CN102497371A - Sampling equipment based on quintuple and load contents - Google Patents
- Publication number: CN102497371A
- Application number: CN2011104135644A (also written CN201110413564A)
- Authority: CN (China)
- Prior art keywords: sampling device, sampling, filtering module, module, application layer
- Legal status: Pending (Google Patents notes this status is an assumption, not a legal conclusion)
Abstract
The invention provides sampling equipment based on a five-tuple (quintuple) and payload (load) content. The sampling equipment comprises a data packet receiving module, a sampling module, an application-layer protocol filtering module and a five-tuple filtering module, wherein the data packet receiving module is connected to the sampling module, the sampling module is connected to the five-tuple filtering module, and the five-tuple filtering module is connected to the application-layer protocol filtering module. Compared with the prior art, the sampling equipment has the following advantages: 1) network traffic is sampled at a configured ratio; 2) the five-tuple and application-layer protocol packets are uploaded to a host for analysis; 3) the load on the central processing unit (CPU) is reduced and the bandwidth over which traffic statistics can be gathered is increased; and 4) analysis is focused on the characteristic traffic of interest.
Description
Technical field
The invention belongs to the field of network security and specifically relates to a sampling device based on a five-tuple and payload content.
Background technology
With the rapid development of the Internet and the continuous growth of network scale, online applications are becoming increasingly complex and attacks on the network are increasing, so network equipment needs the ability to monitor how network traffic is distributed. Current network equipment can provide packet statistics, but these only give a rough picture of the traffic passing through the device; they cannot describe the traffic distribution in detail, for example which source IP address contributes the most packets or which application-layer protocol accounts for the largest share of the traffic through the device, and exactly this information is needed to identify the source of a network attack.
Patent No. CN200780023942.X, titled "Techniques for managing an electronic program guide", discloses techniques for managing an electronic program guide. An apparatus may include a display that shows an electronic program guide containing a dynamically scalable grid, and a media processing device coupled to the display. The media processing device may include a processor and an electronic program guide management module executed by that processor, which manages the dynamically scalable grid on the display. The grid may include content cells that host items and display a first set of associated metadata; when an item is selected, its cell expands to show a second set of associated metadata. Other embodiments are also described and claimed.
Patent No. CN201010130309.4, titled "Sampling device and method", discloses a sampling device comprising: a sampled-signal input for receiving the signal to be sampled; a sampling-clock input for receiving a sampling clock; a plurality of sampling units, each with a first input for the signal to be sampled, a second input for its own sampling clock and an output for the sampled data; a phase-shifting unit that phase-shifts the sampling clock and feeds the phase-shifted clocks to the second inputs of the respective sampling units; and an aggregation unit that combines the outputs of the sampling units into the final sampled data. A corresponding sampling method is also provided. The invention achieves a high sampling rate from a lower-frequency sampling clock without raising the clock frequency.
Analysing every packet of the network traffic consumes a large amount of CPU resources, and the bandwidth over which statistics can be gathered is correspondingly small. To learn the traffic distribution in detail while reducing the CPU load and increasing the bandwidth covered by the statistics, the present invention samples the data stream and uploads only the five-tuples and application-layer protocol traffic of interest to the host for analysis.
To learn the traffic distribution in detail, many flow-statistics techniques have appeared. They typically count the packets and bytes of a flow over a period of time, keyed by the five-tuple (source IP, destination IP, source port, destination port, protocol type). Sampling every packet of every flow, however, consumes a large amount of CPU resources, and because the bandwidth available for statistics is limited, fewer flows can be counted at the same time. To reduce the CPU load and to cover a wider range of traffic in the statistics, sampling is therefore generally applied to the data stream; this effectively reduces the amount of data that has to be counted while still giving an accurate picture of the traffic distribution. Existing sampling techniques simply collect network packets at a fixed interval; a more targeted analysis of the traffic would, for example, sample only a particular IP address, a particular port or a particular application-layer protocol.

To relieve the CPU and increase the statistics bandwidth, many sampling techniques have appeared, but they generally extract packets from the traffic at some sampling ratio without regard to the specific five-tuple or application-layer protocol, so the analysis cannot be targeted.
Summary of the invention
The present invention overcomes the deficiencies of the prior art and is implemented in hardware.
The invention provides a sampling device based on a five-tuple and payload content, comprising a packet receiving module, a sampling module, an application-layer protocol filtering module and a five-tuple filtering module connected in sequence.
In the sampling device based on a five-tuple and payload content provided by the invention, the packet receiving module accepts the network traffic.
In the sampling device provided by the invention, the sampling module receives the packets forwarded by the packet receiving module and samples them.
In the sampling device provided by the invention, the sampling module comprises a packet counter that counts packets.
In the sampling device provided by the invention, the period of the packet counter equals the sampling interval.
In the sampling device provided by the invention, the sampling module uploads a packet to the five-tuple filtering module, and at the same time the packet counter is taken modulo the sampling interval.
In the sampling device provided by the invention, the sampling ratio of the sampling module is 50%.
In the sampling device provided by the invention, the five-tuple filtering module uses a CAM-based parallel lookup in which all rules are searched in parallel, and uploads packets that hit a rule to the application-layer protocol filtering module.
In the sampling device provided by the invention, the application-layer protocol filtering module combines hardware and software: software compiles regular expressions into a DFA table that is stored in device memory, the application-layer protocol module performs table lookups against it, and if a feature matches, the packet is uploaded.
Compared with the prior art, the beneficial effects of the invention are:
1) network traffic is sampled at a configured ratio;
2) five-tuples and application-layer protocol packets are uploaded to the host for analysis;
3) the CPU load is reduced and the bandwidth of the network traffic statistics is increased;
4) analysis is focused on the characteristic traffic of interest.
Description of drawings
Fig. 1 is a structural diagram of the invention;
Fig. 2 is a diagram of the sampling interval of the invention;
Fig. 3 is a diagram of the sampling structure of the invention.
Embodiment
The invention is implemented in hardware and comprises a packet receiving module, a sampling module, a five-tuple filter and an application-layer protocol analysis module. As shown in Fig. 1, the sampling device comprises a packet receiving module, a sampling module, an application-layer protocol filtering module and a five-tuple filtering module connected in sequence; the data path, as the abstract states, runs from the receiving module through the sampling module to the five-tuple filtering module and then to the application-layer protocol filtering module.
Referring to Fig. 2, the sampling module receives packets and counts them. When the count equals the sampling interval (which the host can configure dynamically), the packet is uploaded to the five-tuple filtering module and the packet counter is taken modulo the sampling interval. In the figure the sampling ratio is 50%, and the black boxes are the packets that are sampled.
The five-tuple filtering module uses a CAM-based parallel lookup in which all rules are searched in parallel; packets that hit a rule are uploaded to the application-layer protocol filtering module. The application-layer protocol filtering module combines hardware and software: software compiles regular expressions into a DFA table that is stored in device memory, the application-layer protocol module performs table lookups against it, and if a feature matches, the packet is uploaded, as shown in Fig. 3. Through these modules, sampling of the network traffic by the five-tuples and application-layer protocols of interest is accomplished.
The invention samples the network traffic at a configured ratio, uploads the five-tuples and application-layer protocol packets to the host for analysis, reduces the CPU load, increases the bandwidth of the network traffic statistics, and focuses the analysis on the characteristic traffic of interest.
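The pipeline described in the summary above and in this embodiment (count-based 1-in-N sampling, a parallel five-tuple rule search standing in for the CAM, and per-byte DFA table lookups over the payload), as an added software model written for this page; it is not code from the patent or its applicant. The packets, the single rule and the `GET ` signature are constructed; the DFA is built for a literal byte signature (the regex `.*GET .*`) using the KMP string-matching automaton rather than a general regex compiler, which the patent leaves to host software. The host-side flow statistics at the end are also an addition, showing how sampled counts must be scaled by the interval.

```python
"""Software model of the sampling device in CN102497371A (example code for this
page, not the patent's implementation): receive -> 1-in-N sample -> five-tuple
rule match -> payload DFA -> upload to host."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int                     # IP protocol number: 6 = TCP, 17 = UDP
    payload: bytes

    def five_tuple(self) -> Tuple:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


class CounterSampler:
    """Sampling module: a packet counter compared with the host-configured interval N.
    The N-th packet passes and the counter is reduced modulo N; N = 2 is Fig. 2's 50%.
    The pattern is strictly periodic, so a sender controlling its own packet spacing
    can influence which of its packets are picked (random sampling avoids this)."""

    def __init__(self, interval: int):
        if interval < 1:
            raise ValueError("sampling interval must be >= 1")
        self.interval = interval
        self.count = 0

    def sample(self) -> bool:
        self.count += 1
        if self.count == self.interval:
            self.count %= self.interval        # the modulo step from the patent
            return True
        return False


@dataclass(frozen=True)
class Rule:
    """One CAM entry; None is a don't-care (masked) field."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        wanted = (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)
        return all(w is None or w == g for w, g in zip(wanted, pkt.five_tuple()))


def five_tuple_lookup(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Models the parallel CAM search: all rules are compared against the packet in one
    step and the lowest-indexed hit wins (highest-priority entry); None if no hit."""
    return next((i for i, r in enumerate(rules) if r.matches(pkt)), None)


def compile_signature(sig: bytes) -> List[List[int]]:
    """DFA transition table, table[state][byte] -> state, accepting any payload that
    contains `sig` (the regex .*sig.*).  This is the KMP string-matching automaton; a
    regex-to-DFA compiler yields the same kind of table that hardware keeps in memory."""
    if not sig:
        raise ValueError("empty signature")
    m = len(sig)
    table = [[0] * 256 for _ in range(m + 1)]
    table[0][sig[0]] = 1
    restart = 0                                # state to fall back to on a mismatch
    for j in range(1, m):
        table[j] = table[restart][:]           # on mismatch behave like the restart state
        table[j][sig[j]] = j + 1               # on match advance one state
        restart = table[restart][sig[j]]
    table[m] = [m] * 256                       # accepting state is absorbing
    return table


def dfa_scan(table: List[List[int]], payload: bytes) -> bool:
    """One table lookup per payload byte, as the hardware module does."""
    accept, state = len(table) - 1, 0
    for b in payload:
        state = table[state][b]
        if state == accept:
            return True
    return False


class SamplingDevice:
    def __init__(self, interval: int, rules: List[Rule], signature: bytes):
        self.sampler = CounterSampler(interval)
        self.rules = rules
        self.dfa = compile_signature(signature)
        self.uploaded: List[Packet] = []

    def receive(self, pkt: Packet) -> str:
        if not self.sampler.sample():
            return "not-sampled"
        if five_tuple_lookup(self.rules, pkt) is None:
            return "no-rule"
        if not dfa_scan(self.dfa, pkt.payload):
            return "no-signature"
        self.uploaded.append(pkt)
        return "uploaded"

    def host_flow_stats(self) -> Dict[Tuple, Tuple[int, int]]:
        """Host side: per-five-tuple (sampled packets, estimated total packets).
        A 1-in-N sampler sees roughly 1/N of a flow, so totals are sampled * N."""
        seen = Counter(p.five_tuple() for p in self.uploaded)
        return {k: (n, n * self.sampler.interval) for k, n in seen.items()}


def run_demo() -> Tuple[SamplingDevice, Dict[str, int]]:
    """Constructed traffic (not a capture): eight packets, 50% sampling, one rule for
    TCP to port 80, signature 'GET '.  Packets 2, 4, 6, 8 are the sampled ones."""
    def http(src: str, body: bytes) -> Packet:
        return Packet(src, "192.0.2.10", 40000, 80, 6, body)
    packets = [
        http("10.0.0.1", b"GET / HTTP/1.1\r\n"),                           # not sampled
        http("10.0.0.2", b"GET /admin HTTP/1.1\r\n"),                      # uploaded
        Packet("10.0.0.3", "192.0.2.11", 5353, 53, 17, b"\x12\x34"),       # not sampled
        Packet("10.0.0.4", "192.0.2.10", 40004, 443, 6, b"\x16\x03\x01"),  # no rule
        http("10.0.0.5", b"POST /login HTTP/1.1\r\n"),                     # not sampled
        http("10.0.0.6", b"POST /login HTTP/1.1\r\n"),                     # no signature
        http("10.0.0.7", b"GET /search?q=x HTTP/1.1\r\n"),                 # not sampled
        http("10.0.0.2", b"GET /search?q=x HTTP/1.1\r\n"),                 # uploaded
    ]
    dev = SamplingDevice(2, [Rule(dst_port=80, proto=6)], b"GET ")
    return dev, dict(Counter(dev.receive(p) for p in packets))


if __name__ == "__main__":
    device, outcome = run_demo()
    print(outcome, device.host_flow_stats())
```

Two limitations of the design are visible in the model. The DFA runs over one packet at a time, and because the sampler sits in front of the filters the device never sees a whole flow, so a signature split across packets, or one whose bytes fall in a non-sampled packet, is never matched; a host that needs flow-level inspection must collect the unsampled flow itself. And since only 1/N of the packets reach the host, the host's counters are estimates that have to be multiplied by the interval, as `host_flow_stats` does.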
The above embodiment only illustrates the technical solution of the invention and does not limit it. Although the invention has been described in detail with reference to the foregoing embodiment, those of ordinary skill in the art should understand that the specific embodiments of the invention may still be modified or equivalently replaced, and any modification or equivalent replacement that does not depart from the spirit and scope of the invention is to be covered by the claims of the invention.
Claims (9)
1. A sampling device based on a five-tuple and payload content, characterized in that it comprises a packet receiving module, a sampling module, an application-layer protocol filtering module and a five-tuple filtering module connected in sequence.
2. The sampling device according to claim 1, characterized in that the packet receiving module accepts network traffic.
3. The sampling device according to claims 1-2, characterized in that the sampling module receives the packets forwarded by the packet receiving module and samples them.
4. The sampling device according to claims 1-3, characterized in that the sampling module comprises a packet counter that counts packets.
5. The sampling device according to claims 1-4, characterized in that the period of the packet counter equals the sampling interval.
6. The sampling device according to claims 1-5, characterized in that the sampling module uploads a packet to the five-tuple filtering module, and at the same time the packet counter is taken modulo the sampling interval.
7. The sampling device according to claims 1-6, characterized in that the sampling ratio of the sampling module is 50%.
8. The sampling device according to claims 1-7, characterized in that the five-tuple filtering module uses a CAM-based parallel lookup in which all rules are searched in parallel, and uploads packets that hit a rule to the application-layer protocol filtering module.
9. The sampling device according to claims 1-8, characterized in that the application-layer protocol filtering module combines hardware and software: software compiles regular expressions into a DFA table that is stored in device memory, the application-layer protocol module performs table lookups against it, and if a feature matches, the packet is uploaded.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2011104135644A CN102497371A (en) | 2011-12-13 | 2011-12-13 | Sampling equipment based on quintuple and load contents |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2011104135644A CN102497371A (en) | 2011-12-13 | 2011-12-13 | Sampling equipment based on quintuple and load contents |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102497371A true CN102497371A (en) | 2012-06-13 |
Family
ID=46189156
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2011104135644A Pending CN102497371A (en) | 2011-12-13 | 2011-12-13 | Sampling equipment based on quintuple and load contents |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102497371A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1822567A (en) * | 2005-12-23 | 2006-08-23 | 清华大学 | Multi-domain net packet classifying method based on network flow |
CN1913528A (en) * | 2006-08-25 | 2007-02-14 | 清华大学 | P2P data message detection method based on character code |
CN101052046A (en) * | 2007-05-22 | 2007-10-10 | 网御神州科技(北京)有限公司 | Anti-virus method and device for fire-proof wall |
CN101753456A (en) * | 2009-12-25 | 2010-06-23 | 苏州大学 | Method and system for detecting flow of peer-to-peer network |
2011
- 2011-12-13: application CN2011104135644A filed in China (published as CN102497371A), status Pending
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107277073A (en) * | 2017-08-16 | 2017-10-20 | 北京新网数码信息技术有限公司 | A kind of method for monitoring network and device |
CN110191109A (en) * | 2019-05-17 | 2019-08-30 | 杭州迪普信息技术有限公司 | A kind of packet sampling method and device |
CN110191109B (en) * | 2019-05-17 | 2021-11-02 | 杭州迪普信息技术有限公司 | Message sampling method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11115297B2 (en) | Highly probable identification of related messages using sparse hash function sets | |
CN103281252B (en) | Message flow control method and device based on multi-path transmission | |
CN103870297B (en) | The performance data collection system and method for virtual machine in cloud computing environment | |
CN101335686B (en) | Method for carrying out data flow analysis and management on network appliance | |
CN106101015A (en) | A kind of mobile Internet traffic classes labeling method and system | |
Yang et al. | Sketchint: Empowering int with towersketch for per-flow per-switch measurement | |
CN106972985B (en) | Method for accelerating data processing and forwarding of DPI (deep packet inspection) equipment and DPI equipment | |
CN101795230A (en) | Network flow recovery method | |
CN102035698A (en) | HTTP tunnel detection method based on decision tree classification algorithm | |
CN102611626B (en) | System and method for analyzing network flow | |
CN103414608B (en) | Rapid web flow collection statistical system and method | |
CN102904730A (en) | Intelligent acceleration network card capable of filtering and picking traffic according to protocol, port and IP address | |
CN104394149B (en) | A kind of method of the Complex event processing based on parallel distributed framework | |
CN101753639B (en) | Service role recognition method based on flow communication mode | |
CN101741608A (en) | Traffic characteristic-based P2P application identification system and method | |
CN206962832U (en) | Network data auditing system based on FPGA high-performance capture cards | |
CN102497371A (en) | Sampling equipment based on quintuple and load contents | |
CN105516016A (en) | Flow-based data packet filtering system and data packet filtering method by using Tilera multi-core accelerator card | |
Takano et al. | SF-TAP: Scalable and Flexible Traffic Analysis Platform Running on Commodity Hardware |
Lukashin et al. | Distributed packet trace processing method for information security analysis | |
Liu et al. | Next generation internet traffic monitoring system based on netflow | |
CN102664773A (en) | Method and device for detecting network flow | |
Liu et al. | Programmable per-packet network telemetry: From wire to kafka at scale | |
Roquero et al. | High-speed TCP flow record extraction using GPUs | |
CN114826775B (en) | Method, device, system, equipment and medium for generating filtering rule of data packet |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 2012-06-13