CN115604138A - Data acquisition method, firewall and storage medium - Google Patents

Info

Publication number: CN115604138A
Authority: CN (China)
Prior art keywords: flow table, data, data flow, attribute information, information
Legal status: Pending
Application number: CN202110723354.9A
Other languages: Chinese (zh)
Inventors: 朱林杰, 杨兰平, 李德方, 陈晓帆, 谢忠杰, 马耀泉, 王�华, 古亮
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd

Classifications

    • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L 43/00 Arrangements for monitoring or testing data switching networks)
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (H04L 63/00 Network architectures or network communication protocols for network security)

Abstract

The invention discloses a data acquisition method, a firewall and a storage medium, wherein the method comprises the following steps: collecting data flow, and acquiring attribute information of the data flow; adding attribute information of the data flow into the data flow table; and when the preset conditions are met, transmitting the attribute information in the data flow table to the information acquisition device. The invention not only reduces the influence on the data forwarding performance of the network when the full amount or non-full amount of the network flow is acquired, but also reduces the loss of network resources, and simultaneously improves the accuracy of the network flow information acquisition.

Description

Data acquisition method, firewall and storage medium
Technical Field
The invention relates to the technical field of network information monitoring, in particular to a data acquisition method, a firewall and a storage medium.
Background
At present, flow acquisition technologies such as NetFlow (a network flow detection protocol), IPFIX (IP Flow Information Export, an international standard for network flow monitoring) and sFlow (Sampled Flow) are usually selected to realize full or non-full acquisition of network flow information, so as to provide a data source for monitoring the state of network traffic. However, collecting network traffic in full or non-full quantities with these technologies is continuous, has a great influence on the data forwarding performance of the network, and results in excessive network resource loss.
Disclosure of Invention
The embodiment of the application aims to solve the problem of excessive network resource loss caused by the adoption of the current flow acquisition technology by providing a data acquisition method, a firewall and a storage medium.
The embodiment of the application provides a data acquisition method, which is applied to a firewall and comprises the following steps:
collecting a data stream, and acquiring attribute information of the data stream;
adding attribute information of the data flow into a data flow table;
and when the preset conditions are met, transmitting the attribute information in the data flow table to an information acquisition device.
In one embodiment, the preset condition includes at least one of:
receiving a flow table information acquisition instruction sent by the information acquisition device;
the storage time of the data flow table is longer than the preset storage time;
and the time interval between the time point of sending the attribute information last time and the current time point reaches a preset time interval.
In an embodiment, the step of adding the attribute information of the data flow to the data flow table includes:
judging whether a data flow table matched with the attribute information is stored or not;
if a data flow table matched with the attribute information is stored, acquiring the data flow table matched with the attribute information;
and adding the attribute information of the data flow into the acquired data flow table.
In an embodiment, the determining whether a data flow table matching the attribute information is stored includes:
acquiring index information of the data stream; the index information is obtained according to the attribute information of the data stream;
and judging whether the index information is matched with the identification information of each data flow table, wherein when the identification information of the data flow table is matched with the index information, the data flow table matched with the attribute information is judged to be stored, and the identification information is obtained according to the attribute information stored in the data flow table.
In an embodiment, the step of adding the attribute information of the data flow to a data flow table further includes:
if the data flow tables which are matched with the attribute information do not exist in all the data flow tables, establishing the data flow tables which are matched with the attribute information;
adding attribute information of the data flow to the created data flow table.
In an embodiment, the step of obtaining the attribute information of the data stream includes:
and acquiring the attribute information of the data stream according to a first stream table entry in the data stream table.
In an embodiment, the preset condition includes receiving the flow table information acquisition instruction sent by the information acquisition device, and after the step of sending the attribute information in the data flow table to the information acquisition device when the preset condition is met, the method further includes:
acquiring a first flow table entry of each data flow table; and
acquiring a second flow table item included in the flow table information acquisition instruction;
if the first flow table entry is different from the second flow table entry, adjusting the first flow table entry of the data flow table so that the first flow table entry and the second flow table entry in each data flow table are the same.
In addition, to achieve the above object, the present invention further provides a firewall, including:
the information acquisition module is used for acquiring data streams and acquiring attribute information of the data streams;
the information adding module is used for adding the attribute information of the data flow into a data flow table;
and the information sending module is used for sending the attribute information in the data flow table to the information acquisition device when a preset condition is met.
In addition, to achieve the above object, the present invention also provides a firewall comprising: the data acquisition system comprises a memory, a processor and a data acquisition program which is stored on the memory and can run on the processor, wherein the data acquisition program realizes the steps of the data acquisition method when being executed by the processor.
In addition, to achieve the above object, the present invention also provides a storage medium having a data acquisition program stored thereon, wherein the data acquisition program, when executed by a processor, implements the steps of the data acquisition method described above.
The technical scheme of the data acquisition method, the firewall and the storage medium provided in the embodiment of the application at least has the following technical effects or advantages:
by collecting the data flow, obtaining the attribute information of the data flow, adding the attribute information of the data flow into the data flow table, and sending the attribute information in the data flow table to the information collection device when the preset condition is met, the problem of excessive network resource loss caused by the conventional flow collection technology is solved: the influence on the data forwarding performance of the network during full or non-full collection of network flow is reduced, the loss of network resources is reduced, and the accuracy of network flow information collection is improved.
Drawings
Fig. 1 is a schematic diagram of a hardware architecture of an apparatus according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of a first embodiment of a data acquisition method according to the present invention;
Fig. 3 is a schematic flow chart of a second embodiment of a data collection method according to the present invention;
Fig. 4 is a schematic flow chart of a data collection method according to a third embodiment of the present invention;
Fig. 5 is a functional block diagram of a firewall according to the present invention.
Detailed Description
For a better understanding of the above technical solutions, exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As an implementation manner, as shown in fig. 1, fig. 1 is a schematic diagram of a hardware architecture of a device according to an embodiment of the present invention.
The embodiment of the invention relates to a firewall, which comprises a processor 101 (e.g. a CPU), a memory 102 and a communication bus 103. The communication bus 103 is used to enable connection and communication between these components.
The memory 102 may be a high-speed RAM memory or a non-volatile memory, such as a disk memory. As shown in fig. 1, the memory 102 as a storage medium may include a data acquisition program; the processor 101 may be configured to call the data collection program stored in the memory 102 and perform the following operations:
collecting a data stream, and acquiring attribute information of the data stream;
adding attribute information of the data flow into a data flow table;
and when a preset condition is met, sending the attribute information in the data flow table to an information acquisition device.
Wherein the preset condition comprises at least one of:
receiving a flow table information acquisition instruction sent by the information acquisition device;
the storage time of the data flow table is longer than the preset storage time;
and the time interval between the time point of sending the attribute information last time and the current time point reaches a preset time interval.
In one embodiment, the processor 101 may be configured to invoke the data collection program stored in the memory 102, and further perform the following operations:
judging whether a data flow table matched with the attribute information is stored or not;
if a data flow table matched with the attribute information is stored, acquiring the data flow table matched with the attribute information;
and adding the attribute information of the data flow into the acquired data flow table.
In one embodiment, the processor 101 may be configured to invoke the data collection program stored in the memory 102 and further perform the following operations:
acquiring index information of the data stream; wherein, the index information is obtained according to the attribute information of the data stream;
and judging whether the index information is matched with the identification information of each data flow table, wherein when the identification information of the data flow table is matched with the index information, the data flow table matched with the attribute information is judged to be stored, and the identification information is obtained according to the attribute information stored in the data flow table.
In one embodiment, the processor 101 may be configured to invoke the data collection program stored in the memory 102 and further perform the following operations:
if the data flow tables which are matched with the attribute information do not exist in all the data flow tables, establishing the data flow tables which are matched with the attribute information;
adding attribute information of the data flow to the created data flow table.
In one embodiment, the processor 101 may be configured to invoke the data collection program stored in the memory 102 and further perform the following operations:
and acquiring the attribute information of the data stream according to a first stream table entry in the data stream table.
In one embodiment, the processor 101 may be configured to invoke the data collection program stored in the memory 102 and further perform the following operations:
acquiring a first flow table entry of each data flow table; and
acquiring a second flow table item included in the flow table information acquisition instruction;
if the first flow table entry is different from the second flow table entry, the first flow table entry of the data flow table is adjusted, so that the first flow table entry and the second flow table entry in each data flow table are the same.
It should be noted that, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order different from that shown, and the data collection method is applied to the collection of data flow information, and may be particularly applied to, but not limited to, a firewall, and the following embodiments are described by taking a firewall as an example.
As shown in fig. 2, in a first embodiment of the present application, when applied to a firewall, the data collection method of the present application includes the following steps:
step S210: and collecting data flow and acquiring attribute information of the data flow.
A virtual network in a cloud computing network (data center network) is often composed of various virtual network elements, such as a virtual switch, a virtual router, a virtual firewall, and a virtual machine, where the different virtual network elements are connected through virtual links. Usually, for security, a virtual firewall (hereinafter referred to as a firewall) is deployed on each virtual link, and each firewall keeps track of the data flow through its own stored data flow table when the data flow passes through the firewall. The data flow includes information for matching the data flow table, namely a source IP address, a destination IP address, a source port number, a destination port number, and a transport protocol. In this embodiment, when the firewall detects that a data stream passes through it, the firewall collects the data stream in real time and acquires the attribute information of the data stream collected in real time. The attribute information includes several types of information: in addition to the information carried in the data stream itself, such as the source IP address, destination IP address, source port number, destination port number and transport protocol, it includes the start time of the data stream, the end time of the data stream, the number of packets in the data stream, the total size of those packets, the direction of the data stream, and the ingress/egress port information of the data stream when it passes through the firewall.
When the firewall is created, a data flow table for tracking data flow is configured and stored in the firewall in advance. When a data flow passes through the firewall, the firewall acquires the attribute information of the data flow according to the first flow table entry in the data flow table. Specifically, when a data stream passes through the firewall, the firewall searches all data stream tables stored in the firewall for the data stream table matched with the data stream, obtains the first stream entries of the found data stream table, and obtains the attribute information of the data stream according to those first stream entries. A data flow table generally has a plurality of first flow table entries, each of a different type, and the number of first flow table entries in the data flow table may be equal to or less than the total number of items in the attribute information. The first flow table entries in the data flow table have a one-to-one correspondence with all or part of the information in the attribute information. For example, if the data flow table has 3 first flow table entries, namely the source port number entry, the destination port number entry, and the start time entry of the data flow, then the correspondence between these three first flow table entries and the partial information in the attribute information is that the source port number entry corresponds to the source port number, the destination port number entry corresponds to the destination port number, and the start time entry corresponds to the start time of the data flow.
Step S220: and adding the attribute information of the data flow into a data flow table.
In this embodiment, after acquiring the attribute information of the data stream according to the first flow entry in the data stream table, different types of information in the attribute information are added to the data stream table, that is, the information is written into the first flow entry in the data stream table corresponding to the information. For example, the source port number in the attribute information is written into the source port number entry in the data flow table. Specifically, how many pieces of information in the attribute information are added to the data flow table depends on the number of the first flow table entries in the data flow table, and the number of the pieces of information in the attribute information added to the data flow table is the same as the number of the first flow table entries.
Step S230: and when the preset conditions are met, transmitting the attribute information in the data flow table to an information acquisition device.
In this embodiment, when monitoring network traffic in the cloud computing network, the information collecting device may be configured to collect attribute information of data streams from the firewall to provide data for monitoring the network traffic. For the firewall, a preset condition for sending the attribute information of the data stream to the information acquisition device is configured in advance, so that the firewall sends the attribute information of the data stream to the information acquisition device according to the preset condition. Specifically, after the firewall adds the attribute information of the data stream into the data stream table, when the preset conditions are met, the attribute information in the data stream table is sent to the information acquisition device according to the different preset conditions. The preset condition comprises at least one of:
condition 1: receiving a flow table information acquisition instruction sent by an information acquisition device;
condition 2: the storage time of the data flow table is longer than the preset storage time;
condition 3: the time interval between the time point of the last sending of the attribute information and the current time point reaches a preset time interval.
The flow table information acquisition instruction is an instruction sent by the information acquisition device to the firewall and is used for triggering the firewall to send the attribute information in the data flow table to the information acquisition device. Besides triggering the firewall to send the attribute information in the data flow table to the information acquisition device, the flow table information acquisition instruction also carries a second flow table item which needs to be acquired and corresponds to the attribute information.
When the preset condition is condition 1, after receiving a flow table information acquisition instruction sent by the information acquisition device, the firewall sends information corresponding to the second flow table item in the attribute information in the data flow table to the information acquisition device according to the second flow table item, so that the information acquisition device realizes acquisition of the attribute information of the data flow. If the firewall does not receive the flow table information acquisition instruction sent by the information acquisition device, the attribute information in the data flow table is not sent.
After the data flow tables are configured in the firewall, the usable time of each data flow table is preset, namely the preset storage time of each data flow table stored in the firewall is preset. And when the firewall detects that the storage time of any data flow table is longer than the preset storage time, deleting the data flow table of which the storage time is longer than the preset storage time.
When the preset condition is condition 2, the firewall sends the attribute information in the data flow table whose storage time is longer than the preset storage time to the information acquisition device, so that the information acquisition device can acquire the attribute information of the data stream.
After the data flow tables are configured in the firewall, a preset time interval for sending the attribute information in the data flow tables to the information acquisition device is preset.
When the preset condition is condition 3, the firewall monitors in real time the time interval between the time point of the last send of attribute information to the information acquisition device and the current time point, and if that time interval reaches the preset time interval, the firewall sends the attribute information in the data flow table to the information acquisition device once, so that the information acquisition device acquires the attribute information of the data flow once every preset time interval. For example, if 100,000 data flow tables are stored in each firewall and the preset time interval is set to 1 ms, each firewall sends the attribute information in 1 data flow table to the information acquisition device every 1 ms, so that the attribute information of the 100,000 data flow tables is sent to the information acquisition device in sequence at the preset interval of 1 ms; that is, the information acquisition device acquires the attribute information in 1 data flow table every 1 ms until the attribute information in each of the 100,000 data flow tables has been acquired.
When the preset conditions are condition 1 and condition 2, after receiving a flow table information acquisition instruction sent by the information acquisition device, the firewall sends the information corresponding to the second flow table item in the attribute information in the data flow table to the information acquisition device according to the second flow table item, so that the information acquisition device acquires the attribute information of the data flow. When the attribute information is sent to the information acquisition device, if a data flow table whose storage time is longer than the preset storage time is detected, the attribute information in that data flow table is sent to the information acquisition device and the data flow table is deleted. If the firewall does not receive the flow table information acquisition instruction sent by the information acquisition device, the attribute information in the data flow table is not sent.
When the preset conditions are condition 1 and condition 3, after receiving a flow table information acquisition instruction sent by the information acquisition device, the firewall acquires the time interval, monitored in real time, between the last send of attribute information to the information acquisition device and the current time, and if that time interval reaches the preset time interval, the firewall sends the information corresponding to the second flow table item in the attribute information in the data flow table to the information acquisition device according to the second flow table item, so that the information acquisition device acquires the attribute information of the data flow at every preset time interval.
When the preset conditions are condition 2 and condition 3, the firewall acquires the time interval, monitored in real time, between the last send of attribute information to the information acquisition device and the current time point, and if that time interval reaches the preset time interval, the firewall sends the attribute information in the data flow table to the information acquisition device once, so that the information acquisition device acquires the attribute information of the data flow once every preset time interval. When the attribute information is sent to the information acquisition device, if a data flow table whose storage time is longer than the preset storage time is detected, the attribute information in that data flow table is sent to the information acquisition device and the data flow table is deleted.
When the preset conditions are condition 1, condition 2 and condition 3, after receiving a flow table information acquisition instruction sent by the information acquisition device, the firewall acquires the time interval, monitored in real time, between the last send of attribute information to the information acquisition device and the current time, and if that time interval reaches the preset time interval, the firewall sends the information corresponding to the second flow table item in the attribute information in the data flow table to the information acquisition device according to the second flow table item, so that the information acquisition device acquires the attribute information of the data flow at every preset time interval. When the attribute information is sent to the information acquisition device, if a data flow table whose storage time is longer than the preset storage time is detected, the attribute information in that data flow table is sent to the information acquisition device and the data flow table is deleted. If the firewall does not receive the flow table information acquisition instruction sent by the information acquisition device, the attribute information in the data flow table is not sent.
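The three preset conditions and the first/second flow table entry alignment described above, as an added example that is not part of the patent or of any Sangfor product. All class and method names (FlowExporter, FlowTableInstruction, on_instruction, on_tick) are assumptions, the tables and timestamps are constructed, and the collector transport is replaced by an in-memory list. Condition 3 follows the text's 1 ms example by sending one table per interval and cycling through the stored tables; the clock for the "last send" is assumed to start at configuration time.

```python
from dataclasses import dataclass


@dataclass
class DataFlowTable:
    """Constructed data flow table: values written into its first flow table entries."""
    entries: dict        # first flow table entry name -> value, e.g. {"src_port": 40000}
    stored_at: float     # time (seconds) the table was stored in the firewall


@dataclass
class FlowTableInstruction:
    """Condition 1 trigger: the collection device's instruction and the second flow table items it carries."""
    second_entries: tuple


class FlowExporter:
    """Hypothetical exporter applying the three preset conditions; all names are assumptions."""

    def __init__(self, first_entries, max_storage_time, send_interval, now=0.0):
        self.first_entries = tuple(first_entries)   # first flow table entries configured in every table
        self.max_storage_time = max_storage_time     # preset storage time (condition 2)
        self.send_interval = send_interval           # preset time interval (condition 3)
        self.tables = {}                             # table id -> DataFlowTable
        self.last_sent_at = now                      # assumption: the clock starts at configuration time
        self.cursor = 0                              # which table condition 3 sends next
        self.sent = []                               # (time, table id, payload): stands in for the transmission

    def _send(self, now, table_id, table, wanted):
        payload = {k: v for k, v in table.entries.items() if k in wanted}
        self.sent.append((now, table_id, payload))
        self.last_sent_at = now

    def on_instruction(self, instr, now):
        """Condition 1: send only the attribute info that matches the second flow table items,
        then align each table's first flow table entries with them when the two differ."""
        for table_id, table in self.tables.items():
            self._send(now, table_id, table, instr.second_entries)
        if tuple(instr.second_entries) != self.first_entries:
            self.first_entries = tuple(instr.second_entries)
            for table in self.tables.values():
                table.entries = {k: table.entries.get(k) for k in self.first_entries}
        return len(self.tables)

    def on_tick(self, now):
        """Conditions 2 and 3, evaluated on a timer; returns the ids of the tables sent in this tick."""
        sent_ids = []
        interval_due = now - self.last_sent_at >= self.send_interval
        # Condition 2: a table stored longer than the preset storage time is sent, then deleted.
        expired = [i for i, t in self.tables.items() if now - t.stored_at > self.max_storage_time]
        for table_id in expired:
            self._send(now, table_id, self.tables.pop(table_id), self.first_entries)
            sent_ids.append(table_id)
        # Condition 3: once the preset interval has elapsed since the last send, send the next
        # table in sequence (the text's example: one table per 1 ms, cycling through all tables).
        if interval_due and self.tables:
            ids = sorted(self.tables)
            table_id = ids[self.cursor % len(ids)]
            self.cursor += 1
            self._send(now, table_id, self.tables[table_id], self.first_entries)
            sent_ids.append(table_id)
        return sent_ids


def make_demo_exporter():
    """Two constructed flow tables; the entries follow the text's three-entry example."""
    fw = FlowExporter(("src_port", "dst_port", "start_time"),
                      max_storage_time=10.0, send_interval=1.0)
    fw.tables["a"] = DataFlowTable({"src_port": 40000, "dst_port": 443, "start_time": 0.5}, stored_at=0.5)
    fw.tables["b"] = DataFlowTable({"src_port": 40001, "dst_port": 53, "start_time": 2.0}, stored_at=2.0)
    return fw


if __name__ == "__main__":
    fw = make_demo_exporter()
    print(fw.on_tick(0.9), fw.on_tick(1.0), fw.on_tick(2.0))                       # [] ['a'] ['b']
    print(fw.on_instruction(FlowTableInstruction(("src_port", "dst_port")), 3.0))  # 2
    print(fw.on_tick(11.0), sorted(fw.tables))                                       # ['a', 'b'] ['b']
```

Note the interaction the text leaves implicit: a condition 2 send also counts as "the last send", so a tick in which a table expires postpones the next condition 3 send unless the interval had already elapsed before the tick, which is why `interval_due` is evaluated before the expiry pass.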
According to the technical scheme, the data flow is collected, the attribute information of the data flow is obtained, the attribute information of the data flow is added into the data flow table, and when the preset condition is met, the attribute information in the data flow table is sent to the information collection device, so that the influence on the data forwarding performance of the network during full collection or non-full collection of network flow is reduced, the loss of network resources is reduced, and the accuracy of network flow information collection is improved.
As shown in fig. 3, in the second embodiment of the present application, based on the first embodiment, the step S220 includes the following steps:
step S221: and judging whether a data flow table matched with the attribute information is stored or not.
In this embodiment, when a data stream passes through the firewall, the firewall analyzes the data stream to obtain its index information, which is derived from the attribute information of the data stream. Specifically, the information used for matching the data flow table is obtained from the attribute information of the data flow, and this matching information is the index information; that is, the index information includes the source IP address, destination IP address, source port number, destination port number, and transmission protocol. After acquiring the index information of the data stream, the firewall acquires the stored identification information of each data stream table and judges whether the index information matches the identification information of any data stream table; when the identification information of a data stream table matches the index information, the firewall judges that a data stream table matched with the attribute information is stored in the firewall. The identification information is obtained from the attribute information stored in the data flow table: the firewall takes the attribute information stored in the data flow table and extracts from it the information used for matching the data flow table, and that extracted information is the identification information. If the identification information of a data flow table corresponds one-to-one with, and is identical to, the index information of the data flow, the firewall can determine that it stores a data flow table matched with the attribute information of the data flow.
Step S222: and if the data flow table matched with the attribute information is stored, acquiring the data flow table matched with the attribute information.
Step S223: and adding the attribute information of the data flow into the acquired data flow table.
In this embodiment, if the firewall determines that the firewall itself stores the data flow table matching the attribute information of the data flow, the firewall acquires the data flow table matching the attribute information of the data flow, and then adds the attribute information of the data flow passing through the firewall itself to the data flow table matching the attribute information of the data flow, that is, writes the information in the attribute information of the data flow into the first flow entry in the data flow table correspondingly.
Further, step S221 is followed by the following steps:
step S224: and if the data flow tables matched with the attribute information do not exist in all the data flow tables, establishing the data flow table matched with the attribute information.
Step S225: adding attribute information of the data flow to the created data flow table.
In this embodiment, if the identification information of the data flow table does not match the index information of the data flow, the firewall determines that the data flow table that matches the attribute information of the data flow is not stored by itself, and determines that the identification information of the data flow table does not match the index information of the data flow.
Further, the firewall creates a data flow table matched with the attribute information of the data flow according to the attribute information of the data flow passing through the firewall, and then adds the attribute information of the data flow passing through the firewall into the created data flow table, that is, information in the attribute information of the data flow is correspondingly written into a first flow table entry in the created data flow table.
According to the technical scheme, whether a data flow table matched with the attribute information is stored or not is judged, if the data flow table matched with the attribute information is stored, the data flow table matched with the attribute information is acquired, and the attribute information of the data flow is added into the acquired data flow table; and if the data flow tables matched with the attribute information do not exist in all the data flow tables, creating the data flow tables matched with the attribute information, and adding the attribute information of the data flow to the created data flow tables, so that the accuracy of collecting the attribute information of the data flow is realized.
As shown in fig. 4, in a third embodiment of the present application, based on the first embodiment, the preset condition includes receiving a flow table information acquisition instruction sent by the information acquisition apparatus, and after step S230 the method includes the following steps:
Step S240: acquiring a first flow table entry of each data flow table, and acquiring a second flow table entry included in the flow table information acquisition instruction.
The number of first flow table entries in a data flow table is generally fixed, whereas the second flow table entries carried in the flow table information acquisition instruction, and their number, are user-defined according to the acquisition requirements. Three cases are possible: the number of second flow table entries differs from the number of first flow table entries; the numbers are the same and the second flow table entries correspond one-to-one to, and are identical with, the first flow table entries; or the numbers are the same but the second flow table entries differ from the first flow table entries, that is, there is no one-to-one identical correspondence.
In this embodiment, after receiving a flow table information acquisition instruction sent by the information acquisition device, the firewall acquires the first flow table entry of each data flow table and the second flow table entry included in the instruction. If the firewall determines that the number of second flow table entries is the same as the number of first flow table entries and that the second flow table entries correspond one-to-one to, and are identical with, the first flow table entries, it sends the information in the attribute information of the data flow table that corresponds to the second flow table entries to the information acquisition device; otherwise, it executes step S250.
Step S250: if the first flow table entry differs from the second flow table entry, adjusting the first flow table entry of the data flow table so that the first flow table entry and the second flow table entry of each data flow table are the same.
In this embodiment, if the firewall determines that the number of second flow table entries differs from the number of first flow table entries, or that the numbers are the same but the second flow table entries differ from the first flow table entries, the firewall adjusts the first flow table entries according to the second flow table entries so that the first flow table entries become the same as the second flow table entries. The first flow table entries are adjusted according to the second flow table entries as follows:
When the number of second flow table entries differs from the number of first flow table entries: if the number of second flow table entries is greater, first flow table entries are added to the data flow table according to the second flow table entries, that is, the data flow table is expanded so that its first flow table entries become the same as the second flow table entries, which amounts to adding first flow table entries that did not previously exist to the data flow table. If the number of second flow table entries is smaller, first flow table entries are removed from the data flow table according to the second flow table entries, that is, the data flow table is reduced so that its first flow table entries become the same as the second flow table entries, which amounts to deleting the redundant first flow table entries from the data flow table.
When the number of second flow table entries is the same as the number of first flow table entries but the second flow table entries differ from the first flow table entries, the first flow table entries in the data flow table are replaced with the second flow table entries.
Further, after the first flow table entries of the data flow table have been adjusted according to the second flow table entries, the adjusted data flow table is obtained. When a data stream subsequently passes through the firewall, the firewall executes the following steps:
Step a: collecting the data stream and acquiring the attribute information of the data stream.
Step b: adding the attribute information of the data flow to the adjusted data flow table.
Step c: sending the attribute information in the adjusted data flow table to the information acquisition device.
The specific implementation of steps a to c is the same as that of steps S210 to S230 in the first embodiment and is not repeated in this embodiment.
According to the technical solution, the first flow table entry of each data flow table is acquired, the second flow table entry included in the flow table information acquisition instruction is acquired, and if the first flow table entry differs from the second flow table entry, the first flow table entry of the data flow table is adjusted so that the first flow table entry and the second flow table entry of each data flow table are the same.
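As an added illustration, not the patent's own code, the following Python models the flow-table bookkeeping of the second and third embodiments: matching on index information and creating or reusing a data flow table (steps S221 to S225), adjusting the first flow table entries to the instruction's second flow table entries (steps S240 and S250), and the preset conditions of the first embodiment. The attribute names, the DataFlowTable and Firewall classes, the initial first flow table entries and the sample streams are assumptions.

```python
# Index / identification information: the attribute fields used to match a data
# stream to a data flow table (source IP, destination IP, ports, protocol).
MATCH_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol")

# Assumed initial first flow table entries; the patent leaves these to the implementer.
DEFAULT_ENTRIES = MATCH_FIELDS + ("bytes", "packets")


def index_of(attrs):
    """Derive the index information of a data stream from its attribute information."""
    return tuple(attrs[f] for f in MATCH_FIELDS)


class DataFlowTable:
    """One data flow table: its first flow table entries plus the attribute
    information written under those entries for every matching stream."""

    def __init__(self, entries, created_at):
        self.entries = list(entries)
        self.rows = []
        self.created_at = created_at  # used for the storage-time preset condition

    def add(self, attrs):
        # Steps S223 / S225: write each attribute into its corresponding entry.
        self.rows.append({e: attrs.get(e) for e in self.entries})

    def identification(self):
        # Identification information is obtained from the stored attribute information.
        return index_of(self.rows[0]) if self.rows else None


class Firewall:
    def __init__(self, entries=DEFAULT_ENTRIES):
        self.entries = list(entries)   # first flow table entries shared by all tables
        self.tables = {}               # index information -> DataFlowTable
        self.last_sent_at = None       # time of the last send, None before any send

    def collect(self, attrs, now):
        """Steps S221 to S225: match on index information, reuse or create a table."""
        key = index_of(attrs)
        table = self.tables.get(key)
        if table is None:              # no identification information matched
            table = DataFlowTable(self.entries, now)
            self.tables[key] = table
        table.add(attrs)
        return table

    def adjust_entries(self, second_entries):
        """Steps S240 / S250: make the first entries equal to the instruction's entries."""
        second = list(second_entries)
        if second == self.entries:
            return "unchanged"         # one-to-one identical: nothing to adjust
        if len(second) > len(self.entries):
            kind = "expanded"          # entries not present before are added (None for old rows)
        elif len(second) < len(self.entries):
            kind = "reduced"           # redundant entries are deleted
        else:
            kind = "replaced"          # same count, different entries
        self.entries = second
        for table in self.tables.values():
            table.entries = list(second)
            table.rows = [{e: row.get(e) for e in second} for row in table.rows]
        return kind

    def should_send(self, now, instruction_received=False,
                    max_storage=60.0, send_interval=30.0):
        """Preset conditions of the first embodiment; any one of them suffices."""
        if instruction_received:
            return True
        if any(now - t.created_at > max_storage for t in self.tables.values()):
            return True
        return self.last_sent_at is not None and now - self.last_sent_at >= send_interval
```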
As shown in fig. 5, the present application provides a firewall, including:
an information acquisition module 310, configured to collect a data stream and obtain attribute information of the data stream;
an information adding module 320, configured to add the attribute information of the data flow to a data flow table;
and an information sending module 330, configured to send the attribute information in the data flow table to the information acquisition device when a preset condition is met.
Further, the preset condition includes at least one of:
receiving a flow table information acquisition instruction sent by the information acquisition device;
the storage time of the data flow table is longer than the preset storage time;
and the time interval between the time point of sending the attribute information last time and the current time point reaches a preset time interval.
Further, the information adding module 320 includes:
a flow table judging unit, configured to judge whether a data flow table matching the attribute information is stored;
a flow table acquiring unit, configured to acquire the data flow table matching the attribute information if such a data flow table is stored;
and a first information entry unit, configured to add the attribute information of the data stream to the acquired data flow table.
Further, the flow table judging unit includes:
an index information obtaining subunit, configured to obtain index information of the data stream, the index information being obtained according to the attribute information of the data stream;
and a flow table judging subunit, configured to judge whether the index information matches the identification information of each data flow table, wherein when the identification information of a data flow table matches the index information, it is determined that a data flow table matching the attribute information is stored, the identification information being obtained according to the attribute information stored in the data flow table.
Further, the information adding module 320 further includes:
a flow table creating unit, configured to create a data flow table matching the attribute information if no data flow table matching the attribute information exists among all the data flow tables;
and a second information entry unit, configured to add the attribute information of the data flow to the created data flow table.
Further, in obtaining the attribute information of the data stream, the information acquisition module 310 is specifically configured to obtain the attribute information of the data stream according to a first flow table entry in a data flow table.
Further, where the preset condition includes receiving the flow table information acquisition instruction sent by the information acquisition device, the firewall further includes:
a flow table entry obtaining unit, configured to obtain a first flow table entry of each data flow table and to obtain a second flow table entry included in the flow table information acquisition instruction;
and a flow table entry adjusting unit, configured to adjust the first flow table entry of the data flow table if it differs from the second flow table entry, so that the first flow table entry and the second flow table entry of each data flow table are the same.
The specific implementation of the firewall of the present invention is essentially the same as that of the data acquisition method embodiments and is not described again here.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all changes and modifications that fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A data acquisition method, applied to a firewall, the method comprising the following steps:
collecting a data stream and acquiring attribute information of the data stream;
adding the attribute information of the data stream to a data flow table;
and when a preset condition is met, sending the attribute information in the data flow table to an information acquisition device.
2. The data acquisition method according to claim 1, wherein the preset condition includes at least one of:
receiving a flow table information acquisition instruction sent by the information acquisition device;
the storage time of the data flow table being longer than a preset storage time;
and the time interval between the time point of the last sending of the attribute information and the current time point reaching a preset time interval.
3. The data acquisition method according to claim 2, wherein the step of adding the attribute information of the data stream to a data flow table comprises:
judging whether a data flow table matching the attribute information is stored;
if a data flow table matching the attribute information is stored, acquiring the data flow table matching the attribute information;
and adding the attribute information of the data stream to the acquired data flow table.
4. The data acquisition method according to claim 3, wherein judging whether a data flow table matching the attribute information is stored comprises:
acquiring index information of the data stream, the index information being obtained according to the attribute information of the data stream;
and judging whether the index information matches the identification information of each data flow table, wherein when the identification information of a data flow table matches the index information, it is determined that a data flow table matching the attribute information is stored, the identification information being obtained according to the attribute information stored in the data flow table.
5. The data acquisition method according to claim 3, wherein the step of adding the attribute information of the data stream to a data flow table further comprises:
if no data flow table matching the attribute information exists among all the data flow tables, creating a data flow table matching the attribute information;
and adding the attribute information of the data stream to the created data flow table.
6. The data acquisition method according to claim 1, wherein the step of acquiring the attribute information of the data stream comprises:
acquiring the attribute information of the data stream according to a first flow table entry in the data flow table.
7. The data acquisition method according to claim 6, wherein the preset condition includes receiving a flow table information acquisition instruction sent by the information acquisition device, and after the step of sending the attribute information in the data flow table to the information acquisition device when the preset condition is met, the method further comprises:
acquiring a first flow table entry of each data flow table; and
acquiring a second flow table entry included in the flow table information acquisition instruction;
if the first flow table entry differs from the second flow table entry, adjusting the first flow table entry of the data flow table so that the first flow table entry and the second flow table entry of each data flow table are the same.
8. A firewall, comprising:
an information acquisition module, configured to collect a data stream and acquire attribute information of the data stream;
an information adding module, configured to add the attribute information of the data stream to a data flow table;
and an information sending module, configured to send the attribute information in the data flow table to an information acquisition device when a preset condition is met.
9. A firewall, comprising a memory, a processor, and a data acquisition program stored in the memory and executable on the processor, wherein the data acquisition program, when executed by the processor, implements the steps of the data acquisition method according to any one of claims 1 to 7.
10. A storage medium having stored thereon a data acquisition program which, when executed by a processor, implements the steps of the data acquisition method according to any one of claims 1 to 7.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202110723354.9A (CN115604138A) | 2021-06-28 | 2021-06-28 | Data acquisition method, firewall and storage medium

Publications (1)

Publication Number | Publication Date
CN115604138A | 2023-01-13

Family ID: 84841098

Country Status (1): CN (1) CN115604138A (en), Pending


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination