
CN100576819C - Flow Analysis Method Based on Linux Kernel - Google Patents

Info

Publication number
CN100576819C
Authority
CN
China
Prior art keywords
analysis
kernel
traffic
flow
data packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200510004247A
Other languages
Chinese (zh)
Other versions
CN1633110A (en)
Inventor
杨建华
谢高岗
李忠诚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Computing Technology of CAS
Original Assignee
Institute of Computing Technology of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2005-01-14
Filing date
2005-01-14
Publication date
2009-12-30
Application filed by Institute of Computing Technology of CAS
Priority to CN200510004247A
Publication of CN1633110A
Application granted
Publication of CN100576819C
Anticipated expiration
Expired - Fee Related (current legal status)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A traffic analysis method based on the Linux kernel, implemented as a Linux loadable kernel module, which performs traffic analysis at both packet level and flow level. The monitoring and analysis indicators provided include traffic rate, link utilization, layer 2-7 protocol distribution, the traffic rate of each protocol and packet size distribution; specific types of flow can also be monitored, and the corresponding statistics provided, according to flow definition rules. Because the method is implemented as a loadable kernel module, the overhead of system calls and memory copying is reduced and traffic analysis performance improves. Experimental results show that on 100 Mbps and 1000 Mbps links the method monitors and analyzes traffic in real time at 142,000 pps and 405,000 pps respectively, about 50% more processing capacity than user-space traffic analysis based on libpcap.

Description

Flow Analysis Method Based on Linux Kernel

Technical field

The present invention relates to the technical field of computer network traffic analysis, and in particular to a traffic analysis method based on the Linux kernel.

Background

Traffic indicators are among the most important indicators in network operations, and are the basis of network planning and design, protocol design, service deployment, traffic engineering, attack detection and fault diagnosis. Monitoring and analyzing network traffic yields a large amount of information on network performance, on the state of network services, and on attacks or weaknesses present in the network. Passive traffic monitoring through packet capture and protocol analysis, which obtains traffic indicators at each protocol layer, is the most commonly used monitoring method.

In recent years network link rates have grown rapidly, moving from Mbit/s to Gbit/s, and may reach 40 Gbit/s or even Tbit/s in the near future. Gigabit network cards and gigabit switches are already cheap and almost every new LAN deployment uses them; an ordinary home user can now obtain more bandwidth than a company could two years ago. The spread of network applications and the development of network technology have made traffic volumes ever larger. Passive monitoring and analysis based on packet capture is constrained by many technical factors, such as PCI (Peripheral Component Interconnect) bus throughput, storage capacity, memory access speed and disk array throughput [1], so that traditional passive monitoring techniques adequate for low-speed links, such as libpcap-based monitoring tools, cannot be applied to higher-speed networks. To overcome the performance limits imposed by the operating system, PCI bus bandwidth and system resources, many researchers have turned to network processors for traffic monitoring and analysis. Network processors, however, usually require dedicated equipment and long development cycles, which makes large-scale deployment impractical.

Packet capture is the most common technique for passive traffic monitoring and analysis. In recent years many researchers and hardware vendors have attempted passive monitoring and analysis with dedicated hardware, such as OC3MON and DAG. New research projects on traffic monitoring and analysis are also under way: SCAMP in Europe has designed a packet capture architecture; MAGNet monitors application flows; and CoralReef, developed by CAIDA, is one of the important tools for collecting and analyzing passive Internet traffic measurements.

Implementing traffic monitoring and analysis on a general-purpose platform, as Tcpdump/libpcap and Sniffer do, is still the most common approach. The basic principle is to capture the packets passing through a link or port, analyze each packet, and derive traffic statistics. Such traffic analysis is used widely in intrusion detection systems (Snort, Bro) and traffic analysis systems (ntop, Ethereal, tcpflow). Most current traffic analysis tools are built on libpcap and provide basic link status information such as link utilization, bandwidth and protocol distribution.

Libpcap is a packet capture library available on many operating systems (Linux, FreeBSD, Solaris and others) that shields developers from the technology of the underlying network link. Libpcap relies on a powerful kernel packet filter, BPF (Berkeley Packet Filter). Before introducing BPF, the implementation of network communication in the Linux operating system is explained. Figure 1 shows the path a received packet takes through a simple Linux system, including where BPF sits. The Linux networking stack has four important parts: the network device interface, the network core, the protocol stack and the socket interface. The first two are the basis of network communication and are the parts most relevant to the traffic analysis method described here. The network device interface is one of the most critical parts: it hides the differences between physical media and provides a uniform packet send/receive interface (the Network Interface in Figure 1).
The network core obtains packets from the network devices, buffers them in the kernel, and dispatches them to the handler functions registered by the user or by default by the system; the BPF in Figure 1 belongs to the network core. BPF is a kernel-based packet filter and one of the key components of packet capture, and is regarded as the best of the packet filtering implementations in Unix [10]. BPF has two main parts: a packet duplicator and a packet filter. The duplicator obtains a copy of each packet on the link from the network device driver and hands the copy to the filter; the filter accepts or discards the packet according to the filter rules. Importantly, BPF passes only the packets that match the rules to user space. BPF can also pass only the required part of a packet, for example its first 64 bytes, to user space, reducing the packet copying overhead. For an Ethernet packet, for instance, the first 64 bytes are sufficient to analyze the Ethernet header and the IP/TCP headers.

Summary of the invention

The present invention is a traffic analysis method based on the Linux kernel. Its key feature is that it is implemented as a loadable Linux kernel module and exposed to user-space programs as a character device. The details are as follows:

1) The traffic analysis method is implemented in Linux kernel space and integrates BPF packet filtering with network traffic analysis, supporting the analysis of more than 100 layer 2-7 protocols. This implementation effectively reduces memory copying and system call time, lowers storage requirements, and improves the efficiency of traffic monitoring and analysis. Figure 2 shows the system structure designed for the method.

2) The arrival and processing of a network packet in the Linux kernel proceeds as follows: when the network card receives a packet it raises a hardware interrupt; the CPU moves the packet out of the card's buffer, creates a new node in the kernel's packet buffer list (socket buffer, skbuff) to store the received packet, and leaves it waiting for the protocol stack or another registered handler function to process. Because the method performs all traffic analysis inside the kernel, only the analysis results are passed to user-space programs, through an API. Moreover, the packets to be analyzed are taken directly from the skbuff list in the kernel, which greatly reduces kernel-to-user-space memory copying and system call overhead.

The method reads packet contents directly from the skbuff and performs all traffic analysis functions in kernel space; the packet capture function itself is also implemented in the kernel.

3) The traffic analysis method of the present invention supports two levels of traffic analysis: packet level and flow level. At packet level it by default performs protocol analysis on all raw packets and provides analysis results for more than 200 protocols. These results are obtained through the user-space interface provided by the method; the main indicators are traffic rate (packet rate and byte rate), link utilization, protocol distribution at each layer, packet size distribution, packet inter-arrival distribution, and the traffic rate of each protocol. In addition, specific flows can be monitored according to different flow rule definitions, and flow-based indicators provided: the statistical distribution of flow duration, flow rate, the distribution of flow size, and the distribution of the number of concurrent flows. Further indicators depend on the flow rule, for example separation of inbound and outbound traffic, monitoring and analysis of specific ports, AS numbers, IP address ranges or services, the top N IP hosts and host pairs by traffic, and the top N ports and ASes by traffic.

4) Capturing raw packets is also an important function of a traffic analysis tool, so the method supports the capture of a limited number of raw packets. The configuration functions and the upload of raw packets and statistical results are all available to user-space programs through the designed API. Since BPF (Berkeley Packet Filter) is a mature and widely used filter, the method inherits the syntax of BPF filter rules.

Description of drawings

Figure 1 is a flow chart of packet reception in a Linux system.

Figure 2 is a schematic of the system structure of the kernel-based traffic analysis method.

Figure 3 is a flow chart of the traffic analysis method based on the Linux kernel.

Detailed description

Figure 1: path of a received packet through the Linux kernel. The network card raises an interrupt request on receiving a packet; the CPU fetches the arriving packet from the card's buffer in response to the interrupt; the packet is transferred over the PCI bus into kernel space and a node is created for it in the skbuff list; finally it is handed to the protocol stack or to a BPF-like kernel-based processing module. Processing and results are exchanged with user-space programs through system calls as required.

Figure 2: architecture of the kernel-based traffic analysis method. All analysis functions are implemented in the kernel; two levels of monitoring and analysis indicators, packet level and flow level, are provided, and the capture of a limited number of raw packets is supported. Analysis results and raw packets are made available to user-space programs through an API.

The traffic analysis method based on the Linux kernel shown in Figure 3 proceeds as follows:

The network card raises an interrupt request on receiving a packet; the CPU fetches the arriving packet from the card's buffer in response to the interrupt; the packet is transferred over the PCI bus into kernel space and a node is created for it in the skbuff list; finally the packet analysis function registered in the kernel analyzes it and derives the traffic analysis indicators listed above.

The specific steps are:

Step S1, put the network card into promiscuous mode so that all packets on the network are received;

Step S2, register a kernel-level network traffic analysis function in the operating system kernel to handle the protocol type that the analysis function specifies; in this method the traffic analysis function specifies all Ethernet types;

Step S3, configure the traffic analysis parameters so that the traffic analysis function analyzes traffic according to user-defined rules;

Step S4, if the packet buffer list in kernel space is not empty, call the registered traffic analysis function to analyze the packets and place the results in the statistics cache and the flow record cache;

Step S5, if the module receives a request from user space to unload the module, leave promiscuous mode and execute S6;

Step S6, unregister the kernel-level traffic analysis function;

Step S7, if the module receives a request from user space for analysis results, process the request and return the corresponding results.

Embodiment:

1. Implement the traffic analysis function, the configuration function and the result-retrieval API described in the method as a character device driver under the Linux kernel.

2. Load the character device driver that implements the traffic analysis function, then configure the in-kernel traffic analysis and retrieve the analysis results through the character device operation API it provides.
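As an added example that is not the patent's code, the following user-space C program models the per-packet analysis function that steps S2 and S4 register and invoke, applied to constructed Ethernet frames rather than to skbuffs. It parses the Ethernet, optional 802.1Q, IPv4 and TCP/UDP headers from a 64-byte header snapshot of the kind the BPF discussion above describes, keeps the packet-level indicators of claim 4 (packet and byte counts, layer-3 and layer-4 protocol distribution, packet size distribution) and a small flow table keyed by the 5-tuple for the flow-level indicators of claim 5 (per-flow packets, bytes, first and last timestamp), and evaluates one user-defined flow rule of the kind step S3 configures (bytes sent to a given destination port). It also shows the check a kernel-resident parser must make on the snapshot length: 64 bytes cover a 14-byte Ethernet header plus option-free IPv4 and TCP headers (54 bytes), but not a VLAN tag combined with IP options, so every header is bounds-checked and such a frame is counted as truncated instead of being read past the buffer. All structures, functions, addresses and frame contents below are this example's own assumptions; the sample frames are constructed inline.

```c
/* Added example, not the patent's code: a user-space model of the in-kernel per-packet
 * analysis function, run over constructed frames (a kernel module would read skb->data). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_FLOWS 64
#define SNAPLEN   64   /* header snapshot length, as in the BPF discussion */
enum { L3_IPV4, L3_OTHER, L3_COUNT }; enum { L4_TCP, L4_UDP, L4_OTHER, L4_COUNT };

struct flow_key { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
struct flow { struct flow_key key; uint64_t pkts, bytes; double first, last; };
struct stats {
    uint64_t pkts, bytes, truncated;      /* packet level */
    uint64_t l3[L3_COUNT], l4[L4_COUNT];  /* protocol distribution */
    uint64_t size_hist[4];                /* <=64, <=512, <=1024, >1024 bytes */
    struct flow flows[MAX_FLOWS];         /* flow level, keyed by 5-tuple */
    int nflows;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Find or create a flow record; NULL when the table is full (packet-level counts still run). */
static struct flow *flow_lookup(struct stats *s, const struct flow_key *k) {
    for (int i = 0; i < s->nflows; i++)
        if (memcmp(&s->flows[i].key, k, sizeof *k) == 0) return &s->flows[i];
    if (s->nflows == MAX_FLOWS) return NULL;
    struct flow *f = &s->flows[s->nflows++];
    memset(f, 0, sizeof *f); memcpy(&f->key, k, sizeof *k);
    return f;
}

/* Bounds check against the snapshot: count the frame as truncated and stop rather than read past it. */
#define NEED(n) do { if (snap < (n)) { s->truncated++; return -1; } } while (0)

/* Per-frame analysis. wire_len is the length on the link, snap the bytes available for
 * parsing (at most SNAPLEN). Returns 0, or -1 if the snapshot cut a header short. */
int analyze_frame(struct stats *s, const uint8_t *frame, size_t wire_len, size_t snap, double ts) {
    s->pkts++; s->bytes += wire_len;
    s->size_hist[wire_len <= 64 ? 0 : wire_len <= 512 ? 1 : wire_len <= 1024 ? 2 : 3]++;
    if (snap > wire_len) snap = wire_len;
    size_t off = 14;                                                   /* Ethernet header */
    NEED(off);
    uint16_t ethertype = rd16(frame + 12);
    if (ethertype == 0x8100) { NEED(18); ethertype = rd16(frame + 16); off = 18; } /* 802.1Q */
    if (ethertype != 0x0800) { s->l3[L3_OTHER]++; return 0; }
    s->l3[L3_IPV4]++;
    NEED(off + 20);
    struct flow_key k; memset(&k, 0, sizeof k);      /* zero the padding too: keys are memcmp'd */
    k.saddr = rd32(frame + off + 12); k.daddr = rd32(frame + off + 16); k.proto = frame[off + 9];
    off += (size_t)(frame[off] & 0x0f) * 4;                            /* IHL, options included */
    if (k.proto == 6 || k.proto == 17) {
        s->l4[k.proto == 6 ? L4_TCP : L4_UDP]++;
        NEED(off + 4);                               /* ports can lie beyond a 64-byte snapshot */
        k.sport = rd16(frame + off); k.dport = rd16(frame + off + 2);
    } else s->l4[L4_OTHER]++;
    struct flow *f = flow_lookup(s, &k);
    if (f) { if (f->pkts == 0) f->first = ts; f->last = ts; f->pkts++; f->bytes += wire_len; }
    return 0;
}

/* One flow rule of the kind step S3 configures: bytes carried by flows to a given port. */
uint64_t bytes_to_port(const struct stats *s, uint16_t dport) {
    uint64_t n = 0;
    for (int i = 0; i < s->nflows; i++)
        if (s->flows[i].key.dport == dport) n += s->flows[i].bytes;
    return n;
}

/* Constructed frame: Ethernet[+802.1Q] / IPv4 with ihl header words / TCP(6) or UDP(17) /
 * payload. The IPv4 total-length field stays zero on purpose: the parser uses the link-level
 * length, as a kernel hook would use skb->len. */
static size_t mk_frame(uint8_t *b, int vlan, int ihl, uint8_t proto, uint32_t sa, uint32_t da,
                       uint16_t sp, uint16_t dp, size_t payload) {
    memset(b, 0, 1600); size_t off = 12;
    if (vlan) { wr16(b + off, 0x8100); wr16(b + off + 2, 1); off += 4; }
    wr16(b + off, 0x0800); off += 2;
    b[off] = (uint8_t)(0x40 | ihl); b[off + 9] = proto;
    wr32(b + off + 12, sa); wr32(b + off + 16, da);
    off += (size_t)ihl * 4;
    wr16(b + off, sp); wr16(b + off + 2, dp);
    return off + (proto == 6 ? 20 : 8) + payload;
}

/* Runs the constructed sample through analyze_frame into a static stats record. */
const struct stats *run_sample(void) {
    static struct stats s; static uint8_t b[1600];
    uint32_t h1 = 0x0a000001, h2 = 0x0a000002, h3 = 0x0a000003;      /* 10.0.0.1, .2, .3 */
    memset(&s, 0, sizeof s);
    analyze_frame(&s, b, mk_frame(b, 0, 5, 6, h1, h2, 40000, 80, 100), SNAPLEN, 0.1);
    analyze_frame(&s, b, mk_frame(b, 0, 5, 6, h1, h2, 40000, 80, 1400), SNAPLEN, 0.2);
    analyze_frame(&s, b, mk_frame(b, 0, 5, 17, h3, h2, 5353, 53, 30), SNAPLEN, 0.3);
    analyze_frame(&s, b, mk_frame(b, 1, 5, 6, h3, h2, 40001, 80, 0), SNAPLEN, 0.4);
    memset(b, 0, 60); wr16(b + 12, 0x0806);                          /* 60-byte ARP frame */
    analyze_frame(&s, b, 60, SNAPLEN, 0.5);
    /* VLAN tag + 40 bytes of IP options: the TCP ports sit past byte 64 of the frame */
    analyze_frame(&s, b, mk_frame(b, 1, 15, 6, h1, h2, 40002, 443, 0), SNAPLEN, 0.6);
    return &s;
}

int main(void) {
    const struct stats *s = run_sample();
    printf("packets %llu, truncated %llu, flows %d, bytes to port 80 %llu\n", (unsigned long long)s->pkts,
           (unsigned long long)s->truncated, s->nflows, (unsigned long long)bytes_to_port(s, 80));
    return 0;
}
```

In a kernel module the same logic would sit in the handler that step S2 registers for all Ethernet types (the patent does not name the API; on Linux the usual route is a packet_type registered with dev_add_pack() for ETH_P_ALL, whose handler receives the skbuff). Two points carry over directly: the handler must bound every header read by the data actually present in the skbuff, exactly as the NEED checks do here, and the character device of claim 2 that returns the statistics to user space must copy no more than the caller's buffer, since that device boundary is the module's attack surface.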

Claims (5)

1. A traffic analysis method based on the Linux kernel, in which the network card raises an interrupt request on receiving a packet, the CPU fetches the arriving packet from the card's buffer in response to the interrupt, the packet is transferred over the PCI bus into kernel space and a node is created for it in the kernel packet buffer, and the packet is finally analyzed by the packet analysis function registered in the kernel to obtain the traffic analysis indicators that this function computes; the method comprises the following steps:

Step S1, put the network card into promiscuous mode so that all packets on the network are received;

Step S2, register a kernel-level network traffic analysis function in the operating system kernel to handle the protocol type that the analysis function specifies, the protocol type specified by the traffic analysis function in this method being all Ethernet types;

Step S3, configure the traffic analysis parameters so that the traffic analysis function analyzes traffic according to user-defined rules;

Step S4, if the packet buffer list in kernel space is not empty, call the registered traffic analysis function to analyze the packets and place the results in the statistics cache and the flow record cache.

2. The traffic analysis method based on the Linux kernel of claim 1, characterized in that the method is implemented as a loadable kernel module and made available to user-space programs as a character device.

3. The traffic analysis method based on the Linux kernel of claim 1, characterized in that the method provides two different levels of traffic analysis indicators: packet level and flow level.

4. The traffic analysis method based on the Linux kernel of claim 3, characterized in that the packet-level indicators cover the analysis of more than 200 protocols and include at least traffic rate, link utilization, protocol distribution at each layer, packet size distribution, packet inter-arrival distribution and the traffic rate of each protocol.

5. The traffic analysis method based on the Linux kernel of claim 3, characterized in that the flow-level indicators include the statistical distribution of flow duration, flow rate, the statistical distribution of flow size and the statistical distribution of the number of concurrent flows.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200510004247A CN100576819C (en) 2005-01-14 2005-01-14 Flow Analysis Method Based on Linux Kernel


Publications (2)

Publication Number Publication Date
CN1633110A CN1633110A (en) 2005-06-29
CN100576819C true CN100576819C (en) 2009-12-30

Family

ID=34853019

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200510004247A Expired - Fee Related CN100576819C (en) 2005-01-14 2005-01-14 Flow Analysis Method Based on Linux Kernel

Country Status (1)

Country Link
CN (1) CN100576819C (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100435514C (en) * 2006-03-10 2008-11-19 中国科学院软件研究所 Ethernet driver level bottom layer filtering method and system
CN101370009B (en) * 2008-03-12 2011-08-24 武汉理工大学 Construction Method of Virtual Network Block Framework Based on Linux Kernel Network Subsystem
CN102752321A (en) * 2012-08-07 2012-10-24 广州微仕科信息技术有限公司 Firewall realization method based on multicore network processor
CN106878107B (en) * 2017-02-28 2019-10-29 无锡研勤信息科技有限公司 Network bandwidth speed-measuring method based on linux kernel driving
CN108540333A (en) * 2017-03-02 2018-09-14 中兴通讯股份有限公司 The method of measurement network side handling capacity, home gateway, apparatus and system
CN107171895A (en) * 2017-07-01 2017-09-15 浙江省计量科学研究院 A kind of communication network data flow-measuring method
CN107483287B (en) * 2017-08-17 2021-07-20 郑州云海信息技术有限公司 A system and method for automatically monitoring network port data packet sending and receiving faults
CN110138797B (en) * 2019-05-27 2021-12-14 北京知道创宇信息技术股份有限公司 Message processing method and device
CN110351275B (en) * 2019-07-11 2022-08-19 北京长亭未来科技有限公司 Host port flow monitoring method, system, device and storage equipment
CN113037532B (en) * 2019-12-25 2024-08-02 中兴通讯股份有限公司 Method and device for detecting streaming media code stream, server and readable storage medium
CN111756575B (en) * 2020-06-19 2023-08-11 北京星辰天合科技股份有限公司 Performance analysis method and device of storage server and electronic equipment
CN111917835A (en) * 2020-07-13 2020-11-10 北京天空卫士网络安全技术有限公司 A system, method and device for monitoring network data
CN112153013B (en) * 2020-09-02 2023-04-18 杭州安恒信息技术股份有限公司 Socket data forwarding method and device, electronic equipment and storage medium
CN114726633B (en) * 2022-04-14 2023-10-03 中国电信股份有限公司 Traffic data processing method and device, storage medium and electronic equipment
CN115037658B (en) * 2022-06-08 2023-05-02 广东电网有限责任公司 BPF-based metering master station network detection method and metering master station

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20040009225A (en) * 2002-07-23 2004-01-31 엘지엔시스(주) Method of network packet checking by kernel hooking
CN1474534A (en) * 2002-08-09 2004-02-11 联想(北京)有限公司 Network protocol layer user identifying method for packet filter
KR20040048466A (en) * 2002-12-03 2004-06-10 한국전자통신연구원 Intrusion detection system and method based on kernel module in security gateway system for high-speed intrusion detection on network


Also Published As

Publication number Publication date
CN1633110A (en) 2005-06-29

Similar Documents

Publication Publication Date Title
CN100576819C (en) Flow Analysis Method Based on Linux Kernel
CN113794605B (en) Method, system and device for detecting kernel packet loss based on eBPF
CN100558089C (en) A Realization Method of Content Filtering Gateway Based on Network Filter
US8724633B2 (en) Internet real-time deep packet inspection and control device and method
CN109309605B (en) In-band network telemetry system and method
CN1206600C (en) Full distribution type aggregation network servicer system
US8649395B2 (en) Protocol stack using shared memory
García-Dorado et al. High-performance network traffic processing systems using commodity hardware
CN100477643C (en) Data Packet Capture Method Based on Shared Memory
CN107181738B (en) Software intrusion detection system and method
US7414975B2 (en) Protocol stack
US8005958B2 (en) Virtual interface
US9356844B2 (en) Efficient application recognition in network traffic
CN105099730B (en) Terminal device, the network flux statistical method based on terminal device and system
CN102694733A (en) Method for acquiring network flow data set with accurate application type identification
WO2006055691A2 (en) Queued, asynchronous communication architecture interface
Li et al. The comparison and verification of some efficient packet capture and processing technologies
Li et al. Triton: A flexible hardware offloading architecture for accelerating apsara vSwitch in alibaba cloud
US8180856B2 (en) Testing a network
CN118170706A (en) PCIe interface data high-speed processing and forwarding method based on DPDK
CN118590327A (en) New high-speed encryption and decryption system and method based on FPGA offloading
CN118573595A (en) Network data capturing and analyzing system based on ARM framework hardware platform
Wang et al. An optimized RDMA QP communication mechanism for hyperscale AI infrastructure
US8050266B2 (en) Low impact network debugging
CN1992595A (en) Terminal and related method for detecting maliciously attempted data in a computer network

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20091230; termination date: 20190114)