CN210780842U - Network flow monitoring and analyzing equipment based on ZYNQ - Google Patents
Network flow monitoring and analyzing equipment based on ZYNQ Download PDFInfo
- Publication number
- CN210780842U CN210780842U CN201921814487.1U CN201921814487U CN210780842U CN 210780842 U CN210780842 U CN 210780842U CN 201921814487 U CN201921814487 U CN 201921814487U CN 210780842 U CN210780842 U CN 210780842U
- Authority
- CN
- China
- Prior art keywords
- module
- network
- clock
- power supply
- analysis
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The utility model discloses a network flow monitoring analytical equipment based on ZYNQ, the utility model discloses a with the integrated structure of modularization, by 10G 40G ethernet input interface module, network data package unpacks module, DDR storage module, PCIE data interface module, the categorised statistical module of network data package, flow table are established and are counted module, custom agreement reconsitution and analytic module, DMA data channel module, ARM treater, 1G ethernet data interface module and clock and power module and constitute. The utility model discloses possess network flow statistics and network flow analysis's function. The user utilizes the equipment, the response speed of flow statistics and analysis is improved, the analysis data can be obtained in real time to take measures, and the pressure of flow analysis of the core analysis equipment can be effectively reduced.
Description
Technical Field
The utility model relates to a network flow, network communication, network information safety and control and heterogeneous processing technology field are applicable to high data flow's core network flow and analytic system, especially a network flow control analytical equipment based on ZYNQ.
Background
Under the age of the rapid development of the internet, the number of internet users and facilities rises dramatically, the demand of a high-speed optical network grows exponentially, and the network traffic is developing towards dynamism and high speed. Therefore, network traffic monitoring is one of the key points in modern network engineering, and it provides network information that is vital to the network to ensure stability, availability and security, and is also a necessary process for performance evaluation, traffic classification and problem detection of the network. In the field of network traffic monitoring, a monitoring device collects basic statistics about network flows and reports them to a central storage collector using a switching protocol such as NetFlow or IPFIX. However, most network traffic monitoring devices only output basic network traffic information, and the information is finally analyzed on a central processing unit and a central server, and under the condition of high-speed traffic centralized analysis, the central server causes analysis delay and poor analysis efficiency. On the other hand, network monitoring systems are very useful tools for network administrators and are classified into two types of monitoring: passive monitoring and active monitoring. Passive monitoring monitors the performance of the entire network by collecting and analyzing the status of the routers and switches that make up the network. The active monitoring is to additionally add data packets to detect the network performance. However, these monitoring methods do not involve real data of network traffic and network packets, and have limitations.
SUMMERY OF THE UTILITY MODEL
The utility model aims at not enough and the network flow control analytical equipment based on ZYNQ that provides to prior art, the utility model discloses a with the integrated structure of modularization, by 10G 40G ethernet input interface module, network data package unpacks module, DDR storage module, PCIE data interface module, the categorised statistical module of network data package, flow table are established and are counted module, custom agreement reconsitution and analytic module, DMA data channel module, ARM treater, 1G ethernet data interface module and clock and power module and constitute. The utility model provides a based on heterogeneous structure-dedicated logic circuit and treater for network flow statistics and network flow analysis, the utility model discloses can monitor and analyze the network data flow up to 40 Gbps. The flow and protocol statistics is realized on hardware, the ARM processor is matched to analyze the network flow and data, the response speed of flow statistics and analysis is improved, the analysis data can be obtained in real time to make measures, and the pressure of flow analysis of core analysis equipment can be effectively reduced.
Realize the utility model discloses the concrete technical scheme of purpose is:
a network flow monitoring and analyzing device based on ZYNQ is characterized by comprising a 10G/40G Ethernet input interface module, a network data packet unpacking module, a DDR storage module, a PCIE data interface module, a network data packet classification and statistics module, a flow table establishing and statistics module, a custom protocol reconstruction and analysis module, a DMA data channel module, an ARM processor, a 1G Ethernet data interface module and a clock and power supply module;
the 10G/40G Ethernet input interface module is respectively connected with the network data packet unpacking module and the clock and power supply module;
the network data packet unpacking module is respectively connected with the network data packet classification and statistics module and the clock and power supply module;
the DDR storage module is respectively connected with the PCIE data interface module, the flow table establishing and counting module and the clock and power supply module;
the PCIE data interface module is respectively connected with the flow table establishing and counting module and the clock and power supply module;
the network data packet classification statistical module is respectively connected with the flow table establishing and statistical module, the self-defined protocol reconstructing and analyzing module and the clock and power supply module;
the flow table establishing and counting module is respectively connected with the self-defined protocol reconstructing and analyzing module and the clock and power supply module;
the self-defined protocol reconstruction and analysis module is respectively connected with the network data packet classification and statistics module, the DMA data channel module and the clock and power supply module;
the DMA data channel module is respectively connected with the ARM processor and the clock and power supply module;
the ARM processor is respectively connected with the 1G Ethernet data interface module and the clock and power supply module;
and the 1G Ethernet data interface module is connected with the clock and power supply module.
The 10G/40G Ethernet input interface module is formed by connecting a 10G/40G network optical interface with a 10G/40G Ethernet PHY core.
The network data packet classification statistical module is formed by connecting a network data packet classifier module with two to four layers of statistical modules and a network data filtering module respectively.
The utility model discloses a with the integrated structure of modularization, by 10G 40G ethernet input interface module, network data package unpacks module, DDR storage module, PCIE data interface module, the categorised statistical module of network data package, flow table are established and are counted module, self-defined agreement reconsitution and analytic module, DMA data channel module, ARM treater, 1G ethernet data interface module and clock and power module and constitute. The utility model provides a based on heterogeneous structure-dedicated logic circuit and treater for network flow statistics and network flow analysis, the utility model discloses can monitor and analyze the network data flow up to 40 Gbps. The flow and protocol statistics is realized on hardware, the ARM processor is matched to analyze the network flow and data, the response speed of flow statistics and analysis is improved, the analysis data can be obtained in real time to make measures, and the pressure of flow analysis of core analysis equipment can be effectively reduced.
The utility model has the advantages of:
the utility model provides a based on heterogeneous structure-dedicated logic circuit and treater, based on ZYNQ's network flow monitoring analytical equipment, can monitor and analyze the network data flow up to 40 Gbps. The flow and protocol statistics is realized on hardware, the ARM processor is matched to analyze the network flow and data, the response speed of flow statistics and analysis is improved, the analysis data can be obtained in real time to make measures, and the pressure of flow analysis of core analysis equipment can be effectively reduced.
At present, the network develops towards the high-speed direction, the network data packet is increasingly complex, and by using the equipment, the network flow can be analyzed and counted completely and effectively at high speed, the attack in the network can be found, and the response can be made in time; based on this device, the analysis pressure of the core analysis server can also be reduced.
Drawings
FIG. 1 is a block diagram of the present invention;
FIG. 2 is a flowchart illustrating the operation of the network packet classification and statistics module of the present invention;
FIG. 3 is a flow chart of the present invention;
fig. 4 is a reference diagram of the usage status of the present invention.
Detailed Description
Referring to fig. 1, the utility model discloses a 10G/40G ethernet input interface module 1, network data package unpack module 2, DDR memory module 3, PCIE data interface module 4, network data package classification statistics module 5, flow table are established and are counted module 6, custom agreement reconsitution and analysis module 7, DMA data channel module 8, ARM treater 9, 1G ethernet data interface module 13 and clock and power module 10;
the 10G/40G Ethernet input interface module 1 is respectively connected with the network data packet unpacking module 2 and the clock and power supply module 10;
the network data packet unpacking module 2 is respectively connected with the network data packet classification statistical module 5 and the clock and power supply module 10;
the DDR storage module 3 is respectively connected with the PCIE data interface module 4, the flow table establishing and counting module 6 and the clock and power supply module 10;
the PCIE data interface module 4 is respectively connected with a flow table establishing and counting module 6 and a clock and power supply module 10;
the network data packet classification statistical module 5 is respectively connected with a flow table establishing and statistical module 6, a self-defined protocol reconstructing and analyzing module 7 and a clock and power supply module 10;
the flow table establishing and counting module 6 is respectively connected with a self-defined protocol reconstructing and analyzing module 7 and a clock and power supply module 10;
the self-defined protocol reconstruction and analysis module 7 is respectively connected with the network data packet classification statistical module 5, the DMA data channel module 8 and the clock and power supply module 10;
the DMA data channel module 8 is respectively connected with the ARM processor 9 and the clock and power supply module 10;
the ARM processor 9 is respectively connected with the 1G Ethernet data interface module 13 and the clock and power supply module 10;
the 1G ethernet data interface module 13 is connected to the clock and power supply module 10.
Referring to fig. 1, the 10G/40G ethernet input interface module 1 is formed by connecting a 10G/40G ethernet optical interface 11 with a 10G/40G ethernet PHY core 12.
Referring to fig. 1, the network packet classifying and counting module 5 is formed by a network packet classifier module 51 respectively connected to a network two-to-four layer counting module 52 and a network data filtering module 53.
Examples
Referring to fig. 4, the utility model discloses the during operation needs a computer to receive and a core switch provides the network data output of mirror image as network flow and analysis result, the utility model discloses a network data of statistics and analysis mirror image port utilizes gigabit ethernet interface to send out statistics and analysis result, receives and shows the result through the network socket program at the computer end.
The utility model discloses a work flow:
referring to fig. 1, the utility model discloses a network flow statistics work flow as follows: the network data packet unpacking module 2 receives the light interface data converted and received by the 10G/40G ethernet input interface module 1 as AX4-Stream data Stream, and after the network data packet unpacking module 2 performs packet header analysis on the network data packet, inputs the control information into the network data packet classifier module 51 in the network data packet classification statistical module 5, and inputs the data information into the network data filter 53. The network packet classifier module 51 classifies different protocol types (including IPv4, IPv6, ICMP, ARP, TCP, UDP, etc.), and outputs classified control information to the network two-to-four layer statistics module 52 and the network data filtering module 53. Calculating and inputting two-to-four-layer protocol information including data length and unit time data flow into a self-defined protocol reconstruction and analysis module 7 in a network two-to-four-layer statistic module 52, filtering data packets in a network data filtering module 53 according to control information output by a network data packet classifier module 51, filtering out the data packets meeting UDP/TCP flow conditions, and entering a flow table establishing and statistic module 6; and dynamically establishing a network flow table in the flow table establishing and counting module 6, carrying out timing statistics on each input flow, outputting information such as network flow, flow distribution and the like of each flow, and inputting the information into the custom protocol reconstruction and analysis module 7. In the self-defined protocol reconstruction and analysis module 7, data reconstruction is carried out on the flow information and the protocol information to form an ARM and logic module communication protocol, and the communication protocol is transmitted to an ARM processor 9 through a DMA data channel module 8; in the ARM processing process 9, the statistical result is used as a data segment to form a UDP packet, and the UDP packet is output from the 1G Ethernet data interface module 13.
Referring to fig. 1, the network traffic analysis workflow of the present invention is as follows: on the basis of the completion of the network flow statistics, the ARM processor 9 analyzes the network flow information sent to the ARM, judges the legality of the flow, and if the flow subjected to illegal attack is detected, the information is formed into a UDP packet which is output from the 1G Ethernet data interface module 13; in addition, according to the analysis result, data of a sensitive stream or a specified application layer protocol type stream (such as HTTP) is acquired, an instruction is sent to the custom protocol reconstruction and analysis module 7 from the ARM processor 9 through the DMA data channel module 8, the flow table establishing and counting module 6 sends a specific network data packet (such as HTTP) required by the ARM to the custom protocol reconstruction and analysis module 7 according to a control command from the custom protocol reconstruction and analysis module 7, and uploads the specific network data packet to the ARM processor 9, and the network data packet required to be subjected to computer auxiliary analysis is cached in the DDR storage module 3 and uploaded to the computer through the PCIE data interface module 4.
Referring to fig. 1 and fig. 2, the working process of the network data packet classification statistical module of the present invention is as follows: inside the network packet classifier module 51, a state machine on the left side of fig. 2 is operated, and the packet header data is sequentially classified and judged according to the input packet header data, and the classification result of each step is output to the network 2-4 layer statistics module 52. Judging a counting request and an internal timer in a network 2-4 layer counting module 52, and counting a corresponding counter according to the type of the counting request when the request comes; and when the timing reaches the rated time, outputting the count values of all the classifiers and emptying the classifiers. The network data filtering module 53 filters and outputs the corresponding TCP or UDP packet and the header information according to the packet type provided by the classifier, and discards other types of packets directly.
Referring to fig. 3, the utility model discloses an operation as follows, for equipment power-on, detect normal back, insert this equipment to mirror image network data input port and statistics analysis result output port respectively with optic fibre and network. And then opening the computer, and opening the application program to display the received network statistical analysis result.
The utility model discloses the statistics of flow and agreement has been realized on the hardware to cooperation ARM treater carries out the analysis to network flow and data, has improved the response speed of flow statistics and analysis, can obtain the analytic data in real time and make the measure, and can effectively alleviate the pressure of core analytical equipment flow analysis.
At present, the network develops towards the high-speed direction, the network data packet is increasingly complex, and by using the equipment, the network flow can be analyzed and counted completely and effectively at high speed, the attack in the network can be found, and the response can be made in time; based on this device, the analysis pressure of the core analysis server can also be reduced.
Claims (3)
1. A network flow monitoring and analyzing device based on ZYNQ is characterized by comprising a 10G/40G Ethernet input interface module (1), a network data packet unpacking module (2), a DDR storage module (3), a PCIE data interface module (4), a network data packet classification and statistics module (5), a flow table establishing and statistics module (6), a custom protocol reconstruction and analysis module (7), a DMA data channel module (8), an ARM processor (9), a 1G Ethernet data interface module (13) and a clock and power supply module (10);
the 10G/40G Ethernet input interface module (1) is respectively connected with the network data packet unpacking module (2) and the clock and power supply module (10);
the network data packet unpacking module (2) is respectively connected with the network data packet classification statistical module (5) and the clock and power supply module (10);
the DDR storage module (3) is respectively connected with the PCIE data interface module (4), the flow table establishing and counting module (6) and the clock and power supply module (10);
the PCIE data interface module (4) is respectively connected with the flow table establishing and counting module (6) and the clock and power supply module (10);
the network data packet classification and statistics module (5) is respectively connected with the flow table establishing and statistics module (6), the custom protocol reconstruction and analysis module (7) and the clock and power supply module (10);
the flow table establishing and counting module (6) is respectively connected with the custom protocol reconstructing and analyzing module (7) and the clock and power supply module (10);
the self-defined protocol reconstruction and analysis module (7) is respectively connected with the network data packet classification and statistics module (5), the DMA data channel module (8) and the clock and power supply module (10);
the DMA data channel module (8) is respectively connected with the ARM processor (9) and the clock and power supply module (10);
the ARM processor (9) is respectively connected with the 1G Ethernet data interface module (13) and the clock and power supply module (10);
the 1G Ethernet data interface module (13) is connected with the clock and power supply module (10).
2. The device according to claim 1, wherein the 10G/40G ethernet input interface module (1) is formed by connecting a 10G/40G ethernet PHY core (12) to a 10G/40G network optical interface (11).
3. The device for monitoring and analyzing network traffic according to claim 1, wherein the network packet classification statistical module (5) is composed of a network packet classifier module (51) respectively connected to a network two-to-four layer statistical module (52) and a network data filtering module (53).
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201921814487.1U CN210780842U (en) | 2019-10-25 | 2019-10-25 | Network flow monitoring and analyzing equipment based on ZYNQ |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201921814487.1U CN210780842U (en) | 2019-10-25 | 2019-10-25 | Network flow monitoring and analyzing equipment based on ZYNQ |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN210780842U true CN210780842U (en) | 2020-06-16 |
Family
ID=71042030
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201921814487.1U Active CN210780842U (en) | 2019-10-25 | 2019-10-25 | Network flow monitoring and analyzing equipment based on ZYNQ |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN210780842U (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113377051A (en) * | 2021-06-18 | 2021-09-10 | 华东师范大学 | Network safety protection equipment based on FPGA |
-
2019
- 2019-10-25 CN CN201921814487.1U patent/CN210780842U/en active Active
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113377051A (en) * | 2021-06-18 | 2021-09-10 | 华东师范大学 | Network safety protection equipment based on FPGA |
| CN113377051B (en) * | 2021-06-18 | 2022-04-05 | 华东师范大学 | Network safety protection equipment based on FPGA |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Svoboda et al. | Network monitoring approaches: An overview | |
| Phan et al. | Sdn-mon: Fine-grained traffic monitoring framework in software-defined networks | |
| Castanheira et al. | Flowstalker: Comprehensive traffic flow monitoring on the data plane using p4 | |
| CN103067218B (en) | A kind of express network packet content analytical equipment | |
| CN103444132A (en) | Network system, and switching method | |
| CN102223263A (en) | Method and device for monitoring packet loss rate based on an FPGA (Field Programmable Gate Array) | |
| CN111049843A (en) | Intelligent substation network abnormal flow analysis method | |
| CN110191024B (en) | Network traffic monitoring method and device | |
| CN110798345A (en) | Network flow monitoring and analyzing equipment based on ZYNQ | |
| CN102215102A (en) | Method and applications of network monitoring data packet with timestamp | |
| CN103997439A (en) | Flow monitoring method, device and system | |
| CN110061999A (en) | A kind of network data security analysis ancillary equipment based on ZYNQ | |
| CN106572190A (en) | Autonomous collection method for operational data of information communication | |
| CN210780842U (en) | Network flow monitoring and analyzing equipment based on ZYNQ | |
| CN115484047A (en) | Method, device, equipment and storage medium for identifying flooding attack in cloud platform | |
| Coppens et al. | Scampi-a scaleable monitoring platform for the internet | |
| CN111726410B (en) | Programmable real-time computing and network load sensing method for decentralized computing network | |
| Forconesi et al. | Accurate and flexible flow-based monitoring for high-speed networks | |
| CN113377051B (en) | Network safety protection equipment based on FPGA | |
| CN209913856U (en) | Network data security analysis auxiliary assembly based on ZYNQ | |
| CN111800311B (en) | Real-time sensing method for decentralized computing state | |
| Kamamura et al. | Fast xFlow proxy: Exploring and visualizing deep inside of carrier traffic | |
| KR100862727B1 (en) | Method and system for traffic analysis | |
| Silva et al. | A modular traffic sampling architecture: bringing versatility and efficiency to massive traffic analysis | |
| Ehrlich et al. | Passive flow monitoring of hybrid network connections regarding quality of service parameters for the industrial automation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| GR01 | Patent grant | ||
| GR01 | Patent grant |