CN109309591B - Traffic data statistical method, electronic device and storage medium - Google Patents


Info

Publication number
CN109309591B
Authority
CN
China
Prior art keywords
network card
transmission data
card transmission
data
specific
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811284881.9A
Other languages
Chinese (zh)
Other versions
CN109309591A (en)
Inventor
邵厚焜
邹德顺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhangyue Technology Co Ltd
Original Assignee
Zhangyue Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhangyue Technology Co Ltd
Priority to CN201811284881.9A
Publication of CN109309591A
Application granted
Publication of CN109309591B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a traffic data statistical method, an electronic device and a storage medium. The method comprises: calling an interface provided by a system kernel, and acquiring network card transmission data obtained through mirroring; extracting specific network card transmission data from the network card transmission data according to a preconfigured policy; and performing statistical analysis on the specific network card transmission data to obtain specific traffic data. Because the statistical analysis is performed on the specific network card transmission data, more detailed and accurate specific traffic data can be obtained, and system operation and maintenance personnel can see the specific traffic conditions. This makes the system easier to maintain, ensures its normal operation, improves the efficiency of traffic data statistics and optimizes the way traffic data is counted.

Description

Traffic data statistical method, electronic device and storage medium
Technical Field
The invention relates to the technical field of data processing, in particular to a traffic data statistical method, electronic equipment and a storage medium.
Background
In internet technology, a server provides business services and the like to users. To maintain the server, the data transmitted by the network card needs to be statistically analyzed to obtain traffic data; data packets are managed and controlled according to the traffic data, and changes in the traffic data can indicate, to a certain extent, whether a malicious attack exists.
Existing traffic data statistics are mostly based on tools that ship with the Linux system, such as NMON, which yield only an overall figure for the server's traffic. They cannot provide more detailed and accurate traffic data, such as the traffic of a specific port or a specific IP on the server, and therefore cannot provide an effective traffic data result.
Disclosure of Invention
In view of the above, the present invention has been made to provide a traffic data statistical method, an electronic device, and a storage medium that overcome or at least partially solve the above-mentioned problems.
According to an aspect of the present invention, there is provided a traffic data statistical method, including:
calling an interface provided by a system kernel, and acquiring network card transmission data obtained through mirroring;
extracting specific network card transmission data from the network card transmission data according to a preconfigured policy;
and performing statistical analysis on the specific network card transmission data to obtain specific traffic data.
According to another aspect of the present invention, there is provided an electronic device including a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the following operations:
calling an interface provided by a system kernel, and acquiring network card transmission data obtained through mirroring;
extracting specific network card transmission data from the network card transmission data according to a preconfigured policy;
and performing statistical analysis on the specific network card transmission data to obtain specific traffic data.
According to yet another aspect of the present invention, there is provided a storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform the following operations:
calling an interface provided by a system kernel, and acquiring network card transmission data obtained through mirroring;
extracting specific network card transmission data from the network card transmission data according to a preconfigured policy;
and performing statistical analysis on the specific network card transmission data to obtain specific traffic data.
According to the technical solution provided by the invention, specific network card transmission data can be extracted, according to a preconfigured policy, from the network card transmission data obtained through mirroring and then statistically analyzed. Whereas the prior art yields only an overall figure for the server's traffic, this solution obtains more detailed and accurate specific traffic data, from which system operation and maintenance personnel can accurately see the specific traffic conditions; the system is therefore easier to maintain, is effectively defended against malicious attacks, and its normal operation is ensured. In addition, the volume of the specific network card transmission data is far smaller than that of the full network card transmission data, which effectively reduces the amount of data to be counted, improves the efficiency of traffic data statistics and optimizes the way traffic data is counted.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
Fig. 1 is a schematic flow chart of a traffic data statistical method according to a first embodiment of the present invention;
Fig. 2 is a schematic flow chart of a traffic data statistical method according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Example one
Fig. 1 is a schematic flow chart of a traffic data statistical method according to a first embodiment of the present invention, and as shown in fig. 1, the method includes the following steps:
Step S101: call an interface provided by the system kernel and acquire network card transmission data obtained through mirroring.
When the network card in the system communicates with other machines, the data packets it receives from them and the data packets it sends to them are used by the system kernel and the system, and traffic data can be obtained by statistically analyzing the data transmitted by the network card. The system kernel provides an interface capable of capturing data, for example the libpcap (Packet Capture library) interface provided by the Linux system kernel. When the interface is called, the corresponding data capture function runs, all data transmitted through the network card can be captured, and the captured data is mirrored to obtain the network card transmission data.
The network card transmission data obtained through mirroring is the full set of data transmitted through the network card, including but not limited to data packets, synchronization information (SYN) and information confirming successful data processing (ACK). In step S101, this data is acquired so that it can be statistically analyzed.
Step S102: extract specific network card transmission data from the network card transmission data according to a preconfigured policy.
After the network card transmission data obtained through mirroring is acquired, part of it can be extracted according to a preconfigured policy, and the specific network card transmission data is then determined from the extracted part. The preconfigured policy can be set by those skilled in the art according to actual needs and is not limited here. For example, the preconfigured policy may include extraction according to the current operating state of ports, extraction according to a configuration file, and/or extraction according to a sampling rule.
The volume of the specific network card transmission data is far smaller than that of the full network card transmission data, which effectively reduces the amount of data to be counted and improves the efficiency of traffic data statistics.
Step S103: perform statistical analysis on the specific network card transmission data to obtain specific traffic data.
After the specific network card transmission data is determined, a preset algorithm may be used to statistically analyze the data packets, synchronization information and so on that it contains, for example by counting the number of received data packets, the number of sent data packets, the total number of data bytes of received data packets, the total number of data bytes of sent data packets, and the number of pieces of synchronization information in the connection state, so as to obtain the specific traffic data. The specific traffic data may include the total number of bytes of received traffic, the total number of bytes of sent traffic and the queries per second (QPS) corresponding to the specific network card transmission data, and may also include other information.
With the traffic data statistical method provided by this embodiment, specific network card transmission data can be extracted, according to a preconfigured policy, from the network card transmission data obtained through mirroring and then statistically analyzed. Whereas the prior art yields only an overall figure for the server's traffic, this solution obtains more detailed and accurate specific traffic data, from which system operation and maintenance personnel can accurately see the specific traffic conditions; the system is therefore easier to maintain, is effectively protected against malicious attacks, and its normal operation is ensured. In addition, the volume of the specific network card transmission data is far smaller than that of the full network card transmission data, which effectively reduces the amount of data to be counted, improves the efficiency of traffic data statistics and optimizes the way traffic data is counted.
Example two
Fig. 2 is a schematic flow chart of a traffic data statistical method according to a second embodiment of the present invention, and as shown in fig. 2, the method includes the following steps:
Step S201: call an interface provided by the system kernel and acquire network card transmission data obtained through mirroring.
The method is applicable to both the TCP protocol and the UDP protocol. Specifically, the libpcap interface provided by the Linux system kernel can be called; once it is called, the corresponding data capture function runs, all data transmitted through the network card can be captured, and the captured data is mirrored. The network card transmission data obtained through mirroring is then acquired so that it can be statistically analyzed.
After the network card transmission data obtained through mirroring is acquired, the specific network card transmission data can be extracted from it according to the preconfigured policy. In one specific embodiment, the extraction of the specific network card transmission data is implemented through steps S202 to S203.
Step S202: acquire a preset designated port and/or designated IP from the configuration file.
The configuration file may be preset with the designated port and/or designated IP that needs to be statistically analyzed; those skilled in the art may set the configuration file according to actual needs, which is not limited here. For example, if the designated ports preset in the configuration file are port 80 and port 81 and the designated IP is 192.0.0.10, statistical analysis is to be performed on the network card transmission data corresponding to port 80, to port 81 and to the IP 192.0.0.10.
Step S203: extract the network card transmission data corresponding to the designated port and/or designated IP from the network card transmission data, and determine the specific network card transmission data from the extracted data.
After the designated port and/or designated IP is acquired, the network card transmission data corresponding to it is extracted from the network card transmission data, and the specific network card transmission data is then determined from the extracted data.
Taking port 80 as the designated port: the network card transmission data obtained through mirroring includes the data for all ports, so the data corresponding to port 80 is extracted from it, and the specific network card transmission data is then determined from the extracted data.
Taking 192.0.0.10 as the designated IP: the network card transmission data obtained through mirroring includes the data for a plurality of IPs, so the data corresponding to 192.0.0.10 is extracted from it, and the specific network card transmission data is then determined from the extracted data.
Those skilled in the art can decide how the specific network card transmission data is determined according to actual needs; this is not limited here. Optionally, all of the extracted network card transmission data may be taken as the specific network card transmission data; alternatively, the extracted data may be sampled at preset intervals, and the sampled data taken as the specific network card transmission data. The preset interval can be set according to actual needs; for example, with a preset interval of 5 seconds, the extracted network card transmission data is sampled every 5 seconds.
Step S204: perform statistical analysis on the specific network card transmission data to obtain specific traffic data.
When the specific network card transmission data has been determined from the extracted data corresponding to the designated port and/or designated IP, statistical analysis of it yields the specific traffic data corresponding to that designated port and/or designated IP.
The specific traffic data may include the total number of bytes of received traffic, the total number of bytes of sent traffic, the queries per second and similar data. It may also include other data, such as the total number of received data packets and the total number of sent data packets, which is not limited here. The data packets in the specific network card transmission data and the synchronization information in the connection state can be statistically analyzed to obtain the total number of bytes of received traffic, the total number of bytes of sent traffic and the queries per second.
Specifically, the following may be counted in the specific network card transmission data: the total number of data bytes of received data packets, the total number of data bytes of sent data packets, the number of received data packets, the number of sent data packets, the number of pieces of synchronization information in the connection state, and so on. The total number of bytes of received traffic is determined from the total number of data bytes of received data packets, the total number of bytes of sent traffic from the total number of data bytes of sent data packets, the total number of received data packets from the number of received data packets, the total number of sent data packets from the number of sent data packets, and the queries per second from the number of pieces of synchronization information in the connection state.
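The extraction and counting of steps S202 to S204, as an added example that is not part of the patent text: it parses raw Ethernet/IPv4 frames, keeps those matching a designated port or IP, and accumulates the counters listed above per designated port or IP. The `LOCAL_IP` address, the frame builder, counting whole-frame bytes, treating one inbound SYN as one query, and all sample frames are assumptions constructed for illustration.

```python
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy values, taken from the configuration-file example in the text.
DESIGNATED_PORTS = {80, 81}
DESIGNATED_IPS = {"192.0.0.10"}
LOCAL_IP = "10.0.0.5"        # assumed address of the monitored network card
TCP, UDP = 6, 17
SYN, ACK = 0x02, 0x10


@dataclass
class Stats:
    rx_packets: int = 0
    tx_packets: int = 0
    rx_bytes: int = 0        # frame bytes on the wire, headers included
    tx_bytes: int = 0
    syn_count: int = 0       # inbound SYN without ACK = new connection attempt

    def qps(self, window_seconds):
        # Assumption: one inbound SYN is counted as one query.
        return self.syn_count / window_seconds


def parse_frame(frame):
    """Return (src, dst, proto, sport, dport, tcp_flags), or None if unusable."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # Ethernet + IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if ip[0] >> 4 != 4 or ihl < 20 or proto not in (TCP, UDP):
        return None
    l4 = ip[ihl:]
    if len(l4) < (14 if proto == TCP else 8):            # truncated transport header
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    flags = l4[13] if proto == TCP else 0
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
            proto, sport, dport, flags)


def policy_keys(src, dst, sport, dport):
    """Designated ports/IPs this packet belongs to; a packet may match several."""
    keys = [f"port:{p}" for p in sorted({sport, dport} & DESIGNATED_PORTS)]
    keys += [f"ip:{a}" for a in sorted({src, dst} & DESIGNATED_IPS)]
    return keys


def collect(frames):
    """Steps S203 and S204: keep matching frames, count them per policy key."""
    stats = defaultdict(Stats)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, proto, sport, dport, flags = parsed
        for key in policy_keys(src, dst, sport, dport):
            s = stats[key]
            if dst == LOCAL_IP:
                s.rx_packets += 1
                s.rx_bytes += len(frame)
                if proto == TCP and flags & SYN and not flags & ACK:
                    s.syn_count += 1
            elif src == LOCAL_IP:
                s.tx_packets += 1
                s.tx_bytes += len(frame)
    return dict(stats)


def build_frame(src, dst, proto, sport, dport, flags=0, payload=b""):
    """Construct a minimal Ethernet/IPv4 frame for the sample (checksums zero)."""
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x02" * 12 + b"\x08\x00"
    return eth + ip + l4


def sample_frames():
    """Constructed capture: one HTTP exchange, one SSH SYN, one UDP datagram."""
    client = "203.0.113.7"
    return [
        build_frame(client, LOCAL_IP, TCP, 40000, 80, SYN),
        build_frame(LOCAL_IP, client, TCP, 80, 40000, SYN | ACK),
        build_frame(client, LOCAL_IP, TCP, 40000, 80, ACK, b"GET / HTTP/1.1\r\n\r\n"),
        build_frame(LOCAL_IP, client, TCP, 80, 40000, ACK, b"x" * 100),
        build_frame(client, LOCAL_IP, TCP, 40001, 22, SYN),          # not in policy
        build_frame("192.0.0.10", LOCAL_IP, UDP, 5353, 9999, payload=b"ping"),
        b"\x00" * 10,                                                # truncated frame
    ]
```

`collect(sample_frames())` returns one `Stats` record for `port:80` and one for `ip:192.0.0.10`; the port 22 SYN and the truncated frame are dropped before any counting happens.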
Step S205: determine whether the specific traffic data is abnormal; if yes, go to step S206; if not, the method ends.
The specific traffic data can be compared with historical specific traffic data, and whether it is abnormal is determined from the comparison result. Abnormalities may include an excessively high total number of received traffic bytes, excessively high queries per second, and so on. The historical specific traffic data can be obtained by analyzing historical specific network card transmission data with algorithms such as linear regression and normal distribution. Specifically, if the comparison shows that the specific traffic data conforms to the historical specific traffic data, the specific traffic data is not abnormal, no alarm is needed, and the method ends; if the comparison shows that it does not conform, the specific traffic data is abnormal and needs attention from system operation and maintenance personnel, for example management and control of the data packets, and step S206 is executed.
Step S206: raise an alarm.
When the specific traffic data is determined to be abnormal, an alarm is raised automatically so that system operation and maintenance personnel learn of the abnormality in the specific network card transmission data in time and can carry out maintenance as soon as possible. Those skilled in the art may set the alarm mode according to actual needs; for example, the alarm may be raised by sending alarm information to system operation and maintenance personnel, which is not limited here. Assuming that the designated port is port 80, if the specific traffic data corresponding to port 80 is determined to be abnormal, alarm information is generated, for example "abnormal flow of the port 80", and is then sent to system operation and maintenance personnel so that they can check and maintain port 80 in time.
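One way to carry out the comparison of step S205 and the alarm of step S206, as an added example that is not part of the patent text: a least-squares trend line over past intervals gives the expected value, the spread of the residuals is treated as normally distributed, and a value more than `K_SIGMA` deviations above the expectation produces the alarm text quoted above. The threshold, the minimum history length, the 5 % floor on the spread, the metric names and the sample history are assumptions constructed for illustration.

```python
import math
from statistics import fmean

K_SIGMA = 3.0        # assumed alarm threshold, in standard deviations
MIN_HISTORY = 5      # assumed minimum number of past intervals for a baseline

# Constructed per-interval history for port 80.
SAMPLE_HISTORY = {
    "qps": [100, 104, 98, 103, 101, 99, 102, 100],
    "rx_bytes": [1000, 1100, 1200, 1300, 1400, 1500],   # steadily growing
}


def fit_trend(history):
    """Least-squares line through (0, h0), (1, h1), ...: (slope, intercept)."""
    n = len(history)
    x_mean = (n - 1) / 2
    y_mean = fmean(history)
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(history))
    slope = sxy / sxx
    return slope, y_mean - slope * x_mean


def baseline(history):
    """Expected value for the next interval and residual standard deviation."""
    slope, intercept = fit_trend(history)
    residuals = [y - (slope * x + intercept) for x, y in enumerate(history)]
    sigma = math.sqrt(sum(r * r for r in residuals) / (len(history) - 2))
    return slope * len(history) + intercept, sigma


def check_metric(name, history, current):
    """Return a reason string if `current` is abnormally high, else None."""
    if len(history) < MIN_HISTORY:
        return None                      # too little history to judge
    expected, sigma = baseline(history)
    # A perfectly regular history has sigma near 0; apply a relative floor so
    # that ordinary jitter on top of it does not raise an alarm.
    sigma = max(sigma, 0.05 * abs(expected), 1e-9)
    z = (current - expected) / sigma
    if z > K_SIGMA:                      # only "too high" counts as abnormal
        return f"{name} {current:.0f}, expected about {expected:.0f} (z={z:.1f})"
    return None


def check_port(port, history, current):
    """history: {metric: [past values]}, current: {metric: value}."""
    reasons = []
    for metric in sorted(current):
        reason = check_metric(metric, history.get(metric, []), current[metric])
        if reason:
            reasons.append(reason)
    if reasons:
        return f"abnormal flow of the port {port}: " + "; ".join(reasons)
    return None
```

With the sample history, `check_port(80, SAMPLE_HISTORY, {"qps": 450, "rx_bytes": 1620})` reports only the QPS jump, because 1620 bytes is in line with the upward trend of the received-byte history.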
In another specific embodiment, after the network card transmission data obtained through mirroring is acquired in step S201, the current operating states of a plurality of ports are acquired in step S202; in step S203, the network card transmission data corresponding to the ports whose current operating state is the listening state is extracted from the network card transmission data, and the specific network card transmission data is determined from the extracted data.
The network card transmission data obtained through mirroring includes the data for all ports. The current operating states of all ports can be obtained first; these include the listening (LISTEN) state, the communicating (ESTABLISHED) state, the passive-close (CLOSE_WAIT) state and the active-close (TIME_WAIT) state. Optionally, all of the extracted network card transmission data may be taken as the specific network card transmission data; alternatively, the extracted data may be sampled at preset intervals to obtain the specific network card transmission data. After the specific network card transmission data is determined, it can be statistically analyzed to obtain the specific traffic data corresponding to each port whose current operating state is the listening state, and steps S205 to S206 are then performed.
When the number of ports in the listening state is too large, for example when it exceeds a preset threshold, the specific traffic data obtained for each listening port is sorted in descending order, and the first n entries of the sorted result are selected for further analysis. The preset threshold and n can be set by those skilled in the art according to actual needs and are not limited here. For example, the preset threshold may be set to 20 and n to 10.
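The listening-port variant above, as an added example that is not part of the patent text: it reads port states from text in the Linux `/proc/net/tcp` layout and, when more than the threshold number of ports are listening, keeps only the n busiest. The patent does not say how port states are obtained, so the use of `/proc/net/tcp`, the sample table, the per-port byte counts and ranking by received bytes are assumptions constructed for illustration.

```python
# State codes used in the "st" column of /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}
PORT_THRESHOLD = 20   # example threshold from the text
TOP_N = 10            # example n from the text

# Constructed sample; addresses are little-endian hex, ports are plain hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:0051 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0500000A:0050 077100CB:9C40 01 00000000:00000000 00:00000000 00000000    33        0 1003
   3: 0500000A:0050 077100CB:9C41 06 00000000:00000000 00:00000000 00000000     0        0 0
   4: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1004
   5: garbage
"""


def ports_by_state(proc_text):
    """Map state name -> set of local ports found in /proc/net/tcp style text."""
    result = {}
    for line in proc_text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue                                   # malformed row
        local, state_hex = fields[1], fields[3]
        try:
            port = int(local.rsplit(":", 1)[1], 16)
        except (IndexError, ValueError):
            continue
        state = TCP_STATES.get(state_hex.upper(), "OTHER")
        result.setdefault(state, set()).add(port)
    return result


def ports_to_analyse(listen_ports, rx_bytes_by_port,
                     threshold=PORT_THRESHOLD, n=TOP_N):
    """Listening ports in descending traffic order; only the top n when the
    number of listening ports exceeds the threshold."""
    traffic = {p: rx_bytes_by_port.get(p, 0) for p in listen_ports}
    # Ties are broken by port number so the result is deterministic.
    ranked = sorted(traffic, key=lambda p: (-traffic[p], p))
    return ranked[:n] if len(ranked) > threshold else ranked
```

On a live Linux host the text would come from reading `/proc/net/tcp` (and `/proc/net/tcp6` for IPv6 sockets, whose address column is wider but whose port and state columns parse the same way).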
In another embodiment, after the network card transmission data obtained through mirroring is acquired in step S201, all of the network card transmission data may be sampled at preset intervals to obtain the specific network card transmission data, and steps S204 to S206 are then performed. The specific network card transmission data obtained by sampling is representative of the full network card transmission data while being far smaller in volume, which effectively reduces the amount of data to be counted and improves the efficiency of traffic data statistics.
With the traffic data statistical method provided by this embodiment, the network card transmission data corresponding to a designated port and/or designated IP, the network card transmission data corresponding to ports whose current operating state is the listening state, or sampled network card transmission data can be conveniently extracted, according to a preconfigured policy, from the network card transmission data obtained through mirroring. The specific network card transmission data is determined from the extracted data and statistically analyzed to obtain more detailed and accurate specific traffic data. This gives accurate traffic statistics, lets system operation and maintenance personnel see the specific traffic conditions, and improves the efficiency of traffic data statistics. The solution applies to a wide range of protocols, covering both TCP and UDP, and is convenient to use. In addition, an alarm is raised automatically when the specific traffic data is abnormal, so that system operation and maintenance personnel learn of the abnormality in the specific network card transmission data in time and can maintain the system as soon as possible.
Example three
The third embodiment of the present invention provides a non-volatile storage medium storing at least one executable instruction, where the executable instruction can perform the traffic data statistical method of any of the above method embodiments.
The executable instruction may specifically cause the processor to perform the following operations: calling an interface provided by a system kernel, and acquiring network card transmission data obtained through mirroring; extracting specific network card transmission data from the network card transmission data according to a preconfigured policy; and performing statistical analysis on the specific network card transmission data to obtain specific traffic data.
In an alternative embodiment, the executable instruction further causes the processor to perform the following operations: acquiring the current operating states of a plurality of ports; extracting, from the network card transmission data, the network card transmission data corresponding to the ports whose current operating state is the listening state, and determining the specific network card transmission data from the extracted data.
In an alternative embodiment, the executable instruction further causes the processor to perform the following operations: acquiring a preset designated port and/or designated IP from a configuration file; extracting, from the network card transmission data, the network card transmission data corresponding to the designated port and/or designated IP, and determining the specific network card transmission data from the extracted data.
In an alternative embodiment, the executable instruction further causes the processor to perform the following operation: sampling the network card transmission data at preset intervals to obtain the specific network card transmission data.
In an alternative embodiment, the executable instruction further causes the processor to perform the following operation: performing statistical analysis on the data packets in the specific network card transmission data and the synchronization information in the connection state to obtain the total number of bytes of received traffic, the total number of bytes of sent traffic and the queries per second.
In an alternative embodiment, the executable instruction further causes the processor to perform the following operations: comparing the specific traffic data with historical specific traffic data and determining whether the specific traffic data is abnormal; if so, raising an alarm.
Example four
Fig. 3 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the electronic device.
As shown in Fig. 3, the electronic device may include a processor 302, a communication interface 304, a memory 306 and a communication bus 308.
Wherein:
The processor 302, the communication interface 304 and the memory 306 communicate with each other via the communication bus 308.
The communication interface 304 is used to communicate with network elements of other devices, such as clients or other servers.
The processor 302 is configured to execute the program 310, and may specifically perform the relevant steps of the above embodiments of the traffic data statistical method.
In particular, the program 310 may include program code comprising computer operating instructions.
The processor 302 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the present invention. The electronic device comprises one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 306 is used to store the program 310. The memory 306 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 310 may specifically be configured to cause the processor 302 to perform the following operations: call an interface provided by the system kernel to acquire network card transmission data obtained through mirror image processing; extract specific network card transmission data from the network card transmission data according to a preconfigured policy; and perform statistical analysis on the specific network card transmission data to obtain specific traffic data.
In an alternative embodiment, program 310 further causes processor 302 to: acquire the current running states of a plurality of ports; extract, from the network card transmission data, the network card transmission data corresponding to the ports whose current running state is the monitoring state; and determine the specific network card transmission data according to the extracted network card transmission data.
In an alternative embodiment, program 310 further causes processor 302 to: acquire a preset designated port and/or designated IP from a configuration file; extract, from the network card transmission data, the network card transmission data corresponding to the designated port and/or the designated IP; and determine the specific network card transmission data according to the extracted network card transmission data.
In an alternative embodiment, program 310 further causes processor 302 to: sample the network card transmission data at preset intervals to obtain the specific network card transmission data.
In an alternative embodiment, program 310 further causes processor 302 to: perform statistical analysis on the data packets in the specific network card transmission data and on the synchronous information in the connection state, to obtain the total number of bytes of received traffic, the total number of bytes of sent traffic, and the query rate per second.
In an alternative embodiment, program 310 further causes processor 302 to: compare the specific traffic data with historical specific traffic data to determine whether the specific traffic data is abnormal; if so, raise an alarm.
For specific implementation of each step in the program 310, reference may be made to the description corresponding to the corresponding step in the foregoing traffic data statistics embodiment, which is not described herein again. It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the above-described device may refer to the corresponding process description in the foregoing method embodiment, and is not described herein again.
With the scheme provided by this embodiment, statistical analysis of the specific network card transmission data yields more detailed and accurate specific traffic data. System operation and maintenance personnel can use the specific traffic data to understand the actual traffic conditions accurately, maintain the system more conveniently, effectively defend the system against malicious attacks, and keep the system running normally.
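The operations of program 310 described above (select the traffic of ports in the monitoring state, count received bytes, sent bytes and queries per second, then compare with history), as an added Python example that is not code from the patent. It runs over constructed packet records instead of a live kernel capture; reading the "monitoring state" as the TCP listening state, counting inbound SYN packets as queries, keeping the busiest `max_ports` ports by byte volume, and the 3x-mean alert rule are all assumptions.

```python
from collections import defaultdict, namedtuple
from statistics import mean

LOCAL_IP = "10.0.0.5"  # constructed address of the monitored host

# One mirrored packet: length is bytes on the wire, syn marks a TCP SYN
# without ACK (a new connection request).
Pkt = namedtuple("Pkt", "ts src sport dst dport length syn")

# Constructed per-port history from earlier 10-second windows.
HISTORY = {443: {"rx_bytes": [20000, 21000, 22000],
                 "tx_bytes": [58000, 60000, 62000],
                 "qps": [0.5, 1.0, 1.5]}}

def local_port(p):
    """Local port a mirrored packet belongs to, or None if it is not ours."""
    if p.dst == LOCAL_IP:
        return p.dport
    return p.sport if p.src == LOCAL_IP else None

def select_ports(pkts, listening, max_ports):
    """Keep listening ports; above max_ports keep the busiest by bytes."""
    if len(listening) <= max_ports:
        return set(listening)
    volume = defaultdict(int)
    for p in pkts:
        if local_port(p) in listening:
            volume[local_port(p)] += p.length
    ranked = sorted(volume, key=lambda port: (-volume[port], port))
    return set(ranked[:max_ports])

def port_stats(pkts, ports, window_s):
    """Per-port received bytes, sent bytes and queries per second."""
    stats = {port: {"rx_bytes": 0, "tx_bytes": 0, "syn": 0} for port in ports}
    for p in pkts:
        port = local_port(p)
        if port not in ports:
            continue
        if p.dst == LOCAL_IP:
            stats[port]["rx_bytes"] += p.length
            stats[port]["syn"] += p.syn       # assumption: one SYN = one query
        else:
            stats[port]["tx_bytes"] += p.length
    for s in stats.values():
        s["qps"] = s.pop("syn") / window_s
    return stats

def find_anomalies(stats, history, factor=3.0):
    """Flag metrics above factor x the historical mean for that port."""
    alerts = []
    for port, current in sorted(stats.items()):
        for metric, past in sorted(history.get(port, {}).items()):
            baseline = mean(past)
            if baseline > 0 and current[metric] > factor * baseline:
                alerts.append((port, metric, current[metric], baseline))
    return alerts

def sample_capture():
    """Constructed 10-second capture; not real traffic."""
    pkts = []
    for i in range(40):  # 40 connections to 443: SYN, request, reply
        c, t = ("198.51.100.7", 40000 + i), i * 0.25
        pkts.append(Pkt(t, *c, LOCAL_IP, 443, 60, True))
        pkts.append(Pkt(t + 0.01, *c, LOCAL_IP, 443, 500, False))
        pkts.append(Pkt(t + 0.02, LOCAL_IP, 443, *c, 1500, False))
    for i in range(5):   # 5 connections to 80: SYN, reply
        c = ("203.0.113.9", 50000 + i)
        pkts.append(Pkt(i, *c, LOCAL_IP, 80, 60, True))
        pkts.append(Pkt(i + 0.01, LOCAL_IP, 80, *c, 300, False))
    pkts.append(Pkt(1.0, "203.0.113.9", 51000, LOCAL_IP, 22, 60, True))
    pkts.append(Pkt(2.0, "203.0.113.9", 52000, LOCAL_IP, 3306, 60, True))
    return pkts

if __name__ == "__main__":
    capture = sample_capture()
    chosen = select_ports(capture, {22, 80, 443}, max_ports=2)
    window = port_stats(capture, chosen, window_s=10)
    for alert in find_anomalies(window, HISTORY):
        print("ALERT port=%d %s=%s baseline=%s" % alert)
```

A port with no history, such as port 80 here, produces no alert because there is no baseline to compare against.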
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. The use of the words first, second, third, etc. does not indicate any ordering. These words may be interpreted as names.

Claims (15)

1. A traffic data statistics method, comprising:
calling an interface provided by a system kernel, and acquiring network card transmission data obtained through mirror image processing;
extracting specific network card transmission data from the network card transmission data according to a pre-configuration strategy;
carrying out statistical analysis on the transmission data of the specific network card to obtain specific flow data;
wherein the extracting the specific network card transmission data from the network card transmission data according to the preconfigured policy further comprises:
acquiring current operating states of a plurality of ports;
extracting network card transmission data corresponding to a port with the current running state being a monitoring state from the network card transmission data, and determining specific network card transmission data according to the extracted network card transmission data; and if the number of the ports with the current running state being the monitoring state exceeds a preset threshold value, selecting specific network card transmission data from the network card transmission data corresponding to the ports with the current running state being the monitoring state according to the data size.
2. The method of claim 1, the extracting, according to a preconfigured policy, a particular network card transmission data from the network card transmission data further comprising:
acquiring a preset appointed port and/or an appointed IP from a configuration file;
and extracting network card transmission data corresponding to the designated port and/or the designated IP from the network card transmission data, and determining specific network card transmission data according to the extracted network card transmission data.
3. The method of claim 1, the extracting, according to a preconfigured policy, a particular network card transmission data from the network card transmission data further comprising:
and sampling the network card transmission data at preset intervals to obtain specific network card transmission data.
4. The method of claim 1, wherein the performing statistical analysis on the transmission data of the specific network card to obtain specific traffic data further comprises:
and carrying out statistical analysis on the data packets in the transmission data of the specific network card and the synchronous information in the connection state to obtain the total number of bytes of the received flow, the total number of bytes of the sent flow and the query rate per second.
5. The method according to any one of claims 1 to 4, after said performing statistical analysis on said specific network card transmission data to obtain specific traffic data, said method further comprising:
comparing the specific flow data with historical specific flow data to judge whether the specific flow data is abnormal or not; if yes, alarming and reminding are carried out.
6. An electronic device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to:
calling an interface provided by a system kernel, and acquiring network card transmission data obtained through mirror image processing;
extracting specific network card transmission data from the network card transmission data according to a pre-configuration strategy;
carrying out statistical analysis on the transmission data of the specific network card to obtain specific flow data;
wherein the extracting the specific network card transmission data from the network card transmission data according to the preconfigured policy further comprises:
acquiring current operating states of a plurality of ports;
extracting network card transmission data corresponding to a port with the current running state being a monitoring state from the network card transmission data, and determining specific network card transmission data according to the extracted network card transmission data; and if the number of the ports with the current running state being the monitoring state exceeds a preset threshold value, selecting specific network card transmission data from the network card transmission data corresponding to the ports with the current running state being the monitoring state according to the data size.
7. The electronic device of claim 6, the executable instructions further cause the processor to:
acquiring a preset appointed port and/or an appointed IP from a configuration file;
and extracting network card transmission data corresponding to the designated port and/or the designated IP from the network card transmission data, and determining specific network card transmission data according to the extracted network card transmission data.
8. The electronic device of claim 6, the executable instructions further cause the processor to:
and sampling the network card transmission data at preset intervals to obtain specific network card transmission data.
9. The electronic device of claim 6, the executable instructions further cause the processor to:
and carrying out statistical analysis on the data packets in the transmission data of the specific network card and the synchronous information in the connection state to obtain the total number of bytes of the received flow, the total number of bytes of the sent flow and the query rate per second.
10. The electronic device of any of claims 6-9, the executable instructions further cause the processor to:
comparing the specific flow data with historical specific flow data to judge whether the specific flow data is abnormal or not; if yes, alarming and reminding are carried out.
11. A storage medium for performing a traffic data statistics method, the storage medium having stored therein at least one executable instruction that causes a processor to:
calling an interface provided by a system kernel, and acquiring network card transmission data obtained through mirror image processing;
extracting specific network card transmission data from the network card transmission data according to a pre-configuration strategy;
carrying out statistical analysis on the transmission data of the specific network card to obtain specific flow data;
wherein the extracting the specific network card transmission data from the network card transmission data according to the preconfigured policy further comprises:
acquiring current operating states of a plurality of ports;
extracting network card transmission data corresponding to a port with the current running state being a monitoring state from the network card transmission data, and determining specific network card transmission data according to the extracted network card transmission data; and if the number of the ports with the current running state being the monitoring state exceeds a preset threshold value, selecting specific network card transmission data from the network card transmission data corresponding to the ports with the current running state being the monitoring state according to the data size.
12. The storage medium of claim 11, the executable instructions further causing the processor to:
acquiring a preset appointed port and/or an appointed IP from a configuration file;
and extracting network card transmission data corresponding to the designated port and/or the designated IP from the network card transmission data, and determining specific network card transmission data according to the extracted network card transmission data.
13. The storage medium of claim 11, the executable instructions further causing the processor to:
and sampling the network card transmission data at preset intervals to obtain specific network card transmission data.
14. The storage medium of claim 11, the executable instructions further causing the processor to:
and carrying out statistical analysis on the data packets in the transmission data of the specific network card and the synchronous information in the connection state to obtain the total number of bytes of the received flow, the total number of bytes of the sent flow and the query rate per second.
15. The storage medium of any one of claims 11-14, the executable instructions further causing the processor to:
comparing the specific flow data with historical specific flow data to judge whether the specific flow data is abnormal or not; if yes, alarming and reminding are carried out.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811284881.9A CN109309591B (en) 2018-10-31 2018-10-31 Traffic data statistical method, electronic device and storage medium


Publications (2)

Publication Number Publication Date
CN109309591A CN109309591A (en) 2019-02-05
CN109309591B CN109309591B (en) 2021-10-22

Family

ID=65222561

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811284881.9A Active CN109309591B (en) 2018-10-31 2018-10-31 Traffic data statistical method, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN109309591B (en)




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant