CN109194516B - Method for reducing cost of network flow acquisition equipment - Google Patents

Info

Publication number: CN109194516B
Authority: CN (China)
Prior art keywords: value, protocol library, acquisition, acquisition equipment, flow
Legal status: Active
Application number: CN201811079557.3A
Other languages: Chinese (zh)
Other versions: CN109194516A (en)
Inventors: 林飞, 易永波, 王娜, 古元, 毛华阳, 华仲锋
Current Assignee: Beijing Act Technology Development Co ltd
Original Assignee: Beijing Act Technology Development Co ltd
Application filed by Beijing Act Technology Development Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/028 Capturing of monitoring data by filtering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

A method for reducing the cost of network flow acquisition equipment relates to the technical field of information. The steps for realizing the invention comprise: step 1, establishing a newly added component of the front-end network access device; step 2, establishing a newly added component of the rear-end flow acquisition equipment; step 3, establishing a management end of the rear-end flow acquisition equipment; step 4, establishing the protocol format of the data stored in the access protocol library, the acquisition protocol library and the configuration protocol library; step 5, completing the network configuration; step 6, front-end flow filtering; step 7, the newly added component of the rear-end flow acquisition equipment maintaining consistency between the acquisition protocol library and the access protocol library; and step 8, the management end of the rear-end flow acquisition equipment maintaining and updating the acquisition protocol library of the newly added component of the rear-end flow acquisition equipment. The invention reduces the acquisition equipment needed by information security, network security and other supervision systems, reduces the investment cost of constructing such a system and lightens the burden on basic operators.

Description

Method for reducing cost of network flow acquisition equipment
Technical Field
The invention relates to the technical field of information, in particular to the technical field of network flow acquisition equipment.
Background
With the promulgation of network security laws, the state has placed ever greater emphasis on information security and network security, and ministries such as the Ministry of Industry and Communications have issued a large number of regulations, laws and standards requiring every provincial basic operator to deploy supervision systems for information security, network security and the like at the network outlet; these supervision systems need acquisition equipment deployed at the network outlet to acquire the current network traffic.
The current supervision system in the industry is composed of two parts that work independently: front-end network access equipment on one side, and rear-end flow acquisition equipment together with its management end equipment on the other. The front-end network access equipment performs the flow access function and copies the original flow needed by the rear-end flow acquisition equipment to that equipment; the rear-end flow acquisition equipment performs the flow analysis function; and the rear-end flow acquisition equipment management end mainly manages the rear-end flow acquisition equipment, chiefly by monitoring its running state and issuing protocol library rules. In the existing mode, the flow of the front-end network access equipment is, after load balancing, copied in full to the rear-end flow acquisition equipment, so a huge quantity of rear-end flow acquisition equipment is required and the construction cost is high.
This patent provides a method for reducing the quantity of rear-end flow acquisition equipment that must be deployed, and thereby the investment cost, aiming at the problem that the network bandwidth of basic operators keeps growing and the rear-end flow acquisition equipment must be expanded linearly with it, so that the investment cost becomes very high.
Common technique related to the present invention:
the Content-Type values commonly seen in HTTP traffic, keyed by file extension, are as follows:
'hqx' => 'application/mac-binhex40',
'cpt' => 'application/mac-compactpro',
'doc' => 'application/msword',
'bin' => 'application/octet-stream',
'dms' => 'application/octet-stream',
'lha' => 'application/octet-stream',
'lzh' => 'application/octet-stream',
'exe' => 'application/octet-stream',
'class' => 'application/octet-stream',
'so' => 'application/octet-stream',
'dll' => 'application/octet-stream',
'oda' => 'application/oda',
'pdf' => 'application/pdf',
'ai' => 'application/postscript',
'eps' => 'application/postscript',
'ps' => 'application/postscript',
'smi' => 'application/smil',
'smil' => 'application/smil',
'mif' => 'application/vnd.mif',
'xls' => 'application/vnd.ms-excel',
'ppt' => 'application/vnd.ms-powerpoint',
'wbxml' => 'application/vnd.wap.wbxml',
'wmlc' => 'application/vnd.wap.wmlc',
'wmlsc' => 'application/vnd.wap.wmlscriptc',
'bcpio' => 'application/x-bcpio',
'vcd' => 'application/x-cdlink',
'pgn' => 'application/x-chess-pgn',
'cpio' => 'application/x-cpio',
'csh' => 'application/x-csh',
'dcr' => 'application/x-director',
'dir' => 'application/x-director',
'dxr' => 'application/x-director',
'dvi' => 'application/x-dvi',
'spl' => 'application/x-futuresplash',
'gtar' => 'application/x-gtar',
'hdf' => 'application/x-hdf',
'js' => 'application/x-javascript',
'skp' => 'application/x-koan',
'skd' => 'application/x-koan',
'skt' => 'application/x-koan',
'skm' => 'application/x-koan',
'latex' => 'application/x-latex',
'nc' => 'application/x-netcdf',
'cdf' => 'application/x-netcdf',
'sh' => 'application/x-sh',
'shar' => 'application/x-shar',
'swf' => 'application/x-shockwave-flash',
'sit' => 'application/x-stuffit',
'sv4cpio' => 'application/x-sv4cpio',
'sv4crc' => 'application/x-sv4crc',
'tar' => 'application/x-tar',
'tcl' => 'application/x-tcl',
'tex' => 'application/x-tex',
'texinfo' => 'application/x-texinfo',
'texi' => 'application/x-texinfo',
't' => 'application/x-troff',
'tr' => 'application/x-troff',
'roff' => 'application/x-troff',
'man' => 'application/x-troff-man',
'me' => 'application/x-troff-me',
'ms' => 'application/x-troff-ms',
'ustar' => 'application/x-ustar',
'src' => 'application/x-wais-source',
'xhtml' => 'application/xhtml+xml',
'xht' => 'application/xhtml+xml',
'zip' => 'application/zip',
'au' => 'audio/basic',
'snd' => 'audio/basic',
'mid' => 'audio/midi',
'midi' => 'audio/midi',
'kar' => 'audio/midi',
'mpga' => 'audio/mpeg',
'mp2' => 'audio/mpeg',
'mp3' => 'audio/mpeg',
'aif' => 'audio/x-aiff',
'aiff' => 'audio/x-aiff',
'aifc' => 'audio/x-aiff',
'm3u' => 'audio/x-mpegurl',
'ram' => 'audio/x-pn-realaudio',
'rm' => 'audio/x-pn-realaudio',
'rpm' => 'audio/x-pn-realaudio-plugin',
'ra' => 'audio/x-realaudio',
'wav' => 'audio/x-wav',
'pdb' => 'chemical/x-pdb',
'xyz' => 'chemical/x-xyz',
'bmp' => 'image/bmp',
'gif' => 'image/gif',
'ief' => 'image/ief',
'jpeg' => 'image/jpeg',
'jpg' => 'image/jpeg',
'jpe' => 'image/jpeg',
'png' => 'image/png',
'tiff' => 'image/tiff',
'tif' => 'image/tiff',
'djvu' => 'image/vnd.djvu',
'djv' => 'image/vnd.djvu',
'wbmp' => 'image/vnd.wap.wbmp',
'ras' => 'image/x-cmu-raster',
'pnm' => 'image/x-portable-anymap',
'pbm' => 'image/x-portable-bitmap',
'pgm' => 'image/x-portable-graymap',
'ppm' => 'image/x-portable-pixmap',
'rgb' => 'image/x-rgb',
'xbm' => 'image/x-xbitmap',
'xpm' => 'image/x-xpixmap',
'xwd' => 'image/x-xwindowdump',
'igs' => 'model/iges',
'iges' => 'model/iges',
'msh' => 'model/mesh',
'mesh' => 'model/mesh',
'silo' => 'model/mesh',
'wrl' => 'model/vrml',
'vrml' => 'model/vrml',
'css' => 'text/css',
'html' => 'text/html',
'htm' => 'text/html',
'asc' => 'text/plain',
'txt' => 'text/plain',
'rtx' => 'text/richtext',
'rtf' => 'text/rtf',
'sgml' => 'text/sgml',
'sgm' => 'text/sgml',
'tsv' => 'text/tab-separated-values',
'wml' => 'text/vnd.wap.wml',
'wmls' => 'text/vnd.wap.wmlscript',
'etx' => 'text/x-setext',
'xsl' => 'text/xml',
'xml' => 'text/xml',
'mpeg' => 'video/mpeg',
'mpg' => 'video/mpeg',
'mpe' => 'video/mpeg',
'qt' => 'video/quicktime',
'mov' => 'video/quicktime',
'mxu' => 'video/vnd.mpegurl',
'avi' => 'video/x-msvideo',
'movie' => 'video/x-sgi-movie',
'ice' => 'x-conference/x-cooltalk'.
Disclosure of the Invention
In actual network traffic supervision work, the supervised services are of different types and many network flows do not need to be acquired and stored. For example, when flow monitoring is performed on a network provider of video content, copying all access flows means that a large amount of video flow is repeatedly acquired and copied, which increases the cost of the flow acquisition equipment, while copying that video flow is unnecessary for network supervision.
A method for reducing the cost of network flow acquisition equipment is realized by the following steps:
step 1, establishing a newly added component of the front-end network access device
A front-end network access equipment newly added component is established at the front-end network access equipment; it consists of an access protocol library, an analysis module, a scheduling module, a filtering module and a configuration memory;
step 2, establishing a newly added component of the rear-end flow acquisition equipment
A rear-end flow acquisition equipment newly added component is established on the rear-end flow acquisition equipment; it consists of an acquisition protocol library, an acquisition analysis module, a protocol library updater, a reporting module and an acquisition configuration memory;
step 3, establishing a management end of the rear-end flow acquisition equipment
The management end of the rear-end flow acquisition equipment consists of a protocol library configurator, a configuration protocol library and a management configuration memory;
step 4, establishing the protocol format of the data stored in the access protocol library, the acquisition protocol library and the configuration protocol library
The protocol formats of the data stored in the access protocol library, the acquisition protocol library and the configuration protocol library are uniform, and the format is specified as: numbering | type | value | matching position | matching mode | discarding mode, where | is the separator. The numbering is 4 bytes. The type is 1 byte: the value 0 represents an IP address, 1 a domain name, 2 a port and 3 a keyword. The value is 32 bytes and is set according to the type: the IP address is filled in when the type is 0, the domain name when the type is 1, the port number when the type is 2 and the specific keyword when the type is 3. The matching position is 4 bytes: when the type is IP or port the field is -2; for floating matching over the whole message it is -1; for fixed-position matching it is the fixed offset, generated from the fixed position within the TCP/IP application layer data, with a maximum of 1514. The matching mode is 0 for fuzzy mode and 1 for accurate mode. The discarding mode is 0 for unidirectional discarding and 1 for bidirectional discarding;
step 5, completing the network configuration
The IP address and port number of the rear-end flow acquisition equipment are stored in the configuration memory of the newly added component of the front-end network access equipment; the acquisition configuration memory of the newly added component of the rear-end flow acquisition equipment stores the IP address and port number of the front-end network access equipment, and also the IP address and port number of the management end of the rear-end flow acquisition equipment; the front-end network access device, the rear-end flow acquisition device and the management end of the rear-end flow acquisition device are connected to a network over which they can reach one another;
step 6, front-end flow filtering
The analysis module of the front-end network access equipment newly added component parses the received flow according to the TCP/IP protocol to obtain the TCP/IP application layer data, and the newly added component matches this application layer data against the data in the access protocol library. The matching result is one of: 1) discard the unidirectional traffic, i.e. the value of the discarding mode is 0; 2) discard the bidirectional flow, i.e. the value of the discarding mode is 1; 3) no match. When the matching result contains a discard operation, the scheduling module of the newly added component calls the filtering module to filter the received flow, producing the front-end filtered flow, and the newly added component sends the front-end filtered flow to the rear-end flow acquisition equipment configured in the configuration memory; when there is no match, the newly added component sends the received flow directly to the rear-end flow acquisition equipment configured in the configuration memory. The methods by which the newly added component of the front-end network access equipment sends flow to the rear-end flow acquisition equipment configured in the configuration memory include optical splitting and port mirroring;
step 7, the newly added component of the rear-end flow acquisition equipment maintains consistency between the acquisition protocol library and the access protocol library
The acquisition analysis module of the rear-end flow acquisition equipment newly added component parses the TCP/IP protocol of the flow received by the rear-end flow acquisition equipment to obtain the acquisition-end TCP/IP application layer data, and the newly added component matches this data against the data in the acquisition protocol library. The matching result is one of: 1) discard the unidirectional traffic, i.e. the value of the discarding mode is 0; 2) discard the bidirectional flow, i.e. the value of the discarding mode is 1; 3) no match. When the matching result contains a discard operation, the protocol library updater of the newly added component of the rear-end flow acquisition equipment sends the data in the acquisition protocol library to the access protocol library of the newly added component of the front-end network access equipment, which completes the update of the access protocol library; when there is no match and the flow is HTTP flow, the reporting module of the newly added component of the rear-end flow acquisition equipment extracts the Content-Type field of the HTTP protocol characteristic and reports the Content-Type field together with the acquisition-end TCP/IP application layer data to the protocol library configurator of the management end of the rear-end flow acquisition equipment;
step 8, the management end of the rear-end flow acquisition equipment maintains and updates the acquisition protocol library of the newly added component of the rear-end flow acquisition equipment
The protocol library configurator of the management end of the rear-end flow acquisition equipment receives the Content-Type field and the acquisition-end TCP/IP application layer data, automatically generates standard data for the configuration protocol library according to the requirements of the upper-layer service system on network data, and stores the standard data in the configuration protocol library; the requirement of the upper-layer service system on network data is expressed as the data filtering requirement related to the Content-Type fields that meet that system's needs. The configuration protocol library also provides a manual configuration interface through which a manager can write data conforming to the protocol rules of the configuration protocol library according to management requirements. The data stored in the configuration protocol library is periodically sent to the acquisition protocol library of the newly added component of the rear-end flow acquisition equipment to complete the update of the acquisition protocol library.
Advantageous effects
The implementation of the invention solves the following problems: 1. the protocol identification accuracy of the rear-end flow acquisition equipment; 2. the real-time interaction between the front-end network access equipment and the rear-end flow acquisition equipment; 3. the front-end network access equipment is given an accurate matching capability on protocol characteristic values. The invention reduces the acquisition equipment needed by information security, network security and other supervision systems, reduces the investment cost of constructing the system and lightens the burden on basic operators.
Drawings
FIG. 1 is a system block diagram of the present invention;
FIG. 2 is a flow chart of front-end flow filtering in the present invention;
FIG. 3 is a flow chart of the newly added component of the rear-end flow acquisition equipment maintaining consistency between the acquisition protocol library and the access protocol library in the present invention;
FIG. 4 is an overall flow chart of the present invention.
Detailed Description
Referring to FIG. 1 to FIG. 4, a method for reducing the cost of network flow acquisition equipment according to the present invention is implemented by the following steps:
step S01, establishing the newly added component 1 of the front-end network access equipment
A front-end network access equipment newly added component 1 is established at the front-end network access equipment A; it consists of an access protocol library 11, an analysis module 12, a scheduling module 13, a filtering module 14 and a configuration memory 15;
step S02, establishing the newly added component 2 of the rear-end flow acquisition equipment
A rear-end flow acquisition equipment newly added component 2 is established in the rear-end flow acquisition equipment B; it consists of an acquisition protocol library 21, an acquisition analysis module 22, a protocol library updater 23, a reporting module 24 and an acquisition configuration memory 25;
step S03, establishing the rear-end flow acquisition equipment management end 3
The rear-end flow acquisition equipment management end 3 consists of a protocol library configurator 31, a configuration protocol library 32 and a management configuration memory 33;
step S04, establishing the protocol format of the data stored in the access protocol library 11, the acquisition protocol library 21 and the configuration protocol library 32
The protocol formats of the data stored in the access protocol library 11, the acquisition protocol library 21 and the configuration protocol library 32 are uniform, and the format is specified as: numbering | type | value | matching position | matching mode | discarding mode, where | is the separator. The numbering is 4 bytes. The type is 1 byte: the value 0 represents an IP address, 1 a domain name, 2 a port and 3 a keyword. The value is 32 bytes and is set according to the type: the IP address is filled in when the type is 0, the domain name when the type is 1, the port number when the type is 2 and the specific keyword when the type is 3. The matching position is 4 bytes: when the type is IP or port the field is -2; for floating matching over the whole message it is -1; for fixed-position matching it is the fixed offset, generated from the fixed position within the TCP/IP application layer data, with a maximum of 1514. The matching mode is 0 for fuzzy mode and 1 for accurate mode. The discarding mode is 0 for unidirectional discarding and 1 for bidirectional discarding;
step S05, completing the network configuration
The IP address and port number of the rear-end flow acquisition equipment B are stored in the configuration memory 15 of the front-end network access equipment newly added component 1 of the front-end network access equipment A; the acquisition configuration memory 25 of the rear-end flow acquisition equipment newly added component 2 of the rear-end flow acquisition equipment B stores the IP address and port number of the front-end network access equipment A, and also the IP address and port number of the rear-end flow acquisition equipment management end 3; the front-end network access equipment A, the rear-end flow acquisition equipment B and the rear-end flow acquisition equipment management end 3 are connected to a network over which they can reach one another;
step S06, front-end flow filtering
The analysis module 12 of the front-end network access equipment newly added component 1 of the front-end network access equipment A parses the received flow 16 according to the TCP/IP protocol to obtain the TCP/IP application layer data 121, and the newly added component 1 matches the TCP/IP application layer data 121 against the data in the access protocol library 11. The matching result is one of: 1) discard the unidirectional traffic, i.e. the value of the discarding mode is 0; 2) discard the bidirectional flow, i.e. the value of the discarding mode is 1; 3) no match. When the matching result includes a discard operation, the scheduling module 13 of the newly added component 1 calls the filtering module 14 to filter the received flow 16, producing the front-end filtered flow 141, and the newly added component 1 sends the front-end filtered flow 141 to the rear-end flow acquisition equipment B configured in the configuration memory 15; when there is no match, the newly added component 1 sends the received flow 16 directly to the rear-end flow acquisition equipment B configured in the configuration memory 15. The methods by which the newly added component 1 sends flow to the rear-end flow acquisition equipment B configured in the configuration memory 15 include optical splitting and port mirroring;
step S07, the rear-end flow acquisition equipment newly added component 2 maintains consistency between the acquisition protocol library 21 and the access protocol library 11
The acquisition analysis module 22 of the rear-end flow acquisition equipment newly added component 2 of the rear-end flow acquisition equipment B parses the TCP/IP protocol of the flow 26 received by the rear-end flow acquisition equipment to obtain the acquisition-end TCP/IP application layer data 221, and the newly added component 2 matches the acquisition-end TCP/IP application layer data 221 against the data in the acquisition protocol library 21. The matching result is one of: 1) discard the unidirectional traffic, i.e. the value of the discarding mode is 0; 2) discard the bidirectional flow, i.e. the value of the discarding mode is 1; 3) no match. When the matching result contains a discard operation, the protocol library updater 23 of the newly added component 2 sends the data 211 in the acquisition protocol library to the access protocol library 11 of the front-end network access equipment newly added component 1, which completes the update of the access protocol library 11; when there is no match and the flow is HTTP flow, the reporting module 24 of the newly added component 3 of the rear-end flow acquisition equipment extracts the Content-Type field 241 of the HTTP protocol characteristic and reports the Content-Type field 241 together with the acquisition-end TCP/IP application layer data 221 to the protocol library configurator 31 of the rear-end flow acquisition equipment management end 3;
step S08, the rear-end flow acquisition equipment management end 3 maintains and updates the acquisition protocol library 21 of the rear-end flow acquisition equipment newly added component 2
The protocol library configurator 31 of the rear-end flow acquisition equipment management end 3 receives the Content-Type field 241 and the acquisition-end TCP/IP application layer data 221, automatically generates standard data for the configuration protocol library 3 according to the requirements of the upper-layer service system on network data, and stores the standard data in the configuration protocol library 3; the requirement of the upper-layer service system on network data is expressed as the data filtering requirement related to the Content-Type fields that meet that system's needs. The configuration protocol library 32 also provides a manual configuration interface through which a manager can write data conforming to the protocol rules of the configuration protocol library according to management requirements. The data stored in the configuration protocol library 32 is periodically sent to the acquisition protocol library 21 of the rear-end flow acquisition equipment newly added component 2, completing the update of the acquisition protocol library 21.
Second embodiment: the protocol format of the data stored in the access protocol library 11, the acquisition protocol library 21 and the configuration protocol library 32
The protocol formats of the data stored in the access protocol library 11, the acquisition protocol library 21 and the configuration protocol library 32 are uniform, and the format is specified as: numbering | type | value | matching position | matching mode | discarding mode, where | is the separator. The numbering is 4 bytes. The type is 1 byte: the value 0 represents an IP address, 1 a domain name, 2 a port and 3 a keyword. The value is 32 bytes and is set according to the type: the IP address is filled in when the type is 0, the domain name when the type is 1, the port number when the type is 2 and the specific keyword when the type is 3. The matching position is 4 bytes: when the type is IP or port the field is -2; for floating matching over the whole message it is -1; for fixed-position matching it is the fixed offset, generated from the fixed position within the TCP/IP application layer data, with a maximum of 1514. The matching mode is 0 for fuzzy mode and 1 for accurate mode. The discarding mode is 0 for unidirectional discarding and 1 for bidirectional discarding. For example, 1|0|192.168.1.100|0|1|1 indicates that bidirectional traffic with the IP 192.168.1.100 is dropped, and 2|3|GET|0|1|0 indicates that the unidirectional GET message is discarded.
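As an added example (not part of the patent), the following Python models the rule format of step S04 and the front-end and back-end matching of steps S06 and S07, using the two rules given above plus one constructed domain rule. The Flow record, taking the domain from the HTTP Host header, the meaning of fuzzy versus exact matching, and all function names are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field codes as defined in step S04 of the patent.
TYPE_IP, TYPE_DOMAIN, TYPE_PORT, TYPE_KEYWORD = 0, 1, 2, 3
POS_ADDRESS, POS_FLOATING, MAX_FIXED_POS = -2, -1, 1514
MODE_FUZZY, MODE_EXACT, DROP_UNIDIR, DROP_BIDIR = 0, 1, 0, 1


@dataclass(frozen=True)
class Rule:
    number: int
    rtype: int
    value: str
    position: int
    mode: int
    drop: int


@dataclass(frozen=True)
class Flow:
    """One direction of a connection after TCP/IP parsing; 'domain' is assumed to be the HTTP Host header."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    domain: str
    payload: bytes  # TCP/IP application-layer data


def parse_rule(line: str) -> Rule:
    """Parse 'number|type|value|position|mode|drop', enforcing the step S04 field sizes and ranges."""
    fields = [f.strip() for f in line.strip().split("|")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    number, rtype, position, mode, drop = (int(fields[i]) for i in (0, 1, 3, 4, 5))
    value = fields[2]
    if not 0 <= number < 2 ** 32:                        # numbering is 4 bytes
        raise ValueError("number does not fit in 4 bytes")
    if rtype not in (0, 1, 2, 3) or mode not in (0, 1) or drop not in (0, 1):
        raise ValueError("type, matching mode or discarding mode out of range")
    if not value or len(value.encode()) > 32:            # value field is 32 bytes
        raise ValueError("value empty or longer than 32 bytes")
    if rtype == TYPE_IP:
        ipaddress.ip_address(value)                      # raises ValueError if not an address
    elif rtype == TYPE_PORT and not 0 <= int(value) <= 65535:
        raise ValueError("port out of range")
    if position not in (POS_ADDRESS, POS_FLOATING) and not 0 <= position <= MAX_FIXED_POS:
        raise ValueError("matching position out of range")
    return Rule(number, rtype, value, position, mode, drop)


def matches(rule: Rule, flow: Flow) -> bool:
    """One rule against one direction. Assumed modes: exact is byte-for-byte, fuzzy is case-insensitive
    (and a domain suffix for type 1). IP and port rules ignore the matching position."""
    if rule.rtype == TYPE_IP:
        return rule.value in (flow.src_ip, flow.dst_ip)
    if rule.rtype == TYPE_PORT:
        return int(rule.value) in (flow.src_port, flow.dst_port)
    if rule.rtype == TYPE_DOMAIN:
        if rule.mode == MODE_EXACT:
            return flow.domain == rule.value
        return flow.domain.lower().endswith(rule.value.lower())
    text = flow.payload.decode("latin-1")
    if rule.position >= 0:                               # fixed offset into the application-layer data
        text = text[rule.position:rule.position + len(rule.value)]
    return rule.value in text if rule.mode == MODE_EXACT else rule.value.lower() in text.lower()


def first_hit(flow: Flow, rules: List[Rule]) -> Optional[Rule]:
    return next((r for r in rules if matches(r, flow)), None)


def filter_session(request: Flow, response: Flow, rules: List[Rule]) -> Tuple[bool, bool]:
    """Step S06 at the front end: (forward_request, forward_response). A unidirectional drop removes
    only the matching direction, a bidirectional drop removes both, no match forwards everything."""
    forward = [True, True]
    for i, flow in enumerate((request, response)):
        hit = first_hit(flow, rules)
        if hit is not None and hit.drop == DROP_BIDIR:
            return False, False
        forward[i] = hit is None
    return forward[0], forward[1]


CONTENT_TYPE_RE = re.compile(rb"^Content-Type:\s*([^\r\n;]+)", re.I | re.M)


def backend_check(flow: Flow, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Step S07 at the back end. A hit means the front end forwarded traffic the shared library says
    to drop, so the acquisition library is pushed to it ('resync'); unmatched HTTP traffic has its
    Content-Type reported to the management end ('report'); anything else is kept ('keep')."""
    hit = first_hit(flow, rules)
    if hit is not None:
        return "resync", str(hit.number)
    m = CONTENT_TYPE_RE.search(flow.payload)
    if m:
        return "report", m.group(1).decode("latin-1").strip()
    return "keep", None


# Constructed sample library; the first two rules are the patent's own examples.
SAMPLE_RULES = [parse_rule(line) for line in (
    "1|0|192.168.1.100|0|1|1",     # drop both directions of traffic with this IP
    "2|3|GET|0|1|0",               # drop GET requests (keyword at offset 0), one direction only
    "3|1|cdn.example.com|-1|0|1",  # constructed: drop this CDN and its subdomains, both directions
)]
```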

Claims (1)

1. A method for reducing the cost of network flow acquisition equipment, characterized by comprising the following steps:
step 1, establishing a newly added component of the front-end network access device
A front-end network access device newly added component is established on the front-end network access device; it consists of an access protocol library, an analysis module, a scheduling module, a filtering module and a configuration memory;
step 2, establishing a newly added component of the back-end traffic acquisition device
A back-end traffic acquisition device newly added component is established on the back-end traffic acquisition device; it consists of an acquisition protocol library, an acquisition analysis module, a protocol library updater, a reporting module and an acquisition configuration memory;
step 3, establishing the management end of the back-end traffic acquisition device
The management end of the back-end traffic acquisition device consists of a protocol library configurator, a configuration protocol library and a management configuration memory;
step 4, establishing the protocol format of the data stored in the access protocol library, the acquisition protocol library and the configuration protocol library
The data stored in the access protocol library, the acquisition protocol library and the configuration protocol library share one protocol format, specified as follows: numbering | type | value | matching position | matching mode | discarding mode, where | is the separator; the size of the numbering is specified as 4 bytes; the size of the type is specified as 1 byte, where the value 0 represents an IP address, 1 a domain name, 2 a port, and 3 a keyword; the value is specified as 32 bytes and is filled in according to the type: the IP address when the type is 0, the domain name when the type is 1, the port number when the type is 2, and the specific keyword when the type is 3; the size of the matching position is specified as 4 bytes: when the type is IP or port, the field value is -2; for full-message floating matching it is -1; for fixed-position matching it is the value of the fixed position, which is generated from the fixed position within the TCP/IP application layer and has a maximum value of 1514; a matching mode value of 0 represents fuzzy mode and 1 represents accurate mode; a discarding mode value of 0 represents unidirectional discarding and 1 represents bidirectional discarding;
step 5, completing the network configuration
The configuration memory of the front-end network access device newly added component stores the IP address and port number of the back-end traffic acquisition device; the acquisition configuration memory of the back-end traffic acquisition device newly added component stores the IP address and port number of the front-end network access device, and also the IP address and port number of the management end of the back-end traffic acquisition device; the front-end network access device, the back-end traffic acquisition device and the management end of the back-end traffic acquisition device are connected to a network over which they can reach one another;
step 6, front-end traffic filtering
The analysis module of the front-end network access device newly added component parses the received traffic according to the TCP/IP protocol to obtain TCP/IP application layer data; the newly added component matches the TCP/IP application layer data against the data in the access protocol library, and the matching result is one of: 1) discard the unidirectional traffic, i.e. the discarding mode value is 0; 2) discard the bidirectional traffic, i.e. the discarding mode value is 1; 3) no match. When the matching result contains a traffic-discarding operation, the scheduling module of the newly added component calls the filtering module to filter the received traffic, producing front-end-filtered traffic, which the newly added component sends to the back-end traffic acquisition device configured in the configuration memory; when the matching result is no match, the newly added component sends the received traffic directly to the back-end traffic acquisition device configured in the configuration memory; the methods by which the newly added component sends traffic to the back-end traffic acquisition device configured in the configuration memory comprise an optical splitting method and a mirroring method;
step 7, the back-end traffic acquisition device newly added component keeps the acquisition protocol library and the access protocol library consistent
The acquisition analysis module of the back-end traffic acquisition device newly added component parses the TCP/IP protocol of the traffic received by the back-end traffic acquisition device to obtain acquisition-end TCP/IP application layer data; the newly added component matches the acquisition-end TCP/IP application layer data against the data in the acquisition protocol library, and the matching result is one of: 1) discard the unidirectional traffic, i.e. the discarding mode value is 0; 2) discard the bidirectional traffic, i.e. the discarding mode value is 1; 3) no match. When the matching result contains a traffic-discarding operation, the protocol library updater of the back-end traffic acquisition device newly added component sends the data in the acquisition protocol library to the access protocol library of the front-end network access device newly added component, and the front-end network access device newly added component completes the update of the access protocol library; when the matching result is no match and the traffic is HTTP traffic, the reporting module of the back-end traffic acquisition device newly added component extracts the Content-Type field from the HTTP protocol characteristics and reports the Content-Type field together with the acquisition-end TCP/IP application layer data to the protocol library configurator of the management end of the back-end traffic acquisition device;
step 8, the management end of the back-end traffic acquisition device maintains and updates the acquisition protocol library of the back-end traffic acquisition device newly added component
The protocol library configurator of the management end of the back-end traffic acquisition device receives the Content-Type field and the acquisition-end TCP/IP application layer data, automatically generates standard configuration protocol library data according to the upper-layer service system's requirements on network data, and stores that data in the configuration protocol library; the upper-layer service system's requirements on network data are expressed as the data requirements associated with the Content-Type fields that the upper-layer service system filters for and that satisfy those requirements; the configuration protocol library provides a manual configuration interface through which an administrator can write data conforming to the protocol rules of the configuration protocol library according to management needs; and the data stored in the configuration protocol library is periodically sent to the acquisition protocol library of the back-end traffic acquisition device newly added component to complete the update of the acquisition protocol library.
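An added example, not code from the patent, covering the record format of the second embodiment and claim step 4 together with the discard decision of steps 6 and 7: it parses one library record, enforces the stated field sizes and value ranges, and applies the parsed rules to application-layer data. The packet is represented as a dict with assumed keys src_ip, dst_ip, src_port, dst_port, host and payload (bytes), and fuzzy mode is taken to mean a case-insensitive match, which the patent leaves unspecified.

```python
from dataclasses import dataclass

TYPE_IP, TYPE_DOMAIN, TYPE_PORT, TYPE_KEYWORD = 0, 1, 2, 3   # 1-byte type field
POS_IP_PORT, POS_FLOATING, MAX_FIXED_POS = -2, -1, 1514     # matching-position values


@dataclass(frozen=True)
class Rule:
    number: int          # 4-byte numbering
    rtype: int
    value: str           # 32-byte value field, meaning depends on rtype
    position: int        # -2 for IP/port, -1 floating, otherwise fixed offset
    accurate: bool       # matching mode: 1 = accurate, 0 = fuzzy
    bidirectional: bool  # discarding mode: 1 = bidirectional, 0 = unidirectional


def parse_rule(line: str) -> Rule:
    """Parse one 'numbering|type|value|position|mode|discard' record, enforcing field sizes."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {line!r}")
    number, rtype, pos, mode, drop = (int(parts[i]) for i in (0, 1, 3, 4, 5))
    value = parts[2].strip()               # the patent's own example pads the keyword with spaces
    if not (0 <= number < 2**32 and len(value.encode()) <= 32):
        raise ValueError("numbering must fit in 4 bytes and value in 32 bytes")
    if rtype not in (TYPE_IP, TYPE_DOMAIN, TYPE_PORT, TYPE_KEYWORD):
        raise ValueError(f"unknown type {rtype}")
    if not POS_IP_PORT <= pos <= MAX_FIXED_POS:
        raise ValueError(f"matching position {pos} out of range")
    if mode not in (0, 1) or drop not in (0, 1):
        raise ValueError("matching mode and discarding mode must be 0 or 1")
    return Rule(number, rtype, value, pos, mode == 1, drop == 1)


def matches(rule: Rule, pkt: dict) -> bool:
    """Apply one rule to parsed application-layer data (assumed dict layout, see lead-in)."""
    if rule.rtype == TYPE_IP:              # position is irrelevant for IP and port rules
        return rule.value in (pkt["src_ip"], pkt["dst_ip"])
    if rule.rtype == TYPE_PORT:
        return int(rule.value) in (pkt["src_port"], pkt["dst_port"])
    if rule.rtype == TYPE_DOMAIN:
        host = pkt.get("host", "")
        return host == rule.value if rule.accurate else rule.value in host
    needle, payload = rule.value.encode(), pkt["payload"]
    # floating (-1): anywhere in the message; fixed: a window at the given offset
    hay = payload if rule.position == POS_FLOATING else payload[rule.position:rule.position + len(needle)]
    return needle in hay if rule.accurate else needle.lower() in hay.lower()


def decide(rules, pkt):
    """First matching rule wins; returns 'unidirectional', 'bidirectional' or None (no match)."""
    hit = next((r for r in rules if matches(r, pkt)), None)
    return None if hit is None else ("bidirectional" if hit.bidirectional else "unidirectional")
```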
CN201811079557.3A 2018-09-17 2018-09-17 Method for reducing cost of network flow acquisition equipment Active CN109194516B (en)


Publications (2)

Publication Number Publication Date
CN109194516A CN109194516A (en) 2019-01-11
CN109194516B true CN109194516B (en) 2021-07-09

Family

ID=64911410





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant