CN114244560A - Traffic processing method and device - Google Patents


Info

Publication number
CN114244560A
Authority
CN
China
Prior art keywords
data packet
network card
point information
hook point
data
Prior art date
Legal status
Granted
Application number
CN202111327821.2A
Other languages
Chinese (zh)
Other versions
CN114244560B (en)
Inventor
李拓
Current Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Qianxin Technology Group Co Ltd, Secworld Information Technology Beijing Co Ltd
Priority to CN202111327821.2A (granted as CN114244560B)
Publication of CN114244560A
Application granted
Publication of CN114244560B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0263 Rule management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the invention provides a traffic processing method and device. The method comprises the following steps: receiving traffic data, hook point information and a packet filtering rule, where the traffic data corresponds to the hook point information; sending the hook point information to a network card control module in kernel mode; filtering the traffic data with the packet filtering rule to obtain at least one first data packet that matches the rule, and sending the hook point information and the at least one first data packet to a network card driver module in kernel mode; and capturing at least one second data packet of the virtual network card in kernel mode, where the second data packet is the traffic passing through the virtual network card. Data packets can thus be stored and analyzed in real time by a libpcap-based traffic processing tool at any position. A network traffic filtering rule equivalent to the kernel packet filtering function is realized in user mode, so that the packet filtering rule is dynamically configurable.

Description

Traffic processing method and device
Technical Field
The present invention relates to the field of information security, and in particular, to a traffic processing method and apparatus.
Background
For forensic tracking or diagnostic analysis purposes, industrial control network security devices often need to retain samples of specific network traffic at appropriate hook points during the processing of the network traffic.
In the prior art, the network security device embeds the code that retains packet samples in the business logic of the data forwarding process, and the packet filtering function is realized by hard coding. In an IT network, filtering rules based on IP address and port can generally meet the requirements, but in an industrial control network, filtering on packet content is often needed to decide which packet samples to retain, and the message formats of the various industrial control protocols differ, so hard-coded filtering logic cannot meet the dynamically configurable data filtering requirements of real application scenarios.
Existing open-source network traffic capture and analysis tools based on the libpcap library, such as Wireshark, have powerful data filtering and analysis functions, but they can only retain and analyze packets received and transmitted through a network card and cannot be used at an arbitrary hook point of a user-space program.
Disclosure of Invention
To solve the problems in the prior art, embodiments of the present invention provide a traffic processing method and apparatus.
Specifically, the embodiment of the invention provides the following technical scheme:
in a first aspect, an embodiment of the present invention provides a traffic processing method, which is applied to a user mode, and includes: receiving flow data, hook point information and a data packet filtering rule, wherein the flow data corresponds to the hook point information, and the hook point information represents the intercepted position of the flow data; sending the hook point information to a network card control module in a kernel state, wherein the network card control module is used for creating a virtual network card corresponding to the hook point information; filtering the flow data through the data packet filtering rule to obtain at least one first data packet which accords with the data packet filtering rule, and sending the hook point information and the at least one first data packet to a network card driving module in a kernel state, wherein the network card driving module is used for driving the virtual network card corresponding to the at least one first data packet according to the hook point information; capturing at least one second data packet of the virtual network card in the kernel mode, wherein the second data packet is the flow passing through the virtual network card.
Further, the filtering the traffic data according to the packet filtering rule to obtain at least one first packet meeting the packet filtering rule includes: converting the data packet filtering rule into a BPF byte code instruction; and filtering the flow data through the BPF byte code instruction to obtain the at least one first data packet conforming to the BPF byte code instruction.
In a second aspect, an embodiment of the present invention provides a traffic processing method, applied to a kernel mode, including: receiving hook point information through a network card control module, and establishing a virtual network card corresponding to the hook point information; receiving and storing at least one first data packet and the hook point information through a network card driving module, wherein the at least one first data packet corresponds to the hook point information, and sending the at least one first data packet to the corresponding virtual network card according to the hook point information, and the first data packet represents a data packet which accords with a data packet filtering rule; and obtaining at least one second data packet through the virtual network card.
Further, the network card driving module comprises a cache descriptor and a packet receiving thread; and the receiving and storing the at least one first data packet and the hook point information through the network card driving module, wherein the at least one first data packet corresponds to the hook point information, and the sending of the at least one first data packet to the corresponding virtual network card according to the hook point information comprises: receiving and storing the at least one first data packet and the hook point information through the cache descriptor, wherein the at least one first data packet corresponds to the hook point information; and the packet receiving thread sends the at least one first data packet to the corresponding virtual network card according to the hook point information.
Further, obtaining at least one second data packet through the virtual network card includes: judging whether the network card name of the virtual network card is a preset network card name, and if so, obtaining the at least one second data packet after the AF_PACKET logic has run in the virtual network card, and discarding the at least one second data packet.
In a third aspect, an embodiment of the present invention further provides a traffic processing apparatus, applied to a user mode, including: the system comprises a first processing module, a second processing module and a processing module, wherein the first processing module is used for receiving flow data, hook point information and a data packet filtering rule, the flow data corresponds to the hook point information, and the hook point information represents the intercepted position of the flow data; the second processing module is used for sending the hook point information to a network card control module in a kernel state, and the network card control module is used for creating a virtual network card corresponding to the hook point information; the third processing module is used for filtering the flow data through the data packet filtering rule to obtain at least one first data packet which accords with the data packet filtering rule, and sending the hook point information and the at least one first data packet to a kernel-state network card driving module, wherein the network card driving module is used for driving the virtual network card corresponding to the at least one first data packet according to the hook point information; and the fourth processing module is used for capturing at least one second data packet of the virtual network card in the kernel mode, wherein the second data packet is the flow passing through the virtual network card.
In a fourth aspect, an embodiment of the present invention further provides a traffic processing apparatus, applied to a kernel mode, including: the fifth processing module is used for receiving the hook point information through the network card control module and establishing a virtual network card corresponding to the hook point information; a sixth processing module, configured to receive and store at least one first data packet and the hook point information through a network card driver module, where the at least one first data packet corresponds to the hook point information, and send the at least one first data packet to a corresponding virtual network card according to the hook point information, where the first data packet represents a data packet that meets a data packet filtering rule; and the seventh processing module is used for obtaining at least one second data packet through the virtual network card.
In a fifth aspect, an embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the traffic processing method according to the first aspect when executing the program.
In a sixth aspect, the present invention further provides a non-transitory computer readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the traffic processing method according to the first aspect.
In a fifth aspect, the present invention further provides a computer program product, on which executable instructions are stored, and when executed by a processor, the instructions cause the processor to implement the steps of the traffic processing method according to the first aspect or the second aspect.
According to the traffic processing method and device provided by the embodiment of the invention, by receiving traffic data, hook point information and a data packet filtering rule, the traffic data corresponds to the hook point information, and the hook point information represents the intercepted position of the traffic data; sending the hook point information to a network card control module in a kernel state, wherein the network card control module is used for creating a virtual network card corresponding to the hook point information; filtering the flow data through the data packet filtering rule to obtain at least one first data packet which accords with the data packet filtering rule, and sending the hook point information and the at least one first data packet to a network card driving module in a kernel state, wherein the network card driving module is used for driving the virtual network card corresponding to the at least one first data packet according to the hook point information; capturing at least one second data packet of the virtual network card in the kernel mode, wherein the second data packet is the flow passing through the virtual network card. It can be seen that the invention realizes that the data packet can be preserved and analyzed by the flow processing tool based on the libpcap in real time at any position. And realizing the network flow filtering rule equivalent to the kernel packet filtering function in a user mode, so that the filtering rule of the data packet is dynamically configurable.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a flow chart of an embodiment of a traffic processing method of the present invention;
FIG. 2 is a flow chart of another embodiment of a traffic processing method of the present invention;
FIG. 3 is a schematic diagram of an application scenario of the traffic processing method of the present invention;
FIG. 4 is a schematic structural diagram of an embodiment of a traffic processing apparatus according to the present invention;
FIG. 5 is a schematic structural diagram of another embodiment of a traffic processing apparatus according to the present invention;
FIG. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a flowchart of an embodiment of a traffic processing method according to the present invention, and is applied to a user mode. As shown in fig. 1, a traffic processing method according to an embodiment of the present invention includes:
S101, receiving traffic data, hook point information and a packet filtering rule, wherein the traffic data corresponds to the hook point information, and the hook point information represents the position at which the traffic data is intercepted.
The traffic data may contain arbitrary content. The position at which the hook point information intercepts the traffic data is specific to the application program, so the traffic data cannot be intercepted at the network card. The packet filtering rule may be user-defined (for example, filtering for a certain keyword) or received by invoking a predefined rule. The computer is in user mode when it receives the traffic data, the hook point information and the packet filtering rule. User mode and kernel mode are the two operating levels of the operating system; the Intel CPU provides three operation modes, Ring0 to Ring3, where Ring0 has the highest privilege and Ring3 the lowest. Privilege level 0 (Ring0) is reserved for operating system code and device driver code, which run in system kernel mode, while privilege level 3 (Ring3) is given to ordinary user programs, which run in user mode.
S102, sending the hook point information to a kernel-mode network card control module, wherein the network card control module is used for creating a virtual network card corresponding to the hook point information.
In some embodiments, when a task (process) executes a system call and is trapped in kernel code, the process is said to be in the kernel running state (kernel state for short). The processor is then executing kernel code at the highest privilege level (level 0). When a process is in kernel mode, the kernel code being executed uses the kernel stack of the current process; each process has its own kernel stack. When a process is executing the user's own code, it is said to be in the user running state (user state), i.e. the processor is running user code at the lowest privilege level (level 3). Kernel mode and user mode can be switched between by means of programmable interrupts, hardware interrupts, software interrupts and the like. For example, Linux uses Ring3 for the user state and Ring0 for the kernel state, and Ring1 and Ring2 are not used. Ring3 cannot access the address space of Ring0, including its code and data. Of the 4GB address space of a Linux process, the 3GB-4GB part is shared and is the kernel-mode address space, which holds the code of the whole kernel, all kernel modules and the data maintained by the kernel. When a user runs a program, the process created for it starts running in user mode; if it has to perform operations such as file operations or sending network data, it must issue system calls such as write and send, which invoke code in the kernel to complete the operation (here, the hook point information is sent to the kernel-mode network card control module, and the network card control module invokes kernel code to create the virtual network card corresponding to the hook point information). At that moment the program has to switch to Ring0 and enter the kernel address space in 3GB-4GB to execute that code; when the operation is complete, it switches back to Ring3 and returns to user mode.
Therefore, a user-mode program cannot manipulate the kernel address space at will, which provides a degree of security protection.
S103, filtering the flow data through the data packet filtering rule to obtain at least one first data packet which accords with the data packet filtering rule, and sending the hook point information and the at least one first data packet to a kernel-state network card driving module, wherein the network card driving module is used for driving a virtual network card corresponding to the at least one first data packet according to the hook point information.
In some embodiments, filtering traffic data with packet filtering rules may be done by a packet filter, which examines all packets passing in and out and prevents the transmission of packets that do not comply with the established rules. The packet filter may filter packets based on the following criteria: the protocol the packet belongs to (TCP, UDP, etc.), the source address, the destination address, the port number (request type) of the destination device, the transmission direction of the packet, the signature of a given packet transmitted to the Internet or to the LAN, the database, etc. The traffic data is filtered by the packet filter to obtain at least one first data packet; at this point the user state changes to the kernel state, and since the hook point information corresponds to the traffic data (and thus also to the first data packet), the kernel-mode network card driver module is called and drives the virtual network card corresponding to the at least one first data packet according to the hook point information (the hook point information corresponds both to the virtual network card and to the at least one first data packet).
S104, capturing at least one second data packet of the virtual network card in the kernel mode, wherein the second data packet is the flow passing through the virtual network card.
In some embodiments, when the at least one first packet is sent to the kernel state, the processing procedure of the at least one first packet in the kernel is mainly performed between the network card and the protocol stack: receiving data from the network card, and handing the data to a protocol stack for processing; the protocol stack sends out the data to be sent (i.e. the at least one second data packet) over the network. Since the at least one first data packet passes through the network card (i.e., the virtual network card) in the processing process of the kernel, the at least one second data packet becomes the traffic passing through the network card, and the method can be applied to the existing open-source network traffic capturing and analyzing tool based on the libpcap library, such as wireshark and the like. Since the at least one first packet is data that can be captured at any hook point by the packet filtering rule, the at least one second packet obtained by the first packet enables the network data sample to be retained at any hook point using the libpcap-based traffic processing tool.
According to the traffic processing method provided by the embodiment of the invention, by receiving traffic data, hook point information and a data packet filtering rule, the traffic data corresponds to the hook point information, and the hook point information represents the intercepted position of the traffic data; sending the hook point information to a network card control module in a kernel state, wherein the network card control module is used for creating a virtual network card corresponding to the hook point information; filtering the flow data through the data packet filtering rule to obtain at least one first data packet which accords with the data packet filtering rule, and sending the hook point information and the at least one first data packet to a network card driving module in a kernel state, wherein the network card driving module is used for driving a virtual network card corresponding to the at least one first data packet according to the hook point information; and capturing at least one second data packet of the virtual network card in the kernel mode, wherein the second data packet is the flow passing through the virtual network card. It can be seen that the invention realizes that the data packet can be preserved and analyzed by the flow processing tool based on the libpcap in real time at any position. And realizing the network flow filtering rule equivalent to the kernel packet filtering function in a user mode, so that the filtering rule of the data packet is dynamically configurable.
In some optional implementations, filtering the traffic data by the packet filtering rule to obtain at least one first packet that conforms to the packet filtering rule includes: converting the data packet filtering rule into a BPF byte code instruction; and filtering the flow data through the BPF byte code instruction to obtain at least one first data packet conforming to the BPF byte code instruction.
By way of example, the purpose of the Berkeley Packet Filter (BPF) is to provide a method for filtering packets (here, filtering the traffic data via BPF bytecode instructions) and to avoid useless packet copying from kernel space to user space. It originally consisted of a simple bytecode injected from user space into the kernel, where it is checked by a verifier to avoid kernel crashes or security issues, attached to a socket and then run on each received packet. The packet filtering rule may also be converted into an extended Berkeley Packet Filter (eBPF) bytecode file; eBPF provides the packet filtering mechanism of the kernel, extends the functions of BPF and enriches its instruction set. The BPF interpreter is realized in user mode to filter data packets, and filtering rules based on BPF bytecode can be dynamically injected.
As an example, as shown in fig. 3, the user state may include a data sending module, a filtering instruction generating module, a filtering instruction executing module, and a start-stop control module.
(1) Data sending module. It runs in user mode and sends data packets to kernel mode. During initialization, /dev/mem can be mapped into the process address space through the mmap system call, from which the offset between physical addresses and user-mode virtual addresses is obtained. When user mode sends a data packet to kernel mode, the following steps are executed:
step 1-1, judging the caller's hook point information to obtain the physical address pdes of the virtual network card cache descriptor of the target virtual network card, and converting pdes into a user-mode virtual address;
step 1-2, calling the filtering instruction execution module, and exiting if the instruction execution module returns a match failure;
step 1-3, taking the physical address paddr of the data field of an skb from the idle packet storage area;
step 1-4, adding the offset to paddr to convert it into the user-mode virtual address uaddr;
step 1-5, copying the content of the data packet to be sent into the pkt_data area;
step 1-6, filling in the data_len field;
step 1-7, filling in the dev_name field according to the source hook point information of the data packet;
step 1-8, placing paddr into the available packet storage area.
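The slot hand-off in steps 1-3 to 1-8, as an added example that is not code from the patent or its assignees: a C model of the virtual network card cache descriptor with an idle area and an available (ready) area, a user-mode `user_send` that claims a slot, copies the packet and fills `data_len` and `dev_name` ("sample" + hook number, as in the start-up procedure later on the page), and a kernel-side `kernel_recv_one` that validates those fields before using them and then recycles the slot. The shared region is an ordinary in-process structure standing in for the /dev/mem mapping; the struct layout, the index-FIFO scheme, the slot count and the `demo_*` helpers are assumptions of this example, and the physical-to-virtual address translation of steps 1-1 and 1-4 is not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOT_COUNT   4        /* assumed ring size: the page does not give the descriptor's size */
#define PKT_DATA_MAX 1514     /* one Ethernet frame */
#define DEV_NAME_MAX 16       /* IFNAMSIZ */

/* One packet slot of the shared area, with the page's pkt_data, data_len and dev_name fields. */
struct pkt_slot {
    uint32_t data_len;
    char     dev_name[DEV_NAME_MAX];
    uint8_t  pkt_data[PKT_DATA_MAX];
};

/* FIFO of slot indexes; one instance is the "idle" area, the other the "available" (ready) area. */
struct slot_fifo { int idx[SLOT_COUNT]; int head, count; };

static int fifo_pop(struct slot_fifo *q)
{
    if (q->count == 0) return -1;
    int i = q->idx[q->head];
    q->head = (q->head + 1) % SLOT_COUNT;
    q->count--;
    return i;
}

static void fifo_push(struct slot_fifo *q, int i)
{
    q->idx[(q->head + q->count) % SLOT_COUNT] = i;   /* cannot overflow: only SLOT_COUNT indexes exist */
    q->count++;
}

/* Virtual network card cache descriptor; an in-process stand-in for the /dev/mem-mapped region. */
struct cache_desc {
    struct pkt_slot  slots[SLOT_COUNT];
    struct slot_fifo idle, ready;
};

/* User-mode sender (steps 1-3 to 1-8): claim an idle slot, copy the packet, fill data_len and
 * dev_name, move the slot to the ready area. Returns the slot index, or -1 when the packet is
 * oversize or every slot is still in flight because the kernel thread has not drained the ring. */
int user_send(struct cache_desc *d, unsigned hook_id, const uint8_t *pkt, size_t len)
{
    if (len > PKT_DATA_MAX) return -1;
    int i = fifo_pop(&d->idle);
    if (i < 0) return -1;
    struct pkt_slot *s = &d->slots[i];
    memcpy(s->pkt_data, pkt, len);
    s->data_len = (uint32_t)len;
    snprintf(s->dev_name, sizeof s->dev_name, "sample%u", hook_id);   /* "sample" + hook number */
    fifo_push(&d->ready, i);
    return i;
}

/* Kernel-side receive thread, one iteration: take a ready slot, validate the fields that user mode
 * wrote before trusting them, deliver to the named virtual network card (here: copy out), and
 * recycle the slot. Returns the delivered length, -1 if nothing is ready, -2 if the slot was
 * malformed and dropped. */
long kernel_recv_one(struct cache_desc *d, char *dev_out, size_t dev_out_sz, uint8_t *out)
{
    int i = fifo_pop(&d->ready);
    if (i < 0) return -1;
    struct pkt_slot *s = &d->slots[i];
    long rc = -2;
    if (s->data_len <= PKT_DATA_MAX && memchr(s->dev_name, '\0', DEV_NAME_MAX) != NULL) {
        memcpy(out, s->pkt_data, s->data_len);         /* a real driver would build an skb for dev_name */
        snprintf(dev_out, dev_out_sz, "%s", s->dev_name);
        rc = (long)s->data_len;
    }
    fifo_push(&d->idle, i);                            /* the slot returns to the idle area either way */
    return rc;
}

/* Constructed demo state: the idle area initially holds every slot and the ready area is empty. */
static struct cache_desc g_desc = { .idle = { { 0, 1, 2, 3 }, 0, SLOT_COUNT } };
static uint8_t g_out[PKT_DATA_MAX];
static char    g_dev[DEV_NAME_MAX];

int demo_send(unsigned hook_id, size_t len)            /* constructed packet: len bytes of filler */
{
    uint8_t pkt[PKT_DATA_MAX];
    memset(pkt, (int)(hook_id & 0xff), sizeof pkt);
    return user_send(&g_desc, hook_id, pkt, len);
}
long demo_recv(void) { return kernel_recv_one(&g_desc, g_dev, sizeof g_dev, g_out); }
const char *demo_last_dev(void) { return g_dev; }

/* Fault injection: corrupt data_len of the next ready slot, as a buggy user-mode writer could;
 * returns that slot's index so the caller can see which slot the receiver then drops. */
int demo_corrupt_next_len(void)
{
    int i = g_desc.ready.idx[g_desc.ready.head];
    g_desc.slots[i].data_len = 0xffffffffu;
    return i;
}
```

Because user mode writes `data_len` and `dev_name` into memory that the kernel thread then reads, the receive side treats them as untrusted input: an out-of-range length or an unterminated name drops the slot instead of copying past the buffer, and the slot still goes back to the idle area so a single bad entry cannot stall the ring. When all four slots are in flight, `user_send` returns -1, which is the back-pressure signal the sender has to honour rather than overwrite a slot the kernel has not consumed.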
(2) Filtering instruction generation module. The filtering rule written by the user in tcpdump format is converted into BPF bytecode through the libpcap library or similar.
(3) Filtering instruction execution module. In the prior art, BPF machine instructions are issued to the kernel and executed by the operating system kernel. The invention additionally realizes a BPF bytecode interpreter in user space.
The execution steps are as follows:
step 2-1, parsing the instruction and extracting the operation code, operand, jump address and other information;
step 2-2, calling the security check logic of the corresponding instruction according to the operation code: for a division instruction, judging whether the divisor is 0; if the check fails, exiting;
step 2-3, calling the execution logic corresponding to the instruction and interpreting it;
step 2-4, going back to step 2-1 until a ret instruction is encountered, which returns either 1 (indicating at least one first data packet that complies with the packet filtering rule) or 0 (indicating at least one first data packet that does not comply with the packet filtering rule).
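The rule-to-bytecode conversion described earlier and the interpreter loop of steps 2-1 to 2-4, as an added example that is not code from the patent or its assignees: a user-space classic BPF interpreter in C with the same decode / safety-check / execute / loop-until-ret structure, run over a filter program for Modbus/TCP (port 502) and constructed Ethernet/IPv4/TCP header frames. The instruction encoding is the standard classic BPF one (the struct layout matches Linux's `sock_filter`); the filter program is hand-assembled here in the shape libpcap emits for `ip and tcp port 502`, not output copied from tcpdump; `cbpf_run`, `verdict`, `modbus_tcp_filter`, `div_zero_program` and the sample frame are assumptions of this example. Besides the divide-by-zero refusal the page names, it bounds-checks every packet load and rejects jumps past the end of the program, which is what the kernel's own BPF checker also enforces.

```c
#include <stdint.h>
#include <stddef.h>

/* Classic BPF instruction, the same layout as Linux's struct sock_filter. */
struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { CBPF_OK = 0, CBPF_BAD_INSN = -1, CBPF_DIV_ZERO = -2, CBPF_BAD_JUMP = -3 };

/* Bounds-checked big-endian load of 4/2/1 bytes (size bits 0x00/0x08/0x10). */
static int load(const uint8_t *p, size_t len, uint32_t off, uint16_t size, uint32_t *out)
{
    size_t n = size == 0x00 ? 4 : size == 0x08 ? 2 : 1;
    if (off > len || len - off < n) return -1;
    for (*out = 0; n-- > 0; off++) *out = (*out << 8) | p[off];
    return 0;
}

/* Steps 2-1 to 2-4 of the page: decode, safety-check, execute, loop until ret. Returns CBPF_OK with
 * *accept set (0 = drop, non-zero = keep), or a negative code when a check fails ("exit"). */
int cbpf_run(const struct cbpf_insn *prog, size_t n, const uint8_t *pkt, size_t len, uint32_t *accept)
{
    uint32_t A = 0, X = 0, v = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct cbpf_insn *in = &prog[pc++];
        uint32_t src = (in->code & 0x08) ? X : in->k;         /* BPF_X or BPF_K operand */
        uint16_t mode = in->code & 0xe0, op = in->code & 0xf0;
        int taken = 0;
        switch (in->code & 0x07) {                             /* instruction class */
        case 0x00:                                             /* LD into A */
            if (mode == 0x00) { A = in->k; break; }            /* immediate */
            if (mode != 0x20 && mode != 0x40) return CBPF_BAD_INSN;
            if (load(pkt, len, (mode == 0x40 ? X : 0) + in->k, in->code & 0x18, &A)) goto drop;
            break;
        case 0x01:                                             /* LDX into X */
            if (mode == 0x00) { X = in->k; break; }
            if (mode != 0xa0) return CBPF_BAD_INSN;
            if (load(pkt, len, in->k, 0x10, &v)) goto drop;    /* MSH: 4*(P[k]&0xf) */
            X = 4 * (v & 0xf);
            break;
        case 0x04:                                             /* ALU */
            if (op == 0x00) A += src; else if (op == 0x10) A -= src;
            else if (op == 0x20) A *= src; else if (op == 0x40) A |= src;
            else if (op == 0x50) A &= src; else if (op == 0xa0) A ^= src;
            else if (op == 0x60) A <<= (src & 31); else if (op == 0x70) A >>= (src & 31);
            else if (op == 0x30 || op == 0x90) {               /* step 2-2: refuse division by zero */
                if (src == 0) return CBPF_DIV_ZERO;
                A = op == 0x30 ? A / src : A % src;
            } else return CBPF_BAD_INSN;
            break;
        case 0x05:                                             /* JMP */
            if (op == 0x00) { pc += in->k; break; }            /* ja */
            if (op == 0x10) taken = A == src; else if (op == 0x20) taken = A > src;
            else if (op == 0x30) taken = A >= src; else if (op == 0x40) taken = (A & src) != 0;
            else return CBPF_BAD_INSN;
            pc += taken ? in->jt : in->jf;
            break;
        case 0x06:                                             /* RET: verdict for this packet */
            *accept = (in->code & 0x18) == 0x10 ? A : src;
            return CBPF_OK;
        default: return CBPF_BAD_INSN;
        }
        if (pc >= n) return CBPF_BAD_JUMP;                     /* jumped or ran past the end */
    }
    return CBPF_BAD_JUMP;
drop:
    *accept = 0;                                               /* read beyond the packet: no match */
    return CBPF_OK;
}

/* Hand-assembled here (constructed, not copied from tcpdump) in the shape libpcap emits for
 * "ip and tcp port 502", i.e. Modbus/TCP in either direction. */
static const struct cbpf_insn modbus_tcp_filter[] = {
    { 0x28, 0, 0, 12 },       /* ldh [12]             EtherType                 */
    { 0x15, 0, 10, 0x0800 },  /* jeq #0x800   jt 2  jf 12   IPv4?              */
    { 0x30, 0, 0, 23 },       /* ldb [23]             IP protocol               */
    { 0x15, 0, 8, 6 },        /* jeq #6       jt 4  jf 12   TCP?                */
    { 0x28, 0, 0, 20 },       /* ldh [20]             flags + fragment offset   */
    { 0x45, 6, 0, 0x1fff },   /* jset #0x1fff jt 12 jf 6    first fragment only */
    { 0xb1, 0, 0, 14 },       /* ldxb 4*([14]&0xf)    X = IP header length      */
    { 0x48, 0, 0, 14 },       /* ldh [x + 14]         TCP source port           */
    { 0x15, 2, 0, 502 },      /* jeq #502     jt 11 jf 9                        */
    { 0x48, 0, 0, 16 },       /* ldh [x + 16]         TCP destination port      */
    { 0x15, 0, 1, 502 },      /* jeq #502     jt 11 jf 12                       */
    { 0x06, 0, 0, 262144 },   /* ret #262144          keep                      */
    { 0x06, 0, 0, 0 },        /* ret #0               drop                      */
};
#define MODBUS_FILTER_LEN (sizeof(modbus_tcp_filter) / sizeof(modbus_tcp_filter[0]))

/* A rule that must be refused: "div #0" trips the step 2-2 check before it can execute. */
static const struct cbpf_insn div_zero_program[] = { { 0x34, 0, 0, 0 }, { 0x06, 0, 0, 1 } };

/* Run prog over a constructed Ethernet/IPv4/TCP header-only frame, optionally truncated to
 * `len` bytes (0 = whole frame). Returns the accept value, or the negative cbpf_run error code. */
int verdict(const struct cbpf_insn *prog, size_t n, uint16_t ethertype, uint8_t proto,
            uint16_t sport, uint16_t dport, size_t len)
{
    uint8_t f[54] = { 0 };
    uint32_t accept = 0;
    f[12] = (uint8_t)(ethertype >> 8); f[13] = (uint8_t)ethertype;
    f[14] = 0x45; f[17] = 40; f[20] = 0x40; f[22] = 64; f[23] = proto;  /* IHL 5, DF, TTL 64 */
    f[34] = (uint8_t)(sport >> 8); f[35] = (uint8_t)sport; f[36] = (uint8_t)(dport >> 8); f[37] = (uint8_t)dport;
    int rc = cbpf_run(prog, n, f, len ? len : sizeof f, &accept);
    return rc < 0 ? rc : (int)accept;
}
```

`verdict(modbus_tcp_filter, MODBUS_FILTER_LEN, 0x0800, 6, 40000, 502, 0)` returns 262144 (the keep value of the `ret` instruction, libpcap's default snaplen) for a frame to or from TCP port 502 and 0 otherwise; a frame truncated before the field a load reaches is simply a non-match, and `div_zero_program` returns `CBPF_DIV_ZERO`, so the packet is not forwarded and the bad rule can be reported back to the operator instead of crashing the filtering process.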
(4) Start-stop control module. It controls turning the packet capture function on and off. The start-up procedure is as follows:
step 3-1, obtaining a start command issued by the user through the human-machine interface, the start command including the hook point information to start and the packet filtering rule information;
step 3-2, notifying the virtual network card control module through a netlink socket to create a virtual network card with the specified name in the operating system. For example, if the hook point information of the sample being retained is the entry of the Modbus protocol parsing module and the hook point information includes a number, say 25, a virtual network card named sample25 is created;
step 3-3, calling the filtering instruction generation module to generate BPF bytecode from the filtering rule issued by the user, and sending the BPF bytecode to the data sending module through inter-process communication;
step 3-4, starting the libpcap-based packet capture and analysis tool on the sample25 network card;
step 3-5, notifying the data sending module to start the packet capture function of the designated hook point;
step 3-6, the data forwarding process sends the ingress traffic of the Modbus protocol parsing module to the kernel protocol stack through the data sending module, where it is finally captured by the libpcap tool.
The shutdown procedure is as follows:
step 4-1, notifying the data forwarding process to close the packet capture function of the designated hook point;
step 4-2, waiting for the processing of the data packets already sent into the kernel to complete;
step 4-3, closing the libpcap-based packet capture and analysis tool;
step 4-4, notifying the virtual network card control module through the netlink socket to unregister the designated virtual network card from the operating system.
Fig. 2 is a flow chart of another embodiment of the traffic processing method of the present invention, applied to a kernel mode. As shown in fig. 2, the traffic processing method according to the embodiment of the present invention includes:
S201, the hook point information is received through the network card control module, and a virtual network card corresponding to the hook point information is established.
In some embodiments, each data packet capture hook point is used as a virtual network card, so that multiplexing of a data packet capture analysis tool based on the network card is realized. The network card control module as shown in fig. 3 may be used to create virtual network cards and delete virtual network cards. The network card control module monitors a netlink socket in the kernel and is used for communication between the user-mode start-stop control module and the network card control module. The network card control module can provide the following two functions:
(1) Hot-plugging a virtual network card
A virtual network card is created in the operating system kernel and registered with the kernel protocol stack. The network card name is generally "sample" + the number of the hook point information. For example, if the hook point information number of virus detection is 34, a network card named sample34 is dynamically inserted into the kernel protocol stack.
(2) Hot-unplugging a virtual network card
The hot-plugged virtual network card is unregistered from the kernel protocol stack. For example, the dev_get_by_name function may be used to obtain the net_device pointer from the network card name, and the unregister_netdevice function may then be called to remove the network card from the kernel protocol stack.
S202: receive and store at least one first data packet and the hook point information through a network card driver module, where the at least one first data packet corresponds to the hook point information, and send the at least one first data packet to the corresponding virtual network card according to the hook point information; the first data packet is a data packet that meets the data packet filtering rule.
In some optional implementations, the network card driver module includes a cache descriptor and a packet receiving thread, and the receiving, storing and sending above comprise: receiving and storing the at least one first data packet and the hook point information through the cache descriptor, where the at least one first data packet corresponds to the hook point information; and sending, by the packet receiving thread, the at least one first data packet to the corresponding virtual network card according to the hook point information.
As an example, as shown in fig. 3, the kernel mode includes a network card driver module, which functions to enable the user mode packet capture analysis program based on libpcap to select a virtual network card when capturing packets, and capture packets from the virtual network card. Because the virtual network card is not associated with the real physical network card, the physical address of the virtual network card is randomly generated.
The virtual network card driving module is internally provided with three core submodules: the virtual network card cache descriptor, the packet receiving thread and the packet sending interface.
(1) Virtual network card cache descriptor
The virtual network card driver implements a memory-based cache descriptor in the kernel. It is essentially a contiguous region allocated in physical memory and comprises two first-in first-out queues:
(a) Idle packet queue: stores the physical addresses of the data areas of idle sk_buff structures (sk_buff is the kernel structure used to hold a data packet, abbreviated skb). The queue is filled in one pass when the system starts; thereafter, each time the data receiving module takes one skb out of the available packet queue, one skb is returned to the idle packet queue.
Filling procedure:
Step 1: call the dev_alloc_skb() function to allocate an skb, and initialize the virt_addr field of the skb data area (the remaining fields are filled in by the user-mode data path submodule).
In the prior art, the data field of skb is used to store the packet contents. In the present invention, the data field is interpreted as the following format:
Table 1: field meanings (table rendered as an image in the original; not reproduced)
Step 2: convert the data pointer of the skb from a kernel virtual address to a physical address paddr with the virt_to_phys() function.
Step 3: put paddr into the idle packet queue.
(b) Available packet queue: stores the physical addresses of skb data areas; it is filled in by the data sending module when a packet is sent.
(2) Packet receiving thread
This kernel thread polls the available packet queue and submits the data packets sent by the data path to the kernel protocol stack, as follows:
Step 1: fetch a physical address paddr from the available packet queue; if this fails, go to step 6;
Step 2: convert paddr to a kernel virtual address kaddr with the phys_to_virt() function;
Step 3: read virt_addr, data_len and dev_name through kaddr, and fill in the metadata part of the sk_buff according to these three fields;
Step 4: advance the data pointer of the sk_buff so that it points to pkt_data;
Step 5: submit the data packet to the packet receiving interface of the virtual network card named by dev_name, which in turn submits it to the operating system kernel protocol stack;
Step 6: the kernel protocol stack checks the network card; if the network card name starts with sample, the data packet is discarded once the AF_PACKET logic has finished. It is not passed further up the protocol stack, so an application-layer network program running on the local machine never receives it and cannot actively send data packets outward in response, and the captured result is not affected;
Step 7: yield the CPU for a while, then return to step 1.
(3) Packet sending interface
The virtual network card is not used for data communication, but the operating system may still send packets such as DHCP through it. The interface simply frees any data packet it receives from the operating system.
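The cache descriptor and packet receiving thread described above, as an added example that is not part of the patent or its implementation: a user-space C model in which the two FIFO queues hold buffer addresses, each skb data area carries the virt_addr / data_len / dev_name / pkt_data layout, and one receive iteration routes by dev_name and drops sample* traffic after the AF_PACKET stage. Queue depth, buffer size, the header struct and the payload bytes are constructed assumptions; phys_to_virt()/virt_to_phys() are modelled as identity conversions.

```c
/* Added example (not the patent's code): a user-space model of the virtual
 * network card cache descriptor and packet receiving thread described above.
 * "Physical addresses" are plain buffer addresses, so phys_to_virt() and
 * virt_to_phys() become identity conversions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_DEPTH  8     /* skb data areas pre-allocated at start-up (assumed) */
#define BUF_SIZE     256   /* size of one skb data area (assumed) */
#define DEV_NAME_LEN 16    /* room for a card name such as "sample34" */

/* Header at the start of each skb data area, modelling the Table 1 layout
 * named in step 3 of the receive thread; pkt_data[] follows the header. */
struct pkt_hdr {
    uintptr_t virt_addr;              /* kernel virtual address of this data area */
    uint32_t  data_len;               /* number of pkt_data bytes that follow */
    char      dev_name[DEV_NAME_LEN]; /* virtual card the packet is destined for */
};

/* Fixed-depth FIFO of "physical addresses", one per queue of the descriptor */
struct fifo { uintptr_t slots[QUEUE_DEPTH]; unsigned head, tail; };

static bool fifo_push(struct fifo *q, uintptr_t v) {
    if (q->tail - q->head == QUEUE_DEPTH) return false;  /* full */
    q->slots[q->tail++ % QUEUE_DEPTH] = v;
    return true;
}
static bool fifo_pop(struct fifo *q, uintptr_t *v) {
    if (q->tail == q->head) return false;                /* empty */
    *v = q->slots[q->head++ % QUEUE_DEPTH];
    return true;
}

static _Alignas(16) unsigned char bufs[QUEUE_DEPTH][BUF_SIZE]; /* the skb data areas */
static struct fifo idle_q;   /* (a) idle packet queue */
static struct fifo avail_q;  /* (b) available packet queue */

/* Filling procedure, steps 1-3: record each area's virtual address once and
 * hand its "physical address" to the idle queue. */
void descriptor_init(void) {
    memset(&idle_q, 0, sizeof idle_q);
    memset(&avail_q, 0, sizeof avail_q);
    for (int i = 0; i < QUEUE_DEPTH; i++) {
        struct pkt_hdr *h = (struct pkt_hdr *)bufs[i];
        h->virt_addr = (uintptr_t)bufs[i];
        fifo_push(&idle_q, (uintptr_t)bufs[i]);
    }
}

/* Data sending module (user-mode side): take an idle area, fill data_len,
 * dev_name and pkt_data, then post the area to the available queue. */
bool send_packet(const char *dev_name, const unsigned char *data, uint32_t len) {
    uintptr_t paddr;
    if (len > BUF_SIZE - sizeof(struct pkt_hdr)) return false;
    if (!fifo_pop(&idle_q, &paddr)) return false;  /* descriptor exhausted */
    struct pkt_hdr *h = (struct pkt_hdr *)paddr;
    h->data_len = len;
    snprintf(h->dev_name, DEV_NAME_LEN, "%s", dev_name);
    memcpy((unsigned char *)paddr + sizeof *h, data, len);
    return fifo_push(&avail_q, paddr);
}

enum rx_result { RX_EMPTY, RX_DELIVERED, RX_DROPPED_AFTER_AF_PACKET };

struct rx_frame {                      /* what the receive thread hands onward */
    char          dev_name[DEV_NAME_LEN];
    uint32_t      data_len;
    unsigned char pkt_data[BUF_SIZE];
};

/* One polling iteration of the packet receiving thread (steps 1-6). */
enum rx_result recv_one(struct rx_frame *out) {
    uintptr_t paddr;
    if (!fifo_pop(&avail_q, &paddr)) return RX_EMPTY;      /* step 1: nothing queued */
    struct pkt_hdr *h = (struct pkt_hdr *)paddr;            /* step 2: phys_to_virt */
    out->data_len = h->data_len;                            /* step 3: fill metadata */
    snprintf(out->dev_name, DEV_NAME_LEN, "%s", h->dev_name);
    const unsigned char *pkt_data = (unsigned char *)paddr + sizeof *h; /* step 4 */
    memcpy(out->pkt_data, pkt_data, h->data_len);           /* step 5: hand to the card */
    fifo_push(&idle_q, paddr);                              /* area returns to idle queue */
    /* step 6: a card named sample* feeds the AF_PACKET tap (the libpcap capture)
     * and the packet is then dropped instead of climbing the protocol stack */
    if (strncmp(out->dev_name, "sample", 6) == 0) return RX_DROPPED_AFTER_AF_PACKET;
    return RX_DELIVERED;
}

/* Round trip of one constructed frame to virtual card sample34; returns the
 * number of observations matching the description above (4 expected). */
int demo_round_trip(void) {
    static const unsigned char payload[] = {0x01, 0x03, 0x00, 0x00, 0x00, 0x0a}; /* constructed */
    struct rx_frame f;
    int ok = 0;
    descriptor_init();
    ok += send_packet("sample34", payload, sizeof payload);
    ok += recv_one(&f) == RX_DROPPED_AFTER_AF_PACKET;
    ok += f.data_len == sizeof payload && memcmp(f.pkt_data, payload, sizeof payload) == 0;
    ok += recv_one(&f) == RX_EMPTY;  /* queue drained after the single packet */
    return ok;
}
```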
S203, obtaining at least one second data packet through the virtual network card.
In some optional implementations, obtaining at least one second data packet through the virtual network card includes: judging whether the network card name of the virtual network card is a preset network card name; if so, obtaining the at least one second data packet after the AF_PACKET logic has run in the virtual network card, and then discarding the at least one second data packet.
As an example, in Linux the AF_PACKET logic can open a specified network card through a socket and read from it with recvmsg; the actual process needs to copy each message from the kernel area (kernel mode) to the user area (that is, the user mode obtains the at least one second data packet). Alternatively, a kernel buffer in kernel space can be allocated in shared-memory fashion through packet_mmap, and the user-space program then calls mmap to map it into user space. The received skb is copied into that kernel buffer (or the packet is discarded), so that the user-space program can read the captured packet directly.
In the traffic processing method provided by the embodiment of the invention, a plurality of hot-pluggable virtual network cards are implemented in the kernel, and the filtered data packets at any hook point can be introduced into a virtual network card of the operating system kernel through a physical memory mapping technique, so that a user-mode data forwarding program also gains the dynamic packet filtering code injection capability previously possessed only by the kernel protocol stack.
Fig. 4 is a schematic structural diagram of an embodiment of a traffic processing apparatus according to the present invention, applied to a user mode. As shown in fig. 4, the traffic processing apparatus includes:
the first processing module 401 is configured to receive traffic data, hook point information, and a data packet filtering rule, where the traffic data corresponds to the hook point information, and the hook point information indicates a position where the traffic data is intercepted;
the second processing module 402 is configured to send the hook point information to a kernel-mode network card control module, where the network card control module is configured to create a virtual network card corresponding to the hook point information;
a third processing module 403, configured to filter traffic data according to the packet filtering rule to obtain at least one first packet that meets the packet filtering rule, and send the hook point information and the at least one first packet to a kernel-state network card driver module, where the network card driver module is configured to drive a virtual network card corresponding to the at least one first packet according to the hook point information;
the fourth processing module 404 is configured to capture at least one second data packet of the virtual network card in the kernel mode, where the second data packet is a traffic through the virtual network card.
Optionally, the third processing module 403 is further configured to convert the packet filtering rule into a BPF bytecode instruction; and filtering the flow data through the BPF byte code instruction to obtain at least one first data packet conforming to the BPF byte code instruction.
Fig. 5 is a schematic structural diagram of another embodiment of the traffic processing apparatus according to the present invention, applied to a kernel mode. As shown in fig. 5, the traffic processing apparatus includes:
a fifth processing module 501, configured to receive the hook point information through the network card control module, and establish a virtual network card corresponding to the hook point information;
a sixth processing module 502, configured to receive and store at least one first data packet and hook point information through the network card driver module, where the at least one first data packet corresponds to the hook point information, and send the at least one first data packet to a corresponding virtual network card according to the hook point information, where the first data packet represents a data packet that meets a data packet filtering rule;
the seventh processing module 503 is configured to obtain at least one second data packet through the virtual network card.
Optionally, the network card driver module includes a cache descriptor and a packet receiving thread; the sixth processing module 502 is further configured to receive and store the at least one first data packet and the hook point information through the cache descriptor, where the at least one first data packet corresponds to the hook point information; and the packet receiving thread sends the at least one first data packet to the corresponding virtual network card according to the hook point information.
Optionally, the seventh processing module 503 is further configured to determine whether the network card name of the virtual network card is the preset network card name and, if so, obtain the at least one second data packet after the AF_PACKET logic has run in the virtual network card, and discard the at least one second data packet.
An example is as follows:
fig. 6 illustrates a schematic physical structure diagram of an electronic device, and as shown in fig. 6, the electronic device may include: a processor (processor)601, a communication Interface (Communications Interface)602, a memory (memory)603 and a communication bus 604, wherein the processor 601, the communication Interface 602 and the memory 603 complete communication with each other through the communication bus 604. The processor 601 may call logic instructions in the memory 603 to perform the following method: receiving flow data, hook point information and a data packet filtering rule, wherein the flow data corresponds to the hook point information, and the hook point information represents the intercepted position of the flow data; sending the hook point information to a network card control module in a kernel state, wherein the network card control module is used for creating a virtual network card corresponding to the hook point information; filtering the flow data through the data packet filtering rule to obtain at least one first data packet which accords with the data packet filtering rule, and sending the hook point information and the at least one first data packet to a network card driving module in a kernel state, wherein the network card driving module is used for driving a virtual network card corresponding to the at least one first data packet according to the hook point information; and capturing at least one second data packet of the virtual network card in the kernel mode, wherein the second data packet is the flow passing through the virtual network card.
In addition, the logic instructions in the memory 603 may be implemented in the form of software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, an embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions, and when the program instructions are executed by a computer, the computer can execute the traffic processing method provided in the foregoing embodiments, and apply to a user state, for example, including: receiving flow data, hook point information and a data packet filtering rule, wherein the flow data corresponds to the hook point information, and the hook point information represents the intercepted position of the flow data; sending the hook point information to a network card control module in a kernel state, wherein the network card control module is used for creating a virtual network card corresponding to the hook point information; filtering the flow data through the data packet filtering rule to obtain at least one first data packet which accords with the data packet filtering rule, and sending the hook point information and the at least one first data packet to a network card driving module in a kernel state, wherein the network card driving module is used for driving a virtual network card corresponding to the at least one first data packet according to the hook point information; and capturing at least one second data packet of the virtual network card in the kernel mode, wherein the second data packet is the flow passing through the virtual network card.
In yet another aspect, the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is implemented by a processor to execute the traffic processing method provided in the foregoing embodiments, and the method is applied to a user mode, and includes: receiving flow data, hook point information and a data packet filtering rule, wherein the flow data corresponds to the hook point information, and the hook point information represents the intercepted position of the flow data; sending the hook point information to a network card control module in a kernel state, wherein the network card control module is used for creating a virtual network card corresponding to the hook point information; filtering the flow data through the data packet filtering rule to obtain at least one first data packet which accords with the data packet filtering rule, and sending the hook point information and the at least one first data packet to a network card driving module in a kernel state, wherein the network card driving module is used for driving a virtual network card corresponding to the at least one first data packet according to the hook point information; and capturing at least one second data packet of the virtual network card in the kernel mode, wherein the second data packet is the flow passing through the virtual network card.
The above-described embodiments of the apparatus are merely illustrative, and the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods of the various embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A traffic processing method, applied to a user mode, the method comprising:
receiving flow data, hook point information and a data packet filtering rule, wherein the flow data corresponds to the hook point information, and the hook point information represents the intercepted position of the flow data;
sending the hook point information to a network card control module in a kernel state, wherein the network card control module is used for creating a virtual network card corresponding to the hook point information;
filtering the flow data through the data packet filtering rule to obtain at least one first data packet which accords with the data packet filtering rule, and sending the hook point information and the at least one first data packet to a network card driving module in a kernel state, wherein the network card driving module is used for driving the virtual network card corresponding to the at least one first data packet according to the hook point information;
capturing at least one second data packet of the virtual network card in the kernel mode, wherein the second data packet is the flow passing through the virtual network card.
2. The traffic processing method according to claim 1, wherein the filtering the traffic data according to the packet filtering rule to obtain at least one first packet that conforms to the packet filtering rule comprises:
converting the data packet filtering rule into a BPF byte code instruction;
and filtering the flow data through the BPF byte code instruction to obtain the at least one first data packet conforming to the BPF byte code instruction.
3. A traffic processing method, applied to a kernel mode, the method comprising:
receiving hook point information through a network card control module, and establishing a virtual network card corresponding to the hook point information;
receiving and storing at least one first data packet and the hook point information through a network card driving module, wherein the at least one first data packet corresponds to the hook point information, and sending the at least one first data packet to the corresponding virtual network card according to the hook point information, and the first data packet represents a data packet which accords with a data packet filtering rule;
and obtaining at least one second data packet through the virtual network card.
4. The traffic processing method according to claim 3, wherein the network card driver module comprises a cache descriptor and a packet receiving thread; and
the receiving and storing the at least one first data packet and the hook point information through the network card driving module, the at least one first data packet corresponding to the hook point information, and sending the at least one first data packet to the corresponding virtual network card according to the hook point information, includes:
receiving and storing the at least one first data packet and the hook point information through the cache descriptor, wherein the at least one first data packet corresponds to the hook point information;
and the packet receiving thread sends the at least one first data packet to the corresponding virtual network card according to the hook point information.
5. The traffic processing method according to claim 3 or 4, wherein the obtaining at least one second data packet through the virtual network card comprises:
judging whether the network card name of the virtual network card is a preset network card name, and if so, obtaining the at least one second data packet after the AF_PACKET logic has run in the virtual network card, and discarding the at least one second data packet.
6. A traffic processing apparatus, applied to a user state, comprising:
a first processing module, configured to receive flow data, hook point information and a data packet filtering rule, wherein the flow data corresponds to the hook point information, and the hook point information represents the intercepted position of the flow data;
the second processing module is used for sending the hook point information to a network card control module in a kernel state, and the network card control module is used for creating a virtual network card corresponding to the hook point information;
the third processing module is used for filtering the flow data through the data packet filtering rule to obtain at least one first data packet which accords with the data packet filtering rule, and sending the hook point information and the at least one first data packet to a kernel-state network card driving module, wherein the network card driving module is used for driving the virtual network card corresponding to the at least one first data packet according to the hook point information;
and the fourth processing module is used for capturing at least one second data packet of the virtual network card in the kernel mode, wherein the second data packet is the flow passing through the virtual network card.
7. A traffic processing apparatus, applied to a kernel mode, comprising:
the fifth processing module is used for receiving the hook point information through the network card control module and establishing a virtual network card corresponding to the hook point information;
a sixth processing module, configured to receive and store at least one first data packet and the hook point information through a network card driver module, where the at least one first data packet corresponds to the hook point information, and send the at least one first data packet to a corresponding virtual network card according to the hook point information, where the first data packet represents a data packet that meets a data packet filtering rule;
and the seventh processing module is used for obtaining at least one second data packet through the virtual network card.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the traffic processing method according to any of claims 1 to 2 or 3 to 5 when executing the program.
9. A non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the traffic processing method according to any one of claims 1 to 2 or 3 to 5.
10. A computer program product having executable instructions stored thereon, which instructions, when executed by a processor, cause the processor to carry out the steps of the flow processing method according to any one of claims 1 to 2 or 3 to 5.
CN202111327821.2A 2021-11-10 2021-11-10 Flow processing method and device, electronic equipment and storage medium Active CN114244560B (en)
Publications (2)

Publication Number Publication Date
CN114244560A true CN114244560A (en) 2022-03-25
CN114244560B CN114244560B (en) 2024-04-16