CN101127690A - Identification method for next generation of network service traffic - Google Patents

Publication number: CN101127690A
Authority: CN (China)
Application number: CNA2006101096806A
Original language: Chinese (zh)
Inventor: 王玉鹏
Original assignee: Individual
Current assignee: Individual
Legal status: Pending
Classification: Data Exchanges In Wide-Area Networks (AREA)
Prior art keywords: message, session, time, next generation, identification method
Abstract

The invention discloses a method for identifying next-generation network service traffic, comprising the following steps: receiving a packet; calculating a hash from the packet; and processing the packet according to its flag bits. The method records all the statistics of each service session, which helps network management and control, and it can identify the most common service types on the network.

Description

A method for identifying next-generation network service traffic
Technical field
The present invention relates to a method for network traffic management and monitoring, and in particular to a method for identifying next-generation network service traffic.
Background
As broadband networks continue to spread, every industry is becoming more information-driven, and the Internet has become an indispensable part of people's work and life. However, the conflict between traffic's unlimited demand for bandwidth and finite network resources, the conflict between core and non-core services, and the conflict between offering differentiated premium service and guaranteeing public service quality have become an urgent problem that restricts the development of network convergence.
The causes of these problems can be summarized as follows:
● The "one size fits all" network resource allocation mechanism: a broadband IP network gives every service and every user the same undifferentiated "Best Effort" transmission service. As a result, the resources of core services, sensitive services and key users cannot be given priority, and network resources are used inefficiently.
● The widespread use of P2P services has completely overturned the traditional B/S and C/S network architecture. A traditional B/S or C/S architecture is limited by the server side: the volume of data exchanged is proportional to the capacity of the server. In P2P, each participant is both a server and a client, so in a P2P environment the capacity to provide and share data grows exponentially with the number of participants in the network. Studies show that P2P services account for 50%-80% of total current network data traffic.
● The huge gap between LAN bandwidth and WAN bandwidth: LAN technology has gone through several leaps, from the original 10M networks to today's gigabit and even 10-gigabit Ethernet, and its data transfer capacity has risen sharply, while WAN technology has seen no corresponding revolutionary development. For a closed-loop network environment, this inevitably creates a large bottleneck at the WAN and causes network congestion.
● The inherent QoS shortcomings of TCP/IP: during data exchange, each connection does its utmost to expand its bandwidth usage and restrains itself only when the network is congested. Fundamentally, therefore, TCP/IP has an inherent deficiency that easily leads to network congestion.
The analysis above shows that, because the service types on the current network cannot be identified, QoS cannot be guaranteed for core and sensitive services. The network is prone to severe congestion, resources are not used effectively and rationally, productivity in an information-based environment suffers, operators find it hard to raise network operating revenue and to move away from the extensive, coarse-grained mode of running data networks, and service traffic cannot be effectively controlled and managed. Service quality has become one of the key bottlenecks restricting the development of broadband network services.
Summary of the invention
For next-generation network management, service traffic management rests on traffic identification: on that basis, the bandwidth of individual services can be suppressed, or the bandwidth of core services guaranteed. The invention provides a method for identifying next-generation network service traffic that can identify the common, majority service types on the network and collect statistics on each service session.
The invention is implemented by the following scheme: a method for identifying next-generation network service traffic, comprising the following steps:
(1) receive a packet;
(2) calculate a hash from the packet;
(3) process the packet according to its flag bits:
(A) when a TCP SYN packet is received, create a new session and record the session statistics;
(B) when a TCP SYN/ACK packet is received, calculate the server's response time and update the session statistics;
(C) when a TCP ACK packet is received, calculate the client's response time and update the session statistics;
(D) when a TCP session packet is received, parse the protocol, perform traffic identification, and update the session statistics;
(E) when a TCP FIN or TCP RST packet is received, record the session statistics and then clear the session connection.
In step (2), the HASH value can be obtained from the four-tuple of source IP address, source port, destination IP address and destination port:
HASH value = (source port + destination port + source IP address + destination IP address) & MAX_SESSION_CNT,
where the value of MAX_SESSION_CNT is 50000.
In step (3), the session statistics comprise: the service type, the protocol type, the server IP address, the server port, the client IP address, the client port number, the time the session was established, the time the session ended, the duration of the session, the number of packets sent in the session, the number of bytes sent in the session, the number of packets received in the session, and the number of bytes received in the session.
The traffic identification of step (D) comprises:
(a) When duration > 180 s and data exchanged > 3 MB, the service is judged to be an HTTP file download.
(b) If the keyword BitTorrent Protocol is found at byte 68, 55 or 137 of the packet, the session is judged to be a BT download.
(c) If the packet's port (whether source port or destination port) equals 4242, or is greater than 4661 and less than 4665, the session is judged to be an EDK service.
(d) If the keyword PSProtocol is found at byte 68, 55 or 137 of the packet, the session is judged to be a ppStream download.
(e) Determine whether the service is passive FTP, and handle it accordingly:
1) run a string search on all packets on port 21, looking for the passive FTP control signaling field "Passive";
2) if the field is present, the data port is carried in this packet: the text after the field contains the "source port + destination port" of the data transmission channel;
3) parse the data transmission channel, create the session in advance, and set up the related session record;
4) when the next packet arrives, the new session completes the tracking of the FTP data transmission channel.
The beneficial effects of the invention are:
1. With the network identification technique provided by the invention, all the statistics of each service session are available, which helps network management and control.
2. The invention can identify the common, majority service types on the network. When it finds bulk-download services such as BT and EDK, it can limit their bandwidth and prevent them from swallowing large amounts of bandwidth.
Description of drawings
Fig. 1 is a flow chart of the present invention.
Embodiment
The workflow of the invention is described in more detail below with reference to the drawing and a specific embodiment.
As shown in Figure 1, the workflow of the invention is:
Step 101: receive a packet.
Step 102: calculate a hash from the packet.
To provide traffic identification capability and raise packet processing speed, while avoiding the loss of system stability and efficiency caused by dynamic memory allocation, a statically allocated, memory-mapped data structure is used for session storage, so that the session for a packet can be located by its memory position.
As to how to use the information already in the packet to calculate the corresponding memory location, a common hash algorithm can be used. Considering that, under normal conditions, the network environment has no more than 50,000 concurrent sessions, the HASH value can be obtained from the four-tuple of source IP address, source port, destination IP address and destination port:
HASH value = (source port + destination port + source IP address + destination IP address) & MAX_SESSION_CNT;
where the value of MAX_SESSION_CNT is 50000.
This algorithm gives the fastest hash calculation while guaranteeing a certain accuracy.
Of course, in a complex network, other, more accurate hash algorithms can also be used to safeguard system precision.
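The hash of step 102, evaluated exactly as written (sum of the four-tuple, bitwise AND with 50000), as an added example that is not code from the patent. It counts how many table slots a set of constructed flows can reach and compares that with a modulo variant; the modulo variant, the function names and the sample addresses are assumptions of this example.

```python
import ipaddress
import random

MAX_SESSION_CNT = 50000  # value given in the text


def tuple_sum(src_ip, src_port, dst_ip, dst_port):
    """Sum of the four-tuple, IPv4 addresses taken as 32-bit integers."""
    return (src_port + dst_port
            + int(ipaddress.IPv4Address(src_ip))
            + int(ipaddress.IPv4Address(dst_ip)))


def hash_and(src_ip, src_port, dst_ip, dst_port):
    """Hash as written in the text: sum & MAX_SESSION_CNT."""
    return tuple_sum(src_ip, src_port, dst_ip, dst_port) & MAX_SESSION_CNT


def hash_mod(src_ip, src_port, dst_ip, dst_port):
    """Variant for comparison (assumption, not from the patent): sum % MAX_SESSION_CNT."""
    return tuple_sum(src_ip, src_port, dst_ip, dst_port) % MAX_SESSION_CNT


def max_slots_with_and(mask=MAX_SESSION_CNT):
    """x & mask keeps only the bits set in mask, so 2**popcount(mask) values.

    50000 = 0b1100001101010000 has six set bits.
    """
    return 2 ** bin(mask).count("1")


def constructed_flows(n, seed=1):
    """Constructed sample: n client flows from 10.0.0.0/16 to one web server."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        client = f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        flows.append((client, rng.randrange(1024, 65536), "192.0.2.10", 80))
    return flows


def distinct_slots(hash_fn, flows):
    """Number of different table slots the flows are mapped to."""
    return len({hash_fn(*f) for f in flows})


if __name__ == "__main__":
    flows = constructed_flows(20000)
    print("upper bound with &:", max_slots_with_and())
    print("slots used with &: ", distinct_slots(hash_and, flows))
    print("slots used with %: ", distinct_slots(hash_mod, flows))
    request = ("10.0.0.5", 40000, "192.0.2.10", 80)
    reply = ("192.0.2.10", 80, "10.0.0.5", 40000)
    # The sum is symmetric, so both directions of a session share one slot.
    print("same slot both ways:", hash_and(*request) == hash_and(*reply))
```

With the mask as given, a table sized for 50,000 sessions is reached through at most 64 slots, so how colliding sessions are told apart matters. The text does not describe a collision policy.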
Step 103: determine from the packet's flag bits which processing is required.
Step 104: if it is a TCP SYN packet, first check whether a session already exists in the session buffer; if so, clear the session's timestamps and update the session start timestamp. Go to step 109.
Step 105: if it is a TCP SYN/ACK packet, calculate the server-side response time, then go to step 109.
Step 106: if it is a TCP ACK packet, calculate the client-side response time, then go to step 109.
Step 107: if it is a TCP session packet and protocol parsing or signature-based traffic identification is needed, traffic identification can be performed at this point; then go to step 109.
The services include:
● HTTP file download
In normal web browsing, a session does not last more than 3 minutes, and for each element of a web page, a session does not carry more than 3 MB of traffic.
Therefore, for HTTP traffic it is enough to check the session's duration and data statistics. When:
duration > 180 s && data exchanged > 3 MB (these parameters can be configured flexibly), the HTTP session can be considered a file download.
● BT download
In BT, before data is exchanged, the keyword BitTorrent Protocol always appears at byte 68, 55 or 137 of the packet. A string search is therefore run starting at these byte offsets of the packet; if the keyword is present, the session can be considered a BT download.
Once a session has been clearly identified as BT, its traffic can be counted and its bandwidth limited according to the preconfigured P2P channel bandwidth, preventing it from swallowing large amounts of bandwidth.
● EDK download
Identifying EDK is comparatively simple: any packet whose port (whether source port or destination port) equals 4242, or is greater than 4661 and less than 4665, can be considered EDK traffic.
● ppStream download
ppStream is handled exactly like BT; only the keyword differs. Its signature keyword is "PSProtocol".
● Passive FTP download
Passive FTP differs from the other services, which can be identified with a simple signature. Its data port is negotiated over the standard FTP control port 21 before the transfer takes place, instead of using the standard port 20 as the FTP data port.
The tracking procedure is:
Run a string search on all packets on port 21, looking for the passive FTP control signaling field "Passive";
If the field is present, the data port is carried in this packet: the text after the field contains the "source port + destination port" of the data transmission channel;
Parse the data transmission channel, create the session in advance, and set up the related session record;
When the next packet arrives, the new session completes the tracking of the FTP data transmission channel.
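The identification rules of step 107 applied to constructed packets, as an added example that is not code from the patent. The class and function names, the labels, the use of port 80 to mark HTTP, case-insensitive keyword matching and reading "3MB" as 3 * 2**20 bytes are assumptions; the passive-mode reply is parsed in its RFC 959 form, where the data port is p1 * 256 + p2.

```python
import re

KEYWORD_OFFSETS = (68, 55, 137)        # byte offsets named in the text
BT_KEYWORD = b"BitTorrent Protocol"    # keyword as spelled in the text
PPS_KEYWORD = b"PSProtocol"
HTTP_MIN_SECONDS = 180                 # configurable per the text
HTTP_MIN_BYTES = 3 * 1024 * 1024       # "3MB", assumed to mean 3 * 2**20 bytes

# FTP passive reply (RFC 959): "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_REPLY = re.compile(
    rb"Passive[^\r\n]*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", re.I)


class Classifier:
    def __init__(self):
        self.expected_ftp_data = set()   # (server_ip, port) announced on port 21

    @staticmethod
    def keyword_at_offsets(frame, keyword):
        """Keyword starts at one of the offsets (case-insensitive: assumption)."""
        k = keyword.lower()
        return any(frame[o:o + len(k)].lower() == k for o in KEYWORD_OFFSETS)

    @staticmethod
    def is_edk_port(port):
        return port == 4242 or 4661 < port < 4665

    def track_ftp_control(self, frame, src_port, dst_port):
        """Find "Passive" in a port-21 packet and pre-create the data session."""
        if 21 not in (src_port, dst_port):
            return None
        m = PASV_REPLY.search(frame)
        if m is None:
            return None
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        endpoint = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
        self.expected_ftp_data.add(endpoint)
        return endpoint

    def classify(self, frame, src, dst, duration_s=0, total_bytes=0):
        """Label one packet; src and dst are (ip, port) tuples."""
        ports = (src[1], dst[1])
        if self.track_ftp_control(frame, *ports):
            return "FTP-CONTROL"
        if src in self.expected_ftp_data or dst in self.expected_ftp_data:
            return "FTP-PASSIVE-DATA"
        if self.keyword_at_offsets(frame, BT_KEYWORD):
            return "BT"
        if self.keyword_at_offsets(frame, PPS_KEYWORD):
            return "PPSTREAM"
        if any(self.is_edk_port(p) for p in ports):
            return "EDK"
        # Port 80 as the marker for HTTP is an assumption of this example.
        if 80 in ports and duration_s > HTTP_MIN_SECONDS and total_bytes > HTTP_MIN_BYTES:
            return "HTTP-DOWNLOAD"
        return "UNKNOWN"


HDR = bytes(54)   # constructed stand-in for Ethernet(14) + IPv4(20) + TCP(20) headers
CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.10", 21)
SAMPLES = [       # constructed packets: (frame, src, dst, duration_s, total_bytes)
    (HDR + b"227 Entering Passive Mode (192,0,2,10,19,137)\r\n", SERVER, CLIENT, 0, 0),
    (HDR + b"file bytes", ("192.0.2.10", 5001), ("10.0.0.5", 40001), 0, 0),
    (HDR + b"\x13BitTorrent protocol" + bytes(48), CLIENT, ("198.51.100.7", 51413), 0, 0),
    (bytes(68) + b"PSProtocol", CLIENT, ("198.51.100.8", 8000), 0, 0),
    (HDR + b"\xe3", CLIENT, ("198.51.100.9", 4662), 0, 0),
    (HDR + b"HTTP body", ("203.0.113.4", 80), CLIENT, 240, 5 * 1024 * 1024),
    (HDR + b"HTTP body", ("203.0.113.4", 80), CLIENT, 12, 40_000),
]


def run_samples():
    c = Classifier()
    return [c.classify(*s) for s in SAMPLES]


if __name__ == "__main__":
    print(run_samples())
```

Every rule here keys on a cleartext keyword, a fixed port or a volume threshold, so an encrypted or re-ported session of the same service falls through to UNKNOWN or to the HTTP heuristic.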
Step 108: receiving a TCP FIN or TCP RST shows that a session has ended, so the statistics of the session are recorded. The statistics comprise: the service type, the protocol type, the server IP address, the server port, the client IP address, the client port number, the time the session was established, the time the session ended, the duration of the session, the number of packets sent in the session, the number of bytes sent in the session, the number of packets received in the session, and the number of bytes received in the session. Then go to step 110.
Step 109: update the session statistics, then go to step 111, end packet processing, and complete the full tracking of a session.
Step 110: clear the session connection and zero the memory that stored the session, then go to step 111, end packet processing, and complete the full tracking of a session.
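Steps 103 to 110 as a per-session state machine replayed over a constructed packet trace, as an added example that is not code from the patent. The class names, field names, millisecond timestamps and the dictionary keyed by the sorted four-tuple (used here in place of the static hash table) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10   # TCP flag bits


@dataclass
class Session:
    client: tuple                 # (ip, port) of the side that sent the SYN
    server: tuple
    start_ms: int                 # time the session was established
    syn_ack_ms: Optional[int] = None
    server_rtt_ms: Optional[int] = None   # SYN -> SYN/ACK
    client_rtt_ms: Optional[int] = None   # SYN/ACK -> ACK
    pkts_sent: int = 0            # client -> server
    bytes_sent: int = 0
    pkts_recv: int = 0            # server -> client
    bytes_recv: int = 0
    end_ms: Optional[int] = None


class Tracker:
    def __init__(self):
        self.live = {}            # direction-independent four-tuple -> Session
        self.finished = []        # records written at FIN/RST (step 108)

    def handle(self, ts_ms, src, dst, flags, payload_len):
        """Process one TCP packet; src and dst are (ip, port) tuples."""
        key = tuple(sorted((src, dst)))
        if flags & SYN and not flags & ACK:
            # Step 104: a SYN opens a session; a repeated SYN restarts it
            # (this example also resets the counters, a simplification).
            self.live[key] = Session(client=src, server=dst, start_ms=ts_ms)
        s = self.live.get(key)
        if s is None:
            return None           # no session: e.g. packets after the first FIN
        if flags & SYN and flags & ACK:                      # step 105
            s.syn_ack_ms = ts_ms
            s.server_rtt_ms = ts_ms - s.start_ms
        elif (flags & ACK and src == s.client
              and s.syn_ack_ms is not None and s.client_rtt_ms is None):
            s.client_rtt_ms = ts_ms - s.syn_ack_ms           # step 106
        if src == s.client:                                  # step 109
            s.pkts_sent += 1
            s.bytes_sent += payload_len
        else:
            s.pkts_recv += 1
            s.bytes_recv += payload_len
        if flags & (FIN | RST):                              # steps 108 and 110
            s.end_ms = ts_ms
            self.finished.append(self.live.pop(key))
        return s


C, S = ("10.0.0.5", 40000), ("192.0.2.10", 80)
TRACE = [   # constructed packets: (time in ms, src, dst, flags, payload bytes)
    (0, C, S, SYN, 0),
    (20, S, C, SYN | ACK, 0),
    (50, C, S, ACK, 0),
    (60, C, S, PSH | ACK, 120),
    (90, S, C, PSH | ACK, 1400),
    (100, C, S, FIN | ACK, 0),
    (101, S, C, ACK, 0),
]


def replay(trace):
    t = Tracker()
    for pkt in trace:
        t.handle(*pkt)
    return t


if __name__ == "__main__":
    print(replay(TRACE).finished[0])
```

Because the session is cleared on the first FIN, as step 108 describes, the last packet of the trace finds no session and is not counted.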

Claims (8)

1. A method for identifying next-generation network service traffic, comprising the following steps:
(1) receive a packet;
(2) calculate a hash from the packet;
(3) process the packet according to its flag bits:
(A) when a TCP SYN packet is received, create a new session and record the session statistics;
(B) when a TCP SYN/ACK packet is received, calculate the server's response time and update the session statistics;
(C) when a TCP ACK packet is received, calculate the client's response time and update the session statistics;
(D) when a TCP session packet is received, parse the protocol, perform traffic identification, and update the session statistics;
(E) when a TCP FIN or TCP RST packet is received, record the session statistics and then clear the session connection.
2. The method for identifying next-generation network service traffic according to claim 1, characterized in that: in step (2), the HASH value is obtained from the four-tuple of source IP address, source port, destination IP address and destination port:
HASH value = (source port + destination port + source IP address + destination IP address) & MAX_SESSION_CNT,
where the value of MAX_SESSION_CNT is 50000.
3. The method for identifying next-generation network service traffic according to claim 1, characterized in that: in step (3), the session statistics comprise: the service type, the protocol type, the server IP address, the server port, the client IP address, the client port number, the time the session was established, the time the session ended, the duration of the session, the number of packets sent in the session, the number of bytes sent in the session, the number of packets received in the session, and the number of bytes received in the session.
4. The method for identifying next-generation network service traffic according to claim 1, 2 or 3, characterized in that: in step (D), when duration > 180 s and data exchanged > 3 MB, the service is judged to be an HTTP file download.
5. The method for identifying next-generation network service traffic according to claim 1, 2 or 3, characterized in that: in step (D), if the keyword BitTorrent Protocol is found at byte 68, 55 or 137 of the packet, the session is judged to be a BT download.
6. The method for identifying next-generation network service traffic according to claim 1, 2 or 3, characterized in that: in step (D), if the packet's port equals 4242, or is greater than 4661 and less than 4665, the session is judged to be an EDK service.
7. The method for identifying next-generation network service traffic according to claim 1, 2 or 3, characterized in that: in step (D), if the keyword PSProtocol is found at byte 68, 55 or 137 of the packet, the session is judged to be a ppStream download.
8. The method for identifying next-generation network service traffic according to claim 1, 2 or 3, characterized in that: in step (D), it is determined whether the service is passive FTP, and it is handled accordingly:
1) run a string search on all packets on port 21, looking for the passive FTP control signaling field "Passive";
2) if the field is present, the data port is carried in this packet: the text after the field contains the "source port + destination port" of the data transmission channel;
3) parse the data transmission channel, create the session in advance, and set up the related session record;
4) when the next packet arrives, the new session completes the tracking of the FTP data transmission channel.

Priority Applications (1)

Application number: CNA2006101096806A
Publication number: CN101127690A
Title: Identification method for next generation of network service traffic
Priority date: 2006-08-17
Filing date: 2006-08-17
Publication date: 2008-02-20
Status: Pending
Family ID: 39095618
Country: CN

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20080220