CN110719215B - Flow information acquisition method and device of virtual network - Google Patents

Publication number
CN110719215B
Authority
CN
China
Prior art keywords
information
forwarding
message information
aggregation module
message
Legal status
Active
Application number
CN201910999665.0A
Other languages
Chinese (zh)
Other versions
CN110719215A (en)
Inventor
胡延楠
Current Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification
    • H04L49/00 Packet switching elements
    • H04L49/70 Virtual switches

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the application disclose a method and a device for collecting flow information of a virtual network, and relate to the field of cloud computing. One embodiment of the method comprises: acquiring message information in a virtual network; in response to determining that the message information matches the matching domain of a preset forwarding rule, forwarding meta information of the message information to an aggregation module specified by a forwarding instruction, by means of the forwarding instruction in the action domain of the preset forwarding rule; and, based on the meta information of the message information, obtaining the flow information of the virtual switch through statistics by the aggregation module. Because only the meta information of message information that matches the matching domain of the forwarding rule is forwarded to the aggregation module for statistics, unnecessary message information is not counted; and because only the meta information of the message information is forwarded to the aggregation module, and the data volume of the meta information is small, the overhead of data forwarding is reduced.

Description

Flow information acquisition method and device of virtual network
Technical Field
The embodiment of the application relates to the technical field of computers, in particular to a method and a device for acquiring flow information of a virtual network.
Background
With the rapid growth of cloud services, more and more services are hosted on cloud computing platforms. As services grow more complex, the traffic of the cloud platform also shows explosive growth. The traffic increase not only tests the carrying capacity of the cloud network, but also poses a greater challenge for traffic monitoring of the cloud network.
Currently, in a virtual network, the traffic statistics component is implemented in ovs-vswitchd. The ovs-vswitchd daemon is a core component of OVS (Open vSwitch, an open virtual switch standard) and, together with the datapath kernel module, implements the flow-based data exchange of OVS. For each data packet that requires flow collection, OVS has to copy the message from the datapath to ovs-vswitchd in some way, and ovs-vswitchd then classifies and counts it. When counting large volumes of traffic, copying the data packets and transferring them from the datapath to ovs-vswitchd causes a large overhead, and flow collection is likely to affect the normal forwarding of data packets.
Disclosure of Invention
The embodiment of the application provides a method and a device for acquiring flow information of a virtual network.
In a first aspect, an embodiment of the present application provides a method for acquiring flow information of a virtual network, where the method includes: acquiring message information in a virtual network; in response to determining that the message information is matched with a matching domain of a preset forwarding rule, forwarding meta information of the message information to an aggregation module specified by a forwarding instruction through the forwarding instruction in an action domain of the preset forwarding rule, wherein the matching domain is used for identifying the message information corresponding to the forwarding rule, and the action domain is used for representing instruction information executed on the matched message information; and based on the meta-information of the message information, the flow information of the virtual switch is obtained through statistics of the aggregation module.
In some embodiments, the meta information of the message information includes a local area network address and a forwarding port, wherein the forwarding port is a forwarding port for data transmission between a virtual switch and a virtual machine in the virtual network; and obtaining the flow information of the virtual switch through statistics by the aggregation module, based on the meta information of the message information, includes: identifying, by the aggregation module, the virtual private network attribute information corresponding to the message information according to the local area network address and the forwarding port of the message information; and, based on the virtual private network attribute information, obtaining through statistics by the aggregation module the flow information of the virtual private network corresponding to the message information.
In some embodiments, forwarding the meta information of the message information to the aggregation module specified by the forwarding instruction, by means of the forwarding instruction in the action domain of the preset forwarding rule, in response to determining that the message information matches the matching domain of the preset forwarding rule, includes: in response to determining that the message information matches the matching domain of the preset forwarding rule, adding an access identifier to the message information, wherein the access identifier is used for representing whether the security access rule of the virtual network accepts the access request of the terminal corresponding to the message information; and forwarding the meta information of the message information to which the access identifier has been added to the aggregation module specified by the forwarding instruction, by means of the forwarding instruction in the action domain of the preset forwarding rule, wherein the meta information includes the access identifier.
In some embodiments, obtaining the flow information of the virtual switch through statistics by the aggregation module, based on the meta information of the message information, includes: based on the access identifier of the message information, obtaining through statistics by the aggregation module flow information that distinguishes whether the flow information is accepted by the security access rule.
In some embodiments, forwarding the meta information of the message information to the aggregation module specified by the forwarding instruction, by means of the forwarding instruction in the action domain of the preset forwarding rule, in response to determining that the message information matches the matching domain of the preset forwarding rule, includes: storing the meta information of the message information into a cache in response to determining that the message information matches the matching domain of the preset forwarding rule; and, in response to reaching the preset export moment, forwarding the meta information of the message information in the cache to the aggregation module specified by the forwarding instruction, by means of the forwarding instruction in the action domain of the preset forwarding rule.
In a second aspect, an embodiment of the present application provides a flow information collecting apparatus for a virtual network, where the apparatus includes: an acquisition unit configured to acquire message information in a virtual network; the forwarding unit is configured to forward meta information of the message information to an aggregation module specified by a forwarding instruction through the forwarding instruction in an action domain in the preset forwarding rule in response to determining that the message information is matched with the matching domain of the preset forwarding rule, wherein the matching domain is used for identifying the message information corresponding to the forwarding rule, and the action domain is used for representing instruction information executed on the matched message information; and the statistical unit is configured to obtain the flow information of the virtual switch through statistics of the aggregation module based on the meta information of the message information.
In some embodiments, the meta information of the message information includes a local area network address and a forwarding port, wherein the forwarding port is a forwarding port for data transmission between a virtual switch and a virtual machine in the virtual network; the statistical unit is further configured to identify, through the aggregation module, the virtual private network attribute information corresponding to the message information according to the local area network address and the forwarding port of the message information; and, based on the virtual private network attribute information, to obtain through statistics by the aggregation module the flow information of the virtual private network corresponding to the message information.
In some embodiments, the forwarding unit is further configured to add, in response to determining that the message information matches the matching field of the preset forwarding rule, an access identifier to the message information, the access identifier being used to characterize whether the security access rule of the virtual network accepts an access request of the terminal corresponding to the message information; and forwarding the meta information of the message information added with the access identifier to an aggregation module specified by the forwarding instruction through the forwarding instruction in the action domain in the preset forwarding rule, wherein the meta information comprises the access identifier.
In some embodiments, the statistical unit is further configured to statistically obtain, by the aggregation module, flow information that distinguishes whether the flow information is accepted by the security access rule, based on the access identifier of the message information.
In some embodiments, the forwarding unit is further configured to store the meta information of the message information into the cache in response to determining that the message information matches the matching domain of the preset forwarding rule; and, in response to reaching the preset export moment, to forward the meta information of the message information in the cache to the aggregation module specified by the forwarding instruction, by means of the forwarding instruction in the action domain of the preset forwarding rule.
In a third aspect, the present application provides a computer-readable medium, on which a computer program is stored, where the program, when executed by a processor, implements the method as described in any implementation manner of the first aspect.
In a fourth aspect, an embodiment of the present application provides an electronic device, including: one or more processors; a storage device having one or more programs stored thereon, which when executed by one or more processors, cause the one or more processors to implement a method as described in any implementation of the first aspect.
In the method and the device for acquiring the flow information of the virtual network provided by the embodiments of the application, message information in the virtual network is first acquired; then, in response to determining that the message information matches the matching domain of a preset forwarding rule, meta information of the message information is forwarded to the aggregation module specified by a forwarding instruction, by means of the forwarding instruction in the action domain of the preset forwarding rule; then, based on the meta information of the message information, the flow information of the virtual switch is obtained through statistics by the aggregation module. Because only the meta information of message information that matches the matching domain of the forwarding rule is forwarded to the aggregation module for statistics, unnecessary message information is not counted; in addition, because only the meta information of the message information is forwarded to the aggregation module, and the data volume of the meta information is small, the overhead of data forwarding is reduced.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 is an exemplary system architecture diagram in which one embodiment of the present application may be applied;
FIG. 2 is a flow diagram of one embodiment of a flow information collection method of a virtual network according to the present application;
FIG. 3 is a schematic diagram of an application scenario of a flow information collection method of a virtual network according to the present embodiment;
FIG. 4 is a flowchart of yet another embodiment of a flow information collection method of a virtual network according to the present application;
FIG. 5 is a block diagram of one embodiment of a flow information collection apparatus for a virtual network according to the present application;
FIG. 6 is a block diagram of a computer system suitable for use in implementing embodiments of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
Fig. 1 shows an exemplary architecture 100 to which the flow information collection method and apparatus of the virtual network of the present application may be applied.
As shown in fig. 1, the system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The terminal devices 101, 102, 103 may be hardware devices or software that support network connections for data interaction and data processing. When the terminal devices 101, 102, and 103 are hardware, they may be various electronic devices with functions of information interaction, network connection, and the like, including but not limited to smart phones, tablet computers, e-book readers, laptop computers, desktop computers, and the like. When the terminal devices 101, 102, 103 are software, they can be installed in the electronic devices listed above. They may be implemented, for example, as multiple pieces of software or software modules to provide distributed services, or as a single piece of software or software module. This is not particularly limited herein.
The server 105 may be a server that provides various services, such as a server that provides functions of virtual network connection, data processing, and the like to the terminal apparatuses 101, 102, 103. The server can store or process various received data and feed back the processing result to the terminal equipment.
It should be noted that the flow information collection method of the virtual network provided by the embodiment of the present disclosure may be executed by the server 105; accordingly, the flow information collection apparatus of the virtual network may be provided in the server 105. This is not particularly limited herein.
The server may be hardware or software. When the server is hardware, it may be implemented as a distributed server cluster formed by multiple servers, or may be implemented as a single server. When the server is software, it may be implemented as multiple pieces of software or software modules, for example, to provide distributed services, or as a single piece of software or software module. This is not particularly limited herein.
It should be understood that the number of terminal devices and servers in fig. 1 is merely illustrative. There may be any number of terminal devices and servers, as desired for implementation.
With continued reference to fig. 2, a flow 200 of an embodiment of a flow information collection method of a virtual network according to the present application is shown, comprising the steps of:
Step 201, obtaining message information in the virtual network.
In this embodiment, the virtual network is a computer network that consists at least in part of virtual network links. Virtual network links are implemented by network virtualization, rather than involving a physical connection between two computing devices. In a virtual network, VMs (virtual machines) can be connected to a virtual switch, and by means of the virtual switch, a logical virtual Ethernet interface can be provided for VMs or containers running on the server, so as to implement distribution and forwarding of network data.
In this embodiment, the message information is a data unit exchanged and transmitted in the virtual network, and includes complete data information such as a source IP (Internet Protocol) address, a source port, a destination IP address, a destination port, a transport layer protocol, time, and message data. In the virtual network, the message information is distributed and forwarded through the virtual switch.
The execution body (for example, the server in fig. 1) is provided with a virtual switch, and can acquire message information in the virtual network.
Step 202, in response to determining that the message information matches the matching domain of the preset forwarding rule, forwarding the meta information of the message information to the aggregation module specified by the forwarding instruction through the forwarding instruction in the action domain of the preset forwarding rule.
In this embodiment, the preset matching rule includes at least a matching domain and an action domain. The matching domain is used for identifying the message information corresponding to the forwarding rule, and the action domain is used for representing the instruction information executed on the matched message information.
The matching domain includes, but is not limited to, the following fields: virtual local area network ID (identifier), virtual local area network priority, source IP address, destination IP address, IP protocol, source port, destination port, transport layer protocol. The action domain includes, but is not limited to, the following instructions: an instruction for forwarding the meta information of the message information, an instruction for discarding the message information when a condition is satisfied, and an instruction for assigning a queue ID to the message in order to implement QoS (Quality of Service).
For example, a preset forwarding rule may take the form "source IP is 11:11:11:11/24, destination IP is 10.10.10.0/24, action is to collect flow statistics and forward from port 10". This preset forwarding rule indicates that the meta information of message information whose source IP is 11:11:11:11/24 and whose destination IP is 10.10.10.0/24 is forwarded from port 10 to the aggregation module for flow information statistics.
In this embodiment, the execution body identifies the message information that matches the matching domain of the preset matching rule, and forwards the meta information of the matched message information to the aggregation module by means of the forwarding instruction in the action domain of the preset forwarding rule.
In some optional implementations, the execution main body forwards the meta information of the message information at preset export moments, so that the meta information is forwarded in batches and the operation overhead caused by forwarding the meta information of the message information in real time is reduced. Specifically, the execution main body stores the meta information of the message information into a cache in response to determining that the message information matches the matching domain of a preset forwarding rule; and, in response to reaching the preset export moment, forwards the meta information of the message information in the cache to the aggregation module specified by the forwarding instruction, by means of the forwarding instruction in the action domain of the preset forwarding rule.
In some optional implementations, the preset forwarding rule may be implemented by an OpenFlow protocol.
In this embodiment, the meta information of the message information is obtained by extracting feature information in the message information, and includes a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol.
Step 203, obtaining the flow information of the virtual switch through statistics by the aggregation module, based on the meta information of the message information.
In this embodiment, the aggregation module may obtain the corresponding flow information through statistics on all or part of the meta information of the message information. For example, the aggregation module may count the message information whose meta information is "source IP address A, source port B, destination IP address A', destination port B', transport layer protocol C", to obtain the flow information corresponding to that meta information. The flow information includes, but is not limited to, the number of packets, the number of bytes, and the start time and end time of the flow.
In some optional implementations, the meta information of the message information further includes a local area network address and a forwarding port, wherein the forwarding port is used for data transmission between a virtual switch and a virtual machine in the virtual network. The execution body can obtain flow information that distinguishes virtual private networks according to the meta information of the message information. Specifically, the execution main body identifies, through the aggregation module, the virtual private network attribute information corresponding to the message information according to the local area network address and the forwarding port of the message information; and, based on the virtual private network attribute information, obtains through statistics by the aggregation module the flow information of the virtual private network corresponding to the message information.
In the embodiment, the execution main body forwards the meta information of the matched message information to the aggregation module for statistics based on the matching domain of the forwarding rule, so that unnecessary message information is prevented from being counted; and only the meta information of the message information is forwarded to the aggregation module, so that the data volume of the meta information is small, and the overhead during data forwarding is reduced.
Fig. 3 schematically shows an application scenario of the flow information collection method of the virtual network according to the present embodiment. The server 301 is provided with a virtual server and a virtual switch, and the virtual server forwards and distributes network data through the virtual switch to provide virtual network services for a plurality of companies, including a company 302, a company 303, and a company 304. While providing the virtual network service, the server obtains the message information of the plurality of companies; by matching against the matching domains of the preset matching rules, the server identifies the message information of companies 302 and 303, forwards the meta information of that message information to the aggregation module specified by the forwarding instruction by means of the forwarding instruction in the action domain of the preset forwarding rule, and obtains the flow information of companies 302 and 303 through statistics by the aggregation module.
With continuing reference to fig. 4, a schematic flow 400 of another embodiment of a flow information collection method of a virtual network according to the present application is shown, comprising the following steps:
Step 401, obtaining message information in the virtual network.
In this embodiment, step 401 is performed in a manner similar to step 201, and is not described herein again.
Step 402, in response to determining that the message information matches the matching domain of the preset forwarding rule, adding an access identifier to the message information.
In this embodiment, the access identifier is used to characterize whether the security access rule of the virtual network accepts the access request of the terminal corresponding to the message information.
While distributing the message information, the virtual switch in the execution main body can identify whether the message information is accepted by the security access rule, and adds corresponding feature information to the message information based on the identification result of the security access rule. The execution main body adds the access identifier to the message information by identifying this feature information, which indicates whether the message information is accepted by the security access rule of the virtual network.
Step 403, forwarding the meta information of the message information added with the access identifier to an aggregation module specified by the forwarding instruction through the forwarding instruction in the action domain in the preset forwarding rule.
In this embodiment, the forwarding action of the execution subject on the meta information of the packet information is performed in a similar manner to the forwarding action in step 202, but the difference is that the meta information of the packet information in this embodiment includes the access identifier.
Step 404, obtaining the flow information of the virtual switch through statistics by the aggregation module, based on the meta information of the message information.
In this embodiment, the execution main body may obtain, through the aggregation module, the corresponding flow information according to the meta information statistics of the message information. In some optional implementation manners, the meta information of the message information includes an access identifier, and the execution subject may statistically obtain flow information that distinguishes whether the flow information is accepted by the security access rule according to the access identifier of the message information.
In some optional implementations, the execution body may obtain flow information through statistics on part of the meta information of the message information, and then perform statistics again on that flow information based on other meta information. For example, the execution main body obtains the flow information X through statistics on the source IP address, source port, destination IP address, destination port, and transport layer protocol in the meta information of the message information, and then, on the basis of the flow information X, performs statistics again according to the access identifier to distinguish whether the flow information X is flow information accepted by the security access rule.
As can be seen from fig. 4, compared with the embodiment corresponding to fig. 2, a flow 400 of the flow information collection method of the virtual network in this embodiment specifically illustrates that the meta information of the message information may further include an access identifier, and the access identifier may be used to distinguish whether the flow information is accepted by the security access rule.
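The pipeline of flows 200 and 400 described above, as an added Python sketch that is not part of the patent: a rule matches messages, caches only their meta information, exports the cache at each export moment, and the aggregation module keeps per-flow counters split by the access identifier. The class and function names, the port-based security access rule, the source prefix 192.0.2.0/24 and the sample traffic are all assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

# Message information as the virtual switch sees it (constructed layout).
Packet = namedtuple("Packet", "ts src_ip src_port dst_ip dst_port proto payload")
# Meta information only: five-tuple, access identifier, size, time. No payload.
Meta = namedtuple("Meta", "src_ip src_port dst_ip dst_port proto accepted length ts")
ACCEPTED_DST_PORTS = {443}  # hypothetical security access rule: accept HTTPS only


class Aggregator:
    """Aggregation module: per-flow statistics, split by the access identifier."""

    def __init__(self):
        self.flows = {}

    def add(self, m):
        key = (m.src_ip, m.src_port, m.dst_ip, m.dst_port, m.proto)
        flow = self.flows.setdefault(key, {
            "start": m.ts, "end": m.ts,
            "accepted": {"packets": 0, "bytes": 0},
            "denied": {"packets": 0, "bytes": 0}})
        flow["start"] = min(flow["start"], m.ts)
        flow["end"] = max(flow["end"], m.ts)
        bucket = flow["accepted" if m.accepted else "denied"]
        bucket["packets"] += 1
        bucket["bytes"] += m.length

    def denied_by_source(self):
        """Denied packet count per source IP, a starting point for alerting."""
        totals = {}
        for key, flow in self.flows.items():
            if flow["denied"]["packets"]:
                totals[key[0]] = totals.get(key[0], 0) + flow["denied"]["packets"]
        return totals


class ForwardingRule:
    """Matching domain (two prefixes) and an action naming the aggregation module."""

    def __init__(self, src_net, dst_net, aggregator):
        self.src_net = ipaddress.ip_network(src_net)
        self.dst_net = ipaddress.ip_network(dst_net)
        self.aggregator = aggregator
        self.cache = []  # meta information waiting for the next export moment

    def offer(self, pkt):
        """Cache the meta information of a matching message; ignore the rest."""
        if (ipaddress.ip_address(pkt.src_ip) not in self.src_net
                or ipaddress.ip_address(pkt.dst_ip) not in self.dst_net):
            return False
        accepted = pkt.dst_port in ACCEPTED_DST_PORTS  # the access identifier
        self.cache.append(Meta(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port,
                               pkt.proto, accepted, len(pkt.payload), pkt.ts))
        return True

    def export(self):
        """Forward the cached meta information to the aggregation module."""
        batch, self.cache = self.cache, []
        for meta in batch:
            self.aggregator.add(meta)
        return len(batch)


def collect(packets, rule, export_interval):
    """Feed messages in time order, exporting the cache at each export moment."""
    matched, next_export = 0, None
    for pkt in sorted(packets, key=lambda p: p.ts):
        if next_export is None:
            next_export = pkt.ts + export_interval
        while pkt.ts >= next_export:
            rule.export()
            next_export += export_interval
        if rule.offer(pkt):
            matched += 1
    rule.export()  # flush what is still cached at the end of the run
    return matched


# Constructed sample traffic; 10.10.10.0/24 is the destination prefix of the
# page's example rule, the source addresses are documentation ranges.
SAMPLE = [
    Packet(0.0, "192.0.2.10", 40000, "10.10.10.5", 443, "tcp", b"\x00" * 100),
    Packet(0.5, "192.0.2.10", 40000, "10.10.10.5", 443, "tcp", b"\x00" * 300),
    Packet(1.0, "192.0.2.77", 51000, "10.10.10.5", 22, "tcp", b"\x00" * 60),
    Packet(1.2, "192.0.2.77", 51001, "10.10.10.6", 22, "tcp", b"\x00" * 60),
    Packet(1.4, "198.51.100.9", 1234, "10.10.10.5", 443, "tcp", b"\x00" * 500),
    Packet(2.5, "192.0.2.77", 51000, "10.10.10.5", 22, "tcp", b"\x00" * 60),
]


def demo():
    aggregator = Aggregator()
    rule = ForwardingRule("192.0.2.0/24", "10.10.10.0/24", aggregator)
    return collect(SAMPLE, rule, export_interval=1.0), aggregator


if __name__ == "__main__":
    matched, agg = demo()
    print(matched, "messages matched; denied by source:", agg.denied_by_source())
```

The message from 198.51.100.9 falls outside the matching domain and never reaches the aggregation module, and the payload bytes of matched messages are counted but not forwarded.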
With continuing reference to fig. 5, as an implementation of the method shown in the above-mentioned figures, the present disclosure provides an embodiment of a flow information collecting apparatus for a virtual network, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 2, and the apparatus may be specifically applied to various electronic devices.
As shown in fig. 5, the flow information collecting apparatus includes: an acquisition unit 501, a forwarding unit 502 and a statistics unit 503.
An obtaining unit 501 configured to obtain message information in a virtual network; a forwarding unit 502 configured to, in response to determining that the packet information matches a matching domain of a preset forwarding rule, forward meta information of the packet information to an aggregation module specified by a forwarding instruction through a forwarding instruction in an action domain in the preset forwarding rule, where the matching domain is used to identify the packet information corresponding to the forwarding rule, and the action domain is used to represent instruction information executed on the matched packet information; and a counting unit 503 configured to count flow information of the virtual switch by the aggregation module based on the meta information of the message information.
In some embodiments, the meta information of the message information includes a local area network address and a forwarding port, where the forwarding port is a forwarding port for data transmission between a virtual switch and a virtual machine in a virtual network. The statistics unit 503 is further configured to identify, by the aggregation module, the virtual private network attribute information corresponding to the message information according to the local area network address and the forwarding port of the message information, and to obtain, through statistics by the aggregation module and based on the virtual private network attribute information, the flow information of the virtual private network corresponding to the message information.
In some embodiments, the forwarding unit 502 is further configured to add, in response to determining that the message information matches the matching field of the preset forwarding rule, an access identifier to the message information, where the access identifier is used to characterize whether the security access rule of the virtual network accepts an access request of the terminal corresponding to the message information; and forwarding the meta information of the message information added with the access identifier to an aggregation module specified by the forwarding instruction through the forwarding instruction in the action domain in the preset forwarding rule, wherein the meta information comprises the access identifier.
In some embodiments, the statistics unit 503 is further configured to obtain, through statistics by the aggregation module and based on the access identifier of the message information, flow information that distinguishes whether the flow is accepted by the security access rule.
In some embodiments, the forwarding unit 502 is further configured to store the meta information of the message information into a cache in response to determining that the message information matches the matching domain of the preset forwarding rule, and, in response to the arrival of a preset export moment, to forward the meta information of the message information in the cache to the aggregation module specified by the forwarding instruction, through the forwarding instruction in the action domain of the preset forwarding rule.
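The two-stage statistics described for flow 400 (5-tuple first, then the access identifier) and the cache-then-export behaviour of the forwarding unit, sketched as an added Python example that is not code from the patent. The field names, the byte counter, the numeric clock and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import NamedTuple


class FlowKey(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Meta:
    """Meta information of one matched message (field names are assumptions)."""
    key: FlowKey
    accepted: bool  # access identifier: accepted by the security access rule?
    nbytes: int     # assumed byte counter; the page does not list one


class Aggregator:
    """Aggregation module: two-stage statistics over forwarded meta information."""

    def __init__(self):
        self.received = []

    def receive(self, batch):
        self.received.extend(batch)

    def flow_info(self):
        """Stage 1: flow information X, keyed by the 5-tuple."""
        flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
        for m in self.received:
            flows[m.key]["packets"] += 1
            flows[m.key]["bytes"] += m.nbytes
        return dict(flows)

    def flow_info_by_access(self):
        """Stage 2: re-count each flow X by its access identifier."""
        split = {k: {"accepted": 0, "rejected": 0} for k in self.flow_info()}
        for m in self.received:
            split[m.key]["accepted" if m.accepted else "rejected"] += 1
        return split


class ExportCache:
    """Forwarding side: cache meta information, forward it at each export moment."""

    def __init__(self, aggregator, interval):
        self.aggregator, self.interval = aggregator, interval
        self.next_export = interval
        self.buffer = []

    def on_match(self, meta):
        self.buffer.append(meta)  # message matched the forwarding rule

    def tick(self, now):
        """Forward the cached records if the export moment has arrived."""
        if now < self.next_export:
            return 0
        batch, self.buffer = self.buffer, []
        self.aggregator.receive(batch)
        while self.next_export <= now:
            self.next_export += self.interval
        return len(batch)


def run_demo():
    """Constructed sample: one flow with mixed verdicts, one fully rejected."""
    web = FlowKey("10.0.0.5", 40000, "10.0.1.9", 443, "tcp")
    ssh = FlowKey("10.0.0.7", 51000, "10.0.1.9", 22, "tcp")
    agg = Aggregator()
    cache = ExportCache(agg, interval=10)
    exported = []
    for m in (Meta(web, True, 100), Meta(web, True, 200), Meta(ssh, False, 60)):
        cache.on_match(m)
    exported.append(cache.tick(5))    # before the export moment: nothing forwarded
    exported.append(cache.tick(10))   # export moment reached: cache is forwarded
    for m in (Meta(ssh, False, 60), Meta(web, False, 40)):
        cache.on_match(m)
    exported.append(cache.tick(20))
    return agg, exported, web, ssh
```

Keeping the rejected counter per 5-tuple is what lets an operator pick out flows that the security access rule is consistently denying.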
Referring now to FIG. 6, shown is a block diagram of a computer system 600 suitable for use in implementing devices of embodiments of the present application (e.g., devices 101, 102, 103, 105 shown in FIG. 1). The apparatus shown in fig. 6 is only an example, and should not bring any limitation to the function and use range of the embodiments of the present application.
As shown in fig. 6, the computer system 600 includes a processor (e.g., CPU, central processing unit) 601 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the system 600 are also stored. The processor 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to the bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is installed in the storage section 608 as necessary.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program, when executed by the processor 601, performs the above-described functions defined in the method of the present application.
It should be noted that the computer readable medium of the present application can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the client computer, partly on the client computer, as a stand-alone software package, partly on the client computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the client computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present application may be implemented by software or hardware. The described units may also be provided in a processor, and may be described as: a processor includes an acquisition unit, a forwarding unit, and a statistics unit. The names of these units do not in some cases form a limitation on the unit itself, and for example, the acquiring unit may also be described as a unit for "acquiring message information in a virtual network".
As another aspect, the present application also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments, or may exist separately without being incorporated into the apparatus. The computer readable medium carries one or more programs which, when executed by the apparatus, cause the apparatus to: acquire message information in a virtual network; in response to determining that the message information matches a matching domain of a preset forwarding rule, forward meta information of the message information to an aggregation module specified by a forwarding instruction, through the forwarding instruction in an action domain of the preset forwarding rule, wherein the matching domain is used for identifying the message information corresponding to the forwarding rule, and the action domain is used for representing instruction information executed on the matched message information; and, based on the meta information of the message information, obtain the flow information of the virtual switch through statistics by the aggregation module.
The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention herein disclosed is not limited to the particular combination of features described above, but also encompasses other arrangements formed by any combination of the above features or their equivalents without departing from the spirit of the invention. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.

Claims (10)

1. A flow information collection method of a virtual network, wherein the method comprises the following steps:
acquiring message information in a virtual network;
in response to determining that the packet information matches the matching domain of a preset forwarding rule, forwarding meta information of the packet information to an aggregation module specified by a forwarding instruction through the forwarding instruction in an action domain in the preset forwarding rule, including: storing the meta information of the message information into a cache in response to determining that the message information is matched with a matching field of a preset forwarding rule; in response to the arrival of a preset export moment, forwarding meta information of the message information in the cache to an aggregation module specified by a forwarding instruction through the forwarding instruction in an action domain in the preset forwarding rule; the matching domain is used for identifying message information corresponding to the forwarding rule, and the action domain is used for representing instruction information executed on the matched message information;
and counting to obtain the flow information of the virtual switch through the aggregation module based on the meta information of the message information.
2. The method of claim 1, wherein the meta information of the packet information comprises: a local area network address and a forwarding port, wherein the forwarding port is used for data transmission between a virtual switch and a virtual machine in a virtual network;
the obtaining of the flow information of the virtual switch through the statistics of the aggregation module based on the meta information of the message information includes:
identifying virtual private network attribute information corresponding to the message information through the aggregation module according to the local area network address and the forwarding port of the message information;
and based on the attribute information of the virtual private network, counting by an aggregation module to obtain the flow information of the virtual private network corresponding to the message information.
3. The method of claim 1, wherein the forwarding, in response to determining that the packet information matches a matching field of a preset forwarding rule, meta information of the packet information to an aggregation module specified by a forwarding instruction in an action field of the preset forwarding rule comprises:
in response to determining that the message information is matched with a matching domain of a preset forwarding rule, adding an access identifier for the message information, wherein the access identifier is used for representing whether a security access rule of a virtual network accepts an access request of a terminal corresponding to the message information;
and forwarding the meta information of the message information added with the access identifier to an aggregation module appointed by the forwarding instruction through the forwarding instruction in the action domain in the preset forwarding rule, wherein the meta information comprises the access identifier.
4. The method according to claim 3, wherein the obtaining, by the aggregation module, flow information of the virtual switch based on the meta information of the packet information includes:
and counting to obtain flow information which distinguishes whether to be accepted by the security access rule or not through the aggregation module based on the access identifier of the message information.
5. A flow information collecting apparatus of a virtual network, wherein the apparatus comprises:
an acquisition unit configured to acquire message information in a virtual network;
a forwarding unit configured to, in response to determining that the packet information matches a matching domain of a preset forwarding rule, forward meta information of the packet information to an aggregation module specified by a forwarding instruction in an action domain in the preset forwarding rule, including: storing the meta information of the message information into a cache in response to determining that the message information is matched with a matching field of a preset forwarding rule; in response to the arrival of a preset export moment, forwarding meta information of the message information in the cache to an aggregation module specified by a forwarding instruction through the forwarding instruction in an action domain in the preset forwarding rule; the matching domain is used for identifying message information corresponding to the forwarding rule, and the action domain is used for representing instruction information executed on the matched message information;
and the statistical unit is configured to obtain the flow information of the virtual switch through statistics of the aggregation module based on the meta information of the message information.
6. The apparatus of claim 5, wherein the meta information of the packet information comprises: a local area network address and a forwarding port, wherein the forwarding port is used for data transmission between a virtual switch and a virtual machine in a virtual network;
the statistical unit is further configured to identify, by the aggregation module, virtual private network attribute information corresponding to the message information according to a local area network address and a forwarding port of the message information; and based on the attribute information of the virtual private network, counting by an aggregation module to obtain the flow information of the virtual private network corresponding to the message information.
7. The apparatus of claim 5, wherein,
the forwarding unit is further configured to add an access identifier to the message information in response to determining that the message information matches a matching domain of a preset forwarding rule, wherein the access identifier is used for representing whether a security access rule of a virtual network accepts an access request of a terminal corresponding to the message information; and forwarding the meta information of the message information added with the access identifier to an aggregation module appointed by the forwarding instruction through the forwarding instruction in the action domain in the preset forwarding rule, wherein the meta information comprises the access identifier.
8. The apparatus of claim 7, wherein,
the statistical unit is further configured to obtain, through the aggregation module, flow information for distinguishing whether the flow information is accepted by the security access rule based on the access identifier of the packet information.
9. A computer-readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the method of any one of claims 1-4.
10. An electronic device, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-4.
CN201910999665.0A 2019-10-21 2019-10-21 Flow information acquisition method and device of virtual network Active CN110719215B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910999665.0A CN110719215B (en) 2019-10-21 2019-10-21 Flow information acquisition method and device of virtual network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910999665.0A CN110719215B (en) 2019-10-21 2019-10-21 Flow information acquisition method and device of virtual network

Publications (2)

Publication Number Publication Date
CN110719215A CN110719215A (en) 2020-01-21
CN110719215B CN110719215B (en) 2022-02-18

Family

ID=69213936

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910999665.0A Active CN110719215B (en) 2019-10-21 2019-10-21 Flow information acquisition method and device of virtual network

Country Status (1)

Country Link
CN (1) CN110719215B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111355639A (en) * 2020-03-10 2020-06-30 北京意锐新创科技有限公司 Heartbeat packet forwarding method and device suitable for payment equipment
CN113709052B (en) * 2020-05-21 2024-02-27 中移(苏州)软件技术有限公司 Processing method and device of network message, electronic equipment and storage medium
CN111786973B (en) * 2020-06-19 2022-09-23 北京百度网讯科技有限公司 Stream log acquisition method, device, equipment and storage medium
CN113783825B (en) * 2020-09-15 2023-12-05 北京京东尚科信息技术有限公司 Message flow statistics method and device
CN115529245A (en) * 2021-06-25 2022-12-27 深信服科技股份有限公司 Stream information completion method and device, cloud host equipment and computer storage medium
CN113824772B (en) * 2021-08-30 2023-04-18 济南浪潮数据技术有限公司 Data acquisition method, system and device based on cloud network and readable storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103997415A (en) * 2013-02-20 2014-08-20 中兴通讯股份有限公司 Apparatus and method for realizing message statistics
CN104063267B (en) * 2014-07-11 2017-11-14 孙强强 A kind of virtual machine traffic monitoring method and system
US9781037B2 (en) * 2015-09-15 2017-10-03 Cisco Technology, Inc. Method and apparatus for advanced statistics collection
CN107682275B (en) * 2016-08-01 2020-08-04 新华三技术有限公司 Message monitoring method and device
CN109981403A (en) * 2019-03-05 2019-07-05 北京勤慕数据科技有限公司 Virtual machine network data traffic monitoring method and device

Also Published As

Publication number Publication date
CN110719215A (en) 2020-01-21

Similar Documents

Publication Publication Date Title
CN110719215B (en) Flow information acquisition method and device of virtual network
US9356844B2 (en) Efficient application recognition in network traffic
CN108491267B (en) Method and apparatus for generating information
CN110198248B (en) Method and device for detecting IP address
CN107465693B (en) Request message processing method and device
CN113364804B (en) Method and device for processing flow data
CN112039796A (en) Data packet transmission method and device, storage medium and electronic equipment
CN112416632B (en) Event communication method and device, electronic equipment and computer readable medium
CN110427304A (en) O&M method, apparatus, electronic equipment and medium for banking system
US20230164148A1 (en) Enhanced cloud infrastructure security through runtime visibility into deployed software
US11064021B2 (en) Method, device and computer program product for managing network system
CN110545230B (en) Method and device for forwarding VXLAN message
CN108399046B (en) File operation request processing method and device
US11616759B2 (en) Increased coverage of application-based traffic classification with local and cloud classification services
CN113115120B (en) Video slicing method and device, electronic equipment and storage medium
US9948694B2 (en) Addressing application program interface format modifications to ensure client compatibility
CN114490280A (en) Log processing method, device, equipment and medium
US20210336890A1 (en) Determining network flow direction
CN113778499A (en) Method, device, equipment and computer readable medium for publishing service
CN115374207A (en) Service processing method and device, electronic equipment and computer readable storage medium
US10516767B2 (en) Unifying realtime and static data for presenting over a web service
CN117312761B (en) Method and device for calculating data fragment processing time
CN115250254B (en) Netflow message distribution processing method and device
US9674282B2 (en) Synchronizing SLM statuses of a plurality of appliances in a cluster
US11824767B2 (en) Communication system and method of verifying continuity

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20200121

Assignee: Beijing Intellectual Property Management Co.,Ltd.

Assignor: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY Co.,Ltd.

Contract record no.: X2023110000093

Denomination of invention: Method and device for collecting flow information in virtual networks

Granted publication date: 20220218

License type: Common License

Record date: 20230818
