CN103326900A - Traffic playback method and system for virtual network - Google Patents
Traffic playback method and system for virtual network Download PDFInfo
- Publication number
- CN103326900A CN103326900A CN 201310253417 CN201310253417A CN103326900A CN 103326900 A CN103326900 A CN 103326900A CN 201310253417 CN201310253417 CN 201310253417 CN 201310253417 A CN201310253417 A CN 201310253417A CN 103326900 A CN103326900 A CN 103326900A
- Authority
- CN
- China
- Prior art keywords
- traffic
- real traffic
- module
- virtual network
- real
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a traffic playback method and system for a virtual network. The traffic playback method includes a first step of capturing and processing real traffic, extracting a real IP address set R_IP, a second step of conducting depth-first search on a bipartite graph which is generated by real traffic communication relationships, dividing the real IP address set R_IP into two disjoint sets, namely, a set R_IPA and a set R_IPB, a third step of dividing all virtual nodes which are in communication through any virtual network routing interface v_interfacei into two disjoint sets, namely a set V_IPAi and a set V_IPBi, a fourth step of calculating similarities of all the virtual network routing interfaces and a real traffic collecting point, a fifth step of selecting a virtual network interface which is most similar to the real traffic collecting point to be used as a mapping node of the traffic collecting point, conducting IP address mapping based on the mapping mode, and a sixth step of traversing the real traffic again to achieve real traffic playback in the virtual network. When the traffic is played back in the virtual network through the traffic playback method and system for the virtual network, the real traffic communication environment is restored as good as possible, and the virtual network traffic system is improved.
Description
Technical field
The present invention relates to virtual and flow playback technology field, particularly relate to real traffic at the playback technology of virtual network, be specifically related to a kind of flow back method and system of Virtual network.
Background technology
Development along with technology such as virtual, network analogs, the cyberspace research that network security tool test, cyber attack scenarios structure etc. can't fully be implemented in the live network of complexity more and more launches in virtual network, and incident is that can virtual network improve as much as possible its authenticity and come to provide believable as far as possible research platform for relevant research test.The most important embodiment of virtual network authenticity is the authenticity of flow, not only requires virtual network can make up as required network topology, more needs to reappear real traffic in virtual network.
A suitable flow playback instrument comes controllable, the reproducible and real as far as possible network traffics of playback all to be absolutely necessary for multiple test environments such as comprising simulation and emulation.No matter real network environment or virtual network environment, the generating mode of flow all can be summarized as two kinds: a kind of is that the flow that utilizes analytical model to drive (model driven) generates, and the flow of generation can be followed a certain concrete generation model; Another kind is to review the flow generation that (traced driven) drives, and comes playback based on known real traffic, i.e. flow playback.
The flow of model-driven generates and uses a certain Mathematical Modeling to generate data on flows and environmental data, but model choose and the configuration of parameter directly affects the confidence level of flow.In the face of more various network research demand, because the flow playback has natural authenticity, it has comprised the full communication details of real traffic, research for the complex network behavior has more using value, but the restriction of flow build environment is so that the real traffic environment generally is applied to equipment performance test and simple fire compartment wall, IDS all the time.Virtual network provides underlying platform for research and the test of complex network space and behavior, therefore, for virtual network, the flow playback of research Virtual network has improved authenticity and the availability of virtual network greatly, the playback flow can directly provide foreground data for the researcher on the one hand in the virtual network, also can be used as on the other hand background traffic, enrich the flow system of virtual network, for real traffic, the researching value of data on flows has also been brought into play in the flow playback of virtual network greatly.
The flow playback of Virtual network has major application and is worth, yet common flow playback instrument still can not satisfy the flow playback demand of virtual network fully at present.Main flow playback technology has at present:
Tcpreplay uses the flow that is grasped by packet catchers such as Tcpdump as initial data, at link layer playback flow according to the order of sequence, does not need to know the details of upper-layer protocol.
From Tcpreplay etc. based on two-layer protocol different be, because Tcpreplay can not embody service interaction, the developer of Tcpreplay has developed FlowReplay, and Flowreplay is the enhanced edition of Tcpreplay, be designed to put the packet more than 4 layers, rather than 2 layers of playback.His target is to read a flow file, utilizes the client that connects, and the TCP/UDP agreement playback of data of Application standard comes the Connection Service end.Tomahawk goes out the client and server bag from the real traffic extracting data, sends respectively client and server data by two nodes, and guarantees the sending order of flow as far as possible.Similar means such as Monkey, Surge etc.
With the system designs of multicenter higi, design such as Monkey, the playback of whole TCP session traffic is implemented on two nodes, each node is responsible for the playback of a directional flow. and the playback of the whole TCP session traffic of the first grade design such as Tomahawk is implemented on the individual node in addition, two test interfaces of this node one general configuration, each test interface is responsible for the playback of a directional flow.Directly then directly use single network interface card playback flow in the system of two layers of playback flow such as this class of Tcpreplay.
From the flow playing back content, similar Tcpreplay is based on two layers of transmitted traffic, reproduction raw data packets flow that can be complete, but can't embody the reciprocal process of flow, and based on transport layer and above flow playback system thereof for except TCP the client server flow of UDP have reset preferably, other flows then can't embody.
Although above instrument is to some extent difference on playback granularity, playback level, but its common trait is to use the direct playback double layer network of single machine packet, or use two network interface cards to distinguish client and server in transport layer and carry out the flow playback, but in essence, above method is not to all considering actual network communications environment, for virtual network, can't utilize the virtual network resource, also the flow of real traffic and virtual network generation better can't be merged, can't be directly used in the virtual network.
The present invention is directed to the problems referred to above, according to the feature of virtual network, propose a kind of flow playback system and method for Virtual network, can be used for the virtual network platforms such as simulation, emulation and carry out the playback flow.
Summary of the invention
Technical problem to be solved by this invention provides a kind of flow back method and system of Virtual network, is used for solving prior art and fails to utilize well virtual network to carry out the problem of flow playback.
The technical scheme that the present invention solves the problems of the technologies described above is as follows: a kind of flow back method of Virtual network comprises:
Real traffic is caught and processed to step 1 in arbitrary real traffic collection point, extracts real IP address set R_IP and timestamp information; Here choosing arbitrary real traffic collection point, to catch flow be the condition that will satisfy the turnover flow that only comprises an interface, that is to say the mixed traffic that can not comprise a plurality of interfaces.
Step 2 is set up corresponding bipartite graph according to the real traffic correspondence, and bipartite graph is carried out depth-first search (Deep first search, DFS), realizes that real IP address is gathered R_IP is divided into two disjoint set R_IPA and R_IPB;
Step 3 will be by any virtual network routing interface v_interface
iAll dummy nodes of communication are divided into two disjoint set V_IPA
iWith V_IPB
i
Step 4 is calculated the similarity of all virtual network routing interfaces and real traffic collection point;
Step 5 selects the virtual network interface the most close with the real traffic collection point as the mapping node of real traffic collection point according to the similarity result of calculating, and based on this mapping node R_IPA is mapped to V_IPA
i, R_IPB is mapped to V_IPB
i
Step 6 travels through real traffic again, and according to the IP mapping result of step 5, carries out that replace real traffic IP address and real traffic is cut apart, the real traffic file after will cutting apart again after by its mapping corresponding dummy node directly transmission puts.
On the basis of technique scheme, the present invention can also do following improvement.
Further, catching and process real traffic in the described step 1 specifically comprises: utilize the traffic capture instrument to catch real traffic and save as the flow file of specified format, adopt again the traffic analysis tool that adapts with the flow file format that the real traffic of catching is processed and analyzed, source IP, purpose IP and the timestamp information of each packet in the record real traffic.
Further, described step 2 specifically comprises: take R_IP as the summit, with the abstract nonoriented edge for take source IP, purpose IP as the summit respectively of each packet in the real traffic, obtain the set of corresponding limit, and set up non-directed graph R_Graph based on the set of this limit, recycling Depth Priority Algorithm DFS travels through R_Graph, realizes R_IP is divided into two disjoint set R_IPA and R_IPB.
Further, described step 3 specifically comprises: the routing iinformation of communicating by letter between the all-ones subnet of traversal virtual network and subnet, utilize two-layer circulation, and find the route of each antithetical phrase internetwork communication, and pass through virtual network routing interface v_interface on the way in route
iDummy node set V_IPA
iWith dummy node set V_IPB
iMiddle all nodes that insert respectively in two subnets obtain two disjoint set V_IPA
iWith V_IPB
i
Further, described step 6 specifically comprises: source IP address, the purpose IP address of packet in the real traffic replaced with respectively IP address in the virtual network after the mapping, and real traffic cut apart according to sending node, the API that each real traffic file after cutting apart will utilize imitation technology to provide by the virtual network node of correspondence directly sends, and is carried out sequencing control and the playback speed control of playback according to the relative time stamp of packet by the Virtual Networking System unification.
Corresponding above-mentioned flow back method, technical scheme of the present invention also comprises a kind of flow playback system of Virtual network, and it comprises that real traffic is caught and processing module, real traffic traffic model are set up module, virtual network model building module, similarity calculation module, IP mapping block and playback module;
Described real traffic is caught and processing module, and it is used for catching and process real traffic in arbitrary real traffic collection point, extracts real IP address set R_IP and timestamp information;
Described real traffic traffic model is set up module, and it is used for setting up corresponding bipartite graph according to the real traffic correspondence, and bipartite graph is carried out depth-first search, realizes that real IP address is gathered R_IP is divided into two disjoint set R_IPA and R_IPB;
Described virtual network model building module, it is used for will be by any virtual network routing interface v_interface
iAll dummy nodes of communication are divided into two disjoint set V_IPA
iWith V_IPB
i
Described similarity calculation module, it is used for calculating the similarity of all virtual network routing interfaces and real traffic collection point;
Described IP mapping block, it is used for selecting the virtual network interface the most close with the real traffic collection point as the mapping node of real traffic collection point according to the similarity result of calculating, and based on this mapping node R_IPA is mapped to V_IPA
i, R_IPB is mapped to V_IPB
i
Described playback module, replace real traffic IP address and real traffic is cut apart for carrying out according to the IP mapping result for it, and the real traffic file after will cutting apart again directly sends by the rear corresponding dummy node of its mapping.
Further, described real traffic is caught and processing module comprises traffic capture module, flow processing module and memory module;
Described traffic capture module, it is used for catching real traffic by the traffic capture instrument, and saves as the flow file of specified format;
Described flow processing module, it is used for processing and analyzing by the real traffic that the traffic analysis tool that uses and the flow file format adapts is caught described traffic capture module;
Described memory module, it is used for source IP, purpose IP and the timestamp information of each packet of record real traffic.
Further, described real traffic traffic model is set up module and is comprised that module is set up in limit set, non-directed graph sets up module and module is divided in the IP address;
Module is set up in the set of described limit, and it is used for take R_IP as the summit, is the nonoriented edge take source IP, purpose IP as the summit with each packet in the real traffic is abstract respectively, obtains the set of corresponding limit;
Described non-directed graph is set up module, and it is used for gathering the limit of setting up module foundation according to described limit and gathers to set up non-directed graph R_Graph;
Module is divided in described IP address, and it is used for by Depth Priority Algorithm DFS the non-directed graph R_Graph that sets up being traveled through, and R_IP is divided into two disjoint set R_IPA and R_IPB.
Further, described playback module comprises that IP address replacement module, real traffic cut apart module, sending module and control module;
Described IP address replacement module, it is used for source IP address, purpose IP address with the real traffic packet and replaces with respectively IP address in the virtual network after the mapping;
Described real traffic is cut apart module, and it is used for real traffic is cut apart according to sending node;
Described sending module, each the real traffic file after it is used for cutting apart is directly sent by the API that the virtual network node of correspondence utilizes imitation technology to provide;
Described control module, it is used for carrying out according to the relative time stamp of packet by the Virtual Networking System unification sequencing control and the playback speed control of playback.
The invention has the beneficial effects as follows: the flow back method and the system that the invention discloses a kind of Virtual network, with real traffic data bit basis, set up the live network traffic model, the IP address of live network is mapped to virtual network IP address with live network, the flow that mapping point in the virtual network is responsible for separately sends task, can collect and the rear consistent flow of real traffic mapping at the virtual routing interface that is mapped to.Utilize the method playback flow in virtual network, give full play to and utilize the virtual network resource, utilize the as far as possible communication environment of rediscover net flow of virtual network, improved the fidelity of flow playback, the flow of having realized real traffic that other flow instruments can't be realized and virtual network platform merges, improve virtual network flow system, for the virtual network user provides more true complete virtual network experiment porch.
Description of drawings
Fig. 1 is the schematic flow sheet of the flow back method of Virtual network of the present invention;
Fig. 2 calculates the used partitioning algorithm flow chart of real traffic traffic model in the embodiment of the invention;
Fig. 3 is that the IP address set of a real traffic in the embodiment of the invention is divided as a result exemplary plot;
Fig. 4 is the circulation internal process schematic diagram that route is calculated between virtual subnet in the embodiment of the invention;
Fig. 5 is a virtual network topology exemplary plot of the embodiment of the invention;
Fig. 6 is the structural representation of the flow playback system of Virtual network of the present invention.
Embodiment
Below in conjunction with accompanying drawing principle of the present invention and feature are described, institute gives an actual example and only is used for explaining the present invention, is not be used to limiting scope of the present invention.
As shown in Figure 1, the present embodiment has provided a kind of flow back method of Virtual network, comprising:
Real traffic is caught and processed to step 1 in arbitrary real traffic collection point, extracts real IP address set R_IP and timestamp information;
Step 2 is set up corresponding bipartite graph according to the real traffic correspondence, and bipartite graph is carried out depth-first search, realizes that real IP address is gathered R_IP is divided into two disjoint set R_IPA and R_IPB;
Step 3 will be by any virtual network routing interface v_interface
iAll dummy nodes of communication are divided into two disjoint set V_IPA
iWith V_IPB
i
Step 4 is calculated the similarity of all virtual network routing interfaces and real traffic collection point;
Step 5 selects the virtual network interface the most close with the real traffic collection point as the mapping node of real traffic collection point according to the similarity result of calculating, and based on this mapping node R_IPA is mapped to V_IPA
i, R_IPB is mapped to V_IPB
i
Step 6 travels through real traffic again, and according to the IP mapping result of step 5, carries out that replace real traffic IP address and real traffic is cut apart, the real traffic file after will cutting apart again by its mapping after the dummy node of correspondence directly send.
In the implementation, comprise following a few major part:
One, original flow catching and processing
Adopt Wireshark traffic capture instrument, Ethreal traffic capture instrument, Tcpdump traffic capture instrument, pcap traffic capture instrument, zero-copy traffic capture instrument etc. to catch real traffic in the described step 1, and the real traffic after catching is stored with the .pcap form such as the flow that adopts pcap traffic capture instrument to catch to store with specified format.After catching real traffic, the traffic analysis tool that adopts the real traffic file format to adapt is processed the real traffic of corresponding format, analysis is processed and read to the real traffic of catching, source IP, purpose IP and the timestamp information of each packet in the record real traffic such as using libpcap function library module under the linux system, the off-line mode of wincap module under the windows system or zero-copy interface etc.After going heavily to all real sources, purpose IP address, obtain following definition set:
R_IP={R_IP
1,R_IP
2,R_IP
3,…,R_IP
n|n>=2}
Definition real traffic collection point is that a network interface of a certain router is r_interface, then R_IP
1, R_IP
2..., R_IP
nTo catch all IP addresses that occur in the flow by r_interface.
Take the packet real.pcap that catches at certain route discharge coupling place as example, after this is processed, obtain to contain the set of 154 IP addresses.R_IP={37.252.244.2,208.111.148.6,123.54.180.8,128.185.235.10,……}。
In addition, when processing original flow, also obtained simultaneously the timestamp information of each bar packet.
Two, calculate the real traffic traffic model
Corresponding described step 2, take R_IP as the summit, with each packet in the real traffic respectively abstract for take the source, purpose IP is the nonoriented edge e=(R_IP on summit
i, R_IP
j).Then E={e=(R_IP is gathered on the abstract limit that can obtain thus
i, R_IP
j) | R_IP
i, R_IP
j∈ R_IP}.The data on flows that utilization captures is set up non-directed graph R_Graph=(R_IP, E).Can prove that R_Graph is a bipartite graph, therefore utilize the Depth Priority Algorithm of figure, R_Graph is traveled through, the vertex set R_IP of R_Graph can be divided into two disjoint set R_IPA and R_IPB, IP address in R_IPA and the R_IPB set has correspondence, does not communicate by letter between the IP of R_IPA and R_IPB set inside.
Proof R_Graph is that the method for a bipartite graph is a lot, provides a kind of method of proof here, and is specific as follows.
Proposition 1:R_Graph is a bipartite graph, and namely R_IP may be partitioned into two mutually disjoint subset R_IPA and R_IPB, and satisfies:
R_IP=R_IPA ∪ R_IPB, every limit (R_IP among the figure
i, R_IP
j) two associated summit R_IP
iAnd R_IP
jBelong to respectively this two different vertex sets, i.e. R_IP
i∈ R_IPA, R_IP
j∈ R_IPB, according to the set up the condition on R_Graph limit as can be known R_IPA, R_IPB gather separately inner all summits without communication, communicate by letter between R_IPA and the R_IPB.
Proof: be proof proposition 1, needing proof non-directed graph R_Graph is the sufficient and necessary condition of bipartite graph, and namely R_Graph has two summits at least, and the length in its all loops is even number.
Adequacy: obviously | R_IP| 〉=2 if C is arbitrary loop among the R_Graph, make C=(R_IP
0, R_IP
1, R_IP
2..., R_IP
N-1, R_IP
n, R_IP
0); Because R_Graph is bipartite graph, do not communicate by letter between R_IPA and the R_IPB IP ground, set inside separately, then R_IP
i(i=0,1 ..., n) must alternately come across among R_IPA and the R_IPB, might as well establish { R_IP
0, R_IP
2, R_IP
4..., R_IP
n, R_IP
0∈ R_IPA, { R_IP
1, R_IP
3, R_IP
5..., R_IP
N-1∈ R_IPB, so n must be even number, thus even number of edges is arranged among the C.
Necessity: obvious R_IP 〉=2.If R_Graph is not connected graph, then can do following discussion to all branches of R_Graph.
Might as well establish R_IP
x, R_IP
y, R_IP
zIf ∈ R_IP is R_IP
xWith R_IP
yCommunication, R_IP
yWith R_IP
zCommunication, R_IP
zWith R_IP
xDo not communicate by letter, then do not have the loop, namely feeder number is 0, is even number, then R_IP
xWith R_IP
zCan be divided into set R_IPA, R_IP
yCan be divided into set R_IPB.
If R_IP
zWith R_IP
xCommunication, then loop length is odd number, because R_IP
xWith R_IP
yThe prerequisite that has the limit is to have collected R_IP in true collection point
xWith R_IP
yCommunications packets, R_IP
yWith R_IP
zIn like manner, if R_IP
zWith R_IP
x, R_IP
yCommunication is all through collection point r_interface, according to the definition of route R_IP as can be known
xWith R_IP
yShould be at the same side of r_interface, then R_IP
xWith R_IP
yCommunication namely R_IP can not occur without r_interface in real traffic
xWith R_IP
yCommunication data, with hypothesis test, necessity is set up.
In this part R_IP is divided into two disjoint set R_IPA and R_IPB partitioning algorithm Partition (R_Graph) flow chart as shown in Figure 2, at first to each the summit initialization among the R_Graph, the mark vertex color is Gray, expression is not divided into any set, and access flag visited is false, represents also not visited; Next, to each summit of R_Graph, judge whether access flag visited is false, if false, then the mark vertex color is Black, this summit of deep search.Deep search algorithm DFS (r_ips) is the core of partitioning algorithm Partition (R_Graph), and its basic thought is to present node and the leaf node mark opposite color that links to each other with present node, and depth of recursion is searched for its leaf node.The final node that again travels through all R_Graph, the node that marker color is identical belongs to identity set.False code is described below:
Fig. 3 has namely provided the result after an IP address is divided for example.
Three, calculate the virtual network model
Described step 3 specifically comprises: the routing iinformation of communicating by letter between the all-ones subnet of traversal virtual network and subnet, utilize two-layer circulation, and find the route of each antithetical phrase internetwork communication, and pass through virtual network routing interface v_interface on the way in route
iDummy node set V_IPA
iWith dummy node set V_IPB
iMiddle all nodes that insert respectively in two subnets obtain two disjoint set V_IPA
iWith V_IPB
iVirtual networks routing interface set V_INTERFACE={v_interface
1, v_interface
2..., v_interface
n| n 〉=2}, for any virtual network routing interface v_interface
i, can will pass through v_interface
iAll dummy nodes be divided into two disjoint set V_IPA
iWith V_IPB
iBe to calculate the traffic model of virtual network, need the routing iinformation of communicating by letter between the all-ones subnet of traversal virtual network and subnet, utilize two-layer circulation, find the route of each antithetical phrase internetwork communication, and at the v_interface of route on the way process
iV_IPA
iAnd V_IPB
iMiddle all nodes that insert respectively in two subnets.Fig. 4 is for virtual network v_subnet
iAnd v_subnet
j, travel through all v_interface of process between two subnets, and respectively with v_subnet
iAnd v_subnet
jThe terminal node that comprises is filled into the on the way V_IPA of each v_interface and the main flow process among the V_IPB.
For example, Fig. 5 has provided a virtual network topology example, its v_interface
1The result who calculates is V_IPA
1={ A1, A2, A3, A4, A5, A6}, V_IPB
2={ B1, B2, B3, B4, B5, B6}.
Four, similarity is calculated the mapping with IP
After obtaining the virtual network traffic model, should choose the mapping node of the virtual true collection point of route network interface conduct in virtual network the most similar to r_interface among the V_INTERFACE.|V_IPA|>=|V_IPB|,|R_IPA|>=|R_IPB|。There is following situation for a bipartite graph node set mapping:
Situation 1:|V_IPA
i|=| R_IPA|, | V_IPB
i|=| R_IPB|
Situation 2:|V_IPA
i|<=| R_IPA|, | V_IPB
i|<=| R_IPB|
Situation 3:|V_IPA
i|=| R_IPA|, | V_IPB
i|<=| R_IPB| or | V_IPA
i|<=| R_IPA|, | V_IPB
i|=| R_IPB|
A mapping is compared with other mappings, and is higher with the more approaching more so similarity of number of element in the corresponding set of true set.Again because same mapping comprises simultaneously mapping of two groups of set, so need a kind of measure of definition to calculate two groups of comprehensive similarity values behind the compound mapping.Need to prove, the definition of similarity is not unique, and adoptable a kind of similarity that the present invention provides is defined as follows:
(R_IPA → V_IPA, the absolute similarity degree of R_IPB → V_IPB) are to avoid the absolute similarity degree deviation that occurs in the situation 3 on the impact of mapping to definition a_factor, and introducings x is smoothing factor, and defining s_factor is level and smooth similarity for mapping.When | during V_IPA|=|R_IPA|, | V_IPA|/| R_IPA|=1, under virtual network model and live network model are more or less the same situation, generally choose x=1.The computing formula of a_factor and s_factor is as follows:
a_factor=(|V_IPA|/|R_IPA|)*(|V_IPB|/|R_IPB|)
s_factor=(|V_IPA|/|R_IPA|>1?x:|V_IPA|/|R_IPA|)*(|V_IPB|/|R_IPB|>1?x:|V_IPB|/|R_IPB|)
The numerical value that for example provides in conjunction with Fig. 3, the a_factor=of v_interface1 shown in Figure 5 (6/78) * (6/76)=0.0061, s_factor=0.0061, data 78,76 are by providing among Fig. 3 in the formula, and numerical value 6 is above-mentioned v_interface
1The as a result V_IPA that calculates
1={ A1, A2, A3, A4, A5, A6}, V_IPB
2={ B1, B2, B3, B4, B5, B6}.
The similarity comparison principle: at first smoother similarity, if level and smooth similarity difference assert that so level and smooth similarity the greater similarity is better; Compare absolute similarity degree if level and smooth similarity is identical, assert that absolute similarity degree the greater similarity is better.According to above-mentioned comparison principle the mapping of all v_interface among all V_INTERFACE similarity values are sorted, select an optimum mapping and v_interface as the collection point in the final virtual network.Be v_interface for the collection point in the selected virtual network of virtual network shown in Figure 4 for example
1, the corresponding (R_IPA → V_IPA that is mapped as
1, R_IPB → V_IPB
1).When situation 2 or situation 3 occurring, a plurality of IP address among R_IPA or the R_IPB is mapped to same virtual IP address, in IP when mapping, only need the IP of correspondence is carried out one by one corresponding get final product, and for example the V_IPA that is mapped to of R_IPA shown in Figure 4 and R_IPB and the part mapping of V_IPB concern as shown in the table:
Five, flow playback
After the mapping according to live network traffic model and virtual network traffic model, again travel through real traffic: source, the purpose IP address of packet in the real traffic are replaced with respectively the virtual ip address after the mapping, and original flow is cut apart according to sending node.Be to guarantee that packet arrives the order of Map Interface, packet is that the timestamp-this node of this packet is to the routing delay of Map Interface from the transmitting time of sending node reality.The API that each flow file after punishment is cut will utilize imitation technology to provide by the virtual network node of correspondence directly sends and is carried out according to the relative time stamp of packet by the Virtual Networking System unification sequencing control and the playback speed control of playback.
The virtual net collection point of mapping can be arrived according to the order of real traffic for the flow that guarantees playback in virtual network, each packet should be recomputated at the playback duration stamp of virtual network.If packet pkt
iOriginal time stamp be t
i, pkti is by dummy node v_node
jBe responsible for transmission, the overall routing iinformation according to virtual network can calculate v_node
jLink delay delay to v_interfacem
j, pkt then
iRelative time stamp in the virtual network playback should be t
i-delay
j, negative value appears for avoiding relative time, make that t_off is overall non-negative time offset amount.Pkt then
iBe T at the final actual playback timestamp of virtual network
i=t
i-delay
j+ t_off.After determining the transmitting time of each packet, carried out sequencing control and the playback speed control of playback by the Virtual Networking System unification.
As shown in Figure 6, corresponding above-mentioned flow back method, the present embodiment gives a kind of flow playback system of Virtual network, and it comprises that real traffic is caught and processing module, real traffic traffic model are set up module, virtual network model building module, similarity calculation module, IP mapping block and playback module;
Described real traffic is caught and processing module, and it is used for catching and process real traffic in arbitrary real traffic collection point, extracts real IP address set R_IP and timestamp information;
Described real traffic traffic model is set up module, and it is used for setting up corresponding bipartite graph according to the real traffic correspondence, and bipartite graph is carried out depth-first search, realizes that real IP address is gathered R_IP is divided into two disjoint set R_IPA and R_IPB;
Described virtual network model building module, it is used for will be by any virtual network routing interface v_interface
iAll dummy nodes of communication are divided into two disjoint set V_IPA
iWith V_IPB
i
Described similarity calculation module, it is used for calculating the similarity of all virtual network routing interfaces and real traffic collection point;
Described IP mapping block, it is used for selecting the virtual network interface the most close with the real traffic collection point as the mapping node of real traffic collection point according to the similarity result of calculating, and based on this mapping node R_IPA is mapped to V_IPA
i, R_IPB is mapped to V_IPB
i
Described playback module, replace real traffic IP address and real traffic is cut apart for carrying out according to the IP mapping result for it, and the real traffic file after will cutting apart again directly sends by the rear corresponding dummy node of its mapping.
Wherein, described real traffic is caught and processing module comprises traffic capture module, flow processing module and memory module;
Described traffic capture module, it is used for catching real traffic by the traffic capture instrument, and saves as the flow file of specified format;
Described flow processing module, it is used for processing and analyzing by the real traffic that the traffic analysis tool that uses and the flow file format adapts is caught described traffic capture module;
Described memory module, it is used for source IP, purpose IP and the timestamp information of each packet of record real traffic.
Described real traffic traffic model is set up module and is comprised that again module is set up in the limit set, non-directed graph sets up module and module is divided in the IP address;
Module is set up in the set of described limit, and it is used for take R_IP as the summit, is the nonoriented edge take source IP, purpose IP as the summit with each packet in the real traffic is abstract respectively, obtains the set of corresponding limit;
Described non-directed graph is set up module, and it is used for gathering the limit of setting up module foundation according to described limit and gathers to set up non-directed graph R_Graph;
Module is divided in described IP address, and it is used for by Depth Priority Algorithm DFS the non-directed graph R_Graph that sets up being traveled through, and R_IP is divided into two disjoint set R_IPA and R_IPB.
Described playback module comprises that again IP address replacement module, real traffic cut apart module, sending module and control module;
Described IP address replacement module, it is used for source IP address, purpose IP address with the real traffic packet and replaces with respectively IP address in the virtual network after the mapping;
Described real traffic is cut apart module, and it is used for real traffic is cut apart according to sending node;
Described sending module, each the real traffic file after it is used for cutting apart is directly sent by the API that the virtual network node of correspondence utilizes imitation technology to provide;
Described control module, it is used for carrying out according to the relative time stamp of packet by the Virtual Networking System unification sequencing control and the playback speed control of playback.
Fig. 6 gives the workflow diagram based on the virtual network flow playback system of IP mapping simultaneously, and its details is consistent with above-mentioned flow back method.
The above only is preferred embodiment of the present invention, and is in order to limit the present invention, within the spirit and principles in the present invention not all, any modification of doing, is equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (9)
1. the flow back method of a Virtual network is characterized in that, comprising:
Real traffic is caught and processed to step 1 in arbitrary real traffic collection point, extracts real IP address set R_IP and timestamp information;
Step 2 is set up corresponding bipartite graph according to the real traffic correspondence, and bipartite graph is carried out depth-first search, realizes that real IP address is gathered R_IP is divided into two disjoint set R_IPA and R_IPB;
Step 3 will be by any virtual network routing interface v_interface
iAll dummy nodes of communication are divided into two disjoint set V_IPA
iWith V_IPB
i
Step 4 is calculated the similarity of all virtual network routing interfaces and real traffic collection point;
Step 5 selects the virtual network interface the most close with the real traffic collection point as the mapping node of real traffic collection point according to the similarity result of calculating, and based on this mapping node R_IPA is mapped to V_IPA
i, R_IPB is mapped to V_IPB
i
Step 6 travels through real traffic again, and according to the IP mapping result of step 5, carries out that replace real traffic IP address and real traffic is cut apart, the real traffic file after will cutting apart again by its mapping after the dummy node of correspondence directly send.
2. flow back method according to claim 1, it is characterized in that, catching and process real traffic in the described step 1 specifically comprises: utilize the traffic capture instrument to catch real traffic and save as the flow file of specified format, adopt again the traffic analysis tool that adapts with the flow file format that the real traffic of catching is processed and analyzed, source IP, purpose IP and the timestamp information of each packet in the record real traffic.
3. flow back method according to claim 1, it is characterized in that, described step 2 specifically comprises: take R_IP as the summit, with the abstract nonoriented edge for take source IP, purpose IP as the summit respectively of each packet in the real traffic, obtain the set of corresponding limit, and setting up non-directed graph R_Graph based on the set of this limit, recycling Depth Priority Algorithm DFS travels through R_Graph, realizes R_IP is divided into two disjoint set R_IPA and R_IPB.
4. flow back method according to claim 1, it is characterized in that, described step 3 specifically comprises: the routing iinformation of communicating by letter between the all-ones subnet of traversal virtual network and subnet, utilize two-layer circulation, find the route of each antithetical phrase internetwork communication, and pass through virtual network routing interface v_interface on the way in route
iDummy node set V_IPA
iWith dummy node set V_IPB
iMiddle all nodes that insert respectively in two subnets obtain two disjoint set V_IPA
iWith V_IPB
i
5. flow back method according to claim 1, it is characterized in that, described step 6 specifically comprises: source IP address, the purpose IP address of packet in the real traffic replaced with respectively IP address in the virtual network after the mapping, and real traffic cut apart according to sending node, the API that each real traffic file after cutting apart will utilize imitation technology to provide by the virtual network node of correspondence directly sends, and is carried out sequencing control and the playback speed control of playback according to the relative time stamp of packet by the Virtual Networking System unification.
6. the flow playback system of a Virtual network is characterized in that, comprises that real traffic is caught and processing module, real traffic traffic model are set up module, virtual network model building module, similarity calculation module, IP mapping block and playback module;
Described real traffic is caught and processing module, and it is used for catching and process real traffic in arbitrary real traffic collection point, extracts real IP address set R_IP and timestamp information;
Described real traffic traffic model is set up module, and it is used for setting up corresponding bipartite graph according to the real traffic correspondence, and bipartite graph is carried out depth-first search, realizes that real IP address is gathered R_IP is divided into two disjoint set R_IPA and R_IPB;
Described virtual network model building module, it is used for will be by any virtual network routing interface v_interface
iAll dummy nodes of communication are divided into two disjoint set V_IPA
iWith V_IPB
i
Described similarity calculation module, it is used for calculating the similarity of all virtual network routing interfaces and real traffic collection point;
Described IP mapping block, it is used for selecting the virtual network interface the most close with the real traffic collection point as the mapping node of real traffic collection point according to the similarity result of calculating, and based on this mapping node R_IPA is mapped to V_IPA
i, R_IPB is mapped to V_IPB
i
Described playback module, replace real traffic IP address and real traffic is cut apart for carrying out according to the IP mapping result for it, and the real traffic file after will cutting apart again directly sends by the rear corresponding dummy node of its mapping.
7. flow playback system according to claim 6 is characterized in that, described real traffic is caught and processing module comprises traffic capture module, flow processing module and memory module;
Described traffic capture module, it is used for catching real traffic by the traffic capture instrument, and saves as the flow file of specified format;
Described flow processing module, it is used for processing and analyzing by the real traffic that the traffic analysis tool that uses and the flow file format adapts is caught described traffic capture module;
Described memory module, it is used for source IP, purpose IP and the timestamp information of each packet of record real traffic.
8. flow playback system according to claim 6 is characterized in that, described real traffic traffic model is set up module and comprised that module is set up in the limit set, non-directed graph sets up module and module is divided in the IP address;
Module is set up in the set of described limit, and it is used for take R_IP as the summit, is the nonoriented edge take source IP, purpose IP as the summit with each packet in the real traffic is abstract respectively, obtains the set of corresponding limit;
Described non-directed graph is set up module, and it is used for gathering the limit of setting up module foundation according to described limit and gathers to set up non-directed graph R_Graph;
Module is divided in described IP address, and it is used for by Depth Priority Algorithm DFS the non-directed graph R_Graph that sets up being traveled through, and R_IP is divided into two disjoint set R_IPA and R_IPB.
9. flow playback system according to claim 6 is characterized in that, described playback module comprises that IP address replacement module, real traffic cut apart module, sending module and control module;
Described IP address replacement module, it is used for source IP address, purpose IP address with the real traffic packet and replaces with respectively IP address in the virtual network after the mapping;
Described real traffic is cut apart module, and it is used for real traffic is cut apart according to sending node;
Described sending module, each the real traffic file after it is used for cutting apart is directly sent by the API that the virtual network node of correspondence utilizes imitation technology to provide;
Described control module, it is used for carrying out according to the relative time stamp of packet by the Virtual Networking System unification sequencing control and the playback speed control of playback.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310253417.4A CN103326900B (en) | 2013-06-24 | 2013-06-24 | A kind of traffic playback method of Virtual network and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310253417.4A CN103326900B (en) | 2013-06-24 | 2013-06-24 | A kind of traffic playback method of Virtual network and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103326900A true CN103326900A (en) | 2013-09-25 |
| CN103326900B CN103326900B (en) | 2016-03-16 |
Family
ID=49195443
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310253417.4A Active CN103326900B (en) | 2013-06-24 | 2013-06-24 | A kind of traffic playback method of Virtual network and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103326900B (en) |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103986624A (en) * | 2014-05-28 | 2014-08-13 | 西安交通大学 | Network traffic restoring and playback method |
| CN105099833A (en) * | 2015-09-14 | 2015-11-25 | 北京华青融天技术有限责任公司 | Business test method , device and system |
| CN105338341A (en) * | 2014-08-12 | 2016-02-17 | 杭州海康威视系统技术有限公司 | Method and device for reproducing real-time video code stream |
| CN106325081A (en) * | 2015-06-17 | 2017-01-11 | 派斡信息技术(上海)有限公司 | Method for controlling electronic device and control machine with application of method |
| CN106375118A (en) * | 2016-08-31 | 2017-02-01 | 哈尔滨工业大学(威海) | Multi-view-angle traffic mixed playback method and device |
| CN106953741A (en) * | 2017-01-25 | 2017-07-14 | 中国科学院信息工程研究所 | A kind of traffic playback method and system of network-oriented simulated environment |
| CN107302518A (en) * | 2016-04-15 | 2017-10-27 | 任子行网络技术股份有限公司 | Inter-domain routing system safe condition cognitive method and device based on Weighted Similarity |
| CN107770805A (en) * | 2016-08-22 | 2018-03-06 | 腾讯科技(深圳)有限公司 | The decision method and device of the identification information of terminal |
| CN108347384A (en) * | 2018-01-26 | 2018-07-31 | 乐鑫信息科技(上海)有限公司 | A method of being suitable for transmission packet one-to-many in mesh networks |
| CN108900360A (en) * | 2018-08-10 | 2018-11-27 | 哈尔滨工业大学(威海) | A kind of network context generation system and method based on the playback of multinode flow |
| CN108989142A (en) * | 2018-05-25 | 2018-12-11 | 中国科学院计算机网络信息中心 | Network test method, device and storage medium |
| CN110867967A (en) * | 2019-11-27 | 2020-03-06 | 云南电网有限责任公司电力科学研究院 | Background flow playback method for power monitoring system communication |
| CN111182087A (en) * | 2019-12-18 | 2020-05-19 | 哈尔滨工业大学(威海) | Flow playback method based on single network card binding multiple IPs |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2011113386A2 (en) * | 2011-04-26 | 2011-09-22 | 华为技术有限公司 | Method and apparatus for network traffic simulation |
-
2013
- 2013-06-24 CN CN201310253417.4A patent/CN103326900B/en active Active
Cited By (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103986624A (en) * | 2014-05-28 | 2014-08-13 | 西安交通大学 | Network traffic restoring and playback method |
| CN103986624B (en) * | 2014-05-28 | 2017-08-08 | 西安交通大学 | A kind of network flow recovery back method |
| CN105338341A (en) * | 2014-08-12 | 2016-02-17 | 杭州海康威视系统技术有限公司 | Method and device for reproducing real-time video code stream |
| CN106325081A (en) * | 2015-06-17 | 2017-01-11 | 派斡信息技术(上海)有限公司 | Method for controlling electronic device and control machine with application of method |
| CN105099833A (en) * | 2015-09-14 | 2015-11-25 | 北京华青融天技术有限责任公司 | Business test method , device and system |
| CN107302518A (en) * | 2016-04-15 | 2017-10-27 | 任子行网络技术股份有限公司 | Inter-domain routing system safe condition cognitive method and device based on Weighted Similarity |
| CN107770805A (en) * | 2016-08-22 | 2018-03-06 | 腾讯科技(深圳)有限公司 | The decision method and device of the identification information of terminal |
| CN107770805B (en) * | 2016-08-22 | 2021-07-27 | 腾讯科技(深圳)有限公司 | Method and device for judging identification information of terminal |
| CN106375118A (en) * | 2016-08-31 | 2017-02-01 | 哈尔滨工业大学(威海) | Multi-view-angle traffic mixed playback method and device |
| CN106953741B (en) * | 2017-01-25 | 2019-11-12 | 中国科学院信息工程研究所 | A kind of traffic playback method and system of network-oriented simulated environment |
| CN106953741A (en) * | 2017-01-25 | 2017-07-14 | 中国科学院信息工程研究所 | A kind of traffic playback method and system of network-oriented simulated environment |
| CN108347384A (en) * | 2018-01-26 | 2018-07-31 | 乐鑫信息科技(上海)有限公司 | A method of being suitable for transmission packet one-to-many in mesh networks |
| CN108347384B (en) * | 2018-01-26 | 2020-12-01 | 乐鑫信息科技(上海)股份有限公司 | One-to-many data packet transmission method suitable for mesh network |
| CN108989142A (en) * | 2018-05-25 | 2018-12-11 | 中国科学院计算机网络信息中心 | Network test method, device and storage medium |
| CN108900360A (en) * | 2018-08-10 | 2018-11-27 | 哈尔滨工业大学(威海) | A kind of network context generation system and method based on the playback of multinode flow |
| CN110867967A (en) * | 2019-11-27 | 2020-03-06 | 云南电网有限责任公司电力科学研究院 | Background flow playback method for power monitoring system communication |
| CN110867967B (en) * | 2019-11-27 | 2023-11-10 | 云南电网有限责任公司电力科学研究院 | Background flow playback method for communication of power monitoring system |
| CN111182087A (en) * | 2019-12-18 | 2020-05-19 | 哈尔滨工业大学(威海) | Flow playback method based on single network card binding multiple IPs |
| CN111182087B (en) * | 2019-12-18 | 2022-01-28 | 哈尔滨工业大学(威海) | Flow playback method based on single network card binding multiple IPs |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103326900B (en) | 2016-03-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103326900B (en) | A kind of traffic playback method of Virtual network and system | |
| EP3407562B1 (en) | Coflow recognition method and system, and server using method | |
| US11943249B2 (en) | Cyberspace coordinate system creation method and apparatus based on autonomous system | |
| CN102307123B (en) | NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic | |
| CN102724317B (en) | A kind of network traffic data sorting technique and device | |
| Calvert et al. | Modeling internet topology | |
| CN103338150B (en) | Communication network architecture method for building up, device, server and router | |
| CN104283897B (en) | Wooden horse communication feature rapid extracting method based on multiple data stream cluster analysis | |
| CN106953741B (en) | A kind of traffic playback method and system of network-oriented simulated environment | |
| CN110519298A (en) | A kind of Tor method for recognizing flux and device based on machine learning | |
| Sharma et al. | Simulating attacks for RPL and generating multi-class dataset for supervised machine learning | |
| CN109840533A (en) | A kind of applied topology figure recognition methods and device | |
| CN103281211B (en) | Large-scale network node system for managing in groups and management method | |
| CN106789242A (en) | A kind of identification application intellectual analysis engine based on mobile phone client software behavioral characteristics storehouse | |
| CN103746914A (en) | Method, device and system for building corresponding relationship between private network label and primary VRF (VPN (virtual private network) routing and forwarding table) | |
| Nur et al. | Cross-AS (X-AS) internet topology mapping | |
| Ubik et al. | Evaluating application-layer classification using a Machine Learning technique over different high speed networks | |
| Kiremire et al. | Using network motifs to investigate the influence of network topology on PPM-based IP traceback schemes | |
| CN111064817A (en) | City-level IP positioning method based on node sorting | |
| Tilch et al. | A multilayer graph model of the internet topology | |
| Prokkola | Opnet-network simulator | |
| CN108494583A (en) | A kind of method and device generating network topology based on sFlow | |
| CN111953552B (en) | Data flow classification method and message forwarding equipment | |
| CN104836700B (en) | NAT host number detection methods based on IPID and probability statistics model | |
| CN113726809B (en) | Internet of things equipment identification method based on flow data |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |