[go: up one dir, main page]

CN110719215A - Flow information acquisition method and device of virtual network - Google Patents

Flow information acquisition method and device of virtual network Download PDF

Info

Publication number
CN110719215A
CN110719215A CN201910999665.0A CN201910999665A CN110719215A CN 110719215 A CN110719215 A CN 110719215A CN 201910999665 A CN201910999665 A CN 201910999665A CN 110719215 A CN110719215 A CN 110719215A
Authority
CN
China
Prior art keywords
information
forwarding
meta
packet information
aggregation module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910999665.0A
Other languages
Chinese (zh)
Other versions
CN110719215B (en
Inventor
胡延楠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd filed Critical Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201910999665.0A priority Critical patent/CN110719215B/en
Publication of CN110719215A publication Critical patent/CN110719215A/en
Application granted granted Critical
Publication of CN110719215B publication Critical patent/CN110719215B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/026Capturing of monitoring data using flow identification
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00Packet switching elements
    • H04L49/70Virtual switches

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本申请的实施例公开了虚拟网络的流信息采集方法及装置,涉及云计算领域。该方法的一具体实施方式包括:获取虚拟网络中的报文信息;响应于确定报文信息与预设转发规则的匹配域相匹配,通过预设转发规则中的动作域中的转发指令,将报文信息的元信息转发至转发指令指定的聚合模块;基于报文信息的元信息,通过聚合模块统计得到虚拟交换机的流信息。本申请基于转发规则的匹配域将匹配后的报文信息的元信息转发至聚合模块进行统计,避免了对不必要的报文信息进行统计;而且只将报文信息的元信息转发至聚合模块,元信息数据量小,减小了数据转发时的开销。

Figure 201910999665

The embodiments of the present application disclose a method and device for collecting flow information of a virtual network, and relate to the field of cloud computing. A specific implementation of the method includes: acquiring the message information in the virtual network; in response to determining that the message information matches the matching field of the preset forwarding rule, using the forwarding instruction in the action field in the preset forwarding rule, The meta-information of the packet information is forwarded to the aggregation module specified by the forwarding instruction; based on the meta-information of the packet information, flow information of the virtual switch is obtained through statistics by the aggregation module. The present application forwards the meta-information of the matched packet information to the aggregation module for statistics based on the matching field of the forwarding rule, avoiding unnecessary packet information statistics; and only forwards the meta-information of the packet information to the aggregation module , the metadata data amount is small, which reduces the overhead of data forwarding.

Figure 201910999665

Description

虚拟网络的流信息采集方法及装置Flow information collection method and device for virtual network

技术领域technical field

本申请实施例涉及计算机技术领域,具体涉及一种虚拟网络的流信息采集方法及装置。The embodiments of the present application relate to the field of computer technologies, and in particular, to a method and device for collecting flow information of a virtual network.

背景技术Background technique

随着云业务的迅猛增长,云计算平台上承载了越来越多的业务。伴随着业务的复杂化,云平台的流量也呈现出爆发式的增长。流量的增长不只考验着云网络的承载能力,同时也对云网络的流量监控提出了更大的挑战。With the rapid growth of cloud services, more and more services are carried on cloud computing platforms. With the complexity of business, the traffic of cloud platform also shows explosive growth. The growth of traffic not only tests the carrying capacity of the cloud network, but also poses greater challenges to the traffic monitoring of the cloud network.

目前,在虚拟网络中,流量的统计组件实现在ovs-vswitchd上,ovs-vswitchd守护进程是OVS(Open vSwitch,开放虚拟交换标准)的核心部件,它和数据通道内核模块一起实现OVS基于流的数据交换。对于需要进行流量采集的每个数据包,OVS都需要把报文从数据通道中通过一定方式复制到ovs-vswitchd,再由ovs-vswitchd进行报文分类及统计。在统计大流量的过程中,数据包的复制以及将数据包从数据通道传输到ovs-vswitchd的过程会造成较大的开销,进行流量采集很可能会影响数据包的正常转发。At present, in the virtual network, the traffic statistics component is implemented on ovs-vswitchd. The ovs-vswitchd daemon is the core component of OVS (Open vSwitch, Open Virtual Switching Standard). data exchange. For each data packet that needs to be collected, OVS needs to copy the packet from the data channel to ovs-vswitchd in a certain way, and then ovs-vswitchd performs packet classification and statistics. In the process of counting large traffic, the duplication of data packets and the process of transmitting data packets from the data channel to ovs-vswitchd will cause a lot of overhead, and traffic collection is likely to affect the normal forwarding of data packets.

发明内容SUMMARY OF THE INVENTION

本申请实施例提出了一种虚拟网络的流信息采集方法及装置。The embodiments of the present application provide a method and device for collecting flow information of a virtual network.

第一方面,本申请实施例提供了一种虚拟网络的流信息采集方法,其中,上述方法包括:获取虚拟网络中的报文信息;响应于确定报文信息与预设转发规则的匹配域相匹配,通过预设转发规则中的动作域中的转发指令,将报文信息的元信息转发至转发指令指定的聚合模块,匹配域用于识别转发规则对应的报文信息,动作域用于表征对匹配后的报文信息执行的指令信息;基于报文信息的元信息,通过聚合模块统计得到虚拟交换机的流信息。In a first aspect, an embodiment of the present application provides a method for collecting flow information of a virtual network, wherein the method includes: acquiring packet information in the virtual network; in response to determining that the packet information matches a matching field of a preset forwarding rule Matching, through the forwarding instruction in the action field in the preset forwarding rule, forwards the meta-information of the packet information to the aggregation module specified by the forwarding instruction. The matching field is used to identify the message information corresponding to the forwarding rule, and the action field is used to represent the The instruction information executed on the matched packet information; based on the meta information of the packet information, the flow information of the virtual switch is obtained through the aggregation module statistics.

在一些实施例中,报文信息的元信息包括:局域网地址、转发端口,转发端口为虚拟网络中虚拟交换机与虚拟机进行数据传输的转发端口;上述基于报文信息的元信息,通过聚合模块统计得到虚拟交换机的流信息,包括:根据报文信息的局域网地址、转发端口,通过聚合模块识别报文信息对应的虚拟私有网络属性信息;基于虚拟私有网络属性信息,通过聚合模块统计得到基于报文信息对应的虚拟私有网络的流信息。In some embodiments, the meta-information of the message information includes: a local area network address and a forwarding port, where the forwarding port is a forwarding port for data transmission between a virtual switch and a virtual machine in the virtual network; the above-mentioned meta-information based on the message information, through the aggregation module The flow information of the virtual switch is obtained by statistics, including: identifying the virtual private network attribute information corresponding to the packet information through the aggregation module according to the local area network address and forwarding port of the packet information; The flow information of the virtual private network corresponding to the text information.

在一些实施例中,上述响应于确定报文信息与预设转发规则的匹配域相匹配,通过预设转发规则中的动作域中的转发指令,将报文信息的元信息转发至转发指令指定的聚合模块,包括:响应于确定报文信息与预设转发规则的匹配域相匹配,为报文信息添加访问标识,访问标识用于表征虚拟网络的安全访问规则是否接受报文信息对应的终端的访问请求;通过预设转发规则中的动作域中的转发指令,将添加访问标识的报文信息的元信息转发至转发指令指定的聚合模块,元信息包括访问标识。In some embodiments, in response to determining that the packet information matches the matching field of the preset forwarding rule, the meta-information of the packet information is forwarded to the specified forwarding instruction through the forwarding instruction in the action field of the preset forwarding rule. The aggregation module includes: in response to determining that the message information matches the matching domain of the preset forwarding rule, adding an access identifier to the message information, and the access identifier is used to characterize whether the security access rule of the virtual network accepts the terminal corresponding to the message information The access request is forwarded to the aggregation module specified by the forwarding instruction through the forwarding instruction in the action field in the preset forwarding rule, and the meta-information of the message information with the access identifier is forwarded to the aggregation module specified by the forwarding instruction, and the meta-information includes the access identifier.

在一些实施例中,上述基于报文信息的元信息,通过聚合模块统计得到虚拟交换机的流信息,包括:基于报文信息的访问标识,通过聚合模块统计得到区分是否被安全访问规则接受的流信息。In some embodiments, the above-mentioned meta-information based on the packet information, the flow information of the virtual switch is obtained by the aggregation module, including: based on the access identifier of the packet information, the aggregation module is used to collect statistics to distinguish whether the flow is accepted by the security access rule. information.

在一些实施例中,上述响应于确定报文信息与预设转发规则的匹配域相匹配,通过预设转发规则中的动作域中的转发指令,将报文信息的元信息转发至转发指令指定的聚合模块,包括:响应于确定报文信息与预设转发规则的匹配域相匹配,将报文信息的元信息存入缓存;响应于到达预设导出时刻,通过预设转发规则中的动作域中的转发指令,将缓存中的报文信息的元信息转发至转发指令指定的聚合模块。In some embodiments, in response to determining that the packet information matches the matching field of the preset forwarding rule, the meta-information of the packet information is forwarded to the specified forwarding instruction through the forwarding instruction in the action field of the preset forwarding rule. The aggregation module includes: in response to determining that the message information matches the matching domain of the preset forwarding rule, storing the meta-information of the message information in the cache; in response to reaching the preset export time, through the action in the preset forwarding rule The forwarding instruction in the domain forwards the meta-information of the packet information in the cache to the aggregation module specified by the forwarding instruction.

第二方面,本申请实施例提供了一种虚拟网络的流信息采集装置,其中,上述装置包括:获取单元,被配置成获取虚拟网络中的报文信息;转发单元,被配置成响应于确定报文信息与预设转发规则的匹配域相匹配,通过预设转发规则中的动作域中的转发指令,将报文信息的元信息转发至转发指令指定的聚合模块,匹配域用于识别转发规则对应的报文信息,动作域用于表征对匹配后的报文信息执行的指令信息;统计单元,被配置成基于报文信息的元信息,通过聚合模块统计得到虚拟交换机的流信息。In a second aspect, an embodiment of the present application provides an apparatus for collecting flow information of a virtual network, wherein the apparatus includes: an obtaining unit configured to obtain packet information in the virtual network; a forwarding unit configured to respond to determining The packet information matches the matching field of the preset forwarding rule, and the meta-information of the packet information is forwarded to the aggregation module specified by the forwarding instruction through the forwarding instruction in the action field in the preset forwarding rule, and the matching field is used to identify the forwarding The packet information corresponding to the rule, the action field is used to represent the instruction information executed on the matched packet information; the statistics unit is configured to obtain the flow information of the virtual switch through the aggregation module based on the meta information of the packet information.

在一些实施例中,上述报文信息的元信息包括:局域网地址、转发端口,转发端口为虚拟网络中虚拟交换机与虚拟机进行数据传输的转发端口;统计单元,进一步被配置成根据报文信息的局域网地址、转发端口,通过聚合模块识别报文信息对应的虚拟私有网络属性信息;基于虚拟私有网络属性信息,通过聚合模块统计得到基于报文信息对应的虚拟私有网络的流信息。In some embodiments, the meta-information of the above-mentioned message information includes: a local area network address and a forwarding port, where the forwarding port is a forwarding port for data transmission between a virtual switch and a virtual machine in the virtual network; the statistics unit is further configured according to the message information According to the local area network address and forwarding port, the aggregation module identifies the virtual private network attribute information corresponding to the packet information; based on the virtual private network attribute information, the aggregation module obtains the flow information of the virtual private network corresponding to the packet information through statistics.

在一些实施例中,转发单元,进一步被配置成响应于确定报文信息与预设转发规则的匹配域相匹配,为报文信息添加访问标识,访问标识用于表征虚拟网络的安全访问规则是否接受报文信息对应的终端的访问请求;通过预设转发规则中的动作域中的转发指令,将添加访问标识的报文信息的元信息转发至转发指令指定的聚合模块,元信息包括访问标识。In some embodiments, the forwarding unit is further configured to, in response to determining that the packet information matches a matching field of a preset forwarding rule, add an access identifier to the packet information, where the access identifier is used to characterize whether the security access rule of the virtual network is Accept the access request of the terminal corresponding to the message information; forward the meta information of the message information with the access identifier added to the aggregation module specified by the forwarding instruction through the forwarding instruction in the action field in the preset forwarding rule, and the meta information includes the access identifier .

在一些实施例中,统计单元,进一步被配置成基于报文信息的访问标识,通过聚合模块统计得到区分是否被安全访问规则接受的流信息。In some embodiments, the statistics unit is further configured to obtain, through the aggregation module, flow information that distinguishes whether the flow information is accepted by the security access rule or not based on the access identifier of the packet information.

在一些实施例中,转发单元,进一步被配置成响应于确定报文信息与预设转发规则的匹配域相匹配,将报文信息的元信息存入缓存;响应于到达预设导出时刻,通过预设转发规则中的动作域中的转发指令,将缓存中的报文信息的元信息转发至转发指令指定的聚合模块。In some embodiments, the forwarding unit is further configured to, in response to determining that the packet information matches the matching field of the preset forwarding rule, store the meta information of the packet information in the cache; in response to reaching the preset export time, pass The forwarding instruction in the action field in the forwarding rule is preset, and the meta-information of the packet information in the cache is forwarded to the aggregation module specified by the forwarding instruction.

第三方面,本申请实施例提供了一种计算机可读介质,其上存储有计算机程序,其中,程序被处理器执行时实现如第一方面任一实现方式描述的方法。In a third aspect, an embodiment of the present application provides a computer-readable medium on which a computer program is stored, wherein the method described in any implementation manner of the first aspect is implemented when the program is executed by a processor.

第四方面,本申请实施例提供了一种电子设备,包括:一个或多个处理器;存储装置,其上存储有一个或多个程序,当一个或多个程序被一个或多个处理器执行,使得一个或多个处理器实现如第一方面任一实现方式描述的方法。In a fourth aspect, an embodiment of the present application provides an electronic device, including: one or more processors; a storage device, on which one or more programs are stored, when the one or more programs are processed by the one or more processors Execution causes one or more processors to implement a method as described in any implementation form of the first aspect.

本申请实施例提供的虚拟网络的流信息采集方法和装置,首先,获取虚拟网络中的报文信息;然后,响应于确定所述报文信息与预设转发规则的匹配域相匹配,通过所述预设转发规则中的动作域中的转发指令,将所述报文信息的元信息转发至所述转发指令指定的聚合模块;然后,基于所述报文信息的元信息,通过所述聚合模块统计得到虚拟交换机的流信息。本申请基于转发规则的匹配域将匹配后的报文信息的元信息转发至聚合模块进行统计,避免了对不必要的报文信息进行统计;此外,由于仅将报文信息的元信息转发至聚合模块,而元信息数据量小,减小了数据转发时的开销。In the method and device for collecting flow information of a virtual network provided by the embodiments of the present application, first, the packet information in the virtual network is acquired; then, in response to determining that the packet information matches the matching field of the preset forwarding rule, the The forwarding instruction in the action field in the preset forwarding rule, forwards the meta-information of the packet information to the aggregation module specified by the forwarding instruction; then, based on the meta-information of the packet information, through the aggregation The module obtains the flow information of the virtual switch through statistics. The present application forwards the meta-information of the matched packet information to the aggregation module for statistics based on the matching field of the forwarding rule, avoiding unnecessary packet information statistics; in addition, because only the meta-information of the packet information is forwarded to The aggregation module has a small amount of metadata data, which reduces the overhead of data forwarding.

附图说明Description of drawings

通过阅读参照以下附图所作的对非限制性实施例所作的详细描述,本申请的其它特征、目的和优点将会变得更明显:Other features, objects and advantages of the present application will become more apparent by reading the detailed description of non-limiting embodiments made with reference to the following drawings:

图1是本申请的一个实施例可以应用于其中的示例性系统架构图;FIG. 1 is an exemplary system architecture diagram to which an embodiment of the present application may be applied;

图2是根据本申请的虚拟网络的流信息采集方法的一个实施例的流程图;2 is a flowchart of an embodiment of a method for collecting flow information of a virtual network according to the present application;

图3是根据本实施例的虚拟网络的流信息采集方法的应用场景的示意图;3 is a schematic diagram of an application scenario of the method for collecting flow information of a virtual network according to the present embodiment;

图4是根据本申请的虚拟网络的流信息采集方法的又一个实施例的流程图;FIG. 4 is a flowchart of another embodiment of a method for collecting flow information of a virtual network according to the present application;

图5是根据本申请的虚拟网络的流信息采集装置的一个实施例的结构图;5 is a structural diagram of an embodiment of a device for collecting flow information of a virtual network according to the present application;

图6是适于用来实现本申请实施例的计算机系统的结构示意图。FIG. 6 is a schematic structural diagram of a computer system suitable for implementing the embodiments of the present application.

具体实施方式Detailed ways

下面结合附图和实施例对本申请作进一步的详细说明。可以理解的是,此处所描述的具体实施例仅仅用于解释相关发明,而非对该发明的限定。另外还需要说明的是,为了便于描述,附图中仅示出了与有关发明相关的部分。The present application will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the related invention, but not to limit the invention. In addition, it should be noted that, for the convenience of description, only the parts related to the related invention are shown in the drawings.

需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互组合。下面将参考附图并结合实施例来详细说明本申请。It should be noted that the embodiments in the present application and the features of the embodiments may be combined with each other in the case of no conflict. The present application will be described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.

图1示出了可以应用本申请的虚拟网络的流信息采集方法及装置的示例性架构100。FIG. 1 shows an exemplary architecture 100 to which the method and apparatus for collecting flow information of a virtual network of the present application can be applied.

如图1所示,系统架构100可以包括终端设备101、102、103,网络104和服务器105。网络104用以在终端设备101、102、103和服务器105之间提供通信链路的介质。网络104可以包括各种连接类型,例如有线、无线通信链路或者光纤电缆等等。As shown in FIG. 1 , the system architecture 100 may include terminal devices 101 , 102 , and 103 , a network 104 and a server 105 . The network 104 is a medium used to provide a communication link between the terminal devices 101 , 102 , 103 and the server 105 . The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.

终端设备101、102、103可以是支持网络连接从而进行数据交互和数据处理的硬件设备或软件。当终端设备101、102、103为硬件时,其可以是信息交互、网络连接等功能的各种电子设备,包括但不限于智能手机、平板电脑、电子书阅读器、膝上型便携计算机和台式计算机等等。当终端设备101、102、103为软件时,可以安装在上述所列举的电子设备中。其可以实现成例如用来提供分布式服务的多个软件或软件模块,也可以实现成单个软件或软件模块。在此不做具体限定。The terminal devices 101, 102, and 103 may be hardware devices or software that support network connection for data interaction and data processing. When the terminal devices 101, 102, and 103 are hardware, they can be various electronic devices with functions such as information interaction, network connection, etc., including but not limited to smart phones, tablet computers, e-book readers, laptop computers and desktops computer, etc. When the terminal devices 101, 102, and 103 are software, they can be installed in the electronic devices listed above. It can be implemented, for example, as multiple software or software modules for providing distributed services, or as a single software or software module. There is no specific limitation here.

服务器105可以是提供各种服务的服务器,例如对终端设备101、102、103提供虚拟网络连接、数据处理等功能的服务器。服务器可以对接收到的各种数据进行存储或处理,并将处理结果反馈给终端设备。The server 105 may be a server that provides various services, for example, a server that provides functions such as virtual network connection and data processing to the terminal devices 101 , 102 , and 103 . The server can store or process the various data received, and feed back the processing results to the terminal device.

需要说明的是,本公开的实施例所提供的虚拟网络的流信息采集方法可以由服务器105执行;相应地,虚拟网络的流信息采集装置可以设置于服务器105中。在此不做具体限定。It should be noted that the method for collecting flow information of the virtual network provided by the embodiments of the present disclosure may be executed by the server 105 ; correspondingly, the apparatus for collecting flow information of the virtual network may be set in the server 105 . There is no specific limitation here.

需要说明的是,服务器可以是硬件,也可以是软件。当服务器为硬件时,可以实现成多个服务器组成的分布式服务器集群,也可以实现成单个服务器。当服务器为软件时,可以实现成例如用来提供分布式服务的多个软件或软件模块,也可以实现成单个软件或软件模块。在此不做具体限定。It should be noted that the server may be hardware or software. When the server is hardware, it can be implemented as a distributed server cluster composed of multiple servers, or can be implemented as a single server. When the server is software, it may be implemented as multiple software or software modules for providing distributed services, or may be implemented as a single software or software module. There is no specific limitation here.

应该理解,图1中的终端设备和服务器的数目仅仅是示意性的。根据实现需要,可以具有任意数目的终端设备和服务器。It should be understood that the numbers of terminal devices and servers in FIG. 1 are only illustrative. There can be any number of terminal devices and servers according to implementation needs.

继续参考图2,示出了根据本申请的虚拟网络的流信息采集方法的一个实施例的流程200,包括以下步骤:Continuing to refer to FIG. 2 , a flow 200 of an embodiment of the method for collecting flow information of a virtual network according to the present application is shown, including the following steps:

步骤201,获取虚拟网络中的报文信息。Step 201: Obtain packet information in the virtual network.

本实施例中,虚拟网络是一种至少部分是虚拟网络链接的计算机网络。虚拟网络链接是在两个计算设备间不包含物理连接,而是通过网络虚拟化来实现。在虚拟网络中,VMs(Virtual Machine Server,虚拟服务器)能够连接在虚拟交换机上,借助虚拟交换机,可以为服务器上运行的VMs或容器提供逻辑的虚拟的以太网接口,以实现网络数据的分流和转发。In this embodiment, the virtual network is a computer network that is at least partly virtual network links. A virtual network link does not contain a physical connection between two computing devices, but is implemented through network virtualization. In a virtual network, VMs (Virtual Machine Server, virtual server) can be connected to a virtual switch. With the help of the virtual switch, a logical virtual Ethernet interface can be provided for the VMs or containers running on the server to realize the distribution of network data and Forward.

本实施例中,报文信息是虚拟网络中交换与传输的数据单元,包含了源IP(Internet Protocol,互联网协议地址)地址、源端口、目的IP地址、目的端口、传输层协议、时间、报文数据等完整的数据信息。在虚拟网络中,报文信息通过虚拟交换机进行分流和转发。In this embodiment, the packet information is a data unit exchanged and transmitted in a virtual network, including a source IP (Internet Protocol, Internet Protocol address) address, source port, destination IP address, destination port, transport layer protocol, time, message Complete data information such as text data. In a virtual network, packet information is distributed and forwarded through virtual switches.

执行主体(例如图1中的服务器)中设置有虚拟交换机,可以获取虚拟网络中的报文信息。A virtual switch is set in the execution body (for example, the server in FIG. 1 ), and the message information in the virtual network can be obtained.

步骤202,响应于确定报文信息与预设转发规则的匹配域相匹配,通过预设转发规则中的动作域中的转发指令,将报文信息的元信息转发至转发指令指定的聚合模块。Step 202, in response to determining that the packet information matches the matching field of the preset forwarding rule, forward the meta information of the packet information to the aggregation module specified by the forwarding instruction through the forwarding instruction in the action field of the preset forwarding rule.

本实施例中,预设匹配规则至少由匹配域、动作域组成。匹配域用于识别转发规则对应的报文信息,动作域用于表征对匹配后的报文信息执行的指令信息。In this embodiment, the preset matching rule is composed of at least a matching domain and an action domain. The matching field is used to identify the packet information corresponding to the forwarding rule, and the action field is used to represent the instruction information executed on the matched packet information.

匹配域包括但不限于如下字段:虚拟局域网ID(Identity document,身份标识号)、虚拟局域网优先级、源IP地址、目的IP地址、IP协议、源端口、目的端口、传输层协议。动作域包括但不限于如下指令:用于转发报文信息的元信息的指令,满足条件时丢弃是丢弃报文信息的指令,将报文指定队列ID,用于实施QOS(Quality of Service,服务质量)的指令。The matching field includes but is not limited to the following fields: virtual local area network ID (Identity document, identification number), virtual local area network priority, source IP address, destination IP address, IP protocol, source port, destination port, and transport layer protocol. The action field includes but is not limited to the following instructions: an instruction for forwarding the meta-information of the message information, discarding is an instruction for discarding the message information when the conditions are met, and specifying a queue ID for the message to implement QOS (Quality of Service, service). quality) instructions.

例如,预设转发规则的格式可以为“源IP=11:11:11:11/24,目的IP=10.10.10.0/24,action=统计流信息,从端口10转发出去”。该预设转发规则用于表征将源IP为11:11:11:11/24,目的IP为10.10.10.0/24的报文信息的元信息从端口10转发至聚合模块进行流信息统计。For example, the format of the preset forwarding rule may be "source IP=11:11:11:11/24, destination IP=10.10.10.0/24, action=statistical flow information, forwarding from port 10". The preset forwarding rule is used to represent that the meta information of the packet information whose source IP is 11:11:11:11/24 and whose destination IP is 10.10.10.0/24 is forwarded from port 10 to the aggregation module for flow information statistics.

本实施例中,执行主体通过预设匹配规则的匹配域识别符合匹配域的报文信息,并将匹配的报文信息的元信息通过预设转发规则的动作域中的转发指令转发至聚合模块。In this embodiment, the execution body identifies the packet information that matches the matching domain through the matching domain of the preset matching rule, and forwards the meta-information of the matching packet information to the aggregation module through the forwarding instruction in the action domain of the preset forwarding rule .

在一些可选的实现方式中,执行主体根据预设导出时刻转发报文信息的元信息,以集中转发报文信息的元信息,减少实时转发报文信息的元信息而造成的运行开销时间。具体的,执行主体响应于确定报文信息与预设转发规则的匹配域相匹配,将报文信息的元信息存入缓存;响应于到达预设导出时刻,通过预设转发规则中的动作域中的转发指令,将缓存中的报文信息的元信息转发至转发指令指定的聚合模块。In some optional implementation manners, the execution body forwards the meta information of the packet information according to the preset export time, so as to centrally forward the meta information of the packet information and reduce the running overhead time caused by real-time forwarding of the meta information of the packet information. Specifically, in response to determining that the message information matches the matching field of the preset forwarding rule, the execution body stores the meta-information of the message information in the cache; in response to reaching the preset export time, the action field in the preset forwarding rule is used. The forwarding instruction in the cache forwards the meta-information of the packet information in the cache to the aggregation module specified by the forwarding instruction.

在一些可选的实现方式中,预设转发规则可以通过OpenFlow协议实现。In some optional implementation manners, the preset forwarding rule may be implemented through the OpenFlow protocol.

本实施例中,报文信息的元信息通过提取报文信息中的特征信息而得到,包括源IP地址、源端口、目的IP地址、目的端口、传输层协议。In this embodiment, the meta information of the packet information is obtained by extracting the feature information in the packet information, including source IP address, source port, destination IP address, destination port, and transport layer protocol.

步骤203,基于报文信息的元信息,通过聚合模块统计得到虚拟交换机的流信息。Step 203 , based on the meta information of the packet information, obtain flow information of the virtual switch through statistics by the aggregation module.

本实施例中,聚合模块可以根据报文信息的全部或部分的元信息统计得到相应的流信息。例如,聚合模块可以对元信息为“源IP地址为A、源端口为B、目的IP地址为A'、目的端口B'、传输层协议为C”的报文信息统计,得到与上述元信息对应的流信息。流信息中包括但不限于报文数量、字节数量、流信息的开始时间和结束时间。In this embodiment, the aggregation module may obtain the corresponding flow information according to the statistics of all or part of the meta information of the packet information. For example, the aggregation module can collect statistics on packet information whose meta information is "source IP address A, source port B, destination IP address A', destination port B', and transport layer protocol C", and obtain the same meta information corresponding flow information. The flow information includes but is not limited to the number of packets, the number of bytes, and the start time and end time of the flow information.

在一些可选的实现方式中,报文信息的元信息还包括:局域网地址、转发端口,转发端口为虚拟网络中虚拟交换机与虚拟机进行数据传输的转发端口。执行主体根据报文信息的元信息可以得到区分虚拟私有网络的流信息。具体的,执行主体根据报文信息的局域网地址、转发端口,通过聚合模块识别报文信息对应的虚拟私有网络属性信息;基于虚拟私有网络属性信息,通过聚合模块统计得到基于报文信息对应的虚拟私有网络的流信息。In some optional implementation manners, the meta information of the packet information further includes: a local area network address and a forwarding port, where the forwarding port is a forwarding port for data transmission between the virtual switch and the virtual machine in the virtual network. The execution subject can obtain the flow information for distinguishing the virtual private network according to the meta information of the packet information. Specifically, the execution body identifies the virtual private network attribute information corresponding to the packet information through the aggregation module according to the local area network address and forwarding port of the packet information; Flow information for private networks.

本实施例中,执行主体基于转发规则的匹配域将匹配后的报文信息的元信息转发至聚合模块进行统计,避免了对不必要的报文信息进行统计;而且只将报文信息的元信息转发至聚合模块,元信息数据量小,减小了数据转发时的开销。In this embodiment, the execution subject forwards the meta information of the matched packet information to the aggregation module for statistics based on the matching field of the forwarding rule, so as to avoid unnecessary packet information statistics; and only the meta information of the packet information is The information is forwarded to the aggregation module, and the amount of metadata data is small, which reduces the overhead of data forwarding.

图3示意性地示出了根据本实施例的虚拟网络的流信息采集方法的一个应用场景。服务器301中设置有虚拟服务器和虚拟交换机,虚拟服务器通过虚拟交换机转发和分流网络数据信息,为众多的公司提供虚拟网络服务,包括公司302、公司303、公司304。服务器在提供虚拟网络服务过程中,获取关于众多公司的报文信息,服务器通过预设匹配规则的匹配域匹配得到公司302、公司303的报文信息,通过预设转发规则中的动作域中的转发指令,将报文信息的元信息转发至转发指令指定的聚合模块,通过聚合模块统计得到公司302、公司303的流信息。FIG. 3 schematically shows an application scenario of the method for collecting flow information of a virtual network according to this embodiment. The server 301 is provided with a virtual server and a virtual switch. The virtual server forwards and distributes network data information through the virtual switch to provide virtual network services for numerous companies, including the company 302 , the company 303 , and the company 304 . In the process of providing the virtual network service, the server obtains the message information about many companies, and the server obtains the message information of the company 302 and the company 303 by matching the matching fields of the preset matching rules. The forwarding instruction forwards the meta-information of the packet information to the aggregation module specified by the forwarding instruction, and obtains the flow information of the company 302 and the company 303 through the aggregation module statistics.

继续参考图4,示出了根据本申请的虚拟网络的流信息采集方法的另一个实施例的示意性流程400,包括以下步骤:Continuing to refer to FIG. 4 , a schematic flow 400 of another embodiment of the method for collecting flow information of a virtual network according to the present application is shown, including the following steps:

步骤401,获取虚拟网络中的报文信息。Step 401: Obtain packet information in the virtual network.

本实施例中,步骤401按照与步骤201类似的方式执行,在此不再赘述。In this embodiment, step 401 is performed in a manner similar to step 201, and details are not described herein again.

步骤402,响应于确定报文信息与预设转发规则的匹配域相匹配,为报文信息添加访问标识。Step 402, in response to determining that the packet information matches the matching field of the preset forwarding rule, add an access identifier to the packet information.

本实施例中,访问标识用于表征虚拟网络的安全访问规则是否接受报文信息对应的终端的访问请求。In this embodiment, the access identifier is used to represent whether the security access rule of the virtual network accepts the access request of the terminal corresponding to the message information.

执行主体中的虚拟交换机在对报文信息进行分流的过程中,会识别报文信息是否被安全访问规则准入,并基于被安全访问规则的识别结果为报文信息添加对应的特征信息;通过识别报文信息中是否被虚拟网络的安全访问规则接受的特征信息,执行主体为报文信息添加访问标识。During the process of distributing the packet information, the virtual switch in the execution body will identify whether the packet information is admitted by the security access rule, and add corresponding feature information to the packet information based on the identification result of the security access rule; The feature information that identifies whether the message information is accepted by the security access rules of the virtual network, and the execution subject adds an access identifier to the message information.

步骤403,通过预设转发规则中的动作域中的转发指令,将添加访问标识的报文信息的元信息转发至转发指令指定的聚合模块。Step 403: Forward the meta information of the message information to which the access identifier is added to the aggregation module specified by the forwarding instruction through the forwarding instruction in the action field in the preset forwarding rule.

本实施例中,执行主体对于报文信息的元信息的转发动作按照与步骤202中的转发动作类似的方式执行,其不同之处在于,本实施例中的报文信息的元信息包括访问标识。In this embodiment, the forwarding action of the execution subject with respect to the meta information of the message information is performed in a manner similar to the forwarding action in step 202, the difference is that the meta information of the message information in this embodiment includes an access identifier .

步骤404,基于报文信息的元信息,通过聚合模块统计得到虚拟交换机的流信息。Step 404 , based on the meta information of the packet information, obtain flow information of the virtual switch through statistics by the aggregation module.

本实施例中,执行主体可以通过聚合模块,根据报文信息的元信息统计得到对应的的流信息。在一些可选的实现方式中,报文信息的元信息包括访问标识,执行主体根据报文信息的访问标识,可以统计得到区分是否被安全访问规则接受的流信息。In this embodiment, the execution subject may obtain the corresponding flow information through the aggregation module according to the meta-information statistics of the packet information. In some optional implementation manners, the meta-information of the packet information includes an access identifier, and the execution subject can obtain statistical flow information that distinguishes whether it is accepted by the security access rule according to the access identifier of the packet information.

在一些可选的实现方式中,执行主体可以根据报文信息的部分的元信息统计得到流信息,在该流信息的基础上,基于其他的元信息进行再次统计。例如,执行主体根据报文信息的元信息源IP地址、源端口、目的IP地址、目的端口、传输层协议统计得到流信息X,在流信息X的基础上,根据访问标识对流信息X进行再次统计,区分流信息X中是否被安全访问规则接受的流信息。In some optional implementation manners, the execution body may obtain flow information according to the meta-information statistics of part of the packet information, and on the basis of the flow information, perform statistics again based on other meta-information. For example, the execution body obtains the flow information X according to the source IP address, source port, destination IP address, destination port, and transport layer protocol of the meta information of the packet information. Statistics, to distinguish whether the flow information in the flow information X is accepted by the security access rule.

从图4中可以看出,与图2对应的实施例相比,本实施例中的虚拟网络的流信息采集方法的流程400具体说明了报文信息的元信息还可以包括访问标识,访问标识可以用于区分流信息是否被安全访问规则接受。As can be seen from FIG. 4 , compared with the embodiment corresponding to FIG. 2 , the process 400 of the method for collecting flow information of a virtual network in this embodiment specifically illustrates that the meta-information of the packet information may further include an access identifier, and the access identifier Can be used to distinguish whether flow information is accepted by security access rules.

继续参考图5,作为对上述各图所示方法的实现,本公开提供了一种虚拟网络的流信息采集装置的一个实施例,该装置实施例与图2所示的方法实施例相对应,该装置具体可以应用于各种电子设备中。Continuing to refer to FIG. 5 , as an implementation of the methods shown in the above figures, the present disclosure provides an embodiment of an apparatus for collecting flow information of a virtual network, and the apparatus embodiment corresponds to the method embodiment shown in FIG. 2 , Specifically, the device can be applied to various electronic devices.

如图5所示,流信息采集装置包括:获取单元501、转发单元502和统计单元503。As shown in FIG. 5 , the flow information collection apparatus includes: an acquisition unit 501 , a forwarding unit 502 and a statistics unit 503 .

获取单元501,被配置成获取虚拟网络中的报文信息;转发单元502,被配置成响应于确定报文信息与预设转发规则的匹配域相匹配,通过预设转发规则中的动作域中的转发指令,将报文信息的元信息转发至转发指令指定的聚合模块,匹配域用于识别转发规则对应的报文信息,动作域用于表征对匹配后的报文信息执行的指令信息;统计单元503,被配置成基于报文信息的元信息,通过聚合模块统计得到虚拟交换机的流信息。The obtaining unit 501 is configured to obtain the message information in the virtual network; the forwarding unit 502 is configured to, in response to determining that the message information matches the matching field of the preset forwarding rule, pass the information in the action field in the preset forwarding rule. The forwarding instruction forwards the meta-information of the message information to the aggregation module specified by the forwarding instruction, the matching field is used to identify the message information corresponding to the forwarding rule, and the action field is used to represent the instruction information executed on the matched message information; The statistics unit 503 is configured to obtain the flow information of the virtual switch by collecting statistics through the aggregation module based on the meta information of the packet information.

在一些实施例中,上述报文信息的元信息包括:局域网地址、转发端口,转发端口为虚拟网络中虚拟交换机与虚拟机进行数据传输的转发端口;统计单元503,进一步被配置成根据报文信息的局域网地址、转发端口,通过聚合模块识别报文信息对应的虚拟私有网络属性信息;基于虚拟私有网络属性信息,通过聚合模块统计得到基于报文信息对应的虚拟私有网络的流信息。In some embodiments, the meta-information of the above-mentioned message information includes: a local area network address and a forwarding port, where the forwarding port is a forwarding port for data transmission between a virtual switch and a virtual machine in the virtual network; the statistics unit 503 is further configured to The local area network address and forwarding port of the information, and the virtual private network attribute information corresponding to the packet information is identified through the aggregation module; based on the virtual private network attribute information, the aggregation module obtains the flow information of the virtual private network corresponding to the packet information through statistics.

在一些实施例中,转发单元502,进一步被配置成响应于确定报文信息与预设转发规则的匹配域相匹配,为报文信息添加访问标识,访问标识用于表征虚拟网络的安全访问规则是否接受报文信息对应的终端的访问请求;通过预设转发规则中的动作域中的转发指令,将添加访问标识的报文信息的元信息转发至转发指令指定的聚合模块,元信息包括访问标识。In some embodiments, the forwarding unit 502 is further configured to, in response to determining that the packet information matches a matching field of a preset forwarding rule, add an access identifier to the packet information, where the access identifier is used to characterize the security access rule of the virtual network Whether to accept the access request of the terminal corresponding to the message information; forward the meta information of the message information with the access identifier added to the aggregation module specified by the forwarding instruction through the forwarding instruction in the action field in the preset forwarding rule, and the meta information includes the access logo.

在一些实施例中,统计单元503,进一步被配置成基于报文信息的访问标识,通过聚合模块统计得到区分是否被安全访问规则接受的流信息。In some embodiments, the statistics unit 503 is further configured to obtain, through the aggregation module, statistics based on the access identifier of the packet information to distinguish whether the flow information is accepted by the security access rule.

在一些实施例中,转发单元501,进一步被配置成响应于确定报文信息与预设转发规则的匹配域相匹配,将报文信息的元信息存入缓存;响应于到达预设导出时刻,通过预设转发规则中的动作域中的转发指令,将缓存中的报文信息的元信息转发至转发指令指定的聚合模块。In some embodiments, the forwarding unit 501 is further configured to, in response to determining that the packet information matches the matching field of the preset forwarding rule, store the meta information of the packet information in the cache; in response to reaching the preset export time, Through the forwarding instruction in the action field in the preset forwarding rule, the meta-information of the packet information in the cache is forwarded to the aggregation module specified by the forwarding instruction.

下面参考图6,其示出了适于用来实现本申请实施例的设备(例如图1所示的设备101、102、103、105)的计算机系统600的结构示意图。图6示出的设备仅仅是一个示例,不应对本申请实施例的功能和使用范围带来任何限制。Referring next to FIG. 6 , it shows a schematic structural diagram of a computer system 600 suitable for implementing the devices of the embodiments of the present application (eg, devices 101 , 102 , 103 , and 105 shown in FIG. 1 ). The device shown in FIG. 6 is only an example, and should not impose any limitations on the functions and scope of use of the embodiments of the present application.

如图6所示,计算机系统600包括处理器(例如CPU,中央处理器)601,其可以根据存储在只读存储器(ROM)602中的程序或者从存储部分608加载到随机访问存储器(RAM)603中的程序而执行各种适当的动作和处理。在RAM603中,还存储有系统600操作所需的各种程序和数据。处理器601、ROM602以及RAM603通过总线604彼此相连。输入/输出(I/O)接口605也连接至总线604。As shown in FIG. 6, a computer system 600 includes a processor (eg, CPU, central processing unit) 601 that can be loaded into a random access memory (RAM) according to a program stored in a read only memory (ROM) 602 or from a storage section 608 The program in 603 executes various appropriate actions and processes. In the RAM 603, various programs and data necessary for the operation of the system 600 are also stored. The processor 601 , the ROM 602 and the RAM 603 are connected to each other through a bus 604 . An input/output (I/O) interface 605 is also connected to bus 604 .

以下部件连接至I/O接口605:包括键盘、鼠标等的输入部分606;包括诸如阴极射线管(CRT)、液晶显示器(LCD)等以及扬声器等的输出部分607;包括硬盘等的存储部分608;以及包括诸如LAN卡、调制解调器等的网络接口卡的通信部分609。通信部分609经由诸如因特网的网络执行通信处理。驱动器610也根据需要连接至I/O接口605。可拆卸介质611,诸如磁盘、光盘、磁光盘、半导体存储器等等,根据需要安装在驱动器610上,以便于从其上读出的计算机程序根据需要被安装入存储部分608。The following components are connected to the I/O interface 605: an input section 606 including a keyboard, a mouse, etc.; an output section 607 including a cathode ray tube (CRT), a liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 608 including a hard disk, etc. ; and a communication section 609 including a network interface card such as a LAN card, a modem, and the like. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, etc., is mounted on the drive 610 as needed so that a computer program read therefrom is installed into the storage section 608 as needed.

特别地,根据本公开的实施例,上文参考流程图描述的过程可以被实现为计算机软件程序。例如,本公开的实施例包括一种计算机程序产品,其包括承载在计算机可读介质上的计算机程序,该计算机程序包含用于执行流程图所示的方法的程序代码。在这样的实施例中,该计算机程序可以通过通信部分609从网络上被下载和安装,和/或从可拆卸介质611被安装。在该计算机程序被处理器601执行时,执行本申请的方法中限定的上述功能。In particular, according to embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the method illustrated in the flowchart. In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 609 and/or installed from the removable medium 611 . When the computer program is executed by the processor 601, the above-mentioned functions defined in the method of the present application are performed.

需要说明的是,本申请的计算机可读介质可以是计算机可读信号介质或者计算机可读存储介质或者是上述两者的任意组合。计算机可读存储介质例如可以是——但不限于——电、磁、光、电磁、红外线、或半导体的系统、装置或器件,或者任意以上的组合。计算机可读存储介质的更具体的例子可以包括但不限于:具有一个或多个导线的电连接、便携式计算机磁盘、硬盘、随机访问存储器(RAM)、只读存储器(ROM)、可擦式可编程只读存储器(EPROM或闪存)、光纤、便携式紧凑磁盘只读存储器(CD-ROM)、光存储器件、磁存储器件、或者上述的任意合适的组合。在本申请中,计算机可读存储介质可以是任何包含或存储程序的有形介质,该程序可以被指令执行系统、装置或者器件使用或者与其结合使用。而在本申请中,计算机可读的信号介质可以包括在基带中或者作为载波一部分传播的数据信号,其中承载了计算机可读的程序代码。这种传播的数据信号可以采用多种形式,包括但不限于电磁信号、光信号或上述的任意合适的组合。计算机可读的信号介质还可以是计算机可读存储介质以外的任何计算机可读介质,该计算机可读介质可以发送、传播或者传输用于由指令执行系统、装置或者器件使用或者与其结合使用的程序。计算机可读介质上包含的程序代码可以用任何适当的介质传输,包括但不限于:无线、电线、光缆、RF等等,或者上述的任意合适的组合。It should be noted that the computer-readable medium of the present application may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the above two. The computer-readable storage medium can be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus or device, or a combination of any of the above. More specific examples of computer readable storage media may include, but are not limited to, electrical connections with one or more wires, portable computer disks, hard disks, random access memory (RAM), read only memory (ROM), erasable Programmable read only memory (EPROM or flash memory), fiber optics, portable compact disk read only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing. In this application, a computer-readable storage medium can be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In this application, however, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code therein. Such propagated data signals may take a variety of forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing. A computer-readable signal medium can also be any computer-readable medium other than a computer-readable storage medium that can transmit, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device . Program code embodied on a computer readable medium may be transmitted using any suitable medium including, but not limited to, wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.

可以以一种或多种程序设计语言或其组合来编写用于执行本申请的操作的计算机程序代码,程序设计语言包括面向目标的程序设计语言—诸如Java、Smalltalk、C++,还包括常规的过程式程序设计语言—诸如”C”语言或类似的程序设计语言。程序代码可以完全地在客户计算机上执行、部分地在客户计算机上执行、作为一个独立的软件包执行、部分在客户计算机上部分在远程计算机上执行、或者完全在远程计算机或服务器上执行。在涉及远程计算机的情形中,远程计算机可以通过任意种类的网络——包括局域网(LAN)或广域网(WAN)—连接到客户计算机,或者,可以连接到外部计算机(例如利用因特网服务提供商来通过因特网连接)。Computer program code for performing the operations of the present application may be written in one or more programming languages, including object-oriented programming languages—such as Java, Smalltalk, C++, and also conventional procedures, or a combination thereof programming language - such as "C" or a similar programming language. The program code may execute entirely on the client computer, partly on the client computer, as a stand-alone software package, partly on the client computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the client computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (eg, using an Internet service provider through Internet connection).

附图中的流程图和框图,图示了按照本申请各种实施例的装置、方法和计算机程序产品的可能实现的体系架构、功能和操作。在这点上,流程图或框图中的每个方框可以代表一个模块、程序段、或代码的一部分,该模块、程序段、或代码的一部分包含一个或多个用于实现规定的逻辑功能的可执行指令。也应当注意,在有些作为替换的实现中,方框中所标注的功能也可以以不同于附图中所标注的顺序发生。例如,两个接连地表示的方框实际上可以基本并行地执行,它们有时也可以按相反的顺序执行,这依所涉及的功能而定。也要注意的是,框图和/或流程图中的每个方框、以及框图和/或流程图中的方框的组合,可以用执行规定的功能或操作的专用的基于硬件的系统来实现,或者可以用专用硬件与计算机指令的组合来实现。The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code that contains one or more logical functions for implementing the specified functions executable instructions. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It is also noted that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented in dedicated hardware-based systems that perform the specified functions or operations , or can be implemented in a combination of dedicated hardware and computer instructions.

描述于本申请实施例中所涉及到的单元可以通过软件的方式实现,也可以通过硬件的方式来实现。所描述的单元也可以设置在处理器中,例如,可以描述为:一种处理器,包括获取单元、转发单元和统计单元。其中,这些单元的名称在某种情况下并不构成对该单元本身的限定,例如,获取单元还可以被描述为“获取虚拟网络中的报文信息”的单元。The units involved in the embodiments of the present application may be implemented in a software manner, and may also be implemented in a hardware manner. The described unit can also be set in the processor, for example, it can be described as: a processor, including an acquisition unit, a forwarding unit and a statistics unit. Wherein, the names of these units do not constitute a limitation on the unit itself under certain circumstances. For example, the acquisition unit may also be described as a unit for "acquiring packet information in a virtual network".

作为另一方面,本申请还提供了一种计算机可读介质,该计算机可读介质可以是上述实施例中描述的设备中所包含的;也可以是单独存在,而未装配入该设备中。上述计算机可读介质承载有一个或者多个程序,当上述一个或者多个程序被该装置执行时,使得该计算机设备:获取虚拟网络中的报文信息;响应于确定报文信息与预设转发规则的匹配域相匹配,通过预设转发规则中的动作域中的转发指令,将报文信息的元信息转发至转发指令指定的聚合模块,匹配域用于识别转发规则对应的报文信息,动作域用于表征对匹配后的报文信息执行的指令信息;基于报文信息的元信息,通过聚合模块统计得到虚拟交换机的流信息。As another aspect, the present application also provides a computer-readable medium. The computer-readable medium may be included in the device described in the above embodiments, or may exist alone without being assembled into the device. The above-mentioned computer-readable medium carries one or more programs, and when the above-mentioned one or more programs are executed by the apparatus, the computer equipment: acquires message information in the virtual network; in response to determining the message information and preset forwarding The matching fields of the rules match, and the meta-information of the packet information is forwarded to the aggregation module specified by the forwarding instructions through the forwarding instructions in the action fields in the preset forwarding rules. The matching fields are used to identify the packet information corresponding to the forwarding rules. The action field is used to represent the instruction information executed on the matched packet information; based on the meta-information of the packet information, the flow information of the virtual switch is obtained through statistics by the aggregation module.

以上描述仅为本申请的较佳实施例以及对所运用技术原理的说明。本领域技术人员应当理解,本申请中所涉及的发明范围,并不限于上述技术特征的特定组合而成的技术方案,同时也应涵盖在不脱离上述发明构思的情况下,由上述技术特征或其等同特征进行任意组合而形成的其它技术方案。例如上述特征与本申请中公开的(但不限于)具有类似功能的技术特征进行互相替换而形成的技术方案。The above description is only a preferred embodiment of the present application and an illustration of the applied technical principles. Those skilled in the art should understand that the scope of the invention involved in this application is not limited to the technical solution formed by the specific combination of the above technical features, and should also cover the above technical features or Other technical solutions formed by any combination of its equivalent features. For example, a technical solution is formed by replacing the above-mentioned features with the technical features disclosed in this application (but not limited to) with similar functions.

Claims (12)

1.一种虚拟网络的流信息采集方法,其中,所述方法包括:1. A method for collecting flow information of a virtual network, wherein the method comprises: 获取虚拟网络中的报文信息;Obtain the packet information in the virtual network; 响应于确定所述报文信息与预设转发规则的匹配域相匹配,通过所述预设转发规则中的动作域中的转发指令,将所述报文信息的元信息转发至所述转发指令指定的聚合模块,所述匹配域用于识别所述转发规则对应的报文信息,所述动作域用于表征对匹配后的报文信息执行的指令信息;In response to determining that the packet information matches the matching field of the preset forwarding rule, forwarding the meta-information of the packet information to the forwarding instruction through the forwarding instruction in the action field in the preset forwarding rule The specified aggregation module, the matching field is used to identify the message information corresponding to the forwarding rule, and the action field is used to represent the instruction information executed on the matched message information; 基于所述报文信息的元信息,通过所述聚合模块统计得到虚拟交换机的流信息。Based on the meta information of the packet information, the aggregation module obtains statistics on the flow information of the virtual switch. 2.根据权利要求1所述的方法,其中,所述报文信息的元信息包括:局域网地址、转发端口,所述转发端口为虚拟网络中虚拟交换机与虚拟机进行数据传输的转发端口;2. The method according to claim 1, wherein the meta-information of the message information comprises: a local area network address and a forwarding port, and the forwarding port is a forwarding port for data transmission between a virtual switch and a virtual machine in a virtual network; 所述基于所述报文信息的元信息,通过所述聚合模块统计得到虚拟交换机的流信息,包括:The flow information of the virtual switch is obtained through statistics by the aggregation module based on the meta information of the packet information, including: 根据所述报文信息的局域网地址、转发端口,通过所述聚合模块识别所述报文信息对应的虚拟私有网络属性信息;According to the local area network address and forwarding port of the packet information, identify the virtual private network attribute information corresponding to the packet information by the aggregation module; 基于所述虚拟私有网络属性信息,通过聚合模块统计得到基于所述报文信息对应的虚拟私有网络的流信息。Based on the attribute information of the virtual private network, the aggregation module obtains the flow information of the virtual private network corresponding to the packet information through statistics. 3.根据权利要求1所述的方法,其中,所述响应于确定所述报文信息与预设转发规则的匹配域相匹配,通过所述预设转发规则中的动作域中的转发指令,将所述报文信息的元信息转发至所述转发指令指定的聚合模块,包括:3. The method according to claim 1, wherein, in response to determining that the packet information matches a matching domain of a preset forwarding rule, through a forwarding instruction in an action domain in the preset forwarding rule, Forwarding the meta information of the packet information to the aggregation module specified by the forwarding instruction, including: 响应于确定所述报文信息与预设转发规则的匹配域相匹配,为所述报文信息添加访问标识,所述访问标识用于表征虚拟网络的安全访问规则是否接受所述报文信息对应的终端的访问请求;In response to determining that the packet information matches the matching field of the preset forwarding rule, an access identifier is added to the packet information, and the access identifier is used to represent whether the security access rule of the virtual network accepts the correspondence of the packet information. the access request of the terminal; 通过所述预设转发规则中的动作域中的转发指令,将添加所述访问标识的报文信息的元信息转发至所述转发指令指定的聚合模块,所述元信息包括所述访问标识。Through the forwarding instruction in the action field in the preset forwarding rule, the meta information of the packet information added with the access identifier is forwarded to the aggregation module specified by the forwarding instruction, where the meta information includes the access identifier. 4.根据权利要求3所述的方法,所述基于所述报文信息的元信息,通过所述聚合模块统计得到虚拟交换机的流信息,包括:4. The method according to claim 3, wherein the flow information of the virtual switch is obtained by statistics of the aggregation module based on the meta information of the packet information, comprising: 基于所述报文信息的访问标识,通过所述聚合模块统计得到区分是否被所述安全访问规则接受的流信息。Based on the access identifier of the packet information, the aggregation module collects statistics to determine whether the flow information is accepted by the security access rule. 5.根据权利要求1所述的方法,其中,所述响应于确定所述报文信息与预设转发规则的匹配域相匹配,通过所述预设转发规则中的动作域中的转发指令,将所述报文信息的元信息转发至所述转发指令指定的聚合模块,包括:5. The method according to claim 1, wherein, in response to determining that the packet information matches a matching field of a preset forwarding rule, through a forwarding instruction in an action field in the preset forwarding rule, Forwarding the meta information of the packet information to the aggregation module specified by the forwarding instruction, including: 响应于确定所述报文信息与预设转发规则的匹配域相匹配,将所述报文信息的元信息存入缓存;In response to determining that the message information matches the matching field of the preset forwarding rule, storing the meta-information of the message information in the cache; 响应于到达预设导出时刻,通过所述预设转发规则中的动作域中的转发指令,将所述缓存中的报文信息的元信息转发至所述转发指令指定的聚合模块。In response to reaching the preset export time, the meta-information of the packet information in the cache is forwarded to the aggregation module specified by the forwarding instruction through the forwarding instruction in the action field in the preset forwarding rule. 6.一种虚拟网络的流信息采集装置,其中,所述装置包括:6. A device for collecting flow information of a virtual network, wherein the device comprises: 获取单元,被配置成获取虚拟网络中的报文信息;an acquisition unit, configured to acquire message information in the virtual network; 转发单元,被配置成响应于确定所述报文信息与预设转发规则的匹配域相匹配,通过所述预设转发规则中的动作域中的转发指令,将所述报文信息的元信息转发至所述转发指令指定的聚合模块,所述匹配域用于识别所述转发规则对应的报文信息,所述动作域用于表征对匹配后的报文信息执行的指令信息;The forwarding unit is configured to, in response to determining that the packet information matches the matching field of the preset forwarding rule, convert the meta information of the packet information to the forwarding instruction in the action field of the preset forwarding rule Forwarding to the aggregation module specified by the forwarding instruction, the matching field is used to identify the message information corresponding to the forwarding rule, and the action field is used to represent the instruction information executed on the matched message information; 统计单元,被配置成基于所述报文信息的元信息,通过所述聚合模块统计得到虚拟交换机的流信息。The statistics unit is configured to obtain the flow information of the virtual switch through statistics by the aggregation module based on the meta information of the packet information. 7.根据权利要求6所述的装置,其中,所述报文信息的元信息包括:局域网地址、转发端口,所述转发端口为虚拟网络中虚拟交换机与虚拟机进行数据传输的转发端口;7. The device according to claim 6, wherein the meta-information of the message information comprises: a local area network address and a forwarding port, and the forwarding port is a forwarding port for data transmission between a virtual switch and a virtual machine in the virtual network; 所述统计单元,进一步被配置成根据所述报文信息的局域网地址、转发端口,通过所述聚合模块识别所述报文信息对应的虚拟私有网络属性信息;基于所述虚拟私有网络属性信息,通过聚合模块统计得到基于所述报文信息对应的虚拟私有网络的流信息。The statistics unit is further configured to identify the virtual private network attribute information corresponding to the packet information through the aggregation module according to the local area network address and forwarding port of the packet information; based on the virtual private network attribute information, The flow information of the virtual private network corresponding to the packet information is obtained through statistics by the aggregation module. 8.根据权利要求6所述的装置,其中,8. The apparatus of claim 6, wherein, 所述转发单元,进一步被配置成响应于确定所述报文信息与预设转发规则的匹配域相匹配,为所述报文信息添加访问标识,所述访问标识用于表征虚拟网络的安全访问规则是否接受所述报文信息对应的终端的访问请求;通过所述预设转发规则中的动作域中的转发指令,将添加所述访问标识的报文信息的元信息转发至所述转发指令指定的聚合模块,所述元信息包括所述访问标识。The forwarding unit is further configured to, in response to determining that the packet information matches a matching field of a preset forwarding rule, add an access identifier to the packet information, where the access identifier is used to represent secure access of the virtual network Whether the rule accepts the access request of the terminal corresponding to the message information; forwards the meta information of the message information with the access identifier added to the forwarding instruction through the forwarding instruction in the action field in the preset forwarding rule The specified aggregation module, the meta information includes the access identifier. 9.根据权利要求8所述的装置,其中,9. The apparatus of claim 8, wherein, 所述统计单元,进一步被配置成基于所述报文信息的访问标识,通过所述聚合模块统计得到区分是否被所述安全访问规则接受的流信息。The statistics unit is further configured to obtain, through the aggregation module, statistics based on the access identifier of the packet information to distinguish whether the flow information is accepted by the security access rule. 10.根据权利要求6所述的装置,其中,10. The apparatus of claim 6, wherein, 所述转发单元,进一步被配置成响应于确定所述报文信息与预设转发规则的匹配域相匹配,将所述报文信息的元信息存入缓存;响应于到达预设导出时刻,通过所述预设转发规则中的动作域中的转发指令,将所述缓存中的报文信息的元信息转发至所述转发指令指定的聚合模块。The forwarding unit is further configured to, in response to determining that the packet information matches the matching domain of the preset forwarding rule, store the meta information of the packet information in the cache; in response to reaching the preset export time, pass The forwarding instruction in the action field in the preset forwarding rule forwards the meta-information of the packet information in the cache to the aggregation module specified by the forwarding instruction. 11.一种计算机可读介质,其上存储有计算机程序,其中,所述程序被处理器执行时实现如权利要求1-5中任一所述的方法。11. A computer-readable medium having stored thereon a computer program, wherein the program, when executed by a processor, implements the method of any one of claims 1-5. 12.一种电子设备,包括:12. An electronic device comprising: 一个或多个处理器;one or more processors; 存储装置,其上存储有一个或多个程序,a storage device on which one or more programs are stored, 当所述一个或多个程序被所述一个或多个处理器执行,使得所述一个或多个处理器实现如权利要求1-5中任一所述的方法。The one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-5.
CN201910999665.0A 2019-10-21 2019-10-21 Flow information acquisition method and device of virtual network Active CN110719215B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910999665.0A CN110719215B (en) 2019-10-21 2019-10-21 Flow information acquisition method and device of virtual network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910999665.0A CN110719215B (en) 2019-10-21 2019-10-21 Flow information acquisition method and device of virtual network

Publications (2)

Publication Number Publication Date
CN110719215A true CN110719215A (en) 2020-01-21
CN110719215B CN110719215B (en) 2022-02-18

Family

ID=69213936

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910999665.0A Active CN110719215B (en) 2019-10-21 2019-10-21 Flow information acquisition method and device of virtual network

Country Status (1)

Country Link
CN (1) CN110719215B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111355639A (en) * 2020-03-10 2020-06-30 北京意锐新创科技有限公司 Heartbeat packet forwarding method and device suitable for payment equipment
CN111786973A (en) * 2020-06-19 2020-10-16 北京百度网讯科技有限公司 A flow log collection method, device, device and storage medium
CN113709052A (en) * 2020-05-21 2021-11-26 中移(苏州)软件技术有限公司 Network message processing method and device, electronic equipment and storage medium
CN113783825A (en) * 2020-09-15 2021-12-10 北京京东尚科信息技术有限公司 Message flow statistical method and device
CN113824772A (en) * 2021-08-30 2021-12-21 济南浪潮数据技术有限公司 Data acquisition method, system and device based on cloud network and readable storage medium
CN115529245A (en) * 2021-06-25 2022-12-27 深信服科技股份有限公司 Stream information completion method and device, cloud host equipment and computer storage medium
CN115914003A (en) * 2022-12-08 2023-04-04 苏州浪潮智能科技有限公司 Flow monitoring method and system based on intelligent network card

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103997415A (en) * 2013-02-20 2014-08-20 中兴通讯股份有限公司 Apparatus and method for realizing message statistics
CN104063267A (en) * 2014-07-11 2014-09-24 孙强强 Method and system for monitoring flow of virtual machine
US20180013675A1 (en) * 2015-09-15 2018-01-11 Cisco Technology, Inc. Method and apparatus for advanced statistics collection
CN107682275A (en) * 2016-08-01 2018-02-09 新华三技术有限公司 Monitoring messages method and device
CN109981403A (en) * 2019-03-05 2019-07-05 北京勤慕数据科技有限公司 Virtual machine network data traffic monitoring method and device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103997415A (en) * 2013-02-20 2014-08-20 中兴通讯股份有限公司 Apparatus and method for realizing message statistics
CN104063267A (en) * 2014-07-11 2014-09-24 孙强强 Method and system for monitoring flow of virtual machine
US20180013675A1 (en) * 2015-09-15 2018-01-11 Cisco Technology, Inc. Method and apparatus for advanced statistics collection
CN107682275A (en) * 2016-08-01 2018-02-09 新华三技术有限公司 Monitoring messages method and device
CN109981403A (en) * 2019-03-05 2019-07-05 北京勤慕数据科技有限公司 Virtual machine network data traffic monitoring method and device

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111355639A (en) * 2020-03-10 2020-06-30 北京意锐新创科技有限公司 Heartbeat packet forwarding method and device suitable for payment equipment
CN113709052A (en) * 2020-05-21 2021-11-26 中移(苏州)软件技术有限公司 Network message processing method and device, electronic equipment and storage medium
CN113709052B (en) * 2020-05-21 2024-02-27 中移(苏州)软件技术有限公司 Processing method and device of network message, electronic equipment and storage medium
CN111786973A (en) * 2020-06-19 2020-10-16 北京百度网讯科技有限公司 A flow log collection method, device, device and storage medium
CN111786973B (en) * 2020-06-19 2022-09-23 北京百度网讯科技有限公司 A flow log collection method, device, device and storage medium
CN113783825A (en) * 2020-09-15 2021-12-10 北京京东尚科信息技术有限公司 Message flow statistical method and device
CN113783825B (en) * 2020-09-15 2023-12-05 北京京东尚科信息技术有限公司 Message flow statistics method and device
CN115529245A (en) * 2021-06-25 2022-12-27 深信服科技股份有限公司 Stream information completion method and device, cloud host equipment and computer storage medium
CN113824772A (en) * 2021-08-30 2021-12-21 济南浪潮数据技术有限公司 Data acquisition method, system and device based on cloud network and readable storage medium
CN113824772B (en) * 2021-08-30 2023-04-18 济南浪潮数据技术有限公司 Data acquisition method, system and device based on cloud network and readable storage medium
CN115914003A (en) * 2022-12-08 2023-04-04 苏州浪潮智能科技有限公司 Flow monitoring method and system based on intelligent network card
CN115914003B (en) * 2022-12-08 2024-10-15 苏州浪潮智能科技有限公司 Flow monitoring method and system based on intelligent network card

Also Published As

Publication number Publication date
CN110719215B (en) 2022-02-18

Similar Documents

Publication Publication Date Title
CN110719215B (en) Flow information acquisition method and device of virtual network
US11546380B2 (en) System and method for creation and implementation of data processing workflows using a distributed computational graph
US20230164148A1 (en) Enhanced cloud infrastructure security through runtime visibility into deployed software
US12225049B2 (en) System and methods for integrating datasets and automating transformation workflows using a distributed computational graph
US11064021B2 (en) Method, device and computer program product for managing network system
CN109033471B (en) A kind of information asset identification method and device
CN113987074A (en) Distributed service full-link monitoring method and device, electronic equipment and storage medium
CN110198248B (en) Method and device for detecting IP address
US10097510B2 (en) Identifying network flows under network address translation
CN113364804B (en) Method and device for processing flow data
WO2019206295A1 (en) Network access method and device for edge router
CN116055411A (en) UPF data flow classification method, system, device and medium based on machine learning
US9948694B2 (en) Addressing application program interface format modifications to ensure client compatibility
WO2021097713A1 (en) Distributed security testing system, method and device, and storage medium
US9917747B2 (en) Problem detection in a distributed digital network through distributed packet analysis
US11516138B2 (en) Determining network flow direction
CN115225545B (en) A message transmission method and device
CN114449052B (en) A data compression method, device, electronic equipment and storage medium
CN115361450A (en) Request information processing method, apparatus, electronic device, medium, and program product
CN114490280A (en) Log processing method, device, equipment and medium
CN113965408B (en) Method, device, medium and equipment for extracting HTTP (hyper text transport protocol) message
US11947942B2 (en) Application artifact registration
CN110674374A (en) Information classification method and device
CN116032995B (en) Data communication method and device, electronic device and computer-readable storage medium
US20250321812A1 (en) Policy Driven Service Insertion with Middleware for Cloud Applications

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20200121

Assignee: Beijing Intellectual Property Management Co.,Ltd.

Assignor: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY Co.,Ltd.

Contract record no.: X2023110000093

Denomination of invention: Method and device for collecting flow information in virtual networks

Granted publication date: 20220218

License type: Common License

Record date: 20230818