CN106452856A - Traffic flow statistics method and device, and wireless access equipment with traffic flow statistics function - Google Patents

Traffic flow statistics method and device, and wireless access equipment with traffic flow statistics function Download PDF

Info

Publication number
CN106452856A
CN106452856A CN201610859258.6A CN201610859258A CN106452856A CN 106452856 A CN106452856 A CN 106452856A CN 201610859258 A CN201610859258 A CN 201610859258A CN 106452856 A CN106452856 A CN 106452856A
Authority
CN
China
Prior art keywords
data
function
flows
flow
hook
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610859258.6A
Other languages
Chinese (zh)
Inventor
董森
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Hongyan Intelligent Technology Co Ltd
Original Assignee
Hangzhou Hongyan Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Hongyan Intelligent Technology Co Ltd filed Critical Hangzhou Hongyan Intelligent Technology Co Ltd
Priority to CN201610859258.6A priority Critical patent/CN106452856A/en
Publication of CN106452856A publication Critical patent/CN106452856A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/142Network analysis or design using statistical or mathematical methods
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876Network utilisation, e.g. volume of load or congestion level

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Environmental & Geological Engineering (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a traffic flow statistics method and device, and wireless access equipment with a traffic flow statistics function. The method comprises a step 101 of obtaining multiple data packets, wherein sources of the data packets may wired channels or wireless channels, and the data packets can be sent to electric equipment by a server or sent to the server by the electric equipment; a step 102 of obtaining multiple traffic flow data packets in the multiple data packets through a hook function mounted on a network protocol stack hook point, wherein a network protocol stack is arranged in a Netfilter frame of a linux kernel; a step 103 of classifying the multiple traffic flow data packets by a hash algorithm; and a step 104 of carrying out statistics of the traffic flow value of each type of traffic flow data packets. In the traffic flow filtering and counting processes, the system resource occupation of the product of the invention is smaller than the traditional wireless access equipment. The computing time and the storage space are saved, the computing accuracy is enhanced, the working efficiency is improved, and conditions that the system is blocked and the resource is wasted are effectively avoided.

Description

Flow statistical method and device and the radio reception device with traffic statistic function
【Technical field】
The present invention relates to smart home field, more particularly to a kind of flow statistical method and device and with traffic statistics work( The radio reception device of energy.
【Background technology】
With developing rapidly for the technology such as network new media, the explosive increase of network application, network security threats, network In abnormal flow all bring very big impact to the normal operation of network.Simultaneously as network has isomerism and complexity Property feature, by monitor network packet, network traffics are carried out with statistical analysiss, so as to realize the detection of network traffics, are Research network performance, fault and performance diagnogtics and the effective ways of detection Network Abnormal, while it can ask to solving network Topic provides foundation, and for ensureing that network QoS lays the foundation.
In current Linux platform, traditional network traffics acquisition technique has following several ways:
In the network using SNMP, the main thought of flow monitoring method is to deposit a pipe on each network node Reason information bank, and the agent maintenance having on node, are then passed to network of relation application and access, simple flow collection pattern, Simple and easy to use, but very big burden is brought to the network bandwidth and egress router.
The ability of Libpcap gather information is most strong, widest in area, but due to from kernel buffers to user buffering area Data copy, can increase memory copying number of times, when network traffic is excessive, can seriously reduce the performance of system.
【Content of the invention】
For solving foregoing problems, the present invention proposes a kind of flow statistical method and device and the nothing with traffic statistic function Line access device, to solve the problems, such as that in prior art, traffic statistics consuming performance is excessive.
For reaching object defined above, the method that the present invention is adopted is:Flow statistical method, comprises the steps:
Obtain multiple packets;
Hook Function by carry on network protocol stack hook point obtains the multiple datas on flows in multiple packets Bag;
By hashing algorithm, the plurality of data on flows bag is classified;
Count the flow value of all kinds of data on flows bags.
For reaching object defined above, the device that the present invention is adopted is:Flow statistic device, including such as lower module:
Acquiring unit, obtains multiple packets;
Filter element, the Hook Function by carry on network protocol stack hook point obtains multiple in multiple packets Data on flows bag;
Taxon, is classified to the plurality of data on flows bag by hashing algorithm;
Statistic unit, counts the flow value of all kinds of data on flows bags.
For reaching object defined above, the equipment that the present invention is adopted is:Radio reception device with traffic statistic function, including Couple for obtaining the wireless communication module of packet and the processor of wireless communication module coupling and with the processor Memory module and peripheral interface circuit,
Network protocol stack is set in the processor, and the hook point of the network protocol stack is provided with Hook Function, for obtaining Take the multiple data on flows bags in the plurality of packet;
The processor 1 is classified to the plurality of data on flows bag by hashing algorithm and is counted all kinds of flows The flow value of packet.
The present invention can reach following technique effect:Can be using residing for the product of the technology surrounding enviroment provide stable Wire/wireless signal, while traffic filtering and traffic statistic function can be carried out for radio reception device end.Further, exist During carrying out traffic filtering and traffic statistics, the system resource of the product is compared conventional wireless access device and takes resource Few, saved calculating time and memory space, strengthened the accuracy for calculating, improved work efficiency, effectively reduce system congestion and Wasting of resources situation.
These features of the present invention and advantage will be detailed in following specific embodiment, accompanying drawing exposure.This Bright optimal embodiment or means will combine the detailed performance of accompanying drawing, but be not the restrictions to technical solution of the present invention.Separately Outward, these features for occurring in text and accompanying drawing in each of the lower, key element and component are with multiple, and mark to represent convenient Remember different symbols or numeral, but all represent the part of same or similar construction or function.
【Description of the drawings】
The present invention is described further below in conjunction with the accompanying drawings.
Fig. 1 is the method flow diagram of the embodiment of the present invention 1.
Fig. 2 is the apparatus module figure of the embodiment of the present invention 2.
Fig. 3 is the EM equipment module figure of the embodiment of the present invention 3.
【Specific embodiment】
With reference to the accompanying drawing of the embodiment of the present invention, the technical scheme of the embodiment of the present invention is explained and illustrated, but under State embodiment and the preferred embodiments of the present invention are only, and not all.Based on the embodiment in embodiment, those skilled in the art Obtained other embodiment on the premise of creative work is not made, belongs to protection scope of the present invention.
" one embodiment " or " example " or " example " that quotes in this manual means that itself describes in conjunction with the embodiments Special characteristic, structure or characteristic can be included at least one embodiment disclosed in this patent.Phrase is " in one embodiment In " appearance of each position in the description is not necessarily all referring to same embodiment.
Although it should be noted that represent the connected mode of each module in the present invention in the accompanying drawings, the connection side Formula is only One function explanation, rather than specific connected mode, in specific application scenarios, based on present invention structure Think, those skilled in the art are readily conceivable that
The process step for illustrating in the accompanying drawing appended by this specification be by include hardware (such as circuit, special logic list Unit etc.), firmware (such as on general-purpose calculating appts or special purpose machinery run) or both combination processs logic execution. Although each embodiment is described to process according to some order operations below, it is understood that, the step of some descriptions Operation can be executed in different order.Additionally, some step operation can be executed in parallel rather than be sequentially performed.
Embodiment 1.
Referring to Fig. 1, a kind of flow statistical method, the enforcement of the method can be based on any computing device or device clusters reality Existing, the example of these computing devices may include such as digital signal processor (DSP), CPU (CPU) or microprocessor Device (MCU), such as portable digital telephone, portable computer or digital assistants, in the illustrative of the present invention, to " place Referring to for reason device " etc. is appreciated that not only comprising with different frameworks (such as single/multiple logic control constructs and string Row/parallel organization) computer, and include specific analog/digital integrated circuit, such as field programmable gate array (FPGA), special circuit (ASIC), signal transmitting and receiving circuit and other process circuit equipment.To computer program, instruction, code Deng reference be appreciated that include for programmable control circuit software or firmware.Comprise the steps:
Step 101:Obtain multiple packets;The source of the packet can be limited passage, or radio channel. Electrical equipment can be sent to by server, or electrical equipment is sent to server.
Step 102:Hook Function by carry on network protocol stack hook point obtains multiple in multiple packets Data on flows bag;Network protocol stack is arranged at the Netfilter framework in linux kernel.
Step 103:By hashing algorithm, the plurality of data on flows bag is classified;
Step 104:Count the flow value of all kinds of data on flows bags.
Abovementioned steps 103 include:Using hash algorithm, in the source network address and destination address according to multiple packets Key value is classified to the plurality of data on flows bag.Key value is that in source network address and destination address, 25-32 position is right The lowest numeric that answers.Multiple data on flows bags are categorized as N class data on flows bag (first kind data on flows bag, Equations of The Second Kind flow Packet, to N class data on flows bag), after the completion of classification, count the flow value of each class data on flows bag.
Preceding method, also includes the flow value for sending all kinds of data on flows bags to User space program.User space program In User space, User space is separated with linus kernel.
User space (user mode) refers to two similar concepts in computer configuation.In the design of CPU, User space refers to Unprivileged.In this case, the code of execution is limited by hardware, it is impossible to carry out some operations, such as writes other processes Memory space, to prevent from bringing potential safety hazard to operating system.In the design of operating system, User space is also similar to, and refers to non- The execution state of privilege.Kernel forbids that the code under this state carries out the operation of potential danger, such as writing system configuration file, Kill the process of other users, restart system etc..
Kernel state is kernel mode again, and kernel mode is the pattern run by operating system nucleus, operates in the code of the pattern, Unrestrictedly system storage, external equipment can be conducted interviews.
Netfilter is the Linux fire prevention wall telephone of a new generation after the IPchains of IPfwadm, 2.2.x of 2.0.x System.Netfilter adopts modularized design, with good expandability.Its important tool module I PTables is connected to In the framework of Netfilter, and allow user to carry out datagram to filter, address conversion, the operation such as process.Netfilter There is provided a framework, the direct interference of network code will be preferably minimized, and allow to process other bags with the interface of regulation Code is added in kernel in modular form, with extremely strong motility.
The program segment of actually one process message of hook, is called by system, it is linked into system.Whenever specific Message sends, and before purpose window is not reached, hook program just first captures the message, that is, Hook Function is first controlled Power.At this moment Hook Function i.e. can be with processed (change) message, it is also possible to does not deal with and continues to transmit the message, may be used also To force the transmission of end.A hook chain is safeguarded by system to each type of hook, the hook that installs recently is put In the beginning of chain, and the hook that installs at first is placed on finally, that is, the first acquisition control for adding afterwards.Win32's to be realized System hook, it is necessary to call api function SetWindowsHookEx in SDK to install this Hook Function, this function Prototype is HHOOK SetWindowsHookEx (int idHook, HOOKPROC lpfn, HINSTANCE hMod, DWORD dwThreadId);, wherein, first parameter is the type of hook;Second parameter is the address of Hook Function;3rd ginseng Number is the module handle comprising Hook Function;4th parameter specifies the thread of supervision.If specifying the thread for determining, as line The special hook of journey;If being appointed as sky, as global hook.Wherein, global hook function must be included in DLL (dynamic link Storehouse) in, and the special hook of thread is further included in executable file.The Hook Function for obtaining control is completed to message Process after, if it is desired to the message continues transmission, then it must call the api function in another SDK CallNextHookEx is transmitting it.Hook Function can also abandon the message by directly returning TRUE, and prevent this from disappearing The transmission of breath.
Hashing algorithm is hash algorithm again, and the binary value of random length is mapped as shorter regular length by hash algorithm Binary value, this little binary value is referred to as cryptographic Hash.Cryptographic Hash is the unique and extremely compact numerical tabular of one piece of data Show form.If hashing one section of plaintext and even only changing a letter of the paragraph, subsequent Hash will all produce different Value.Two different inputs of the hash for same value are found, is computationally impossible, so the cryptographic Hash of data Can be with the integrity of inspection data.It is generally used for quick lookup and AES.Hash table is the hash function H according to setting (key) with process collision method, one set of keyword is mapped on a limited address section, and with keyword in address area Between in as used as storage location of the record in table, this table is referred to as Hash table or hash, and gained storage location is referred to as Hash Address or hash address.As linear data structure compared with form and queue etc., it is very fast that Hash table is undoubtedly to look for speed ratio One kind.By the fixation that unidirectional mathematical function (sometimes referred to as " hash algorithm ") is applied to obtained by any number of data The result of size.If changed in input data, Hash can also change.Hash can be used for many operations, including body Part checking and digital signature.Also referred to as " eap-message digest ".Simplicity of explanation:Hash (Hash) algorithm, i.e. hash function.It is a kind of One-way cipher system, i.e., it is an irreversible mapping from plaintext to ciphertext, only ciphering process, without decrypting process. Meanwhile, the input of random length can be fixed after change hash function the output of length.Hash function this The feature for planting characteristic of unidirectional and the fixation of output data length allows it to generate message or data.
Embodiment 2.
Referring to Fig. 2, a kind of flow statistic device 20, the enforcement of the device can be based on any computing device or device clusters reality Existing, the example of these computing devices may include such as digital signal processor (DSP), CPU (CPU) or microprocessor Device (MCU), such as portable digital telephone, portable computer or digital assistants, in the illustrative of the present invention, to " place Referring to for reason device " etc. is appreciated that not only comprising with different frameworks (such as single/multiple logic control constructs and string Row/parallel organization) computer, and include specific analog/digital integrated circuit, such as field programmable gate array (FPGA), special circuit (ASIC), signal transmitting and receiving circuit and other process circuit equipment.To computer program, instruction, code Deng reference be appreciated that include for programmable control circuit software or firmware.Including such as lower module:
Acquiring unit 21:Obtain multiple packets;The source of the packet can be limited passage, or channel radio Road.Electrical equipment can be sent to by server, or electrical equipment is sent to server.
Filter element 22:Hook Function by carry on network protocol stack hook point obtains many in multiple packets Individual data on flows bag;Network protocol stack is arranged at the Netfilter framework in linux kernel.
Taxon 23:By hashing algorithm, the plurality of data on flows bag is classified;
Statistic unit 24:Count the flow value of all kinds of data on flows bags.
Aforesaid class unit adopts hash algorithm, according to the key in the source network address and destination address of multiple packets Value is classified to the plurality of data on flows bag.Key value is that in source network address and destination address, 25-32 position is corresponding Lowest numeric.Multiple data on flows bags are categorized as N class data on flows bag (first kind data on flows bag, Equations of The Second Kind data on flows Bag, to N class data on flows bag), after the completion of classification, count the flow value of each class data on flows bag.
Aforementioned means, also include to send the transmitting element of the flow value to User space program of all kinds of data on flows bags. User space program is in User space, and User space is separated with linus kernel.
User space (user mode) refers to two similar concepts in computer configuation.In the design of CPU, User space refers to Unprivileged.In this case, the code of execution is limited by hardware, it is impossible to carry out some operations, such as writes other processes Memory space, to prevent from bringing potential safety hazard to operating system.In the design of operating system, User space is also similar to, and refers to non- The execution state of privilege.Kernel forbids that the code under this state carries out the operation of potential danger, such as writing system configuration file, Kill the process of other users, restart system etc..
Kernel state is kernel mode again, and kernel mode is the pattern run by operating system nucleus, operates in the code of the pattern, Unrestrictedly system storage, external equipment can be conducted interviews.
Netfilter is the Linux fire prevention wall telephone of a new generation after the IPchains of IPfwadm, 2.2.x of 2.0.x System.Netfilter adopts modularized design, with good expandability.Its important tool module I PTables is connected to In the framework of Netfilter, and allow user to carry out datagram to filter, address conversion, the operation such as process.Netfilter There is provided a framework, the direct interference of network code will be preferably minimized, and allow to process other bags with the interface of regulation Code is added in kernel in modular form, with extremely strong motility.
The program segment of actually one process message of hook, is called by system, it is linked into system.Whenever specific Message sends, and before purpose window is not reached, hook program just first captures the message, that is, Hook Function is first controlled Power.At this moment Hook Function i.e. can be with processed (change) message, it is also possible to does not deal with and continues to transmit the message, may be used also To force the transmission of end.A hook chain is safeguarded by system to each type of hook, the hook that installs recently is put In the beginning of chain, and the hook that installs at first is placed on finally, that is, the first acquisition control for adding afterwards.Win32's to be realized System hook, it is necessary to call api function SetWindowsHookEx in SDK to install this Hook Function, this function Prototype is HHOOK SetWindowsHookEx (int idHook, HOOKPROC lpfn, HINSTANCE hMod, DWORD dwThreadId);, wherein, first parameter is the type of hook;Second parameter is the address of Hook Function;3rd ginseng Number is the module handle comprising Hook Function;4th parameter specifies the thread of supervision.If specifying the thread for determining, as line The special hook of journey;If being appointed as sky, as global hook.Wherein, global hook function must be included in DLL (dynamic link Storehouse) in, and the special hook of thread is further included in executable file.The Hook Function for obtaining control is completed to message Process after, if it is desired to the message continues transmission, then it must call the api function in another SDK CallNextHookEx is transmitting it.Hook Function can also abandon the message by directly returning TRUE, and prevent this from disappearing The transmission of breath.
Hashing algorithm is hash algorithm again, and the binary value of random length is mapped as shorter regular length by hash algorithm Binary value, this little binary value is referred to as cryptographic Hash.Cryptographic Hash is the unique and extremely compact numerical tabular of one piece of data Show form.If hashing one section of plaintext and even only changing a letter of the paragraph, subsequent Hash will all produce different Value.Two different inputs of the hash for same value are found, is computationally impossible, so the cryptographic Hash of data Can be with the integrity of inspection data.It is generally used for quick lookup and AES.Hash table is the hash function H according to setting (key) with process collision method, one set of keyword is mapped on a limited address section, and with keyword in address area Between in as used as storage location of the record in table, this table is referred to as Hash table or hash, and gained storage location is referred to as Hash Address or hash address.As linear data structure compared with form and queue etc., it is very fast that Hash table is undoubtedly to look for speed ratio One kind.By the fixation that unidirectional mathematical function (sometimes referred to as " hash algorithm ") is applied to obtained by any number of data The result of size.If changed in input data, Hash can also change.Hash can be used for many operations, including body Part checking and digital signature.Also referred to as " eap-message digest ".Simplicity of explanation:Hash (Hash) algorithm, i.e. hash function.It is a kind of One-way cipher system, i.e., it is an irreversible mapping from plaintext to ciphertext, only ciphering process, without decrypting process. Meanwhile, the input of random length can be fixed after change hash function the output of length.Hash function this The feature for planting characteristic of unidirectional and the fixation of output data length allows it to generate message or data.
Embodiment 3.
Referring to Fig. 3, a kind of radio reception device with traffic statistic function, including the channel radio for obtaining packet Processor 1 and the memory module 3 for coupling and periphery connect with the processor 1 that news module 2 is coupled with the wireless communication module Mouth circuit 6.Radio reception device be based on openwrt Open Source Platform, can self-defined loading software module, realize access device pair The support of vector network host-host protocol.OpenWRT is a high modularization, supermatic embedded Linux system, gathers around Have powerful networking component and autgmentability, be typically used to industrial control equipment, phone, small scale robot, smart home, router with And in VOIP equipment.Meanwhile, it additionally provides more than 100 a compiled good software, and quantity is also being continuously increased, and OpenWrt SDK more simplifies the operation of exploitation software.OpenWRT is different from other many for the release of router, it It is a router operating system that is writing, multiple functional, being easily modified of starting from scratch.
Network protocol stack is set in the processor 1, the hook point of the network protocol stack is provided with Hook Function, for obtaining Take the multiple data on flows bags in the plurality of packet;The network protocol stack is arranged at the Netfilter in linux kernel Framework, the linux kernel is in the processor.
The processor is classified to the plurality of data on flows bag by hashing algorithm and is counted all kinds of flows The flow value of packet.
Processor adopts hash algorithm, according to the key value in the source network address and destination address of multiple packets to institute State multiple data on flows bags to be classified.Key value is the corresponding minimum number in 25-32 position in source network address and destination address Word.Multiple data on flows bags are categorized as N class data on flows bag, and (first kind data on flows bag, Equations of The Second Kind data on flows bag, to arriving N class data on flows bag), after the completion of classification, count the flow value of each class data on flows bag.
The processor sends the flow value of all kinds of data on flows bags to User space program, and the User space program sets In the processor 1.The linux kernel adopts NetLink communication mechanism with the User space program.
Also include the power module 4 that powers to the radio reception device.Power module 4 include DC-AC conversion device or The conversion equipment of person's DC-to-dc.The peripheral interface circuit 5 includes Wi-Fi switch 501, SR 502, display lamp 503 Or RJ45 network interface 504.The RJ45 network interface at least includes a WAN mouth and at least one LAN mouth.
Power module 4 obtains+3.3V DC source to no by DC-AC conversion device or DC-to-dc conversion equipment Line access device is powered.Wireless device can provide stable Wireless-wire letter for residing periphery in normal operating conditions Number, while traffic filtering and traffic statistic function can be carried out for radio reception device end.The Wi-Fi switch of radio reception device 501 wireless switchings that can control access device, it is ensured that environmental protection of the user in sleeping at night is radiationless, display lamp 503 The working condition of access device can be shown, SR 502 can recover radio reception device and return to Default Value, in case frequently it Need.
User space (user mode) refers to two similar concepts in computer configuation.In the design of CPU, User space refers to Unprivileged.In this case, the code of execution is limited by hardware, it is impossible to carry out some operations, such as writes other processes Memory space, to prevent from bringing potential safety hazard to operating system.In the design of operating system, User space is also similar to, and refers to non- The execution state of privilege.Kernel forbids that the code under this state carries out the operation of potential danger, such as writing system configuration file, Kill the process of other users, restart system etc..
Kernel state is kernel mode again, and kernel mode is the pattern run by operating system nucleus, operates in the code of the pattern, Unrestrictedly system storage, external equipment can be conducted interviews.
Netfilter is the Linux fire prevention wall telephone of a new generation after the IPchains of IPfwadm, 2.2.x of 2.0.x System.Netfilter adopts modularized design, with good expandability.Its important tool module I PTables is connected to In the framework of Netfilter, and allow user to carry out datagram to filter, address conversion, the operation such as process.Netfilter There is provided a framework, the direct interference of network code will be preferably minimized, and allow to process other bags with the interface of regulation Code is added in kernel in modular form, with extremely strong motility.
The program segment of actually one process message of hook, is called by system, it is linked into system.Whenever specific Message sends, and before purpose window is not reached, hook program just first captures the message, that is, Hook Function is first controlled Power.At this moment Hook Function i.e. can be with processed (change) message, it is also possible to does not deal with and continues to transmit the message, may be used also To force the transmission of end.A hook chain is safeguarded by system to each type of hook, the hook that installs recently is put In the beginning of chain, and the hook that installs at first is placed on finally, that is, the first acquisition control for adding afterwards.Win32's to be realized System hook, it is necessary to call api function SetWindowsHookEx in SDK to install this Hook Function, this function Prototype is HHOOK SetWindowsHookEx (int idHook, HOOKPROC lpfn, HINSTANCE
hMod,DWORD dwThreadId);, wherein, first parameter is the type of hook;Second parameter is hook The address of function;3rd parameter is the module handle comprising Hook Function;4th parameter specifies the thread of supervision.If referred to The fixed thread for determining, the as special hook of thread;If being appointed as sky, as global hook.Wherein, global hook function is necessary It is included in DLL (dynamic link library), and the special hook of thread is further included in executable file.Obtain the hook of control Subfunction is after the process to message is completed, if it is desired to which the message continues transmission, then it must call in another SDK Api function CallNextHookEx transmitting it.Hook Function can also abandon the message by directly returning TRUE, and Prevent the transmission of the message.
Hashing algorithm is hash algorithm again, and the binary value of random length is mapped as shorter regular length by hash algorithm Binary value, this little binary value is referred to as cryptographic Hash.Cryptographic Hash is the unique and extremely compact numerical tabular of one piece of data Show form.If hashing one section of plaintext and even only changing a letter of the paragraph, subsequent Hash will all produce different Value.Two different inputs of the hash for same value are found, is computationally impossible, so the cryptographic Hash of data Can be with the integrity of inspection data.It is generally used for quick lookup and AES.Hash table is the hash function H according to setting (key) with process collision method, one set of keyword is mapped on a limited address section, and with keyword in address area Between in as used as storage location of the record in table, this table is referred to as Hash table or hash, and gained storage location is referred to as Hash Address or hash address.As linear data structure compared with form and queue etc., it is very fast that Hash table is undoubtedly to look for speed ratio One kind.By the fixation that unidirectional mathematical function (sometimes referred to as " hash algorithm ") is applied to obtained by any number of data The result of size.If changed in input data, Hash can also change.Hash can be used for many operations, including body Part checking and digital signature.Also referred to as " eap-message digest ".Simplicity of explanation:Hash (Hash) algorithm, i.e. hash function.It is a kind of One-way cipher system, i.e., it is an irreversible mapping from plaintext to ciphertext, only ciphering process, without decrypting process. Meanwhile, the input of random length can be fixed after change hash function the output of length.Hash function this The feature for planting characteristic of unidirectional and the fixation of output data length allows it to generate message or data.
A kind of specific example, such as aforementioned radio reception device are that router, the router is wirelessly connected with household electrical appliance. The router include for obtain the wireless communications chips of packet and wireless communications chips coupling main control chip and with The memory module of the main control chip coupling and peripheral interface circuit,
Network protocol stack is set in the main control chip, and the hook point of the network protocol stack is provided with Hook Function, is used for Obtain the multiple data on flows bags in the plurality of packet;The network protocol stack is arranged in linux kernel Netfilter framework, the linux kernel is in the main control chip.
The main control chip is classified to the plurality of data on flows bag by hashing algorithm and is counted all kinds of streams The flow value of amount packet.
Main control chip adopts hash algorithm, according to the key value pair in the source network address and destination address of multiple packets The plurality of data on flows bag is classified.Key value is the corresponding minimum in 25-32 position in source network address and destination address Numeral.Multiple data on flows bags be categorized as N class data on flows bag (first kind data on flows bag, Equations of The Second Kind data on flows bag, extremely To N class data on flows bag), after the completion of classification, count the flow value of each class data on flows bag.
The main control chip sends the flow value of all kinds of data on flows bags to User space program, the User space program In the main control chip.The linux kernel adopts NetLink communication mechanism with the User space program.
In addition, as used in this application, term " module ", " device " refer to the whole of following items:
(1) circuit implementation (such as with the embodiment of only analog and/or digital circuit arrangement) of only hardware;
(2) combination of circuit and software, such as:I the combination of () control circuit or (ii) control circuit/software are (including number Word signal control circuit), the part of software and memorizer, its cooperation is to cause such as mobile phone or server etc Equipment executes various functions;And
(3) circuit of such as micro-control circuit or micro-control circuit part etc, which needs the software for operating or solid Part, even if software or firmware are not physically presented.
The definition of " unit " or " device " suitable for all (include any claim) in the embodiment above right The use of the term.As another example, term " module " can also cover only one control circuit or control circuit part with And the way of example of its attached software and/or firmware.Term " device " can also cover such as adhesive integrated circuit, Cellular Networks Based band integrated circuit in network equipment or other network equipments or application control circuit integrated circuit.
The present invention is the flow process with reference to method according to embodiments of the present invention, equipment (system) and computer program Figure and/or block diagram are describing.It should be understood that can be by computer program instructions flowchart and/or each stream in block diagram Journey and/or the combination of square frame and flow chart and/or the flow process in block diagram and/or square frame.These computer programs can be provided The processor of general purpose computer, special-purpose computer, Embedded Processor or other programmable data processing device is instructed to produce A raw machine so that produced for reality by the instruction of computer or the computing device of other programmable data processing device Present one flow process of flow chart or the device of multiple flow processs and/or one square frame of block diagram or the function in multiple square frames.
Although preferred embodiments of the present invention have been described, but those skilled in the art once know basic creation Property concept, then can make other change and modification to these embodiments.So, claims are intended to be construed to include excellent Select embodiment and fall into being had altered and changing for the scope of the invention.
Obviously, those skilled in the art can carry out the essence of various changes and modification without deviating from the present invention to the present invention God and scope.So, if these modifications of the present invention and modification belong to the scope of the claims in the present invention and its equivalent technologies Within, then the present invention is also intended to comprising these changes and modification.

Claims (20)

1. flow statistical method, comprises the steps:
Obtain multiple packets;
Hook Function by carry on network protocol stack hook point obtains the multiple data on flows bags in multiple packets;
By hashing algorithm, the plurality of data on flows bag is classified;
Count the flow value of all kinds of data on flows bags.
2. flow statistical method according to claim 1, it is characterised in that:The network protocol stack is arranged at linux kernel In Netfilter framework.
3. flow statistical method according to claim 1, it is characterised in that described to passing through the plurality of flow of hash function Packet is classified, including:Using hash algorithm, according to the key in the source network address and destination address of multiple packets Value is classified to the plurality of data on flows bag.
4. flow statistical method according to claim 3, it is characterised in that:The key value is source network address and destination The corresponding lowest numeric in 25-32 position in location.
5. flow statistical method according to claim 1, it is characterised in that also include to send all kinds of data on flows bags Flow value is to User space program.
6. flow statistic device, including such as lower module:
Acquiring unit, obtains multiple packets;
Filter element, the Hook Function by carry on network protocol stack hook point obtains the multiple flows in multiple packets Packet;
Taxon, is classified to the plurality of data on flows bag by hashing algorithm;
Statistic unit, counts the flow value of all kinds of data on flows bags.
7. flow statistic device according to claim 6, it is characterised in that:The network protocol stack is arranged at linux kernel In Netfilter framework.
8. flow statistic device according to claim 6, it is characterised in that the taxon adopts hash algorithm, according to Key value in the source network address and destination address of multiple packets is classified to the plurality of data on flows bag.
9. flow statistic device according to claim 8, it is characterised in that:The key value is source network address and destination The corresponding lowest numeric in 25-32 position in location.
10. flow statistic device according to claim 6, it is characterised in that also include transmitting element, send all kinds of streams The flow value of amount packet is to User space program.
11. radio reception devices with traffic statistic function, including for obtain the wireless communication module of packet with described The processor of wireless communication module coupling and the memory module with processor coupling and peripheral interface circuit, its feature exists In:
Network protocol stack is set in the processor, and the hook point of the network protocol stack is provided with Hook Function, for obtaining State the multiple data on flows bags in multiple packets;
The processor is classified to the plurality of data on flows bag by hashing algorithm and is counted all kinds of datas on flows The flow value of bag.
12. radio reception devices according to claim 11 with traffic statistic function, it is characterised in that:The network association View stack is arranged at the Netfilter framework in linux kernel, and the linux kernel is in the processor.
13. radio reception devices according to claim 11 with traffic statistic function, it is characterised in that described to passing through The plurality of data on flows bag of hash function is classified, including:Using hash algorithm, according to the source network ground of multiple packets Key value in location and destination address is classified to the plurality of data on flows bag.
14. radio reception devices according to claim 13 with traffic statistic function, it is characterised in that:The key value For the corresponding lowest numeric in 25-32 position in source network address and destination address.
15. radio reception devices according to claim 12 with traffic statistic function, it is characterised in that the processor The flow value of all kinds of data on flows bags is sent to User space program, the User space program is in the processor.
16. radio reception devices according to claim 11 with traffic statistic function, it is characterised in that also include to institute State the power module that radio reception device is powered.
17. radio reception devices according to claim 11 with traffic statistic function, it is characterised in that the periphery connects Mouth circuit includes Wi-Fi switch, SR, display lamp or RJ45 network interface.
18. radio reception devices according to claim 15 with traffic statistic function, it is characterised in that the linux Kernel adopts NetLink communication mechanism with the User space program.
19. radio reception devices according to claim 16 with traffic statistic function, it is characterised in that the power supply mould Block includes the conversion equipment of DC-AC conversion device or DC-to-dc.
20. radio reception devices according to claim 17 with traffic statistic function, it is characterised in that the RJ45 net Network interface at least includes a WAN mouth and at least one LAN mouth.
CN201610859258.6A 2016-09-28 2016-09-28 Traffic flow statistics method and device, and wireless access equipment with traffic flow statistics function Pending CN106452856A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610859258.6A CN106452856A (en) 2016-09-28 2016-09-28 Traffic flow statistics method and device, and wireless access equipment with traffic flow statistics function

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610859258.6A CN106452856A (en) 2016-09-28 2016-09-28 Traffic flow statistics method and device, and wireless access equipment with traffic flow statistics function

Publications (1)

Publication Number Publication Date
CN106452856A true CN106452856A (en) 2017-02-22

Family

ID=58171234

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610859258.6A Pending CN106452856A (en) 2016-09-28 2016-09-28 Traffic flow statistics method and device, and wireless access equipment with traffic flow statistics function

Country Status (1)

Country Link
CN (1) CN106452856A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107241283A (en) * 2017-05-23 2017-10-10 国家计算机网络与信息安全管理中心 A kind of East and West direction network traffics mirror image acquisition method across main frame tenant
CN108259478A (en) * 2017-12-29 2018-07-06 中国电力科学研究院有限公司 Safety protecting method based on industry control terminal device interface HOOK
CN113132259A (en) * 2019-12-31 2021-07-16 北京金山云网络技术有限公司 Traffic data packet statistical method, device, equipment and storage medium
CN113132261A (en) * 2019-12-31 2021-07-16 北京金山云网络技术有限公司 Traffic data packet classification method and device and electronic equipment
CN113726917A (en) * 2020-05-26 2021-11-30 网神信息技术(北京)股份有限公司 Domain name determination method and device and electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101389085A (en) * 2008-10-14 2009-03-18 中国联合通信有限公司 Rubbish short message recognition system and method based on sending behavior
CN101873640A (en) * 2010-05-27 2010-10-27 华为终端有限公司 Flow processing method, device and mobile terminal
CN102307136A (en) * 2011-07-06 2012-01-04 杭州华三通信技术有限公司 Method for processing message and device thereof
CN102780591A (en) * 2011-05-12 2012-11-14 弗兰克公司 Method and apparatus for distinguishing and sampling bi-directional network traffic at a conversation level
CN103139315A (en) * 2013-03-26 2013-06-05 烽火通信科技股份有限公司 Application layer protocol analysis method suitable for home gateway
CN103763154A (en) * 2014-01-11 2014-04-30 浪潮电子信息产业股份有限公司 Network flow detection method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101389085A (en) * 2008-10-14 2009-03-18 中国联合通信有限公司 Rubbish short message recognition system and method based on sending behavior
CN101873640A (en) * 2010-05-27 2010-10-27 华为终端有限公司 Flow processing method, device and mobile terminal
CN102780591A (en) * 2011-05-12 2012-11-14 弗兰克公司 Method and apparatus for distinguishing and sampling bi-directional network traffic at a conversation level
CN102307136A (en) * 2011-07-06 2012-01-04 杭州华三通信技术有限公司 Method for processing message and device thereof
CN103139315A (en) * 2013-03-26 2013-06-05 烽火通信科技股份有限公司 Application layer protocol analysis method suitable for home gateway
CN103763154A (en) * 2014-01-11 2014-04-30 浪潮电子信息产业股份有限公司 Network flow detection method

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107241283A (en) * 2017-05-23 2017-10-10 国家计算机网络与信息安全管理中心 A kind of East and West direction network traffics mirror image acquisition method across main frame tenant
CN108259478A (en) * 2017-12-29 2018-07-06 中国电力科学研究院有限公司 Safety protecting method based on industry control terminal device interface HOOK
CN108259478B (en) * 2017-12-29 2021-10-01 中国电力科学研究院有限公司 Safety protection method based on industrial control terminal equipment interface HOOK
CN113132259A (en) * 2019-12-31 2021-07-16 北京金山云网络技术有限公司 Traffic data packet statistical method, device, equipment and storage medium
CN113132261A (en) * 2019-12-31 2021-07-16 北京金山云网络技术有限公司 Traffic data packet classification method and device and electronic equipment
CN113132259B (en) * 2019-12-31 2022-07-05 北京金山云网络技术有限公司 Traffic data packet statistical method, device, equipment and storage medium
CN113726917A (en) * 2020-05-26 2021-11-30 网神信息技术(北京)股份有限公司 Domain name determination method and device and electronic equipment
CN113726917B (en) * 2020-05-26 2024-04-12 奇安信网神信息技术(北京)股份有限公司 Domain name determination method and device and electronic equipment

Similar Documents

Publication Publication Date Title
CN106452856A (en) Traffic flow statistics method and device, and wireless access equipment with traffic flow statistics function
CN101599963B (en) Suspected network threat information screener and screening and processing method
CN105357137B (en) Message filtering method and the FPGA being applicable in, intelligent substation
CN103428094A (en) Method and device for packet transmitting in Open Flow system
CN106921637A (en) The recognition methods of the application message in network traffics and device
CN103763695B (en) Method for evaluating safety of internet of things
CN107659612A (en) Data transfer control method and device based on device packets
CN109120524A (en) Link aggregation method and relevant device
CN103200123A (en) Safety control method of switchboard port
CN105141637A (en) Transmission encryption method taking flows as granularity
TW201431320A (en) Method and network device for loop detection
JP6671112B2 (en) Method and apparatus for flexible and efficient analysis in network switch
CN102158422B (en) Message forwarding method and equipment for layer 2 ring network
CN102790966A (en) Method for multithreaded communication between network nodes of wireless sensor and gateway
CN103532908A (en) P2P protocol identification method based on secondary decision tree
CN107306412A (en) Method, user equipment and base station to realize message transmitting
CN104917703B (en) Defence line head of line blocking method and system based on SDN
CN105450647B (en) A kind of method and system preventing message aggression
CN103905184A (en) Classical network and quantum secret communication network integration traffic control method
CN104734884B (en) A kind of GOOSE communication means and device
CN105323234B (en) Service node ability processing method, device, business classifier and service controller
Kaur et al. Simulation and investigation of Zigbee sensor network with mobility support
Hamood et al. Keywords Sensitivity Recognition of Military Applications in Secure CRNs Environments
Pagano et al. RTNS: an NS-2 extension to simulate wireless real-time distributed systems for structured topologies
Jiang et al. Performance bounds of distributed CSMA scheduling

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170222

RJ01 Rejection of invention patent application after publication