CN113360740B - Data packet labeling method and system - Google Patents


Info

Publication number
CN113360740B
Authority
CN
China
Prior art keywords
matching
label
module
data packet
quintuple
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110625820.XA
Other languages
Chinese (zh)
Other versions
CN113360740A (en)
Inventor
叶志强
蔡晓华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Netis Technologies Co ltd
Original Assignee
Shanghai Netis Technologies Co ltd
Application filed by Shanghai Netis Technologies Co ltd
Priority to CN202110625820.XA
Publication of CN113360740A
Application granted
Publication of CN113360740B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/953 Querying, e.g. by the use of web search engines
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/951 Indexing; Web crawling techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures

Abstract

The invention provides a data packet labeling method and system, comprising the following steps: step S1: configuration loading, namely reading the configuration that matches data packets to labels and generating a corresponding label matching method; step S2: label matching, namely applying different labels to data packets according to their characteristics, using the label matching method generated by configuration loading. The invention supports flexible configuration, such as the common basic network layer features IP/PORT/IP PROTOCOL, network layer features such as VLAN/MPLS/VXLAN, and application layer features such as HTTP/DNS. It can meet high-performance requirements, reducing both the CPU consumption and the memory consumption of the matching process.

Description

Data packet labeling method and system
Technical Field
The present invention relates to the field of network traffic processing, and in particular, to a method and system for labeling a packet.
Background
A common function in network security analysis and network performance analysis is to apply different labels to data packets according to their characteristics, and then to perform flexible, decoupled operations based on those labels.
There are two common methods for labeling packets: feature matching based on a Multi-Bit Trie, and feature matching based on HashMap optimization.
The core of Multi-Bit Trie feature matching is to construct a Multi-Bit Trie with a step length of 8, so that one byte is matched at each step, and to traverse it according to the content of the data packet until the matching result is obtained. The core optimization of this technique is to merge branches according to the matching rules, which reduces both the number of matching steps and the memory consumption. Moreover, the method matches directly on the packet payload: only the payload position of each specified feature value needs to be provided, and the feature value itself does not need to be extracted. The biggest problem with this approach is that the matched features must be contiguous in the packet payload to achieve the desired performance. In addition, some features cannot be read directly from the packet payload; their values can be obtained only after decoding and conversion, so this method cannot match them, and its flexibility does not meet the requirement.
HashMap-optimized feature matching first extracts the corresponding feature values from the packet payload and then matches them one by one against the matching conditions. This approach meets the flexibility requirement but is less efficient. Therefore, results are cached in a HashMap keyed by the feature values, which improves the efficiency of the second and subsequent matches. The disadvantage of this approach is that the size of the HashMap is limited: too large a size may exceed the memory usage limit, and too small a size may result in cache misses. Moreover, the cache cannot improve the efficiency of the first match, and if the feature values differ on every match the cache is never hit, so the overall efficiency falls back to that of the uncached case.
Disclosure of Invention
In view of the defects in the prior art, the present invention aims to provide a method and a system for labeling a data packet.
The invention provides a data packet labeling method, which comprises the following steps:
step S1: configuration loading: reading the configuration that matches data packets to labels, and generating a corresponding label matching method;
step S2: label matching: applying different labels to data packets according to their characteristics, using the label matching method generated by configuration loading.
Preferably, the step S1 includes the following substeps:
step S1.1: distinguishing quintuple features from other network layer features and application layer features;
step S1.2: constructing a Multi-Bit Trie for matching from the quintuple features, matching one byte of the quintuple features at a time;
step S1.3: testing whether the matching condition has only quintuple features; if the test result is True, executing step S1.4, otherwise executing step S1.5;
step S1.4: the result node of the Multi-Bit Trie points directly to the corresponding label; the input is the quintuple features, and the output is the corresponding label;
step S1.5: constructing corresponding matching functions according to the HashMap-optimization-based feature matching method, wherein the input of each function is the other network layer features and application layer features, and the output is the corresponding label;
step S1.6: the result node of the Multi-Bit Trie points to the corresponding matching function; the input is the quintuple features, and the output is the corresponding matching function from step S1.5.
Preferably, in step S1.1, IP/PORT/IP PROTOCOL are the quintuple features, and the rest are other network layer features and application layer features.
Preferably, in the step S1.2, the step length is set to n, so that each node in the Multi-Bit Trie has 2^n outgoing edges; during generation, the data structure is compressed in different ways to remove redundant outgoing edges.
Preferably, the step S2 includes the following substeps:
step S2.1: matching the Multi-Bit Trie directly against the data packet payload, jumping through the Multi-Bit Trie according to the payload to find the corresponding label or matching function;
step S2.2: testing whether the result of step S2.1 is a label, i.e. whether the Trie points directly to a label; if the test result is True, executing step S2.3, otherwise executing step S2.4;
step S2.3: returning the corresponding label directly;
step S2.4: extracting the feature values other than the quintuple;
step S2.5: testing whether the feature value hits the buffer, i.e. whether it is already in the buffer; if the test result is True, executing step S2.6, otherwise executing step S2.7;
step S2.6: returning the buffered label directly, without matching again;
step S2.7: inputting the feature values (the other network layer features and application layer features) to the matching function, which outputs the corresponding label;
step S2.8: putting the feature value and its corresponding label into the buffer.
The invention provides a data packet labeling system, which comprises the following modules:
module M1: configuration loading: reading the configuration that matches data packets to labels, and generating a corresponding label matching method;
module M2: label matching: applying different labels to data packets according to their characteristics, using the label matching method generated by configuration loading.
Preferably, the module M1 comprises the following sub-modules:
module M1.1: distinguishing quintuple features from other network layer features and application layer features;
module M1.2: constructing a Multi-Bit Trie for matching from the quintuple features, matching one byte of the quintuple features at a time;
module M1.3: testing whether the matching condition has only quintuple features; if the test result is True, executing the module M1.4, otherwise executing the module M1.5;
module M1.4: the result node of the Multi-Bit Trie points directly to the corresponding label; the input is the quintuple features, and the output is the corresponding label;
module M1.5: constructing corresponding matching functions according to the HashMap-optimization-based feature matching method, wherein the input of each function is the other network layer features and application layer features, and the output is the corresponding label;
module M1.6: the result node of the Multi-Bit Trie points to the corresponding matching function; the input is the quintuple features, and the output is the corresponding matching function from module M1.5.
Preferably, in the module M1.1, IP/PORT/IP PROTOCOL are the quintuple features, and the rest are other network layer features and application layer features.
Preferably, in the module M1.2, the step length is set to n, so that each node in the Multi-Bit Trie has 2^n outgoing edges; during generation, the data structure is compressed in different ways to remove redundant outgoing edges.
Preferably, the module M2 comprises the following sub-modules:
module M2.1: matching the Multi-Bit Trie directly against the data packet payload, jumping through the Multi-Bit Trie according to the payload to find the corresponding label or matching function;
module M2.2: testing whether the result of module M2.1 is a label, i.e. whether the Trie points directly to a label; if the test result is True, executing the module M2.3, otherwise executing the module M2.4;
module M2.3: returning the corresponding label directly;
module M2.4: extracting the feature values other than the quintuple;
module M2.5: testing whether the feature value hits the buffer, i.e. whether it is already in the buffer; if the test result is True, executing the module M2.6, otherwise executing the module M2.7;
module M2.6: returning the buffered label directly, without matching again;
module M2.7: inputting the feature values (the other network layer features and application layer features) to the matching function, which outputs the corresponding label;
module M2.8: putting the feature value and its corresponding label into the buffer.
Compared with the prior art, the invention has the following beneficial effects:
1. Flexible configurations are supported, such as the common basic network layer features IP/PORT/IP PROTOCOL (also referred to as quintuple features), network layer features such as VLAN/MPLS/VXLAN, application layer features such as HTTP/DNS, and the like.
2. The high-performance requirement can be met, the CPU consumption in the matching process is reduced, and the memory consumption in the matching process is reduced.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a flow chart of configuration loading in a packet tagging method of the present invention;
FIG. 2 is a flow chart of label matching in a packet labeling method according to the present invention;
FIG. 3 is a diagram illustrating an example of Multi-Bit Trie node compression in a packet tagging method according to the present invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit the invention in any way. It should be noted that those skilled in the art can make various changes and modifications without departing from the spirit of the invention, all of which fall within the scope of the present invention.
Example 1:
The invention provides a data packet labeling method, which comprises the following steps:
step S1: configuration loading: reading the configuration that matches data packets to labels, and generating a corresponding label matching method;
step S2: label matching: applying different labels to data packets according to their characteristics, using the label matching method generated by configuration loading.
Specifically, referring to FIG. 1, step S1 includes the following sub-steps:
step S1.1: distinguishing quintuple features from other network layer features and application layer features; IP/PORT/IP PROTOCOL are the quintuple features, and the rest are other network layer features and application layer features;
step S1.2: constructing a Multi-Bit Trie for matching from the quintuple features, matching one byte of the quintuple features at a time; generally speaking, when the step length is n, each node in the Trie has 2^n outgoing edges, and when the Trie is generated, the data structure is compressed in different ways to remove redundant outgoing edges.
The Multi-Bit Trie only supports whitelist matching; blacklist matching requires splitting into two Multi-Bit Tries, one for processing the whitelist and the other for processing the blacklist.
step S1.3: testing whether the matching condition has only quintuple features; if the test result is True, executing step S1.4, otherwise executing step S1.5;
step S1.4: the result node of the Multi-Bit Trie points directly to the corresponding label; the input is the quintuple features, and the output is the corresponding label;
step S1.5: constructing corresponding matching functions according to the HashMap-optimization-based feature matching method, wherein the input of each function is the other network layer features and application layer features, and the output of each function is the corresponding label;
step S1.6: the result node of the Multi-Bit Trie points to the corresponding matching function; the input is the quintuple features, and the output is the corresponding matching function from step S1.5.
Specifically, referring to FIG. 2, step S2 includes the following sub-steps:
step S2.1: matching the Multi-Bit Trie directly against the data packet payload, jumping through the Multi-Bit Trie according to the payload to find the corresponding label or matching function;
step S2.2: testing whether the result of step S2.1 is a label, i.e. whether the Trie points directly to a label; if the test result is True, executing step S2.3, otherwise executing step S2.4;
step S2.3: returning the corresponding label directly;
step S2.4: extracting the feature values other than the quintuple;
step S2.5: testing whether the feature value hits the buffer, i.e. whether it is already in the buffer; if the test result is True, executing step S2.6, otherwise executing step S2.7;
step S2.6: returning the buffered label directly, without matching again;
step S2.7: inputting the feature values (the other network layer features and application layer features) to the matching function, which outputs the corresponding label;
step S2.8: putting the feature value and its corresponding label into the buffer.
Example 2:
This example is a preferred embodiment of Example 1.
Configuration loading comprises the following steps:
Matching condition 1: HTTP packets with source IP address 192.168.1.2 are labeled HTTP.
Matching condition 2: packets with source IP address 192.168.4.5 are labeled SERVER.
Step 1.1: distinguishing quintuple features from other network layer features and application layer features, wherein IP/PORT/IP PROTOCOL are the quintuple features, and the rest are the other network layer features and application layer features;
Extracted quintuple features:
Matching condition 1: the IP source is 192.168.1.2, the IP destination is arbitrary, the IP protocol is TCP, the PORT source is arbitrary, and the PORT destination is arbitrary.
Matching condition 2: the IP source is 192.168.4.5, the IP destination is arbitrary, the IP protocol is arbitrary, the PORT source is arbitrary, and the PORT destination is arbitrary.
Extracted other network layer features and application layer features:
Matching condition 1: the TCP payload is an HTTP payload.
Matching condition 2: none.
Step 1.2: constructing a Multi-Bit Trie for matching from the quintuple features, matching one byte of the quintuple features at a time. Generally speaking, when the step length is n, each node in the Trie has 2^n outgoing edges, and when the Trie is generated, the data structure is compressed in different ways to remove redundant outgoing edges.
Matching condition 1 corresponds to Trie A, matching condition 2 corresponds to Trie B, and finally Trie B is merged into Trie A, as shown in FIG. 3.
In FIG. 3, when node 1 and node 1' are merged, node 1' is merged directly into node 1 because it is the root node;
when node 4 and node 4' are merged, a new node c1 (a copy of node 4) is created because the nodes do not intersect, and the edges of node 4' are copied into node c1.
Step 1.3: testing whether the matching condition has only quintuple features; if the test result is True, step 1.4 is executed, otherwise step 1.5 is executed.
Matching condition 1: the test result is False, so step 1.5 is performed.
Matching condition 2: the test result is True, so step 1.4 is performed.
Step 1.4: the result node of the Multi-Bit Trie points directly to the corresponding label; the input is the quintuple features, and the output is the corresponding label;
Matching condition 2: node 6 points directly to the SERVER label.
Step 1.5: constructing corresponding matching functions according to the HashMap-optimization-based feature matching method, wherein the input of each function is the other network layer features and application layer features, and the output is the corresponding label;
Matching condition 1: a corresponding HTTP matching function is generated. The matching function inspects the TCP payload; if the payload begins with an HTTP feature such as 'GET', 'POST' or 'HTTP', the packet is judged to be HTTP.
Step 1.6: the result node of the Multi-Bit Trie points to the corresponding matching function; the input is the quintuple features, and the output is the corresponding matching function from step 1.5.
Matching condition 1: node 6' points to the HTTP matching function.
Process 2, labeling, comprises the following steps:
Step 2.1: matching the Multi-Bit Trie directly against the data packet payload, jumping through the Multi-Bit Trie according to the payload to find the corresponding label or matching function;
Data packet 1: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
The Multi-Bit Trie hits node 6' and the corresponding HTTP matching function is found.
Data packet 2: the IP source is 192.168.4.5, the IP destination is 192.168.4.6, the IP protocol is UDP, the PORT source is 20000, the PORT destination is 8080:
The Multi-Bit Trie hits node 6, and the corresponding label SERVER is found.
Data packet 3: the IP source is 192.168.1.7, the IP destination is 192.168.1.8, the IP protocol is TCP, the PORT source is 30000, the PORT destination is 80:
The Multi-Bit Trie hits node 5', which has neither a label nor a matching function, so processing ends directly.
Data packet 4: the IP source is 192.168.5.10, the IP destination is 192.168.1.2, the IP protocol is UDP, the PORT source is 40000, the PORT destination is 80:
The Multi-Bit Trie hits node 4, which has neither a label nor a matching function, so processing ends directly.
Data packet 5: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
The Multi-Bit Trie hits node 6' and the corresponding HTTP matching function is found.
Step 2.2: directly pointing to the corresponding label, and judging whether the result in the step 2.1 is the label or not; if the test result is true, step 2.3 is performed, otherwise step 2.4 is performed.
Data packet 1: 192.168.1.2 for IP source, 192.168.1.3 for IP destination, TCP for IP protocol, 10000 for PORT source, 80 for PORT destination:
The test result is False.
Data packet 2: the IP source is 192.168.4.5, the IP destination is 192.168.4.6, the IP protocol is UDP, the PORT source is 20000, the PORT destination is 8080:
The test result is True.
Data packet 5: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
The test result is False.
Step 2.3: directly returning the corresponding label;
data packet 2: the IP source is 192.168.4.5, the IP destination is 192.168.4.6, the IP protocol is UDP, the PORT source is 20000, the PORT destination is 8080:
the tag SERVER is returned.
Step 2.4: extracting other characteristic values except the quintuple;
data packet 1: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
the first 8 bytes of the TCP load are extracted as characteristic values: "GET/Web".
Data packet 5: 192.168.1.2 for IP source, 192.168.1.3 for IP destination, TCP for IP protocol, 10000 for PORT source, 80 for PORT destination:
the first 8 bytes of the TCP load are extracted as characteristic values: "GET/Web".
Step 2.5: testing whether the feature value hits the buffer, i.e. whether it is already in the buffer; if the test result is True, step 2.6 is performed, otherwise step 2.7 is performed.
Data packet 1: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
The test result is False.
Data packet 5: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
The test result is True.
Step 2.6: returning the buffered label directly, without matching again;
Data packet 5: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
Returning the label: the buffer entry with IP source 192.168.1.2 and IP destination 192.168.1.3 is found in the buffer, and the label HTTP is returned.
Step 2.7: inputting the characteristic value to a matching function to obtain a label; inputting other network layer characteristics and application layer characteristics to the matching function, and outputting corresponding labels;
data packet 1: the IP source is 192.168.1.2, the IP destination is 192.168.1.3, the IP protocol is TCP, the PORT source is 10000, the PORT destination is 80:
The first 8 bytes of the TCP payload are extracted as the feature value: "GET/Web".
The first 8 bytes of the TCP payload are input to the HTTP matching function obtained earlier, and the matching result is True. The output label is therefore HTTP.
Step 2.8: putting the feature value and its corresponding label into the buffer;
The quintuple (IP source 192.168.1.2, IP destination 192.168.1.3, IP protocol TCP, PORT source 10000, PORT destination 80) is used as the Key and the label HTTP as the Value, and the pair is put into the HashMap.
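The configuration-loading and label-matching flow of Example 2, as an added Python example that is not code from the patent. The 13-byte key layout, the names `Labeler`, `key_bytes` and `http_matcher`, the backtracking lookup over wildcard edges (used here in place of the node merge and compression of FIG. 3), the bounded LRU buffer keyed on matching function plus feature value, and the sample payload are all assumptions made for illustration.

```python
"""Added example: byte-stride trie on the five-tuple, then a cached matching function."""
from collections import OrderedDict
import ipaddress
import struct

ANY = None          # wildcard edge: the rule leaves this byte "arbitrary"
RESULT = "result"   # key under which a terminal node stores its label or matcher
PROTO = {"TCP": 6, "UDP": 17}


def key_bytes(src, dst, proto, sport, dport):
    """Serialise a five-tuple to 13 byte-edges (assumed layout); None means arbitrary."""
    def ip(addr):
        return [ANY] * 4 if addr is None else list(ipaddress.IPv4Address(addr).packed)

    def port(num):
        return [ANY] * 2 if num is None else list(struct.pack("!H", num))

    return ip(src) + ip(dst) + [ANY if proto is None else PROTO[proto]] + port(sport) + port(dport)


def http_matcher(feature):
    """Matching function for condition 1: the payload starts with an HTTP token."""
    return "HTTP" if feature.startswith((b"GET", b"POST", b"HTTP")) else None


class Labeler:
    def __init__(self, cache_size=1024):
        self.root = {}
        self.cache = OrderedDict()  # bounded LRU: varying payloads cannot grow it without limit
        self.cache_size = cache_size
        self.matcher_calls = 0      # exposed so a buffer hit is observable

    def add_rule(self, five_tuple, result):
        """S1.2-S1.6: result is a label (str) for five-tuple-only rules, else a matcher."""
        node = self.root
        for edge in key_bytes(*five_tuple):
            node = node.setdefault(edge, {})
        node[RESULT] = result

    def _walk(self, node, key, i):
        """Follow the exact byte edge first, then the wildcard edge, backtracking on failure."""
        if i == len(key):
            return node.get(RESULT)
        for edge in (key[i], ANY):
            child = node.get(edge)
            if child is not None:
                hit = self._walk(child, key, i + 1)
                if hit is not None:
                    return hit
        return None

    def label(self, src, dst, proto, sport, dport, payload=b""):
        hit = self._walk(self.root, key_bytes(src, dst, proto, sport, dport), 0)  # S2.1
        if hit is None or isinstance(hit, str):  # S2.2/S2.3; None means no rule matched
            return hit
        feature = payload[:8]                    # S2.4: first 8 payload bytes
        ckey = (hit, feature)                    # assumed key: matcher + feature value
        if ckey in self.cache:                   # S2.5/S2.6: buffer hit
            self.cache.move_to_end(ckey)
            return self.cache[ckey]
        self.matcher_calls += 1
        tag = hit(feature)                       # S2.7
        self.cache[ckey] = tag                   # S2.8
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)       # evict the least recently used entry
        return tag


def build_example():
    """The two matching conditions of Example 2."""
    lab = Labeler()
    lab.add_rule(("192.168.1.2", None, "TCP", None, None), http_matcher)  # condition 1
    lab.add_rule(("192.168.4.5", None, None, None, None), "SERVER")       # condition 2
    return lab


if __name__ == "__main__":
    lab = build_example()
    http_payload = b"GET /Web/index.html HTTP/1.1\r\n"  # constructed sample payload
    packets = [  # five-tuples of data packets 1-5 from the text
        ("192.168.1.2", "192.168.1.3", "TCP", 10000, 80, http_payload),
        ("192.168.4.5", "192.168.4.6", "UDP", 20000, 8080, b""),
        ("192.168.1.7", "192.168.1.8", "TCP", 30000, 80, http_payload),
        ("192.168.5.10", "192.168.1.2", "UDP", 40000, 80, b""),
        ("192.168.1.2", "192.168.1.3", "TCP", 10000, 80, http_payload),
    ]
    for n, pkt in enumerate(packets, 1):
        print(n, lab.label(*pkt[:5], payload=pkt[5]), "matcher calls:", lab.matcher_calls)
```

Because the buffer is keyed on the first payload bytes, a sender who varies them on every packet forces a miss each time, which is the degradation the Background describes; the size bound keeps that from also becoming a memory problem.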
Those skilled in the art will appreciate that, in addition to implementing the system and its various devices, modules, units provided by the present invention as pure computer readable program code, the system and its various devices, modules, units provided by the present invention can be fully implemented by logically programming method steps in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system and various devices, modules and units thereof provided by the invention can be regarded as a hardware component, and the devices, modules and units included in the system for realizing various functions can also be regarded as structures in the hardware component; means, modules, units for realizing various functions can also be regarded as structures in both software modules and hardware components for realizing the methods.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.

Claims (2)

1. A method for labeling a packet, comprising the steps of:
step S1: loading configuration, reading the configuration of the matching tags of the data packet, and generating a corresponding tag matching method;
step S2: label matching, namely marking different labels on the data packet according to the characteristics of the data packet according to a label matching method generated by configuration loading;
the step S1 includes the following substeps:
step S1.1: distinguishing quintuple characteristics from other network layer characteristics and application layer characteristics;
step S1.2: constructing a matched Multi-Bit Trie according to the quintuple characteristics, and matching one byte each time according to the quintuple characteristics;
step S1.3: the matching condition has only five-tuple characteristics; if the test result is True, executing step S1.4, otherwise executing step S1.5;
step S1.4: the result corresponding to the Multi-Bit Trie directly points to the corresponding label, the input is quintuple characteristics, and the output is the corresponding label;
step S1.5: constructing corresponding matching functions according to a HashMap optimization-based feature matching method, wherein the input of each function is other network layer features and application layer features, and the output is a corresponding label;
step S1.6: the result corresponding to the Multi-Bit Trie points to the corresponding other matching functions, the input is the quintuple feature, and the output is the corresponding matching function in the step S1.5;
in the step S1.1, IP/PORT/IP PROTOCOL are quintuple features, VLAN/MPLS/VXLAN are other network layer features, and HTTP/DNS are application layer features;
in the step S1.2, the step length is set to n, and each node in the Multi-Bit Trie has 2^n outgoing edges; when generating, the data structure is compressed in different ways to remove redundant edges;
the step S2 includes the following substeps:
step S2.1: directly matching the Multi-Bit Trie according to the data packet load, and directly jumping in the Multi-Bit Trie according to the data packet load to find a corresponding label or a matching function;
step S2.2: directly pointing to the corresponding label, and judging whether the result in the step S2.1 is the label or not; if the test result is true, executing step S2.3, otherwise executing step S2.4;
step S2.3: directly returning the corresponding label;
step S2.4: extracting other characteristic values except the quintuple;
step S2.5: judging whether the characteristic value can hit the buffer area, that is, whether the characteristic value is in the buffer area; if the test result is True, executing step S2.6, otherwise executing step S2.7;
step S2.6: returning the buffered label, and directly returning the label without matching again;
step S2.7: inputting the characteristic value to a matching function to obtain a label; inputting other network layer characteristics and application layer characteristics to a matching function, and outputting corresponding labels;
step S2.8: and putting the label into a buffer area, and putting the characteristic value and the label corresponding to the characteristic value into the buffer area.
2. A packet tagging system, characterized by: the system comprises the following modules:
a module M1: loading configuration, reading the configuration of the matching tags of the data packet, and generating a corresponding tag matching method;
a module M2: label matching, namely marking different labels on the data packet according to the characteristics of the data packet according to a label matching method generated by configuration loading;
the module M1 comprises the following sub-modules:
module M1.1: distinguishing quintuple characteristics from other network layer characteristics and application layer characteristics;
module M1.2: constructing a matched Multi-Bit Trie according to the quintuple characteristics, and matching one byte each time according to the quintuple characteristics;
module M1.3: the matching condition has only five-tuple characteristics; if the test result is true, executing the module M1.4, otherwise executing the module M1.5;
module M1.4: the result corresponding to the Multi-Bit Trie directly points to the corresponding label, the input is quintuple characteristics, and the output is the corresponding label;
module M1.5: constructing corresponding matching functions according to a HashMap optimization-based feature matching method, wherein the input of each function is other network layer features and application layer features, and the output is a corresponding label;
module M1.6: the result corresponding to the Multi-Bit Trie points to the corresponding other matching functions, the input is the quintuple characteristics, and the output is the corresponding matching function in the corresponding module M1.5;
in the module M1.1, IP/PORT/IPPROTOCOL is a quintuple feature, VLAN/MPLS/VXLAN is other network layer features, and HTTP/DNS is an application layer feature;
in the module M1.2, the step length is set to be n, and the outgoing edge of each node in the Multi-Bit Trie is set to be 2^n; when generating, adopting different modes to compress the data structure and removing redundant edges;
the module M2 comprises the following sub-steps:
module M2.1: directly matching the Multi-Bit Trie according to the data packet load, and directly jumping in the Multi-Bit Trie according to the data packet load to find a corresponding label or a matching function;
module M2.2: directly points to the corresponding label, and judges whether the result in the module M2.1 is the label; if the test result is true, executing the module M2.3, otherwise executing the module M2.4;
module M2.3: directly returning the corresponding label;
module M2.4: extracting other characteristic values except the quintuple;
module M2.5: judging whether the characteristic value can hit the buffer area or not and judging whether the characteristic value is in the buffer area or not; if the test result is true, executing the module M2.6, otherwise executing the module M2.7;
module M2.6: returning the buffered label, and directly returning the label without matching again;
module M2.7: inputting the characteristic value to a matching function to obtain a label; inputting other network layer characteristics and application layer characteristics to the matching function, and outputting corresponding labels;
module M2.8: and putting the label into a buffer area, and putting the characteristic value and the label corresponding to the characteristic value into the buffer area.
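
The load-then-match flow of claims 1 and 2 (steps S1.2 to S1.6 and S2.1 to S2.8), as an added Python example that is not code from the patent. The key layout (protocol, destination port, optional destination IPv4 address), the longest-prefix behaviour, the bounded cache and all rule and label names are assumptions made for illustration.

```python
import socket, struct

def key_bytes(proto, dport, dst_ip=None):
    # Assumed key layout (not from the patent): protocol, dst port, optional dst IPv4.
    k = struct.pack("!BH", proto, dport)
    return k + socket.inet_aton(dst_ip) if dst_ip else k

def hashmap_matcher(fields, table, default=None):
    # S1.5: a matching function that is one dict lookup over non-five-tuple features.
    return lambda feats: table.get(tuple(feats.get(f) for f in fields), default)

class PacketLabeler:
    def __init__(self, cache_max=1024):
        self.root = {}              # stride n=8: at most 2**8 edges per node, stored sparsely
        self.cache = {}             # (matcher, feature values) -> label
        self.cache_max = cache_max  # assumed bound: feature values come from untrusted traffic
        self.matcher_calls = 0

    def add_rule(self, key, target):
        # S1.4/S1.6: target is a label (str) or a matching function.
        node = self.root
        for b in key:
            node = node.setdefault(b, {})
        node["target"] = target

    def label(self, key, feats=None):
        node, target = self.root, None
        for b in key:                               # S2.1: one byte per jump
            node = node.get(b)
            if node is None:
                break
            target = node.get("target", target)     # keep the longest rule matched so far
        if target is None or isinstance(target, str):
            return target                           # S2.2/S2.3: direct label (or no rule)
        ck = (target, tuple(sorted((feats or {}).items())))   # S2.4
        if ck in self.cache:                        # S2.5/S2.6: cache hit
            return self.cache[ck]
        self.matcher_calls += 1
        lab = target(feats or {})                   # S2.7
        if len(self.cache) >= self.cache_max:
            self.cache.pop(next(iter(self.cache)))  # evict the oldest entry
        self.cache[ck] = lab                        # S2.8
        return lab

def build_demo():
    # Constructed rules and labels, for illustration only.
    lb = PacketLabeler()
    lb.add_rule(key_bytes(6, 22), "ssh")
    lb.add_rule(key_bytes(17, 53, "192.0.2.53"), "internal-dns")
    lb.add_rule(key_bytes(6, 80), hashmap_matcher(
        ("vlan", "http_host"), {(100, "example.com"): "web-prod"}, "web-other"))
    return lb
```

Because the cached feature values (VLAN tags, HTTP hosts, DNS names) are taken from packet contents, the cache is size-bounded here so that traffic with many distinct values cannot grow it without limit.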
CN202110625820.XA 2021-06-04 2021-06-04 Data packet labeling method and system Active CN113360740B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110625820.XA CN113360740B (en) 2021-06-04 2021-06-04 Data packet labeling method and system

Publications (2)

Publication Number Publication Date
CN113360740A (en) 2021-09-07
CN113360740B (en) 2022-10-11

Family

ID=77532355

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110625820.XA Active CN113360740B (en) 2021-06-04 2021-06-04 Data packet labeling method and system

Country Status (1)

Country Link
CN (1) CN113360740B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114822077A (en) * 2022-06-27 2022-07-29 深圳市奇见科技有限公司 Scheduling management system of intelligent stereo garage

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101567854A (en) * 2009-05-26 2009-10-28 武汉烽火网络有限责任公司 Ethernet data frame VLAN double-layer label processing device and method based on flow classification
WO2012167559A1 (en) * 2011-06-10 2012-12-13 中兴通讯股份有限公司 Method and triple layer device for fast forwarding data packets
CN104333510A (en) * 2014-11-24 2015-02-04 重庆邮电大学 Label switching forwarding strategy in named date network
CN104660460A (en) * 2015-01-15 2015-05-27 北京奥普维尔科技有限公司 System and method for testing performance of Ethernet
CN107181736A (en) * 2017-04-21 2017-09-19 湖北微源卓越科技有限公司 Based on 7 layers of network data packet classification method applied and system

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1305276C (en) * 2004-01-15 2007-03-14 中兴通讯股份有限公司 Method and system for immediately processing real time media stream data packets
CN101764741B (en) * 2009-11-27 2012-06-06 上海恒为信息科技有限公司 Filtering and shunting device and method supporting multi-service function
CN102523241B (en) * 2012-01-09 2014-11-19 北京邮电大学 Method and device for classifying network traffic on line based on decision tree high-speed parallel processing
US9098601B2 (en) * 2012-06-27 2015-08-04 Futurewei Technologies, Inc. Ternary content-addressable memory assisted packet classification
CN102739473B (en) * 2012-07-09 2015-06-24 南京中新赛克科技有限责任公司 Network detecting method using intelligent network card
CN103051605B (en) * 2012-11-21 2016-06-29 国家计算机网络与信息安全管理中心 A kind of data package processing method, device and system
CN103746892B (en) * 2013-11-27 2016-01-13 北京邮电大学 A kind of SDN virtualization platform uplink signaling flow label processing method based on OpenFlow
EP3091695B1 (en) * 2014-01-29 2018-10-24 Huawei Technologies Co., Ltd. Wireless network system

Also Published As

Publication number Publication date
CN113360740A (en) 2021-09-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant