CN110138682A - Traffic identification method and device - Google Patents

Publication number: CN110138682A
Authority: CN (China)
Prior art keywords: port, address, detected, message, flow
Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201910388947.7A
Other languages: Chinese (zh)
Inventor: 顾成杰
Current Assignee: New H3C Security Technologies Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: New H3C Security Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/104 Peer-to-peer [P2P] networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the present application provide a traffic identification method and device, relating to the field of network technology. The method includes: judging whether the protocol information carried by the packets of a network data flow includes both TCP protocol information and UDP protocol information; if so, determining an IP address to be detected and a port to be detected according to the IP addresses and ports carried by the packets; counting, among the second address-port pairs that establish a connection with a first address-port pair, a first quantity of different IP addresses and a second quantity of different ports, where the first address-port pair is the information pair composed of the IP address to be detected and the port to be detected; and, when the difference between the first quantity and the second quantity is less than a preset quantity threshold, identifying the network data flow as peer-to-peer (P2P) traffic. Identifying traffic with the scheme provided by the embodiments of the present application can improve the accuracy of traffic identification.

Description

Traffic identification method and device
Technical field
The present application relates to the field of network technology, and in particular to a traffic identification method and device.
Background
In recent years, the scale of the Internet based on TCP/IP (Transmission Control Protocol/Internet Protocol) has kept expanding, and the network carries more and more services. Besides traditional services such as HTTP, FTP (File Transfer Protocol) and E-mail, new network services such as P2P (Peer-to-Peer), VoIP (Voice over Internet Protocol) and streaming media keep emerging. The appearance of large numbers of P2P applications in particular has pushed the Internet forward. However, P2P traffic carries a large volume of data and needs substantial network resources, which consumes a great deal of network bandwidth and easily causes network congestion. In addition, the "decentralized" nature of P2P networks makes them hard to manage, and distributing content through P2P networks easily leads to the spread of worms, viruses or other malicious code, bringing security risks to the network.
For these reasons, network data flows need to be identified; once P2P traffic has been identified, it can be controlled according to the specific situation.
In the prior art, network data flows are generally identified by port matching. In the early days of P2P, most P2P applications communicated over fixed ports, so whether a network data flow is P2P traffic could be judged from the source port or destination port carried by each packet in the flow.
However, as P2P services have spread, more and more P2P applications communicate over dynamic random ports or disguised ports, so port matching sometimes fails to identify P2P traffic, which leads to low traffic identification accuracy.
Summary of the invention
The purpose of the embodiments of the present application is to provide a traffic identification method and device, so as to improve the accuracy of traffic identification. The specific technical solutions are as follows:
In a first aspect, an embodiment of the present application provides a traffic identification method, the method comprising:
judging whether the protocol information carried by the packets of a network data flow includes both TCP protocol information and UDP protocol information;
if so, determining an IP address to be detected and a port to be detected according to the IP addresses and ports carried by the packets;
counting, among the second address-port pairs that establish a connection with a first address-port pair, a first quantity of different IP addresses and a second quantity of different ports, where the first address-port pair is the information pair composed of the IP address to be detected and the port to be detected;
when the difference between the first quantity and the second quantity is less than a preset quantity threshold, identifying the network data flow as peer-to-peer (P2P) traffic.
In a second aspect, an embodiment of the present application provides a traffic identification device, the device comprising:
an information judgment module, configured to judge whether the protocol information carried by the packets of a network data flow includes both TCP protocol information and UDP protocol information, and if so, to trigger an information determination module;
the information determination module, configured to determine an IP address to be detected and a port to be detected according to the IP addresses and ports carried by the packets;
a quantity statistics module, configured to count, among the second address-port pairs that establish a connection with a first address-port pair, a first quantity of different IP addresses and a second quantity of different ports, where the first address-port pair is the information pair composed of the IP address to be detected and the port to be detected;
a traffic identification module, configured to identify the network data flow as peer-to-peer (P2P) traffic when the difference between the first quantity and the second quantity is less than a preset quantity threshold.
In a third aspect, an embodiment of the present application provides an electronic device comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, the machine-executable instructions causing the processor to implement the method steps of the first aspect.
In a fourth aspect, a machine-readable storage medium stores machine-executable instructions which, when called and executed by a processor, cause the processor to implement the method steps of the first aspect.
As can be seen from the above, when traffic is identified with the scheme provided by the embodiments of the present application, and the protocol information carried by the packets of a network data flow includes both TCP protocol information and UDP protocol information, the IP address to be detected and the port to be detected are determined from the IP addresses and ports carried by the packets. The scheme then counts the first quantity of IP addresses and the second quantity of ports that establish a connection with the address-port pair made up of the IP address to be detected and the port to be detected, and identifies the network data flow as P2P traffic only when the difference between the first quantity and the second quantity is less than the preset quantity threshold. The scheme therefore considers not only the ports carried by the packets of the network data flow but also the protocol information and IP addresses they carry, and decides whether the flow is P2P traffic by analysing these kinds of information together. Compared with the prior art, which considers ports alone, it uses richer information, which helps improve the accuracy of network data flow identification.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a traffic identification method provided by an embodiment of the present application;
Fig. 2a is a first schematic diagram of a network structure provided by an embodiment of the present application;
Fig. 2b is a second schematic diagram of a network structure provided by an embodiment of the present application;
Fig. 2c is a third schematic diagram of a network structure provided by an embodiment of the present application;
Fig. 3 is a structural diagram of a traffic identification device provided by an embodiment of the present application;
Fig. 4 is a structural diagram of an electronic device provided by an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the present application without creative effort fall within the scope of protection of the present application.
Fig. 1 is a flow diagram of a traffic identification method provided by an embodiment of the present application. The method can be applied to a network device. The method shown in Fig. 1 includes steps S101 to S104, each of which is described in detail below.
S101: judge whether the protocol information carried by the packets of the network data flow includes both TCP protocol information and UDP protocol information; if so, execute S102.
Specifically, identifying network traffic can mean identifying the network data flow transmitted in the network during a period of time, so the network data flow may be the flow transmitted in the network within a period of a certain length, for example within the 5 minutes before the current time. It may also be the flow transmitted in the network between two specific points in time, for example the network traffic transmitted in the period 2019.5.9 18:00:00 to 2019.5.9 18:05:00.
The TCP (Transmission Control Protocol) protocol information may be identification information that denotes TCP. For example, the identification information of TCP is: TCP.
The UDP (User Datagram Protocol) protocol information may be identification information that denotes UDP. For example, the identification information of UDP is: UDP.
Specifically, the five-tuple information, seven-tuple information and the like of a packet contain protocol information. The protocol information carried by each packet can therefore be obtained from the five-tuple or seven-tuple information of each packet of the network data flow, and it is then judged whether all the protocol information obtained includes both TCP protocol information and UDP protocol information.
In one embodiment of the present application, if the protocol information obtained does not include both TCP protocol information and UDP protocol information, the network data flow can be considered not to be P2P traffic.
S102: determine the IP address to be detected and the port to be detected according to the IP addresses and ports carried by the packets.
Those skilled in the art will understand that, besides protocol information, the five-tuple or seven-tuple information of a packet also includes a source IP address, a destination IP address, a source port and a destination port. In one embodiment of the present application, the IP address to be detected and the port to be detected can therefore be determined in one of the following two ways.
First way: the destination IP address carried by each packet is taken as the IP address to be detected, and the destination port carried by each packet is taken as the port to be detected.
Second way: the source IP address carried by each packet is taken as the IP address to be detected, and the source port carried by each packet is taken as the port to be detected.
In a concrete application, either of the two ways can be chosen as the case requires to determine the IP address to be detected and the port to be detected.
S103: count, among the second address-port pairs that establish a connection with the first address-port pair, the first quantity of different IP addresses and the second quantity of different ports.
In the embodiments of the present application, an information pair composed of one IP address and one port is called an address-port pair.
The first address-port pair is the information pair composed of the IP address to be detected and the port to be detected.
When two devices establish a connection, the connection is established on the basis of IP addresses and ports, which can also be understood as being established on the basis of two address-port pairs. On this basis, the address-port pairs that establish a connection with the first address-port pair, which contains the IP address to be detected and the port to be detected, are the second address-port pairs.
To obtain the first quantity, the number of different IP addresses in the second address-port pairs can be counted. Similarly, to obtain the second quantity, the number of different ports in the second address-port pairs can be counted.
Specifically, to count the different IP addresses in the second address-port pairs, the first quantity can start at 0 and the IP address in each second address-port pair can be checked one by one; if the IP address in the pair being checked differs from the IP addresses in the second address-port pairs already checked, the first quantity is increased by 1.
To count the different ports in the second address-port pairs, the second quantity can start at 0 and the port in each second address-port pair can be checked one by one; if the port in the pair being checked differs from the ports in the second address-port pairs already checked, the second quantity is increased by 1.
S104: when the difference between the first quantity and the second quantity is less than the preset quantity threshold, identify the network data flow as P2P traffic.
This is explained below with reference to Fig. 2a to Fig. 2c, which show the process by which a host in a P2P network joins the network and establishes connections.
As in Fig. 2a, host A connects to a super node and sends it a packet carrying its local IP address A and the port A used for communication; this packet is called a login packet. As in Fig. 2b, after the super node receives the login packet carrying host A's IP address A and port A, it broadcasts in the P2P network a packet of a preset format carrying IP address A and port A. After host B and host C receive the packet broadcast by the super node, they can obtain IP address A and port A from it. As in Fig. 2c, if host B in the P2P network needs to establish a connection with host A, it sends host A a connection request carrying its own IP address B and port B, and host A responds to the connection request, establishing a connection with host B. The connection can be established in the way traditional network connections are established, for example the traditional TCP connection establishment process or UDP connection establishment process. After hosts A and B have established a connection, when host B sends a service packet to host A, the service packet has IP address B as its source IP address and port B as its source port, and IP address A as its destination IP address and port A as its destination port. If host C in the P2P network needs to establish a connection with host A, it sends host A a connection request carrying its own IP address C and port C. Host A responds to the connection request, establishing a connection with host C. After hosts A and C have established a connection, when host C sends a service packet to host A, the service packet has IP address C as its source IP address and port C as its source port, and IP address A as its destination IP address and port A as its destination port.
The packet of the preset format can be a packet defined according to the preset application scenario. For example, the packet of the preset format may include: protocol version information, protocol identification information, reserved bits, check information, IP address A and port A, and so on.
From the above it can be seen that, after each host in a P2P network has established connections with other hosts, the number of IP addresses and the number of ports in the second address-port pairs, that is, those of the other hosts that establish connections with the host, are essentially the same.
The super node is a node in the P2P network that has large bandwidth and high computing performance.
In services such as Web, by contrast, each host first connects to the first device to which the IP address in a specified address-port pair belongs, in order to obtain the Web service. To improve download speed, a host often establishes multiple connections and downloads data in parallel; that is, one host may use the same IP address and different ports to establish connections with the first device to which the IP address in the specified address-port pair belongs. In this case the number of IP addresses and the number of ports that establish connections with the first device differ and are no longer the same.
For these reasons, the network data flow can be considered P2P traffic when the difference between the first quantity and the second quantity is small, and can be considered not to be P2P traffic when the difference between the first quantity and the second quantity is large.
Specifically, the difference between the first quantity and the second quantity can be understood as the absolute value of the first quantity minus the second quantity.
For example, the preset quantity threshold can be 8, 9, 10, etc.
In one embodiment of the present application, after the port to be detected is determined, it can also be judged whether the port to be detected is a port in a preset port list; if not, S103 is executed.
Specifically, the preset port list records port numbers. For example, the port numbers recorded in the port list can be ports that the user has decided, according to actual needs, do not have to be identified; that is, the port numbers recorded in the port list are not port numbers used by P2P applications and should be excluded when the method provided by the embodiments of the present application is used to identify P2P traffic. When the port to be detected is found to belong to the port list, the network data flow can be considered not to be P2P traffic. When the port to be detected is found not to belong to the port list, the network data flow may be a P2P network data flow, so it can be examined further by the subsequent S103 and later steps.
In one embodiment of the present application, when the port to be detected is not a port in the preset port list, it is judged whether the port to be detected is a port used by a known service; if not, S103 is executed.
Specifically, the known services may include: NETBIOS (Network Basic Input/Output System), DNS (Domain Name System), NTP (Network Time Protocol), ISAKMP (Internet Security Association and Key Management Protocol), Streaming (streaming media), IRC (Internet Relay Chat), etc. In this case, a correspondence between each known service and the ports it uses can be established in advance, and whether the port to be detected is a port used by a known service is then judged according to that correspondence.
For example, the ports used by NETBIOS are 135, 137, 139 and 445; the port used by DNS is 53; the port used by NTP is 123; the port used by ISAKMP is 500; the ports used by Streaming are 554, 7070, 1755, 6970, 5000 and 5001; and the ports used by IRC are 7000, 7514 and 6667, etc.
When the port to be detected is found to be a port used by a known service, the network data flow can be considered not to be P2P traffic. When the port to be detected is found not to be a port used by a known service, the network data flow may be P2P traffic, and in that case it can be further judged whether the network data flow is P2P traffic.
Because the preset port list and the ports used by known services are known information, these two checks can first filter out part of the network data flows that are not P2P traffic, which simplifies the identification process and speeds up the identification of network data flows.
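The following sketch walks S101 to S104 and the two port filters over a small constructed window of packet records. It is an added example, not code from the patent or its applicant; the Packet record, the function names, the sample addresses and the choice to treat all packets of a window that share one destination address-port pair as one network data flow (first way of S102) are assumptions.

```python
from collections import defaultdict, namedtuple

# One record per packet: protocol plus the address/port fields of its five-tuple.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")

# Ports of the known services listed in the description.
KNOWN_SERVICE_PORTS = frozenset({
    135, 137, 139, 445,                  # NETBIOS
    53,                                  # DNS
    123,                                 # NTP
    500,                                 # ISAKMP
    554, 7070, 1755, 6970, 5000, 5001,   # Streaming
    7000, 7514, 6667,                    # IRC
})


def split_by_destination(packets):
    """Assumption: one data flow = packets of the window sharing a destination pair."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p.dst_ip, p.dst_port)].append(p)
    return dict(flows)


def identify(packets, threshold=10, preset_ports=frozenset()):
    """Apply S101-S104 and both port filters to one flow; return a verdict dict."""
    verdict = {"p2p": False, "reason": "", "n_ip": 0, "n_port": 0}

    # S101: the flow must carry both TCP and UDP protocol information.
    if not {"TCP", "UDP"} <= {p.proto for p in packets}:
        verdict["reason"] = "S101: TCP and UDP not both present"
        return verdict

    # S102 (first way): the destination port is the port to be detected.
    port = packets[0].dst_port

    # Optional filters: preset port list first, then known-service ports.
    if port in preset_ports:
        verdict["reason"] = "filter: port is in the preset port list"
        return verdict
    if port in KNOWN_SERVICE_PORTS:
        verdict["reason"] = "filter: port is used by a known service"
        return verdict

    # S103: the peers (sources) are the second address-port pairs; count the
    # different IP addresses (first quantity) and different ports (second quantity).
    verdict["n_ip"] = len({p.src_ip for p in packets})
    verdict["n_port"] = len({p.src_port for p in packets})

    # S104: P2P only if the absolute difference is below the threshold.
    diff = abs(verdict["n_ip"] - verdict["n_port"])
    verdict["p2p"] = diff < threshold
    verdict["reason"] = f"S104: difference {diff}, threshold {threshold}"
    return verdict


def constructed_window():
    """Constructed sample packets (documentation address ranges), not captured data."""
    pkts = []
    # P2P-like: 30 peers, one source port each, TCP and UDP mixed.
    for i in range(1, 31):
        pkts.append(Packet("TCP" if i % 2 else "UDP",
                           f"198.51.100.{i}", 20000 + i, "192.0.2.10", 40000))
    # Web-like: 3 clients, 20 parallel connections each from different ports.
    for c in range(1, 4):
        for j in range(20):
            pkts.append(Packet("UDP" if j % 5 == 0 else "TCP",
                               f"203.0.113.{c}", 50000 + c * 100 + j,
                               "192.0.2.80", 8080))
    for i in range(1, 13):
        # TCP only: stops at S101.
        pkts.append(Packet("TCP", f"198.51.100.{100 + i}", 30000 + i,
                           "192.0.2.20", 41000))
        # Port 53 with TCP and UDP: stops at the known-service filter.
        pkts.append(Packet("TCP" if i % 2 else "UDP",
                           f"198.51.100.{200 + i}", 35000 + i, "192.0.2.53", 53))
    return pkts


def run_sample():
    flows = split_by_destination(constructed_window())
    return {pair: identify(flow) for pair, flow in flows.items()}


if __name__ == "__main__":
    for pair, v in run_sample().items():
        print(pair, v)
```

Because S104 compares only the difference of the two counts, a flow with very few peers also passes it; the TCP-and-UDP check and the port filters are what keep such flows out in this sketch.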
As can be seen from the above, when traffic is identified with the scheme provided by the above embodiments, and the protocol information carried by the packets belonging to the same network data flow includes both TCP protocol information and UDP protocol information, the IP address to be detected and the port to be detected are determined from the IP addresses and ports carried by the packets. The scheme then obtains the first quantity of IP addresses and the second quantity of ports that establish a connection with the address-port pair made up of the IP address to be detected and the port to be detected, and identifies the network data flow as P2P traffic only when the difference between the first quantity and the second quantity is less than the preset quantity threshold. The scheme therefore considers not only the ports carried by the packets of the network data flow but also the protocol information and IP addresses they carry, and decides whether the flow is P2P traffic by analysing these kinds of information together. Compared with the prior art, which considers ports alone, it uses richer information, which helps improve the accuracy of network data flow identification.
In addition, in the prior art, especially when the network protocol on which a network data flow is based is unknown, P2P traffic can also be identified by analysing the application-layer payload in the network data flow. In the scheme provided by the above embodiments, traffic is identified using the protocol information, IP addresses and ports carried by the packets of the network data flow. Even when the network protocol on which the flow is based is unknown, this protocol information and these IP addresses and ports can still be obtained, so P2P traffic can be identified without analysing the application-layer payload, which improves identification efficiency.
Furthermore, even if P2P traffic is hidden in network data flows such as HTTP, Mail, DNS (Domain Name System) and online games, the protocol information, IP addresses and ports carried by the packets of the network data flow can still be obtained from it, and the P2P traffic hidden in it can then be detected, which improves the accuracy of P2P traffic identification.
Identifying P2P traffic hidden in an HTTP network data flow is taken as an example below.
Assume that host A can communicate with each of the other hosts B in the network, and that both an HTTP access service and a P2P service exist between them. This situation can be described as P2P traffic hidden in an HTTP network data flow.
In this situation, the judgment finds that the protocol information carried by some packets of the network data flow is TCP protocol information and that carried by other packets is UDP protocol information. Assume that the IP address to be detected and the port to be detected, determined from the IP addresses and ports carried by the packets, are IP_t and port_t respectively. The first quantity of IP addresses and the second quantity of ports in the second address-port pairs that establish a connection with the first address-port pair made up of IP_t and port_t are counted. If the difference between the first quantity and the second quantity is found to be greater than 10, the network data flow can be considered not to be P2P traffic; otherwise the network data flow is considered to be P2P traffic. In this way the P2P traffic hidden in the HTTP network data flow is identified.
In summary, when traffic is identified with the scheme provided by the above embodiments, P2P traffic can be identified not only in network data flows whose underlying network protocol is unknown but also when it is hidden in network data flows such as HTTP, Mail, DNS and online games. The scheme provided by the above embodiments therefore has good scalability when identifying P2P traffic.
Corresponding with above-mentioned method for recognizing flux, the embodiment of the present application provides a kind of flow identification device.
Fig. 3 is a kind of structural schematic diagram of flow identification device provided by the embodiments of the present application, which includes:
Signal judgement module 301, for whether judging in protocol information that each message of network data flow carries comprising TCP Protocol information and udp protocol information;If it is, triggering information determination module 302;
The information determination module 302, IP address and port for being carried according to each message, determines IP to be detected Address and port to be detected;
Quantity statistics module 303, for counting with the first address port to establishing the second address port centering of connection not With the first quantity of IP address and the second quantity of different port, wherein first address port is to for by described to be checked Survey the information pair of IP address and port to be detected composition;
Traffic identification module 304 is less than preset quantity threshold for the difference between first quantity and the second quantity In the case where value, the network data flow is identified as point-to-point P2P flow.
In one embodiment of the application, the information determination module 302 is specifically used for:
The purpose IP address that each message carries is determined as IP address to be detected, and the mesh that each message is carried Port be determined as port to be detected;Or
The source IP address that each message carries is determined as IP address to be detected, and the source that each message is carried Mouth is determined as port to be detected.
In one embodiment of the application, described device further include:
First port judgment module, for judging institute after the information determination module determines the port to be detected State whether port to be detected is the port preset in port list;If it has not, triggering the quantity obtains module.
In one embodiment of the application, described device further include:
Second port judgment module, for not being the feelings of port in the default port list in the port to be detected Under condition, judge whether the port to be detected is port used by known business;If it has not, triggering the quantity obtains mould Block.
As can be seen from the above, when traffic identification is performed using the schemes provided by the above embodiments, and the protocol information carried by the messages of the network data flow includes TCP protocol information and UDP protocol information, the IP address to be detected and the port to be detected are determined according to the IP address and port carried by each message; a first quantity of IP addresses and a second quantity of ports that have established connections with the address-port pair formed by the IP address to be detected and the port to be detected are counted; and the network data flow is identified as P2P traffic only when the difference between the first quantity and the second quantity is less than the preset quantity threshold. Traffic identification with these schemes therefore refers not only to the ports carried by the messages in the network data flow but also to the protocol information and IP addresses those messages carry, and decides whether the network data flow is P2P traffic through a combined analysis of several kinds of information. Compared with the prior art, which considers ports alone, more information is used, which helps improve the accuracy of network data flow identification.
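The identification steps summarized above, written out as an added Python example (not code from the patent). The packet records and addresses are constructed; the threshold of 2, the use of the absolute difference, the per-endpoint verdict and the "skipped" result for ports on either list are assumptions of the example.

```python
from collections import defaultdict

def sample_packets():
    """Constructed records: (proto, src_ip, src_port, dst_ip, dst_port)."""
    pkts = []
    for i in range(1, 9):   # 8 peers, one connection each, to 192.0.2.10:51413
        pkts.append(("TCP" if i % 2 else "UDP",
                     f"198.51.100.{i}", 40000 + i, "192.0.2.10", 51413))
    for i in range(8):      # 2 clients, 4 connections each, to 192.0.2.20:8443
        pkts.append(("TCP" if i % 2 else "UDP",
                     f"203.0.113.{1 + i % 2}", 50000 + i, "192.0.2.20", 8443))
    for i in range(1, 6):   # 5 clients, one query each, to 192.0.2.53:53
        pkts.append(("UDP", f"198.51.100.{100 + i}", 30000 + i, "192.0.2.53", 53))
    return pkts

def identify(packets, threshold, use_destination=True,
             preset_ports=frozenset(), known_service_ports=frozenset()):
    """Return {(ip, port): verdict} for each address-port pair to be detected."""
    # Step 1: the messages must carry both TCP and UDP protocol information.
    if not {"TCP", "UDP"} <= {p[0] for p in packets}:
        return {}
    # Step 2: the destination (or source) IP and port form the first
    # address-port pair; the other end of the message is a second pair.
    remote_ips, remote_ports = defaultdict(set), defaultdict(set)
    for _proto, sip, sport, dip, dport in packets:
        if use_destination:
            first, second = (dip, dport), (sip, sport)
        else:
            first, second = (sip, sport), (dip, dport)
        remote_ips[first].add(second[0])
        remote_ports[first].add(second[1])
    verdicts = {}
    for first in remote_ips:
        # Port checks: counting runs only for ports on neither list.
        if first[1] in preset_ports or first[1] in known_service_ports:
            verdicts[first] = "skipped"
            continue
        # Steps 3-4: first quantity = distinct IPs, second = distinct ports.
        diff = abs(len(remote_ips[first]) - len(remote_ports[first]))
        verdicts[first] = "p2p" if diff < threshold else "not-p2p"
    return verdicts

if __name__ == "__main__":
    result = identify(sample_packets(), threshold=2, known_service_ports={53})
    for pair, verdict in result.items():
        print(pair, verdict)
```

Without `known_service_ports={53}`, the constructed DNS endpoint (five clients, five source ports) also satisfies the count test and is labelled `p2p`.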
Corresponding to the above traffic identification method, an embodiment of the application also provides an electronic device.
Fig. 4 is a schematic structural diagram of an electronic device provided by an embodiment of the application. The electronic device includes a processor 401 and a machine-readable storage medium 402. The machine-readable storage medium 402 stores machine-executable instructions that can be executed by the processor 401, and the machine-executable instructions cause the processor 401 to implement the steps of the traffic identification method described in the embodiments of the application.
In one embodiment of the application, a traffic identification method is provided, the method comprising:
judging whether the protocol information carried by the messages of a network data flow includes TCP protocol information and UDP protocol information;
if so, determining an IP address to be detected and a port to be detected according to the IP address and port carried by each message;
counting, among the second address-port pairs that have established connections with a first address-port pair, a first quantity of distinct IP addresses and a second quantity of distinct ports, where the first address-port pair is the information pair formed by the IP address to be detected and the port to be detected;
identifying the network data flow as peer-to-peer (P2P) traffic when the difference between the first quantity and the second quantity is less than a preset quantity threshold.
It should be noted that the other embodiments of the traffic identification method that the machine-executable instructions cause the processor 401 to implement are the same as the embodiments described in the method embodiment section above, and are not repeated here.
As can be seen from the above, traffic identification with the electronic device provided by this embodiment refers not only to the ports carried by the messages in the network data flow but also to the protocol information and IP addresses those messages carry, and decides whether the network data flow is P2P traffic through a combined analysis of several kinds of information. Compared with the prior art, which considers ports alone, more information is used, which helps improve the accuracy of network data flow identification.
Corresponding to the above traffic identification method, an embodiment of the application also provides a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the steps of the traffic identification method described in the embodiments of the application.
In one embodiment of the application, a traffic identification method is provided, the method comprising:
judging whether the protocol information carried by the messages of a network data flow includes TCP protocol information and UDP protocol information;
if so, determining an IP address to be detected and a port to be detected according to the IP address and port carried by each message;
counting, among the second address-port pairs that have established connections with a first address-port pair, a first quantity of distinct IP addresses and a second quantity of distinct ports, where the first address-port pair is the information pair formed by the IP address to be detected and the port to be detected;
identifying the network data flow as peer-to-peer (P2P) traffic when the difference between the first quantity and the second quantity is less than a preset quantity threshold.
It should be noted that the other embodiments of the traffic identification method that the machine-executable instructions cause the processor to implement are the same as the embodiments described in the method embodiment section above, and are not repeated here.
As can be seen from the above, traffic identification performed by executing the machine-executable instructions stored in the machine-readable storage medium provided by this embodiment refers not only to the ports carried by the messages in the network data flow but also to the protocol information and IP addresses those messages carry, and decides whether the network data flow is P2P traffic through a combined analysis of several kinds of information. Compared with the prior art, which considers ports alone, more information is used, which helps improve the accuracy of network data flow identification.
It should be noted that the above machine-readable storage medium may include random access memory (Random Access Memory, RAM), and may also include non-volatile memory (Non-Volatile Memory, NVM), for example at least one disk storage. Optionally, the machine-readable storage medium may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP) and the like; it may also be a digital signal processor (Digital Signal Processing, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any variants of them are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; for the parts that are the same or similar across embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, because the device, electronic device and machine-readable storage medium embodiments are substantially similar to the method embodiments, they are described relatively briefly; for the relevant parts, refer to the description of the method embodiments.
The foregoing describes only preferred embodiments of the application and is not intended to limit the protection scope of the application. Any modification, equivalent replacement or improvement made within the spirit and principles of the application falls within the protection scope of the application.

Claims (10)

1. A traffic identification method, characterized in that the method comprises:
judging whether the protocol information carried by the messages of a network data flow includes TCP protocol information and UDP protocol information;
if so, determining an IP address to be detected and a port to be detected according to the IP address and port carried by each message;
counting, among the second address-port pairs that have established connections with a first address-port pair, a first quantity of distinct IP addresses and a second quantity of distinct ports, wherein the first address-port pair is the information pair formed by the IP address to be detected and the port to be detected;
identifying the network data flow as peer-to-peer (P2P) traffic when the difference between the first quantity and the second quantity is less than a preset quantity threshold.
2. The method according to claim 1, characterized in that determining the IP address to be detected and the port to be detected according to the IP address and port carried by each message comprises:
determining the destination IP address carried by each message as the IP address to be detected, and the destination port carried by each message as the port to be detected; or
determining the source IP address carried by each message as the IP address to be detected, and the source port carried by each message as the port to be detected.
3. The method according to claim 1 or 2, characterized in that, after the port to be detected is determined, the method further comprises:
judging whether the port to be detected is a port in a preset port list;
if not, performing the step of obtaining the first quantity of distinct IP addresses and the second quantity of distinct ports among the address-port pairs that have established connections with the first address-port pair.
4. The method according to claim 1 or 2, characterized in that the method further comprises:
when the port to be detected is not a port in the preset port list, judging whether the port to be detected is a port used by a known service;
if not, performing the step of obtaining the first quantity of distinct IP addresses and the second quantity of distinct ports among the address-port pairs that have established connections with the first address-port pair.
5. A traffic identification device, characterized in that the device comprises:
a signal judgment module, configured to judge whether the protocol information carried by the messages of a network data flow includes TCP protocol information and UDP protocol information, and if so, to trigger an information determination module;
the information determination module, configured to determine an IP address to be detected and a port to be detected according to the IP address and port carried by each message;
a quantity statistics module, configured to count, among the second address-port pairs that have established connections with a first address-port pair, a first quantity of distinct IP addresses and a second quantity of distinct ports, wherein the first address-port pair is the information pair formed by the IP address to be detected and the port to be detected;
a traffic identification module, configured to identify the network data flow as peer-to-peer (P2P) traffic when the difference between the first quantity and the second quantity is less than a preset quantity threshold.
6. The device according to claim 5, characterized in that the information determination module is specifically configured to:
determine the destination IP address carried by each message as the IP address to be detected, and the destination port carried by each message as the port to be detected; or
determine the source IP address carried by each message as the IP address to be detected, and the source port carried by each message as the port to be detected.
7. The device according to claim 5 or 6, characterized in that the device further comprises:
a first port judgment module, configured to judge, after the information determination module determines the port to be detected, whether the port to be detected is a port in a preset port list, and if not, to trigger the quantity obtaining module.
8. The device according to claim 5 or 6, characterized in that the device further comprises:
a second port judgment module, configured to judge, when the port to be detected is not a port in the preset port list, whether the port to be detected is a port used by a known service, and if not, to trigger the quantity obtaining module.
9. An electronic device, characterized by comprising a processor and a machine-readable storage medium, wherein the machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the machine-executable instructions cause the processor to implement the method steps of any one of claims 1-4.
10. A machine-readable storage medium, characterized in that it stores machine-executable instructions which, when called and executed by a processor, cause the processor to implement the method steps of any one of claims 1-4.
CN201910388947.7A 2019-05-10 2019-05-10 A kind of method for recognizing flux and device Withdrawn CN110138682A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910388947.7A CN110138682A (en) 2019-05-10 2019-05-10 A kind of method for recognizing flux and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910388947.7A CN110138682A (en) 2019-05-10 2019-05-10 A kind of method for recognizing flux and device

Publications (1)

Publication Number Publication Date
CN110138682A true CN110138682A (en) 2019-08-16

Family

ID=67573285

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910388947.7A Withdrawn CN110138682A (en) 2019-05-10 2019-05-10 A kind of method for recognizing flux and device

Country Status (1)

Country Link
CN (1) CN110138682A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111988239A (en) * 2020-08-21 2020-11-24 哈尔滨工业大学 Method for acquiring pure software flow for Android application
CN112751835A (en) * 2020-12-23 2021-05-04 石溪信息科技(上海)有限公司 Traffic early warning method, system, equipment and storage device

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111988239A (en) * 2020-08-21 2020-11-24 哈尔滨工业大学 Method for acquiring pure software flow for Android application
CN112751835A (en) * 2020-12-23 2021-05-04 石溪信息科技(上海)有限公司 Traffic early warning method, system, equipment and storage device
CN112751835B (en) * 2020-12-23 2023-05-02 石溪信息科技(上海)有限公司 Flow early warning method, system, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN1937541B (en) Network performance test method
US7596096B2 (en) Method and apparatus for providing trace route and timing information for media streams
TW536890B (en) Scalable real-time quality of service monitoring and analysis of service dependent subscriber satisfaction in IP networks
CN107404408B (en) Virtual identity association identification method and device
US7583604B2 (en) Probe for measuring quality-of-service parameters in a telecommunication network
JP5053445B2 (en) Inbound mechanism to check end-to-end service configuration using application awareness
CN109889547A (en) A kind of detection method and device of abnormal network equipment
CN115695248A (en) Method and device for processing multicast message
JP5405498B2 (en) Inbound mechanism for monitoring end-to-end QOE of services using application awareness
CN104869155B (en) Data Audit method and device
WO2014177023A1 (en) Method and device for determining service type
Mazhar Rathore et al. Exploiting encrypted and tunneled multimedia calls in high-speed big data environment
CN103718508A (en) Advanced determination, processing and control in communication networks
CN110138682A (en) A kind of method for recognizing flux and device
Pekar et al. Towards threshold‐agnostic heavy‐hitter classification
CN101854366B (en) Peer-to-peer network flow-rate identification method and device
CN112019393B (en) Method and device for determining time delay
CN104253712B (en) A kind of method that P2P Network Recognitions are carried out using deep packet inspection technical
CN114285769B (en) Shared internet surfing detection method, device, equipment and storage medium
CN114189480B (en) Flow sampling method, device, electronic equipment and medium
JP4871775B2 (en) Statistical information collection device
Hark et al. Monitoring flows with per-application granularity using programmable data planes
CN110049147A (en) A kind of NAT aft engine quantity detection method
Rathore Threshold-based generic scheme for encrypted and tunneled Voice Flows Detection over IP Networks
Tung et al. VoIP packets filtering for mobile instant messaging using N-gram models

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20190816