WO2016082380A1 - Network data packet processing method and apparatus - Google Patents


Info

Publication number
WO2016082380A1
Authority
WO
WIPO (PCT)
Prior art keywords
protocol
data packet
open system
osi layer
port
Application number
PCT/CN2015/074632
Other languages
French (fr)
Chinese (zh)
Inventor
赵先进
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Publication of WO2016082380A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • The present invention relates to the field of network communications, and in particular to a network packet processing method and apparatus.
  • As the Internet develops ever faster and the amount of information grows, large volumes of invalid data reduce the efficiency of network monitoring, and the processing capacity demanded of Ethernet devices keeps increasing. Besides plain data forwarding, today's Ethernet devices also have to co-process protocol packets. On Ethernet switches that are not high-end, much of the protocol processing and network management traffic is handled by the central processing unit (CPU) that comes with the switch. This structure greatly enhances the functions of a Layer 2 Ethernet switch, but it also places a heavy load and a security exposure on the CPU, which makes the CPU prone to hanging and greatly reduces the reliability of the system.
  • For example, the CPU must run a protocol stack to support protocols such as ARP (Address Resolution Protocol), ICMP (Internet Control Message Protocol) and IGMP (Internet Group Management Protocol). When packets arrive at too high a rate, the high priority of the receive and transmit interrupts puts a heavy burden on the CPU, so the device management functions can no longer be performed normally; in that situation an external attacker also has an easy opening, since sending Ethernet broadcast or multicast packets is enough to flood the network.
  • Packet filtering or packet capture mainly compares the protocol field information in a packet's header against filtering or capture rules in order to decide how the packet is handled.
  • Packet filtering is a general-purpose, inexpensive and effective security tool. It does not need a special processing method for each specific network service and applies to all network services.
  • The packet filtering or capture methods used in the prior art are often designed for one special case, have a narrow range of application, and use complicated filtering or capture algorithms of low efficiency.
  • The present invention therefore provides a network packet processing method and apparatus that simplify the process of deciding which packets must be captured and suit most situations in which packets need to be filtered or captured.
  • Based on the above object, the network packet processing method provided by the present invention includes the following steps: determine the port on which a packet was received and the packet's protocol information; decide, according to the protocol rules in a preset retrieval data table for the packets that this port needs to capture, whether the received packet needs to be captured; and, when it is determined that the packet needs to be captured, capture the packet and perform preset security processing on it.
  • In this embodiment, deciding whether the received packet needs to be captured according to the protocol rules of the packets the port needs to capture in the preset retrieval data table specifically includes: looking up, by the port on which the packet was received, the protocol rules for the packets that port needs to capture in the preset retrieval data table; and, if the retrieval data table contains a protocol rule record in which the protocol specified for each Open Systems Interconnection (OSI) layer agrees with the protocol used at each OSI layer of the received packet, determining that the received packet needs to be captured. A protocol rule record lists at least one protocol used at at least one OSI layer of the packets to be captured.
  • In this embodiment, before determining the port and protocol information of the received packet, the method further includes: adding to the retrieval data table at least one protocol rule record for the packets the port needs to capture; and, in the newly added protocol rule record, setting the protocol type used at at least one OSI layer of the packets to be captured.
  • In this embodiment, the at least one OSI layer includes OSI layer 2, OSI layer 3 and OSI layer 4.
  • In this embodiment, a protocol rule record includes, for each OSI layer, a label (flag) and a protocol type number; the label indicates whether the protocol type of that OSI layer is empty, and the protocol type number identifies the protocol type of that OSI layer.
  • The present invention also provides a network packet processing apparatus, including: a packet parsing module, configured to determine the port on which a packet was received and the packet's protocol information; a capture judging module, configured to decide, according to the protocol rules in a preset retrieval data table for the packets that the port needs to capture, whether the received packet needs to be captured; and a packet processing module, configured to capture the packet and perform preset security processing on it when it is determined that the packet needs to be captured.
  • In this embodiment, the capture judging module specifically includes: a protocol rule lookup unit, configured to look up, by the port on which the packet was received, the protocol rules for the packets that port needs to capture in the preset retrieval data table; and a capture determining unit, configured to determine from the retrieval data table that the received packet needs to be captured when there is a protocol rule record in which the protocol specified for each OSI layer agrees with the protocol used at each OSI layer of the received packet. A protocol rule record lists at least one protocol used at at least one OSI layer of the packets to be captured.
  • In this embodiment, the apparatus further includes: a port creation module, configured to add to the retrieval data table at least one protocol rule record for the packets the port needs to capture; and a protocol rule record adding module, configured to set, in the newly added protocol rule record, the protocol type used at at least one OSI layer of the packets to be captured.
  • In this embodiment, the at least one OSI layer includes OSI layer 2, OSI layer 3 and OSI layer 4.
  • In this embodiment, a protocol rule record includes, for each OSI layer, a label (flag) and a protocol type number; the label indicates whether the protocol type of that OSI layer is empty, and the protocol type number identifies the protocol type of that OSI layer.
  • As can be seen from the above, the packet filtering method and apparatus provided by the present invention record the protocol rules of the packets to be filtered in a data table, so that when a packet is received only a lookup in the retrieval data table is needed. The method is simple and matches filtering rules effectively; ports and protocols are easy to add to the retrieval data table; the capture and filtering overhead and delay are small; the approach has a wide range of application and is easy to optimize; it does not affect the stability or reliability of the network; and it can also be applied to firewalls, network access servers and other applications that need to filter or capture packets quickly.
  • FIG. 1 is a schematic flowchart of a network packet filtering method according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of a port retrieval table according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of a protocol rule retrieval table according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a protocol rule record according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of a network packet filtering apparatus according to an embodiment of the present invention.
  • The present invention first provides a network packet filtering method, including the steps shown in FIG. 1:
  • Step 101: Determine the port on which the packet was received and the packet's protocol information.
  • Step 102: Decide, according to the protocol rules in the preset retrieval data table for the packets that this port needs to capture, whether the received packet needs to be captured.
  • Step 103: When it is determined that the packet needs to be captured, perform preset security processing on the packet.
  • The network packet filtering method provided by the present invention decides whether a received packet needs to be captured by searching the preset retrieval data table for an entry that matches the protocol information carried in the received packet. It suits most scenarios in which packets need to be captured, and the lookup is simple and efficient: when many packets are received, the functions of the network device are not affected by an overloaded CPU.
  • Through this simple and effective packet capture method the invention better meets current requirements and prevents the CPU co-processing load from becoming so heavy that it affects the management functions of the Ethernet switch.
  • The retrieval data table holds, for each kind of packet that needs to be filtered, a corresponding filtering rule; the rule specifies the protocol that the packet to be filtered uses at each relevant OSI layer.
  • The preset security processing may be a security check on the packet, or processing such as filtering and discarding it.
  • In this embodiment, deciding whether the received packet needs to be captured according to the protocol rules of the packets the port needs to capture in the preset retrieval data table includes: looking up, by the port on which the packet was received, the protocol rules for the packets that port needs to capture in the preset retrieval data table; and, if there is a protocol rule record in which the protocol specified for each OSI layer agrees with the protocol used at each OSI layer of the received packet, determining that the received packet needs to be captured.
  • The preset retrieval data table may consist of a port retrieval table and a protocol rule retrieval table. The port retrieval table contains the port number and port name of one or more ports, each corresponding to a port to which packets are sent. The port number of every port recorded in the port retrieval table can be found in the protocol rule retrieval table, so that when a received packet is destined for one of those ports its protocol rule records can be found there; if a matching protocol rule record is retrieved from the protocol rule retrieval table, the received packet is determined to need capture because it may pose a security risk.
  • In this embodiment, before determining the port and protocol information of the received packet, the method further includes: adding to the retrieval data table at least one protocol rule record for the packets the port needs to capture; and, in the newly added protocol rule record, setting the protocol type used at at least one OSI layer of the packets to be captured.
  • The structure of the port retrieval table is shown in FIG. 2: it contains one or more port names and port numbers, and each port number corresponds to a port name and to a protocol rule retrieval table as shown in FIG. 3, in which one or more protocol rule records are set.
  • For example, to add a port named ETH0 with port number 0 and filter the packets sent to ETH0, a record with port name ETH0 and port number 0 is added to the port retrieval table of FIG. 2, and a corresponding protocol rule retrieval table as shown in FIG. 3 is created with one or more protocol rule records for that port. When the port on which a packet is received has port name ETH0 and port number 0, the protocol rule records in that protocol rule retrieval table are retrieved to decide whether the packet needs to be captured. When the filtering rule required for ETH0 is the ARP protocol, a protocol rule record for ARP is created in the corresponding protocol rule retrieval table.
  • In this embodiment, the at least one OSI layer includes OSI layer 2, OSI layer 3 and OSI layer 4.
  • In this embodiment, a protocol rule record includes, for each OSI layer, a label (flag) and a protocol type number; the label indicates whether the protocol type of that OSI layer is empty, and the protocol type number identifies the protocol type of that OSI layer.
  • Specifically, each protocol rule record contains the following items: protocol name, OSI layer 2 protocol type number, OSI layer 2 label, OSI layer 3 protocol type number, OSI layer 3 label, OSI layer 4 protocol type number, OSI layer 4 label.
  • The label indicates whether the protocol type of the corresponding OSI layer is empty. For example, when a protocol rule record specifies the OSI layer 2 protocol type but the OSI layer 3 and OSI layer 4 protocol types are empty or invalid, the OSI layer 3 label and the OSI layer 4 label in that record indicate that the layer 3 protocol type is empty or invalid and that the layer 4 protocol type is empty or invalid.
  • A label of 0 indicates that the protocol type of the corresponding OSI layer is valid; a label of 1 indicates that it is invalid; a protocol type number of 0 indicates that the protocol type of the corresponding OSI layer is empty.
  • For the ARP rule described above, the corresponding protocol rule record is: protocol name ARP; OSI layer 2 protocol type number 0x0806 and OSI layer 2 label 0; OSI layer 3 protocol type number 0x0 and OSI layer 3 label 1; OSI layer 4 protocol type number 0x0 and OSI layer 4 label 1. This protocol rule record is shown in FIG. 4.
  • Specifically, the method includes the following steps:
  • Step 201: Receive a packet to be sent to the port.
  • Step 202: Parse the packet to obtain the port number and the protocol header information. For example, the received packet is an ARP packet; parsing shows that the packet is to be sent to port name ETH0, port number 0, and that its layer 2 protocol type number is 0x0806.
  • Step 203: From the preset retrieval data table obtain the port corresponding to the port number and the protocol rule records corresponding to that port, and obtain the OSI layer 2, OSI layer 3 and OSI layer 4 protocol types of the packet. In the example, the protocol rule records corresponding to ETH0 are found in the preset retrieval data table, and among them, as shown in FIG. 4, a record with layer 2 protocol type number 0x0806 is found.
  • Step 204: Look up the OSI layer 2 protocol type in the protocol rule record.
  • Step 205: If the OSI layer 2 protocol type recorded in the protocol rule record matches the OSI layer 2 protocol type used by the packet, look up the OSI layer 3 protocol type in the protocol rule record. In the example, the packet's layer 2 protocol type is 0x0806 and its layer 3 and layer 4 protocol types are empty; if there is a protocol rule record whose layer 2 protocol type number is 0x0806 and whose layer 3 and layer 4 protocol types are empty, the received packet agrees with that protocol rule record.
  • Step 206: If the OSI layer 3 protocol type of the packet is not empty, look among the OSI layer 3 protocol types recorded in the protocol rule record for an entry matching the packet's OSI layer 3 protocol type.
  • Step 207: If the protocol rule record contains an entry matching the packet's OSI layer 3 protocol type, look up the OSI layer 4 protocol type in the protocol rule record.
  • Step 208: If the OSI layer 4 protocol type of the packet is not empty, look among the OSI layer 4 protocol types recorded in the protocol rule record for an entry matching the packet's OSI layer 4 protocol type. When a matching entry is found, the protocol type of the corresponding OSI layer in the protocol rule record is considered identical to the protocol type of the corresponding OSI layer of the packet.
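The two-table lookup described for ETH0 above (the port retrieval table of FIG. 2, the protocol rule retrieval table of FIG. 3, the ARP record of FIG. 4) and the per-layer comparison of Steps 201 to 208, written out as runnable code. This is an added example, not ZTE's code and not taken from the patent. Everything beyond the page's ARP case is an assumption: the mapping of "layer 2 type" to the EtherType, "layer 3 type" to the IPv4 protocol field and "layer 4 type" to the TCP/UDP destination port; the ICMP and DNS rules; the first-match-wins order; and the sample frames, which are constructed here. It implements the strict reading the page gives for ARP: a rule layer labelled empty agrees only with a packet that has no protocol at that layer.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

VALID, EMPTY = 0, 1          # label values from the page: 0 = protocol type valid, 1 = empty/invalid
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17

@dataclass(frozen=True)
class ProtocolRuleRecord:
    """One row of the protocol rule retrieval table, in the field order of FIG. 4."""
    name: str
    l2_type: int
    l2_label: int
    l3_type: int
    l3_label: int
    l4_type: int
    l4_label: int

@dataclass(frozen=True)
class ParsedPacket:
    """Output of the packet parsing module; None means the packet has no protocol at that layer."""
    port: int
    l2_type: Optional[int]
    l3_type: Optional[int]
    l4_type: Optional[int]

class RetrievalDataTable:
    """Port retrieval table (FIG. 2) plus one protocol rule retrieval table per port (FIG. 3)."""
    def __init__(self) -> None:
        self.port_table: Dict[int, str] = {}
        self.rule_table: Dict[int, List[ProtocolRuleRecord]] = {}

    def add_port(self, number: int, name: str) -> None:          # port creation module
        self.port_table[number] = name
        self.rule_table.setdefault(number, [])

    def add_rule(self, port: int, name: str, l2: Optional[int],   # protocol rule record adding module
                 l3: Optional[int] = None, l4: Optional[int] = None) -> ProtocolRuleRecord:
        if port not in self.port_table:
            raise KeyError(f"port {port} is not in the port retrieval table")
        def field(value: Optional[int]):  # absent layer -> type number 0 with label EMPTY
            return (0, EMPTY) if value is None else (value, VALID)
        rec = ProtocolRuleRecord(name, *field(l2), *field(l3), *field(l4))
        self.rule_table[port].append(rec)
        return rec

def parse_frame(port: int, frame: bytes) -> ParsedPacket:
    """Packet parsing module (Step 202). Assumed mapping, not stated on the page: L2 type = EtherType,
    L3 type = IPv4 protocol field, L4 type = TCP/UDP destination port. VLAN tags and IPv6 are not
    handled here; a frame too short to parse is treated as having no protocol at any layer."""
    if len(frame) < 14:
        return ParsedPacket(port, None, None, None)
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    l3 = l4 = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4
        l3 = frame[14 + 9]
        l4_off = 14 + ihl
        if ihl >= 20 and l3 in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4_off + 4:
            l4 = struct.unpack_from("!H", frame, l4_off + 2)[0]
    return ParsedPacket(port, ethertype, l3, l4)

def layer_matches(rule_type: int, rule_label: int, pkt_type: Optional[int]) -> bool:
    """One layer of Steps 204-208: a layer labelled EMPTY in the rule agrees only with a packet
    that has no protocol at that layer (the page's ARP case); otherwise the type numbers must be equal."""
    if rule_label == EMPTY:
        return pkt_type is None
    return pkt_type == rule_type

def find_matching_rule(table: RetrievalDataTable, pkt: ParsedPacket) -> Optional[ProtocolRuleRecord]:
    """Capture judging module (Steps 203-208): first record on the packet's port agreeing at L2, L3 and L4."""
    for rec in table.rule_table.get(pkt.port, []):   # port not in the table -> no rules -> not captured
        if (layer_matches(rec.l2_type, rec.l2_label, pkt.l2_type)
                and layer_matches(rec.l3_type, rec.l3_label, pkt.l3_type)
                and layer_matches(rec.l4_type, rec.l4_label, pkt.l4_type)):
            return rec
    return None

def process(table: RetrievalDataTable, port: int, frame: bytes) -> str:
    """Steps 101-103: 'captured:<rule>' means the preset security processing applies."""
    rec = find_matching_rule(table, parse_frame(port, frame))
    return f"captured:{rec.name}" if rec else "forwarded"

# Constructed sample frames (not captures from the page).
SRC_MAC = bytes.fromhex("001122334455")

def _eth(dst: bytes, ethertype: int) -> bytes:
    return dst + SRC_MAC + struct.pack("!H", ethertype)

def _ipv4(proto: int, payload: bytes) -> bytes:   # 20-byte IPv4 header, protocol field at offset 9
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes.fromhex("c0a80101"), bytes.fromhex("c0a80102"))
    return _eth(bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4) + hdr + payload

ARP_FRAME = _eth(b"\xff" * 6, ETHERTYPE_ARP) + bytes.fromhex(
    "0001080006040001" "001122334455" "c0a80101" "000000000000" "c0a80102")   # ARP who-has
ICMP_FRAME = _ipv4(IPPROTO_ICMP, bytes.fromhex("0800f7ff00000000"))           # ICMP echo request
DNS_FRAME = _ipv4(IPPROTO_UDP, struct.pack("!HHHH", 4000, 53, 8, 0))           # UDP to port 53

def build_demo_table() -> RetrievalDataTable:
    """Port ETH0 = 0 with the page's ARP record, plus assumed ICMP and DNS records to exercise L3 and L4."""
    table = RetrievalDataTable()
    table.add_port(0, "ETH0")
    table.add_rule(0, "ARP", ETHERTYPE_ARP)                     # FIG. 4 record: 0x0806/0, 0x0/1, 0x0/1
    table.add_rule(0, "ICMP", ETHERTYPE_IPV4, IPPROTO_ICMP)     # assumed rule
    table.add_rule(0, "DNS", ETHERTYPE_IPV4, IPPROTO_UDP, 53)   # assumed rule
    return table

if __name__ == "__main__":
    demo = build_demo_table()
    for label, frame in (("ARP", ARP_FRAME), ("ICMP", ICMP_FRAME), ("DNS", DNS_FRAME)):
        print(f"{label} on ETH0 -> {process(demo, 0, frame)}")
    print(f"ARP on ETH1 -> {process(demo, 1, ARP_FRAME)}")     # port absent from the table
```

Two points worth checking before reusing this shape in a real switch CPU path. First, `layer_matches` is where the semantics of an empty label live: with the strict reading above, an "IPv4 with layer 3 empty" record would not match ICMP or UDP traffic, so if a rule is meant to act as a wildcard over the higher layers that function has to be changed deliberately rather than by accident. Second, the classification keys only on header fields the sender wrote, so a match means the packet claims to be ARP, ICMP or DNS; that is why the page routes a hit to "preset security processing" instead of treating the rule hit itself as a verdict.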
  • The present invention also provides a network packet processing apparatus, whose structure is shown in FIG. 5, including: a packet parsing module, configured to determine the port on which a packet was received and the packet's protocol information; a capture judging module, configured to decide, according to the protocol rules in a preset retrieval data table for the packets that the port needs to capture, whether the received packet needs to be captured; and a packet processing module, configured to capture the packet and perform preset security processing on it when it is determined that the packet needs to be captured.
  • In this embodiment, the capture judging module specifically includes: a protocol rule lookup unit, configured to look up, by the port on which the packet was received, the protocol rules for the packets that port needs to capture in the preset retrieval data table; and a capture determining unit, configured to determine from the retrieval data table that the received packet needs to be captured when there is a protocol rule record in which the protocol specified for each OSI layer agrees with the protocol used at each OSI layer of the received packet. A protocol rule record lists at least one protocol used at at least one OSI layer of the packets to be captured.
  • In this embodiment, the apparatus further includes: a port creation module, configured to add to the retrieval data table at least one protocol rule record for the packets the port needs to capture; and a protocol rule record adding module, configured to set, in the newly added protocol rule record, the protocol type used at at least one OSI layer of the packets to be captured.
  • In this embodiment, the at least one OSI layer includes OSI layer 2, OSI layer 3 and OSI layer 4.
  • In this embodiment, a protocol rule record includes, for each OSI layer, a label (flag) and a protocol type number; the label indicates whether the protocol type of that OSI layer is empty, and the protocol type number identifies the protocol type of that OSI layer.
  • In summary, the method and apparatus record in a data table the protocol rules of the packets to be filtered, so that when a packet is received only a lookup in the retrieval data table is needed. The method is simple and matches filtering rules effectively; ports and protocols are easy to add to the retrieval data table; the capture and filtering overhead and delay are small; the approach has a wide range of application and is easy to optimize; it does not affect the stability or reliability of the network; and it can also be applied to firewalls, network access servers and other applications that need to filter or capture packets quickly.

Abstract

The present invention provides a network data packet processing method and apparatus. The method comprises the following steps: determining a port that receives a data packet as well as packet protocol information (101); determining, according to a protocol rule of a data packet that needs to be captured by the port in a preset retrieval data table, whether the received data packet needs to be captured (102); and when it is determined that the data packet needs to be captured, capturing the data packet and performing preset security processing on the data packet (103). The apparatus comprises a data packet parsing module, a capture determining module, and a data packet processing module. The method and the apparatus provided in the present invention can simplify a determining process of a data packet that needs to be captured, and are applicable to most conditions in which a data packet needs to be filtered or captured.

Description

一种网络数据包处理方法及装置Network data packet processing method and device 技术领域Technical field
本发明涉及网络通信领域,尤其涉及一种网络数据包处理方法及装置。The present invention relates to the field of network communications, and in particular, to a network packet processing method and apparatus.
背景技术Background technique
随着互联网络的发展越来越快,信息量的增大,大量的无效数据降低了网络监控的效率,它对以太网设备的处理能力要求也不断增长。现在的以太网络设备除了单纯的数据转发之外,还需要提供协议数据包的协处理能力。对于那些不是很高端的以太网交换机而言,很多协议处理和网络管理数据都是由以太网交换机附带的中央处理器(CPU)来进行的。这种结构极大的增强了二层以太网交换机的功能,但是同时也给CPU带来了严重负荷和安全隐患,造成CPU容易死机从而大大的降低了系统的可靠性。例如CPU必需运行一个协议栈来支持ARP(Address Resolution Protocol,地址解析协议)、ICMP(Internet Control Message Protocol,网络控制报文协议)、IGMP(Internet Group Management Protocol,网际组管理协议)等各种协议包功能,当数据包传输的速率过大时,由于收发包中断优先级高,此时会对CPU造成很大的负担,从而导致无法正常完成管理设备的功能,而且在这种情况下还很容易给外部恶意攻击者带来可乘之机,他们可以通过发送以太网广播或者组播数据包造成网络上的洪泛。With the development of the Internet faster and faster, the amount of information increases, a large amount of invalid data reduces the efficiency of network monitoring, and its processing capacity requirements for Ethernet devices are also growing. In addition to pure data forwarding, today's Ethernet devices also need to provide the co-processing capability of protocol packets. For Ethernet switches that are not very high-end, many protocol processing and network management data are performed by the central processing unit (CPU) that comes with the Ethernet switch. This structure greatly enhances the functions of the Layer 2 Ethernet switch, but it also brings serious load and security risks to the CPU, which causes the CPU to crash easily and greatly reduces the reliability of the system. For example, the CPU must run a protocol stack to support various protocols such as ARP (Address Resolution Protocol), ICMP (Internet Control Message Protocol), and IGMP (Internet Group Management Protocol). The packet function, when the rate of data packet transmission is too large, because the priority of the packet transmission interruption is high, the CPU will be greatly burdened, which may result in the failure to complete the function of the management device, and in this case, It is easy for external malicious attackers to take advantage of the fact that they can flood the network by sending Ethernet broadcasts or multicast packets.
考虑到上述风险,对网络数据包的捕获和过滤就变的尤为必要了。包过滤或包捕获主要是对数据包的包头中的协议字段信息和过滤或捕获规则进行比较来实现数据包的过滤。数据包过滤是一种通用、廉价和有效的安全手段。它不是针对各个具体的网络服务采用特殊的处理方式,适用于所有的网络服务。现有技术中所采用的包过滤或包捕获方法,往往只是针对一种特殊情况,适应范围较窄,且过滤或捕获算法复杂,效率较低。In view of the above risks, the capture and filtering of network packets becomes more necessary. Packet filtering or packet capture is mainly to compare the protocol field information in the packet header of the packet with the filtering or capturing rules to achieve filtering of the packet. Packet filtering is a versatile, inexpensive and effective security tool. It does not use a special processing method for each specific network service, and is applicable to all network services. The packet filtering or packet capturing method used in the prior art is often only for a special case, the adaptation range is narrow, and the filtering or capturing algorithm is complicated and the efficiency is low.
发明内容Summary of the invention
有鉴于此,本发明提供一种网络数据包处理方法及装置,能够简化需要捕获的数据包的确定过程,适应大多数需要数据包过滤或捕获的情况。In view of this, the present invention provides a network packet processing method and apparatus, which can simplify the process of determining a data packet to be captured, and adapt to most situations in which data packet filtering or capturing is required.
基于上述目的本发明提供的一种网络数据包处理方法,包括如下步骤:A network packet processing method provided by the present invention based on the above object includes the following steps:
确定接收到数据包的端口和包协议信息; Determine the port and packet protocol information of the received packet;
根据预设的检索数据表中,所述端口所需要捕获的数据包的协议规则,判断所接收到的数据包是否需要捕获;Determining whether the received data packet needs to be captured according to a protocol rule of the data packet that the port needs to capture in the preset retrieval data table;
当确定所述数据包需要捕获时,捕获所述数据包并对所述数据包执行预设的安全处理。When it is determined that the data packet needs to be captured, the data packet is captured and a predetermined security process is performed on the data packet.
在本实施例中,根据预设的检索数据表中、所述端口所需要捕获的数据包的协议规则、判断所接收到的数据包是否需要捕获的步骤具体包括:In this embodiment, the step of determining whether the received data packet needs to be captured according to the protocol rule of the data packet that is required to be captured by the port in the preset search data table includes:
根据接收到数据包的端口,在预设的检索数据表中查找该端口所需要捕获的数据包的协议规则;According to the port that receives the data packet, look up the protocol rule of the data packet that the port needs to capture in the preset retrieval data table;
根据检索数据表,当存在一条协议规则记录中规定的各开放式系统互联OSI层协议与接收到的数据包各开放式系统互联OSI(Open System Interconnection)层所采用的协议一致时,确定接收到的数据包需要捕获;According to the retrieval data table, when there is a protocol protocol record, each open system interconnection OSI layer protocol is consistent with the protocol adopted by each open system interconnection layer OSI (Open System Interconnection) layer of the received data packet, it is determined to receive Packets need to be captured;
所述协议规则记录需要捕获的数据包的至少一个开放式系统互联OSI层所采用的至少一种协议。The protocol rules record at least one protocol employed by at least one open system interconnect OSI layer of the data packet to be captured.
在本实施例中,确定接收到数据包的端口和包协议信息之前,还包括:In this embodiment, before determining the port and the packet protocol information of the received data packet, the method further includes:
在所述检索数据表中,添加所述端口所需要捕获的数据包的至少一条协议规则记录;Adding at least one protocol rule record of the data packet that the port needs to capture in the retrieval data table;
在新添加的协议规则记录中,设置需要捕获的数据包的至少一个开放式系统互联OSI层所采用的协议类型。In the newly added protocol rule record, the protocol type used by at least one open system interconnection OSI layer of the data packet to be captured is set.
在本实施例中,所述至少一个开放式系统互联OSI层包括开放式系统互联OSI二层、开放式系统互联OSI三层、开放式系统互联OSI四层。In this embodiment, the at least one open system interconnection OSI layer includes an open system interconnection OSI layer 2, an open system interconnection OSI layer 3, and an open system interconnection OSI layer 4.
在本实施例中,所述协议规则记录包括各开放式系统互联OSI层标号和各开放式系统互联OSI层标号协议类型号;所述标号用于指示相应的开放式系统互联OSI层协议类型是否为空;所述协议类型号用于指示相应的开放式系统OSI层的协议类型。In this embodiment, the protocol rule record includes each open system interconnection OSI layer label and each open system interconnection OSI layer label protocol type number; the label is used to indicate whether the corresponding open system interconnection OSI layer protocol type is Empty; the protocol type number is used to indicate the protocol type of the corresponding open system OSI layer.
同时,本发明提供一种网络数据包处理装置,包括:In the meantime, the present invention provides a network packet processing apparatus, including:
数据包解析模块:设置为确定接收到数据包的端口和包协议信息; Packet parsing module: set to determine the port and packet protocol information of the received packet;
捕获判断模块:设置为根据预设的检索数据表中,所述端口所需要捕获的数据包的协议规则,判断所接收到的数据包是否需要捕获;The capture judging module is configured to determine, according to a protocol rule of the data packet that the port needs to capture in the preset search data table, whether the received data packet needs to be captured;
数据包处理模块:设置为当确定所述数据包需要捕获时,捕获所述数据包并对所述数据包执行预设的安全处理。Packet processing module: configured to capture the data packet and perform a predetermined security process on the data packet when it is determined that the data packet needs to be captured.
在本实施例中,所述捕获判断模块具体包括:In this embodiment, the capture determining module specifically includes:
Protocol rule lookup unit: configured to look up, in the preset retrieval data table, the protocol rules for the data packets that the port needs to capture, according to the port on which the data packet was received;
Capture determining unit: configured to determine, according to the retrieval data table, that the received data packet needs to be captured when there exists a protocol rule record in which the protocol specified for each Open Systems Interconnection (OSI) layer is consistent with the protocol used by the corresponding OSI layer of the received data packet;
where the protocol rule record records at least one protocol used by at least one OSI layer of the data packet to be captured.
In this embodiment, the apparatus further includes:
Port creation module: configured to add, in the retrieval data table, at least one protocol rule record for the data packets that the port needs to capture;
Protocol rule record adding module: configured to set, in the newly added protocol rule record, the protocol type used by at least one OSI layer of the data packet to be captured.
In this embodiment, the at least one OSI layer includes OSI layer 2, OSI layer 3 and OSI layer 4.
In this embodiment, the protocol rule record includes, for each OSI layer, a label and a protocol type number; the label indicates whether the protocol type of the corresponding OSI layer is empty, and the protocol type number indicates the protocol type of the corresponding OSI layer.
As can be seen from the above, the packet filtering method and apparatus provided by the present invention use a data table to record the protocol rules used by the data packets to be filtered, so that when a data packet is received only a lookup in the retrieval data table is needed. The method is simple and matches filtering rules effectively; ports and protocols are easily added to the retrieval data table; packet capture and filtering incur low overhead and low latency, apply to a wide range of scenarios, are easy to optimise and do not affect the stability and reliability of the network. The method can also be applied to firewalls, network access servers and other applications that need to filter or capture data packets quickly.
Description of the drawings
FIG. 1 is a schematic flowchart of a network packet filtering method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a port retrieval table according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a protocol rule retrieval table according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a protocol rule record according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a network packet filtering apparatus according to an embodiment of the present invention.
Detailed description
In order to provide an effective implementation, the present invention provides the following embodiments, which are described below with reference to the accompanying drawings.
The present invention first provides a network packet filtering method, including the steps shown in FIG. 1:
Step 101: determine the port on which the data packet was received and the packet protocol information;
Step 102: determine, according to the protocol rules in the preset retrieval data table for the data packets that the port needs to capture, whether the received data packet needs to be captured;
Step 103: when it is determined that the data packet needs to be captured, perform preset security processing on the data packet.
As can be seen from the above, the network packet filtering method provided by the present invention determines whether a received data packet needs to be captured by looking up, in the preset retrieval data table, an entry that matches the protocol information carried by the received data packet. It is applicable to most scenarios in which data packets need to be captured, the lookup is simple and efficient, and when a large number of data packets are received the functions of the network device are not affected by CPU overload. Through a simple and effective packet retrieval and capture method, the present invention meets current requirements well and prevents excessive CPU co-processing load from affecting the management functions of the Ethernet switch.
In a specific embodiment of the present invention, the retrieval data table establishes a corresponding filtering rule for each data packet to be filtered, and the rule specifies the protocol used by the data packet to be filtered at the corresponding OSI layer.
In a specific embodiment of the present invention, after the data packet is captured, a security check may be performed on it, or processing such as filtering and discarding may be performed.
In some embodiments of the present invention, the step of determining, according to the protocol rules in the preset retrieval data table for the data packets that the port needs to capture, whether the received data packet needs to be captured specifically includes:
according to the port on which the data packet was received, looking up in the preset retrieval data table the protocol rules for the data packets that the port needs to capture;
according to the retrieval data table, determining that the received data packet needs to be captured when there exists a protocol rule record in which the protocol specified for each OSI layer is consistent with the protocol used by the corresponding OSI layer of the received data packet;
where the protocol rule record records at least one protocol used by at least one OSI layer of the data packet to be captured.
In a specific embodiment of the present invention, the preset retrieval data table may include a port retrieval table and a protocol rule retrieval table. The port retrieval table contains the port numbers and port names of one or more ports, each corresponding to a port to which one or more data packets are to be sent; for the port number of each port recorded in the port retrieval table, a corresponding protocol rule record can be found in the protocol rule retrieval table. When the protocol used by a received data packet conforms to the protocol rule recorded in the protocol rule retrieval table for the port to which the packet is to be sent, it is determined that the received data packet needs to be captured because it may present a security risk.
In some embodiments of the present invention, before determining the port on which the data packet was received and the packet protocol information, the method further includes:
adding, in the retrieval data table, at least one protocol rule record for the data packets that the port needs to capture;
setting, in the newly added protocol rule record, the protocol type used by at least one OSI layer of the data packet to be captured.
In a specific embodiment of the present invention, the structure of the port retrieval table is as shown in FIG. 2: it includes one or more port names and port numbers, and each port number corresponds to one port name and to one protocol rule retrieval table as shown in FIG. 3, in which one or more protocol rule records are set. When a port named ETH0 with port number 0 is to be added and the data packets sent to the ETH0 port are to be filtered, a port record with name ETH0 and port number 0 is added to the port retrieval table shown in FIG. 2, a corresponding protocol rule retrieval table as shown in FIG. 3 is created, and one or more protocol rule records are added to it, so that when the port of a received data packet has port name ETH0 and port number 0, whether the data packet needs to be captured is determined from the protocol rule records in the corresponding protocol rule retrieval table. When the filtering rule to be set for the ETH0 port is the ARP protocol, a protocol rule record for the ARP protocol is established in the protocol rule retrieval table.
In another specific embodiment of the present invention, the structure of the port retrieval table is as shown in FIG. 2: it includes one or more port names and port numbers, and each port number corresponds to one port name and to one or more protocol rule records in the protocol rule retrieval table shown in FIG. 3. When a port named ETH0 with port number 0 is to be added and the data packets sent to the ETH0 port are to be filtered, a port record with name ETH0 and port number 0 is added to the port retrieval table shown in FIG. 2, and protocol rule records for the port with name ETH0 and port number 0 are added to the protocol rule retrieval table shown in FIG. 3, so that when the port of a received data packet has port name ETH0 and port number 0, whether the data packet needs to be captured is determined from the protocol rule records corresponding to the ETH0 port in the protocol rule retrieval table. When the filtering rule to be set for the ETH0 port is the ARP protocol, a protocol rule record for the ARP protocol is established in the protocol rule retrieval table.
In some embodiments of the present invention, the at least one OSI layer includes OSI layer 2, OSI layer 3 and OSI layer 4.
In some embodiments of the present invention, the protocol rule record includes, for each OSI layer, a label and a protocol type number; the label indicates whether the protocol type of the corresponding OSI layer is empty, and the protocol type number indicates the protocol type of the corresponding OSI layer.
Still referring to FIG. 3, in a specific embodiment of the present invention, each protocol rule record includes the following items: protocol name, OSI layer 2 protocol type number, OSI layer 2 label, OSI layer 3 protocol type number, OSI layer 3 label, OSI layer 4 protocol type number and OSI layer 4 label. The label indicates whether the protocol type of the corresponding OSI layer is empty. For example, if the protocol recorded in a protocol rule record is a layer 2 protocol, then the OSI layer 3 protocol type and the OSI layer 4 protocol type of that record should be empty or invalid; in this case the OSI layer 3 label and the OSI layer 4 label are used to indicate that the OSI layer 3 protocol type and the OSI layer 4 protocol type in this protocol rule record are empty or invalid.
In a specific embodiment of the present invention, assume that the port with port name ETH0 and port number 0 needs to filter ARP protocol data packets, that label 0 indicates that the corresponding OSI layer protocol type is valid, that label 1 indicates that the corresponding OSI layer protocol type is invalid, and that protocol type number 0 indicates that the corresponding OSI layer protocol type is empty. The items of the corresponding protocol rule record are then: protocol name ARP, OSI layer 2 protocol type number 0x0806, OSI layer 2 label 0, OSI layer 3 protocol type number 0x0, OSI layer 3 label 1, OSI layer 4 protocol type number 0x0 and OSI layer 4 label 1.
In a specific embodiment of the present invention, the protocol rule record is as shown in FIG. 4.
In a specific embodiment of the present invention, with reference to FIG. 4, the method includes the following steps:
Step 201: receive a data packet that is to be sent to a port.
Step 202: parse the data packet to obtain the port number and the protocol header information. For example, the received data packet is an ARP data packet; parsing shows that the port to which it is to be sent has port name ETH0 and port number 0, and that the layer 2 protocol type number of the data packet is 0x0806.
Step 203: obtain, from the preset retrieval data table, the port corresponding to the port number and the protocol rule records corresponding to that port, and obtain the OSI layer 2, OSI layer 3 and OSI layer 4 protocol types of the data packet. For example, the protocol rule records corresponding to the ETH0 port are found in the preset retrieval data table; among the protocol rule records corresponding to ETH0, shown in FIG. 4, a record with layer 2 protocol type number 0x0806 is found.
Step 204: look up the OSI layer 2 protocol type in the protocol rule records.
Step 205: if the OSI layer 2 protocol type recorded in a protocol rule record matches the OSI layer 2 protocol type used by the data packet, look up the OSI layer 3 protocol type in that protocol rule record.
If the port to which the received data packet is to be sent has port name ETH0 and port number 0, the data packet has layer 2 protocol type number 0x0806, an empty layer 3 protocol type and an empty layer 4 protocol type, and a protocol rule record exists with layer 2 protocol type number 0x0806, an empty layer 3 protocol type and an empty layer 4 protocol type, then the received data packet is consistent with that protocol rule record.
Step 206: if the OSI layer 3 protocol type of the data packet is not empty, look among the OSI layer 3 protocol types recorded in the protocol rule records for an entry that matches the OSI layer 3 protocol type of the data packet.
Step 207: if an OSI layer 3 protocol type recorded in a protocol rule record matches the OSI layer 3 protocol type of the data packet, look up the OSI layer 4 protocol type in that protocol rule record.
Step 208: if the OSI layer 4 protocol type of the data packet is not empty, look among the OSI layer 4 protocol types recorded in the protocol rule records for an entry that matches the OSI layer 4 protocol type of the data packet.
In steps 201 to 208 above, if the protocol of at least one of OSI layer 2, layer 3 or layer 4 of the received data packet is empty, and at the same time the label of the corresponding OSI layer 2, layer 3 or layer 4 in the protocol rule record indicates empty, then the protocol type of that OSI layer in the protocol rule record is considered consistent with the protocol type of the corresponding OSI layer of the data packet.
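As an added example, not code from the patent: a Python model of the port retrieval table, of protocol rule records carrying a per-layer type number and label as in the ETH0/ARP record above, and of the layer-by-layer matching of steps 201 to 208 including the both-empty rule just stated. The mapping of header fields to layers (EtherType for layer 2, IPv4 protocol number for layer 3, TCP/UDP destination port for layer 4), all names, and the sample table and frames are assumptions made for this example.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Layer 2 type numbers are EtherTypes; 0x0806 is the ARP value from the page.
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

# Label encoding from the page's worked example: 0 = the layer's protocol
# type is valid, 1 = the layer is empty/invalid; protocol type number 0 = empty.
LABEL_VALID = 0
LABEL_EMPTY = 1

Layer = Tuple[int, int]                                        # (type number, label)
Packet = Tuple[Optional[int], Optional[int], Optional[int]]    # L2, L3, L4 types


class ProtocolRule:
    """One protocol rule record (FIG. 4): a name plus, for OSI layers 2, 3 and 4,
    a protocol type number and a label saying whether that layer is empty."""

    def __init__(self, name: str, l2: Optional[int] = None,
                 l3: Optional[int] = None, l4: Optional[int] = None) -> None:
        self.name = name
        self.layers: Tuple[Layer, ...] = tuple(
            (0, LABEL_EMPTY) if v is None else (v, LABEL_VALID) for v in (l2, l3, l4))


class RetrievalTable:
    """Port retrieval table (FIG. 2) whose entries point at the per-port
    protocol rule records (FIG. 3). Assumed structure, not the patent's."""

    def __init__(self) -> None:
        self.ports: Dict[int, Tuple[str, List[ProtocolRule]]] = {}

    def add_port(self, number: int, name: str) -> None:
        self.ports.setdefault(number, (name, []))

    def add_rule(self, number: int, rule: ProtocolRule) -> None:
        self.ports[number][1].append(rule)

    def rules_for(self, number: int) -> List[ProtocolRule]:
        return self.ports.get(number, ("", []))[1]


def parse_frame(frame: bytes) -> Packet:
    """Step 202 with an assumed mapping: layer 2 = EtherType, layer 3 = IPv4
    protocol number, layer 4 = TCP/UDP destination port; other layers stay empty."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    l2 = struct.unpack_from("!H", frame, 12)[0]
    l3 = l4 = None
    if l2 == ETHERTYPE_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4                   # IPv4 header length in bytes
        l3 = frame[14 + 9]                             # IPv4 protocol field
        if l3 in (6, 17) and len(frame) >= 14 + ihl + 4:
            l4 = struct.unpack_from("!H", frame, 14 + ihl + 2)[0]   # destination port
    return (l2, l3, l4)


def layer_matches(rule_layer: Layer, pkt_type: Optional[int]) -> bool:
    """Per-layer test of steps 205-208: an empty packet layer matches only a
    record whose label marks that layer empty; otherwise the type numbers must be equal."""
    rule_type, rule_label = rule_layer
    if pkt_type is None:
        return rule_label == LABEL_EMPTY
    return rule_label == LABEL_VALID and rule_type == pkt_type


def find_matching_rule(table: RetrievalTable, port: int,
                       pkt: Packet) -> Optional[ProtocolRule]:
    """Steps 203-208: walk the port's records and compare layers 2, 3 and 4."""
    for rule in table.rules_for(port):
        if all(layer_matches(rl, pt) for rl, pt in zip(rule.layers, pkt)):
            return rule
    return None


def should_capture(table: RetrievalTable, port: int, frame: bytes) -> bool:
    """Step 102: capture when a record of the receiving port matches the frame."""
    return find_matching_rule(table, port, parse_frame(frame)) is not None


# Constructed sample table and frames (not taken from the patent's figures).
def example_table() -> RetrievalTable:
    t = RetrievalTable()
    t.add_port(0, "ETH0")
    t.add_rule(0, ProtocolRule("ARP", l2=ETHERTYPE_ARP))      # the page's ARP record
    t.add_rule(0, ProtocolRule("TELNET", l2=ETHERTYPE_IPV4, l3=6, l4=23))
    return t


def build_frame(ethertype: int, payload: bytes) -> bytes:
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload


def arp_frame() -> bytes:
    return build_frame(ETHERTYPE_ARP, struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + b"\x00" * 20)


def ipv4_tcp_frame(dst_port: int) -> bytes:
    ip = (bytes([0x45, 0]) + struct.pack("!H", 40) + b"\x00\x00\x40\x00"
          + bytes([64, 6, 0, 0]) + bytes([10, 0, 0, 1, 10, 0, 0, 2]))
    tcp = struct.pack("!HH", 40000, dst_port) + b"\x00" * 16
    return build_frame(ETHERTYPE_IPV4, ip + tcp)
```

Note that a record whose layer 3 label is empty does not match a packet whose layer 3 is populated; the page defines consistency for an empty layer only when both the packet layer and the record label are empty.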
Further, the present invention provides a network packet processing apparatus, the structure of which is shown in FIG. 5, including:
Packet parsing module: configured to determine the port on which the data packet was received and the packet protocol information;
Capture judging module: configured to determine, according to the protocol rules in the preset retrieval data table for the data packets that the port needs to capture, whether the received data packet needs to be captured;
Packet processing module: configured to, when it is determined that the data packet needs to be captured, capture the data packet and perform preset security processing on it.
In some embodiments of the present invention, the capture judging module specifically includes:
Protocol rule lookup unit: configured to look up, in the preset retrieval data table, the protocol rules for the data packets that the port needs to capture, according to the port on which the data packet was received;
Capture determining unit: configured to determine, according to the retrieval data table, that the received data packet needs to be captured when there exists a protocol rule record in which the protocol specified for each OSI layer is consistent with the protocol used by the corresponding OSI layer of the received data packet;
where the protocol rule record records at least one protocol used by at least one OSI layer of the data packet to be captured.
In some embodiments of the present invention, the apparatus further includes:
Port creation module: configured to add, in the retrieval data table, at least one protocol rule record for the data packets that the port needs to capture;
Protocol rule record adding module: configured to set, in the newly added protocol rule record, the protocol type used by at least one OSI layer of the data packet to be captured.
In some embodiments of the present invention, the at least one OSI layer includes OSI layer 2, OSI layer 3 and OSI layer 4.
In some embodiments of the present invention, the protocol rule record includes, for each OSI layer, a label and a protocol type number; the label indicates whether the protocol type of the corresponding OSI layer is empty, and the protocol type number indicates the protocol type of the corresponding OSI layer.
It should be understood that the embodiments described in this specification are only intended to illustrate and explain the present invention and are not intended to limit it. Where no conflict arises, the embodiments of the present application and the features of the embodiments may be combined with each other.
Obviously, those skilled in the art can make various modifications and variations to the present invention without departing from its spirit and scope. Thus, provided that these modifications and variations fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include them.
Industrial applicability
Based on the technical solution provided by the embodiments of the present invention, a data table is used to record the protocol rules used by the data packets to be filtered, so that when a data packet is received only a lookup in the retrieval data table is needed. The method is simple and matches filtering rules effectively; ports and protocols are easily added to the retrieval data table; packet capture and filtering incur low overhead and low latency, apply to a wide range of scenarios, are easy to optimise and do not affect the stability and reliability of the network. The method can also be applied to firewalls, network access servers and other applications that need to filter or capture data packets quickly.

Claims (10)

  1. A network packet processing method, including the following steps:
    determining the port on which a data packet was received and the packet protocol information;
    determining, according to the protocol rules in a preset retrieval data table for the data packets that the port needs to capture, whether the received data packet needs to be captured;
    when it is determined that the data packet needs to be captured, capturing the data packet and performing preset security processing on the data packet.
  2. The method according to claim 1, wherein the step of determining, according to the protocol rules in the preset retrieval data table for the data packets that the port needs to capture, whether the received data packet needs to be captured specifically includes:
    according to the port on which the data packet was received, looking up in the preset retrieval data table the protocol rules for the data packets that the port needs to capture;
    according to the retrieval data table, determining that the received data packet needs to be captured when there exists a protocol rule record in which the protocol specified for each Open Systems Interconnection (OSI) layer is consistent with the protocol used by the corresponding OSI layer of the received data packet;
    where the protocol rule record records at least one protocol used by at least one OSI layer of the data packet to be captured.
  3. The method according to claim 2, wherein before determining the port on which the data packet was received and the packet protocol information, the method further includes:
    adding, in the retrieval data table, at least one protocol rule record for the data packets that the port needs to capture;
    setting, in the newly added protocol rule record, the protocol type used by at least one OSI layer of the data packet to be captured.
  4. The method according to claim 2 or 3, wherein the at least one OSI layer includes OSI layer 2, OSI layer 3 and OSI layer 4.
  5. The method according to claim 4, wherein the protocol rule record includes, for each OSI layer, a label and a protocol type number; the label indicates whether the protocol type of the corresponding OSI layer is empty, and the protocol type number indicates the protocol type of the corresponding OSI layer.
  6. A network packet processing apparatus, including:
    a packet parsing module, configured to determine the port on which a data packet was received and the packet protocol information;
    a capture judging module, configured to determine, according to the protocol rules in a preset retrieval data table for the data packets that the port needs to capture, whether the received data packet needs to be captured;
    a packet processing module, configured to, when it is determined that the data packet needs to be captured, capture the data packet and perform preset security processing on the data packet.
  7. The apparatus according to claim 6, wherein the capture judging module specifically includes:
    a protocol rule lookup unit, configured to look up, in the preset retrieval data table, the protocol rules for the data packets that the port needs to capture, according to the port on which the data packet was received;
    a capture determining unit, configured to determine, according to the retrieval data table, that the received data packet needs to be captured when there exists a protocol rule record in which the protocol specified for each Open Systems Interconnection (OSI) layer is consistent with the protocol used by the corresponding OSI layer of the received data packet;
    where the protocol rule record records at least one protocol used by at least one OSI layer of the data packet to be captured.
  8. The apparatus according to claim 7, wherein the apparatus further includes:
    a port creation module, configured to add, in the retrieval data table, at least one protocol rule record for the data packets that the port needs to capture;
    a protocol rule record adding module, configured to set, in the newly added protocol rule record, the protocol type used by at least one OSI layer of the data packet to be captured.
  9. The apparatus according to claim 7 or 8, wherein the at least one OSI layer includes OSI layer 2, OSI layer 3 and OSI layer 4.
  10. The apparatus according to claim 9, wherein the protocol rule record includes, for each OSI layer, a label and a protocol type number; the label indicates whether the protocol type of the corresponding OSI layer is empty, and the protocol type number indicates the protocol type of the corresponding OSI layer.
PCT/CN2015/074632 2014-11-25 2015-03-19 Network data packet processing method and apparatus WO2016082380A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410690241.3A CN105635088A (en) 2014-11-25 2014-11-25 Network data packet processing method and device
CN201410690241.3 2014-11-25

Publications (1)

Publication Number Publication Date
WO2016082380A1 true WO2016082380A1 (en) 2016-06-02


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN2824449Y (en) * 2004-11-18 2006-10-04 北京锐安科技有限公司 Dynamic controller of data filtering condition
CN102497372A (en) * 2011-12-13 2012-06-13 曙光信息产业(北京)有限公司 System and method based on Internet protocol (IP) message destination port filtering strategy
US8332927B1 (en) * 2007-08-10 2012-12-11 Juniper Networks, Inc. Merging filter rules to reduce forwarding path lookup cycles
CN102959924A (en) * 2010-06-30 2013-03-06 西门子公司 Method for filtering and processing data in a packet-switched communication network

Also Published As

Publication number Publication date
CN105635088A (en) 2016-06-01

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15863116; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15863116; Country of ref document: EP; Kind code of ref document: A1)