CN112825506B - Flow mirror image detection method and device - Google Patents


Publication number
CN112825506B
Authority
CN
China
Prior art keywords
acquisition
virtualized
data
target
virtual probe
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911147341.0A
Other languages
Chinese (zh)
Other versions
CN112825506A (en)
Inventor
左一平
杨晓
张欢
高有军
任容玮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Application filed by China Mobile Communications Group Co Ltd, China Mobile Communications Ltd Research Institute
Priority to CN201911147341.0A
Publication of CN112825506A
Application granted
Publication of CN112825506B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/70 Virtual switches

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Traffic Control Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a flow mirror image detection method and device, and relates to the technical field of wireless communication. The flow mirror image detection method comprises the following steps: acquiring a virtualized acquisition planning table, virtual probe data and virtual switch (OVS) data; and detecting the virtual probe data and/or the OVS data according to the virtualized acquisition planning table to obtain a detection result. In this scheme, the virtual probe data and/or the OVS data are checked against the virtualized acquisition planning table to determine whether the acquired virtualized traffic data are accurate, which helps operation and maintenance personnel adjust inaccurate virtualized traffic data acquisition rules in time so that accurate virtualized traffic data can be acquired.

Description

Flow mirror image detection method and device
Technical Field
The present invention relates to the field of wireless communications technologies, and in particular, to a method and an apparatus for detecting a traffic mirror image.
Background
In 4G systems, the hardware-based acquisition scheme for deep packet inspection (DPI) replicates live network traffic by means of physical test access points (TAPs) plus optical splitters and sends it to the virtual probe and the data analysis system.
In existing 5G systems, with the spread of network function virtualization (NFV) technology, many network elements are deployed in virtualized form, so the original acquisition method based on physical TAPs and optical splitters is no longer applicable. The industry has therefore proposed replacing the original scheme with a virtual TAP plus virtual switch (OVS) that forwards the data to the virtual probe. With this approach, however, ensuring that the data of the virtualized acquisition scheme is complete and accurate becomes a key problem.
Disclosure of Invention
The embodiment of the invention provides a flow mirror image detection method and a flow mirror image detection device, which are used for solving the problem that the integrity and accuracy of data of a virtualized acquisition scheme cannot be guaranteed in the existing 5G.
In order to solve the above technical problems, an embodiment of the present invention provides a flow mirror detection method, including:
acquiring a virtualized acquisition planning table, virtual probe data and virtual switch OVS data;
and detecting the virtual probe data and/or the OVS data according to the virtualized acquisition planning table to obtain a detection result.
Specifically, the virtualized acquisition planning table includes: network element information, filtering rules and a target port mapping table.
Optionally, obtaining virtual probe data includes:
and interacting with the virtual probe to obtain flow statistic data of each flow rule.
Optionally, acquiring OVS data includes:
and periodically sending a query command to the OVS to acquire flow statistic data which is not matched with the virtualized acquisition planning table.
Optionally, the detecting the virtual probe data and/or OVS data according to the virtualized acquisition planning table, to obtain a detection result, includes at least one of the following:
detecting whether a first IP whose acquisition direction in the virtualized acquisition planning table is the out direction or the in-out direction appears in the source IP list in the virtual probe data with a consistent corresponding port; if the first IP does not appear in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is rule missing configuration, and obtaining the missed-configuration IP or IP pair;
detecting whether the second IPs whose acquisition direction in the virtualized acquisition planning table is the in direction or the in-out direction all appear in the source IP list in the virtual probe data with consistent corresponding ports; if the second IPs do not all appear in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is rule missing configuration, and obtaining the missed-configuration IP or IP pair;
detecting whether a third IP whose acquisition direction in the virtualized acquisition planning table is the out direction or the in-out direction appears in the source IP list in the OVS data; if the third IP appears in the source IP list in the virtual probe data, determining that the detection result is rule missing configuration, and obtaining the missed-configuration IP or IP pair;
detecting whether a fourth IP whose acquisition direction in the virtualized acquisition planning table is the in direction or the in-out direction appears in the source IP list in the OVS data; if the fourth IP appears in the source IP list in the virtual probe data, determining that the detection result is rule missing configuration, and obtaining the missed-configuration IP or IP pair.
Optionally, the detecting the virtual probe data and/or OVS data according to the virtualized acquisition plan table, to obtain a detection result includes:
summarizing, with the port as the index, the network element IPs associated with each port in the virtualized acquisition planning table and in the virtual probe data;
detecting whether the source IPs in the virtual probe data all appear among the IPs whose acquisition direction in the virtualized acquisition planning table is the out direction or the in-out direction, with consistent corresponding ports; if a source IP does not appear among those IPs or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table was not issued correctly, and obtaining the incorrectly issued IP or IP pair; and/or
detecting whether the source IPs in the virtual probe data all appear among the IPs whose acquisition direction in the virtualized acquisition planning table is the in direction or the in-out direction, with consistent corresponding ports; if a source IP does not appear among those IPs or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table was not issued correctly, and obtaining the incorrectly issued IP or IP pair.
Optionally, the detecting the virtual probe data and/or OVS data according to the virtualized acquisition plan table, to obtain a detection result includes:
summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
detecting whether a first network element appearing in the first port in the virtual probe data does not appear in the virtualized acquisition planning table, and if the first network element appearing in the first port does not appear in the virtualized acquisition planning table, determining that the detection result is that the first network element is wrongly provided with the target port.
Optionally, the detecting the virtual probe data and/or OVS data according to the virtualized acquisition plan table, to obtain a detection result includes:
Summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
detecting whether the first IP pair in the virtual probe data has repeated packet numbers;
if the first IP pair has the repeated packet number, acquiring a mirror image rule corresponding to a first target IP and a second target IP in the first IP pair in the virtual probe data;
determining whether the first target IP and the second target IP are simultaneously present in two mirror image rules or not, wherein the acquisition directions are the same;
if the first target IP and the second target IP are simultaneously present in the two mirror image rules and the acquisition directions are the same, determining that the detection result is that the mirror image rules corresponding to the first target IP and the second target IP are repeatedly configured;
if the first target IP and the second target IP do not appear in the two mirror image rules at the same time or the acquisition directions are different, detecting whether the first target IP and the second target IP appear in the configuration rule at the same time;
if the first target IP and the second target IP are simultaneously present in the configuration rule, determining that the detection result is that the mirror image rule corresponding to the first target IP and the second target IP is repeatedly configured.
The embodiment of the invention also provides a flow mirror image detection device, which comprises:
The first acquisition module is used for acquiring a virtualized acquisition planning table, virtual probe data and virtual switch OVS data;
and the second acquisition module is used for detecting the virtual probe data and/or the OVS data according to the virtualized acquisition planning table to acquire a detection result.
Specifically, the virtualized acquisition planning table includes: network element information, filtering rules and a target port mapping table.
Optionally, when the first obtaining module obtains the virtual probe data, the first obtaining module is configured to:
and interacting with the virtual probe to obtain flow statistic data of each flow rule.
Optionally, when the first obtaining module obtains OVS data, the first obtaining module is configured to:
and periodically sending a query command to the OVS to acquire flow statistic data which is not matched with the virtualized acquisition planning table.
Optionally, the second obtaining module is configured to implement at least one of:
detecting whether a first IP whose acquisition direction in the virtualized acquisition planning table is the out direction or the in-out direction appears in the source IP list in the virtual probe data with a consistent corresponding port; if the first IP does not appear in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is rule missing configuration, and obtaining the missed-configuration IP or IP pair;
detecting whether the second IPs whose acquisition direction in the virtualized acquisition planning table is the in direction or the in-out direction all appear in the source IP list in the virtual probe data with consistent corresponding ports; if the second IPs do not all appear in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is rule missing configuration, and obtaining the missed-configuration IP or IP pair;
detecting whether a third IP whose acquisition direction in the virtualized acquisition planning table is the out direction or the in-out direction appears in the source IP list in the OVS data; if the third IP appears in the source IP list in the OVS data, determining that the detection result is rule missing configuration, and obtaining the missed-configuration IP or IP pair;
detecting whether a fourth IP whose acquisition direction in the virtualized acquisition planning table is the in direction or the in-out direction appears in the source IP list in the OVS data; if the fourth IP appears in the source IP list in the OVS data, determining that the detection result is rule missing configuration, and obtaining the missed-configuration IP or IP pair.
Optionally, the second acquisition module includes:
the first summarizing unit is used for summarizing, with the port as the index, the network element IPs associated with each port in the virtualized acquisition planning table and in the virtual probe data;
the first determining unit is used for detecting whether the source IPs in the virtual probe data all appear among the IPs whose acquisition direction in the virtualized acquisition planning table is the out direction or the in-out direction, with consistent corresponding ports, and, if a source IP does not appear among those IPs or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table was not issued correctly and obtaining the incorrectly issued IP or IP pair; and/or
the second determining unit is used for detecting whether the source IPs in the virtual probe data all appear among the IPs whose acquisition direction in the virtualized acquisition planning table is the in direction or the in-out direction, with consistent corresponding ports, and, if a source IP does not appear among those IPs or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table was not issued correctly and obtaining the incorrectly issued IP or IP pair.
Optionally, the second acquisition module includes:
the second summarizing unit is used for summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
and the third determining unit is used for detecting whether the first network element appearing in the first port in the virtual probe data does not appear in the virtualized acquisition planning table, and if the first network element appearing in the first port does not appear in the virtualized acquisition planning table, determining that the detection result is that the first network element is wrongly provided with the target port.
Optionally, the second acquisition module includes:
the third summarizing unit is used for summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
a detection unit, configured to detect whether a first IP pair in the virtual probe data has a duplicate packet number;
the first acquisition unit is used for acquiring mirror image rules corresponding to a first target IP and a second target IP in the first IP pair in the virtual probe data if the first IP pair has repeated packet numbers;
the judging unit is used for determining whether the first target IP and the second target IP are simultaneously present in the two mirror image rules or not, and the acquisition directions are the same;
the fourth determining unit is used for determining that the detection result is that the mirror image rule corresponding to the first target IP and the second target IP is repeatedly configured if the first target IP and the second target IP are simultaneously present in the two mirror image rules and the acquisition directions are the same;
the detection unit is used for detecting whether the first target IP and the second target IP are simultaneously present in the configuration rule or not if the first target IP and the second target IP are not simultaneously present in the two mirror image rules or the acquisition directions are different;
and the fifth determining unit is used for determining that the detection result is that the mirror image rule corresponding to the first target IP and the second target IP is repeatedly configured if the first target IP and the second target IP are simultaneously present in the configuration rule.
The embodiment of the invention also provides a flow mirror image detection device, which comprises a transceiver and a processor;
the processor is configured to:
acquiring a virtualized acquisition planning table, virtual probe data and virtual switch OVS data;
and detecting the virtual probe data and/or the OVS data according to the virtualized acquisition planning table to obtain a detection result.
The embodiment of the invention also provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps in the flow mirror detection method described above.
The beneficial effects of the invention are as follows:
In the above scheme, the virtual probe data and/or the OVS data are checked against the virtualized acquisition planning table to determine whether the acquired virtualized traffic data are accurate, which helps operation and maintenance personnel adjust inaccurate virtualized traffic data acquisition rules in time so that accurate virtualized traffic data can be acquired.
Drawings
FIG. 1 is a flow chart of a flow mirror detection method according to an embodiment of the present invention;
FIG. 2 is an architecture diagram of the virtual traffic detection device;
FIG. 3 is a functional diagram of the virtual traffic detection device;
FIG. 4 is a schematic diagram of a specific implementation flow of rule missing configuration according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a specific implementation flow of incorrect delivery of a virtualized acquisition plan table according to an embodiment of the invention;
FIG. 6 is a schematic diagram of a specific implementation of mirror rule repetition configuration according to an embodiment of the present invention;
FIG. 7 is a schematic block diagram of a flow mirror detection device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in detail below with reference to the drawings and the specific embodiments thereof in order to make the objects, technical solutions and advantages of the present invention more apparent.
The invention provides a flow mirror image detection method and device aiming at the problem that the integrity and accuracy of data of a virtualized acquisition scheme cannot be guaranteed in the existing 5G.
As shown in fig. 1, the flow mirror detection method according to the embodiment of the present invention includes:
step 11, acquiring a virtualized acquisition planning table, virtual probe data and virtual switch OVS data;
and step 12, detecting the virtual probe data and/or the OVS data according to the virtualized acquisition planning table to obtain a detection result.
It should be noted that the flow mirror detection method is applied to a flow mirror detection device (which may also be referred to as a virtual traffic detection device). Specifically, as shown in the architecture diagram of FIG. 2, flow rules (Flow) for the traffic between the virtual network elements VNF1 and VNF2 are configured on the OVS through the virtual TAP, and the OVS then mirrors the traffic between the virtual network elements from the monitored port to the mirror port where the acquisition probe is located. The virtual traffic detection device detects the data collected by the virtual probe and the OVS by obtaining the virtualized acquisition planning table, which mainly consists of network element information, filtering rules and a target port mapping table, by obtaining flow statistics from the virtual probe, and by obtaining from the OVS the data flows that are not matched to any virtualized acquisition planning table.
Here, the virtual traffic detection device can interface with the OVS and the virtual probe (or any other virtual receiving device), so as to conveniently receive the data streams sent by the OVS and the virtual probe.
Specifically, in the embodiment of the invention, virtual probe data is obtained by interacting with the virtual probe to obtain the flow statistics of each flow rule; the ways of interacting with the virtual probe include, but are not limited to, real-time message communication and file transmission.
Specifically, in the embodiment of the invention, OVS data is acquired by periodically sending a query command to the OVS to obtain the flow statistics that are not matched with the virtualized acquisition planning table.
Further, FIG. 3 shows a functional diagram of the virtual traffic detection device.
The virtual traffic detection device mainly comprises: an OVS data receiving module, a virtual probe data receiving module, a virtualized acquisition rule table import and parsing module, a data synthesis module, a comparison and analysis module, and a report output module.
The specific functions of the modules are as follows:
The virtualized acquisition rule table import and parsing module parses the imported virtualized acquisition planning table. Note that the data contained in the virtualized acquisition planning table may be imported manually in one pass.
The rule table import and parsing module processes the data source of the virtualized acquisition planning table to generate the data format shown in Table 1:
TABLE 1
Figure GDA0004109575460000081
The OVS data receiving module periodically sends a query command to the OVS to acquire the flow statistics of each flow rule, and also receives and decodes the data stream of the default rule.
The virtual probe data receiving module interacts with the virtual probe to acquire the flow statistics of each flow rule.
The data synthesis module aligns the OVS data, the virtual probe data and the default-rule data stream on their timestamps and aggregates the statistics with IP and port as dimensions.
Note that the data synthesis module processes the virtual probe data to generate the data format shown in Table 2:
TABLE 2
Figure GDA0004109575460000082
Note that the number of repeated packets can be counted by checking whether the hash value of the payload is repeated.
After the OVS data is acquired, the data synthesis module parses the flows to generate samples in the same format as the virtual probe data.
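The synthesis step described above can be sketched as follows. This is an added example, not code from the patent: the record layout, the 60-second period and the choice of SHA-256 are assumptions, since Table 2 survives only as an image reference.

```python
import hashlib
from collections import defaultdict

PERIOD_S = 60  # assumed statistics period; the patent does not give a value


def synthesize(records, period_s=PERIOD_S):
    """Align records from several sources on time and aggregate them.

    Each record is (source, timestamp, src_ip, dst_ip, port, payload), where
    source is "probe" or "ovs" (assumed layout). Records are bucketed by
    period start, then by (src_ip, dst_ip, port). A packet counts as a
    duplicate when the hash of its payload was already seen from the same
    source in the same bucket.
    """
    stats = defaultdict(dict)
    seen_hashes = defaultdict(set)
    for source, ts, src_ip, dst_ip, port, payload in records:
        bucket = int(ts) // period_s * period_s       # timestamp alignment
        key = (bucket, src_ip, dst_ip, port)          # IP and port dimensions
        row = stats[key].setdefault(
            source, {"packets": 0, "bytes": 0, "duplicates": 0})
        row["packets"] += 1
        row["bytes"] += len(payload)
        digest = hashlib.sha256(payload).digest()
        if digest in seen_hashes[(key, source)]:
            row["duplicates"] += 1                    # same payload mirrored again
        else:
            seen_hashes[(key, source)].add(digest)
    return dict(stats)


# Constructed sample input (not real traffic).
SAMPLE_RECORDS = [
    ("probe", 3, "10.0.0.1", "10.0.0.2", 5, b"reg-req-1"),
    ("probe", 4, "10.0.0.1", "10.0.0.2", 5, b"reg-req-1"),   # mirrored twice
    ("probe", 10, "10.0.0.1", "10.0.0.2", 5, b"reg-req-2"),
    ("probe", 65, "10.0.0.1", "10.0.0.2", 5, b"reg-req-1"),  # next period
    ("ovs", 12, "10.0.0.9", "10.0.0.2", 0, b"hello"),        # default-rule flow
]

if __name__ == "__main__":
    for key, per_source in sorted(synthesize(SAMPLE_RECORDS).items()):
        print(key, per_source)
```

A non-zero duplicate count for an IP pair is the signal that triggers the check for repeatedly configured mirror rules.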
The comparison and analysis module compares the OVS data with the virtual probe data indicators, judges whether virtual network traffic acquisition is accurate, and locates the cause of any inaccuracy.
The report output module outputs, for each flow rule, the OVS and virtual probe statistics, whether they are accurate, and the reasons for any inaccuracy; the output can take the form of a report or an interface display.
The main detection functions of the virtual traffic detection device are described in detail below.
The virtual traffic detection device mainly detects four kinds of problems: rule missing configuration, incorrect delivery of the virtualized acquisition planning table, a network element configured with the wrong target port, and repeated configuration of mirror rules. These functions are mainly implemented by the comparison and analysis module.
1. Rule missing configuration
In particular, in this case, the specific implementation of step 12 includes at least one of the following:
A11, detecting whether a first IP whose acquisition direction in the virtualized acquisition planning table is the out direction (OUT) or the in-out direction (BOTH) appears in the source IP list in the virtual probe data with a consistent corresponding port; if the first IP does not appear in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is rule missing configuration, and obtaining the missed-configuration IP or IP pair;
specifically, a first IP (or IP pair) that does not appear in the source IP list in the virtual probe data is determined to be a missed-configuration IP or IP pair.
A12, detecting whether the second IPs whose acquisition direction in the virtualized acquisition planning table is the in direction (IN) or the in-out direction all appear in the source IP list in the virtual probe data with consistent corresponding ports; if the second IPs do not all appear in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is rule missing configuration, and obtaining the missed-configuration IP or IP pair;
specifically, a second IP (or IP pair) that does not appear in the source IP list in the virtual probe data is determined to be a missed-configuration IP or IP pair.
A13, detecting whether a third IP whose acquisition direction in the virtualized acquisition planning table is the out direction or the in-out direction appears in the source IP list in the OVS data; if the third IP appears in the source IP list in the OVS data, determining that the detection result is rule missing configuration, and obtaining the missed-configuration IP or IP pair;
specifically, a third IP (or IP pair) that appears in the source IP list in the OVS data is determined to be a missed-configuration IP or IP pair.
A14, detecting whether a fourth IP whose acquisition direction in the virtualized acquisition planning table is the in direction or the in-out direction appears in the source IP list in the OVS data; if the fourth IP appears in the source IP list in the OVS data, determining that the detection result is rule missing configuration, and obtaining the missed-configuration IP or IP pair;
specifically, a fourth IP (or IP pair) that appears in the source IP list in the OVS data is determined to be a missed-configuration IP or IP pair.
In the specific implementation, the above four cases need to be detected one by one, and the specific case is not particularly limited.
As shown in fig. 4, a specific flow of an alternative implementation is:
Step 41, collecting all data sources in the same period;
Step 42, detecting whether the first IP whose acquisition direction in the virtualized acquisition planning table is the out direction or the in-out direction appears in the source IP list in the virtual probe data with a consistent corresponding port;
if the first IP does not appear in the source IP list in the virtual probe data or the corresponding ports are inconsistent, executing step 46; otherwise, executing step 43;
Step 43, detecting whether the second IPs whose acquisition direction in the virtualized acquisition planning table is the in direction or the in-out direction all appear in the source IP list in the virtual probe data with consistent corresponding ports;
if the second IP does not appear in the source IP list in the virtual probe data or the corresponding ports are inconsistent, executing step 46; otherwise, executing step 44;
Step 44, detecting whether the third IP whose acquisition direction in the virtualized acquisition planning table is the out direction or the in-out direction appears in the source IP list in the OVS data;
if the third IP appears in the source IP list in the OVS data, executing step 46; otherwise, executing step 45;
Step 45, detecting whether a fourth IP whose acquisition direction in the virtualized acquisition planning table is the in direction or the in-out direction appears in the source IP list in the OVS data;
if the fourth IP appears in the source IP list in the OVS data, executing step 46; otherwise, ending the flow;
Step 46, determining that the detection result is rule missing configuration, and obtaining the missed-configuration IP or IP pair.
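The four checks A11 to A14 can be written as one comparison routine. The following is an added example, not code from the patent: the field names and data shapes are assumptions, and unlike the FIG. 4 flow, which jumps to step 46 on the first failing check, it runs all four checks and reports every hit.

```python
from dataclasses import dataclass

OUT_DIRS = ("OUT", "BOTH")  # directions covered by A11 and A13
IN_DIRS = ("IN", "BOTH")    # directions covered by A12 and A14


@dataclass(frozen=True)
class PlanEntry:
    """One row of the virtualized acquisition planning table (assumed fields)."""
    ip: str          # network element IP whose traffic should be mirrored
    port: int        # target port from the target port mapping table
    direction: str   # "IN", "OUT" or "BOTH"


@dataclass(frozen=True)
class Finding:
    check: str       # "A11" .. "A14"
    ip: str
    reason: str


def detect_missing_rules(plan, probe_sources, ovs_unmatched):
    """Return the findings for rule missing configuration.

    plan:          list of PlanEntry
    probe_sources: dict mapping source IP -> set of ports the probe saw it on
    ovs_unmatched: set of source IPs in OVS traffic that matched no mirror rule
    """
    findings = []
    # A11 / A12: a planned IP must appear in the probe data on the planned port.
    for check, dirs in (("A11", OUT_DIRS), ("A12", IN_DIRS)):
        for entry in plan:
            if entry.direction not in dirs:
                continue
            ports = probe_sources.get(entry.ip)
            if ports is None:
                findings.append(Finding(check, entry.ip,
                                        "absent from probe source IP list"))
            elif entry.port not in ports:
                findings.append(Finding(
                    check, entry.ip,
                    f"port mismatch: planned {entry.port}, probe saw {sorted(ports)}"))
    # A13 / A14: a planned IP must NOT appear in the unmatched OVS traffic.
    for check, dirs in (("A13", OUT_DIRS), ("A14", IN_DIRS)):
        for entry in plan:
            if entry.direction in dirs and entry.ip in ovs_unmatched:
                findings.append(Finding(check, entry.ip,
                                        "present in unmatched OVS traffic"))
    return findings


def missed_ips(findings):
    """Deduplicated list of missed-configuration IPs (step 46 output)."""
    return sorted({f.ip for f in findings})


# Constructed sample data for one collection period (step 41).
PLAN = [
    PlanEntry("10.0.0.1", 5, "OUT"),
    PlanEntry("10.0.0.2", 5, "IN"),
    PlanEntry("10.0.0.3", 6, "BOTH"),
    PlanEntry("10.0.0.4", 6, "OUT"),
]
PROBE_SOURCES = {"10.0.0.1": {5}, "10.0.0.2": {7}, "10.0.0.3": {6}}
OVS_UNMATCHED = {"10.0.0.4", "10.0.0.9"}  # 10.0.0.9 is not planned, so ignored

if __name__ == "__main__":
    for f in detect_missing_rules(PLAN, PROBE_SOURCES, OVS_UNMATCHED):
        print(f.check, f.ip, f.reason)
```

In the sample, 10.0.0.4 is flagged twice (absent from the probe, present in unmatched OVS traffic), which is the strongest indication that its mirror rule was never configured.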
2. Incorrect delivery of virtualized acquisition planning tables
Specifically, in this case, the specific implementation manner of step 12 is:
summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
detecting whether source IPs in the virtual probe data are all present in the IP with the acquisition direction being the exit direction or the entrance direction in the virtualized acquisition planning table, and the corresponding ports are consistent, if the source IPs are not present in the IP with the acquisition direction being the exit direction or the entrance direction in the virtualized acquisition planning table or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table is not issued correctly, and obtaining an incorrectly issued IP or IP pair; and/or
Detecting whether source IPs in the virtual probe data are all appeared in the virtualized acquisition planning table, wherein the acquisition direction of the source IPs is the IP in the in-direction or the in-out direction, and the corresponding ports are consistent, if the source IPs are not appeared in the virtualized acquisition planning table, the acquisition direction of the source IPs is the IP in the in-direction or the in-out direction, or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table is not issued correctly, and obtaining the incorrectly issued IP or IP pair.
In this case, if a source IP in the virtual probe data is not an IP that appears in the virtualized acquisition planning table, or the corresponding ports are inconsistent, this indicates that the virtualized acquisition planning table was not parsed correctly when the data was acquired, that is, the virtualized acquisition planning table is not issued correctly.
In the specific implementation, the above two cases need to be detected one by one, and the specific case is not particularly limited.
As shown in fig. 5, a specific flow of an alternative implementation is:
step 51, collecting all data sources in the same period;
step 52, summarizing network element IP associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
step 53, detecting whether source IPs in the virtual probe data are all appeared in IPs with the collection direction being the exit direction or the entry direction in the virtualized collection plan table, and the corresponding ports are consistent;
if any source IP does not appear among those IPs, or the corresponding ports are inconsistent, executing step 55, otherwise, executing step 54;
step 54, detecting whether source IPs in the virtual probe data are all appeared in IPs whose acquisition direction is an in-direction or an out-in direction in the virtualized acquisition planning table, and the corresponding ports are consistent;
if any source IP does not appear among those IPs, or the corresponding ports are inconsistent, step 55 is executed, otherwise, the flow is ended;
step 55, determining that the detection result is that the virtualized acquisition planning table is not issued correctly, and obtaining an incorrectly issued IP or IP pair.
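The checks of cases 1 and 2 above, written out as an added Python example (not code from the patent). The record layouts, field names, step labels and sample data are constructed for illustration; the two direction groups are read here as "out or in-out" and "in or in-out", and case 2 accepts a source IP that the table plans in any direction.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the two direction groups the text checks are read as
# "out or in-out" and "in or in-out".
OUT_CLASS = frozenset({"out", "in-out"})
IN_CLASS = frozenset({"in", "in-out"})


@dataclass(frozen=True)
class PlanEntry:
    """One row of the virtualized acquisition planning table (hypothetical layout)."""
    ip: str
    port: str        # target port the mirrored traffic is planned to reach
    direction: str   # "in", "out" or "in-out"


@dataclass(frozen=True)
class ProbeFlow:
    """One per-flow-rule statistic reported by the virtual probe (hypothetical layout)."""
    src_ip: str
    port: str
    packets: int


def ports_by_ip(rows, ip_field):
    """Summarize rows as IP -> set of ports, so port consistency is one lookup."""
    index = defaultdict(set)
    for row in rows:
        index[getattr(row, ip_field)].add(row.port)
    return index


def missed_rules(plan, probe, ovs_unmatched_src):
    """Case 1: return (failing check, missed IPs), or (None, []) if every check passes.

    The two probe checks look for planned IPs that the probe never saw as a
    source on the planned port; the two OVS checks look for planned IPs among
    the OVS statistics that matched no planned rule. As in the flow, the first
    failing check ends the detection. The check labels are this example's own.
    """
    seen = ports_by_ip(probe, "src_ip")
    checks = [
        ("probe/out", OUT_CLASS, lambda e: e.port not in seen.get(e.ip, ())),
        ("probe/in", IN_CLASS, lambda e: e.port not in seen.get(e.ip, ())),
        ("ovs/out", OUT_CLASS, lambda e: e.ip in ovs_unmatched_src),
        ("ovs/in", IN_CLASS, lambda e: e.ip in ovs_unmatched_src),
    ]
    for name, group, is_missed in checks:
        found = sorted({e.ip for e in plan if e.direction in group and is_missed(e)})
        if found:
            return name, found
    return None, []


def plan_not_issued(plan, probe):
    """Case 2: probe source IPs that the table does not plan, or plans on another port."""
    planned = ports_by_ip(plan, "ip")
    return sorted({f.src_ip for f in probe if f.port not in planned.get(f.src_ip, ())})


# Constructed sample data for one collection period.
PLAN = [
    PlanEntry("10.0.0.1", "p1", "out"),
    PlanEntry("10.0.0.2", "p1", "in-out"),
    PlanEntry("10.0.0.3", "p2", "in"),
]
PROBE = [
    ProbeFlow("10.0.0.1", "p1", 120),
    ProbeFlow("10.0.0.2", "p2", 80),    # planned on p1, seen on p2
    ProbeFlow("10.0.0.9", "p2", 15),    # not in the planning table
    ProbeFlow("10.0.0.3", "p2", 40),
]
OVS_UNMATCHED_SRC = {"10.0.0.3"}        # source IPs of flows that matched no rule

if __name__ == "__main__":
    print(missed_rules(PLAN, PROBE, OVS_UNMATCHED_SRC))
    print(plan_not_issued(PLAN, PROBE))
```

Because the flow stops at the first failing check, the OVS findings only surface once the probe checks pass, so a clean result requires re-running the detection after each correction.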
3. Network element mismatching destination port
Specifically, in this case, the specific implementation manner of step 12 is:
summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
detecting whether a first network element appearing in the first port in the virtual probe data does not appear in the virtualized acquisition planning table, and if the first network element appearing in the first port does not appear in the virtualized acquisition planning table, determining that the detection result is that the first network element is wrongly provided with the target port.
4. Mirror image rule repetition configuration
Specifically, in this case, the specific implementation manner of step 12 is:
summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
detecting whether the first IP pair in the virtual probe data has repeated packet numbers;
if the first IP pair has the repeated packet number, acquiring a mirror image rule corresponding to a first target IP and a second target IP in the first IP pair in the virtual probe data;
determining whether the first target IP and the second target IP are simultaneously present in two mirror image rules or not, wherein the acquisition directions are the same;
if the first target IP and the second target IP are simultaneously present in the two mirror image rules and the acquisition directions are the same, determining that the detection result is that the mirror image rules corresponding to the first target IP and the second target IP are repeatedly configured;
if the first target IP and the second target IP do not appear in the two mirror image rules at the same time or the acquisition directions are different, detecting whether the first target IP and the second target IP appear in the configuration rule at the same time;
if the first target IP and the second target IP are simultaneously present in the configuration rule, determining that the detection result is that the mirror image rule corresponding to the first target IP and the second target IP is repeatedly configured.
As shown in fig. 6, a specific flow of an alternative implementation is:
step 61, collecting all data sources in the same period;
step 62, taking the port as an index, summarizing network element IP associated with the port in the virtualized acquisition planning table and the virtual probe data;
step 63, detecting whether the first IP pair in the virtual probe data has repeated packet number;
if the number of the repeated packets appears in the first IP pair, executing a step 64, otherwise, ending the flow;
step 64, obtaining mirror image rules corresponding to a first target IP and a second target IP in the first IP pair in the virtual probe data;
step 65, detecting whether the first target IP and the second target IP are simultaneously present in two mirror image rules and the acquisition directions are the same;
if the first target IP and the second target IP are simultaneously present in the two mirror image rules and the collection directions are the same, executing step 67, otherwise, executing step 66;
step 66, detecting whether the first target IP and the second target IP are simultaneously present in the configuration rule;
if the first target IP and the second target IP are present in the configuration rule at the same time, step 67 is executed, otherwise, the flow is ended.
step 67, determining that the detection result is that the mirror image rule corresponding to the first target IP and the second target IP is repeatedly configured.
It should be noted that, in the embodiment of the present invention, by using the virtualized acquisition planning table, the virtual probe data and/or OVS data are detected to determine whether the acquired virtualized traffic data is accurate, so as to assist an operation and maintenance person to adjust an inaccurate virtualized traffic data acquisition rule in time, thereby ensuring that accurate virtualized traffic data can be acquired.
As shown in fig. 7, a flow mirror detection apparatus 70 according to an embodiment of the present invention includes:
a first obtaining module 71, configured to obtain a virtualized acquisition plan table, virtual probe data, and virtual switch OVS data;
and a second obtaining module 72, configured to detect the virtual probe data and/or OVS data according to the virtualized acquisition plan table, and obtain a detection result.
Specifically, the virtualized acquisition planning table includes: network element information, filtering rules and a target port mapping table.
Optionally, when the first obtaining module 71 obtains virtual probe data, it is configured to implement:
and interacting with the virtual probe to obtain flow statistic data of each flow rule.
Optionally, when the first obtaining module 71 obtains OVS data, it is configured to:
and periodically sending a query command to the OVS to acquire flow statistic data which is not matched with the virtualized acquisition planning table.
Optionally, the second obtaining module 72 is configured to implement at least one of:
detecting whether a first IP with the acquisition direction of an exit direction or an entry direction in a virtualized acquisition planning table appears in a source IP list in virtual probe data and corresponding ports are consistent, if the first IP does not appear in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is regular missed allocation, and obtaining a missed allocation IP or IP pair;
detecting whether second IPs with the acquisition direction of the input direction or the output direction in the virtualized acquisition planning table are all in a source IP list in the virtual probe data and the corresponding ports are consistent, if the second IPs are not all in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is regular missed allocation, and obtaining missed allocation IP or IP pairs;
detecting whether a third IP with the acquisition direction of the output direction or the input direction in the virtualized acquisition planning table appears in a source IP list in the OVS data, if the third IP appears in the source IP list in the OVS data, determining that the detection result is regular missed allocation, and obtaining a missed allocation IP or IP pair;
detecting whether a fourth IP with the acquisition direction of the input direction or the output direction in the virtualized acquisition planning table appears in a source IP list in the OVS data, if the fourth IP appears in the source IP list in the OVS data, determining that the detection result is regular missed allocation, and obtaining the missed allocation IP or IP pair.
Optionally, the second obtaining module 72 includes:
the first summarizing unit is used for summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
the first determining unit is used for detecting whether source IPs in the virtual probe data are all appeared in the virtualized acquisition planning table, wherein the acquisition direction is the IP of the exit direction or the entrance direction, and the corresponding ports are consistent, if the source IPs are not appeared in the virtualized acquisition planning table, the acquisition direction is the IP of the exit direction or the entrance direction, or the corresponding ports are inconsistent, the detecting result is determined to be that the virtualized acquisition planning table is not issued correctly, and an incorrectly issued IP or IP pair is obtained; and/or
The second determining unit is configured to detect whether source IPs in the virtual probe data are all present in IPs with an acquisition direction being an in-direction or an in-out direction in the virtualized acquisition plan table, and the corresponding ports are consistent, and if the source IPs are not present in IPs with an acquisition direction being an in-direction or an in-out direction in the virtualized acquisition plan table, or the corresponding ports are inconsistent, determine that the detection result is that the virtualized acquisition plan table is not issued correctly, and obtain an IP or an IP pair that is issued incorrectly.
Optionally, the second obtaining module 72 includes:
The second summarizing unit is used for summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
and the third determining unit is used for detecting whether the first network element appearing in the first port in the virtual probe data does not appear in the virtualized acquisition planning table, and if the first network element appearing in the first port does not appear in the virtualized acquisition planning table, determining that the detection result is that the first network element is wrongly provided with the target port.
Optionally, the second obtaining module 72 includes:
the third summarizing unit is used for summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
a detection unit, configured to detect whether a first IP pair in the virtual probe data has a duplicate packet number;
the first acquisition unit is used for acquiring mirror image rules corresponding to a first target IP and a second target IP in the first IP pair in the virtual probe data if the first IP pair has repeated packet numbers;
the judging unit is used for determining whether the first target IP and the second target IP are simultaneously present in the two mirror image rules or not, and the acquisition directions are the same;
the fourth determining unit is used for determining that the detection result is that the mirror image rule corresponding to the first target IP and the second target IP is repeatedly configured if the first target IP and the second target IP are simultaneously present in the two mirror image rules and the acquisition directions are the same;
The detection unit is used for detecting whether the first target IP and the second target IP are simultaneously present in the configuration rule or not if the first target IP and the second target IP are not simultaneously present in the two mirror image rules or the acquisition directions are different;
and the fifth determining unit is used for determining that the detection result is that the mirror image rule corresponding to the first target IP and the second target IP is repeatedly configured if the first target IP and the second target IP are simultaneously present in the configuration rule.
It should be noted that the embodiment of the present invention describes the main functional modules of the flow mirror detection device 70; the flow mirror detection device 70 further includes all functional modules that implement the functions of the flow mirror detection device 70 mentioned in the above embodiment and that are different from those of the embodiment of the present invention.
It should be noted that, the flow mirror image detection device provided in the embodiment of the present invention is a device capable of executing the flow mirror image detection method, and all implementation manners in the flow mirror image detection method embodiment are applicable to the device, and the same or similar beneficial effects can be achieved.
The embodiment of the invention also provides a flow mirror image detection device, which comprises a transceiver and a processor;
the processor is configured to:
Acquiring a virtualized acquisition planning table, virtual probe data and virtual switch OVS data;
and detecting the virtual probe data and/or the OVS data according to the virtualized acquisition planning table to obtain a detection result.
Specifically, the virtualized acquisition planning table includes: network element information, filtering rules and a target port mapping table.
Optionally, the processor acquires virtual probe data for implementing:
and interacting with the virtual probe to obtain flow statistic data of each flow rule.
Optionally, the processor acquires OVS data for implementing:
and periodically sending a query command to the OVS to acquire flow statistic data which is not matched with the virtualized acquisition planning table.
Optionally, the processor detects the virtual probe data and/or OVS data according to the virtualized acquisition plan table, and obtains a detection result, so as to implement at least one of the following:
detecting whether a first IP with the acquisition direction of an exit direction or an entry direction in a virtualized acquisition planning table appears in a source IP list in virtual probe data and corresponding ports are consistent, if the first IP does not appear in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is regular missed allocation, and obtaining a missed allocation IP or IP pair;
Detecting whether second IPs with the acquisition direction of the input direction or the output direction in the virtualized acquisition planning table are all in a source IP list in the virtual probe data and the corresponding ports are consistent, if the second IPs are not all in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is regular missed allocation, and obtaining missed allocation IP or IP pairs;
detecting whether a third IP with the acquisition direction of the output direction or the input direction in the virtualized acquisition planning table appears in a source IP list in the OVS data, if the third IP appears in the source IP list in the OVS data, determining that the detection result is regular missed allocation, and obtaining a missed allocation IP or IP pair;
detecting whether a fourth IP with the acquisition direction of the input direction or the output direction in the virtualized acquisition planning table appears in a source IP list in the OVS data, if the fourth IP appears in the source IP list in the OVS data, determining that the detection result is regular missed allocation, and obtaining the missed allocation IP or IP pair.
Optionally, the processor detects the virtual probe data and/or OVS data according to the virtualized acquisition plan table, and obtains a detection result, which is used for implementing:
Summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
detecting whether source IPs in the virtual probe data are all present in the IP with the acquisition direction being the exit direction or the entrance direction in the virtualized acquisition planning table, and the corresponding ports are consistent, if the source IPs are not present in the IP with the acquisition direction being the exit direction or the entrance direction in the virtualized acquisition planning table or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table is not issued correctly, and obtaining an incorrectly issued IP or IP pair; and/or
Detecting whether source IPs in the virtual probe data are all appeared in the virtualized acquisition planning table, wherein the acquisition direction of the source IPs is the IP in the in-direction or the in-out direction, and the corresponding ports are consistent, if the source IPs are not appeared in the virtualized acquisition planning table, the acquisition direction of the source IPs is the IP in the in-direction or the in-out direction, or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table is not issued correctly, and obtaining the incorrectly issued IP or IP pair.
Optionally, the processor detects the virtual probe data and/or OVS data according to the virtualized acquisition plan table, and obtains a detection result, which is used for implementing:
Summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
detecting whether a first network element appearing in the first port in the virtual probe data does not appear in the virtualized acquisition planning table, and if the first network element appearing in the first port does not appear in the virtualized acquisition planning table, determining that the detection result is that the first network element is wrongly provided with the target port.
Optionally, the processor detects the virtual probe data and/or OVS data according to the virtualized acquisition plan table, and obtains a detection result, which is used for implementing:
summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
detecting whether the first IP pair in the virtual probe data has repeated packet numbers;
if the first IP pair has the repeated packet number, acquiring a mirror image rule corresponding to a first target IP and a second target IP in the first IP pair in the virtual probe data;
determining whether the first target IP and the second target IP are simultaneously present in two mirror image rules or not, wherein the acquisition directions are the same;
if the first target IP and the second target IP are simultaneously present in the two mirror image rules and the acquisition directions are the same, determining that the detection result is that the mirror image rules corresponding to the first target IP and the second target IP are repeatedly configured;
If the first target IP and the second target IP do not appear in the two mirror image rules at the same time or the acquisition directions are different, detecting whether the first target IP and the second target IP appear in the configuration rule at the same time;
if the first target IP and the second target IP are simultaneously present in the configuration rule, determining that the detection result is that the mirror image rule corresponding to the first target IP and the second target IP is repeatedly configured.
The embodiment of the invention also provides a flow mirror image detection device, which comprises a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the processor, when executing the program, implements each process in the flow mirror image detection method embodiment described above and can achieve the same technical effect; to avoid repetition, the description is not repeated here.
The embodiment of the present invention further provides a computer readable storage medium, on which a computer program is stored, where the program, when executed by a processor, implements each process in the embodiment of the flow mirror detection method described above, and the same technical effects can be achieved; to avoid repetition, no further description is given here. The computer readable storage medium is selected from a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, magnetic disk storage and optical storage, etc.) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block or blocks.
These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and changes can be made without departing from the principles of the present invention, and such modifications and changes are intended to be within the scope of the present invention.

Claims (8)

1. A traffic mirror detection method, comprising:
Acquiring a virtualized acquisition planning table, virtual probe data and virtual switch OVS data; the virtualized acquisition planning table comprises the following components: network element information, filtering rules and a target port mapping table;
detecting the virtual probe data and/or the OVS data according to the virtualized acquisition planning table to obtain a detection result;
the virtual probe data and/or OVS data are detected according to the virtualized acquisition planning table, and a detection result is obtained, including at least one of the following:
detecting whether a first IP with the acquisition direction of an exit direction or an entry direction in a virtualized acquisition planning table appears in a source IP list in virtual probe data and corresponding ports are consistent, if the first IP does not appear in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is regular missed allocation, and obtaining a missed allocation IP or IP pair; wherein the IP or the IP pair, among the first IPs, that does not appear in the source IP list in the virtual probe data is determined to be the IP or the IP pair of the missed configuration; otherwise,
detecting whether second IPs with the acquisition direction of the input direction or the output direction in the virtualized acquisition planning table are all in a source IP list in the virtual probe data and the corresponding ports are consistent, if the second IPs are not all in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is regular missed allocation, and obtaining missed allocation IP or IP pairs; wherein the IP or the IP pair, among the second IPs, that does not appear in the source IP list in the virtual probe data is determined to be the IP or the IP pair of the missed configuration; otherwise,
Detecting whether a third IP with the acquisition direction of the output direction or the input direction in the virtualized acquisition planning table appears in a source IP list in the OVS data, if the third IP appears in the source IP list in the OVS data, determining that the detection result is regular missed allocation, and obtaining a missed allocation IP or IP pair; wherein, the IP or the IP pair in the source IP list appearing in the OVS data in the third IP is determined as the IP or the IP pair of the missed configuration;
if the third IP is not in the source IP list in the OVS data, detecting whether a fourth IP with the acquisition direction being the input direction or the output direction in the virtualized acquisition planning table is in the source IP list in the OVS data, if the fourth IP is in the source IP list in the OVS data, determining that the detection result is regular missed allocation, and obtaining a missed allocation IP or IP pair; wherein, the IP or the IP pair in the source IP list appearing in the OVS data in the fourth IP is determined as the IP or the IP pair of the missed configuration;
or detecting the virtual probe data and/or the OVS data according to the virtualized acquisition planning table, to obtain a detection result, including:
summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
Detecting whether source IPs in the virtual probe data are all present in the IP with the acquisition direction being the exit direction or the entrance direction in the virtualized acquisition planning table, and the corresponding ports are consistent, if the source IPs are not present in the IP with the acquisition direction being the exit direction or the entrance direction in the virtualized acquisition planning table or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table is not issued correctly, and obtaining an incorrectly issued IP or IP pair; and/or
Detecting whether source IPs in the virtual probe data are all present in the IP with the acquisition direction being the inlet direction or the outlet direction in the virtualized acquisition planning table, and the corresponding ports are consistent, if the source IPs are not present in the virtualized acquisition planning table, the IP with the acquisition direction being the inlet direction or the outlet direction or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table is not issued correctly, and obtaining an incorrectly issued IP or IP pair;
or detecting the virtual probe data and/or the OVS data according to the virtualized acquisition planning table, to obtain a detection result, including:
summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
detecting whether a first network element appearing in a first port in the virtual probe data does not appear in the virtualized acquisition planning table, and if the first network element appearing in the first port does not appear in the virtualized acquisition planning table, determining that the detection result is that the first network element is wrongly provided with a target port;
Or detecting the virtual probe data and/or the OVS data according to the virtualized acquisition planning table, to obtain a detection result, including:
summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
detecting whether the first IP pair in the virtual probe data has repeated packet numbers;
if the first IP pair has the repeated packet number, acquiring a mirror image rule corresponding to a first target IP and a second target IP in the first IP pair in the virtual probe data;
determining whether the first target IP and the second target IP are simultaneously present in two mirror image rules or not, wherein the acquisition directions are the same;
if the first target IP and the second target IP are simultaneously present in the two mirror image rules and the acquisition directions are the same, determining that the detection result is that the mirror image rules corresponding to the first target IP and the second target IP are repeatedly configured;
if the first target IP and the second target IP do not appear in the two mirror image rules at the same time and the acquisition directions are different, detecting whether the first target IP and the second target IP appear in the configuration rule at the same time;
if the first target IP and the second target IP are simultaneously present in the configuration rule, determining that the detection result is that the mirror image rule corresponding to the first target IP and the second target IP is repeatedly configured.
2. The flow mirror detection method of claim 1, wherein obtaining virtual probe data comprises:
and interacting with the virtual probe to obtain flow statistic data of each flow rule.
3. The flow mirror detection method of claim 1, wherein obtaining OVS data comprises:
and periodically sending a query command to the OVS to acquire flow statistic data which is not matched with the virtualized acquisition planning table.
4. A flow mirror detection apparatus, comprising:
the first acquisition module is used for acquiring a virtualized acquisition planning table, virtual probe data and virtual switch OVS data; the virtualized acquisition planning table comprises the following components: network element information, filtering rules and a target port mapping table;
the second acquisition module is used for detecting the virtual probe data and/or the OVS data according to the virtualized acquisition planning table to acquire a detection result;
the second acquisition module is used for realizing at least one of the following:
detecting whether a first IP with the acquisition direction of an exit direction or an entry direction in a virtualized acquisition planning table appears in a source IP list in virtual probe data and corresponding ports are consistent, if the first IP does not appear in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is regular missed allocation, and obtaining a missed allocation IP or IP pair; wherein the IP or the IP pair, among the first IPs, that does not appear in the source IP list in the virtual probe data is determined to be the IP or the IP pair of the missed configuration; otherwise,
detecting whether second IPs with the acquisition direction of the input direction or the output direction in the virtualized acquisition planning table are all in a source IP list in the virtual probe data and the corresponding ports are consistent, if the second IPs are not all in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is regular missed allocation, and obtaining missed allocation IP or IP pairs; wherein the IP or the IP pair, among the second IPs, that does not appear in the source IP list in the virtual probe data is determined to be the IP or the IP pair of the missed configuration; otherwise,
detecting whether a third IP with the acquisition direction of the output direction or the input direction in the virtualized acquisition planning table appears in a source IP list in the OVS data, if the third IP appears in the source IP list in the OVS data, determining that the detection result is regular missed allocation, and obtaining a missed allocation IP or IP pair; wherein the IP or the IP pair, among the third IPs, that appears in the source IP list in the OVS data is determined as the IP or the IP pair of the missed configuration;
if the third IP is not in the source IP list in the OVS data, detecting whether a fourth IP with the acquisition direction being the input direction or the output direction in the virtualized acquisition planning table is in the source IP list in the OVS data, if the fourth IP is in the source IP list in the OVS data, determining that the detection result is regular missed allocation, and obtaining a missed allocation IP or IP pair; wherein the IP or the IP pair, among the fourth IPs, that appears in the source IP list in the OVS data is determined as the IP or the IP pair of the missed configuration;
Or, the second acquisition module includes:
the first summarizing unit is used for summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
the first determining unit is used for detecting whether source IPs in the virtual probe data all appear among the IPs whose acquisition direction is the exit direction or the entrance direction in the virtualized acquisition planning table, and the corresponding ports are consistent; if the source IPs do not appear among the IPs whose acquisition direction is the exit direction or the entrance direction in the virtualized acquisition planning table, or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table is not issued correctly, and obtaining an incorrectly issued IP or IP pair; and/or
the second determining unit is used for detecting whether source IPs in the virtual probe data all appear among the IPs whose acquisition direction is the entry direction or the exit direction in the virtualized acquisition planning table, and the corresponding ports are consistent; if the source IPs do not appear among the IPs whose acquisition direction is the entry direction or the exit direction in the virtualized acquisition planning table, or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table is not issued correctly, and obtaining an incorrectly issued IP or IP pair;
or,
the second acquisition module includes:
The second summarizing unit is used for summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
the third determining unit is used for detecting whether a first network element appearing in the first port in the virtual probe data does not appear in the virtualized acquisition planning table, and if the first network element appearing in the first port does not appear in the virtualized acquisition planning table, determining that the detection result is that the first network element is wrongly provided with the target port;
or,
the second acquisition module includes:
the third summarizing unit is used for summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
a detection unit, configured to detect whether a first IP pair in the virtual probe data has a duplicate packet number;
the first acquisition unit is used for acquiring mirror image rules corresponding to a first target IP and a second target IP in the first IP pair in the virtual probe data if the first IP pair has repeated packet numbers;
the judging unit is used for determining whether the first target IP and the second target IP are simultaneously present in two mirror image rules whose acquisition directions are the same;
the fourth determining unit is used for determining that the detection result is that the mirror image rule corresponding to the first target IP and the second target IP is repeatedly configured if the first target IP and the second target IP are simultaneously present in the two mirror image rules and the acquisition directions are the same;
The detection unit is used for detecting whether the first target IP and the second target IP are simultaneously present in the configuration rule or not if the first target IP and the second target IP are not simultaneously present in the two mirror image rules and the acquisition directions are different;
and the fifth determining unit is used for determining that the detection result is that the mirror image rule corresponding to the first target IP and the second target IP is repeatedly configured if the first target IP and the second target IP are simultaneously present in the configuration rule.
5. The traffic mirror detection apparatus according to claim 4, wherein when the first acquisition module acquires virtual probe data, the first acquisition module is configured to:
and interacting with the virtual probe to obtain flow statistic data of each flow rule.
6. The traffic mirror detection device according to claim 4, wherein when the first acquisition module acquires OVS data, the first acquisition module is configured to:
and periodically sending a query command to the OVS to acquire flow statistic data which is not matched with the virtualized acquisition planning table.
7. A traffic mirror detection device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following when executing the computer program:
Acquiring a virtualized acquisition planning table, virtual probe data and virtual switch OVS data; the virtualized acquisition planning table comprises the following components: network element information, filtering rules and a target port mapping table;
detecting the virtual probe data and/or the OVS data according to the virtualized acquisition planning table to obtain a detection result;
the processor detects the virtual probe data and/or the OVS data according to the virtualized acquisition planning table to obtain a detection result, wherein the detection result is used for realizing at least one of the following:
detecting whether a first IP with the acquisition direction of an exit direction or an entry direction in a virtualized acquisition planning table appears in a source IP list in virtual probe data and corresponding ports are consistent, if the first IP does not appear in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is regular missed allocation, and obtaining a missed allocation IP or IP pair; wherein the IP or the IP pair, among the first IPs, that does not appear in the source IP list in the virtual probe data is determined to be the IP or the IP pair of the missed configuration; otherwise,
detecting whether second IPs with the acquisition direction of the input direction or the output direction in the virtualized acquisition planning table are all in a source IP list in the virtual probe data and the corresponding ports are consistent, if the second IPs are not all in the source IP list in the virtual probe data or the corresponding ports are inconsistent, determining that the detection result is regular missed allocation, and obtaining missed allocation IP or IP pairs; wherein the IP or the IP pair, among the second IPs, that does not appear in the source IP list in the virtual probe data is determined to be the IP or the IP pair of the missed configuration; otherwise,
detecting whether a third IP with the acquisition direction of the output direction or the input direction in the virtualized acquisition planning table appears in a source IP list in the OVS data, if the third IP appears in the source IP list in the OVS data, determining that the detection result is regular missed allocation, and obtaining a missed allocation IP or IP pair; wherein the IP or the IP pair, among the third IPs, that appears in the source IP list in the OVS data is determined as the IP or the IP pair of the missed configuration;
if the third IP is not in the source IP list in the OVS data, detecting whether a fourth IP with the acquisition direction being the input direction or the output direction in the virtualized acquisition planning table is in the source IP list in the OVS data, if the fourth IP is in the source IP list in the OVS data, determining that the detection result is regular missed allocation, and obtaining a missed allocation IP or IP pair; wherein the IP or the IP pair, among the fourth IPs, that appears in the source IP list in the OVS data is determined as the IP or the IP pair of the missed configuration;
or the processor detects the virtual probe data and/or the OVS data according to the virtualized acquisition planning table to obtain a detection result, which is used for realizing:
summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
Detecting whether source IPs in the virtual probe data are all present in the IP with the acquisition direction being the exit direction or the entrance direction in the virtualized acquisition planning table, and the corresponding ports are consistent, if the source IPs are not present in the IP with the acquisition direction being the exit direction or the entrance direction in the virtualized acquisition planning table or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table is not issued correctly, and obtaining an incorrectly issued IP or IP pair; and/or
Detecting whether source IPs in the virtual probe data are all present in the IP with the acquisition direction being the inlet direction or the outlet direction in the virtualized acquisition planning table, and the corresponding ports are consistent, if the source IPs are not present in the virtualized acquisition planning table, the IP with the acquisition direction being the inlet direction or the outlet direction or the corresponding ports are inconsistent, determining that the detection result is that the virtualized acquisition planning table is not issued correctly, and obtaining an incorrectly issued IP or IP pair;
or the processor detects the virtual probe data and/or the OVS data according to the virtualized acquisition planning table to obtain a detection result, which is used for realizing:
summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
Detecting whether a first network element appearing in a first port in the virtual probe data does not appear in the virtualized acquisition planning table, and if the first network element appearing in the first port does not appear in the virtualized acquisition planning table, determining that the detection result is that the first network element is wrongly provided with a target port;
or the processor detects the virtual probe data and/or the OVS data according to the virtualized acquisition planning table to obtain a detection result, which is used for realizing:
summarizing network element IP (Internet protocol) associated with the port in the virtualized acquisition planning table and the virtual probe data by taking the port as an index;
detecting whether the first IP pair in the virtual probe data has repeated packet numbers;
if the first IP pair has the repeated packet number, acquiring a mirror image rule corresponding to a first target IP and a second target IP in the first IP pair in the virtual probe data;
determining whether the first target IP and the second target IP are simultaneously present in two mirror image rules whose acquisition directions are the same;
if the first target IP and the second target IP are simultaneously present in the two mirror image rules and the acquisition directions are the same, determining that the detection result is that the mirror image rules corresponding to the first target IP and the second target IP are repeatedly configured;
If the first target IP and the second target IP do not appear in the two mirror image rules at the same time and the acquisition directions are different, detecting whether the first target IP and the second target IP appear in the configuration rule at the same time;
if the first target IP and the second target IP are simultaneously present in the configuration rule, determining that the detection result is that the mirror image rule corresponding to the first target IP and the second target IP is repeatedly configured.
8. A computer readable storage medium having stored thereon a computer program, which when executed by a processor performs the steps in the flow mirror detection method according to any of claims 1-3.
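The checks recited in the claims above reduce to set comparisons between the planning table and the collected statistics. The following Python is an added illustration, not code from the patent; the record layouts, field names and sample values are assumptions constructed for the example, only the exit direction is modelled, and the duplicate check covers the branch in which both IPs appear in two rules with the same acquisition direction.

```python
from collections import defaultdict

# Constructed sample data; every field name below is an assumption of this example.
PLAN = [  # virtualized acquisition planning table: one row per mirror rule
    {"rule": "r1", "ne": "ne-a", "ip": "10.0.0.1", "peer": "10.0.0.2", "dir": "out", "port": 1},
    {"rule": "r2", "ne": "ne-a", "ip": "10.0.0.1", "peer": "10.0.0.2", "dir": "out", "port": 1},
    {"rule": "r3", "ne": "ne-b", "ip": "10.0.0.3", "peer": None, "dir": "out", "port": 2},
    {"rule": "r4", "ne": "ne-c", "ip": "10.0.0.4", "peer": None, "dir": "out", "port": 2},
]
PROBE = [  # per-flow statistics reported by the virtual probe
    {"port": 1, "src": "10.0.0.1", "dst": "10.0.0.2", "packets": 200, "dups": 100},
    {"port": 1, "src": "10.0.0.3", "dst": "10.0.0.9", "packets": 50, "dups": 0},
]
OVS_UNMATCHED = {"10.0.0.4"}  # source IPs of OVS flows that matched no planned rule


def summarize_by_port(plan, probe):
    """Index planned IPs and probe-observed source IPs by target port."""
    planned, seen = defaultdict(set), defaultdict(set)
    for row in plan:
        planned[row["port"]].add(row["ip"])
    for rec in probe:
        seen[rec["port"]].add(rec["src"])
    return planned, seen


def missed_config(plan, probe, ovs_unmatched, direction="out"):
    """Planned IPs absent from the probe on their planned port, or seen unmatched on OVS."""
    _, seen = summarize_by_port(plan, probe)
    rows = [r for r in plan if r["dir"] == direction]
    return {
        "probe": {r["ip"] for r in rows if r["ip"] not in seen[r["port"]]},
        "ovs": {r["ip"] for r in rows if r["ip"] in ovs_unmatched},
    }


def wrong_target_port(plan, probe):
    """Network elements seen on a port that the plan does not assign to them."""
    planned, seen = summarize_by_port(plan, probe)
    ne_of = {r["ip"]: r["ne"] for r in plan}
    return sorted(
        (ne_of.get(ip, "unknown"), ip, port)
        for port, ips in seen.items()
        for ip in ips - planned[port]
    )


def duplicate_rules(plan, probe):
    """For IP pairs with duplicated packets, find rules that mirror the pair twice."""
    findings = {}
    for rec in probe:
        if rec["dups"] == 0:
            continue
        pair = {rec["src"], rec["dst"]}
        per_dir = defaultdict(list)
        for r in plan:
            if pair <= {r["ip"], r["peer"]}:
                per_dir[r["dir"]].append(r["rule"])
        for rules in per_dir.values():
            if len(rules) >= 2:  # both IPs in two rules with the same direction
                findings[(rec["src"], rec["dst"])] = rules
    return findings
```

With the sample data, 10.0.0.3 is reported both as missed on its planned port 2 and as a network element arriving on port 1, which is the signature of a wrong target port rather than a missing rule.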
CN201911147341.0A 2019-11-21 2019-11-21 Flow mirror image detection method and device Active CN112825506B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911147341.0A CN112825506B (en) 2019-11-21 2019-11-21 Flow mirror image detection method and device

Publications (2)

Publication Number Publication Date
CN112825506A CN112825506A (en) 2021-05-21
CN112825506B true CN112825506B (en) 2023-05-12

Family

ID=75907546

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911147341.0A Active CN112825506B (en) 2019-11-21 2019-11-21 Flow mirror image detection method and device

Country Status (1)

Country Link
CN (1) CN112825506B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113810310A (en) * 2021-09-10 2021-12-17 北京云杉世纪网络科技有限公司 Flow acquisition method, device, equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108494657A (en) * 2018-04-08 2018-09-04 苏州云杉世纪网络科技有限公司 OpenStack cloud platform virtual probe mirror methods based on Open vSwitch

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101188531B (en) * 2007-12-27 2010-04-07 东软集团股份有限公司 A method and system for monitoring network traffic exception
CN101534305A (en) * 2009-04-24 2009-09-16 中国科学院计算技术研究所 Method and system for detecting network flow exception
US9917609B2 (en) * 2015-07-31 2018-03-13 Blackberry Limited System and method for automatic detection and enablement of a virtual SIM on a mobile device
CN108900384A (en) * 2018-07-20 2018-11-27 新华三云计算技术有限公司 Network flow monitoring method, apparatus and system, computer readable storage medium
CN109189555A (en) * 2018-08-20 2019-01-11 郑州云海信息技术有限公司 A kind of implementation method of Port Mirroring, device, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant