CN110908798B - Multi-process cooperative network traffic analysis method and device - Google Patents
- Publication number
- CN110908798B (CN201911089657.9A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/50—Allocation of resources, e.g. of the central processing unit [CPU]
- G06F9/5005—Allocation of resources, e.g. of the central processing unit [CPU] to service a request
- G06F9/5027—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogram communication
- G06F9/546—Message passing systems or structures, e.g. queues
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/08—Protocols for interworking; Protocol conversion
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2209/00—Indexing scheme relating to G06F9/00
- G06F2209/54—Indexing scheme relating to G06F9/54
- G06F2209/548—Queue
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a multi-process cooperative network traffic analysis method, comprising the following steps: a main traffic audit engine process (the main TAA process) creates a specified number of sub TAA processes for processing network traffic; an inter-process communication link is set up between each sub TAA process and the main TAA process, and each sub TAA process shares a global structure with the main TAA process, the members of which include a queue storing the traffic files distributed to that sub TAA process and a count identifier; for each traffic file, the count identifier is incremented by one each time a message of the traffic file is parsed; and the main TAA process distributes the traffic files saved by the acquisition process to the sub TAA processes in sequence, the traffic files distributed to each sub TAA process being inserted into that process's queue in order. The invention also relates to a multi-process cooperative network traffic analysis device. The method and the device effectively improve the data parsing rate and reduce the packet loss rate.
Description
Technical Field
The present invention relates to the field of network traffic analysis, and in particular, to a method and an apparatus for analyzing multi-process cooperative network traffic.
Background
Network traffic analysis is the collection of network traffic followed by its parsing and auditing: the traffic is captured by a network card and passed to the application layer for parsing, which finally yields the application-layer data. For example, Wireshark parses Modbus traffic as follows:
1. The network card captures the traffic (messages, i.e. raw traffic messages);
2. The frame, Ethernet, IP, TCP, Modbus and other data of each message are parsed in order from the lowest layer to the highest according to the OSI model;
3. The result is output.
In this procedure, collection is performed by one process on its own and parsing (including output) is the responsibility of another process; this is the mode commonly adopted at present across the market and academia. The approach is simple and easy to understand and follows a one-to-one producer-consumer model.
However, while this approach works well when network traffic is not too heavy, under the impact of heavy traffic it causes serious packet loss, and the packet loss rate is positively correlated with the traffic volume. Once the traffic reaches a certain level, the message processing capacity saturates, and the additional load from any further increase in traffic is almost entirely dropped. Observed at that moment, the utilization of a single CPU reaches about 100 percent while overall CPU capacity remains relatively plentiful. The system environment used was: Intel(R) Core(TM) i7-3555LE CPU @ 2.50GHz, memory: 16G, with the traffic analysis platform using the traffic audit engine TAA. Analysis shows that during message processing one core struggles while the other cores stand by idle. When network traffic decreases, system CPU utilization falls from 100% and the packet loss rate falls with it. The performance of a single CPU core is therefore the most direct factor affecting message parsing.
Disclosure of Invention
To solve the above problems, the present invention provides a multi-process cooperative network traffic analysis method and device. When network traffic is heavy, multiple messages are cached and written to a file in batches, which reduces the frequency of system I/O operations and, to some extent, system CPU usage. More importantly, as many processes as there are system CPU cores are created to process the network traffic cooperatively and concurrently, which improves message parsing performance and avoids serious packet loss under the impact of heavy traffic.
According to one aspect of the present invention, there is provided a multi-process cooperative network traffic analysis method, the method including:
a main traffic audit engine process (the main TAA process) creates a specified number of sub TAA processes for processing network traffic;
an inter-process communication link is set up between each sub TAA process and the main TAA process; each sub TAA process shares a global structure with the main TAA process, the members of which include a queue storing the traffic files distributed to that sub TAA process and a count identifier; for each traffic file, the count identifier is incremented by one each time a message of the traffic file is parsed;
the main TAA process distributes the traffic files saved by the acquisition process to the sub TAA processes in sequence; for each sub TAA process, the distributed traffic files are inserted into that process's traffic file queue in order, and the position of the first file in the queue is given as the position from which the sub TAA process starts reading traffic files;
after a sub TAA process finishes parsing a traffic file, the traffic file is removed from that process's queue and the count identifier is reset to zero;
wherein the main TAA process creating a specified number of sub TAA processes for processing network traffic comprises: if the number of sub TAA processes is not specified, the main TAA process automatically detects the number of system CPU cores and uses that number as the specified number.
According to another aspect of the present invention, there is provided a multi-process collaborative network traffic analysis apparatus for a main traffic audit engine process, i.e., a main TAA process, the apparatus including:
a first creation module for creating a specified number of sub TAA processes for processing network traffic;
a link setting module, configured to set up an inter-process communication link between each sub TAA process and the main TAA process, where each sub TAA process shares a global structure with the main TAA process, the members of which include a queue storing the traffic files distributed to that sub TAA process and a count identifier, and where, for each traffic file, the count identifier is incremented by one each time a message of the traffic file is parsed;
a file distribution module, configured to distribute the traffic files saved by the acquisition process to the sub TAA processes in sequence, to insert, for each sub TAA process, the distributed traffic files into that process's traffic file queue in order, and to give the position of the first file in the queue as the position from which the sub TAA process starts reading traffic files;
after a sub TAA process finishes parsing a traffic file, the traffic file is removed from that process's queue and the count identifier is reset to zero;
wherein creating a specified number of sub TAA processes for processing network traffic comprises: if the number of sub TAA processes is not specified, the number of system CPU cores is detected automatically and used as the specified number.
In addition, a message is a data unit exchanged and transmitted in the network, that is, the block of data that a station sends at one time.
A message contains the complete data to be sent; messages vary greatly in length, and the length is unlimited and variable. The message is also a unit of network transmission; during transmission it is successively encapsulated into packets and frames, where encapsulation means adding information sections, namely a message header whose data is organized in a fixed format. For example, a message contains the message type, message version, message length, message body, and so on.
Messages are mostly used where several systems need to communicate, such as a bank's ESB system, a gateway system and the UnionPay system. The message in between carries and transports the data; the message formats in the three systems may differ from one another, but the data the messages carry is the same. Message authentication methods include authentication by conventional encryption, keyed message authentication codes, authentication using a one-way hash function, and digital signatures. When a station wants to send a message, it attaches a destination address to the message; each network node sends the message on to the next node according to the destination address on the message, so that it is forwarded node by node to the destination. Each node receives the whole message, checks it and stores it temporarily, then uses the routing information to find the address of the next node and transmits the whole message to that node.
When the message is adopted for network data transmission, the method has the following advantages:
(1) The circuit utilization rate is high; because many messages can share the channel between two nodes in a time-sharing manner, the requirement on the transmission capability of a circuit is lower for the same communication traffic;
(2) On a circuit switched network, when the traffic becomes large, new calls cannot be accepted; on the message switching network, the message can still be received when the communication volume is large, but the transmission delay is increased;
(3) A message switch can send a message to multiple destinations, which is difficult to do by circuit-switched networks;
(4) The packet-switched network can perform speed and code conversion.
It can be seen that the present invention has at least two important aspects:
(1) For the parsing process that handles network traffic, multi-core resources are fully utilized: as many processes as there are system CPU cores are created to process the network traffic cooperatively and in parallel, which avoids the situation where one core struggles while the other cores stand by idle during message processing and raises the message processing capacity to several times the original;
(2) When network traffic is heavy, multiple messages are cached and written to the file in batches, which reduces the frequency of system I/O operations and the number of system calls; when network traffic is relatively light, messages are written to the file in real time, which keeps message processing real-time.
Drawings
Embodiments of the invention will now be described with reference to the accompanying drawings, in which:
Fig. 1 is a flowchart illustrating a multi-process collaborative network traffic parsing method according to an embodiment of the present invention.
Fig. 2 is a flowchart illustrating another step of a multi-process collaborative network traffic parsing method according to an embodiment of the present invention.
Fig. 3 is a flowchart illustrating another step of a multi-process collaborative network traffic parsing method according to an embodiment of the present invention.
Fig. 4 is a block diagram illustrating an architecture of a multi-process cooperative network traffic analyzing apparatus according to an embodiment of the present invention.
Fig. 5 is a block diagram illustrating another structure of a multi-process cooperative network traffic analyzing apparatus according to an embodiment of the present invention.
Fig. 6 is a block diagram illustrating another structure of a multi-process cooperative network traffic analyzing apparatus according to an embodiment of the present invention.
Detailed Description
Embodiments of a method and an apparatus for multi-process collaborative network traffic analysis according to the present invention will be described in detail below with reference to the accompanying drawings.
In the prior art, when network traffic analysis is performed, an acquisition process, an analysis process, and a message playing process are created in a system to sequentially complete acquisition of network data and message analysis operations.
A system for performing network traffic analysis generally adopts a multi-core, i.e., multi-CPU, hardware environment.
In actual operation, the experimental data for the acquisition process are shown in Table 1.
TABLE 1
As can be seen from Table 1, the acquisition process can easily cope even in the face of an impact exceeding 40 MB/s. For industrial applications, the capability of one CPU core basically meets the needs of most scenarios.
In actual operation, the experimental data for the parsing process are shown in Table 2.
Player pps (frames) | Traffic (MB/s) | Single-CPU usage (%) | Total CPU idle (%) | Actual processed pps (frames) |
2000 | 1.84 | 61.8-73.1 | 55.0 | ~2000 |
4000 | 3.60 | 97.3-100.0 | 49.0 | ~3030 |
8000 | 7.13 | 99.7-101.0 | 48.7 | ~3030 |
15000 | 13.37 | 100.0-100.7 | 48.0 | ~3030 |
TABLE 2
As Table 2 shows, once pps reaches a certain level, raising it further does not raise the actual processed pps: the single-core CPU utilization has reached its limit while the total CPU idle figure remains essentially unchanged. This indicates that, once the performance of a single CPU core is exhausted, processing capacity cannot be increased even if the traffic increases. Moreover, in a real-time system, traffic that cannot be processed in real time is discarded, which inevitably puts the message processing rate, or the packet loss rate, under severe strain. Since the total idle CPU capacity is still considerable, it follows that if every CPU could be fully utilized, the parsing rate could be raised to a better level and packet loss reduced.
Based on the above analysis, there are two ways to increase the message parsing rate. The first is to improve the single-core performance of the CPU; however, given how modern CPUs are developing, the prospects for single-core gains are not optimistic, and both Intel and AMD are moving toward stacking more cores to improve overall CPU performance. The second is to take full advantage of multiple cores by distributing the most CPU-intensive parsing steps across several CPU cores, while reducing CPU usage by other means, such as lowering the frequency of I/O. The first way is therefore difficult to realize, and the packet loss problem in the parsing process can only be solved by the second; however, the prior art provides no specific solution corresponding to the second way.
To overcome the above defects, the present invention provides a multi-process cooperative network traffic analysis method and device that effectively solve the corresponding technical problems.
Fig. 1 is a flowchart illustrating a multi-process collaborative network traffic parsing method according to an embodiment of the present invention, the method including:
a main traffic audit engine process (the main TAA process) creates a specified number of sub TAA processes for processing network traffic;
an inter-process communication link is set up between each sub TAA process and the main TAA process; each sub TAA process shares a global structure with the main TAA process, the members of which include a queue storing the traffic files distributed to that sub TAA process and a count identifier; for each traffic file, the count identifier is incremented by one each time a message of the traffic file is parsed;
the main TAA process distributes the traffic files saved by the acquisition process to the sub TAA processes in sequence; for each sub TAA process, the distributed traffic files are inserted into that process's traffic file queue in order, and the position of the first file in the queue is given as the position from which the sub TAA process starts reading traffic files;
after a sub TAA process finishes parsing a traffic file, the traffic file is removed from that process's queue and the count identifier is reset to zero;
wherein the main TAA process creating a specified number of sub TAA processes for processing network traffic comprises: if the number of sub TAA processes is not specified, the main TAA process automatically detects the number of system CPU cores and uses that number as the specified number.
Next, the specific steps of the multi-process cooperative network traffic analysis method of the present invention will be further described.
Fig. 2 is a flowchart illustrating another step of a multi-process collaborative network traffic parsing method according to an embodiment of the present invention.
As shown in fig. 2, after the main TAA process sequentially distributes the traffic files stored in the acquisition process to the sub-TAA processes, the multi-process collaborative network traffic analysis method may further include:
the main TAA process monitors the running state of the sub TAA processes at all times; when a sub TAA process crashes, the main TAA process either hands the remaining unparsed traffic files in the crashed process's queue to the other sub TAA processes in sequence, with message parsing continuing from the position given by the count identifier, or starts a new sub TAA process and hands it the remaining unparsed traffic files in the crashed process's queue, with message parsing continuing from the position given by the count identifier;
when the main TAA process finds that the traffic is below the preset rate threshold and that the number of traffic files differs across the queues of the sub TAA processes, some of the traffic files of the sub TAA processes holding more files are distributed evenly to the sub TAA processes holding fewer files to balance the load.
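The following sketch is added here as an illustration and is not taken from the patent. It shows the shared structure (queue position plus count identifier) and the restart variant of crash recovery described above, using Python's multiprocessing module on a POSIX system. The names SubState, head, sub_taa and run, the (file_id, message count) stand-in for a traffic file, the round-robin reading of "in sequence" and the crash_at switch are assumptions made for the example.

```python
import multiprocessing as mp
import os

CTX = mp.get_context("fork")  # POSIX only: children inherit the shared objects


class SubState:
    """Stand-in for the global structure one sub TAA process shares with the main one."""

    def __init__(self, files):
        self.files = list(files)  # queue of (file_id, n_messages), filled by the main process
        # Single writer (the sub process), so no lock: a lock held by a crashed
        # process would never be released and would hang the main process.
        self.head = CTX.Value("i", 0, lock=False)   # position of the queue's starting file
        self.count = CTX.Value("i", 0, lock=False)  # count identifier for the current file


def sub_taa(state, seen, offsets, crash_at):
    """Sub TAA process body. crash_at=(file_id, msg_index) simulates a crash."""
    while state.head.value < len(state.files):
        file_id, n_msgs = state.files[state.head.value]
        while state.count.value < n_msgs:
            i = state.count.value
            if crash_at == (file_id, i):
                os._exit(1)                     # die abruptly, no cleanup
            seen[offsets[file_id] + i] += 1     # constructed stand-in for parsing message i
            state.count.value = i + 1           # one more message of this file parsed
        # File finished: reset the counter and drop the file from the queue.
        # A real engine must make these two writes atomic (or tolerate a replay).
        state.count.value = 0
        state.head.value += 1


def run(files, n_subs=None, crash_at=None):
    """Main TAA process: distribute files, watch the children, restart on crash."""
    n_subs = n_subs or os.cpu_count() or 1      # unspecified: one sub process per core
    offsets, total = {}, 0
    for file_id, n_msgs in files:
        offsets[file_id] = total
        total += n_msgs
    seen = CTX.Array("i", total, lock=False)    # times each message was parsed
    # Round robin is the assumed meaning of distributing "in sequence".
    states = [SubState(files[k::n_subs]) for k in range(n_subs)]
    pending = []
    for st in states:
        proc = CTX.Process(target=sub_taa, args=(st, seen, offsets, crash_at))
        proc.start()
        pending.append((proc, st))
    restarts = 0
    while pending:
        proc, st = pending.pop(0)
        proc.join()
        if proc.exitcode != 0:
            # Crash: head and count still sit in shared memory, so a new sub
            # process picks up at the exact message where the old one stopped.
            proc = CTX.Process(target=sub_taa, args=(st, seen, offsets, None))
            proc.start()
            pending.append((proc, st))
            restarts += 1
    return seen[:], restarts


if __name__ == "__main__":
    files = [("f0", 5), ("f1", 3), ("f2", 4)]   # constructed sample input
    print(run(files, n_subs=2, crash_at=("f0", 2)))
```

Because the count identifier is written after a message is parsed, a crash between those two steps replays one message on resume; for an audit engine a duplicate record is the safer failure than a gap.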
Fig. 3 is a flowchart illustrating another step of a multi-process collaborative network traffic parsing method according to an embodiment of the present invention.
As shown in fig. 3, before the main traffic auditing engine process, i.e., the main TAA process, creates a specified number of sub-TAA processes for processing network traffic, the multi-process collaborative network traffic parsing method may further include:
the main TAA process creates a traffic collection process.
In the multi-process collaborative network traffic parsing method:
the traffic acquisition process caches all acquired messages and writes them to a traffic file in batches when it detects that the traffic acquisition rate is greater than or equal to the preset rate threshold;
the traffic acquisition process also writes acquired messages to a traffic file in real time when it detects that the traffic acquisition rate is below the preset rate threshold.
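An added sketch, not from the patent, of the acquisition process's two write modes described above. The sliding one-second window used to measure the rate, the messages-per-second unit, the batch size, the length-prefixed record layout and the names CaptureWriter, on_message and replay are assumptions.

```python
import io
from collections import deque


class CaptureWriter:
    """Traffic-file writer that batches at or above a rate threshold (assumed design)."""

    def __init__(self, sink, rate_threshold, batch_size=64, window=1.0):
        self.sink = sink                      # binary file-like object (the traffic file)
        self.rate_threshold = rate_threshold  # messages per second (assumed unit)
        self.batch_size = batch_size          # buffered messages per batch write
        self.window = window                  # seconds over which the rate is measured
        self.stamps = deque()                 # arrival times still inside the window
        self.buffer = []
        self.writes = 0                       # write() calls issued so far

    def _flush(self):
        if self.buffer:
            self.sink.write(b"".join(self.buffer))
            self.writes += 1
            self.buffer.clear()

    def on_message(self, data, now):
        """Record one captured message that arrived at time `now` (seconds)."""
        self.stamps.append(now)
        while self.stamps[0] <= now - self.window:
            self.stamps.popleft()
        rate = len(self.stamps) / self.window
        # Length-prefixed record so a parser can find message boundaries.
        self.buffer.append(len(data).to_bytes(4, "big") + data)
        if rate < self.rate_threshold:
            self._flush()                     # light traffic: write in real time
        elif len(self.buffer) >= self.batch_size:
            self._flush()                     # heavy traffic: one write per batch

    def close(self):
        self._flush()                         # do not lose the tail of a batch


def replay(n_messages, interval, rate_threshold):
    """Feed constructed 10-byte messages at a fixed interval; return (writes, bytes)."""
    sink = io.BytesIO()
    writer = CaptureWriter(sink, rate_threshold)
    for i in range(n_messages):
        writer.on_message(b"x" * 10, now=i * interval)
    writer.close()
    return writer.writes, len(sink.getvalue())
```

Batching bounds what a crash of the acquisition process can lose to at most batch_size buffered messages, which is the cost paid for fewer write calls under heavy traffic.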
Fig. 4 is a block diagram illustrating a structure of a multi-process cooperative network traffic analysis apparatus according to an embodiment of the present invention, the apparatus is used for a main traffic audit engine process, i.e., a main TAA process, and the apparatus includes:
a first creation module for creating a specified number of sub TAA processes for processing network traffic;
a link setting module, configured to set up an inter-process communication link between each sub TAA process and the main TAA process, where each sub TAA process shares a global structure with the main TAA process, the members of which include a queue storing the traffic files distributed to that sub TAA process and a count identifier, and where, for each traffic file, the count identifier is incremented by one each time a message of the traffic file is parsed;
a file distribution module, configured to distribute the traffic files saved by the acquisition process to the sub TAA processes in sequence, to insert, for each sub TAA process, the distributed traffic files into that process's traffic file queue in order, and to give the position of the first file in the queue as the position from which the sub TAA process starts reading traffic files;
after a sub TAA process finishes parsing a traffic file, the traffic file is removed from that process's queue and the count identifier is reset to zero;
wherein creating a specified number of sub TAA processes for processing network traffic comprises: if the number of sub TAA processes is not specified, the number of system CPU cores is detected automatically and used as the specified number.
Next, a specific configuration of the multiprocess cooperative network traffic analysis apparatus of the present invention will be further described.
Fig. 5 is a block diagram illustrating another structure of a multi-process cooperative network traffic analyzing apparatus according to an embodiment of the present invention.
As shown in fig. 5, the multi-process collaborative network traffic analysis apparatus may further include:
an operation monitoring module, configured to monitor the running state of the sub TAA processes at all times and, when a sub TAA process crashes, either to hand the remaining unparsed traffic files in the crashed process's queue to the other sub TAA processes in sequence, with message parsing continuing from the position given by the count identifier, or to start a new sub TAA process and hand it the remaining unparsed traffic files in the crashed process's queue, with message parsing continuing from the position given by the count identifier;
a load balancing module, configured to distribute some of the traffic files of the sub TAA processes holding more files evenly to the sub TAA processes holding fewer files, to balance the load, when the traffic is below the preset rate threshold and the number of traffic files differs across the queues of the sub TAA processes.
Fig. 6 is a block diagram illustrating another structure of a multi-process cooperative network traffic analyzing apparatus according to an embodiment of the present invention.
As shown in fig. 6, the multi-process collaborative network traffic analysis apparatus may further include:
a second creation module for creating a traffic acquisition process.
In the multi-process collaborative network traffic analysis device:
the traffic acquisition process caches all acquired messages and writes them to a traffic file in batches when it detects that the traffic acquisition rate is greater than or equal to the preset rate threshold;
the traffic acquisition process also writes acquired messages to a traffic file in real time when it detects that the traffic acquisition rate is below the preset rate threshold.
In actual operation, the comparative experimental data obtained with multiple sub TAA parsing processes are shown in Table 3:
TABLE 3
Comparing the data in Table 3 with Table 2 shows that, under the same traffic impact, the number of frames actually processed with multiple sub TAA parsing processes is much larger than with a single parsing process; that is, the packet loss rate with multiple sub TAA parsing processes is much lower than with a single parsing process. As long as CPU resources are not exhausted, the message processing rate increases with the number of processes in a linear relationship.
In summary, the multi-process cooperative network traffic analysis method and device of the present invention on the one hand reduce CPU usage by technical means, and on the other hand raise the message parsing rate for network data under heavy traffic by creating multiple processes that make full use of multi-core resources, so that message parsing performance improves while the packet loss rate falls.
Finally, it should be noted that each functional device in the embodiments of the present invention may be integrated into one processing device, or each device may exist alone physically, or two or more devices may be integrated into one device.
If implemented as software functional devices and sold or used as a stand-alone product, the functions may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (2)
1. A multi-process collaborative network traffic parsing method, the method comprising:
a main flow auditing engine process, namely a main TAA process, creates a specified number of sub TAA processes for processing network flow;
an interprocess communication link is arranged between the sub TAA process and the main TAA process, each sub TAA process and the main TAA process share a global structure, the members of the global structure comprise a queue for storing flow files distributed to the sub TAA processes and a counting identifier, and for each flow file, the counting identifier is increased by one when a message of the flow file is analyzed;
the main TAA process distributes the flow files saved by the acquisition process to the sub-TAA processes in sequence; for each sub-TAA process, the distributed flow files are inserted into that sub-TAA process's flow file queue in sequence, and the position of the queue's starting file is given as the position where the sub-TAA process starts to read the flow files;
after a sub-TAA process finishes analyzing a flow file, the flow file is removed from the queue of that sub-TAA process and, at the same time, the count identifier is reset to zero;
wherein the method for processing the network traffic by the main traffic auditing engine process, namely the main TAA process, comprises: if the number of sub-TAA processes is not specified, the main TAA process automatically detects the number of system CPU cores and takes that number as the specified number;
the main TAA process creates a flow acquisition process; the flow acquisition process is used for caching all acquired messages and writing them into a flow file in batches when the flow acquisition rate is detected to be greater than or equal to a preset flow rate threshold;
the flow acquisition process is further used for writing the acquired messages into a flow file in real time when the flow acquisition rate is detected to be smaller than the preset flow rate threshold;
the main TAA process monitors the running state of the sub-TAA processes at all times; when a sub-TAA process crashes, the main TAA process either hands over the remaining unanalyzed flow files in the queue of the crashed sub-TAA process to the other sub-TAA processes in sequence, and message analysis continues from the position given by the count identifier, or restarts a new sub-TAA process, hands over the remaining unanalyzed flow files in the queue of the crashed sub-TAA process to the restarted sub-TAA process, and message analysis continues from the position given by the count identifier;
when the main TAA process finds that the flow is smaller than the preset rate threshold and the numbers of flow files in the queues of the sub-TAA processes are uneven, part of the flow files of the sub-TAA processes with more flow files are evenly redistributed to the sub-TAA processes with fewer flow files to balance the load.
2. A multi-process cooperative network traffic analysis device, used for a main traffic audit engine process (main TAA process), characterized by comprising:
a first creation module, used for creating a specified number of sub-TAA processes for processing network traffic;
a link setting module, used for setting an inter-process communication link between the sub-TAA processes and the main TAA process, wherein each sub-TAA process and the main TAA process share a global structure whose members include a queue that stores the flow files distributed to the sub-TAA process and a count identifier, and, for each flow file, the count identifier is incremented each time a message of that flow file is analyzed;
a file distribution module, used for distributing the flow files saved by the acquisition process to the sub-TAA processes in sequence, for each sub-TAA process inserting the distributed flow files into that sub-TAA process's flow file queue in sequence, and giving the position of the queue's starting file as the position where the sub-TAA process starts to read the flow files; after a sub-TAA process finishes analyzing a flow file, the flow file is removed from the queue of that sub-TAA process and, at the same time, the count identifier is reset to zero;
wherein creating a specified number of sub-TAA processes for processing network traffic comprises: if the number of the TAA processes is not specified, automatically detecting the number of system CPU cores and taking that number as the specified number;
an operation monitoring module, used for monitoring the running state of the sub-TAA processes at all times and, when a sub-TAA process crashes, either handing over the remaining unanalyzed flow files in the queue of the crashed sub-TAA process to the other sub-TAA processes in sequence, with message analysis continuing from the position given by the count identifier, or restarting a new sub-TAA process and handing over the remaining unanalyzed flow files in the queue of the crashed sub-TAA process to the restarted sub-TAA process, with message analysis continuing from the position given by the count identifier;
a load balancing module, used for evenly redistributing part of the flow files of the sub-TAA processes with more flow files to the sub-TAA processes with fewer flow files to balance the load when the flow is smaller than a preset rate threshold and the numbers of flow files in the queues of the sub-TAA processes are uneven;
a second creation module, used for creating a flow acquisition process; the flow acquisition process is used for caching all acquired messages and writing them into a flow file in batches when the flow acquisition rate is detected to be greater than or equal to a preset flow rate threshold; and the flow acquisition process is also used for writing the acquired messages into a flow file in real time when the flow acquisition rate is detected to be smaller than the preset flow rate threshold.
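The queue bookkeeping that the claims assign to the main TAA process (in-order distribution, resetting the count identifier, crash hand-over with resume, and load balancing) can be modelled in a single process as follows. This is an added illustration, not code from the patent: the class and method names are assumptions, real inter-process sharing is replaced by plain objects, and moving files from the tail of the longest queue is one possible reading of "evenly redistributed".

```python
import os
from collections import deque
from dataclasses import dataclass, field

@dataclass
class SubTAA:
    # Models the shared global structure of one sub-TAA process (constructed names).
    queue: deque = field(default_factory=deque)  # entries: (flow_file, resume_offset)
    count: int = 0      # count identifier: messages analyzed in the head file so far
    alive: bool = True

class MainTAA:
    def __init__(self, n=None):
        n = n or os.cpu_count() or 1          # unspecified -> number of CPU cores
        self.subs = [SubTAA() for _ in range(n)]
        self._next = 0                        # round-robin cursor

    def distribute(self, flow_file, offset=0):
        live = [s for s in self.subs if s.alive]
        if not live:
            raise RuntimeError("no live sub-TAA process")
        live[self._next % len(live)].queue.append((flow_file, offset))
        self._next += 1

    def finish_file(self, i):
        # Analysis of the head file is complete: dequeue it and zero the counter.
        self.subs[i].count = 0
        return self.subs[i].queue.popleft()[0]

    def handle_crash(self, i, restart=False):
        dead = self.subs[i]
        pending, done = list(dead.queue), dead.count
        dead.alive, dead.count = False, 0
        dead.queue.clear()
        if restart:
            self.subs.append(SubTAA())        # replacement takes the whole queue
        for k, (name, off) in enumerate(pending):
            off += done if k == 0 else 0      # only the head file was in progress
            if restart:
                self.subs[-1].queue.append((name, off))
            else:
                self.distribute(name, off)    # hand over in order to survivors

    def rebalance(self, rate, threshold):
        live = [s for s in self.subs if s.alive]
        moved = 0
        while rate < threshold and live:
            hi = max(live, key=lambda s: len(s.queue))
            lo = min(live, key=lambda s: len(s.queue))
            if len(hi.queue) - len(lo.queue) <= 1:
                break
            lo.queue.append(hi.queue.pop())   # tail only; the head may be in progress
            moved += 1
        return moved
```

The resume offset stored with each handed-over file is what lets the receiving sub-TAA process skip messages the crashed process had already analyzed, so no message is audited twice or dropped.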
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911089657.9A CN110908798B (en) | 2019-11-08 | 2019-11-08 | Multi-process cooperative network traffic analysis method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911089657.9A CN110908798B (en) | 2019-11-08 | 2019-11-08 | Multi-process cooperative network traffic analysis method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110908798A (en) | 2020-03-24 |
CN110908798B (en) | 2022-11-25 |
Family
ID=69817137
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911089657.9A Active CN110908798B (en) | 2019-11-08 | 2019-11-08 | Multi-process cooperative network traffic analysis method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110908798B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111694783B (en) * | 2020-06-11 | 2021-06-25 | 福建宏创科技信息有限公司 | Parallel data analysis method and device applied to DPI equipment |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1578272A (en) * | 2003-07-11 | 2005-02-09 | 株式会社日立制作所 | Packet forwarding device equipped with statistics collection device and statistics collection method |
CN109936551A (en) * | 2017-12-19 | 2019-06-25 | 中国电信股份有限公司 | Defence method, defence installation and the controller of domain name system attack |
Family Cites Families (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1536497A (en) * | 2003-04-04 | 2004-10-13 | 上海广电应确信有限公司 | Flame-proof wall for implementing packet filtering and its method for implementing packet filtering |
JP6015342B2 (en) * | 2012-10-24 | 2016-10-26 | 富士通株式会社 | Information processing method, program, information processing apparatus, and information processing system |
CN103281213B (en) * | 2013-04-18 | 2016-04-06 | 西安交通大学 | A kind of network traffic content extracts and analyzes search method |
JP6421753B2 (en) * | 2013-08-22 | 2018-11-14 | 日本電気株式会社 | System, service platform, application server, and method |
CN104821924B (en) * | 2014-01-30 | 2018-11-27 | 西门子公司 | A kind of processing method of network data packets, device and network processing device |
JP2015176401A (en) * | 2014-03-17 | 2015-10-05 | 株式会社リコー | information processing system, information processing method, and program |
CN104978321B (en) * | 2014-04-02 | 2018-12-04 | 阿里巴巴集团控股有限公司 | Construct the method, apparatus of data queue and the method from its insertion and consumer objects |
CN104158757B (en) * | 2014-08-21 | 2017-07-07 | 福建星海通信科技有限公司 | A kind of gps data enters library processing method and system |
CN104503909A (en) * | 2014-12-18 | 2015-04-08 | 浪潮(北京)电子信息产业有限公司 | Method and device for testing IO (input/output) performance of magnetic disk |
CN104468629B (en) * | 2014-12-30 | 2018-10-09 | 北京奇虎科技有限公司 | A kind of method and apparatus of Batch sending message |
US10853277B2 (en) * | 2015-06-24 | 2020-12-01 | Intel Corporation | Systems and methods for isolating input/output computing resources |
CN105138410A (en) * | 2015-08-31 | 2015-12-09 | 北京锐安科技有限公司 | Message queue achievement method and device based on disk buffer |
CN105549952A (en) * | 2015-12-03 | 2016-05-04 | 上海高性能集成电路设计中心 | Two-stage buffer issue regulation and control device based on scoreboard principle |
CN108306832B (en) * | 2018-01-29 | 2021-07-27 | 北京启明星辰信息安全技术有限公司 | Network traffic shunting method and device |
CN108809748A (en) * | 2018-03-26 | 2018-11-13 | 北京天融信网络安全技术有限公司 | Network audit collecting method and related device, equipment and storage medium |
CN110222503A (en) * | 2019-04-26 | 2019-09-10 | 西安交大捷普网络科技有限公司 | Database audit method, system and equipment under a kind of load of high amount of traffic |
CN110417675B (en) * | 2019-07-29 | 2020-12-01 | 广州竞远安全技术股份有限公司 | Network shunting method, device and system of high-performance probe under SOC (System on chip) |
Non-Patent Citations (2)
Title |
---|
Dynamic Feature Analysis and Measurement for Large-Scale Network Traffic Monitoring; Xiaohong Guan et al.; IEEE Transactions on Information Forensics and Security; 20100812; pp. 905-919 * |
Research and Implementation of a High-Performance Network Server Framework; Guo Qingtao et al.; Computer Engineering; 20131215; pp. 70-74 * |
Also Published As
Publication number | Publication date |
---|---|
CN110908798A (en) | 2020-03-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106972985B (en) | Method for accelerating data processing and forwarding of DPI (deep packet inspection) equipment and DPI equipment | |
US11888744B2 (en) | Spin-leaf network congestion control method, node, system, and storage medium | |
CN109525495B (en) | Data processing device and method and FPGA board card | |
US20100229182A1 (en) | Log information issuing device, log information issuing method, and program | |
US11095674B2 (en) | DDoS attack detection method and device | |
CN107454120A (en) | The method of network attack defending system and defending against network attacks | |
CN111782140A (en) | Network data packet storage method and device, computer equipment and storage medium | |
CN112543149B (en) | Method for preventing IPFIX message from being lost, application thereof and ASIC chip | |
CN106921665A (en) | A kind of message processing method and the network equipment | |
CN112383585A (en) | Message processing system and method and electronic equipment | |
CN110908798B (en) | Multi-process cooperative network traffic analysis method and device | |
CN112019407A (en) | Forwarding equipment data testing method and device, computer equipment and storage medium | |
CN107819697B (en) | Data transmission method, switch and data center | |
JP2020088517A (en) | Communication apparatus, and control method and program of communication apparatus | |
Pan et al. | Nb-cache: Non-blocking in-network caching for high-performance content routers | |
CN113448729B (en) | Load balancing method, device, equipment and storage medium | |
US8819107B2 (en) | Relay apparatus, recording medium storing a relay program, and a relay method | |
CN113014555B (en) | Method and device for determining attack event, electronic equipment and storage medium | |
WO2021128936A1 (en) | Message processing method and apparatus | |
CN104243395B (en) | A kind of high frequency time write operation method, interface message processor (IMP) and system | |
CN109542662B (en) | Memory management method, device, server and storage medium | |
CN109347760B (en) | Data sending method and device | |
CN108449252B (en) | Dump method and device for access log | |
CN115396319B (en) | Data stream slicing method, device, equipment and storage medium | |
CN115988574B (en) | Data processing method, system, equipment and storage medium based on flow table |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||