CN100433659C - Flow statistical method and flow collecting device - Google Patents
Flow statistical method and flow collecting device Download PDFInfo
- Publication number
- CN100433659C CN100433659C CNB200610112116XA CN200610112116A CN100433659C CN 100433659 C CN100433659 C CN 100433659C CN B200610112116X A CNB200610112116X A CN B200610112116XA CN 200610112116 A CN200610112116 A CN 200610112116A CN 100433659 C CN100433659 C CN 100433659C
- Authority
- CN
- China
- Prior art keywords
- message
- application
- apply property
- statistics
- network attribute
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a network flow counting method, characterized in preestablishing a message load-application attribute relation, and comprising the steps of: obtaining a message from a tested port, determining network attribute and message load of the message, determining application attribute of the message according to the message load-application attribute relation, counting the flow according to the determined network attribute and application attribute, and obtaining the statistical result. And it also discloses a flow collector for network flow counting, characterized in comprising: flow conversation management module, application identification module, and application protocol counting module. And it can count flow according to network application.
Description
Technical field
The present invention relates to the network flow statistic technology, relate in particular to a kind of flow statistical method and flow collection device of application Network Based.
Background technology
Along with the fast development of computer and network technology, use wired and wireless network is frequent further, and number of users also constantly increases.In order to know various transmission of Information situations in the network, network flow statistic arises at the historic moment, and becomes the important technology of network management and network application.
The acquisition technique of existing network flow statistic flow Network Based, the flow collection device is that object is added up with the network attribute of message.Here, the network attribute of message comprises the indexs such as source Internet Protocol (IP) address, purpose IP address, source port, destination interface and employed agreement of message.Fig. 1 shows the method flow diagram of existing network traffic statistics.Referring to Fig. 1, this method comprises:
In step 101, network message arrives tested port, and this port is with interrupt mode notice flow collector.
In step 102~103, this message of flow collection device buffer memory also obtains the network attribute of message, and the network attribute that gets access to is carried out Hash (hash) operation, obtains index value; Then according to the index value retrieval acquisition stream scale that is obtained.
Carry out record for the ease of result to flow collection, the acquisition stream scale is set in the flow collection device usually, each list item wherein all includes index value, such as traffic statistics projects such as message byte number, message number, timestamps, like this, message of every transmission in the network, the information of respective record will be upgraded thereupon in the acquisition stream scale.
In step 104~106, judge whether to hit the acquisition stream scale, if, then upgrade the corresponding discharge statistic record in the acquisition stream scale, and execution in step 107; Otherwise, generate new list item according to the form of acquisition stream scale, join in the acquisition stream scale, and execution in step 107.
When the index value of operating acquisition through hash is consistent with the index value of a certain list item in the acquisition stream scale, judges and hit the acquisition stream scale.Upgrade the content of the corresponding list item in the acquisition stream scale this moment, and for example the byte number with message is added in the message byte number of this list item, utilizes timestamp in the update of time stamp list item of message or the like.When the index value of each list item in the acquisition stream scale all with the network attribute of message is carried out hash after the index value that obtains when inconsistent, judge miss acquisition stream scale.In the acquisition stream scale, increase one this moment newly with the list item of hash result, and in each statistical item of list item, insert corresponding information according to this message as index value.
In step 107~108, whether needs are aging to judge the acquisition stream scale according to aging standard, if, then sluggish list item is carried out burin-in process, and execution in step 109; Otherwise, direct execution in step 109.
In order to guarantee effective utilization to the space of acquisition stream scale, usually set in advance aging standard, ageing time thresholding etc. for example, when having the list item that meets aging standard in the acquisition stream scale, judgement need be carried out burin-in process, at this moment with sluggish list item, and the promptly long-time list item that is not updated, from the acquisition stream scale, extract, and these list items are put into aging module.
In step 109, the acquisition stream scale is gathered, generate statistical analysis table and show to the user.
So far, finish existing traffic statistics flow process.
In above-mentioned existing traffic statistics process, the flow collection device obtains network attribute according to heading, carries out traffic statistics at the network attribute that gets access to.Because network application at present is of a great variety, for example point-to-point (P2P), Enterprise Resources Planning (ERP) etc., the flow of accurately knowing various application is users' such as operator or network management personnel active demand.And existing flow statistical method can't provide statistics at the apply property of message, thereby the user can't analyze according to apply property, makes troubles to network management.
Summary of the invention
In view of this, the invention provides a kind of method of network flow statistic, can carry out traffic statistics at network application.
Network flux statistical method is set up the corresponding relation of message load and apply property in advance among the present invention, and carries out network flow statistic according to following steps:
Obtain the message that comes from tested port, determine the network attribute and the message load of this message, described network attribute comprises Internet Protocol IP address, source, purpose IP address, source port, destination interface and employed agreement, and described message load is this message at transmission control protocol TCP layer and with the information of lower part;
According to the message load of setting up in advance and the corresponding relation of apply property, determine the apply property of this message, and carry out traffic statistics at determined network attribute and apply property, obtain statistics.
Wherein, the described corresponding relation of setting up message load and apply property is: determine each message load and represent corresponding relation between the application identities of apply property, and be stored in the application characteristic database that sets in advance;
The apply property of described definite message is: according to described message load retrieve application property data base, and judge whether to hit record in this application characteristic database, if, then from the application characteristic database, obtain the application identities of message load correspondence, otherwise the application identities of this message load correspondence is set to the unknown.
Wherein, corresponding relation between described each message load and the application identities is to comprise root node, the tree of one-level minor matters point and leaf node at least, then describedly according to message load retrieve application property data base is: from the root node of tree to leaf node step by step with described message loaded matching;
Describedly judge whether to hit this application characteristic database and be: consistent after the content of root node, minor matters point at different levels and leaf node merges in proper order with the content of described message load, then judge the record that hits in the application characteristic database; Otherwise, judge the record in the miss application characteristic database;
The described application identities of obtaining message load correspondence from the application characteristic database is: with the application identities of the leaf node correspondence of the record that is hit in the application characteristic database application identities as this message load correspondence.
Wherein, set in advance the acquisition stream scale, be used to preserve network attribute and the result of apply property combination and corresponding statistical item, describedly carry out traffic statistics at determined network attribute and apply property and be:
Network attribute and application identities to described message are carried out the Hash processing, obtain index value, retrieve described acquisition stream scale according to this index value, and judge whether there be the list item corresponding in this acquisition stream scale with this index value, if, then according to this contents in table in this message renewal acquisition stream scale, otherwise, generate the new list item that comprises this index value according to this message, join in the described acquisition stream scale;
Described acquisition traffic statistics result is: determine the project that the user need add up, from described traffic statistics table, obtain the statistical information of determined project correspondence, and gather, with summarized results as the traffic statistics result.
Wherein, after the network attribute and message load of described definite this message, further comprise: described message is carried out preliminary treatment, and determine according to the preliminary treatment result whether this message is legal message;
It is described that to carry out traffic statistics at determined network attribute and apply property be to judge that according to the preliminary treatment result this message is to carry out under the situation of legal message.
Wherein, before the described acquisition statistics, further comprise:
According to the aging standard that sets in advance, judge whether the acquisition stream scale is carried out burin-in process, if the list item that then will meet aging standard extracts, and continue to carry out the operation of described acquisition statistics from flow collection; Otherwise, directly carry out the operation of described acquisition statistics.
The present invention also provides a kind of network traffics collector, can carry out traffic statistics at network application.
Network traffics collector among the present invention comprises: the words that fail to be convened for lack of a quorum administration module, application recognition module, application protocol statistical module, wherein,
The described words administration module that fails to be convened for lack of a quorum is used to obtain the message that comes from tested port, determine the network attribute and the message load of this message, described network attribute comprises Internet Protocol IP address, source, purpose IP address, source port, destination interface and employed agreement, and described message load is this message at transmission control protocol TCP layer and with the information of lower part; Send message load to application recognition module, receive the apply property that comes from application recognition module, and send the network attribute and the apply property of this message to the applied statistics module;
Described application recognition module is used to preserve the corresponding relation of message load and apply property, receives the message load that comes from the words administration module that fails to be convened for lack of a quorum, and determines corresponding apply property, and sends to the described words administration module that fails to be convened for lack of a quorum;
Described application protocol statistical module is used to receive the network attribute and the apply property of the message that comes from the described words administration module that fails to be convened for lack of a quorum, and carries out traffic statistics at network attribute that receives and apply property.
Preferably, described application recognition module comprises: application characteristic database and retrieval submodule, wherein
Corresponding relation between the application identities that described application characteristic database is used to preserve message load and represent apply property;
Described retrieval submodule is used to receive the message load that comes from the words administration module that fails to be convened for lack of a quorum, according to the message load that receives the described corresponding relation of using in the characteristic is retrieved, obtain the application identities of this message load correspondence, and this application identities is sent to the described words administration module that fails to be convened for lack of a quorum as apply property.
Preferably, described application protocol statistical module comprises: acquisition stream scale and statistics submodule, wherein
Described acquisition stream scale is used to preserve the list item of the Hash result that comprises network attribute and apply property and corresponding statistical item, and upgrades the content or the newly-built list item of statistical item under the control of described statistics submodule;
Described statistics submodule is used to receive the network attribute and the apply property of the message that comes from the described words administration module that fails to be convened for lack of a quorum, network attribute and the apply property that receives carried out the Hash processing, with the Hash result as index value, retrieve described acquisition stream scale, when in definite acquisition stream scale, having corresponding list item, notice acquisition stream scale upgrades described corresponding list item according to message, and when not having corresponding list item in definite acquisition stream scale, notice acquisition stream scale is according to the newly-built list item of message.
Preferably, described flow collection device further comprises:
The message pretreatment module is used to receive the message that comes from the words administration module that fails to be convened for lack of a quorum, and the message that receives is carried out preliminary treatment, and the preliminary treatment result is returned to the words administration module that fails to be convened for lack of a quorum.
Preferably, described flow collection device further comprises:
Applied statistics table module is used to receive the statistics that comes from the application protocol statistical module, generates statistical analysis table according to the statistics that receives, and shows to the user.
Use the present invention, can carry out traffic statistics at network application.Particularly, the present invention has following beneficial effect:
The present invention obtains network attribute and obtains apply property by message load by heading when carrying out network flow statistic, carries out real-time traffic statistics at network attribute and apply property then.As seen among the present invention with the apply property of message as objects of statistics, therefore can accurately know the flow of various application, be convenient to the user and analyze according to apply property, effectively improved the comfort level of network management.
In addition, owing to can carry out network flow statistic based on application among the present invention, network manager can charge to the user according to the flow of various application, and adjusts service quality (QOS) according to traffic conditions, to guarantee that the unobstructed of Network Transmission is with efficient.
Description of drawings
To make clearer above-mentioned and other feature and advantage of the present invention of those of ordinary skill in the art by describe exemplary embodiment of the present invention in detail with reference to accompanying drawing below, in the accompanying drawing:
Fig. 1 is the method flow diagram of existing network traffic statistics;
Fig. 2 is the exemplary process diagram of flow statistical method of the present invention;
Fig. 3 is the flow chart of flow statistical method in the embodiment of the invention;
Fig. 4 is the tree schematic diagram of property data base in the embodiment of the invention;
Fig. 5 is the structural representation of flow collection device in the embodiment of the invention.
Embodiment
For making purpose of the present invention, technical scheme clearer, below with reference to the accompanying drawing embodiment that develops simultaneously, the present invention is described in further detail.
The present invention is a kind of method of network flow statistic, and its basic thought is: the network attribute and the apply property of message are combined, carry out traffic statistics.
Fig. 2 shows the exemplary process diagram of network flux statistical method among the present invention.Referring to Fig. 2, this method is set up the corresponding relation of the load and the application identities of message in advance, and this method comprises:
In step 201, obtain the message that comes from tested port, determine the network attribute and the message load of this message, according to the message load of setting up in advance and the corresponding relation of apply property, determine the apply property of this message;
In step 202, carry out traffic statistics at determined network attribute and apply property, obtain statistics.
Here, the load of message is meant that message is at the TCP layer and with the information of lower part.Because network attribute can obtain from heading, so the present invention when carrying out traffic statistics, with the full content of message as foundation, but not only at the content of heading.For the ease of practical operation, can carry out hash to network attribute and application identities and handle, the result that obtains sign as each project in the traffic statistics.
Fig. 3 shows the method flow diagram of traffic statistics in the embodiment of the invention.Referring to Fig. 3, this method may further comprise the steps:
In step 301, network message arrives tested port, and this port is with interrupt mode notice flow collector.
Adopt the flow collection device that the flow of network message is gathered and added up among the present invention, and before gathering, pre-determine tested port, when the tested port of message process, these ports of finding message have indicated message to the flow collection device and have arrived by sending the mode of interrupt requests.
In step 302, flow collection device buffer memory message obtains the network attribute and the load of this message, and this message is carried out preliminary treatment.
In this step, the flow collection device at first from the port that sends interrupt notification obtain message and with this packet buffer among self, from the heading of this message, obtain again such as network attributes such as source IP address, purpose IP address, source port, destination interface and used agreements, and with the content of this message below the TCP layer as load, promptly the load of message comprises character string and numeral etc.In order to guarantee the authenticity of traffic statistics, avoid a large amount of messages that network attack produces are counted statistics, also by pretreatment operation, verify the legitimacy of this message in this step.Only when getting access to legal message, just with its object, so that in the subsequent step this message is carried out the identification of apply property as traffic statistics.Pretreatment operation in the present embodiment comprises: the IP fragmentation message is synthesized complete IP message, message is carried out verification such as (CRC) etc.
In step 303, judge whether message is legal message, if then execution in step 304; Otherwise, finish this statistics flow process.
For instance, when pretreatment operation is synthetic complete IP message,, judge that then this message is illegal if the IP fragmentation message that receives can't be synthesized the complete IP message into protocol compliant; When pretreatment operation is when carrying out CRC check, if the result after the CRC check judges then that for the numerical value 1 of expression verification failure this message is an invalid packet.
In step 304~307, the application characteristic database that retrieval sets in advance according to message load judges whether to hit the application characteristic database, if, then obtain and use ID, and execution in step 308; Otherwise, the application ID of this message load correspondence is made as the unknown (unknow), and execution in step 308.
In order to be convenient to handle and identification, adopt in the present embodiment and use the apply property that ID represents message, for example the application ID of P2P message is 1, and the application ID of ERP message is 2, and the application ID of VoIP message is 3 or the like.And, also set up the application characteristic database that is used to preserve message load and uses corresponding relation between the ID in the present embodiment in advance, so that determine the application ID of expression apply property according to message load.This application characteristic database can adopt tree shown in Figure 4, and referring to Fig. 4, this tree comprises root node, one-level minor matters point and leaf node at least, and leaf node wherein is the last grade node.According to message load retrieve application property data base the time, begin to mate step by step from the root node of tree to leaf node, after having only content with root node, minor matters point at different levels and leaf node to merge in proper order, in full accord with the content of message load, just judge the content that exists in the application characteristic database with the message loaded matching, promptly hit the record in the application characteristic database, this moment is with the application ID of this leaf node correspondence application ID as this message load correspondence.If any record in the miss application characteristic database then shows the flow collection device as yet for this message load is provided with application ID, Ci Shi application ID is set to unknow so.
With message load is that abc001 is an example, the front three of message load is identical with the content abc of root node, then turn to first order minor matters point, and message load is the 4th identical with the 5th content 00 with the minor matters point on right side, then turn to leaf node, this moment, last position of message load was 1, and the application ID of this message load correspondence is 1 so.Above-mentioned example is comparatively simple, and in actual applications, because the content that message load comprises is more, the minor matters point progression that comprises in the application characteristic database is also more, and the process of retrieval coupling is more complicated.However, in the practical application still according to the method executable operations of above-mentioned example.
In step 308~311, network attribute and application ID to message carry out the hash processing, obtain index value, according to this index value retrieval acquisition stream scale, and judge whether to hit this acquisition stream scale, if then according to the corresponding discharge statistic record in this message renewal acquisition stream scale, then execution in step 312; Otherwise, generate the new list item that comprises this index value, join in the acquisition stream scale, then execution in step 312.
In the acquisition stream scale that present embodiment sets in advance, preserve network attribute and the result of apply property combination and corresponding statistical item, wherein also comprise the statistical item of correspondence when apply property is unknown.In order to save the memory headroom of acquisition stream scale, the index value in the acquisition stream scale is network attribute and uses ID and handle the numerical value that obtains through hash.Therefore, in order in the acquisition stream scale, to find the list item of coupling, here at first the application ID that obtains in the network attribute of the message that arrives in the step 301 and step 306 or 307 is combined into a segment information, network attribute occupies the position of front usually, uses the position that ID takies the back; Then, the information after the combination is carried out hash handle, obtain a numerical value, this numerical value is this message corresponding index value; Then, search the acquisition stream scale, and judge whether to exist the list item consistent with the message index value, if, then judge and hit the acquisition stream scale, otherwise, judge miss acquisition stream scale.
Under the situation of hitting the acquisition stream scale, show before this and the network attribute message identical occurred in the network with apply property, and add up, when then receive this kind message this moment once more, upgrade each statistical item in the corresponding list item, for example message byte number, message number, timestamp or the like according to this message.And under the situation of miss acquisition stream scale, the message that shows this kind network attribute and apply property was not added up, newly-built list item in the acquisition stream scale then, the index value of this list item are for to network attribute with use result after ID carries out hash, and remainder is required statistical item.As seen, the purpose of adding new list item is: be convenient to after this to add up from application point of view when the message of same application type occurring.
In step 312~313, judge whether and need carry out burin-in process the acquisition stream scale, if, then that sluggish list item is aging, and execution in step 314; Otherwise, direct execution in step 314.
The burin-in process operation here is identical with burin-in process operation of the prior art.
In step 314, according to user's request the acquisition stream scale is gathered, generate statistical analysis table and be shown to the user.
In this step, at first determine user's demand, i.e. the project that need add up of user; Then, from the acquisition stream scale, obtain the statistical information of determined project correspondence, and the statistical analysis table that the user checks is convenient in generation after gathering.For example, when the project that need add up as the user is the application protocol type, through including message amount such as application protocols such as P2P, ERP, byte number, the results such as timestamp of message recently in the statistical analysis table after gathering.The user can know and know the pairing flow of various application accurately when carrying out the network traffics analysis like this.
So far, finish network flow statistic flow process in the present embodiment.
By above-mentioned flow process as seen, present embodiment obtains network attribute and obtains apply property by message load by heading when carrying out network flow statistic, carries out real-time traffic statistics at network attribute and apply property then.
Present embodiment also provides a kind of flow collection device, is used to carry out above-mentioned network flow statistic flow process.Fig. 5 shows the structural representation of flow collection device in the present embodiment.Referring to Fig. 5, this flow collection device comprises: the words that fail to be convened for lack of a quorum administration module, application recognition module, application protocol statistical module.Wherein, the words that fail to be convened for lack of a quorum administration module is used to obtain the message that comes from tested port, determine the network attribute and the message load of this message, send message load to application recognition module, reception comes from the apply property of application recognition module, and sends the network attribute and the apply property of this message to the applied statistics module; Application recognition module is used to preserve the corresponding relation of message load and apply property, receives the message load that comes from the words administration module that fails to be convened for lack of a quorum, and determines corresponding apply property, and sends to the described words administration module that fails to be convened for lack of a quorum; The application protocol statistical module is used to receive the network attribute and the apply property of the message that comes from the words administration module that fails to be convened for lack of a quorum, and carries out traffic statistics at network attribute that receives and apply property.
For the traffic statistics flow process in the present embodiment, include application characteristic database and retrieval submodule, the wherein corresponding relation between the application characteristic database application ID that is used to preserve message load and represent apply property in the application recognition module; The retrieval submodule is used to receive the message load that comes from the words administration module that fails to be convened for lack of a quorum, according to the message load that receives the corresponding relation of using in the characteristic is retrieved, obtain the application ID of this message load correspondence, and should use ID and send to the described words administration module that fails to be convened for lack of a quorum as apply property.In other words, the retrieval submodule according to the step 304 among Fig. 3 to the 307 application ID that determine message load correspondence.
Include acquisition stream scale and statistics submodule in the application protocol statistical module, wherein, the acquisition stream scale is used to preserve the list item of the Hash result that comprises network attribute and apply property and corresponding statistical item, and upgrades the content or the newly-built list item of statistical item under the control of statistics submodule; The statistics submodule is used to receive the network attribute and the apply property of the message that comes from the words administration module that fails to be convened for lack of a quorum, network attribute and the apply property that receives carried out the hash processing, with the hash result as index value, retrieval acquisition stream scale, when in definite acquisition stream scale, having corresponding list item, notice acquisition stream scale upgrades described corresponding list item according to message, when in definite acquisition stream scale, not having corresponding list item, notice acquisition stream scale is according to the newly-built list item of message, promptly adds up submodule and carries out application oriented traffic statistics according to the step 308 among Fig. 3 to 311.In addition, the application protocol statistical module determines whether there is the list item that need carry out burin-in process in the acquisition stream scale after finishing traffic statistics, and when having the list item that need wear out, these list items is sent to the words administration module that fails to be convened for lack of a quorum; The words that fail to be convened for lack of a quorum comprise aging submodule in the administration module, are used to preserve the list item of the aging acquisition stream scale of the needs that come from the application protocol statistical module.
Flow collection device in the present embodiment also comprises the message pretreatment module, is used to receive in failing to be convened for lack of a quorum talk about the message of administration module, the message that receives is carried out preliminary treatment, and the preliminary treatment result is returned to the words administration module that fails to be convened for lack of a quorum.
In addition, the flow collection device here can also comprise applied statistics table module, is used to receive the statistics that comes from the application protocol statistical module, generates statistical analysis table according to the statistics that receives, and shows to the user.
In the network flux statistical method and flow collection device of above-mentioned illustrated embodiment, all with the apply property of message as objects of statistics, therefore can accurately know the flow of various application, be convenient to the user and analyze, effectively improve the comfort level of network management according to apply property.And just because of the traffic statistics based on application that realized in the foregoing description, network manager can charge to the user according to the flow of various application, and adjusts QOS according to traffic conditions, to guarantee that the unobstructed of Network Transmission is with efficient.
The above only is preferred embodiment of the present invention, and is in order to restriction the present invention, within the spirit and principles in the present invention not all, any modification of being made, is equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (11)
1, a kind of network flux statistical method is characterized in that, sets up the corresponding relation of message load and apply property in advance, and this method comprises:
Obtain the message that comes from tested port, determine the network attribute and the message load of this message, described network attribute comprises Internet Protocol IP address, source, purpose IP address, source port, destination interface and employed agreement, and described message load is this message at transmission control protocol TCP layer and with the information of lower part;
According to the message load of setting up in advance and the corresponding relation of apply property, determine the apply property of this message, and carry out traffic statistics at determined network attribute and apply property, obtain statistics.
2, the method for claim 1, it is characterized in that, the described corresponding relation of setting up message load and apply property is: determine each message load and represent corresponding relation between the application identities of apply property, and be stored in the application characteristic database that sets in advance;
The apply property of described definite message is: according to described message load retrieve application property data base, and judge whether to hit record in this application characteristic database, if, then from the application characteristic database, obtain the application identities of message load correspondence, otherwise the application identities of this message load correspondence is set to the unknown.
3, method as claimed in claim 2, it is characterized in that, corresponding relation between described each message load and the application identities is to comprise root node, the tree of one-level minor matters point and leaf node at least, then describedly according to message load retrieve application property data base is: from the root node of tree to leaf node step by step with described message loaded matching;
Describedly judge whether to hit this application characteristic database and be: consistent after the content of root node, minor matters point at different levels and leaf node merges in proper order with the content of described message load, then judge the record that hits in the application characteristic database; Otherwise, judge the record in the miss application characteristic database;
The described application identities of obtaining message load correspondence from the application characteristic database is: with the application identities of the leaf node correspondence of the record that is hit in the application characteristic database application identities as this message load correspondence.
4, method as claimed in claim 2 is characterized in that, sets in advance the acquisition stream scale, is used to preserve network attribute and the result of apply property combination and corresponding statistical item, describedly carries out traffic statistics at determined network attribute and apply property and is:
Network attribute and application identities to described message are carried out the Hash processing, obtain index value, retrieve described acquisition stream scale according to this index value, and judge whether there be the list item corresponding in this acquisition stream scale with this index value, if, then according to this contents in table in this message renewal acquisition stream scale, otherwise, generate the new list item that comprises this index value according to this message, join in the described acquisition stream scale;
Described acquisition traffic statistics result is: determine the project that the user need add up, from described traffic statistics table, obtain the statistical information of determined project correspondence, and gather, with summarized results as the traffic statistics result.
5, the method for claim 1 is characterized in that, after the network attribute and message load of described definite this message, further comprises: described message is carried out preliminary treatment, and determine according to the preliminary treatment result whether this message is legal message;
Describedly carry out traffic statistics at determined network attribute and apply property and judge in the preliminary treatment result and carry out after this message is legal message.
6, the method for claim 1 is characterized in that, before the described acquisition statistics, further comprises:
According to the aging standard that sets in advance, judge whether the acquisition stream scale is carried out burin-in process, if the list item that then will meet aging standard extracts, and continue to carry out the operation of described acquisition statistics from flow collection; Otherwise, directly carry out the operation of described acquisition statistics.
7, a kind of flow collection device that is used for network flow statistic is characterized in that, this flow collection device comprises: the words that fail to be convened for lack of a quorum administration module, application recognition module, application protocol statistical module, wherein,
The described words administration module that fails to be convened for lack of a quorum is used to obtain the message that comes from tested port, determine the network attribute and the message load of this message, described network attribute comprises Internet Protocol IP address, source, purpose IP address, source port, destination interface and employed agreement, and described message load is this message at transmission control protocol TCP layer and with the information of lower part; Send message load to application recognition module, receive the apply property that comes from application recognition module, and send the network attribute and the apply property of this message to the applied statistics module;
Described application recognition module is used to preserve the corresponding relation of message load and apply property, receives the message load that comes from the words administration module that fails to be convened for lack of a quorum, and determines corresponding apply property, and sends to the described words administration module that fails to be convened for lack of a quorum;
Described application protocol statistical module is used to receive the network attribute and the apply property of the message that comes from the described words administration module that fails to be convened for lack of a quorum, and carries out traffic statistics at network attribute that receives and apply property.
8, flow collection device as claimed in claim 7 is characterized in that, described application recognition module comprises: application characteristic database and retrieval submodule, wherein
Corresponding relation between the application identities that described application characteristic database is used to preserve message load and represent apply property;
Described retrieval submodule is used to receive the message load that comes from the words administration module that fails to be convened for lack of a quorum, according to the message load that receives the described corresponding relation of using in the characteristic is retrieved, obtain the application identities of this message load correspondence, and this application identities is sent to the described words administration module that fails to be convened for lack of a quorum as apply property.
9, flow collection device as claimed in claim 7 is characterized in that, described application protocol statistical module comprises: acquisition stream scale and statistics submodule, wherein
Described acquisition stream scale is used to preserve the list item of the Hash result that comprises network attribute and apply property and corresponding statistical item, and upgrades the content or the newly-built list item of statistical item under the control of described statistics submodule;
Described statistics submodule is used to receive the network attribute and the apply property of the message that comes from the described words administration module that fails to be convened for lack of a quorum, network attribute and the apply property that receives carried out the Hash processing, with the Hash result as index value, retrieve described acquisition stream scale, when in definite acquisition stream scale, having corresponding list item, notice acquisition stream scale upgrades described corresponding list item according to message, and when not having corresponding list item in definite acquisition stream scale, notice acquisition stream scale is according to the newly-built list item of message.
10, as any described flow collection device in the claim 7 to 9, it is characterized in that described flow collection device further comprises:
The message pretreatment module is used to receive the message that comes from the words administration module that fails to be convened for lack of a quorum, and the message that receives is carried out preliminary treatment, and the preliminary treatment result is returned to the words administration module that fails to be convened for lack of a quorum.
11, as any described flow collection device in the claim 7 to 9, it is characterized in that described flow collection device further comprises:
Applied statistics table module is used to receive the statistics that comes from the application protocol statistical module, generates statistical analysis table according to the statistics that receives, and shows to the user.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB200610112116XA CN100433659C (en) | 2006-08-11 | 2006-08-11 | Flow statistical method and flow collecting device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB200610112116XA CN100433659C (en) | 2006-08-11 | 2006-08-11 | Flow statistical method and flow collecting device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1905491A CN1905491A (en) | 2007-01-31 |
| CN100433659C true CN100433659C (en) | 2008-11-12 |
Family
ID=37674627
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB200610112116XA Active CN100433659C (en) | 2006-08-11 | 2006-08-11 | Flow statistical method and flow collecting device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100433659C (en) |
Families Citing this family (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101175038B (en) * | 2007-10-16 | 2010-10-27 | 华为技术有限公司 | Data stream information transmission method, communication system and equipment |
| CN101286903B (en) * | 2008-05-06 | 2010-09-15 | 北京锐安科技有限公司 | Method for enhancing integrity of sessions in network audit field |
| CN101325597B (en) * | 2008-07-30 | 2011-04-06 | 北京星网锐捷网络技术有限公司 | Method, apparatus and system for processing data |
| CN101605069B (en) * | 2009-06-30 | 2011-06-08 | 杭州华三通信技术有限公司 | Method and device for acquiring stream information |
| CN102664773A (en) * | 2012-05-22 | 2012-09-12 | 中国人民解放军信息工程大学 | Method and device for detecting network flow |
| CN102801624B (en) * | 2012-08-16 | 2015-03-04 | 中国人民解放军信息工程大学 | Sampling method and device of network data stream |
| CN102916854B (en) * | 2012-10-22 | 2018-02-09 | 北京瓦力网络科技有限公司 | Flow statistical method, device and proxy server |
| CN103796186B (en) * | 2012-10-30 | 2017-11-28 | 中国电信股份有限公司 | Communication flows statistical method and mobile terminal desktop system based on application |
| CN103581044A (en) * | 2013-11-04 | 2014-02-12 | 汉柏科技有限公司 | Flow statistic method and device |
| CN103685057B (en) * | 2013-12-26 | 2017-06-20 | 华为技术有限公司 | Flow statistical method and device |
| CN104378263A (en) * | 2014-11-27 | 2015-02-25 | 盛科网络(苏州)有限公司 | Network flow monitoring method and device based on TCP session and message processing chip |
| CN104935526B (en) * | 2015-06-11 | 2018-07-24 | 新华三技术有限公司 | A kind of application and identification method and equipment |
| US10250466B2 (en) | 2016-03-29 | 2019-04-02 | Juniper Networks, Inc. | Application signature generation and distribution |
| CN105978748A (en) * | 2016-04-26 | 2016-09-28 | 上海斐讯数据通信技术有限公司 | Terminal equipment information counting method and terminal equipment information counting device based on Hash node |
| CN106339244A (en) * | 2016-08-30 | 2017-01-18 | 中国银行股份有限公司 | Method and device for realizing statistical information collection |
| CN110166318B (en) * | 2019-05-15 | 2021-01-26 | 杭州迪普科技股份有限公司 | Data statistical method and device |
| CN110661684B (en) * | 2019-09-29 | 2021-06-29 | 北京浪潮数据技术有限公司 | Flow statistical method and device |
| CN112235160B (en) * | 2020-10-14 | 2022-02-01 | 福建奇点时空数字科技有限公司 | Flow identification method based on protocol data deep layer detection |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1341345A1 (en) * | 2002-01-29 | 2003-09-03 | Acme Packet, Inc. | System and method for collecting statistics within a packet network |
| US6754662B1 (en) * | 2000-08-01 | 2004-06-22 | Nortel Networks Limited | Method and apparatus for fast and consistent packet classification via efficient hash-caching |
| CN1601975A (en) * | 2004-09-29 | 2005-03-30 | 重庆邮电学院 | Packet-switcher flow monitoring and inquiry method and line card picker |
| CN1612527A (en) * | 2003-10-28 | 2005-05-04 | 华为技术有限公司 | Data service information collecting device and charging method using same |
| WO2005093576A1 (en) * | 2004-03-28 | 2005-10-06 | Robert Iakobashvili | Visualization of packet network performance, analysis and optimization for design |
-
2006
- 2006-08-11 CN CNB200610112116XA patent/CN100433659C/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6754662B1 (en) * | 2000-08-01 | 2004-06-22 | Nortel Networks Limited | Method and apparatus for fast and consistent packet classification via efficient hash-caching |
| EP1341345A1 (en) * | 2002-01-29 | 2003-09-03 | Acme Packet, Inc. | System and method for collecting statistics within a packet network |
| CN1612527A (en) * | 2003-10-28 | 2005-05-04 | 华为技术有限公司 | Data service information collecting device and charging method using same |
| WO2005093576A1 (en) * | 2004-03-28 | 2005-10-06 | Robert Iakobashvili | Visualization of packet network performance, analysis and optimization for design |
| CN1601975A (en) * | 2004-09-29 | 2005-03-30 | 重庆邮电学院 | Packet-switcher flow monitoring and inquiry method and line card picker |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1905491A (en) | 2007-01-31 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN100433659C (en) | Flow statistical method and flow collecting device | |
| US11855967B2 (en) | Method for identifying application information in network traffic, and apparatus | |
| EP0994602B1 (en) | Computer system and network performance monitoring | |
| US6279113B1 (en) | Dynamic signature inspection-based network intrusion detection | |
| US9277012B2 (en) | Apparatus and method for tracking transaction related data | |
| CN106209506B (en) | A kind of virtualization deep-packet detection flow analysis method and system | |
| EP2240854B1 (en) | Method of resolving network address to host names in network flows for network device | |
| CN108712426B (en) | Crawler identification method and system based on user behavior buried points | |
| JP2018531527A6 (en) | Method and apparatus for identifying application information in network traffic | |
| CN105022815A (en) | Information interception method and device | |
| CN101626375B (en) | Domain name protecting system and method thereof | |
| CN110198251B (en) | Method and device for obtaining client address | |
| CN109729183A (en) | Request processing method, device, equipment and storage medium | |
| CN111224831B (en) | Method and system for generating call ticket | |
| WO2020258982A1 (en) | Method and system for analyzing security log of base station, and computer-readable storage medium | |
| CN108093428B (en) | Server for authenticating real traffic | |
| CN101175038B (en) | Data stream information transmission method, communication system and equipment | |
| CN104836700A (en) | NAT (Network Address Translation) host number detection method based on IPID and probability statistics model | |
| CN115225544A (en) | Network flow counting and monitoring method, device, electronic equipment and medium | |
| CN103580959A (en) | Distributed statistical reporting implementation method | |
| CN109840264B (en) | Method and device for auditing access of application program database | |
| CN102664813B (en) | System and method for localizing peer-to-peer (P2P) flow | |
| KR100621996B1 (en) | Method and system of analyzing internet service traffic | |
| US6847996B2 (en) | Method for managing an open computer system | |
| CN109905325A (en) | A kind of flow bootstrap technique and flow identify equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address | ||
| CP03 | Change of name, title or address |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Patentee after: Xinhua three Technology Co., Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base Patentee before: Huasan Communication Technology Co., Ltd. |