CN102546392A - System and method used for sampling network messages and based on transmission control protocol (tcp) connection - Google Patents


Info

Publication number
CN102546392A
Authority
CN
China
Prior art keywords
tcp
message
sampling
judge module
management table
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011103836952A
Other languages
Chinese (zh)
Other versions
CN102546392B (en
Inventor
刘朝辉
纪奎
姬乃军
白宗元
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Dawning Information Industry Beijing Co Ltd
Dawning Information Industry Co Ltd
Original Assignee
Dawning Information Industry Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Dawning Information Industry Beijing Co Ltd filed Critical Dawning Information Industry Beijing Co Ltd
Priority to CN201110383695.2A priority Critical patent/CN102546392B/en
Publication of CN102546392A publication Critical patent/CN102546392A/en
Application granted granted Critical
Publication of CN102546392B publication Critical patent/CN102546392B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a system used for sampling network messages and based on transmission control protocol (tcp) connection, which comprises a tcp message judging module, a tcp identification judging module, a sampling proportion judging module, a tcp searching module connected with the tcp identification judging module and a tcp connection management table respectively connected with the tcp searching module and the sampling proportion judging module. The invention further provides a method used for sampling network messages and based on the tcp connection. The tcp connection management table is built in the message sampling system and used for managing processes of building, transmitting and closing the tcp connection. The system and the method used for sampling network messages and based on the tcp connection can sample messages continuously and improve effectiveness of sampled data.

Description

A network message sampling system and method based on TCP connections
Technical field
The invention belongs to the field of network data processing, and specifically relates to a network message sampling system and method based on TCP connections.
Background art
Current network data processing systems need to receive and process the messages on the network. When network traffic is very heavy, message sampling is generally used to reduce system load: the system does not receive all messages, but extracts a certain number of messages from all of them for analysis.
Message sampling is usually performed per message: messages are counted and sampled randomly at a given sampling ratio for analysis, for example by extracting one message out of every 10. In practice, however, much network data analysis is directed not at single messages but at TCP connections.
The invention with patent No. ZL200910073048.4, titled "An adaptive network traffic sampling method for anomaly detection", discloses an adaptive network traffic sampling method that samples transmitted data messages by counting messages. Sampling messages in this way, however, tends to lose some of the messages in a TCP connection, so the data of the TCP connection is incomplete and the sampled data is of limited validity when it is analyzed.
Summary of the invention
The object of the invention is to provide a network message sampling system and method based on TCP connections that can capture messages continuously and improve the validity of the sampled data.
To achieve the above object, the invention provides a network message sampling system based on TCP connections. The message sampling system comprises a TCP message judging module, a TCP flag judging module and a sampling ratio judging module, and is characterized by a TCP lookup module connected to the TCP flag judging module, and a TCP connection management table connected to the TCP lookup module and to the sampling ratio judging module respectively. The TCP message judging module, the TCP flag judging module and the sampling ratio judging module are connected in sequence.
In a preferred technical solution provided by the invention, each entry in the TCP connection management table is a four-tuple structure that identifies a TCP connection.
In a second preferred technical solution provided by the invention, the TCP message judging module determines whether an input message is a TCP message, and thereby decides whether to sample the message randomly at the sampling ratio and continue with the next incoming message, or to pass the message to the TCP flag judging module.
In a third preferred technical solution provided by the invention, the TCP flag judging module examines the TCP flags of the message, and thereby decides whether to pass the message to the sampling ratio judging module or to the TCP lookup module.
In a fourth preferred technical solution provided by the invention, the sampling ratio judging module determines whether the volume of data currently sampled has reached the system's preset sampling ratio, and thereby decides whether to discard the received message and continue with the next incoming message, or to sample the received message, extract its four-tuple structure and pass it to the TCP connection management table.
In a fifth preferred technical solution provided by the invention, the four-tuple structure comprises the source IP, destination IP, source port and destination port.
In a sixth preferred technical solution provided by the invention, after receiving a TCP message sent by the TCP flag judging module, the TCP lookup module extracts the four-tuple structure of the TCP message and looks up whether the TCP connection management table contains an entry identical to the extracted four-tuple.
In a seventh preferred technical solution provided by the invention, a network message sampling method based on TCP connections is provided, improved in that the method comprises the following steps:
(1) establish a TCP connection management table in the message sampling system;
(2) determine the type of the incoming message; if it is a TCP message, check the TCP flags of the message; otherwise sample it randomly at the sampling ratio and then continue with the next incoming message;
(3) examine the TCP flags of the message: if the TCP message belongs to a new TCP connection, go to step (4); if it is a data message of an established TCP connection, go to step (5); if it is a closing message of a TCP connection, go to step (6);
(4) determine whether the volume of data currently sampled has reached the system's preset sampling ratio; if it has, discard the received message and continue with the next incoming message; otherwise sample the received message, extract its four-tuple structure and insert it into the TCP connection management table;
(5) extract the four-tuple structure of the TCP message and look up whether the TCP connection management table contains an identical entry; if one is found, sample the TCP message; otherwise discard the TCP message and continue with the next incoming message;
(6) extract the four-tuple structure of the TCP message and look up whether the TCP connection management table contains an identical entry; if one is found, sample the TCP message and delete the TCP connection from the TCP connection management table; otherwise discard the TCP message and continue with the next incoming message.
Compared with the prior art, the network message sampling system and method based on TCP connections provided by the invention establish a TCP connection management table in the message sampling system to manage the establishment, transmission and closing of TCP connections, and use the table to implement message sampling based on TCP connections. When a new TCP connection is discovered and needs to be sampled, it is registered in the TCP connection management table, and all messages in the whole transmission are sampled until the connection is closed. If a newly discovered TCP connection does not need to be sampled, no entry is created for it in the TCP connection management table and all its subsequent messages are discarded. This avoids the problem of existing message sampling systems, which tend to lose some of the messages in a TCP connection when sampling per message, leaving the connection's data incomplete and the sampled data of limited validity for analysis.
Description of drawings
Fig. 1 is the structural representation of network message sampling system.
Fig. 2 is the flow chart of the network message method of sampling.
Embodiment
As shown in Fig. 1, the network message sampling system based on TCP connections comprises: a TCP message judging module, a TCP flag judging module and a sampling ratio judging module; a TCP lookup module connected to the TCP flag judging module; and a TCP connection management table connected to the TCP lookup module and to the sampling ratio judging module respectively. The TCP message judging module, the TCP flag judging module and the sampling ratio judging module are connected in sequence.
Each entry in the TCP connection management table is a four-tuple structure that identifies a TCP connection; the four-tuple structure comprises the source IP, destination IP, source port and destination port. The TCP message judging module determines whether an input message is a TCP message. If the result is "no", the message is sampled randomly at the sampling ratio and processing continues with the next incoming message; if the result is "yes", the message is passed to the TCP flag judging module. The TCP flag judging module examines the flags of the TCP message. If the TCP flags show that the TCP message belongs to a new TCP connection, the TCP message is passed to the sampling ratio judging module; if the TCP flags show that the TCP message is a data message of an established TCP connection or a closing message of a TCP connection, the TCP message is passed to the TCP lookup module. The sampling ratio judging module determines whether the volume of data currently sampled has reached the system's preset sampling ratio. If the result is "yes", the received message is discarded and processing continues with the next incoming message; if the result is "no", the received message is sampled, and its four-tuple structure is extracted and passed to the TCP connection management table. After receiving a TCP message sent by the TCP flag judging module, the TCP lookup module extracts the four-tuple structure of the TCP message and looks up whether the TCP connection management table contains an entry identical to the extracted four-tuple.
As shown in Fig. 2, the network message sampling method based on TCP connections comprises the following steps:
(1) establish a TCP connection management table in the message sampling system;
(2) determine whether the input message is a TCP message; if the result is "no", sample it randomly at the sampling ratio and then continue with the next incoming message; if the result is "yes", check the TCP flags of the message;
(3) examine the TCP flags of the message: if the result shows that the TCP message belongs to a new TCP connection, go to step (4); if the result shows that it is a data message of an established TCP connection, go to step (5); if the result shows that it is a closing message of a TCP connection, go to step (6);
(4) determine whether the volume of data currently sampled has reached the system's preset sampling ratio; if the result is "yes", discard the received message and continue with the next incoming message; if the result is "no", sample the received message, extract its four-tuple structure and insert it into the TCP connection management table;
(5) extract the four-tuple structure of the TCP message and look up whether the TCP connection management table contains an identical entry; if the lookup result is "yes", sample the TCP message; if the lookup result is "no", discard the TCP message and continue with the next incoming message;
(6) extract the four-tuple structure of the TCP message and look up whether the TCP connection management table contains an identical entry; if the lookup result is "yes", sample the TCP message and delete the TCP connection from the TCP connection management table; if the lookup result is "no", discard the TCP message and continue with the next incoming message.
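Steps (1) to (6) as a Python example, added here for illustration and not part of the patent text. The flag classification (SYN without ACK opens a connection, FIN or RST closes it), the direction-independent table key, the admitted/seen quota used for step (4) and all names are assumptions; the trace is constructed.

```python
import random
from dataclasses import dataclass

SYN, ACK, FIN, RST, PSH = "SYN", "ACK", "FIN", "RST", "PSH"

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()

def conn_key(p):
    # Assumption: order the endpoints so both directions share one table entry.
    a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
    return (a, b) if a <= b else (b, a)

class ConnectionSampler:
    def __init__(self, ratio, rng=None):
        self.ratio = ratio
        self.rng = rng or random.Random()
        self.table = set()   # step (1): TCP connection management table
        self.seen = 0        # new connections observed so far
        self.admitted = 0    # new connections accepted for sampling

    def sample(self, p):
        """Return True if the message is sampled, False if it is discarded."""
        if p.proto != "tcp":                       # step (2): non-TCP message
            return self.rng.random() < self.ratio
        key = conn_key(p)
        if SYN in p.flags and ACK not in p.flags:  # step (3): new connection
            if key in self.table:                  # repeated SYN (not in the patent text)
                return True
            self.seen += 1
            # step (4), assumed quota: admit only while admitted < ratio * seen
            if self.admitted >= self.ratio * self.seen:
                return False
            self.admitted += 1
            self.table.add(key)
            return True
        if key not in self.table:                  # steps (5)/(6): lookup miss
            return False
        if FIN in p.flags or RST in p.flags:       # step (6): closing message
            self.table.discard(key)
        return True                                # message of a sampled connection

def tcp(src, sport, dst, dport, *flags):
    return Packet("tcp", src, sport, dst, dport, frozenset(flags))

def demo_trace():
    # Constructed trace: two clients open connections to one server, interleaved.
    a, b, srv = ("10.0.0.1", 40000), ("10.0.0.2", 40001), ("192.0.2.10", 443)
    return [
        tcp(*a, *srv, SYN),        # 0: connection A opens, admitted
        tcp(*b, *srv, SYN),        # 1: connection B opens, quota reached
        tcp(*srv, *a, SYN, ACK),   # 2: A, reverse direction
        tcp(*srv, *b, SYN, ACK),   # 3: B, no table entry
        tcp(*a, *srv, ACK),        # 4: A
        tcp(*b, *srv, ACK),        # 5: B
        tcp(*a, *srv, ACK, PSH),   # 6: A data
        tcp(*a, *srv, FIN, ACK),   # 7: A closes, entry deleted
        tcp(*srv, *a, FIN, ACK),   # 8: A, peer's FIN after deletion
    ]

def run(trace, ratio=0.5):
    sampler = ConnectionSampler(ratio, random.Random(0))
    return [i for i, p in enumerate(trace) if sampler.sample(p)]

if __name__ == "__main__":
    print(run(demo_trace()))
```

Message 8 of the constructed trace is discarded because step (6) deletes the table entry on the first closing message. The patent text describes no timeout, so an entry for a connection that never sends a closing message stays in the table.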
It should be stated that the content and embodiments of the invention are intended to demonstrate the practical application of the technical solution provided by the invention, and should not be construed as limiting the scope of protection of the invention. Those skilled in the art may make various modifications, equivalent replacements or improvements under the spirit and principles of the invention, and all such changes or modifications fall within the scope of protection of the pending application.

Claims (8)

1. A network message sampling system based on TCP connections, the message sampling system comprising: a TCP message judging module, a TCP flag judging module and a sampling ratio judging module; characterized by a TCP lookup module connected to the TCP flag judging module, and a TCP connection management table connected to the TCP lookup module and to the sampling ratio judging module respectively; the TCP message judging module, the TCP flag judging module and the sampling ratio judging module being connected in sequence.
2. The message sampling system according to claim 1, characterized in that each entry in the TCP connection management table is a four-tuple structure that identifies a TCP connection.
3. The message sampling system according to claim 1, characterized in that the TCP message judging module determines whether an input message is a TCP message, and thereby decides whether to sample the message randomly at the sampling ratio and continue with the next incoming message, or to pass the message to the TCP flag judging module.
4. The message sampling system according to claim 1, characterized in that the TCP flag judging module examines the TCP flags of the message, and thereby decides whether to pass the TCP message to the sampling ratio judging module or to the TCP lookup module.
5. The message sampling system according to claim 1, characterized in that the sampling ratio judging module determines whether the volume of data currently sampled has reached the system's preset sampling ratio, and thereby decides whether to discard the received message and continue with the next incoming message, or to sample the received message, extract its four-tuple structure and pass it to the TCP connection management table.
6. The message sampling system according to claim 2, characterized in that the four-tuple structure comprises the source IP, destination IP, source port and destination port.
7. The message sampling system according to claim 4, characterized in that, after receiving a TCP message sent by the TCP flag judging module, the TCP lookup module extracts the four-tuple structure of the TCP message and looks up whether the TCP connection management table contains an entry identical to the extracted four-tuple.
8. A network message sampling method based on TCP connections, using the network message sampling system based on TCP connections according to any one of claims 1-7, characterized in that the network message sampling method comprises the following steps:
(1) establish a TCP connection management table in the message sampling system;
(2) determine the type of the incoming message; if it is a TCP message, check the TCP flags of the message; otherwise sample it randomly at the sampling ratio and then continue with the next incoming message;
(3) examine the TCP flags of the message: if the TCP message belongs to a new TCP connection, go to step (4); if it is a data message of an established TCP connection, go to step (5); if it is a closing message of a TCP connection, go to step (6);
(4) determine whether the volume of data currently sampled has reached the system's preset sampling ratio; if it has, discard the received message and continue with the next incoming message; otherwise sample the received message, extract its four-tuple structure and insert it into the TCP connection management table;
(5) extract the four-tuple structure of the TCP message and look up whether the TCP connection management table contains an identical entry; if one is found, sample the TCP message; otherwise discard the TCP message and continue with the next incoming message;
(6) extract the four-tuple structure of the TCP message and look up whether the TCP connection management table contains an identical entry; if one is found, sample the TCP message and delete the TCP connection from the TCP connection management table; otherwise discard the TCP message and continue with the next incoming message.
CN201110383695.2A 2011-11-28 2011-11-28 System and method used for sampling network messages and based on transmission control protocol (tcp) connection Active CN102546392B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110383695.2A CN102546392B (en) 2011-11-28 2011-11-28 System and method used for sampling network messages and based on transmission control protocol (tcp) connection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110383695.2A CN102546392B (en) 2011-11-28 2011-11-28 System and method used for sampling network messages and based on transmission control protocol (tcp) connection

Publications (2)

Publication Number Publication Date
CN102546392A true CN102546392A (en) 2012-07-04
CN102546392B CN102546392B (en) 2014-08-27

Family

ID=46352381

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110383695.2A Active CN102546392B (en) 2011-11-28 2011-11-28 System and method used for sampling network messages and based on transmission control protocol (tcp) connection

Country Status (1)

Country Link
CN (1) CN102546392B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1897541A (en) * 2005-07-15 2007-01-17 华为技术有限公司 Method for realizing network sampling
CN102130789A (en) * 2011-04-15 2011-07-20 北京网御星云信息技术有限公司 Method, device and system for measuring and sampling streams based on application groups
CN102143085A (en) * 2011-04-27 2011-08-03 北京网御星云信息技术有限公司 Multi-dimensional network situation awareness method, equipment and system

Also Published As

Publication number Publication date
CN102546392B (en) 2014-08-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220725

Address after: 100193 No. 36 Building, No. 8 Hospital, Wangxi Road, Haidian District, Beijing

Patentee after: Dawning Information Industry (Beijing) Co.,Ltd.

Patentee after: DAWNING INFORMATION INDUSTRY Co.,Ltd.

Address before: 100084 Beijing Haidian District City Mill Street No. 64

Patentee before: Dawning Information Industry (Beijing) Co.,Ltd.