CN108900374A - A kind of data processing method and device applied to DPI equipment - Google Patents

A kind of data processing method and device applied to DPI equipment Download PDF

Info

Publication number
CN108900374A
CN108900374A CN201810654859.2A CN201810654859A CN108900374A CN 108900374 A CN108900374 A CN 108900374A CN 201810654859 A CN201810654859 A CN 201810654859A CN 108900374 A CN108900374 A CN 108900374A
Authority
CN
China
Prior art keywords
target
data stream
target data
application type
layer protocol
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810654859.2A
Other languages
Chinese (zh)
Other versions
CN108900374B (en
Inventor
吴胜万
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wangsu Science and Technology Co Ltd
Original Assignee
Wangsu Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wangsu Science and Technology Co Ltd filed Critical Wangsu Science and Technology Co Ltd
Priority to CN201810654859.2A priority Critical patent/CN108900374B/en
Publication of CN108900374A publication Critical patent/CN108900374A/en
Application granted granted Critical
Publication of CN108900374B publication Critical patent/CN108900374B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/026Capturing of monitoring data using flow identification
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/028Capturing of monitoring data by filtering

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a kind of data processing method and device applied to DPI equipment, belong to technical field of data processing.The method includes:When receiving target data stream, the target application layer protocol that the target data stream uses is determined;The object message feature for obtaining the target data stream identifies the corresponding target application type of the object message feature in conjunction with the corresponding default recognition rule of the target application layer protocol;The target data stream is distributed to the corresponding target processing devices of the target application type.Using the present invention, the treatment effeciency of data flow can be improved.

Description

A kind of data processing method and device applied to DPI equipment
Technical field
The present invention relates to technical field of data processing, in particular to a kind of data processing method applied to DPI equipment and Device.
Background technique
Currently, a kind of development trend of high flow capacity high bandwidth, under this development trend, DPI (Deep is presented in internet Packet Inspection, deep-packet detection) equipment is widely applied.DPI equipment is a kind of flow detection device, one As dispose at key node in a network, detection identification can be carried out to by the data flow of key node, then will known Other result is sent to corresponding analysis platform, and analysis platform can be carried out based on recognition result to by the data flow of key node Analysis statistics.
DPI equipment can be identified and be answered used by data flow based on the message in data flow after receiving data flow With layer protocol, such as FTP (File Transfer Protocol, File Transfer Protocol), SMTP (Simple Mail Transfer Protocol, Simple Mail Transfer protocol), HTTP (Hyper Text Transfer Protocol, hypertext Transport protocol) etc. agreements and each message characteristic, such as message length, each message field (MFLD) carry information feature.So Afterwards, DPI equipment can be generated journal file and be sent it to above-mentioned analysis platform based on the above- mentioned information identified.Due to Existing DPI equipment is mainly used for identifying the corresponding application layer protocol of data flow and message characteristic, more coarse to the processing of data, Therefore, a kind of data processing method for being preferably applied to DPI equipment is needed.
Summary of the invention
In order to solve problems in the prior art, the embodiment of the invention provides a kind of data processings applied to DPI equipment Method and apparatus.The technical solution is as follows:
In a first aspect, a kind of data processing method applied to DPI equipment is provided, the method includes:
When receiving target data stream, the target application layer protocol that the target data stream uses is determined;
The object message feature for obtaining the target data stream, in conjunction with the corresponding default identification of the target application layer protocol Rule identifies the corresponding target application type of the object message feature;
The target data stream is distributed to the corresponding target processing devices of the target application type.
Further, after the target application layer protocol that the determination target data stream uses, further include:
Judge whether the target application layer protocol is application layer protocol to be processed;
If the target application layer protocol is application layer protocol to be processed, the target of the target data stream is obtained Message characteristic.
Further, after the corresponding target application type of the identification object message feature, further include:
It is the application type of the target data stream by the target application class record, wherein the target application class Type is to have identified application type or unidentified application type;
According to the application type of all data flows of record, statistics is described to have identified application type or the unidentified application The data flow of type accounts for the ratio of all data flows.
Further, the method also includes:
Target area belonging to the target data stream is determined according to the object message feature, and by the object message Feature is updated to the corresponding target database in the target area;
Based on the target database generate the target area range statistics as a result, by the range statistics result into Row page presentation.
Further, the method also includes:
Target data channel belonging to the target data stream is determined according to the object message feature;
The target flow information in the target data channel is counted, and the target is calculated based on the target flow information Data channel estimates bandwidth capacity;
If the adjustment threshold value estimated bandwidth capacity and be higher than the target data channel, generates to the number of targets According to the adjustment instruction in channel.
Second aspect, provides a kind of data processing equipment applied to DPI equipment, and described device includes:
Determining module, the target application layer used for when receiving target data stream, determining the target data stream Agreement;
Identification module, for obtaining the object message feature of the target data stream, in conjunction with the target application layer protocol Corresponding default recognition rule identifies the corresponding target application type of the object message feature;
Distribution module is set for the target data stream to be distributed to the corresponding target processing of the target application type It is standby.
Further, described device further includes judgment module, is used for:
Judge whether the target application layer protocol is application layer protocol to be processed;
If the target application layer protocol is application layer protocol to be processed, the target of the target data stream is obtained Message characteristic.
Further, described device further includes statistical module, is used for:
It is the application type of the target data stream by the target application class record, wherein the target application class Type is to have identified application type or unidentified application type;
According to the application type of all data flows of record, statistics is described to have identified application type or the unidentified application The data flow of type accounts for the ratio of all data flows.
Further, described device further includes display module, is used for:
Target area belonging to the target data stream is determined according to the object message feature, and by the object message Feature is updated to the corresponding target database in the target area;
Based on the target database generate the target area range statistics as a result, by the range statistics result into Row page presentation.
Further, described device further includes generation module, is used for:
Target data channel belonging to the target data stream is determined according to the object message feature;
The target flow information in the target data channel is counted, and the target is calculated based on the target flow information Data channel estimates bandwidth capacity;
If the adjustment threshold value estimated bandwidth capacity and be higher than the target data channel, generates to the number of targets According to the adjustment instruction in channel.
The third aspect, provides a kind of network equipment, and the network equipment includes processor and memory, the memory In be stored at least one instruction, at least one section of program, code set or instruction set, at least one instruction, described at least one Duan Chengxu, the code set or instruction set are loaded by the processor and are executed to realize being applied to as described in relation to the first aspect The data processing method of DPI equipment.
Fourth aspect provides a kind of computer readable storage medium, at least one finger is stored in the storage medium Enable, at least one section of program, code set or instruction set, at least one instruction, at least one section of program, the code set or Instruction set is loaded by processor and is executed to realize the data processing method applied to DPI equipment as described in relation to the first aspect.
Technical solution bring beneficial effect provided in an embodiment of the present invention is:
In the present embodiment, when receiving target data stream, the target application layer that the target data stream uses is determined Agreement;The object message feature for obtaining the target data stream, in conjunction with the corresponding default identification rule of the target application layer protocol Then, the corresponding target application type of the object message feature is identified;The target data stream is distributed to the target application The corresponding target processing devices of type.In this way, DPI equipment not only can carry out detection identification to data stream, can also will identify The data flow of application type is distributed to the processing equipment for handling the application type out, sets so as to give full play to each processing Standby processing capacity improves the treatment effeciency to the data flow of different application type.Also, DPI equipment can also unite region It counts result to be shown to scheme, in the form of table or text etc. in the corresponding administration interface of DPI equipment, so as to save manual sorting Required time and efforts, and accuracy rate with higher.Meanwhile the module rack of DPI equipment provided in an embodiment of the present invention Structure can integrate a variety of data processing functions, allow DPI equipment to be flexibly adapted to plurality of application scenes, so as to effective Reduce the management complexity and management cost of DPI equipment.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, make required in being described below to embodiment Attached drawing is briefly described, it should be apparent that, drawings in the following description are only some embodiments of the invention, for For those of ordinary skill in the art, without creative efforts, it can also be obtained according to these attached drawings other Attached drawing.
Fig. 1 is a kind of DPI equipment application scene figure provided in an embodiment of the present invention;
Fig. 2 is a kind of data processing method flow chart applied to DPI equipment provided in an embodiment of the present invention;
Fig. 3 is a kind of module rack composition of DPI equipment provided in an embodiment of the present invention;
Fig. 4 is the structural schematic diagram of equipment configuration module in Fig. 3;
Fig. 5 is a kind of data processing equipment structural diagram applied to DPI equipment provided in an embodiment of the present invention;
Fig. 6 is a kind of structural schematic diagram of DPI equipment provided in an embodiment of the present invention.
Specific embodiment
To make the object, technical solutions and advantages of the present invention clearer, below in conjunction with attached drawing to embodiment party of the present invention Formula is described in further detail.
The embodiment of the invention provides a kind of data processing methods applied to DPI equipment, and the executing subject of this method can Think that DPI equipment, DPI equipment can carry out detection identification to data stream, can be deployed in backbone network, Metropolitan Area Network (MAN) and enterprise The plurality of application scenes such as portion's network are made of as shown in Figure 1, DPI equipment can be directly deployed in network interface card and multiple network equipments Network device link in, in this way, network interface card output data flow can by the detection of DPI equipment identification after return again to next-hop The network equipment.It may include processor, memory, transceiver in above-mentioned DPI equipment, processor can be used for carrying out following streams To all kinds of processing of data in journey, memory can be used for storing the number of the data and generation that need in following treatment processes According to transceiver can be used for sending and receiving the related data in following treatment processes.Under certain conditions, above-mentioned DPI equipment Function can be realized by being embedded with the arbitrary equipment of DPI functional unit, the present embodiment by executing subject be DPI equipment for It is illustrated, remaining situation is similar therewith, repeats no more.
Below in conjunction with specific embodiment, to a kind of place of the data processing method applied to DPI equipment shown in Fig. 2 Reason process is described in detail, and content can be as follows:
Step 201:When receiving target data stream, the target application layer protocol that target data stream uses is determined.
In an implementation, the computer room of business service quotient can flow in or out a large amount of data traffic all the time, these Data traffic can be transmitted by way of data flow in equipment room, such as certain CDN (Content Delivery Network, content distributing network) service provider in the network computer room of certain regional deployment, can receive different user in the region The request data to different business issued, and corresponding business datum can be returned to each user.Business service quotient can be with DPI equipment is disposed at the node that computer room externally contacts, in this way, flowing in or out the data traffic of the computer room can pass through DPI equipment, so that DPI equipment can collect a plurality of data flow, then DPI equipment these data flows can be identified, The various data processings such as management.
Specifically, DPI equipment can be first when DPI equipment receives arbitrary data stream (can be described as target data stream) The packet parsing of network layer and transport layer is carried out, to the message of target data stream to obtain the following information of message:Source IP (Internet Protocol, Internet protocol) address, source port number, purpose IP address, destination slogan and protocol class Type, wherein protocol type can be TCP (Transmission Control Protocol, transmission control protocol), UDP (User Datagram Protocol, User Datagram Protocol), ICMP (Internet Control Message Protocol, network-control message protocol) etc. transport layer protocols.Later, DPI equipment can pass through well known port identification or feature Word knows the application layer protocol (can be described as target application layer protocol) for determining that target data stream uses otherwise.Known with well known port For other mode, since the protocol type of many standards all supports the port for defining or recommending using some standards or by operator Protocol identification is carried out, if File Transfer Protocol often uses port 20/21, smtp protocol often uses port 25, and http protocol is often adopted With port 80/8080, therefore, DPI equipment can be identified by the port numbers for the target data stream being resolved to according to well known port Mode come determine target data stream use target application layer protocol.
Optionally, DPI equipment can carry out selective processing to received data flow, correspondingly, specific processing can be as Under:Judge whether target application layer protocol is application layer protocol to be processed;If target application layer protocol is to be processed answers With layer protocol, then the object message feature of target data stream is obtained.
In an implementation, whether the application layer protocol that DPI equipment can be used based on data flow, setting carry out the data flow Processing.For example, DPI equipment can set certain application layer protocols to application layer protocol to be processed, and then DPI equipment can be with Only processing uses the data flow of application layer protocol to be processed.In this way, DPI equipment is in the target application layer for determining target data stream After agreement, it can be determined that whether target application layer protocol is application layer protocol to be processed, if target application layer protocol is Application layer protocol to be processed, then DPI equipment can continue the object message for obtaining target data stream according to follow-up processing flow Feature;If target application layer protocol is not application layer protocol to be processed, DPI equipment can to target data stream without Subsequent processing such as abandons the data flow, or directly lets pass to the data flow.
Step 202:Obtain the object message feature of target data stream, the corresponding default identification of combining target application layer protocol Rule, the corresponding target application type of identification object message feature.
In an implementation, business service quotient can preset the corresponding default knowledge of each application layer protocol in DPI equipment Irregular, DPI equipment can use default recognition rule and identify to the corresponding application type of different message characteristics, such as video The application types such as class application, voice class application, web page class application, son application under certain application provider.With http protocol pair For the default recognition rule for certain Video Applications for identification answered, if the fields such as host, uri, origin of message carry Information recognition rule successful match can be preset with this, if host field carries network address or the keyword of the Video Applications Show successful match, then DPI equipment can identify that the corresponding application type of the message characteristic is the Video Applications.In this way, DPI is set It is standby after determining the target application layer protocol of target data stream, can be based on target application layer protocol to the report of target data stream Text carries out application layer parsing, and then the available message characteristic to target data stream of DPI equipment (can be described as object message spy Sign), message characteristic can be the features such as the host field of URL, message carried in the source IP, destination IP, message of message.It Afterwards, DPI equipment can identify the corresponding target of object message feature with the corresponding default recognition rule of combining target application layer protocol Application type.
Optionally, DPI equipment can also count certain class after the corresponding target application type of identification object message feature The data flow of type accounts for the ratio of all data flows, and corresponding processing can be as follows:It is target data by target application class record The application type of stream, wherein target application type is to have identified application type or unidentified application type;According to all of record The application type of data flow counts the ratio for having identified that the data flow of application type or unidentified application type accounts for all data flows Example.
In an implementation, since new opplication emerges one after another, so that application type type is extremely more, DPI equipment may only often be known The application type of data flow can be divided into based on recognition result and identify application by other certain applications type, therefore, DPI equipment Type or unidentified application type, and then DPI equipment can count the discrimination of certain application type, that is, count certain application type Data flow accounts for the ratio of all data flows.In this way, DPI equipment the corresponding target application type of identification object message feature it Afterwards, as can recognize, application type or unidentified application type, the target application class record that can be will identify that are target data The application type of stream.Later, DPI equipment can be in real time or according to predetermined period, such as ten minutes or half an hour, based on record The application type of all data flows, statistics has identified that the data flow of application type accounts for the ratio of all data flows, or statistics is not The data flow of identification application type accounts for the ratio of all data flows.
Step 203:Target data stream is distributed to the corresponding target processing devices of target application type.
In an implementation, the node externally contacted in above-mentioned computer room can be set by wired or wireless mode and multiple processing Standby connection, meanwhile, different processing can be set for handling the data flow of certain application type, for example, pressing application function The server for handling video class application, the server for handling voice class application can be set, for handling certain application The server or service cluster of all sub- applications under provider can be set to processing Great Wall bandwidth industry by network operator The server of business, processing sing the server etc. of magnificent band width service.In this way, DPI equipment is identifying that object message feature is corresponding After target application type, target data stream can be distributed to the corresponding target processing devices of target application type, so as to The processing capacity of each processing equipment is given full play to, the treatment effeciency to the data flow of different application type is improved.It needs to illustrate It is that, if target application type is unidentified application type, target data stream can be distributed to unidentified application by DPI equipment The corresponding processing equipment of type, such as handling the general purpose processing device of any application.
Optionally, DPI equipment can count the message characteristic of data flow, and statistical result is carried out page exhibition Show, corresponding processing can be as follows:According to object message feature determine target data stream belonging to target area, and by target report Literary feature is updated to the corresponding target database in target area;The range statistics knot of target area is generated based on target database Range statistics result is carried out page presentation by fruit.
In an implementation, the region where receiving the processing equipment of data flow is properly termed as region belonging to the data flow, such as It can be divided into Beijing Area, Xiamen region etc. by geographical location, meanwhile, different zones can be corresponding with respective database, It can recorde the message characteristic of all data flows in the corresponding region in the database.In this way, DPI equipment can be according to target report Literary feature determines target area belonging to target data stream, and it is corresponding then object message feature can be updated to target area Target database.For example, DPI equipment can the message characteristics such as destination IP to target data stream or special packet field solve Analysis, obtains area information, is directed toward in Xiamen region or special packet field such as destination IP and carries region relevant to Xiamen Information, then DPI equipment can determine that target data stream belongs to Xiamen region.Later, DPI equipment can be remembered based on target database The message characteristic of all data flows in the region of record generates the range statistics of target area as a result, then DPI equipment can incite somebody to action Range statistics result carries out page presentation.Specifically, DPI equipment can be based on all in the region recorded in target database The message characteristic of data flow, according to different dimensions such as district, user, application types, generate the range statistics of multiple dimensions as a result, Such as the flow proportional in each area in Xiamen, county, different application type is in range statistics knots such as the flow proportionals in each area in Xiamen, county Fruit, so DPI equipment can by above-mentioned zone statistical result, to scheme, in the form of table or text etc. in the corresponding management field of DPI equipment Face is shown, in this way, technical staff can check above-mentioned zone statistical result by the administration interface, so as to save people It is carefully and neatly done to manage required time and efforts, and accuracy rate with higher.
Optionally, DPI equipment can also feed back the adjustment information for data channel, and corresponding processing can be as follows:Root Target data channel belonging to target data stream is determined according to object message feature;Count the target flow letter in target data channel Breath, and bandwidth capacity is estimated based on target flow information calculating target data channel;If estimating bandwidth capacity higher than target The adjustment threshold value of data channel then generates the adjustment instruction to target data channel.
In an implementation, the computer room of business service quotient can receive the data from each region by way of data channel Flow, such as it is deployed in Pekinese's computer room, the corresponding data in each urban district such as Dongcheng District, Xicheng District, Haidian District can be passed through Channel receives the data traffic from these urban districts, also, business service quotient can be corresponding for the setting of each data channel in advance Bandwidth capacity, for example, the bandwidth capacity of the corresponding data channel in Dongcheng District can be 10Gbps, the corresponding data in Xicheng District are logical The bandwidth capacity in road can be 12Gbps.Meanwhile business service quotient can receive the adjustment instruction from DPI equipment, executing should Adjustment instruction is to adjust the bandwidth capacity of data channel.Specifically, DPI equipment can determine number of targets according to object message feature According to target data channel belonging to stream, such as the channel information that special packet field carries, later, DPI equipment can combine mesh Other data flows of data flow and target data channel are marked, the target flow information in target data channel, and then DPI equipment are counted Target data channel can be calculated based on target flow information estimates bandwidth capacity.Later, it is higher than if estimating bandwidth capacity The adjustment threshold value in target data channel, then the adjustment instruction to target data channel can be generated in DPI equipment, and then can pass through Adjustment instruction triggering business service negotiates the transfer of the bandwidth capacity in whole target data channel.
A kind of module architectures of above-mentioned DPI equipment are given below, as shown in figure 3, above-mentioned DPI equipment may include DPI master Module and with one or more of lower module:Device management module, equipment configuration module, monitoring of tools module, log are adopted Collect module, equipment scheduling module, a data acquisition module, secondary data acquisition module, information display module, data flow-guilding mold Block.Wherein:
Device management module can store the installation kit and installation and deployment script of DPI equipment, can be by DPI Equipment transmission starts or stops order, to start or stop DPI equipment.Meanwhile device management module can detecte DPI equipment Operating status, when DPI device fails, device management module can be by decompressing the installation kit of DPI equipment, running and install The mode of deployment script restarts DPI equipment and restores its original configuration.
Monitoring of tools module can be used for monitoring the state parameter of DPI equipment, such as peak flow, memory usage, CPU The state parameter of monitoring can also be sent to log collection mould by the parameters such as utilization rate, packet loss in the form of log information Block or equipment scheduling module.
Log acquisition module can read the log information of DPI equipment in real time or according to predetermined period, can will read Log information be stored in corresponding journal file, log information can also be sent to other application by log acquisition module, Urgent log information is such as sent to e-mail applications, to be sent to urgent log information by e-mail applications Technical staff solves a problem promptly convenient for technical staff.
Equipment scheduling module, can monitoring of tools module based on the received state parameter, judge whether to start DPI equipment Stand-by equipment, for example, the present peak value flow of DPI equipment be more than warning threshold when, equipment scheduling module can be to DPI equipment Stand-by equipment send start command.
Data acquisition module, can recorde the recognition result of DPI equipment, such as record every data stream and application layer The corresponding relationship of agreement, traffic trends of every kind of application type etc., and recognition result can be saved in database.
Secondary data acquisition module, the data that can be recorded based on a data acquisition module, carries out big data analysis.Example Such as, the data traffic that can sort out different zones out, the data traffic based on the region judge whether the region needs to adjust band Tolerance;The data traffic of the application types such as video class application, voice class application, game class application can be assigned to accordingly Processing equipment, so as to accelerate to these data traffics, to promote service quality;It can be united based on the region in certain region Meter is as a result, analyze the market characteristics in the region;The accounting of each application type, such as application class of the statistics without the number of putting on record can be counted Whether the accounting of type can also have the number of putting on record by certain application type to identify whether the application type is malicious application class Type.
The statistical result of the recognition result of DPI equipment and disparate databases can be carried out the page by information display module It shows.
Data water conservancy diversion module can be based on water conservancy diversion application configuration table, different application type water conservancy diversion is set to different processing It is standby.
Equipment configuration module, as shown in figure 4, it may include following one or more configuration units:Domain name rules unit, Log configuration unit, external plug-in unit, the number of putting on record unit, protocol switch unit, agreement combining unit, access control unit, Packet filtering unit, memory configurations unit, interface configuration unit etc..Above-mentioned configuration unit can be according to the needs of different application scene Carry out flexible configuration, and can be after configuration is complete by sending load or the orders such as restarting makes DPI equipment come into force, so that DPI Equipment can be based on the equipment configuration module processing data postponed.In this way, by each configuration unit in device configuration mould Centralized management is carried out in block, can reduce the complexity of DPI device configuration.
Specifically, domain name rules unit can recorde and safeguard the domain name or IP of certain application type, with application type Corresponding relationship;Log configuration unit can configure different journal files, such as configuration log text for the modules of DPI equipment Whether the storage location of part memory space, is divided, journal format, logging level etc.;External plug-in unit can extend DPI and set Standby discrimination;The number of putting on record unit can recorde and safeguard the number of putting on record the information of multiple application types, and can be each with persistence maintenance The number of putting on record the information of domain name, so that DPI equipment can identify malicious application type based on the number of putting on record information;Protocol switch Unit can be used for opening identification or a certain agreement of nonrecognition;Agreement combining unit can merge some protocol identification situations For the identification situation to some application type;Access control unit can configure source IP, source port, destination IP, destination port Filtering rule, allow or do not allow certain data flows pass through DPI equipment;Packet filtering unit can be captured through DPI equipment Certain agreement message, such as the source IP to DPI equipment, destination IP, source port, destination port, protocol type configuration capture rule Then, to capture legal message;Memory configurations unit can be pre-configured with memory headroom required for DPI equipment is run; Interface configuration unit can specify DPI equipment from an interface or multiple interface data flows, and can analyze DPI equipment The traffic conditions of distinct interface, meanwhile, interface configuration unit can also identify existing message, such as identify packet capturing software The message of crawl.
In the present embodiment, when receiving target data stream, the target application layer that the target data stream uses is determined Agreement;The object message feature for obtaining the target data stream, in conjunction with the corresponding default identification rule of the target application layer protocol Then, the corresponding target application type of the object message feature is identified;The target data stream is distributed to the target application The corresponding target processing devices of type.In this way, DPI equipment not only can carry out detection identification to data stream, can also will identify The data flow of application type is distributed to the processing equipment for handling the application type out, sets so as to give full play to each processing Standby processing capacity improves the treatment effeciency to the data flow of different application type.Also, DPI equipment can also unite region It counts result to be shown to scheme, in the form of table or text etc. in the corresponding administration interface of DPI equipment, so as to save manual sorting Required time and efforts, and accuracy rate with higher.Meanwhile the module rack of DPI equipment provided in an embodiment of the present invention Structure can integrate a variety of data processing functions, allow DPI equipment to be flexibly adapted to plurality of application scenes, so as to effective Reduce the management complexity and management cost of DPI equipment.
Based on the same technical idea, the embodiment of the invention also provides a kind of data processing dresses applied to DPI equipment It sets, as shown in figure 5, described device includes:
Determining module 501, the target application used for when receiving target data stream, determining the target data stream Layer protocol;
Identification module 502 is assisted for obtaining the object message feature of the target data stream in conjunction with the target application layer Corresponding default recognition rule is discussed, identifies the corresponding target application type of the object message feature;
Distribution module 503 is handled for the target data stream to be distributed to the corresponding target of the target application type Equipment.
Optionally, described device further includes judgment module 504, is used for:
Judge whether the target application layer protocol is application layer protocol to be processed;
If the target application layer protocol is application layer protocol to be processed, the target of the target data stream is obtained Message characteristic.
Optionally, described device further includes statistical module 505, is used for:
It is the application type of the target data stream by the target application class record, wherein the target application class Type is to have identified application type or unidentified application type;
According to the application type of all data flows of record, statistics is described to have identified application type or the unidentified application The data flow of type accounts for the ratio of all data flows.
Optionally, described device further includes display module 506, is used for:
Target area belonging to the target data stream is determined according to the object message feature, and by the object message Feature is updated to the corresponding target database in the target area;
Based on the target database generate the target area range statistics as a result, by the range statistics result into Row page presentation.
Optionally, described device further includes generation module 507, is used for:
Target data channel belonging to the target data stream is determined according to the object message feature;
The target flow information in the target data channel is counted, and the target is calculated based on the target flow information Data channel estimates bandwidth capacity;
If the adjustment threshold value estimated bandwidth capacity and be higher than the target data channel, generates to the number of targets According to the adjustment instruction in channel.
In the present embodiment, when receiving target data stream, the target application layer that the target data stream uses is determined Agreement;The object message feature for obtaining the target data stream, in conjunction with the corresponding default identification rule of the target application layer protocol Then, the corresponding target application type of the object message feature is identified;The target data stream is distributed to the target application The corresponding target processing devices of type.In this way, DPI equipment not only can carry out detection identification to data stream, can also will identify The data flow of application type is distributed to the processing equipment for handling the application type out, sets so as to give full play to each processing Standby processing capacity improves the treatment effeciency to the data flow of different application type.Also, DPI equipment can also unite region It counts result to be shown to scheme, in the form of table or text etc. in the corresponding administration interface of DPI equipment, so as to save manual sorting Required time and efforts, and accuracy rate with higher.Meanwhile the module rack of DPI equipment provided in an embodiment of the present invention Structure can integrate a variety of data processing functions, allow DPI equipment to be flexibly adapted to plurality of application scenes, so as to effective Reduce the management complexity and management cost of DPI equipment.
It should be noted that:Data processing equipment provided by the above embodiment applied to DPI equipment when handling data, Only the example of the division of the above functional modules, it in practical application, can according to need and by above-mentioned function distribution It is completed by different functional modules, i.e., the internal structure of device is divided into different functional modules, it is described above to complete All or part of function.In addition, the data processing equipment provided by the above embodiment applied to DPI equipment be applied to DPI The data processing method embodiment of equipment belongs to same design, and specific implementation process is detailed in embodiment of the method, no longer superfluous here It states.
Fig. 6 is the structural schematic diagram of the network equipment provided in an embodiment of the present invention.The network equipment 600 can be because of configuration or property Energy is different and generates bigger difference, may include one or more central processing units 622 (for example, one or one The above processor) and memory 632, the 630 (example of storage medium of one or more storage application programs 642 or data 644 Such as one or more mass memory units).Wherein, memory 632 and storage medium 630 can be of short duration storage or lasting Storage.The program for being stored in storage medium 630 may include one or more modules (diagram does not mark), and each module can To include to the series of instructions operation in the network equipment.Further, central processing unit 622 can be set to be situated between with storage Matter 630 communicates, and the series of instructions operation in storage medium 630 is executed on the network equipment 600.
The network equipment 600 can also include one or more power supplys 626, one or more wired or wireless nets Network interface 650, one or more input/output interfaces 658, one or more keyboards 656, and/or, one or one A above operating system 641, such as Windows Server TM, Mac OS X TM, Unix TM, Linux TM, FreeBSD TM etc..
The network equipment 600 may include have memory and one perhaps more than one program one of them or one A procedure above is stored in memory, and is configured to execute one or one by one or more than one processor A procedure above includes the instruction for carrying out the above-mentioned data processing applied to DPI equipment.
Those of ordinary skill in the art will appreciate that realizing that all or part of the steps of above-described embodiment can pass through hardware It completes, relevant hardware can also be instructed to complete by program, the program can store in a kind of computer-readable In storage medium, storage medium mentioned above can be read-only memory, disk or CD etc..
The foregoing is merely presently preferred embodiments of the present invention, is not intended to limit the invention, it is all in spirit of the invention and Within principle, any modification, equivalent replacement, improvement and so on be should all be included in the protection scope of the present invention.

Claims (12)

1. a kind of data processing method applied to DPI equipment, which is characterized in that the method includes:
When receiving target data stream, the target application layer protocol that the target data stream uses is determined;
The object message feature for obtaining the target data stream, in conjunction with the corresponding default identification rule of the target application layer protocol Then, the corresponding target application type of the object message feature is identified;
The target data stream is distributed to the corresponding target processing devices of the target application type.
2. the method according to claim 1, wherein the target application that the determination target data stream uses After layer protocol, further include:
Judge whether the target application layer protocol is application layer protocol to be processed;
If the target application layer protocol is application layer protocol to be processed, the object message of the target data stream is obtained Feature.
3. the method according to claim 1, wherein the corresponding target of the identification object message feature is answered After type, further include:
It is the application type of the target data stream by the target application class record, wherein the target application type is Application type or unidentified application type are identified;
According to the application type of all data flows of record, statistics is described to have identified application type or the unidentified application type Data flow account for the ratios of all data flows.
4. the method according to claim 1, wherein the method also includes:
Target area belonging to the target data stream is determined according to the object message feature, and by the object message feature It is updated to the corresponding target database in the target area;
The range statistics of the target area are generated based on the target database as a result, the range statistics result is carried out page Face is shown.
5. the method according to claim 1, wherein the method also includes:
Target data channel belonging to the target data stream is determined according to the object message feature;
The target flow information in the target data channel is counted, and the target data is calculated based on the target flow information Estimate bandwidth capacity in channel;
If the adjustment threshold value estimated bandwidth capacity and be higher than the target data channel, generates logical to the target data The adjustment instruction in road.
6. a kind of data processing equipment applied to DPI equipment, which is characterized in that described device includes:
Determining module, the target application layer protocol used for when receiving target data stream, determining the target data stream;
Identification module, it is corresponding in conjunction with the target application layer protocol for obtaining the object message feature of the target data stream Default recognition rule, identify the corresponding target application type of the object message feature;
Distribution module, for the target data stream to be distributed to the corresponding target processing devices of the target application type.
7. device according to claim 6, which is characterized in that described device further includes judgment module, is used for:
Judge whether the target application layer protocol is application layer protocol to be processed;
If the target application layer protocol is application layer protocol to be processed, the object message of the target data stream is obtained Feature.
8. device according to claim 6, which is characterized in that described device further includes statistical module, is used for:
It is the application type of the target data stream by the target application class record, wherein the target application type is Application type or unidentified application type are identified;
According to the application type of all data flows of record, statistics is described to have identified application type or the unidentified application type Data flow account for the ratios of all data flows.
9. device according to claim 6, which is characterized in that described device further includes display module, is used for:
Target area belonging to the target data stream is determined according to the object message feature, and by the object message feature It is updated to the corresponding target database in the target area;
The range statistics of the target area are generated based on the target database as a result, the range statistics result is carried out page Face is shown.
10. device according to claim 6, which is characterized in that described device further includes generation module, is used for:
Target data channel belonging to the target data stream is determined according to the object message feature;
The target flow information in the target data channel is counted, and the target data is calculated based on the target flow information Estimate bandwidth capacity in channel;
If the adjustment threshold value estimated bandwidth capacity and be higher than the target data channel, generates logical to the target data The adjustment instruction in road.
11. a kind of network equipment, which is characterized in that the network equipment includes processor and memory, is deposited in the memory Contain at least one instruction, at least one section of program, code set or instruction set, at least one instruction, at least one section of journey Sequence, the code set or instruction set are loaded by the processor and are executed to realize application as claimed in claim 1 to 5 In the data processing method of DPI equipment.
12. a kind of computer readable storage medium, which is characterized in that be stored at least one instruction, extremely in the storage medium Few one section of program, code set or instruction set, at least one instruction, at least one section of program, the code set or the instruction Collection is loaded by processor and is executed to realize the data processing side as claimed in claim 1 to 5 applied to DPI equipment Method.
CN201810654859.2A 2018-06-22 2018-06-22 Data processing method and device applied to DPI equipment Active CN108900374B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810654859.2A CN108900374B (en) 2018-06-22 2018-06-22 Data processing method and device applied to DPI equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810654859.2A CN108900374B (en) 2018-06-22 2018-06-22 Data processing method and device applied to DPI equipment

Publications (2)

Publication Number Publication Date
CN108900374A true CN108900374A (en) 2018-11-27
CN108900374B CN108900374B (en) 2021-05-25

Family

ID=64345538

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810654859.2A Active CN108900374B (en) 2018-06-22 2018-06-22 Data processing method and device applied to DPI equipment

Country Status (1)

Country Link
CN (1) CN108900374B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111163573A (en) * 2019-12-27 2020-05-15 上海力申科学仪器有限公司 System and method for intelligently identifying lamp holder of multichannel shadowless lamp
CN111786985A (en) * 2020-06-28 2020-10-16 厦门市美亚柏科信息股份有限公司 Method, device and storage medium for analyzing TCP and UDP data
CN111884876A (en) * 2020-07-22 2020-11-03 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for detecting protocol type of network protocol
CN112073335A (en) * 2020-09-03 2020-12-11 深圳市掌易文化传播有限公司 Game data connection card pause processing system and method under big data support
CN112187498A (en) * 2019-07-03 2021-01-05 中国电信股份有限公司 Bypass protection method, device and system thereof and Deep Packet Inspection (DPI) system
CN112583832A (en) * 2020-12-14 2021-03-30 北京鼎普科技股份有限公司 DPI-based application layer protocol identification method and system
CN114900350A (en) * 2022-04-29 2022-08-12 北京元数智联技术有限公司 Message transmission method, device, equipment, storage medium and program product
CN114978734A (en) * 2022-05-30 2022-08-30 新华三信息安全技术有限公司 Message processing method and device, storage medium and electronic equipment

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102277A (en) * 2007-06-20 2008-01-09 华为技术有限公司 Recognition method and system for service data and recognition control device
CN101741744A (en) * 2009-12-17 2010-06-16 东南大学 Network flow identification method
CN102045363A (en) * 2010-12-31 2011-05-04 成都市华为赛门铁克科技有限公司 Establishment, identification control method and device for network flow characteristic identification rule
US8358660B2 (en) * 2009-11-16 2013-01-22 Verizon Patent And Licensing Inc. Method and system for providing integrated content delivery
CN103051725A (en) * 2012-12-31 2013-04-17 华为技术有限公司 Application identification method, data mining method, device and system
CN103297270A (en) * 2013-05-24 2013-09-11 华为技术有限公司 Application type recognition method and network equipment
WO2014029094A1 (en) * 2012-08-23 2014-02-27 华为技术有限公司 Packet processing method, deep packet inspection requesting network element, and deep packet inspection device
US20140133320A1 (en) * 2012-11-13 2014-05-15 Netronome Systems, Inc. Inter-packet interval prediction learning algorithm
CN103916294A (en) * 2014-04-29 2014-07-09 华为技术有限公司 Identification method and device for protocol type
CN104010139A (en) * 2014-05-23 2014-08-27 杭州宽云视讯科技有限公司 Method for achieving video stream seamless switching based on DPI packet inspection technology
CN104348677A (en) * 2013-08-05 2015-02-11 华为技术有限公司 Deep packet inspection method and equipment and coprocessor
CN105357071A (en) * 2015-11-12 2016-02-24 成都科来软件有限公司 Identification method and identification system for network complex traffic
CN105357083A (en) * 2015-12-15 2016-02-24 福建星网锐捷网络有限公司 Gateway flow adjusting method and system based on uncertain bandwidth detection
CN106027692A (en) * 2016-05-16 2016-10-12 北京小米移动软件有限公司 Information acquisition method and device and server
CN107819646A (en) * 2017-10-23 2018-03-20 国网冀北电力有限公司信息通信分公司 A kind of net flow assorted system and method for distributed transmission

Patent Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102277A (en) * 2007-06-20 2008-01-09 华为技术有限公司 Recognition method and system for service data and recognition control device
US8358660B2 (en) * 2009-11-16 2013-01-22 Verizon Patent And Licensing Inc. Method and system for providing integrated content delivery
CN101741744A (en) * 2009-12-17 2010-06-16 东南大学 Network flow identification method
CN102045363A (en) * 2010-12-31 2011-05-04 成都市华为赛门铁克科技有限公司 Establishment, identification control method and device for network flow characteristic identification rule
WO2014029094A1 (en) * 2012-08-23 2014-02-27 华为技术有限公司 Packet processing method, deep packet inspection requesting network element, and deep packet inspection device
US20140133320A1 (en) * 2012-11-13 2014-05-15 Netronome Systems, Inc. Inter-packet interval prediction learning algorithm
CN103051725A (en) * 2012-12-31 2013-04-17 华为技术有限公司 Application identification method, data mining method, device and system
CN103297270A (en) * 2013-05-24 2013-09-11 华为技术有限公司 Application type recognition method and network equipment
CN104348677A (en) * 2013-08-05 2015-02-11 华为技术有限公司 Deep packet inspection method and equipment and coprocessor
CN103916294A (en) * 2014-04-29 2014-07-09 华为技术有限公司 Identification method and device for protocol type
CN104010139A (en) * 2014-05-23 2014-08-27 杭州宽云视讯科技有限公司 Method for achieving video stream seamless switching based on DPI packet inspection technology
CN105357071A (en) * 2015-11-12 2016-02-24 成都科来软件有限公司 Identification method and identification system for network complex traffic
CN105357083A (en) * 2015-12-15 2016-02-24 福建星网锐捷网络有限公司 Gateway flow adjusting method and system based on uncertain bandwidth detection
CN106027692A (en) * 2016-05-16 2016-10-12 北京小米移动软件有限公司 Information acquisition method and device and server
CN107819646A (en) * 2017-10-23 2018-03-20 国网冀北电力有限公司信息通信分公司 A kind of net flow assorted system and method for distributed transmission

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CHU-SING YANG: "A Network Management System Based on DPI", 《2010 13TH INTERNATIONAL CONFERENCE ON NETWORK-BASED INFORMATION SYSTEMS》 *
陈泽鑫: "基于DPI技术的流量监控系统的设计与实现", 《中国优秀硕士学位论文全文数据库信息科技辑》 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112187498A (en) * 2019-07-03 2021-01-05 中国电信股份有限公司 Bypass protection method, device and system thereof and Deep Packet Inspection (DPI) system
CN112187498B (en) * 2019-07-03 2022-09-06 中国电信股份有限公司 Bypass protection method, device and system thereof and Deep Packet Inspection (DPI) system
CN111163573A (en) * 2019-12-27 2020-05-15 上海力申科学仪器有限公司 System and method for intelligently identifying lamp holder of multichannel shadowless lamp
CN111786985A (en) * 2020-06-28 2020-10-16 厦门市美亚柏科信息股份有限公司 Method, device and storage medium for analyzing TCP and UDP data
CN111884876A (en) * 2020-07-22 2020-11-03 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for detecting protocol type of network protocol
CN112073335A (en) * 2020-09-03 2020-12-11 深圳市掌易文化传播有限公司 Game data connection card pause processing system and method under big data support
CN112583832A (en) * 2020-12-14 2021-03-30 北京鼎普科技股份有限公司 DPI-based application layer protocol identification method and system
CN114900350A (en) * 2022-04-29 2022-08-12 北京元数智联技术有限公司 Message transmission method, device, equipment, storage medium and program product
CN114900350B (en) * 2022-04-29 2024-02-20 北京元数智联技术有限公司 Message transmission method, device, equipment, storage medium and program product
CN114978734A (en) * 2022-05-30 2022-08-30 新华三信息安全技术有限公司 Message processing method and device, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN108900374B (en) 2021-05-25

Similar Documents

Publication Publication Date Title
CN108900374A (en) A kind of data processing method and device applied to DPI equipment
EP1764951B1 (en) Statistical trace-based method, apparatus, node and system for real-time traffic classification
KR101234326B1 (en) Distributed traffic analysis
CN102769549B (en) The method and apparatus of network security monitoring
CN106815112B (en) Massive data monitoring system and method based on deep packet inspection
US7599288B2 (en) Processing of usage data for first and second types of usage-based functions
CN106972985B (en) Method for accelerating data processing and forwarding of DPI (deep packet inspection) equipment and DPI equipment
CN108337652B (en) Method and device for detecting flow fraud
CN110519177A (en) A kind of network flow identification method and relevant device
CN103414608B (en) Rapid web flow collection statistical system and method
CN110572280B (en) Network monitoring method and system
JP2007336512A (en) Statistical information collecting system, and apparatus thereof
CN112350854B (en) Flow fault positioning method, device, equipment and storage medium
CN101960780B (en) In-bound mechanism that monitors end-to-end QOE of services with application awareness
JP2009171431A (en) Traffic analyzer, traffic analyzing method, and traffic analyzing system
CN108322354B (en) Method and device for identifying running-stealing flow account
CN112929376A (en) Flow data processing method and device, computer equipment and storage medium
CN111741007B (en) Financial business real-time monitoring system and method based on network layer message analysis
CN113472858A (en) Buried point data processing method and device and electronic equipment
CN111177281B (en) Access control method, device, equipment and storage medium
CN101447934A (en) Business flow-recognizing method and system thereof and business flow charging method and system thereof
CN112688924A (en) Network protocol analysis system
CN111224891A (en) Traffic application identification system and method based on dynamic learning triples
EP4280561A1 (en) Information flow identification method, network chip, and network device
CN113037551B (en) Quick identification and positioning method for sensitive-related services based on traffic slice

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant