CN116319980A - Data message marking method, device, network equipment and storage medium - Google Patents

Data message marking method, device, network equipment and storage medium

Info

Publication number
CN116319980A
Authority
CN
China
Prior art keywords
data message
physical interface
value corresponding
tag
physical
Prior art date
Legal status
Pending
Application number
CN202111585912.6A
Other languages
Chinese (zh)
Inventor
付正平
Current Assignee
Maipu Communication Technology Co Ltd
Original Assignee
Maipu Communication Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Maipu Communication Technology Co Ltd
Priority to CN202111585912.6A
Publication of CN116319980A
Legal status: Pending

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a data message marking method, a device, network equipment and a storage medium, wherein the method comprises the following steps: receiving a data message through a physical interface; judging whether the data message is a network forwarding message; if yes, acquiring a label value corresponding to the physical interface, and marking a preset header field in the data message according to that label value to obtain the marked data message. In the implementation process, when the network device receives the data message through a physical interface, the data message is marked with the label corresponding to that physical interface, so that the label identifies the specific physical interface of the network device through which the data message passed, rather than only the network device itself. The tracing analysis precision of the data message is thereby raised from the granularity of the network device to the granularity of the physical interface, and the tracing analysis precision is effectively improved.

Description

Data message marking method, device, network equipment and storage medium
Technical Field
The application relates to the technical fields of network communication, data acquisition and analysis and network security, in particular to a data message marking method, a device, network equipment and a storage medium.
Background
At present, in the scene of data acquisition and flow visual analysis, network equipment mirrors traffic onto a splitter device: port mirroring is used to copy the data message traffic passing through the network equipment into the splitter device. After receiving the data message traffic mirrored by the network device port, the splitter device marks the data message flows from different mirrored interfaces with VLAN (Virtual Local Area Network) tags, and then sends the VLAN-tagged traffic to the data analysis server, which analyzes the received traffic. However, when the data analysis server analyzes the traffic, only the VLAN tag can be extracted from the received data messages, and the VLAN tag only identifies the source network device of the data message, which makes it difficult to perform further tracing analysis on the data message traffic.
Disclosure of Invention
An embodiment of the present application is directed to a method, an apparatus, a network device, and a storage medium for marking a data packet, which are used for improving the problem that it is difficult to further perform traceability analysis on the data packet traffic.
The embodiment of the application provides a data message marking method, which is applied to network equipment and comprises the following steps: receiving a data message through a physical interface; judging whether the data message is a network forwarding message; if yes, obtaining a label value corresponding to the physical interface, marking a preset header field in the data message according to that label value, and obtaining the marked data message, wherein the label value corresponding to the physical interface is calculated from the identification information of the physical interface. In the implementation process, when the network device receives the data message through a physical interface, the data message is marked with the label corresponding to that physical interface, so that the label identifies the specific physical interface of the network device through which the data message passed, rather than only the network device itself. The tracing analysis precision of the data message is thereby raised from the granularity of the network device to the granularity of the physical interface, and the tracing analysis precision is effectively improved.
Optionally, in this embodiment of the present application, before obtaining a tag value corresponding to a physical interface, the method further includes: the identification information of the physical interface is sent to the tag server, so that the tag server determines and returns a tag value corresponding to the physical interface according to the identification information of the physical interface; and receiving a label value corresponding to the physical interface sent by the label server. In the implementation process, the tag server determines and returns the tag value corresponding to the physical interface according to the identification information of the physical interface, so that the problem that the tag value is difficult to modify during adjustment caused by calculating the tag value through network equipment is avoided, and the flexibility of setting the tag value is effectively improved.
Optionally, in the embodiment of the present application, obtaining a tag value corresponding to a physical interface includes: acquiring identification information of a physical interface, wherein the identification information of the physical interface comprises: physical address and/or physical port number; carrying out hash calculation on the physical address and/or the physical port number to obtain a hash value; and determining the label value corresponding to the physical interface by the hash value or the substring of the hash value. In the implementation process, the hash value or the sub-character string of the hash value calculated by the identification information of the physical interface is used as the label value by the network equipment, so that the speed of obtaining the label value is effectively improved, and the speed of labeling the data message is also improved.
Optionally, in the embodiment of the present application, marking a preset header field in the data packet according to a tag value corresponding to the physical interface includes: judging whether a preset header field in the data message is filled; if yes, forwarding the data message according to the content of the header in the data message, otherwise, marking a preset header field in the data message as a tag value corresponding to the physical interface. In the implementation process, the data message is marked under the condition that the preset header field in the data message is not filled, so that the label value covering the data message filled by other network equipment is avoided, and the accuracy of marking the data message is effectively improved.
Optionally, in an embodiment of the present application, after obtaining the marked data packet, the method further includes: and sending the marked data message to a data analysis server so that the data analysis server performs traceability analysis and/or network security analysis on the marked data message. In the implementation process, the data analysis server performs traceability analysis and/or network security analysis on the marked data message, so that timeliness of solving the security problem in the network corresponding to the data message is improved.
The embodiment of the application also provides a data message marking method which is applied to the tag server and comprises the following steps: receiving identification information of a physical interface sent by network equipment, wherein the identification information of the physical interface comprises: physical address and/or physical port number; carrying out hash calculation on the physical address and/or the physical port number to obtain a hash value; determining a label value corresponding to the physical interface according to the hash value; and sending a label value corresponding to the physical interface to the network equipment so that the network equipment marks a preset header field in the data message as the label value corresponding to the physical interface to obtain the marked data message. In the implementation process, the hash calculation is performed on the physical address and/or the physical port number, and the hash value is used as a label value to mark, so that the tracing analysis precision of the data message is directly improved from the granularity of the network equipment to the granularity of the physical interface, and the tracing analysis precision of the data message is effectively improved.
Optionally, in the embodiment of the present application, determining, according to the hash value, a tag value corresponding to the physical interface includes: generating an identification value, and associating the identification value with the hash value to obtain an associated identification value; determining the associated identification value as a label value corresponding to the physical interface, wherein the identification value comprises: self-increment value, timestamp, and/or random value. In the implementation process, the identification value is associated with the hash value to obtain the associated identification value, and the associated identification value is determined to be the label value corresponding to the physical interface, so that the problem that the label value is difficult to modify during adjustment due to the fact that the label value is calculated through network equipment is avoided, and the flexibility of setting the label value is effectively improved.
The embodiment of the application also provides a data message marking device, which is applied to network equipment and comprises: the data message receiving module is used for receiving the data message through the physical interface; the data message judging module is used for judging whether the data message is a network forwarding message or not; and the data message marking module is used for acquiring a label value corresponding to the physical interface if the data message is a network forwarding message, marking a preset header field in the data message according to the label value corresponding to the physical interface, and acquiring the marked data message, wherein the label value corresponding to the physical interface is calculated according to the identification information of the physical interface.
Optionally, in an embodiment of the present application, the data packet marking apparatus further includes: the identification information sending module is used for sending the identification information of the physical interface to the tag server so that the tag server can determine and return the tag value corresponding to the physical interface according to the identification information of the physical interface; the label value receiving module is used for receiving the label value corresponding to the physical interface sent by the label server.
Optionally, in an embodiment of the present application, the data packet marking module includes: the identification information acquisition module is used for acquiring the identification information of the physical interface, and the identification information of the physical interface comprises: physical address and/or physical port number; the hash value obtaining module is used for carrying out hash calculation on the physical address and/or the physical port number to obtain a hash value; and the tag value determining module is used for determining the tag value corresponding to the physical interface from the hash value or the substring of the hash value.
Optionally, in an embodiment of the present application, the data packet marking module further includes: the header field judging module is used for judging whether a preset header field in the data message is filled or not; and the header field filling module is used for forwarding the data message according to the header content in the data message if the preset header field in the data message is filled, otherwise, marking the preset header field in the data message as a tag value corresponding to the physical interface.
Optionally, in an embodiment of the present application, the data packet marking apparatus further includes: and the data message sending module is used for sending the marked data message to the data analysis server so that the data analysis server can perform traceability analysis and/or network security analysis on the marked data message.
The embodiment of the application also provides a data message marking device, which is applied to the tag server and comprises: the identification information receiving module is configured to receive identification information of a physical interface sent by the network device, where the identification information of the physical interface includes: physical address and/or physical port number; the identification hash calculation module is used for carrying out hash calculation on the physical address and/or the physical port number to obtain a hash value; the tag value determining module is used for determining a tag value corresponding to the physical interface according to the hash value; the label value sending module is used for sending a label value corresponding to the physical interface to the network equipment so that the network equipment marks a preset header field in the data message as the label value corresponding to the physical interface and obtains the marked data message.
Optionally, in an embodiment of the present application, the tag value determining module includes: the identification value obtaining module is used for generating an identification value, correlating the identification value with the hash value and obtaining the correlated identification value; the identification value association module is used for determining the associated identification value as a label value corresponding to the physical interface, and the identification value comprises: self-increment value, timestamp, and/or random value.
The embodiment of the application also provides a network device, which comprises: a processor and a memory storing machine-readable instructions executable by the processor to perform the method as described above when executed by the processor.
Embodiments of the present application also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method as described above.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application, and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort to a person having ordinary skill in the art.
Fig. 1 is a schematic structural diagram of a data packet marking system according to an embodiment of the present application;
fig. 2 is a schematic flow chart of a data packet marking method executed by a network device according to an embodiment of the present application;
fig. 3 is a schematic flow chart of a data packet marking method executed by a tag server according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a data packet marking device according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a network device according to an embodiment of the present application.
Detailed Description
The following description of the technical solutions in the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments, but not all embodiments in the embodiments of the present application. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Accordingly, the following detailed description of the embodiments of the present application, which is provided in the accompanying drawings, is not intended to limit the scope of the claimed embodiments of the present application, but is merely representative of selected ones of the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, are intended to fall within the scope of the embodiments of the present application.
Before introducing the data message marking method provided in the embodiments of the present application, some concepts involved in the embodiments of the present application are described first:
port mirroring refers to monitoring a network by forwarding data traffic of one or more source ports to a specific port on a switch or a router, where the specific port is called a "mirror port" or a "destination port", and under the condition that normal throughput of the source port is not seriously affected, the traffic of the network can be monitored and analyzed through the mirror port, and the port can be a physical port, i.e. a socket plugged with a network cable.
Denial of service (Denial of Service, DoS) attacks, also known as flood attacks, are a network attack technique aimed at exhausting the network or system resources of the target computer, temporarily interrupting or stopping the service and leaving it inaccessible to its normal users.
Please refer to fig. 1, which illustrates a schematic structural diagram of a data packet marking system provided in an embodiment of the present application; the data message marking system may include: a plurality of network devices, a tag server and a data analysis server; the plurality of network devices can communicate with each other, the plurality of network devices can communicate with the splitter device and the tag server device respectively, and the splitter device communicates with the tag server and the data analysis server respectively.
The network device refers to a device that is not the final receiver of the data traffic but simply forwards the data traffic towards the final receiver; the network device in this embodiment of the present application may further perform a data marking function, that is, the optional field in the data packet to be marked is set to the tag value corresponding to the physical interface. The plurality of network devices include: a first network device on which a physical interface 1 is provided and a second network device on which a physical interface 2 is provided, where the network devices include, but are not limited to: switches, routers, network firewalls, home gateways, home routers, enterprise level routers, and the like.
A tag server is used to generate and distribute the tag values that network devices need for marking, and thus the tag server herein may also be referred to as a tag distribution server; servers that may be specifically employed are, for example: an x86 server or a non-x86 server, the non-x86 servers comprising: mainframe, minicomputer, and UNIX servers.
And the splitter device (TAP) is used for identifying and collecting the data message traffic marked by the network device and forwarding the collected data message traffic to the data analysis server.
The data analysis server analyzes the data message traffic of the network mark, and the analysis includes but is not limited to: trace-source analysis, network security analysis, and the like.
It will be appreciated that the data message marking method may be applied to a network device, i.e. the data marking method may be performed by the network device, by a tag server, etc. In practice, the tag server and the data analysis server may be the same server, that is, the same server is used to calculate and distribute the tag values of the data messages and to perform the data analysis; the two servers are described separately only for convenience of understanding and explanation. Alternatively, the splitter device and the data analysis server may be the same server, that is, the same server is used to identify, collect and analyze the data packet traffic. Therefore, the above division of servers is a functional division only, and the number of servers may be increased or decreased according to circumstances in actual practice.
Please refer to fig. 2, which is a flowchart illustrating a method for marking a data packet executed by a network device according to an embodiment of the present application; the main idea of the data message marking method is that when the network equipment receives the data message through a physical interface, the data message is marked with the label corresponding to that physical interface, so that the label of the data message identifies the specific physical interface of the network equipment through which it passed, rather than only the network equipment itself. The tracing analysis precision of the data message is thereby raised from the granularity of the network equipment to the granularity of the physical interface, and the tracing analysis precision is effectively improved. The data message marking method can comprise the following steps:
step S110: the network device receives the data message through the physical interface.
The embodiment of step S110 described above is, for example: the first network device receives the first data message through the physical interface 1; or the second network device receives, through its physical interface, the first data message sent by the first network device, and then forwards the first data message out through the physical interface 2.
After step S110, step S120 is performed: the network device judges whether the data message is a network forwarding message.
The embodiment of step S120 described above is, for example: the network device judges whether the received data message is an internet protocol (Internet Protocol, IP) network forwarding message; if the received data message is not an IP network forwarding message (for example, a network control protocol message or a data message that needs to be processed by the present network device), the data message may be directly delivered to a central processing unit (Central Processing Unit, CPU) for processing. If the received data message is an IP network forwarding message, for example an IPv4 forwarding message or an IPv6 forwarding message, and the preset header field in the data message already has a value, and that value conforms to the specification, this indicates that the IP network forwarding message has already been marked by another network device, and the data message can be directly routed according to the forwarding table entry (e.g. routing table) of the device. Correspondingly, if the data packet is an IPv4 forwarding packet or an IPv6 forwarding packet and the preset header field has no value, or has a value that does not conform to the specification, step S130 is performed. The specification here means that when the preset header field is filled according to a tag value, the filled character string conforms to a certain format, for example: the string carries a cyclic redundancy check (Cyclic Redundancy Check, CRC) code, e.g. its last bit or bits are a check code.
After step S120, step S130 is performed: if the data message is a network forwarding message, the network device obtains a tag value corresponding to the physical interface, marks a preset header field in the data message according to the tag value corresponding to the physical interface, and obtains the marked data message, wherein the tag value corresponding to the physical interface is calculated according to the identification information of the physical interface.
It can be appreciated that before the tag value marks the preset header field in the data packet, the tag value needs to be acquired, and various embodiments of acquiring the tag value corresponding to the physical interface in the step S130 described above include, but are not limited to, the following:
in a first embodiment, the tag server calculates a tag value, and the network device may receive the tag value sent by the tag server, where the embodiment specifically may include:
step S131: the network device sends the identification information of the physical interface to the tag server, so that the tag server determines and returns the tag value corresponding to the physical interface according to the identification information of the physical interface.
The embodiment of step S131 described above is, for example: the network device sends identification information of the physical interface to the tag server via a transmission control protocol (Transmission Control Protocol, TCP) or a user datagram protocol (User Datagram Protocol, UDP). The identification information of the physical interface includes, but is not limited to: device name, IP address, media access control (Media Access Control, MAC) address and/or port information, etc. And the tag server generates a tag value corresponding to the physical interface according to the identification information of the physical interface, and then sends the tag value corresponding to the physical interface to the network equipment. Among them, since there are various embodiments in which the tag server generates the tag value, for convenience of understanding and description, after the action of the network device is introduced, the action steps performed by the tag server are then described in detail later.
Step S132: and the network equipment receives the label value corresponding to the physical interface sent by the label server.
The embodiment of step S132 described above is, for example: the network device receives the tag value corresponding to the physical interface sent by the tag server through the TCP protocol or the UDP protocol, marks the preset header field in the data message according to the tag value, namely generates a filling value meeting the specification according to the tag value (for example, adds a check code to obtain the filling value after the tag value), and fills the preset header field in the data message into the filling value meeting the specification, thereby completing the data marking process.
In a second embodiment, the label value is calculated by the network device, and the embodiment specifically may include:
step S133: the network device obtains the identification information of the physical interface, wherein the identification information of the physical interface comprises: physical address and/or physical port number.
The embodiment of step S133 described above is, for example: the network device obtains identification information of the physical interface, including but not limited to: device name, IP address, physical address (i.e., MAC address), and/or physical port number. In what follows, only the physical address and/or physical port number are used as examples of identification information of the physical interface.
Step S134: the network device performs hash calculation on the physical address and/or the physical port number to obtain a hash value.
The embodiment of step S134 includes: the network equipment uses a hash algorithm to perform hash calculation on the physical address and/or the physical port number to obtain a hash value; hash algorithms that may be used include: MD5, SHA-256/224, SHA-512/384, WHIRLPOOL, etc. A specific example: assuming the network has few devices and physical ports, the hash calculation may use only the physical port number; assuming the physical port number is 1 and MD5 is used as the hash algorithm, the hash value obtained (i.e., a 16-bit MD5 value) is 1749363732825611.
Step S135: the network device determines the tag value corresponding to the physical interface from the hash value or the substring of the hash value.
The embodiment of step S135 described above is, for example: the hash value, or a substring of the hash value (e.g., its first few characters or its last few characters), may be used as the tag value for the physical interface.
The embodiment of step S130 may include: it is determined whether the preset header field in the data message has already been filled. If the preset header field in the data message is filled, the data message is forwarded according to the header content in the data message; otherwise, the preset header field in the data message is marked with the tag value corresponding to the physical interface. A specific example: if the data packet is an IPv4 network forwarding packet, the device checks whether the preset header field of the packet has a value, where the preset header field may be the stream identifier (Stream Identifier) field in the header options; if the preset header field already has a value and that value conforms to the specification, this indicates that the IP network forwarding packet has already been marked by another network device, and the packet may be directly routed according to the forwarding table entry (e.g. a routing table) of the device. If the preset header field has no value, or a value that does not conform to the specification, the tag value corresponding to the physical interface is obtained and the preset header field is marked according to it: a filling value that conforms to the specification is generated from the tag value (for example, a check code is appended to the tag value to obtain the filling value), and the preset header field in the data message is filled with that value, completing the marking process. Similarly, if the data packet is an IPv6 network forwarding packet, the implementation is the same except that the preset header field of the IPv6 packet may be the extension header data (Extension Head Data) field of the extension header indicated by the Next Header field.
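The marking decision of steps S120/S130, the hash-derived tag of steps S133-S135 and the tag server of steps S131/S132, as an added example that is not the patent's own code. The field layout is an assumption: the IPv4 Stream Identifier option holds 16 bits, so a 12-bit tag substring is followed by a 4-bit CRC check code; the self-increment tag server and the treatment of an all-zero field as "unfilled" are likewise assumptions.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Assumed layout (the description leaves it open): the IPv4 Stream Identifier
# option carries a 16-bit value, so the fill value is a 12-bit tag followed by
# a 4-bit check code (CRC-4-ITU, polynomial x^4 + x + 1).
TAG_BITS = 12
CRC_BITS = 4
STREAM_ID_OPTION_TYPE = 0x88  # copied flag set, option class 0, option number 8


def interface_hash(mac: Optional[str], port: Optional[int], algo: str = "md5") -> str:
    """Step S134: hash the physical address and/or the physical port number."""
    if mac is None and port is None:
        raise ValueError("need a physical address and/or a physical port number")
    parts = []
    if mac is not None:
        parts.append(mac.lower().replace("-", ":"))
    if port is not None:
        parts.append(str(port))
    return hashlib.new(algo, "/".join(parts).encode()).hexdigest()


def tag_from_hash(digest_hex: str) -> int:
    """Step S135: a substring (here the leading hex digits) of the hash is the tag.
    Tag 0 is reserved for "unfilled" under this layout, so it is mapped to 1 (assumption)."""
    return int(digest_hex[: TAG_BITS // 4], 16) or 1


def crc4(value: int, nbits: int) -> int:
    """CRC-4-ITU over the low nbits of value, most significant bit first."""
    crc = 0
    for i in range(nbits - 1, -1, -1):
        feedback = ((crc >> 3) & 1) ^ ((value >> i) & 1)
        crc = (crc << 1) & 0xF
        if feedback:
            crc ^= 0x3
    return crc


def fill_value(tag: int) -> int:
    """Tag followed by its check code: the filled value that 'conforms to the specification'."""
    return (tag << CRC_BITS) | crc4(tag, TAG_BITS)


def meets_spec(value: int) -> bool:
    """Step S120's check: a non-empty field whose trailing check code matches its tag."""
    if value == 0:  # an all-zero field is treated as unfilled (assumption)
        return False
    tag, check = value >> CRC_BITS, value & 0xF
    return crc4(tag, TAG_BITS) == check


def stream_id_option(value: int) -> bytes:
    """Encode the fill value as the IPv4 Stream Identifier option (type 136, length 4)."""
    return bytes([STREAM_ID_OPTION_TYPE, 4]) + value.to_bytes(2, "big")


class TagServer:
    """Tag server variant (steps S131/S132): associates a self-increment value with the
    interface hash, so tags are assigned centrally and can be changed without re-hashing."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, int] = {}
        self._next = 1

    def tag_for(self, mac: Optional[str], port: Optional[int]) -> int:
        digest = interface_hash(mac, port)
        if digest not in self._by_hash:
            self._by_hash[digest] = self._next & ((1 << TAG_BITS) - 1)
            self._next += 1
        return self._by_hash[digest]


def mark_or_forward(preset_field: int, tag_source: Callable[[], int]) -> Tuple[str, int]:
    """Steps S120/S130 for an IP forwarding packet: a field already validly filled by an
    upstream device is left alone ("forward"); otherwise the interface tag is obtained
    and the marked value is built ("mark")."""
    if meets_spec(preset_field):
        return "forward", preset_field
    return "mark", fill_value(tag_source())


if __name__ == "__main__":
    # Constructed interface identification for the demonstration.
    def local_tag() -> int:
        return tag_from_hash(interface_hash("00:11:22:33:44:55", 1))

    action, value = mark_or_forward(0, local_tag)
    print(action, hex(value), stream_id_option(value).hex())
    print(mark_or_forward(value, local_tag))  # already marked: forwarded unchanged
```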
Optionally, after obtaining the marked data packet, the method may further include:
step S140: the network device sends the marked data message to the data analysis server so that the data analysis server performs tracing analysis and/or network security analysis on the marked data message.
The embodiment of step S140 described above is, for example: the network device sends the marked data message to a splitter device by port mirroring, and the splitter device forwards the marked data message to the data analysis server after receiving it. After receiving the marked data message, the data analysis server analyses it, specifically for example: extracting the value of the flow identifier (Stream Identifier) field in the header options of an IPv4 forwarding message, or the value of the extension header data (Extension Head Data) field corresponding to the Next Header of an IPv6 forwarding message, and looking that value up to obtain the network device and port that transmitted the data message, thereby tracing and analysing the data message rapidly.
Optionally, a network security analysis may also be performed on the data message, where the network security analysis includes, but is not limited to: private access, network attacks, and IP address conflicts. The private access case is, for example: if a particular tag value corresponds to a small number (e.g., 3 or 4) of source IP addresses, this indicates that there are multiple hosts under the port to which that tag value corresponds, and hence that there is private access in the network. The network attack case is, for example: if a particular tag value corresponds to a large number (e.g., ten thousand) of different source IP addresses, this indicates a DoS attack, an IP address spoofing attack, or the like under the port to which that tag value corresponds. The IP address conflict case is, for example: if one IP address corresponds to multiple tag values, this indicates that there is an IP address conflict in the network. Therefore, the data message marking method can locate the source device and source interface of a data message effectively and accurately, and can effectively analyse whether a network attack exists in the network.
In the implementation process, the data message is received through the physical interface of the network device, and when the data message is a network forwarding message, the tag value corresponding to the physical interface is obtained and the preset header field in the data message is marked according to that tag value, so that the marked data message is obtained. That is, when the physical interface receives the data message, the network device marks the data message with the tag corresponding to that physical interface, so that the specific physical interface of the network device can be determined from the tag of the data message, rather than only the network device the data message passed through. The tracing analysis precision of the data message is thereby raised directly from the granularity of the network device to the granularity of the physical interface.
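The tracing lookup and the three security heuristics of step S140 are shown below as an added example that is not part of the patent or the applicant's analysis server. It runs over constructed (tag, source IP) records that an analysis server would extract from marked packets, and generalises the text's examples slightly: any tag seen with two or more source IPs is reported as private access (an access port normally serves one host), on the order of ten thousand distinct source IPs behind one tag is reported as a suspected attack, and an IP seen under more than one tag is reported as a conflict. The thresholds, device and port names, and sample addresses are assumptions.

```python
from collections import defaultdict

# Assumed thresholds, taken from the examples in the text: an access port normally serves
# one host, so 2+ source IPs behind one tag suggests private access; around ten thousand
# distinct source IPs behind one tag suggests DoS or IP address spoofing.
PRIVATE_ACCESS_MIN_IPS = 2
ATTACK_MIN_IPS = 10_000

# Constructed tag -> (device, port) table as the tag server would provide it for tracing.
TAG_TO_INTERFACE = {
    1: ("sw-edge-1", "Gi0/1"),
    2: ("sw-edge-1", "Gi0/2"),
    3: ("sw-edge-2", "Gi0/7"),
}


def trace(tag, tag_to_interface=TAG_TO_INTERFACE):
    """Tracing analysis: map a tag read from a marked packet back to (device, port)."""
    return tag_to_interface.get(tag)


def analyze(records, tag_to_interface=TAG_TO_INTERFACE):
    """records: iterable of (tag, source_ip) pairs extracted from marked packets.
    Returns the three finding classes described in the text, each as a sorted list."""
    tag_ips, ip_tags = defaultdict(set), defaultdict(set)
    for tag, ip in records:
        tag_ips[tag].add(ip)
        ip_tags[ip].add(tag)

    findings = {"private_access": [], "suspected_attack": [], "ip_conflict": []}
    for tag in sorted(tag_ips):
        n = len(tag_ips[tag])
        device, port = trace(tag, tag_to_interface) or ("unknown-device", "unknown-port")
        if n >= ATTACK_MIN_IPS:
            findings["suspected_attack"].append((device, port, n))
        elif n >= PRIVATE_ACCESS_MIN_IPS:
            findings["private_access"].append((device, port, n))
    for ip in sorted(ip_tags):
        if len(ip_tags[ip]) > 1:               # same address behind two different ports
            findings["ip_conflict"].append((ip, sorted(ip_tags[ip])))
    return findings


def constructed_records():
    """Constructed sample: tag 1 is normal, tag 2 has three hosts behind it, tag 3 sees a
    flood of ten thousand source addresses, and 192.0.2.50 appears under two tags."""
    recs = [(1, "192.0.2.50")]
    recs += [(2, ip) for ip in ("192.0.2.50", "192.0.2.51", "192.0.2.52")]
    recs += [(3, "10.%d.%d.%d" % (i >> 16 & 255, i >> 8 & 255, i & 255))
             for i in range(10_000)]
    return recs


if __name__ == "__main__":
    for kind, items in analyze(constructed_records()).items():
        print(kind, items)
```

Because every finding is keyed by the tag rather than by the source address, each alert already names the physical port to investigate, which is the practical gain over device-level tracing.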
Please refer to fig. 3, which is a flowchart illustrating a method for marking a data message executed by a tag server according to an embodiment of the present application; the embodiment of the application provides a data message marking method, which is applied to a tag server and comprises the following steps:
step S210: the label server receives the identification information of the physical interface sent by the network equipment, wherein the identification information of the physical interface comprises: physical address and/or physical port number.
The embodiment of step S210 described above is, for example: the tag server receives the identification information of a physical interface sent by the network device over the Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS), where the identification information of the physical interface includes: physical address and/or physical port number.
After step S210, step S220 is performed: the tag server performs a hash calculation on the physical address and/or the physical port number to obtain a hash value.
The embodiment of step S220 described above is, for example: the tag server uses a hash algorithm such as MD5, SHA-256/224, SHA-512/384 or WHIRLPOOL to hash the physical address and/or physical port number, obtaining a hash value. A specific example: assuming that only the physical port number is hashed, that the physical port number is 1, and that MD5 is the hash algorithm, the hash value obtained (i.e., the 16-bit MD5 value) is 1749363732825611.
After step S220, step S230 is performed: and the tag server determines a tag value corresponding to the physical interface according to the hash value.
The embodiment of step S230 may specifically include: it will be appreciated that, in a specific implementation, the 16-bit MD5 value usually does not fit in many fields of the data message, so the hash value may be further associated with an identification value, and that associated identification value is determined as the tag value. This embodiment specifically includes, for example: the tag server generates an identification value (e.g., a 2-byte tag M) and associates it with the hash value, obtaining the associated identification value (e.g., the 2-byte tag M). The tag server then determines the associated identification value (e.g., the 2-byte tag M) as the tag value corresponding to the physical interface, where the identification value may be generated from a self-increment value, the first few bits of a timestamp, and/or a random value.
After step S230, step S240 is performed: the tag server sends a tag value corresponding to the physical interface to the network device, so that the network device marks a preset header field in the data message as the tag value corresponding to the physical interface, and the marked data message is obtained.
The embodiment of step S240 described above is, for example: the tag server sends the tag value corresponding to the physical interface to the network device over HTTP or HTTPS. The network device receives the tag value corresponding to the physical interface sent by the tag server, and receives a data message through the physical interface. The network device judges whether the data message is a network forwarding message. If it is, the network device obtains the tag value corresponding to the physical interface, marks the preset header field in the data message according to that tag value, and obtains the marked data message, where the tag value corresponding to the physical interface is calculated from the identification information of the physical interface; specific implementation details are given under step S130 above.
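Steps S210 to S240 on the tag-server side, as an added example that is not part of the patent or the applicant's code. The server hashes the (physical address, physical port number) pair, associates the hash with a 2-byte self-incrementing identification value, returns the same tag on repeated registration of the same interface, and offers the reverse lookup an analysis server needs for tracing. SHA-256 is used here as one of the algorithms the text lists; the MAC normalisation, the reserved value 0, and the `register`/`resolve` names are assumptions for the example. The HTTP/HTTPS transport is omitted.

```python
import hashlib
import itertools


class TagServer:
    """Constructed stand-in for the tag server of steps S210 to S240 (not the applicant's code).
    Identification info is a (physical address, physical port number) pair; the tag is a
    2-byte self-incrementing identification value associated with the hash of that pair."""

    TAG_BITS = 16  # 2-byte tag M, as in the text's example

    def __init__(self):
        self._tag_by_hash = {}   # hash value -> tag (the 'association' of step S230)
        self._iface_by_tag = {}  # tag -> (mac, port, hash) for tracing lookups
        self._counter = itertools.count(1)   # 0 is reserved to mean 'field not filled'

    @staticmethod
    def hash_identity(mac, port):
        """Step S220: hash of the normalised identification info. SHA-256 is one of the
        algorithms the text lists; the hash is only a lookup key here, not a secret."""
        material = "%s/%d" % (mac.lower().replace("-", ":"), int(port))
        return hashlib.sha256(material.encode()).hexdigest()

    def register(self, mac, port):
        """Steps S210/S230: return the existing tag for this interface, or allocate a new one."""
        h = self.hash_identity(mac, port)
        tag = self._tag_by_hash.get(h)
        if tag is None:
            tag = next(self._counter)
            if tag >= 1 << self.TAG_BITS:
                # The 2-byte field bounds how many interfaces one tag domain can name.
                raise RuntimeError("2-byte tag space exhausted")
            self._tag_by_hash[h] = tag
            self._iface_by_tag[tag] = (mac, port, h)
        return tag

    def resolve(self, tag):
        """Reverse lookup used by the analysis server for tracing: tag -> (mac, port)."""
        entry = self._iface_by_tag.get(tag)
        return None if entry is None else entry[:2]


if __name__ == "__main__":
    server = TagServer()
    t = server.register("00:11:22:33:44:55", 1)
    print("tag", t, "->", server.resolve(t))
```

Allocating the tag from a counter rather than from a hash substring keeps it within the 2-byte field and makes tags unique by construction; the hash then only has to identify an interface that has already been registered.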
In the implementation process, a hash calculation is performed on the physical address and/or the physical port number, and the resulting hash value is used to mark the data message as a tag value, so that the tracing analysis precision of the data message is raised directly from the granularity of the network device to the granularity of the physical interface.
Please refer to fig. 4, which illustrates a schematic structural diagram of a data packet marking apparatus provided in an embodiment of the present application; the embodiment of the application provides a data message marking device 300, which is applied to network equipment and comprises:
the data message receiving module 310 is configured to receive a data message through a physical interface.
The data message determining module 320 is configured to determine whether the data message is a network forwarding message.
The data message marking module 330 is configured to obtain a tag value corresponding to the physical interface if the data message is a network forwarding message, and to mark a preset header field in the data message according to the tag value corresponding to the physical interface, so as to obtain a marked data message, where the tag value corresponding to the physical interface is calculated from the identification information of the physical interface.
Optionally, in an embodiment of the present application, the data packet marking apparatus further includes:
The identification information sending module is used for sending the identification information of the physical interface to the tag server, so that the tag server determines and returns a tag value corresponding to the physical interface according to the identification information of the physical interface.
The label value receiving module is used for receiving the label value corresponding to the physical interface sent by the label server.
Optionally, in an embodiment of the present application, the data packet marking module includes:
the identification information acquisition module is used for acquiring the identification information of the physical interface, and the identification information of the physical interface comprises: physical address and/or physical port number.
The hash value obtaining module is used for carrying out a hash calculation on the physical address and/or the physical port number to obtain a hash value.
The tag value determining module is used for determining the tag value corresponding to the physical interface from the hash value or a substring of the hash value.
Optionally, in an embodiment of the present application, the data packet marking module further includes:
and the header field judging module is used for judging whether the preset header field in the data message is filled.
And the header field filling module is used for forwarding the data message according to the header content in the data message if the preset header field in the data message is filled, otherwise, marking the preset header field in the data message as a tag value corresponding to the physical interface.
Optionally, in an embodiment of the present application, the data packet marking apparatus further includes:
and the data message sending module is used for sending the marked data message to the data analysis server so that the data analysis server can perform traceability analysis and/or network security analysis on the marked data message.
The embodiment of the application provides a data message marking device, which is applied to a tag server and comprises:
the identification information receiving module is configured to receive identification information of a physical interface sent by the network device, where the identification information of the physical interface includes: physical address and/or physical port number.
The identification hash calculation module is used for carrying out hash calculation on the physical address and/or the physical port number to obtain a hash value.
The tag value determining module is used for determining a tag value corresponding to the physical interface according to the hash value.
The label value sending module is used for sending a label value corresponding to the physical interface to the network equipment so that the network equipment marks a preset header field in the data message as the label value corresponding to the physical interface and obtains the marked data message.
Optionally, in an embodiment of the present application, the tag value determining module includes:
the identification value obtaining module is used for generating an identification value, correlating the identification value with the hash value and obtaining the correlated identification value.
The identification value association module is used for determining the associated identification value as a label value corresponding to the physical interface, and the identification value comprises: self-increment value, timestamp, and/or random value.
It should be understood that the apparatus corresponds to the data message marking method embodiment above and can execute each step of that method embodiment; the specific functions of the apparatus are described above, and detailed descriptions are omitted here as appropriate to avoid repetition. The apparatus includes at least one software functional module that can be stored in memory in the form of software or firmware, or built into the operating system (OS) of the device.
Please refer to fig. 5, which illustrates a schematic structural diagram of a network device provided in an embodiment of the present application. The network device 400 provided in the embodiment of the present application includes: a processor 410 and a memory 420, the memory 420 storing machine-readable instructions executable by the processor 410, which when executed by the processor 410 perform the method as described above.
The present embodiment also provides a computer readable storage medium 430, the computer readable storage medium 430 having stored thereon a computer program which, when executed by the processor 410, performs the method as above.
The computer-readable storage medium 430 may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
In addition, the functional modules of the embodiments in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The foregoing description is merely an optional implementation of the embodiments of the present application, but the scope of the embodiments of the present application is not limited thereto, and any person skilled in the art may easily think about changes or substitutions within the technical scope of the embodiments of the present application, and the changes or substitutions should be covered in the scope of the embodiments of the present application.

Claims (10)

1. A method for marking data messages, which is applied to a network device, comprising:
receiving a data message through a physical interface;
judging whether the data message is a network forwarding message or not;
if yes, acquiring a label value corresponding to the physical interface, marking a preset header field in the data message according to the label value corresponding to the physical interface, and obtaining a marked data message, wherein the label value corresponding to the physical interface is calculated according to the identification information of the physical interface.
2. The method of claim 1, further comprising, prior to the obtaining the tag value corresponding to the physical interface:
the identification information of the physical interface is sent to a tag server, so that the tag server determines and returns a tag value corresponding to the physical interface according to the identification information of the physical interface;
and receiving a label value corresponding to the physical interface sent by the label server.
3. The method of claim 1, wherein the obtaining the tag value corresponding to the physical interface comprises:
acquiring the identification information of the physical interface, wherein the identification information of the physical interface comprises: physical address and/or physical port number;
carrying out hash calculation on the physical address and/or the physical port number to obtain a hash value;
and determining the label value corresponding to the physical interface from the hash value or a substring of the hash value.
4. The method according to claim 1, wherein the marking the preset header field in the data packet according to the tag value corresponding to the physical interface includes:
judging whether a preset header field in the data message is filled;
if yes, forwarding the data message according to the header content in the data message, otherwise, marking a preset header field in the data message as a tag value corresponding to the physical interface.
5. The method of claim 1, further comprising, after the obtaining the tagged data message:
and sending the marked data message to a data analysis server so that the data analysis server performs traceability analysis and/or network security analysis on the marked data message.
6. The data message marking method is characterized by being applied to a tag server and comprising the following steps:
receiving identification information of a physical interface sent by network equipment, wherein the identification information of the physical interface comprises: physical address and/or physical port number;
carrying out hash calculation on the physical address and/or the physical port number to obtain a hash value;
determining a label value corresponding to the physical interface according to the hash value;
and sending a label value corresponding to the physical interface to the network equipment so that the network equipment marks a preset header field in the data message as the label value corresponding to the physical interface to obtain the marked data message.
7. The method of claim 6, wherein determining the tag value corresponding to the physical interface according to the hash value comprises:
generating an identification value, and associating the identification value with the hash value to obtain an associated identification value;
determining the associated identification value as a tag value corresponding to the physical interface, wherein the identification value comprises: self-increment value, timestamp, and/or random value.
8. A data message marking apparatus, for use with a network device, comprising:
the data message receiving module is used for receiving the data message through the physical interface;
the data message judging module is used for judging whether the data message is a network forwarding message or not;
and the data message marking module is used for acquiring a label value corresponding to the physical interface if the data message is a network forwarding message, marking a preset header field in the data message according to the label value corresponding to the physical interface, and acquiring the marked data message, wherein the label value corresponding to the physical interface is calculated according to the identification information of the physical interface.
9. A network device, comprising: a processor and a memory storing machine-readable instructions executable by the processor to perform the method of any one of claims 1 to 7 when executed by the processor.
10. A computer-readable storage medium, characterized in that it has stored thereon a computer program which, when executed by a processor, performs the method according to any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111585912.6A CN116319980A (en) 2021-12-20 2021-12-20 Data message marking method, device, network equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111585912.6A CN116319980A (en) 2021-12-20 2021-12-20 Data message marking method, device, network equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116319980A true CN116319980A (en) 2023-06-23

Family

ID=86811807

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111585912.6A Pending CN116319980A (en) 2021-12-20 2021-12-20 Data message marking method, device, network equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116319980A (en)

Legal Events

Date Code Title Description
PB01 Publication