CN117499322A - Network traffic service processing method, system, electronic equipment and storage medium - Google Patents
- Publication number
- CN117499322A
- Authority
- CN
- China
- Prior art keywords
- message
- flow
- content
- network traffic
- analysis
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H04L (Transmission of digital information), H04L47/00 Traffic control in data switching networks, H04L47/10 Flow control; Congestion control: H04L47/22 Traffic shaping
- H04L47/12 Avoiding congestion; Recovering from congestion: H04L47/125 by balancing the load, e.g. traffic engineering
- H04L47/10 Flow control; Congestion control: H04L47/23 Bit dropping
- H04N (Pictorial communication), H04N21/00 Selective content distribution, H04N21/20 Servers for content distribution, H04N21/25 Management operations performed by the server, H04N21/262 Content or additional data distribution scheduling: H04N21/26208 the scheduling operation being performed under constraints
- H04N21/40 Client devices for reception of or interaction with content, H04N21/45 Management operations performed by the client: H04N21/454 Content or additional data filtering, e.g. blocking advertisements
- Y02D (Climate change mitigation technologies in ICT), Y02D30/00 Reducing energy consumption in communication networks: Y02D30/50 in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Databases & Information Systems (AREA)
- Multimedia (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application provides a network traffic service processing method, system, electronic device and storage medium in the technical field of network traffic processing. The method comprises the following steps: obtaining a packet flow corresponding to initial network traffic data, and parsing the packet flow with the high-speed network traffic filtering module to obtain parsed packets; performing content matching on the parsed packets to obtain packet payload content; determining audio/video data and encrypted data from the payload content of the parsed packets, and filtering out the audio/video data and the encrypted data with the high-speed network traffic filtering module; and performing service processing on the filtered target network traffic data with the service processing module. By filtering out low-value audio/video data and encrypted data before service processing, the method improves the efficiency of subsequent traffic analysis and saves the memory consumed by traffic analysis.
Description
Technical Field
The present disclosure relates to the field of network traffic processing technologies, and in particular, to a method, a system, an electronic device, and a storage medium for processing a network traffic service.
Background
With the development of the Internet, video and live-streaming websites have grown rapidly, and watching video and live streams on a mobile phone has become part of everyday life. For a back-end service analysis system, audio/video traffic and encrypted data are low-value data that contribute little to service analysis. When a network traffic analysis system spends too much processing on audio/video traffic and encrypted data, a large amount of memory is wasted and the efficiency of traffic processing and analysis becomes very low.
Disclosure of Invention
The invention aims to provide a network traffic service processing method, system, electronic device and storage medium that filter out low-value audio/video data and encrypted data before service processing, so that the efficiency of subsequent traffic analysis is improved and the memory consumed by traffic analysis is reduced.
In a first aspect, the present invention provides a network traffic service processing method applied to a pre-built network traffic analysis system, where the pre-built network traffic analysis system comprises a high-speed network traffic filtering module and a service processing module; the method comprises the following steps:
obtaining a packet flow corresponding to initial network traffic data, and parsing the packet flow with the high-speed network traffic filtering module to obtain parsed packets;
performing content matching on the parsed packets to obtain packet payload content;
determining audio/video data and encrypted data from the payload content of the parsed packets, and filtering out the audio/video data and the encrypted data with the high-speed network traffic filtering module;
and performing service processing on the filtered target network traffic data with the service processing module.
In an alternative embodiment, parsing the packet flow with the high-speed network traffic filtering module to obtain parsed packets comprises:
parsing, by the high-speed network traffic filtering module, the layer 2 to layer 4 header content of the packets in the packet flow according to the TCP/IP protocol stack, to obtain the five-tuple of the packet flow and the offset of the packet payload content.
In an optional embodiment, before performing content matching on the parsed packet to obtain the packet payload content, the method further comprises:
obtaining the five-tuple of the packet flow and using the five-tuple as the primary key.
In an alternative embodiment, performing content matching on the parsed packet to obtain the packet payload content comprises:
after the packet has been parsed, obtaining the offset of the packet payload, and passing the payload content at that offset as a key into a content-addressable memory (CAM) to obtain a content matching result.
In an alternative embodiment, determining the audio/video data and the encrypted data from the payload content of the parsed packet comprises:
determining the audio/video data and the encrypted data from a specified content field in the payload content of the parsed packet.
In an alternative embodiment, determining the audio/video data and the encrypted data from the specified content field in the payload content of the parsed packet comprises:
determining audio/video data from the Content-Type field in the payload content of the parsed packet;
and determining encrypted data from the content fields of the SSL session handshake in the payload content of the parsed packet.
In an alternative embodiment, the method further comprises:
after the first packet of each packet flow has been processed, creating a flow table entry if the lookup finds none;
when the next packet of the packet flow arrives, looking up the flow table again and, if the entry exists, updating it; if the aging time configured for the flow table is exceeded without packets of the flow updating the entry, aging the entry out of the flow table.
In a second aspect, the present invention provides a network traffic service processing system applied to a pre-built network traffic analysis system, where the pre-built network traffic analysis system comprises a high-speed network traffic filtering module and a service processing module; the system comprises:
a packet parsing module, configured to obtain a packet flow corresponding to the initial network traffic data and parse the packet flow with the high-speed network traffic filtering module to obtain parsed packets;
a content matching module, configured to perform content matching on the parsed packets to obtain packet payload content;
a filtering module, configured to determine audio/video data and encrypted data from the payload content of the parsed packets and to filter out the audio/video data and the encrypted data with the high-speed network traffic filtering module;
and a service processing module, configured to perform service processing on the filtered target network traffic data.
In a third aspect, the present invention provides an electronic device comprising a processor and a memory storing computer-executable instructions that can be executed by the processor; the processor executes the computer-executable instructions to implement the network traffic service processing method of any of the preceding embodiments.
In a fourth aspect, the present invention provides a computer-readable storage medium storing computer-executable instructions that, when invoked and executed by a processor, cause the processor to implement the network traffic service processing method of any of the preceding embodiments.
With the network traffic service processing method, system, electronic device and storage medium described above, the identified audio/video traffic and encrypted traffic are discarded according to policy, and the remaining valuable packets are passed on to the back-end service analysis system. Filtering on the high-speed network traffic filtering platform significantly reduces the traffic entering the network traffic analysis platform, lightens its processing load and avoids wasting its resources, thereby greatly improving the performance of the whole machine.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed for the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description show only some embodiments of the present application, and a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a block diagram of a network traffic analysis system according to an embodiment of the present application;
fig. 2 is a flowchart of a method for processing network traffic service according to an embodiment of the present application;
fig. 3 is a block diagram of a network traffic service processing system according to an embodiment of the present application;
fig. 4 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The embodiment of the application provides a network traffic service processing method applied to a pre-built network traffic analysis system comprising a high-speed network traffic filtering module and a service processing module. The high-speed network traffic filtering module filters the acquired traffic, for example removing audio/video data and encrypted data that have little value for service analysis and waste memory, and the service processing module performs service processing on the filtered data. This improves service processing efficiency, prevents memory from being occupied by large amounts of low-value data, and improves memory utilization.
Fig. 1 shows a block diagram of a specific network traffic analysis system comprising a high-speed network traffic filtering platform (i.e., the high-speed network traffic filtering module), a load balancing platform and a service processing platform. The high-speed network traffic filtering platform removes audio/video data and encrypted data from the acquired traffic; the filtered data is passed to the load balancing platform and, after load balancing, to the service processing platform for service processing. This improves service processing efficiency, prevents memory from being occupied by large amounts of low-value data, and improves memory utilization.
The network traffic analysis system introduces a high-speed network traffic filtering platform that removes audio/video data and encrypted data, raising the value density of the network traffic and reducing the traffic entering the network traffic analysis platform. Without affecting the network traffic analysis service, the processing performance of the whole network traffic analysis system is improved.
The high-speed network traffic filtering platform uses a high-speed network processor whose memory system is optimized and whose data-structure tables are hardware-accelerated, giving higher processing efficiency and larger capacity. Its main work is parsing packet content, maintaining the session flow table, matching content rules, and identifying audio/video and encrypted data.
Applied to this network traffic analysis system, fig. 2 provides a flowchart of the network traffic service processing method, which mainly comprises the following steps:
Step S210: obtain a packet flow corresponding to the initial network traffic data, and parse the packet flow with the high-speed network traffic filtering module to obtain parsed packets.
In one embodiment, the high-speed network traffic filtering module parses the packet flow by parsing the layer 2 to layer 4 headers of the packets in the flow according to the TCP/IP protocol stack, obtaining the five-tuple of the packet flow and the offset of the packet payload content.
The high-speed network traffic filtering module comprises a processing chip that parses network packets at high speed and provides parsing interfaces for layers L2 to L4. By identifying the protocol at each layer and calling the corresponding parsing interface, the five-tuple is obtained: the source IP, destination IP and protocol number from the L3 header and the source port and destination port from the L4 header, together with the offset of the packet payload content that follows the L4 header.
Network traffic is transported according to the TCP/IP protocol suite and conforms to the OSI seven-layer model. The five-tuple of an application-layer exchange between hosts comprises the source IP address, destination IP address, source port number, destination port number and transport protocol number. A session is identified by its five-tuple, each five-tuple corresponds to an entry in a hash flow table, and the five-tuple is the key of that hash flow table.
Therefore, once a packet has been parsed, the five-tuple of its packet flow is available and is used as the primary key; that is, the five-tuple obtained during parsing by the high-speed network traffic filtering module is the key of the hash flow table.
In an alternative embodiment, after the first packet of each packet flow has been processed, a flow table entry is created if the lookup finds none; when the next packet of the packet flow arrives, the flow table is looked up again and, if the entry exists, it is updated; if the aging time configured for the flow table is exceeded without packets of the flow updating the entry, the entry is aged out of the flow table.
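The parsing and flow-table steps above, as an added example that is not part of the patent or of any implementation of it. It models the first stage of the filtering module in Python: Ethernet II, IPv4 and TCP/UDP headers are parsed to recover the five-tuple and the payload offset, and a hash flow table keyed by the five-tuple is created, refreshed and aged. The framing assumptions (no VLAN tags, no IPv6), the aging time, the frame builder and the sample frames are the example's own; a network processor exposes this through its L2 to L4 parsing interface rather than through code like this.

```python
import struct
from dataclasses import dataclass

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int


def parse_l2_l4(frame: bytes):
    """Parse Ethernet II / IPv4 / TCP|UDP headers.

    Returns (FiveTuple, payload_offset), where payload_offset is the index of
    the first L4 payload byte in the frame, or None when the frame is not
    IPv4 TCP/UDP or is truncated (VLAN tags and IPv6 are deliberately not
    handled in this example).
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4              # IPv4 header length incl. options
    proto = ip[9]
    if (ip[0] >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if proto == PROTO_TCP:
        if len(l4) < 20:
            return None
        sport, dport = struct.unpack("!HH", l4[:4])
        l4_len = (l4[12] >> 4) * 4        # TCP data offset (header length)
        if l4_len < 20 or len(l4) < l4_len:
            return None
    elif proto == PROTO_UDP:
        if len(l4) < 8:
            return None
        sport, dport = struct.unpack("!HH", l4[:4])
        l4_len = 8
    else:
        return None
    return FiveTuple(src_ip, dst_ip, sport, dport, proto), ETH_HDR_LEN + ihl + l4_len


@dataclass
class FlowEntry:
    first_seen: float
    last_seen: float
    packets: int


class FlowTable:
    """Hash flow table keyed by five-tuple; idle entries age out."""

    def __init__(self, aging_time: float):
        self.aging_time = aging_time      # seconds of idleness before aging
        self.entries: dict = {}

    def update(self, key: FiveTuple, now: float) -> bool:
        """Create the entry on a flow's first packet, refresh it afterwards.
        Returns True when the flow already existed."""
        e = self.entries.get(key)
        if e is None:
            self.entries[key] = FlowEntry(now, now, 1)
            return False
        e.last_seen, e.packets = now, e.packets + 1
        return True

    def age(self, now: float) -> int:
        """Remove entries idle longer than aging_time; return how many."""
        stale = [k for k, e in self.entries.items()
                 if now - e.last_seen > self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)


def build_frame(src_ip, dst_ip, sport, dport, payload: bytes, proto=PROTO_TCP) -> bytes:
    """Constructed test frame (Ethernet II + IPv4 without options + TCP/UDP)."""
    if proto == PROTO_TCP:   # 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:                    # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4 + payload
```

The five-tuple is direction-specific: the two directions of one TCP connection produce two keys unless the caller normalises the address and port pairs, so a filter that labels a flow on the server's response must apply the same label to the client's direction. Aging is driven by the caller's clock; in hardware it is typically a periodic sweep, which the age() call stands in for.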
Step S220: perform content matching on the parsed packet to obtain the packet payload content.
In one embodiment, after the packet has been parsed, the offset of the packet payload is known, and the payload content at that offset is passed as the key into a content-addressable memory (CAM), which returns the content matching result.
In practice, a segment of packet content of a designated length, starting at the payload offset, is taken as the CAM key, and the matching result of the lookup is used to identify the payload content.
Step S230: determine audio/video data and encrypted data from the payload content of the parsed packet, and filter out the audio/video data and the encrypted data with the high-speed network traffic filtering module.
In one embodiment, the audio/video data and the encrypted data are determined from a specified content field in the payload content of the parsed packet. Specifically:
audio/video data is determined from the Content-Type field in the payload content of the parsed packet;
and encrypted data is determined from the content fields of the SSL session handshake in the payload content of the parsed packet.
Step S240: perform service processing on the filtered target network traffic data with the service processing module.
In one embodiment, service processing may include dropping packets, load-balanced output, same-source (homology) handling of packets, and so on.
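The content-matching and filtering steps S220 to S240, as an added example that is not the patent's code or any vendor's. It emulates the fixed-length CAM key taken at the payload offset with a byte window and models the two rule families the description names: an HTTP response whose Content-Type declares audio/* or video/*, and an SSL/TLS handshake record. The key width, the rule logic, the flow keys and the sample payloads are all constructed for the example. Two points a practitioner should take from it: a Content-Type header that falls outside the key window is never matched, and the Content-Type value is written by the sending host, so a drop-before-analysis stage that keys on it is trusting a peer-controlled field. The "encrypted" label is only observable on the handshake packets, so it has to be carried forward in the flow table, which the FlowFilter class shows.

```python
import re

KEY_LEN = 256                  # assumed CAM key width (bytes) taken at the payload offset
DROP, PASS = "drop", "pass"
LOW_VALUE = ("encrypted", "audio_video")


def is_tls_handshake(key: bytes) -> bool:
    """SSL 3.0 / TLS record: type 0x16 (handshake), version 0x03xx, then a
    ClientHello (1) or ServerHello (2) handshake header."""
    return (len(key) >= 6 and key[0] == 0x16 and key[1] == 0x03
            and key[2] <= 0x04 and key[5] in (1, 2))


_AV_CONTENT_TYPE = re.compile(rb"^Content-Type:[ \t]*(audio|video)/[^\r\n;]+",
                              re.IGNORECASE | re.MULTILINE)


def is_av_http(key: bytes) -> bool:
    """HTTP response whose header block declares an audio/* or video/* body.
    Only the part of the header block inside the key window is examined,
    mirroring a fixed-width CAM key."""
    if not key.startswith(b"HTTP/1."):
        return False
    head = key.split(b"\r\n\r\n", 1)[0]
    return _AV_CONTENT_TYPE.search(head) is not None


def classify(payload: bytes) -> str:
    """Label a single packet payload: 'encrypted', 'audio_video' or 'other'."""
    key = payload[:KEY_LEN]
    if is_tls_handshake(key):
        return "encrypted"
    if is_av_http(key):
        return "audio_video"
    return "other"


class FlowFilter:
    """Per-flow drop decision.  The label is decided on the first packet that
    matches a rule and then kept in the flow table, so later packets of the
    same flow (which carry neither the handshake nor the HTTP header) are
    dropped too.  flow_key is whatever the caller derives from the
    five-tuple; both directions of a connection must map to one key."""

    def __init__(self, drop_labels=LOW_VALUE):
        self.drop_labels = drop_labels
        self.labels = {}

    def handle(self, flow_key, payload: bytes) -> str:
        label = self.labels.get(flow_key)
        if label is None:
            label = classify(payload)
            if label != "other":
                self.labels[flow_key] = label
        return DROP if label in self.drop_labels else PASS


# Constructed sample payloads (not captured traffic).
SAMPLE_GET = b"GET /clip.mp4 HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_VIDEO_RESP = (b"HTTP/1.1 200 OK\r\nServer: demo\r\nContent-Type: video/mp4\r\n"
                     b"Content-Length: 4\r\n\r\n\x00\x00\x00\x18")
SAMPLE_HTML_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
# TLS 1.0 record header carrying a ClientHello (body zero-filled).
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301002a010000260303") + b"\x00" * 38
# Content-Type pushed past the key window by a long preceding header.
SAMPLE_PADDED_RESP = (b"HTTP/1.1 200 OK\r\nX-Pad: " + b"a" * KEY_LEN
                      + b"\r\nContent-Type: video/mp4\r\n\r\n")

if __name__ == "__main__":
    f = FlowFilter()
    for key, p in [("c2s", SAMPLE_GET), ("c2s", SAMPLE_VIDEO_RESP), ("c2s", b""),
                   ("tls", SAMPLE_CLIENT_HELLO), ("web", SAMPLE_HTML_RESP),
                   ("pad", SAMPLE_PADDED_RESP)]:
        print(key, classify(p), f.handle(key, p))
```

The rule for encrypted traffic matches on record content rather than on port 443, so TLS on any port is caught, but QUIC and other UDP-carried encryption are outside what these two rules see. Which labels are actually dropped is policy (the drop_labels parameter); the patent's policy drops both.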
The method cooperates with the existing service processor platform by introducing a high-speed network traffic filtering platform. The new filtering platform removes low-value audio/video and encrypted data and hands the remaining traffic to the existing service platform, reducing the processing pressure on that platform and raising the processing capacity of the whole system.
The high-speed network processor service platform used by the network traffic filtering platform adopts a hardware architecture that allows flexible module tailoring, with distinctive configurability and extensibility. Its core processing units are organised in clusters that integrate many processing cores, greatly improving the parallel processing capability of the system. The high-speed network processor system provides a high-speed memory system and a hardware acceleration engine that improve the read, write and lookup performance of data table entries. Together with the integrated content-rule matching module, video streams and encrypted streams are identified quickly, so video traffic and encrypted traffic are filtered out quickly.
After the high-speed network traffic filtering platform is added, audio/video streams and encrypted data streams are discarded on that platform. Because a large share of the traffic is filtered there, the traffic reaching the service processing system falls, the computing resources of the service processing platform are fully used, and overall system processing performance improves.
By introducing the high-speed network traffic filtering platform, low-value flows are filtered out before the traffic is handed to the service processing platform, which removes a large amount of useless computation, improves overall traffic processing efficiency and greatly improves the performance of the network traffic analysis system.
Based on the method embodiment, the embodiment of the application also provides a network traffic service processing system applied to a pre-built network traffic analysis system comprising a high-speed network traffic filtering module and a service processing module; referring to fig. 3, the system mainly comprises the following parts:
a packet parsing module 310, configured to obtain a packet flow corresponding to the initial network traffic data and parse the packet flow with the high-speed network traffic filtering module to obtain parsed packets;
a content matching module 320, configured to perform content matching on the parsed packets to obtain packet payload content;
a filtering module 330, configured to determine audio/video data and encrypted data from the payload content of the parsed packets and to filter out the audio/video data and the encrypted data with the high-speed network traffic filtering module;
and a service processing module 340, configured to perform service processing on the filtered target network traffic data.
In an alternative embodiment, the packet parsing module 310 is further configured to:
parse, by the high-speed network traffic filtering module, the layer 2 to layer 4 header content of the packets in the packet flow according to the TCP/IP protocol stack, to obtain the five-tuple of the packet flow and the offset of the packet payload content.
In an optional embodiment, the system further comprises an obtaining module, which, before content matching is performed on the parsed packet to obtain the packet payload content, is configured to:
obtain the five-tuple of the packet flow and use the five-tuple as the primary key.
In an alternative embodiment, the content matching module 320 is further configured to:
after the packet has been parsed, obtain the offset of the packet payload and pass the payload content at that offset as a key into a content-addressable memory to obtain a content matching result.
In an alternative embodiment, the filtering module 330 is further configured to:
determine the audio/video data and the encrypted data from a specified content field in the payload content of the parsed packet.
In an alternative embodiment, the filtering module 330 is further configured to:
determine audio/video data from the Content-Type field in the payload content of the parsed packet;
and determine encrypted data from the content fields of the SSL session handshake in the payload content of the parsed packet.
In an alternative embodiment, the system further comprises a flow table processing module, configured to:
after the first packet of each packet flow has been processed, create a flow table entry if the lookup finds none;
when the next packet of the packet flow arrives, look up the flow table again and, if the entry exists, update it; if the aging time configured for the flow table is exceeded without packets of the flow updating the entry, age the entry out of the flow table.
The implementation principle and technical effects of the network traffic service processing system provided in this embodiment are the same as those of the foregoing method embodiment. For brevity, where the system embodiment does not mention a detail, reference may be made to the corresponding content of the foregoing method embodiment.
The embodiment of the present application further provides an electronic device, shown schematically in fig. 4. The electronic device 100 comprises a processor 41 and a memory 40; the memory 40 stores computer-executable instructions that can be executed by the processor 41, and the processor 41 executes them to implement any of the network traffic service processing methods described above.
In the embodiment shown in fig. 4, the electronic device further comprises a bus 42 and a communication interface 43; the processor 41, the communication interface 43 and the memory 40 are connected by the bus 42.
The memory 40 may include high-speed random access memory (RAM) and may further include non-volatile memory, such as at least one disk memory. Communication between this system network element and at least one other network element is achieved through at least one communication interface 43 (wired or wireless), which may use the Internet, a wide area network, a local area network, a metropolitan area network, etc. The bus 42 may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or another bus, and may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration only one bidirectional arrow is drawn in fig. 4, but this does not mean there is only one bus or one type of bus.
The processor 41 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor 41 or by instructions in the form of software. The processor 41 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application may be embodied directly in hardware, in a decoding processor, or in a combination of hardware and software modules in a decoding processor. The software modules may reside in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in the memory; the processor 41 reads the information in the memory and, together with its hardware, performs the steps of the network traffic service processing method of the foregoing embodiment.
The embodiment of the application further provides a computer-readable storage medium storing computer-executable instructions that, when invoked and executed by a processor, cause the processor to implement the above network traffic service processing method; for the specific implementation, reference may be made to the foregoing method embodiment, which is not repeated here.
The computer program product of the network traffic service processing method, system, electronic device and storage medium provided in the embodiments of the present application comprises a computer-readable storage medium storing program code, and the instructions in that program code may be used to execute the method in the foregoing method embodiment; for the specific implementation, reference may be made to the method embodiment, which is not repeated here.
The relative steps, numerical expressions and numerical values of the components and steps set forth in these embodiments do not limit the scope of the present application unless specifically stated otherwise.
If the functions are implemented as software functional units and sold or used as a stand-alone product, they may be stored in a non-volatile computer-readable storage medium executable by a processor. On this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art or in part, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In the description of the present application, it should also be noted that, unless explicitly specified and limited otherwise, the terms "disposed," "mounted," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the terms in this application will be understood by those of ordinary skill in the art in a specific context.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the corresponding technical solutions from the scope of the technical solutions of the embodiments of the present application.
Claims (10)
1. A network traffic service processing method, characterized in that it is applied to a pre-built network traffic analysis system, wherein the pre-built network traffic analysis system comprises a high-speed network traffic filtering module and a service processing module; the method comprises the following steps:
obtaining a packet flow corresponding to initial network traffic data, and parsing the packet flow through the high-speed network traffic filtering module to obtain a parsed packet;
performing content matching on the parsed packet to obtain packet payload content;
determining audio and video data and encrypted data according to the packet payload content of the parsed packet, and filtering out the audio and video data and the encrypted data through the high-speed network traffic filtering module;
and performing service processing on the filtered target network traffic data through the service processing module.
2. The network traffic service processing method according to claim 1, wherein parsing the packet flow through the high-speed network traffic filtering module to obtain a parsed packet comprises:
parsing, by the high-speed network traffic filtering module, the layer 2 to layer 4 header content of the packets contained in the packet flow according to the TCP/IP protocol stack, to obtain the five-tuple information of the packet flow and the offset position of the packet payload content.
3. The network traffic service processing method according to claim 2, wherein before performing content matching on the parsed packet to obtain packet payload content, the method further comprises:
acquiring the five-tuple information of the packet flow, and using the five-tuple information as a primary key value.
4. The network traffic service processing method according to claim 2, wherein performing content matching on the parsed packet to obtain packet payload content comprises:
after the packet is parsed, obtaining the offset position of the packet payload, and passing the packet payload content at that offset position as a key value into a content addressable memory, so as to obtain a content matching result.
5. The network traffic service processing method according to claim 1, wherein determining audio and video data and encrypted data according to the packet payload content of the parsed packet comprises:
determining the audio and video data and the encrypted data according to a specified content field in the packet payload content of the parsed packet.
6. The network traffic service processing method according to claim 5, wherein determining the audio and video data and the encrypted data according to a specified content field in the packet payload content of the parsed packet comprises:
determining the audio and video data according to the Content-Type content field in the packet payload content of the parsed packet;
and determining the encrypted data according to the content field of the SSL session interaction in the packet payload content of the parsed packet.
7. The network traffic service processing method according to claim 1, wherein the method further comprises:
after the first packet of each packet flow is processed, querying the flow table and, if no entry is found, creating the flow table entry;
when the next packet of the packet flow is obtained, querying the flow table again and, if the entry exists, updating it; if the aging time set for the flow table is exceeded and the packets of the packet flow no longer update the entry, carrying out aging processing of the flow table.
8. A network traffic service processing system, characterized in that it is applied to a pre-built network traffic analysis system, wherein the pre-built network traffic analysis system comprises a high-speed network traffic filtering module and a service processing module; the system comprises:
a packet parsing module, configured to obtain a packet flow corresponding to initial network traffic data and to parse the packet flow through the high-speed network traffic filtering module to obtain a parsed packet;
a content matching module, configured to perform content matching on the parsed packet to obtain packet payload content;
a filtering module, configured to determine audio and video data and encrypted data according to the packet payload content of the parsed packet and to filter out the audio and video data and the encrypted data through the high-speed network traffic filtering module;
and a service processing module, configured to perform service processing on the filtered target network traffic data through the service processing module.
9. An electronic device, comprising a processor and a memory, the memory storing computer executable instructions executable by the processor, the processor executing the computer executable instructions to implement the network traffic service processing method of any one of claims 1 to 7.
10. A computer readable storage medium storing computer executable instructions which, when invoked and executed by a processor, cause the processor to implement the network traffic service processing method of any one of claims 1 to 7.
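The claimed pipeline (a layer 2 to layer 4 parse yielding the five-tuple and the payload offset, content matching on the payload for the Content-Type field and for a TLS handshake record, and a five-tuple keyed flow table with create, update and aging), as an added Python example that is not part of the patent. The frame builder, the sample packets and the 30-second default aging time are constructed assumptions, and a plain dict stands in for the claimed content addressable memory.

```python
import struct

def make_tcp_packet(src, dst, sport, dport, payload):
    # Constructed Ethernet/IPv4/TCP frame used as sample input (checksums left zero)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def parse_l2_l4(pkt):
    # Layer 2-4 parse: returns (five_tuple, payload_offset), or None if not Ethernet/IPv4/TCP
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
        return None
    l4 = 14 + (pkt[14] & 0x0F) * 4          # IPv4 IHL gives the TCP header start
    if len(pkt) < l4 + 20:
        return None
    src, dst = ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34]))
    sport, dport = struct.unpack("!HH", pkt[l4:l4 + 4])
    return (src, dst, sport, dport, 6), l4 + (pkt[l4 + 12] >> 4) * 4  # TCP data offset

def classify_payload(payload):
    # Content matching: TLS handshake record -> encrypted; HTTP Content-Type audio/* or video/* -> audio_video
    if payload[:1] == b"\x16" and payload[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "encrypted"
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"content-type:"):
            if line.split(b":", 1)[1].strip().lower().startswith((b"audio/", b"video/")):
                return "audio_video"
    return "other"

class FlowTable:
    # Five-tuple keyed flow table with create / update / age-out, as described in claim 7
    def __init__(self, aging_time=30.0):  # aging time in seconds; assumed value, not from the patent
        self.entries, self.aging_time = {}, aging_time
    def process(self, pkt, now):
        # Filtering verdict for one packet: 'drop' for audio/video or encrypted flows, else 'pass'
        parsed = parse_l2_l4(pkt)
        if parsed is None:
            return "pass"
        key, off = parsed
        entry = self.entries.setdefault(key, {"class": "other"})  # created on the flow's first packet
        if entry["class"] == "other":  # the first classifiable payload decides the flow's class
            entry["class"] = classify_payload(pkt[off:])
        entry["last_seen"] = now  # updated on every packet of the flow
        return "drop" if entry["class"] != "other" else "pass"
    def age_out(self, now):
        # Remove entries not updated within aging_time; returns how many were aged out
        stale = [k for k, e in self.entries.items() if now - e["last_seen"] > self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)
```

Packets that fail the layer 2 to layer 4 parse are passed through unfiltered, so the service processing module, not the filter, remains responsible for anything the parser does not understand.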
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311521094.2A CN117499322A (en) | 2023-11-15 | 2023-11-15 | Network traffic service processing method, system, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117499322A true CN117499322A (en) | 2024-02-02 |
Family ID: 89682633
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311521094.2A Pending CN117499322A (en) | 2023-11-15 | 2023-11-15 | Network traffic service processing method, system, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117499322A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||