CN103023728A - Flow monitoring method - Google Patents
Flow monitoring method Download PDFInfo
- Publication number
- CN103023728A CN103023728A CN2013100146653A CN201310014665A CN103023728A CN 103023728 A CN103023728 A CN 103023728A CN 2013100146653 A CN2013100146653 A CN 2013100146653A CN 201310014665 A CN201310014665 A CN 201310014665A CN 103023728 A CN103023728 A CN 103023728A
- Authority
- CN
- China
- Prior art keywords
- list item
- stream
- stream list
- clear text
- built
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a flow monitoring method. The flow monitoring method includes the steps: a header field extracting unit analyzes each message to be processed to obtain message information of each message to be processed, and outputs the message information to a to-be-processed queue unit; a computing unit performs Hash operation for a quintuple of each message to be processed to obtain a stream ID, and outputs the stream ID to the to-be-processed queue unit for storage; the to-be-processed queue unit outputs all the stored message information and the corresponding stream IDs to a processing unit; the processing unit acquires storage addresses and storage information in storage units matched with the stream IDs, and processes according to the storage information and the message information corresponding to the IDs, so that processed stream table items of the message information including the messages to be processed are obtained; a processed queue unit outputs the stored processed stream table items and the storage addresses to a storage control unit; and the storage control unit writes the processed stream table items into the corresponding storage units.
Description
Technical field
The present invention relates to technical field of the computer network, particularly the flow monitoring method
Background technology
Along with the rapid expansion of internet scale, new emerging in an endless stream of using, cause the manageability of network and controllability worse and worse, therefore be badly in need of efficient network management and control means (guaranteeing and exception stream detection etc. such as congestion control, intrusion detection, QOS).Because flow monitoring provides the basis of network management and control means in the network equipment (such as router, fire compartment wall and network invasion monitoring device), so the flow monitoring method is becoming study hotspot.
Summary of the invention
In view of this, the object of the present invention is to provide the flow monitoring method, realize the flow monitoring to the network equipment.
For achieving the above object, the invention provides following technical scheme:
A kind of flow monitoring method, based on the flow monitoring device, described flow monitoring device comprises header field extraction unit, computing unit, pending queue unit, processing and control element (PCE), processing queue unit and storage control unit at least; Described method comprises:
Described header field extraction unit is resolved each clear text of link respectively, obtains the message information of each clear text, and exports to described pending queue unit and store; Described message information comprises five-tuple, message number, type of message, byte number and COS Tos at least; Described five-tuple comprises source IP address, source port, purpose IP address, destination interface and transport layer protocol number;
Described computing unit carries out Hash operation to the five-tuple of each clear text and obtains flowing sequence number ID, and described stream ID is exported to described pending queue unit store;
When the number of the message information of storing reached the first preset number or Preset Time, described pending queue unit exported all message informations and the corresponding stream ID that stores to described processing unit; Described the first preset number is greater than 1;
Described processing unit obtains the storage information in the memory cell that memory address and described stream ID be complementary, and processes according to described storage information and message information corresponding to described stream ID, obtains comprising the processing stream list item of the message information of clear text;
Described processing queue unit is stored described stream list item and the memory address processed, and when the described number of having processed the stream list item of storage reaches the second preset number or Preset Time, export processing stream list item and the memory address of storing to described storage control unit; Described the second preset number is greater than 1;
Described storage control unit writes corresponding memory cell with the described stream list item of having processed, and the described stream list item of having processed writes after the corresponding memory cell as built stream list item.
Preferably, described flow monitoring device also comprises the linked list maintenance unit, the linked list maintenance unit distributes N single-track link table for the memory cell that has built stream list item in advance, described N is the natural number greater than 1, each described single-track link table comprises at least one chained list node, the corresponding memory cell that stores built stream list item of each described chained list node; Described method also comprises: described linked list maintenance unit reads the built stream list item of storing in each chained list node institute corresponding stored unit in each single-track link table successively, if the built stream list item that reads is the overtime stream of inertia, then delete the built stream list item that reads.
Preferably, the memory address of the 1st chained list node of N chained list of described linked list maintenance unit storage, and except the chained list tail node of each single-track link table, the corresponding memory address of next chained list node of storage place single-track link table in the corresponding built stream list item of all the other all chained list nodes.
Preferably, described linked list maintenance unit reads the built stream list item of storing in each single-track link table node institute corresponding stored unit successively, if the built stream list item that reads is the overtime stream of inertia, then deletes the built stream list item that reads and specifically comprises:
Described linked list maintenance unit as reading target, reads the 1st the corresponding memory cell of chained list node of each single-track link table target to each successively and sends the read operation instruction, respectively reads the built stream list item that target is stored in order to read in;
After corresponding memory cell sent the read operation instruction to the 1st chained list node of N single-track link table, described linked list maintenance unit carried out timeout treatment to each built stream list item that has read in;
Described timeout treatment comprises: when the described built stream list item that has read in is the overtime stream of inertia, delete described built stream list item, and send described read operation order to the corresponding memory cell of next chained list node of the described corresponding single-track link table of built stream list item that has read in.
Preferably, describedly process according to described storage information and message information corresponding to described stream ID, the processing stream list item that obtains comprising the message information of clear text specifically comprises:
Will with described pending queue unit output respectively flow each memory cell that ID is complementary as reading object, send the read operation order to each reading object continuously successively, so that each reading object is carried out read operation according to the read operation order that receives;
Whenever read in the storage information that a reading object is stored, namely process according to the type of message in the message information of clear text and the storage information of reading in, processed the stream list item.
Preferably, described flow monitoring device comprises that also movable overtime flowmeter calculates the unit, also comprises after whenever reading in the storage information that a reading object stores:
Movable overtime flowmeter is calculated the unit and is checked whether storage information is built stream list item; If described storage information is built stream list item, then check the first time of advent of the message in the described clear text time of advent and the built stream list item, whether calculate greater than the timeout value that sets in advance movable overtime stream;
If greater than, delete described built stream list item.
Preferably, described type of message comprises SYN type, FIN type, RST type and other types;
Storage information in each reading object is specially empty or built stream list item, and described built stream list item comprises message information;
Preferably, describedly process according to the type of message in the message information of clear text and the storage information of reading in, processed the stream list item and specifically comprised:
When type of message corresponding to clear text is the SYN type, generate empty stream list item as processing the stream list item;
When type of message corresponding to clear text is FIN type, other type or RST type, the built stream list item of storing in the corresponding reading object is changed to the described stream list item of having processed;
Preferably, described the described stream list item of having processed write corresponding memory cell and specifically comprises:
To write object with processing corresponding each memory cell conduct of stream list item, send the write operation order to respectively writing object continuously successively, carry out write operation in order to respectively write object according to the write operation order that receives.
Preferably, described memory address comprises one-level memory address and secondary storage address;
The storage information that respectively writes in the object is specially empty or built stream list item, and described built stream list item comprises effective built stream list item and invalid built stream list item;
Will with process corresponding each memory cell of stream list item as writing object, send before the write operation order to respectively writing object continuously successively, described method also comprises:
When type of message corresponding to clear text is the SYN type, and, when the storage information in the corresponding reading object of described clear text is specially empty or invalid built stream list item, with described reading object as writing object;
When type of message corresponding to clear text is the SYN type, and, when the storage information in the corresponding reading object of described clear text is specially effective built stream list item, recalculate the memory address of described clear text and as the object flow ID of clear text, and exporting the message information of described clear text and the object flow ID of described clear text to pending queue unit, a certain secondary storage of the object flow ID address of described clear text is complementary;
When type of message corresponding to clear text is FIN type, RST type or other types, five-tuple in the message information of comparison clear text, whether identical with the five-tuple of the built stream list item of storing in the corresponding reading object, if identical, then with described reading object as writing object; Otherwise, recalculate the memory address of described clear text and as the object flow ID of clear text, and export the message information of described clear text and the object flow ID of described clear text to pending queue unit, described clear text a certain secondary storage of object flow ID address be complementary.
Can find out that from above-mentioned technical scheme in embodiments of the present invention, at first, the header field extraction unit is resolved respectively each clear text of link, obtains the message information of each clear text, and exports to pending queue unit and store.Secondly, computing unit carries out Hash operation to the five-tuple of each clear text, obtains flowing ID, and will flow ID and export to pending queue unit and store.And when the message information of storing when pending unit reaches the first preset number or Preset Time, export all message informations and export processing unit to corresponding stream ID.Again, processing unit obtains the storage information in memory address and the memory cell that is complementary of stream ID, then processes according to storage information and message information corresponding to stream ID, obtains comprising the processing stream list item of the message information of clear text.Processing queue is stored processing stream list item and memory address, and when the number of processing the stream list item of storage reaches the second preset number or Preset Time, processing stream list item and the memory address of storing is outputed to storage control unit.At last, storage control unit will be processed the stream list item and write corresponding memory cell, and will process the stream list item and write after the corresponding memory cell as built stream list item.Because the present invention resolves respectively each clear text, obtain each outstanding message information, and can obtain the storage information in memory address and the memory cell that is complementary of stream ID, and process according to storage information and message information corresponding to stream ID, processed the stream list item.Thereby make process stream list item comprised the message information of institute's analytic message, and will process stream list item write corresponding memory cell.By checking the processing stream list item in the memory cell, can realize flow monitoring.
Description of drawings
In order to be illustrated more clearly in the embodiment of the invention or technical scheme of the prior art, the below will do to introduce simply to the accompanying drawing of required use in embodiment or the description of the Prior Art, apparently, accompanying drawing in the following describes only is some embodiments of the present invention, for those of ordinary skills, under the prerequisite of not paying creative work, can also obtain according to these accompanying drawings other accompanying drawing.
Fig. 1 is the flow chart of the flow monitoring method that provides of the embodiment of the invention;
Fig. 2 is built stream list item provided by the invention and the storage format figure that has processed the stream list item.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the invention, the technical scheme in the embodiment of the invention is clearly and completely described, obviously, described embodiment only is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills belong to the scope of protection of the invention not making the every other embodiment that obtains under the creative work prerequisite.
The present invention based on the flow monitoring device, comprise at least header field extraction unit, computing unit, pending queue unit, processing unit, processing queue unit and storage control unit; As shown in Figure 1, flow monitoring method provided by the present invention may further comprise the steps at least:
S1: the header field extraction unit is resolved each clear text of link respectively, obtains the message information of each clear text, and exports to pending queue unit and store; Message information comprises five-tuple, message number, type of message, byte number and the COS Tos etc. of message at least; Five-tuple comprises source IP address, source port, purpose IP address, destination interface and transport layer protocol number;
Concrete, the header field extraction unit is resolved each clear text, obtains the message information of each clear text, and exports to pending queue unit and store.Wherein message information can comprise the information such as five-tuple, message number, type of message, byte number and COS Tos of institute's analytic message, and wherein five-tuple comprises source IP address, source port, purpose IP address, destination interface and the transport layer protocol number of clear text.For example, a five-tuple is 192.168.1.110000TCP121.14.88.7680, its representative be the IP address terminal that is 192.168.1.1 by port one 0000, utilize Transmission Control Protocol, with the IP address be 121.14.88.76, port is that 80 terminal connects.
S2: computing unit carries out Hash operation to the five-tuple of each clear text and obtains flowing sequence number ID, and will flow ID and export to pending queue unit and store;
S3: when the number of the message information of storing reached the first preset number or Preset Time, pending queue unit exported all message informations and the corresponding stream ID that stores to processing unit; The first preset number is greater than 1;
Concrete, can export all message informations and the corresponding stream ID that stores to processing unit by timer or the pending queue unit of counter triggers.Pre-stored the first preset number of counter, preset number be greater than 1, when the number that can work as the message information that pending queue unit stores reaches the first pre-number, by the output of the pending queue unit of counter triggers.Also but timer is set Preset Time (being pending queue unit output all message informations of storing and the time interval of flowing accordingly ID), after all message informations that pending queue unit output is stored and the time interval of flowing accordingly ID reach Preset Time, triggered the output of pending queue unit by timer.
S4: processing unit obtains the storage information in memory address and the memory cell that is complementary of stream ID, and processes according to storage information and message information corresponding to stream ID, obtains comprising the processing stream list item of the message information of clear text; Wherein, processed stream list item form as shown in Figure 2.
S5: the processing queue unit is stored processing stream list item and memory address, and when the number of processing the stream list item of storage reaches the second preset number or Preset Time, processing stream list item and memory address that output is stored; The second preset number is greater than 1;
The output procedure of the output procedure of processing queue unit and pending queue unit is similar, does not repeat them here.
S6: storage control unit will be processed the stream list item and write corresponding memory cell, process the stream list item and write after the corresponding memory cell as built stream list item.
Concrete, storage control unit can be comprised of memory and on-site programmable gate array FPGA.The processing queue unit can be exported processing stream list item and the memory address of storing successively.Memory cell corresponding to a plurality of memory addresss that FPGA exports to processing queue unit writes down order successively.
For instance, suppose to process that stream list item write storage unit is inner needs A, B, three cycles of C, processing queue exports a address is arranged and having processed stream list item a, b address and processed stream list item b and c address and processed stream list item c of storage control unit to.At this moment, FPGA can be successively writes order under the memory cell corresponding with the c address of a address, b address.FPGA can assign first and write order, flow the order that writes that list item a writes a address with processing, need A, B, three cycles of C owing to carry out write operation, arrive B during the cycle so can write command execution at first, FPGA can assign second and write order, flow the order that writes that list item b writes the b address with processing, and can write command execution to the C cycle at first, second writes command execution and arrives B during the cycle, FPGA can assign the 3rd and write order, flows the order that writes that list item c writes the c address with processing.Like this, memory is almost constantly all processed the stream list item writing within a certain period of time, and needn't wait write process this operation of stream list item a and finish after, write again and processed stream list item b, wait for that having processed stream list item b writes this operation and finish after, write again and processed stream list item c.Like this, will greatly improve built stream list item and write the efficient of storage control unit.
Therefore in embodiments of the present invention, at first, the header field extraction unit is resolved respectively each clear text of link, obtains the message information of each clear text, and exports to pending queue unit and store.Secondly, computing unit carries out Hash operation to the five-tuple of each clear text, obtains flowing ID, and will flow ID and export to pending queue unit and store.And when the message information of storing when pending unit reaches the first preset number or Preset Time, export all message informations and export processing unit to corresponding stream ID.Again, processing unit obtains the storage information in memory address and the memory cell that is complementary of stream ID, then processes according to storage information and message information corresponding to stream ID, obtains comprising the processing stream list item of the message information of clear text.Processing queue is stored processing stream list item and memory address, and when the number of processing the stream list item of storage reaches the second preset number or Preset Time, processing stream list item and the memory address of storing is outputed to storage control unit.At last, storage control unit will be processed the stream list item and write corresponding memory cell, and will process the stream list item and write after the corresponding memory cell as built stream list item.Because the present invention resolves respectively each clear text, obtain each outstanding message information, and can obtain the storage information in memory address and the memory cell that is complementary of stream ID, and process according to storage information and message information corresponding to stream ID, processed the stream list item.Thereby make process stream list item comprised the message information of institute's analytic message, and will process stream list item write corresponding memory cell.By checking the processing stream list item in the memory cell, can realize flow monitoring.
In other embodiment of the present invention, flow monitoring device among above-mentioned all embodiment also comprises the linked list maintenance unit, the linked list maintenance unit distributes N single-track link table for the memory cell that has built stream list item in advance, wherein N is the natural number greater than 1, each single-track link table comprises at least one chained list node, the corresponding memory cell that stores built stream list item of each chained list node; Said method also comprises: the linked list maintenance unit reads the built stream list item of storing in each chained list node institute corresponding stored unit in each single-track link table successively, if the built stream list item that reads is the overtime stream of inertia, then deletes the built stream list item that reads.
The overtime stream of so-called inertia refers to that a long-time not new bag of stream arrives, and the time that arrives apart from last bag surpasses certain threshold value, needs the overtime stream of deletion inertia.For the different network of the setting of threshold value different demands is arranged.Wherein, the corresponding stream of the built stream list item that memory cell is stored, memory cell is stored the form of built stream list item still can be referring to Fig. 2; Concrete, after reading built stream list item, check the time of advent of last bag that records in the built stream list item, and check whether surpass threshold value, if surpass, then be the overtime stream of inertia, and with the overtime stream deletion of inertia.More specifically, as shown in Figure 2, with the Live position of the corresponding built stream list item of the overtime stream of inertia in 0, can be with the overtime stream deletion of inertia.
In other embodiment of the present invention, the memory address of the 1st chained list node of N the chained list of linked list maintenance unit storage among above-mentioned all embodiment, and except the chained list tail node of each single-track link table, the corresponding memory address of next chained list node of storage place single-track link table in the corresponding built stream list item of all the other all chained list nodes.Still please refer to Fig. 2, the next hop address in the built stream list item namely except chained list node, the corresponding memory address of next chained list node of the chained list node place single-track link table that all the other are all.Next hop address memory contents in the built stream list item of storing in the chained list tail node corresponding stored unit of each single-track link table is for empty.
Concrete, the linked list maintenance unit distributes N single-track link table for the memory cell that has built stream list item in advance.For instance, memory address is that the memory cell of 1-9 all stores built stream list item, can distribute 3 single-track link tables for 1-9, and single-track link table 1 can be 1 → 3 → 5 → 2, and single-track link table 2 can be 4 → 6 → 9, and single-track link table 3 can be 7 → 8.This moment, the chained list node of single-track link table 1 can comprise chained list node 1, chained list node 3, chained list node 5 and chained list node 2; The chained list node of single-track link table 2 can comprise chained list node 4, chained list node 6 and chained list node 9; The chained list node of single-track link table 3 can comprise chained list node 7 and chained list node 8.Chained list node 1 corresponding memory address is that the next hop address of storing in the built stream table in 1 the memory cell is address 3.The chained list tail node in each single-track link table, the next hop address of storing in the corresponding built stream table of all the other chained list nodes the like, do not repeat them here.Chained list node 8 is the chained list tail node of the chained list node of place single-track link table in chained list node 2, the chained list node 9 in the single-track link table 2 and the single-track link table 3 in the while single-track link table 1, and the memory contents of the next hop address in chained list node 2, chained list node 9 and the chained list node 8 corresponding built stream tables is empty.
The memory address that the corresponding built stream list item of first chained list node of each single-track link table is preserved in its linked list maintenance unit gets final product.Still continue to use above-mentioned example, when having new flowing to reach need to upgrade chained list, can new stream the memory address of corresponding built stream list item join in the chained list of lacking, at this moment, the memory address of new built stream list item can be joined in the chained list 3.Concrete, the memory address 7 of the chained list 3 that the linked list maintenance unit is preserved changes to the memory address of the corresponding built stream list item of new stream, and the next hop address that will newly flow simultaneously in the corresponding built stream list item changes to memory address 7.
In other embodiment of the present invention, linked list maintenance unit among above-mentioned all embodiment reads the built stream list item of storing in each single-track link table node institute corresponding stored unit successively, if the built stream list item that reads is the overtime stream of inertia, then deletes the built stream list item that reads and specifically comprise:
The linked list maintenance unit as reading target, reads the 1st the corresponding memory cell of chained list node of each single-track link table target to each successively and sends the read operation instruction, respectively reads the built stream list item that target is stored in order to read in;
After corresponding memory cell sent the read operation instruction to the 1st chained list node of N single-track link table, the linked list maintenance unit carried out timeout treatment to each built stream list item that has read in;
Above-mentioned timeout treatment comprises: when the built stream list item that has read in is the overtime stream of inertia, delete above-mentioned built stream list item, and send described read operation order to the corresponding memory cell of next chained list node of the corresponding single-track link table of built stream list item that has read in.
Length triggering by pending formation interrupts carrying out the linked list maintenance unit, still continue to use above-mentioned example, the linked list maintenance unit can be memory address 1 corresponding memory cell with the 1st node of chained list 1, the 1st node of chained list 2 is memory address 4 corresponding memory cell, the 1st node of chained list 3 is the corresponding memory cell of memory address 7 as reading target, FPGA can be successively memory address 1 corresponding memory cell in the chained list 1, the memory address 4 corresponding memory cell of chained list 2 and the memory address 7 corresponding memory cell of chained list 3 send read command successively.Same hypothesis is read the built stream list item that memory cell stores and is needed A, B, three cycles of C to finishing from sending read command.
FPGA can assign first first sense command, and the built stream list item that the memory address 1 of chained list 1 is stored is read.Need A, B, three cycles of C owing to carry out this write operation, so can carry out B during the cycle in first sense command, FPGA can assign second sense command, and the memory address 4 of chained list 2 is read.And can carry out the C cycle in first sense command, and second sense command carried out B during the cycle, and FPGA can assign the 3rd sense command, and the memory address 7 of chained list 3 is read.Then after the memory address 7 of chained list 3 is read, built stream list item in the memory address 1 that chained list is 1 can be finished and calculate whether it is the overtime stream of inertia, and chained list 1 has next hop address to read, can continue to read the built stream table that the next hop address of chained list 1 is stored this moment, the built stream table that the next hop address of same chained list 2 is stored also can obtain, and criticizes with this class that circulates.
Check the built stream of reading show corresponding stream whether be the overtime stream detailed process of inertia can for: according to the actual conditions of network, set in advance the timeout value of the overtime stream of inertia.Whether after the built stream table of storing in single-track link table is read, check last bag in built stream table time of advent of (the bag the inside includes message), the available current time deducts the time of advent of last bag, check greater than default timeout value.As greater than default timeout value, then FPGA will send order with its deletion.Concrete, still seeing also Fig. 2, the overtime stream of deletion inertia can be 0 with the Live position in the built stream list item, simultaneously the corresponding chained list node of the overtime stream of inertia is deleted from single-track link table.If the chained list node of deleting is first chained list node in the single-track link table of place, the memory address that the address that then the linked list maintenance unit can be stored changes to second chained list node gets final product, still continue to use above-mentioned example, be that chained list node 1 is deleted from chained list 1 such as need with first chained list node in the chained list 1, a memory address 3 that then only needs the memory address that the linked list maintenance unit be preserved to be changed to second chained list node gets final product.If the chained list node of deleting is the intermediate list node (also not being the chained list tail node for first chained list node neither) in the single-track link table of place, the memory address that then needs next hop address in the right built stream table of the last chained list node of the chained list node that will delete to change to a rear chained list node that needs the deletion chained list node gets final product, still continue to use above-mentioned example, such as need the chained list node 3 in the chained list 1 is deleted from chained list 1, then only need with chained list node 1 the next hop address in the built stream list item just changed to memory address 5 get final product.If the chained list node of deleting is the tail node in the single-track link table of place, then only need the next hop address that need be deleted in the corresponding built stream list item of last chained list node of chained list node is changed to empty getting final product, still continue to use above-mentioned example, such as need with the deletion of the chained list node 2 in the chained list 1, then only need with chained list node 5 the next hop address in the built stream list item is just changed to empty getting final product.
Therefore, in embodiments of the present invention, at first provide a kind of method that realizes processing the overtime stream of inertia, realized the management of convection current.Again, the linked list maintenance unit distributes N way flow table for the memory cell that has built stream table in advance in embodiments of the present invention, whether then read successively the built stream table of storing in the single-track link table overtime, so when checking the overtime stream of inertia, only need to check the memory cell that stores built stream table and needn't all check all memory cell.Simultaneously owing to reading built stream table and judging that built stream shows corresponding stream whether in the process as the overtime stream of inertia, have the process of a large amount of time-interleavings, therefore within the identical time, can realize the flow management to more stream.
In other embodiment of the present invention, " process according to storage information and stream message information corresponding to ID, obtain comprising the processing stream list item of the message information of clear text " among above-mentioned all embodiment specifically comprises:
Will with the output of pending queue unit respectively flow each memory cell that ID is complementary as reading object, send the read operation order to each reading object continuously successively, so that each reading object is carried out read operation according to the read operation order that receives;
Whenever read in the storage information that a reading object is stored, namely process according to the type of message in the message information of clear text and the storage information of reading in, processed the stream list item.The read operation of reading in the operating process of the storage information that reading object stores and linked list maintenance unit herein is similar, does not repeat them here.
In other embodiment of the present invention, the flow monitoring device among above-mentioned all embodiment comprises that also movable overtime flowmeter calculates the unit, also comprises after whenever reading in the storage information that a reading object stores above-mentioned:
Movable overtime flowmeter is calculated the unit and is checked whether storage information is built stream list item; If storage information is built stream table, then check the first time of advent of the message in the clear text time of advent and the built stream list item, whether calculate greater than the timeout value that sets in advance movable overtime stream;
If greater than, delete described built stream table.
Therefore, want in the embodiment of the invention, a kind of method of processing movable overtime stream is provided, realized flow management, simultaneously since adopt in the present invention extract successively to the method for reading object transmit operation order, will save the time of reading storage information, so that at one time, can process the overtime stream of more activity.
In other embodiment of the present invention, the storage information in each reading object among above-mentioned all embodiment is specially empty or built stream list item, and wherein built stream list item comprises message information; Type of message in the message information comprises SYN type, FIN type, RST type and other types.
In other embodiment of the present invention, processing according to the type of message in the message information of clear text and the storage information of reading among above-mentioned all embodiment, it is concrete to have been processed the stream list item, has processed the stream tableau format and still can with reference to Fig. 2, comprise:
When type of message corresponding to clear text is the SYN type, generate empty stream list item as processing the stream list item;
When type of message corresponding to clear text is FIN type, other type or RST type, the built stream list item of storing in the corresponding reading object is changed to the described stream list item of having processed;
Concrete, still see also Fig. 2, the Live position among the figure is significance bit, the Live position is 1 can represent that built stream list item is effective,, the Live position is 0 can represent that built stream list item is invalid, and with amended built stream list item as processing the stream list item.When type of message corresponding to clear text is FIN type or RST type, be 0 with the Live position of built stream list item.
When the type of message of clear text is other type, revise the information such as bag number in the built stream list item, byte number and last bag time of advent, and with amended built stream list item as processing the stream list item.
In other embodiment of the present invention, will process the stream list item and write corresponding memory cell and specifically comprise:
To write object with processing corresponding each memory cell conduct of stream list item, send the write operation order to respectively writing object continuously successively, carry out write operation in order to respectively write object according to the write operation order that receives.
In other embodiment of the present invention, the storage information that respectively writes in the object among above-mentioned all embodiment is specially empty or built stream list item, and described built stream list item comprises effective built stream list item and invalid built stream list item;
To directly be divided into one-level memory address and secondary storage address with storing.For instance, memory address can be divided into secondary, 0000-0999 can be used as the one-level memory address, and 1000-1999 can be used as the secondary storage address.
Will with process corresponding each memory cell of stream list item as writing object, send before the write operation order to respectively writing object continuously successively, method also comprises: when type of message corresponding to clear text is the SYN type, and, storage information in the corresponding reading object of clear text is specially empty or during invalid built stream list item, with reading object as writing object;
When type of message corresponding to clear text is the SYN type, and, when the storage information in the corresponding reading object of clear text is specially effective built stream list item, recalculate the memory address of clear text and as the object flow ID of clear text, and exporting the message information of clear text and the object flow ID of clear text to pending queue unit, the object flow ID of clear text and a certain secondary storage address are complementary; Concrete, recalculate memory address can be the change former memory address head be the address, for example SYN packet storage address is 0100, but memory address is 0100 memory cell has effective built stream table, then the memory address of SYN message can be changed to 1100 and also can with its object flow ID as clear text, again export pending queue unit to.
When type of message corresponding to clear text is FIN type, RST type or other types, five-tuple in the message information of comparison clear text, whether identical with the five-tuple of the built stream table of storing in the corresponding reading object, if identical, then with described reading object as writing object; Otherwise, recalculate the memory address of clear text and as the object flow ID of clear text, and exporting the message information of described clear text and the object flow ID of pending formation to pending queue unit, the object flow ID of pending formation and a certain secondary storage address are complementary.Similar such as above-mentioned process, do not repeat them here.
To the above-mentioned explanation of the disclosed embodiments, make this area professional and technical personnel can realize or use the present invention.Multiple modification to these embodiment will be apparent concerning those skilled in the art, and General Principle as defined herein can in the situation that does not break away from the spirit or scope of the present invention, realize in other embodiments.Therefore, the present invention will can not be restricted to these embodiment shown in this article, but will meet the widest scope consistent with principle disclosed herein and features of novelty.
Claims (10)
1. a flow monitoring method is characterized in that, based on the flow monitoring device, described flow monitoring device comprises header field extraction unit, computing unit, pending queue unit, processing and control element (PCE), processing queue unit and storage control unit at least; Described method comprises:
Described header field extraction unit is resolved each clear text of link respectively, obtains the message information of each clear text, and exports to described pending queue unit and store; Described message information comprises five-tuple, message number, type of message, byte number and COS Tos at least; Described five-tuple comprises source IP address, source port, purpose IP address, destination interface and transport layer protocol number;
Described computing unit carries out Hash operation to the five-tuple of each clear text and obtains flowing sequence number ID, and described stream ID is exported to described pending queue unit store;
When the number of the message information of storing reached the first preset number or Preset Time, described pending queue unit exported all message informations and the corresponding stream ID that stores to described processing unit; Described the first preset number is greater than 1;
Described processing unit obtains the storage information in the memory cell that memory address and described stream ID be complementary, and processes according to described storage information and message information corresponding to described stream ID, obtains comprising the processing stream list item of the message information of clear text;
Described processing queue unit is stored described stream list item and the memory address processed, and when the described number of having processed the stream list item of storage reaches the second preset number or Preset Time, export processing stream list item and the memory address of storing to described storage control unit; Described the second preset number is greater than 1;
Described storage control unit writes corresponding memory cell with the described stream list item of having processed, and the described stream list item of having processed writes after the corresponding memory cell as built stream list item.
2. method according to claim 1, it is characterized in that, described flow monitoring device also comprises the linked list maintenance unit, the linked list maintenance unit distributes N single-track link table for the memory cell that has built stream list item in advance, described N is the natural number greater than 1, each described single-track link table comprises at least one chained list node, the corresponding memory cell that stores built stream list item of each described chained list node; Described method also comprises: described linked list maintenance unit reads the built stream list item of storing in each chained list node institute corresponding stored unit in each single-track link table successively, if the built stream list item that reads is the overtime stream of inertia, then delete the built stream list item that reads.
3. method according to claim 2, it is characterized in that, the memory address of the 1st chained list node of N chained list of described linked list maintenance unit storage, and except the chained list tail node of each single-track link table, the corresponding memory address of next chained list node of storage place single-track link table in the corresponding built stream list item of all the other all chained list nodes.
