Disclosure of Invention
In order to solve the above problems, the present invention provides a method for quickly and accurately positioning an original network data packet, comprising the following steps:
Step one: the server collects network traffic data packets, records the timestamp of each original network data packet, and numbers the original network data packets that share the same timestamp; it then stores the original network data packets sequentially on the server, using the timestamp as the index.
Step two: when a transaction log or an alarm log is generated while the data packets are analyzed, the server stores the log and records in it the timestamp and number of each original network data packet that generated the transaction log or alarm log.
Step three: the client queries the generated transaction logs or alarm logs.
Step four: the client locates the original network data packet corresponding to each transaction log or alarm log according to the timestamp and the number.
Further, in step one, the original network data packet is stored as follows: fixed-length header information is written first, holding the related information of the original network data packet, and then the original content of the original network data packet is written.
Further, in step one, the header information includes: the timestamp of the original network data packet, the number of the original network data packet, and the length of the original content of the original network data packet.
Further, step four specifically comprises:
Step 4.1: reading the timestamp and the number recorded in the transaction log or alarm log to be located.
Step 4.2: using the timestamp as the index, reading all original network data packets stored on the server that have the same timestamp.
Step 4.3: filtering the original network data packets read in step 4.1 by number, and finding the original network data packet with the matching number.
Step 4.4: repeating steps 4.1 to 4.3 until the original network data packets corresponding to all transaction logs or alarm logs have been located.
Further, step 4.3 specifically comprises: starting from the initial storage position of the original network data packets acquired in step 4.1, checking the header information written for the first original network data packet and judging whether the stored number matches the number of the original network data packet to be located. If they match, that original network data packet is the one to be located, and its original content is the packet content to be located; if they do not match, the next original network data packet is checked, and the packets are matched one by one until the matching original network data packet is found or the number of the original network data packet being read is larger than the number of the packet to be located.
Furthermore, each original network data packet with the same timestamp has a different offset, equal to the sum of the lengths of the original network data packets stored before it; in step 4.3 the original network data packets are matched one by one by advancing the offset.
Further, the offset of the original network packet at the start position is 0.
Further, the length of the original network data packet is the sum of the length of the header and the length of the original content.
Further, in step two, when the transaction log or alarm log is generated by a plurality of consecutive data packets, the numbers of those data packets are recorded as a range (interval).
The beneficial effects of the invention are:
The invention innovates the storage mode of the original network data packet by adding timestamp and number information and writing that information into the log, so that the client can locate the original network data packet through the timestamp and number. The client first narrows the candidates to a small range of original network data packets through the timestamp, then filters them further by number matching, achieving quick and accurate positioning.
Detailed Description
The method comprises the following steps:
Step one: the server collects network traffic data packets, records the timestamp of each original network data packet, and numbers the original network data packets; it then stores the original network data packets sequentially on the server's disk, using the timestamp as the index.
To realize positioning, the embodiment innovates the storage mode of the original network data packet and marks each data packet with a timestamp and a number. The original network data packet is stored as follows: fixed-length header information is written first to store related information about the original network data packet, and then the original content of the original network data packet is written. The header information comprises at least the following fields: the timestamp of the original network data packet, the number of the original network data packet, and the original content length of the original network data packet (i.e. the length of the content written after the header). The length of the entire original network data packet equals the sum of the header length and the original content length.
Step two: when a transaction log or an alarm log is generated while the data packets are analyzed, the server stores the log and records in it the timestamp and number of each original network data packet that generated the transaction log or alarm log. Preferably, when the transaction log or alarm log is generated by a plurality of consecutive data packets, the numbers of those data packets are recorded in range format. Using the timestamp and the number, the original network data packet can be located quickly.
Step three: the client queries the generated transaction logs or alarm logs.
The timestamp and number information of these packets are also passed to the client during the query.
Step four: the client locates the original network data packet corresponding to each transaction log or alarm log according to the timestamp and the number.
The specific method comprises the following steps:
Step 4.1: reading the timestamp and number of each original network data packet from the transaction log or alarm log to be located.
Step 4.2: using the timestamp as the index, reading all original network data packets stored on the server disk that have the same timestamp.
Step 4.3: filtering the original network data packets read in step 4.1 by number, and finding the original network data packets with the matching numbers.
Specifically: starting from the initial storage position (i.e. offset 0) of the original network data packets acquired in step 4.1, check the header information written for the first original network data packet and judge whether the stored number matches the number of an original network data packet to be located. If they match, that original network data packet is the one to be located, and the client reads its original content as the packet content to be located; if they do not match, the next original network data packet is checked, and the packets are matched one by one until the matching original network data packet is found or the number of the original network data packet being read is larger than the number of the packet to be located.
Further, matching the original network data packets with the same timestamp one by one is realized by calculating the offset: the offset of each original network data packet is the sum of the total lengths of the preceding original network data packets. For example, the offset of the first original network data packet is 0; if the fixed header length is a and the following original content length is b (the original content length b is stored in the header information), the offset of the second original network data packet is a + b. The header information written for the second original network data packet, at offset a + b, is checked to judge whether the stored number matches the number of another data packet to be located. The offset of the original network data packet at the start position is generally taken to be 0.
Step 4.4: repeating steps 4.1 to 4.3 until the original network data packets corresponding to all transaction logs or alarm logs have been accurately located.
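As an added illustration of steps one through four (this is not code from the patent), the following Python models the header-plus-content storage format, per-timestamp numbering, and the offset-walking lookup with its early stop when the stored number exceeds the target. The concrete header layout (8-byte timestamp, 4-byte number, 4-byte content length) and the in-memory buffer standing in for the server disk are assumptions.

```python
import struct
from collections import defaultdict

# Assumed fixed-length header (the patent only names the fields): big-endian
# 8-byte timestamp, 4-byte packet number, 4-byte content length; a = 16 bytes.
HEADER = struct.Struct(">QII")


class PacketStore:
    """In-memory stand-in for the server disk: one record buffer per timestamp."""

    def __init__(self):
        self.buffers = defaultdict(bytearray)
        self.next_number = defaultdict(int)  # numbering restarts per timestamp

    def store(self, ts, content):
        """Step one: number the packet within its timestamp, append header + content."""
        number = self.next_number[ts]
        self.next_number[ts] += 1
        self.buffers[ts] += HEADER.pack(ts, number, len(content)) + content
        return number

    def locate(self, ts, number):
        """Steps 4.2/4.3: index by timestamp, then walk records by offset."""
        buf = self.buffers.get(ts)
        if buf is None:
            return None
        offset = 0  # the first packet of a timestamp starts at offset 0
        while offset + HEADER.size <= len(buf):
            _, num, length = HEADER.unpack_from(buf, offset)
            if num == number:
                start = offset + HEADER.size
                return bytes(buf[start:start + length])
            if num > number:  # numbers increase, so the target cannot follow
                return None
            offset += HEADER.size + length  # offset = sum of preceding lengths
        return None


def locate_from_log(store, log_entry):
    """Step 4: resolve a log entry whose number is an int or a (first, last) range."""
    ts, num = log_entry["timestamp"], log_entry["number"]
    numbers = range(num[0], num[1] + 1) if isinstance(num, tuple) else [num]
    return [store.locate(ts, n) for n in numbers]


def build_sample_store():
    """Constructed sample traffic (not from the patent): three packets at one timestamp, one at the next."""
    s = PacketStore()
    for ts, content in [(100, b"SYN"), (100, b"SYN-ACK"), (100, b"GET /"), (101, b"200 OK")]:
        s.store(ts, content)
    return s
```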