Embodiment
In order to solve the problems of the prior art, namely low network transmission efficiency, failure to make the fullest use of the network bandwidth, and a comparatively rigid speed-limiting mode, embodiments of the invention provide a method for implementing network speed limiting.
Some notions used in this text are described first. Different network application processes differ greatly in their network access characteristics. Generally speaking, they can be divided into two major classes: peak-type network application processes and mean-type network application processes. When the variation range of a network application process's network traffic is greater than a set threshold, that process is a peak-type network application process; for example, the network traffic of a web application process varies from 10 kbps to 100 kbps, which is greater than the preset threshold of 20 kbps, so the web application process is judged to be a peak-type network application process. When the variation range of a network application process's network traffic is less than the set threshold, that process is a mean-type network application process; for example, the network traffic of a download application varies from 50 kbps to 60 kbps, which is less than the preset threshold of 20 kbps, so the download application process is judged to be a mean-type network application process.
The network resource demand of a peak-type network application process is shown as a function graph in Fig. 1. The curve in the figure is N = N(t), where N(t) is the amount of network resources used at time t, i.e. the network traffic. Line 10 is the network traffic peak Nmax under the current environment. As can be seen from the figure, part 11 is the available network resources and part 12 is the network resources used by this peak-type network application process. The characteristic of a peak-type network application process is that most of the time its network traffic remains at a very low level, but at certain moments it produces a large amount of network traffic lasting a short time tx, after which it remains at a low level again. Typical examples of peak-type network application processes are web browsers, scientific computing, etc.
In the web browser application, the client enters a URL, the browser resolves this URL and fetches the web page from the corresponding server, and at this moment the network traffic reaches a peak. After the page has been fetched successfully, the user begins to browse the page, and the browser's network usage tends gradually toward 0 until the user enters the next URL.
In the scientific computing application, the client computer submits the content to be computed to a supercomputer over the network, waits for the supercomputer to compute the result, and then fetches the result over the network again. Generally speaking, the reason a supercomputer is used instead of the local computer is precisely the high time complexity of the computation. At the moment the computation request is submitted, a network usage peak is produced. Afterwards, while waiting for the computation to finish, the network is essentially silent until the computation result is produced.
Mean-type network application processes are the opposite of peak-type network application processes: a mean-type process's use of the network remains essentially stable over a certain time range tx. Typical examples of this type of application are download tools and online video browsing, etc.
In the download tool case, as soon as the user starts a download, the download tool does its best to keep the network at full load so that the download takes the minimum total time.
In the video browsing case, the user generally keeps watching video for a certain period of time; during this time the playback process takes at least a certain bandwidth to guarantee that the video keeps playing. Generally speaking, it is only necessary that the download speed be greater than the video bit rate.
The characteristic of peak-type use is that requests come quickly, go quickly, and the request amount is large. Therefore, in actual use, the transient requests of peak-type network application processes should be given priority, to improve the user's online experience. The reasoning is as follows: suppose the time during which a peak-type network application process occupies more than 80% of the total network resources is T0, and the corresponding time for a mean-type network application process is T1. The essential difference between the two kinds of network application processes is that T0 is much smaller than T1. Hence, giving the peak-type network application process priority and offering the bandwidth it leaves idle to the mean-type network application process increases T1 only by a very small ratio. As a real example, while the user is downloading, the download process can take the whole bandwidth; if at this moment the user needs to browse a web page, the browser and the download tool compete for network resources and the page opens slowly or cannot be opened. Conversely, sacrificing the browser's page-opening time gains very little in total download time, for example reducing it from 1 hour to 59 minutes and 59 seconds. For the online video example, when the user opens a web page, playback can be suspended completely; once the page has finished opening and the network becomes idle, playback continues, or content to be viewed later is even downloaded in advance, so that the next time the user opens a page the video can still keep playing.
In the user's real environment, the network is complicated and changeable. As stated above, if only one process is using the network, whether it is a peak-type or a mean-type network application process, there is no need to allocate network resources specially. But as soon as several network processes exist in the same network environment, a coordinator is needed to guarantee that the overall network service behaviour is optimized. From the above description of the two classes of processes it can be seen that a peak-type network application process wastes network resources most of the time, so it is the key to intelligent speed limiting. Therefore, in a mixed network usage environment, when a peak-type application process issues a transient request, the process controller restricts the network access of the mean-type network application processes to guarantee the access of the peak-type process. After the peak-type process's access finishes, or after the peak request has lasted longer than a preset value t, the restriction is released again and the processes are allowed to compete freely for network resources.
A first embodiment provided by the invention is a method for implementing network speed limiting; the method flow, shown in Fig. 2, comprises:
Step 101: monitor the network access request packets of the network application processes.
Step 102: when a network access request packet of the web browser is detected, restrict the download process from making network connections.
If a network application process running on a stand-alone computer needs to be monitored and controlled, the best way is to use network firewall technology. Steps 101 and 102 are described below taking a firewall as an example.
By comparing the rate of change of each network application process's network traffic with the set threshold, the type of each network application process can be determined in advance as peak type or mean type (for example, the download process is determined in advance to be a mean-type network application process and the web browser process a peak-type network application process). The firewall monitors the network access request packets of each network application process. When the user clicks a web page, the web browser accesses the network and the firewall detects the network access request packet of the web browser process; according to the access control policy, the firewall then restricts the download process from making network connections. If a download process is performing network access at this moment, the firewall knows, by monitoring the network access request packets of each network application process, that a download process is making a network connection, and intercepts the download process's network access request packets using packet interception technology.
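As an added example that is not part of the patent text, the following C program models the controller behind steps 101 and 102 in user space: processes are classified by the variation range of constructed traffic samples against the 20 kbps threshold from the text, and mean-type processes are refused connections while a peak-type burst is active. The release duration t, the process ids and the sample values are assumptions.

```c
/* Added example, not from the patent text: a user-space model of the
 * controller behind steps 101 and 102. Processes are classified by the
 * variation range of traffic samples against the 20 kbps threshold from the
 * text; while a peak-type burst is active, mean-type processes are refused
 * connections until the burst finishes or a preset duration t elapses.
 * Sample values, process ids and t are constructed. */
#include <stdio.h>
#define MAX_PROCS 8
#define THRESHOLD_KBPS 20   /* preset threshold given in the text */
#define PEAK_HOLD_T 5       /* preset value t (seconds); constructed */

typedef enum { TYPE_MEAN = 'A', TYPE_PEAK = 'B' } proc_type;
typedef struct {
    int pid;
    proc_type type;
    int peak_active;   /* peak-type process currently in a burst */
    int peak_since;    /* time its request packet was first seen */
} proc_entry;
typedef struct { proc_entry procs[MAX_PROCS]; int count; } controller;

/* Variation range (max - min) of the samples above threshold -> peak type. */
proc_type classify(const int *samples, int n, int threshold) {
    int lo = samples[0], hi = samples[0];
    for (int i = 1; i < n; i++) {
        if (samples[i] < lo) lo = samples[i];
        if (samples[i] > hi) hi = samples[i];
    }
    return (hi - lo) > threshold ? TYPE_PEAK : TYPE_MEAN;
}

static proc_entry *ctl_find(controller *c, int pid) {
    for (int i = 0; i < c->count; i++)
        if (c->procs[i].pid == pid) return &c->procs[i];
    return NULL;
}

int ctl_add(controller *c, int pid, proc_type type) {
    if (c->count >= MAX_PROCS) return -1;
    proc_entry *p = &c->procs[c->count++];
    p->pid = pid; p->type = type; p->peak_active = 0; p->peak_since = 0;
    return 0;
}

/* Step 101: a network access request packet from pid is seen at time now. */
void ctl_on_request(controller *c, int pid, int now) {
    proc_entry *p = ctl_find(c, pid);
    if (p && p->type == TYPE_PEAK) { p->peak_active = 1; p->peak_since = now; }
}

/* The peak-type process reports that its access has finished. */
void ctl_on_finish(controller *c, int pid) {
    proc_entry *p = ctl_find(c, pid);
    if (p) p->peak_active = 0;
}

/* Step 102: may pid connect at time now? Peak-type (and unknown) processes
 * always may; a mean-type process is refused while a peak-type burst is
 * active and has not yet lasted longer than t. */
int ctl_allowed(controller *c, int pid, int now) {
    proc_entry *p = ctl_find(c, pid);
    if (!p || p->type == TYPE_PEAK) return 1;
    for (int i = 0; i < c->count; i++) {
        proc_entry *q = &c->procs[i];
        if (q->type != TYPE_PEAK || !q->peak_active) continue;
        if (now - q->peak_since > PEAK_HOLD_T) q->peak_active = 0; /* release after t */
        else return 0;
    }
    return 1;
}

int main(void) {
    const int web[] = {10, 40, 100, 25, 10};  /* constructed browser samples */
    const int dl[] = {50, 55, 60, 58, 52};    /* constructed download samples */
    controller c = { .count = 0 };
    ctl_add(&c, 132, classify(web, 5, THRESHOLD_KBPS));  /* peak type */
    ctl_add(&c, 543, classify(dl, 5, THRESHOLD_KBPS));   /* mean type */
    ctl_on_request(&c, 132, 10);   /* browser burst seen at t=10 */
    printf("download allowed at t=11: %d, at t=16: %d\n",
           ctl_allowed(&c, 543, 11), ctl_allowed(&c, 543, 16));
    return 0;
}
```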
The implementation of firewall technology is not entirely the same on different operating systems. The implementation details are set forth below taking the Windows operating system as an example, but the invention is not limited to Windows: using the toolkits provided by different operating systems, it can be implemented on any operating system in which the network interface card hardware operates normally. Since the above steps require network packet monitoring and interception technology, the firewall implementation under Windows is first described briefly.
A network firewall is software located between a computer and the network it is connected to. All communication between the computer and the network passes through this firewall.
The main functional modules of a firewall are: network packet processing, security rules and logging.
Network packet processing is described as follows. On the Internet, all data exchanged is divided into packets of a certain length, whose headers contain information such as the IP source address, IP destination address, encapsulated protocol (TCP, UDP, ICMP or IP tunnel), TCP/UDP destination port, ICMP message type, and the incoming and outgoing interfaces of the packet. The firewall can inspect the header information of every packet passing through it and filter packets according to the security filtering rules set by the user. If the firewall marks a certain IP address as dangerous, all packets coming from that address are blocked by the firewall. This shows that the core technology of a personal firewall can be realised by network packet interception under the Windows operating system.
As for security rule setting: the firewall's security rules are the settings for the protocols used by the computer within the local area network (LAN) and the Internet; the network packet processing module processes network packets according to these settings so as to reach the best security state of the system. Personal firewall software has two kinds of security rule modes. One is predefined security rules: the security rules are defined as several schemes, generally divided into three levels, basic, normal and high, so that even a user who does not understand network protocols can flexibly choose a security scheme according to his own needs. The other is user-defined security rules: here the user, having understood the network protocols, configures a certain protocol separately according to his own security needs.
Since in firewall software the setting of security rules and the processing of packets are generally done by two separate modules, the firewall implementation involves information exchange between these two modules. A firewall on the Windows operating system uses techniques for communication between an application program and a device driver to realise the information exchange between these two modules.
From the above analysis, the problems that a firewall mainly has to solve in its implementation are: network packet interception, and information exchange between the security rule setting module and the packet processing module. These two problems are discussed separately below.
The core technology of a firewall under the Windows operating system is network packet interception. Before introducing this technology, the network architecture of the Windows system must first be understood. Network packets under Windows can be intercepted at two levels: user mode and kernel mode. In user mode there are three methods of intercepting network packets: the Winsock Layered Service Provider (LSP), the Windows 2000 packet filtering interfaces, and replacing the WINSOCK dynamic link library shipped with the system. The most serious shortcoming of intercepting packets in user mode is that it can only be done at the Winsock level and cannot handle packets of the lower-layer protocols in the network protocol stack. Therefore these methods are not suitable for a firewall. From the layered structure of TCP/IP we know that TCP belongs to the upper-layer protocols and its basis is still the IP protocol. Hence, as long as packets can be controlled at the IP protocol layer, full control of the TCP protocol can be programmed.
In kernel mode, the following methods of network packet interception exist. First, the TDI filter driver (TDI Filter Driver). When a network application process sends or receives network packets, it always does so through the interfaces provided by the protocol driver. The protocol driver provides a set of predefined standard interfaces through which the system and the network application process interact. Therefore, only a filter driver that intercepts these interaction interfaces is needed to realise network packet interception.
Second, the Win2k Filter-Hook Driver. This driver mainly uses the functions provided by Ipfiltdrv.sys to intercept network packets. A Filter-Hook Driver is very simple in structure and easy to implement.
Third, the NDIS Hook Driver. It depends heavily on the platform, and different methods have to be used for different operating system versions.
Finally, the NDIS intermediate driver (NDIS Intermediate Driver). NDIS is the abbreviation of Network Driver Interface Specification, and it supports the following three types of network drivers: miniport drivers, intermediate drivers (Intermediate Driver) and protocol drivers. The intermediate layer driver sits between the protocol layer driver and the miniport driver. Its functions are very powerful: it can provide multiple services, intercept all network packets (Ethernet frames), filter miniport drivers, and implement a certain protocol or other functions such as packet encryption and authentication.
In summary, the method of capturing network packets at the NDIS intermediate layer is standard in structure and powerful, and is the preferred technical scheme of the present embodiment.
The NDIS (Network Driver Interface Specification) intermediate driver exports MiniportXxx functions at its upper edge and ProtocolXxx functions at its lower edge. At its upper edge this driver only supports connectionless communication, while at its lower edge it supports connectionless communication and can also support connection-oriented communication.
The miniport section (upper edge) of an intermediate driver must be non-serialized (deserialized): the operating system relies on these non-serialized drivers rather than having NDIS serialize and queue the calls to the MiniportXxx functions. As long as the driver keeps its critical sections very small (only one thread may execute that code at a time), the upper edge it exports toward the TDI driver provides well-behaved full-duplex operation for the outgoing packets generated internally. However, such non-serialized miniports are subject to stricter design requirements and more restrictions, and therefore often cost more debugging and testing time.
An intermediate driver is a typical layered program: it is layered above one or more NDIS NIC drivers, and above it is a transport driver (possibly itself multi-layered) that provides TDI (Transport Driver Interface) support to the upper layers. Theoretically, an intermediate driver can also be layered above other intermediate drivers, or appear as the lower layer of other intermediate drivers.
The role of the NDIS intermediate driver in NDIS is to forward the packets sent down by the upper-layer driver to the interface functions of the lower-layer driver. When the intermediate layer driver receives a packet from the lower-layer driver, it calls either the NdisMIndicateReceive function or the NdisMIndicateReceivePacket function to indicate this packet to the upper layer. This process can therefore be used to implement the packet filtering function. The intermediate driver opens and establishes a binding to the lower-layer NIC driver or NDIS intermediate driver by calling NDIS. It provides the MiniportSetInformation and MiniportQueryInformation functions to handle the set and query requests of the higher-layer driver; in some situations it may also have to pass these requests on to the lower-layer NDIS driver, which it does by calling NdisRequest if its lower edge is connectionless, or NdisCoRequest if its lower edge is connection-oriented. The intermediate driver sends packets to the lower-layer NDIS driver by calling the functions provided by NDIS: for example, an intermediate driver whose lower edge is connectionless must call NdisSend or NdisSendPackets to send a packet or packet array, while with a connection-oriented lower edge it must call NdisCoSendPackets to send a packet array. If the intermediate driver is layered above a non-NDIS NIC driver, the transmit interface is opaque to NDIS after the intermediate driver's MiniportSend or Miniport(Co)SendPackets function is called. NDIS provides a set of NdisXxx functions and macros that hide the details of the underlying operating system; for example, the intermediate driver can call NdisMInitializeTimer to create a synchronized timer and NdisInitializeListHead to create a linked list. Using functions that conform to the NDIS standard improves the intermediate driver's portability across the Microsoft operating systems that support the Win32 interface.
Using firewall technology, not only must network packets be captured; after a packet has been analysed it must also be handled according to the user's access control policy, restricting the network application process from making network connections. Because the access control policy is set by an application program with a human-machine interface, on the firewall principle the network device driver alone is not enough: information exchange between the device driver and the application program must also be realised.
Communication between the device driver and the application program has two aspects:
The application program passes data to the device driver. This part is relatively easy to realise: after the application program obtains a handle to the device driver through the CreateFile() function, it can use Win32 functions such as DeviceIoControl(), ReadFile() or WriteFile() to communicate with the device driver.
The device driver sends messages to the application program. This part can be summarised into the following five implementation modes: asynchronous procedure call (APC), event mode (VxD), message mode, asynchronous I/O mode and event mode (WDM), the latter being more complex than the former. The first three methods are mainly used in VxDs, and the last two mainly in WDM. The most frequently used is event mode, which is introduced with emphasis below.
In event mode, the application program first creates an event, passes the event handle to the device driver, and then creates a worker thread that waits for the event to become signalled. After the device driver obtains the handle to this event, it converts it to a usable event pointer and stores it for later use. When the device driver has something to tell the application program, it sets the event to the signalled state, so that the application program's worker thread learns of the message immediately and handles it accordingly.
Within the scope of a LAN, the overall network service upper limit of a machine is restricted with the computer as the unit. Network bandwidth limitation is therefore actually only a narrow description of the behaviour; its real purpose is to coordinate the processes and distribute network resources rationally so that the overall efficiency is maximised. On the basis of this theoretical insight, and in combination with the general online habits of present network users and the behavioural characteristics of network application processes, an algorithm has been designed that can automatically coordinate each network application process. A program implementing this algorithm can, with essentially no user intervention, maximise the overall effect of network usage.
Under the Windows platform, the network connections of a process can be restricted by using firewall technology. This has been described in detail above, so the firewall implementation is not described further here. For the present invention deployed on a single machine, two basic modules are needed: a firewall part and a control part.
The firewall part is responsible for the concrete supervision and refusal of the network operations of certain processes, guaranteeing that the control part achieves the expected control effect. The control part keeps Table 1 internally, as follows:
Process ID | Type | Resource occupation
---------- | ---- | -------------------
543 | A | 94
3413 | B | 6354
876 | B | 36
132 | A | 213
876 | A | 817

Table 1
(Note: the process ID is the unique identifier the operating system assigns to a process; type A is mean type and type B is peak type.)
The control software operates at the granularity of a certain time unit: it refreshes this table at regular intervals and decides whether the next network access of a given process is allowed or suspended.
Within the scope of a LAN, each computer in the network can be regarded as a process of the single-machine scheme, and the above scheme applied accordingly. One problem should be noted in implementation: for a single process it is relatively easy to determine whether it is mean type or peak type, but a computer runs many processes, so in general it may belong to neither type permanently; rather, at one time it belongs to type A and at another time to type B. So the controller in the LAN needs to judge dynamically which type a given local machine belongs to at the moment, and decide its network access resource quota accordingly. There are many methods of dynamic judgement; one scheme is provided here:
The controller keeps an array for each independent computer in the network. This array records the network traffic of the machine when it starts network access, denoted N1, and records the machine's network traffic at each subsequent time point, denoted Ni; after every time interval, Ns = Ni − N1 is computed. Ns is then the network traffic variation range (equivalent here to the derivative of a continuous function). Whether Ns lies within a predetermined threshold determines whether the machine belongs to the peak type or the mean type. For example, if Ns is not within the range ±10% of N1, the machine is peak type; if Ns is within ±10% of N1, it is mean type.
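The following C program is an added example, not code from the patent: it implements the per-host judgement just described (N1, Ni, Ns = Ni − N1, compared with ±10% of N1) and applies it as the terminal-level restriction of the third embodiment, where a peak-type terminal restricts the mean-type ones. Host ids and sample values are constructed, and treating a host with no interval elapsed as mean type is an assumption.

```c
/* Added example, not from the patent text: the LAN controller's dynamic
 * type judgement. Each host keeps N1 (traffic when access began) and the
 * later samples Ni; Ns = Ni - N1 is compared with +/-10% of N1. A peak-type
 * host then restricts the mean-type hosts (third embodiment). Host ids and
 * sample values are constructed. */
#include <stdio.h>
#include <stdlib.h>
#define MAX_SAMPLES 32
#define BAND_PERCENT 10   /* +/-10% of N1, as given in the text */

typedef enum { HOST_MEAN = 'A', HOST_PEAK = 'B' } host_type;
typedef struct {
    int id;
    int n[MAX_SAMPLES];   /* n[0] holds N1, n[i] holds Ni */
    int count;
} host_record;

/* Record N1: the host's traffic (kbps) when it starts network access. */
void host_start(host_record *h, int id, int n1) {
    h->id = id; h->n[0] = n1; h->count = 1;
}

/* Record Ni at the next time point and return Ns = Ni - N1. When the array
 * is full the newest sample overwrites the last slot, so N1 is always kept. */
int host_sample(host_record *h, int ni) {
    int slot = h->count < MAX_SAMPLES ? h->count++ : MAX_SAMPLES - 1;
    h->n[slot] = ni;
    return ni - h->n[0];
}

/* |Ns| > 10% of |N1| -> peak type, otherwise mean type. Cross-multiplying
 * avoids rounding the 10% band; with N1 = 0 the band is empty, so any
 * change at all makes the host peak type. */
host_type host_judge(const host_record *h) {
    if (h->count < 2) return HOST_MEAN;   /* no interval elapsed yet (assumption) */
    long n1 = h->n[0];
    long ns = h->n[h->count - 1] - n1;
    return (labs(ns) * 100 > labs(n1) * BAND_PERCENT) ? HOST_PEAK : HOST_MEAN;
}

/* Third embodiment: if any terminal is currently peak type, every mean-type
 * terminal is restricted. Fills restricted[i] with 1/0 and returns the
 * number of peak-type terminals. */
int lan_restrict(host_record **hosts, int n, int *restricted) {
    int peaks = 0;
    for (int i = 0; i < n; i++)
        if (host_judge(hosts[i]) == HOST_PEAK) peaks++;
    for (int i = 0; i < n; i++)
        restricted[i] = (peaks > 0 && host_judge(hosts[i]) == HOST_MEAN);
    return peaks;
}

int main(void) {
    host_record a, b;
    host_start(&a, 1, 100);   /* constructed: N1 = 100 kbps */
    host_start(&b, 2, 50);    /* constructed: N1 = 50 kbps */
    host_sample(&a, 150);     /* Ns = 50, outside +/-10 */
    host_sample(&b, 54);      /* Ns = 4, inside +/-5 */
    host_record *hosts[] = {&a, &b};
    int restricted[2];
    int peaks = lan_restrict(hosts, 2, restricted);
    printf("peak hosts: %d, host 2 restricted: %d\n", peaks, restricted[1]);
    return 0;
}
```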
A second embodiment provided by the invention is a device for implementing network speed limiting, whose structure, shown in Fig. 3, comprises:
Monitoring module 201: used to monitor the network access request packets of network application processes;
Control module 202: used to restrict mean-type network application processes from making network connections when a network access request packet of a peak-type network application process is detected, where the variation range of the network traffic of the peak-type network application process is not within the set threshold range and the variation range of the network traffic of the mean-type network application process is within the set threshold range.
Further, control module 202 is also used to release the restriction on the network connections of the mean-type network application processes after the access of the peak-type network application process finishes or after its network access has continued for a predetermined time.
Further, monitoring module 201 is also used to monitor, by means of the firewall, the network packets carrying the network access requests of peak-type network application processes;
Control module 202 is also used to intercept, by means of the firewall, the network packets carrying the network access requests of mean-type network application processes.
Further, control module 202 is also used to perform network packet interception in kernel mode so as to restrict mean-type network application processes from making network connections.
A third embodiment provided by the invention is a device for implementing network speed limiting, whose structure, shown in Fig. 4, comprises:
Traffic monitoring module 203: used to monitor the network traffic variation range of each terminal;
Traffic control module 204: used to restrict a second terminal from making network connections when the network traffic variation range detected for a first terminal is not within the set threshold range, where the network traffic variation range of the second terminal is within the set threshold range.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.