CN117336211A - Network bandwidth monitoring method, device, equipment, medium and program product - Google Patents
Network bandwidth monitoring method, device, equipment, medium and program product Download PDFInfo
- Publication number
- CN117336211A CN117336211A CN202311489880.9A CN202311489880A CN117336211A CN 117336211 A CN117336211 A CN 117336211A CN 202311489880 A CN202311489880 A CN 202311489880A CN 117336211 A CN117336211 A CN 117336211A
- Authority
- CN
- China
- Prior art keywords
- network
- flow
- flow value
- netflow
- determining
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 71
- 238000012544 monitoring process Methods 0.000 title claims abstract description 63
- 238000003860 storage Methods 0.000 claims abstract description 22
- 238000012163 sequencing technique Methods 0.000 claims abstract description 7
- 230000002776 aggregation Effects 0.000 claims description 20
- 238000004220 aggregation Methods 0.000 claims description 20
- 238000004590 computer program Methods 0.000 claims description 20
- 238000006116 polymerization reaction Methods 0.000 claims description 5
- 238000012545 processing Methods 0.000 description 17
- 238000004458 analytical method Methods 0.000 description 12
- 238000010586 diagram Methods 0.000 description 10
- 230000015654 memory Effects 0.000 description 10
- 238000004891 communication Methods 0.000 description 8
- 230000002159 abnormal effect Effects 0.000 description 6
- 230000006870 function Effects 0.000 description 6
- 238000007726 management method Methods 0.000 description 6
- 230000008569 process Effects 0.000 description 5
- 238000012216 screening Methods 0.000 description 5
- 238000004364 calculation method Methods 0.000 description 4
- 238000005259 measurement Methods 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 238000004140 cleaning Methods 0.000 description 2
- 238000009826 distribution Methods 0.000 description 2
- 230000014509 gene expression Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000001052 transient effect Effects 0.000 description 2
- 230000000007 visual effect Effects 0.000 description 2
- 238000012800 visualization Methods 0.000 description 2
- 230000004931 aggregating effect Effects 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000013480 data collection Methods 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 238000005206 flow analysis Methods 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 230000000670 limiting effect Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000005065 mining Methods 0.000 description 1
- 238000012806 monitoring device Methods 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 238000004806 packaging method and process Methods 0.000 description 1
- 230000002829 reductive effect Effects 0.000 description 1
- 230000000717 retained effect Effects 0.000 description 1
- 230000002441 reversible effect Effects 0.000 description 1
- 238000005070 sampling Methods 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000000087 stabilizing effect Effects 0.000 description 1
- 239000000758 substrate Substances 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
- H04L43/0894—Packet rate
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/50—Testing arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Environmental & Geological Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The disclosure provides a network bandwidth monitoring method, which can be applied to the technical field of network security. The method comprises the following steps: collecting network flow data packets at fixed time; determining the flow value of each associated user according to the network flow data packet; sequencing flow values in a preset period to obtain a first flow value sequence; removing the flow value of the preset proportion at the maximum side of the first flow value sequence to obtain a second flow value sequence; and determining a maximum traffic value of the second sequence of traffic values as the measured network bandwidth. The present disclosure also provides a network bandwidth monitoring apparatus, device, storage medium and program product.
Description
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a network bandwidth monitoring method, apparatus, device, medium, and program product.
Background
The real-time monitoring and flow analysis of the network are one of important means for ensuring the normal operation of the network, and the actually measured bandwidth is an important index for detecting the operation quality of the network.
NetFlow is a traffic monitoring and analysis technique used to acquire, collect, and analyze network data traffic. It was originally proposed by cisco systems and is widely used in the field of network performance management and security monitoring. NetFlow monitoring can provide critical traffic statistics and analysis information, helping network administrators to better understand network traffic patterns, traffic sources, and traffic destinations.
However, there are distortion conditions in the flow data collected based on NetFlow, such as packet loss, packet delay, packet reassembly, packet repetition, and inaccurate sampling rate. Therefore, how to accurately use NetFlow packets to monitor network bandwidth is a challenge.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a network bandwidth monitoring method, apparatus, device, medium, and program product that improve network bandwidth monitoring accuracy, for at least partially solving the above technical problems.
According to a first aspect of the present disclosure, there is provided a network bandwidth monitoring method, comprising: collecting network flow data packets at fixed time; determining the flow value of each associated user according to the network flow data packet; sequencing flow values in a preset period to obtain a first flow value sequence; removing the flow value of the preset proportion at the maximum side of the first flow value sequence to obtain a second flow value sequence; and determining a maximum traffic value of the second sequence of traffic values as the measured network bandwidth.
According to an embodiment of the present disclosure, the timing acquisition of network traffic data packets includes: collecting NetFlow data packets of a CERNET trunk according to the hours; and/or collecting the NetFlow data packets of the CERNET backbone through the device identifier.
According to an embodiment of the present disclosure, determining a traffic value for each associated user from a network traffic data packet includes: analyzing the NetFlow data packet to obtain user identity information; determining the flow value of each associated user according to the NetFlow v5 protocol and the user identity information; wherein the user identity information includes a source IP address and a source port.
According to an embodiment of the present disclosure, before ordering the flow values within the preset period, the method further includes: determining a first time threshold; judging the duration time of the NetFlow data packet and the size of a first time threshold value; and rejecting the NetFlow packet if the duration of the NetFlow packet is less than the first time threshold.
According to an embodiment of the present disclosure, before ordering the flow values within the preset period, the method further includes: determining a polymerization rate threshold; judging the aggregation speed of the NetFlow data packet and the aggregation speed threshold value; and rejecting the NetFlow data packet when the aggregation speed of the NetFlow data packet is less than the aggregation speed threshold.
According to an embodiment of the present disclosure, the network bandwidth monitoring method further includes: and visually displaying the actually measured network bandwidth in the form of a chart, a graph or a report.
A second aspect of the present disclosure provides a network bandwidth monitoring apparatus, comprising: the acquisition module is used for acquiring network flow data packets at fixed time; the first determining module is used for determining the flow value of each associated user according to the network flow data packet; the sequencing module is used for sequencing the flow values in a preset period to obtain a first flow value sequence; the rejecting module is used for rejecting the flow value of the preset proportion at the maximum side of the first flow value sequence to obtain a second flow value sequence; and the second determining module is used for determining the maximum flow value of the second flow value sequence as the actually measured network bandwidth.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of the embodiments described above.
A fourth aspect of the present disclosure also provides a computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any of the embodiments described above.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the method of any of the embodiments described above.
Compared with the prior art, the network bandwidth monitoring method, the device, the electronic equipment, the storage medium and the program product have at least the following beneficial effects:
(1) According to the network bandwidth monitoring method, abnormal traffic occurring due to sudden network faults or other abnormal conditions in an actual network environment is removed and stabilized, and the accuracy of monitoring the bandwidth is improved.
(2) The network bandwidth monitoring method is based on the network flow data packet of the CERNET trunk, optimizes the network flow monitoring tool of the current main stream, and is high in applicability.
(3) According to the network bandwidth monitoring method, invalid data with too short duration and too short length of the data packet is removed by setting the threshold value, so that the accuracy of monitoring the bandwidth is further improved.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an application scenario diagram of a network bandwidth monitoring method, apparatus, device, medium and program product according to an embodiment of the present disclosure;
fig. 2 schematically illustrates a flow chart of a network bandwidth monitoring method according to an embodiment of the present disclosure;
fig. 3 schematically illustrates a block diagram of a network bandwidth monitoring apparatus according to an embodiment of the present disclosure; and
fig. 4 schematically illustrates a block diagram of an electronic device adapted to implement a network bandwidth monitoring method according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like at least one of "A, B and C, etc. are used, the expressions should generally be interpreted in accordance with the meaning as commonly understood by those skilled in the art (e.g.," a system having at least one of A, B and C "shall include, but not be limited to, a system having a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
In the technical scheme of the invention, the related user information (including but not limited to user personal information, user image information, user equipment information, such as position information and the like) and data (including but not limited to data for analysis, stored data, displayed data and the like) are information and data authorized by a user or fully authorized by all parties, and the processing of the related data such as collection, storage, use, processing, transmission, provision, disclosure, application and the like are all conducted according to the related laws and regulations and standards of related countries and regions, necessary security measures are adopted, no prejudice to the public welfare is provided, and corresponding operation inlets are provided for the user to select authorization or rejection.
Fig. 1 schematically illustrates an application scenario diagram of a network bandwidth monitoring method, apparatus, device, medium and program product according to an embodiment of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the network bandwidth monitoring method provided by the embodiments of the present disclosure may be generally performed by the server 105. Accordingly, the network bandwidth monitoring apparatus provided by the embodiments of the present disclosure may be generally disposed in the server 105. The network bandwidth monitoring method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the network bandwidth monitoring apparatus provided by the embodiments of the present disclosure may also be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The network bandwidth monitoring method of the disclosed embodiment will be described in detail with reference to fig. 2 based on the scenario described in fig. 1.
Fig. 2 schematically illustrates a flow chart of a network bandwidth monitoring method according to an embodiment of the present disclosure.
As shown in fig. 2, the network bandwidth monitoring method of this embodiment includes, for example, operations S210 to S250, and the network bandwidth monitoring method may be executed by a computer program on corresponding computer hardware.
In operation S210, network traffic packets are collected periodically.
In operation S220, a flow value for each associated user is determined from the network flow data packet.
In operation S230, the flow values within the preset period are ordered to obtain a first flow value sequence.
In operation S240, the flow value of the preset proportion on the maximum side of the first flow value sequence is removed to obtain a second flow value sequence.
In operation S250, a maximum traffic value of the second sequence of traffic values is determined as the measured network bandwidth.
For example, there is a network environment in which there are 100 users, each of which may generate different network traffic over a particular period of time. To monitor the bandwidth of this network, the following steps may be used:
a network monitoring system may be provided that periodically (e.g., every hour) collects network traffic packets. These packets may include information of source IP address, destination IP address, transport layer protocol, source port, destination port, etc.
The monitoring system may parse the packets and associate traffic with a particular user based on information such as the source IP address. For example, if a particular IP address sends a larger number of packets, it may be indicated that the user is more heavily subscribed to.
The values may be ordered by size based on the determined user flow values to form a sequence of flow values. For example, users may be ranked from large to small in terms of flow value.
A threshold value, for example 95% of the maximum flow, may be set and then flow values exceeding this threshold value are removed from the first sequence of flow values, resulting in a second sequence of flow values.
Finally, a maximum value in the second sequence of flow values may be found, which may represent the measured bandwidth of the network. For example, if the maximum value in the second sequence of flow values is 100Mbps, then the measured bandwidth of this network can be considered to be 100Mbps.
By the method, the user traffic distribution condition in the network can be known, and the actual measurement bandwidth of the network can be determined.
The method disclosed by the invention is applied to the campus network, can reduce the cost, accurately and rapidly calculate the actual measurement bandwidth of the campus network user, and effectively improve the monitoring and guaranteeing of the network operation quality. The number of users of the campus network is usually very large, and the traditional actual measurement bandwidth monitoring mode is difficult to meet the requirements. By adopting the bandwidth monitoring method disclosed by the invention, the actually measured bandwidth of the user can be rapidly and accurately determined, so that powerful support is provided for monitoring and optimizing the network performance.
It should be noted that, the design basis of eliminating the maximum 5% measured value is as follows:
contingencies or abnormal situations: during the data collection process, sudden network faults or other abnormal conditions may occur, so that the measured values of part of traffic users deviate from the normal range obviously. These outliers can have a large impact on the final bandwidth calculation result. Therefore, to eliminate the interference of these contingencies, eliminating the largest 5% measurement would help to improve the accuracy and reliability of the calculation.
Influence of flow peaks: during network usage, there may be some incidents, such as large file transfer, network peaks for a specific period of time, etc., that may cause the traffic value of a portion of the traffic users to increase significantly beyond their average level. If the traffic peaks are not removed, the bandwidth calculation result is too large and does not accord with the situation that the user actually accesses the bandwidth.
By eliminating the maximum 5% measured value, the deviation of the accidental event and the flow peak value to the bandwidth calculation result can be avoided, and the stability and the accuracy of the measured result are improved. However, 5% is a ratio of the reject values employed based on experience and common practice, and may be appropriately adjusted according to actual conditions.
According to an embodiment of the present disclosure, network traffic data packets are periodically collected, for example, through operations S311 through S312.
In operation S311, netFlow packets of the CERNET backbone are collected on an hourly basis. And/or
In operation S312, the NetFlow packet of the CERNET backbone is collected by the device identifier.
For example, the NetFlow infrastructure is divided into three parts, version and Header, data Flow Set:
version and Header: version of NetFlow data and data header are identified, including IP address, timestamp, sequence number, and type value of the NetFlow processor.
Data Flow Set: the data Flow Set contains one or more Flow Set Records (FSRs), each containing details concerning an IP Flow, such as protocols (TCP, UDP or other), number of flows, source and destination addresses, etc.
Based on the information provided, data sampled once per hour by NetFlow (i.e., records produced by the data flow manager) is limited in terms of data volume and corresponding metric record size specifying bandwidth rate (specific offset is unknown), leaving only ninety-five percent of the top ranked flows (i.e., flows with greater data volume). And finally, re-ordering the screened data, and selecting the maximum value as the actually measured bandwidth value during the period of accessing the CERNET by the user. By eliminating and stabilizing abnormal traffic conditions in the actual network environment, the rationality of the calculated bandwidth is improved.
For example, one specific method to time the collection of network traffic packets is as follows:
the goal of determining network traffic packets to collect is the CERNET backbone network. Two ways can be selected to collect NetFlow packets for a CERNET backbone:
collecting according to the hours: a network monitoring system can be provided to collect NetFlow packets of the CERNET backbone per hour. This can be achieved by NetFlow modules on routers or switches connected to the CERNET backbone network. At the beginning of each hour, the monitoring system automatically acquires the NetFlow data packet of the hour from the NetFlow module.
Collecting by a device identifier: the NetFlow packets of the CERNET backbone may also be collected by a device identifier. The device identifier is a special software or hardware device that can identify and collect NetFlow packets. The device identifier may be installed at a critical location of the CERNET backbone network, such as a router or switch, to collect NetFlow packets through the network in real time.
After the NetFlow packet is collected, processing and analysis can be performed. This includes the steps of parsing the data packet, determining the flow value for each associated user, ordering the flow values, and the like. Automated processes for data processing and analysis may be implemented using specialized network monitoring tools or custom scripting programs.
Finally, the collected NetFlow data packet can be stored and managed. The data can be selectively stored in the database, the file, the cloud storage and other positions, and the data backup and the security management are well done. Meanwhile, the data can be subjected to operations such as regular cleaning, screening and statistics according to actual demands, so that the subsequent data utilization and mining are facilitated.
Through the steps, the aim of regularly collecting network flow data packets can be fulfilled, and the flow value of each associated user and the actually measured network bandwidth are determined according to the data packets. This helps to better understand network performance and optimize accordingly. Meanwhile, the collection mode (collection according to the hour and/or collection through the equipment identifier) can be flexibly selected according to the actual demand, and data processing, storage and management can be carried out according to the demand.
According to an embodiment of the present disclosure, the flow value of each associated user is determined, for example, through operations S421 to S422.
In operation S421, the NetFlow packet is parsed to obtain user identity information. Wherein the user identity information includes a source IP address and a source port.
In operation S422, a flow value of each associated user is determined according to the NetFlow v5 protocol and user identity information.
For example, there is a large internet company that has millions of active users, each day with a large number of network traffic packets transmitted across the network. To better understand the traffic usage of each user, it is necessary to determine the traffic value for each associated user. The following is a specific method:
and analyzing the network flow data packet, and extracting user identity information from the network flow data packet. This can be achieved by using a NetFlow parser or a custom script program. When parsing the NetFlow packet, information such as the source IP address, source port, etc. can be extracted, which will be used to determine the flow value for each associated user.
The NetFlow v5 protocol is a network traffic reporting protocol that defines how to report network traffic information. The NetFlow v5 protocol and user identity information can be used to determine the flow value for each associated user. Specifically, the information such as the source IP address and the source port can be matched with fields in the NetFlow v5 protocol, so as to determine the flow value of each associated user.
For example, there is a NetFlow packet that contains the following information:
source IP address: 192.168.0.1
Target IP address: 10.0.0.1
Transport layer protocol: TCP (Transmission control protocol)
Source port: 12345
Target port: 80
Number of data packets: 1000
Number of bytes: 100000
From the above information, it can be determined that the packet belongs to a specific user (the source IP address and the source port uniquely identify a user). The information for the packet (e.g., the number of packets and bytes) may then be attributed to the user to determine the flow value for the user.
Statistics may also be performed after determining the traffic value for each associated user. This may be accomplished through the use of databases, data warehouses, or other data processing tools. The flow values for each user may be accumulated, averaged, peaked, etc. to better understand the flow usage for each user.
It should be noted that the above method is only a simple example to illustrate how to determine the flow value of each associated user. In practical applications, more complex data processing and analysis operations are required according to specific situations.
According to an embodiment of the present disclosure, before ordering the traffic values within the preset period, the network bandwidth monitoring method further includes, for example:
in operation S510, a time threshold is determined.
In operation S520, the duration of the NetFlow packet and the size of the time threshold are determined.
And
In operation S530, in the case where the duration of the NetFlow packet is less than the time threshold, the NetFlow packet is rejected.
For example, because there are a large number of transient traffic packets in the network, such as users turning on videos and then off quickly, these packets are not of great value for actual traffic monitoring. Therefore, it is necessary to determine a time threshold, determine the duration of the NetFlow packet and the size of the time threshold, and reject these transient packets if the duration of the NetFlow packet is less than the time threshold.
The following is a specific method:
the time threshold may be determined based on actual demand and network conditions. For example, a time of 5 seconds or 1 minute may be set, meaning that only traffic packets having a duration exceeding 5 seconds or 1 minute are retained.
After the NetFlow packets are collected, the duration and the time threshold of each packet need to be determined. This can be achieved by recording the time stamp of each data packet and calculating the time difference between two adjacent data packets. A certain data packet may be rejected if its duration is less than a first time threshold.
When judging that the duration of a certain NetFlow data packet is smaller than the time threshold, the NetFlow data packet can be rejected. Therefore, a large number of short-flow data packets can be filtered, the data processing amount is reduced, and the data processing efficiency is improved.
After the short-lived traffic packets are removed, the remaining NetFlow packets have more practical traffic value. The data may be ordered by a preset period of time (e.g., per hour) to obtain a sequence of flow values for each hour.
Finally, user identity information (such as a source IP address and a source port) can be extracted by parsing the NetFlow packet, and a flow value of each associated user can be determined according to the user identity information. The traffic usage of each user can be known and used for network bandwidth monitoring and optimization.
The methods of the present disclosure are also applicable to network security aspects. With the continuous upgrade of network attack means, the traditional security defense method cannot meet the current network security requirement, and protecting personal privacy and network security becomes an increasingly focused problem. The bandwidth monitoring method can effectively identify and defend network attacks by analyzing traffic data, removing abnormal traffic data and screening the effective data by threshold value, and improves network security.
According to an embodiment of the present disclosure, before ordering the traffic values within the preset period, the network bandwidth monitoring method further includes, for example:
in operation S610, a polymerization speed threshold is determined.
In operation S610, the aggregation speed of the NetFlow packet and the aggregation speed threshold are determined. And
In operation S610, in the case where the aggregation speed of the NetFlow packet is less than the aggregation speed threshold, the NetFlow packet is rejected.
For example, in addition to screening data by determining the duration of NetFlow packets, we can also perform further screening based on the aggregation speed of the data. For example, by removing data having a duration of less than 1 second.
The following is a specific method:
defining a polymerization speed threshold: an aggregation speed threshold, such as the number of packets transmitted per second, may be set. If the aggregation speed of a certain NetFlow packet is below the threshold, the packet can be considered to belong to invalid data.
Calculating the aggregation speed of each NetFlow data packet: for each NetFlow packet, the aggregation speed, i.e. the number of packets transmitted per unit time, can be calculated. This can be achieved by calculating the time difference between two adjacent data packets and the number of data packets.
Screening out NetFlow data packets with aggregation speed lower than a threshold value: some NetFlow packet may be marked as invalid if its aggregation speed is below a set threshold. These packets may have too low an aggregation speed due to network delay, packet loss, etc., and are not of great value for actual traffic monitoring.
Reject invalid NetFlow packets: after marking the invalid data packet, it can be removed from the data set to reduce data throughput and avoid interfering with subsequent analysis results.
Further analysis of the effective NetFlow packet: processing and analysis can continue as before for the remaining valid NetFlow packets. For example, the NetFlow packet may be parsed to extract user identity information, and a flow value for each associated user may be determined based on the user identity information. These data may then be ranked, counted, etc. to learn the usage of network bandwidth and traffic usage for each user.
It should be noted that the above method is only a simple example to illustrate how to screen and process NetFlow data in combination with the polymerization rate threshold. In practical applications, more complex data processing and analysis operations are required according to specific situations.
According to an embodiment of the present disclosure, the network bandwidth monitoring method further includes, for example:
operation S710, visually displaying the measured network bandwidth in a form of a chart, a graph or a report.
For example, besides monitoring and analyzing the network bandwidth by technical means, the actually measured network bandwidth can be displayed in a visual manner, so that the use condition of the network bandwidth can be more intuitively known.
The following is a specific method:
network bandwidth monitoring data, including network bandwidth usage, traffic distribution, etc., can be collected using a network bandwidth monitoring tool or NetFlow analysis tool.
After the network bandwidth monitoring data is collected, data processing and analysis is required. This includes cleaning, sorting, aggregating, etc. the data to better reflect the use of network bandwidth.
Various charts, graphs, or reports may be used to visually represent measured network bandwidth. For example, a bar graph may be used to show network bandwidth usage over different time periods, a line graph may be used to show a trend of network bandwidth change, a pie graph may be used to show a ratio of network bandwidth occupied by different protocols or services, and so on.
The use condition of the network bandwidth can be more intuitively known by displaying the manufactured chart, graph or report on a monitoring system, a large screen display or other visual platforms in the company. This helps to discover and resolve network congestion or other problems in a timely manner, while also helping to provide high-level management personnel with reports and displays of network bandwidth usage.
It should be noted that the above method is only a simple example to illustrate how the measured network bandwidth is displayed in combination with the visualization. In practical applications, more complex data processing and visualization operations are required according to specific situations.
Based on the network bandwidth monitoring method, the disclosure also provides a network bandwidth monitoring device. The device will be described in detail below in connection with fig. 3.
Fig. 3 schematically illustrates a block diagram of a network bandwidth monitoring apparatus according to an embodiment of the present disclosure.
As shown in fig. 3, the network bandwidth monitoring apparatus 300 of this embodiment includes, for example: the system comprises an acquisition module 310, a first determination module 320, a ranking module 330, a culling module 340 and a second determination module 350.
The acquisition module 310 is configured to periodically acquire network traffic packets. In an embodiment, the acquisition module 310 may be configured to perform the operation S210 described above, which is not described herein.
The first determining module 320 is configured to determine a flow value of each associated user according to the network flow data packet. In an embodiment, the first determining module 320 may be configured to perform the operation S220 described above, which is not described herein.
The sorting module 330 is configured to sort the flow values within a preset period of time to obtain a first flow value sequence. In an embodiment, the sorting module 330 may be configured to perform the operation S230 described above, which is not described herein.
The rejecting module 340 is configured to reject a flow value of a preset proportion on a maximum side of the first flow value sequence, to obtain a second flow value sequence. In an embodiment, the rejection module 340 may be configured to perform the operation S240 described above, which is not described herein.
The second determining module 350 is configured to determine a maximum traffic value of the second sequence of traffic values as the measured network bandwidth. In an embodiment, the second determining module 350 may be configured to perform the operation S250 described above, which is not described herein.
Any of the collection module 310, the first determination module 320, the sorting module 330, the culling module 340, and the second determination module 350 may be combined in one module to be implemented, or any of them may be split into a plurality of modules, according to an embodiment of the present disclosure. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the acquisition module 310, the first determination module 320, the ordering module 330, the culling module 340, and the second determination module 350 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable way of integrating or packaging the circuitry, or in any one of or a suitable combination of any of the three implementations of software, hardware, and firmware. Alternatively, at least one of the acquisition module 310, the first determination module 320, the ranking module 330, the culling module 340 and the second determination module 350 may be at least partially implemented as a computer program module, which, when executed, may perform the respective functions.
Fig. 4 schematically illustrates a block diagram of an electronic device adapted to implement a network bandwidth monitoring method according to an embodiment of the disclosure.
As shown in fig. 4, an electronic device 400 according to an embodiment of the present disclosure includes a processor 401 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 402 or a program loaded from a storage section 408 into a Random Access Memory (RAM) 403. The processor 401 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 401 may also include on-board memory for caching purposes. Processor 401 may include a single processing unit or multiple processing units for performing different actions of the method flows in accordance with embodiments of the disclosure.
In the RAM 403, various programs and data necessary for the operation of the electronic device 400 are stored. The processor 401, the ROM 402, and the RAM 403 are connected to each other by a bus 404. The processor 401 performs various operations of the method flow according to the embodiment of the present disclosure by executing programs in the ROM 402 and/or the RAM 403. Note that the program may be stored in one or more memories other than the ROM 402 and the RAM 403. The processor 401 may also perform various operations of the method flow according to the embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, electronic device 400 may also include an input/output (I/O) interface 405, with input/output (I/O) interface 405 also connected to bus 404. Electronic device 400 may also include one or more of the following components connected to I/O interface 405: an input section 406 including a keyboard, a mouse, and the like; an output portion 407 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker, and the like; a storage section 408 including a hard disk or the like; and a communication section 409 including a network interface card such as a LAN card, a modem, or the like. The communication section 409 performs communication processing via a network such as the internet. The drive 410 is also connected to the I/O interface 405 as needed. A removable medium 411 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed on the drive 410 as needed, so that a computer program read therefrom is installed into the storage section 408 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs that, when executed, implement a network bandwidth monitoring method according to an embodiment of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 402 and/or RAM 403 and/or one or more memories other than ROM 402 and RAM 403 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to implement the network bandwidth monitoring method provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 401. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed over a network medium in the form of signals, downloaded and installed via the communication portion 409, and/or installed from the removable medium 411. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 409 and/or installed from the removable medium 411. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 401. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for performing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, such as Java, c++, python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.
Claims (10)
1. A method for monitoring network bandwidth, comprising:
collecting network flow data packets at fixed time;
determining the flow value of each associated user according to the network flow data packet;
sequencing the flow values in a preset period of time to obtain a first flow value sequence;
removing the flow value of the preset proportion at the maximum side of the first flow value sequence to obtain a second flow value sequence; and
and determining the maximum flow value of the second flow value sequence as the actual measured network bandwidth.
2. The method of claim 1, wherein the periodically collecting network traffic packets comprises:
collecting NetFlow data packets of a CERNET trunk according to the hours; and/or
And collecting the NetFlow data packet of the CERNET trunk through a device identifier.
3. The method of claim 2, wherein said determining a traffic value for each associated user based on said network traffic data packets comprises:
analyzing the NetFlow data packet to obtain user identity information;
determining the flow value of each associated user according to a NetFlow v5 protocol and the user identity information;
wherein the user identity information includes a source IP address and a source port.
4. The method of claim 2, wherein prior to ordering the flow values for a preset period of time, the method further comprises:
determining a time threshold;
judging the duration time of the NetFlow data packet and the size of the time threshold; and
and rejecting the NetFlow data packet under the condition that the duration time of the NetFlow data packet is smaller than the time threshold value.
5. The method of claim 4, wherein prior to ordering the flow values for a preset period of time, the method further comprises:
determining a polymerization rate threshold;
judging the aggregation speed of the NetFlow data packet and the aggregation speed threshold value; and
and eliminating the NetFlow data packet under the condition that the aggregation speed of the NetFlow data packet is smaller than the aggregation speed threshold value.
6. The method as recited in claim 1, further comprising:
and visually displaying the actually measured network bandwidth in the form of a chart, a graph or a report.
7. A network bandwidth monitoring apparatus, comprising:
the acquisition module is used for acquiring network flow data packets at fixed time;
the first determining module is used for determining the flow value of each associated user according to the network flow data packet;
the sequencing module is used for sequencing the flow values in a preset period of time to obtain a first flow value sequence;
the rejecting module is used for rejecting the flow value of the preset proportion at the maximum side of the first flow value sequence to obtain a second flow value sequence; and
and the second determining module is used for determining the maximum flow value of the second flow value sequence as the actually measured network bandwidth.
8. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-6.
9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-6.
10. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1-6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311489880.9A CN117336211A (en) | 2023-11-09 | 2023-11-09 | Network bandwidth monitoring method, device, equipment, medium and program product |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311489880.9A CN117336211A (en) | 2023-11-09 | 2023-11-09 | Network bandwidth monitoring method, device, equipment, medium and program product |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117336211A true CN117336211A (en) | 2024-01-02 |
Family
ID=89290460
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311489880.9A Pending CN117336211A (en) | 2023-11-09 | 2023-11-09 | Network bandwidth monitoring method, device, equipment, medium and program product |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117336211A (en) |
-
2023
- 2023-11-09 CN CN202311489880.9A patent/CN117336211A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10686681B2 (en) | Systems and methods for measuring effective customer impact of network problems in real-time using streaming analytics | |
| US7801985B1 (en) | Data transfer for network interaction fraudulence detection | |
| US20150039749A1 (en) | Detecting traffic anomalies based on application-aware rolling baseline aggregates | |
| US7969893B2 (en) | List-based alerting in traffic monitoring | |
| CN109787833B (en) | Network abnormal event sensing method and system | |
| EP2661020B1 (en) | Adaptive monitoring of telecommunications networks | |
| US20160234094A1 (en) | Streaming method and system for processing network metadata | |
| US10193908B2 (en) | Data transfer for network interaction fraudulence detection | |
| US20150120914A1 (en) | Service monitoring system and service monitoring method | |
| US10708155B2 (en) | Systems and methods for managing network operations | |
| US20220247650A1 (en) | Network device measurements employing white boxes | |
| CN110633195B (en) | Performance data display method and device, electronic equipment and storage medium | |
| CN111181799A (en) | Network traffic monitoring method and equipment | |
| CN111314179A (en) | Network quality detection method, device, equipment and storage medium | |
| CN105763387A (en) | Network traffic monitoring method and device | |
| US9917747B2 (en) | Problem detection in a distributed digital network through distributed packet analysis | |
| CN108322354B (en) | Method and device for identifying running-stealing flow account | |
| US20220103442A1 (en) | Internet of things operations monitoring system | |
| CN115766471B (en) | Network service quality analysis method based on multicast flow | |
| CN111865951A (en) | Network data flow abnormity detection method based on data packet feature extraction | |
| CN114189480B (en) | Flow sampling method, device, electronic equipment and medium | |
| CN117336211A (en) | Network bandwidth monitoring method, device, equipment, medium and program product | |
| KR20100003099A (en) | The enterprise network analysis system and its method | |
| Uzun et al. | End-to-end internet speed analysis of mobile networks with mapReduce | |
| TWI597952B (en) | Broadband Internet service quality monitoring system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |