CN105635035A - Method for monitoring flow of virtual machine - Google Patents

Info

Publication number: CN105635035A
Authority: CN (China)
Prior art keywords: module, data, monitoring, data cache, packet
Legal status: Pending
Application number: CN201410583260.6A
Other languages: Chinese (zh)
Inventor: 李东
Current assignee: QINGDAO JINXUN NETWORK ENGINEERING Co Ltd
Original assignee: QINGDAO JINXUN NETWORK ENGINEERING Co Ltd
Priority date: 2014-10-27
Filing date: 2014-10-27
Publication date: 2016-06-01

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for monitoring the traffic of a virtual machine. The method comprises the following steps: first, a virtual machine containing a monitoring module is started; a packet capture module and a data cache module are deployed into the kernel of the virtual machine monitor; the packet capture module copies packets flowing through the TCP/IP protocol stack according to a filtering mechanism, and the copies are stored in the cache of the data cache module; the data cache module transmits the cached packets to the monitoring module; the monitoring module performs statistical analysis on the packets, and the traffic of the virtual machine is thereby monitored. The method solves the problem that communication between virtual machines escapes monitoring after server virtualization, and allows communication between virtual machines on the same physical server and communication between virtual machines and the network outside the server to be monitored in a unified way.

Description

A virtual machine traffic monitoring method
Technical field
This invention relates to the monitoring of virtual machine traffic on servers, and in particular to a virtual machine traffic monitoring method and system on a physical server.
Background technology
Server virtualization improves the utilization of computing resources and makes IT resources more flexible to manage, so it has become an important technology in today's data centers. After a server is virtualized, however, several virtual machines coexist on the same physical server, and the communication between these virtual machines cannot be perceived by a monitoring system deployed outside the physical server.
Existing methods work by redirecting traffic and fall into two broad classes. The first class redirects the virtual machine traffic to a network device outside the server, where it is monitored and processed. The second class uses the virtual switch to redirect the virtual machine traffic into a virtual machine running on the virtual machine monitor (VMM), where it is monitored. The advantage of the first class is that existing monitoring resources can be reused, but the network protocol driver must be modified or new network hardware must be added. The second class is more common, but it depends on the configurability of the virtual switch, offers no performance optimization, and can only monitor and process the traffic between virtual machines and the outside world as an additional monitoring overhead; it lacks the ability to monitor everything in a unified way.
Summary of the invention
The object of the invention is to use the hook mechanism of the virtual machine monitor to obtain the communication data streams of virtual machines, and to introduce a caching mechanism and a filtering policy so as to improve monitoring efficiency. The invention also discloses a monitoring system that achieves unified monitoring of communication between virtual machines and of communication between virtual machines and the outside of the server at the same time.
The invention is realised as follows.
A virtual machine traffic monitoring method comprises the following steps:
Step one: start, on the virtual machine monitor (VMM), a virtual machine that contains a monitoring module; load the packet capture module and the data cache module into the kernel through the kernel module loading interface; establish a communication connection between the monitoring module and the data cache module; the monitoring module issues the address filter list to the kernel; the monitoring module sends a start command to the kernel. The specific flow is as follows:
(1) After the virtual machine containing the monitoring module is started, the monitoring module starts running as well;
(2) The monitoring module calls the kernel module loading interface to load the packet capture module and the data cache module into the kernel;
(3) The data cache module establishes a connection with the security monitoring module;
(4) The security monitoring module sends the address filter table to the data cache module;
(5) The security monitoring module sends a start instruction to the data cache module;
(6) The data cache module sets the kernel global variable to "started".
Step two: the packet capture module listens to the data in the TCP/IP protocol stack of the virtual machine monitor (VMM) kernel; it duplicates packets according to the address filter table and stores them in the cache of the data cache module; the data cache module sends the data to the monitoring module. The specific flow is as follows:
(1) The data cache module checks the kernel global variable; if it is "started", it allocates a cache of a certain size and starts the data cache handling process; otherwise it does nothing;
(2) The packet capture module checks the kernel global variable; if it is "started", it starts the packet capture module; otherwise it does nothing;
(3) The packet capture module judges whether the address of the current TCP/IP protocol stack packet matches the address filter table; if it matches, the packet is duplicated into the cache of the data cache module; otherwise nothing is done;
(4) The data cache handling process judges whether the cache is empty; if it is not empty, it reads the cached data and sends it over the connection established between the data cache module and the security monitoring module; if it is empty, nothing is done.
Step three: the monitoring module extracts the basic information of each packet, statistically analyses the data flow, and displays the statistical results and alarms. The specific flow is as follows:
(1) The monitoring module calls the pretreatment module to extract the packet header information, including source and destination MAC, source and destination IP, and packet size;
(2) The monitoring module computes statistics on the session traffic and session content to which the packet belongs, analyses intrusion behaviour according to the intrusion detection rules, and detects malicious code according to the malicious code rules;
(3) The statistical analysis module outputs the statistical results according to the output configuration requirements and presents them on a page;
(4) The statistical analysis module outputs the alarm results according to the alarm configuration requirements and presents them on a page.
A virtual machine traffic monitoring system, characterised in that the system comprises the following modules:
(1) Monitoring module: deploys the packet capture module and the data cache module; calls the pretreatment module and the statistical analysis module; establishes a communication connection with the data cache module; receives the packets sent by the data cache module and issues the address filter table and commands to the data cache module; manages the monitoring configuration;
(2) Pretreatment module: obtains the packet header information, including source and destination MAC, source and destination IP, and packet size;
(3) Statistical analysis module: performs statistical analysis on the output of the pretreatment module, including session traffic statistics and session content reconstruction; analyses intrusion behaviour according to the intrusion detection rules; detects malicious code according to the malicious code rules; outputs the statistical results and alarm results according to the output configuration and the alarm configuration, and presents them on a page;
(4) Packet capture module: listens to the packets of the TCP/IP protocol stack in the virtual machine monitor (VMM) kernel, duplicates the packets according to the address filter table, and stores them in the cache of the data cache module;
(5) Data cache module: establishes the connection with the monitoring module; sends the cached data to the monitoring module; receives the instructions and data sent by the monitoring module.
Compared with the prior art, the present invention has the following beneficial effects: the patent solves the problem that the communication between virtual machines introduced by server virtualization escapes monitoring, and achieves unified monitoring of the communication between virtual machines on the same physical server and of the communication between virtual machines and the server's external network. In addition, by introducing a caching mechanism, a packet filtering mechanism and an offline storage mechanism, the patent solves the problem of the performance impact of the monitoring function on the virtual machine monitor.
Detailed description of the invention
The present invention provides a unified monitoring system for both the traffic between virtual machines and the traffic between virtual machines and the server's external network. Initialisation phase: start the virtual machine containing the monitoring module on the virtual machine monitor, deploy the packet capture module and the data cache module into the kernel, establish a connection between the monitoring module and the data cache module, have the monitoring module issue the address filter list to the kernel and then send the start command to the kernel; the monitoring system is then fully deployed.
In the present invention, the packet capture module and the data cache module both run in the kernel and must first be loaded into the kernel through the kernel programming interface before they can operate. Because the monitoring module is deployed inside a virtual machine, and the virtual machine runs in user mode, a communication channel between kernel space and user space has to be built. Once the connection is established, the monitoring module sends the address filter list to the kernel for the packet capture module to use. The monitoring module then sends the start command to the kernel, and the packet capture module and the data cache module begin working.
Data capture phase: the packet capture module listens to the TCP/IP protocol stack data, duplicates packets according to the address filter table and stores them in the cache of the data cache module; the data cache module sends the data to the monitoring module.
In the present invention, the packet capture module examines every packet flowing through the TCP/IP protocol stack and compares the MAC value or IP information of each packet with the address information in the address filter list; if they match, one copy of the packet is made and stored in the cache of the data cache module. The cache in the data cache module is pre-allocated by the data cache module and can be extended dynamically according to the actual volume. When the data cache module finds that the cache is not empty, it delivers the packets to the monitoring module in the virtual machine over the connection established between kernel space and user space.
Statistical analysis phase: the monitoring module extracts the basic packet header information, statistically analyses the data flow, and displays the statistical results and alarms.
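As an added example, not code from the patent or its applicant, the following C program models the data capture phase just described in user space: an address filter table matched on either endpoint's MAC or IPv4 address, one copy of each matching frame placed in a pre-allocated bounded cache, and a cache process that drains it for the monitoring module. The cache size, the MAC and IP addresses, the frames and the decision to drop (and count) copies when the cache is full are assumptions of the example; the patent says the cache can instead be extended dynamically. In a real deployment the `capture_hook` function would be registered as a packet hook in the VMM kernel; here it is an ordinary function fed constructed frames.

```c
/* Added example, not the patent's code: a user-space model of the capture
 * stage (address filter table, duplicate-on-match, pre-allocated cache,
 * delivery). In a real deployment this would be a packet hook in the VMM
 * kernel; here the hook is a plain function fed constructed frames. */
#include <stdint.h>
#include <string.h>

#define CACHE_SLOTS 3      /* cache size is an assumption for the example */
#define MAX_FRAME   256
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

struct filter_entry { uint8_t mac[6]; uint32_t ip; };   /* ip 0 = match by MAC only */

struct cache {
    uint8_t  slot[CACHE_SLOTS][MAX_FRAME];
    uint16_t len[CACHE_SLOTS];
    unsigned head, tail, count, dropped;
};

/* Eligible when either endpoint's MAC or IPv4 address is in the table.
 * Only Ethernet II + IPv4 frames are inspected; others pass untouched. */
static int filter_matches(const struct filter_entry *t, size_t nt,
                          const uint8_t *f, size_t n)
{
    if (n < 34 || f[12] != 0x08 || f[13] != 0x00 || (f[14] >> 4) != 4) return 0;
    uint32_t sip = IP4(f[26], f[27], f[28], f[29]), dip = IP4(f[30], f[31], f[32], f[33]);
    for (size_t i = 0; i < nt; i++) {
        if (!memcmp(t[i].mac, f, 6) || !memcmp(t[i].mac, f + 6, 6)) return 1;
        if (t[i].ip && (t[i].ip == sip || t[i].ip == dip)) return 1;
    }
    return 0;
}

/* "Replicate one copy into the cache": the original frame is not touched.
 * A full cache drops the copy and counts it rather than stalling the stack. */
static int cache_push(struct cache *c, const uint8_t *f, size_t n)
{
    if (c->count == CACHE_SLOTS || n > MAX_FRAME) { c->dropped++; return 0; }
    memcpy(c->slot[c->tail], f, n);
    c->len[c->tail] = (uint16_t)n;
    c->tail = (c->tail + 1) % CACHE_SLOTS;
    c->count++;
    return 1;
}

/* Cache-process side: hand one frame to the monitoring module, 0 if empty. */
static size_t cache_pop(struct cache *c, uint8_t *out)
{
    if (c->count == 0) return 0;
    size_t n = c->len[c->head];
    memcpy(out, c->slot[c->head], n);
    c->head = (c->head + 1) % CACHE_SLOTS;
    c->count--;
    return n;
}

/* Hook entry: gated by the kernel "started" flag, then filter, then copy. */
static int capture_hook(int started, const struct filter_entry *t, size_t nt,
                        struct cache *c, const uint8_t *f, size_t n)
{
    if (!started || !filter_matches(t, nt, f, n)) return 0;
    return cache_push(c, f, n);
}

/* Build a constructed Ethernet II + minimal IPv4 frame and run it through the hook. */
static int feed(int started, const struct filter_entry *t, size_t nt, struct cache *c,
                const uint8_t *dmac, const uint8_t *smac, uint32_t sip, uint32_t dip)
{
    uint8_t b[34] = {0};
    memcpy(b, dmac, 6); memcpy(b + 6, smac, 6);
    b[12] = 0x08; b[13] = 0x00; b[14] = 0x45;      /* EtherType IPv4, version 4, IHL 5 */
    for (int i = 0; i < 4; i++) {
        b[26 + i] = (uint8_t)(sip >> (24 - 8 * i));
        b[30 + i] = (uint8_t)(dip >> (24 - 8 * i));
    }
    return capture_hook(started, t, nt, c, b, sizeof b);
}

struct demo_result { unsigned captured, delivered, dropped; };

/* Constructed scenario: VM A is listed by MAC, VM B by IP; X and Y are
 * unmonitored VMs on the same host. */
static struct demo_result run_capture_demo(void)
{
    static const uint8_t A[6] = {2,0,0,0,0,0x0a}, B[6] = {2,0,0,0,0,0x0b},
                         X[6] = {2,0,0,0,0,0x0c}, Y[6] = {2,0,0,0,0,0x0d};
    const uint32_t ipA = IP4(10,0,0,1), ipB = IP4(10,0,0,2),
                   ipX = IP4(10,0,0,3), ipY = IP4(10,0,0,4);
    struct filter_entry tab[2] = {{{2,0,0,0,0,0x0a}, 0}, {{0}, ipB}};  /* A by MAC, B by IP */
    struct cache cache = {0}; struct demo_result r = {0, 0, 0};
    uint8_t out[MAX_FRAME];

    r.captured += feed(1, tab, 2, &cache, X, A, ipA, ipX);   /* A->X: source MAC match */
    r.captured += feed(1, tab, 2, &cache, Y, X, ipX, ipY);   /* X->Y: no match, passes */
    r.captured += feed(1, tab, 2, &cache, B, X, ipX, ipB);   /* X->B: destination IP match */
    r.captured += feed(0, tab, 2, &cache, X, A, ipA, ipX);   /* not started: ignored */
    r.captured += feed(1, tab, 2, &cache, X, A, ipA, ipX);   /* third copy fills the cache */
    r.captured += feed(1, tab, 2, &cache, X, A, ipA, ipX);   /* cache full: copy dropped */
    while (cache_pop(&cache, out) > 0) r.delivered++;     /* cache process drains it */
    r.dropped = cache.dropped;
    return r;
}
```

The `dropped` counter is the check a practitioner should insist on: a capture path that silently loses copies under load underreports exactly the traffic it was deployed to see, so the drop count belongs in the monitoring module's statistics alongside the session counters, and the filter list should stay as narrow as the monitoring goal allows so the copy rate does not become the VMM's bottleneck.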
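As an added example, again not code from the patent, this C program models the statistical analysis phase: sessions keyed by the unordered IP pair taken from the header information the pretreatment module extracts, per-session packet and byte counts, one constructed intrusion detection rule (a per-session volume cap) and one constructed malicious code rule (a byte signature searched for in the payload), with the "page presentation" reduced to a text report. The rule threshold, the signature bytes, the addresses and the packets are all constructed for the example and stand in for whatever rule sets a real deployment would load.

```c
/* Added example, not the patent's code: a user-space model of the
 * statistical-analysis stage. Input is the header information the
 * pretreatment module extracts (MACs, IPs, size) plus the payload; both
 * rules below are constructed for the example, not taken from the patent. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 16
#define RULE_MAX_SESSION_BYTES 1000UL   /* constructed intrusion rule: volume cap */
/* constructed malicious-code signature (hypothetical bytes, not a real indicator) */
static const uint8_t RULE_MALWARE_SIG[] = {0x4d, 0x5a, 0x90, 0x00};

struct pkt_info {               /* what the pretreatment module hands over */
    uint8_t  src_mac[6], dst_mac[6];
    uint32_t src_ip, dst_ip;
    uint16_t size;
    const uint8_t *payload;     /* may be NULL when only headers are kept */
    size_t payload_len;
};

struct session {                /* keyed by the unordered IP pair */
    uint32_t ip_lo, ip_hi;
    unsigned packets;
    unsigned long bytes;
    int alarmed;                /* volume alarm is raised once per session */
};

struct stats {
    struct session s[MAX_SESSIONS];
    unsigned nsessions, alarms, unclassified;
};

static struct session *find_session(struct stats *st, uint32_t a, uint32_t b)
{
    uint32_t lo = a < b ? a : b, hi = a < b ? b : a;
    for (unsigned i = 0; i < st->nsessions; i++)
        if (st->s[i].ip_lo == lo && st->s[i].ip_hi == hi) return &st->s[i];
    if (st->nsessions == MAX_SESSIONS) return NULL;      /* session table full */
    struct session *n = &st->s[st->nsessions++];
    memset(n, 0, sizeof *n);
    n->ip_lo = lo; n->ip_hi = hi;
    return n;
}

/* byte-string search; memmem() is not in ISO C, so it is written out here */
static int contains_sig(const uint8_t *p, size_t n, const uint8_t *sig, size_t m)
{
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(p + i, sig, m) == 0) return 1;
    return 0;
}

/* Process one packet: update its session, then apply the rules.
 * Returns the number of alarms this packet raised (0, 1 or 2). */
static int analyse_packet(struct stats *st, const struct pkt_info *p)
{
    int raised = 0;
    struct session *s = find_session(st, p->src_ip, p->dst_ip);
    if (!s) { st->unclassified++; return 0; }   /* counted so the report shows the loss */
    s->packets++;
    s->bytes += p->size;
    if (!s->alarmed && s->bytes > RULE_MAX_SESSION_BYTES) { s->alarmed = 1; raised++; }
    if (p->payload && contains_sig(p->payload, p->payload_len,
                                   RULE_MALWARE_SIG, sizeof RULE_MALWARE_SIG)) raised++;
    st->alarms += raised;
    return raised;
}

/* The "page presentation" step, reduced to a text report on stdout. */
static void print_report(const struct stats *st)
{
    for (unsigned i = 0; i < st->nsessions; i++) {
        const struct session *s = &st->s[i];
        printf("session %u.%u.%u.%u <-> %u.%u.%u.%u: %u packets, %lu bytes%s\n",
               s->ip_lo >> 24, (s->ip_lo >> 16) & 255, (s->ip_lo >> 8) & 255, s->ip_lo & 255,
               s->ip_hi >> 24, (s->ip_hi >> 16) & 255, (s->ip_hi >> 8) & 255, s->ip_hi & 255,
               s->packets, s->bytes, s->alarmed ? " [VOLUME ALARM]" : "");
    }
    printf("alarms=%u unclassified=%u\n", st->alarms, st->unclassified);
}

struct demo_stats { unsigned sessions, alarms, packets_ab; unsigned long bytes_ab; };

/* Constructed traffic between three VMs: A=10.0.0.1, B=10.0.0.2, C=10.0.0.3. */
static struct demo_stats run_stats_demo(void)
{
    static const uint8_t sig_payload[] = {0x01, 0x4d, 0x5a, 0x90, 0x00, 0x02};
    const uint32_t A = 0x0a000001, B = 0x0a000002, C = 0x0a000003;
    struct pkt_info pkts[] = {
        {{2,0,0,0,0,1}, {2,0,0,0,0,2}, A, B, 600, NULL, 0},
        {{2,0,0,0,0,2}, {2,0,0,0,0,1}, B, A, 500, NULL, 0},   /* reply: same session, cap passed */
        {{2,0,0,0,0,1}, {2,0,0,0,0,2}, A, B, 100, NULL, 0},   /* already alarmed: no repeat */
        {{2,0,0,0,0,3}, {2,0,0,0,0,1}, C, A, 200, sig_payload, sizeof sig_payload},
        {{2,0,0,0,0,3}, {2,0,0,0,0,2}, C, B,  50, NULL, 0},
    };
    struct stats st = {0};
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) analyse_packet(&st, &pkts[i]);
    print_report(&st);
    struct session *ab = find_session(&st, A, B);
    struct demo_stats d = { st.nsessions, st.alarms, ab->packets, ab->bytes };
    return d;
}
```

Keying sessions on the unordered address pair is what makes the reply direction count toward the same session, which the volume rule depends on; raising the volume alarm once per session keeps a single busy session from flooding the alarm page, while the signature rule fires on every packet that carries the pattern because each hit is a separate event worth recording.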

Claims (5)

1. A virtual machine traffic monitoring method, characterised in that it comprises the following steps:
Step one: start, on the virtual machine monitor (VMM), a virtual machine that contains a monitoring module; load the packet capture module and the data cache module into the kernel through the kernel module loading interface; establish a communication connection between the virtual machine's monitoring module and the data cache module; the monitoring module issues the address filter list to the kernel, and the monitoring module sends a start command to the kernel;
Step two: the packet capture module listens to the data in the TCP/IP protocol stack; it duplicates packets according to the address filter table and stores them in the cache of the data cache module; the data cache module transmits the data to the monitoring module;
Step three: the monitoring module extracts the basic information of the packets, statistically analyses the data flow, and displays the statistical results and alarms.
2. The monitoring method according to claim 1, characterised in that the specific flow of step one is as follows:
(1) After the virtual machine containing the monitoring module is started, the monitoring module starts running as well;
(2) The monitoring module calls the kernel module loading interface to load the packet capture module and the data cache module into the kernel;
(3) The data cache module establishes a connection with the monitoring module;
(4) The monitoring module sends the address filter table to the data cache module;
(5) The monitoring module sends a start instruction to the data cache module;
(6) The data cache module sets the kernel global variable to "started".
3. The monitoring method according to claim 1, characterised in that the specific flow of step two is as follows:
(1) The data cache module checks the kernel global variable; if it is "started", it allocates a cache of a certain size and starts the data cache handling process; otherwise it does nothing;
(2) The packet capture module checks the kernel global variable; if it is "started", it starts the packet capture module; otherwise it does nothing;
(3) The packet capture module judges whether the address of the current TCP/IP protocol stack packet matches the address filter table; if it matches, the packet is duplicated into the cache of the data cache module; otherwise nothing is done;
(4) The data cache handling process judges whether the cache is empty; if it is not empty, it reads the cached data and sends it over the connection established between the data cache module and the monitoring module; if it is empty, nothing is done.
4. The monitoring method according to claim 1, characterised in that the specific flow of step three is as follows:
(1) The monitoring module receives the data sent by the data cache module and calls the data pretreatment module to extract the packet header information, including source and destination MAC, source and destination IP, and packet size;
(2) The monitoring module calls the statistical analysis module to compute statistics on the session traffic and session content to which the packet belongs, to analyse intrusion behaviour according to the intrusion detection rules, and to detect malicious code according to the malicious code rules;
(3) The statistical analysis module outputs the statistical results according to the output configuration requirements and presents them on a page;
(4) The statistical analysis module outputs the alarm results according to the alarm configuration requirements and presents them on a page.
5. A virtual machine traffic monitoring system, characterised in that the system comprises the following modules:
(1) Monitoring module: deploys the packet capture module and the data cache module; calls the pretreatment module and the statistical analysis module; establishes a communication connection with the data cache module; receives the packets sent by the data cache module and issues the address filter table and commands to the data cache module; manages the monitoring configuration;
(2) Pretreatment module: obtains the packet header information, including source and destination MAC, source and destination IP, and packet size;
(3) Statistical analysis module: performs statistical analysis on the output of the pretreatment module, including session traffic statistics and session content reconstruction; analyses intrusion behaviour according to the intrusion detection rules; detects malicious code according to the malicious code rules; outputs the statistical results and alarm results according to the output configuration requirements and the alarm configuration requirements, and presents them on a page;
(4) Packet capture module: listens to the packets of the TCP/IP protocol stack in the virtual machine monitor (VMM) kernel, duplicates the packets according to the address filter table, and stores them in the cache of the data cache module;
(5) Data cache module: establishes the connection with the monitoring module; sends the cached data to the monitoring module; receives the instructions and data sent by the monitoring module.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status | Publication
CN201410583260.6A | 2014-10-27 | 2014-10-27 | Method for monitoring flow of virtual machine | Pending | CN105635035A (en)

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201410583260.6A | 2014-10-27 | 2014-10-27 | Method for monitoring flow of virtual machine

Publications (1)

Publication Number | Publication Date
CN105635035A (en) | 2016-06-01

Family

ID=56049542

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201410583260.6A | Method for monitoring flow of virtual machine | 2014-10-27 | 2014-10-27 | Pending

Country Status (1)

Country | Link
CN (1) | CN105635035A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106844144A (en) * | 2016-12-29 | 2017-06-13 | 广州凯耀资产管理有限公司 | A kind of secure virtual machine monitoring method
CN107148009A (en) * | 2017-07-01 | 2017-09-08 | 浙江省计量科学研究院 | Multi-standard mobile communications network internet surfing data traffic measurement apparatus and its method
CN107148009B (en) * | 2017-07-01 | 2022-09-20 | 浙江省计量科学研究院 | Multi-standard mobile communication network internet data flow measuring device and method thereof
CN107370686A (en) * | 2017-08-08 | 2017-11-21 | 郑州云海信息技术有限公司 | A kind of flow control methods and device
CN107395621A (en) * | 2017-08-18 | 2017-11-24 | 国云科技股份有限公司 | A kind of virtual machine network interface card traffic classification monitoring method
CN111356166A (en) * | 2018-12-20 | 2020-06-30 | 福建雷盾信息安全有限公司 | Flow monitoring method
CN109981403A (en) * | 2019-03-05 | 2019-07-05 | 北京勤慕数据科技有限公司 | Virtual machine network data traffic monitoring method and device
CN110958152A (en) * | 2019-10-13 | 2020-04-03 | 苏州浪潮智能科技有限公司 | Method, system and equipment for monitoring virtual machine service network
CN112350854A (en) * | 2020-10-22 | 2021-02-09 | 中国建设银行股份有限公司 | Flow fault positioning method, device, equipment and storage medium
CN112350854B (en) * | 2020-10-22 | 2022-11-18 | 中国建设银行股份有限公司 | Flow fault positioning method, device, equipment and storage medium

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
WD01 | Invention patent application deemed withdrawn after publication

Application publication date: 20160601