CN1567258A - IP log system and method - Google Patents


Info

Publication number
CN1567258A
CN1567258A
Authority
CN
China
Prior art keywords
information
log
packets
network
approach
Prior art date
Legal status
Pending
Application number
CN 03139623
Other languages
Chinese (zh)
Inventor
周星雨
何唐
Current Assignee
Hongfujin Precision Industry Shenzhen Co Ltd
Hon Hai Precision Industry Co Ltd
Original Assignee
Hongfujin Precision Industry Shenzhen Co Ltd
Hon Hai Precision Industry Co Ltd
Priority date
2003-06-24
Filing date
2003-06-24
Publication date
2005-01-19
Application filed by Hongfujin Precision Industry Shenzhen Co Ltd and Hon Hai Precision Industry Co Ltd
Priority to CN 03139623
Publication of CN1567258A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

An IP log system comprises a logging module, a Netfilter, a Kernel Log Daemon (klogd) program, an event log, a logging API, a configuration manager and a user interface. The Netfilter acquires from the network connection the packets that contain the information the user requires. The logging module obtains the information in the packet and transfers it to the klogd program, which transfers it to the event log for recording. The logging API turns the logging module on or off according to instructions from the user interface.

Description

IP log system and method
[technical field]
The present invention relates to a logging system and method, and in particular to an IP logging system and method.
[background technology]
For a Linux system connected to a network, a firewall is an essential defence mechanism: it allows only legitimate network traffic into and out of the system and forbids all other traffic. To decide whether traffic is legitimate, the firewall relies on a set of rules predefined by the network or system administrator. These rules tell the firewall whether a given flow is legitimate and what to do with traffic from a certain source, to a certain destination, or of a certain protocol type.
Network traffic consists of IP packets (hereafter "packets"). A packet is a small piece of data transferred as part of a flow from a source system to a destination system. Each packet carries a header, a few bits of data placed in front of the packet, which records the packet's source, destination and protocol type. The firewall inspects these headers against a set of rules to decide which packets to accept and which to reject; this process is called packet filtering.
Traditionally a firewall is used only to intercept or reject packets; it is rarely used to perform IP logging. If the user applies the firewall's defence mechanism to obtaining the network information the user needs, only a small part of the network traffic has to be filtered to achieve that purpose.
[summary of the invention]
The primary object of the present invention is to provide an IP log system that combines a network firewall with a logging function, obtains information from the network according to the user's demand, and blocks unwanted information so as to reduce network traffic.
Another object of the present invention is to provide an IP logging method that obtains information from the network according to the user's demand and blocks unwanted information so as to reduce network traffic.
To achieve these objects, the IP log system provided by the invention includes a log module, a network filter (Netfilter), a klogd (Kernel Log Daemon) program, an event log, a logging application interface (Logging API), a configuration manager and a user interface. The network filter obtains from the network connection the packets that contain the information the user requires. The log module obtains the information in the packet and sends it to the klogd program. The klogd program sends the information received from the log module to the event log for recording. The logging application interface turns the log module on or off according to instructions the user enters through the user interface.
The IP logging method provided by the invention includes the following steps: (i) obtaining packets from the network; (ii) matching the packets against a predetermined matching condition; (iii) blocking a packet when it does not match the predetermined matching condition; (iv) if the packet matches the predetermined matching condition, checking the packet's payload; (v) obtaining the information in the packet; (vi) sending the obtained information to the event log for recording.
With the IP logging method of the invention, when obtaining network information one can purposefully obtain only the packets that contain that information and block those that do not, thereby effectively reducing network traffic.
[description of drawings]
Fig. 1 is the architecture diagram of the IP log system of the present invention.
Fig. 2 is the flow chart of the IP logging method of the present invention.
[embodiment]
Referring to Fig. 1, the architecture of IP log system 100 of the present invention is shown. In the embodiment, IP log system 100 includes a log module 110, a network filter 120, a klogd program 130, an event log 140, a logging application interface 150, a configuration manager 160 and a user interface 170. Network filter 120 of IP log system 100 is attached to network connection 180.
Log module 110 analyses and processes the packets received by network filter 120, obtains the required information from those packets and sends it through klogd program 130 to event log 140. It can be implemented as a user-space program or as a kernel module. A user-space program is easy to debug, but in that mode each packet must be copied to the user-space program with the memcpy function and returned to the kernel after processing. If the log module is a kernel module, the data only has to be analysed inside the kernel. A kernel module performs much better than a user-space program, so in the embodiment the log module is a kernel module. The memcpy function mentioned above performs a copy; it can copy an object of any data type, and the length of the copy can be specified.
Because log module 110 is a kernel module in the embodiment, getsockopt (get socket option) and setsockopt (set socket option) are used to read and set the configuration of log module 110.
Network filter 120 is implemented in the Linux kernel's IPv4, IPv6 and DECnet protocol stacks. To support the network filter 120 framework, each protocol stack selects five reference points along the route an IP packet traverses through the stack, and at each of these points a line calling the NF_HOOK() macro has been introduced. The five reference points are named PREROUTING, LOCAL-IN, FORWARD, LOCAL-OUT and POSTROUTING. Network filter 120 consists of a series of "hooks" at these five reference points in the protocol stack; each hook is essentially an nf_hookfn function that performs preliminary processing on the IP packets picked up at the five reference points. A hook is described by the following structure defined in linux-2.4.19/include/linux/netfilter.h:
struct nf_hook_ops
{
    struct list_head list;   /* links this hook into the kernel's list of hooks */
    nf_hookfn *hook;         /* the hook function that processes each packet */
    int pf;                  /* protocol family the hook applies to (e.g. IPv4) */
    int hooknum;             /* which of the five reference points to hook */
    int priority;            /* ordering among hooks at the same reference point */
};
The kernel part of network filter 120 provides a framework for analysing and processing packets, but the kernel code itself does not analyse or process a particular packet; the concrete analysis and processing is done by log module 110. According to the rules recorded in a table (Rules), the kernel part hands a packet to the module that can handle it. These rules determine whether a given flow is legitimate and what is to be done with traffic from a certain source, to a certain destination, or of a certain protocol type. When each module starts, it registers itself with the kernel code. During registration a module tells the kernel code either that it has a target (Target) function, which decides the fate of a packet, or that it has a match (Match) function, which judges whether a packet satisfies the matching requirement.
A target specifies the operation a rule performs on the packets that match it. The user can define targets of any type. Some commonly used targets are explained below:
ACCEPT: when a packet fully matches a rule with the ACCEPT target, it is accepted (allowed to go to its destination) and stops traversing the chain (although the packet may traverse other chains in another table and might be dropped there).
DROP: when a packet fully matches a rule with the DROP target, the packet is blocked and not processed further.
REJECT: this target works the same way as DROP, but is better than DROP. Unlike DROP, REJECT does not leave dead sockets on the server and client. In addition, REJECT sends an error message back to the sender of the packet.
The match part specifies the features (such as source and destination address, protocol, etc.) a packet must have to match a rule. Matches fall into two broad classes: generic matches and protocol-specific matches. Some commonly used generic matches are explained below:
-p or --protocol: this generic protocol match checks for a specific protocol. Examples of protocols are TCP, UDP, ICMP, a comma-separated list of any of these three, and ALL (for all protocols); ALL is the default match. A "!" may be used after -p to indicate that the packet must not match this protocol.
-s or --source: this source match matches packets by their source IP address. It also allows a range of IP addresses to be matched. A "!" may be used after -s to indicate that the packet must not match this address. The default source match matches all IP addresses.
-d or --destination: this destination match matches packets by their destination IP address. It also allows a range of IP addresses to be matched. A "!" may be used after -d to indicate that the packet must not match this address.
Besides the commonly used matching conditions above, the user can also define other matching conditions through user interface 170 according to actual demand.
In the embodiment, IP logging is carried out at the PREROUTING reference point. The user needs to register a connection tracker (CONNTRACK), which tracks connections and knows how and where a packet is associated with a connection. When a new connection is set up, the connection tracker matches the new connection against the connection-tracking condition. If the packets in the new connection meet the connection-tracking condition, network filter 120 obtains them at the PREROUTING reference point.
Klogd program 130 is a logging program that transfers the information sent by log module 110 to event log 140. Event log 140 records the log information transmitted via klogd program 130. Logging application interface 150 turns log module 110 on or off and shows its current status. Configuration manager 160 manages each piece of software and hardware in the IP log system of the present invention; it can deploy various task applications to different locations and collect hardware and software configuration information. User interface 170 lets the user send instructions to the IP log system; it may be a command line interface (CLI) or a Web interface. Through user interface 170 the user can turn the log module on or off.
Referring to Fig. 2, the flow chart of the IP logging method of the present invention is shown. At step S201, network filter 120 obtains packets from the network. At step S203, network filter 120 determines whether a received packet matches its predetermined matching condition, which comprises a generic protocol match, a source address match and a destination address match. If the packet fails to match any of the matching conditions in network filter 120, then at step S211 network filter 120 blocks the packet. Log module 110 need not process the packet in that case, and blocking unwanted packets reduces network traffic. If the packet matches the matching conditions in network filter 120, then at step S205 log module 110 checks the payload of the packet passed by network filter 120. At step S207, log module 110 obtains the information in the packet and formats it according to a predetermined format. At step S209, log module 110 sends the formatted information to klogd program 130, which sends it on to event log 140 for recording.
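The generic matches described above (-p, -s, -d with an optional "!") and the Fig. 2 flow are illustrated by the following added example. It is not code from the patent and runs in user space rather than as a Netfilter hook: it parses an IPv4 header from a constructed byte buffer, evaluates protocol, source-prefix and destination-prefix conditions with negation, blocks packets that fail any condition (step S211), and for matching packets checks the payload and formats the record that the log module would hand to klogd (steps S205 to S209). All type and function names, the record format and the sample packet are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict for one packet: block it (S211) or pass it to the log module (S205-S209). */
enum verdict { VERDICT_BLOCK = 0, VERDICT_LOG = 1 };

/* Header fields and payload the log module needs (hypothetical names). */
struct pkt_info {
    uint8_t proto;           /* IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP */
    uint32_t src, dst;       /* addresses in host byte order */
    const uint8_t *payload;  /* the packet's service load */
    size_t payload_len;
};

/* One matching condition: protocol, source prefix and destination prefix, each
 * with a negate flag playing the role of "!" after -p, -s or -d. A mask of 0
 * matches every address (the default source match); proto 0 stands for ALL. */
struct match_cond {
    int proto, proto_negate;
    uint32_t src, src_mask; int src_negate;
    uint32_t dst, dst_mask; int dst_negate;
};

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Parse the fixed part of an IPv4 header. Returns 0 on success, -1 for a
 * truncated or non-IPv4 buffer; such a packet is blocked rather than logged. */
int parse_ipv4(const uint8_t *buf, size_t len, struct pkt_info *out) {
    if (len < 20 || (buf[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;          /* header length in bytes */
    size_t total = ((size_t)buf[2] << 8) | buf[3];      /* total length field */
    if (ihl < 20 || ihl > len || total < ihl || total > len)
        return -1;
    out->proto = buf[9];
    out->src = IPV4(buf[12], buf[13], buf[14], buf[15]);
    out->dst = IPV4(buf[16], buf[17], buf[18], buf[19]);
    out->payload = buf + ihl;
    out->payload_len = total - ihl;
    return 0;
}

static int prefix_match(uint32_t addr, uint32_t net, uint32_t mask, int negate) {
    int hit = (addr & mask) == (net & mask);
    return negate ? !hit : hit;
}

/* Step S203: protocol, source and destination conditions must all hold. */
enum verdict match_packet(const struct pkt_info *p, const struct match_cond *c) {
    int proto_hit = (c->proto == 0) || (p->proto == c->proto);
    if (c->proto_negate)
        proto_hit = !proto_hit;
    if (!proto_hit || !prefix_match(p->src, c->src, c->src_mask, c->src_negate) ||
        !prefix_match(p->dst, c->dst, c->dst_mask, c->dst_negate))
        return VERDICT_BLOCK;
    return VERDICT_LOG;
}

/* Step S207: extract the information and format it; the patent leaves the
 * format unspecified, so this text layout is an assumption of the example. */
int format_record(const struct pkt_info *p, char *out, size_t outlen) {
    return snprintf(out, outlen, "proto=%u src=%u.%u.%u.%u dst=%u.%u.%u.%u payload_len=%zu",
                    (unsigned)p->proto,
                    (unsigned)(p->src >> 24), (unsigned)((p->src >> 16) & 0xff),
                    (unsigned)((p->src >> 8) & 0xff), (unsigned)(p->src & 0xff),
                    (unsigned)(p->dst >> 24), (unsigned)((p->dst >> 16) & 0xff),
                    (unsigned)((p->dst >> 8) & 0xff), (unsigned)(p->dst & 0xff),
                    p->payload_len);
}

/* The Fig. 2 flow for one packet. On VERDICT_LOG the record that would go to
 * klogd is left in 'out'; on VERDICT_BLOCK 'out' is left empty. */
enum verdict process_packet(const uint8_t *buf, size_t len,
                            const struct match_cond *c, char *out, size_t outlen) {
    struct pkt_info p;
    out[0] = '\0';
    if (parse_ipv4(buf, len, &p) != 0 || match_packet(&p, c) != VERDICT_LOG)
        return VERDICT_BLOCK;
    format_record(&p, out, outlen);
    return VERDICT_LOG;
}

/* Constructed sample packet: IPv4, TCP, 192.168.1.10 -> 10.0.0.5, 5-byte
 * payload; the checksum is left zero because this example does not verify it. */
const uint8_t SAMPLE_TCP[25] = {
    0x45, 0x00, 0x00, 0x19, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 168, 1, 10,   10, 0, 0, 5,   'h', 'e', 'l', 'l', 'o'
};

/* Rule equivalent to "-p tcp -s 192.168.1.0/24" with any destination. */
const struct match_cond RULE_TCP_FROM_LAN = { 6, 0, IPV4(192, 168, 1, 0), 0xffffff00u, 0, 0, 0, 0 };

int main(void) {
    char rec[128];
    enum verdict v = process_packet(SAMPLE_TCP, sizeof SAMPLE_TCP, &RULE_TCP_FROM_LAN, rec, sizeof rec);
    printf("%s %s\n", v == VERDICT_LOG ? "LOG" : "BLOCK", rec);
    return 0;
}
```

Setting a negate flag on the rule inverts only that one condition, which is how "!" after -s behaves; a zero mask with proto 0 reproduces the default "match everything" rule, and a buffer shorter than the header length is blocked before any rule is consulted.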

Claims (13)

1. An IP logging method for recording network information from a network according to a predetermined condition, characterised in that the method comprises the steps of:
(a) obtaining packets from the network;
(b) matching the packets against a predetermined matching condition;
(c) if a packet matches the predetermined matching condition, obtaining the information in the packet;
(d) sending the obtained information to an event log for recording.
2. The IP logging method of claim 1, characterised in that step (b) further includes the step of blocking a packet when it does not match the predetermined matching condition.
3. The IP logging method of claim 1, characterised in that the matching condition includes a source address match.
4. The IP logging method of claim 1, characterised in that the matching condition includes a destination address match.
5. The IP logging method of claim 1, characterised in that the matching condition includes a generic protocol match.
6. The IP logging method of claim 1, characterised in that step (b) is followed by the step of checking the payload of the packet.
7. An IP log system for recording network information from a network according to a predetermined condition, characterised in that the system includes a network filter for obtaining packets from the network according to the predetermined condition, a log module for analysing and processing the packets obtained by the network filter so as to obtain the required information from them, and an event log for recording the information obtained by the log module.
8. The IP log system of claim 7, characterised in that the system further includes a klogd program for sending the information obtained by the log module to the event log.
9. The IP log system of claim 7, characterised in that the system further includes a logging application interface for switching the log module on or off and showing its current status.
10. The IP log system of claim 7, characterised in that the system further includes a user interface through which the user sends instructions.
11. The IP log system of claim 10, characterised in that the user interface is a command line interface (CLI).
12. The IP log system of claim 10, characterised in that the user interface is a Web interface.
13. The IP log system of claim 7, characterised in that the system further includes a configuration manager for managing the software and hardware of the system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 03139623 CN1567258A (en) 2003-06-24 2003-06-24 IP log system and method

Publications (1)

Publication Number Publication Date
CN1567258A true CN1567258A (en) 2005-01-19

Family

ID=34470637

Country Status (1)

Country Link
CN (1) CN1567258A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100431302C (en) * 2005-08-30 2008-11-05 飞塔信息科技(北京)有限公司 Log device, system and method with function of analyzing network traffic
CN101707534B (en) * 2009-10-28 2013-03-27 北京天碁科技有限公司 Method and device for carrying out analysis on physical layer logs

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication