CN102195816B - Method and equipment for feeding back unidentified flow information - Google Patents
Method and equipment for feeding back unidentified flow information
- Publication number
- CN102195816B (application CN201110135090.1A)
- Authority
- CN
- China
- Prior art keywords
- information
- packet
- flow
- fluidic device
- unidentified
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Abstract
The invention discloses a method and a device for feeding back information about unidentified traffic. The method comprises the following steps: A, detecting an unidentified flow; B, obtaining the tuple information of a data packet in that flow; C, querying the process associated with the data packet by means of the packet's tuple information; and D, generating log information from the data packet and the associated process information. The device comprises a packet classification engine, a tuple information extraction module, a process query module and a log generation module. The packet classification engine obtains packet information from the unidentified flow; the tuple information extraction module extracts the tuple information of the packet; the process query module looks up, by the tuple information, the process to which the packet belongs; and the log generation module records the correspondence between the packet's tuple information and the process. The method is low in cost and high in processing efficiency, can be implemented as a function of flow control equipment, and can be applied to policy-based network application control.
Description
Technical field
The present invention relates to a method, and to a device, for feeding back information about unidentified traffic.
Background technology
With the rapid development of Internet technology, new applications and new versions of existing applications appear on the Internet in an endless stream. Application-layer network flow control devices lack a fast feedback mechanism for newly appearing applications and application versions they cannot identify, so support for those new applications and versions cannot be added quickly and effectively.
Summary of the invention
The object of the invention is to provide a feedback mechanism for the unidentified traffic that occurs at an application-layer network flow control device, including the traffic of unidentified new applications and of new versions of applications.
To achieve the above object, one aspect of the invention provides a method of feeding back unidentified flow information, comprising the following steps: step A, detecting an unidentified flow; step B, obtaining the tuple information of the data packet; step C, querying the process information associated with the data packet by means of the packet's tuple information; step D, generating log information from the data packet and the associated process information.
A second aspect of the invention provides a device for feeding back unidentified flow information, comprising: a packet classification engine, which obtains packet information from the unidentified flow when the application-layer network flow control device detects such a flow; a tuple information extraction module, which extracts the source IP address, source port, protocol, destination IP address and destination port of the packet; a process query module, which looks up the process to which the packet belongs using the source IP address and source port from the tuple information extracted by the tuple information extraction module; and a log generation module, which records the association between the packet's tuple information and the process.
The invention obtains all unidentified flow information at minimal disk cost, and discovers new applications or new versions of applications in time. The invention is low in cost and high in processing efficiency, can be implemented as a function of a flow control device, and can be used for policy-based network application control.
Accompanying drawing explanation
Exemplary embodiments of the invention will be understood more completely from the detailed description given below and from the accompanying drawings of the different embodiments; these should not be regarded as limiting the invention to the specific embodiments, but serve only for explanation and understanding.
Fig. 1 is a schematic diagram of the principle of the invention;
Fig. 2 is a flow chart of the method of feeding back unidentified flow information according to one embodiment of the invention;
Fig. 3 is a structural diagram of the network flow control device for feeding back unidentified flow information according to one embodiment of the invention.
Embodiment
Those of ordinary skill in the art will recognize that the following detailed description of the exemplary embodiments is illustrative only and is not intended to be limiting in any way.
Fig. 1 is a schematic diagram of the principle of the invention.
In Fig. 1, the network flow control device 2 identifies and monitors the applications running on host 1. When a packet carrying application information passes through the network flow control device 2, the device extracts the application's signature features from the packet and matches them against the signature feature library held in the device; the matching result determines whether the network flow control device 2 recognizes the application. When an application running on host 1 cannot be identified by the network flow control device 2, the device generates log information about the unidentified application and sends it over the Internet to a remote log central server, or the log central server collects the log information from the network flow control device.
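The signature matching that Fig. 1 describes, as an added example that is not code from the patent or its applicant: a constructed signature library (the patterns, application names and the `EXAPP` 6.0 signature are hypothetical) is matched against each payload of a flow, and a flow that produces no match within a fixed number of payload-bearing packets is marked unidentified. A new version of an application whose signature is not in the library, mirroring the version example given later in the description, ends up in the unidentified set that the rest of the method feeds back.

```python
"""Added example, not code from the patent: the signature matching behind Fig. 1.
Signature patterns and application names below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AppSignature:
    app_name: str
    app_version: str
    offset: int      # byte offset in the payload where the pattern must appear
    pattern: bytes


# Constructed signature feature library (hypothetical patterns, not a vendor library).
SIGNATURE_LIBRARY = (
    AppSignature("http", "1.x", 0, b"GET "),
    AppSignature("http", "1.x", 0, b"POST "),
    AppSignature("tls", "1.x", 0, b"\x16\x03"),
    AppSignature("ssh", "2.0", 0, b"SSH-2.0-"),
    AppSignature("exampleapp", "6.0", 0, b"EXAPP/6.0\r\n"),   # version 7.0 is unknown to the library
)

# How many payload-bearing packets a flow gets before it is declared unidentified.
MAX_PACKETS_PER_FLOW = 3

FlowKey = Tuple[str, int, str, str, int]   # src_ip, src_port, protocol, dst_ip, dst_port


def match_signature(payload: bytes, library=SIGNATURE_LIBRARY) -> Optional[AppSignature]:
    """Compare one payload against every signature in the library; None means no match."""
    for sig in library:
        if payload[sig.offset:sig.offset + len(sig.pattern)] == sig.pattern:
            return sig
    return None


class FlowClassifier:
    """Per-flow verdict: the identified application, or 'unidentified' after
    MAX_PACKETS_PER_FLOW payload-bearing packets without any signature match."""

    def __init__(self, library=SIGNATURE_LIBRARY):
        self.library = library
        self.verdicts: Dict[FlowKey, str] = {}
        self._misses: Dict[FlowKey, int] = {}

    def observe(self, flow_key: FlowKey, payload: bytes) -> Optional[str]:
        """Feed one packet of a flow; returns the verdict once reached, else None."""
        if flow_key in self.verdicts:
            return self.verdicts[flow_key]
        if not payload:                      # pure ACKs carry no application data
            return None
        sig = match_signature(payload, self.library)
        if sig is not None:
            self.verdicts[flow_key] = f"{sig.app_name} {sig.app_version}"
            return self.verdicts[flow_key]
        self._misses[flow_key] = self._misses.get(flow_key, 0) + 1
        if self._misses[flow_key] >= MAX_PACKETS_PER_FLOW:
            self.verdicts[flow_key] = "unidentified"
            return "unidentified"
        return None                          # still undecided

    def unidentified_flows(self) -> List[FlowKey]:
        """The flows the feedback mechanism of the patent would log."""
        return [k for k, v in self.verdicts.items() if v == "unidentified"]


if __name__ == "__main__":
    clf = FlowClassifier()
    known = ("192.168.0.1", 10000, "TCP", "121.14.88.76", 80)
    newer = ("192.168.0.1", 10001, "TCP", "121.14.88.76", 8080)
    print(clf.observe(known, b"GET / HTTP/1.1\r\n"))
    for payload in (b"EXAPP/7.0\r\n", b"", b"\x00\x01", b"\x02\x03"):
        print(clf.observe(newer, payload))
    print(clf.unidentified_flows())
```

The packet budget matters in practice: without it a flow that never matches stays undecided forever and is never fed back, while a budget of one packet misclassifies applications whose identifying bytes come after the first segment.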
Fig. 2 is a flow chart of the method of feeding back unidentified flow information according to one embodiment of the invention.
In step S201, the flow begins.
In step S202, an unidentified flow is detected: traffic appears at the application-layer network flow control device that it cannot identify, including new applications and new versions of applications.
In step S203, the tuple information of the packet in the unidentified flow is obtained, comprising the source IP address, source port, protocol, destination IP address and destination port.
In step S204, using the packet tuple information obtained, the host with the source IP address is queried for the process that owns the tuple; in particular, the process to which the packet belongs is obtained from the source port number extracted in step S203.
In step S205, log information is generated, recording the correspondence between the packet tuple information in the unidentified flow and the process to which the packet belongs.
For example, the generated log information is as follows:

Date | Packet five-tuple information | Process name |
---|---|---|
2010.01.01 | 192.168.0.1 10000 TCP 121.14.88.76 80 | Abc.exe |
2010.02.01 | 192.168.0.10 10000 UDP 121.14.33.76 80 | Bcd.exe |
..... | ..... | ...... |
In step S206, the log central server collects the log information, including the log information recorded on a plurality of distributed network flow control devices. The log information generated in step S205 is periodically sent to the log central server, or the log central server periodically collects the log information from the application-layer network flow control devices.
By sorting the logs, the log central server outputs the applications corresponding to the unidentified traffic for the application protocol developers to process.
In one example, the applications recognizable by the network flow control device include Thunder (Xunlei) version 6.0. When Thunder version 7.0 is run on a client, the network flow control device cannot identify this version 7.0. When the network flow control device cannot identify the traffic, it takes a packet from the unidentified flow it has obtained and further obtains the packet's tuple information, comprising the source IP address, source port, destination IP address, destination port and protocol type. Using the source IP address and source port number obtained, it sends a process query to the client with that source IP address to look up the process name corresponding to the source port number. It then generates a log record that associates the packet tuple information with the process to which the packet belongs. The network flow control device periodically sends the log information to the log central server, or the log central server periodically collects the log information from the application-layer network devices. Finally, the protocol developers process it.
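Steps S202 to S206 carried through in code, as an added example that is not code from the patent or its applicant. The IPv4/TCP/UDP packets, the per-host socket tables that stand in for the process query sent to the source host, the device names and the dates are all constructed for the example; the log line layout follows the table in the description, and the central server's sorting is shown as a count per process name.

```python
"""Added example, not code from the patent: steps S202 to S206 as a small pipeline.
All packets, host socket tables and dates below are constructed for the example."""
import socket
import struct
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Tuple

PROTOCOL_NUMBERS = {6: "TCP", 17: "UDP"}

# Hypothetical host-side socket table: (port, protocol) -> owning process name.
# It stands in for the process query the device sends to the source host (step S204).
HostSocketTable = Dict[Tuple[int, str], str]


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    protocol: str
    dst_ip: str
    dst_port: int

    def __str__(self) -> str:
        # Same column layout as the log table in the description
        return f"{self.src_ip} {self.src_port} {self.protocol} {self.dst_ip} {self.dst_port}"


@dataclass(frozen=True)
class LogRecord:
    day: date
    five_tuple: FiveTuple
    process_name: str

    def format_line(self) -> str:
        return f"{self.day:%Y.%m.%d} | {self.five_tuple} | {self.process_name}"


def extract_five_tuple(packet: bytes) -> FiveTuple:
    """Step S203: parse the IPv4 header and the port fields of the TCP/UDP header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                  # header length in bytes
    protocol = PROTOCOL_NUMBERS.get(packet[9])
    if protocol is None or len(packet) < ihl + 4:
        raise ValueError("unsupported transport protocol or truncated header")
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return FiveTuple(socket.inet_ntoa(packet[12:16]), src_port, protocol,
                     socket.inet_ntoa(packet[16:20]), dst_port)


def query_process(host_tables: Dict[str, HostSocketTable], ft: FiveTuple) -> str:
    """Step S204: which process on the source host owns the source port."""
    return host_tables.get(ft.src_ip, {}).get((ft.src_port, ft.protocol), "<unknown>")


def generate_log_record(packet: bytes, host_tables, day: date) -> LogRecord:
    """Step S205: one log line per packet of an unidentified flow."""
    ft = extract_five_tuple(packet)
    return LogRecord(day, ft, query_process(host_tables, ft))


def collect_and_summarize(devices: Iterable[Iterable[LogRecord]]) -> Counter:
    """Step S206: the log central server gathers records from several flow control
    devices and sorts them by process name, the starting point for protocol developers."""
    counts: Counter = Counter()
    for records in devices:
        counts.update(r.process_name for r in records)
    return counts


def build_ipv4_packet(src_ip, src_port, protocol, dst_ip, dst_port, payload=b"") -> bytes:
    """Constructed sample packet (no checksums, zeroed transport fields after the ports)."""
    proto_num = {name: num for num, name in PROTOCOL_NUMBERS.items()}[protocol]
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64,
                            proto_num, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_header + struct.pack("!HHI", src_port, dst_port, 0) + payload


def sample_devices() -> Tuple[List[LogRecord], List[LogRecord]]:
    """Records from two hypothetical devices; the third packet's host is in no table."""
    host_tables = {"192.168.0.1": {(10000, "TCP"): "Abc.exe"},
                   "192.168.0.10": {(10000, "UDP"): "Bcd.exe"}}
    device_a = [generate_log_record(
        build_ipv4_packet("192.168.0.1", 10000, "TCP", "121.14.88.76", 80),
        host_tables, date(2010, 1, 1))]
    device_b = [generate_log_record(
        build_ipv4_packet("192.168.0.10", 10000, "UDP", "121.14.33.76", 80),
        host_tables, date(2010, 2, 1)),
        generate_log_record(
        build_ipv4_packet("192.168.0.77", 4444, "TCP", "121.14.33.76", 443),
        host_tables, date(2010, 2, 1))]
    return device_a, device_b


if __name__ == "__main__":
    a, b = sample_devices()
    for record in a + b:
        print(record.format_line())
    print(collect_and_summarize([a, b]))
```

The `<unknown>` process name is deliberate: a host that answers no process query (no agent, or a port already closed by the time the query arrives) still produces a log line, so the unidentified flow is fed back even when the process correlation fails.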
Fig. 3 is a structural diagram of the flow control device for feeding back unidentified flow information according to one embodiment of the invention. 301 denotes the packet classification engine, 302 the tuple information extraction module, 303 the process query module and 304 the log generation module.
The packet classification engine 301 obtains packet information from the unidentified flow when the network flow control device fails to identify the traffic.
The tuple information extraction module 302 extracts the tuple information from the packet obtained by the packet classification engine 301, comprising the packet's source IP address, source port, protocol, destination IP address and destination port.
The process query module 303 looks up the process to which the packet belongs using the source IP address and source port from the tuple information extracted by the tuple information extraction module 302.
The log generation module 304 records the correspondence between the packet tuple information and the process, including the date, the tuple information and the name of the process to which the packet belongs.
It should be noted that this network flow control device may be an independent network device, or may be embedded as a module in a network device such as a gateway or an Internet behaviour management appliance.
Although specific embodiments of the invention have been illustrated and described, those skilled in the art will recognize that changes and modifications can be made on the basis of the teaching herein without departing from the exemplary embodiments of the invention in their broader aspects. The appended claims are therefore intended to encompass within their scope all such changes and modifications that do not depart from the true spirit and scope of the exemplary embodiments of the invention.
Claims (4)
1. A method of feeding back unidentified flow information, characterized in that it comprises the following steps:
Step A, detecting an unidentified flow;
Step B, obtaining the tuple information of the packet;
Step C, querying the process information associated with the packet by means of the packet tuple information;
Step D, generating log information from the packet and the associated process information, the log information being periodically collected by a log central server;
the log central server, by sorting the log information, outputting the applications corresponding to the unidentified flow for processing;
wherein step A, detecting an unidentified flow, specifically comprises: a network flow control device identifies and monitors the applications running on a host; when a packet carrying application information passes through the network flow control device, the network flow control device extracts the application's signature features from the packet and matches them against the signature feature library in the device, and determines from the matching result whether the application is recognized by the network flow control device.
2. The method according to claim 1, characterized in that step C comprises querying the process information associated with the packet by the source IP address and source port number in the packet tuple information.
3. The method according to claim 1, characterized in that the log information generated in step D records the association between the packet tuple information and the process to which the packet belongs.
4. A network flow control device for feeding back unidentified flow information, characterized in that it comprises:
a packet classification engine, for obtaining packet information of the flow;
a tuple information extraction module, for extracting the source IP address, source port, protocol, destination IP address and destination port of the packet;
a process query module, for looking up the process associated with the packet using the source IP address and source port from the tuple information extracted by the tuple information extraction module;
a log generation module, for recording the association between the packet tuple information and the process;
wherein the network flow control device may be an independent device, or may be embedded as a module in a network device;
a log central server, which, by sorting the logs, outputs the applications corresponding to the unidentified flow for processing;
wherein the network flow control device identifies and monitors the applications running on a host; when a packet carrying application information passes through the network flow control device, the network flow control device extracts the application's signature features from the packet and matches them against the signature feature library in the device, and determines from the matching result whether the application is recognized by the network flow control device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110135090.1A CN102195816B (en) | 2011-05-24 | 2011-05-24 | Method and equipment for feeding back unidentified flow information |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110135090.1A CN102195816B (en) | 2011-05-24 | 2011-05-24 | Method and equipment for feeding back unidentified flow information |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102195816A CN102195816A (en) | 2011-09-21 |
CN102195816B true CN102195816B (en) | 2014-08-20 |
Family
ID=44603238
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110135090.1A Active CN102195816B (en) | 2011-05-24 | 2011-05-24 | Method and equipment for feeding back unidentified flow information |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102195816B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11855967B2 (en) | 2015-12-28 | 2023-12-26 | Huawei Technologies Co., Ltd. | Method for identifying application information in network traffic, and apparatus |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2806602A4 (en) * | 2013-02-04 | 2015-03-04 | Huawei Tech Co Ltd | Feature extraction device, network traffic identification method, device and system. |
CN105812188A (en) * | 2016-04-25 | 2016-07-27 | 北京网康科技有限公司 | Traffic recognition method and device |
CN105959178B (en) * | 2016-05-31 | 2019-06-14 | 北京网康科技有限公司 | A kind of data information acquisition methods and device |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100553206C (en) * | 2007-12-14 | 2009-10-21 | 北京交通大学 | Internet, applications method for recognizing flux based on packet sampling and application signature |
CN101505276B (en) * | 2009-03-23 | 2011-06-01 | 杭州华三通信技术有限公司 | Network application flow recognition method and apparatus and network application flow management apparatus |
CN101547207A (en) * | 2009-05-07 | 2009-09-30 | 杭州迪普科技有限公司 | Protocol identification control method and equipment based on application behavior mode |
CN101635720B (en) * | 2009-08-31 | 2012-09-05 | 杭州华三通信技术有限公司 | Filtering method of unknown flow rate and bandwidth management equipment |
CN101826991A (en) * | 2010-02-04 | 2010-09-08 | 蓝盾信息安全技术股份有限公司 | Method and system for identifying illegal data packet |
CN101909077A (en) * | 2010-07-09 | 2010-12-08 | 北京邮电大学 | Method and device for identifying peer-to-peer services and access network |
- 2011-05-24 CN CN201110135090.1A patent/CN102195816B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN102195816A (en) | 2011-09-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |