CN111698178B - Flow analysis method and device - Google Patents

Publication number: CN111698178B
Authority: CN (China)
Prior art keywords: real, flow, processor, traffic, preset
Legal status: Active
Application number: CN202010289354.8A
Other languages: Chinese (zh)
Other versions: CN111698178A (en)
Inventors: 秦娟, 朱仕银
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: New H3C Technologies Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00: Traffic control in data switching networks
    • H04L47/10: Flow control; Congestion control
    • H04L47/24: Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2416: Real-time traffic

Abstract

The application provides a traffic analysis method and device. The method is applied to a traffic analysis device arranged on a network device in an Ethernet network and comprises the following steps: a processor in the traffic analysis device receives real-time traffic redirected by a switching chip on the network device; when the real-time traffic is not traffic that was received by the switching chip and matched a preset ACL rule, and it is determined according to a preset first application rule that the real-time traffic needs to be analyzed by a GPU card in the traffic analysis device, the processor sends the real-time traffic to the GPU card, so that the GPU card analyzes the real-time traffic according to the analysis policy corresponding to the preset first application rule. The method and device can save the equipment deployment cost of the Ethernet network.

Description

Flow analysis method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a traffic analysis method and apparatus.
Background
With the explosive growth of Ethernet networks and their bandwidth, services of all kinds, including data, voice, image, and video, are carried over Ethernet, and the applications and services running on it keep multiplying. At the same time, the cost and technical threshold of attacking an Ethernet network have dropped sharply, and attacks and abnormal traffic of many kinds now appear on Ethernet networks in large numbers. It is therefore necessary to analyze Ethernet traffic in depth in order to understand how the traffic is distributed and how it is changing.
At present, a traffic analysis device is usually deployed separately in the Ethernet network and collects the traffic entering a network device (for example, a core switch) by means of an optical splitter or port mirroring.
Whichever collection method is used, a separate traffic analysis device has to be deployed in the Ethernet network, which raises the equipment cost of deploying the network.
Moreover, if traffic is collected through an optical splitter, the splitter must itself be deployed separately, and a one-time network cutover is involved, which can easily cause a momentary interruption of the Ethernet link; this not only increases equipment cost but also affects the stability of the Ethernet link to some extent. If traffic is collected through port mirroring, the network device must support the port mirroring function, and mirroring may occupy a number of the device's Ethernet ports, leaving the device short of port resources.
Disclosure of Invention
The application provides a traffic analysis method and device that save the equipment deployment cost of an Ethernet network, do not affect the stability of the Ethernet link, and do not occupy the Ethernet port resources of the network device.
The technical solution provided by the application is as follows:
The application provides a traffic analysis method, applied to a traffic analysis device arranged on a network device in an Ethernet network, comprising the following steps:
a processor in the traffic analysis device receives real-time traffic redirected by a switching chip on the network device;
when the real-time traffic is not traffic that was received by the switching chip and matched a preset Access Control List (ACL) rule, and it is determined according to a preset first application rule that the real-time traffic needs to be analyzed by a graphics processing unit (GPU) card in the traffic analysis device, the processor sends the real-time traffic to the GPU card, so that the GPU card analyzes the real-time traffic according to the analysis policy corresponding to the preset first application rule.
The present application further provides a traffic analysis device, arranged on a network device in an Ethernet network, comprising a processor and a GPU card;
the processor is configured to receive real-time traffic redirected by a switching chip on the network device and, when the real-time traffic is not traffic that was received by the switching chip and matched a preset ACL rule and it is determined according to a preset first application rule that the real-time traffic needs to be analyzed by the GPU card, to send the real-time traffic to the GPU card;
and the GPU card is configured to analyze the real-time traffic according to the analysis policy corresponding to the preset first application rule.
It can be seen from the above technical solutions that, in the present application, the traffic analysis device is disposed on the network device, and in some application scenarios, the processor and the GPU card in the traffic analysis device cooperate to implement real-time traffic analysis, and there is no need to separately deploy the traffic analysis device in the ethernet network, or deploy the optical splitter, or occupy a certain number of ethernet ports of the network device to configure the port mirroring function, so that not only the device deployment cost of the ethernet network is saved, but also the stability of the ethernet link is not affected and the ethernet port resources of the network device are not occupied.
Drawings
Fig. 1 is a schematic flowchart of a traffic analysis method according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a traffic analysis device according to an embodiment of the present application;
Fig. 3 is a second schematic structural diagram of a traffic analysis device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
An embodiment of the present application provides a traffic analysis method, applied to a traffic analysis device arranged on a network device in an Ethernet network. The network device may be a switching device, for example a core switch, or a routing device. The method may include the following steps:
S11: The processor in the traffic analysis device receives the real-time traffic redirected by the switching chip on the network device.
In this step, the processor may be an X86 processor.
S12: When the real-time traffic is not traffic that was received by the switching chip and matched the preset ACL rule, and it is determined according to the preset first application rule that the real-time traffic needs to be analyzed by a GPU card in the traffic analysis device, the processor sends the real-time traffic to the GPU card, so that the GPU card analyzes the real-time traffic according to the analysis policy corresponding to the preset first application rule.
In this embodiment of the present application, the traffic analysis device may be arranged on the network device as a pluggable module; specifically, it may be installed in any slot of an interface board of the network device. Adding a traffic analysis device to the Ethernet network or removing one is therefore very convenient, does not affect the stability of the Ethernet link, and does not occupy Ethernet port resources.
Further, in the embodiment of the present application, the processor may also perform the following operations:
when the real-time traffic is traffic that was received by the switching chip and matched the preset ACL rule, determining egress port information for the real-time traffic;
and sending the determined egress port information to the switching chip, so that the switching chip forwards the real-time traffic according to the determined egress port information.
This operation flow suits a specific application scenario: once the switching chip receives traffic that matches the preset ACL rule, it considers that it cannot process the traffic itself and that the traffic analysis device must assist in forwarding it. In this case, the switching chip redirects the traffic to the processor in the traffic analysis device.
It should be noted that, in an embodiment of the present application, after receiving the traffic, the processor may directly perform processing according to the above operation flow, for example, in a certain application scenario, the processor may determine egress port information of the traffic according to a specified Hash algorithm and related aggregation group information.
Of course, in another embodiment of the present application, after receiving the traffic, the processor may also send the traffic to the GPU card, and the GPU card assists in completing the determination of the egress port information.
Further, in the embodiment of the present application, the processor may also perform the following operations:
obtaining historical traffic from the switching chip;
and, when it is determined according to the preset second application rule that the historical traffic needs to be analyzed by the GPU card, sending the historical traffic to the GPU card, which analyzes the historical traffic according to the analysis policy corresponding to the preset second application rule.
If the real-time traffic received by the processor is not traffic that was received by the switching chip and matched the preset ACL rule, and it is determined according to the preset third application rule that the real-time traffic needs to be analyzed by the processor, the processor may analyze the real-time traffic directly according to the analysis policy corresponding to the preset third application rule.
If it is determined according to the preset fourth application rule that the acquired historical traffic needs to be analyzed by the processor itself, the processor may analyze it directly according to the analysis policy corresponding to the preset fourth application rule.
It should be noted that all the application rules described above may be set according to actual applications, such as video applications, voice applications, etc., and the first application rule and the second application rule may be the same or different. The third application rule and the fourth application rule may be the same or different.
Moreover, for traffic that needs to be sent to the GPU card for analysis, the processor may, depending on the specific content of the corresponding application rule, either forward the traffic directly or forward it after corresponding processing (for example, performing feature extraction on the traffic).
In addition, in the embodiment of the present application, to further optimize the Ethernet network, the processor may also perform the following operations:
receiving the analysis result for the real-time traffic sent by the GPU card;
and sending the analysis result to a Software Defined Network (SDN) controller for flow control.
Of course, when the processor analyzes the real-time traffic itself, it subsequently sends the analysis result directly to the SDN controller.
It should be noted that the SDN controller may be disposed in the traffic analysis device, or may be deployed separately.
Specific flow control operations may include dropping traffic, passing traffic, congestion control of traffic, handling traffic by priority, and so forth.
For example, during a Transmission Control Protocol (TCP) transfer across a wide area network, the X86 processor in the traffic analysis device receives a TCP session and determines, according to a preset application rule, that the TCP session needs to be analyzed by the GPU card. The TCP session is then sent to the GPU card, which analyzes it according to the analysis policy corresponding to the preset application rule, for example by analyzing header fields of the TCP session (such as the SYN, ACK, and FIN fields), and the analysis result is sent to the SDN controller in the traffic analysis device. The SDN controller may then perform flow control according to the analysis result; for example, it determines the location of the congestion point from the analysis result and applies flow control for that location, such as discarding low-priority packets.
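The decision flow described above (ACL-matched traffic gets egress port information back, other traffic goes to the GPU card or the processor by application rule, and TCP header flags are analyzed), as an added Python example that is not part of the patent. The rule table, aggregation-group members, CRC32 hash, and all function names are assumptions; the patent names no hash algorithm, and both engines here run the same CPU code.

```python
import socket
import struct
import zlib
from collections import Counter

FIN, SYN, ACK = 0x01, 0x02, 0x10                      # TCP flag bits
AGG_GROUP = ["port-1", "port-2", "port-3", "port-4"]  # assumed aggregation group
APP_RULES = {"tcp-wan": "gpu", "voice": "cpu"}        # assumed application rules


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Construct a minimal IPv4/TCP packet (checksums zero) as sample input."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_tcp(pkt):
    """Return (src, dst, sport, dport, flags), or None for anything that is
    not a complete IPv4 packet carrying a TCP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            sport, dport, pkt[ihl + 13])


def analyze_flags(packets):
    """Stand-in analysis policy: count SYN, ACK and FIN flags in a batch."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_tcp(pkt)
        if parsed is None:
            counts["malformed"] += 1
            continue
        for name, bit in (("syn", SYN), ("ack", ACK), ("fin", FIN)):
            if parsed[4] & bit:
                counts[name] += 1
    return dict(counts)


def egress_port(pkt, members=AGG_GROUP):
    """Pick an aggregation-group member by hashing the flow 4-tuple, so every
    packet of a flow leaves through the same port. CRC32 is an assumption."""
    parsed = parse_tcp(pkt)
    key = repr(parsed[:4]).encode() if parsed else bytes(pkt[:20])
    return members[zlib.crc32(key) % len(members)]


def dispatch(acl_matched, app, packets):
    """Model the processor's decision for one redirected batch."""
    if acl_matched:
        # The switching chip could not forward this traffic itself; it only
        # needs egress port information back.
        return ("egress", [egress_port(p) for p in packets])
    engine = APP_RULES.get(app)
    if engine is None:
        return ("unclassified", None)
    # "gpu" would be handed to the GPU card in the device; here both engines
    # run the same function and only the label differs. The returned result
    # is what would be reported to the SDN controller.
    return (engine, analyze_flags(packets))


# Constructed sample: one TCP session plus a truncated packet.
SAMPLE = [
    build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 443, SYN),
    build_ipv4_tcp("10.0.0.2", "10.0.0.1", 443, 40000, SYN | ACK),
    build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 443, ACK),
    build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 443, FIN | ACK),
    b"\x45\x00",
]

if __name__ == "__main__":
    print(dispatch(False, "tcp-wan", SAMPLE))
    print(dispatch(True, "tcp-wan", SAMPLE[:1]))
```

The truncated packet is counted as malformed rather than raising, which matters when the analysis runs on traffic the device does not control.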
It can be seen from the above technical solutions that, in the present application, the traffic analysis device is disposed on the network device, and in some application scenarios, the processor and the GPU card in the traffic analysis device cooperate to implement real-time traffic analysis, and there is no need to separately deploy the traffic analysis device in the ethernet network, or deploy an optical splitter, or occupy a certain number of ethernet ports of the network device to configure a port mirroring function, so that not only is the device deployment cost of the ethernet network saved, but also the stability of the ethernet link is not affected and the ethernet port resources of the network device are not occupied.
Based on the same inventive concept, the present application further provides a traffic analysis device. As shown in Fig. 2, the device 2 is arranged on a network device in an Ethernet network and includes a processor 21 and a GPU card 22.
The processor 21 is configured to receive real-time traffic redirected by a switching chip on the network device and, when the real-time traffic is not traffic that was received by the switching chip and matched the preset ACL rule and it is determined according to the preset first application rule that the real-time traffic needs to be analyzed by the GPU card 22, to send the real-time traffic to the GPU card 22.
The GPU card 22 is configured to analyze the real-time traffic according to the analysis policy corresponding to the preset first application rule.
In the embodiment of the present application, the processor 21 may be an X86 processor.
Preferably, the processor 21 is further configured to determine egress port information of the real-time traffic when the real-time traffic is traffic that was received by the switching chip and matched the preset ACL rule, and to send the determined egress port information to the switching chip, so that the switching chip forwards the real-time traffic according to the determined egress port information.
Preferably, the processor 21 is further configured to obtain historical traffic from the switching chip and, when it is determined according to the preset second application rule that the historical traffic needs to be analyzed by the GPU card 22, to send the historical traffic to the GPU card 22;
the GPU card 22 is further configured to analyze the historical traffic according to the analysis policy corresponding to the preset second application rule.
Preferably, the processor 21 is further configured to receive the analysis result for the real-time traffic sent by the GPU card 22 and to send the analysis result to an SDN controller for flow control.
In the embodiment of the present application, the SDN controller may be deployed separately or may be arranged in the traffic analysis device (as shown in Fig. 3).
The traffic analysis device 2 is preferably arranged on the network device in a pluggable manner.
Of course, in addition to the above components, the traffic analysis device 2 includes other components not shown in Fig. 2, for example, a PCH chip and a BMC chip.
It can be seen from the above technical solutions that, in the present application, the traffic analysis device is disposed on the network device, and in some application scenarios, the processor and the GPU card in the traffic analysis device cooperate to implement real-time traffic analysis, and there is no need to separately deploy the traffic analysis device in the ethernet network, or deploy an optical splitter, or occupy a certain number of ethernet ports of the network device to configure a port mirroring function, so that not only is the device deployment cost of the ethernet network saved, but also the stability of the ethernet link is not affected and the ethernet port resources of the network device are not occupied.
The above description is only a preferred embodiment of the present application and should not be taken as limiting the present application, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (12)

1. A traffic analysis method, applied to a traffic analysis device provided on a network device in an Ethernet network, the method comprising:
a processor in the traffic analysis device receiving real-time traffic redirected by a switching chip on the network device;
and, when the real-time traffic is not traffic that was received by the switching chip and matched a preset Access Control List (ACL) rule, and it is determined according to a preset first application rule that the real-time traffic needs to be analyzed by a graphics processing unit (GPU) card in the traffic analysis device, the processor sending the real-time traffic to the GPU card, so that the GPU card analyzes the real-time traffic according to an analysis policy corresponding to the preset first application rule.
2. The method of claim 1, further comprising:
when the real-time traffic is traffic that was received by the switching chip and matched the preset ACL rule, the processor determining egress port information of the real-time traffic;
and sending the determined egress port information to the switching chip, so that the switching chip forwards the real-time traffic according to the determined egress port information.
3. The method of claim 1, further comprising:
the processor acquiring historical traffic from the switching chip;
and, when the processor determines according to a preset second application rule that the historical traffic needs to be analyzed by the GPU card, the processor sending the historical traffic to the GPU card, so that the GPU card analyzes the historical traffic according to an analysis policy corresponding to the preset second application rule.
4. The method of claim 1, further comprising:
the processor receiving an analysis result for the real-time traffic sent by the GPU card;
and sending the analysis result to a Software Defined Network (SDN) controller for flow control.
5. The method of claim 1, wherein the traffic analysis device is disposed on the network device in a pluggable manner.
6. The method of claim 1, wherein the processor is an X86 processor.
7. A traffic analysis apparatus, wherein the apparatus is disposed on a network device in an Ethernet network, the apparatus comprising: a processor and a graphics processing unit (GPU) card;
the processor is configured to receive real-time traffic redirected by a switching chip on the network device and, when the real-time traffic is not traffic that was received by the switching chip and matched a preset Access Control List (ACL) rule and it is determined according to a preset first application rule that the real-time traffic needs to be analyzed by the GPU card, to send the real-time traffic to the GPU card;
and the GPU card is configured to analyze the real-time traffic according to the analysis policy corresponding to the preset first application rule.
8. The apparatus of claim 7, wherein
the processor is further configured to determine egress port information of the real-time traffic when the real-time traffic is traffic that was received by the switching chip and matched the preset ACL rule, and to send the determined egress port information to the switching chip, so that the switching chip forwards the real-time traffic according to the determined egress port information.
9. The apparatus of claim 7, wherein
the processor is further configured to obtain historical traffic from the switching chip and, when it is determined according to a preset second application rule that the historical traffic needs to be analyzed by the GPU card, to send the historical traffic to the GPU card;
and the GPU card is further configured to analyze the historical traffic according to an analysis policy corresponding to the preset second application rule.
10. The apparatus of claim 7, wherein
the processor is further configured to receive an analysis result for the real-time traffic sent by the GPU card, and to send the analysis result to a Software Defined Network (SDN) controller for flow control.
11. The apparatus of claim 7, wherein the traffic analysis apparatus is disposed on the network device in a pluggable manner.
12. The apparatus of claim 7, wherein the processor is an X86 processor.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010289354.8A CN111698178B (en) 2020-04-14 2020-04-14 Flow analysis method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010289354.8A CN111698178B (en) 2020-04-14 2020-04-14 Flow analysis method and device

Publications (2)

Publication Number Publication Date
CN111698178A CN111698178A (en) 2020-09-22
CN111698178B CN111698178B (en) 2022-08-30

Family

ID=72476297

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010289354.8A Active CN111698178B (en) 2020-04-14 2020-04-14 Flow analysis method and device

Country Status (1)

Country Link
CN (1) CN111698178B (en)

Also Published As

Publication number Publication date
CN111698178A (en) 2020-09-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant