CN113360740A - Data packet labeling method and system - Google Patents
Data packet labeling method and system Download PDFInfo
- Publication number
- CN113360740A CN113360740A CN202110625820.XA CN202110625820A CN113360740A CN 113360740 A CN113360740 A CN 113360740A CN 202110625820 A CN202110625820 A CN 202110625820A CN 113360740 A CN113360740 A CN 113360740A
- Authority
- CN
- China
- Prior art keywords
- matching
- module
- label
- quintuple
- data packet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/953—Querying, e.g. by the use of web search engines
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/951—Indexing; Web crawling techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/22—Matching criteria, e.g. proximity measures
Abstract
The invention provides a data packet labeling method and a system, which comprises the following steps: step S1: loading configuration, reading the configuration of the matching tags of the data packet, and generating a corresponding tag matching method; step S2: and (4) matching the labels, namely marking different labels on the data packet according to the characteristics of the data packet according to a label matching method generated by configuration loading. The invention can support flexible configuration, such as common IP/PORT/IP PROTOCOL basic network layer characteristics, network layer characteristics of VALN/MPLS/VXLAN and the like, application layer characteristics of HTTP/DNS and the like. The high-performance requirement can be met, the CPU consumption in the matching process is reduced, and the memory consumption in the matching process is reduced.
Description
Technical Field
The present invention relates to the field of network traffic processing, and in particular, to a method and system for labeling a packet.
Background
One common function in the field of network security analysis and network performance analysis is to label different data packets with different labels according to their characteristics, and then perform flexible operations of decoupling according to the labels.
There are two common methods for tagging packets, which are: feature matching based on Multi-Bit Trie, and feature matching based on HashMap optimization.
The core of the method for matching the characteristics based on the Multi-Bit Trie is to construct the Multi-Bit Trie with the step length of 8, namely, one byte can be matched each time, and the matching result is finally obtained by continuously traversing according to the content of a data packet. The core of the optimization of the technology is to merge the branch number according to the matching rule, thereby reducing the matching times and the memory consumption. Moreover, the method is based on the matching of the data packet loads, only the data packet load position corresponding to the specified characteristic value is provided, and the characteristic value does not need to be extracted. The biggest problem with this approach is that the matching features need to be continuous in the packet payload to achieve the desired performance. Meanwhile, some characteristics cannot be directly obtained from the data packet load, and corresponding characteristic values can be obtained only after decoding and conversion, so that the method cannot be used for matching the characteristics, and the flexibility of the method cannot meet the requirement.
The method for matching the features based on HashMap optimization comprises the steps of extracting corresponding feature values according to data packet loads, and matching one by one according to matching conditions. This approach meets the flexibility requirement but is less efficient. Therefore, data needs to be cached in HashMap according to feature value generation, and the efficiency of matching after the second time is improved. The disadvantage of this approach is that the number of hashmaps is limited, too large a number may exceed the memory usage limit, and too small a number may result in a cache miss. Meanwhile, the buffer cannot improve the efficiency of the first matching, and if the characteristic values of each matching are different and cannot hit the cache, the overall efficiency is reduced to a cache-free scene.
Disclosure of Invention
Aiming at the defects in the prior art, the invention aims to provide a data packet labeling method and a data packet labeling system.
The invention provides a data packet labeling method, which comprises the following steps:
step S1: loading configuration, reading the configuration of the matching tags of the data packet, and generating a corresponding tag matching method;
step S2: and (4) matching labels, namely marking different labels on the data packet according to the characteristics of the data packet according to a label matching method generated by configuration loading.
Preferably, the step S1 includes the following sub-steps:
step S1.1: distinguishing quintuple characteristics from other network layer characteristics and application layer characteristics;
step S1.2: constructing a matched Multi-Bit Trie according to the quintuple characteristics, and matching one byte each time according to the quintuple characteristics;
step S1.3: the matching condition has only five-tuple characteristics; if the test result is Ture, executing step S1.4, otherwise executing step S1.5;
step S1.4: the result corresponding to the Multi-Bit Trie directly points to the corresponding label, the input is quintuple characteristics, and the output is the corresponding label;
step S1.5: constructing corresponding matching functions according to a HashMap optimization-based feature matching method, wherein the input of each function is other network layer features and application layer features, and the output is a corresponding label;
step S1.6: the result corresponding to the Multi-Bit Trie points to the corresponding other matching function, the input is the quintuple feature, and the output is the corresponding matching function in step S1.5.
Preferably, in step S1.1, the IP/PORT/IP protocol is a quintuple feature, and the rest are other network layer features and application layer features.
Preferably, in the step S1.2, the step length is set to n, and the outgoing edge of each node in the Multi-Bit Trie is set to 2nAnd during generation, compressing the data structure in different modes to remove redundant outgoing edges.
Preferably, the step S2 includes the following sub-steps:
step S2.1: directly matching the Multi-Bit Trie according to the data packet load, and directly jumping in the Multi-Bit Trie according to the data packet load to find a corresponding label or a matching function;
step S2.2: directly pointing to the corresponding label, and judging whether the result in the step S2.1 is the label or not; if the test result is Ture, executing step S2.3, otherwise executing step S2.4;
step S2.3: directly returning the corresponding label;
step S2.4: extracting other characteristic values except the quintuple;
step S2.5: judging whether the characteristic value can hit the buffer area or not and judging whether the characteristic value is in the buffer area or not; if the test result is Ture, executing step S2.6, otherwise executing step S2.7;
step S2.6: returning the buffered label, and directly returning the label without matching again;
step S2.7: inputting the characteristic value to a matching function to obtain a label; inputting other network layer characteristics and application layer characteristics to the matching function, and outputting corresponding labels;
step S2.8: and (4) placing the label into a buffer area, and placing the characteristic value and the label corresponding to the characteristic value into the buffer area.
The invention provides a data packet label system, which comprises the following modules:
module M1: loading configuration, reading the configuration of the matching tags of the data packet, and generating a corresponding tag matching method;
module M2: and (4) matching labels, namely marking different labels on the data packet according to the characteristics of the data packet according to a label matching method generated by configuration loading.
Preferably, the module M1 includes the following sub-modules:
module M1.1: distinguishing quintuple characteristics from other network layer characteristics and application layer characteristics;
module M1.2: constructing a matched Multi-Bit Trie according to the quintuple characteristics, and matching one byte each time according to the quintuple characteristics;
module M1.3: the matching condition has only five-tuple characteristics; if the test result is Ture, executing the module M1.4, otherwise executing the module M1.5;
module M1.4: the result corresponding to the Multi-Bit Trie directly points to the corresponding label, the input is quintuple characteristics, and the output is the corresponding label;
module M1.5: constructing corresponding matching functions according to a HashMap optimization-based feature matching method, wherein the input of each function is other network layer features and application layer features, and the output is a corresponding label;
module M1.6: the result corresponding to the Multi-Bit Trie points to the corresponding other matching functions, the input is the quintuple feature, and the output is the corresponding matching function in the corresponding module M1.5.
Preferably, in the module M1.1, the IP/PORT/IP protocol is a quintuple feature, and the rest are other network layer features and application layer features.
Preferably, in the module M1.2, the step length is set to be n, and the outgoing edge of each node in the Multi-Bit Trie is set to be 2nAnd during generation, compressing the data structure in different modes to remove redundant outgoing edges.
Preferably, said module M2 comprises the following sub-steps:
module M2.1: directly matching the Multi-Bit Trie according to the data packet load, and directly jumping in the Multi-Bit Trie according to the data packet load to find a corresponding label or a matching function;
module M2.2: directly pointing to the corresponding label, and judging whether the result in the module M2.1 is the label; if the test result is true, executing the module M2.3, otherwise executing the module M2.4;
module M2.3: directly returning the corresponding label;
module M2.4: extracting other characteristic values except the quintuple;
module M2.5: judging whether the characteristic value can hit the buffer area or not and judging whether the characteristic value is in the buffer area or not; if the test result is true, executing the module M2.6, otherwise executing the module M2.7;
module M2.6: returning the buffered label, and directly returning the label without matching again;
module M2.7: inputting the characteristic value to a matching function to obtain a label; inputting other network layer characteristics and application layer characteristics to the matching function, and outputting corresponding labels;
module M2.8: and (4) placing the label into a buffer area, and placing the characteristic value and the label corresponding to the characteristic value into the buffer area.
Compared with the prior art, the invention has the following beneficial effects:
1. flexible configurations such as common IP/PORT/IP PROTOCOL infrastructure network layer features (also known as quintuple features), network layer features such as vlan/MPLS/VXLAN, application layer features such as HTTP/DNS, etc. may be supported.
2. The high-performance requirement can be met, the CPU consumption in the matching process is reduced, and the memory consumption in the matching process is reduced.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a flow chart of configuration loading in a packet tagging method of the present invention;
FIG. 2 is a flow chart of label matching in a data packet labeling method according to the present invention,
fig. 3 is a diagram illustrating an example of Multi-Bit Trie node compression in a packet tagging method according to the present invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit the invention in any way. It should be noted that it would be obvious to those skilled in the art that various changes and modifications can be made without departing from the spirit of the invention. All falling within the scope of the present invention.
Example 1:
the invention provides a data packet labeling method, which comprises the following steps:
step S1: loading configuration, reading the configuration of the matching tags of the data packet, and generating a corresponding tag matching method;
step S2: and (4) matching the labels, namely marking different labels on the data packet according to the characteristics of the data packet according to a label matching method generated by configuration loading.
Specifically, referring to fig. 1, step S1 includes the following sub-steps:
step S1.1: distinguishing quintuple characteristics from other network layer characteristics and application layer characteristics; the IP/PORT/IP PROTOCOL is a quintuple feature, and the rest is other network layer features and application layer features;
step S1.2: constructing a matched Multi-Bit Trie according to the quintuple characteristics, and matching one byte each time according to the quintuple characteristics; generally speaking, when the step length is n, the outgoing edge of each node in the Trie is 2^ n, and when the Trie is generated, different modes are adopted to compress a data structure and remove redundant outgoing edges.
The Multi-Bit Trie only supports the matching of the white list, and the matching of the black list needs to be split into two Multi-Bit tries, wherein one processing white list and one processing black list.
Step S1.3: the matching condition has only five-tuple characteristics; if the test result is Ture, executing step S1.4, otherwise executing step S1.5;
step S1.4: the result corresponding to the Multi-Bit Trie directly points to the corresponding label, the input is quintuple characteristics, and the output is the corresponding label;
step S1.5: constructing corresponding matching functions according to a HashMap optimization-based feature matching method, wherein the input of each function is other network layer features and application layer features, and the output is a corresponding label;
step S1.6: the result corresponding to the Multi-Bit Trie points to the corresponding other matching function, the input is the quintuple feature, and the output is the corresponding matching function in step S1.5.
Specifically, referring to fig. 2, step S2 includes the following sub-steps:
step S2.1: directly matching the Multi-Bit Trie according to the data packet load, and directly jumping in the Multi-Bit Trie according to the data packet load to find a corresponding label or a matching function;
step S2.2: directly pointing to the corresponding label, and judging whether the result in the step S2.1 is the label or not; if the test result is Ture, executing step S2.3, otherwise executing step S2.4;
step S2.3: directly returning the corresponding label;
step S2.4: extracting other characteristic values except the quintuple;
step S2.5: judging whether the characteristic value can hit the buffer area or not and judging whether the characteristic value is in the buffer area or not; if the test result is Ture, executing step S2.6, otherwise executing step S2.7;
step S2.6: returning the buffered label, and directly returning the label without matching again;
step S2.7: inputting the characteristic value to a matching function to obtain a label; inputting other network layer characteristics and application layer characteristics to the matching function, and outputting corresponding labels;
step S2.8: and (4) placing the label into a buffer area, and placing the characteristic value and the label corresponding to the characteristic value into the buffer area.
Example 2:
this embodiment is a preferred embodiment of embodiment 1.
Configuration loading, comprising the steps of:
matching conditions are as follows: the HTTP packet tag for the source IP address 192.168.1.2 is HTTP.
And matching conditions are as follows: the packet at source IP address 192.168.4.5 is labeled SERVER.
Step 1.1: distinguishing quintuple characteristics from other network layer characteristics and application layer characteristics, wherein IP/PORT/IP PROTOCOL is the quintuple characteristics, and the rest are the other network layer characteristics and the application layer characteristics;
extracted quintuple features:
matching conditions are as follows: the IP source is 192.168.1.2, the IP purpose is arbitrary, the IP protocol is TCP, the PORT source is arbitrary, and the PORT purpose is arbitrary.
And matching conditions are as follows: the IP source is 192.168.4.5, the IP purpose is arbitrary, the IP protocol is arbitrary PORT source, and the PORT purpose is arbitrary.
And extracting other network layer characteristics and application layer characteristics:
matching conditions are as follows: the load of TCP is HTTP load.
And matching conditions are as follows: none.
Step 1.2: and constructing a matched Multi-Bit Trie according to the quintuple characteristics, and matching one byte each time according to the quintuple characteristics. Generally speaking, when the step length is n, the outgoing edge of each node in the Trie is 2^ n, and when the Trie is generated, different modes are adopted to compress a data structure and remove redundant outgoing edges.
The matching condition corresponds to a Trie A, the matching condition corresponds to a Trie B, and finally the Trie B is merged into the Trie A, which is specifically shown in FIG. 3.
In fig. 3, when node 1 and node 1 'are merged, node 1' is directly merged into node 1 because the node is the root node;
when node 4 and node 4 'merge, a new node c1 (a copy of node 4) is created because the nodes do not intersect, and the edges on node 4' are copied into node c 1.
Step 1.3: the matching condition has only five-tuple characteristics; if the test result is true, step 1.4 is executed, otherwise step 1.5 is executed.
Matching conditions are as follows: the test result is False, and step 1.5 is performed.
And matching conditions are as follows: if the test result is Ture, step 1.4 is performed.
Step 1.4: the result corresponding to the Multi-Bit Trie directly points to the corresponding label, the input is quintuple characteristics, and the output is the corresponding label;
and matching conditions are as follows: node 6 points directly to the SERVER tag.
Step 1.5: constructing corresponding matching functions according to a HashMap optimization-based feature matching method, wherein the input of each function is other network layer features and application layer features, and the output is a corresponding label;
matching conditions are as follows: a corresponding HTTP match function is generated. The matching function is to detect the load of the TCP, and the load starts to be HTTP characteristics such as 'GET', 'POST', 'HTTP' and the like, and is judged to be HTTP.
Step 1.6: the result corresponding to the Multi-Bit Trie points to the corresponding other matching functions, the input is the quintuple feature, and the output is the corresponding matching function in the corresponding 1.5.
Matching conditions are as follows: node 6' points to the HTTP match function.
The label of the process 2 comprises the following steps:
step 2.1: directly matching the Multi-Bit Trie according to the data packet load, and directly jumping in the Multi-Bit Trie according to the data packet load to find a corresponding label or a matching function;
data packet 1: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
the Multi-Bit Trie hits node 6' and the corresponding HTTP match function is found.
Data packet 2: the IP source is 192.168.4.5, the IP purpose is 192.168.4.6, the IP protocol is UDP, the PORT source is 20000, the PORT purpose is 8080:
and the Multi-Bit Trie hits the node 6, and a corresponding label SERVER is found.
Data packet 3: the IP source is 192.168.1.7, the IP destination is 192.168.1.8, the IP protocol is TCP, the PORT source is 30000, the PORT destination is 80:
the Multi-Bit Trie hits node 5', which does not have any tags and matching functions, and therefore ends directly.
Data packet 4: the IP source is 192.168.5.10, the IP destination is 192.168.1.2, the IP protocol is UDP, the PORT source is 40000, the PORT destination is 80:
the Multi-Bit Trie hits node 4, which does not have any tags and matching functions, and therefore ends directly.
Data packet 5: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
the Multi-Bit Trie hits node 6' and the corresponding HTTP match function is found.
Step 2.2: directly pointing to the corresponding label, and judging whether the result in the step 2.1 is the label or not; if the test result is true, step 2.3 is performed, otherwise step 2.4 is performed.
Data packet 1: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
the test results are: false.
Data packet 2: the IP source is 192.168.4.5, the IP purpose is 192.168.4.6, the IP protocol is UDP, the PORT source is 20000, the PORT purpose is 8080:
the test results are: and (6) True.
Data packet 5: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
the test results are: false.
Step 2.3: directly returning the corresponding label;
data packet 2: the IP source is 192.168.4.5, the IP purpose is 192.168.4.6, the IP protocol is UDP, the PORT source is 20000, the PORT purpose is 8080:
and returning the label SERVER.
Step 2.4: extracting other characteristic values except the quintuple;
data packet 1: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
the first 8 bytes of the TCP load are extracted as characteristic values: "GET/Web".
Data packet 5: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
the first 8 bytes of the TCP load are extracted as characteristic values: "GET/Web".
Step 2.5: whether the buffer can be hit or not, and whether the characteristic value is in the buffer or not; if the test result is true, step 2.6 is performed, otherwise step 2.7 is performed.
Data packet 1: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
the test results are: false.
Data packet 5: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
the test results are: and (6) True.
Step 2.6: returning the buffered label, and directly returning the label without matching again;
data packet 5: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
and returning the label: find the buffer content with IP source 192.168.1.2 and IP destination 192.168.1.3 in the buffer area, return label HTTP
Step 2.7: inputting the characteristic value to a matching function to obtain a label; inputting other network layer characteristics and application layer characteristics to the matching function, and outputting corresponding labels;
data packet 1: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
the first 8 bytes of the TCP load are extracted as characteristic values: "GET/Web"
And according to the obtained HTTP matching function, inputting the first 8 bytes of the TCP load, and obtaining a matching result which is True. The output label is therefore HTTP
Step 2.8: putting the label into a buffer area, and putting the characteristic value and the label corresponding to the characteristic value into the buffer area;
and putting 192.168.1.2 of an IP source, 192.168.1.3 of an IP purpose, TCP of an IP protocol, 10000 of a PORT source, 80 of a PORT purpose and Key of a PORT purpose and Value of HTTP into HashMap.
Those skilled in the art will appreciate that, in addition to implementing the system and its various devices, modules, units provided by the present invention as pure computer readable program code, the system and its various devices, modules, units provided by the present invention can be fully implemented by logically programming method steps in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system and various devices, modules and units thereof provided by the invention can be regarded as a hardware component, and the devices, modules and units included in the system for realizing various functions can also be regarded as structures in the hardware component; means, modules, units for performing the various functions may also be regarded as structures within both software modules and hardware components for performing the method.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.
Claims (10)
1. A method for labeling a packet, comprising the steps of:
step S1: loading configuration, reading the configuration of the matching tags of the data packet, and generating a corresponding tag matching method;
step S2: and (4) matching labels, namely marking different labels on the data packet according to the characteristics of the data packet according to a label matching method generated by configuration loading.
2. The packet tagging method of claim 1, wherein: the step S1 includes the following sub-steps:
step S1.1: distinguishing quintuple characteristics from other network layer characteristics and application layer characteristics;
step S1.2: constructing a matched Multi-Bit Trie according to the quintuple characteristics, and matching one byte each time according to the quintuple characteristics;
step S1.3: the matching condition has only five-tuple characteristics; if the test result is Ture, executing step S1.4, otherwise executing step S1.5;
step S1.4: the result corresponding to the Multi-Bit Trie directly points to the corresponding label, the input is quintuple characteristics, and the output is the corresponding label;
step S1.5: constructing corresponding matching functions according to a HashMap optimization-based feature matching method, wherein the input of each function is other network layer features and application layer features, and the output is a corresponding label;
step S1.6: the result corresponding to the Multi-Bit Trie points to the corresponding other matching function, the input is the quintuple feature, and the output is the corresponding matching function in step S1.5.
3. The packet tagging method of claim 2, wherein: in the step S1.1, the IP/PORT/IP protocol is a quintuple feature, and the rest are other network layer features and application layer features.
4. The packet tagging method of claim 2, wherein: in the step S1.2, the steps are setLength is n, and the outgoing edge of each node in the Multi-Bit Trie is 2nAnd during generation, compressing the data structure in different modes to remove redundant outgoing edges.
5. The packet tagging method of claim 1, wherein: the step S2 includes the following sub-steps:
step S2.1: directly matching the Multi-Bit Trie according to the data packet load, and directly jumping in the Multi-Bit Trie according to the data packet load to find a corresponding label or a matching function;
step S2.2: directly pointing to the corresponding label, and judging whether the result in the step S2.1 is the label or not; if the test result is Ture, executing step S2.3, otherwise executing step S2.4;
step S2.3: directly returning the corresponding label;
step S2.4: extracting other characteristic values except the quintuple;
step S2.5: judging whether the characteristic value can hit the buffer area or not and judging whether the characteristic value is in the buffer area or not; if the test result is Ture, executing step S2.6, otherwise executing step S2.7;
step S2.6: returning the buffered label, and directly returning the label without matching again;
step S2.7: inputting the characteristic value to a matching function to obtain a label; inputting other network layer characteristics and application layer characteristics to the matching function, and outputting corresponding labels;
step S2.8: and (4) placing the label into a buffer area, and placing the characteristic value and the label corresponding to the characteristic value into the buffer area.
6. A packet tagging system, characterized by: the system comprises the following modules:
module M1: loading configuration, reading the configuration of the matching tags of the data packet, and generating a corresponding tag matching method;
module M2: and (4) matching labels, namely marking different labels on the data packet according to the characteristics of the data packet according to a label matching method generated by configuration loading.
7. The packet tagging system of claim 6, wherein: the module M1 includes the following sub-modules:
module M1.1: distinguishing quintuple characteristics from other network layer characteristics and application layer characteristics;
module M1.2: constructing a matched Multi-Bit Trie according to the quintuple characteristics, and matching one byte each time according to the quintuple characteristics;
module M1.3: the matching condition has only five-tuple characteristics; if the test result is Ture, executing the module M1.4, otherwise executing the module M1.5;
module M1.4: the result corresponding to the Multi-Bit Trie directly points to the corresponding label, the input is quintuple characteristics, and the output is the corresponding label;
module M1.5: constructing corresponding matching functions according to a HashMap optimization-based feature matching method, wherein the input of each function is other network layer features and application layer features, and the output is a corresponding label;
module M1.6: the result corresponding to the Multi-Bit Trie points to the corresponding other matching functions, the input is the quintuple feature, and the output is the corresponding matching function in the corresponding module M1.5.
8. The packet tagging system of claim 7, wherein: in the module M1.1, IP/PORT/IPPROTOCOL is a quintuple feature, and the rest are other network layer features and application layer features.
9. The packet tagging system of claim 7, wherein: in the module M1.2, the step length is set to be n, and the outgoing edge of each node in the Multi-Bit Trie is set to be 2nAnd during generation, compressing the data structure in different modes to remove redundant outgoing edges.
10. The packet tagging system of claim 6, wherein: the module M2 comprises the following sub-steps:
module M2.1: directly matching the Multi-Bit Trie according to the data packet load, and directly jumping in the Multi-Bit Trie according to the data packet load to find a corresponding label or a matching function;
module M2.2: directly pointing to the corresponding label, and judging whether the result in the module M2.1 is the label; if the test result is true, executing the module M2.3, otherwise executing the module M2.4;
module M2.3: directly returning the corresponding label;
module M2.4: extracting other characteristic values except the quintuple;
module M2.5: judging whether the characteristic value can hit the buffer area or not and judging whether the characteristic value is in the buffer area or not; if the test result is true, executing the module M2.6, otherwise executing the module M2.7;
module M2.6: returning the buffered label, and directly returning the label without matching again;
module M2.7: inputting the characteristic value to a matching function to obtain a label; inputting other network layer characteristics and application layer characteristics to the matching function, and outputting corresponding labels;
module M2.8: and (4) placing the label into a buffer area, and placing the characteristic value and the label corresponding to the characteristic value into the buffer area.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110625820.XA CN113360740B (en) | 2021-06-04 | 2021-06-04 | Data packet labeling method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110625820.XA CN113360740B (en) | 2021-06-04 | 2021-06-04 | Data packet labeling method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113360740A true CN113360740A (en) | 2021-09-07 |
| CN113360740B CN113360740B (en) | 2022-10-11 |
Family
ID=77532355
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110625820.XA Active CN113360740B (en) | 2021-06-04 | 2021-06-04 | Data packet labeling method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113360740B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114822077A (en) * | 2022-06-27 | 2022-07-29 | 深圳市奇见科技有限公司 | Scheduling management system of intelligent stereo garage |
Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101567854A (en) * | 2009-05-26 | 2009-10-28 | 武汉烽火网络有限责任公司 | Ethernet data frame VLAN double-layer label processing device and method based on flow classification |
| US7742429B1 (en) * | 2004-01-15 | 2010-06-22 | Zte Corporation | Method and system of promptly processing real-time media stream data packet |
| CN101764741A (en) * | 2009-11-27 | 2010-06-30 | 上海恒为信息科技有限公司 | Filtering and shunting device and method supporting multi-service function |
| CN102523241A (en) * | 2012-01-09 | 2012-06-27 | 北京邮电大学 | Method and device for classifying network traffic on line based on decision tree high-speed parallel processing |
| CN102739473A (en) * | 2012-07-09 | 2012-10-17 | 南京中兴特种软件有限责任公司 | Network detecting method using intelligent network card |
| WO2012167559A1 (en) * | 2011-06-10 | 2012-12-13 | 中兴通讯股份有限公司 | Method and triple layer device for fast forwarding data packets |
| CN103051605A (en) * | 2012-11-21 | 2013-04-17 | 国家计算机网络与信息安全管理中心 | Data packet processing method, device and system |
| CN103746892A (en) * | 2013-11-27 | 2014-04-23 | 北京邮电大学 | SDN virtualization platform uplink signaling flow label processing method based on OpenFlow |
| CN104333510A (en) * | 2014-11-24 | 2015-02-04 | 重庆邮电大学 | Label switching forwarding strategy in named date network |
| CN104660460A (en) * | 2015-01-15 | 2015-05-27 | 北京奥普维尔科技有限公司 | System and method for testing performance of Ethernet |
| CN104718731A (en) * | 2012-06-27 | 2015-06-17 | 华为技术有限公司 | Ternary content-addressable memory assisted packet classification |
| CN105075191A (en) * | 2014-01-29 | 2015-11-18 | 华为技术有限公司 | Wireless network data processing device and wireless network system |
| CN107181736A (en) * | 2017-04-21 | 2017-09-19 | 湖北微源卓越科技有限公司 | Based on 7 layers of network data packet classification method applied and system |
-
2021
- 2021-06-04 CN CN202110625820.XA patent/CN113360740B/en active Active
Patent Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7742429B1 (en) * | 2004-01-15 | 2010-06-22 | Zte Corporation | Method and system of promptly processing real-time media stream data packet |
| CN101567854A (en) * | 2009-05-26 | 2009-10-28 | 武汉烽火网络有限责任公司 | Ethernet data frame VLAN double-layer label processing device and method based on flow classification |
| CN101764741A (en) * | 2009-11-27 | 2010-06-30 | 上海恒为信息科技有限公司 | Filtering and shunting device and method supporting multi-service function |
| WO2012167559A1 (en) * | 2011-06-10 | 2012-12-13 | 中兴通讯股份有限公司 | Method and triple layer device for fast forwarding data packets |
| CN102523241A (en) * | 2012-01-09 | 2012-06-27 | 北京邮电大学 | Method and device for classifying network traffic on line based on decision tree high-speed parallel processing |
| CN104718731A (en) * | 2012-06-27 | 2015-06-17 | 华为技术有限公司 | Ternary content-addressable memory assisted packet classification |
| CN102739473A (en) * | 2012-07-09 | 2012-10-17 | 南京中兴特种软件有限责任公司 | Network detecting method using intelligent network card |
| CN103051605A (en) * | 2012-11-21 | 2013-04-17 | 国家计算机网络与信息安全管理中心 | Data packet processing method, device and system |
| CN103746892A (en) * | 2013-11-27 | 2014-04-23 | 北京邮电大学 | SDN virtualization platform uplink signaling flow label processing method based on OpenFlow |
| CN105075191A (en) * | 2014-01-29 | 2015-11-18 | 华为技术有限公司 | Wireless network data processing device and wireless network system |
| CN104333510A (en) * | 2014-11-24 | 2015-02-04 | 重庆邮电大学 | Label switching forwarding strategy in named date network |
| CN104660460A (en) * | 2015-01-15 | 2015-05-27 | 北京奥普维尔科技有限公司 | System and method for testing performance of Ethernet |
| CN107181736A (en) * | 2017-04-21 | 2017-09-19 | 湖北微源卓越科技有限公司 | Based on 7 layers of network data packet classification method applied and system |
Non-Patent Citations (3)
| Title |
|---|
| 刘洋: "数据包过滤规则匹配与并行化技术研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 * |
| 尚凤军、潘英俊等: "基于随机分布的多比特Trie树IP数据包分类算法研究", 《通信学报》 * |
| 秦怡、杨云等: "哈希表和多比特Trie相结合的IPv6分阶段路由查找算法", 《小型微型计算机系统》 * |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114822077A (en) * | 2022-06-27 | 2022-07-29 | 深圳市奇见科技有限公司 | Scheduling management system of intelligent stereo garage |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113360740B (en) | 2022-10-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7949683B2 (en) | Method and apparatus for traversing a compressed deterministic finite automata (DFA) graph | |
| US8180803B2 (en) | Deterministic finite automata (DFA) graph compression | |
| US8861524B2 (en) | Method for TCAM lookup using a key in multi-threaded packet processors | |
| US9495479B2 (en) | Traversal with arc configuration information | |
| US20140324900A1 (en) | Intelligent Graph Walking | |
| US10284460B1 (en) | Network packet tracing | |
| Ma et al. | Leveraging parallelism for multi-dimensional packetclassification on software routers | |
| CN102111331B (en) | Matching method based on hash table and adopting mask five-element rule | |
| CN111026982A (en) | Intelligent contract processing method, computer equipment and storage medium | |
| CN113360740B (en) | Data packet labeling method and system | |
| CN114285781B (en) | SRV6 service flow statistics method, device, electronic equipment and medium | |
| CN113254767A (en) | Big data searching method and device, computer equipment and storage medium | |
| WO2012075818A1 (en) | Method for parsing packet header, header parsing pre-processing device and network processor | |
| CN114338498B (en) | SRv 6-based message processing method, SRv-based message processing system, electronic equipment and medium | |
| Wang et al. | GPU-accelerated name lookup with component encoding | |
| JP5961745B2 (en) | Communication device or packet transfer method | |
| US20060080467A1 (en) | Apparatus and method for high performance data content processing | |
| CN114338529B (en) | Five-tuple rule matching method and device | |
| CN114827030B (en) | Flow classification device based on folded SRAM and table entry compression method | |
| CN114024758B (en) | Flow characteristic extraction method, system, storage medium and electronic equipment | |
| CN113411380B (en) | Processing method, logic circuit and equipment based on FPGA (field programmable gate array) programmable session table | |
| CN114124106A (en) | LZ4 decompression method, system, storage medium and equipment | |
| CN113934767A (en) | Data processing method and device, computer equipment and storage medium | |
| CN114363257B (en) | Five-tuple matching method and device for tunnel message | |
| CN113810392B (en) | TOP ranking method, device and storage medium for massive data |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |