CN110430080A - Network topology probe method and device - Google Patents

Publication number
CN110430080A
Authority
CN
China
Prior art keywords
network
information
node
topological
subnet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910724612.8A
Other languages
Chinese (zh)
Other versions
CN110430080B (en)
Inventor
林星辰
黄元飞
李燕伟
夏剑锋
张峰
权晓文
王润合
黄石海
赵建聪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yuanjiang Shengbang (beijing) Network Security Polytron Technologies Inc
National Computer Network and Information Security Management Center
Original Assignee
Yuanjiang Shengbang (beijing) Network Security Polytron Technologies Inc
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Yuanjiang Shengbang (beijing) Network Security Polytron Technologies Inc, National Computer Network and Information Security Management Center
Priority to CN201910724612.8A
Publication of CN110430080A
Application granted
Publication of CN110430080B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention provide a network topology probing method and device. The method comprises: actively probing the adjacency relationships between devices in a network based on TCP, UDP and/or ICMP scanning and route tracing, to obtain the topology trunk information of the network; collecting data by mirroring network traffic at a traffic aggregation node or switching node of the network, and performing a multi-dimensional comprehensive analysis of the collected traffic, comprising Ethernet-layer analysis, network-layer analysis and application-layer analysis, to obtain the topology branch information of the network; and fusing the topology trunk information and the topology branch information of the network, with IP as the dimension, to obtain the network topology of the network. Embodiments of the present invention make full use of active and passive topology probing information, reduce the impact on the user network, and improve probing efficiency and accuracy.

Description

Network topology probe method and device
Technical field
The present invention relates to the field of network topology probing and discovery, and more particularly to a network topology probing method and device.
Background art
Network topology probing is an important means of understanding network structure for network asset management, security vulnerability protection and visualized management.
Traditional network probing generally discovers network devices and subnets with methods based on network protocols such as ICMP, SNMP, LLDP and OSPF. This kind of probing is fast but has limited coverage. Moreover, because it probes by actively sending packets, it generates a large amount of traffic, can cause network congestion, and has a considerable impact on the network environment. The other approach is passive: probe nodes deployed in the network collect and analyze data to monitor traffic. Because passive probing mainly analyzes existing network traffic, it generates no additional traffic and therefore does not affect the network, but it cannot detect inactive hosts.
At present most topology probing uses either the active or the passive approach and cannot combine the advantages of the two. How to make full use of active and passive topology probing information, reduce the impact on the user network, and improve probing efficiency and quality is therefore particularly important.
Summary of the invention
Embodiments of the present invention provide a network topology probing method and device that overcome the above problems or at least partially solve them.
In a first aspect, an embodiment of the present invention provides a network topology probing method, comprising:
actively probing the adjacency relationships between devices in a network based on TCP, UDP and/or ICMP scanning and route tracing, to obtain the topology trunk information of the network;
collecting data by mirroring network traffic at a traffic aggregation node or switching node of the network, and performing a multi-dimensional comprehensive analysis of the collected traffic, comprising Ethernet-layer analysis, network-layer analysis and application-layer analysis, to obtain the topology branch information of the network;
fusing the topology trunk information of the network and the topology branch information of the network, with IP as the dimension, to obtain the network topology of the network.
In a second aspect, an embodiment of the present invention provides a network topology probing device, comprising:
an active probing module, configured to actively probe the adjacency relationships between devices in a network based on TCP, UDP and/or ICMP scanning and route tracing, to obtain the topology trunk information of the network;
a passive probing module, configured to collect data by mirroring network traffic at a traffic aggregation node or switching node of the network, and to perform a multi-dimensional comprehensive analysis of the collected traffic, comprising Ethernet-layer analysis, network-layer analysis and application-layer analysis, to obtain the topology branch information of the network;
an information fusion module, configured to fuse the topology trunk information of the network and the topology branch information of the network, with IP as the dimension, to obtain the network topology of the network.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a memory, a processor, and a computer program that is stored in the memory and can run on the processor, wherein the processor, when executing the program, implements the steps of the network topology probing method provided by the first aspect.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the network topology probing method provided by the first aspect.
The network topology probing method and device provided by embodiments of the present invention complete topology trunk detection through active probing, supplement the topology branches and calculate and divide subnets through passive listening, and perform fusion analysis of the active and passive topology probing information to complete the description of the entire topology. They make full use of active and passive topology probing information, reduce the impact on the user network, and improve probing efficiency and accuracy.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow diagram of a network topology probing method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of adjacency relationship collection provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of passive traffic data analysis provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of IPID deviation calculation results provided by an embodiment of the present invention;
Fig. 5 is a subnet connectivity graph provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a network topology probing device provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on these embodiments without creative effort fall within the scope of protection of the present invention.
To make full use of active and passive topology probing information, reduce the impact on the user network, and improve probing efficiency and accuracy, an embodiment of the present invention provides a network topology probing method based on the fusion of active and passive probing data. Fig. 1 is a schematic flow diagram of the method, which comprises:
Step 100: actively probe the adjacency relationships between devices in the network based on TCP, UDP and/or ICMP scanning and route tracing, to obtain the topology trunk information of the network;
The embodiment first uses active probing to establish the network skeleton and obtain the topology trunk information of the network.
Specifically, the embodiment actively probes the adjacency relationships between devices in the network based on TCP (Transmission Control Protocol), UDP (User Datagram Protocol) and/or ICMP (Internet Control Message Protocol) scanning and route tracing (such as traceroute).
TCP scanning mainly relies on the three-way handshake of a TCP connection and the flag bits in the TCP header. ICMP scanning mainly relies on the most basic purpose of the ICMP protocol, error reporting: according to the protocol, if an error occurs, the receiving end generates an ICMP error message. UDP scanning judges by whether a reply is returned and whether the reply contains a port-unreachable indication.
The route tracing tool is traceroute on Linux and tracert on Windows. Traceroute is used to actively probe the adjacency relationships between devices in the network.
The complete traceroute procedure is as follows. It first sends the destination host an IP packet whose TTL (Time To Live) field is 1. The first router that handles the packet decrements the TTL by 1, discards the packet, and sends an ICMP message back to the source host (a "timeout" message that contains the router's IP address, which gives the address of the first router). Traceroute then sends a packet with a TTL of 2 to obtain the IP address of the second router, and continues this process until the packet reaches the destination host.
In one embodiment, actively probing the adjacency relationships between devices in the network based on TCP, UDP and/or ICMP scanning and route tracing, to obtain the topology trunk information of the network, further comprises:
Step 101: initialize a queue Q and a connectivity set E, and let the address of the probe origin be p;
Step 102: perform liveness detection on the addresses in the known IP ranges using TCP, UDP and/or ICMP scanning, determine the live devices, record the (IP, TTL) tuple of each live device, and add the live devices to the queue Q;
Specifically, liveness detection is performed on the addresses in the known IP ranges using TCP, UDP and/or ICMP scanning. All live devices are determined from the information obtained, the IP address and TTL field value of each live device are recorded to form its (IP, TTL) tuple, and all live devices and their (IP, TTL) tuples are added to the queue Q.
Step 103: take a node from the queue Q and probe its adjacency relationships. Determine whether the TTL value of the node is 1. If it is 1, create the triple (p, r, rtt) for the probe origin and the node and add the triple to the connectivity set E. Otherwise, run traceroute against the IP of the node, traverse all nodes on the path, create the adjacent next-hop node group information (r1, r2, rtt2), and determine whether the address pair (r1, r2) or (r2, r1) already exists in the connectivity set E; if not, add the adjacent next-hop node group information to the connectivity set E;
Specifically, traceroute is run for all live devices in the queue Q to build the adjacency relationships between devices in the network and obtain the connectivity set.
Take any node from the queue Q and probe its adjacency relationships. First determine whether the TTL value of the node is 1. If it is 1, directly create the triple (p, r, rtt) for the probe origin and the node and add the triple to the connectivity set E.
Otherwise, if the TTL value of the node is greater than or equal to 2, run traceroute against the IP of the node, traverse all nodes on the path, create the adjacent next-hop node group information (r1, r2, rtt2), and determine whether the address pair (r1, r2) or (r2, r1) already exists in the connectivity set E; if not, add the adjacent next-hop node group information to the connectivity set E;
Step 104: check whether the queue Q is empty. If the queue Q is not empty, take the next node from the queue Q and probe its adjacency relationships; otherwise, finish.
Specifically, determine whether the queue Q is empty. If it is not, return to step 103 and take the next node from the queue Q for adjacency probing, until every node in the queue Q has been taken out. The result is a connectivity set containing all adjacency relationships between devices in the network. Fig. 2 is a schematic diagram of the adjacency relationship collection provided by an embodiment of the present invention. This completes the probing of the topology trunk information of the network.
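Steps 101 to 104 as an added example, not code from the patent, run over constructed probe results so that no packets are sent. It assumes the recorded TTL is the hop distance from the probe origin, that the origin is the first r1 of every traced path, and that no adjacency is recorded across a hop that did not answer; all names and addresses are hypothetical.

```python
from collections import deque

# Constructed sample data standing in for live probe results.
ORIGIN = "10.0.0.1"  # probe origin p (step 101)

# Step 102 output: (IP, TTL) tuples of live devices. TTL is treated as the hop
# distance from the origin (assumption), so TTL == 1 is a direct neighbour.
ALIVE = [("10.0.0.2", 1), ("10.0.1.10", 2), ("10.0.2.20", 3), ("10.0.2.21", 3)]

# RTT in ms measured by the liveness scan, used for the (p, r, rtt) triples.
SCAN_RTT = {"10.0.0.2": 0.4}

# Simulated traceroute results: target -> ordered hops (hop_ip, rtt_ms).
# (None, None) marks a hop that did not answer.
TRACES = {
    "10.0.1.10": [("10.0.0.2", 0.4), ("10.0.1.10", 0.9)],
    "10.0.2.20": [("10.0.0.2", 0.4), (None, None), ("10.0.2.20", 1.8)],
    "10.0.2.21": [("10.0.0.2", 0.5), ("10.0.1.1", 1.1), ("10.0.2.21", 1.9)],
}


def simulated_traceroute(target):
    """Stand-in for a real traceroute call; returns the constructed path."""
    return TRACES[target]


def collect_adjacency(origin, alive, scan_rtt, traceroute):
    """Return the connectivity set E as a list of (r1, r2, rtt) triples."""
    q = deque(alive)   # queue Q filled by step 102
    e = []             # connectivity set E
    seen = set()       # undirected pairs already present in E

    def add(r1, r2, rtt):
        # One lookup covers both (r1, r2) and (r2, r1), as step 103 requires.
        pair = frozenset((r1, r2))
        if r1 != r2 and pair not in seen:
            seen.add(pair)
            e.append((r1, r2, rtt))

    while q:                       # step 104: repeat until Q is empty
        ip, ttl = q.popleft()      # step 103: take one node
        if ttl == 1:
            add(origin, ip, scan_rtt[ip])
            continue
        prev = origin
        for hop, rtt in traceroute(ip):
            if hop is None:
                # Silent hop: the next responder is not known to be adjacent
                # to the previous one, so break the chain here.
                prev = None
                continue
            if prev is not None:
                add(prev, hop, rtt)
            prev = hop
    return e


def nodes_in(e):
    """All addresses that appear in at least one adjacency."""
    return {ip for r1, r2, _ in e for ip in (r1, r2)}


if __name__ == "__main__":
    for edge in collect_adjacency(ORIGIN, ALIVE, SCAN_RTT, simulated_traceroute):
        print(edge)
```

The live host 10.0.2.20 ends up with no adjacency because the hop in front of it was silent, which is the kind of gap the passive analysis in step 200 is meant to fill.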
Step 200: collect data by mirroring network traffic at a traffic aggregation node or switching node of the network, and perform a multi-dimensional comprehensive analysis of the collected traffic, comprising Ethernet-layer analysis, network-layer analysis and application-layer analysis, to obtain the topology branch information of the network;
Specifically, the embodiment supplements the topology branches and calculates and divides subnets through passive listening, and in this way completes the description of the entire topology step by step. It uses a passive network topology profile: data is collected by mirroring network traffic at a traffic aggregation node or switching node of the network, and the collected traffic undergoes a multi-dimensional comprehensive analysis comprising Ethernet-layer analysis, network-layer analysis and application-layer analysis, to obtain the topology branch information of the network.
Fig. 3 is a schematic diagram of the passive traffic data analysis provided by an embodiment of the present invention. Performing the multi-dimensional comprehensive analysis of the collected traffic to obtain the topology branch information of the network further comprises:
Step 201: statistically analyze network ARP broadcast messages, neighbor discovery messages, layer-2 forwarding data, STP BPDUs and multicast messages, and calculate the network boundary, the corresponding gateways, and the connectivity between nodes;
Specifically, the Ethernet-layer analysis is performed as follows:
Collect network ARP broadcast messages or neighbor discovery messages, and define the subnet mask of the subnet to which the ARP requests or neighbor discovery request messages generated for the same IP address belong;
Obtain the correspondence between VLANs and IP subnets from the layer-2 forwarding data;
Determine the root switch and switch port information from STP BPDUs, determine the switch vendor from the MAC address of the switch's network interface, and determine the forwarding capability of a switch port from the port bandwidth;
Collect multicast messages and determine the subnet mask of the subnet they belong to.
Step 202: based on the five-tuple information of the network layer and transport layer, determine the type and number of Webweb devices present in the network, add the connectivity formed by each source and destination IP address pair to the connectivity set, statistically analyze the traffic of the source and destination IP address pairs, and calculate the traffic volume of each subnet;
Specifically, for the five-tuple information of the network layer and transport layer:
a) Based on the principle that the IPIDs of messages sent by the same device are consecutive and that different types of system use different initial IPID values, group the IPIDs to discover the type and number of Webweb devices that may exist;
b) Add the connectivity formed by each source and destination IP address pair to the connectivity set E;
c) Statistically analyze the traffic of the IP pairs and calculate the traffic volume of each subnet.
Step 203: analyze the various application-layer protocol messages to obtain client Agent and server fingerprint information, determine device type and system type information, and obtain routing node and subnet mask information.
Specifically, by analyzing HTTP (Hyper Text Transfer Protocol) and FTP (File Transfer Protocol) traffic, obtain client Agent and server fingerprint information, and analyze the device types and the device type and system type information present in the subnet;
By capturing OSPF (Open Shortest Path First) and BGP (Border Gateway Protocol) protocol information, obtain routing node and subnet mask information.
Step 300: fuse the topology trunk information of the network and the topology branch information of the network, with IP as the dimension, to obtain the network topology of the network.
Specifically, fusing the topology trunk information of the network and the topology branch information of the network with IP as the dimension means:
Fusing the topology trunk information and the topology branch information with IP as the dimension to obtain the IP address, subnet mask, VLAN port, gateway IP list, routing device information, neighbor subnet list, whether the node is a Webweb and the number of Webweb hosts, the adjacent host set, and adjacent switching device information;
Here, subnet calculation is carried out through the adjacency relationships and passive interconnectivity detection, the size of a Webweb host group is calculated from the IPID, and subnet connectivity is calculated from the connectivity of hosts.
Specifically, subnet calculation:
For an element in the queue Q, if it has the same next-hop address, VLAN and TTL value as subnet m, the subnet mask can be calculated as follows:
Mask = log2(^(ip1 & N[m].ip_net))
where N[m].ip_net is the starting value of the IP range of subnet m. If Mask is less than N[m].mask, the subnet number of ip is set to m; otherwise N[m].mask is set to Mask. If no subnet is found to which the element belongs, a new subnet is created whose initial range is ip1/32.
Calculating the Webweb host group size from the IPID:
For the nodes of a given subnet N[m], calculate the average of the IPID differences for the same source IP. The larger the absolute value, the larger the IPID variation, and the more hosts the Webweb contains. The formula is:
D = |SUM(ipid[m] - ipid[m-1]) / N|;
where 1 < m < N.
Fig. 4 is a schematic diagram of the IPID deviation calculation results provided by an embodiment of the present invention. For hosts A, B and C the host group sizes are 1, 2 and 3 respectively. According to statistics and analysis, the larger the average difference, the more hosts the host group contains. For a single host the average IPID difference is close to 1, whereas for a Webweb containing multiple devices the IPID varies greatly. The calculation can therefore identify Webweb nodes and describe the size of a Webweb group well.
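An added example, not code from the patent, that computes the IPID difference average per source IP over constructed packet records. It assumes 16-bit IPID counters that increase by one per packet and, as a labelled departure from the formula above, averages the absolute wrap-aware differences over the number of differences so that steps in opposite directions do not cancel; the addresses and function names are hypothetical.

```python
from collections import defaultdict

IPID_MOD = 1 << 16  # the IPv4 Identification field is 16 bits wide

# Constructed source addresses (documentation range) for hosts A, B and C.
HOST_A, HOST_B, HOST_C = "198.51.100.1", "198.51.100.2", "198.51.100.3"


def circular_step(prev, cur):
    """Distance between two IPIDs on the 16-bit ring, so 65535 -> 0 counts as 1."""
    d = (cur - prev) % IPID_MOD
    return min(d, IPID_MOD - d)


def ipid_deviation(packets):
    """packets: iterable of (src_ip, ipid) in capture order -> {src_ip: D}.

    D is the mean absolute IPID step between consecutive packets that share a
    source IP (assumption: absolute steps instead of the signed sum).
    """
    by_src = defaultdict(list)
    for src, ipid in packets:
        by_src[src].append(ipid)
    result = {}
    for src, ids in by_src.items():
        if len(ids) < 2:
            continue  # a single packet gives no difference to average
        steps = [circular_step(a, b) for a, b in zip(ids, ids[1:])]
        result[src] = sum(steps) / len(steps)
    return result


def interleave(starts, rounds):
    """Constructed IPIDs: one counter per start value, sending round-robin."""
    return [(s + r) % IPID_MOD for r in range(rounds) for s in starts]


def constructed_capture():
    """Source A hides 1 counter, B hides 2, C hides 3 (host group sizes 1, 2, 3)."""
    a = [(HOST_A, i) for i in interleave([65530], 10)]          # wraps past 65535
    b = [(HOST_B, i) for i in interleave([100, 20000], 5)]
    c = [(HOST_C, i) for i in interleave([100, 20000, 45000], 5)]
    return a + b + c


if __name__ == "__main__":
    for src, d in sorted(ipid_deviation(constructed_capture()).items()):
        label = "single host" if d < 2 else "several counters behind one IP"
        print(f"{src}  D={d:.1f}  {label}")
```

Hosts that randomize the IPID or always send zero break the consecutive-counter assumption, so a large D on its own is a reason to look closer rather than proof of several hosts.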
Based on the above embodiment, calculating subnet connectivity from the connectivity of hosts specifically comprises:
Creating an adjacency matrix and drawing the subnet connectivity graph;
If a loop appears in the subnet connectivity graph, using the traffic statistics of inter-subnet communication as weights, calculating the minimum spanning tree, and removing the paths that produce the loop.
Specifically, create an m*m adjacency matrix L and initialize its values to -1 (infinity). For a node M in E, if its two nodes ip1 and ip2 belong to two different subnets N[k] and N[j], set L[k][j] and L[j][k] to 1. Fig. 5 is the subnet connectivity graph provided by an embodiment of the present invention: the three networks A, B and C in the figure contain the three hosts IP1, IP2 and IP3 respectively. (IP1, IP2) can communicate with each other, and (IP2, IP3) can communicate with each other.
If there is a loop, use the traffic statistics of inter-subnet communication as weights, calculate the minimum spanning tree, and remove the paths that produce the loop.
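The adjacency matrix and loop removal described above, as an added example that is not code from the patent. The subnets, host pairs and byte counts are constructed, the helper names are hypothetical, and because the text does not say how traffic maps to a weight, the raw byte count is used as the edge weight (assumption) with Kruskal's algorithm for the minimum spanning tree.

```python
import ipaddress

# Constructed inputs: subnets N[0..2], host-level pairs from the connectivity
# set E, and bytes observed between each pair of subnets.
SUBNETS = ["192.0.2.0/26", "192.0.2.64/26", "192.0.2.128/26"]
E = [
    ("192.0.2.10", "192.0.2.70"),     # N[0] <-> N[1]
    ("192.0.2.71", "192.0.2.130"),    # N[1] <-> N[2]
    ("192.0.2.131", "192.0.2.11"),    # N[2] <-> N[0], closes a loop
    ("192.0.2.12", "192.0.2.13"),     # same subnet, no inter-subnet link
    ("192.0.2.10", "198.51.100.5"),   # peer outside every known subnet
]
TRAFFIC = {(0, 1): 900, (1, 2): 400, (0, 2): 50}


def subnet_index(ip, nets):
    """Index of the subnet that contains ip, or None if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for i, net in enumerate(nets):
        if addr in net:
            return i
    return None


def adjacency_matrix(edges, subnets):
    """m*m matrix L: -1 means no known link, 1 means the subnets are connected."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    m = len(nets)
    matrix = [[-1] * m for _ in range(m)]
    for ip1, ip2 in edges:
        k, j = subnet_index(ip1, nets), subnet_index(ip2, nets)
        if k is None or j is None or k == j:
            continue
        matrix[k][j] = matrix[j][k] = 1
    return matrix


def remove_loops(matrix, traffic):
    """Kruskal minimum spanning tree; returns (kept_links, removed_links)."""
    m = len(matrix)
    links = sorted(
        (traffic.get((k, j), 0), k, j)
        for k in range(m) for j in range(k + 1, m) if matrix[k][j] == 1
    )
    parent = list(range(m))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    kept, removed = [], []
    for _, k, j in links:
        root_k, root_j = find(k), find(j)
        if root_k == root_j:
            removed.append((k, j))   # this link would close a loop
        else:
            parent[root_k] = root_j
            kept.append((k, j))
    return kept, removed


if __name__ == "__main__":
    L = adjacency_matrix(E, SUBNETS)
    kept, removed = remove_loops(L, TRAFFIC)
    print("L =", L)
    print("kept:", kept, "removed:", removed)
```

A non-empty removed list is also the loop check itself: it is empty exactly when the subnet graph has no cycle.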
The network topology probing method provided by embodiments of the present invention completes topology trunk detection through active probing, supplements the topology branches and calculates and divides subnets through passive listening, and performs fusion analysis of the active and passive topology probing information to complete the description of the entire topology. It makes full use of active and passive topology probing information, reduces the impact on the user network, and improves probing efficiency and accuracy.
Fig. 6 is a schematic structural diagram of the network topology probing device provided by an embodiment of the present invention, which comprises an active probing module 601, a passive probing module 602 and an information fusion module 603, wherein:
The active probing module 601 is configured to actively probe the adjacency relationships between devices in the network based on TCP, UDP and/or ICMP scanning and route tracing, to obtain the topology trunk information of the network;
Specifically, the embodiment first uses active probing to establish the network skeleton and obtain the topology trunk information of the network. The active probing module 601 first performs liveness detection on the addresses in the known IP ranges using TCP, UDP and/or ICMP scanning to determine the live devices. It then probes adjacency relationships using route tracing, collects the adjacency relationships between devices in the network, builds the connectivity set, and completes the probing of the network topology trunk information.
The active probing module 601 is specifically configured to:
Initialize a queue Q and a connectivity set E, and let the address of the probe origin be p;
Perform liveness detection on the addresses in the known IP ranges using TCP, UDP and/or ICMP scanning, determine the live devices, record the (IP, TTL) tuple of each live device, and add the live devices to the queue Q;
Take a node from the queue Q and probe its adjacency relationships: determine whether the TTL value of the node is 1; if it is 1, create the triple (p, r, rtt) for the probe origin and the node and add the triple to the connectivity set E; otherwise, run traceroute against the IP of the node, traverse all nodes on the path, create the adjacent next-hop node group information (r1, r2, rtt2), and determine whether the address pair (r1, r2) or (r2, r1) already exists in the connectivity set E; if not, add the adjacent next-hop node group information to the connectivity set E;
Check whether the queue Q is empty; if it is not empty, take the next node from the queue Q and probe its adjacency relationships; otherwise, finish.
The passive probing module 602 is configured to collect data by mirroring network traffic at a traffic aggregation node or switching node of the network, and to perform a multi-dimensional comprehensive analysis of the collected traffic, comprising Ethernet-layer analysis, network-layer analysis and application-layer analysis, to obtain the topology branch information of the network;
Specifically, the embodiment supplements the topology branches and calculates and divides subnets through passive listening, and in this way completes the description of the entire topology step by step. The passive probing module 602 uses a passive network topology profile: data is collected by mirroring network traffic at a traffic aggregation node or switching node of the network, and the collected traffic undergoes a multi-dimensional comprehensive analysis comprising Ethernet-layer analysis, network-layer analysis and application-layer analysis, to obtain the topology branch information of the network.
The passive probing module 602 is specifically configured to:
Statistically analyze network ARP broadcast messages, neighbor discovery messages, layer-2 forwarding data, STP BPDUs and multicast messages, and calculate the network boundary, the corresponding gateways, and the connectivity between nodes;
Based on the five-tuple information of the network layer and transport layer, determine the type and number of Webweb devices present in the network, add the connectivity formed by each source and destination IP address pair to the connectivity set, statistically analyze the traffic of the source and destination IP address pairs, and calculate the traffic volume of each subnet;
Analyze the various application-layer protocol messages to obtain client Agent and server fingerprint information, determine device type and system type information, and obtain routing node and subnet mask information.
The information fusion module 603 is configured to fuse the topology trunk information of the network and the topology branch information of the network, with IP as the dimension, to obtain the network topology of the network.
Specifically, the information fusion module 603 fuses the topology trunk information of the network and the topology branch information of the network with IP as the dimension.
The information fusion module 603 is specifically configured to:
Fuse the topology trunk information and the topology branch information with IP as the dimension to obtain the IP address, subnet mask, VLAN port, gateway IP list, routing device information, neighbor subnet list, whether the node is a Webweb and the number of Webweb hosts, the adjacent host set, and adjacent switching device information;
Here, subnet calculation is carried out through the adjacency relationships and passive interconnectivity detection, the size of a Webweb host group is calculated from the IPID, and subnet connectivity is calculated from the connectivity of hosts.
The network topology probing device provided by embodiments of the present invention completes topology trunk detection through active probing, supplements the topology branches and calculates and divides subnets through passive listening, and performs fusion analysis of the active and passive topology probing information to complete the description of the entire topology. It makes full use of active and passive topology probing information, reduces the impact on the user network, and improves probing efficiency and accuracy.
Fig. 7 is the entity structure schematic diagram of electronic equipment provided in an embodiment of the present invention, as shown in fig. 7, the electronic equipment It may include: processor (processor) 710,720, memory communication interface (Communications Interface) (memory) 730 and communication bus 740, wherein processor 710, communication interface 720, memory 730 pass through communication bus 740 Complete mutual communication.Processor 710 can call the meter that is stored on memory 730 and can run on the processor 710 Calculation machine program, to execute network topology probe method provided by above-mentioned each method embodiment, for example, be based on TCP, UDP And/or ICMP scanning and routing tracking technique carry out active probe to the syntople between equipment in network, described in acquisition The topological trunk information of network;At the traffic aggregation node or switching node of the network using image network flow mode into The acquisition of row data carries out the multidimensional comprising ethernet layer analysis, network layer analysis and application layer analysis to the network flow of acquisition Comprehensive analysis is spent, the topological branch information of the network is obtained;By the topological trunk information of the network and opening up for the network It flutters branch information and carries out information fusion by dimension of IP, obtain the network topology of the network.
In addition, the logic instructions in the above memory 730 may be implemented in the form of software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of the present invention, in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
An embodiment of the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program implements the network topology probe method provided by the above method embodiments, for example including: performing active probing of the adjacency relationships between devices in a network based on TCP, UDP and/or ICMP scanning and route tracing techniques, to obtain the topological trunk information of the network; performing data acquisition by mirroring network traffic at a traffic aggregation node or switching node of the network, and performing multi-dimensional comprehensive analysis, comprising Ethernet layer analysis, network layer analysis and application layer analysis, on the acquired network traffic, to obtain the topological branch information of the network; and fusing the topological trunk information of the network with the topological branch information of the network using IP as the dimension, to obtain the network topology of the network.
The apparatus embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
From the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution, in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the embodiments or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements of some of the technical features, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
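The adjacency-detection loop that claim 2 below specifies (queue Q, connectivity relationship set E, probing origin p) can be replayed offline. The following Python code is an added example, not code from the patent: the addresses, the `trace` replay function, the reading of TTL as hop distance from the origin, and the rule that a non-responding hop breaks adjacency are all assumptions.

```python
from collections import deque

ORIGIN = "10.0.0.100"  # p, the probing origin (constructed address)

# Constructed liveness-scan results: (IP, TTL, rtt_ms). TTL is read here as
# the hop distance from the origin (an assumption about the claim's tuple).
ALIVE = [
    ("10.0.0.1", 1, 0.4),
    ("10.0.1.10", 3, 1.9),
    ("10.0.2.20", 4, 3.0),
]

# Constructed traceroute replies per target, in hop order: (hop_ip, rtt_ms).
# (None, None) marks a hop that did not answer.
TRACES = {
    "10.0.1.10": [("10.0.0.1", 0.4), ("10.0.1.1", 1.1), ("10.0.1.10", 1.9)],
    "10.0.2.20": [("10.0.0.1", 0.5), (None, None),
                  ("10.0.2.1", 2.4), ("10.0.2.20", 3.0)],
}


def trace(ip):
    """Hypothetical stand-in for a traceroute run: replays constructed replies."""
    return TRACES.get(ip, [])


def discover(origin, alive, trace_fn):
    """Return the connectivity set E as a sorted list of (r1, r2, rtt)."""
    queue = deque(alive)   # Q
    edges = {}             # E, keyed by the unordered address pair

    def add(r1, r2, rtt):
        key = frozenset((r1, r2))   # (r1, r2) and (r2, r1) are one link
        if r1 != r2 and key not in edges:
            edges[key] = (r1, r2, rtt)

    while queue:                          # stop once Q is empty
        ip, ttl, rtt = queue.popleft()
        if ttl == 1:                      # directly adjacent to the origin
            add(origin, ip, rtt)
            continue
        prev = origin
        for hop_ip, hop_rtt in trace_fn(ip):
            if hop_ip is None:
                prev = None               # unknown hop: do not bridge over it
                continue
            if prev is not None:
                add(prev, hop_ip, hop_rtt)
            prev = hop_ip
    return sorted(edges.values())


if __name__ == "__main__":
    for r1, r2, rtt in discover(ORIGIN, ALIVE, trace):
        print(f"{r1} -- {r2}  rtt={rtt} ms")
```

The silent hop on the path to 10.0.2.20 leaves 10.0.0.1 and 10.0.2.1 unlinked, so the resulting set contains only adjacencies that were actually observed.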

Claims (10)

1. A network topology probe method, characterized by comprising:
Performing active probing of the adjacency relationships between devices in a network based on TCP, UDP and/or ICMP scanning and route tracing techniques, to obtain the topological trunk information of the network;
Performing data acquisition by mirroring network traffic at a traffic aggregation node or switching node of the network, and performing multi-dimensional comprehensive analysis, comprising Ethernet layer analysis, network layer analysis and application layer analysis, on the acquired network traffic, to obtain the topological branch information of the network;
Fusing the topological trunk information of the network with the topological branch information of the network using IP as the dimension, to obtain the network topology of the network.
2. The network topology probe method according to claim 1, characterized in that performing active probing of the adjacency relationships between devices in the network based on TCP, UDP and/or ICMP scanning and route tracing techniques, to obtain the topological trunk information of the network, specifically comprises:
Initializing a queue Q and a connectivity relationship set E, and assuming that the address of the probing origin is p;
Performing liveness detection on the addresses in a known IP segment using TCP-, UDP- and/or ICMP-based scanning, determining the live devices and recording the (IP, TTL) tuple of each live device, and adding the live devices to the queue Q;
Taking a node out of the queue Q and performing adjacency detection: judging whether the TTL value of the node is 1; if the TTL value of the node is 1, creating the triple (p, r, rtt) for the probing origin and the node, and adding the triple to the connectivity relationship set E; otherwise, performing traceroute tracing on the IP of the node, traversing all nodes on the path, creating adjacent next-hop node tuples (r1, r2, rtt2), and judging whether the address pairs (r1, r2) and (r2, r1) exist in the connectivity relationship set E, and if not, adding the adjacent next-hop node tuple to the connectivity relationship set E;
Checking whether the queue Q is empty; if the queue Q is not empty, taking the next node out of the queue Q for adjacency detection; otherwise, ending.
3. The network topology probe method according to claim 1, characterized in that performing multi-dimensional comprehensive analysis on the acquired network traffic to obtain the topological branch information of the network specifically comprises:
Performing statistical analysis on network ARP broadcast messages, neighbor discovery messages, layer-2 forwarding data, STP BPDUs and multicast messages, and calculating the network boundary, the corresponding gateways and the connectivity relationships between the nodes;
Based on the five-tuple information of the network layer and the transport layer, determining the types and number of network-within-a-network devices present in the network, adding the connectivity relationships formed by source and destination IP address pairs to the connectivity relationship set, performing statistical analysis on the communication traffic of the source and destination IP address pairs, and calculating the traffic volume of the subnets;
Analyzing the various protocol messages of the application layer, obtaining client Agent and server fingerprint information, determining device type information and system type information, and obtaining routing node and subnet mask information.
4. The method according to claim 3, characterized in that performing statistical analysis on network ARP broadcast messages, neighbor discovery messages, layer-2 forwarding data, STP BPDUs and multicast messages, and calculating the network boundary, the corresponding gateways and the connectivity relationships between the nodes, specifically comprises:
Collecting network ARP broadcast messages or neighbor discovery messages, and delimiting the subnet mask of the subnet to which they belong from the ARP request or neighbor discovery request messages generated for the same IP address;
Obtaining the correspondence between VLANs and IP subnets from the layer-2 forwarding data;
Determining root switch and switch port information from STP BPDUs, determining switch vendor information from the MAC address of the switch network interface, and determining the switch port forwarding capability from the port bandwidth;
Collecting multicast messages and determining the subnet mask of the subnet to which they belong.
5. The method according to claim 3, characterized in that analyzing the various protocol messages of the application layer, obtaining client Agent and server fingerprint information, determining device type information and system type information, and obtaining routing node and subnet mask information, specifically comprises:
Obtaining client Agent and server fingerprint information through HTTP and FTP traffic analysis, and analyzing device types and the device type and system type information present in the subnet;
Obtaining routing node and subnet mask information by capturing OSPF and BGP protocol information.
6. The network topology probe method according to claim 1, characterized in that fusing the topological trunk information of the network with the topological branch information of the network using IP as the dimension specifically comprises:
Fusing the topological trunk information of the network with the topological branch information of the network using IP as the dimension, to obtain the IP address, subnet mask, VLAN port to which it belongs, gateway IP list, routing device information, neighbor subnet list, whether it is a network-within-a-network and the number of network-within-a-network hosts, adjacent host set and adjacent switching device information;
Wherein subnet calculation is realized through adjacency relationships and passive connectivity detection, the size of the network-within-a-network host group is calculated according to IPID, and subnet connectivity is calculated according to the connectivity of the hosts.
7. The network topology probe method according to claim 6, characterized in that calculating subnet connectivity according to the connectivity of the hosts specifically comprises:
Creating an adjacency relationship matrix and drawing a subnet connectivity graph;
If a loop exists in the subnet connectivity graph, using the traffic statistics of inter-subnet communication as weights, calculating the minimum spanning tree, and removing the links that produce the loop.
8. A network topology probe device, characterized by comprising:
An active probing module, configured to perform active probing of the adjacency relationships between devices in a network based on TCP, UDP and/or ICMP scanning and route tracing techniques, to obtain the topological trunk information of the network;
A passive probing module, configured to perform data acquisition by mirroring network traffic at a traffic aggregation node or switching node of the network, and to perform multi-dimensional comprehensive analysis, comprising Ethernet layer analysis, network layer analysis and application layer analysis, on the acquired network traffic, to obtain the topological branch information of the network;
An information fusion module, configured to fuse the topological trunk information of the network with the topological branch information of the network using IP as the dimension, to obtain the network topology of the network.
9. An electronic device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the program, implements the steps of the network topology probe method according to any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the network topology probe method according to any one of claims 1 to 7.
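Claim 7's loop removal, as an added example that is not code from the patent: the subnets and byte counts are constructed, and because the claim does not say how traffic statistics become weights, `inverse_traffic` (weight = 1/bytes, so the minimum spanning tree keeps the busiest links) is an assumption.

```python
# Constructed inter-subnet traffic statistics: bytes seen between subnet pairs.
TRAFFIC = {
    ("10.0.0.0/24", "10.0.1.0/24"): 9_000_000,
    ("10.0.1.0/24", "10.0.2.0/24"): 4_000_000,
    ("10.0.0.0/24", "10.0.2.0/24"): 20_000,     # this link closes a loop
    ("10.0.2.0/24", "10.0.3.0/24"): 700_000,
}


def adjacency_matrix(traffic):
    """Build the symmetric subnet adjacency matrix; cells hold traffic volume."""
    nodes = sorted({subnet for pair in traffic for subnet in pair})
    index = {name: i for i, name in enumerate(nodes)}
    matrix = [[0] * len(nodes) for _ in nodes]
    for (a, b), volume in traffic.items():
        matrix[index[a]][index[b]] += volume
        matrix[index[b]][index[a]] += volume
    return nodes, matrix


def inverse_traffic(volume):
    """Assumed weighting: heavy links get small weights and survive the MST."""
    return 1.0 / volume


def prune_loops(nodes, matrix, weight=inverse_traffic):
    """Kruskal minimum spanning tree over the matrix.

    Returns (kept, removed). A link is removed exactly when both of its ends
    are already connected, i.e. when adding it would close a loop, so a
    loop-free graph comes back with an empty 'removed' list.
    """
    parent = list(range(len(nodes)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    links = [(weight(matrix[i][j]), i, j)
             for i in range(len(nodes))
             for j in range(i + 1, len(nodes))
             if matrix[i][j]]
    kept, removed = [], []
    for _, i, j in sorted(links):
        root_i, root_j = find(i), find(j)
        if root_i == root_j:
            removed.append((nodes[i], nodes[j]))
        else:
            parent[root_i] = root_j
            kept.append((nodes[i], nodes[j]))
    return kept, removed


if __name__ == "__main__":
    subnets, adj = adjacency_matrix(TRAFFIC)
    tree, dropped = prune_loops(subnets, adj)
    print("kept:", tree)
    print("removed as loop-forming:", dropped)
```

Passing `weight=lambda v: v` instead keeps the quietest links and drops the 9 MB link between 10.0.0.0/24 and 10.0.1.0/24, so the weighting choice decides which path is treated as redundant.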
CN201910724612.8A 2019-08-07 2019-08-07 Network topology detection method and device Active CN110430080B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910724612.8A CN110430080B (en) 2019-08-07 2019-08-07 Network topology detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910724612.8A CN110430080B (en) 2019-08-07 2019-08-07 Network topology detection method and device

Publications (2)

Publication Number Publication Date
CN110430080A true CN110430080A (en) 2019-11-08
CN110430080B CN110430080B (en) 2021-02-05

Family

ID=68412998

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910724612.8A Active CN110430080B (en) 2019-08-07 2019-08-07 Network topology detection method and device

Country Status (1)

Country Link
CN (1) CN110430080B (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111130883A (en) * 2019-12-25 2020-05-08 杭州安恒信息技术股份有限公司 Method and device for determining topological graph of industrial control equipment and electronic equipment
CN111756598A (en) * 2020-06-23 2020-10-09 北京凌云信安科技有限公司 Asset discovery method based on combination of active detection and flow analysis
CN111814605A (en) * 2020-06-23 2020-10-23 浙江大华技术股份有限公司 Main road identification method, main road identification device and main road storage device based on topological map
CN111934946A (en) * 2020-07-16 2020-11-13 深信服科技股份有限公司 Network equipment identification method, device, equipment and readable storage medium
CN112448963A (en) * 2021-02-01 2021-03-05 博智安全科技股份有限公司 Method, device, equipment and storage medium for analyzing automatic attack industrial assets
CN112532448A (en) * 2020-11-27 2021-03-19 北京知道创宇信息技术股份有限公司 Network topology processing method and device and electronic equipment
CN112653588A (en) * 2020-07-10 2021-04-13 深圳市唯特视科技有限公司 Adaptive network traffic collection method, system, electronic device and storage medium
CN112671553A (en) * 2020-11-26 2021-04-16 中国电子科技网络信息安全有限公司 Industrial control network topological graph generation method based on active and passive detection
CN112751704A (en) * 2020-12-17 2021-05-04 杭州安恒信息技术股份有限公司 Method, device and equipment for checking connectivity of heterogeneous network in network target range
CN113645058A (en) * 2021-06-28 2021-11-12 苏州浪潮智能科技有限公司 Network link flow monitoring method, device and system
CN114124789A (en) * 2021-11-22 2022-03-01 广东电网有限责任公司 Network cooperative detection method, device, equipment and computer medium
CN114157554A (en) * 2021-12-21 2022-03-08 唯品会(广州)软件有限公司 Troubleshooting method and device, storage medium and computer equipment
CN114268551A (en) * 2021-12-16 2022-04-01 南京华飞数据技术有限公司 Autonomous domain level network topology mapping method based on active and passive cooperation
CN114285718A (en) * 2021-12-28 2022-04-05 北京航天数据股份有限公司 Topology generation method and device, electronic equipment and storage medium
CN114338414A (en) * 2022-01-30 2022-04-12 阿里巴巴(中国)有限公司 Backbone network topology discovery method and device and control equipment
CN115277437A (en) * 2022-07-29 2022-11-01 湖南大学 Network topology construction method and device, computer equipment and storage medium
CN115550192A (en) * 2022-11-24 2022-12-30 中孚信息股份有限公司 Method and device for collecting and analyzing asset connection relation based on multi-source data in network
CN115695206A (en) * 2022-11-01 2023-02-03 北京惠而特科技有限公司 Method and device for determining network topology, computer equipment and storage medium
CN116155743A (en) * 2023-04-20 2023-05-23 北京广通优云科技股份有限公司 Third-layer network topology structure correction method in automatic operation and maintenance

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101764759A (en) * 2010-02-10 2010-06-30 黑龙江大学 Path active measurement method based on open shortest path prior message Internet protocol
CN102143007A (en) * 2011-05-03 2011-08-03 中国南方电网有限责任公司 Distribution-based hierarchical network topology discovery method
CN102801567A (en) * 2012-08-28 2012-11-28 北京傲天动联技术有限公司 Method for automatically discovering hierarchical network topology and method for establishing hierarchical network topology
CN104202211A (en) * 2014-08-25 2014-12-10 电子科技大学 Autonomous system level network topology identification method combining active and passive measurement
CN107786366A (en) * 2016-08-31 2018-03-09 北京北信源软件股份有限公司 A kind of LAN internal network topology structural scan method
US20180139104A1 (en) * 2016-11-12 2018-05-17 Solana Networks Inc. Method and System for Discovery and Mapping of a Network Topology

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111130883A (en) * 2019-12-25 2020-05-08 杭州安恒信息技术股份有限公司 Method and device for determining topological graph of industrial control equipment and electronic equipment
CN111130883B (en) * 2019-12-25 2022-12-30 杭州安恒信息技术股份有限公司 Method and device for determining topological graph of industrial control equipment and electronic equipment
CN111756598A (en) * 2020-06-23 2020-10-09 北京凌云信安科技有限公司 Asset discovery method based on combination of active detection and flow analysis
CN111814605A (en) * 2020-06-23 2020-10-23 浙江大华技术股份有限公司 Main road identification method, main road identification device and main road storage device based on topological map
CN111814605B (en) * 2020-06-23 2024-01-19 浙江华睿科技股份有限公司 Main road identification method, main road identification device and storage device based on topological map
CN112653588A (en) * 2020-07-10 2021-04-13 深圳市唯特视科技有限公司 Adaptive network traffic collection method, system, electronic device and storage medium
CN111934946A (en) * 2020-07-16 2020-11-13 深信服科技股份有限公司 Network equipment identification method, device, equipment and readable storage medium
CN112671553A (en) * 2020-11-26 2021-04-16 中国电子科技网络信息安全有限公司 Industrial control network topological graph generation method based on active and passive detection
CN112532448A (en) * 2020-11-27 2021-03-19 北京知道创宇信息技术股份有限公司 Network topology processing method and device and electronic equipment
CN112532448B (en) * 2020-11-27 2023-11-28 北京知道创宇信息技术股份有限公司 Network topology processing method and device and electronic equipment
CN112751704B (en) * 2020-12-17 2022-07-05 杭州安恒信息技术股份有限公司 Method, device and equipment for checking connectivity of heterogeneous network in network target range
CN112751704A (en) * 2020-12-17 2021-05-04 杭州安恒信息技术股份有限公司 Method, device and equipment for checking connectivity of heterogeneous network in network target range
CN112448963A (en) * 2021-02-01 2021-03-05 博智安全科技股份有限公司 Method, device, equipment and storage medium for analyzing automatic attack industrial assets
CN113645058A (en) * 2021-06-28 2021-11-12 苏州浪潮智能科技有限公司 Network link flow monitoring method, device and system
CN114124789A (en) * 2021-11-22 2022-03-01 广东电网有限责任公司 Network cooperative detection method, device, equipment and computer medium
CN114268551A (en) * 2021-12-16 2022-04-01 南京华飞数据技术有限公司 Autonomous domain level network topology mapping method based on active and passive cooperation
CN114157554A (en) * 2021-12-21 2022-03-08 唯品会(广州)软件有限公司 Troubleshooting method and device, storage medium and computer equipment
CN114157554B (en) * 2021-12-21 2024-02-23 唯品会(广州)软件有限公司 Fault checking method and device, storage medium and computer equipment
CN114285718A (en) * 2021-12-28 2022-04-05 北京航天数据股份有限公司 Topology generation method and device, electronic equipment and storage medium
CN114285718B (en) * 2021-12-28 2024-02-09 北京航天数据股份有限公司 Topology generation method and device, electronic equipment and storage medium
CN114338414A (en) * 2022-01-30 2022-04-12 阿里巴巴(中国)有限公司 Backbone network topology discovery method and device and control equipment
CN114338414B (en) * 2022-01-30 2024-01-16 阿里巴巴(中国)有限公司 Backbone network topology discovery method, device and control equipment
CN115277437B (en) * 2022-07-29 2023-12-01 湖南大学 Network topology construction method, device, computer equipment and storage medium
CN115277437A (en) * 2022-07-29 2022-11-01 湖南大学 Network topology construction method and device, computer equipment and storage medium
CN115695206A (en) * 2022-11-01 2023-02-03 北京惠而特科技有限公司 Method and device for determining network topology, computer equipment and storage medium
CN115550192B (en) * 2022-11-24 2023-03-14 中孚信息股份有限公司 Method and device for collecting and analyzing asset connection relation based on multi-source data in network
CN115550192A (en) * 2022-11-24 2022-12-30 中孚信息股份有限公司 Method and device for collecting and analyzing asset connection relation based on multi-source data in network
CN116155743A (en) * 2023-04-20 2023-05-23 北京广通优云科技股份有限公司 Third-layer network topology structure correction method in automatic operation and maintenance
CN116155743B (en) * 2023-04-20 2023-07-07 北京广通优云科技股份有限公司 Third-layer network topology structure correction method in automatic operation and maintenance

Also Published As

Publication number Publication date
CN110430080B (en) 2021-02-05

Similar Documents

Publication Publication Date Title
CN110430080A (en) Network topology probe method and device
EP3222005B1 (en) Passive performance measurement for inline service chaining
EP3222006B1 (en) Passive performance measurement for inline service chaining
Haddadi et al. Network topologies: inference, modeling, and generation
US8844041B1 (en) Detecting network devices and mapping topology using network introspection by collaborating endpoints
Spring et al. Measuring ISP topologies with Rocketfuel
US8077718B2 (en) Distributed network management
Motamedi et al. A survey of techniques for internet topology discovery
EP2984798B1 (en) Identification of paths taken through a network of interconnected devices
ES2617196T3 (en) Route identification in a network of mixed routing / switching devices
CN108781171A (en) System and method for using data plane signal notice packet to capture in IPV6 environment
ES2626578T3 (en) Identification of an output port of a device
WO2016157133A1 (en) Method of packet marking for flow analytics
Waddington et al. Topology discovery for public IPv6 networks
US8165038B2 (en) Network physical connection inference for IP tunnels
US9531598B2 (en) Querying a traffic forwarding table
US10868728B2 (en) Graph-based network management
CN109088756B (en) Network topology completion method based on network equipment identification
Marchetta et al. Measuring networks using IP options
Raspall Building Nemo, a system to monitor IP routing and traffic paths in real time
US20230327983A1 (en) Performance measurement in a segment routing network
Wang et al. A Survey on the Classic Active Measurement Methods for IPv6
Almehmadi The State of the Art in Internet Topology Discovery
Golkar Measuring and Comparing the Stability of Internet Paths over IPv4 & IPv6
Lawrence End-to-End Approachesfor Ethernet Switch Level Topology Discovery

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant