WO2017012315A1 - Service interception control method and apparatus - Google Patents

Service interception control method and apparatus

Info

Publication number: WO2017012315A1
Application number: PCT/CN2016/071212
Authority: WO (WIPO, PCT)
Prior art keywords: service, path, monitoring, forwarding node, forwarding
Other languages: English (en), French (fr)
Inventor: 王大勇
Original assignee: 中兴通讯股份有限公司 (ZTE Corporation)
Application filed by 中兴通讯股份有限公司
Publication of WO2017012315A1

Classifications

    • H04L 9/40 Network security protocols (under H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information (under H04L 63/00 Network architectures or network communication protocols for network security)
    • H04L 67/51 Discovery or management of network services, e.g. service location protocol [SLP] or web services (under H04L 67/00 Network arrangements or protocols for supporting network services or applications; H04L 67/50 Network services)

Definitions

  • The present invention relates to the field of communications, and in particular to a service interception control method and apparatus.
  • SDN: Software Defined Network.
  • SDN is a new type of data communication network technology.
  • SDN is characterized by the separation of control from forwarding: the control part of the routers and switches of a conventional network is split out and implemented in software, while the remaining forwarding part is implemented by the network devices.
  • The former may be called the control plane or control layer, the latter the forwarding plane or forwarding layer.
  • The forwarding plane forwards packets on the basis of a flow table.
  • A flow table consists of a number of flow entries of different priorities arranged in order; entries with a higher priority are matched first.
  • A flow entry consists mainly of a match field, an instruction field and a statistics field, plus other auxiliary fields.
  • A forwarding-plane device receives an inbound packet and matches it against the flow entries in priority order; for the entry that is hit it updates the statistics counters and executes the operations specified by the instruction field. These actions may include modifying the packet, dropping it, sending it to the control plane, forwarding it out of a specified port, and so on.
  • Forwarding-plane devices support multi-level flow tables; after all flow tables have been matched, the accumulated action set is executed and the packet is output.
  • The control plane manipulates the behaviour of forwarding-plane devices by modifying their flow tables through the OpenFlow protocol.
  • The current OpenFlow protocol supports multi-level flow tables and group tables, IPv6, and capability negotiation.
  • The control plane obtains switch port information, obtains the network connectivity graph through a link discovery protocol, learns MAC addresses to obtain the attachment of hosts to the network, generates the topology and end-to-end paths from this, and generates forwarding tables that are pushed to the forwarding-plane devices.
  • For unknown packets, the control plane can install a flow entry that requires them to be sent up to the control plane; it then generates a new path by querying the topology and pushes forwarding tables to the forwarding-plane devices on that path, bringing the new path into effect.
  • In the circuit-switched era the object of interception was voice communication, implemented by attaching additional modules to the telephone exchange.
  • In the packet-switched era the objects of interception include not only voice communication but all kinds of data communication, such as instant messaging and web browsing, and are not limited to traffic between terminal hosts but also include traffic between servers.
  • The interception system is deployed on a single host with limited resources.
  • The interception system provides conditions for filtering the traffic it collects, in two dimensions: the traffic of a given host, and the traffic of a given service.
  • An actual interception is generally a combination of these two dimensions, for example the traffic of one or more services on one or more hosts. Interception of multiple hosts or multiple service flows can ultimately be decomposed into interception of a single host and a single service flow.
  • An interception system generally comprises two roles, an executor and a collector.
  • The former selects the interception target according to the interception requirement and triggers the interception action; the latter is responsible for receiving the interception results.
  • One related-art method exploits the broadcast nature of a local area network by setting the network card to promiscuous mode so that it receives every packet broadcast on the segment.
  • Its advantage is that it is standardized and general.
  • Its disadvantage is that only devices on the same local area network as the interception module or system can be intercepted.
  • The invention provides a service interception control method and apparatus, so as to at least solve the problem that the interception methods of the related art are all difficult to implement and limited in where they can be applied.
  • A service interception control method includes: in a software-defined network, selecting a designated forwarding node from a first path that carries the service to be intercepted, where the designated forwarding node is any forwarding node in the first path; obtaining a second path from the designated forwarding node to the interception system; and controlling a copied service to be sent to the interception system over the second path, where the copied service is a service that matches the characteristics of the service to be intercepted.
  • Controlling the copied service to be sent to the interception system over the second path includes: issuing a flow table to one or more forwarding nodes in the second path, and controlling, by means of the flow table, the copied service to be sent to the interception system.
  • The method further includes: deleting the second path after the copied service has been intercepted; or deleting the second path and the flow table after the copied service has been intercepted.
  • Selecting the designated forwarding node from the first path of the service to be intercepted includes: querying all forwarding nodes included in the first path between the sending end and the receiving end of the service to be intercepted, and selecting the designated forwarding node from among them.
  • The copied service is obtained by the designated forwarding node copying the service to be intercepted.
  • A service interception control apparatus includes: a selection module, configured to select, in a software-defined network, a designated forwarding node from a first path that carries the service to be intercepted;
  • the designated forwarding node is any forwarding node in the first path;
  • an acquisition module, configured to obtain a second path from the designated forwarding node to the interception system;
  • a processing module, configured to control a copied service to be sent to the interception system over the second path,
  • where the copied service is a service that matches the characteristics of the service to be intercepted.
  • The processing module further includes: an issuing unit, configured to issue a flow table to one or more forwarding nodes in the second path; and a processing unit, configured to control, by means of the flow table, the copied service to be sent to the interception system.
  • The apparatus further includes a deletion module, configured to delete the second path after the copied service has been intercepted, or to delete the second path and the flow table after the copied service has been intercepted.
  • The selection module further includes: a query unit, configured to query all forwarding nodes included in the first path between the sending end and the receiving end of the service to be intercepted; and a selection unit, configured to select the designated forwarding node from among them.
  • The copied service is obtained by the designated forwarding node copying the service to be intercepted.
  • Through these embodiments, a designated forwarding node is selected from the first path of the service to be intercepted, the designated forwarding node being any forwarding node in the first path; a second path from the designated forwarding node to the interception system is obtained;
  • and a copied service is sent to the interception system over the second path, where the copied service is a service that matches the characteristics of the service to be intercepted. This solves the problem that the interception methods of the related art are difficult to implement and limited in application, and achieves the effect that service interception can be implemented without separately modifying forwarding devices and without deploying interception agents on user hosts and network servers.
  • FIG. 1 is a flowchart of a service interception control method according to an embodiment of the present invention.
  • FIG. 2 is a structural block diagram of a service interception control apparatus according to an embodiment of the present invention.
  • FIG. 3 is a structural block diagram (1) of a service interception control apparatus according to an embodiment of the present invention.
  • FIG. 4 is a structural block diagram (2) of a service interception control apparatus according to an embodiment of the present invention.
  • FIG. 5 is a structural block diagram (3) of a service interception control apparatus according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of the interception system, the intercepted target and the path of the intercepted traffic according to an embodiment of the present invention.
  • FIG. 7 is an interception flowchart according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of a service interception control method according to an embodiment of the present invention. As shown in FIG. 1, the process includes the following steps:
  • Step S102: in the software-defined network, selecting a designated forwarding node from the first path that carries the service to be intercepted, where the designated forwarding node is any forwarding node in the first path;
  • Step S104: obtaining a second path from the designated forwarding node to the interception system;
  • Step S106: controlling a copied service to be sent to the interception system over the second path, where the copied service is a service that matches the characteristics of the service to be intercepted.
  • In the related art, the network card is set to promiscuous mode so that it receives every packet broadcast on the segment, but only devices on the same local area network as the interception module or system can be intercepted; or
  • monitoring agent software is installed on every user terminal host and network server of interest, a monitoring policy is configured, and matching traffic is saved or sent to a monitoring server, but because agent software must be installed on specific or all user hosts, this is hard to roll out
  • and user acceptance is low.
  • By contrast, through the steps above a designated forwarding node is selected, in the software-defined network, from the first path of the service to be intercepted, the designated forwarding node being any forwarding node in the first path; a second path from the designated forwarding node to the interception system is obtained; and a copied service that matches the characteristics of the service to be intercepted is sent to the interception system over the second path. This solves the problem that the interception methods of the related art are difficult to implement and limited in application, and achieves service interception without separately modifying forwarding devices and without deploying interception agents on user hosts and network servers.
  • Step S106 involves controlling the copied service to be sent to the interception system over the second path.
  • The copied service can be sent to the interception system over the second path in several ways.
  • In one optional embodiment, a flow table is issued to one or more forwarding nodes in the second path and the copied service is steered to the interception system by that flow table, which completes sending the copied service to the interception system over the second path.
  • In one optional embodiment, the second path is deleted after the copied service has been intercepted. In another optional embodiment, after the copied service has been intercepted, both the second path and the flow table are deleted, which clears the interception state and saves memory.
  • Step S102 involves selecting the designated forwarding node from the first path that carries the service to be intercepted.
  • In one optional implementation, this is done by querying all forwarding nodes included in the first path between the sending end and the receiving end of the service to be intercepted and selecting the designated forwarding node from among them.
  • The copied service in step S106 is obtained by the designated forwarding node copying the service to be intercepted.
  • A service interception control apparatus is also provided, which is used to implement the foregoing embodiments and preferred implementations; what has already been described is not repeated.
  • The term "module" may be a combination of software and/or hardware that implements a predetermined function.
  • Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • As shown in FIG. 2, the apparatus includes: a selection module 22, configured to select, in a software-defined network, a designated forwarding node from a first path that carries the service to be intercepted, where the designated forwarding node is any forwarding node in the first path; an acquisition module 24, configured to obtain a second path from the designated forwarding node to the interception system; and a processing module 26, configured to control a copied service to be sent to the interception system over the second path, where the copied service is a service that matches the characteristics of the service to be intercepted.
  • FIG. 3 is a structural block diagram (1) of a service interception control apparatus according to an embodiment of the present invention.
  • As shown in FIG. 3, the processing module 26 of the apparatus further includes: an issuing unit 262, configured to issue a flow table to
  • one or more forwarding nodes in the second path; and a processing unit 264, configured to control, by means of the flow table, the copied service to be sent to the interception system.
  • FIG. 4 is a structural block diagram (2) of a service interception control apparatus according to an embodiment of the present invention.
  • As shown in FIG. 4, in addition to all the modules shown in FIG. 2 the apparatus includes a deletion module 42, configured to delete the second path after the copied service has been intercepted, or to delete the second path and the flow table after the copied service has been intercepted.
  • FIG. 5 is a structural block diagram (3) of a service interception control apparatus according to an embodiment of the present invention.
  • As shown in FIG. 5, the selection module 22 of the apparatus further includes: a query unit 222, configured to query all forwarding nodes included in the first path between the sending end and the receiving end of the service to be intercepted; and a selection unit 224, configured to select the designated forwarding node from among them.
  • The copied service is obtained by the designated forwarding node copying the service to be intercepted.
  • Each of the above modules may be implemented in software or hardware.
  • A hardware implementation may be, but is not limited to, one in which all the modules are located in the same processor, or one in which the modules are located in several processors.
  • Embodiments of the present invention also provide a storage medium.
  • The storage medium may be configured to store program code for performing the following steps:
  • S1: in the software-defined network, selecting a designated forwarding node from the first path of the service to be intercepted, where the designated forwarding node is any forwarding node in the first path;
  • S2: obtaining a second path from the designated forwarding node to the interception system; S3: controlling a copied service to be sent to the interception system over the second path, where the copied service is a service that matches the characteristics of the service to be intercepted.
  • The storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc, or any other medium that can store program code.
  • The processor executes S1, S2 and S3 above according to the program code stored in the storage medium.
  • An optional embodiment of the present invention provides an interception solution based on a software-defined network: the controller sets the forwarding behaviour of the relevant forwarding devices so as to intercept a specific communication service, without separately modifying the forwarding devices and without deploying interception agents on user hosts or network servers.
  • The traffic to be intercepted may travel over more than one path.
  • The present invention handles every such path in the same way; this is related art.
  • An optional embodiment of the present invention provides a method for implementing interception, including: S1, selecting any forwarding node on the path as the monitoring point; S2, querying the controller for the path between the monitoring point and the forwarding node to which the interception system host is connected; S3, issuing a flow table to the monitoring point so that the traffic to be intercepted is copied and sent to the interception system.
  • FIG. 6 is a schematic diagram of the interception system, the intercepted target and the path of the intercepted traffic according to an embodiment of the present invention.
  • All forwarding devices in the SDN network are controlled by the controller.
  • The executor role of the interception system exists as an App of the controller: it interfaces with the controller, invokes the controller's programming interface to control network services, and is responsible for determining, according to the interception requirement, the parameters of the communicating hosts H1 and H2 at the two ends of the communication, and thereby the path.
  • A communication service from host H1 to host H2 is the intercepted target, and nodes 1, N-1, N, N+1 and M form the forwarding path that carries this communication service.
  • The interception system executor selects path node N as the monitoring point, establishes a path from the monitoring point to the interception system collector, and starts interception. The path between node N and the interception system collector is N, x-1, x, x+1.
  • FIG. 7 is an interception flowchart according to an embodiment of the present invention. As shown in FIG. 7, the flow includes:
  • Step 701: obtain the host information and service information of both ends of the communication according to the interception requirement. From the host information, query the controller to obtain the forwarding nodes and ports to which the hosts at both ends are connected. From the interception system collector information, query to obtain the forwarding node and port to which the collector is connected.
  • Step 702: from the switch node and port information at both ends, query the controller to obtain the forwarding path between the two ends of the communication: node 1, node N-1, node N, node N+1, node M.
  • Step 703: select node N in the path as the monitoring point.
  • Step 704: query the controller for the path between node N and the interception system collector: node N, node x-1, node x, node x+1.
  • According to the service information to be intercepted, flow entries are issued through the controller to the forwarding devices along this path other than M, establishing a forwarding path over which the intercepted packets are sent to the interception system collector.
  • Step 705: the interception system executor starts interception by issuing, through the controller, a flow entry to monitoring point N that copies packets matching the characteristics of the intercepted service and sends the copies to node x-1, thereby starting the interception process. From then on, any forwarded packet that matches the intercepted characteristics is sent to the interception system collector.
  • Step 706: when interception is stopped, the interception system executor deletes, through the controller, the flow entry at monitoring point N that copies the intercepted packets, thereby cancelling the interception.
  • Step 707: after interception is stopped, the interception system executor deletes, through the controller, the flow entries of the forwarding devices along the way, node x-1, node x and node x+1, removing the forwarding path from monitoring point N to the interception system collector that was established in step 704 and clearing the interception state.
  • In summary, the present invention uses a software-defined network to select a designated forwarding node from a first path that carries the service to be intercepted, the designated forwarding node being any forwarding node in the first path; obtains a second path from the designated forwarding node to the interception system; and controls a copied service matching the characteristics of the service to be intercepted to be sent to the interception system over the second path. This solves the problem that the interception methods of the related art are difficult to implement
  • and limited in application, and thus achieves service interception without separately modifying forwarding devices and without deploying interception agents on user hosts and network servers.
  • The modules or steps of the present invention described above may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed across a network of several computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that given here;
  • or they may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module.
  • The invention is thus not limited to any specific combination of hardware and software.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a service interception control method and apparatus. The method includes: in a software-defined network, selecting a designated forwarding node from a first path that carries the service to be intercepted, where the designated forwarding node is any forwarding node in the first path; obtaining a second path from the designated forwarding node to the interception system; and controlling a copied service to be sent to the interception system over the second path, where the copied service is a service that matches the characteristics of the service to be intercepted. The present invention solves the problem that the interception methods of the related art are difficult to implement and limited in application, and achieves service interception without separately modifying forwarding devices and without deploying interception agents on user hosts and network servers.

Description

Service interception control method and apparatus

Technical field
The present invention relates to the field of communications, and in particular to a service interception control method and apparatus.
Background
A software-defined network (SDN) is a new type of data communication network technology. SDN is characterized by the separation of control from forwarding: the control part of the routers and switches of a conventional network is split out and implemented in software, while the remaining forwarding part is implemented by the network devices. The former may be called the control plane or control layer, the latter the forwarding plane or forwarding layer.
The basis on which the forwarding plane forwards packets is the flow table. A flow table consists of a number of flow entries of different priorities arranged in order; entries with a higher priority are matched first. A flow entry consists mainly of three parts, a match field, an instruction field and a statistics field, plus other auxiliary fields. A forwarding-plane device receives an inbound packet and matches it against the flow entries in priority order; for the entry that is hit it updates the statistics counters and executes the operations specified by the instruction field. These actions may include modifying the packet, dropping it, sending it to the control plane, forwarding it out of a specified port, and so on. Forwarding-plane devices generally support multi-level flow tables; after all flow tables have been matched, the accumulated action set is executed and the packet is output.
The control plane manipulates the behaviour of forwarding-plane devices by modifying their flow tables through the OpenFlow protocol. The current OpenFlow protocol supports multi-level flow tables and group tables, IPv6, capability negotiation, and more.
The control plane obtains switch port information, obtains the network connectivity graph through a link discovery protocol, and learns MAC addresses to obtain the attachment of hosts to the network; from this it generates the topology and end-to-end paths, and from these it generates forwarding tables that are pushed to the forwarding-plane devices. For unknown packets, the control plane can install a flow entry that requires them to be sent up to the control plane; it then generates a new path by querying the topology and pushes forwarding tables to the forwarding-plane devices on that path, bringing the new path into effect.
Interception is the collection, monitoring and storage, for security purposes, of communication flows that meet given conditions. In the circuit-switched era the object of interception was voice communication, implemented by attaching additional modules to the telephone exchange. As packet switching has progressively replaced circuit switching, the objects of interception in the packet-switched era include not only voice communication but all kinds of data communication, such as instant messaging and web browsing, and are not limited to traffic between terminal hosts but also include traffic between servers.
The interception system is deployed on a single host with limited resources. To reduce the load on the interception system, it provides conditions for filtering the traffic it collects, in two dimensions: the traffic of a given host and the traffic of a given service. An actual interception is generally a combination of these two dimensions, for example the traffic of one or more services on one or more hosts. Interception of multiple hosts or multiple service flows can ultimately be decomposed into interception of a single host and a single service flow.
An interception system generally comprises two roles, an executor and a collector. The former selects the interception target according to the interception requirement and triggers the interception action; the latter is responsible for receiving the interception results.
Interception of data communication is currently implemented in the following ways:
One is to attach a separate interception agent to a network forwarding device such as a router or switch. Because there are many kinds of network devices and many vendors, and no standardized definition of interception, suitable forwarding devices must be selected and customized according to the service and target to be intercepted; the cost is high and the approach can only be used in specific settings.
Another exploits the broadcast nature of a local area network by setting the network card to promiscuous mode so that it receives every packet broadcast on the segment. Its advantage is that it is standardized and general; its disadvantage is that only devices on the same local area network as the interception module or system can be intercepted.
Another is to install monitoring agent software on every user terminal host and network server of interest, configure a monitoring policy, and save the matching traffic or send it to a monitoring server. Because agent software must be installed on specific or all user hosts, this is hard to roll out and user acceptance is low.
No effective solution has yet been proposed for the problem that the interception methods of the related art are all difficult to implement and limited in where they can be applied.
Summary of the invention
The present invention provides a service interception control method and apparatus, so as to at least solve the problem in the related art that the various interception methods are difficult to implement and limited in their applicable settings.
According to one aspect of the embodiments of the present invention, a service interception control method is provided, including: in a software-defined network, selecting a designated forwarding node from a first path that carries the service to be intercepted, where the designated forwarding node is any forwarding node in the first path; obtaining a second path from the designated forwarding node to the interception system; and controlling a copied service to be sent to the interception system over the second path, where the copied service is a service that matches the characteristics of the service to be intercepted.
Optionally, controlling the copied service to be sent to the interception system over the second path includes: issuing a flow table to one or more forwarding nodes in the second path; and controlling, by means of the flow table, the copied service to be sent to the interception system.
Optionally, the method further includes: after the copied service has been intercepted, deleting the second path; or, after the copied service has been intercepted, deleting the second path and the flow table.
Optionally, selecting the designated forwarding node from the first path that carries the service to be intercepted includes: querying all forwarding nodes included in the first path between the sending end and the receiving end of the service to be intercepted; and selecting the designated forwarding node from among all those forwarding nodes.
Optionally, the copied service is obtained by the designated forwarding node copying the service to be intercepted.
According to another aspect of the embodiments of the present invention, a service interception control apparatus is provided, including: a selection module, configured to select, in a software-defined network, a designated forwarding node from a first path that carries the service to be intercepted, where the designated forwarding node is any forwarding node in the first path; an acquisition module, configured to obtain a second path from the designated forwarding node to the interception system; and a processing module, configured to control a copied service to be sent to the interception system over the second path, where the copied service is a service that matches the characteristics of the service to be intercepted.
Optionally, the processing module further includes: an issuing unit, configured to issue a flow table to one or more forwarding nodes in the second path; and a processing unit, configured to control, by means of the flow table, the copied service to be sent to the interception system.
Optionally, the apparatus further includes: a deletion module, configured to delete the second path after the copied service has been intercepted, or to delete the second path and the flow table after the copied service has been intercepted.
Optionally, the selection module further includes: a query unit, configured to query all forwarding nodes included in the first path between the sending end and the receiving end of the service to be intercepted; and a selection unit, configured to select the designated forwarding node from among all those forwarding nodes.
Optionally, the copied service is obtained by the designated forwarding node copying the service to be intercepted.
Through the embodiments of the present invention, a designated forwarding node is selected, in a software-defined network, from a first path that carries the service to be intercepted, the designated forwarding node being any forwarding node in the first path; a second path from the designated forwarding node to the interception system is obtained; and a copied service matching the characteristics of the service to be intercepted is sent to the interception system over the second path. This solves the problem that the various interception methods of the related art are difficult to implement and limited in application, and thus achieves the effect that service interception can be implemented without separately modifying forwarding devices and without deploying interception agents on user hosts and network servers.
Brief description of the drawings
The drawings described here are provided for a further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their description serve to explain the invention and do not unduly limit it. In the drawings:
FIG. 1 is a flowchart of a service interception control method according to an embodiment of the present invention;
FIG. 2 is a structural block diagram of a service interception control apparatus according to an embodiment of the present invention;
FIG. 3 is a structural block diagram (1) of a service interception control apparatus according to an embodiment of the present invention;
FIG. 4 is a structural block diagram (2) of a service interception control apparatus according to an embodiment of the present invention;
FIG. 5 is a structural block diagram (3) of a service interception control apparatus according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the interception system, the intercepted target and the path of the intercepted traffic according to an embodiment of the present invention;
FIG. 7 is an interception flowchart according to an embodiment of the present invention.
Detailed description
The present invention is described in detail below with reference to the drawings and in combination with embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features of the embodiments may be combined with one another.
It should be noted that the terms "first", "second" and the like in the description, the claims and the drawings of the present invention are used to distinguish similar objects and do not necessarily describe a particular order or sequence.
This embodiment provides a service interception control method. FIG. 1 is a flowchart of a service interception control method according to an embodiment of the present invention; as shown in FIG. 1, the process includes the following steps:
Step S102: in a software-defined network, selecting a designated forwarding node from a first path that carries the service to be intercepted, where the designated forwarding node is any forwarding node in the first path;
Step S104: obtaining a second path from the designated forwarding node to the interception system;
Step S106: controlling a copied service to be sent to the interception system over the second path, where the copied service is a service that matches the characteristics of the service to be intercepted.
In the related art, the network card is set to promiscuous mode, exploiting the broadcast nature of a local area network, so that it receives every packet broadcast on the segment, but only devices on the same local area network as the interception module or system can be intercepted; or monitoring agent software is installed on every user terminal host and network server of interest, a monitoring policy is configured, and matching traffic is saved or sent to a monitoring server, but because agent software must be installed on specific or all user hosts, this is hard to roll out and user acceptance is low. By contrast, through the steps above a designated forwarding node is selected, in the software-defined network, from the first path that carries the service to be intercepted, the designated forwarding node being any forwarding node in the first path; a second path from the designated forwarding node to the interception system is obtained; and a copied service matching the characteristics of the service to be intercepted is sent to the interception system over the second path. This solves the problem that the interception methods of the related art are difficult to implement and limited in application, and achieves service interception without separately modifying forwarding devices and without deploying interception agents on user hosts and network servers.
Step S106 above involves controlling the copied service to be sent to the interception system over the second path. It should be noted that this can be done in several ways, illustrated below. In one optional embodiment, a flow table is issued to one or more forwarding nodes in the second path and the copied service is steered to the interception system by that flow table, which completes sending the copied service to the interception system over the second path.
In one optional embodiment, the second path is deleted after the copied service has been intercepted. In another optional embodiment, after the copied service has been intercepted, both the second path and the flow table are deleted, which clears the interception state and saves memory.
Step S102 above involves selecting the designated forwarding node from the first path that carries the service to be intercepted. In one optional implementation, this is done as follows: query all forwarding nodes included in the first path between the sending end and the receiving end of the service to be intercepted, and select the designated forwarding node from among them.
In one optional implementation, the copied service in step S106 above is obtained by the designated forwarding node copying the service to be intercepted.
From the description of the above implementations, a person skilled in the art will clearly understand that the method of the above embodiments may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation. On that basis, the technical solution of the present invention, in essence or in the part that contributes over the related art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention.
This embodiment also provides a service interception control apparatus, which is used to implement the foregoing embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 2 is a structural block diagram of a service interception control apparatus according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes: a selection module 22, configured to select, in a software-defined network, a designated forwarding node from a first path that carries the service to be intercepted, where the designated forwarding node is any forwarding node in the first path; an acquisition module 24, configured to obtain a second path from the designated forwarding node to the interception system; and a processing module 26, configured to control a copied service to be sent to the interception system over the second path, where the copied service is a service that matches the characteristics of the service to be intercepted.
FIG. 3 is a structural block diagram (1) of a service interception control apparatus according to an embodiment of the present invention. As shown in FIG. 3, the processing module 26 of the apparatus further includes: an issuing unit 262, configured to issue a flow table to one or more forwarding nodes in the second path; and a processing unit 264, configured to control, by means of the flow table, the copied service to be sent to the interception system.
FIG. 4 is a structural block diagram (2) of a service interception control apparatus according to an embodiment of the present invention. As shown in FIG. 4, in addition to all the modules shown in FIG. 2 the apparatus includes: a deletion module 42, configured to delete the second path after the copied service has been intercepted, or to delete the second path and the flow table after the copied service has been intercepted.
FIG. 5 is a structural block diagram (3) of a service interception control apparatus according to an embodiment of the present invention. As shown in FIG. 5, the selection module 22 of the apparatus further includes: a query unit 222, configured to query all forwarding nodes included in the first path between the sending end and the receiving end of the service to be intercepted; and a selection unit 224, configured to select the designated forwarding node from among them.
In one optional implementation, the copied service is obtained by the designated forwarding node copying the service to be intercepted.
It should be noted that each of the above modules may be implemented in software or hardware; a hardware implementation may be, but is not limited to, one in which all the modules are located in the same processor, or one in which the modules are located in several processors.
Embodiments of the present invention also provide a storage medium. Optionally, in this embodiment the storage medium may be configured to store program code for performing the following steps:
S1: in a software-defined network, selecting a designated forwarding node from a first path that carries the service to be intercepted, where the designated forwarding node is any forwarding node in the first path;
S2: obtaining a second path from the designated forwarding node to the interception system;
S3: controlling a copied service to be sent to the interception system over the second path, where the copied service is a service that matches the characteristics of the service to be intercepted.
Optionally, in this embodiment the storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium that can store program code.
Optionally, in this embodiment the processor executes S1, S2 and S3 above according to the program code stored in the storage medium.
Optionally, for specific examples in this embodiment reference may be made to the examples described in the above embodiments and optional implementations, which are not repeated here.
为了解决上述技术问题,本发明可选实施例基于软件定义网络提出一种监听技术方案,通过控制器设置相关转发设备的转发行为,来实现对特定通信业务的监听,无需单独对转发设备进行改造,无需在用户主机及网络服务器部署监听代理。
根据被监听对象的属性,可以得到待监听通信流量途径的路径,即转发节点的有序集合,可能有多条路径,本发明对每条路径的处理一样,此为相关相关技术。
本发明可选实施例提出了一种实现监听的方法,包括:
S1,从路径上选择一个任意转发节点作为监听点;
S2,向控制器查询该监听点和监听系统主机连接的转发节点之间的路径;
S3,向该监听点下发流表,将待监听流量复制并发送到监听系统。
下面结合附图对本发明可选实施例进行说明。
FIG. 6 is a schematic diagram of the monitoring system, the monitored object and the path corresponding to the monitored traffic according to an embodiment of the present invention. As shown in FIG. 6, all forwarding devices in the SDN network are controlled by the controller. There is a monitoring-system executor role, which exists as an App of the controller, interfaces with the controller and invokes the controller's programming interface to control network services; it is responsible for determining, according to the monitoring requirement, the parameters of the communicating hosts H1 and H2 at both ends of the communication and thereby determining the path. A communication service between host H1 and host H2 is the monitored object, and nodes 1, N-1, N, N+1, M form the forwarding path that carries that communication service.
There is a monitoring-system collector role, used to receive the monitored data.
The monitoring-system executor selects path node N as the monitoring point, establishes a path from the monitoring point to the monitoring-system collector, and starts monitoring. The path between node N and the monitoring-system collector is N, x-1, x, x+1.
FIG. 7 is a monitoring flowchart according to an embodiment of the present invention. As shown in FIG. 7, the flow includes:
Step 701: according to the monitoring requirement, acquire the host information and service information of both communicating ends. Using the host information, query the controller to obtain the forwarding nodes and ports to which the hosts at both ends are connected. Using the monitoring-system collector information, query to obtain the forwarding node and port to which the collector is connected.
Step 702: using the switch node and port information of both ends, query the controller to obtain the forwarding path between the two communicating ends: node 1, node N-1, node N, node N+1, node M.
Step 703: select node N in the path as the monitoring point.
Step 704: query the controller for the path between node N and the monitoring-system collector: node N, node x-1, node x, node x+1. According to the monitored service information, deliver flow table entries through the controller to the forwarding devices along that path other than M, generating a forwarding path so that the monitored packets can be sent to the monitoring-system collector.
Step 705: the monitoring-system executor starts monitoring by delivering, through the controller, a flow table entry to monitoring point N that copies packets matching the characteristics of the monitored service and sends the copied packets to node x-1. From then on, every forwarded packet that matches the monitored characteristics is sent to the monitoring-system collector.
Step 706: when monitoring is to be stopped, the monitoring-system executor deletes, through the controller, the flow table entry at monitoring point N that copies the monitored packets, thereby cancelling the monitoring.
Step 707: after monitoring has stopped, the monitoring-system executor deletes, through the controller, the flow table entries on the forwarding devices along the path (node x-1, node x, node x+1), removing the forwarding path from monitoring point N to the monitoring-system collector that was established in step 704 and clearing all traces of the monitoring.
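The procedure of steps 701 to 707 above (which the S1 to S3 outline and claims 1 to 4 restate in general terms), modelled end to end as an added example written for this page; it is not code from the patent or from the applicant. The eight-node topology, the host names H1, H2 and `collector`, the per-node list-of-tuples flow-table format, the dict-based header match and the BFS path query are all constructed assumptions standing in for a real controller's path service and flow-table API. The model keeps the order the text prescribes: the forwarding entries on the second path are installed before the copy entry at the tap is installed, and on teardown the copy entry is removed before the second-path entries, so no copied packet is ever emitted toward a path that does not yet (or no longer) exists. `leftover_entries` is the check a practitioner would run after step 707 to confirm the network really is back to its pre-monitoring state.

```python
"""Toy model of the SDN tap procedure in steps 701-707 (added example, not
code from the patent). Topology, host names, flow-table format and match
fields are constructed assumptions for illustration only."""
from collections import deque

# Constructed topology: forwarding nodes as an undirected adjacency map.
# H1 -> H2 runs n1..n5 (n3 plays "node N"); the collector hangs off n8,
# so n6, n7, n8 play nodes x-1, x, x+1 of the text.
TOPOLOGY = {
    "n1": ["n2"], "n2": ["n1", "n3"], "n3": ["n2", "n4", "n6"],
    "n4": ["n3", "n5"], "n5": ["n4"],
    "n6": ["n3", "n7"], "n7": ["n6", "n8"], "n8": ["n7"],
}
# Node each host / the collector attaches to (assumed result of step 701).
ATTACH = {"H1": "n1", "H2": "n5", "collector": "n8"}

def query_path(src_node, dst_node, topo=TOPOLOGY):
    """Controller path query: shortest-hop path as an ordered node list (BFS)."""
    prev, queue = {src_node: None}, deque([src_node])
    while queue:
        cur = queue.popleft()
        if cur == dst_node:
            break
        for nxt in topo[cur]:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst_node not in prev:
        return None
    path, node = [], dst_node
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]

class Controller:
    """Minimal controller: one flow table per node, entries are (match, actions).
    A match is a dict of header fields ({} matches everything); an action is
    ("output", target) or ("copy", target), target being a node or endpoint."""
    def __init__(self):
        self.flow_tables = {node: [] for node in TOPOLOGY}
    def add_flow(self, node, match, actions):
        self.flow_tables[node].append((dict(match), list(actions)))
    def delete_flows(self, node, match):
        self.flow_tables[node] = [(m, a) for m, a in self.flow_tables[node] if m != match]

def install_baseline(ctrl, path, dst_host):
    """Ordinary forwarding for the H1 -> H2 path, present before any tap."""
    for i, node in enumerate(path):
        nxt = path[i + 1] if i + 1 < len(path) else dst_host
        ctrl.add_flow(node, {}, [("output", nxt)])

def start_intercept(ctrl, src_host, dst_host, features, tap_index=None):
    """Steps 701-705: first path, tap selection, second path, entries, copy."""
    first_path = query_path(ATTACH[src_host], ATTACH[dst_host])        # 701-702
    idx = len(first_path) // 2 if tap_index is None else tap_index
    tap = first_path[idx]                                              # 703
    second_path = query_path(tap, ATTACH["collector"])                 # 704
    for i in range(1, len(second_path)):
        nxt = second_path[i + 1] if i + 1 < len(second_path) else "collector"
        ctrl.add_flow(second_path[i], features, [("output", nxt)])
    ctrl.add_flow(tap, features, [("copy", second_path[1])])           # 705
    return {"first_path": first_path, "tap": tap, "second_path": second_path}

def stop_intercept(ctrl, session, features):
    """Steps 706-707: remove the copy entry first, then the second-path entries."""
    ctrl.delete_flows(session["tap"], features)                        # 706
    for node in session["second_path"][1:]:                            # 707
        ctrl.delete_flows(node, features)

def leftover_entries(ctrl, features):
    """Teardown check: nodes still holding an entry that matches the tapped service."""
    return sorted(n for n, t in ctrl.flow_tables.items() if any(m == features for m, _ in t))

def matches(match, packet):
    return all(packet.get(k) == v for k, v in match.items())

def inject(ctrl, packet, ingress):
    """Simulate one packet entering at `ingress`; return the sorted list of
    endpoints reached by the packet or by any copy of it."""
    delivered, work = [], deque([(ingress, dict(packet))])
    while work:
        node, pkt = work.popleft()
        for match, actions in ctrl.flow_tables[node]:
            if not matches(match, pkt):
                continue
            for _kind, target in actions:
                if target in ATTACH:            # an attached host or the collector
                    delivered.append(target)
                else:
                    work.append((target, dict(pkt)))
    return sorted(delivered)
```

Run with a constructed service description such as `{"src": "H1", "dst": "H2", "proto": "tcp", "dport": 443}`: after `install_baseline` and `start_intercept`, a matching packet injected at n1 reaches both `H2` and `collector`, a packet on another port reaches only `H2`, and after `stop_intercept` the matching packet again reaches only `H2` while `leftover_entries` returns an empty list. Because every install and delete passes through the controller's API, that API is also the one place where all such taps can be logged and audited.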
In summary, the present invention selects, in a software-defined network, a designated forwarding node from a first path that carries the service to be monitored, where the designated forwarding node is any forwarding node in the first path; acquires a second path from the designated forwarding node to the monitoring system; and controls the sending of a copied service to the monitoring system via the second path, where the copied service is a service matching the characteristics of the service to be monitored. This solves the problem in the related art that the various monitoring means are all difficult to implement and limited in their application scenarios, and achieves the effect that service monitoring can be implemented without separately modifying the forwarding devices and without deploying monitoring agents on user hosts or network servers.
Obviously, those skilled in the art should understand that the above modules or steps of the present invention may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network of multiple computing devices; optionally, they may be implemented by program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be executed in an order different from that given here; or they may be made into individual integrated circuit modules, or multiple of the modules or steps may be made into a single integrated circuit module. Thus the present invention is not limited to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Industrial Applicability
By means of the embodiments of the present invention, a designated forwarding node is selected, in a software-defined network, from a first path that carries the service to be monitored, where the designated forwarding node is any forwarding node in the first path; a second path from the designated forwarding node to the monitoring system is acquired; and a copied service is controlled to be sent to the monitoring system via the second path, where the copied service is a service matching the characteristics of the service to be monitored. This solves the problem in the related art that the various monitoring means are all difficult to implement and limited in their application scenarios, and achieves the effect that service monitoring can be implemented without separately modifying the forwarding devices and without deploying monitoring agents on user hosts or network servers.

Claims (10)

  1. A service monitoring control method, comprising:
    in a software-defined network, selecting a designated forwarding node from a first path that carries a service to be monitored, wherein the designated forwarding node is any forwarding node in the first path;
    acquiring a second path from the designated forwarding node to a monitoring system;
    controlling a copied service to be sent to the monitoring system via the second path, wherein the copied service is a service matching the characteristics of the service to be monitored.
  2. The method according to claim 1, wherein controlling the copied service to be sent to the monitoring system via the second path comprises:
    delivering flow tables to one or more forwarding nodes in the second path;
    controlling, through the flow tables, the copied service to be sent to the monitoring system.
  3. The method according to claim 1 or claim 2, wherein the method further comprises:
    after the copied service has been monitored, deleting the second path; or,
    after the copied service has been monitored, deleting the second path and the flow tables.
  4. The method according to claim 1, wherein selecting the designated forwarding node from the first path that carries the service to be monitored comprises:
    querying all forwarding nodes included in the first path between the sender and the receiver of the service to be monitored;
    selecting the designated forwarding node from among all those forwarding nodes.
  5. The method according to any one of claims 1 to 4, wherein the copied service is obtained by the designated forwarding node copying the service to be monitored.
  6. A service monitoring control device, comprising:
    a selection module, configured to select, in a software-defined network, a designated forwarding node from a first path that carries a service to be monitored, wherein the designated forwarding node is any forwarding node in the first path;
    an acquisition module, configured to acquire a second path from the designated forwarding node to a monitoring system;
    a processing module, configured to control a copied service to be sent to the monitoring system via the second path, wherein the copied service is a service matching the characteristics of the service to be monitored.
  7. The device according to claim 6, wherein the processing module further comprises:
    a delivery unit, configured to deliver flow tables to one or more forwarding nodes in the second path;
    a processing unit, configured to control, through the flow tables, the copied service to be sent to the monitoring system.
  8. The device according to claim 6 or claim 7, wherein the device further comprises:
    a deletion module, configured to delete the second path after the copied service has been monitored; or,
    to delete the second path and the flow tables after the copied service has been monitored.
  9. The device according to claim 6, wherein the selection module further comprises:
    a query unit, configured to query all forwarding nodes included in the first path between the sender and the receiver of the service to be monitored;
    a selection unit, configured to select the designated forwarding node from among all those forwarding nodes.
  10. The device according to any one of claims 6 to 9, wherein the copied service is obtained by the designated forwarding node copying the service to be monitored.
PCT/CN2016/071212 2015-07-22 2016-01-18 Service monitoring control method and device WO2017012315A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510436064.0 2015-07-22
CN201510436064.0A CN106375266A (zh) 2015-07-22 2015-07-22 Service monitoring control method and device

Publications (1)

Publication Number Publication Date
WO2017012315A1 true WO2017012315A1 (zh) 2017-01-26

Family

ID=57834848

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/071212 WO2017012315A1 (zh) 2015-07-22 2016-01-18 Service monitoring control method and device

Country Status (2)

Country Link
CN (1) CN106375266A (zh)
WO (1) WO2017012315A1 (zh)


Also Published As

Publication number Publication date
CN106375266A (zh) 2017-02-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16827009

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16827009

Country of ref document: EP

Kind code of ref document: A1