CN113810310A - Flow acquisition method, device, equipment and storage medium - Google Patents


Publication number
CN113810310A
Authority
CN
China
Legal status
Pending
Application number
CN202111060765.0A
Other languages
Chinese (zh)
Inventor
向阳
解培
邓鑫
苑超
Current Assignee
BEIJING YUNSHAN NETWORKS Inc
China Everbright Bank Co Ltd
Original Assignee
BEIJING YUNSHAN NETWORKS Inc
China Everbright Bank Co Ltd
Application filed by BEIJING YUNSHAN NETWORKS Inc, China Everbright Bank Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/32 Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention disclose a traffic collection method, apparatus, device, and storage medium. The method comprises: obtaining a target data packet in a virtual network and extracting the data packet information it contains; obtaining pre-configured collection point information and comparing the data packet information with it; and collecting the target data packet according to the comparison result so that traffic analysis can be performed. In a virtual network environment formed by multiple servers, the method analyzes local information of each data packet to determine whether duplicate data packets exist, so that the traffic receiving device receives no duplicate data packets. This lowers the capability required of the traffic receiving device, reduces the network bandwidth consumed by collecting duplicate traffic, and reduces the misjudgment caused by comparing complete data packet contents.

Description

Flow acquisition method, device, equipment and storage medium
Technical Field
Embodiments of the invention relate to the technical field of computer network performance monitoring, and in particular to a traffic collection method, apparatus, device, and storage medium.
Background
Traffic collection is a prerequisite for computer network performance monitoring. In virtual network environments such as virtualization and containers, virtual switches exist inside physical servers and virtual machines, so two virtual machines or containers can communicate directly without passing through a physical switch. Typically, traffic is collected by capturing the traffic of every virtual network card on the virtual switch. For example, when virtual machine A sends a data packet to virtual machine B, the data packet may be mirrored to the traffic receiving device once at the virtual network card of virtual machine A and once at the virtual network card of virtual machine B. Collecting and analyzing traffic this way therefore causes the traffic receiving device to collect duplicate traffic.
In the prior art, mirrored traffic is usually deduplicated by relying on the deduplication capability of the traffic receiving device. This is deduplication after collection, so the duplicate traffic has already been collected and causes additional consumption of network bandwidth. In addition, the contents of complete data packets need to be compared during deduplication, which may cause deduplication misjudgment and affect the accuracy of traffic analysis.
Disclosure of Invention
Embodiments of the present invention provide a traffic collection method, apparatus, device, and storage medium, which can reduce network bandwidth consumption caused by collecting and sending duplicate data packets, and reduce misjudgment caused by comparing complete data packet contents in a traffic receiving device.
In a first aspect, an embodiment of the present invention provides a traffic collection method, where the method includes:
obtaining a target data packet in a virtual network, and extracting the data packet information contained in the target data packet;
obtaining pre-configured collection point information, and comparing the data packet information with the pre-configured collection point information;
and collecting the target data packet according to the comparison result, so as to perform traffic analysis.
In a second aspect, an embodiment of the present invention further provides a traffic collection apparatus, where the apparatus includes:
a data packet information extraction module, configured to obtain a target data packet in a virtual network and extract the data packet information contained in the target data packet;
an information comparison module, configured to obtain pre-configured collection point information and compare the data packet information with the pre-configured collection point information;
and a target data packet collection module, configured to collect the target data packet according to the comparison result, so as to perform traffic analysis.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes:
one or more processors;
a storage device for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement a traffic collection method as described in any embodiment of the invention.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a traffic collection method according to any embodiment of the present invention.
In the technical solution of the embodiment of the invention, a target data packet in the virtual network is obtained and the data packet information it contains is extracted; pre-configured collection point information is obtained and compared with the data packet information; and the target data packet is collected according to the comparison result so that traffic analysis can be performed. This solves the problem of deduplication at traffic collection time, lowers the capability required of the traffic receiving device, reduces the network bandwidth consumed by collecting duplicate traffic, and reduces the misjudgment caused by comparing complete data packet contents.
Drawings
Fig. 1 is a flowchart of a traffic collection method according to an embodiment of the present invention;
Fig. 2 is a flowchart of another traffic collection method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an application of a traffic collection method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an application of another traffic collection method provided in an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a traffic collection apparatus according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Fig. 1 is a flowchart of a traffic collection method provided in an embodiment of the present invention. This embodiment is applicable to collecting data packets in a virtual network environment and removing duplicate traffic when performing traffic analysis for network performance monitoring, so that the traffic receiving device receives only one complete copy of each data packet for back-end traffic analysis. The method may be executed by a traffic collection apparatus, which may be implemented in software and/or hardware and may be integrated in an electronic device such as a virtualization host, a container node, or a virtual machine. As shown in Fig. 1, the method specifically includes:
Step 110, obtaining a target data packet in the virtual network, and extracting the data packet information contained in the target data packet.
The target data packet may be a unit of data transmitted in the virtual network environment. Specifically, virtual machine A may send the target data packet to virtual machine B. The target data packet may be a data packet to be collected for traffic analysis. In the prior art, when virtual machine A sends a target data packet to virtual machine B, mirroring at the virtual network cards of virtual machine A and virtual machine B yields two identical copies of the data packet, and sending both copies to the traffic receiving device for traffic analysis occupies twice the bandwidth.
In the embodiment of the present invention, the target data packet need not be sent first. Instead, the data packet information of the target data packet is extracted first so that duplicate data packets can be removed (deduplication), and only then is the traffic collected and sent. The data packet information may be information for determining whether the data packet is within the collection range. Further, the data packet information may be information for determining whether a data packet within the collection range also meets the collection requirement for a specified direction.
According to the technical solution of the embodiment of the invention, the collection range and the collection direction can be determined from the data packet information, and whether the collection requirement is met is determined by comparing them with the collection point information, thereby deduplicating duplicate traffic.
Specifically, in an optional implementation of the embodiment of the present invention, obtaining a target data packet in a virtual network and extracting the data packet information contained in the target data packet includes: obtaining a target data packet in the virtual network, and extracting the source IP address and the destination IP address contained in the target data packet.
The source Internet Protocol (IP) address and the destination IP address may be the IP addresses of the sending end and the receiving end of the target data packet, respectively. For example, when virtual machine A sends a target data packet to virtual machine B, the source IP address may be the IP address of virtual machine A, and the destination IP address may be the IP address of virtual machine B. The source IP address and the destination IP address may be used to determine whether the data packet is within the collection range.
Step 120, obtaining the pre-configured collection point information, and comparing the data packet information with the pre-configured collection point information.
The collection point information may be information indicating the traffic collection range. In an optional implementation of the embodiment of the present invention, the collection point information includes an IP address set formed by the IP addresses of at least one virtual machine targeted for collection. For example, the collection point information may indicate that the data packets of virtual machine A, virtual machine B, and virtual machine C need to be collected. The collection point information may then include the IP addresses of virtual machine A, virtual machine B, and virtual machine C, and the IP address set formed by those IP addresses.
In the embodiment of the present invention, comparing the data packet information with the pre-configured collection point information may mean determining whether the data packet information is contained in the collection point information. That is, the comparison determines whether the data packet information falls within the collection range indicated by the collection point information.
Specifically, in an optional implementation of the embodiment of the present invention, comparing the data packet information with the pre-configured collection point information includes: comparing the source IP address and the destination IP address, respectively, with the IP addresses in the IP address set.
The comparison may determine whether the IP address set includes the source IP address or the destination IP address. If the source IP address is in the IP address set, the target data packet corresponding to the source IP address is within the collection range. If the destination IP address is in the IP address set, the target data packet corresponding to the destination IP address is within the collection range.
Step 130, collecting the target data packet according to the comparison result, so as to perform traffic analysis.
When the comparison fails, that is, the data packet information does not fall within the collection range indicated by the collection point information, the target data packet may be left uncollected. When the comparison succeeds, that is, the data packet information falls within the collection range indicated by the collection point information, the target data packet may be collected. Further, the data packet information may also include information about the collection requirement for a specified direction, and the collection point information may likewise restrict the collection direction. When the data packet information satisfies both the collection range and the specified direction indicated by the collection point information, the target data packet may be collected; otherwise, the target data packet is not collected.
Specifically, in an optional implementation of the embodiment of the present invention, collecting the target data packet according to the comparison result to perform traffic analysis includes: if the comparison result is that only the source IP address or only the destination IP address is in the IP address set, collecting the target data packet; and if the comparison result is that neither the source IP address nor the destination IP address is in the IP address set, not collecting the target data packet.
When only the source IP address or only the destination IP address is in the IP address set, the target data packet is being sent from the virtual machine with the source IP address to the virtual machine with the destination IP address, and only the virtual machine at one end is within the collection range. The target data packet can then be collected, and only one copy is collected, with no duplicate. In other words, deduplication is performed at collection time, which saves bandwidth resources.
When neither the source IP address nor the destination IP address is in the IP address set, the target data packet sent from the virtual machine with the source IP address to the virtual machine with the destination IP address is outside the collection range, and collection of the target data packet can be skipped.
Further, in an optional implementation of the embodiment of the present invention, collecting the target data packet according to the comparison result to perform traffic analysis includes: if the comparison result is that both the source IP address and the destination IP address are in the IP address set, determining the sending or receiving direction of the target data packet; and collecting the target data packet according to the sending or receiving direction, so as to perform traffic analysis.
When both the source IP address and the destination IP address are in the IP address set, the target data packet is being sent from the virtual machine with the source IP address to the virtual machine with the destination IP address, and the virtual machines at both ends are within the collection range. If the target data packet were collected directly in this case, a duplicate copy could be collected, that is, the same target data packet would be collected twice. To deduplicate the target data packet, the embodiment of the present invention may determine the sending or receiving direction of the target data packet and then collect it according to that direction. By checking both the collection range and the collection direction, only one copy of the target data packet is collected, with no duplicate. In other words, deduplication is performed at collection time, which saves bandwidth resources.
Specifically, in an optional implementation of the embodiment of the present invention, determining the sending or receiving direction of the target data packet includes: extracting the source MAC address and the destination MAC address contained in the target data packet, and obtaining the MAC address of the virtual network card corresponding to the traffic collection network port; and determining the sending or receiving direction of the target data packet according to the results of comparing the source MAC address and the destination MAC address, respectively, with the MAC address of the virtual network card.
The source Media Access Control (MAC) address and the destination MAC address may also be data packet information contained in the target data packet. They may be used to indicate whether the target data packet meets the collection requirement for a specified direction. Virtual network cards are installed on the virtual machines corresponding to the source IP address and the destination IP address, and the MAC addresses of these virtual network cards serve as the source MAC address and the destination MAC address, respectively. The MAC address of the virtual network card of the traffic collection network port may be the MAC address of the virtual network card of the virtual machine or container that executes the method of the embodiment of the present invention. Specifically, virtual machine A may execute the method of the embodiment of the present invention to collect traffic, in which case the MAC address of the virtual network card of the traffic collection network port may be the MAC address of the virtual network card of virtual machine A. When the source MAC address matches the MAC address of the virtual network card, the target data packet is in the sending direction: for example, virtual machine A is sending the target data packet to the virtual machine corresponding to the destination MAC address. When the destination MAC address matches the MAC address of the virtual network card, the target data packet is in the receiving direction: for example, virtual machine A is receiving the target data packet from the virtual machine corresponding to the source MAC address.
In the embodiment of the invention, traffic can be collected according to the sending or receiving direction of the target data packet. Specifically, in an optional implementation of the embodiment of the present invention, collecting the target data packet according to the sending or receiving direction to perform traffic analysis includes: collecting only target data packets in the sending direction for traffic analysis; or collecting only target data packets in the receiving direction for traffic analysis.
Collecting only target data packets in the sending direction, or only target data packets in the receiving direction, may mean that all virtual machines executing the method of the embodiment of the present invention collect target data packets in the same direction. For example, all the virtual machines collect target data packets in the sending direction, or all the virtual machines collect target data packets in the receiving direction. This achieves unidirectional traffic collection, avoids duplicate traffic, and reduces bandwidth consumption. It also spares the downstream traffic collection and analysis device from deduplicating traffic based on data packet contents, and so avoids deduplication misjudgment. For example, when multiple identical data packets exist in the network because of a loop or an attack, deduplication based on comparing data packet contents may cause misjudgment. The technical solution of the embodiment of the invention avoids this problem and improves the accuracy of traffic analysis.
It should be further noted that the sending or receiving direction of the target data packet may be determined in other ways in the embodiments of the present invention. For example, when the comparison shows that the source IP address is the same as the IP address corresponding to the traffic collection network port, the target data packet may be determined to be in the sending direction; when the comparison shows that the destination IP address is the same as the IP address corresponding to the traffic collection network port, the target data packet may be determined to be in the receiving direction. The IP address corresponding to the traffic collection network port may be the IP address of the virtual machine or container that executes the method of the embodiment of the present invention to collect traffic.
In the technical solution of this embodiment, a target data packet in the virtual network is obtained and the data packet information it contains is extracted; pre-configured collection point information is obtained and compared with the data packet information; and the target data packet is collected according to the comparison result so that traffic analysis can be performed. This solves the problem of deduplication at traffic collection time, so that the traffic receiving device receives no duplicate data packets, the capability required of the traffic receiving device is lowered, and the network bandwidth consumed by collecting duplicate traffic is reduced. It also reduces the deduplication misjudgment caused by comparing complete data packet contents. Specifically, in the network environment of a distributed cluster, each server can independently collect traffic and analyze local information using the technical solution of the embodiment of the invention to complete traffic deduplication, so that only deduplicated traffic is sent to the traffic receiving device and the bandwidth occupied by collected traffic is reduced.
Fig. 2 is a flowchart of another traffic collection method according to an embodiment of the present invention. This embodiment further refines the technical solutions above, and the technical solutions in this embodiment may be combined with the alternatives in one or more of the embodiments above. As shown in Fig. 2, the method includes:
Step 210, obtaining pre-configured collection point information issued by a user side through a controller, where the collection point information includes an IP address set formed by the IP addresses of at least one virtual machine targeted for collection.
Step 220, when a target data packet in the virtual network is obtained, extracting the data packet information contained in the target data packet, where the data packet information includes a source IP address, a destination IP address, a source MAC address, and a destination MAC address.
Step 230, comparing the source IP address and the destination IP address, respectively, with the IP addresses in the IP address set.
Step 240, if only the source IP address or only the destination IP address is in the IP address set, collecting the target data packet for traffic analysis, and ending.
Step 250, if neither the source IP address nor the destination IP address is in the IP address set, not collecting the target data packet, and ending.
Step 260, if both the source IP address and the destination IP address are in the IP address set, comparing the source MAC address and the destination MAC address, respectively, with the MAC address of the virtual network card corresponding to the traffic collection network port.
Step 270, determining the sending or receiving direction of the target data packet according to the comparison result.
Step 280, collecting only target data packets in the sending direction for traffic analysis; or collecting only target data packets in the receiving direction for traffic analysis, and ending.
According to the technical solution of the embodiment of the invention, the traffic receiving device can be deployed according to actual requirements, and the specified traffic is collected without requiring deployment across the whole network. The solution meets flexibly changing traffic collection requirements, supports unidirectional traffic collection on the virtual machines or containers that run the traffic collection method, performs deduplication at traffic collection time, and allows the traffic to be analyzed accurately.
Fig. 3 is a schematic diagram of an application of the traffic collection method according to the embodiment of the present invention. As shown in Fig. 3, traffic collection is performed on a virtual machine VM-A, whose IP address is 10.1.2.3. Communication between VM-A and other IP addresses satisfies the condition that only the source IP address or only the destination IP address is in the IP address set (the IP address of VM-A is always in the IP address set of the collection point information, and VM-A may be either the sender or the receiver of the traffic), so all traffic of VM-A can be collected and sent to the traffic collection and analysis device for traffic analysis. The collected traffic is already deduplicated, so it causes no traffic analysis misjudgment and occupies no extra bandwidth resources.
Fig. 4 is a schematic diagram of another application of the traffic collection method according to the embodiment of the present invention. As shown in Fig. 4, traffic collection is performed on VM-A, VM-B, and VM-C, whose IP addresses are 10.1.2.3, 10.1.2.4, and 10.1.2.5, respectively. Communication between VM-A, VM-B, VM-C and other, external IP addresses satisfies the condition that only the source IP address or only the destination IP address is in the IP address set (the IP addresses of VM-A, VM-B, and VM-C are always in the IP address set of the collection point information, and VM-A, VM-B, and VM-C may each be either the sender or the receiver of traffic), so the traffic between VM-A, VM-B, VM-C and the external IP addresses can be collected and sent to the traffic collection and analysis device for traffic analysis. Traffic among VM-A, VM-B, and VM-C, by contrast, satisfies the condition that both the source IP address and the destination IP address are in the IP address set.
Taking the communication between VM-B and VM-C as an example, the sending or receiving direction of the traffic can be determined. Specifically, when the source MAC address in a data packet matches the MAC address of VM-B, VM-B is sending the data packet; when the destination MAC address in a data packet matches the MAC address of VM-B, VM-B is receiving the data packet. Likewise, when the source MAC address in a data packet matches the MAC address of VM-C, VM-C is sending the data packet; and when the destination MAC address in a data packet matches the MAC address of VM-C, VM-C is receiving the data packet.
In the embodiment of the invention, the data packets sent by VM-B and VM-C can be collected; alternatively, the data packets received by VM-B and VM-C can be collected. For example, when VM-B sends a data packet to VM-C, the source MAC address of the data packet matches the MAC address of VM-B, and the destination MAC address matches the MAC address of VM-C. On the VM-B side, data packets whose source MAC address matches the MAC address of VM-B can be collected (sending-direction data packets are collected); on the VM-C side, data packets whose destination MAC address matches the MAC address of VM-C are then not collected (receiving-direction data packets are not collected). Alternatively, on the VM-B side, data packets whose destination MAC address matches the MAC address of VM-B can be collected (receiving-direction data packets are collected); on the VM-C side, data packets whose source MAC address matches the MAC address of VM-C are then not collected (sending-direction data packets are not collected). This deduplicates the data packets, avoids collecting duplicate traffic, saves network transmission bandwidth, and improves the accuracy of traffic analysis.
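The Fig. 2 procedure (steps 220 to 280) applied to the Fig. 4 addresses, as an added example that is not code from the patent or its applicants. It goes one step beyond the text by counting the copies that reach the traffic receiving device, which shows why every capture point must use the same direction. All function names, the MAC addresses, the external address 192.0.2.10 and the choice to skip non-IPv4 frames are assumptions made for the example.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100  # a single 802.1Q tag is skipped


def parse_frame(frame: bytes):
    """Extract (src_mac, dst_mac, src_ip, dst_ip) from an Ethernet/IPv4 frame.

    Returns None for truncated or non-IPv4 frames (for example ARP).
    """
    if len(frame) < 14:
        return None
    dst_mac, src_mac = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    if frame[offset] >> 4 != 4:  # IP version nibble
        return None
    src_ip = ipaddress.IPv4Address(frame[offset + 12:offset + 16])
    dst_ip = ipaddress.IPv4Address(frame[offset + 16:offset + 20])
    return src_mac, dst_mac, src_ip, dst_ip


def should_collect(frame, collection_ips, vnic_mac, direction="send"):
    """Decide at one capture point (one vNIC) whether to forward the frame."""
    if direction not in ("send", "receive"):
        raise ValueError("direction must be 'send' or 'receive'")
    info = parse_frame(frame)
    if info is None:
        return False  # assumption: this sketch only handles IPv4 frames
    src_mac, dst_mac, src_ip, dst_ip = info
    src_in, dst_in = src_ip in collection_ips, dst_ip in collection_ips
    if not src_in and not dst_in:
        return False  # step 250: outside the collection range
    if src_in != dst_in:
        return True  # step 240: only one end is in range, so one copy exists
    # Steps 260-280: both ends are in range, keep one direction only.
    if direction == "send":
        return src_mac == vnic_mac
    return dst_mac == vnic_mac


def copies_forwarded(frame, taps, collection_ips):
    """Count copies sent to the receiver; taps is [(vnic_mac, direction), ...]."""
    return sum(should_collect(frame, collection_ips, mac, d) for mac, d in taps)


def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Build a minimal Ethernet + IPv4 header (constructed test input)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


# Constructed sample data: IPs from Fig. 4, MAC addresses invented here.
MAC_B = bytes.fromhex("020000000004")
MAC_C = bytes.fromhex("020000000005")
MAC_GW = bytes.fromhex("0200000000fe")  # hypothetical next hop to external hosts
COLLECTION_IPS = {ipaddress.IPv4Address(a)
                  for a in ("10.1.2.3", "10.1.2.4", "10.1.2.5")}

B_TO_C = build_frame(MAC_B, MAC_C, "10.1.2.4", "10.1.2.5")
C_TO_B = build_frame(MAC_C, MAC_B, "10.1.2.5", "10.1.2.4")
B_TO_EXT = build_frame(MAC_B, MAC_GW, "10.1.2.4", "192.0.2.10")

if __name__ == "__main__":
    uniform = [(MAC_B, "send"), (MAC_C, "send")]
    mixed = [(MAC_B, "send"), (MAC_C, "receive")]
    print("B->C, all 'send':", copies_forwarded(B_TO_C, uniform, COLLECTION_IPS))
    print("B->C, mixed     :", copies_forwarded(B_TO_C, mixed, COLLECTION_IPS))
    print("C->B, mixed     :", copies_forwarded(C_TO_B, mixed, COLLECTION_IPS))
    print("B->external     :", should_collect(B_TO_EXT, COLLECTION_IPS, MAC_B))
```

With mismatched directions on VM-B and VM-C, one flow direction is forwarded twice and the other not at all, so a deployment check should confirm that the direction setting is identical on every capture point.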
Fig. 5 is a schematic structural diagram of a traffic collection device according to an embodiment of the present invention. With reference to Fig. 5, the device comprises: a data packet information extraction module 510, an information comparison module 520 and a target data packet collection module 530. Wherein:
a packet information extraction module 510, configured to obtain a target packet in the virtual network, and extract packet information included in the target packet;
an information comparison module 520, configured to obtain preconfigured acquisition point information, and perform information comparison between the data packet information and the preconfigured acquisition point information;
and a target data packet collecting module 530, configured to collect a target data packet according to the information comparison result, so as to perform traffic analysis.
Optionally, the data packet information extraction module 510 includes:
an IP address extraction unit, configured to obtain a target data packet in the virtual network and extract the source IP address and the destination IP address contained in the target data packet.
Optionally, the acquisition point information includes: an IP address set formed by the IP address of at least one target collected virtual machine;
the information comparison module 520 includes:
an information comparison unit, configured to compare the source IP address and the destination IP address, respectively, with the IP addresses in the IP address set.
Optionally, the target data packet collection module 530 includes:
a first collection unit, configured to collect the target data packet if the information comparison result is that only the source IP address or the destination IP address is in the IP address set;
and a second collection unit, configured not to collect the target data packet if the information comparison result is that neither the source IP address nor the destination IP address is in the IP address set.
Optionally, the target data packet collection module 530 includes:
a direction determining unit, configured to determine the sending or receiving direction of the target data packet if the information comparison result is that both the source IP address and the destination IP address are in the IP address set;
and a third collection unit, configured to collect the target data packet according to the sending or receiving direction for traffic analysis.
Optionally, the direction determining unit includes:
a MAC address extraction subunit, configured to extract the source MAC address and the destination MAC address contained in the target data packet and to obtain the MAC address of the virtual network card corresponding to the traffic collection network port;
and a direction determining subunit, configured to determine the sending or receiving direction of the target data packet according to the results of comparing the source MAC address and the destination MAC address, respectively, with the MAC address of the virtual network card.
Optionally, the third collection unit includes:
a collection subunit, configured to collect only target data packets in the sending direction for traffic analysis; or to collect only target data packets in the receiving direction for traffic analysis.
The traffic collection device provided by the embodiment of the invention can execute the traffic collection method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to the executed method.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, and as shown in fig. 6, the electronic device includes:
one or more processors 610, one processor 610 being exemplified in fig. 6;
a memory 620;
the apparatus may further include: an input device 630 and an output device 640.
The processor 610, the memory 620, the input device 630 and the output device 640 of the apparatus may be connected by a bus or other means, and fig. 6 illustrates the example of connection by a bus.
The memory 620, as a non-transitory computer-readable storage medium, may be used to store software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to a traffic collection method in an embodiment of the present invention (for example, the packet information extraction module 510, the information comparison module 520, and the target packet collection module 530 shown in fig. 5). The processor 610 executes various functional applications and data processing of the computer device by running the software programs, instructions and modules stored in the memory 620, so as to implement a traffic collection method of the above method embodiment, that is:
obtaining a target data packet in a virtual network, and extracting data packet information contained in the target data packet;
obtaining preconfigured acquisition point information, and comparing the data packet information with the preconfigured acquisition point information;
and collecting the target data packet according to the information comparison result for traffic analysis.
The memory 620 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of the computer device, and the like. Further, the memory 620 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 620 optionally includes memory located remotely from processor 610, which may be connected to the terminal device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 630 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the computer device. The output device 640 may include a display device such as a display screen.
An embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a traffic collection method according to an embodiment of the present invention:
obtaining a target data packet in a virtual network, and extracting data packet information contained in the target data packet;
obtaining preconfigured acquisition point information, and comparing the data packet information with the preconfigured acquisition point information;
and collecting the target data packet according to the information comparison result for traffic analysis.
Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A method of traffic collection, the method comprising:
obtaining a target data packet in a virtual network, and extracting data packet information contained in the target data packet;
obtaining preconfigured acquisition point information, and comparing the data packet information with the preconfigured acquisition point information;
and collecting the target data packet according to the information comparison result for traffic analysis.
2. The method of claim 1, wherein obtaining a target data packet in a virtual network and extracting data packet information contained in the target data packet comprises:
obtaining a target data packet in a virtual network, and extracting a source IP address and a destination IP address contained in the target data packet.
3. The method of claim 2, wherein the acquisition point information comprises: an IP address set formed by the IP address of at least one target collected virtual machine;
and comparing the data packet information with the preconfigured acquisition point information comprises:
comparing the source IP address and the destination IP address, respectively, with the IP addresses in the IP address set.
4. The method of claim 3, wherein collecting the target data packet according to the information comparison result for traffic analysis comprises:
if the information comparison result is that only the source IP address or the destination IP address is in the IP address set, collecting the target data packet;
and if the information comparison result is that neither the source IP address nor the destination IP address is in the IP address set, not collecting the target data packet.
5. The method of claim 3, wherein collecting the target data packet according to the information comparison result for traffic analysis comprises:
if the information comparison result is that both the source IP address and the destination IP address are in the IP address set, determining the sending or receiving direction of the target data packet;
and collecting the target data packet according to the sending or receiving direction for traffic analysis.
6. The method of claim 5, wherein determining the sending or receiving direction of the target data packet comprises:
extracting a source MAC address and a destination MAC address contained in the target data packet, and obtaining the MAC address of the virtual network card corresponding to a traffic collection network port;
and determining the sending or receiving direction of the target data packet according to the results of comparing the source MAC address and the destination MAC address, respectively, with the MAC address of the virtual network card.
7. The method of claim 6, wherein collecting the target data packet according to the sending or receiving direction for traffic analysis comprises:
collecting only target data packets in the sending direction for traffic analysis; or collecting only target data packets in the receiving direction for traffic analysis.
8. A traffic collection device, comprising:
a data packet information extraction module, configured to obtain a target data packet in a virtual network and extract data packet information contained in the target data packet;
an information comparison module, configured to obtain preconfigured acquisition point information and compare the data packet information with the preconfigured acquisition point information;
and a target data packet collection module, configured to collect the target data packet according to the information comparison result for traffic analysis.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the method according to any one of claims 1 to 7.
CN202111060765.0A 2021-09-10 2021-09-10 Flow acquisition method, device, equipment and storage medium Pending CN113810310A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111060765.0A CN113810310A (en) 2021-09-10 2021-09-10 Flow acquisition method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111060765.0A CN113810310A (en) 2021-09-10 2021-09-10 Flow acquisition method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113810310A true CN113810310A (en) 2021-12-17

Family

ID=78895126

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111060765.0A Pending CN113810310A (en) 2021-09-10 2021-09-10 Flow acquisition method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113810310A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination