CN115941531A - Network original message extraction method based on newly-added kernel driving module - Google Patents

Network original message extraction method based on newly-added kernel driving module

Info

Publication number
CN115941531A
Authority
CN
China
Prior art keywords
network
message
kernel
original
probe module
Prior art date
Legal status
Pending
Application number
CN202211556523.5A
Other languages
Chinese (zh)
Inventor
牟家正
王成
冯晶晶
林荣飞
刘英杰
卞浩
沈达程
Current Assignee
Jiangsu Jierui Information Technology Co ltd
716th Research Institute of CSIC
CSIC Information Technology Co Ltd
Original Assignee
Jiangsu Jierui Information Technology Co ltd
716th Research Institute of CSIC
CSIC Information Technology Co Ltd
Application filed by Jiangsu Jierui Information Technology Co ltd, 716th Research Institute of CSIC, CSIC Information Technology Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a raw network packet (network original message) extraction method based on a newly added kernel driver module. It gives user-mode processes a new packet capture path by adding a network packet probe module to the Linux kernel and by customising the Linux kernel network subsystem and the network device drivers. The invention extends raw packet capture by also reporting which physical network adapter received each raw packet. On this basis, raw packet forwarding keyed by the device number of the physical network adapter can be implemented on a multi-adapter hardware platform running the Linux operating system, the system's functions are further extended, and a low-cost technical solution is provided for deeply customised network use, network testing, network fault analysis and the like.

Description

Network original message extraction method based on newly added kernel driving module
Technical Field
The invention belongs to the technical field of Linux operating system kernels, and particularly relates to a network original message extraction method based on a newly-added Linux kernel driver module.
Background
Packet capture is a technique for monitoring and intercepting packets on a network: a packet is copied to the capturing host without being removed from its normal path. As the front end of network analysis, packet capture is widely used in firewalls, intrusion detection systems and host routers. Traditional packet capture can be achieved by calling a packet capture function library; for example, intrusion detection programs and sniffers capture packets through such a library. In a high-speed network environment, however, the library's capture efficiency is low and its packet loss rate is high, because of the multiple memory copies in the operating system's protocol stack, the interrupt handling at the lowest layer and the inherent redundant data processing of a general-purpose operating system. The library is therefore unsuited to capture tasks in high-speed networks and is only appropriate for a single machine or a network of 100 Mbit/s or slower. Dedicated packet capture mechanisms are typically used to meet the needs of gigabit and faster networks. Such a mechanism improves not only the software but also, purposefully, the hardware. On the software side, a zero-copy technique is generally adopted to rework memory management and remove the redundant memory copies in a general-purpose operating system's protocol stack, while interrupt management is improved to address the excessive number of packet-receive interrupts raised by the network card. On the hardware side, a capture network card built on a specific processing chip architecture is paired with a customised operating system kernel, so that the hardware is made as special-purpose as possible and capture performance rises accordingly.
A method that obtains raw network packets through the Linux operating system's own mechanisms cannot, when the hardware platform has several physical network adapters, tell the user-mode process which physical network adapter a given raw packet came from, so further analysis and application of the raw packet are limited.
Disclosure of Invention
The invention aims to provide a raw network packet extraction method based on a newly added kernel driver module that addresses the problems in the prior art.
The technical solution that achieves this aim is as follows. The raw network packet extraction method based on a newly added kernel driver module is implemented in a Linux operating system environment and involves, in user mode, a state monitoring and configuration process and a packet capture process, and, in kernel mode, a network packet probe module, the kernel network subsystem, a character device driver, a PCI network card device driver and a platform network card device driver.
A PCI network card device driver or a platform network card device driver receives a raw packet from the Ethernet and, after processing it, passes it to the kernel network subsystem. The kernel network subsystem queues the raw packet processing task on a work queue for later handling, at which point the following steps run: first, the packet capture enable flag bit is checked; if the flag is zero, no capture is performed, and if it is one, external function (3) is called to perform the capture. External function (3) copies one raw packet out of the skb structure, combines it with the device number into a structure variable, stores that structure variable in the circular buffer of the network packet probe module, gives (posts) a semaphore, and then releases the memory occupied by the skb structure. Once a structure variable made up of the raw packet and the device number has been stored in the circular buffer, the packet capture process can fetch it from the probe module's circular buffer; the device number maps the source of the raw packet to a specific network adapter, and the raw packet capture flow is complete.
Further, the network packet probe module is built on the character device driver model of the Linux kernel and implements an ioctl method and a read method. The ioctl method provides two functions: obtaining the network adapter device numbers, and turning raw packet capture on or off. The read method takes a structure variable composed of the raw packet and the device number from the circular buffer and delivers it to the packet capture process.
Further, the circular buffer reuses old storage space by overwriting it, and synchronises the structure-variable writes initiated by external function (3) with the structure-variable reads initiated by the read method using a semaphore. External function (3) gives the semaphore after writing a structure variable; the read method first acquires the semaphore and then reads the data from the circular buffer, so if external function (3) has not given the semaphore, the read method blocks until it does.
Further, the state monitoring and configuration process issues a network card enumeration command to the network packet probe module through the ioctl method the module provides, and the network packet probe module obtains the device numbers of all network adapters detected in the current hardware system from the PCI network card device driver or the platform network card device driver through external function (1).
Further, the enumeration of network adapters by the PCI network card device driver specifically comprises:
the PCI network card device driver first registers the PCI platform device driver, then enumerates the PCI devices in the system, identifies the network adapter devices among them and records their device numbers.
Further, the enumeration of network adapters by the platform network card device driver specifically comprises:
the platform network card device driver registers the platform device driver, enumerates the platform devices in the system, identifies the network adapter devices among them and records their device numbers.
Further, the state monitoring and configuration process issues a function configuration command to the network packet probe module through the ioctl method the module provides, and the network packet probe module passes the configuration command to the kernel network subsystem through external function (2), thereby turning the packet capture function on or off.
Further, the packet capture process obtains packet data from the circular buffer in the network packet probe module through the read method the module provides.
Further, the network packet probe module injects external function (2) into the kernel network subsystem, and the kernel network subsystem stores the network packet and the network adapter device number into the circular buffer in the network packet probe module through external function (2).
Compared with the prior art, the invention has the following notable advantages:
1) The invention gives user-mode processes a new packet capture method by adding a network packet probe module to the Linux kernel and customising the Linux kernel network subsystem and the network device drivers. In addition to the raw packet itself, the method reports which physical network adapter received it, which widens the range of uses for the raw packet.
2) The user-mode process uniquely identifies the physical network adapter that corresponds to a raw packet from the device number. The structure received in user mode carries two pieces of information at once, the raw packet and the device number; the device number identifies the corresponding physical network adapter, which in turn establishes the source of the raw packet and gives network communication behaviour analysis more to work with.
3) The invention extends raw packet capture by also providing the physical network adapter that received the raw packet. On this basis, raw packet forwarding keyed by the device number of the physical network adapter can be implemented on a multi-adapter hardware platform running the Linux operating system, the system's functions are further extended, and a low-cost technical solution is provided for deeply customised network use, network testing, network fault analysis and the like.
The present invention is described in further detail below with reference to the attached drawing figures.
Drawings
Fig. 1 is a schematic diagram of the technical implementation of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, the application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here merely illustrate the application and do not restrict its broad scope.
With reference to fig. 1, the present invention provides a raw network packet extraction method based on a newly added kernel driver module. It is implemented in a Linux operating system environment and involves, in user mode, a state monitoring and configuration process and a packet capture process, and, in kernel mode, a network packet probe module, the kernel network subsystem, a character device driver, a PCI network card device driver and a platform network card device driver.
A PCI network card device driver or a platform network card device driver receives a raw packet from the Ethernet through the NAPI mechanism and, after processing it, passes it to the kernel network subsystem. The kernel network subsystem queues the raw packet processing task on a work queue for later handling, at which point the following steps run: first, the packet capture enable flag bit is checked; if the flag is zero, no capture is performed, and if it is one, external function (3) is called to perform the capture. External function (3) copies one raw packet out of the skb structure, combines it with the device number into a structure variable, stores that structure variable in the circular buffer of the network packet probe module, gives a semaphore, and then releases the memory occupied by the skb structure. Once the raw packet and the device number have been stored in the circular buffer as a structure variable, the packet capture process can fetch that structure variable from the probe module's circular buffer; because the structure variable carries the device number, the source of the raw packet can be mapped to a specific network adapter, and the raw packet capture flow is complete.
Further, in one embodiment, the network packet probe module is built on the character device driver model of the Linux kernel and implements an ioctl method and a read method. The ioctl method provides two functions: obtaining the network adapter device numbers, and turning raw packet capture on or off. The read method takes a structure variable composed of the raw packet and the device number from the circular buffer and delivers it to the packet capture process through the copy_to_user method.
Further, in one embodiment, the circular buffer reuses old storage space by overwriting it, and synchronises the structure-variable writes initiated by external function (3) with the structure-variable reads initiated by the read method using a semaphore. External function (3) gives the semaphore after writing a structure variable; the read method first acquires the semaphore and then reads the data from the circular buffer, so if external function (3) has not given the semaphore, the read method blocks until it does.
Further, in one embodiment, the state monitoring and configuration process issues a network card enumeration command to the network packet probe module through the ioctl() method the module provides, and the network packet probe module obtains the device numbers of all network adapters detected in the current hardware system from the PCI network card device driver or the platform network card device driver through external function (1).
The enumeration of network adapters by the PCI network card device driver specifically comprises:
the PCI network card device driver first registers the PCI platform device driver, then calls the probe method to enumerate the PCI devices in the system, identifies the network adapter devices among them and records their device numbers.
The enumeration of network adapters by the platform network card device driver specifically comprises:
the platform network card device driver first registers the platform device driver, then calls the probe method to enumerate the platform devices in the system, identifies the network adapter devices among them and records their device numbers.
Further, in one embodiment, the state monitoring and configuration process issues a function configuration command to the network packet probe module through the ioctl() method the module provides, and the network packet probe module passes the configuration command to the kernel network subsystem through external function (2), thereby turning the packet capture function on or off.
Further, in one embodiment, the packet capture process obtains packet data from the circular buffer in the network packet probe module through the read() method the module provides.
Further, in one embodiment, the network packet probe module injects external function (2) into the kernel network subsystem, and the kernel network subsystem stores the network packet and the network adapter device number into the circular buffer in the network packet probe module through external function (2).
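The description above (the work-queue path that gates on the enable flag, copies the frame out of the skb, tags it with the device number, posts a semaphore, and the overwriting circular buffer drained by read()) maps onto a small data structure. The following user-space C model is an added example and is not code from the patent or from any of the assignees; the type and function names, the ring depth of four slots, the 64-byte frame cap and the sample frames are all constructed for the demonstration. It stands in for the kernel pieces as follows: `probe_on_packet()` plays external function (3) running from the work queue, `probe_read()` plays the character device's read() with `down(&sem)` then `copy_to_user()`, and `count` plays the semaphore count. One detail the patent text leaves open is what happens to the semaphore credit of a record that is overwritten before it is read; the model drops that credit so a later read() never returns a slot whose data has been replaced.

```c
/* User-space model of the probe module's tagged circular buffer (added example). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PROBE_MAX_PKT   64   /* constructed: bytes kept per frame */
#define PROBE_SLOTS      4   /* constructed: ring depth, small to show overwrite */

/* The "structure variable": one raw frame plus the adapter device number. */
struct probe_record {
    uint32_t dev_id;              /* network adapter device number */
    uint32_t len;                 /* bytes stored in data[] */
    uint8_t  truncated;           /* 1 if the frame did not fit in data[] */
    uint8_t  data[PROBE_MAX_PKT];
};

struct probe_ring {
    struct probe_record slot[PROBE_SLOTS];
    unsigned head;                /* next slot the kernel-side hook writes */
    unsigned tail;                /* next slot read() hands to user space */
    unsigned count;               /* readable records; stands in for the semaphore count */
    unsigned dropped;             /* records overwritten before anyone read them */
    int capture_enabled;          /* the packet capture enable flag bit */
};

void probe_ring_init(struct probe_ring *r) { memset(r, 0, sizeof *r); }

/* ioctl "function configuration": turn capture on (1) or off (0). */
void probe_set_capture(struct probe_ring *r, int on) { r->capture_enabled = on ? 1 : 0; }

/* Models external function (3) as called from the work queue: gate on the flag,
 * copy the frame out of the skb, tag it with dev_id, publish it, post the semaphore.
 * Returns 1 if a record was stored, 0 if capture is disabled. */
int probe_on_packet(struct probe_ring *r, uint32_t dev_id, const uint8_t *frame, size_t len)
{
    if (!r->capture_enabled)
        return 0;

    struct probe_record *rec = &r->slot[r->head];
    rec->dev_id = dev_id;
    rec->truncated = len > PROBE_MAX_PKT;          /* never copy past the slot */
    rec->len = rec->truncated ? PROBE_MAX_PKT : (uint32_t)len;
    memcpy(rec->data, frame, rec->len);

    r->head = (r->head + 1) % PROBE_SLOTS;
    if (r->count == PROBE_SLOTS) {
        /* Overwrite mode: the oldest unread record is gone, so advance tail and
         * do not add a semaphore credit for it; otherwise a later read() would
         * wake up and hand back a slot whose data has already been replaced. */
        r->tail = (r->tail + 1) % PROBE_SLOTS;
        r->dropped++;
    } else {
        r->count++;                               /* up(&sem) */
    }
    return 1;
}

/* Models the character device read(): down(&sem), then copy one record out.
 * A kernel read() would block when count is 0; the model returns -1 instead. */
int probe_read(struct probe_ring *r, struct probe_record *out)
{
    if (r->count == 0)
        return -1;
    *out = r->slot[r->tail];                      /* copy_to_user() in the driver */
    r->tail = (r->tail + 1) % PROBE_SLOTS;
    r->count--;
    return 0;
}

/* Constructed scenario: adapters with device numbers 1 and 2 deliver six short
 * frames into the four-slot ring before user space reads any of them. */
struct demo_result {
    unsigned stored, dropped, read;
    uint32_t first_dev;           /* device number of the first record read() returns */
    char first_payload[8];
};

struct demo_result probe_demo(void)
{
    static const char *frames[] = {"p0", "p1", "p2", "p3", "p4", "p5"};   /* constructed */
    struct probe_ring ring;
    struct probe_record rec;
    struct demo_result res;
    memset(&res, 0, sizeof res);

    probe_ring_init(&ring);
    /* Flag still zero: this frame must not be captured. */
    res.stored += probe_on_packet(&ring, 1, (const uint8_t *)"x", 1);
    probe_set_capture(&ring, 1);
    for (int i = 0; i < 6; i++)
        res.stored += probe_on_packet(&ring, (uint32_t)(i % 2) + 1,
                                      (const uint8_t *)frames[i], 2);
    res.dropped = ring.dropped;                   /* p0 and p1 were overwritten */

    while (probe_read(&ring, &rec) == 0) {        /* drain like a read() loop */
        if (res.read == 0) {
            res.first_dev = rec.dev_id;
            memcpy(res.first_payload, rec.data, rec.len);
            res.first_payload[rec.len] = '\0';
        }
        res.read++;
    }
    return res;
}
```

The demo shows the two behaviours a practitioner should check in any such driver: with the enable flag clear the hook stores nothing, and with the ring full the writer overwrites the oldest unread record rather than stalling the receive path, so the reader sees the most recent `PROBE_SLOTS` records (here p2 onward, the first one tagged with device number 1) and a drop counter records what was lost. The `truncated` field is the second edge case: a frame longer than the slot is clipped rather than copied past the record boundary.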
In conclusion, the invention extends raw packet capture by also providing the physical network adapter that received the raw packet. On this basis, raw packet forwarding keyed by the device number of the physical network adapter can be implemented on a multi-adapter hardware platform running the Linux operating system, the system's functions are further extended, and a low-cost technical solution is provided for deeply customised network use, network testing, network fault analysis and the like.
The foregoing shows and describes the general principles, principal features and advantages of the invention. Those skilled in the art will understand that the invention is not limited to the embodiments described above; the embodiments and descriptions only illustrate its principles, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the invention fall within its scope.

Claims (9)

1. A network original message extraction method based on a newly added kernel drive module is characterized in that the method is realized based on a Linux operating system environment, and relates to a state monitoring and configuration process and a message capture process in a user mode, a network message probe module, a kernel network subsystem, a PCI network card device driver, a character type device driver and a platform network card device driver in a kernel mode;
a PCI network card device driver or a platform network card device driver acquires a network original message from the Ethernet, and the network original message is sent to a kernel network subsystem after being processed; the kernel network subsystem mounts the network original message processing affair to a work queue to wait for subsequent processing until the following processes are executed: firstly, judging a message capture enabling flag bit, if the flag bit is set to zero, not performing message capture operation, and if the flag bit is set to one, calling an external function (3) to perform message capture operation; copying one network original message from the skb structure by the external function (3), forming a structure variable together with the equipment number, storing the structure variable into a circular buffer area of the network message probe module, giving a semaphore, and then releasing a memory occupied by the skb structure; when the structure variable is composed of the network original message and the equipment number stored in the circular buffer area, the message capturing process can obtain the structure variable from the circular buffer area of the network message probe module, the equipment number can correspond the source of the network original message to a specific network adapter, and the network original message capturing process is finished.
2. The method for extracting the original network message based on the newly added kernel driver module according to claim 1, wherein the network message probe module is constructed based on a character type driver model of a Linux kernel to realize an ioctl method and a read method; the ioctl method provides two functions of acquiring the serial number of the network adapter equipment and starting or closing the capturing of the original message of the network; the read method obtains a structure variable composed of the original network message and the equipment number from the circular buffer area and sends the structure variable into a message capturing process.
3. The method for extracting the network original message based on the newly added kernel driving module according to claim 2, wherein the circular buffer area uses an old storage space in an overwriting manner, and synchronizes a writing structure variable initiated by the external function (3) and a reading structure variable initiated by a read method in a semaphore manner; the external function (3) gives a semaphore after writing in the structure variable; the read method first acquires the semaphore and then reads the data from the circular buffer, and if the external function (3) does not give the semaphore, the read method will block until the external function (3) gives the semaphore.
4. The method for extracting the original network packet based on the newly added kernel driver module according to claim 2, wherein the status monitoring and configuration process issues a network card enumeration command to the network packet probe module through an ioctl method provided by the network packet probe module, and the network packet probe module obtains device numbers of all detected network adapters in the current hardware system from the PCI network card device driver or the platform network card device driver through an external function (1).
5. The method for extracting the network original message based on the newly added kernel driver module according to claim 4, wherein an enumeration process of the PCI network card device driver to the network adapter specifically includes:
the PCI network card device driver firstly registers the PCI platform device driver, then enumerates the PCI devices in the system, identifies the network adapter devices therein and records the device numbers thereof.
6. The method for extracting network primitive messages based on the newly added kernel driver module according to claim 4, wherein the enumeration process of the platform network card device driver to the network adapter specifically includes:
the platform network card device driver registers the platform device driver at first, enumerates the platform devices in the system, identifies the network adapter devices therein and records the device numbers thereof.
7. The method for extracting the network original message based on the newly added kernel driver module according to claim 2, wherein the state monitoring and configuration process issues a function configuration command to the network message probe module through an ioctl method provided by the network message probe module, and the network message probe module transmits the configuration command to the kernel network subsystem through an external function (2), so as to implement a message capture function opening or closing operation.
8. The method for extracting original network packets based on the newly added kernel driver module as claimed in claim 2, wherein the packet capturing process obtains the packet data from the circular buffer register in the network packet probe module through a read method provided by the network packet probe module.
9. The method for extracting network primitive messages based on the newly added kernel driver module as claimed in claim 2, wherein the network message probe module injects an external function (2) into the kernel network subsystem, and the kernel network subsystem stores the network message and the serial number of the network adapter device into a circular buffer register in the network message probe module through the external function (2).
CN202211556523.5A 2022-12-06 2022-12-06 Network original message extraction method based on newly-added kernel driving module Pending CN115941531A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211556523.5A CN115941531A (en) 2022-12-06 2022-12-06 Network original message extraction method based on newly-added kernel driving module


Publications (1)

Publication Number Publication Date
CN115941531A true CN115941531A (en) 2023-04-07

Family

ID=86650323



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination