WO2017118430A1 - Method and device for packet error detection - Google Patents

Method and device for packet error detection Download PDF

Info

Publication number
WO2017118430A1
WO2017118430A1 PCT/CN2017/070507 CN2017070507W WO2017118430A1 WO 2017118430 A1 WO2017118430 A1 WO 2017118430A1 CN 2017070507 W CN2017070507 W CN 2017070507W WO 2017118430 A1 WO2017118430 A1 WO 2017118430A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
packet
outgoing
inbound
packets
Prior art date
Application number
PCT/CN2017/070507
Other languages
French (fr)
Chinese (zh)
Inventor
吕正勇
刘佳
骆文
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2017118430A1 publication Critical patent/WO2017118430A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0823Errors, e.g. transmission errors

Definitions

  • the present disclosure relates to the field of data communications, for example, to a method and apparatus for implementing message error detection.
  • Network devices of a wide variety and quantity in networks such as carrier networks, enterprise networks, and Internet networks, such as broadband remote access server (BRAS) devices, access/core router devices, and access/core switch devices , three-layer switch equipment and various optical network equipment.
  • BRAS broadband remote access server
  • These network devices run IP network protocols and build a world based on IP network protocols by interconnecting them.
  • BRAS broadband remote access server
  • BRAS broadband remote access server
  • the communication link with area C the communication link between area A and area B, the packet field that should not change due to the IP link problem such as high packet loss rate of the router or switch, system problem, etc.
  • the above system problem may be caused by the failure of the system software or hardware, or the external environment affecting the system performance (such as electromagnetic interference) and other factors affecting the normal transmission of the message. If the message field that should not be changed is changed, for example, the IP address field is modified, the message will be delivered to the wrong destination address, and finally discarded as a bad packet, affecting the normal communication of the network.
  • the network size When the network size is small, after an error packet is found, it can be judged by experienced technicians whether the network device may have problems. Restart the network device that may be faulty, reconnect the network, or replace the network device. And other methods to solve the problem of packet error.
  • the network size is increased to a certain extent, it is very difficult to determine whether the packet has an error.
  • the accuracy of the judgment based on the error packet based on the experience of the network device is greatly reduced.
  • One attempt, and each attempt may cause a complete network interruption, affecting the normal communication of the network. For large-scale Internet networks, it is very difficult to determine the error of a message.
  • the present disclosure provides a method and apparatus for implementing packet error detection, which can It is enough to determine whether an error has occurred in the message when the network size is increased.
  • the present disclosure provides a method for implementing packet error detection, including:
  • the decomposed data block is distributed to two or more pre-established analysis nodes;
  • Each analysis node matches the inbound packet and the outgoing packet in the inbound packet to the data packet that is distributed to itself, and determines the packet that is not in error;
  • the inbound and outbound packets remaining in addition to the packets that are not erroneous are re-allocated according to the preset policy, and the inbound and outbound packets are continued.
  • the matching of the changed part should not occur until all the packets that do not match successfully are in the same analysis node, and it is determined that the packet with no matching success is incorrect.
  • the detected network is a network of one or more network devices.
  • the obtaining the inbound packet and the outgoing packet sent by the detected network may include:
  • the inbound message and the outgoing message are configured to be copied on the network device of the detected network;
  • the optical splitting of the incoming packet and the outgoing packet is performed by the optical splitter of the detected network.
  • storing the inbound packet and the outgoing packet that are transmitted by the detected network may include:
  • the obtained inbound message and the outgoing message are respectively stored in the form of a binary file.
  • the stored inbound packet and the outgoing packet are respectively decomposed into corresponding data blocks, which may include:
  • the stored outgoing message is decomposed into corresponding data blocks according to a preset fixed value or a preset interval value.
  • the stored inbound packet and the outgoing packet are respectively decomposed into corresponding data blocks, which may include:
  • the current data block size is greater than a minimum value of the preset interval value, and the data block size of the next message is less than or equal to the maximum value of the preset interval value, the current data block is added to the next report.
  • the data block of the text is used as a decomposed data block.
  • the re-assignment of the inbound and outbound packets, except for the packets that are not in error, according to the preset policy may include:
  • one or more analysis nodes are sequentially selected, and the remaining inbound packets and outgoing packets of the selected analysis node are distributed to other analysis nodes.
  • the method further includes: distinguishing each packet in the data block.
  • the distinguishing between the packets in the data block may include:
  • each packet in the data block is distinguished by the length of the recorded packet.
  • the inbound packet and the outgoing packet are not changed, and may include:
  • the method before determining that an unmatched packet has an error, the method further includes:
  • the method further includes: performing packet learning on the content of the differentiated field included in the incoming packet and the outgoing packet that should not be changed;
  • the packet learning result obtained by obtaining the content of the distinguishing field included in the incoming message and the outgoing message should not be changed in the incoming message and the outgoing message in the message learning result.
  • the packets matching the matching fields are filtered, and the matching of the changed packets in the incoming packets and the outgoing packets is performed on the remaining packets.
  • determining the message that is not in error may include:
  • Each analysis node performs hash mapping and reduction calculation on the inbound message and the outgoing message respectively included in the data block distributed to itself;
  • the inbound and outbound packets of the inbound and outbound packets that are used for the mapping and the grammar calculations are not matched in the inbound and outbound packets, and the inbound and outbound packets corresponding to the successfully matched key-value pairs are determined.
  • the text is a message that has not gone wrong.
  • culling the determined unerrored message may include:
  • the inbound packet and the outgoing packet that are sent by the detected network are sent to the inbound packet and the outgoing packet that are transmitted by the detected network in the preset time span.
  • the method further includes:
  • the packets whose time attributes in the time interval TR are not matched in the current time span are detected, and are stored in the inbound and outgoing packets of the detected network stored in the next time span T. In the middle, the message is checked.
  • the method further includes: distinguishing the inbound message and the outgoing message.
  • the present disclosure further provides a system for implementing packet error detection, including: a processing device and two or more analysis nodes; wherein
  • the processing device includes: a storage unit, a decomposition distribution unit, and a re-segment unit; wherein
  • Obtaining a storage unit configured to acquire and store an inbound message and an outgoing message transmitted by the detected network
  • the decomposition distribution unit is configured to respectively decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data blocks to the pre-established analysis nodes;
  • the re-segment unit is configured to re-allocate the remaining inbound packets and the outgoing packets in addition to the packets that are determined to be in error according to the preset policy.
  • Each analysis node includes a matching unit, a culling unit, and a determining unit;
  • the matching unit is configured to perform an inbound message and an outgoing message in the data block distributed to itself.
  • the part that should not be changed should be matched to determine the message that has not been erroneous;
  • a culling unit configured to reject the determined unerrored message
  • the determining unit is configured to determine that all the packets that are not successfully matched are in themselves, and determine that the packets that are not successfully matched are incorrect.
  • the detected network is a network of one or more network devices.
  • the disclosure further provides a processing device for implementing packet error detection, comprising: acquiring a storage unit, decomposing a distribution unit, and a re-segment unit;
  • Obtaining a storage unit configured to acquire and store an inbound message and an outgoing message transmitted by the detected network
  • the decomposition distribution unit is configured to respectively decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data blocks to the pre-established analysis nodes;
  • the re-segment unit is configured to re-allocate the remaining inbound packets and the outgoing packets in addition to the packets that are determined to be in error according to the preset policy.
  • the obtaining storage unit can be configured as,
  • the inbound packet and the outgoing packet are configured to be copied on the network device of the detected network, and the inbound packet transmitted by the detected detected network is configured.
  • Outbound message storage
  • the optical splitter of the detected network performs the optical splitting of the incoming packet and the outgoing packet, and the inbound packet transmitted by the detected network of the split optical replica is transmitted. And outgoing messages are stored.
  • the obtaining storage unit can be configured as,
  • the inbound packet and the outgoing packet transmitted by the detected network are obtained, and the obtained incoming packet and the outgoing packet are respectively stored in the form of a binary file.
  • the decomposition distribution unit can be configured to
  • the decomposed data blocks are distributed to the pre-established analysis nodes for message error detection.
  • the decomposition distribution unit can be configured to
  • the current data block size is smaller than the preset fixed value, and the next message data block size is greater than the preset fixed value, the current data block is subjected to complementary digital processing, so that the data after the complementary digital processing is completed
  • the block size is equal to the preset fixed value, and the data block that completes the digital processing is used as the decomposed data block;
  • the current data block size is greater than a minimum value of the preset interval value, and the data block size of the next message is less than or equal to the maximum value of the preset interval value, the current data block is added to the next report.
  • the data block of the text is used as a decomposed data block;
  • the decomposed data blocks are distributed to the pre-established analysis nodes for message error detection.
  • the processing device further includes a distinguishing unit configured to distinguish each of the packets in the data block.
  • the distinguishing unit can be configured to
  • each packet in the data block is distinguished by the length of the recorded packet.
  • the re-segment unit may be configured to: after rejecting the error-free message determined by each analysis node, select one or more analysis nodes one by one, and select the remaining inbound message and the outgoing direction of the selected analysis node. Messages are distributed to other analysis nodes.
  • the inbound packet and the outgoing packet sent by the detected network are inbound packets and outgoing packets transmitted by the detected network within a preset time span
  • the processing device further includes a boundary processing unit configured to The packets whose time attributes in the time interval TR are not matched in the current time span are detected, and are stored in the inbound and outgoing packets of the detected network stored in the next time span T. In the middle, the message is checked.
  • the processing device further includes an inbound and outbound distinguishing unit configured to distinguish the inbound message from the outgoing message.
  • the disclosure further provides an analysis node that implements packet error detection, including a matching unit, a culling unit, and a determining unit;
  • the matching unit is configured to perform inbound and outbound messages on the received data block.
  • the change part is matched to determine the message that has not been erroneous;
  • a culling unit configured to reject the determined unerrored message
  • the determining unit is configured to determine that all the packets that are not successfully matched are in themselves, and determine that the packets that do not match successfully are incorrect.
  • the matching unit may be configured to, for the inbound message and the outgoing message in the data block distributed to itself,
  • the analyzing node further includes a filtering unit, configured to filter an outgoing message actively sent by the detected network and an incoming report sent to the detected network before determining that a packet that is not successfully matched has an error. Text.
  • a filtering unit configured to filter an outgoing message actively sent by the detected network and an incoming report sent to the detected network before determining that a packet that is not successfully matched has an error. Text.
  • the analysis node further includes a message learning unit and a learning filtering unit.
  • the message learning unit is configured to: when the common message of the packet transmitted by the detected network is used, perform packet learning on the content of the distinguishing field included in the incoming message and the outgoing message;
  • the learning filtering unit is configured to obtain the packet learning result of the distinguishing field content included in the incoming message and the outgoing message, and should not be included in the incoming message and the outgoing message in the message learning result.
  • the packet that matches the matching field included in the changed part is filtered, and the remaining packets are sent to the matching unit to perform matching in the incoming packet and the outgoing packet.
  • the matching unit can be configured to
  • the inbound and outbound packets of the inbound and outbound packets that are used for the mapping and the grammar calculations are not matched in the inbound and outbound packets, and the inbound and outbound packets corresponding to the successfully matched key-value pairs are determined.
  • the text is a message that has not gone wrong.
  • the culling unit may be configured to determine the matching according to the hash calculated mapping The position of the corresponding inbound message and the outgoing message in the data block of the successful key value pair is subjected to the culling process.
  • the present disclosure also provides a non-transitory computer readable storage medium storing computer executable instructions arranged to perform the above method.
  • the present disclosure also provides an electronic device, including:
  • At least one processor At least one processor
  • the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to cause the at least one processor to perform the method described above.
  • the technical solution of the present disclosure includes: separately decomposing the stored inbound message and the outgoing message into corresponding data blocks, and distributing the two to two or more analysis nodes that are pre-established; The data block that is distributed to itself is matched with the non-changing part of the incoming message and the outgoing message, and the error-free message is determined; the remaining inbound direction except the message that determines the error is re-allocated according to the preset policy. Packets and outgoing packets, and the matching between the incoming packets and the outgoing packets should not be changed until all the packets that are not successfully matched are in the same analysis node. .
  • the disclosed method performs matching of the portion that should not be changed, thereby realizing the detection of the error message.
  • FIG. 1 is a flowchart of a method for implementing packet error detection according to the present disclosure
  • FIG. 2 is a structural diagram of a system for implementing packet error detection according to the present disclosure
  • FIG. 3 is a structural block diagram of a processing apparatus for implementing packet error detection according to the present disclosure
  • FIG. 4 is a structural block diagram of an analysis node for implementing packet error detection according to the present disclosure
  • Figure 5 is a flowchart of a method of the first embodiment of the present disclosure
  • Figure 6 is a flow chart of a method according to a second embodiment of the present disclosure.
  • Figure 7 is a flowchart of a method of a third embodiment of the present disclosure.
  • Figure 8 is a flow chart of a method according to a fourth embodiment of the present disclosure.
  • FIG. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
  • FIG. 1 is a flowchart of a method for implementing packet error detection according to the present disclosure. As shown in FIG. 1, the method includes:
  • Step 100 Acquire and store an inbound packet and an outgoing packet transmitted by the detected network.
  • the detected network is a network composed of one or more network devices.
  • the inbound and outbound packets transmitted by the detected network may be obtained, and may include:
  • the inbound and outbound packets and the outgoing packets are configured on the network device of the detected network.
  • the optical splitting of the incoming packet and the outgoing packet is performed by the optical splitter of the detected network.
  • Storing the inbound and outbound packets transmitted by the detected network may include:
  • the obtained inbound message and outgoing message are stored in the form of a binary file.
  • Step 101 Decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data block to two or more pre-established analysis nodes;
  • the stored inbound packet and the outgoing packet are respectively decomposed into corresponding data blocks, which may include:
  • the stored outgoing message is decomposed into corresponding data blocks according to a preset fixed value or a preset interval value.
  • Decomposing the stored inbound and outbound packets into corresponding data blocks, respectively, may include:
  • the current data block size is smaller than the preset fixed value, and the next message data block size is greater than the preset fixed value, the current data block is subjected to complementary digital processing, so that the data block size after the completion of the complementary digital processing is equal to the pre- A fixed value is set, and the data block that completes the digital processing is used as the decomposed data block; or
  • the current data block size is greater than the minimum value of the preset interval value, and the data block size of the next message is less than or equal to the maximum value of the preset interval value, the current data block is added to the data block of the next message. As a decomposed data block.
  • next message refers to the corresponding incoming message or outgoing message, that is, the data block of the incoming message.
  • the next message must be an incoming message, and the next block of the outgoing message must be an outgoing message.
  • Step 102 Each analysis node performs matching on the inbound packet and the outgoing packet in the data packet distributed to itself, and determines the packet that is not in error;
  • the incoming packet and the outgoing packet are not changed, and may include:
  • the feature value of the content of the extracted inbound message that should not be changed is matched with the feature value of the content of the extracted outgoing message that should not change.
  • the matching means that the content or the feature value is the same.
  • Identify the packets that have not gone wrong which can include:
  • Each analysis node performs hash mapping and reduction calculation on the inbound message and the outgoing message respectively included in the data block distributed to itself;
  • the inbound and outbound packets of the inbound and outbound packets that are used for the mapping and the grammar calculations are not matched in the inbound and outbound packets, and the inbound and outbound packets corresponding to the successfully matched key-value pairs are determined.
  • the text is a message that has not gone wrong.
  • Step 103 After removing the error-free packets determined by each analysis node, reallocating according to the preset policy In addition to determining the inbound and outbound messages remaining in the error-free message, and continuing the match between the incoming message and the outgoing message, the matching part should not be changed until all the unmatched messages are in the same analysis. When a node is determined, it is determined that an unmatched packet has an error.
  • the re-assignment of the inbound and outbound packets, except for the packets that are determined to be in error, according to the preset policy may include:
  • one or more analysis nodes are sequentially selected, and the remaining inbound packets and outgoing messages of the selected analysis node are distributed to other analysis nodes.
  • one or more analysis nodes may be selected one by one, and one analysis node may be selected, and the inbound and outbound messages remaining in the analysis node except the unidentified message are equally divided into other analysis nodes; You can also select two, three, half analysis nodes, and even more analysis nodes. The selected analysis nodes are divided into other analysis nodes except for the inbound packets and outgoing packets.
  • Excluding the determined unerrored messages may include:
  • the location of the corresponding incoming message and the outgoing message in the data block is determined according to the hash-calculated mapping, and the culling process is performed.
  • the mapping calculation when the mapping calculation is performed, the inbound packet and the outgoing packet are extracted from the data block and mapped into the hash list. Since the mapping calculation is required, the incoming packet and the outgoing packet are in the data block. The offset in is the default parameter.
  • the disclosed method also includes distinguishing between pieces of messages in the data block.
  • the distinguishing between the packets in the data block may include: distinguishing each incoming message in the data block of the incoming message; and sending out the outgoing message in the data block of the outgoing message. Make a distinction.
  • Differentiating each packet in a data block may include:
  • each packet in the data block is distinguished by the length of the recorded packet.
  • the disclosed method further includes:
  • the time may be set according to the network configuration and performance.
  • the method of the disclosure further includes: performing packet learning on the content of the distinguishing field included in the incoming packet and the outgoing packet that should not be changed;
  • the difference between the incoming message and the outgoing message in the incoming message should not be changed.
  • the matched packets are filtered, and the matching packets in the incoming packets and outgoing packets should not be matched in the outgoing packets.
  • the distinguished field included in the outgoing packet matches the packet indicating that the partial packet is an error.
  • the method for storing the inbound packet and the outgoing packet transmitted by the detected network is the inbound packet and the outgoing packet transmitted by the detected network in the preset time span.
  • the method further includes:
  • the packets whose time attributes in the time interval (TR) are not matched in the current time span are detected, and are stored in the inbound packet and the outgoing direction of the detected network stored in the next time span (T).
  • T is mainly calculated according to the size of the decomposed data block divided by the flow rate.
  • the data block size is mainly set according to the system performance, and the flow rate is set according to the system capacity; TR is mainly set according to the network delay condition, and the TR value is set. Generally no more than 2 minutes.
  • the method of the present disclosure may use a hash algorithm to perform matching between the inbound message and the outgoing message, and the length of the packet, the time attribute, and the offset of the message in the database during the matching process.
  • the amount can be stored by keyword.
  • the method of the present disclosure also includes: distinguishing between an incoming message and an outgoing message.
  • the disclosed method By storing, decomposing and distributing the inbound message and the outgoing message, the disclosed method performs matching of the portion that should not be changed, thereby realizing the detection of the error message.
  • FIG. 2 is a structural diagram of a system for implementing packet error detection according to the present disclosure. As shown in FIG. 2, the method includes: a processing device and two or more analysis nodes; wherein
  • the processing device includes: a storage unit, a decomposition distribution unit, and a re-segment unit; wherein
  • Obtaining a storage unit configured to acquire and store an inbound message and an outgoing message transmitted by the detected network
  • the decomposition distribution unit is configured to respectively decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data blocks to the pre-established analysis nodes;
  • the re-segment unit is configured to re-allocate the remaining inbound packets and the outgoing packets in addition to the packets that are determined to be in error according to the preset policy.
  • Each analysis node includes a matching unit, a culling unit, and a determining unit;
  • the matching unit is configured to perform matching on the inbound packet and the outgoing packet in the data packet distributed to itself, and determine the packet that is not in error;
  • a culling unit configured to reject the determined unerrored message
  • the determining unit is configured to determine that all the packets that are not successfully matched are in themselves, and determine that the packets that are not successfully matched are incorrect.
  • the detected network is a network of one or more network devices.
  • the method includes: acquiring a storage unit, decomposing a distribution unit, and a re-segment unit;
  • Obtaining a storage unit configured to acquire and store an inbound message and an outgoing message transmitted by the detected network
  • Obtaining a storage unit can be configured to
  • the inbound and outbound packets transmitted by the detected network are configured to be stored in the network device of the network to be detected, and the inbound and outbound packets transmitted by the detected network are configured to be stored;
  • the optical splitter of the detected network performs the optical splitting of the incoming packet and the outgoing packet, and stores the incoming packet and the outgoing packet transmitted by the detected network.
  • Obtaining a storage unit can be configured to
  • the decomposition distribution unit is configured to respectively decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data blocks to the pre-established analysis nodes;
  • the decomposition distribution unit can be configured to
  • the decomposed data blocks are distributed to the pre-established analysis nodes for message error detection.
  • the decomposition distribution unit can be configured to
  • the current data block size is smaller than the preset fixed value, and the next message data block size is greater than the preset fixed value, the current data block is subjected to complementary digital processing, so that the data block size after the completion of the complementary digital processing is equal to the pre- A fixed value is set, and the data block that completes the digital processing is used as the decomposed data block; or
  • the current data block size is greater than the minimum value of the preset interval value, and the data block size of the next message is less than or equal to the maximum value of the preset interval value, the current data block is added to the data block of the next message.
  • the current data block is added to the data block of the next message.
  • the decomposed data blocks are distributed to the pre-established analysis nodes for message error detection.
  • the re-segment unit is configured to re-allocate the remaining inbound packets and the outgoing packets in addition to the packets that are determined to be in error according to the preset policy.
  • the re-segment unit may be configured to, after rejecting the unerrored message determined by each analysis node, successively select one or more analysis nodes, and distribute the remaining inbound and outbound messages of the selected analysis node to other analysis. node.
  • the disclosed processing apparatus further includes a distinguishing unit configured to distinguish between pieces of messages in the data block.
  • the distinguishing unit can be configured to
  • each packet in the data block is distinguished by the length of the recorded packet.
  • the disclosed processing apparatus further includes a boundary processing unit configured to set the current time The packets whose time attributes are in the time boundary (TR) are detected in the packets that are not matched in the span, and are stored in the inbound and outgoing packets of the detected network that is stored in the next time span (T). , the message error detection.
  • TR time boundary
  • T next time span
  • the disclosed processing apparatus further includes an inbound and outbound distinguishing unit configured to distinguish between an incoming message and an outgoing message.
  • the method includes a matching unit, a culling unit, and a determining unit.
  • the matching unit is configured to match the inbound packet of the received data block with the unchanged portion of the outgoing packet, and determine the packet that is not erroneous;
  • the matching unit may be configured to, for the inbound message and the outgoing message in the data block distributed to itself,
  • the feature value of the content of the extracted inbound message that should not be changed is matched with the feature value of the content of the extracted outgoing message that should not change.
  • a culling unit configured to reject the determined unerrored message
  • the determining unit is configured to determine that all the packets that are not successfully matched are in themselves, and determine that the packets that do not match successfully are incorrect.
  • the present disclosure analysis node further includes a filtering unit configured to filter the outgoing message actively sent by the detected network and the incoming message sent to the detected network before the packet with the unmatched success is determined to be in error.
  • the disclosed analysis node further includes a message learning unit and a learning filtering unit.
  • the packet learning unit is configured to perform packet learning on the content of the distinguishing field included in the incoming packet and the outgoing packet in the incoming packet and the outgoing packet when the packet is detected by the detected network;
  • the learning filtering unit is configured to obtain the packet learning result of the distinguishing field content included in the incoming message and the outgoing message, and should not be included in the incoming message and the outgoing message in the message learning result.
  • the packets matching the matching fields included in the change part are filtered, and the remaining packets are sent to the matching unit to perform matching between the incoming packets and the outgoing packets.
  • the matching unit can be configured to
  • the inbound and outbound packets of the inbound and outbound packets that are used for the mapping and the grammar calculations are not matched in the inbound and outbound packets, and the inbound and outbound packets corresponding to the successfully matched key-value pairs are determined.
  • the text is a message that has not gone wrong.
  • the culling unit may be configured to determine, according to the hash calculated mapping, the location of the incoming message and the outgoing message in the data block corresponding to the successfully matched key value pair for culling processing.
  • the detected network when the packet is detected, the detected network may be a network composed of one or more network devices, and the network device may be a router or a switch.
  • the inbound packet and the outgoing packet transmitted by the detected network are obtained.
  • the inbound packet and the outgoing packet are separately stored; the storage mode can be performed in the form of a file, and each incoming packet or outgoing packet is stored with corresponding packet content, time attribute, and packet. Flow direction information, etc.; after the stored message is decomposed into data blocks according to a preset decomposition strategy, the decomposed data block is sent to two or more analysis nodes for inbound and outgoing messages.
  • the matching of the changed part determines whether the packet has an error by the matching result.
  • FIG. 5 is a flowchart of a method according to a first embodiment of the present disclosure. As shown in FIG. 5, the method includes:
  • Step 500 Acquire and store the inbound packet and the outgoing packet transmitted by the detected network.
  • the packet flowing through the detected network is differentiated according to the inflow interface and the outbound interface, and then copied and stored in the form of a binary file. ;
  • the inbound and outbound packets and the outgoing packets may be configured on the network device; if the optical device is in the optical device, the inflow is on the optical splitter.
  • the incoming packet and the outgoing outgoing packet are split-spectrum.
  • the time attribute ie, transmission time
  • the flow direction information of the packet the length of the packet, and the like
  • the like may be stored. Check the error in the message.
  • Step 501 Decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data block to two or more pre-established analysis nodes;
  • each packet in the data block is distinguished by the length of the recorded packet; the length of each packet is added in the preset position by, for example, recording the length of the packet in an int before recording a packet, and then adding Corresponding report
  • each message is distinguished according to the length of the recorded message, and the message is read based on the difference of the message.
  • this embodiment in order to ensure load balancing of each analysis node, this embodiment first needs to determine the size of each data block, and the data block size is generally determined by the performance of the analysis node, and the data block size is generally 2 to the power of N; currently, A general PC can satisfy the matching of the inbound packet data block and the outgoing packet data block with the data block size of 64M.
  • This embodiment is decomposed into the stored inbound packet according to a preset fixed value or a preset interval value.
  • the preset fixed value is 64M.
  • the current data block size is less than 64M, the current data block is added to the size of the next message. If it is greater than 64M, the current data block is supplemented with digital processing. For example, the process of supplementing the number of digits of 0 is such that the data block that completes the zero-padding process reaches 64M as a decomposed data block; the next message is decomposed into the next data block. in.
  • the preset interval value needs to be limited first.
  • the preset interval value is set to be a reasonable size from 63M to 65M, that is, the current data block is added to the size of the next message.
  • the current data block is added to the data block of the next message as the decomposed data block.
  • the number of the analysis nodes is generally determined according to the traffic volume of the network port to be detected. When the average network traffic reaches 1 Gigabit, an analysis node needs to change the inbound and outbound packets. Partial match.
  • Step 502 Each analysis node performs matching on the inbound packet and the outgoing packet in the data block distributed to itself, and determines the packet that is not in error;
  • the change does not change from the incoming network device to the outgoing network device, and the content does not change, that is, if the link does not occur on the network, the incoming packet is sent.
  • the message field that should not change in the middle part of the message field and the message field that should not change in the outgoing message part are the same.
  • the message is determined to have no error; for example, the network is assumed. If the message transmitted by the device should not change, the content of the message is [0x10, 0x20, 0x30].
  • the device that detects the error of the packet obtains an incoming message, the content of the change should not be [0x10, 0x20, 0x30]; The device for error detection of the packet determines that the packet does not have an error according to the matching of the incoming packet and the outgoing packet. In this embodiment, if the packet should not change, the transmission occurs during the transmission. If the change is made, for example, the outgoing message obtained becomes [0x10, 0x20, 0x31], at this time, The device that detects the error of the packet cannot match the outgoing packet with the same change as the incoming packet, and determines that the packet has an error.
  • Different types of packets may be different in the field of the message field that does not change when the network device transmits the information, and may be determined according to common knowledge of those skilled in the art.
  • the changed message field refers to the message except that the change does not occur.
  • the content of the text field, such as the TTL field of the IP packet, is legally modified by the network device during transmission (for example, a router for the network device at this time).
  • the matching between the incoming message and the outgoing message should not be changed.
  • the content of the incoming message should not be changed, and the content of the outgoing message should not be changed.
  • Loading the unchanged part of the incoming message into the first list, loading the outgoing part of the outgoing message into the second list, and the order of loading into the list is generally sorted by time.
  • the outbound packets in the second list are matched one by one to match the inbound packets in the first list until the inbound packets of the same content are matched.
  • the matching between the incoming message and the outgoing message should not be changed.
  • the feature value can be extracted separately after the change should not be made in the incoming message and the change should not be made in the outgoing message.
  • the feature value extracted in the packet should not match the feature value extracted in the outgoing packet, and the feature value extracted from the outgoing packet can be improved.
  • the method of extracting the eigenvalues can be implemented by calculating the hash value.
  • the eigenvalues of the packets are mapped to the packets in the matching process.
  • the hash calculation is used as an example.
  • the eigenvalues of the packets and the packets are corresponding.
  • the VALUE value and the KEY value corresponding to the message in the hash table may be separately stored, and the VALUE value is successfully matched according to the matching of the KEY value, thereby determining that the message is successfully matched.
  • the position offset of each packet can be calculated, and when the inbound packet and the outgoing packet are hashed, the position offset of each packet is calculated. According to the position offset, the message that determines that no error has occurred is deleted from the hash calculation.
  • the method in this embodiment further includes:
  • the obtained hash value may be the same, the source port, and/or destination port is mainly for TCP/UDP.
  • the message when the message is hashed, if the message is long, the message can be segmented and then hashed, and the hash value calculated by the segmentation is used as the feature value of the message. There should be no matching part of the incoming message and the outgoing message.
  • Step 503 After the undue error message determined by each analysis node is removed, one or more analysis nodes are selected one by one, and the remaining inbound packets and outgoing packets of the selected analysis node are distributed to other analysis nodes, and the continuation is performed. The match between the incoming packet and the outgoing packet should not be changed until all the packets that do not match successfully are in the same analysis node.
  • FIG. 6 is a flowchart of a method according to a second embodiment of the present disclosure. As shown in FIG. 6, the method includes:
  • Step 600 Acquire and store an inbound packet and an outgoing packet transmitted by the detected network.
  • Step 601 Decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data block to two or more pre-established analysis nodes;
  • Step 602 Each analysis node performs mapping and reduction calculation on the inbound message and the outgoing message included in the data block distributed to itself.
  • Step 603 Perform matching on the inbound and outbound messages of the inbound and outbound packets for completing the mapping and the protocol calculation, and remove the unchanged packets from the data block.
  • the culling of the message that determines that no error has occurred can be implemented by the method of position offset calculation in Embodiment 1, that is, the message in which no error occurs in the data block is determined by the position offset to perform the culling process.
  • step 604 one or more analysis nodes are selected one by one, and the remaining inbound packets and outgoing packets of the selected analysis node are distributed to other analysis nodes, and the inbound and outbound messages are not changed. Partial matches until all unmatched messages are on the same analysis node.
  • Step 605 Filter the outgoing packets that are sent by the detected network and the incoming packets that are sent to the detected network, and obtain the packets that determine the error.
  • step 605 can be processed before the matching of the incoming message and the outgoing message should not be changed, thereby reducing data transmission and improving matching efficiency.
  • the inbound packet and the outgoing packet transmitted by the detected network are stored according to the time span T.
  • the stored inbound packet and the outgoing packet may be stored in files stored in different time spans.
  • a time-boundary TR is used to prevent incoming packets and outgoing packets from appearing in files stored in different time spans.
  • the unmatched packets in the time boundary are added to the stored inbound traffic of the next time span according to the flow direction. Text and outgoing messages.
  • FIG. 7 is a flowchart of the method according to the third embodiment of the present disclosure. As shown in FIG. 7, the method includes:
  • Step 700 Acquire and store an inbound packet and an outgoing packet transmitted by the detected network.
  • the Nth packet is successfully added in the step S700;
  • Step 701 Decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data block to two or more pre-established analysis nodes;
  • Step 702 Each analysis node performs mapping and reduction calculation on the inbound message and the outgoing message included in the data block distributed to itself.
  • Step 703 Perform matching on the inbound and outbound messages of the inbound and outbound packets that complete the mapping and the protocol calculation, and remove the unchanged packets from the data block.
  • Step 704 Select one or more analysis nodes one by one, and distribute the remaining inbound packets and outgoing packets of the selected analysis node to other analysis nodes, and continue to perform inbound and outbound messages. Partial matching, until all the packets that do not match successfully are in the same analysis node, it is determined that the packet with no matching success is incorrect.
  • Step 705 Filter the outgoing packets that are sent by the detected network and the incoming packets that are sent to the detected network, and obtain the packets that determine the error.
  • Step 706 The packet whose time attribute in the time interval TR is not matched in the current time span is detected, and is stored in the inbound packet of the detected network stored in the next time span T. In the outgoing message, the message is checked for error.
  • the matching efficiency is too low. You can improve the matching efficiency by learning common packets. The number of common packets is large, the content is fixed, and the packets are abnormal. Possibility is low.
  • the packet learning is mainly for special distinguishing fields in the incoming and outgoing packets that should not change, including protocols and/or lengths and/or flags, for example, a large number of TCP SYNs.
  • the parameters carried by the message are almost the same, such as the length, SYN flag, and so on.
  • the obtaining unit extracts the distinguishing field of the protocol and/or the length and/or the flag bit, and does not occur in the incoming packet and the outgoing packet.
  • the distinguishing field extracted by the change part is matched after the packet learning; the matching is successful, and it is determined that the packet does not have an error. If the match fails, the packet is not a common packet.
  • the method in the first embodiment is used to match the inbound packet and the outgoing packet in the inbound packet to determine whether the packet has an error.
  • whether the packet learning of the distinguishing field is performed may be analyzed by a person skilled in the art to analyze the frequency and quantity of the packet, and when the packet learning is determined by analysis, the presence or absence of the packet is monitored. When the part of the packet is detected, the packet learning is automatically triggered.
  • FIG. 8 is a flowchart of a method according to a fourth embodiment of the present disclosure. As shown in FIG. 8, the method includes:
  • Step 800 Acquire and store an inbound packet and an outgoing packet transmitted by the detected network.
  • Step 801 Decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data block to two or more pre-established analysis nodes;
  • Step 802 Each analysis node performs mapping and reduction calculation on the inbound message and the outgoing message included in the data block distributed to itself.
  • Step 803 Each analysis node extracts a distinguishing field in the inbound and outbound messages that should not change, and performs packet learning on the differentiated field.
  • Step 804 Match the distinguishing field of the packet learning; if the matching is successful, go to step 8050; if the matching fails, go to step 8060;
  • Step 8050 Determine that the packet matching the successfully matched packet is a packet with no error, and remove the packet that determines that no error occurs in the data block.
  • step 8060 a matching part of the incoming message and the outgoing message is not matched, and the packet that does not have an error is determined.
  • the inbound packet and the outgoing packet that are sent to the detected network and the detected network are sent by the detected network.
  • Step 8061 After each of the analysis nodes culls the determined unerrored message, one or more analysis nodes are sequentially selected, and the remaining inbound and outgoing packets of the selected analysis node are distributed to other analysis nodes, and the continuation is continued. The match between the incoming packet and the outgoing packet should not be changed until all the packets that do not match successfully are in the same analysis node.
  • the present disclosure also provides a non-transitory computer readable storage medium storing computer executable instructions arranged to perform the method of any of the above embodiments.
  • the present disclosure also provides a schematic structural diagram of an electronic device.
  • the electronic device includes:
  • At least one processor 90 which is exemplified by a processor 90 in FIG. 9; and a memory 91, may further include a communication interface 92 and a bus 93.
  • the processor 90, the communication interface 92, and the memory 91 can complete communication with each other through the bus 93.
  • Communication interface 92 can be used for information transfer.
  • Processor 90 can invoke logic instructions in memory 91 to perform the methods of the above-described embodiments.
  • logic instructions in the memory 91 described above may be implemented in the form of a software functional unit and sold or used as a stand-alone product, and may be stored in a computer readable storage medium.
  • the memory 91 is a computer readable storage medium and can be used to store a software program, a computer executable program, and a program instruction/module corresponding to the method in the embodiment of the present invention.
  • the processor 90 executes the function application and the data processing by executing the software program, the instruction and the module stored in the memory 91, that is, the method for implementing the message error detection in the above method embodiment.
  • the memory 91 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function; the storage data area may store data created according to usage of the terminal device, and the like.
  • the memory 91 may include a high speed random access memory, and may also include Non-volatile memory.
  • the technical solution of the embodiment of the present invention may be embodied in the form of a software product stored in a storage medium, including one or more instructions for causing a computer device (which may be a personal computer, a server, or a network) The device or the like) performs all or part of the steps of the method described in the embodiments of the present invention.
  • the foregoing storage medium may be a non-transitory storage medium, including: a USB flash drive, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and the like.
  • the method and apparatus for implementing message error detection of the present disclosure implements detection of an error message.

Landscapes

  • Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Disclosed are a method and device for packet error detection. The method comprises: decomposing stored incoming packets and outgoing packets respectively into corresponding data blocks, and distributing the same to two or more pre-established analysis nodes; the analysis nodes performing, on the data blocks distributed thereto, matching of the parts of the incoming packets and outgoing packets that should be unchanged, to determine error-free packets; reallocating, according to a preset policy, and excluding those packets which are determined to be error-free, the remaining incoming packets and outgoing packets, and continuing to perform matching of the parts of the incoming packets and outgoing packets that should be unchanged, until all unmatched packets are at the same analysis node, at which point it is determined that errors have occurred in the unmatched packets. The method disclosed in the present invention enables detection of packets in which errors have occurred, by storing, decomposing and distributing incoming packets and outgoing packets and then matching the parts that should be unchanged.

Description

一种实现报文检错的方法及装置Method and device for realizing message error detection 技术领域Technical field
本公开涉及数据通信领域,例如涉及一种实现报文检错的方法及装置。The present disclosure relates to the field of data communications, for example, to a method and apparatus for implementing message error detection.
背景技术Background technique
在运行商网络、企业网络、以及互联网网络等网络中涉及种类和数量都十分庞大的网络设备,例如:宽带远程接入服务器(BRAS)设备、接入/核心路由器设备、接入/核心交换机设备、三层交换机设备和各种光网络设备等。这些网络设备运行IP网络协议,通过相互连接构建了一个基于IP网络协议的世界。报文经过网络设备传输时部分报文字段是不应发生变化的,而在报文传输过程中则可能发生报文错误的情况;以企业网络为例,假设存在区域A与区域B、区域A与区域C的通信链路,区域A和区域B之间的通信链路由于路由器或交换机的丢包率高、系统问题等IP链路问题使不应发生变化的报文字段在区域A和区域B之间传输时发生变化,造成报文错误的问题,影响正常通信。上述系统问题可能是系统软件或硬件存在故障、或外部环境影响系统工作性能(比如电磁干扰)等影响报文正常传输的问题。如果不应发生变化的报文字段被改变,例如IP地址字段被修改,则报文会被投递到错误的目的地址,最终作为坏包丢弃,影响网络的正常通信。Network devices of a wide variety and quantity in networks such as carrier networks, enterprise networks, and Internet networks, such as broadband remote access server (BRAS) devices, access/core router devices, and access/core switch devices , three-layer switch equipment and various optical network equipment. These network devices run IP network protocols and build a world based on IP network protocols by interconnecting them. When a packet is transmitted over a network device, part of the packet field should not be changed. In the case of packet transmission, a packet error may occur. Taking the enterprise network as an example, assume that there are area A, area B, and area A. The communication link with area C, the communication link between area A and area B, the packet field that should not change due to the IP link problem such as high packet loss rate of the router or switch, system problem, etc. in area A and area A change occurs during transmission between B, causing a message error and affecting normal communication. The above system problem may be caused by the failure of the system software or hardware, or the external environment affecting the system performance (such as electromagnetic interference) and other factors affecting the normal transmission of the message. If the message field that should not be changed is changed, for example, the IP address field is modified, the message will be delivered to the wrong destination address, and finally discarded as a bad packet, affecting the normal communication of the network.
当网络规模不大时,发现错误报文后,一般可以由经验丰富的技术人员根据经验判断是否网络设备可能存在的问题,通过重启可能存在问题的网络设备、重新进行网络连接、或更换网络设备等方法进行报文出错问题的解决。当网络规模增大到一定程度时,如何确定报文是否发生错误变得十分困难,基于错误报文依据经验进行网络设备是否存在问题的判断准确程度也大大降低,解决错误报文问题需要进行多次尝试,而每次尝试都可能造成网络彻底中断,影响网络的正常通信。对于规模庞大的互联网网络而言,确定报文发生错误非常困难。When the network size is small, after an error packet is found, it can be judged by experienced technicians whether the network device may have problems. Restart the network device that may be faulty, reconnect the network, or replace the network device. And other methods to solve the problem of packet error. When the network size is increased to a certain extent, it is very difficult to determine whether the packet has an error. The accuracy of the judgment based on the error packet based on the experience of the network device is greatly reduced. One attempt, and each attempt may cause a complete network interruption, affecting the normal communication of the network. For large-scale Internet networks, it is very difficult to determine the error of a message.
发明内容Summary of the invention
为了解决上述技术问题,本公开提供一种实现报文检错的方法及装置,能 够在网络规模增大的情况下,确定报文是否发生错误。In order to solve the above technical problem, the present disclosure provides a method and apparatus for implementing packet error detection, which can It is enough to determine whether an error has occurred in the message when the network size is increased.
本公开提供了一种实现报文检错的方法,包括:The present disclosure provides a method for implementing packet error detection, including:
获取并存储被检测网络传输的入向报文和出向报文;Acquiring and storing the inbound packet and the outgoing packet transmitted by the detected network;
将存储的入向报文和出向报文分别分解为相应的数据块后,分发分解的数据块到预先建立的两个或两个以上分析节点;After the stored inbound message and the outgoing message are respectively decomposed into corresponding data blocks, the decomposed data block is distributed to two or more pre-established analysis nodes;
各分析节点对分发给自身的数据块进行入向报文与出向报文的中不应发生变化部分进行匹配,确定未出错的报文;Each analysis node matches the inbound packet and the outgoing packet in the inbound packet to the data packet that is distributed to itself, and determines the packet that is not in error;
剔除各分析节点确定的未出错的报文后,按照预设策略重新分配除确定未出错的报文外剩余的入向报文和出向报文,并继续进行入向报文与出向报文中不应发生变化部分的匹配,直至所有未匹配成功的报文在同一分析节点时,确定未匹配成功的报文发生错误;After the undue error message determined by each analysis node is removed, the inbound and outbound packets remaining in addition to the packets that are not erroneous are re-allocated according to the preset policy, and the inbound and outbound packets are continued. The matching of the changed part should not occur until all the packets that do not match successfully are in the same analysis node, and it is determined that the packet with no matching success is incorrect.
所述被检测网络为由一个或一个以上网络设备构成的网络。The detected network is a network of one or more network devices.
可选的,获取被检测网络传输的入向报文和出向报文,可以包括:Optionally, the obtaining the inbound packet and the outgoing packet sent by the detected network may include:
当所述网络设备为电口设备时,通过所述被检测网络的网络设备上配置复制所述入向报文和所述出向报文;When the network device is an electrical interface device, the inbound message and the outgoing message are configured to be copied on the network device of the detected network;
当所述网络设备为光口设备时,通过所述被检测网络的分光器进行所述入向报文和所述出向报文的分光复制。When the network device is an optical port device, the optical splitting of the incoming packet and the outgoing packet is performed by the optical splitter of the detected network.
可选的,存储被检测网络传输的入向报文和出向报文,可以包括:Optionally, storing the inbound packet and the outgoing packet that are transmitted by the detected network may include:
将获取的所述入向报文和所述出向报文分别按照二进制文件的形式进行存储。The obtained inbound message and the outgoing message are respectively stored in the form of a binary file.
可选的,将存储的入向报文和出向报文分别分解为相应的数据块,可以包括:Optionally, the stored inbound packet and the outgoing packet are respectively decomposed into corresponding data blocks, which may include:
将存储的入向报文按照预设的固定值或预设的区间值分解为相应的数据块;Decomposing the stored inbound packet into a corresponding data block according to a preset fixed value or a preset interval value;
将存储的出向报文按照预设的固定值或预设的区间值分解为相应的数据块。The stored outgoing message is decomposed into corresponding data blocks according to a preset fixed value or a preset interval value.
可选的,将存储的入向报文和出向报文分别分解为相应的数据块,可以包括:Optionally, the stored inbound packet and the outgoing packet are respectively decomposed into corresponding data blocks, which may include:
当当前数据块大小小于预设的固定值,且加上下一条报文数据块大小大于 所述预设的固定值,则将所述当前数据块进行补充数位处理,使完成补充数位处理后的数据块大小等于所述预设的固定值,将完成补充数位处理的数据块作为分解的数据块;或,When the current data block size is smaller than the preset fixed value, and the next message data block size is greater than And the preset fixed value is used to perform the complementary digital processing on the current data block, so that the data block size after the completion of the supplemental digital processing is equal to the preset fixed value, and the data block that completes the complementary digital processing is used as the decomposition. Data block; or,
当当前数据块大小大于预设的区间值的最小值,且加上下一条报文的数据块大小小于或等于所述预设的区间值的最大值,则将所述当前数据块加上下一条报文的数据块作为分解的数据块。When the current data block size is greater than a minimum value of the preset interval value, and the data block size of the next message is less than or equal to the maximum value of the preset interval value, the current data block is added to the next report. The data block of the text is used as a decomposed data block.
可选的,按照预设策略重新分配除确定未出错的报文外剩余的入向报文和出向报文,可以包括:Optionally, the re-assignment of the inbound and outbound packets, except for the packets that are not in error, according to the preset policy, may include:
剔除各分析节点确定的未出错的报文后,逐次选择一个或一个以上分析节点,将选择的分析节点的所述剩余的入向报文和出向报文分发到其他分析节点。After the undue error message determined by each analysis node is removed, one or more analysis nodes are sequentially selected, and the remaining inbound packets and outgoing packets of the selected analysis node are distributed to other analysis nodes.
可选的,该方法还包括:对所述数据块中的各条报文进行区分。Optionally, the method further includes: distinguishing each packet in the data block.
可选的,对所述数据块中的各条报文进行区分,可以包括:Optionally, the distinguishing between the packets in the data block may include:
在数据块的预设位置记录各报文长度,通过记录的报文长度区分所述数据块中的各条报文。The length of each packet is recorded in a preset position of the data block, and each packet in the data block is distinguished by the length of the recorded packet.
可选的,将入向报文与出向报文中不应发生变化部分进行匹配,可以包括:Optionally, the inbound packet and the outgoing packet are not changed, and may include:
将所述入向报文中不应发生变化部分的内容与出向报文中所述不应发生变化部分的内容进行匹配;或,Matching the content of the incoming message in the incoming message with the content of the outgoing message that should not change; or
提取所述入向报文中不应发生变化部分的内容的特征值和所述出向报文中不应发生变化部分的内容的特征值;Extracting, in the inbound message, a feature value of the content of the change portion and a feature value of the content of the outgoing message that should not change;
将提取的所述入向报文中不应发生变化部分的内容的特征值与提取的所述出向报文中不应发生变化部分的内容的特征值进行匹配。And extracting, in the extracted inbound message, the feature value of the content that should not be changed, and the extracted feature value of the content of the outgoing message that should not change.
可选的,确定未匹配成功的报文发生错误前,该方法还包括:Optionally, before determining that an unmatched packet has an error, the method further includes:
过滤所述被检测网络主动发出的出向报文和发送给所述被检测网络的入向报文。And filtering an outgoing packet sent by the detected network and an incoming packet sent to the detected network.
可选的,当所述被检测网络传输的报文的常见报文时,该方法还包括:对入向报文和出向报文中不应发生变化部分包含的区分字段内容进行报文学习;Optionally, when the packet of the packet transmitted by the detected network is a common packet, the method further includes: performing packet learning on the content of the differentiated field included in the incoming packet and the outgoing packet that should not be changed;
通过获得入向报文和出向报文中不应发生变化部分包含的区分字段内容的报文学习结果对报文学习结果中入向报文和出向报文中不应发生变化部分包含 的区分字段匹配的报文进行过滤,对剩余的报文进行所述入向报文和出向报文中不应发生变化部分的匹配。The packet learning result obtained by obtaining the content of the distinguishing field included in the incoming message and the outgoing message should not be changed in the incoming message and the outgoing message in the message learning result. The packets matching the matching fields are filtered, and the matching of the changed packets in the incoming packets and the outgoing packets is performed on the remaining packets.
可选的,确定未出错的报文,可以包括:Optionally, determining the message that is not in error may include:
各分析节点对分发给自身的数据块中包含的入向报文和出向报文分别进行哈希映射及归约计算;Each analysis node performs hash mapping and reduction calculation on the inbound message and the outgoing message respectively included in the data block distributed to itself;
对完成映射及规约计算的入向报文和出向报文进行入向报文与出向报文的中不应发生变化部分的匹配,确定匹配成功的键值对对应的入向报文和出向报文为未出错的报文。The inbound and outbound packets of the inbound and outbound packets that are used for the mapping and the grammar calculations are not matched in the inbound and outbound packets, and the inbound and outbound packets corresponding to the successfully matched key-value pairs are determined. The text is a message that has not gone wrong.
可选的,剔除确定的未出错的报文,可以包括:Optionally, culling the determined unerrored message may include:
根据所述哈希计算的映射确定所述匹配成功的键值对对应的入向报文和出向报文在数据块中的位置,并进行剔除处理。Determining, according to the mapping calculated by the hash, the location of the inbound message and the outgoing message in the data block corresponding to the key pair that is successfully matched, and performing the culling process.
可选的,存储被检测网络传输的入向报文和出向报文为预设时间跨度内被检测网络传输的入向报文和出向报文,该方法还包括:Optionally, the inbound packet and the outgoing packet that are sent by the detected network are sent to the inbound packet and the outgoing packet that are transmitted by the detected network in the preset time span. The method further includes:
将当前时间跨度内未匹配成功的报文中时间属性在时间边界TR内的报文检出,并存储到下一个时间跨度T存储的所述被检测网络传输的入向报文和出向报文中,进行报文检错。The packets whose time attributes in the time interval TR are not matched in the current time span are detected, and are stored in the inbound and outgoing packets of the detected network stored in the next time span T. In the middle, the message is checked.
可选的,该方法之前还包括:区分所述入向报文和出向报文。Optionally, the method further includes: distinguishing the inbound message and the outgoing message.
另一方面,本公开还提供一种实现报文检错的系统,包括:处理装置和两个或两个以上分析节点;其中,In another aspect, the present disclosure further provides a system for implementing packet error detection, including: a processing device and two or more analysis nodes; wherein
处理装置包括:获取存储单元、分解分发单元及重分单元;其中,The processing device includes: a storage unit, a decomposition distribution unit, and a re-segment unit; wherein
获取存储单元,被配置为获取并存储被检测网络传输的入向报文和出向报文;Obtaining a storage unit, configured to acquire and store an inbound message and an outgoing message transmitted by the detected network;
分解分发单元,被配置为将存储的入向报文和出向报文分别分解为相应的数据块后,分发分解的数据块到预先建立的各分析节点;The decomposition distribution unit is configured to respectively decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data blocks to the pre-established analysis nodes;
重分单元,被配置为各分析节点剔除确定的未出错的报文后,按照预设策略重新分配除确定未出错的报文外剩余的入向报文和出向报文;The re-segment unit is configured to re-allocate the remaining inbound packets and the outgoing packets in addition to the packets that are determined to be in error according to the preset policy.
各分析节点包括匹配单元、剔除单元及确定单元;其中,Each analysis node includes a matching unit, a culling unit, and a determining unit; wherein
匹配单元,被配置为对分发给自身的数据块进行入向报文与出向报文的中 不应发生变化部分进行匹配,确定未出错的报文;The matching unit is configured to perform an inbound message and an outgoing message in the data block distributed to itself. The part that should not be changed should be matched to determine the message that has not been erroneous;
剔除单元,被配置为剔除确定的未出错的报文;a culling unit configured to reject the determined unerrored message;
确定单元,被配置为确定所有未匹配成功的报文均在自身时,确定未匹配成功的报文发生错误;The determining unit is configured to determine that all the packets that are not successfully matched are in themselves, and determine that the packets that are not successfully matched are incorrect.
所述被检测网络为由一个或一个以上网络设备构成的网络。The detected network is a network of one or more network devices.
再一方面,本公开还提供一种实现报文检错的处理装置,包括:获取存储单元、分解分发单元及重分单元;其中,In a further aspect, the disclosure further provides a processing device for implementing packet error detection, comprising: acquiring a storage unit, decomposing a distribution unit, and a re-segment unit;
获取存储单元,被配置为获取并存储被检测网络传输的入向报文和出向报文;Obtaining a storage unit, configured to acquire and store an inbound message and an outgoing message transmitted by the detected network;
分解分发单元,被配置为将存储的入向报文和出向报文分别分解为相应的数据块后,分发分解的数据块到预先建立的各分析节点;The decomposition distribution unit is configured to respectively decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data blocks to the pre-established analysis nodes;
重分单元,被配置为各分析节点剔除确定的未出错的报文后,按照预设策略重新分配除确定未出错的报文外剩余的入向报文和出向报文;The re-segment unit is configured to re-allocate the remaining inbound packets and the outgoing packets in addition to the packets that are determined to be in error according to the preset policy.
可选的,获取存储单元可以被配置为,Optionally, the obtaining storage unit can be configured as,
当所述网络设备为电口设备时,通过所述被检测网络的网络设备上配置复制所述入向报文和所述出向报文,将配置复制的被检测网络传输的入向报文和出向报文进行存储;When the network device is an electrical interface device, the inbound packet and the outgoing packet are configured to be copied on the network device of the detected network, and the inbound packet transmitted by the detected detected network is configured. Outbound message storage;
当所述网络设备为光口设备时,通过所述被检测网络的分光器进行所述入向报文和所述出向报文的分光复制,将分光复制的被检测网络传输的入向报文和出向报文进行存储。When the network device is an optical interface device, the optical splitter of the detected network performs the optical splitting of the incoming packet and the outgoing packet, and the inbound packet transmitted by the detected network of the split optical replica is transmitted. And outgoing messages are stored.
可选的,获取存储单元可以被配置为,Optionally, the obtaining storage unit can be configured as,
获取被检测网络传输的入向报文和出向报文,将获取的所述入向报文和所述出向报文分别按照二进制文件的形式进行存储。The inbound packet and the outgoing packet transmitted by the detected network are obtained, and the obtained incoming packet and the outgoing packet are respectively stored in the form of a binary file.
可选的,分解分发单元可以被配置为,Optionally, the decomposition distribution unit can be configured to
将存储的入向报文按照预设的固定值或预设的区间值分解为相应的数据块;和,Decomposing the stored inbound message into corresponding data blocks according to a preset fixed value or a preset interval value; and,
将存储的出向报文按照预设的固定值或预设的区间值分解为相应的数据块; Decomposing the stored outgoing message into a corresponding data block according to a preset fixed value or a preset interval value;
分发分解的数据块到预先建立的各分析节点进行报文检错。The decomposed data blocks are distributed to the pre-established analysis nodes for message error detection.
可选的,分解分发单元可以被配置为,Optionally, the decomposition distribution unit can be configured to
当当前数据块大小小于预设的固定值,且加上下一条报文数据块大小大于所述预设的固定值,则将所述当前数据块进行补充数位处理,使完成补充数位处理后的数据块大小等于所述预设的固定值,将完成补充数位处理的数据块作为分解的数据块;或,When the current data block size is smaller than the preset fixed value, and the next message data block size is greater than the preset fixed value, the current data block is subjected to complementary digital processing, so that the data after the complementary digital processing is completed The block size is equal to the preset fixed value, and the data block that completes the digital processing is used as the decomposed data block; or
当当前数据块大小大于预设的区间值的最小值,且加上下一条报文的数据块大小小于或等于所述预设的区间值的最大值,则将所述当前数据块加上下一条报文的数据块作为分解的数据块;When the current data block size is greater than a minimum value of the preset interval value, and the data block size of the next message is less than or equal to the maximum value of the preset interval value, the current data block is added to the next report. The data block of the text is used as a decomposed data block;
分发分解的数据块到预先建立的各分析节点进行报文检错。The decomposed data blocks are distributed to the pre-established analysis nodes for message error detection.
可选的,该处理装置还包括区分单元,被配置为对所述数据块中的各条报文进行区分。Optionally, the processing device further includes a distinguishing unit configured to distinguish each of the packets in the data block.
可选的,区分单元可以被配置为,Optionally, the distinguishing unit can be configured to
在数据块的预设位置记录各报文长度,通过记录的报文长度区分所述数据块中的各条报文。The length of each packet is recorded in a preset position of the data block, and each packet in the data block is distinguished by the length of the recorded packet.
可选的,重分单元可以被配置为,剔除各分析节点确定的未出错的报文后,逐次选择一个或一个以上分析节点,将选择的分析节点的所述剩余的入向报文和出向报文分发到其他分析节点。Optionally, the re-segment unit may be configured to: after rejecting the error-free message determined by each analysis node, select one or more analysis nodes one by one, and select the remaining inbound message and the outgoing direction of the selected analysis node. Messages are distributed to other analysis nodes.
可选的,存储被检测网络传输的入向报文和出向报文为预设时间跨度内被检测网络传输的入向报文和出向报文,该处理装置还包括边界处理单元,被配置为将当前时间跨度内未匹配成功的报文中时间属性在时间边界TR内的报文检出,并存储到下一个时间跨度T存储的所述被检测网络传输的入向报文和出向报文中,进行报文检错。Optionally, the inbound packet and the outgoing packet sent by the detected network are inbound packets and outgoing packets transmitted by the detected network within a preset time span, and the processing device further includes a boundary processing unit configured to The packets whose time attributes in the time interval TR are not matched in the current time span are detected, and are stored in the inbound and outgoing packets of the detected network stored in the next time span T. In the middle, the message is checked.
可选的,该处理装置还包括入向出向区分单元,被配置为区分所述入向报文和出向报文。Optionally, the processing device further includes an inbound and outbound distinguishing unit configured to distinguish the inbound message from the outgoing message.
还一方面,本公开还提供一种实现报文检错的分析节点,包括匹配单元、剔除单元及确定单元;其中,In an aspect, the disclosure further provides an analysis node that implements packet error detection, including a matching unit, a culling unit, and a determining unit;
匹配单元,被配置为对接收的数据块进行入向报文与出向报文的中不应发 生变化部分进行匹配,确定未出错的报文;The matching unit is configured to perform inbound and outbound messages on the received data block. The change part is matched to determine the message that has not been erroneous;
剔除单元,被配置为剔除确定的未出错的报文;a culling unit configured to reject the determined unerrored message;
确定单元,被配置为确定所有未匹配成功的报文均在自身时,确定未匹配成功的报文发生错误。The determining unit is configured to determine that all the packets that are not successfully matched are in themselves, and determine that the packets that do not match successfully are incorrect.
可选的,匹配单元可以被配置为,对分发给自身的数据块中的入向报文和出向报文,Optionally, the matching unit may be configured to, for the inbound message and the outgoing message in the data block distributed to itself,
将所述入向报文中不应发生变化部分的内容与出向报文中所述不应发生变化部分的内容进行匹配;或,Matching the content of the incoming message in the incoming message with the content of the outgoing message that should not change; or
提取所述入向报文中不应发生变化部分的内容的特征值和所述出向报文中不应发生变化部分的内容的特征值;Extracting, in the inbound message, a feature value of the content of the change portion and a feature value of the content of the outgoing message that should not change;
将提取的所述入向报文中不应发生变化部分的内容的特征值与提取的所述出向报文中不应发生变化部分的内容的特征值进行匹配。And extracting, in the extracted inbound message, the feature value of the content that should not be changed, and the extracted feature value of the content of the outgoing message that should not change.
可选的,该分析节点还包括过滤单元,被配置为确定未匹配成功的报文发生错误前,过滤所述被检测网络主动发出的出向报文和发送给所述被检测网络的入向报文。Optionally, the analyzing node further includes a filtering unit, configured to filter an outgoing message actively sent by the detected network and an incoming report sent to the detected network before determining that a packet that is not successfully matched has an error. Text.
可选的,该分析节点还包括报文学习单元和学习过滤单元,Optionally, the analysis node further includes a message learning unit and a learning filtering unit.
报文学习单元,被配置为当所述被检测网络传输的报文的常见报文时,对入向报文和出向报文中不应发生变化部分包含的区分字段内容进行报文学习;The message learning unit is configured to: when the common message of the packet transmitted by the detected network is used, perform packet learning on the content of the distinguishing field included in the incoming message and the outgoing message;
学习过滤单元,被配置为通过获得入向报文和出向报文中不应发生变化部分包含的区分字段内容的报文学习结果对报文学习结果中入向报文和出向报文中不应发生变化部分包含的区分字段匹配的报文进行过滤,对剩余的报文发送到匹配单元进行所述入向报文和出向报文中不应发生变化部分的匹配。The learning filtering unit is configured to obtain the packet learning result of the distinguishing field content included in the incoming message and the outgoing message, and should not be included in the incoming message and the outgoing message in the message learning result. The packet that matches the matching field included in the changed part is filtered, and the remaining packets are sent to the matching unit to perform matching in the incoming packet and the outgoing packet.
可选的,匹配单元可以被配置为,Optionally, the matching unit can be configured to
对接收的数据块中包含的入向报文和出向报文进行哈希映射及归约计算;Performing hash mapping and reduction calculation on the incoming message and the outgoing message included in the received data block;
对完成映射及规约计算的入向报文和出向报文进行入向报文与出向报文的中不应发生变化部分的匹配,确定匹配成功的键值对对应的入向报文和出向报文为未出错的报文。The inbound and outbound packets of the inbound and outbound packets that are used for the mapping and the grammar calculations are not matched in the inbound and outbound packets, and the inbound and outbound packets corresponding to the successfully matched key-value pairs are determined. The text is a message that has not gone wrong.
可选的,剔除单元可以被配置为,根据所述哈希计算的映射确定所述匹配 成功的键值对对应的入向报文和出向报文在数据块中的位置,以进行剔除处理。Optionally, the culling unit may be configured to determine the matching according to the hash calculated mapping The position of the corresponding inbound message and the outgoing message in the data block of the successful key value pair is subjected to the culling process.
本公开还提供了一种非暂态计算机可读存储介质,存储有计算机可执行指令,所述计算机可执行指令设置为执行上述方法。The present disclosure also provides a non-transitory computer readable storage medium storing computer executable instructions arranged to perform the above method.
本公开还提供了一种电子设备,包括:The present disclosure also provides an electronic device, including:
至少一个处理器;以及At least one processor;
与所述至少一个处理器通信连接的存储器;其中,a memory communicatively coupled to the at least one processor; wherein
所述存储器存储有可被所述至少一个处理器执行的指令,所述指令被所述至少一个处理器执行,以使所述至少一个处理器执行上述的方法。The memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to cause the at least one processor to perform the method described above.
与相关技术相比,本公开技术方案包括:将存储的入向报文和出向报文分别分解为相应的数据块后,分发到预先建立的两个或两个以上分析节点;各分析节点对分发给自身的数据块进行入向报文与出向报文的中不应发生变化部分进行匹配,确定未出错的报文;按照预设策略重新分配除确定未出错的报文外剩余的入向报文和出向报文,并继续进行入向报文与出向报文中不应发生变化部分的匹配,直至所有未匹配成功的报文在同一分析节点时,确定未匹配成功的报文发生错误。本公开方法通过将入向报文和出向报文进行存储、分解和分发后,进行不应发生变化部分的匹配,实现了对发生错误报文的检测。Compared with the related art, the technical solution of the present disclosure includes: separately decomposing the stored inbound message and the outgoing message into corresponding data blocks, and distributing the two to two or more analysis nodes that are pre-established; The data block that is distributed to itself is matched with the non-changing part of the incoming message and the outgoing message, and the error-free message is determined; the remaining inbound direction except the message that determines the error is re-allocated according to the preset policy. Packets and outgoing packets, and the matching between the incoming packets and the outgoing packets should not be changed until all the packets that are not successfully matched are in the same analysis node. . By storing, decomposing and distributing the inbound message and the outgoing message, the disclosed method performs matching of the portion that should not be changed, thereby realizing the detection of the error message.
附图概述BRIEF abstract
此处所说明的附图用来提供对本公开的理解,构成本公开的一部分,本公开的示意性实施例及其说明用于解释本公开,并不构成对本公开的不当限定。在附图中:The drawings described herein are intended to provide an understanding of the present disclosure, and are intended to be a part of this disclosure. In the drawing:
图1为本公开实现报文检错的方法的流程图;1 is a flowchart of a method for implementing packet error detection according to the present disclosure;
图2为本公开实现报文检错的系统的结构程图;2 is a structural diagram of a system for implementing packet error detection according to the present disclosure;
图3为本公开实现报文检错的处理装置的结构框图;3 is a structural block diagram of a processing apparatus for implementing packet error detection according to the present disclosure;
图4为本公开实现报文检错的分析节点的结构框图;4 is a structural block diagram of an analysis node for implementing packet error detection according to the present disclosure;
图5为本公开第一实施例的方法流程图; Figure 5 is a flowchart of a method of the first embodiment of the present disclosure;
图6为本公开第二实施例的方法流程图;Figure 6 is a flow chart of a method according to a second embodiment of the present disclosure;
图7为本公开第三实施例的方法流程图;Figure 7 is a flowchart of a method of a third embodiment of the present disclosure;
图8为本公开第四实施例的方法流程图;以及Figure 8 is a flow chart of a method according to a fourth embodiment of the present disclosure;
图9是本公开实施例提供的电子设备的结构示意图。FIG. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
具体实施方式detailed description
为使本公开的技术方案和优点更加清楚明白,下文中将结合附图对本公开的实施例进行详细说明。需要说明的是,在不冲突的情况下,本公开中的实施例及实施例中的特征可以相互任意组合。In order to make the technical solutions and advantages of the present disclosure more apparent, the embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments in the present disclosure and the features in the embodiments may be arbitrarily combined with each other without conflict.
图1为本公开实现报文检错的方法的流程图,如图1所示,包括:FIG. 1 is a flowchart of a method for implementing packet error detection according to the present disclosure. As shown in FIG. 1, the method includes:
步骤100、获取并存储被检测网络传输的入向报文和出向报文;这里,被检测网络为由一个或一个以上网络设备构成的网络。Step 100: Acquire and store an inbound packet and an outgoing packet transmitted by the detected network. Here, the detected network is a network composed of one or more network devices.
本步骤中,获取被检测网络传输的入向报文和出向报文,可以包括:In this step, the inbound and outbound packets transmitted by the detected network may be obtained, and may include:
当网络设备为电口设备时,通过被检测网络的网络设备上配置复制入向报文和出向报文;When the network device is an electrical interface device, the inbound and outbound packets and the outgoing packets are configured on the network device of the detected network.
当网络设备为光口设备时,通过被检测网络的分光器进行入向报文和出向报文的分光复制。When the network device is an optical interface device, the optical splitting of the incoming packet and the outgoing packet is performed by the optical splitter of the detected network.
存储被检测网络传输的入向报文和出向报文,可以包括:Storing the inbound and outbound packets transmitted by the detected network may include:
将获取的入向报文和出向报文分别按照二进制文件的形式进行存储。The obtained inbound message and outgoing message are stored in the form of a binary file.
步骤101、将存储的入向报文和出向报文分别分解为相应的数据块后,分发分解的数据块到预先建立的两个或两个以上分析节点;Step 101: Decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data block to two or more pre-established analysis nodes;
本步骤中,将存储的入向报文和出向报文分别分解为相应的数据块,可以包括:In this step, the stored inbound packet and the outgoing packet are respectively decomposed into corresponding data blocks, which may include:
将存储的入向报文按照预设的固定值或预设的区间值分解为相应的数据块;Decomposing the stored inbound packet into a corresponding data block according to a preset fixed value or a preset interval value;
将存储的出向报文按照预设的固定值或预设的区间值分解为相应的数据块。The stored outgoing message is decomposed into corresponding data blocks according to a preset fixed value or a preset interval value.
将存储的入向报文和出向报文分别分解为相应的数据块,可以包括: Decomposing the stored inbound and outbound packets into corresponding data blocks, respectively, may include:
当当前数据块大小小于预设的固定值,且加上下一条报文数据块大小大于预设的固定值,则将当前数据块进行补充数位处理,使完成补充数位处理后的数据块大小等于预设的固定值,将完成补充数位处理的数据块作为分解的数据块;或,When the current data block size is smaller than the preset fixed value, and the next message data block size is greater than the preset fixed value, the current data block is subjected to complementary digital processing, so that the data block size after the completion of the complementary digital processing is equal to the pre- A fixed value is set, and the data block that completes the digital processing is used as the decomposed data block; or
当当前数据块大小大于预设的区间值的最小值,且加上下一条报文的数据块大小小于或等于预设的区间值的最大值,则将当前数据块加上下一条报文的数据块作为分解的数据块。When the current data block size is greater than the minimum value of the preset interval value, and the data block size of the next message is less than or equal to the maximum value of the preset interval value, the current data block is added to the data block of the next message. As a decomposed data block.
需要说明的是,入向报文的数据块和出向报文的数据块是分开进行分解的,下一条报文是指相应的入向报文或出向报文,即入向报文的数据块的下一条报文必定是入向报文,出向报文的数据块的下一条必定是出向报文。It should be noted that the data block of the incoming message and the data block of the outgoing message are separately decomposed, and the next message refers to the corresponding incoming message or outgoing message, that is, the data block of the incoming message. The next message must be an incoming message, and the next block of the outgoing message must be an outgoing message.
步骤102、各分析节点对分发给自身的数据块进行入向报文与出向报文的中不应发生变化部分进行匹配,确定未出错的报文;Step 102: Each analysis node performs matching on the inbound packet and the outgoing packet in the data packet distributed to itself, and determines the packet that is not in error;
本步骤中,将入向报文与出向报文中不应发生变化部分进行匹配,可以包括:In this step, the incoming packet and the outgoing packet are not changed, and may include:
将入向报文中不应发生变化部分的内容与出向报文中不应发生变化部分的内容进行匹配;或,Matching the content of the inbound message that should not change with the content of the outgoing message that should not change; or,
提取入向报文中不应发生变化部分的内容的特征值和出向报文中不应发生变化部分的内容的特征值;Extracting feature values of content that should not change in the incoming message and feature values of content that should not change in the outgoing message;
将提取的入向报文中不应发生变化部分的内容的特征值与提取的出向报文中不应发生变化部分的内容的特征值进行匹配。The feature value of the content of the extracted inbound message that should not be changed is matched with the feature value of the content of the extracted outgoing message that should not change.
需要说明的是,这里的匹配是指内容或特征值相同。It should be noted that the matching here means that the content or the feature value is the same.
确定未出错的报文,可以包括:Identify the packets that have not gone wrong, which can include:
各分析节点对分发给自身的数据块中包含的入向报文和出向报文分别进行哈希映射及归约计算;Each analysis node performs hash mapping and reduction calculation on the inbound message and the outgoing message respectively included in the data block distributed to itself;
对完成映射及规约计算的入向报文和出向报文进行入向报文与出向报文的中不应发生变化部分的匹配,确定匹配成功的键值对对应的入向报文和出向报文为未出错的报文。The inbound and outbound packets of the inbound and outbound packets that are used for the mapping and the grammar calculations are not matched in the inbound and outbound packets, and the inbound and outbound packets corresponding to the successfully matched key-value pairs are determined. The text is a message that has not gone wrong.
步骤103、剔除各分析节点确定的未出错的报文后,按照预设策略重新分配 除确定未出错的报文外剩余的入向报文和出向报文,并继续进行入向报文与出向报文中不应发生变化部分的匹配,直至所有未匹配成功的报文在同一分析节点时,确定未匹配成功的报文发生错误;Step 103: After removing the error-free packets determined by each analysis node, reallocating according to the preset policy In addition to determining the inbound and outbound messages remaining in the error-free message, and continuing the match between the incoming message and the outgoing message, the matching part should not be changed until all the unmatched messages are in the same analysis. When a node is determined, it is determined that an unmatched packet has an error.
本步骤中,按照预设策略重新分配除确定未出错的报文外剩余的入向报文和出向报文,可以包括:In this step, the re-assignment of the inbound and outbound packets, except for the packets that are determined to be in error, according to the preset policy, may include:
各分析节点剔除确定的未出错的报文后,逐次选择一个或一个以上分析节点,将选择的分析节点的剩余的入向报文和出向报文分发到其他分析节点。After each of the analysis nodes culls the determined unerrored message, one or more analysis nodes are sequentially selected, and the remaining inbound packets and outgoing messages of the selected analysis node are distributed to other analysis nodes.
需要说明的是,这里逐次选择一个或一个以上分析节点可以是,选择一个分析节点,将该分析节点除确定未出错报文外剩余的入向报文和出向报文均分到其他分析节点;也可以选择两个、三个,一半分析节点,甚至更多的分析节点,将选择的分析节点除确定未出错报文外剩余的入向报文和出向报文均分到其他分析节点。It should be noted that, one or more analysis nodes may be selected one by one, and one analysis node may be selected, and the inbound and outbound messages remaining in the analysis node except the unidentified message are equally divided into other analysis nodes; You can also select two, three, half analysis nodes, and even more analysis nodes. The selected analysis nodes are divided into other analysis nodes except for the inbound packets and outgoing packets.
剔除确定的未出错的报文,可以包括:Excluding the determined unerrored messages may include:
根据哈希计算的映射确定匹配成功的键值对对应的入向报文和出向报文在数据块中的位置,并进行剔除处理。The location of the corresponding incoming message and the outgoing message in the data block is determined according to the hash-calculated mapping, and the culling process is performed.
需要说明的是,进行映射计算时,会将入向报文和出向报文从数据块提取后映射到哈希列表中,由于需要进行映射计算,因此入向报文和出向报文在数据块中的偏移量为默认的参数。It should be noted that, when the mapping calculation is performed, the inbound packet and the outgoing packet are extracted from the data block and mapped into the hash list. Since the mapping calculation is required, the incoming packet and the outgoing packet are in the data block. The offset in is the default parameter.
本公开方法还包括:对数据块中的各条报文进行区分。The disclosed method also includes distinguishing between pieces of messages in the data block.
这里,对数据块中的各条报文进行区分,可以包括:对入向报文的数据块中的各条入向报文进行区分;对出向报文的数据块中的各条出向报文进行区分。Here, the distinguishing between the packets in the data block may include: distinguishing each incoming message in the data block of the incoming message; and sending out the outgoing message in the data block of the outgoing message. Make a distinction.
对数据块中的各条报文进行区分,可以包括:Differentiating each packet in a data block may include:
在数据块的预设位置记录各报文长度,通过记录的报文长度区分数据块中的各条报文。The length of each packet is recorded in a preset position of the data block, and each packet in the data block is distinguished by the length of the recorded packet.
确定未匹配成功的报文发生错误前,本公开方法还包括:Before determining that an unmatched message has an error, the disclosed method further includes:
过滤被检测网络主动发出的出向报文和发送给被检测网络的入向报文。Filtering outgoing packets sent by the detected network and incoming packets sent to the detected network.
需要说明的是,这里确定未匹配成功的报文发生错误前可以是进行匹配之前,也可以是匹配之后,时间可以根据网络配置和性能等进行设置。 It should be noted that before the packet is successfully matched, it may be before the matching occurs, or after the matching, the time may be set according to the network configuration and performance.
当被检测网络传输的报文的常见报文时,本公开方法还包括:对入向报文和出向报文中不应发生变化部分包含的区分字段内容进行报文学习;When the common message of the packet transmitted by the network is detected, the method of the disclosure further includes: performing packet learning on the content of the distinguishing field included in the incoming packet and the outgoing packet that should not be changed;
通过获得入向报文和出向报文中不应发生变化部分包含的区分字段内容的报文学习结果对报文学习结果中入向报文和出向报文中不应发生变化部分包含的区分字段匹配的报文进行过滤,对剩余的报文进行入向报文和出向报文中不应发生变化部分的匹配。By obtaining the message learning result of the content of the distinguishing field included in the incoming message and the outgoing message, the difference between the incoming message and the outgoing message in the incoming message should not be changed. The matched packets are filtered, and the matching packets in the incoming packets and outgoing packets should not be matched in the outgoing packets.
需要说明的是,入向报文和出向报文中不应发生变化部分包含的区分字段匹配表示该部分报文为未发生错误的报文。It should be noted that the incoming field and the outgoing message should not change. The distinguished field included in the outgoing packet matches the packet indicating that the partial packet is an error.
存储被检测网络传输的入向报文和出向报文为预设时间跨度内被检测网络传输的入向报文和出向报文,本公开方法还包括:The method for storing the inbound packet and the outgoing packet transmitted by the detected network is the inbound packet and the outgoing packet transmitted by the detected network in the preset time span. The method further includes:
将当前时间跨度内未匹配成功的报文中时间属性在时间边界(TR)内的报文检出,并存储到下一个时间跨度(T)存储的被检测网络传输的入向报文和出向报文中,进行报文检错。其中T主要根据分解的数据块大小除以流量速率计算获得,数据块大小主要根据系统性能进行设定,流量速率根据系统容量进行设定;TR主要根据网络延时情况进行设定,TR取值一般不大于2分钟。The packets whose time attributes in the time interval (TR) are not matched in the current time span are detected, and are stored in the inbound packet and the outgoing direction of the detected network stored in the next time span (T). In the message, the message is checked for errors. The T is mainly calculated according to the size of the decomposed data block divided by the flow rate. The data block size is mainly set according to the system performance, and the flow rate is set according to the system capacity; TR is mainly set according to the network delay condition, and the TR value is set. Generally no more than 2 minutes.
需要说明的是,本公开方法可以采用哈希算法进行入向报文和出向报文中不应发生变化部分的匹配,匹配过程中,报文长度、时间属性及报文在数据库中的偏移量可以通过关键字进行存储。It should be noted that the method of the present disclosure may use a hash algorithm to perform matching between the inbound message and the outgoing message, and the length of the packet, the time attribute, and the offset of the message in the database during the matching process. The amount can be stored by keyword.
本公开方法之前还包括:区分入向报文和出向报文。The method of the present disclosure also includes: distinguishing between an incoming message and an outgoing message.
本公开方法通过将入向报文和出向报文进行存储、分解和分发后,进行不应发生变化部分的匹配,实现了对发生错误报文的检测。By storing, decomposing and distributing the inbound message and the outgoing message, the disclosed method performs matching of the portion that should not be changed, thereby realizing the detection of the error message.
图2为本公开实现报文检错的系统的结构程图,如图2所示,包括:处理装置和两个或两个以上分析节点;其中,2 is a structural diagram of a system for implementing packet error detection according to the present disclosure. As shown in FIG. 2, the method includes: a processing device and two or more analysis nodes; wherein
处理装置包括:获取存储单元、分解分发单元及重分单元;其中,The processing device includes: a storage unit, a decomposition distribution unit, and a re-segment unit; wherein
获取存储单元,被配置为获取并存储被检测网络传输的入向报文和出向报文;Obtaining a storage unit, configured to acquire and store an inbound message and an outgoing message transmitted by the detected network;
分解分发单元,被配置为将存储的入向报文和出向报文分别分解为相应的数据块后,分发分解的数据块到预先建立的各分析节点; The decomposition distribution unit is configured to respectively decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data blocks to the pre-established analysis nodes;
重分单元,被配置为各分析节点剔除确定的未出错的报文后,按照预设策略重新分配除确定未出错的报文外剩余的入向报文和出向报文;The re-segment unit is configured to re-allocate the remaining inbound packets and the outgoing packets in addition to the packets that are determined to be in error according to the preset policy.
各分析节点包括匹配单元、剔除单元及确定单元;其中,Each analysis node includes a matching unit, a culling unit, and a determining unit; wherein
匹配单元,被配置为对分发给自身的数据块进行入向报文与出向报文的中不应发生变化部分进行匹配,确定未出错的报文;The matching unit is configured to perform matching on the inbound packet and the outgoing packet in the data packet distributed to itself, and determine the packet that is not in error;
剔除单元,被配置为剔除确定的未出错的报文;a culling unit configured to reject the determined unerrored message;
确定单元,被配置为确定所有未匹配成功的报文均在自身时,确定未匹配成功的报文发生错误;The determining unit is configured to determine that all the packets that are not successfully matched are in themselves, and determine that the packets that are not successfully matched are incorrect.
被检测网络为由一个或一个以上网络设备构成的网络。The detected network is a network of one or more network devices.
图3为本公开实现报文检错的处理装置的结构框图,如图3所示,包括:获取存储单元、分解分发单元及重分单元;其中,3 is a structural block diagram of a processing device for implementing packet error detection according to the present disclosure. As shown in FIG. 3, the method includes: acquiring a storage unit, decomposing a distribution unit, and a re-segment unit;
获取存储单元,被配置为获取并存储被检测网络传输的入向报文和出向报文;Obtaining a storage unit, configured to acquire and store an inbound message and an outgoing message transmitted by the detected network;
获取存储单元可以被配置为,Obtaining a storage unit can be configured to
当网络设备为电口设备时,通过被检测网络的网络设备上配置复制入向报文和出向报文,将配置复制的被检测网络传输的入向报文和出向报文进行存储;When the network device is an electrical interface device, the inbound and outbound packets transmitted by the detected network are configured to be stored in the network device of the network to be detected, and the inbound and outbound packets transmitted by the detected network are configured to be stored;
当网络设备为光口设备时,通过被检测网络的分光器进行入向报文和出向报文的分光复制,将分光复制的被检测网络传输的入向报文和出向报文进行存储。When the network device is an optical interface device, the optical splitter of the detected network performs the optical splitting of the incoming packet and the outgoing packet, and stores the incoming packet and the outgoing packet transmitted by the detected network.
获取存储单元可以被配置为,Obtaining a storage unit can be configured to
获取被检测网络传输的入向报文和出向报文,将获取的入向报文和出向报文分别按照二进制文件的形式进行存储。Obtaining the inbound and outbound packets transmitted by the detected network, and storing the obtained inbound and outbound packets in the form of binary files.
分解分发单元,被配置为将存储的入向报文和出向报文分别分解为相应的数据块后,分发分解的数据块到预先建立的各分析节点;The decomposition distribution unit is configured to respectively decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data blocks to the pre-established analysis nodes;
分解分发单元可以被配置为,The decomposition distribution unit can be configured to
将存储的入向报文按照预设的固定值或预设的区间值分解为相应的数据块;和, Decomposing the stored inbound message into corresponding data blocks according to a preset fixed value or a preset interval value; and,
将存储的出向报文按照预设的固定值或预设的区间值分解为相应的数据块;Decomposing the stored outgoing message into a corresponding data block according to a preset fixed value or a preset interval value;
分发分解的数据块到预先建立的各分析节点进行报文检错。The decomposed data blocks are distributed to the pre-established analysis nodes for message error detection.
分解分发单元可以被配置为,The decomposition distribution unit can be configured to
当当前数据块大小小于预设的固定值,且加上下一条报文数据块大小大于预设的固定值,则将当前数据块进行补充数位处理,使完成补充数位处理后的数据块大小等于预设的固定值,将完成补充数位处理的数据块作为分解的数据块;或,When the current data block size is smaller than the preset fixed value, and the next message data block size is greater than the preset fixed value, the current data block is subjected to complementary digital processing, so that the data block size after the completion of the complementary digital processing is equal to the pre- A fixed value is set, and the data block that completes the digital processing is used as the decomposed data block; or
当当前数据块大小大于预设的区间值的最小值,且加上下一条报文的数据块大小小于或等于预设的区间值的最大值,则将当前数据块加上下一条报文的数据块作为分解的数据块;When the current data block size is greater than the minimum value of the preset interval value, and the data block size of the next message is less than or equal to the maximum value of the preset interval value, the current data block is added to the data block of the next message. As a decomposed data block;
分发分解的数据块到预先建立的各分析节点进行报文检错。The decomposed data blocks are distributed to the pre-established analysis nodes for message error detection.
重分单元,被配置为各分析节点剔除确定的未出错的报文后,按照预设策略重新分配除确定未出错的报文外剩余的入向报文和出向报文;The re-segment unit is configured to re-allocate the remaining inbound packets and the outgoing packets in addition to the packets that are determined to be in error according to the preset policy.
重分单元可以被配置为,剔除各分析节点确定的未出错的报文后,逐次选择一个或一个以上分析节点,将选择的分析节点的剩余的入向报文和出向报文分发到其他分析节点。The re-segment unit may be configured to, after rejecting the unerrored message determined by each analysis node, successively select one or more analysis nodes, and distribute the remaining inbound and outbound messages of the selected analysis node to other analysis. node.
本公开处理装置还包括区分单元,被配置为对数据块中的各条报文进行区分。The disclosed processing apparatus further includes a distinguishing unit configured to distinguish between pieces of messages in the data block.
区分单元可以被配置为,The distinguishing unit can be configured to
在数据块的预设位置记录各报文长度,通过记录的报文长度区分数据块中的各条报文。The length of each packet is recorded in a preset position of the data block, and each packet in the data block is distinguished by the length of the recorded packet.
存储被检测网络传输的入向报文和出向报文为预设时间跨度内被检测网络传输的入向报文和出向报文,本公开处理装置还包括边界处理单元,被配置为将当前时间跨度内未匹配成功的报文中时间属性在时间边界(TR)内的报文检出,并存储到下一个时间跨度(T)存储的被检测网络传输的入向报文和出向报文中,进行报文检错。And storing the inbound packet and the outgoing packet transmitted by the detected network as the inbound packet and the outgoing packet transmitted by the detected network within the preset time span, the disclosed processing apparatus further includes a boundary processing unit configured to set the current time The packets whose time attributes are in the time boundary (TR) are detected in the packets that are not matched in the span, and are stored in the inbound and outgoing packets of the detected network that is stored in the next time span (T). , the message error detection.
本公开处理装置还包括入向出向区分单元,被配置为区分入向报文和出向报文。 The disclosed processing apparatus further includes an inbound and outbound distinguishing unit configured to distinguish between an incoming message and an outgoing message.
图4为本公开实现报文检错的分析节点的结构框图,如图4所示,包括匹配单元、剔除单元及确定单元;其中,4 is a structural block diagram of an analysis node for implementing packet error detection according to the present disclosure. As shown in FIG. 4, the method includes a matching unit, a culling unit, and a determining unit.
匹配单元,被配置为对接收的数据块进行入向报文与出向报文的中不应发生变化部分进行匹配,确定未出错的报文;The matching unit is configured to match the inbound packet of the received data block with the unchanged portion of the outgoing packet, and determine the packet that is not erroneous;
匹配单元可以被配置为,对分发给自身的数据块中的入向报文和出向报文,The matching unit may be configured to, for the inbound message and the outgoing message in the data block distributed to itself,
将入向报文中不应发生变化部分的内容与出向报文中不应发生变化部分的内容进行匹配;或,Matching the content of the inbound message that should not change with the content of the outgoing message that should not change; or,
提取入向报文中不应发生变化部分的内容的特征值和出向报文中不应发生变化部分的内容的特征值;Extracting feature values of content that should not change in the incoming message and feature values of content that should not change in the outgoing message;
将提取的入向报文中不应发生变化部分的内容的特征值与提取的出向报文中不应发生变化部分的内容的特征值进行匹配。The feature value of the content of the extracted inbound message that should not be changed is matched with the feature value of the content of the extracted outgoing message that should not change.
剔除单元,被配置为剔除确定的未出错的报文;a culling unit configured to reject the determined unerrored message;
确定单元,被配置为确定所有未匹配成功的报文均在自身时,确定未匹配成功的报文发生错误。The determining unit is configured to determine that all the packets that are not successfully matched are in themselves, and determine that the packets that do not match successfully are incorrect.
本公开分析节点还包括过滤单元,被配置为确定未匹配成功的报文发生错误前,过滤被检测网络主动发出的出向报文和发送给被检测网络的入向报文。The present disclosure analysis node further includes a filtering unit configured to filter the outgoing message actively sent by the detected network and the incoming message sent to the detected network before the packet with the unmatched success is determined to be in error.
本公开分析节点还包括报文学习单元和学习过滤单元,The disclosed analysis node further includes a message learning unit and a learning filtering unit.
报文学习单元,被配置为当被检测网络传输的报文的常见报文时,对入向报文和出向报文中不应发生变化部分包含的区分字段内容进行报文学习;The packet learning unit is configured to perform packet learning on the content of the distinguishing field included in the incoming packet and the outgoing packet in the incoming packet and the outgoing packet when the packet is detected by the detected network;
学习过滤单元,被配置为通过获得入向报文和出向报文中不应发生变化部分包含的区分字段内容的报文学习结果对报文学习结果中入向报文和出向报文中不应发生变化部分包含的区分字段匹配的报文进行过滤,对剩余的报文发送到匹配单元进行入向报文和出向报文中不应发生变化部分的匹配。The learning filtering unit is configured to obtain the packet learning result of the distinguishing field content included in the incoming message and the outgoing message, and should not be included in the incoming message and the outgoing message in the message learning result. The packets matching the matching fields included in the change part are filtered, and the remaining packets are sent to the matching unit to perform matching between the incoming packets and the outgoing packets.
匹配单元可以被配置为,The matching unit can be configured to
对接收的数据块中包含的入向报文和出向报文进行哈希映射及归约计算;Performing hash mapping and reduction calculation on the incoming message and the outgoing message included in the received data block;
对完成映射及规约计算的入向报文和出向报文进行入向报文与出向报文的中不应发生变化部分的匹配,确定匹配成功的键值对对应的入向报文和出向报文为未出错的报文。 The inbound and outbound packets of the inbound and outbound packets that are used for the mapping and the grammar calculations are not matched in the inbound and outbound packets, and the inbound and outbound packets corresponding to the successfully matched key-value pairs are determined. The text is a message that has not gone wrong.
剔除单元可以被配置为,根据哈希计算的映射确定匹配成功的键值对对应的入向报文和出向报文在数据块中的位置,以进行剔除处理。The culling unit may be configured to determine, according to the hash calculated mapping, the location of the incoming message and the outgoing message in the data block corresponding to the successfully matched key value pair for culling processing.
以下通过可以实施例对本公开方法进行清楚详细的说明,实施例仅用于陈述本公开,并不用于限定本公开方法的保护范围。The method of the present disclosure is described in detail below by way of examples, which are merely used to illustrate the disclosure and are not intended to limit the scope of the present disclosure.
实施例1Example 1
本实施例进行报文检错时,被检测网络可以是一个或一个以上网络设备构成的网络,网络设备可以是路由器或交换机等;本实施例获取被检测网络传输的入向报文和出向报文,将获取的入向报文和出向报文进行区分存储;存储方式可以采用文件的形式进行,每一个入向报文或出向报文存储时包含相应的报文内容、时间属性、和报文的流向信息等;按照预设的分解策略将存储的报文分解为数据块后,将分解的数据块发送到两个或两个以上分析节点进行入向报文与出向报文中不应发生变化部分的匹配,通过匹配结果确定报文是否发生错误;这里,分解的数据块需要保证入向报文或出向报文内容的完整,即每一入向报文和出向报文都应该是完整的报文。图5为本公开第一实施例的方法流程图,如图5所示,包括:In this embodiment, when the packet is detected, the detected network may be a network composed of one or more network devices, and the network device may be a router or a switch. In this embodiment, the inbound packet and the outgoing packet transmitted by the detected network are obtained. The inbound packet and the outgoing packet are separately stored; the storage mode can be performed in the form of a file, and each incoming packet or outgoing packet is stored with corresponding packet content, time attribute, and packet. Flow direction information, etc.; after the stored message is decomposed into data blocks according to a preset decomposition strategy, the decomposed data block is sent to two or more analysis nodes for inbound and outgoing messages. The matching of the changed part determines whether the packet has an error by the matching result. Here, the decomposed data block needs to ensure the integrity of the incoming message or the outgoing message, that is, each incoming message and outgoing message should be complete. Message. FIG. 5 is a flowchart of a method according to a first embodiment of the present disclosure. As shown in FIG. 5, the method includes:
步骤500、获取并存储被检测网络传输的入向报文和出向报文;本实施例将流经被检测网络的报文按照流入接口和流出接口进行区分后复制,以二进制文件的形式进行存储;Step 500: Acquire and store the inbound packet and the outgoing packet transmitted by the detected network. In this embodiment, the packet flowing through the detected network is differentiated according to the inflow interface and the outbound interface, and then copied and stored in the form of a binary file. ;
本实施例中,如果被检测网络包含的网络设备是电口设备,可以在网络设备上配置复制入向报文和出向报文;如果网络设备时光口设备,则在分光器上,对流入的入向报文和流出的出向报文进行分光复制。In this embodiment, if the network device included in the detected network is an electrical interface device, the inbound and outbound packets and the outgoing packets may be configured on the network device; if the optical device is in the optical device, the inflow is on the optical splitter. The incoming packet and the outgoing outgoing packet are split-spectrum.
本实施例存储被检测网络传输的入向报文和出向报文时,除了报文内容外还可以存储报文的时间属性(即传输时间)、报文的流向信息、报文长度等信息用于报文检错。In this embodiment, when storing the inbound packet and the outgoing packet transmitted by the detected network, in addition to the content of the packet, the time attribute (ie, transmission time) of the packet, the flow direction information of the packet, the length of the packet, and the like may be stored. Check the error in the message.
步骤501、将存储的入向报文和出向报文分别分解为相应的数据块后,分发分解的数据块到预先建立的两个或两个以上分析节点;Step 501: Decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data block to two or more pre-established analysis nodes;
本步骤中,数据块的分发可以根据负载均衡技术进行。另外,数据块中的各个报文通过记录报文长度进行区分;在预设位置添加各个报文的长度可以通过例如每记录一条报文前先以int形式记录本报文的长度,然后再添加相应的报 文;在进行匹配时,根据记录的报文长度区分各个报文,并基于报文区分进行报文的读取。In this step, the distribution of data blocks can be performed according to load balancing technology. In addition, each packet in the data block is distinguished by the length of the recorded packet; the length of each packet is added in the preset position by, for example, recording the length of the packet in an int before recording a packet, and then adding Corresponding report In the case of matching, each message is distinguished according to the length of the recorded message, and the message is read based on the difference of the message.
本实施例中,为了保证各个分析节点负载均衡,本实施例首先需要确定各个数据块的大小,数据块大小一般由分析节点的性能决定,且数据块大小一般为2的N次幂;目前,一般的PC可以满足数据块大小为64M的入向报文数据块和出向报文数据块的匹配;本实施例按照预设的固定值或预设的区间值分解为存储的入向报文和出向报文相应的数据块,这里,对存储的入向报文和出向报文是分别进行数据块的分解的;本实施例仍以PC可以满足数据块大小为64M的数据块的匹配为基础,即假设预设的固定值为64M,分解数据块时,当当前数据块大小小于64M时,计算当前数据块加上下一条报文的大小,如果大于64M,则将当前数据块进行补充数位处理,例如补充数值0的位数的处理,使完成补零处理的数据块达到64M,作为一个分解的数据块;下一条报文被分解到下一数据块中。采用第二种方式进行数据块分解时,首先需要限定预设的区间值,本实施例可以设定预设的区间值为63M到65M为合理大小,即当前数据块加上下一条报文的大小在63M到65M之间时,将当前数据块加上下一条报文的数据块作为分解的数据块。In this embodiment, in order to ensure load balancing of each analysis node, this embodiment first needs to determine the size of each data block, and the data block size is generally determined by the performance of the analysis node, and the data block size is generally 2 to the power of N; currently, A general PC can satisfy the matching of the inbound packet data block and the outgoing packet data block with the data block size of 64M. This embodiment is decomposed into the stored inbound packet according to a preset fixed value or a preset interval value. The corresponding data block of the outgoing message, where the stored inbound message and the outgoing message are respectively decomposed into data blocks; this embodiment is still based on the matching of the data block whose data block size is 64M is satisfied by the PC. Assume that the preset fixed value is 64M. When the data block is decomposed, when the current data block size is less than 64M, the current data block is added to the size of the next message. If it is greater than 64M, the current data block is supplemented with digital processing. For example, the process of supplementing the number of digits of 0 is such that the data block that completes the zero-padding process reaches 64M as a decomposed data block; the next message is decomposed into the next data block. in. When the second method is used for data block decomposition, the preset interval value needs to be limited first. In this embodiment, the preset interval value is set to be a reasonable size from 63M to 65M, that is, the current data block is added to the size of the next message. When between 63M and 65M, the current data block is added to the data block of the next message as the decomposed data block.
需要说明的是,分析节点的个数一般根据被检测网络网口流量大小进行确定,一般的网络流量达到1千兆时需要一个分析节点进行入向报文与出向报文的中不应发生变化部分的匹配。It should be noted that the number of the analysis nodes is generally determined according to the traffic volume of the network port to be detected. When the average network traffic reaches 1 Gigabit, an analysis node needs to change the inbound and outbound packets. Partial match.
步骤502、各分析节点对分发给自身的数据块进行入向报文与出向报文的中不应发生变化部分进行匹配,确定未出错的报文;Step 502: Each analysis node performs matching on the inbound packet and the outgoing packet in the data block distributed to itself, and determines the packet that is not in error;
需要说明的是,报文经过网络设备传输时,不应发生变化部分从流入网络设备到流出网络设备,其内容是不会发生变化的,即如果网络未出现链路问题,则入向报文中不应发生变化部分的报文字段和出向报文中不应发生变化部分的报文字段所包含的内容是一样的,匹配确定包含内容一致时,确定报文没有发生错误;例如、假设网络设备传输的报文不应发生变化部分的内容是[0x10,0x20,0x30],则报文检错的装置如果获取到一个入向报文,不应发生变化部分的内容是[0x10,0x20,0x30];报文检错的装置根据入向报文和出向报文不应发生变化部分的匹配,确定报文未发生错误;本实施例如果报文不应发生变化部分在传输过程中发生了改变,则例如获取的出向报文变成[0x10,0x20,0x31],此时, 报文检错的装置无法匹配与入向报文不应发生变化部分相同的出向报文,确定报文发生了错误。不同种类的报文,在网络设备传输时不发生变化的报文字段部分可能是不同的,可以根据本领域技术人员的公知常识进行确定,发生变化的报文字段是指除不发生变化的报文字段部分的内容,如IP报文的TTL字段,在传输过程中会被网络设备做合法修改(比如、此时网络设备时一个路由器)。It should be noted that, when a packet is transmitted through a network device, the change does not change from the incoming network device to the outgoing network device, and the content does not change, that is, if the link does not occur on the network, the incoming packet is sent. The message field that should not change in the middle part of the message field and the message field that should not change in the outgoing message part are the same. When the matching content is consistent, the message is determined to have no error; for example, the network is assumed. If the message transmitted by the device should not change, the content of the message is [0x10, 0x20, 0x30]. If the device that detects the error of the packet obtains an incoming message, the content of the change should not be [0x10, 0x20, 0x30]; The device for error detection of the packet determines that the packet does not have an error according to the matching of the incoming packet and the outgoing packet. In this embodiment, if the packet should not change, the transmission occurs during the transmission. If the change is made, for example, the outgoing message obtained becomes [0x10, 0x20, 0x31], at this time, The device that detects the error of the packet cannot match the outgoing packet with the same change as the incoming packet, and determines that the packet has an error. Different types of packets may be different in the field of the message field that does not change when the network device transmits the information, and may be determined according to common knowledge of those skilled in the art. The changed message field refers to the message except that the change does not occur. The content of the text field, such as the TTL field of the IP packet, is legally modified by the network device during transmission (for example, a router for the network device at this time).
对入向报文与出向报文中不应发生变化部分进行匹配可以是对入向报文中不应发生变化部分与出向报文中不应发生变化部分进行内容上的一一对比;例如、将入向报文中不应发生变化部分加载到第一列表中,将出向报文中不应发生变化部分加载到第二列表中,加载到列表的顺序一般按照时间排序,进行内容对比时,逐个提取第二列表中的出向报文与第一列表中的入向报文进行匹配,直至匹配到相同内容的入向报文时,确定报文未发生错误。The matching between the incoming message and the outgoing message should not be changed. The content of the incoming message should not be changed, and the content of the outgoing message should not be changed. For example, Loading the unchanged part of the incoming message into the first list, loading the outgoing part of the outgoing message into the second list, and the order of loading into the list is generally sorted by time. The outbound packets in the second list are matched one by one to match the inbound packets in the first list until the inbound packets of the same content are matched.
对入向报文与出向报文中不应发生变化部分进行匹配还可以通过对入向报文中不应发生变化部分和出向报文中不应发生变化部分分别提取特征值后,将入向报文中不应发生变化部分提取的特征值与出向报文中不应发生变化部分提取的特征值进行匹配,通过提取特征值的方法可以提高入向报文和出向报文的匹配效率。The matching between the incoming message and the outgoing message should not be changed. The feature value can be extracted separately after the change should not be made in the incoming message and the change should not be made in the outgoing message. The feature value extracted in the packet should not match the feature value extracted in the outgoing packet, and the feature value extracted from the outgoing packet can be improved.
提取特征值的方法可以通过计算哈希值的方法实现,报文的特征值与报文在匹配过程中存在映射关系,以哈希计算进行匹配为例,各报文及报文对应的特征值可以通过哈希表中该报文对应的VALUE值和KEY值分别进行存储,根据KEY值的匹配成功确定VALUE值匹配成功,从而确定报文匹配成功。为了实现多未发生错误报文的检测,本实施例可以对各个报文进行位置偏移计算,及将入向报文和出向报文进行哈希计算时,计算获得各个报文的位置偏移,根据位置偏移对确定未发生错误的报文从哈希计算从删除。The method of extracting the eigenvalues can be implemented by calculating the hash value. The eigenvalues of the packets are mapped to the packets in the matching process. The hash calculation is used as an example. The eigenvalues of the packets and the packets are corresponding. The VALUE value and the KEY value corresponding to the message in the hash table may be separately stored, and the VALUE value is successfully matched according to the matching of the KEY value, thereby determining that the message is successfully matched. In this embodiment, the position offset of each packet can be calculated, and when the inbound packet and the outgoing packet are hashed, the position offset of each packet is calculated. According to the position offset, the message that determines that no error has occurred is deleted from the hash calculation.
当采用计算哈希值的方法进行入向报文与出向报文中不应发生变化部分的匹配时,本实施例方法还包括:When the method of calculating the hash value is used to perform the matching between the inbound packet and the outgoing packet, the method in this embodiment further includes:
将报文长度、和/或源地址、和/或目的地址、和/或源端口、和/或目的端口作为特征值进行匹配;Matching the message length, and/or source address, and/or destination address, and/or source port, and/or destination port as feature values;
需要说明的是,只所以增加报文长度、和/或源地址、和/或目的地址、和/或源端口、和/或目的端口作为特征值进行匹配主要是考虑到不同报文进行哈希计算时,获得的哈希值可能会相同,源端口、和/或目的端口主要针对TCP/UDP 报文而言;另外,对报文进行哈希计算时,如果报文较长,可以将报文分段后进行哈希计算、将分段计算的哈希值作为报文的特征值,进行入向报文和出向报文中不应发生变化部分的匹配。It should be noted that only the increase of the packet length, and/or the source address, and/or the destination address, and/or the source port, and/or the destination port as the feature values are mainly matched by considering different messages for hashing. When calculating, the obtained hash value may be the same, the source port, and/or destination port is mainly for TCP/UDP. For the message, in addition, when the message is hashed, if the message is long, the message can be segmented and then hashed, and the hash value calculated by the segmentation is used as the feature value of the message. There should be no matching part of the incoming message and the outgoing message.
步骤503、剔除各分析节点确定的未出错的报文后,逐次选择一个或一个以上分析节点,将选择的分析节点的剩余的入向报文和出向报文分发到其他分析节点,并继续进行入向报文与出向报文中不应发生变化部分的匹配,直至所有未匹配成功的报文在同一分析节点时,确定未匹配成功的报文发生错误。Step 503: After the undue error message determined by each analysis node is removed, one or more analysis nodes are selected one by one, and the remaining inbound packets and outgoing packets of the selected analysis node are distributed to other analysis nodes, and the continuation is performed. The match between the incoming packet and the outgoing packet should not be changed until all the packets that do not match successfully are in the same analysis node.
需要说明的是,这里是一个逻辑循环的过程,假设将第一分析节点未匹配成功的入向报文和出向报文均分后分配给第二分析节点和第三分析节点,在第二分析节点和第三分析节点剔除确定未发生错误的报文后,需要继续选择一个或一个以上分析节点,将未匹配成功的入向报文和出向报文按照预设的重分策略发送到其他分析节点继续进行入向报文和出向报文中不应发生变化部分的匹配,直至所有未匹配的报文最终在同一分析节点时,完成整个报文检错流程。It should be noted that here is a logical loop process, which assumes that the inbound and outbound packets that are not successfully matched by the first analysis node are equally divided and then assigned to the second analysis node and the third analysis node, in the second analysis. After the node and the third analysis node are removed from the packet to determine that no error has occurred, the node or the outbound packet that has not been successfully matched is sent to another analysis according to the preset re-segmentation policy. The node continues to perform matching in the incoming packet and the outgoing packet, and the entire packet error detection process is completed when all the unmatched packets are finally in the same analysis node.
实施例2Example 2
图6为本公开第二实施例的方法流程图,如图6所示,包括:FIG. 6 is a flowchart of a method according to a second embodiment of the present disclosure. As shown in FIG. 6, the method includes:
步骤600、获取并存储被检测网络传输的入向报文和出向报文;Step 600: Acquire and store an inbound packet and an outgoing packet transmitted by the detected network.
步骤601、将存储的入向报文和出向报文分别分解为相应的数据块后,分发分解的数据块到预先建立的两个或两个以上分析节点;Step 601: Decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data block to two or more pre-established analysis nodes;
步骤602、各分析节点对分发给自身的数据块中包含的入向报文和出向报文分别进行映射及归约计算;Step 602: Each analysis node performs mapping and reduction calculation on the inbound message and the outgoing message included in the data block distributed to itself.
步骤603、对完成映射及规约计算的入向报文和出向报文进行入向报文与出向报文的中不应发生变化部分进行匹配,从数据块中剔除确定未出错的报文。Step 603: Perform matching on the inbound and outbound messages of the inbound and outbound packets for completing the mapping and the protocol calculation, and remove the unchanged packets from the data block.
剔除确定未发生错误的报文可以通过实施例1中位置偏移计算的方法实现,即通过位置偏移确定数据块中未发生错误的报文,以进行剔除处理。The culling of the message that determines that no error has occurred can be implemented by the method of position offset calculation in Embodiment 1, that is, the message in which no error occurs in the data block is determined by the position offset to perform the culling process.
步骤604、逐次选择一个或一个以上分析节点,将选择的分析节点的剩余的入向报文和出向报文分发到其他分析节点,并继续进行入向报文与出向报文中不应发生变化部分的匹配,直至所有未匹配成功的报文在同一分析节点。In step 604, one or more analysis nodes are selected one by one, and the remaining inbound packets and outgoing packets of the selected analysis node are distributed to other analysis nodes, and the inbound and outbound messages are not changed. Partial matches until all unmatched messages are on the same analysis node.
步骤605、对未匹配成功的报文过滤被检测网络主动发出的出向报文和发送给被检测网络的入向报文,获得确定发生错误的报文。 Step 605: Filter the outgoing packets that are sent by the detected network and the incoming packets that are sent to the detected network, and obtain the packets that determine the error.
需要说明的是,步骤605可以在进行入向报文和出向报文不应发生变化部分的匹配之前进行处理,减少数据传输和提高匹配效率。It should be noted that step 605 can be processed before the matching of the incoming message and the outgoing message should not be changed, thereby reducing data transmission and improving matching efficiency.
实施例3Example 3
本实施例按照时间跨度T对被检测网络传输的入向报文和出向报文进行存储,存储的入向报文和出向报文可能出现在不同时间跨度存储的文件中,因此,需要根据设定时间边界TR,用于避免入向报文和出向报文出现在不同时间跨度存储的文件中,对时间边界内未匹配的报文按照流向分别添加到下一个时间跨度的存储的入向报文和出向报文中。In this embodiment, the inbound packet and the outgoing packet transmitted by the detected network are stored according to the time span T. The stored inbound packet and the outgoing packet may be stored in files stored in different time spans. A time-boundary TR is used to prevent incoming packets and outgoing packets from appearing in files stored in different time spans. The unmatched packets in the time boundary are added to the stored inbound traffic of the next time span according to the flow direction. Text and outgoing messages.
假设本实施例为第一次进行被检测网络传输的入向报文和出向报文的存储,图7为本公开第三实施例的方法流程图,如图7所示,包括:It is assumed that the present embodiment is the first time to perform the storage of the inbound packet and the outgoing packet transmitted by the detected network. FIG. 7 is a flowchart of the method according to the third embodiment of the present disclosure. As shown in FIG. 7, the method includes:
步骤700、获取并存储被检测网络传输的入向报文和出向报文;Step 700: Acquire and store an inbound packet and an outgoing packet transmitted by the detected network.
需要说明的是,如果是第N次进行被检测网络传输的入向报文和出向报文的存储,则步骤700中需要加入第N-1次未匹配成功的报文;It should be noted that, in the case that the inbound packet and the outgoing packet are transmitted in the Nth time, the Nth packet is successfully added in the step S700;
步骤701、将存储的入向报文和出向报文分别分解为相应的数据块后,分发分解的数据块到预先建立的两个或两个以上分析节点;Step 701: Decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data block to two or more pre-established analysis nodes;
步骤702、各分析节点对分发给自身的数据块中包含的入向报文和出向报文分别进行映射及归约计算;Step 702: Each analysis node performs mapping and reduction calculation on the inbound message and the outgoing message included in the data block distributed to itself.
步骤703、对完成映射及规约计算的入向报文和出向报文进行入向报文与出向报文的中不应发生变化部分进行匹配,从数据块中剔除确定未出错的报文。Step 703: Perform matching on the inbound and outbound messages of the inbound and outbound packets that complete the mapping and the protocol calculation, and remove the unchanged packets from the data block.
步骤704、逐次选择一个或一个以上分析节点,将选择的分析节点的剩余的入向报文和出向报文分发到其他分析节点,并继续进行入向报文与出向报文中不应发生变化部分的匹配,直至所有未匹配成功的报文在同一分析节点时,确定未匹配成功的报文发生错误。Step 704: Select one or more analysis nodes one by one, and distribute the remaining inbound packets and outgoing packets of the selected analysis node to other analysis nodes, and continue to perform inbound and outbound messages. Partial matching, until all the packets that do not match successfully are in the same analysis node, it is determined that the packet with no matching success is incorrect.
需要说明的是,这里的匹配过程和步骤703中的匹配过程相同。It should be noted that the matching process here is the same as the matching process in step 703.
步骤705、对未匹配成功的报文过滤被检测网络主动发出的出向报文和发送给被检测网络的入向报文,获得确定发生错误的报文。Step 705: Filter the outgoing packets that are sent by the detected network and the incoming packets that are sent to the detected network, and obtain the packets that determine the error.
步骤706、将当前时间跨度内未匹配成功的报文中时间属性在时间边界TR内的报文检出,并存储到下一个时间跨度T存储的被检测网络传输的入向报文 和出向报文中,进行报文检错。Step 706: The packet whose time attribute in the time interval TR is not matched in the current time span is detected, and is stored in the inbound packet of the detected network stored in the next time span T. In the outgoing message, the message is checked for error.
实施例4Example 4
在进行报文匹配时,如果报文数量过多会使得匹配效率过低,则可以通过对常见报文进行学习的方法提高匹配效率;常见报文数量多、内容比较固定、报文发生异常的可能性低。If the number of packets is too large, the matching efficiency is too low. You can improve the matching efficiency by learning common packets. The number of common packets is large, the content is fixed, and the packets are abnormal. Possibility is low.
在本实施例中,报文学习主要针对入向报文和出向报文中不应发生变化部分中特殊的区分字段,包括协议和/或长度和/或标志位等,例如,大量的TCP SYN报文携带的参数几乎一样,比如长度、SYN标志位等。本实施例获取单元获取入向报文和出向报文不应发生变化部分后,提取协议和/或长度和/或标志位等区分字段;对从入向报文和出向报文中不应发生变化部分提取的区分字段进行报文学习后进行匹配;匹配成功,确定报文未发生错误。如果匹配失败,则该报文不是常见报文,采用实施例一中的方法对入向报文和出向报文中不应发生变化部分进行匹配,确定报文是否发生错误。In this embodiment, the packet learning is mainly for special distinguishing fields in the incoming and outgoing packets that should not change, including protocols and/or lengths and/or flags, for example, a large number of TCP SYNs. The parameters carried by the message are almost the same, such as the length, SYN flag, and so on. In this embodiment, after obtaining the inbound packet and the outgoing packet, the obtaining unit extracts the distinguishing field of the protocol and/or the length and/or the flag bit, and does not occur in the incoming packet and the outgoing packet. The distinguishing field extracted by the change part is matched after the packet learning; the matching is successful, and it is determined that the packet does not have an error. If the match fails, the packet is not a common packet. The method in the first embodiment is used to match the inbound packet and the outgoing packet in the inbound packet to determine whether the packet has an error.
需要说明的是,是否进行区分字段的报文学习可以通过本领域技术人员对该类报文出现频率和数量进行分析,通过分析确定进行报文学习时,通过监测该部分报文是否出现,一旦监测到该部分报文出现时,自动触发进行报文学习。It should be noted that whether the packet learning of the distinguishing field is performed may be analyzed by a person skilled in the art to analyze the frequency and quantity of the packet, and when the packet learning is determined by analysis, the presence or absence of the packet is monitored. When the part of the packet is detected, the packet learning is automatically triggered.
图8为本公开第四实施例的方法流程图,如图8所示,包括:FIG. 8 is a flowchart of a method according to a fourth embodiment of the present disclosure. As shown in FIG. 8, the method includes:
步骤800、获取并存储被检测网络传输的入向报文和出向报文;Step 800: Acquire and store an inbound packet and an outgoing packet transmitted by the detected network.
步骤801、将存储的入向报文和出向报文分别分解为相应的数据块后,分发分解的数据块到预先建立的两个或两个以上分析节点;Step 801: Decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data block to two or more pre-established analysis nodes;
步骤802、各分析节点对分发给自身的数据块中包含的入向报文和出向报文分别进行映射及归约计算;Step 802: Each analysis node performs mapping and reduction calculation on the inbound message and the outgoing message included in the data block distributed to itself.
步骤803、各分析节点提取入向报文和出向报文中不应发生变化部分中的区分字段,对区分字段进行报文学习;Step 803: Each analysis node extracts a distinguishing field in the inbound and outbound messages that should not change, and performs packet learning on the differentiated field.
步骤804、匹配报文学习的区分字段;如果匹配成功,执行步骤8050;如果匹配失败,则执行步骤8060;Step 804: Match the distinguishing field of the packet learning; if the matching is successful, go to step 8050; if the matching fails, go to step 8060;
步骤8050、确定报文学习的区分字段匹配成功对应的报文为未发生错误的报文,剔除数据块中确定未发生错误的报文; Step 8050: Determine that the packet matching the successfully matched packet is a packet with no error, and remove the packet that determines that no error occurs in the data block.
步骤8060、对入向报文和出向报文中不应发生变化部分进行匹配,确定未发生错误的报文。In step 8060, a matching part of the incoming message and the outgoing message is not matched, and the packet that does not have an error is determined.
需要说明的是,本实施例进行报文检错的入向报文和出向报文是除发送给被检测网络和被检测网络主动发出的报文。It should be noted that the inbound packet and the outgoing packet that are sent to the detected network and the detected network are sent by the detected network.
步骤8061、各分析节点剔除确定的未出错的报文后,逐次选择一个或一个以上分析节点,将选择的分析节点的剩余的入向报文和出向报文分发到其他分析节点,并继续进行入向报文与出向报文中不应发生变化部分的匹配,直至所有未匹配成功的报文在同一分析节点时,确定未匹配成功的报文发生错误。Step 8061: After each of the analysis nodes culls the determined unerrored message, one or more analysis nodes are sequentially selected, and the remaining inbound and outgoing packets of the selected analysis node are distributed to other analysis nodes, and the continuation is continued. The match between the incoming packet and the outgoing packet should not be changed until all the packets that do not match successfully are in the same analysis node.
本公开还提供了一种非暂态计算机可读存储介质,存储有计算机可执行指令,所述计算机可执行指令设置为执行上述任一实施例中的方法。The present disclosure also provides a non-transitory computer readable storage medium storing computer executable instructions arranged to perform the method of any of the above embodiments.
本公开还提供了一种电子设备的结构示意图。参见图9,该电子设备包括:The present disclosure also provides a schematic structural diagram of an electronic device. Referring to FIG. 9, the electronic device includes:
至少一个处理器(processor)90,图9中以一个处理器90为例;和存储器(memory)91,还可以包括通信接口(Communications Interface)92和总线93。其中,处理器90、通信接口92、存储器91可以通过总线93完成相互间的通信。通信接口92可以用于信息传输。处理器90可以调用存储器91中的逻辑指令,以执行上述实施例的方法。At least one processor 90, which is exemplified by a processor 90 in FIG. 9; and a memory 91, may further include a communication interface 92 and a bus 93. The processor 90, the communication interface 92, and the memory 91 can complete communication with each other through the bus 93. Communication interface 92 can be used for information transfer. Processor 90 can invoke logic instructions in memory 91 to perform the methods of the above-described embodiments.
此外,上述的存储器91中的逻辑指令可以通过软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。In addition, the logic instructions in the memory 91 described above may be implemented in the form of a software functional unit and sold or used as a stand-alone product, and may be stored in a computer readable storage medium.
存储器91作为一种计算机可读存储介质,可用于存储软件程序、计算机可执行程序,如本发明实施例中的方法对应的程序指令/模块。处理器90通过运行存储在存储器91中的软件程序、指令以及模块,从而执行功能应用以及数据处理,即实现上述方法实施例中的实现报文检错的方法。The memory 91 is a computer readable storage medium and can be used to store a software program, a computer executable program, and a program instruction/module corresponding to the method in the embodiment of the present invention. The processor 90 executes the function application and the data processing by executing the software program, the instruction and the module stored in the memory 91, that is, the method for implementing the message error detection in the above method embodiment.
存储器91可包括存储程序区和存储数据区,其中,存储程序区可存储操作系统、至少一个功能所需的应用程序;存储数据区可存储根据终端设备的使用所创建的数据等。此外,存储器91可以包括高速随机存取存储器,还可以包括 非易失性存储器。The memory 91 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function; the storage data area may store data created according to usage of the terminal device, and the like. In addition, the memory 91 may include a high speed random access memory, and may also include Non-volatile memory.
本发明实施例的技术方案可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括一个或多个指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本发明实施例所述方法的全部或部分步骤。而前述的存储介质可以是非暂态存储介质,包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等多种可以存储程序代码的介质,也可以是暂态存储介质。The technical solution of the embodiment of the present invention may be embodied in the form of a software product stored in a storage medium, including one or more instructions for causing a computer device (which may be a personal computer, a server, or a network) The device or the like) performs all or part of the steps of the method described in the embodiments of the present invention. The foregoing storage medium may be a non-transitory storage medium, including: a USB flash drive, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and the like. A medium that can store program code, or a transitory storage medium.
虽然本公开所揭露的实施方式如上,但所述的内容仅为便于理解本公开而采用的实施方式,并非用以限定本公开。任何本公开所属领域内的技术人员,在不脱离本公开实施例范围的前提下,可以在实施的形式及细节上进行任何的修改与变化,但本公开的专利保护范围,仍须以所附的权利要求书所界定的范围为准。The embodiments disclosed in the present disclosure are as described above, but are merely used to facilitate the understanding of the present disclosure, and are not intended to limit the present disclosure. Any modification and variation in the form and details of the embodiments may be made by those skilled in the art without departing from the scope of the embodiments of the present disclosure. The scope defined by the claims is subject to.
工业实用性Industrial applicability
本公开的实现报文检错的方法及装置实现了对发生错误报文的检测。 The method and apparatus for implementing message error detection of the present disclosure implements detection of an error message.

Claims (33)

  1. 一种实现报文检错的方法,包括:A method for implementing packet error detection, including:
    获取并存储被检测网络传输的入向报文和出向报文;Acquiring and storing the inbound packet and the outgoing packet transmitted by the detected network;
    将存储的入向报文和出向报文分别分解为相应的数据块后,分发分解的数据块到预先建立的两个或两个以上分析节点;After the stored inbound message and the outgoing message are respectively decomposed into corresponding data blocks, the decomposed data block is distributed to two or more pre-established analysis nodes;
    各分析节点对分发给自身的数据块进行入向报文与出向报文的中不应发生变化部分进行匹配,确定未出错的报文;Each analysis node matches the inbound packet and the outgoing packet in the inbound packet to the data packet that is distributed to itself, and determines the packet that is not in error;
    剔除各分析节点确定的未出错的报文后,按照预设策略重新分配除确定未出错的报文外剩余的入向报文和出向报文,并继续进行入向报文与出向报文中不应发生变化部分的匹配,直至所有未匹配成功的报文在同一分析节点时,确定未匹配成功的报文发生错误;After the undue error message determined by each analysis node is removed, the inbound and outbound packets remaining in addition to the packets that are not erroneous are re-allocated according to the preset policy, and the inbound and outbound packets are continued. The matching of the changed part should not occur until all the packets that do not match successfully are in the same analysis node, and it is determined that the packet with no matching success is incorrect.
    所述被检测网络为由一个或一个以上网络设备构成的网络。The detected network is a network of one or more network devices.
  2. 根据权利要求1所述的方法,其中,所述获取被检测网络传输的入向报文和出向报文,包括:The method of claim 1, wherein the obtaining the inbound message and the outgoing message transmitted by the detected network comprises:
    当所述网络设备为电口设备时,通过所述被检测网络的网络设备上配置复制所述入向报文和所述出向报文;When the network device is an electrical interface device, the inbound message and the outgoing message are configured to be copied on the network device of the detected network;
    当所述网络设备为光口设备时,通过所述被检测网络的分光器进行所述入向报文和所述出向报文的分光复制。When the network device is an optical port device, the optical splitting of the incoming packet and the outgoing packet is performed by the optical splitter of the detected network.
  3. 根据权利要求1所述的方法,其中,所述存储被检测网络传输的入向报文和出向报文,包括:The method of claim 1, wherein the storing the inbound message and the outgoing message transmitted by the detected network comprises:
    将获取的所述入向报文和所述出向报文分别按照二进制文件的形式进行存储。The obtained inbound message and the outgoing message are respectively stored in the form of a binary file.
  4. 根据权利要求1所述的方法,其中,所述将存储的入向报文和出向报文 分别分解为相应的数据块,包括:The method of claim 1 wherein said stored inbound and outbound messages are to be stored Decomposed into corresponding data blocks, including:
    将存储的入向报文按照预设的固定值或预设的区间值分解为相应的数据块;Decomposing the stored inbound packet into a corresponding data block according to a preset fixed value or a preset interval value;
    将存储的出向报文按照预设的固定值或预设的区间值分解为相应的数据块。The stored outgoing message is decomposed into corresponding data blocks according to a preset fixed value or a preset interval value.
  5. 根据权利要求4所述的方法,其中,所述将存储的入向报文和出向报文分别分解为相应的数据块,包括:The method according to claim 4, wherein the respectively decomposing the stored inbound message and the outgoing message into corresponding data blocks comprises:
    当当前数据块大小小于预设的固定值,且加上下一条报文数据块大小大于所述预设的固定值,则将所述当前数据块进行补充数位处理,使完成补充数位处理后的数据块大小等于所述预设的固定值,将完成补充数位处理的数据块作为分解的数据块;或,When the current data block size is smaller than the preset fixed value, and the next message data block size is greater than the preset fixed value, the current data block is subjected to complementary digital processing, so that the data after the complementary digital processing is completed The block size is equal to the preset fixed value, and the data block that completes the digital processing is used as the decomposed data block; or
    当当前数据块大小大于预设的区间值的最小值,且加上下一条报文的数据块大小小于或等于所述预设的区间值的最大值,则将所述当前数据块加上下一条报文的数据块作为分解的数据块。When the current data block size is greater than a minimum value of the preset interval value, and the data block size of the next message is less than or equal to the maximum value of the preset interval value, the current data block is added to the next report. The data block of the text is used as a decomposed data block.
  6. 根据权利要求1~5任一项所述的方法,其中,所述按照预设策略重新分配除确定未出错的报文外剩余的入向报文和出向报文,包括:The method according to any one of claims 1 to 5, wherein the re-allocating the inbound and outbound messages remaining in addition to the message that is determined to be in error according to the preset policy includes:
    剔除各分析节点确定的未出错的报文后,逐次选择一个或一个以上分析节点,将选择的分析节点的所述剩余的入向报文和出向报文分发到其他分析节点。After the undue error message determined by each analysis node is removed, one or more analysis nodes are sequentially selected, and the remaining inbound packets and outgoing packets of the selected analysis node are distributed to other analysis nodes.
  7. 根据权利要求1~5任一项所述的方法,还包括:对所述数据块中的各条报文进行区分。The method according to any one of claims 1 to 5, further comprising: distinguishing each of the packets in the data block.
  8. 根据权利要求7所述的方法,其中,对所述数据块中的各条报文进行区分,包括:The method of claim 7, wherein distinguishing each of the packets in the data block comprises:
    在数据块的预设位置记录各报文长度,通过记录的报文长度区分所述数据块中的各条报文。The length of each packet is recorded in a preset position of the data block, and each packet in the data block is distinguished by the length of the recorded packet.
  9. 根据权利要求1~5任一项所述的方法,其中,将入向报文与出向报文中 不应发生变化部分进行匹配,包括:The method according to any one of claims 1 to 5, wherein the incoming message and the outgoing message are There should be no changes to match, including:
    将所述入向报文中不应发生变化部分的内容与出向报文中所述不应发生变化部分的内容进行匹配;或,Matching the content of the incoming message in the incoming message with the content of the outgoing message that should not change; or
    提取所述入向报文中不应发生变化部分的内容的特征值和所述出向报文中不应发生变化部分的内容的特征值;Extracting, in the inbound message, a feature value of the content of the change portion and a feature value of the content of the outgoing message that should not change;
    将提取的所述入向报文中不应发生变化部分的内容的特征值与提取的所述出向报文中不应发生变化部分的内容的特征值进行匹配。And extracting, in the extracted inbound message, the feature value of the content that should not be changed, and the extracted feature value of the content of the outgoing message that should not change.
  10. 根据权利要求1~5任一项所述的方法,其中,所述确定未匹配成功的报文发生错误前,该方法还包括:The method according to any one of claims 1 to 5, wherein before the determining that the unmatched message has an error, the method further comprises:
    过滤所述被检测网络主动发出的出向报文和发送给所述被检测网络的入向报文。And filtering an outgoing packet sent by the detected network and an incoming packet sent to the detected network.
  11. 根据权利要求1~5任一项所述的方法,其中,当所述被检测网络传输的报文的常见报文时,该方法还包括:对入向报文和出向报文中不应发生变化部分包含的区分字段内容进行报文学习;The method according to any one of claims 1 to 5, wherein, when the packet of the packet transmitted by the detected network is a common packet, the method further comprises: not occurring in the incoming packet and the outgoing packet The content of the distinguishing field included in the change part is used for message learning;
    通过获得入向报文和出向报文中不应发生变化部分包含的区分字段内容的报文学习结果对报文学习结果中入向报文和出向报文中不应发生变化部分包含的区分字段匹配的报文进行过滤,对剩余的报文进行所述入向报文和出向报文中不应发生变化部分的匹配。By obtaining the message learning result of the content of the distinguishing field included in the incoming message and the outgoing message, the difference between the incoming message and the outgoing message in the incoming message should not be changed. The matched packets are filtered, and the matching packets in the incoming packets and outgoing packets should not be matched in the remaining packets.
  12. 根据权利要求1~5任一项所述的方法,其中,所述确定未出错的报文,包括:The method according to any one of claims 1 to 5, wherein the determining the message that is not erroneous comprises:
    各分析节点对分发给自身的数据块中包含的入向报文和出向报文分别进行哈希映射及归约计算;Each analysis node performs hash mapping and reduction calculation on the inbound message and the outgoing message respectively included in the data block distributed to itself;
    对完成映射及规约计算的入向报文和出向报文进行入向报文与出向报文的 中不应发生变化部分的匹配,确定匹配成功的键值对对应的入向报文和出向报文为未出错的报文。Inbound and outgoing packets for incoming and outgoing packets for mapping and protocol calculations The matching of the changed part should not occur, and the incoming message and the outgoing message corresponding to the successful key-value pair are determined to be unerrorized.
  13. 根据权利要求12所述的方法,其中,所述剔除确定的未出错的报文,包括:The method of claim 12 wherein said culling of the determined error-free message comprises:
    根据所述哈希计算的映射确定所述匹配成功的键值对对应的入向报文和出向报文在数据块中的位置,并进行剔除处理。Determining, according to the mapping calculated by the hash, the location of the inbound message and the outgoing message in the data block corresponding to the key pair that is successfully matched, and performing the culling process.
  14. 根据权利要求1~5任一项所述的方法,其中,所述存储被检测网络传输的入向报文和出向报文为预设时间跨度内被检测网络传输的入向报文和出向报文,该方法还包括:The method according to any one of claims 1 to 5, wherein the inbound packet and the outgoing packet transmitted by the detected network are inbound packets and outgoing packets transmitted by the detected network within a preset time span. The method further includes:
    将当前时间跨度内未匹配成功的报文中时间属性在时间边界TR内的报文检出,并存储到下一个时间跨度T存储的所述被检测网络传输的入向报文和出向报文中,进行报文检错。The packets whose time attributes in the time interval TR are not matched in the current time span are detected, and are stored in the inbound and outgoing packets of the detected network stored in the next time span T. In the middle, the message is checked.
  15. 根据权利要求1~5任一项所述的方法,其中,该方法之前还包括:区分所述入向报文和出向报文。The method according to any one of claims 1 to 5, wherein the method further comprises: distinguishing between the incoming message and the outgoing message.
  16. 一种实现报文检错的系统,包括:处理装置和两个或两个以上分析节点;其中,A system for implementing packet error detection, comprising: a processing device and two or more analysis nodes; wherein
    处理装置包括:获取存储单元、分解分发单元及重分单元;其中,The processing device includes: a storage unit, a decomposition distribution unit, and a re-segment unit; wherein
    获取存储单元,被配置为获取并存储被检测网络传输的入向报文和出向报文;Obtaining a storage unit, configured to acquire and store an inbound message and an outgoing message transmitted by the detected network;
    分解分发单元,被配置为将存储的入向报文和出向报文分别分解为相应的数据块后,分发分解的数据块到预先建立的各分析节点;The decomposition distribution unit is configured to respectively decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data blocks to the pre-established analysis nodes;
    重分单元,被配置为各分析节点剔除确定的未出错的报文后,按照预设策略重新分配除确定未出错的报文外剩余的入向报文和出向报文; The re-segment unit is configured to re-allocate the remaining inbound packets and the outgoing packets in addition to the packets that are determined to be in error according to the preset policy.
    各分析节点包括匹配单元、剔除单元及确定单元;其中,Each analysis node includes a matching unit, a culling unit, and a determining unit; wherein
    匹配单元,被配置为对分发给自身的数据块进行入向报文与出向报文的中不应发生变化部分进行匹配,确定未出错的报文;The matching unit is configured to perform matching on the inbound packet and the outgoing packet in the data packet distributed to itself, and determine the packet that is not in error;
    剔除单元,被配置为剔除确定的未出错的报文;a culling unit configured to reject the determined unerrored message;
    确定单元,被配置为确定所有未匹配成功的报文均在自身时,确定未匹配成功的报文发生错误;The determining unit is configured to determine that all the packets that are not successfully matched are in themselves, and determine that the packets that are not successfully matched are incorrect.
    所述被检测网络为由一个或一个以上网络设备构成的网络。The detected network is a network of one or more network devices.
  17. 一种实现报文检错的处理装置,包括:获取存储单元、分解分发单元及重分单元;其中,A processing device for implementing packet error detection, comprising: acquiring a storage unit, a decomposition distribution unit, and a re-segment unit; wherein
    获取存储单元,被配置为获取并存储被检测网络传输的入向报文和出向报文;Obtaining a storage unit, configured to acquire and store an inbound message and an outgoing message transmitted by the detected network;
    分解分发单元,被配置为将存储的入向报文和出向报文分别分解为相应的数据块后,分发分解的数据块到预先建立的各分析节点;The decomposition distribution unit is configured to respectively decompose the stored inbound message and the outgoing message into corresponding data blocks, and then distribute the decomposed data blocks to the pre-established analysis nodes;
    重分单元,被配置为各分析节点剔除确定的未出错的报文后,按照预设策略重新分配除确定未出错的报文外剩余的入向报文和出向报文。The re-segment unit is configured to re-allocate the remaining inbound and outbound packets except the packets that are determined to be in error according to the preset policy.
  18. 根据权利要求17所述的处理装置,其中,所述获取存储单元被配置为,The processing device according to claim 17, wherein the acquisition storage unit is configured to
    当所述网络设备为电口设备时,通过所述被检测网络的网络设备上配置复制所述入向报文和所述出向报文,将配置复制的被检测网络传输的入向报文和出向报文进行存储;When the network device is an electrical interface device, the inbound packet and the outgoing packet are configured to be copied on the network device of the detected network, and the inbound packet transmitted by the detected detected network is configured. Outbound message storage;
    当所述网络设备为光口设备时,通过所述被检测网络的分光器进行所述入向报文和所述出向报文的分光复制,将分光复制的被检测网络传输的入向报文和出向报文进行存储。When the network device is an optical interface device, the optical splitter of the detected network performs the optical splitting of the incoming packet and the outgoing packet, and the inbound packet transmitted by the detected network of the split optical replica is transmitted. And outgoing messages are stored.
  19. 根据权利要求17或18所述的处理装置,其中,所述获取存储单元被 配置为,The processing apparatus according to claim 17 or 18, wherein said acquisition storage unit is Configured as,
    获取被检测网络传输的入向报文和出向报文,将获取的所述入向报文和所述出向报文分别按照二进制文件的形式进行存储。The inbound packet and the outgoing packet transmitted by the detected network are obtained, and the obtained incoming packet and the outgoing packet are respectively stored in the form of a binary file.
  20. 根据权利要求17或18所述的处理装置,其中,所述分解分发单元被配置为,The processing device according to claim 17 or 18, wherein the decomposition distribution unit is configured to
    将存储的入向报文按照预设的固定值或预设的区间值分解为相应的数据块;和,Decomposing the stored inbound message into corresponding data blocks according to a preset fixed value or a preset interval value; and,
    将存储的出向报文按照预设的固定值或预设的区间值分解为相应的数据块;Decomposing the stored outgoing message into a corresponding data block according to a preset fixed value or a preset interval value;
    分发分解的数据块到预先建立的各分析节点进行报文检错。The decomposed data blocks are distributed to the pre-established analysis nodes for message error detection.
  21. 根据权利要求17或18所述的处理装置,其中,所述分解分发单元被配置为,The processing device according to claim 17 or 18, wherein the decomposition distribution unit is configured to
    当当前数据块大小小于预设的固定值,且加上下一条报文数据块大小大于所述预设的固定值,则将所述当前数据块进行补充数位处理,使完成补充数位处理后的数据块大小等于所述预设的固定值,将完成补充数位处理的数据块作为分解的数据块;或,When the current data block size is smaller than the preset fixed value, and the next message data block size is greater than the preset fixed value, the current data block is subjected to complementary digital processing, so that the data after the complementary digital processing is completed The block size is equal to the preset fixed value, and the data block that completes the digital processing is used as the decomposed data block; or
    当当前数据块大小大于预设的区间值的最小值,且加上下一条报文的数据块大小小于或等于所述预设的区间值的最大值,则将所述当前数据块加上下一条报文的数据块作为分解的数据块;When the current data block size is greater than a minimum value of the preset interval value, and the data block size of the next message is less than or equal to the maximum value of the preset interval value, the current data block is added to the next report. The data block of the text is used as a decomposed data block;
    分发分解的数据块到预先建立的各分析节点进行报文检错。The decomposed data blocks are distributed to the pre-established analysis nodes for message error detection.
  22. 根据权利要求17或18所述的处理装置,还包括区分单元,被配置为对所述数据块中的各条报文进行区分。The processing apparatus according to claim 17 or 18, further comprising a distinguishing unit configured to distinguish each of the pieces of the data block.
  23. 根据权利要求22所述的处理装置,其中,所述区分单元被配置为,The processing device according to claim 22, wherein the distinguishing unit is configured to
    在数据块的预设位置记录各报文长度,通过记录的报文长度区分所述数据 块中的各条报文。Recording the length of each packet at a preset position of the data block, and distinguishing the data by the length of the recorded packet Each message in the block.
  24. 根据权利要求17或18所述的处理装置,其中,所述重分单元被配置为,剔除各分析节点确定的未出错的报文后,逐次选择一个或一个以上分析节点,将选择的分析节点的所述剩余的入向报文和出向报文分发到其他分析节点。The processing apparatus according to claim 17 or 18, wherein the re-dividing unit is configured to, after rejecting the error-free message determined by each analysis node, sequentially select one or more analysis nodes, and select the selected analysis node The remaining inbound and outbound messages are distributed to other analysis nodes.
  25. 根据权利要求17或18所述的处理装置,其中,所述存储被检测网络传输的入向报文和出向报文为预设时间跨度内被检测网络传输的入向报文和出向报文,该处理装置还包括边界处理单元,被配置为将当前时间跨度内未匹配成功的报文中时间属性在时间边界TR内的报文检出,并存储到下一个时间跨度T存储的所述被检测网络传输的入向报文和出向报文中,进行报文检错。The processing device according to claim 17 or 18, wherein the inbound packet and the outgoing packet transmitted by the detected network are inbound packets and outgoing packets transmitted by the detected network within a preset time span. The processing device further includes a boundary processing unit configured to detect a message whose time attribute in the unmatched message within the current time span is within the time boundary TR, and store the message stored in the next time span T Detects incoming packets and outgoing packets transmitted by the network, and performs packet error detection.
  26. 根据权利要求17或18所述的处理装置,还包括入向出向区分单元,被配置为区分所述入向报文和出向报文。The processing apparatus according to claim 17 or 18, further comprising an inbound and outbound distinguishing unit configured to distinguish the inbound message from the outgoing message.
  27. 一种实现报文检错的分析节点,包括匹配单元、剔除单元及确定单元;其中,An analysis node for implementing packet error detection, comprising a matching unit, a culling unit and a determining unit; wherein
    匹配单元,被配置为对接收的数据块进行入向报文与出向报文的中不应发生变化部分进行匹配,确定未出错的报文;The matching unit is configured to match the inbound packet of the received data block with the unchanged portion of the outgoing packet, and determine the packet that is not erroneous;
    剔除单元,被配置为剔除确定的未出错的报文;a culling unit configured to reject the determined unerrored message;
    确定单元,被配置为确定所有未匹配成功的报文均在自身时,确定未匹配成功的报文发生错误。The determining unit is configured to determine that all the packets that are not successfully matched are in themselves, and determine that the packets that do not match successfully are incorrect.
  28. 根据权利要求27所述的分析节点,其中,所述匹配单元被配置为,对分发给自身的数据块中的入向报文和出向报文,The analysis node according to claim 27, wherein said matching unit is configured to, for an inbound message and an outgoing message in a data block distributed to itself,
    将所述入向报文中不应发生变化部分的内容与出向报文中所述不应发生变化部分的内容进行匹配;或,Matching the content of the incoming message in the incoming message with the content of the outgoing message that should not change; or
    提取所述入向报文中不应发生变化部分的内容的特征值和所述出向报文中 不应发生变化部分的内容的特征值;Extracting, in the inbound message, the feature value of the content of the change portion and the outgoing message The feature value of the content of the changed part should not occur;
    将提取的所述入向报文中不应发生变化部分的内容的特征值与提取的所述出向报文中不应发生变化部分的内容的特征值进行匹配。And extracting, in the extracted inbound message, the feature value of the content that should not be changed, and the extracted feature value of the content of the outgoing message that should not change.
  29. 根据权利要求27或28所述的分析节点,还包括过滤单元,被配置为确定未匹配成功的报文发生错误前,过滤所述被检测网络主动发出的出向报文和发送给所述被检测网络的入向报文。The analysis node according to claim 27 or 28, further comprising a filtering unit configured to filter an outgoing message actively sent by the detected network and send the detected message to the detected device before determining that the packet that is not successfully matched is incorrect. Inbound message of the network.
  30. 根据权利要求27或28所述的分析节点,还包括报文学习单元和学习过滤单元,The analysis node according to claim 27 or 28, further comprising a message learning unit and a learning filtering unit,
    报文学习单元,被配置为当所述被检测网络传输的报文的常见报文时,对入向报文和出向报文中不应发生变化部分包含的区分字段内容进行报文学习;The message learning unit is configured to: when the common message of the packet transmitted by the detected network is used, perform packet learning on the content of the distinguishing field included in the incoming message and the outgoing message;
    学习过滤单元,被配置为通过获得入向报文和出向报文中不应发生变化部分包含的区分字段内容的报文学习结果对报文学习结果中入向报文和出向报文中不应发生变化部分包含的区分字段匹配的报文进行过滤,对剩余的报文发送到匹配单元进行所述入向报文和出向报文中不应发生变化部分的匹配。The learning filtering unit is configured to obtain the packet learning result of the distinguishing field content included in the incoming message and the outgoing message, and should not be included in the incoming message and the outgoing message in the message learning result. The packet that matches the matching field included in the changed part is filtered, and the remaining packets are sent to the matching unit to perform matching in the incoming packet and the outgoing packet.
  31. 根据权利要求27所述的分析节点,其中,所述匹配单元被配置为,The analysis node according to claim 27, wherein said matching unit is configured to
    对接收的数据块中包含的入向报文和出向报文进行哈希映射及归约计算;Performing hash mapping and reduction calculation on the incoming message and the outgoing message included in the received data block;
    对完成映射及规约计算的入向报文和出向报文进行入向报文与出向报文的中不应发生变化部分的匹配,确定匹配成功的键值对对应的入向报文和出向报文为未出错的报文。The inbound and outbound packets of the inbound and outbound packets that are used for the mapping and the grammar calculations are not matched in the inbound and outbound packets, and the inbound and outbound packets corresponding to the successfully matched key-value pairs are determined. The text is a message that has not gone wrong.
  32. 根据权利要求31所述的分析节点,其中,所述剔除单元被配置为,根据所述哈希计算的映射确定所述匹配成功的键值对对应的入向报文和出向报文在数据块中的位置,以进行剔除处理。The analysis node according to claim 31, wherein the culling unit is configured to determine, according to the mapping of the hash calculation, an inbound message and an outbound message corresponding to the successfully matched key value pair in the data block. The position in the middle for culling.
  33. 一种非暂态计算机可读存储介质,存储有计算机可执行指令,所述计 算机可执行指令设置为执行权利要求1-15中任一项的方法。 A non-transitory computer readable storage medium storing computer executable instructions The computer executable instructions are arranged to perform the method of any of claims 1-15.
PCT/CN2017/070507 2016-01-06 2017-01-06 Method and device for packet error detection WO2017118430A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610009902.0 2016-01-06
CN201610009902.0A CN106953775A (en) 2016-01-06 2016-01-06 A kind of method and device for realizing message error detection

Publications (1)

Publication Number Publication Date
WO2017118430A1 true WO2017118430A1 (en) 2017-07-13

Family

ID=59273314

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/070507 WO2017118430A1 (en) 2016-01-06 2017-01-06 Method and device for packet error detection

Country Status (2)

Country Link
CN (1) CN106953775A (en)
WO (1) WO2017118430A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115834411B (en) * 2023-02-16 2023-06-27 北京派网软件有限公司 Network performance analysis method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102594600A (en) * 2012-02-21 2012-07-18 中兴通讯股份有限公司 Method and system for determining failure position of bidirectional forwarding detection session
CN103051629A (en) * 2012-12-24 2013-04-17 华为技术有限公司 Software defined network-based data processing system, method and node
CN103580953A (en) * 2013-10-21 2014-02-12 华为技术有限公司 Method and devices for detecting faults
CN104243348A (en) * 2014-09-22 2014-12-24 曙光信息产业(北京)有限公司 Data processing method and device
CN104243093A (en) * 2013-06-14 2014-12-24 西门子公司 Method and system for detecting errors in the transmission of data from a transmitter to at least one receiver
US20150200827A1 (en) * 2014-01-13 2015-07-16 Cisco Technology, Inc. Network performance diagnostics system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101783786B (en) * 2009-01-19 2013-01-16 中兴通讯股份有限公司 Method and device for filtering data packets
CN203027498U (en) * 2012-11-27 2013-06-26 北京交控科技有限公司 Testing device
CN103746868B (en) * 2013-12-23 2017-07-04 普联技术有限公司 A kind of method, device and test equipment for sending and receiving test packet
CN105141583B (en) * 2015-07-28 2019-02-15 中国电子科技集团公司第三十六研究所 A kind of character string matching method and system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102594600A (en) * 2012-02-21 2012-07-18 中兴通讯股份有限公司 Method and system for determining failure position of bidirectional forwarding detection session
CN103051629A (en) * 2012-12-24 2013-04-17 华为技术有限公司 Software defined network-based data processing system, method and node
CN104243093A (en) * 2013-06-14 2014-12-24 西门子公司 Method and system for detecting errors in the transmission of data from a transmitter to at least one receiver
CN103580953A (en) * 2013-10-21 2014-02-12 华为技术有限公司 Method and devices for detecting faults
US20150200827A1 (en) * 2014-01-13 2015-07-16 Cisco Technology, Inc. Network performance diagnostics system
CN104243348A (en) * 2014-09-22 2014-12-24 曙光信息产业(北京)有限公司 Data processing method and device

Also Published As

Publication number Publication date
CN106953775A (en) 2017-07-14

Similar Documents

Publication Publication Date Title
CN110401662B (en) Industrial control equipment fingerprint identification method and storage medium
US7802009B2 (en) Automatic reverse engineering of message formats from network traces
CN113259143B (en) Information processing method, device, system and storage medium
CN109379390B (en) Network security baseline generation method based on full flow
WO2022048668A1 (en) Knowledge graph construction method and apparatus, check method and storage medium
US9614773B1 (en) Systems and methods for automatically correcting classification signatures
CN110708250A (en) Method for improving data forwarding performance, electronic equipment and storage medium
EP3832960B1 (en) Establishment of fast forwarding table
CN112751733A (en) Link detection method, device, equipment, system and switch
CN108833430B (en) Topology protection method of software defined network
CN114553730B (en) Application identification method and device, electronic equipment and storage medium
CN113839882B (en) Message flow splitting method and device
CN113507431B (en) Message management method, device, equipment and machine-readable storage medium
WO2017118430A1 (en) Method and device for packet error detection
CN111010362B (en) Monitoring method and device for abnormal host
CN116015796A (en) Flow table updating method and device, firewall equipment and storage medium
CN111901138B (en) Visual auditing method for illegal access of industrial network
CN113064906B (en) Binlog log data adaptive migration method and system
WO2017118428A1 (en) Method and apparatus for realizing message error detection
CN110166295B (en) Method for judging whether network topology supports Byzantine fault tolerance or not
US20220200860A1 (en) Mitigation of physical network misconfigurations for clustered nodes
CN111884919B (en) Method, device, equipment and readable medium for clearing invalid virtual IP
CN109067603B (en) Method and system for determining VLAN configuration problem of transformer substation network
CN106789150B (en) Network fault detection method and device
CN101599902A (en) A kind of method and device that obtains business information

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17735868

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17735868

Country of ref document: EP

Kind code of ref document: A1