CN114244560B - Flow processing method and device, electronic equipment and storage medium


Info

Publication number
CN114244560B
Authority
CN
China
Prior art keywords
data packet
network card
point information
hook point
data
Legal status
Active
Application number
CN202111327821.2A
Other languages
Chinese (zh)
Other versions
CN114244560A (en)
Inventor
李拓
Current Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic


Abstract

Embodiments of the invention provide a traffic processing method and a traffic processing apparatus. The method comprises the following steps: receiving traffic data, hook point information and a packet filtering rule, where the traffic data corresponds to the hook point information; sending the hook point information to a network card control module in kernel mode; filtering the traffic data with the packet filtering rule to obtain at least one first packet that matches the rule, and sending the hook point information and the at least one first packet to a network card driver module in kernel mode; and capturing at least one second packet of the virtual network card in kernel mode, where the second packet is the traffic passing through the virtual network card. The method allows packets to be retained and analyzed in real time at any position by a libpcap-based traffic processing tool, and implements in user mode a network traffic filtering rule equivalent to the kernel's packet filtering function, so that packet filtering rules can be matched dynamically.

Description

Flow processing method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of information security, and in particular, to a flow processing method and apparatus.
Background
For forensic tracing or diagnostic analysis, industrial control network security devices often need to retain samples of specific network traffic at suitable hook points while that traffic is being processed.
In the prior art, a network security device embeds code for retaining packet samples in the service logic of its data forwarding flow, and the packet filtering function is hard-coded. In IT networks, filtering rules based on IP addresses and ports are generally sufficient, but industrial control networks often need to filter on packet content to decide which packet samples to retain, and the message formats of the various industrial control protocols differ, so hard-coded filtering logic cannot meet the dynamically configurable filtering requirements of practical deployments.
Existing open-source network traffic capture and analysis tools based on the libpcap library, such as Wireshark, have powerful data filtering and analysis functions, but they can only save and analyze packets received and transmitted by a network card and cannot be used at an arbitrary hook point of a user-space program.
Disclosure of Invention
To address the problems in the prior art, embodiments of the invention provide a traffic processing method and a traffic processing apparatus.
Specifically, embodiments of the invention provide the following technical solutions:
In a first aspect, an embodiment of the present invention provides a traffic processing method, applied in user mode, including: receiving traffic data, hook point information and a packet filtering rule, where the traffic data corresponds to the hook point information and the hook point information indicates the position at which the traffic data is intercepted; sending the hook point information to a network card control module in kernel mode, the network card control module being used to create a virtual network card corresponding to the hook point information; filtering the traffic data with the packet filtering rule to obtain at least one first packet that matches the rule, and sending the hook point information and the at least one first packet to a network card driver module in kernel mode, the network card driver module being used to drive the virtual network card corresponding to the at least one first packet according to the hook point information; and capturing at least one second packet of the virtual network card in kernel mode, where the second packet is the traffic passing through the virtual network card.
Further, filtering the traffic data with the packet filtering rule to obtain at least one first packet that matches the rule includes: converting the packet filtering rule into BPF bytecode instructions; and filtering the traffic data with the BPF bytecode instructions to obtain the at least one first packet that matches them.
In a second aspect, an embodiment of the present invention provides a traffic processing method, applied in kernel mode, including: receiving hook point information through a network card control module and creating a virtual network card corresponding to the hook point information; receiving and storing at least one first packet and the hook point information through a network card driver module, where the at least one first packet corresponds to the hook point information and represents a packet that matches a packet filtering rule, and sending the at least one first packet to the corresponding virtual network card according to the hook point information; and obtaining at least one second packet through the virtual network card.
Further, the network card driver module comprises a cache descriptor and a packet receiving thread, and receiving and storing the at least one first packet and the hook point information through the network card driver module, where the at least one first packet corresponds to the hook point information, and sending the at least one first packet to the corresponding virtual network card according to the hook point information includes: receiving and storing the at least one first packet and the hook point information through the cache descriptor, where the at least one first packet corresponds to the hook point information; and the packet receiving thread sending the at least one first packet to the corresponding virtual network card according to the hook point information.
Further, obtaining at least one second packet through the virtual network card includes: judging whether the network card name of the virtual network card is a preset network card name and, if so, obtaining the at least one second packet after the AF_PACKET logic has run in the virtual network card, and then discarding the at least one second packet.
In a third aspect, an embodiment of the present invention further provides a traffic processing apparatus, applied in user mode, including: a first processing module for receiving traffic data, hook point information and a packet filtering rule, where the traffic data corresponds to the hook point information and the hook point information indicates the position at which the traffic data is intercepted; a second processing module for sending the hook point information to a network card control module in kernel mode, the network card control module being used to create a virtual network card corresponding to the hook point information; a third processing module for filtering the traffic data with the packet filtering rule to obtain at least one first packet that matches the rule and sending the hook point information and the at least one first packet to a network card driver module in kernel mode, the network card driver module being used to drive the virtual network card corresponding to the at least one first packet according to the hook point information; and a fourth processing module for capturing at least one second packet of the virtual network card in kernel mode, where the second packet is the traffic passing through the virtual network card.
In a fourth aspect, an embodiment of the present invention further provides a traffic processing apparatus, applied in kernel mode, including: a fifth processing module for receiving the hook point information through the network card control module and creating a virtual network card corresponding to the hook point information; a sixth processing module configured to receive and store at least one first packet and the hook point information through the network card driver module, where the at least one first packet corresponds to the hook point information and represents a packet that matches a packet filtering rule, and to send the at least one first packet to the corresponding virtual network card according to the hook point information; and a seventh processing module for obtaining at least one second packet through the virtual network card.
In a fifth aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the steps of the flow processing method according to the first aspect when the processor executes the program.
In a sixth aspect, embodiments of the present invention also provide a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the flow processing method according to the first aspect.
In a fifth aspect, embodiments of the present invention also provide a computer program product having stored thereon executable instructions which when executed by a processor cause the processor to implement the steps of the flow processing method according to the first or second aspect.
According to the traffic processing method and apparatus provided by embodiments of the invention, traffic data, hook point information and a packet filtering rule are received, where the traffic data corresponds to the hook point information and the hook point information indicates the position at which the traffic data is intercepted; the hook point information is sent to a network card control module in kernel mode, which creates a virtual network card corresponding to the hook point information; the traffic data is filtered with the packet filtering rule to obtain at least one first packet that matches the rule, and the hook point information and the at least one first packet are sent to a network card driver module in kernel mode, which drives the virtual network card corresponding to the at least one first packet according to the hook point information; and at least one second packet of the virtual network card is captured in kernel mode, the second packet being the traffic passing through the virtual network card. The invention thus allows packets to be retained and analyzed in real time at any position by a libpcap-based traffic processing tool, and implements in user mode a network traffic filtering rule equivalent to the kernel's packet filtering function, so that packet filtering rules can be matched dynamically.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an embodiment of a traffic processing method of the present invention;
FIG. 2 is a flow chart of another embodiment of a traffic processing method of the present invention;
FIG. 3 is a schematic diagram of an application scenario of the traffic processing method of the present invention;
FIG. 4 is a schematic diagram of an embodiment of a traffic processing apparatus according to the present invention;
FIG. 5 is a schematic diagram of another embodiment of a traffic processing apparatus according to the present invention;
FIG. 6 is a schematic structural diagram of an embodiment of an electronic device according to the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
FIG. 1 is a flow chart of an embodiment of the traffic processing method of the present invention, applied in user mode. As shown in FIG. 1, the traffic processing method of this embodiment includes:
S101, receiving traffic data, hook point information and a packet filtering rule, where the traffic data corresponds to the hook point information and the hook point information indicates the position at which the traffic data is intercepted.
The traffic data may have arbitrary content. The position indicated by the hook point information, at which the traffic data is intercepted, lies inside the application program, so it is not traffic at the network card that is intercepted. The packet filtering rule may be user-defined (for example, filtering on a given keyword) or obtained by invoking predefined rules. When the traffic data, hook point information and packet filtering rule are received, the computer is in user mode. User mode and kernel mode are the two privilege levels of an operating system; Intel CPUs provide the privilege levels Ring 0 to Ring 3, of which Ring 0 is the highest and Ring 3 the lowest. Privilege level 0 (Ring 0) is reserved for operating system code and device driver code, which run in kernel mode, while privilege level 3 (Ring 3) is used by ordinary user programs, which run in user mode.
S102, sending the hook point information to a network card control module in kernel mode, the network card control module being used to create a virtual network card corresponding to the hook point information.
In some embodiments, when a task (process) makes a system call and is trapped into kernel code, the process is said to be in the kernel running state (kernel mode): the processor executes kernel code at the highest privilege level (level 0), and that kernel code may use the kernel stack of the current process; each process has its own kernel stack. When a process executes its own code, it is said to be in the user running state (user mode): the processor runs user code at the lowest privilege level (level 3). Kernel mode and user mode switch between each other through programmed interrupts, hardware interrupts, software interrupts and the like. For example, Linux runs user mode at Ring 3 and kernel mode at Ring 0, and does not use Ring 1 or Ring 2; code at Ring 3 cannot access the address space of Ring 0, including its code and data. Of the 4 GB address space of a Linux process, the 3 GB to 4 GB part is shared and is the kernel-mode address space; it holds the code of the whole kernel, all kernel modules and the data the kernel maintains. When a user runs a program, the process it creates starts in user mode; to perform file operations, network transmission or similar work it must invoke system calls such as write or send, which call code in the kernel to complete the operation (here, the hook point information is sent to the network card control module in kernel mode, and the network card control module creates the virtual network card corresponding to the hook point information by running kernel code). At that point the system has to switch to Ring 0 and enter the kernel address space at 3 GB to 4 GB to execute that code; after the system call completes, it switches back to Ring 3, that is, to user mode.
Thus a user-mode program cannot operate on the kernel address space at will, which provides a degree of protection.
S103, filtering the traffic data with the packet filtering rule to obtain at least one first packet that matches the rule, and sending the hook point information and the at least one first packet to a network card driver module in kernel mode, the network card driver module being used to drive the virtual network card corresponding to the at least one first packet according to the hook point information.
In some embodiments, filtering the traffic data with the packet filtering rule may be done by a packet filter that examines every packet passing through it and blocks those that do not satisfy the established rules. A packet filter may filter on criteria such as the protocol (TCP, UDP, etc.), the source address, the destination address, the destination port (request type), the transmission direction of the packet (whether it is sent towards the Internet or the local area network), a signature of the packet in a database, and so on. Filtering the traffic data through the packet filter yields at least one first packet; at this point execution switches from user mode to kernel mode. Because the hook point information corresponds to the traffic data (and hence to the first packets), the kernel-mode network card driver module is invoked and, according to the hook point information (which in turn corresponds to a virtual network card), drives the virtual network card corresponding to the at least one first packet.
S104, capturing at least one second packet of the virtual network card in kernel mode, where the second packet is the traffic passing through the virtual network card.
In some embodiments, once the at least one first packet has been sent to kernel mode, its processing in the kernel takes place mainly between the network card and the protocol stack: data received from the network card is delivered to the protocol stack for processing, and the protocol stack passes the data to be transmitted (that is, the at least one second packet) out through the network. Because the at least one first packet passes through a network card (the virtual network card) while being processed by the kernel, the at least one second packet becomes traffic passing through a network card, to which existing open-source libpcap-based capture and analysis tools such as Wireshark can be applied. Since the at least one first packet is data that can be captured at any hook point by means of the packet filtering rule, deriving the at least one second packet from it makes it possible to use a libpcap-based traffic processing tool at any hook point to preserve samples of network data.
According to the traffic processing method provided by this embodiment, traffic data, hook point information and a packet filtering rule are received, where the traffic data corresponds to the hook point information and the hook point information indicates the position at which the traffic data is intercepted; the hook point information is sent to a network card control module in kernel mode, which creates a virtual network card corresponding to the hook point information; the traffic data is filtered with the packet filtering rule to obtain at least one first packet that matches the rule, and the hook point information and the at least one first packet are sent to a network card driver module in kernel mode, which drives the virtual network card corresponding to the at least one first packet according to the hook point information; and at least one second packet of the virtual network card is captured in kernel mode, the second packet being the traffic passing through the virtual network card. The invention thus allows packets to be retained and analyzed in real time at any position by a libpcap-based traffic processing tool, and implements in user mode a network traffic filtering rule equivalent to the kernel's packet filtering function, so that packet filtering rules can be matched dynamically.
In some alternative implementations, filtering the traffic data with the packet filtering rule to obtain at least one first packet that matches the rule includes: converting the packet filtering rule into BPF bytecode instructions; and filtering the traffic data with the BPF bytecode instructions to obtain at least one first packet that matches them.
As an example, the Berkeley Packet Filter (BPF) aims to provide a way of filtering packets (here, filtering the traffic data with BPF bytecode instructions) while avoiding useless copying of packets from kernel space to user space. It originally consisted of simple bytecode injected into the kernel from user space, checked there by a verifier to avoid kernel crashes or security problems, and attached to a socket, after which it runs on each received packet. The packet filtering rule may also be converted into extended Berkeley Packet Filter (eBPF) bytecode; eBPF provides a kernel packet filtering mechanism that extends the functions of BPF and enriches its instruction set. In this invention a BPF interpreter is implemented so that packets are filtered in user mode, and filtering rules based on BPF bytecode can be injected dynamically.
As an example, as shown in FIG. 3, user mode may include a data sending module, a filtering instruction generation module, a filtering instruction execution module, and a start-stop control module.
(1) Data sending module. It runs in user mode and sends packets to kernel mode. During initialization, /dev/mem can be mapped into the process address space through the mmap system call, which yields the offset between physical addresses and user-mode virtual addresses. When user mode sends a packet to kernel mode, the following steps are executed:
step 1-1, determine the caller's hook point information, obtain the physical address pdes of the virtual network card cache descriptor of the target virtual network card, and convert pdes into a user-mode virtual address;
step 1-2, call the filtering instruction execution module, and exit if it reports that the packet does not match;
step 1-3, take the physical address paddr of the data field of an skb from the free packet storage area;
step 1-4, add the offset to paddr and convert it into a user-mode virtual address uaddr;
step 1-5, copy the content of the packet to be sent into the pkt_data area;
step 1-6, fill in the data_len field;
step 1-7, fill in the dev_name field according to the source hook point information of the packet;
step 1-8, put paddr into the available packet storage area.
(2) Filtering instruction generation module. Filtering rules written by the user in tcpdump format are converted into BPF bytecode through the libpcap library or a similar library.
(3) Filtering instruction execution module. In the prior art, BPF machine instructions are passed down to the kernel and executed by the operating system kernel. The invention additionally implements a BPF bytecode interpreter in user space.
The execution steps are as follows:
step 2-1, decode the instruction and extract its opcode, operand, jump address and other fields;
step 2-2, according to the opcode, invoke the security check logic for that instruction: for a division instruction, check whether the divisor is 0; if the check fails, exit;
step 2-3, call the execution logic for the instruction and interpret it;
step 2-4, return to step 2-1 until a ret instruction is encountered, which returns 1 (the packet is a first packet matching the packet filtering rule) or 0 (the packet does not match the packet filtering rule).
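As an added example (not code from the patent), a user-space interpreter for classic BPF bytecode in the spirit of the filtering instruction execution module above and the BPF discussion under S103: it decodes each instruction, applies the step 2-2 security check (rejecting division by zero, jumps that leave the program and unsupported opcodes) and returns the filter's verdict. The opcode values are the standard cBPF encoding; the function names, the hand-assembled filter (a Modbus/TCP rule, not tcpdump output) and the test frame are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; }; /* same layout as struct sock_filter */

/* Standard cBPF opcode bit values: instruction class, size, addressing mode, op, source. */
enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_ALU = 0x04, BPF_JMP = 0x05, BPF_RET = 0x06 };
enum { BPF_W = 0x00, BPF_H = 0x08, BPF_B = 0x10, BPF_IMM = 0x00, BPF_ABS = 0x20, BPF_IND = 0x40, BPF_MSH = 0xa0 };
enum { BPF_DIV = 0x30, BPF_JA = 0x00, BPF_JEQ = 0x10, BPF_JSET = 0x40, BPF_K = 0x00, BPF_X = 0x08, BPF_A = 0x10 };
#define CLS(c)  ((c) & 0x07)
#define SZ(c)   ((c) & 0x18)
#define MODE(c) ((c) & 0xe0)
#define OP(c)   ((c) & 0xf0)
#define BPF_STMT(code, k) { (code), 0, 0, (k) }
#define BPF_JUMP(code, k, jt, jf) { (code), (jt), (jf), (k) }
#define BPF_CHECK_FAILED (-1)

/* Big-endian load of 1, 2 or 4 bytes; returns 0 if the access would leave the packet. */
static int load(const uint8_t *p, size_t len, uint64_t off, int sz, uint32_t *out)
{
    size_t need = sz == BPF_W ? 4 : sz == BPF_H ? 2 : 1;
    if (off > len || len - off < need) return 0;
    for (*out = 0; need; need--) *out = (*out << 8) | p[off++];
    return 1;
}

/* Interpret a cBPF program over one packet. Returns the filter's ret value (0 = reject,
 * nonzero = accept); a load past the end of the packet rejects it, as the kernel does.
 * Division by zero, a jump leaving the program and unsupported opcodes fail the
 * per-instruction security check (step 2-2) and return BPF_CHECK_FAILED. */
int64_t bpf_run(const struct bpf_insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0, v;
    size_t pc = 0;
    while (pc < n) {
        const struct bpf_insn *in = &prog[pc++];
        uint32_t src = (in->code & BPF_X) ? X : in->k;       /* operand: index register or k */
        switch (CLS(in->code)) {
        case BPF_LD:
            if (MODE(in->code) == BPF_IMM) { A = in->k; break; }
            if (MODE(in->code) != BPF_ABS && MODE(in->code) != BPF_IND) return BPF_CHECK_FAILED;
            if (!load(pkt, len, (MODE(in->code) == BPF_IND ? (uint64_t)X : 0) + in->k, SZ(in->code), &A)) return 0;
            break;
        case BPF_LDX:
            if (MODE(in->code) == BPF_IMM) { X = in->k; break; }
            if (MODE(in->code) != BPF_MSH) return BPF_CHECK_FAILED;
            if (!load(pkt, len, in->k, BPF_B, &v)) return 0;
            X = 4 * (v & 0x0f);                               /* ldxb 4*([k]&0xf): IPv4 header length */
            break;
        case BPF_ALU:
            if (OP(in->code) != BPF_DIV) return BPF_CHECK_FAILED;
            if (src == 0) return BPF_CHECK_FAILED;            /* the divisor must not be zero */
            A /= src;
            break;
        case BPF_JMP: {
            size_t target;
            if (OP(in->code) == BPF_JA) target = pc + in->k;
            else if (OP(in->code) == BPF_JEQ) target = pc + (A == src ? in->jt : in->jf);
            else if (OP(in->code) == BPF_JSET) target = pc + ((A & src) ? in->jt : in->jf);
            else return BPF_CHECK_FAILED;
            if (target >= n) return BPF_CHECK_FAILED;         /* jump must stay inside the program */
            pc = target;
            break;
        }
        case BPF_RET: return SZ(in->code) == BPF_A ? A : in->k;
        default: return BPF_CHECK_FAILED;
        }
    }
    return BPF_CHECK_FAILED;                                  /* fell off the end without a ret */
}

/* Hand-assembled equivalent of the tcpdump rule "ip and tcp dst port 502" (Modbus/TCP, the
 * protocol the patent uses for its hook-point example). Jump offsets count from the next
 * instruction, so every reject edge lands on the final "ret #0". */
static const struct bpf_insn modbus_filter[] = {
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 12),             /* A = EtherType */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 8),  /* not IPv4 -> reject */
    BPF_STMT(BPF_LD | BPF_B | BPF_ABS, 23),             /* A = IP protocol */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 6, 0, 6),       /* not TCP -> reject */
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 20),             /* A = IP flags + fragment offset */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, 0x1fff, 4, 0), /* non-first fragment -> reject */
    BPF_STMT(BPF_LDX | BPF_B | BPF_MSH, 14),            /* X = IPv4 header length */
    BPF_STMT(BPF_LD | BPF_H | BPF_IND, 16),             /* A = TCP dst port at 14 + X + 2 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 502, 0, 1),     /* port 502 ? accept : reject */
    BPF_STMT(BPF_RET | BPF_K, 0xffffffff),              /* accept: keep the whole packet */
    BPF_STMT(BPF_RET | BPF_K, 0),                       /* reject */
};

/* A program the security check must refuse: the constant divisor is zero. */
static const struct bpf_insn div_by_zero[] = {
    BPF_STMT(BPF_LD | BPF_IMM, 10), BPF_STMT(BPF_ALU | BPF_DIV | BPF_K, 0), BPF_STMT(BPF_RET | BPF_A, 0),
};
#define FRAME_LEN 54 /* constructed frame: Ethernet 14 + IPv4 20 + TCP 20, no payload */

/* Runs modbus_filter over a constructed IPv4/TCP frame with the given destination port,
 * truncated to `len` bytes so that the short-packet path can be exercised. */
int64_t run_modbus_filter(uint16_t dport, size_t len)
{
    /* EtherType 0x0800, version 4 / IHL 5, flags DF, protocol TCP; all other bytes zero. */
    uint8_t f[FRAME_LEN] = { [12] = 0x08, [13] = 0x00, [14] = 0x45, [20] = 0x40, [23] = 6 };
    f[36] = (uint8_t)(dport >> 8); f[37] = (uint8_t)dport;  /* TCP destination port */
    return bpf_run(modbus_filter, sizeof modbus_filter / sizeof *modbus_filter, f, len < FRAME_LEN ? len : FRAME_LEN);
}
int64_t run_div_by_zero(void) { uint8_t f[1] = { 0 }; return bpf_run(div_by_zero, 3, f, 1); }
```

A verdict of 0xffffffff keeps the whole packet, 0 drops it, and BPF_CHECK_FAILED means the program itself was refused before it could run to completion.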
(4) Start-stop control module. It controls switching the packet capture function on and off. The switch-on process comprises the following steps:
step 3-1, obtain the switch-on command issued by the user through the human-computer interface; the command includes the hook point information to switch on and the packet filtering rule information;
step 3-2, notify the virtual network card control module through a netlink socket to create a virtual network card with a specified name in the operating system. For example, if the hook point to be sampled is the entry of the Modbus protocol parsing module and the hook point information includes a number, say 25, a virtual network card named sample25 is created;
step 3-3, call the filtering instruction generation module to generate BPF bytecode from the filtering rule issued by the user, and pass the BPF bytecode to the data sending module through inter-process communication;
step 3-4, start a libpcap-based packet capture and analysis tool on the sample25 network card;
step 3-5, notify the data sending module to switch on the packet capture function for the specified hook point;
step 3-6, the data forwarding process sends the ingress traffic of the Modbus protocol parsing module to the kernel protocol stack through the data sending module, where it is finally captured by the libpcap tool.
The switch-off process comprises the following steps:
step 4-1, notify the data forwarding process to switch off the packet capture function for the specified hook point;
step 4-2, wait for the processing of packets already sent to the kernel to complete;
step 4-3, close the libpcap-based packet capture and analysis tool;
step 4-4, notify the virtual network card control module through the netlink socket to remove the specified virtual network card from the operating system.
FIG. 2 is a flow chart of another embodiment of the flow processing method of the present invention, which is applied to kernel mode. As shown in fig. 2, the flow processing method in the embodiment of the present invention includes:
s201, receiving hook point information through a network card control module, and establishing a virtual network card corresponding to the hook point information.
In some embodiments, each data packet capturing hook point is regarded as a virtual network card, so that multiplexing of the data packet capturing analysis tool based on the network card is realized. The network card control module as shown in fig. 3 may be used to create virtual and delete virtual network cards. The network card control module monitors a netlink socket in the kernel, and the start-stop control module for the user mode is communicated with the network card control module. The network card control module may provide two functions:
(1) Hot-plug virtual network card
In the kernel of the operating system, a virtual network card is established and registered in a kernel protocol stack. The name of the network card is generally the number of sample+hook point information. For example, the hook point information of virus detection is numbered 34, and a network card named sample34 is dynamically inserted in the kernel protocol stack.
(2) Hot-unplugged virtual network card
Unregisters a hot-plugged virtual network card from the kernel protocol stack. For example, dev_get_by_name() can be used to look up the net_device pointer by network card name, and unregister_netdevice() then removes the network card from the kernel protocol stack (note that dev_get_by_name() takes a reference on the device, which must be released with dev_put() once the card is removed).
S202, at least one first data packet and hook point information are received and stored through the network card driving module, the at least one first data packet corresponds to the hook point information, the at least one first data packet is sent to a corresponding virtual network card according to the hook point information, and the first data packet represents a data packet conforming to a data packet filtering rule.
In some alternative implementations, the network card driver module includes a cache descriptor and a packet receiving thread; and receiving and storing at least one first data packet and hook point information through the network card driving module, the at least one first data packet corresponding to the hook point information, and sending the at least one first data packet to a corresponding virtual network card according to the hook point information, comprises: receiving and storing at least one first data packet and hook point information through the cache descriptor, wherein the at least one first data packet corresponds to the hook point information; and the packet receiving thread sending the at least one first data packet to the corresponding virtual network card according to the hook point information.
As an example, as shown in fig. 3, the kernel mode includes a network card driver module, which allows a user-mode libpcap-based packet capture analysis program to select a virtual network card and capture packets from it. The virtual network card is not associated with any real physical network card, and its physical (MAC) address is randomly generated.
The virtual network card driver module contains three core sub-modules: the virtual network card cache descriptor, a packet receiving thread and a packet sending interface.
(1) Virtual network card cache descriptor
The virtual network card driver implements a memory-based cache descriptor, which is essentially a contiguous region allocated in physical memory and contains two first-in first-out queues:
(a) Idle packet queue: stores the physical address of the data field of an empty sk_buff (sk_buff, abbreviated skb, is the kernel structure that holds a data packet). The queue is filled once at system start-up, and one skb is added every time the packet receiving thread fetches an skb from the available packet queue.
Filling procedure:
step1, call dev_alloc_skb() to allocate an skb, and initialize the virt_addr field of the skb data area (the remaining fields are filled by the user-mode data path sub-module).
In the prior art, the data field of the skb is used to store the contents of the data packet. In the present invention, the data field is interpreted as the following format:
TABLE 1 field meanings
step2, convert the skb data pointer from a kernel virtual address to the physical address paddr through virt_to_phys().
step3, put paddr into the idle packet queue.
(b) Available packet queue: stores the physical address of the data field of an skb; it is filled by the data sending module when a packet is sent.
(2) Packet receiving thread
This kernel thread polls the available packet queue and submits the data packets sent by the data path to the kernel protocol stack, with the following steps:
step1, take a physical address paddr out of the available packet queue, and go to step6 if this fails;
step2, convert paddr into a kernel virtual address kaddr through phys_to_virt();
step3, read virt_addr, data_len and dev_name through kaddr, and fill in the metadata part of the sk_buff according to these three fields;
step4, advance the data pointer of the sk_buff to point at pkt_data;
step5, submit the data packet to the packet receiving interface of the virtual network card named by dev_name, which submits it to the operating system kernel protocol stack;
step6, the kernel protocol stack checks the network card: if its name starts with sample, the packet is discarded after the AF_PACKET logic has run. The upper protocol stack is not traversed, so application-layer network programs running on the machine are not affected, and since the packet is actively emitted as soon as it is received, the retained (captured) packets are not affected either;
step7, yield the CPU for a period of time, then return to step1.
(3) Packet sending interface
The virtual network card is not used for data communication, but the operating system may still send a DHCP or other data packet through it. The interface simply frees any packet the operating system sends down to it.
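The cache descriptor and packet receiving thread described above, as an added user-space model that is not the patent's code: the skb data area is laid out with the fields the description names (virt_addr, data_len, dev_name, pkt_data; their order and widths are assumptions), the two FIFO queues carry slot indices in place of physical addresses because virt_to_phys()/phys_to_virt() are not available outside the kernel, and `datapath_send()`, `receiver_poll_once()` and `is_sample_card()` are hypothetical names for the data path hand-off, one polling round of steps 1-5, and the step 6 name check.

```c
#include <stdint.h>
#include <string.h>

#define QUEUE_SLOTS    8      /* skb data areas in the descriptor (constructed size) */
#define DEV_NAME_LEN   16     /* IFNAMSIZ */
#define AREA_WORDS     256    /* 2048-byte data area, kept as uint64_t for alignment */

/* Layout of an skb data area as the driver interprets it (assumed order). */
struct area_hdr {
    uint64_t virt_addr;              /* kernel virtual address of this area */
    uint32_t data_len;               /* number of packet bytes in pkt_data */
    char     dev_name[DEV_NAME_LEN]; /* target card, e.g. "sample34" */
};
#define PKT_DATA_OFF  sizeof(struct area_hdr)
#define PKT_DATA_MAX  (AREA_WORDS * 8 - PKT_DATA_OFF)

/* FIFO of "physical addresses"; slot indices stand in for paddr here. */
struct addr_queue { uint32_t slots[QUEUE_SLOTS]; unsigned head, tail; };

static int q_push(struct addr_queue *q, uint32_t v) {
    if (q->tail - q->head == QUEUE_SLOTS) return -1;           /* full */
    q->slots[q->tail++ % QUEUE_SLOTS] = v;
    return 0;
}
static int q_pop(struct addr_queue *q, uint32_t *v) {
    if (q->tail == q->head) return -1;                         /* empty */
    *v = q->slots[q->head++ % QUEUE_SLOTS];
    return 0;
}

/* The cache descriptor: contiguous memory plus the two queues. */
struct cache_desc {
    uint64_t area[QUEUE_SLOTS][AREA_WORDS];
    struct addr_queue idle_q;    /* (a) idle packet queue */
    struct addr_queue avail_q;   /* (b) available packet queue */
};

static struct area_hdr *area_of(struct cache_desc *d, uint32_t slot) {
    return (struct area_hdr *)d->area[slot];
}

/* Fill steps 1-3: every area is set up once at start-up, virt_addr is
 * written by the driver and its address is queued in the idle queue. */
static void desc_init(struct cache_desc *d) {
    memset(d, 0, sizeof *d);
    for (uint32_t i = 0; i < QUEUE_SLOTS; i++) {
        area_of(d, i)->virt_addr = (uint64_t)(uintptr_t)area_of(d, i);
        q_push(&d->idle_q, i);
    }
}

/* User-mode data path: take an idle area, fill the remaining fields and the
 * packet bytes, then publish the area on the available queue. */
static int datapath_send(struct cache_desc *d, const char *dev,
                         const uint8_t *pkt, uint32_t len) {
    uint32_t slot;
    if (len > PKT_DATA_MAX || q_pop(&d->idle_q, &slot) < 0) return -1;
    struct area_hdr *h = area_of(d, slot);
    h->data_len = len;
    strncpy(h->dev_name, dev, DEV_NAME_LEN - 1);
    h->dev_name[DEV_NAME_LEN - 1] = '\0';
    memcpy((uint8_t *)h + PKT_DATA_OFF, pkt, len);
    return q_push(&d->avail_q, slot);
}

/* One polling round of the packet receiving thread (steps 1-5). Returns 1
 * and fills dev/len/pkt when a packet was dequeued, 0 when the queue was
 * empty (the real thread then yields the CPU). In the kernel the consumed
 * skb is replaced by a fresh dev_alloc_skb(); this model returns the same
 * area to the idle queue, so *pkt is only valid until the next send. */
static int receiver_poll_once(struct cache_desc *d, char *dev,
                              uint32_t *len, const uint8_t **pkt) {
    uint32_t slot;
    if (q_pop(&d->avail_q, &slot) < 0) return 0;  /* step1: nothing queued */
    struct area_hdr *h = area_of(d, slot);        /* step2: paddr -> kaddr */
    memcpy(dev, h->dev_name, DEV_NAME_LEN);       /* step3: read metadata */
    *len = h->data_len;
    *pkt = (const uint8_t *)h + PKT_DATA_OFF;     /* step4: data -> pkt_data */
    q_push(&d->idle_q, slot);                     /* step5 done; refill idle */
    return 1;
}

/* Step 6: cards whose name starts with "sample" are seen by AF_PACKET and
 * then dropped, so their packets never reach the upper protocol stack. */
static int is_sample_card(const char *dev) {
    return strncmp(dev, "sample", 6) == 0;
}

/* Self-check with a constructed Modbus/TCP request payload: returns 1 when
 * the bytes round-trip unchanged to a sample card and the queue empties. */
static int handoff_selfcheck(void) {
    static struct cache_desc d;
    static const uint8_t pkt[] = { 0x00, 0x01, 0x00, 0x00, 0x00, 0x06,
                                   0x01, 0x03, 0x00, 0x00, 0x00, 0x0a };
    char dev[DEV_NAME_LEN]; uint32_t len; const uint8_t *out;
    desc_init(&d);
    if (datapath_send(&d, "sample34", pkt, sizeof pkt) != 0) return 0;
    if (receiver_poll_once(&d, dev, &len, &out) != 1) return 0;
    if (len != sizeof pkt || memcmp(out, pkt, len) != 0) return 0;
    if (!is_sample_card(dev) || strcmp(dev, "sample34") != 0) return 0;
    return receiver_poll_once(&d, dev, &len, &out) == 0;
}
```

The model keeps the two-queue discipline that makes the real design safe: the kernel thread only ever dereferences addresses that the user-mode side obtained from the idle queue, and the length check in `datapath_send()` is the bound that a kernel implementation must also enforce on data_len before touching pkt_data.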
S203, obtaining at least one second data packet through the virtual network card.
In some optional implementations, obtaining at least one second data packet through the virtual network card includes: determining whether the network card name of the virtual network card is a preset network card name and, if so, obtaining at least one second data packet after the AF_PACKET logic has run in the virtual network card, then discarding the at least one second data packet.
As an example, on Linux the AF_PACKET logic opens a specified network card through a socket and reads from it with recvmsg; this path copies each packet from the kernel area (kernel mode) to the user area (that is, user mode obtains at least one second data packet). Alternatively, a kernel buffer can be allocated in kernel space in shared-memory fashion through PACKET_MMAP and mapped into user space when the user-space program calls mmap. A received skb is copied into that kernel buffer (or the packet is discarded), so the user-space program can read the captured packet directly.
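The AF_PACKET and PACKET_MMAP capture path just described, as an added example that is not part of the patent: `ring_open()` opens a card such as sample34 with a TPACKET_V1 receive ring and maps it, `ring_drain()` walks the frames the kernel has marked TP_STATUS_USER and hands them back, and `ring_geometry_ok()` applies the size rules the kernel checks before it accepts PACKET_RX_RING. The function names are hypothetical; the socket options, header fields and status flags are the real Linux ones. Opening the socket needs CAP_NET_RAW and a hot-plugged card, so the self-check runs the drain logic over a ring constructed in heap memory instead.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <net/if.h>
#include <arpa/inet.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>

/* Geometry rules the kernel enforces on a TPACKET_V1 ring: page-aligned
 * block size, frame size a multiple of TPACKET_ALIGNMENT and not smaller
 * than TPACKET_HDRLEN, frames that fit in a block, and
 * block_nr * frames_per_block == frame_nr. (A subset of the kernel checks.) */
static int ring_geometry_ok(unsigned block_size, unsigned frame_size,
                            unsigned block_nr, unsigned frame_nr, unsigned page_size) {
    if (block_size == 0 || page_size == 0 || block_size % page_size != 0) return 0;
    if (frame_size < TPACKET_HDRLEN || frame_size % TPACKET_ALIGNMENT != 0) return 0;
    if (frame_size > block_size || block_nr == 0) return 0;
    return (block_size / frame_size) * block_nr == frame_nr;
}

/* Address of frame i: frames are packed per block and never straddle one. */
static struct tpacket_hdr *ring_frame(uint8_t *ring, const struct tpacket_req *req, unsigned i) {
    unsigned per_block = req->tp_block_size / req->tp_frame_size;
    return (struct tpacket_hdr *)(ring + (size_t)(i / per_block) * req->tp_block_size
                                       + (size_t)(i % per_block) * req->tp_frame_size);
}

/* Open ifname with a mapped receive ring. Returns the socket fd and sets
 * *ring, or -1 with errno set (EPERM without CAP_NET_RAW, ENODEV when the
 * sample card has not been hot-plugged yet). */
int ring_open(const char *ifname, const struct tpacket_req *req, uint8_t **ring) {
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    struct ifreq ifr; memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
    size_t len = (size_t)req->tp_block_size * req->tp_block_nr;
    if (ioctl(fd, SIOCGIFINDEX, &ifr) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_RX_RING, req, sizeof *req) < 0 ||
        (*ring = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED) {
        close(fd); return -1;
    }
    struct sockaddr_ll sll; memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET; sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = ifr.ifr_ifindex;
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { munmap(*ring, len); close(fd); return -1; }
    return fd;
}

/* Walk every frame once; frames flagged TP_STATUS_USER hold a packet at
 * offset tp_mac. Writing TP_STATUS_KERNEL returns the slot to the kernel. */
int ring_drain(uint8_t *ring, const struct tpacket_req *req,
               void (*cb)(const uint8_t *pkt, unsigned len)) {
    int n = 0;
    for (unsigned i = 0; i < req->tp_frame_nr; i++) {
        struct tpacket_hdr *h = ring_frame(ring, req, i);
        if (!(h->tp_status & TP_STATUS_USER)) continue;
        cb((const uint8_t *)h + h->tp_mac, h->tp_len);
        __sync_synchronize();               /* finish reading before release */
        h->tp_status = TP_STATUS_KERNEL;
        n++;
    }
    return n;
}

/* Self-check without privileges: a constructed ring with frames 1 and 3
 * marked ready must drain exactly those two and reset their status. */
static unsigned seen_bytes;
static void count_cb(const uint8_t *pkt, unsigned len) { (void)pkt; seen_bytes += len; }

static int ring_drain_selfcheck(void) {
    struct tpacket_req req = { .tp_block_size = 4096, .tp_frame_size = 2048,
                               .tp_block_nr = 2, .tp_frame_nr = 4 };
    uint8_t *ring = calloc(req.tp_block_nr, req.tp_block_size);
    if (!ring) return 0;
    for (unsigned i = 1; i < 4; i += 2) {
        struct tpacket_hdr *h = ring_frame(ring, &req, i);
        h->tp_status = TP_STATUS_USER; h->tp_mac = TPACKET_HDRLEN; h->tp_len = 60 + i;
    }
    seen_bytes = 0;
    int n = ring_drain(ring, &req, count_cb);
    int ok = n == 2 && seen_bytes == 61 + 63 &&
             ring_frame(ring, &req, 1)->tp_status == TP_STATUS_KERNEL;
    free(ring);
    return ok;
}
```

In use, the capture program calls `ring_open("sample34", &req, &ring)`, waits on the fd with poll(), and calls `ring_drain()` on each wakeup; because the driver discards packets from sample* cards right after the AF_PACKET tap, what the ring sees is exactly the filtered traffic the user-mode data path injected.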
The flow processing method provided by the embodiment of the invention has the advantage that a plurality of hot-pluggable virtual network cards are provided in the kernel, and the filtered data packets at any hook point can be introduced into an operating-system-kernel virtual network card through physical memory mapping, so that the user-mode data forwarding program also gains the kernel protocol stack's ability to dynamically inject packet filtering code.
FIG. 4 is a schematic structural diagram of an embodiment of a flow processing apparatus of the present invention, which is applied to a user mode. As shown in fig. 4, the flow processing apparatus includes:
the first processing module 401 is configured to receive traffic data, hook point information and a packet filtering rule, where the traffic data corresponds to the hook point information, and the hook point information indicates a position where the traffic data is intercepted;
the second processing module 402 is configured to send hook point information to a network card control module in kernel mode, where the network card control module is configured to create a virtual network card corresponding to the hook point information;
the third processing module 403 is configured to filter the traffic data according to the packet filtering rule, obtain at least one first packet that accords with the packet filtering rule, send the hook point information and the at least one first packet to the network card driving module in kernel mode, and the network card driving module is configured to drive a virtual network card corresponding to the at least one first packet according to the hook point information;
the fourth processing module 404 is configured to capture at least one second data packet of the virtual network card in the kernel mode, where the second data packet is a traffic passing through the virtual network card.
Optionally, the third processing module 403 is further configured to convert the packet filtering rule into a BPF bytecode instruction, and to filter the flow data through the BPF bytecode instruction to obtain at least one first data packet conforming to the BPF bytecode instruction.
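The BPF-bytecode filtering step performed by the third processing module, as an added example that is not the patent's code: a minimal classic-BPF interpreter (`cbpf_run()`, a hypothetical name) covering the six opcodes that a hand-assembled equivalent of the rule "ip and tcp port 502" (Modbus/TCP, IPv4 only, fragments ignored) needs, run over constructed Ethernet/IPv4/TCP frames. The opcode encodings are the standard cBPF ones; the program is written by hand rather than produced by pcap_compile().

```c
#include <stdint.h>
#include <string.h>

struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Opcode encodings (class|size|mode) as in <linux/filter.h>. */
#define OP_LDH_ABS 0x28  /* A = u16 at [k]            (BPF_LD|BPF_H|BPF_ABS) */
#define OP_LDB_ABS 0x30  /* A = u8  at [k]            (BPF_LD|BPF_B|BPF_ABS) */
#define OP_LDH_IND 0x48  /* A = u16 at [X+k]          (BPF_LD|BPF_H|BPF_IND) */
#define OP_LDX_MSH 0xb1  /* X = 4*(u8 at [k] & 0xf)   (BPF_LDX|BPF_MSH|BPF_B) */
#define OP_JEQ_K   0x15  /* pc += (A == k) ? jt : jf  (BPF_JMP|BPF_JEQ|BPF_K) */
#define OP_RET_K   0x06  /* return k                  (BPF_RET|BPF_K) */

/* Run prog over pkt. Returns the accept length (0 means drop). An
 * out-of-bounds load drops the packet, as the kernel does; -1 flags an
 * unsupported opcode or a program that runs off its end. */
static int cbpf_run(const struct cbpf_insn *prog, unsigned n,
                    const uint8_t *pkt, unsigned len) {
    uint32_t A = 0, X = 0;
    for (unsigned pc = 0; pc < n; pc++) {
        const struct cbpf_insn *in = &prog[pc];
        uint32_t off = in->k;
        switch (in->code) {
        case OP_LDH_IND: off += X;                 /* fall through */
        case OP_LDH_ABS: if (off + 2 > len) return 0;
                         A = (uint32_t)pkt[off] << 8 | pkt[off + 1]; break;
        case OP_LDB_ABS: if (off + 1 > len) return 0; A = pkt[off]; break;
        case OP_LDX_MSH: if (off + 1 > len) return 0; X = 4u * (pkt[off] & 0xf); break;
        case OP_JEQ_K:   pc += (A == in->k) ? in->jt : in->jf; break;
        case OP_RET_K:   return (int)in->k;
        default:         return -1;
        }
    }
    return -1;
}

/* Hand-assembled "ip and tcp port 502". Jump offsets are relative to the
 * next instruction, so "jf 8" at index 1 lands on index 10. */
static const struct cbpf_insn modbus_filter[] = {
    { OP_LDH_ABS, 0, 0, 12 },       /* 0: A = EtherType              */
    { OP_JEQ_K,   0, 8, 0x0800 },   /* 1: not IPv4 -> 10 (drop)      */
    { OP_LDB_ABS, 0, 0, 23 },       /* 2: A = IP protocol            */
    { OP_JEQ_K,   0, 6, 6 },        /* 3: not TCP  -> 10             */
    { OP_LDX_MSH, 0, 0, 14 },       /* 4: X = IP header length       */
    { OP_LDH_IND, 0, 0, 14 },       /* 5: A = TCP source port        */
    { OP_JEQ_K,   2, 0, 502 },      /* 6: match -> 9 (accept)        */
    { OP_LDH_IND, 0, 0, 16 },       /* 7: A = TCP destination port   */
    { OP_JEQ_K,   0, 1, 502 },      /* 8: match -> 9, else -> 10     */
    { OP_RET_K,   0, 0, 0xffff },   /* 9: accept whole packet        */
    { OP_RET_K,   0, 0, 0 },        /* 10: drop                      */
};
#define MODBUS_FILTER_LEN (sizeof modbus_filter / sizeof modbus_filter[0])

/* Constructed Ethernet/IPv4/TCP frame (headers only, no options);
 * returns its length, 54 bytes. */
static unsigned make_frame(uint8_t *buf, uint16_t ethertype, uint8_t proto,
                           uint16_t sport, uint16_t dport) {
    memset(buf, 0, 54);
    buf[12] = ethertype >> 8; buf[13] = ethertype & 0xff;
    buf[14] = 0x45;                       /* IPv4, IHL = 5 words */
    buf[23] = proto;
    buf[34] = sport >> 8; buf[35] = sport & 0xff;
    buf[36] = dport >> 8; buf[37] = dport & 0xff;
    return 54;
}

/* Filter one constructed frame, as the user-mode data path would before
 * deciding whether the packet is handed to the sample card. */
static int filter_frame(uint16_t ethertype, uint8_t proto, uint16_t sport, uint16_t dport) {
    uint8_t buf[54];
    unsigned len = make_frame(buf, ethertype, proto, sport, dport);
    return cbpf_run(modbus_filter, MODBUS_FILTER_LEN, buf, len);
}
```

Reading the IHL through the MSH instruction rather than assuming a 20-byte header is what keeps the port comparison correct for packets with IP options; a filter that hard-codes offset 34 would match on the wrong bytes for such traffic and silently leak or drop Modbus sessions.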
FIG. 5 is a schematic diagram of another embodiment of a flow processing apparatus of the present invention, which is applied to a kernel mode. As shown in fig. 5, the flow processing apparatus includes:
the fifth processing module 501 is configured to receive the hook point information through the network card control module, and establish a virtual network card corresponding to the hook point information;
the sixth processing module 502 is configured to receive and store at least one first data packet and hook point information through the network card driving module, where the at least one first data packet corresponds to the hook point information, and send the at least one first data packet to a corresponding virtual network card according to the hook point information, where the first data packet represents a data packet that meets a data packet filtering rule;
the seventh processing module 503 is configured to obtain at least one second data packet through the virtual network card.
Optionally, the network card driving module includes a cache descriptor and a packet receiving thread; and the sixth processing module 502 is further configured to receive and store at least one first data packet and hook point information through the cache descriptor, where the at least one first data packet corresponds to the hook point information, and the packet receiving thread sends the at least one first data packet to the corresponding virtual network card according to the hook point information.
Optionally, the seventh processing module 503 is further configured to determine whether the network card name of the virtual network card is a preset network card name and, if so, obtain at least one second data packet after the AF_PACKET logic has run in the virtual network card, then discard the at least one second data packet.
Examples are as follows:
FIG. 6 illustrates a physical schematic diagram of an electronic device. As shown in FIG. 6, the electronic device may include: a processor 601, a communication interface (Communications Interface) 602, a memory 603 and a communication bus 604, where the processor 601, communication interface 602 and memory 603 communicate with each other through the communication bus 604. The processor 601 may call logic instructions in the memory 603 to perform the following method: receiving flow data, hook point information and a data packet filtering rule, wherein the flow data corresponds to the hook point information, and the hook point information represents a position where the flow data is intercepted; the hook point information is sent to a network card control module in a kernel mode, and the network card control module is used for creating a virtual network card corresponding to the hook point information; filtering the flow data through a data packet filtering rule to obtain at least one first data packet conforming to the data packet filtering rule, and sending hook point information and the at least one first data packet to a network card driving module in a kernel mode, wherein the network card driving module is used for driving a virtual network card corresponding to the at least one first data packet according to the hook point information; at least one second data packet of the virtual network card in the kernel mode is captured, wherein the second data packet is the flow passing through the virtual network card.
Further, the logic instructions in the memory 603 described above may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially, or in the part contributing to the prior art, or in part, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In another aspect, embodiments of the present invention further provide a computer program product, where the computer program product includes a computer program stored on a non-transitory computer readable storage medium, where the computer program includes program instructions, when executed by a computer, enable the computer to perform the flow processing method provided in the foregoing embodiments, where the flow processing method is applied to a user state, and includes, for example: receiving flow data, hook point information and a data packet filtering rule, wherein the flow data corresponds to the hook point information, and the hook point information represents a position where the flow data is intercepted; the hook point information is sent to a network card control module in a kernel mode, and the network card control module is used for creating a virtual network card corresponding to the hook point information; filtering the flow data through a data packet filtering rule to obtain at least one first data packet conforming to the data packet filtering rule, and sending hook point information and the at least one first data packet to a network card driving module in a kernel mode, wherein the network card driving module is used for driving a virtual network card corresponding to the at least one first data packet according to the hook point information; at least one second data packet of the virtual network card in the kernel mode is captured, wherein the second data packet is the flow passing through the virtual network card.
In yet another aspect, the present invention further provides a non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor is implemented to perform the traffic processing method provided in the above embodiments, and is applied to a user state, for example, including: receiving flow data, hook point information and a data packet filtering rule, wherein the flow data corresponds to the hook point information, and the hook point information represents a position where the flow data is intercepted; the hook point information is sent to a network card control module in a kernel mode, and the network card control module is used for creating a virtual network card corresponding to the hook point information; filtering the flow data through a data packet filtering rule to obtain at least one first data packet conforming to the data packet filtering rule, and sending hook point information and the at least one first data packet to a network card driving module in a kernel mode, wherein the network card driving module is used for driving a virtual network card corresponding to the at least one first data packet according to the hook point information; at least one second data packet of the virtual network card in the kernel mode is captured, wherein the second data packet is the flow passing through the virtual network card.
The apparatus embodiments described above are merely illustrative, in which the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on such understanding, the foregoing technical solutions may be embodied essentially or in part in the form of a software product, which may be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the various embodiments or methods of some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (9)

1. A traffic handling method, characterized by being applied to a user state, the method comprising:
receiving flow data, hook point information and a data packet filtering rule, wherein the flow data corresponds to the hook point information, and the hook point information represents a position where the flow data is intercepted;
the hook point information is sent to a network card control module in a kernel mode, and the network card control module is used for creating a virtual network card corresponding to the hook point information;
filtering the flow data through the data packet filtering rule to obtain at least one first data packet conforming to the data packet filtering rule, and sending the hook point information and the at least one first data packet to a network card driving module in a kernel mode, wherein the network card driving module is used for driving the virtual network card corresponding to the at least one first data packet according to the hook point information;
capturing at least one second data packet of the virtual network card in the kernel mode, wherein the second data packet is the flow passing through the virtual network card.
2. The traffic processing method according to claim 1, wherein said filtering said traffic data by said packet filtering rule to obtain at least one first packet conforming to said packet filtering rule comprises:
converting the data packet filtering rule into a Berkeley packet filter byte code instruction;
and filtering the flow data through the Berkeley packet filter byte code instruction to obtain the at least one first data packet conforming to the Berkeley packet filter byte code instruction.
3. A method of traffic handling, characterized by being applied in a kernel mode, the method comprising:
receiving hook point information through a network card control module, and establishing a virtual network card corresponding to the hook point information;
receiving and storing at least one first data packet and the hook point information through a network card driving module, wherein the at least one first data packet corresponds to the hook point information, and sending the at least one first data packet to the corresponding virtual network card according to the hook point information, and the first data packet represents a data packet conforming to a data packet filtering rule;
and obtaining at least one second data packet through the virtual network card.
4. The traffic processing method according to claim 3, wherein the network card driving module includes a cache descriptor and a packet receiving thread; and
the receiving and storing, by the network card driving module, the at least one first data packet and the hook point information, where the at least one first data packet corresponds to the hook point information, and sending, according to the hook point information, the at least one first data packet to the corresponding virtual network card, includes:
receiving and storing the at least one first data packet and the hook point information through the cache descriptor, wherein the at least one first data packet corresponds to the hook point information;
and the packet receiving thread sending the at least one first data packet to the corresponding virtual network card according to the hook point information.
5. The traffic processing method according to claim 3 or 4, wherein the obtaining, by the virtual network card, at least one second data packet includes:
determining whether the network card name of the virtual network card is a preset network card name and, if so, obtaining at least one second data packet after the AF_PACKET logic has run in the virtual network card, and discarding the at least one second data packet.
6. A flow processing apparatus for use in a user mode, comprising:
the first processing module is used for receiving flow data, hook point information and a data packet filtering rule, wherein the flow data corresponds to the hook point information, and the hook point information represents a position where the flow data is intercepted;
the second processing module is used for sending the hook point information to the network card control module in the kernel mode, and the network card control module is used for creating a virtual network card corresponding to the hook point information;
the third processing module is used for filtering the flow data through the data packet filtering rule to obtain at least one first data packet conforming to the data packet filtering rule, sending the hook point information and the at least one first data packet to a network card driving module in a kernel mode, wherein the network card driving module is used for driving the virtual network card corresponding to the at least one first data packet according to the hook point information;
and the fourth processing module is used for capturing at least one second data packet of the virtual network card in the kernel mode, wherein the second data packet is the flow passing through the virtual network card.
7. A flow processing apparatus, for use in a kernel mode, comprising:
the fifth processing module is used for receiving the hook point information through the network card control module and establishing a virtual network card corresponding to the hook point information;
the sixth processing module is configured to receive and store at least one first data packet and the hook point information through the network card driving module, where the at least one first data packet corresponds to the hook point information, and send the at least one first data packet to the corresponding virtual network card according to the hook point information, where the first data packet represents a data packet that meets a data packet filtering rule;
and the seventh processing module is used for obtaining at least one second data packet through the virtual network card.
8. An electronic device comprising a memory, a processor, wherein the memory stores a computer program executable on the processor, wherein the processor, when executing the program, implements the flow processing method of any one of claims 1 to 2 or the steps of the flow processing method of any one of claims 3 to 5.
9. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the flow processing method according to any of claims 1 to 2 or the flow processing method according to any of claims 3 to 5.
CN202111327821.2A 2021-11-10 2021-11-10 Flow processing method and device, electronic equipment and storage medium Active CN114244560B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111327821.2A CN114244560B (en) 2021-11-10 2021-11-10 Flow processing method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114244560A CN114244560A (en) 2022-03-25
CN114244560B true CN114244560B (en) 2024-04-16

Family

ID=80749032

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111327821.2A Active CN114244560B (en) 2021-11-10 2021-11-10 Flow processing method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114244560B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726633B (en) * 2022-04-14 2023-10-03 中国电信股份有限公司 Traffic data processing method and device, storage medium and electronic equipment
CN114978897B (en) * 2022-05-17 2023-09-05 阿里巴巴(中国)有限公司 Network control method and system based on eBPF and application identification technology
CN115033407B (en) * 2022-08-09 2022-11-04 微栈科技(浙江)有限公司 System and method for collecting and identifying flow suitable for cloud computing
CN115580485B (en) * 2022-11-18 2023-03-21 网络通信与安全紫金山实验室 Data traffic processing method and device, optical network equipment and storage medium
CN115883255B (en) * 2023-02-02 2023-06-23 中信证券股份有限公司 Data filtering method, device and computer readable medium

Citations (2)

Publication number Priority date Publication date Assignee Title
CN101815014A (en) * 2010-02-09 2010-08-25 上海百络信息技术有限公司 Real-time network data capture method based on connection
CN112422453A (en) * 2020-12-09 2021-02-26 新华三信息技术有限公司 Message processing method, device, medium and equipment

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8861369B2 (en) * 2011-03-07 2014-10-14 Oracle International Corporation Virtual network interface with packet filtering hooks

Also Published As

Publication number Publication date
CN114244560A (en) 2022-03-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: Qianxin Technology Group Co.,Ltd.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: Qianxin Technology Group Co.,Ltd.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant