invention also provides an IP network monitoring system which, referring to Fig. 5, comprises an SPS 510 and an SAS 520.
The SPS 510 is configured to obtain packet data from the IP network and to apply data preprocessing to filter the obtained packet data according to the service customization rule obtained by the SAS 520.
The SAS 520 is configured to parse a monitoring policy and obtain the service customization rule and an exact-matching rule, and to use DPI and the exact-matching rule to select from the data filtered by the SPS 510, obtaining a monitoring result.
To carry out service restoration on the monitoring result, the monitoring system may further include monitoring management equipment. Referring to Fig. 6, the monitoring management equipment specifically comprises a WBS 630 and a DFS 640.
The WBS 630 is configured to carry out service restoration on the monitoring result.
The DFS 640 is configured to store the monitoring result.
For non-real-time services, the monitoring result is first stored in the DFS 640; when monitoring is required, the WBS 630 extracts the monitoring result from the DFS 640 and carries out service restoration. For services that need real-time monitoring, the WBS 630 obtains the monitoring result directly from the SAS 520 and carries out service restoration for the monitoring personnel to monitor in real time. If the monitoring result needs to be backed up, the WBS 640 can generate a copy of the monitoring result during service restoration and send it to the DFS 640 for storage.
The WBS 630 can also be used to configure the monitoring policy and to manage and maintain the operation of the whole monitoring system; the DFS 640 can also be used to save information such as the system configuration, the operation and maintenance logs, and the accounts and permissions of the monitoring personnel.
To make operation easier for the monitoring personnel, the monitoring system may further comprise:
a WBC 650, which provides the user interface for the monitoring system. In general, a terminal with a graphical user interface (GUI, Graphic User Interface) serves as the user interface of the whole monitoring system, and the monitoring personnel carry out operations such as service restoration or system management and maintenance by Telnet login to the WBS through the WBC.
Because the apparatus and system embodiments correspond substantially to the method embodiments, they are described relatively briefly; for the relevant parts, refer to the description of the method embodiments. The apparatus and system embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.
A person of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as ROM, RAM, magnetic disk or optical disc.
The embodiments of the invention described above do not limit the scope of protection of the invention. Any modification, equivalent replacement or improvement made within the spirit and principle of the invention shall fall within the scope of protection of the invention.