4. method according to claim 3, it is characterized in that, described linked list maintenance unit reads the built stream list item of storing in each single-track link table node institute corresponding stored unit successively, if the built stream list item that reads is the overtime stream of inertia, then deletes the built stream list item that reads and specifically comprise:
Described linked list maintenance unit as reading target, reads the 1st the corresponding memory cell of chained list node of each single-track link table target to each successively and sends the read operation instruction, respectively reads the built stream list item that target is stored in order to read in;
After corresponding memory cell sent the read operation instruction to the 1st chained list node of N single-track link table, described linked list maintenance unit carried out timeout treatment to each built stream list item that has read in;
Described timeout treatment comprises: when the described built stream list item that has read in is the overtime stream of inertia, delete described built stream list item, and send described read operation order to the corresponding memory cell of next chained list node of the described corresponding single-track link table of built stream list item that has read in.
5. method according to claim 1 is characterized in that, describedly processes according to described storage information and message information corresponding to described stream ID, and the processing stream list item that obtains comprising the message information of clear text specifically comprises:
Will with described pending queue unit output respectively flow each memory cell that ID is complementary as reading object, send the read operation order to each reading object continuously successively, so that each reading object is carried out read operation according to the read operation order that receives;
Whenever read in the storage information that a reading object is stored, namely process according to the type of message in the message information of clear text and the storage information of reading in, processed the stream list item.
6. method according to claim 5 is characterized in that, described flow monitoring device comprises that also movable overtime flowmeter calculates the unit, also comprises after whenever reading in the storage information that a reading object stores:
Movable overtime flowmeter is calculated the unit and is checked whether storage information is built stream list item; If described storage information is built stream list item, then check the first time of advent of the message in the described clear text time of advent and the built stream list item, whether calculate greater than the timeout value that sets in advance movable overtime stream;
If greater than, delete described built stream list item.
7. method according to claim 5 is characterized in that:
Described type of message comprises SYN type, FIN type, RST type and other types;
Storage information in each reading object is specially empty or built stream list item, and described built stream list item comprises message information.
8. method according to claim 7 is characterized in that, describedly processes according to the type of message in the message information of clear text and the storage information of reading in, and has been processed the stream list item and has specifically comprised:
When type of message corresponding to clear text is the SYN type, generate empty stream list item as processing the stream list item;
When type of message corresponding to clear text is FIN type, other type or RST type, the built stream list item of storing in the corresponding reading object is changed to the described stream list item of having processed.
9. method according to claim 7 is characterized in that, described the described stream list item of having processed is write corresponding memory cell and specifically comprises:
To write object with processing corresponding each memory cell conduct of stream list item, send the write operation order to respectively writing object continuously successively, carry out write operation in order to respectively write object according to the write operation order that receives.
10. method according to claim 9 is characterized in that, described memory address comprises one-level memory address and secondary storage address;
The storage information that respectively writes in the object is specially empty or built stream list item, and described built stream list item comprises effective built stream list item and invalid built stream list item;
Will with process corresponding each memory cell of stream list item as writing object, send before the write operation order to respectively writing object continuously successively, described method also comprises:
When type of message corresponding to clear text is the SYN type, and, when the storage information in the corresponding reading object of described clear text is specially empty or invalid built stream list item, with described reading object as writing object;
When type of message corresponding to clear text is the SYN type, and, when the storage information in the corresponding reading object of described clear text is specially effective built stream list item, recalculate the memory address of described clear text and as the object flow ID of clear text, and exporting the message information of described clear text and the object flow ID of described clear text to pending queue unit, a certain secondary storage of the object flow ID address of described clear text is complementary;
When type of message corresponding to clear text is FIN type, RST type or other types, five-tuple in the message information of comparison clear text, whether identical with the five-tuple of the built stream list item of storing in the corresponding reading object, if identical, then with described reading object as writing object; Otherwise, recalculate the memory address of described clear text and as the object flow ID of clear text, and export the message information of described clear text and the object flow ID of described clear text to pending queue unit, described clear text a certain secondary storage of object flow ID address be complementary.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310014665.3A CN103023728B (en) | 2013-01-15 | 2013-01-15 | flow monitoring method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310014665.3A CN103023728B (en) | 2013-01-15 | 2013-01-15 | flow monitoring method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103023728A true CN103023728A (en) | 2013-04-03 |
| CN103023728B CN103023728B (en) | 2016-03-02 |
Family
ID=47971880
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310014665.3A Active CN103023728B (en) | 2013-01-15 | 2013-01-15 | flow monitoring method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103023728B (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105245471A (en) * | 2015-09-25 | 2016-01-13 | 京信通信技术(广州)有限公司 | Message sending method and message sending device |
| CN109274593A (en) * | 2018-08-31 | 2019-01-25 | 新华三信息安全技术有限公司 | A kind of information storage means and device |
| CN109495311A (en) * | 2018-11-30 | 2019-03-19 | 锐捷网络股份有限公司 | A kind of network fault detecting method and device |
| CN109729022A (en) * | 2017-10-30 | 2019-05-07 | 华为技术有限公司 | A kind of data transmission method for uplink based on software defined network, apparatus and system |
| CN110365590A (en) * | 2019-07-12 | 2019-10-22 | 北京大学深圳研究生院 | A kind of L2 cache method and two stages time-out flow table structure |
| CN112511450A (en) * | 2020-11-02 | 2021-03-16 | 杭州迪普信息技术有限公司 | Flow control equipment and method |
| CN114338529A (en) * | 2021-12-29 | 2022-04-12 | 杭州迪普信息技术有限公司 | Quintuple rule matching method and device |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1937574A (en) * | 2005-09-19 | 2007-03-28 | 北京大学 | Network flow classifying, state tracking and message processing device and method |
| CN101572670A (en) * | 2009-05-07 | 2009-11-04 | 成都市华为赛门铁克科技有限公司 | Data packet processing method based on flow table, device and network system |
| CN101841438A (en) * | 2010-04-02 | 2010-09-22 | 中国科学院计算技术研究所 | Method or system for accessing and storing stream records of massive concurrent TCP streams |
-
2013
- 2013-01-15 CN CN201310014665.3A patent/CN103023728B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1937574A (en) * | 2005-09-19 | 2007-03-28 | 北京大学 | Network flow classifying, state tracking and message processing device and method |
| CN101572670A (en) * | 2009-05-07 | 2009-11-04 | 成都市华为赛门铁克科技有限公司 | Data packet processing method based on flow table, device and network system |
| CN101841438A (en) * | 2010-04-02 | 2010-09-22 | 中国科学院计算技术研究所 | Method or system for accessing and storing stream records of massive concurrent TCP streams |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105245471A (en) * | 2015-09-25 | 2016-01-13 | 京信通信技术(广州)有限公司 | Message sending method and message sending device |
| CN109729022A (en) * | 2017-10-30 | 2019-05-07 | 华为技术有限公司 | A kind of data transmission method for uplink based on software defined network, apparatus and system |
| CN109729022B (en) * | 2017-10-30 | 2020-07-28 | 华为技术有限公司 | Data sending method, device and system based on software defined network |
| CN109274593A (en) * | 2018-08-31 | 2019-01-25 | 新华三信息安全技术有限公司 | A kind of information storage means and device |
| CN109274593B (en) * | 2018-08-31 | 2021-06-04 | 新华三信息安全技术有限公司 | Information storage method and device |
| CN109495311B (en) * | 2018-11-30 | 2022-05-20 | 锐捷网络股份有限公司 | Network fault detection method and device |
| CN109495311A (en) * | 2018-11-30 | 2019-03-19 | 锐捷网络股份有限公司 | A kind of network fault detecting method and device |
| CN110365590A (en) * | 2019-07-12 | 2019-10-22 | 北京大学深圳研究生院 | A kind of L2 cache method and two stages time-out flow table structure |
| CN110365590B (en) * | 2019-07-12 | 2021-06-04 | 北京大学深圳研究生院 | Two-stage caching method and two-stage timeout flow table structure |
| CN112511450A (en) * | 2020-11-02 | 2021-03-16 | 杭州迪普信息技术有限公司 | Flow control equipment and method |
| CN112511450B (en) * | 2020-11-02 | 2022-05-31 | 杭州迪普信息技术有限公司 | Flow control equipment and method |
| CN114338529A (en) * | 2021-12-29 | 2022-04-12 | 杭州迪普信息技术有限公司 | Quintuple rule matching method and device |
| CN114338529B (en) * | 2021-12-29 | 2024-03-08 | 杭州迪普信息技术有限公司 | Five-tuple rule matching method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103023728B (en) | 2016-03-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103023728A (en) | Flow monitoring method | |
| US20200220807A1 (en) | Systems and methods for software defined networking service function chaining | |
| CN105553880B (en) | Data processing method and device in a kind of software defined network | |
| CN104283785B (en) | A kind of method and apparatus of quick processing flow table | |
| EP3076612B1 (en) | Packet processing methods and nodes | |
| CN104618194B (en) | Software defined network monitoring messages method and SDN controllers, switching equipment | |
| CN105247831B (en) | Flow table amending method, flow table modification device and open flows network system | |
| CN108476177A (en) | Data plane for processing function scalability | |
| CN105027506A (en) | Scalable flow and congestion control in a network | |
| CN104320278A (en) | Wide area network realizing method and device based on software-defined network | |
| CN106063202A (en) | State-dependent data forwarding | |
| CN103812860B (en) | A kind of high speed network strategy matching method based on FPGA | |
| CN106713182A (en) | Method and device for processing flow table | |
| CN105359472B (en) | A kind of data processing method and device for OpenFlow networks | |
| US9998293B2 (en) | Method and device for maintaining multicast group member | |
| US11184283B2 (en) | Service function chaining congestion tracking | |
| CN109218200A (en) | A kind of message processing method and device | |
| CN104980302B (en) | A kind of method for eliminating redundant link based on STP under SDN frames | |
| EP3531653A1 (en) | Processing rule modification method, apparatus and device | |
| CN112787902B (en) | Message encapsulation method and device and message decapsulation method and device | |
| JP2017011423A (en) | System and method for data processing | |
| CN109005116A (en) | A kind of message forwarding method and device | |
| CN109982384A (en) | Message forwarding method, device, the network equipment and medium | |
| CN105656814B (en) | A kind of SDN network repeater system and method | |
| US10284426B2 (en) | Method and apparatus for processing service node ability, service classifier and service controller |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |