CN109309591A - Data on flows statistical method, electronic equipment and storage medium - Google Patents
Data on flows statistical method, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN109309591A CN109309591A CN201811284881.9A CN201811284881A CN109309591A CN 109309591 A CN109309591 A CN 109309591A CN 201811284881 A CN201811284881 A CN 201811284881A CN 109309591 A CN109309591 A CN 109309591A
- Authority
- CN
- China
- Prior art keywords
- network interface
- interface card
- transmission data
- data
- card transmission
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The invention discloses a kind of data on flows statistical method, electronic equipment and storage mediums, wherein data on flows statistical method includes: the interface that calling system kernel provides, and obtains the network interface card transmission data obtained through mirror image processing;According to strategy is pre-configured, specific network interface card transmission data are extracted from network interface card transmission data;It is for statistical analysis to specific network interface card transmission data, obtain particular flow rate data.The technical solution provided according to the present invention, it is for statistical analysis by transmitting data to specific network interface card, can obtain specifically, accurately particular flow rate data, facilitate system operation maintenance personnel and understands specific traffic conditions, safeguard its to system more conveniently, guarantee system operates normally, and also improves data on flows statistical efficiency, optimizes data on flows statistical.
Description
Technical field
The present invention relates to technical field of data processing, and in particular to a kind of data on flows statistical method, electronic equipment and deposits
Storage media.
Background technique
In Internet technology, server-side can provide a user business service etc..For the ease of being tieed up to server-side
Shield, need for statistical analysis to the data transmitted through network interface card and obtain data on flows, according to data on flows to data packet into
Row management and control, and malicious attack can also be judged whether there is by the variation of data on flows to a certain extent.
Existing data on flows statistical is based on the included tool such as NMON of linux system itself mostly come real
Existing, what is obtained is the whole conclusion of the data on flows of server-side, be unable to get specifically, accurately data on flows situation,
Such as specific port in server-side and the data on flows of specific IP etc., effective data on flows result cannot be provided.
Summary of the invention
In view of the above problems, it proposes on the present invention overcomes the above problem or at least be partially solved in order to provide one kind
State data on flows statistical method, electronic equipment and the storage medium of problem.
According to an aspect of the invention, there is provided a kind of data on flows statistical method, comprising:
The interface that calling system kernel provides obtains the network interface card transmission data obtained through mirror image processing;
According to strategy is pre-configured, specific network interface card transmission data are extracted from network interface card transmission data;
It is for statistical analysis to specific network interface card transmission data, obtain particular flow rate data.
According to another aspect of the present invention, provide a kind of electronic equipment, comprising: processor, memory, communication interface and
Communication bus, processor, memory and communication interface complete mutual communication by communication bus;
Memory makes processor execute following operation for storing an at least executable instruction, executable instruction:
The interface that calling system kernel provides obtains the network interface card transmission data obtained through mirror image processing;
According to strategy is pre-configured, specific network interface card transmission data are extracted from network interface card transmission data;
It is for statistical analysis to specific network interface card transmission data, obtain particular flow rate data.
According to another aspect of the invention, a kind of storage medium is provided, it is executable that at least one is stored in storage medium
Instruction, executable instruction make processor execute following operation:
The interface that calling system kernel provides obtains the network interface card transmission data obtained through mirror image processing;
According to strategy is pre-configured, specific network interface card transmission data are extracted from network interface card transmission data;
It is for statistical analysis to specific network interface card transmission data, obtain particular flow rate data.
The technical solution provided according to the present invention can be passed according to strategy is pre-configured from the network interface card obtained through mirror image processing
Specific network interface card transmission data are extracted in transmission of data for statisticalling analyze, and can only obtain the data on flows of server-side with the prior art
Whole conclusion, the technical solution by specific network interface card transmit data it is for statistical analysis, can obtain specifically, accurately
Particular flow rate data, system operation maintenance personnel can precisely understand specific traffic conditions according to particular flow rate data, more conveniently
System is safeguarded, effectively system of defense guarantees that system operates normally by malicious attack;And it is transmitted with the network interface card of full dose
Data are compared, and the data volume of specific network interface card transmission data will be far smaller than the data volume of network interface card transmission data, to effectively subtract
Lack data statistics amount, improved data on flows statistical efficiency, optimizes data on flows statistical.
The above description is only an overview of the technical scheme of the present invention, in order to better understand the technical means of the present invention,
And it can be implemented in accordance with the contents of the specification, and in order to allow above and other objects of the present invention, feature and advantage can
It is clearer and more comprehensible, the followings are specific embodiments of the present invention.
Detailed description of the invention
By reading the following detailed description of the preferred embodiment, various other advantages and benefits are common for this field
Technical staff will become clear.The drawings are only for the purpose of illustrating a preferred embodiment, and is not considered as to the present invention
Limitation.And throughout the drawings, the same reference numbers will be used to refer to the same parts.In the accompanying drawings:
Fig. 1 shows a kind of flow diagram of according to embodiments of the present invention one data on flows statistical method;
Fig. 2 shows a kind of flow diagrams of according to embodiments of the present invention two data on flows statistical method;
Fig. 3 shows the structural schematic diagram of according to embodiments of the present invention four a kind of electronic equipment.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to accompanying drawings.Although showing the disclosure in attached drawing
Exemplary embodiment, it being understood, however, that may be realized in various forms the disclosure without should be by embodiments set forth here
It is limited.On the contrary, these embodiments are provided to facilitate a more thoroughly understanding of the present invention, and can be by the scope of the present disclosure
It is fully disclosed to those skilled in the art.
Embodiment one
Fig. 1 shows a kind of flow diagram of according to embodiments of the present invention one data on flows statistical method, such as Fig. 1 institute
Show, this method comprises the following steps:
Step S101, the interface that calling system kernel provides obtain the network interface card transmission data obtained through mirror image processing.
When in system network interface card and other machines communicated when, data packet and network interface card that network interface card is received from other machines
The data packet sent to other machines all can be by applying provided by system kernel and system, can be by statisticalling analyze through network interface card
The data transmitted and obtain data on flows.System kernel provides the interface that can be used in capturing data, such as linux system
Libpcap (Packet Capture Libray) interface that kernel provides, calls the interface, will run corresponding data and catch
Function is caught, all data transmitted by network interface card can be captured, and mirror image processing is done to the data captured, obtain network interface card
Transmit data.
Wherein, the network interface card transmission data obtained through mirror image processing are the data of full dose transmitted through network interface card, including but not
It is limited to: data packet, synchronizing information (syn information), data processing successful information (ack information) etc..Warp is obtained in step s101
The network interface card that mirror image processing obtains transmits data, so as to for statistical analysis to its.
Step S102 extracts specific network interface card transmission data according to strategy is pre-configured from network interface card transmission data.
After obtaining the network interface card obtained through mirror image processing transmission data, it can be transmitted according to strategy is pre-configured from network interface card
The network interface card of extraction section transmits data in data, and then the network interface card transmission data according to the part extracted determine that specific network interface card passes
Transmission of data.Those skilled in the art can according to actual needs be configured pre-configuration strategy, herein without limitation.For example, pre-
Configuration strategy can include: extracted according to the current operating conditions of port, extract and/or according to pumping according to configuration file
Control gauge is then extracted.
Compared with the network interface card of full dose transmits data, the data volume of specific network interface card transmission data will be far smaller than network interface card transmission number
According to data volume help to improve data on flows statistical efficiency to effectively reduce data statistics amount.
Step S103, it is for statistical analysis to specific network interface card transmission data, obtain particular flow rate data.
After specific network interface card transmission data have been determined, using preset algorithm to the data in specific network interface card transmission data
Packet, synchronizing information etc. are for statistical analysis, for example, the statistics quantity of received data packet, the quantity of transmitted data packet,
The data total bytes of received data packet, the data total bytes of transmitted data packet and in the same of connection status
The quantity etc. for walking information, to obtain particular flow rate data.Wherein, particular flow rate data may include specific network interface card transmission data pair
Reception flow total bytes, transmitted traffic total bytes and the query rate per second (Query Per Second, QPS) answered, it is specific
Data on flows may also include other information, and those skilled in the art can be configured according to actual needs, herein without limitation.
Using data on flows statistical method provided in this embodiment, can be obtained according to strategy is pre-configured from through mirror image processing
To network interface card transmission data in extract specific network interface card transmission data for statisticalling analyze, can only obtain server-side with the prior art
The whole conclusion of data on flows, the technical solution by specific network interface card transmit data it is for statistical analysis, can obtain more
In detail, accurately particular flow rate data, system operation maintenance personnel can precisely understand specific traffic conditions according to particular flow rate data,
System is safeguarded more conveniently, effectively system of defense guarantees that system operates normally by malicious attack;And with full dose
Network interface card transmission data compare, the data volume of specific network interface card transmission data will be far smaller than the data volume of network interface card transmission data, from
And data statistics amount is effectively reduced, data on flows statistical efficiency is improved, data on flows statistical is optimized.
Embodiment two
Fig. 2 shows a kind of flow diagrams of according to embodiments of the present invention two data on flows statistical method, such as Fig. 2 institute
Show, this method comprises the following steps:
Step S201, the interface that calling system kernel provides obtain the network interface card transmission data obtained through mirror image processing.
This method is suitable for Transmission Control Protocol and udp protocol.Specifically, linux system kernel can be called to provide
Libpcap interface will run corresponding data capture function after calling Libpcap interface, capture all by network interface card
The data transmitted, by the data image captured portion.The network interface card transmission data obtained through mirror image processing are obtained, so as to right
Its is for statistical analysis.
After obtaining the network interface card obtained through mirror image processing transmission data, so that it may according to strategy is pre-configured, be passed from network interface card
Specific network interface card transmission data are extracted in transmission of data.Wherein, in a specific embodiment, specific network interface card transmission data are extracted
Process can be realized by step S202 to step S203.
Step S202 obtains pre-set designated port and/or specified IP from configuration file.
Wherein, needs designated port for statistical analysis and/or specified IP, ability can be preset in configuration file
Field technique personnel can according to actual needs be configured configuration file, herein without limitation.For example, being set in advance in configuration file
The designated port set includes port 80 and port 81, and specified IP includes 192.0.0.10, then illustrating to need corresponding to port 80
Network interface card transmission data, the corresponding network interface card in port 81 transmission data and 192.0.0.10 corresponding network interface card transmission data unite
Meter analysis.
Step S203, extracts designated port from network interface card transmission data and/or the corresponding network interface card of specified IP transmits data, according to
Specific network interface card transmission data are determined according to the network interface card transmission data extracted.
After obtaining designated port and/or specified IP, so that it may according to designated port and/or specified IP, be passed from network interface card
Designated port is extracted in transmission of data and/or the corresponding network interface card of specified IP transmits data, then according to the network interface card transmission number extracted
Data are transmitted according to the specific network interface card of determination.
By taking the designated port of acquisition is port 80 as an example, the network interface card transmission data obtained through mirror image processing include all of the port
Corresponding network interface card transmits data, then the corresponding network interface card of extraction port 80 transmits data from whole network interface card transmission data, so
Specific network interface card transmission data are determined according to the network interface card transmission data extracted afterwards.
By taking the specified IP of acquisition is 192.0.0.10 as an example, the network interface card transmission data obtained through mirror image processing include multiple IP
Corresponding network interface card transmits data, then extracting the corresponding network interface card of 192.0.0.10 from whole network interface card transmission data transmits number
According to the network interface card transmission data that then foundation is extracted determine specific network interface card transmission data.
Those skilled in the art can according to actual needs be determined specific network interface card transmission data, herein without limitation.
Optionally, the whole network interface card transmission data extracted can be determined as specific network interface card and transmits data;Or it can be when default
Between processing is sampled to the network interface card transmission data extracted, so that obtaining specific network interface card transmits data, i.e., by sampled processing
Obtained network interface card transmission data are determined as specific network interface card transmission data.Those skilled in the art can according to actual needs to it is default when
Between be configured, for example, when preset time be 5 seconds when, then every 5 seconds to extracted network interface card transmission data be sampled place
Reason.
Step S204, it is for statistical analysis to specific network interface card transmission data, obtain particular flow rate data.
When specific network interface card transmits data as according to the designated port extracted and/or the corresponding network interface card transmission data of specified IP
And determine when, to specific network interface card transmission data it is for statistical analysis, designated port and/or the corresponding spy of specified IP can be obtained
Constant flow data.
Wherein, particular flow rate data can include: receive flow total bytes, transmitted traffic total bytes and query rate per second
Etc. data.Particular flow rate data may also include other data, for example, received data packet total quantity and transmission data packet total quantity
Deng herein without limitation.Wherein, can to specific network interface card transmit data in data packet, the synchronizing information in connection status into
Row statistical analysis obtains receiving flow total bytes, transmitted traffic total bytes and query rate per second.
Specifically, data total bytes of received data packet in statistics available specific network interface card transmission data, transmitted
The data total bytes of data packet, the total quantity of received data packet, the total quantity of transmitted data packet and the company of being in
The quantity etc. of the synchronizing information of state is connect, the data total bytes according to received data packet, which determine, receives flow total byte
Number, the data total bytes according to transmitted data packet determine transmitted traffic total bytes, according to received data packet
Total quantity determines received data packet total quantity, and the total quantity according to transmitted data packet, which determines, sends data packet total quantity, according to
Query rate per second is determined according to the quantity of the synchronizing information in connection status.
Step S205 judges particular flow rate data with the presence or absence of abnormal;If so, thening follow the steps S206;If it is not, the then party
Method terminates.
Particular flow rate data can be compared with history particular flow rate data, particular flow rate is judged according to comparison result
Data are with the presence or absence of abnormal.Wherein, abnormal can include: reception flow total bytes are excessively high, query rate per second is excessively high.History is special
Constant flow data can be obtained to be analyzed using linear regression, normal distribution scheduling algorithm the specific network interface card transmission data of history
It arrives.Specifically, if obtaining particular flow rate data fit history particular flow rate data through comparing, illustrate particular flow rate data not
There are exceptions, and without carrying out warning reminding, then this method terminates;History spy is not met if being compared and obtaining particular flow rate data
It is abnormal to illustrate that particular flow rate data exist for constant flow data, and the system operation maintenance personnel of needs is safeguarded, such as is carried out to data packet
Management and control etc., then follow the steps S206.
Step S206 carries out warning reminding.
Particular flow rate data are obtained in judgement to deposit in an exceptional case, automatically carry out warning reminding, for system fortune
Dimension personnel can recognize exception present in specific network interface card transmission data in time, to be safeguarded as early as possible.Art technology
Personnel can be arranged the mode of warning reminding according to actual needs, such as can be by sending the side of warning message to system operation maintenance personnel
Formula carries out warning reminding, herein without limitation.Assuming that designated port is port 80, the corresponding specific stream in port 80 is obtained through judgement
It measures data and there is exception, then generating warning message, warning message generated can be " 80 Traffic Anomaly of port ", then should
Warning message is sent to system operation maintenance personnel, so that system operation maintenance personnel checks simultaneously maintenance port 80 in time.
In another embodiment specific implementation mode, step S201 obtain obtained through mirror image processing network interface card transmission data it
Afterwards, the current operating conditions that multiple ports are obtained in step S202 extract from network interface card transmission data in step S203 and work as
Preceding operating status is that the corresponding network interface card in port of listening state transmits data, is determined according to the network interface card transmission data extracted specific
Network interface card transmits data.
The network interface card transmission data obtained through mirror image processing include the corresponding network interface card transmission data of all of the port, can first obtain institute
There are the current operating conditions of port, wherein the current operating conditions of port include monitoring (LISTEN) state, communication
(ESTABLISHED) state, it is passive close (CLOSE_WAIT) state and actively close (TIME_WAIT) state, actually answering
The corresponding network interface card transmission data in port that current operating conditions are listening state are concerned mostly in, then can pass from network interface card
The corresponding network interface card in port that current operating conditions are listening state is automatically extracted in transmission of data and transmits data, according to what is extracted
Network interface card transmission data determine specific network interface card transmission data.Optionally, the whole network interface card transmission data extracted can be determined as
Specific network interface card transmits data;Or processing can be sampled to the network interface card transmission data extracted every preset time, thus
Data are transmitted to specific network interface card.After specific network interface card transmission data have been determined, so that it may unite to specific network interface card transmission data
Meter analysis obtains the corresponding particular flow rate data in port that each current operating conditions are listening state, is then followed by and executes step
Rapid S205 to step S206.
It wherein, can when the quantity for the port that current operating conditions are listening state is excessive, such as when more than preset threshold
After obtaining the corresponding particular flow rate data in port that each current operating conditions are listening state, by each current operation shape
State is that the corresponding particular flow rate data in port of listening state are arranged according to sequence from big to small, is selected from rank results
It takes and arranges n forward particular flow rate data for further analyzing.Those skilled in the art can be according to actual needs to default
Threshold value and n are configured, herein without limitation.For example, 20 can be set by preset threshold, 10 are set by n.
In another specific embodiment, step S201 obtain obtained through mirror image processing network interface card transmission data it
Afterwards, processing can be sampled to whole network interface card transmission data every preset time, to obtain specific network interface card transmission data, so
Followed by execute step S204 to step S206.It is sampled to handle obtained ad hoc networks compared with the network interface card of full dose transmits data
Card transmission data can not only reflect the case where network interface card transmission data of full dose, and its data volume will be far smaller than network interface card transmission
The data volume of data effectively reduces data statistics amount, improves data on flows statistical efficiency.
It, can be according to strategy be pre-configured, easily from through mirror image using data on flows statistical method provided in this embodiment
It handles and extracts designated port and/or the corresponding network interface card transmission data of specified IP, or current fortune in obtained network interface card transmission data
Row state is that the corresponding network interface card in port of listening state transmits data or the network interface card of sampled processing transmits data, according to institute
The network interface card transmission data of extraction determine specific network interface card transmission data, and for statistical analysis to specific network interface card transmission data, obtain
Specifically, accurately particular flow rate data, not only realize the accurate statistics to data on flows, facilitate system operation maintenance personnel
Understand specific traffic conditions, and also improves data on flows statistical efficiency;And the agreement that the technical solution is applicable in is extensive,
It is applicable not only to Transmission Control Protocol, applies also for udp protocol, is easy to use;In addition it is possible to exist in particular flow rate data abnormal
In the case where, warning reminding is automatically carried out, system operation maintenance personnel is enabled to recognize specific network interface card transmission data institute in time
Existing exception, to be safeguarded as early as possible.
Embodiment three
The embodiment of the present invention three provides a kind of non-volatile memory medium, and storage medium is stored at least one executable finger
It enables, which can be performed the data on flows statistical method in above-mentioned any means embodiment.
Executable instruction specifically can be used for so that the following operation of processor execution: the interface that calling system kernel provides,
Obtain the network interface card transmission data obtained through mirror image processing;According to strategy is pre-configured, specific network interface card is extracted from network interface card transmission data
Transmit data;It is for statistical analysis to specific network interface card transmission data, obtain particular flow rate data.
In a kind of optional embodiment, executable instruction further makes processor execute following operation: obtaining multiple
The current operating conditions of port;The corresponding network interface card in port that current operating conditions are listening state is extracted from network interface card transmission data
Data are transmitted, determine specific network interface card transmission data according to the network interface card transmission data extracted.
In a kind of optional embodiment, executable instruction further makes processor execute following operation: from configuration text
Pre-set designated port and/or specified IP are obtained in part;Designated port and/or specified IP are extracted from network interface card transmission data
Corresponding network interface card transmits data, determines specific network interface card transmission data according to the network interface card transmission data extracted.
In a kind of optional embodiment, executable instruction further makes processor execute following operation: every default
Time is sampled processing to network interface card transmission data, obtains specific network interface card transmission data.
In a kind of optional embodiment, executable instruction further makes processor execute following operation: to ad hoc networks
Card transmission data in data packet, the synchronizing information in connection status it is for statistical analysis, obtain receive flow total bytes,
Transmitted traffic total bytes and query rate per second.
In a kind of optional embodiment, executable instruction further makes processor execute following operation: by specific stream
Amount data are compared with history particular flow rate data, judge particular flow rate data with the presence or absence of abnormal;If so, alarming
It reminds.
Example IV
Fig. 3 shows the structural schematic diagram of according to embodiments of the present invention four a kind of electronic equipment, present invention specific implementation
Example does not limit the specific implementation of electronic equipment.
As shown in figure 3, the electronic equipment may include: processor (processor) 302, communication interface
(Communications Interface) 304, memory (memory) 306 and communication bus 308.
Wherein:
Processor 302, communication interface 304 and memory 306 complete mutual communication by communication bus 308.
Communication interface 304, for being communicated with the network element of other equipment such as client or other servers etc..
Processor 302 can specifically execute in above-mentioned data on flows statistical method embodiment for executing program 310
Correlation step.
Specifically, program 310 may include program code, which includes computer operation instruction.
Processor 302 may be central processor CPU or specific integrated circuit ASIC (Application
Specific Integrated Circuit), or be arranged to implement the integrated electricity of one or more of the embodiment of the present invention
Road.The one or more processors that electronic equipment includes can be same type of processor, such as one or more CPU;It can also
To be different types of processor, such as one or more CPU and one or more ASIC.
Memory 306, for storing program 310.Memory 306 may include high speed RAM memory, it is also possible to further include
Nonvolatile memory (non-volatile memory), for example, at least a magnetic disk storage.
Program 310 specifically can be used for so that processor 302 executes following operation: the interface that calling system kernel provides,
Obtain the network interface card transmission data obtained through mirror image processing;According to strategy is pre-configured, specific network interface card is extracted from network interface card transmission data
Transmit data;It is for statistical analysis to specific network interface card transmission data, obtain particular flow rate data.
In a kind of optional embodiment, program 310 is further such that processor 302 executes following operation: obtaining more
The current operating conditions of a port;The corresponding net in port that current operating conditions are listening state is extracted from network interface card transmission data
Card transmission data determine specific network interface card transmission data according to the network interface card transmission data extracted.
In a kind of optional embodiment, program 310 is further such that processor 302 executes following operation: from configuration
Pre-set designated port and/or specified IP are obtained in file;Designated port is extracted from network interface card transmission data and/or is specified
The corresponding network interface card of IP transmits data, determines specific network interface card transmission data according to the network interface card transmission data extracted.
In a kind of optional embodiment, program 310 is further such that processor 302 executes following operation: every pre-
If the time is sampled processing to network interface card transmission data, specific network interface card transmission data are obtained.
In a kind of optional embodiment, program 310 is further such that processor 302 executes following operation: to specific
Data packet in network interface card transmission data, the synchronizing information in connection status are for statistical analysis, obtain receiving flow total byte
Number, transmitted traffic total bytes and query rate per second.
In a kind of optional embodiment, program 310 is further such that processor 302 executes following operation: will be specific
Data on flows is compared with history particular flow rate data, judges particular flow rate data with the presence or absence of abnormal;If so, being reported
It is alert to remind.
The specific implementation of each step may refer to the corresponding steps pair in above-mentioned data on flows Statistics Implementation example in program 310
The description answered, this will not be repeated here.It is apparent to those skilled in the art that for convenience and simplicity of description, on
The specific work process for stating the equipment of description can refer to corresponding processes in the foregoing method embodiment description, no longer superfluous herein
It states.
The scheme provided through this embodiment, by specific network interface card transmit data it is for statistical analysis, can obtain more
For detailed, accurately particular flow rate data, system operation maintenance personnel can precisely understand specific flow feelings according to particular flow rate data
Condition safeguards that effectively system of defense guarantees that system is operated normally by malicious attack to system more conveniently.
Algorithm and display are not inherently related to any particular computer, virtual system, or other device provided herein.
Various general-purpose systems can also be used together with teachings based herein.As described above, it constructs required by this kind of system
Structure be obvious.In addition, the present invention is also not directed to any particular programming language.It should be understood that can use various
Programming language realizes summary of the invention described herein, and the description done above to language-specific is to disclose this hair
Bright preferred forms.
In the instructions provided here, numerous specific details are set forth.It is to be appreciated, however, that implementation of the invention
Example can be practiced without these specific details.In some instances, well known method, structure is not been shown in detail
And technology, so as not to obscure the understanding of this specification.
Similarly, it should be understood that in order to simplify the disclosure and help to understand one or more of the various inventive aspects,
Above in the description of exemplary embodiment of the present invention, each feature of the invention is grouped together into single implementation sometimes
In example, figure or descriptions thereof.However, the disclosed method should not be interpreted as reflecting the following intention: i.e. required to protect
Shield the present invention claims features more more than feature expressly recited in each claim.More precisely, such as right
As claim reflects, inventive aspect is all features less than single embodiment disclosed above.Therefore, it then follows tool
Thus claims of body embodiment are expressly incorporated in the specific embodiment, wherein each claim conduct itself
Separate embodiments of the invention.
Those skilled in the art will understand that can be carried out adaptively to the module in the equipment in embodiment
Change and they are arranged in one or more devices different from this embodiment.It can be the module or list in embodiment
Member or component are combined into a module or unit or component, and furthermore they can be divided into multiple submodule or subelement or
Sub-component.Other than such feature and/or at least some of process or unit exclude each other, it can use any
Combination is to all features disclosed in this specification (including adjoint claim, abstract and attached drawing) and so disclosed
All process or units of what method or apparatus are combined.Unless expressly stated otherwise, this specification is (including adjoint power
Benefit require, abstract and attached drawing) disclosed in each feature can carry out generation with an alternative feature that provides the same, equivalent, or similar purpose
It replaces.
In addition, it will be appreciated by those of skill in the art that although some embodiments described herein include other embodiments
In included certain features rather than other feature, but the combination of the feature of different embodiments mean it is of the invention
Within the scope of and form different embodiments.For example, in detail in the claims, embodiment claimed it is one of any
Can in any combination mode come using.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and ability
Field technique personnel can be designed alternative embodiment without departing from the scope of the appended claims.In the claims,
Any reference symbol between parentheses should not be configured to limitations on claims.Word "comprising" does not exclude the presence of not
Element or step listed in the claims.Word "a" or "an" located in front of the element does not exclude the presence of multiple such
Element.The present invention can be by means of including the hardware of several different elements and being come by means of properly programmed computer real
It is existing.The use of word first, second, and third does not indicate any sequence.These words can be construed to title.
The invention discloses: a kind of data on flows statistical method of A1., comprising:
The interface that calling system kernel provides obtains the network interface card transmission data obtained through mirror image processing;
According to strategy is pre-configured, specific network interface card transmission data are extracted from network interface card transmission data;
It is for statistical analysis to the specific network interface card transmission data, obtain particular flow rate data.
A2. method according to a1, it is described according to strategy is pre-configured, ad hoc networks are extracted from network interface card transmission data
Card transmission data further comprise:
Obtain the current operating conditions of multiple ports;
The corresponding network interface card in port that current operating conditions are listening state is extracted from network interface card transmission data transmits number
According to the network interface card transmission data that foundation is extracted determine specific network interface card transmission data.
A3. method according to a1, it is described according to strategy is pre-configured, ad hoc networks are extracted from network interface card transmission data
Card transmission data further comprise:
Pre-set designated port and/or specified IP are obtained from configuration file;
Designated port is extracted from network interface card transmission data and/or the corresponding network interface card of specified IP transmits data, according to institute
The network interface card transmission data of extraction determine specific network interface card transmission data.
A4. described according to strategy is pre-configured according to the described in any item methods of A1-A3, it is transmitted in data from the network interface card
Extracting specific network interface card transmission data further comprises:
Processing is sampled to network interface card transmission data every preset time, obtains specific network interface card transmission data.
It is A5. described for statistical analysis to the specific network interface card transmission data according to the described in any item methods of A1-A4,
Obtaining particular flow rate data further comprises:
It is for statistical analysis to the data packet in the specific network interface card transmission data, the synchronizing information in connection status,
It obtains receiving flow total bytes, transmitted traffic total bytes and query rate per second.
A6. according to the described in any item methods of A1-A5, statistical is carried out to the specific network interface card transmission data described
Analysis, after obtaining particular flow rate data, the method also includes:
The particular flow rate data are compared with history particular flow rate data, whether judge the particular flow rate data
There are exceptions;If so, theing make an alarm reminder.
The invention also discloses: B7. a kind of electronic equipment, comprising: processor, memory, communication interface and communication bus,
The processor, the memory and the communication interface complete mutual communication by the communication bus;
For the memory for storing an at least executable instruction, it is following that the executable instruction executes the processor
Operation:
The interface that calling system kernel provides obtains the network interface card transmission data obtained through mirror image processing;
According to strategy is pre-configured, specific network interface card transmission data are extracted from network interface card transmission data;
It is for statistical analysis to the specific network interface card transmission data, obtain particular flow rate data.
B8. the electronic equipment according to B7, the executable instruction further make the processor execute following operation:
Obtain the current operating conditions of multiple ports;
The corresponding network interface card in port that current operating conditions are listening state is extracted from network interface card transmission data transmits number
According to the network interface card transmission data that foundation is extracted determine specific network interface card transmission data.
B9. the electronic equipment according to B7, the executable instruction further make the processor execute following operation:
Pre-set designated port and/or specified IP are obtained from configuration file;
Designated port is extracted from network interface card transmission data and/or the corresponding network interface card of specified IP transmits data, according to institute
The network interface card transmission data of extraction determine specific network interface card transmission data.
B10. according to the described in any item electronic equipments of B7-B9, the executable instruction further holds the processor
The following operation of row:
Processing is sampled to network interface card transmission data every preset time, obtains specific network interface card transmission data.
B11. according to the described in any item electronic equipments of B7-B10, the executable instruction further holds the processor
The following operation of row:
It is for statistical analysis to the data packet in the specific network interface card transmission data, the synchronizing information in connection status,
It obtains receiving flow total bytes, transmitted traffic total bytes and query rate per second.
B12. according to the described in any item electronic equipments of B7-B11, the executable instruction further holds the processor
The following operation of row:
The particular flow rate data are compared with history particular flow rate data, whether judge the particular flow rate data
There are exceptions;If so, theing make an alarm reminder.
The invention also discloses a kind of storage medium of C13., an at least executable instruction is stored in the storage medium,
The executable instruction makes processor execute following operation:
The interface that calling system kernel provides obtains the network interface card transmission data obtained through mirror image processing;
According to strategy is pre-configured, specific network interface card transmission data are extracted from network interface card transmission data;
It is for statistical analysis to the specific network interface card transmission data, obtain particular flow rate data.
C14. the storage medium according to C13, the executable instruction further make the processor execute following behaviour
Make:
Obtain the current operating conditions of multiple ports;
The corresponding network interface card in port that current operating conditions are listening state is extracted from network interface card transmission data transmits number
According to the network interface card transmission data that foundation is extracted determine specific network interface card transmission data.
C15. the storage medium according to C13, the executable instruction further make the processor execute following behaviour
Make:
Pre-set designated port and/or specified IP are obtained from configuration file;
Designated port is extracted from network interface card transmission data and/or the corresponding network interface card of specified IP transmits data, according to institute
The network interface card transmission data of extraction determine specific network interface card transmission data.
C16. according to the described in any item storage mediums of C13-C15, the executable instruction further makes the processor
Execute following operation:
Processing is sampled to network interface card transmission data every preset time, obtains specific network interface card transmission data.
C17. according to the described in any item storage mediums of C13-C16, the executable instruction further makes the processor
Execute following operation:
It is for statistical analysis to the data packet in the specific network interface card transmission data, the synchronizing information in connection status,
It obtains receiving flow total bytes, transmitted traffic total bytes and query rate per second.
C18. according to the described in any item storage mediums of C13-C17, the executable instruction further makes the processor
Execute following operation:
The particular flow rate data are compared with history particular flow rate data, whether judge the particular flow rate data
There are exceptions;If so, theing make an alarm reminder.
Claims (10)
1. a kind of data on flows statistical method, comprising:
The interface that calling system kernel provides obtains the network interface card transmission data obtained through mirror image processing;
According to strategy is pre-configured, specific network interface card transmission data are extracted from network interface card transmission data;
It is for statistical analysis to the specific network interface card transmission data, obtain particular flow rate data.
2. according to the method described in claim 1, it is described according to be pre-configured strategy, from the network interface card transmission data in extract it is specific
Network interface card transmission data further comprise:
Obtain the current operating conditions of multiple ports;
The corresponding network interface card in port that current operating conditions are listening state is extracted from network interface card transmission data transmits data, according to
Specific network interface card transmission data are determined according to the network interface card transmission data extracted.
3. according to the method described in claim 1, it is described according to be pre-configured strategy, from the network interface card transmission data in extract it is specific
Network interface card transmission data further comprise:
Pre-set designated port and/or specified IP are obtained from configuration file;
Designated port is extracted from network interface card transmission data and/or the corresponding network interface card of specified IP transmits data, and foundation is extracted
Network interface card transmission data determine specific network interface card transmission data.
4. method according to claim 1-3, described according to strategy is pre-configured, transmitted in data from the network interface card
Extracting specific network interface card transmission data further comprises:
Processing is sampled to network interface card transmission data every preset time, obtains specific network interface card transmission data.
5. method according to claim 1-4, described for statistical analysis to the specific network interface card transmission data,
Obtaining particular flow rate data further comprises:
It is for statistical analysis to the data packet in the specific network interface card transmission data, the synchronizing information in connection status, it obtains
Receive flow total bytes, transmitted traffic total bytes and query rate per second.
6. method according to claim 1-5 carries out statistical to the specific network interface card transmission data described
Analysis, after obtaining particular flow rate data, the method also includes:
The particular flow rate data are compared with history particular flow rate data, judge that the particular flow rate data whether there is
It is abnormal;If so, theing make an alarm reminder.
7. a kind of electronic equipment, comprising: processor, memory, communication interface and communication bus, the processor, the storage
Device and the communication interface complete mutual communication by the communication bus;
The memory makes the processor execute following behaviour for storing an at least executable instruction, the executable instruction
Make:
The interface that calling system kernel provides obtains the network interface card transmission data obtained through mirror image processing;
According to strategy is pre-configured, specific network interface card transmission data are extracted from network interface card transmission data;
It is for statistical analysis to the specific network interface card transmission data, obtain particular flow rate data.
8. electronic equipment according to claim 7, the executable instruction further makes the processor execute following behaviour
Make:
Obtain the current operating conditions of multiple ports;
The corresponding network interface card in port that current operating conditions are listening state is extracted from network interface card transmission data transmits data, according to
Specific network interface card transmission data are determined according to the network interface card transmission data extracted.
9. electronic equipment according to claim 7, the executable instruction further makes the processor execute following behaviour
Make:
Pre-set designated port and/or specified IP are obtained from configuration file;
Designated port is extracted from network interface card transmission data and/or the corresponding network interface card of specified IP transmits data, and foundation is extracted
Network interface card transmission data determine specific network interface card transmission data.
10. a kind of storage medium, it is stored with an at least executable instruction in the storage medium, the executable instruction makes to handle
Device executes following operation:
The interface that calling system kernel provides obtains the network interface card transmission data obtained through mirror image processing;
According to strategy is pre-configured, specific network interface card transmission data are extracted from network interface card transmission data;
It is for statistical analysis to the specific network interface card transmission data, obtain particular flow rate data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811284881.9A CN109309591B (en) | 2018-10-31 | 2018-10-31 | Traffic data statistical method, electronic device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811284881.9A CN109309591B (en) | 2018-10-31 | 2018-10-31 | Traffic data statistical method, electronic device and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109309591A true CN109309591A (en) | 2019-02-05 |
| CN109309591B CN109309591B (en) | 2021-10-22 |
Family
ID=65222561
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811284881.9A Active CN109309591B (en) | 2018-10-31 | 2018-10-31 | Traffic data statistical method, electronic device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109309591B (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110572361A (en) * | 2019-08-02 | 2019-12-13 | 视联动力信息技术股份有限公司 | video networking network card selection method and system |
| CN111083012A (en) * | 2019-12-18 | 2020-04-28 | 苏州浪潮智能科技有限公司 | Data center switch flow statistical method and equipment |
| CN111162973A (en) * | 2019-12-31 | 2020-05-15 | 奇安信科技集团股份有限公司 | Data flow acquisition method and device, electronic equipment and medium |
| CN113992624A (en) * | 2021-12-08 | 2022-01-28 | 赛尔网络有限公司 | Traffic statistical method, device, equipment and medium based on address identification |
| CN114465741A (en) * | 2020-11-09 | 2022-05-10 | 腾讯科技(深圳)有限公司 | Anomaly detection method and device, computer equipment and storage medium |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070291654A1 (en) * | 2006-06-16 | 2007-12-20 | Gerald Pepper | Memory Access Optimization and Communications Statistics Computation |
| CN202535371U (en) * | 2011-11-28 | 2012-11-14 | 曙光信息产业(北京)有限公司 | Network card device supporting complex flow statistics |
| CN103944771A (en) * | 2013-01-19 | 2014-07-23 | 鸿富锦精密工业(深圳)有限公司 | Method and system for testing network data traffic |
| CN105429801A (en) * | 2015-12-10 | 2016-03-23 | 北京奇虎科技有限公司 | Traffic monitoring method and apparatus |
| CN106375235A (en) * | 2016-08-30 | 2017-02-01 | 成都科来软件有限公司 | Method and device for obtaining specified IP (Internet Protocol) traffic information by statistics |
| CN107370755A (en) * | 2017-08-23 | 2017-11-21 | 杭州安恒信息技术有限公司 | A kind of method of the profound detection APT attacks of various dimensions |
| CN107579981A (en) * | 2017-09-08 | 2018-01-12 | 北京神州绿盟信息安全科技股份有限公司 | A kind of network flow monitoring method and system |
| CN107979506A (en) * | 2017-10-30 | 2018-05-01 | 阿里巴巴集团控股有限公司 | Flow obtains and high in the clouds display systems, method, apparatus and equipment |
| CN108512720A (en) * | 2018-03-02 | 2018-09-07 | 杭州迪普科技股份有限公司 | A kind of statistical method and device of website traffic |
-
2018
- 2018-10-31 CN CN201811284881.9A patent/CN109309591B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070291654A1 (en) * | 2006-06-16 | 2007-12-20 | Gerald Pepper | Memory Access Optimization and Communications Statistics Computation |
| CN202535371U (en) * | 2011-11-28 | 2012-11-14 | 曙光信息产业(北京)有限公司 | Network card device supporting complex flow statistics |
| CN103944771A (en) * | 2013-01-19 | 2014-07-23 | 鸿富锦精密工业(深圳)有限公司 | Method and system for testing network data traffic |
| CN105429801A (en) * | 2015-12-10 | 2016-03-23 | 北京奇虎科技有限公司 | Traffic monitoring method and apparatus |
| CN106375235A (en) * | 2016-08-30 | 2017-02-01 | 成都科来软件有限公司 | Method and device for obtaining specified IP (Internet Protocol) traffic information by statistics |
| CN107370755A (en) * | 2017-08-23 | 2017-11-21 | 杭州安恒信息技术有限公司 | A kind of method of the profound detection APT attacks of various dimensions |
| CN107579981A (en) * | 2017-09-08 | 2018-01-12 | 北京神州绿盟信息安全科技股份有限公司 | A kind of network flow monitoring method and system |
| CN107979506A (en) * | 2017-10-30 | 2018-05-01 | 阿里巴巴集团控股有限公司 | Flow obtains and high in the clouds display systems, method, apparatus and equipment |
| CN108512720A (en) * | 2018-03-02 | 2018-09-07 | 杭州迪普科技股份有限公司 | A kind of statistical method and device of website traffic |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110572361A (en) * | 2019-08-02 | 2019-12-13 | 视联动力信息技术股份有限公司 | video networking network card selection method and system |
| CN110572361B (en) * | 2019-08-02 | 2021-11-02 | 视联动力信息技术股份有限公司 | Method, system, equipment and storage medium for selecting video network card |
| CN111083012A (en) * | 2019-12-18 | 2020-04-28 | 苏州浪潮智能科技有限公司 | Data center switch flow statistical method and equipment |
| CN111083012B (en) * | 2019-12-18 | 2021-10-26 | 苏州浪潮智能科技有限公司 | Data center switch flow statistical method and equipment |
| CN111162973A (en) * | 2019-12-31 | 2020-05-15 | 奇安信科技集团股份有限公司 | Data flow acquisition method and device, electronic equipment and medium |
| CN114465741A (en) * | 2020-11-09 | 2022-05-10 | 腾讯科技(深圳)有限公司 | Anomaly detection method and device, computer equipment and storage medium |
| CN114465741B (en) * | 2020-11-09 | 2023-09-26 | 腾讯科技(深圳)有限公司 | Abnormality detection method, abnormality detection device, computer equipment and storage medium |
| CN113992624A (en) * | 2021-12-08 | 2022-01-28 | 赛尔网络有限公司 | Traffic statistical method, device, equipment and medium based on address identification |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109309591B (en) | 2021-10-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109309591A (en) | Data on flows statistical method, electronic equipment and storage medium | |
| US11095670B2 (en) | Hierarchical activation of scripts for detecting a security threat to a network using a programmable data plane | |
| EP3738292A1 (en) | Self-adaptive application programming interface level security monitoring | |
| CN109711171A (en) | Localization method and device, system, storage medium, the electronic device of software vulnerability | |
| AU2016336006A1 (en) | Systems and methods for security and risk assessment and testing of applications | |
| Xuan et al. | Detecting application denial-of-service attacks: A group-testing-based approach | |
| CN111385260B (en) | Port detection method, system, server and storage medium | |
| CN109936545A (en) | The detection method and relevant apparatus of Brute Force attack | |
| US8976676B2 (en) | Adaptive signaling for network performance measurement, access, and control | |
| CN111935172A (en) | Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium | |
| CN104021141B (en) | Method, device and system for data processing and cloud service | |
| CN107483472A (en) | A kind of method, apparatus of network security monitoring, storage medium and server | |
| CN105991628A (en) | Network attack identification method and network attack identification device | |
| CN108337266A (en) | A kind of efficient protocol client vulnerability mining method and system | |
| CN111818069A (en) | Method, device, medium and computer equipment for presenting security event processing flow | |
| CN113542253A (en) | Network flow detection method, device, equipment and medium | |
| CN104980421B (en) | Batch request processing method and system | |
| Janabi et al. | Convolutional neural network based algorithm for early warning proactive system security in software defined networks | |
| US10775751B2 (en) | Automatic generation of regular expression based on log line data | |
| CN111049784A (en) | Network attack detection method, device, equipment and storage medium | |
| KR20220074819A (en) | Graph Stream Mining Pipeline for Efficient Subgraph Detection | |
| CN113259364B (en) | Network event correlation analysis method and device and computer equipment | |
| EP3718284B1 (en) | Extending encrypted traffic analytics with traffic flow data | |
| CN117336033A (en) | Traffic interception method and device, storage medium and electronic equipment | |
| CN112003842A (en) | High-interaction honeypot system and honeypot protection method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |