CN116405345A - Vtap flow distribution method and system based on network protocol - Google Patents
- Publication number: CN116405345A (application CN202310346257.1A)
- Authority: CN (China)
- Prior art keywords: message, vtap, network, network protocol, information
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L12/00—Data switching networks > H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/46—Interconnection of networks > H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00—Network arrangements or protocols for supporting network services or applications > H04L67/01—Protocols > H04L67/10—Protocols in which an application is distributed across nodes in the network > H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L69/22—Parsing or analysis of headers
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE > Y02D30/00—Reducing energy consumption in communication networks > Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention discloses a vtap traffic distribution method and system based on a network protocol, in the technical field of network communication. The technical scheme is as follows: generate a collection policy comprising a network card list and vtap information; capture the interface traffic of the network cards in the list according to the collection policy to obtain a network message, write the vtap information into the header of the network protocol used to forward the network message, and then perform protocol encapsulation to obtain a forwarding message; parse the header of the received forwarding message to obtain an analyzer IP list and a message cut-off length, truncate the network message to the cut-off length, then encode and encapsulate it, and distribute the encapsulated distribution message according to the analyzer IP list; and parse and then analyze the received distribution message. The invention reduces the bandwidth consumption of the collection node and realizes flexible, programmable control of the distribution targets when traffic-mirror distribution is completed.
Description
Technical Field
The invention relates to the technical field of network communication, in particular to a vtap flow distribution method and a vtap flow distribution system based on a network protocol.
Background
When network data packets from multiple nodes are centrally monitored, collected and analyzed at the same time, and there are several analysis terminals with different purposes, one collected data packet has to be forwarded to each of those terminals. One flow from the analyzed node is therefore forwarded multiple times, which increases the network bandwidth pressure on that node.
The hard-tap method of the prior art feeds the traffic into a hardware tap device, configures a port mirroring rule on the tap device, and mirrors the traffic entering one port to multiple ports, thereby forwarding one flow to multiple analysis terminals. However, the port mirroring rule must be configured manually in the hardware tap device in advance, which hinders flexible configuration, and software cannot be used to control it and achieve automation.
Therefore, how to design a vtap traffic distribution method and system based on a network protocol that overcomes the above drawbacks is an urgent problem to be solved.
Disclosure of Invention
To remedy the defects of the prior art, the invention aims to provide a vtap traffic distribution method and system based on a network protocol that realize flexible, programmable control of the distribution targets of a traffic mirror while reducing the bandwidth consumption of the collection node.
The technical aim of the invention is realized by the following technical scheme:
In a first aspect, a vtap traffic distribution method based on a network protocol is provided, including the following steps:
generating a collection policy comprising a network card list and vtap information;
capturing the interface traffic of the network cards in the list according to the collection policy to obtain a network message, writing the vtap information into the header of the network protocol used to forward the network message, and then performing protocol encapsulation to obtain a forwarding message;
parsing the header of the received forwarding message to obtain an analyzer IP list and a message cut-off length, truncating the network message to the cut-off length, then encoding and encapsulating it, and distributing the encapsulated distribution message according to the analyzer IP list;
parsing and then analyzing the received distribution message.
Further, the vtap information includes the IP address of the vtap device, the IP list of the analyzers to forward to, and a message cut-off length.
Further, the network protocol is any one of the Geneve protocol, the TCP protocol and the UDP protocol.
Further, the forwarding message is sent to the vtap device through a raw socket (raw_socket).
Further, the header of the network protocol may be configured as a plurality of independent information areas;
each information area includes an address area into which the IP address of an analyzer is written, and a length area into which the cut-off length is written.
Further, the method further comprises:
generating an identification mark according to the vtap information;
writing the identification mark into the type area of the header of the network protocol;
and the vtap device receiving and parsing the forwarding message only after the identification mark in the forwarding message passes verification.
Further, the encoding encapsulation encapsulates the payload in the VXLAN message format.
Further, the VNI of the distribution message encapsulated in the VXLAN message format is carried over directly from the VNI of the network protocol header.
In a second aspect, a vtap traffic distribution system based on a network protocol is provided, including:
a controller, used to generate a collection policy comprising a network card list and vtap information;
a collector, used to capture the interface traffic of the network cards in the list according to the collection policy to obtain a network message, write the vtap information into the header of the network protocol used to forward the network message, and then perform protocol encapsulation to obtain a forwarding message;
a vtap device, used to parse the header of the received forwarding message to obtain an analyzer IP list and a message cut-off length, truncate the network message to the cut-off length, then encode and encapsulate it, and distribute the encapsulated distribution message according to the analyzer IP list;
and analyzers, used to parse and then analyze the received distribution messages.
Further, the collection policy generated by the controller is broadcast to all subordinate collectors by gRPC broadcast.
Compared with the prior art, the invention has the following beneficial effects:
1. The vtap traffic distribution method based on the network protocol relies on the extensible header of the network protocol: the collected network messages are encapsulated into data packets and forwarded to the vtap device, the header describes the address information of several analysis terminals, the vtap device parses that information, strips the network protocol header and forwards the data to the corresponding analysis terminals. This realizes flexible, programmable control of the distribution targets of the traffic mirror while reducing the bandwidth consumption of the collection nodes;
2. the identification mark used to identify and verify the vtap device is encapsulated in the network protocol header, which reduces the cases in which the vtap device forwards data wrongly and enhances the safety and reliability of traffic distribution;
3. when an analyzer changes, only the vtap information needs to be updated directly through the API of the controller, and every change is completed without manual intervention.
Drawings
The accompanying drawings, which are included to provide a further understanding of embodiments of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention. In the drawings:
FIG. 1 is a flow chart of embodiment 1 of the present invention;
FIG. 2 is a system block diagram of embodiment 2 of the present invention.
Detailed Description
For the purpose of making apparent the objects, technical solutions and advantages of the present invention, the present invention will be further described in detail with reference to the following examples and the accompanying drawings, wherein the exemplary embodiments of the present invention and the descriptions thereof are for illustrating the present invention only and are not to be construed as limiting the present invention.
Example 1: the vtap traffic distribution method based on the network protocol, as shown in FIG. 1, comprises the following steps:
step S1: generating a collection policy comprising a network card list and vtap information; the vtap information comprises the IP address of the vtap device, the IP list of the analyzers to forward to, and a message cut-off length;
step S2: capturing the interface traffic of the network cards in the list according to the collection policy to obtain a network message, writing the vtap information into the header of the network protocol used to forward the network message, and then performing protocol encapsulation to obtain a forwarding message;
step S3: parsing the header of the received forwarding message to obtain an analyzer IP list and a message cut-off length, truncating the network message to the cut-off length, then encoding and encapsulating it, and distributing the encapsulated distribution message according to the analyzer IP list;
step S4: parsing and then analyzing the received distribution message.
The vtap traffic distribution method based on the network protocol provided by the invention relies on the extensible header of the network protocol: it encapsulates the collected network message into a data packet and forwards it to the vtap device, uses the header to describe the address information of several analysis terminals, and the vtap device then parses that information, strips the network protocol header and forwards the data to the corresponding analysis terminal. This realizes flexible, programmable control of the distribution targets when traffic-mirror distribution is completed, while reducing the bandwidth consumption of the collection node.
The vtap information includes the IP address of the vtap device, the IP list of the analyzers to forward to, and the message cut-off length.
The forwarding message is sent to the vtap device through a raw socket (raw_socket); a raw socket can receive the data frames or data packets on the local network card, which is well suited to monitoring and analyzing network traffic.
In this embodiment, the header of the network protocol may be configured as a plurality of independent information areas; each information area includes an address area into which the IP address of an analyzer is written, and a length area into which the cut-off length is written.
In addition, to reduce the cases in which the vtap device forwards data wrongly and to enhance the safety and reliability of traffic distribution, the vtap traffic distribution method of the invention further comprises the following steps: generating an identification mark according to the vtap information; writing the identification mark into the type area of the header of the network protocol; and the vtap device receiving and parsing the forwarding message only after the identification mark in the forwarding message passes verification.
The encoding encapsulation encapsulates the payload in the VXLAN message format, and the VNI of the distribution message encapsulated in the VXLAN message format is carried over directly from the VNI of the network protocol header.
The network protocol is any one of the Geneve protocol, the TCP protocol and the UDP protocol. The Geneve protocol is described in detail below.
The header format of the Geneve message obtained after encapsulation by the Geneve protocol is as follows:
The format of the Variable-Length Option is as follows:
To let the vtap device distinguish a Geneve message sent after collection from real service messages, the Option Class value is set to 0xFF64 when the Geneve message is assembled; when the vtap device parses a Geneve message whose Option Class is not this value, it discards the message directly and does not process it further. Type 0b 0000 0010 is used to declare Variable-Length Option Data (hereinafter VLOD) that represents the information of one analyzer. When the Type is 0b 0000 0010, the length of the VLOD is fixed at 64 bits, of which the upper 32 bits hold the IPv4 address of the analyzer and the lower 32 bits hold the message cut-off length. One Geneve message can carry multiple Variable-Length Options, so the IP addresses of multiple analyzers can be carried at once, all of them encapsulated in the message header. After the header is assembled, the captured data message is sent as the Geneve payload directly to the designated vtap device through the raw socket.
The vtap device listens for data messages on the raw socket and parses each Geneve message it finds; when it reaches a message whose Option Class is 0xFF64, it starts to parse the VLOD and obtains the analyzer IP list and the message cut-off length. Once the Geneve header has been parsed, the real payload is obtained. The payload is then encapsulated in the VXLAN message format and sent to the analyzer IP list specified by the Geneve header. The message is truncated during encapsulation, so each analyzer receives only as much of the original payload as its configured cut-off length allows. Meanwhile, the VNI of the encapsulated VXLAN message is carried over directly from the VNI of the Geneve header.
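A worked example of the option layout just described, written for this page and not taken from the patent: the collector packs one Geneve option (Option Class 0xFF64, Type 0x02, 8 bytes of data: analyzer IPv4 followed by cut-off length) per analyzer, and the vtap side parses the header, discards messages that carry no 0xFF64 option, truncates the payload per analyzer and re-encapsulates it in VXLAN with the same VNI. The Geneve Protocol Type 0x6558, the `option_class` hook used to show the discard path, and the rule that a cut-off of 0 means "send the whole payload" are assumptions of the example.

```python
"""Constructed example of the vtap scheme described above: a Geneve header
whose options (Option Class 0xFF64, Type 0x02) each carry one analyzer as
IPv4 address | cut-off length, and the vtap side that validates the class,
truncates the payload and re-encapsulates it in VXLAN with the same VNI."""
import ipaddress
import struct

VTAP_OPTION_CLASS = 0xFF64   # Option Class the page assigns to vtap options
VTAP_OPTION_TYPE = 0x02      # 0b0000_0010: data = analyzer IPv4 (32) | cut-off length (32)
GENEVE_PROTO_ETH = 0x6558    # Transparent Ethernet Bridging (assumed payload type, RFC 8926)
VXLAN_FLAG_VNI_VALID = 0x08  # RFC 7348 "I" flag


def build_vtap_option(analyzer_ip, cutoff_len, option_class=VTAP_OPTION_CLASS):
    """One Geneve option: class, type, length (4-byte words, header excluded), 8 data bytes.
    option_class is a hook for the example only; real senders always use 0xFF64."""
    if not 0 <= cutoff_len <= 0xFFFFFFFF:
        raise ValueError("cut-off length must fit in 32 bits")
    data = ipaddress.IPv4Address(analyzer_ip).packed + struct.pack("!I", cutoff_len)
    return struct.pack("!HBB", option_class, VTAP_OPTION_TYPE, len(data) // 4) + data


def build_geneve(vni, analyzers, payload, option_class=VTAP_OPTION_CLASS):
    """Collector side: Geneve header (RFC 8926) + one option per analyzer + captured frame."""
    options = b"".join(build_vtap_option(ip, n, option_class) for ip, n in analyzers)
    opt_words = len(options) // 4
    if opt_words > 0x3F:
        raise ValueError("Opt Len is 6 bits: at most 63 words of options")
    if not 0 <= vni <= 0xFFFFFF:
        raise ValueError("VNI is 24 bits")
    # Ver(2)=0 | Opt Len(6), then O/C/Rsvd flags = 0, Protocol Type, VNI(24) | Rsvd(8)
    header = struct.pack("!BBHI", opt_words, 0x00, GENEVE_PROTO_ETH, vni << 8)
    return header + options + payload


def parse_geneve(pkt):
    """vtap side. Returns (vni, [(analyzer_ip, cutoff_len), ...], payload), or None when
    the message carries no 0xFF64 option, which the page says the vtap device discards."""
    if len(pkt) < 8:
        raise ValueError("short Geneve header")
    first, _flags, _proto, vni_word = struct.unpack("!BBHI", pkt[:8])
    if first >> 6 != 0:
        raise ValueError("unsupported Geneve version")
    opt_bytes = (first & 0x3F) * 4
    if len(pkt) < 8 + opt_bytes:
        raise ValueError("option area runs past end of packet")
    area, payload = pkt[8:8 + opt_bytes], pkt[8 + opt_bytes:]
    analyzers, off = [], 0
    while off + 4 <= len(area):
        cls, typ, length = struct.unpack("!HBB", area[off:off + 4])
        data_len = (length & 0x1F) * 4          # low 5 bits; upper 3 are reserved
        data = area[off + 4:off + 4 + data_len]
        if len(data) != data_len:
            raise ValueError("option length exceeds option area")
        off += 4 + data_len
        if cls == VTAP_OPTION_CLASS and typ == VTAP_OPTION_TYPE and data_len == 8:
            ip = str(ipaddress.IPv4Address(data[:4]))
            analyzers.append((ip, struct.unpack("!I", data[4:])[0]))
    if not analyzers:
        return None
    return vni_word >> 8, analyzers, payload


def build_vxlan(vni, payload, cutoff_len):
    """Distribution message: VXLAN header (RFC 7348) with the Geneve VNI, payload cut to
    cutoff_len. Assumption of this example: cut-off 0 means 'send the whole payload'."""
    inner = payload[:cutoff_len] if cutoff_len else payload
    return struct.pack("!BBHI", VXLAN_FLAG_VNI_VALID, 0, 0, vni << 8) + inner


def distribute(geneve_pkt):
    """Map analyzer IP -> VXLAN message it should receive; {} if the frame is discarded."""
    parsed = parse_geneve(geneve_pkt)
    if parsed is None:
        return {}
    vni, analyzers, payload = parsed
    return {ip: build_vxlan(vni, payload, n) for ip, n in analyzers}


if __name__ == "__main__":
    frame = bytes(range(64))                       # constructed stand-in for a captured frame
    fwd = build_geneve(0x1234, [("10.0.0.5", 16), ("10.0.0.6", 0)], frame)
    for ip, out in distribute(fwd).items():
        print(ip, len(out) - 8, "payload bytes, VNI", int.from_bytes(out[4:7], "big"))
```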
Example 2: the vtap traffic distribution system based on the network protocol, used to implement the vtap traffic distribution method of embodiment 1, includes a controller, a collector, a vtap device and analyzers, as shown in FIG. 2.
The controller is deployed at a non-service node; it exposes an API interface to the outside through a REST API, through which the vtap information is set and control instructions are issued to the collector. Specifically, the controller is used to generate a collection policy comprising a network card list and vtap information.
The collector is deployed at the user's service node; it captures packets from the node's network cards and forwards them to the vtap device. Specifically, the collector is configured to capture the interface traffic of the network cards in the list according to the collection policy to obtain a network message, write the vtap information into the header of the network protocol used to forward the network message, and then perform protocol encapsulation to obtain the forwarding message.
The vtap device is deployed at a non-service node; it receives the Geneve traffic from the collector, parses it and distributes it to the analyzers. Specifically, the vtap device is configured to parse the header of a received forwarding message to obtain an analyzer IP list and a message cut-off length, truncate the network message to the cut-off length, then encode and encapsulate it, and distribute the encapsulated distribution message according to the analyzer IP list.
The analyzer is deployed at a non-service node and is responsible for receiving and analyzing the traffic from the vtap device. Specifically, the analyzer is used to parse and then analyze the received distribution message.
In this embodiment, the collection policy generated by the controller is broadcast to all subordinate collectors by gRPC broadcast.
Working principle: the invention relies on the extensible header of the network protocol. The collected network message is encapsulated into a data packet and forwarded to the vtap device, the header describes the address information of several analysis terminals, the vtap device parses that information, strips the network protocol header and forwards the data to the corresponding analysis terminals. This reduces the bandwidth consumption of the collection node and realizes flexible, programmable control of the distribution targets of the traffic mirror.
In addition, the invention encapsulates the identification mark used to identify and verify the vtap device in the network protocol header, which reduces the cases in which the vtap device forwards data wrongly and enhances the safety and reliability of traffic distribution.
In addition, when an analyzer changes, only the vtap information needs to be updated directly through the API of the controller, and every change is completed without manual intervention.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing detailed description of the invention has been presented for purposes of illustration and description, and it should be understood that the invention is not limited to the particular embodiments disclosed, but is intended to cover all modifications, equivalents, alternatives, and improvements within the spirit and principles of the invention.
Claims (10)
1. A vtap traffic distribution method based on a network protocol, characterized by comprising the following steps:
generating a collection policy comprising a network card list and vtap information;
capturing the interface traffic of the network cards in the list according to the collection policy to obtain a network message, writing the vtap information into the header of the network protocol used to forward the network message, and then performing protocol encapsulation to obtain a forwarding message;
parsing the header of the received forwarding message to obtain an analyzer IP list and a message cut-off length, truncating the network message to the cut-off length, then encoding and encapsulating it, and distributing the encapsulated distribution message according to the analyzer IP list;
parsing and then analyzing the received distribution message.
2. The vtap traffic distribution method based on a network protocol according to claim 1, wherein the vtap information includes the IP address of the vtap device, the IP list of the analyzers to forward to, and a message cut-off length.
3. The vtap traffic distribution method based on a network protocol according to claim 1, wherein the network protocol is any one of the Geneve protocol, the TCP protocol and the UDP protocol.
4. The vtap traffic distribution method based on a network protocol according to claim 1, wherein the forwarding message is sent to the vtap device through a raw socket (raw_socket).
5. The vtap traffic distribution method based on a network protocol according to claim 1, wherein the header of the network protocol is configurable as a plurality of independent information areas;
each information area includes an address area into which the IP address of an analyzer is written, and a length area into which the cut-off length is written.
6. The vtap traffic distribution method based on a network protocol according to claim 1, further comprising:
generating an identification mark according to the vtap information;
writing the identification mark into the type area of the header of the network protocol;
and the vtap device receiving and parsing the forwarding message only after the identification mark in the forwarding message passes verification.
7. The vtap traffic distribution method based on a network protocol according to claim 1, wherein the encoding encapsulation encapsulates the payload in the VXLAN message format.
8. The vtap traffic distribution method based on a network protocol according to claim 7, wherein the VNI of the distribution message encapsulated in the VXLAN message format is carried over directly from the VNI of the network protocol header.
9. A vtap traffic distribution system based on a network protocol, characterized by comprising:
a controller, used to generate a collection policy comprising a network card list and vtap information;
a collector, used to capture the interface traffic of the network cards in the list according to the collection policy to obtain a network message, write the vtap information into the header of the network protocol used to forward the network message, and then perform protocol encapsulation to obtain a forwarding message;
a vtap device, used to parse the header of the received forwarding message to obtain an analyzer IP list and a message cut-off length, truncate the network message to the cut-off length, then encode and encapsulate it, and distribute the encapsulated distribution message according to the analyzer IP list;
and analyzers, used to parse and then analyze the received distribution messages.
10. The vtap traffic distribution system based on a network protocol according to claim 9, wherein the collection policy generated by the controller is broadcast to all subordinate collectors by gRPC broadcast.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310346257.1A CN116405345A (en) | 2023-04-03 | 2023-04-03 | Vtap flow distribution method and system based on network protocol |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116405345A true CN116405345A (en) | 2023-07-07 |
Family
ID=87019403
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116405345A (en) |
Events
- 2023-04-03: CN application CN202310346257.1A filed (publication CN116405345A); status Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |