CN118101739B - Network connection reset information acquisition method, device and storage medium - Google Patents

Publication number: CN118101739B
Other versions: CN118101739A
Application number: CN202410501429.2A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Inventors: 危荣广, 肖林逵, 陆云, 刘正元, 刘云, 张铎
Current assignee: Kirin Software Co Ltd
Original assignee: Kirin Software Co Ltd
Prior art keywords: function, rst, reason, connection reset, tcp

Classifications

    • H04L67/141 Setup of application sessions
    • G06F9/547 Remote procedure calls [RPC]; Web services
    • H04L67/14 Session management
Abstract

The invention discloses a method, a device and a storage medium for acquiring network connection reset information. The method comprises: monitoring the functions in the Linux kernel network protocol stack that handle connection reset scenarios and, when such a function is called, obtaining the connection reset reason description parameter from the reason description parameter newly added to that function; and acquiring network connection information with a tracing hook function attached to the function that handles the connection reset scenario, the tracing hook function being associated with the connection reset reason description parameter. The method adds a problem description parameter to the functions that handle connection reset scenarios in the Linux kernel network protocol stack, assigns the parameter according to the calling context, and triggers the monitoring program to extract and collect the current information when a connection reset occurs. The collected connection reset information makes abnormal disconnections easier to analyze and troubleshoot.

Description

Network connection reset information acquisition method, device and storage medium
Technical Field
The present invention relates to the field of network connection technologies, and in particular, to a method, an apparatus, and a storage medium for obtaining network connection reset information.
Background
In many network usage scenarios today, TCP is the most widely used transport layer protocol. As a connection-oriented protocol, TCP needs to ensure the security and stability of the connection. A connection reset is an abnormal condition that occurs in TCP connections. When one end of a connection receives a TCP message with the RST flag set, the connection is torn down immediately and no acknowledgment is sent to the peer. This abrupt way of terminating a connection causes many unpredictable problems in network applications and also makes it difficult to analyze and troubleshoot the cause of an abnormal disconnection.
Disclosure of Invention
The embodiment of the invention provides a network connection reset information acquisition method, a device and a storage medium, which are used for solving the technical problem that a firewall cannot finely manage the behavior of a specific application program in the prior art.
In a first aspect, an embodiment of the present invention provides a method for acquiring network connection reset information, including:
monitoring the functions in the Linux kernel network protocol stack that handle connection reset scenarios and, when such a function is called, obtaining the connection reset reason description parameter from the reason description parameter newly added to that function;
and acquiring network connection information with a tracing hook function attached to the function that handles the connection reset scenario, wherein the tracing hook function is associated with the connection reset reason description parameter.
In a second aspect, an embodiment of the present invention further provides a network connection reset information acquisition apparatus, including:
a monitoring module, configured to monitor the functions in the Linux kernel network protocol stack that handle connection reset scenarios and, when such a function is called, obtain the connection reset reason description parameter from the reason description parameter newly added to that function;
and an acquisition module, configured to acquire network connection information with a tracing hook function attached to the function that handles the connection reset scenario, wherein the tracing hook function is associated with the connection reset reason description parameter.
In a third aspect, embodiments of the present invention also provide a storage medium containing computer-executable instructions which, when executed by a computer processor, perform the network connection reset information acquisition method provided in the above embodiments.
According to the network connection reset information acquisition method, device and storage medium provided by the embodiments of the invention, the functions that handle connection reset scenarios in the Linux kernel network protocol stack are monitored and, when such a function is called, the connection reset reason description parameter is obtained from the reason description parameter newly added to that function; network connection information is acquired with a tracing hook function attached to the function that handles the connection reset scenario, the tracing hook function being associated with the connection reset reason description parameter. The method adds a problem description parameter to the functions that handle connection reset scenarios in the Linux kernel network protocol stack, assigns the parameter according to the calling context, and triggers the monitoring program to extract and collect the current information when a connection reset occurs. The collected connection reset information makes abnormal disconnections easier to analyze and troubleshoot.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the accompanying drawings in which:
Fig. 1 is a flowchart of a network connection reset information acquisition method according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a network connection reset information acquisition method according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a network connection reset information acquisition device according to a third embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Example 1
Fig. 1 is a flowchart of the network connection reset information acquisition method according to the first embodiment of the present invention. This embodiment applies to acquiring network connection reset information in Linux. The method may be executed by a network connection reset information acquisition device and specifically includes the following steps:
Step 110, monitoring the functions in the Linux kernel network protocol stack that handle connection reset scenarios and, when such a function is called, obtaining the connection reset reason description parameter from the reason description parameter newly added to that function.
In the kernel, the functions in the Linux kernel network protocol stack that handle connection reset scenarios are monitored. Illustratively, these functions may include tcp_send_active_reset, tcp_v4_send_reset and tcp_reset: tcp_send_active_reset handles connection resets caused by a socket anomaly; tcp_v4_send_reset handles connection resets caused by an abnormal data packet; and tcp_reset handles connection resets caused by an RST message. When a call to one of these functions is detected, the connection reset reason description parameter is obtained from that function. By way of example, this may include: returning the description parameter of the connection reset reason through the parameter added to the function that handles the connection reset scenario in the Linux kernel, wherein a reason enumeration type is predefined in the Linux kernel and the description constants of the connection reset reasons used in those functions are defined with that enumeration type.
In this embodiment, an enum tcp_rst_reason enumeration type may be added to the Linux kernel in advance, with enumeration constants that describe the connection reset reasons. Illustratively, the enum tcp_rst_reason type may be defined in the kernel's include/net/tcp.h file, and the enumeration constants may be defined according to the problem scenario. The enumeration constants may include the following:
Enumeration constant                      Meaning
tcp_rst_reason_error_syn                  Illegal SYN message received
tcp_rst_reason_error_ack                  Illegal ACK message received
tcp_rst_reason_error_time_stamp           Illegal timestamp message received
tcp_rst_reason_no_listen_port_socket      Listening port does not exist
tcp_rst_reason_data_recv_close_socket     Socket closed when data is not received
tcp_rst_reason_data_send_close_socket     Socket closed when data is sent
tcp_rst_reason_data_send_no_socket        Data sent to a non-existent socket
tcp_rst_reason_fin_send_close_socket      FIN sent to a closed socket
tcp_rst_reason_ack_in_listen_socket       ACK message received in LISTEN state
tcp_rst_reason_recv_rst                   RST message received
tcp_rst_reason_ack_recv_rst               RST flag in ACK message
tcp_rst_reason_timewait_recv_rst          RST message received in TIMEWAIT state
In addition, an enum tcp_rst_reason rst_reason parameter needs to be added to the functions that handle connection reset scenarios in the kernel, so that when one of these functions is called, the rst_reason parameter is assigned the corresponding enumeration constant.
The Linux network protocol stack is the Linux kernel's implementation of the network protocol specifications, and TCP is a transport layer protocol in that stack. The reason for a connection reset has to be determined from the TCP specification and the context logic, that is, from the kernel's implementation of the TCP specification; the reason is assigned to the added function parameter rst_reason and then passed to the three functions that handle connection resets. Specifically, the rst_reason parameter may be assigned according to the three functions that handle connection reset scenarios in the kernel.
When an abnormal data packet is received, the tcp_rst_reason_error_syn, tcp_rst_reason_error_ack or tcp_rst_reason_error_time_stamp description parameter is returned, according to the scenario in the kernel context.
When the socket is abnormal, the tcp_rst_reason_no_listen_port_socket, tcp_rst_reason_data_recv_close_socket, tcp_rst_reason_data_send_close_socket, tcp_rst_reason_data_send_no_socket, tcp_rst_reason_ack_in_listen_socket or tcp_rst_reason_data_send_no_socket description parameter is returned, according to the scenario in the kernel context.
When an RST message is received, the tcp_rst_reason_recv_rst, tcp_rst_reason_ack_recv_rst or tcp_rst_reason_timewait_recv_rst description parameter is returned, according to the scenario in the kernel context.
Illustratively, the parameter may be assigned according to the TCP specification and the Linux kernel network protocol stack: the corresponding context is located in the network protocol stack, the TCP protocol layer or the interface layer is examined in that context to obtain the connection reset reason, and the description parameter for that reason is returned according to the preset rule that maps connection reset reasons to description parameters.
Step 120, acquiring network connection information with a tracing hook function attached to the function that handles the connection reset scenario, wherein the tracing hook function is associated with the connection reset reason description parameter.
After the connection reset reason description parameter has been acquired, only the reset reason is known; the circumstances of the connection reset still cannot be investigated. The network connection parameters at the time of the reset therefore also need to be acquired.
In this embodiment, a tracing hook function may be attached in advance to the functions that handle connection reset scenarios, and the network parameters of the connection reset scenario may be acquired with this hook function. The connection reset reason description parameter is associated with the hook function, and the required data is obtained in the monitoring program through the hook function according to the kernel function parameters.
In this embodiment, the functions that handle connection reset scenarios in the Linux kernel network protocol stack are monitored and, when such a function is called, the connection reset reason description parameter is obtained from the reason description parameter newly added to that function; network connection information is acquired with a tracing hook function attached to the function that handles the connection reset scenario, the tracing hook function being associated with the connection reset reason description parameter. The method adds a problem description parameter to the functions that handle connection reset scenarios in the Linux kernel network protocol stack, assigns the parameter according to the calling context, and triggers the monitoring program to extract and collect the current information when a connection reset occurs. The collected connection reset information makes abnormal disconnections easier to analyze and troubleshoot.
Example 2
Fig. 2 is a flowchart of the network connection reset information acquisition method according to the second embodiment of the present invention. This embodiment refines the method of the above embodiment and specifically includes: acquiring the connection reset reason description parameter from the context information stored in ctx, and passing ctx to the bpf_get_stackid function; calling the bpf_get_stackid function from the tracing hook function to obtain the kernel function context stack; obtaining SK and SKB information from the context stack; and acquiring the source address, source port, destination address, destination port and connection state information from the SK and SKB information.
Referring to fig. 2, the network connection reset information acquisition method includes:
Step 210, monitoring the functions in the Linux kernel network protocol stack that handle connection reset scenarios and, when such a function is called, obtaining the connection reset reason description parameter from the reason description parameter newly added to that function.
Step 220, acquiring the connection reset reason description parameter from the context information stored in ctx, and passing ctx to the bpf_get_stackid function.
In this embodiment, the hook function trace_event is first registered for the kernel functions of the three connection reset scenarios above with kprobe/tcp_send_active_reset, kprobe/tcp_v4_send_reset and kprobe/tcp_reset, respectively, and the connection reset reason description parameter is associated with the hook function trace_event. ctx stores the context information of the kprobe invocation; the kernel function parameters can be extracted from ctx to obtain the connection reset reason description parameter, and the corresponding kernel function parameters are thereby obtained from the probed function. In this embodiment, ctx may be regarded as the address of the kernel function that is passed to the hook; the correspondence is established by this passing, so that the parameters of the kernel function, and in turn the corresponding information, can be obtained. For example, with kprobe(tcp_send_active_reset_kprobe, sk, rst_reason) and trace_event(ctx, sk, rst_reason), ctx = tcp_send_active_reset, and the parameters are then passed through as sk = sk and rst_reason = rst_reason.
Step 230, calling the bpf_get_stackid function from the tracing hook function to obtain the context stack of the function that handles the connection reset scenario.
The hook function can call bpf_get_stackid, which is an eBPF interface function, to obtain the stack information of the function that handles the connection reset scenario.
Step 240, obtaining SK and SKB information according to the context stack.
In the Linux kernel, the sk_buff data structure stores and manages a data packet. It is in use from the moment the network card driver receives the packet, through every layer of the kernel network protocol stack, until the user-mode program obtains the data from the kernel.
Thus, the network socket and struct sk_buff structures may be read from the context stack of the function that handles the connection reset scenario.
Step 250, acquiring source address, source port, destination address, destination port and connection state information based on the SK and SKB information.
The corresponding source address, source port, destination address, destination port and connection state information is read from the struct sk_buff structure and the SK structure.
This embodiment refines the acquisition of network connection information with the tracing hook function attached to the function that handles the connection reset scenario as follows: the connection reset reason description parameter is acquired from the context information stored in ctx, and ctx is passed to the bpf_get_stackid function; the tracing hook function calls bpf_get_stackid to obtain the context stack of the function that handles the connection reset scenario; SK and SKB information is obtained from the context stack; and the source address, source port, destination address, destination port and connection state information is acquired from the SK and SKB information. The connection reset information can thus be acquired, and the collected information makes abnormal disconnections easier to analyze and troubleshoot.
In a preferred implementation of this embodiment, the method may further comprise the following step: transferring the source address, source port, destination address, destination port and connection state information from kernel space to user space with a BPF map, and storing it in user space. In this way the information related to the connection reset reaches user space, where the abnormal disconnection can be analyzed and troubleshot.
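The reason enumeration of Example 1 and the kernel-to-user-space transfer of Example 2, seen from the user-space side, as an added example that is not the patent's own code. It parses and validates the records a probe would place in a BPF map; the struct rst_event layout, the rst_hook tag, the numeric enum values (table order) and the TCP_RST_REASON_MAX sentinel are assumptions, and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reason constants from the description's table. Assumptions: numeric values
 * follow table order; TCP_RST_REASON_MAX is a sentinel that is not on the page. */
#define RST_REASONS(X) \
    X(tcp_rst_reason_error_syn) \
    X(tcp_rst_reason_error_ack) \
    X(tcp_rst_reason_error_time_stamp) \
    X(tcp_rst_reason_no_listen_port_socket) \
    X(tcp_rst_reason_data_recv_close_socket) \
    X(tcp_rst_reason_data_send_close_socket) \
    X(tcp_rst_reason_data_send_no_socket) \
    X(tcp_rst_reason_fin_send_close_socket) \
    X(tcp_rst_reason_ack_in_listen_socket) \
    X(tcp_rst_reason_recv_rst) \
    X(tcp_rst_reason_ack_recv_rst) \
    X(tcp_rst_reason_timewait_recv_rst)
#define AS_ENUM(n) n,
#define AS_NAME(n) #n,
enum tcp_rst_reason { RST_REASONS(AS_ENUM) TCP_RST_REASON_MAX };
static const char *const reason_name[] = { RST_REASONS(AS_NAME) };

/* Hypothetical tag written by each kprobe to say which function fired. */
enum rst_hook { HOOK_SEND_ACTIVE_RESET, HOOK_V4_SEND_RESET, HOOK_RESET, HOOK_MAX };
static const char *const hook_name[] = {
    "tcp_send_active_reset", "tcp_v4_send_reset", "tcp_reset" };

/* Kernel TCP state numbers 1..12 (include/net/tcp_states.h). */
static const char *const state_name[] = {
    "", "ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT",
    "CLOSE", "CLOSE_WAIT", "LAST_ACK", "LISTEN", "CLOSING", "NEW_SYN_RECV" };

/* Hypothetical 16-byte BPF map value; addresses and ports in network byte order. */
struct rst_event {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t state, hook, reason, pad;
};

/* Function expected to report a reason, following the description's three cases. */
enum rst_hook rst_expected_hook(enum tcp_rst_reason r)
{
    if (r <= tcp_rst_reason_error_time_stamp) return HOOK_V4_SEND_RESET;         /* abnormal packet */
    if (r <= tcp_rst_reason_ack_in_listen_socket) return HOOK_SEND_ACTIVE_RESET; /* socket anomaly */
    return HOOK_RESET;                                                           /* RST received */
}

/* Returns 0 = valid, 1 = valid but hook and reason disagree, <0 = reject the record. */
int rst_event_parse(const void *buf, size_t len, struct rst_event *ev)
{
    if (len != sizeof(*ev)) return -1;
    memcpy(ev, buf, sizeof(*ev)); /* buf may be unaligned */
    if (ev->reason >= TCP_RST_REASON_MAX || ev->hook >= HOOK_MAX ||
        ev->state < 1 || ev->state > 12) return -2;
    return rst_expected_hook((enum tcp_rst_reason)ev->reason) != (enum rst_hook)ev->hook;
}

/* Renders a record that rst_event_parse() accepted; returns snprintf's result. */
int rst_event_format(const struct rst_event *ev, char *out, size_t outlen)
{
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &ev->saddr, s, sizeof(s)) ||
        !inet_ntop(AF_INET, &ev->daddr, d, sizeof(d))) return -1;
    return snprintf(out, outlen, "%s:%u -> %s:%u state=%s hook=%s reason=%s",
                    s, (unsigned)ntohs(ev->sport), d, (unsigned)ntohs(ev->dport),
                    state_name[ev->state], hook_name[ev->hook], reason_name[ev->reason]);
}

/* Counts accepted records per reason over a batch; returns how many were rejected,
 * counting a trailing partial record as one rejection. */
size_t rst_tally(const uint8_t *buf, size_t len, unsigned counts[TCP_RST_REASON_MAX])
{
    struct rst_event ev;
    size_t bad = 0;
    for (; len >= sizeof(ev); buf += sizeof(ev), len -= sizeof(ev)) {
        if (rst_event_parse(buf, sizeof(ev), &ev) < 0) bad++;
        else counts[ev.reason]++;
    }
    return bad + (len != 0);
}

int main(void)
{
    /* Constructed sample: 192.0.2.10:443 -> 198.51.100.7:51514, a LISTEN-state
     * socket anomaly, and a record with an out-of-range reason. */
    struct rst_event batch[3] = {
        { htonl(0xC000020A), htonl(0xC6336407), htons(443), htons(51514),
          1, HOOK_RESET, tcp_rst_reason_recv_rst, 0 },
        { htonl(0xC6336407), htonl(0xC000020A), htons(51515), htons(443),
          10, HOOK_SEND_ACTIVE_RESET, tcp_rst_reason_ack_in_listen_socket, 0 },
        { 0, 0, 0, 0, 1, HOOK_RESET, 99, 0 } };
    unsigned counts[TCP_RST_REASON_MAX] = { 0 };
    char line[192];
    size_t bad = rst_tally((const uint8_t *)batch, sizeof(batch), counts);
    rst_event_format(&batch[0], line, sizeof(line));
    printf("%s\nrejected=%zu recv_rst=%u\n", line, bad, counts[tcp_rst_reason_recv_rst]);
    return 0;
}
```

A return value of 1 from rst_event_parse marks a record whose reason does not belong to the function that reported it, which points at a probe or kernel patch that assigns rst_reason in the wrong call path.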
Example 3
Fig. 3 is a schematic structural diagram of the network connection reset information acquisition device according to the third embodiment of the present invention. Referring to Fig. 3, the network connection reset information acquisition device includes:
a monitoring module 310, configured to monitor the functions in the Linux kernel network protocol stack that handle connection reset scenarios and, when such a function is called, obtain the connection reset reason description parameter from the reason description parameter newly added to that function;
an obtaining module 320, configured to acquire network connection information with a tracing hook function attached to the function that handles the connection reset scenario, wherein the tracing hook function is associated with the connection reset reason description parameter.
With the network connection reset information acquisition device provided by this embodiment, the functions that handle connection reset scenarios in the Linux kernel network protocol stack are monitored and, when such a function is called, the connection reset reason description parameter is obtained from the reason description parameter newly added to that function; network connection information is acquired with a tracing hook function attached to the function that handles the connection reset scenario, the tracing hook function being associated with the connection reset reason description parameter. The method adds a problem description parameter to the functions that handle connection reset scenarios in the Linux kernel network protocol stack, assigns the parameter according to the calling context, and triggers the monitoring program to extract and collect the current information when a connection reset occurs. The collected connection reset information makes abnormal disconnections easier to analyze and troubleshoot.
On the basis of the above embodiments, the monitoring module includes:
a return unit, configured to return the description parameter of the connection reset reason through the parameter added to the function that handles the connection reset scenario in the Linux kernel, wherein a reason enumeration type is predefined in the Linux kernel and the description constants of the connection reset reasons used in those functions are defined with that enumeration type.
On the basis of the above embodiments, the return unit includes:
a first corresponding return subunit, configured to return, when an RST message is received, the tcp_rst_reason_recv_rst, tcp_rst_reason_ack_recv_rst or tcp_rst_reason_timewait_recv_rst description parameter according to the scenario in the kernel context.
On the basis of the above embodiments, the return unit includes:
a second corresponding return subunit, configured to return, when an abnormal data packet is received, the tcp_rst_reason_error_syn, tcp_rst_reason_error_ack or tcp_rst_reason_error_time_stamp description parameter according to the scenario in the kernel context.
On the basis of the above embodiments, the return unit includes:
a third corresponding return subunit, configured to return, when the socket is abnormal, the tcp_rst_reason_no_listen_port_socket, tcp_rst_reason_data_recv_close_socket, tcp_rst_reason_data_send_close_socket, tcp_rst_reason_data_send_no_socket, tcp_rst_reason_ack_in_listen_socket or tcp_rst_reason_data_send_no_socket description parameter according to the scenario in the kernel context.
On the basis of the above embodiments, the obtaining module includes:
an input unit, configured to acquire the connection reset reason description parameter from the context information stored in ctx, and input the connection reset reason description parameter into the bpf_get_stackid function;
a calling unit, configured to call the bpf_get_stackid function from the tracing hook function to obtain the context stack of the function that handles the connection reset scenario;
an obtaining unit, configured to obtain SK and SKB information from the context stack;
and an information acquisition unit, configured to acquire the source address, source port, destination address, destination port and connection state information from the SK and SKB information.
On the basis of the above embodiments, the functions that handle connection reset scenarios include:
the tcp_send_active_reset, tcp_v4_send_reset and tcp_reset functions, wherein tcp_send_active_reset handles connection resets caused by a socket anomaly; tcp_v4_send_reset handles connection resets caused by an abnormal data packet; and tcp_reset handles connection resets caused by an RST message.
On the basis of the above embodiments, the device further includes:
a transfer module, configured to transfer the source address, source port, destination address, destination port and connection state information from kernel space to user space with a BPF map, and to store it in user space.
The network connection reset information acquisition device provided by the embodiment of the invention can execute the network connection reset information acquisition method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example 4
A fourth embodiment of the present invention also provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform the network connection reset information acquisition method according to any one of the above embodiments.
The computer storage media of embodiments of the invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or device. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (5)

1. A network connection reset information acquisition method, comprising:
monitoring a function for processing a connection reset scene in a Linux kernel network protocol stack, and, when the function for processing the connection reset scene is called, acquiring a connection reset reason description parameter by using the description parameter of the connection reset reason newly added to that function;
acquiring network connection information by using a tracking hook function mounted on the function for processing the connection reset scene, wherein the tracking hook function is associated with the connection reset reason description parameter;
wherein acquiring the connection reset reason description parameter by using the description parameter of the connection reset reason newly added to the function for processing the connection reset scene comprises:
returning the description parameter of the connection reset reason by using the function for processing the connection reset scene in the Linux kernel, wherein a reason enumeration type is predefined in the Linux kernel, and the description parameter of the connection reset reason in the function for processing the connection reset scene is defined by using the reason enumeration type;
wherein returning the description parameter of the connection reset reason by using the function for processing the connection reset scene in the Linux kernel comprises:
when an RST message is received, correspondingly returning the TCP_RST_REASON_RECV_RST, TCP_RST_REASON_ACK_RECV_RST or TCP_RST_REASON_TIMEWAIT_RECV_RST description parameter according to the different scenes of the kernel context; or
When an abnormal data packet is received, according to different scenes of the kernel context, respectively and correspondingly return TCP_RST REASON ERROR SYN REASON ERROR SYN; or alternatively
when the socket is abnormal, correspondingly returning the TCP_RST_REASON_NO_LISTEN_PORT_SOCKET, TCP_RST_REASON_DATA_RECV_CLOSE_SOCKET, TCP_RST_REASON_DATA_SEND_CLOSE_SOCKET, TCP_RST_REASON_DATA_SEND_NO_SOCKET, TCP_RST_REASON_ACK_IN_LISTEN_SOCKET or TCP_RST_REASON_DATA_SEND_NO_SOCKET description parameter according to the different scenes of the kernel context;
wherein acquiring network connection information by using the tracking hook function mounted on the function for processing the connection reset scene comprises:
acquiring the connection reset reason description parameter by using the context information stored in the context structure instance parameter ctx, and passing ctx into the bpf_get_stackid function;
calling the bpf_get_stackid function by using the tracking hook function to obtain the kernel function context stack;
acquiring socket SK and socket cache SKB information according to the context stack;
and acquiring source address, source port, destination address, destination port and connection state information based on the socket SK and socket cache SKB information.
2. The method of claim 1, wherein the function for processing the connection reset scene comprises:
the tcp_send_active_reset, tcp_v4_send_reset and tcp_reset functions, wherein the tcp_send_active_reset function is used for processing connection resets caused by socket abnormality; the tcp_v4_send_reset function is used for processing connection resets caused by abnormal data packets; and the tcp_reset function is used for processing connection resets caused by RST messages.
3. The method according to claim 2, wherein the method further comprises:
transmitting the source address, the source port, the destination address, the destination port and the connection state information from the kernel space to the user space by using the BPF Map, and storing the source address, the source port, the destination address, the destination port and the connection state information in the user space.
4. A network connection reset information acquisition apparatus, characterized by comprising:
The monitoring module is used for monitoring a function for processing a connection reset scene in the Linux kernel network protocol stack, and acquiring a connection reset reason description parameter by utilizing a description parameter of a connection reset reason newly added in the function of the connection reset scene when the function of the connection reset scene is called;
The acquisition module is used for acquiring network connection information by utilizing a tracking hook function mounted for the function of processing the connection resetting scene, wherein the tracking hook function is associated with the connection resetting reason description parameter;
the monitoring module includes:
A return unit, configured to return the description parameter of the connection reset reason by using the function for processing the connection reset scene in the Linux kernel, wherein a reason enumeration type is predefined in the Linux kernel, and the description parameter of the connection reset reason in the function for processing the connection reset scene is defined by using the reason enumeration type;
the return unit includes:
The corresponding return subunit is configured to, when an RST message is received, correspondingly return the TCP_RST_REASON_RECV_RST, TCP_RST_REASON_ACK_RECV_RST or TCP_RST_REASON_TIMEWAIT_RECV_RST description parameter according to the different scenes of the kernel context; or
The first corresponding return subunit is configured to, when an RST message is received, correspondingly return the TCP_RST_REASON_RECV_RST, TCP_RST_REASON_ACK_RECV_RST or TCP_RST_REASON_TIMEWAIT_RECV_RST description parameter according to the different scenes of the kernel context; or
The third corresponding return subunit is configured to, when the socket is abnormal, correspondingly return the TCP_RST_REASON_NO_LISTEN_PORT_SOCKET, TCP_RST_REASON_DATA_RECV_CLOSE_SOCKET, TCP_RST_REASON_DATA_SEND_CLOSE_SOCKET, TCP_RST_REASON_DATA_SEND_NO_SOCKET, TCP_RST_REASON_ACK_IN_LISTEN_SOCKET or TCP_RST_REASON_DATA_SEND_NO_SOCKET description parameter according to the different scenes of the kernel context;
The acquisition module comprises:
An input unit, configured to acquire a connection reset reason description parameter by using context information stored in the context structure instance parameter ctx, and input the connection reset reason description parameter into a bpf_get_stackid function;
A calling unit, configured to call a bpf_get_stackid function to obtain a function context stack for processing a connection reset scene by using the tracking hook function;
An obtaining unit, configured to obtain socket SK and socket cache SKB information according to the context stack;
and the information acquisition unit is used for acquiring the source address, the source port, the destination address, the destination port and the connection state information based on the socket SK and socket cache SKB information.
5. A storage medium containing computer executable instructions which, when executed by a computer processor, are for performing the network connection reset information acquisition method of any of claims 1-3.
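Claim 3 hands the source address, source port, destination address, destination port and connection state to user space through the BPF Map, so the user-space reader has to validate and decode each record before logging it. The following is an added example, not code from the patent, of such a decoder; the 14-byte record layout, the numeric order of the reason values and the name decode_rst_event are assumptions, and the abnormal-data-packet reasons are omitted because their names are not legible on this page.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed record layout: saddr[4] daddr[4] sport[2] dport[2] state[1] reason[1],
 * addresses and ports in network byte order. */
#define RST_EVENT_LEN 14
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
/* Reason names from the claims; their numeric order here is an assumption. */
static const char *const rst_reason_names[] = {
    "TCP_RST_REASON_RECV_RST", "TCP_RST_REASON_ACK_RECV_RST",
    "TCP_RST_REASON_TIMEWAIT_RECV_RST", "TCP_RST_REASON_NO_LISTEN_PORT_SOCKET",
    "TCP_RST_REASON_DATA_RECV_CLOSE_SOCKET", "TCP_RST_REASON_DATA_SEND_CLOSE_SOCKET",
    "TCP_RST_REASON_DATA_SEND_NO_SOCKET", "TCP_RST_REASON_ACK_IN_LISTEN_SOCKET",
};
/* Linux TCP state numbers (TCP_ESTABLISHED = 1, ...); index 0 is unused. */
static const char *const tcp_state_names[] = {
    NULL, "ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT",
    "CLOSE", "CLOSE_WAIT", "LAST_ACK", "LISTEN", "CLOSING", "NEW_SYN_RECV",
};
/* Constructed sample: 10.0.0.5:443 -> 10.0.0.9:51234, ESTABLISHED, reason index 4. */
static const uint8_t sample_rec[RST_EVENT_LEN] = {10,0,0,5, 10,0,0,9, 0x01,0xbb, 0xc8,0x22, 1, 4};

/* Returns 0 on success, -1 on wrong length, unknown state/reason, or too-small out. */
int decode_rst_event(const uint8_t *rec, size_t len, char *out, size_t outlen)
{
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    if (rec == NULL || out == NULL || len != RST_EVENT_LEN)
        return -1;
    uint8_t state = rec[12], reason = rec[13];
    /* Never index the name tables with values that were not range-checked. */
    if (state == 0 || state >= COUNT(tcp_state_names) || reason >= COUNT(rst_reason_names))
        return -1;
    if (!inet_ntop(AF_INET, rec, src, sizeof src) || !inet_ntop(AF_INET, rec + 4, dst, sizeof dst))
        return -1;
    unsigned sport = ((unsigned)rec[8] << 8) | rec[9];
    unsigned dport = ((unsigned)rec[10] << 8) | rec[11];
    int n = snprintf(out, outlen, "%s:%u -> %s:%u state=%s reason=%s", src, sport,
                     dst, dport, tcp_state_names[state], rst_reason_names[reason]);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char line[128];
    if (decode_rst_event(sample_rec, sizeof sample_rec, line, sizeof line) == 0)
        puts(line);
    return 0;
}
```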
CN202410501429.2A 2024-04-25 2024-04-25 Network connection reset information acquisition method, device and storage medium Active CN118101739B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410501429.2A CN118101739B (en) 2024-04-25 2024-04-25 Network connection reset information acquisition method, device and storage medium


Publications (2)

Publication Number Publication Date
CN118101739A CN118101739A (en) 2024-05-28
CN118101739B true CN118101739B (en) 2024-08-13

Family

ID=91155566


Country Status (1)

Country Link
CN (1) CN118101739B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101217493A (en) * 2008-01-08 2008-07-09 北京大学 TCP data package transmission method
CN111800490A (en) * 2020-06-23 2020-10-20 深信服科技股份有限公司 Method and device for acquiring network behavior data and terminal equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105808287B (en) * 2016-02-25 2019-06-18 网宿科技股份有限公司 A kind of method and system for restarting network service
CN115061837B (en) * 2022-08-16 2023-03-14 苏州浪潮智能科技有限公司 Method and device for scheduling, tracking and acquiring user space call stack
CN115664832A (en) * 2022-11-02 2023-01-31 北京指掌易科技有限公司 Network connection processing method, device, equipment and storage medium
CN117041379B (en) * 2023-07-10 2024-04-19 中科驭数(北京)科技有限公司 Method and device for simultaneously monitoring newly-built connection of user mode protocol stack and kernel mode protocol stack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant